3G Security Principles
Download
Report
Transcript 3G Security Principles
Build on GSM security
Correct problems with GSM security
Add new security features
Source: 3GPP
Myagmar, Gupta
UIUC 2001
1
PSTN/ISDN
MS
Um
MSC
BTS
BSC
A-bis
A
Mobility
mgt
OMC
VLR
HLR
AUC
EIR
Voice Traffic
Circuit-switched technology
Myagmar, Gupta
UIUC 2001
2
Key functions: privacy, integrity and confidentiality
Authentication
SRES
Protect from unauthorized service access
Based on the authentication algorithm A3(Ki, RAND)=>
Problems with inadequate algorithms
Encryption
Scramble bit streams to protect signaling and user data
Ciphering algorithm A8(Ki, RAND) => Kc
A5(Kc, Data) => Encrypted Data
Need stronger encryption
Confidentiality
Prevent intruder from identifying users by IMSI
Temporary MSI
Need more secure mechanism
3
SIM
A removable hardware security module
Manageable by network operators
Terminal independent
Secure Application Layer
Secure application layer channel between subscriber
module and home
network
Transparency
Security features operate without user assistance
Needs greater user visibility
Minimized Trust
Requires minimum trust between HE and SN
4
Active Attacks
Impersonating network elements such as false BTS is
possible
Key Transmission
Cipher keys and authentication values are transmitted in
clear within and
between networks (IMSI, RAND, SRES, Kc)
Limited Encryption Scope
Encryption terminated too soon at edge of network to BTS
Communications and signaling in the fixed network portion
aren’t
protected
Designed to be only as secure as the fixed networks
Channel Hijack
Protection against radio channel hijack relies on encryption.
However, encryption is not used in some networks.
Myagmar, Gupta
UIUC 2001
5
Implicit Data Integrity
No integrity algorithm provided
Unilateral Authentication
Only user authentication to the network is provided.
No means to identify the network to the user.
Weak Encryption Algorithms
Key lengths are too short, while computation speed is
increasing
Encryption algorithm COMP 128 has been broken
Replacement of encryption algorithms is quite difficult
Unsecured Terminal
IMEI is an unsecured identity
Integrity mechanisms for IMEI are introduced late
Myagmar, Gupta
UIUC 2001
6
Lawful Interception & Fraud
Considered as afterthoughts
Lack of Visibility
No indication to the user that encryption is on
No explicit confirmation to the HE that authentication
parameters are
properly used in SN when subscribers roam
Inflexibility
Inadequate flexibility to upgrade and improve security
functionality over
time
Myagmar, Gupta
UIUC 2001
7
Circuit
Network
Circuit
Switch
Circuit/
Signaling
Gateway
IN Services
Feature
Server(s)
RNC
Voice
Radio Access
Control
Data +
Packet
Voice
Mobility
Manager
Call
Agent
IP Core
Network
Packet
Gateway
Packet Network
(Internet)
IP RAN
2G
2G/2.5G
3G
Myagmar, Gupta
UIUC 2001
8
Network Authentication
The user can identify the network
Explicit Integrity
Data integrity is assured explicitly by use of integrity
algorithms
Also stronger confidentiality algorithms with longer keys
Network Security
Mechanisms to support security within and between
networks
Switch Based Security
Security is based within the switch rather than the base
station
IMEI Integrity
Integrity mechanisms for IMEI provided from the start
Myagmar, Gupta
UIUC 2001
9
Secure Services
Protect against misuse of services provided by SN and HE
Secure Applications
Provide security for applications resident on USIM
Fraud Detection
Mechanisms to combating fraud in roaming situations
Flexibility
Security features can be extended and enhanced as
required by new
threats and services
Visibility and Configurability
Users are notified whether security is on and what level of
security is
available
Users can configure security features for individual services
Myagmar, Gupta
UIUC 2001
10
Compatibility
Standardized security features to ensure world-wide
interoperability and roaming
At least one encryption algorithm exported on world-wide
basis
Lawful Interception
Mechanisms to provide authorized agencies with certain
information about subscribers
Myagmar, Gupta
UIUC 2001
11
User Confidentiality
Permanent user identity IMSI, user location, and user
services cannot be determined by eavesdropping
Achieved by use of temporary identity (TMSI) which is
assigned by VLR
IMSI is sent in cleartext when establishing TMSI
USIM
VLR
IMSI request
IMSI
TMSI allocation
TMSI acknowledgement
Myagmar, Gupta
UIUC 2001
12
Mutual Authentication
During Authentication and Key Agreement (AKA) the user
and network authenticate each other, and also they agree on
cipher and integrity key
(CK, IK). CK and IK are used until
their time expires.
Assumption: trusted HE and SN, and trusted links between
them.
After AKA, security mode must be negotiated to agree on
encryption and integrity algorithm.
USIM
AKA process:
VLR
HLR
AV request, send IMSI
RAND(i) || AUTN(i)
Generate RES(i)
Generate authentication
data V(1..n)
Compare RES(i) and XRES(i)
Myagmar, Gupta
UIUC 2001
13
Generation of authentication data at HLR:
Generate SQN
Generate RAND
SQN
RAND
AMF
K
f1
MAC
f2
f3
f4
f5
XRES
CK
IK
AK
AUTN := SQN AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN
Myagmar, Gupta
UIUC 2001
14
Generation of authentication data in USIM:
RAND
AUTN
f5
SQN AK
AK
AMF
MAC
SQN
K
f1
f2
f3
f4
XMAC
RES
CK
IK
Verify MAC = XMAC
Verify that SQN is in the correct range
Myagmar, Gupta
UIUC 2001
15
Data Integrity
Integrity of data and authentication of origin of signalling
data must be
provided
The user and network agree on integrity key and algorithm
during AKA and security mode set-up
COUNT-I
DIRECTION
MESSAGE
IK
f9
COUNT-I
FRESH
DIRECTION
MESSAGE
IK
FRESH
f9
MAC -I
XMAC -I
Sender
UE or RNC
Receiver
RNC or UE
Myagmar, Gupta
UIUC 2001
16
Data Confidentiality
Signalling and user data should be protected from
eavesdropping
The user and network agree on cipher key and algorithm
during AKA and security mode set-up
COUNT-C
DIRECTION
BEARER
CK
COUNT-C
LENGTH
f8
BEARER
CK
KEYSTREAM
BLOCK
PLAINTEXT
BLOCK
DIRECTION
LENGTH
f8
KEYSTREAM
BLOCK
CIPHERTEXT
BLOCK
Sender
UE or RNC
PLAINTEXT
BLOCK
Receiver
RNC or UE
Myagmar, Gupta
UIUC 2001
17
IMEI
SN
IMEI is sent to the network only after the authentication of
The transmission of IMEI is not protected
User-USIM Authentication
Access to USIM is restricted to authorized users
User and USIM share a secret key, PIN
USIM-Terminal Authentication
User equipment must authenticate USIM
Secure Applications
Applications resident on USIM should receive secure
messages over the network
Visibility
Indication that encryption is on
Indication what level of security (2G, 3G) is available
Myagmar, Gupta
UIUC 2001
18
Configurability
User configures which security features activated with
particular
services
Enabling/disabling user-USIM authentication
Accepting/rejecting incoming non-ciphered calls
Setting up/not setting up non-ciphered calls
Accepting/rejecting use of certain ciphering algorithms
GSM Compatibility
GSM user parameters are derived from UMTS parameters
using the
following conversion functions:
cipher key Kc = c3(CK, IK)
random challenge RAND = c1(RAND)
signed response SRES = c2(RES)
GSM subscribers roaming in 3GPP network are supported
by GSM security context (example, vulnerable to false BTS)
Myagmar, Gupta
UIUC 2001
19
IMSI is sent in cleartext when allocating TMSI to the user
The transmission of IMEI is not protected; IMEI is not a security
feature
A user can be enticed to camp on a false BS. Once the user
camps on the radio channels of a false BS, the user is out of
reach of the paging signals of SN
Hijacking outgoing/incoming calls in networks with disabled
encryption is possible. The intruder poses as a man-in-themiddle and drops the user once the call is set-up
Myagmar, Gupta
UIUC 2001
20
3G TS 33.120 Security Principles and Objectives
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf
3G TS 33.120 Security Threats and Requirements
http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF
Michael Walker “On the Security of 3GPP Networks”
http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf
Redl, Weber, Oliphant “An Introduction to GSM”
Artech House, 1995
Joachim Tisal “GSM Cellular Radio Telephony”
John Wiley & Sons, 1997
Lauri Pesonen “GSM Interception”
http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html
3G TR 33.900 A Guide to 3rd Generation Security
ftp://ftp.3gpp.org/TSG_SA/WG3_Security/_Specs/33900-120.pdf
3G TS 33.102 Security Architecture
ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33102-370.zip
3G TR 21.905 Vocabulary for 3GPP Specifications
http://www.quintillion.co.jp/3GPP/Specs/21905-010.pdf
Myagmar, Gupta
UIUC 2001
21