Scribd Logo
Upload

Welcome to Scribd!

  • 3G Security Principles: - Build On GSM Security - Correct Problems With GSM Security - Add New Security Features

    Uploaded by

    s231189
    37 views21 pages

    Original Title

    3G Security Overview

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    37 views21 pages

    3G Security Principles: - Build On GSM Security - Correct Problems With GSM Security - Add New Security Features

    Uploaded by

    s231189

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 21

    3G Security Principles

    • Build on GSM security

    • Correct problems with GSM security

    • Add new security features

    Source: 3GPP
    1
    Myagmar, Gupta UIUC 2001
    GSM Network Architecture
    PSTN/ISDN

    MS
    BTS MSC
    Um BSC
    A
    A-bis

    Mobility
    OMC mgt
    VLR
    HLR
    Voice Traffic AUC
    EIR

    Circuit-switched technology 2
    Myagmar, Gupta UIUC 2001
    GSM Security Elements, 1
    Key functions: privacy, integrity and confidentiality

    • Authentication
    Protect from unauthorized service access
    Based on the authentication algorithm A3(Ki, RAND)=> SRES
    Problems with inadequate algorithms
    • Encryption
    Scramble bit streams to protect signaling and user data
    Ciphering algorithm A8(Ki, RAND) => Kc
    A5(Kc, Data) => Encrypted Data
    Need stronger encryption
    • Confidentiality
    Prevent intruder from identifying users by IMSI
    Temporary MSI
    Need more secure mechanism

    3
    Myagmar, Gupta UIUC 2001
    GSM Security Elements, 2
    • SIM
    A removable hardware security module
    Manageable by network operators
    Terminal independent

    • Secure Application Layer


    Secure application layer channel between subscriber module and home
    network

    • Transparency
    Security features operate without user assistance
    Needs greater user visibility

    • Minimized Trust
    Requires minimum trust between HE and SN

    4
    Myagmar, Gupta UIUC 2001
    Problems with GSM Security, 1
    • Active Attacks
    Impersonating network elements such as false BTS is possible
    • Key Transmission
    Cipher keys and authentication values are transmitted in clear within
    and between networks (IMSI, RAND, SRES, Kc)
    • Limited Encryption Scope
    Encryption terminated too soon at edge of network to BTS
    Communications and signaling in the fixed network portion aren’t
    protected
    Designed to be only as secure as the fixed networks
    • Channel Hijack
    Protection against radio channel hijack relies on encryption.
    However, encryption is not used in some networks.

    5
    Myagmar, Gupta UIUC 2001
    Problems with GSM Security, 2
    • Implicit Data Integrity
    No integrity algorithm provided
    • Unilateral Authentication
    Only user authentication to the network is provided.
    No means to identify the network to the user.
    • Weak Encryption Algorithms
    Key lengths are too short, while computation speed is increasing
    Encryption algorithm COMP 128 has been broken
    Replacement of encryption algorithms is quite difficult
    • Unsecured Terminal
    IMEI is an unsecured identity
    Integrity mechanisms for IMEI are introduced late

    6
    Myagmar, Gupta UIUC 2001
    Problems with GSM Security, 3
    • Lawful Interception & Fraud
    Considered as afterthoughts
    • Lack of Visibility
    No indication to the user that encryption is on
    No explicit confirmation to the HE that authentication parameters are
    properly used in SN when subscribers roam
    • Inflexibility
    Inadequate flexibility to upgrade and improve security functionality
    over time

    7
    Myagmar, Gupta UIUC 2001
    3G Network Architecture
    Circuit
    Network Circuit/
    Signaling
    Gateway Mobility
    Manager
    Feature
    Circuit
    IN Services Server(s)
    Switch

    RNC Call
    Agent
    Voice Data +
    Packet
    Voice
    IP Core
    Radio Access Packet Network
    Control
    Network (Internet)
    Packet
    Gateway
    IP RAN

    2G 2G/2.5G 3G

    8
    Myagmar, Gupta UIUC 2001
    New Security Features, 1
    • Network Authentication
    The user can identify the network
    • Explicit Integrity
    Data integrity is assured explicitly by use of integrity algorithms
    Also stronger confidentiality algorithms with longer keys
    • Network Security
    Mechanisms to support security within and between networks
    • Switch Based Security
    Security is based within the switch rather than the base station
    • IMEI Integrity
    Integrity mechanisms for IMEI provided from the start

    9
    Myagmar, Gupta UIUC 2001
    New Security Features, 2
    • Secure Services
    Protect against misuse of services provided by SN and HE
    • Secure Applications
    Provide security for applications resident on USIM
    • Fraud Detection
    Mechanisms to combating fraud in roaming situations
    • Flexibility
    Security features can be extended and enhanced as required by new threats
    and services
    • Visibility and Configurability
    Users are notified whether security is on and what level of security is
    available
    Users can configure security features for individual services

    10
    Myagmar, Gupta UIUC 2001
    New Security Features, 3
    • Compatibility
    Standardized security features to ensure world-wide interoperability and
    roaming
    At least one encryption algorithm exported on world-wide basis
    • Lawful Interception
    Mechanisms to provide authorized agencies with certain information
    about subscribers

    11
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 1
    • User Confidentiality
    Permanent user identity IMSI, user location, and user services cannot be
    determined by eavesdropping
    Achieved by use of temporary identity (TMSI) which is assigned by
    VLR
    IMSI is sent in cleartext when establishing TMSI

    USIM VLR
    IMSI request

    IMSI

    TMSI allocation

    TMSI acknowledgement

    12
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 2
    • Mutual Authentication
    During Authentication and Key Agreement (AKA) the user and network
    authenticate each other, and also they agree on cipher and integrity key
    (CK, IK). CK and IK are used until their time expires.
    Assumption: trusted HE and SN, and trusted links between them.
    After AKA, security mode must be negotiated to agree on encryption
    and integrity algorithm.

    AKA process:
    USIM VLR HLR
    AV request, send IMSI

    Generate authentication
    RAND(i) || AUTN(i) data V(1..n)

    Generate RES(i)
    Compare RES(i) and XRES(i) 13
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 3
    Generation of authentication data at HLR:
    Generate SQN

    Generate RAND

    SQN
    RAND
    AMF

    f1 f2 f3 f4 f5

    MAC XRES CK IK AK

    AUTN := SQN ⊕ AK || AMF || MAC

    AV := RAND || XRES || CK || IK || AUTN

    14
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 4
    Generation of authentication data in USIM:
    RAND AUTN

    f5 SQN ⊕AK AMF MAC

    AK ⊕

    SQN
    K

    f1 f2 f3 f4

    XMAC RES CK IK

    Verify MAC = XMAC

    Verify that SQN is in the correct range

    15
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 5
    • Data Integrity
    Integrity of data and authentication of origin of signalling data must be
    provided
    The user and network agree on integrity key and algorithm during AKA
    and security mode set-up

    COUNT-I DIRECTION COUNT-I DIRECTION

    MESSAGE FRESH MESSAGE FRESH

    IK f9 IK f9

    MAC -I XMAC -I

    Sender Receiver
    UE or RNC RNC or UE

    16
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 6
    • Data Confidentiality
    Signalling and user data should be protected from eavesdropping
    The user and network agree on cipher key and algorithm during AKA
    and security mode set-up
    COUNT-C DIRECTION COUNT-C DIRECTION

    BEARER LENGTH BEARER LENGTH

    CK f8 CK f8

    KEYSTREAM KEYSTREAM
    BLOCK BLOCK

    PLAINTEXT CIPHERTEXT PLAINTEXT


    BLOCK BLOCK BLOCK

    Sender Receiver
    UE or RNC RNC or UE
    17
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 7
    • IMEI
    IMEI is sent to the network only after the authentication of SN
    The transmission of IMEI is not protected
    • User-USIM Authentication
    Access to USIM is restricted to authorized users
    User and USIM share a secret key, PIN
    • USIM-Terminal Authentication
    User equipment must authenticate USIM
    • Secure Applications
    Applications resident on USIM should receive secure messages over the
    network
    • Visibility
    Indication that encryption is on
    Indication what level of security (2G, 3G) is available
    18
    Myagmar, Gupta UIUC 2001
    Summary of 3G Security
    Features, 8
    • Configurability
    User configures which security features activated with particular services
    Enabling/disabling user-USIM authentication
    Accepting/rejecting incoming non-ciphered calls
    Setting up/not setting up non-ciphered calls
    Accepting/rejecting use of certain ciphering algorithms
    • GSM Compatibility
    GSM user parameters are derived from UMTS parameters using the
    following conversion functions:
    cipher key Kc = c3(CK, IK)
    random challenge RAND = c1(RAND)
    signed response SRES = c2(RES)
    GSM subscribers roaming in 3GPP network are supported by GSM security
    context (example, vulnerable to false BTS)

    19
    Myagmar, Gupta UIUC 2001
    Problems with 3G Security
    • IMSI is sent in cleartext when allocating TMSI to the user

    • The transmission of IMEI is not protected; IMEI is not a security feature

    • A user can be enticed to camp on a false BS. Once the user camps on the radio
    channels of a false BS, the user is out of reach of the paging signals of SN

    • Hijacking outgoing/incoming calls in networks with disabled encryption is


    possible. The intruder poses as a man-in-the-middle and drops the user once
    the call is set-up

    20
    Myagmar, Gupta UIUC 2001
    References
    • 3G TS 33.120 Security Principles and Objectives
    http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf
    • 3G TS 33.120 Security Threats and Requirements
    http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF
    • Michael Walker “On the Security of 3GPP Networks”
    http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf
    • Redl, Weber, Oliphant “An Introduction to GSM”
    Artech House, 1995
    • Joachim Tisal “GSM Cellular Radio Telephony”
    John Wiley & Sons, 1997
    • Lauri Pesonen “GSM Interception”
    http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html
    • 3G TR 33.900 A Guide to 3rd Generation Security
    ftp://ftp.3gpp.org/TSG_SA/WG3_Security/_Specs/33900-120.pdf
    • 3G TS 33.102 Security Architecture
    ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33102-370.zip
    • 3G TR 21.905 Vocabulary for 3GPP Specifications
    http://www.quintillion.co.jp/3GPP/Specs/21905-010.pdf

    21
    Myagmar, Gupta UIUC 2001

    You might also like