Of
“A Security Perspective”
By
Sangram Gayal
and
1. Abstract
4. Conclusion
References
1. Abstract
Mobile telephone systems have gained a very bad reputation worldwide on
issues of security and authentication. It is estimated that eavesdropping and
other mobile telephony frauds accounted for more than US$ 750M of
lost revenue in the United States in the year 2001. No such estimates are
presently available for India because of a lack of awareness.
Authentication, security, and privacy are important issues to be looked into.
There are ongoing efforts to enhance the security level of the system, and new
technologies are reaching the market with added security features. This
paper attempts to compare the security features provided by GSM mobile
telephony standards and the CDMA standards promoted by 2.5G and 3G.
Response [SRES]) back. The operator can check that, given the key of the
mobile, the response to the challenge is correct.
Impersonation
• Of the User
This is the capability whereby the intruder sends signaling and/or user data
to the network, in an attempt to make the network believe they originate
from the target user.
• Of the Network
This is the capability whereby the intruder sends signaling and/or user data
to the target user, in an attempt to make the target user believe they
originate from a genuine network.
Impersonation leads mainly to one kind of attack, the SIM card cloning
attack. This attack exploits the weaknesses in the COMP128 algorithm listed
below:
• The algorithm reveals information about the Ki when the appropriate RANDs
are given as arguments to the A8 algorithm.
• The algorithm requires lookup of large tables, which can only be achieved in
a complicated way on simple devices such as SIM cards, and this leaks a lot
of sensitive information on the side channels.
Over-the-air attack
The over-the-air attack is based upon the fact that the MS is required to
respond to every challenge made by the GSM network. If the signal of the
legitimate BTS is overpowered by a rogue BTS of the attacker, the attacker
can bombard the target MS with challenges and reconstruct the secret key from
these responses. Again, the MS has to be available to the attacker over the
air for the whole time it takes to conduct the attack. It is not known how long
the attack would take when conducted over the air. Estimates vary from
eight to thirteen hours.
But building a BTS is highly impractical, as the cost of building one is
estimated at around $10,000.
Partitioning attack
These attacks extract secret key information from SIM cards by monitoring
side channels such as power consumption and electromagnetic (EM)
emanations.
Scientists have known for some time that by looking at side channels
such as the power consumption and the EM emanations of a computing
device, one can derive some information about its internal workings. The
attack can be easily accomplished by making the card perform the algorithm
just seven times with the unknown key. A hacker who has possession of a
SIM card for a minute can easily extract the full 128-bit key.
Man-in-the-middle attack
This is the capability whereby the intruder puts itself in between the target
user and a genuine network and has the ability to eavesdrop, modify, delete,
re-order, replay, and spoof signaling and user data messages exchanged
between the two parties. Man-in-the-middle attacks mainly deal with
attacking the A5 algorithm. A5 has three versions:
• A5/1 (stronger version)
Used by the USA and European countries
• A5/2 (weaker version)
Export version. Allowed to be used by developing countries
• A5/0 (no-encryption version)
Allowed to be used by underdeveloped countries
Note that even though India can use the A5/2 version, the majority of
subscribers use no encryption.
Before getting into the vulnerabilities in A5/1 and A5/2, let’s look briefly at
their structure.
A5/1 Structure
Three LFSRs (Linear Feedback Shift Registers)
o R1 (19-bit)
o R2 (22-bit)
o R3 (23-bit)
The combination function is XOR. The only non-linear component is the clock
control mechanism.
A5/2 Structure
Four LFSRs
o R1 (19-bit)
o R2 (22-bit)
o R3 (23-bit)
o R4 (17-bit)
The combination function is XOR. The only non-linear component is the clock
control mechanism.
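The A5/1 structure described above, as an added Python sketch that is not part of the original paper: three LFSRs of 19, 22 and 23 bits, an XOR combiner, and majority-rule stop/go clocking as the only non-linear step. The register lengths come from the text; the tap positions, clocking bits, and the 64-bit key and 22-bit frame-number loading are assumptions taken from the publicly documented A5/1 design, and the sample key is constructed.

```python
# Added example. Each entry: (length, feedback tap bits, clocking bit).
# Lengths are from the text; taps and clocking bits are assumptions taken
# from the publicly documented A5/1 design.
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))

def shift(state, length, taps):
    """Clock one LFSR: shift left and feed back the XOR of the tap bits."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) & ((1 << length) - 1)) | fb

def clock_all(regs, inbit):
    """Regular clocking while loading: every register moves, inbit is XORed in."""
    return [shift(r, n, taps) ^ inbit for r, (n, taps, _) in zip(regs, REGS)]

def clock_majority(regs):
    """Stop/go clocking: only registers whose clocking bit equals the majority move."""
    cbits = [(r >> c) & 1 for r, (_, _, c) in zip(regs, REGS)]
    maj = int(sum(cbits) >= 2)
    moved = [b == maj for b in cbits]
    regs = [shift(r, n, taps) if m else r
            for r, m, (n, taps, _) in zip(regs, moved, REGS)]
    return regs, moved

def a51_keystream(key, frame, nbits=114):
    """Return (keystream bits, per-step list of which registers moved)."""
    regs = [0, 0, 0]
    for i in range(64):                       # load the 64-bit session key
        regs = clock_all(regs, (key[i // 8] >> (i & 7)) & 1)
    for i in range(22):                       # load the 22-bit frame number
        regs = clock_all(regs, (frame >> i) & 1)
    for _ in range(100):                      # mixing steps, output discarded
        regs = clock_majority(regs)[0]
    bits, trace = [], []
    for _ in range(nbits):
        regs, moved = clock_majority(regs)
        trace.append(moved)
        # The combiner is a plain XOR of the three most significant bits.
        bits.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return bits, trace

if __name__ == "__main__":
    key = bytes.fromhex("1223456789abcdef")   # constructed sample key
    bits, trace = a51_keystream(key, 0x134)
    print("".join(map(str, bits)))
    print("steps where one register stalled:", sum(1 for m in trace if sum(m) == 2))
```

Because everything except the clocking is linear, an all-zero key and frame number leave the registers at zero and produce an all-zero keystream.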
Attacks on A5/1 and A5/2
There are mainly two types of attacks on A5/1 and A5/2:
• Hardware-based attacks
o Require an FPGA
• Software-based attacks
o Known ciphertext attacks
o Known plaintext attacks
The best published attacks against A5/1 require between 2^40 and 2^45 steps,
and those against A5/2 require 2^17 steps.
down by one third. The attack can also be distributed between multiple
chips, thus drastically decreasing the time required.
SS7 over IP
* Higher throughputs and bandwidths are now possible with technologies like
IP over SDH, allowing high-end machines like the SMSC and HLR to
support heavy traffic.
* Enhanced services, which are quite obvious when implementing IP.
* A diversity of solutions is possible that avoids dealing with the complexity
of the SS7 network by providing an interface only at the application level.
For example, using protocols like MTP3 User Application (M3UA) and SCCP
User Application (SUA), an application vendor such as an SMSC vendor has to
deal with the application layer only.
- SIGTRAN defined a new protocol for the transport of signaling protocols.
The reasons for not using TCP were attributed to its limitations, such as its
stringent reliability mechanisms, which resulted in unnecessary delays and
made it unsuitable for running real-time applications. The limited capability
of TCP sockets, along with weak security features (especially against DoS
attacks), led to TCP being replaced by a new architecture.
Attackers can gain access to the network in a number of ways:
Attacks on nodes of SS7 networks
1. SSP
Located at the periphery of an SS7 network, the SSP is the node most prone to
attack because of weak authentication. It is also a prime target for packet
sniffing, because a specific user's data always passes through the same SSP.
A Distributed Denial of Service (DDoS) attack overloads the STP-SSP
connection by sending a large number of IAMs to a single SSP. An attacker
intercepting at that compromised SP could modify IAMs to request a connection
with some targeted user.
2. STP
An STP can be attacked by exploiting weaknesses in the routing protocols.
A bogus STP can eavesdrop on certain conversations by collecting and
filtering the packets received at the hacked STP. SCCP packets may be
forwarded to any location by modifying the destination address.
Sensitive information like Point Codes of the network could be obtained by
accessing the corresponding SCPs. The GTT database could also be modified.
Multiple (compromised) STPs might be modified to re-route all the traffic via
a specific STP, causing overloading and rendering the connected SSP useless.
Fabricated MTP layer 3 packets would be unable to provide link
management features such as notifying surrounding nodes of the failure of a
signaling point, which might cause congestion, data loss, and subsequent
crippling of the network.
3. SCP
The SCP contains database information, so it is highly vulnerable. Attacks
associated with toll-free numbers include modifying the number to direct
charges to some other, totally unrelated party, changing the billing
information, disrupting a business by forwarding all calls addressed to it to
some illicit telephone number, or, more seriously, modifying the forwarding
address to that of some emergency service. A compromised SCP also leads to
voice mail hacking: full access to someone's voice mailbox by obtaining
passwords using TCAP messages.
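One way to detect the IAM flood against a single SSP described under node 1, as an added Python example that is not part of the original paper. The log record layout, point codes, time window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

def iam_flood_alerts(records, window_ms=5000, threshold=10):
    """Flag each destination point code (DPC) that receives more than
    `threshold` IAMs within `window_ms`. Both limits are assumed values."""
    recent = defaultdict(deque)      # dpc -> (timestamp, opc) of recent IAMs
    alerts = {}
    for ts, msg, opc, dpc in sorted(records):
        if msg != "IAM":
            continue                 # only call-setup requests are counted
        q = recent[dpc]
        q.append((ts, opc))
        while ts - q[0][0] > window_ms:
            q.popleft()              # drop IAMs that fell out of the window
        if len(q) > threshold and dpc not in alerts:
            alerts[dpc] = {"first_seen_ms": ts, "iams_in_window": len(q),
                           "sources": sorted({o for _, o in q})}
    return alerts

def sample_records():
    """Constructed signaling log: (time_ms, ISUP message, OPC, DPC)."""
    normal = []
    for t in range(0, 60000, 6000):  # one ordinary call every 6 s
        normal += [(t, "IAM", "1-1-1", "2-10-1"),
                   (t + 900, "ACM", "2-10-1", "1-1-1"),
                   (t + 4000, "REL", "1-1-1", "2-10-1")]
    burst = [(30000 + i * 100, "IAM", "1-1-%d" % (i % 4 + 2), "2-10-7")
             for i in range(25)]     # 25 IAMs in 2.5 s aimed at one SSP
    return normal + burst

if __name__ == "__main__":
    for dpc, info in iam_flood_alerts(sample_records()).items():
        print(dpc, info)
```

The alert records the originating point codes seen in the window, which tells an operator whether the burst comes from one signaling point or several.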
waveform. A large number of CDMA signals share the same frequency
spectrum. If CDMA is viewed in either the frequency or time domain, the
multiple access signals appear to be on top of each other. The signals are
separated in the receiver by using a correlator which accepts only signal
energy from the selected binary sequence and despreads its spectrum. The
other users’ signals, whose codes do not match, do not despread in
bandwidth and as a result, contribute only to the noise and represent a self-
interference generated by the system. The signal-to-interference ratio is
determined by the ratio of desired signal power to the sum of the power of all
the other signals, and is enhanced by the system processing gain or the ratio
of spread bandwidth to baseband data rate. The major parameters that
determine the CDMA digital cellular system capacity are processing gain,
required Eb/N0, voice duty cycle, frequency reuse efficiency, and the number
of sectors in 1 cell. The CDMA cellular telephone system achieves a spectral
efficiency of up to 10 times the analog FM system efficiency when serving the
same area with the same antenna system. This is a capacity of up to one call
per 10 kHz of spectrum.
In the cellular radio frequency reuse concept, interference is accepted but
controlled with the goal of increasing system capacity. CDMA does this
effectively because it is inherently an excellent anti-interference waveform.
Since all calls use the same frequencies, CDMA frequency reuse efficiency is
determined by a small reduction in the signal-to-noise ratio caused by
system users in neighboring cells. CDMA frequency reuse efficiency is
approximately 2/3 compared to 1/7 for narrowband FDMA systems. The
CDMA system can also be a hybrid of FDMA and CDMA techniques where the
total system bandwidth is divided into a set of wideband channels, each of
which contains a large number of CDMA signals.
Unlike FDMA or TDMA, CDMA has multiple users simultaneously sharing the
same wide band channel. Individual users are selected by correlation
processing of the pseudonoise waveform.
Note that, for originating a call, the phone number is also input to the
algorithm. This is because the random challenge is broadcast and changes
regularly, instead of being unique to the origination. This saves message
overhead both over the air and within the network. The output from CAVE is
truncated to 18 bits, meaning that there is about 1 chance in ¼ million of
faking a call by sending a random signature. At these odds, we can invest in
the lottery. The shared secret data can be sent to the visited system while
roaming, allowing local authentication. If encryption is supported, the various
privacy keys are generated soon afterwards. CAVE is a hashing algorithm
which works by using a shift register driven walk over the input data and a
somewhat random table, and shuffling the inputs. It takes 23 octets of input
and produces 16 octets of output. Future IS-41 systems will replace most of
the functionality of CAVE with SHA-1, the US FIPS-180-1 Secure Hash
Standard.
Data such as numbers dialed, short messages (paging), and DTMF tones are
put into data packets and are encrypted using CMEA (Cellular Message
Encryption Algorithm). This is a variable length block cipher, which works by
a table walk using a key-derived somewhat random table, a self-inverse
“folding” and the inverse of the first step. This makes the algorithm itself
self-inverse, which isn’t such a hot idea in retrospect. The cipher is used in
ECB (Electronic Code Book) mode, ditto. The packet formats differ for the
three standards, but the algorithm is the same. CMEA has been broken.
Data Privacy
ORYX, an LFSR-based stream cipher intended for wireless data services, is
used for encrypting data over CDMA wireless networks.
Vendors can implement any algorithm (like DES or 3-DES) for data protection
if they wish to.
CDMA uses spread spectrum technologies for communication. The data signal
is spread over the whole available bandwidth. All the users transmit their
data simultaneously. The data is modulated by a fast-moving PRN which
spreads it all over the spectrum. The PN numbers of the stations are
orthogonal. The assumption is that when multiple stations transmit
simultaneously, the resultant signals add linearly. Hence there exists a
mathematical algorithm to separate each signal at the receiving end, provided
the PN numbers of the transmitting stations are known.
This means that it is possible to intercept the data of individual base stations
only if the attacker knows the PN. There have been some advances in the
interception of CDMA data, which make it possible to monitor and identify
data meant for a particular base station.
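The separation argument above, as an added Python example that is not part of the original paper: three stations spread their bits with orthogonal codes, the channel adds the chips linearly, and a receiver recovers one station's bits by correlating with that station's code. Walsh codes stand in here for the orthogonal PN numbers, and the station indices and data bits are constructed.

```python
def walsh(n):
    """Return n mutually orthogonal Walsh codes of length n (n a power of two)."""
    codes = [[1]]
    while len(codes) < n:
        codes = [r + r for r in codes] + [r + [-c for c in r] for r in codes]
    return codes

def spread(bits, code):
    """Map each data bit to +1/-1 and multiply it by every chip of the code."""
    return [(1 if b else -1) * c for b in bits for c in code]

def channel(*signals):
    """Simultaneous transmissions add linearly, chip by chip."""
    return [sum(chips) for chips in zip(*signals)]

def despread(rx, code):
    """Correlate each symbol period with one code; return (bits, correlations)."""
    n = len(code)
    corr = [sum(r * c for r, c in zip(rx[i:i + n], code)) / n
            for i in range(0, len(rx), n)]
    return [1 if v > 0 else 0 for v in corr], corr

def demo():
    codes = walsh(8)
    # Constructed sample data: three stations, four bits each.
    users = {1: [1, 0, 1, 1], 2: [0, 0, 1, 0], 5: [1, 1, 0, 1]}
    rx = channel(*(spread(bits, codes[k]) for k, bits in users.items()))
    recovered = {k: despread(rx, codes[k])[0] for k in users}
    # A receiver correlating with a code nobody transmits on sees no energy.
    unused_corr = despread(rx, codes[3])[1]
    return users, recovered, unused_corr, rx

if __name__ == "__main__":
    users, recovered, unused_corr, rx = demo()
    print("composite chips:", rx[:8])
    print("recovered:", recovered)
    print("correlation with unused code:", unused_corr)
```

Recovery depends only on knowing which code a station uses; the composite signal itself carries every station's data at once.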
The research done by Gary E. Ford and Michael Golanbari shows that, using
multi-user detectors on board airborne and terrestrial mobile interceptors,
simultaneous detection in a single receiver of all communication signals
transmitted by the base station of interest is possible.
3.7 Security Concerns in CDMA
CDMA uses the CAVE algorithm for authentication, along with encryption
algorithms like CMEA and ORYX for privacy and integrity of data. These
algorithms were considered to be secure until recently. But it is now
known that cryptanalytic attacks are possible on these
algorithms (ref 1, 3). The attacks are similar to those conducted on the GSM
system, namely known plaintext and known ciphertext attacks. Hence we can
conclude that the encryption provided by CDMA standards is inadequate.
4. Conclusion
Clearly, CDMA is the next-generation technology in terms of voice and
data transmission over the air. Even though the cryptographic algorithms
for CDMA have been broken, CDMA interception has a long way to go. This
means that CDMA transmissions will remain secure for at least a few years
from now.
References
1. Cryptanalysis of the Cellular Message Encryption Algorithm
By David Wagner, Bruce Schneier, John Kelsey
i. http://www.cs.berkeley.edu/~daw/papers/cmea-crypto97-www/paper10.html
2. Qualcomm papers
i. http://www.qualcomm.com/main/whitepapers/1xEV_AirlinkOverview_110701.pdf
ii. http://www.qualcomm.com/press/PDF/about_cdma.pdf
iii. http://www.qualcomm.com/press/PDF/GSM1x_Overview.pdf
About the Authors