3G Security Principles

Build on GSM security

Correct problems with GSM security Add new security features

Source: 3GPP
Myagmar, Gupta

1
UIUC 2001

GSM Network Architecture

PSTN/ISDN MS
Um

BTS
A-bis

MSC

BSC

OMC

Mobility mgt
VLR HLR AUC EIR

Voice Traffic

Circuit-switched technology
Myagmar, Gupta

2
UIUC 2001

GSM Security Elements, 1

Key functions: privacy, integrity and confidentiality

Authentication
Protect from unauthorized service access Based on the authentication algorithm A3(Ki, RAND)=> SRES Problems with inadequate algorithms

Encryption
Scramble bit streams to protect signaling and user data Ciphering algorithm A8(Ki, RAND) => Kc A5(Kc, Data) => Encrypted Data Need stronger encryption

Confidentiality
Prevent intruder from identifying users by IMSI Temporary MSI Need more secure mechanism
3
Myagmar, Gupta UIUC 2001

GSM Security Elements, 2

SIM
A removable hardware security module Manageable by network operators Terminal independent

Secure Application Layer

Secure application layer channel between subscriber module and home network

Transparency
Security features operate without user assistance Needs greater user visibility

Minimized Trust
Requires minimum trust between HE and SN
4
Myagmar, Gupta UIUC 2001

Problems with GSM Security, 1

Active Attacks
Impersonating network elements such as false BTS is possible

Key Transmission
Cipher keys and authentication values are transmitted in clear within and between networks (IMSI, RAND, SRES, Kc)

Limited Encryption Scope

Encryption terminated too soon at edge of network to BTS Communications and signaling in the fixed network portion arent protected Designed to be only as secure as the fixed networks

Channel Hijack
Protection against radio channel hijack relies on encryption. However, encryption is not used in some networks.

5
Myagmar, Gupta UIUC 2001

Problems with GSM Security, 2

Implicit Data Integrity
No integrity algorithm provided

Unilateral Authentication
Only user authentication to the network is provided. No means to identify the network to the user.

Weak Encryption Algorithms

Key lengths are too short, while computation speed is increasing Encryption algorithm COMP 128 has been broken Replacement of encryption algorithms is quite difficult

Unsecured Terminal
IMEI is an unsecured identity Integrity mechanisms for IMEI are introduced late
6
Myagmar, Gupta UIUC 2001

Problems with GSM Security, 3

Lawful Interception & Fraud
Considered as afterthoughts

Lack of Visibility
No indication to the user that encryption is on No explicit confirmation to the HE that authentication parameters are properly used in SN when subscribers roam

Inflexibility
Inadequate flexibility to upgrade and improve security functionality over time

7
Myagmar, Gupta UIUC 2001

3G Network Architecture
Circuit Network
Circuit Switch
IN Services

Circuit/ Signaling Gateway Feature Server(s)

Mobility Manager

RNC Voice Radio Access Control

Data + Packet Voice

Call Agent

IP Core Network
Packet Gateway

Packet Network (Internet)

IP RAN

2G

2G/2.5G

3G 8
Myagmar, Gupta UIUC 2001

New Security Features, 1

Network Authentication
The user can identify the network

Explicit Integrity
Data integrity is assured explicitly by use of integrity algorithms Also stronger confidentiality algorithms with longer keys

Network Security
Mechanisms to support security within and between networks

Switch Based Security

Security is based within the switch rather than the base station

IMEI Integrity
Integrity mechanisms for IMEI provided from the start

9
Myagmar, Gupta UIUC 2001

New Security Features, 2

Secure Services
Protect against misuse of services provided by SN and HE

Secure Applications
Provide security for applications resident on USIM

Fraud Detection
Mechanisms to combating fraud in roaming situations

Flexibility
Security features can be extended and enhanced as required by new threats and services

Visibility and Configurability

Users are notified whether security is on and what level of security is available Users can configure security features for individual services
10
Myagmar, Gupta UIUC 2001

New Security Features, 3

Compatibility
Standardized security features to ensure world-wide interoperability and roaming At least one encryption algorithm exported on world-wide basis

Lawful Interception
Mechanisms to provide authorized agencies with certain information about subscribers

11
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 1

User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping Achieved by use of temporary identity (TMSI) which is assigned by VLR IMSI is sent in cleartext when establishing TMSI
USIM IMSI request IMSI TMSI allocation TMSI acknowledgement VLR

12
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 2

Mutual Authentication
During Authentication and Key Agreement (AKA) the user and network authenticate each other, and also they agree on cipher and integrity key (CK, IK). CK and IK are used until their time expires. Assumption: trusted HE and SN, and trusted links between them. After AKA, security mode must be negotiated to agree on encryption and integrity algorithm.
AKA process:
USIM VLR AV request, send IMSI RAND(i) || AUTN(i) Generate RES(i) Generate authentication data V(1..n) Compare RES(i) and XRES(i)
Myagmar, Gupta

HLR

13
UIUC 2001

Summary of 3G Security Features, 3

Generation of authentication data at HLR:
Generate SQN Generate RAND SQN AMF K

RAND

f1

f2

f3

f4

f5

MAC

XRES

CK

IK

AK

AUTN := SQN AK || AMF || MAC AV := RAND || XRES || CK || IK || AUTN

14
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 4

Generation of authentication data in USIM:
RAND SQN AK AUTN f5 AK AMF MAC

SQN

f1

f2

f3

f4

XMAC

RES

CK

IK

Verify MAC = XMAC Verify that SQN is in the correct range

15
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 5

Data Integrity
Integrity of data and authentication of origin of signalling data must be provided The user and network agree on integrity key and algorithm during AKA and security mode set-up
COUNT-I DIRECTION FRESH COUNT-I DIRECTION FRESH

MESSAGE

MESSAGE

IK

f9

IK

f9

MAC -I Sender UE or RNC

XMAC -I Receiver RNC or UE

16
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 6

Data Confidentiality
Signalling and user data should be protected from eavesdropping The user and network agree on cipher key and algorithm during AKA and security mode set-up
COUNT-C DIRECTION LENGTH COUNT-C DIRECTION LENGTH

BEARER

BEARER

CK

f8

CK

f8

KEYSTREAM BLOCK

KEYSTREAM BLOCK

PLAINTEXT BLOCK Sender UE or RNC

CIPHERTEXT BLOCK Receiver RNC or UE

PLAINTEXT BLOCK

17
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 7

IMEI
IMEI is sent to the network only after the authentication of SN The transmission of IMEI is not protected

User-USIM Authentication
Access to USIM is restricted to authorized users User and USIM share a secret key, PIN

USIM-Terminal Authentication
User equipment must authenticate USIM

Secure Applications
Applications resident on USIM should receive secure messages over the network

Visibility
Indication that encryption is on Indication what level of security (2G, 3G) is available
18
Myagmar, Gupta UIUC 2001

Summary of 3G Security Features, 8

Configurability
User configures which security features activated with particular services Enabling/disabling user-USIM authentication Accepting/rejecting incoming non-ciphered calls Setting up/not setting up non-ciphered calls Accepting/rejecting use of certain ciphering algorithms

GSM Compatibility
GSM user parameters are derived from UMTS parameters using the following conversion functions: cipher key Kc = c3(CK, IK) random challenge RAND = c1(RAND) signed response SRES = c2(RES) GSM subscribers roaming in 3GPP network are supported by GSM security context (example, vulnerable to false BTS)
19
Myagmar, Gupta UIUC 2001

Problems with 3G Security

IMSI is sent in cleartext when allocating TMSI to the user The transmission of IMEI is not protected; IMEI is not a security feature A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up

20
Myagmar, Gupta UIUC 2001

References
3G TS 33.120 Security Principles and Objectives
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf

3G TS 33.120 Security Threats and Requirements

http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF

Michael Walker On the Security of 3GPP Networks

http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf

Redl, Weber, Oliphant An Introduction to GSM

Artech House, 1995

Joachim Tisal GSM Cellular Radio Telephony

John Wiley & Sons, 1997

Lauri Pesonen GSM Interception

http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html 3G TR 33.900 A Guide to 3rd Generation Security ftp://ftp.3gpp.org/TSG_SA/WG3_Security/_Specs/33900-120.pdf

3G TS 33.102 Security Architecture

ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33102-370.zip

3G TR 21.905 Vocabulary for 3GPP Specifications

http://www.quintillion.co.jp/3GPP/Specs/21905-010.pdf

21
Myagmar, Gupta UIUC 2001