
Wireless Networks Security

Onoriu Bradeanu

Contents

1. Communication Networks
2. The GSM/GPRS network
3. 3G WCDMA network
4. LTE network
5. IMS approach
6. IEEE 802.11 and Handheld Devices

http://ec.europa.eu/information_society/index_en.htm

Network & Information Security (NIS)


Definition: the ability of a network or an
information system to resist, at a given
level of confidence, accidental events or
malicious actions that compromise the
availability, authenticity, integrity and
confidentiality of stored or transmitted
data and the related services offered by or
accessible via these networks and
systems.
Source: COM(2001)298 of 6.6.2001
http://eur-lex.europa.eu/LexUriServ/site/en/com/2001/com2001_0298en01.pdf

Quality of attacks vs. knowledge of attackers

Telecom World

[Figure: the telecom world. Labels: network intelligence, access, trunk network/transport, network management, requirements, standards, technology, services, business (SEK, $, DM, HK$), Telecom Act, vendors, incumbent, intruder, service provider, regulator.]

End user segments: Residential, Small business, Medium business, Large business, Universities, Hospitals, ...

Services: POTS, Video, Data, LAN, VPN, Conf., WWW, E-mail, VoIP, VoATM, Games, Information, ...
What is a threat in a communication network?

Abstract Definition:
A threat in a communication network is any possible event or sequence of actions
that might lead to a violation of one or more security goals
The actual realization of a threat is called an attack

Examples:
- A hacker breaking into a corporate computer
- Disclosure of emails in transit
- Someone changing financial accounting data
- A hacker temporarily shutting down a website
- Someone using services or ordering goods in the name of others

Security goals technically defined


Confidentiality:
Data transmitted or stored should only be revealed to an intended
audience
Confidentiality of entities is also referred to as anonymity

Data Integrity:
It should be possible to detect any modification of data
This requires being able to identify the creator of some data

Accountability:
It should be possible to identify the entity responsible for any
communication event

Availability:
Services should be available and function correctly

Controlled Access:
Only authorized entities should be able to access certain services or
information

Threats technically defined


Masquerade:
An entity claims to be another entity

Eavesdropping:
An entity reads information it is not intended to read

Authorization Violation:
An entity uses a service or resources it is not intended to use

Loss or Modification of (transmitted) Information:
Data is being altered or destroyed

Denial of Communication Acts (Repudiation):
An entity falsely denies its participation in a communication act

Forgery of Information:
An entity creates new information in the name of another entity

Sabotage:
Any action that aims to reduce the availability and / or correct functioning
of services or systems

Threats and technical security goals

[Table: general threats (columns: Masquerade, Eavesdropping, Authorisation Violation, Loss or Modification of (transmitted) information, Denial of Communication acts, Forgery of Information, Sabotage (e.g. by overload)) against technical security goals (rows: Confidentiality, Data Integrity, Accountability, Availability, Controlled Access); an x marks each goal a threat affects.]

These threats are often combined in order to perform an attack!

Communications security: Some terminology


Security Service:
An abstract service that seeks to ensure a specific security property
A security service can be realised with the help of cryptographic
algorithms and protocols as well as with conventional means:
One can keep an electronic document on a floppy disk confidential by storing it
on the disk in an encrypted format as well as locking away the disk in a safe
Usually a combination of cryptographic and other means is most effective

Cryptographic Algorithm:
A mathematical transformation of input data (e.g. data, key) to output
data
Cryptographic algorithms are used in cryptographic protocols

Cryptographic Protocol:
A series of steps and message exchanges between multiple entities in
order to achieve a specific security objective


Security services Overview


Authentication
The most fundamental security service, which ensures that an entity in fact has
the identity it claims to have

Integrity
In a sense the little brother of the authentication service, as it
ensures that data created by specific entities may not be modified
without detection

Confidentiality
The most popular security service, ensuring secrecy of protected data

Access Control
Ensures that each identity accesses only those services and information
it is entitled to

Non-Repudiation
Protects against entities participating in a communication exchange
later falsely denying that the exchange occurred

Reference model for security architecture

Layered defense strategy

GSM Security Features and Design Limitations

Access authentication of user
- cryptographic based
- implemented in a physically secure module, the SIM

Protection against eavesdropping on the radio interface
- air-interface encryption terminated at base station
- confined to user traffic
- security parameters constrained by industry practice (DES for financial sector)

Prevention of identity tracking
- use of TMSI

No authentication of networks
No protection against active attacks

A complex telecommunications world: a multiplicity of networks

[Figure: layered view of the telecommunications world. Labels: service control; network intelligence; mobility; servers and other equipment for value added services; networks IP, PLMN, PSTN/ISDN, Frame relay, ATM; transport; network management; access over radio, copper and fiber; terminals.]


GSM Network Components

GSM identities (I)

Temporary Mobile Subscriber Identity (TMSI)


The Temporary Mobile Subscriber Identity (TMSI) is a temporary IMSI number made
known to an MS at registration. It is used to protect the subscriber's identity on the air
interface.

GSM identities (II)

GSM identities (III)

- TAC: Type Approval Code, determined by a central GSM body
- FAC: Final Assembly Code, identifies the manufacturer
- SNR: Serial Number, an individual serial number of six digits that uniquely identifies all equipment within each TAC and FAC
- spare: a spare digit for future use. When transmitted by the MS this digit should always be zero
- SVN: Software Version Number, allows the mobile equipment manufacturer to identify different software versions of a given type approved mobile. SVN value 99 is reserved for future use

THE RELATIONSHIP BETWEEN BURSTS AND FRAMES

Traffic cases: MS in idle mode

Authentication Procedure (I)

GSM Triplet Generation, Distribution and Subscriber Management

Authentication and Encryption for GSM using triplets and SIM

Algorithms: technical and political constraints

- Encryption restricted to the air interface between mobile and base station
  - three algorithms of different strengths: A5/1, A5/2 and recently A5/3
- Encryption specifications should not be published
  - so peer review was not really possible
- Encryption implemented in hardware
  - so it could not readily be used for other applications
  - because encrypted bits are transmitted and received at 200 kb/s
  - and need at most 3000 transistors
- Encryption must not propagate errors, not create additional processing delays, and re-synchronise on every TDMA frame
- COMP 128 made available as an example authentication and key generation algorithm, although there was no need for a standard

Simple definition of a cypher system

Symmetric encryption
General description:
The same key $K_{A,B}$ is used for enciphering and deciphering of messages:

[Figure: Plaintext -> Encrypt -> Ciphertext; Ciphertext -> Decrypt -> Plaintext]

Notation:
If $P$ denotes the plaintext message, $E(K_{A,B}, P)$ denotes the
ciphertext and it holds that $D(K_{A,B}, E(K_{A,B}, P)) = P$
Alternatively we sometimes write $\{P\}_{K_{A,B}}$ for $E(K_{A,B}, P)$
Examples: DES, 3DES, IDEA, ...

Asymmetric cryptography (1)


General idea:
Use two different keys $-K$ and $+K$ for encryption and decryption
Given a random ciphertext $c = E(+K, m)$ and $+K$ it should be infeasible to
compute $m = D(-K, c) = D(-K, E(+K, m))$
This implies that it should be infeasible to compute $-K$ when given $+K$
The key $-K$ is only known to one entity A and is called A's private key $-K_A$
The key $+K$ can be publicly announced and is called A's public key $+K_A$

[Figure: Plaintext -> Encrypt with +K -> Ciphertext; Ciphertext -> Decrypt with -K -> Plaintext]

Asymmetric cryptography (2)


Applications:
Encryption:
If B encrypts a message with A's public key $+K_A$, he can be sure that only A can
decrypt it using $-K_A$

Signing:
If A encrypts a message with his own private key $-K_A$, everyone can verify this
signature by decrypting it with A's public key $+K_A$

Attention:
It is crucial that everyone can verify that he really knows A's public key and not
the key of an adversary!

Practical considerations:
Asymmetric cryptographic operations are orders of magnitude slower than
symmetric ones
Therefore, they are often not used for encrypting / signing bulk data
Symmetric techniques are used to encrypt / compute a cryptographic
hash value and asymmetric cryptography is just used to encrypt a key /
hash value

A5 coding

A5/1

Operation of A5 at the mobile station

Attacks against the A5/1 algorithm

Brute-force attack
- It is a rudimentary attack
- Complexity of 2^64
- It cannot practically be carried out in real time

Attacks against the A5/1 algorithm

Divide-and-conquer attack
- Complexity of 2^45 (2^9 = 512 times faster)
- Requires knowledge of 64 consecutive bits
- Requires prior knowledge of the correspondence between a plaintext and a ciphertext

Attacks against the A5/2 algorithm

The Biham, Barkan and Keller attack
- A5/2 uses the same key as A5/1
- Requires intercepting a few milliseconds of encrypted data
- Complexity of 2^16

The False BS Threat

Attacks against the A5/3 algorithm

Man-in-the-middle attack

THE A8 ALGORITHM
This is the algorithm that generates the voice confidentiality key, Kc.
A8 generates the session key, Kc, once the MS receives RAND from the MSC.
The specifications of this algorithm were never made public.
A session key Kc is used until the MSC decides to authenticate the MS again.

[Figure: RAND (128 bit) and Ki (128 bit) -> A8 -> Kc (64 bit)]

THE A8 ALGORITHM
It uses the COMP128 algorithm, just like the A3 algorithm.
Almost every GSM operator uses COMP128 or a derived variant.
COMP128 inputs:
- RAND (128 bits)
- Ki (128 bits)
COMP128 outputs:
- SRES (32 bits)
- Kc (54 bits)
The result is a key Kc of 54 bits instead of 64 bits (the occupied space is reduced).

[Figure: RAND (128 bit) and Ki (128 bit) -> COMP128 -> 128 bit output: SRES 32 bit and Kc 54 bit]

The WGB attack

In 1998, the Smartcard Developer Association (Marc Briceno),
together with 2 researchers from U.C. Berkeley (Wagner and
Goldberg), produced the first publicized attack on COMP128.
The key Ki (128 bits) could be deduced by making
approximately 150,000 queries.
Physical access to the SIM, a card reader and a
computer are required.
It uses the Narrow Pipe concept.

COMP128

A single run of COMP128 computes both SRES and Kc.
The structure of COMP128 is similar to that of the FFT.
It is a fast algorithm in terms of execution time (9 main stages).
It nevertheless has a number of vulnerabilities (it is prone to attacks).
It was reverse-engineered in 1998 by the WGB group:
Marc Briceno, Ian Goldberg and David Wagner.

COMP128

Following the vulnerabilities discovered, new COMP128 versions were released:
- COMP128-1 set a maximum number of RAND challenges.
- COMP128-2 uses a new way of computing the responses.
- COMP128-3 increased the length of the key response Kc, for initializing A5.
- COMP128-4 was built on AES and is used in UMTS.

COMP128 processing

COMP128 processing
RAND (16 bytes) and Ki (16 bytes) are concatenated to form the input x
The input is truncated until it is reduced from 32 to 16 bytes (8 stages)
After each truncation the resulting value x is permuted
The result of the permutation is used as the random input for the next stage
After the 8 truncations, the resulting value is used as the output of the
algorithm without being permuted.

COMP128 processing

The Narrow Pipe attack

Bits i, i+8, i+16, i+24 at the output of the second level depend
only on bits i, i+8, i+16, i+24 of the initial input.
The birthday paradox says that we can expect a
collision after approximately $2^{4 \cdot 7/2} = 2^{14} = 20538$ different challenges.
The whole key is obtained after approximately $8 \cdot 2^{14} = 164{,}300$
challenges.
The total data capture period is approximately 7.5 h.

The partitioning attack
We need to:
A. Find R[0] such that:
   K[0] + 2R[0] (mod 512) < 256
   K[0] + 2(R[0] + 1) (mod 512) >= 256
B. Find R[0] such that:
   2K[0] + R[0] (mod 512) < 256
   2K[0] + R[0] + 1 (mod 512) >= 256
C. One of the K[0] from A) must match a K[0] from B)

Efficiency:
- 1000 random challenges
- 255 chosen challenges
- 8 adaptively chosen challenges

Improving the WGB attack

Tables with 8 entries were computed
Each time a collision is found, the lookup tables are
simply checked to find the key.
The space requirements are on the order of GB
This technique could reduce the amount of computation needed from the
computer, but the time will not decrease that much.
In this case the average number of challenges needed to
determine a key is approximately 60,000

The new attack
There are 769 stronger components, which generate strong keys
with an effective length of 8 log2 769 = 76.7 bits.

The new attack moves on to inducing collisions at Level 3.

Bits i+16, i+20, i+24, i+28 must be determined, each of them being
built from two of the 769 strong components i, i+8.

When bits i+16, i+20, i+24, i+28 produce a collision, the 769 x 769
possible values of elements i, i+4, i+8, i+12 are searched until
one is found that gives a collision for the same pair of bits i+16,
i+20, i+24, i+28.

GPRS Packet data transfer

GPRS Mobility Management States

GPRS Attach Process (Mobility Management)

GPRS ATTACH Procedure

[Figure: message sequence between MS, BTS/BSC, SGSN, GGSN, MSC/VLR, HLR and AUC. Messages: GPRS Attach Request; Request for Triplets; Asks for Triplets; Respond Triplets; RAND: Request SRES; Respond: SRES; OK!; Update Location; Respond: MS service profile; Attach Accept & P-TMSI; Attach Complete.]

GPRS A5 Algorithm

GPRS PDP Context Activation (Session Mgt.)

Access Point Name - APN

Authentication in GPRS - Remote Authentication Dial In User Service (RADIUS)

[Figure: BTS, BSC, SGSN, backbone, HLR, GGSN (RADIUS client) and the ISP's RADIUS server; PAP/CHAP goes to the RADIUS server, which answers Accept / Reject.]

RADIUS server is used primarily for authentication
IP address allocation is optional
RADIUS server validates PAP/CHAP sent from MS and
returns Access-Accept/-Reject

UP/Down-link data transfer

Packet Routing and Tunneling

[Figure: BTS, BSC, SGSN, backbone, GGSN, two firewalls (FW) and a corporate network with an application server. Labels: GTP tunnel; IPSec tunnel; destination/source private IP addresses; GGSN/FW public IP addresses.]


From 1st to 3rd Generation

[Figure: evolution along a timeline 1980, 1990, 2000. 1st generation: analogue speech (NMT, AMPS, TACS). 2nd generation: digital speech + medium-rate data (GSM, PDC, IS-95, IS-136 (D-AMPS)). 3rd generation: high speed data (IMT-2000/UMTS). Other labels: global roaming, multiple services, quality.]

Coexistence of GSM and UMTS network elements

[Figure: a common core network, connected to PSTN/ISDN and the Internet, serves both the GSM Base Station Subsystem (BSS) and the UMTS Terrestrial Radio Access Network (UTRAN).]

UMTS/GSM Reference model

[Figure: reference model with four domains. UE: SIM with MT, USIM with ME. AN: BSS (BTS, BSC) and UTRAN (RNS with BS and RNC). CN: MSC, GMSC, SCF, HLR, EIR, AUC, SGSN, GGSN, SMS-GMSC, SMS-IWMSC. External networks: ISDN, PSTN, PSPDN, CSPDN, PDN (intranet, extranet, Internet). Interfaces shown include Iu, Iur and Gb.]

Note: not all interfaces shown and named

Technical Vision
Vertical vs Horizontal Integration

[Figure: today's solutions versus future solutions. Labels: services; connectivity; access, transport & switching networks; CATV, Data/IP networks, PSTN/ISDN, PLMN; services/applications.]

Services/Applications

The Vision
Layered Network Design

[Figure: layered network. Application layer: applications, service capability servers, services. Control layer: MSC server, SGSN server, HLR, GMSC/transit server. Connectivity layer: access networks GSM, EDGE, WCDMA, media gateways, packet backbone network, GGSN, connecting to PSTN/ISDN, Internet and intranets. Legend: user data, control.]

UTRAN Model
3GPP TS 25.201 4.0

UTRAN OSI Model

[Figure: protocol layers. Layer 3: Radio Resource Control (RRC). Logical channels, grouped by information content (user data; control and signaling). Layer 2: Medium Access Control (MAC). Transport channels, grouped by method of transport. Layer 1: physical layer. Physical channels. Direct RRC control of the physical layer.]

Air Interface

Physical Channels Distinguished by:


- RF Frequency
- Channelization Code
- Spreading Code
- Modulation (I/Q) Phase (uplink)
- Timeslot (TDD mode)

WCDMA Code Types


Channelization Codes (Orthogonal Codes)
- Used to orthogonally code different data channels from BS, UE

Scrambling Codes (Spread Spectrum Codes)
- BS Scrambling Codes: used by UE to distinguish the desired BS
- UE Scrambling Codes: used by BS to distinguish the desired UE

Synchronization Codes
- Primary Sync. Code: fixed 256-bit code
  - Helps UE identify the presence of a WCDMA BS
  - Helps UE achieve Slot Synchronization
- Secondary Sync. Codes: group of 256-bit codes
  - Helps UE achieve Frame Synchronization

Pilot Codes
- A full-time common Pilot (CPICH) provides coherent reference for UE receiver
- Pilot data bits are embedded into each timeslot of the Dedicated Data Channel

Random Access Preamble Codes
- Preamble Signatures: used by BS to distinguish between UE making access attempts
- Preamble Scrambling Codes: used to identify which BS is being accessed

Code Layering
3GPP TS 25.201 4.2.1, 4.2.3

WCDMA Code Layering

FDD downlink
- OVSF data channelization codes: OVSF, 4 ~ 512 chips
- OVSF modulation symbol rate: 960 ksps ~ 7.5 ksps
- Scrambling codes (distinguish BTS or UE): complex (I,jQ) code, 38,400 chips of a 2^18 Gold sequence

FDD uplink
- OVSF data channelization codes: OVSF, 4 ~ 256 chips
- OVSF modulation symbol rate: 960 ksps ~ 15 ksps
- Scrambling codes (distinguish BTS or UE): complex (I,jQ) code, 38,400 chips of a 2^25 Gold sequence or 256-chip S(2) code, multiplied by HPSK rotator codes

TDD downlink
- OVSF data channelization codes: OVSF (1 or 16 chips)
- OVSF modulation symbol rate: 3.84 Msps, 240 ksps

TDD uplink
- OVSF data channelization codes: OVSF (1, 2, 4, 8, or 16 chips)
- OVSF modulation symbol rate: 3.84 Msps ~ 240 ksps

TDD scrambling codes
- Code length same as OVSF length (1, 2, 4, 8, or 16 chips)
- 127 scrambling codes specified in TS25.223 V 3.0.0 Annex A
- Each cell has a specific scrambling code from the group of 127 codes

PN & Orthogonal Codes

[Figure: two base stations (BS1, BS2) and four users (User 1 to User 4), each link labelled with its PN scrambling code and orthogonal codes. Labels: pilot, broadcast PN1 + OCp + OCb; 1 data channel PN1 + OC3; 2 data channels PN1 + OC1 + OC2; 2 data channels PN3 + OC1 + OC2; 2 data channels PN4 + OC1 + OC2; pilot, broadcast PN2 + OCp + OCb; 3 data channels PN2+OC4+OC5+OC6; 3 data channels PN2+OC1+OC2+OC3; 3 data channels PN5+OC1+OC2+OC3; 3 data channels PN6+OC1+OC2+OC3.]

Acquisition and Synchronization


Physical Layer Procedures
1) UE Acquisition and Synchronization

P-CCPCH
(PSC + SSC + BCH)

Initiate Cell Synchronization
1. UE monitors Primary SCH code, detects peak in matched filter output
   -> Slot Synchronization determined
2. UE monitors Secondary SCH code, detects SCG and frame start time offset
   -> Frame Synchronization and Code Group determined
3. UE determines Scrambling Code by correlating all possible codes in group
   -> Scrambling Code determined
4. UE monitors and decodes BCH data
   -> BCH data, super-frame synchronization determined
5. UE adjusts transmit timing to match timing of BS + 1.5 chips

Cell Synchronization Complete

Random Access
Physical Layer Procedures
2) UE Requests System Access and Registration

Cell Synchronization Complete
- UE reads Random Access parameters from BS; calculates Random Access probe power
- Initiate Random Access attempt; respond to Authentication challenge
- When system Registration is complete, UE enters Idle mode

P-CCPCH
(PSC + SSC + BCH)

Downlink Transmission Timing


3GPP TS 25.211 7.0

[Figure: downlink physical channel timing over one 10 ms frame (slots #0 to #14). Channels shown: SCH (primary and secondary, PSC+SSC); CPICH (Common Pilot Channel); P-CCPCH (primary CCPCH, broadcast data) for SFN modulo 2 = 0 and SFN modulo 2 = 1; k:th S-CCPCH (secondary CCPCH: paging, signaling); PICH (Paging Indication Channel) for n:th S-CCPCH; AICH access slots; any PDSCH (Downlink Shared Channel); n:th DPCCH/DPDCH (dedicated physical control/data channel, DPCH).]

S-CCPCH,k = N x 256 chips
DPCH,n = N x 256 chips
PICH = 7680 chips (3 slots)

Downlink Scrambling Codes


3GPP TS 25.213 5.2.2

Downlink Scrambling Codes


Used to distinguish Base Station transmissions on Downlink
Each Cell is assigned one and only one Primary Scrambling Code
The Cell always uses the assigned Primary Scrambling Code for the Primary and Secondary CCPCHs
Secondary Scrambling Codes may be used over part of a cell, or for other data channels

8192 Downlink Scrambling Codes
Each code is 38,400 chips of a 2^18 - 1 (262,143 chip) Gold Sequence

[Figure: the codes are organised in 64 code groups (Code Group #1 with Primary SC0 to Primary SC7, ..., Code Group #64 with Primary SC504 to Primary SC511); each primary scrambling code has 15 secondary scrambling codes.]

Downlink Scrambling Codes


3GPP TS 25.213 5.2.2

Downlink Scrambling Code Generation


10 ms Gold Code formed by modulo-2 addition of 38,400 chips from two m-sequences

Primary Scrambling code i (where i = 0,...,511) is generated
by offsetting the X sequence by (16*i) clock cycles from the Y sequence

[Figure: two shift registers, X and Y, with stages numbered down from 17, whose combined outputs form the I and Q components.]

Initial Conditions:
x(0) = 1; x(1) ... x(17) = 0
y(0) ... y(17) = 1

Synchronization Codes
3GPP TS 25.213 5.2.3

Synchronization Codes (PSC, SSC)

[Figure: one P-CCPCH time slot (PSC + SSC + BCH): the first 256 chips carry PSC and SSCi, the following 2304 chips carry broadcast data (18 bits).]

- Broadcast by BS
- First 256 chips of every SCH time slot
- Allows UE to achieve fast synchronization in an asynchronous system

Primary Synchronization Code (PSC)
- Fixed 256-chip sequence with base period of 16 chips
- Provides fast positive indication of a WCDMA system
- Allows fast asynchronous slot synchronization

Secondary Synchronization Codes (SSC)
- A set of 16 codes, each 256 bits long
- Codes are arranged into one of 64 unique permutations
- Specific arrangement of SSC codes provides UE with frame timing, BS code group

Primary Synchronization Code


3GPP TS 25.213 5.2.3

Primary Synchronization Code (PSC)


let a = <1, 1, 1, 1, 1, 1, -1, -1, 1, -1, 1, -1, 1, -1, -1, 1>
PSC(1...256) = < a, a, a, -a, -a, a, -a, -a, a, a, a, -a, a, -a, a, a >
Note: PSC is transmitted Clear (Without scrambling)

[Figure: SCH and BCH within a slot: 256 chips (PSC, SSCi) followed by 2304 chips of broadcast data (18 bits); 1 frame = 15 slots = 10 ms.]
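An added example, not taken from the original slides, that builds the PSC from the sequence given above and uses it as a matched filter to recover the slot boundary, as in the first step of cell synchronization. The chip stream is constructed test data (real-valued +/-1 chips, random payload, a few sign flips as noise), and the function names are illustrative.

```python
import random

# Base sequence a and the sign of each 16-chip block, exactly as on the slide.
A = [1, 1, 1, 1, 1, 1, -1, -1, 1, -1, 1, -1, 1, -1, -1, 1]
BLOCK_SIGNS = [1, 1, 1, -1, -1, 1, -1, -1, 1, 1, 1, -1, 1, -1, 1, 1]
SLOT_CHIPS = 2560  # 256 synchronization chips + 2304 further chips per slot


def build_psc():
    """PSC = <a, a, a, -a, -a, a, -a, -a, a, a, a, -a, a, -a, a, a>, 256 chips."""
    return [sign * chip for sign in BLOCK_SIGNS for chip in A]


def make_stream(n_slots, offset, flip_prob, seed):
    """Constructed receiver input: `offset` random chips, then n_slots slots.

    Every slot starts with the unscrambled PSC followed by random +/-1 chips.
    A fraction flip_prob of all chips is sign-flipped as a crude noise model.
    """
    rng = random.Random(seed)
    psc = build_psc()
    chips = [rng.choice((-1, 1)) for _ in range(offset)]
    for _ in range(n_slots):
        chips += psc
        chips += [rng.choice((-1, 1)) for _ in range(SLOT_CHIPS - len(psc))]
    return [-c if rng.random() < flip_prob else c for c in chips]


def find_slot_boundary(chips, n_slots):
    """Correlate with the PSC at every chip position of one slot period.

    Correlation values from the same position in consecutive slots are
    accumulated, so the peak grows with each slot while the payload averages
    out. Returns (offset_of_peak, accumulated_peak_value).
    """
    psc = build_psc()
    best_offset, best_value = 0, float("-inf")
    for off in range(SLOT_CHIPS):
        total = 0
        for slot in range(n_slots):
            start = off + slot * SLOT_CHIPS
            window = chips[start:start + len(psc)]
            if len(window) < len(psc):
                break  # ran past the end of the captured chips
            total += sum(p * c for p, c in zip(psc, window))
        if total > best_value:
            best_offset, best_value = off, total
    return best_offset, best_value


if __name__ == "__main__":
    stream = make_stream(n_slots=3, offset=1000, flip_prob=0.05, seed=7)
    print(find_slot_boundary(stream, n_slots=3))
```

Because the PSC is sent without scrambling, this step needs no knowledge of the cell: the same fixed 256-chip filter works for every base station.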

Secondary Synchronization Code Group


3GPP TS 25.213 5.2.3

16 Fixed 256-bit Codes (SSC1 ... SSC16); Codes arranged into one of 64 patterns

[Table: for each Scrambling Code Group (Group 1 ... Group 64), the index of the SSC transmitted in each of slot numbers #1 to #15; 1 Frame = 15 slots = 10 ms.]


Note:
The SSC patterns positively identify one and only one of the 64 Scrambling Code Groups.
This is possible because no cyclic shift of any SSC is equivalent to any cyclic shift of any other SSC.

Slot Synchronization
3GPP TS 25.214 Annex C

Slot Synchronization using Primary Synchronization Code

[Figure: a 10 ms frame (15 slots x 666.666 us) on the P-CCPCH; each slot [1] ... [15] starts with the PSC followed by BCH data. A filter matched to the PSC produces one output peak per slot over time.]

Frame Synchronization, SCG ID


3GPP TS 25.214 Annex C

Frame Synchronization using Secondary Synchronization Code

[Figure: a 10 ms frame (15 slots x 666.666 us); each slot [1] ... [15] starts with an SSC followed by BCH data. A filter matched to the SSC code group pattern (SSC [1] ... SSC [15]) produces its output peak over time at the frame start.]

SSC Code Group Pattern provides
- Frame Synchronization
- Positive ID of Scrambling Code Group
Remember, no cyclic shift of any SSC is equal to any other SSC

3G Security Principles
3GPP TS 33.120

1) 3G security will build on the security of second generation systems. Security elements
within GSM and other second generation systems that have proved to be needed and
robust shall be adopted for 3G security.
2) 3G security will improve on the security of second generation systems - 3G security
will address and correct real and perceived weaknesses in second generation systems.
3) 3G security will offer new security features and will secure new services offered by 3G.

Second Generation Security Elements to be retained


3GPP TS 33.120
a) authentication of subscribers for service access.
Problems with inadequate algorithms will be addressed. Conditions regarding the optionality of authentication
and its relationship to encryption shall be clarified and tightened;
b) radio interface encryption.
The strength of the encryption will be greater than that used in second generation
systems (the strength is a combination of key length and algorithm design). This is to meet
the threat posed by the increased computing power available to those attempting cryptanalysis
of the radio interface encryption.
c) subscriber identity confidentiality on the radio interface.
However, a more secure mechanism will be provided;
d) the SIM as: a removable, hardware security module that is:
- manageable by network operators;
- independent of the terminal as regards its security functionality.
e) SIM application toolkit security features providing a secure application layer channel
between the SIM and a home network server.
Other application layer channels may also be provided;
f) the operation of security features is independent of the user, i.e. the user does not have to do anything
for the security features to be in operation.
However, greater user visibility of the operation of security features will be provided to the user;
g) HE trust in the SN for security functionality is minimised.

Weaknesses in Second Generation security


3GPP TS 33.120
1) active attacks using a false BTS are possible;
2) cipher keys and authentication data are transmitted in clear between and within networks;
3) encryption does not extend far enough towards the core network resulting in the cleartext transmission of user
and signalling data across microwave links (in GSM, from the BTS to the BSC);
4) user authentication using a previously generated cipher key (where user authentication using RAND, SRES and
A3/8 is not provided) and the provision of protection against channel hijack rely on the use of encryption, which
provides implicit user authentication. However, encryption is not used in some networks, leaving opportunities
for fraud;
5) data integrity is not provided. Data integrity defeats certain false BTS attacks and, in the absence of encryption,
provides protection against channel hijack;
6) the IMEI is an unsecured identity and should be treated as such;
7) fraud and LI were not considered in the design phase of second generation systems but as afterthoughts to the
main design work;
8) there is no HE knowledge or control of how an SN uses authentication parameters for HE subscribers roaming in
that SN;
9) second generation systems do not have the flexibility to upgrade and improve security functionality over time.

New Security Features and the Security of New Service Features


3GPP TS 33.120
- there will be new and different providers of services. For example: content providers, data service providers, HLR
only service providers;

- 3G mobile systems will be positioned as the preferred means of communications for users. They will be
preferable to fixed line systems;

- there will be a variety of prepaid and pay-as-you-go services which may be the rule rather than the exception. A
long-term subscription between the user and a network operator may not be the paradigm. (3G security will
provide satisfactory security for such systems and will not be content with insecure systems such as GSM
Advice of Charge);

- there will be increased control for the user over their service profile (which they might manage over the Internet)
and over the capabilities of their terminal (it will be possible to download new services and functions using
systems such as MExE and SAT);

- there will be active attacks on users. (In active attacks, equipment is used to impersonate parts of the network to
actively cause lapses in security. In passive attacks, the attacker is outside the system and listens in, hoping
security lapses will occur);

- non-voice services will be as important as, or more important than, voice services;

- the terminal will be used as a platform for e-commerce and other applications. Multi-application smartcards
where the USIM is one application among many can be used with the terminal. The smartcard and terminal will
support environments such as Java to allow this. The terminal may support personal authentication of the user
using biometric methods.

3G Security Objectives
3GPP TS 33.120

a) to ensure that information generated by or relating to a user is adequately protected against misuse or
misappropriation;
b) to ensure that the resources and services provided by serving networks and home environments are adequately
protected against misuse or misappropriation;
c) to ensure that the security features standardised are compatible with world-wide availability. (There shall be at
least one ciphering algorithm that can be exported on a world-wide basis (in accordance with the Wassenaar
agreement));
d) to ensure that the security features are adequately standardised to ensure world-wide interoperability and
roaming between different serving networks;
e) to ensure that the level of protection afforded to users and providers of services is better than that provided in
contemporary fixed and mobile networks (including GSM);
f) to ensure that the implementation of 3GPP security features and mechanisms can be extended and enhanced as
required by new threats and services.

Overview of the security architecture

Five groups of security features:
- Network access security
- Network domain security
- User access security
- Application security
- Visibility and configurability of the security features

Overview of the security architecture

Network access security (I):
the set of security features that provide users with secure
access to 3G services, and which in particular protect against
attacks on the (radio) access link.
Protocols: AKA, UEA with f8, integrity protection with f9

Security

Network domain security (II):
the set of security features that enable nodes in the provider
domain to securely exchange signalling data, and protect
against attacks on the wireline network.
Protocols: VPN with IPSec, firewalls, intrusion detection

Application domain security (IV):
the set of security features that enable applications in the
user and in the provider domain to securely exchange messages.

Visibility and configurability of security (V):
the set of features that enables the user to inform himself
whether a security feature is in operation or not and whether
the use and provision of services should depend on the
security feature.
Concepts: display of the mechanisms in use, certificates etc.

Authentication and key establishment IK

The AKA process http://www.3gpp.org/specifications/60-confidentiality-algorithms

Authentication and key establishment IK

AV generation

UMTS Authentication Vector

Authentication and key establishment III

Length of the authentication parameters

- authentication key K: 128 bits
- random challenge RAND: 128 bits
- sequence numbers SQN: 48 bits
- anonymity key AK: 48 bits
- authentication management field AMF: 16 bits
- MAC in AUTN and MAC-S in AUTS: 64 bits
- cipher key CK: 128 bits
- integrity key IK: 128 bits
- authentication response RES/XRES: 4-16 octets
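
The parameter lengths above fix the layout of the AUTN token that the network sends together with RAND. The following added example (not from the original slides) runs the USIM-side checks in order: lengths, MAC, then SQN freshness. The AUTN layout (SQN xor AK) || AMF || MAC is taken from 3GPP TS 33.102; f1 and f5 are HMAC-SHA-256 stand-ins rather than an operator's real algorithms, and SQN_WINDOW and the sample key, RAND and AMF values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Field lengths in octets, from the parameter table above.
K_LEN, RAND_LEN = 16, 16      # 128 bits each
SQN_LEN, AK_LEN = 6, 6        # 48 bits each
AMF_LEN, MAC_LEN = 2, 8       # 16 bits and 64 bits
AUTN_LEN = SQN_LEN + AMF_LEN + MAC_LEN   # (SQN xor AK) || AMF || MAC
SQN_WINDOW = 1 << 28          # assumption: largest forward SQN jump accepted


def _prf(k, label, data, n):
    """Stand-in for the operator's f1/f5 (not MILENAGE): truncated HMAC-SHA-256."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf):
    """Network authentication code MAC over SQN, RAND and AMF."""
    return _prf(k, b"f1", sqn + rand + amf, MAC_LEN)


def f5(k, rand):
    """Anonymity key AK that conceals SQN on the air interface."""
    return _prf(k, b"f5", rand, AK_LEN)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_autn(k, rand, sqn, amf):
    """Home network side: AUTN = (SQN xor AK) || AMF || MAC."""
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    return xor(sqn_b, f5(k, rand)) + amf + f1(k, sqn_b, rand, amf)


@dataclass
class Verdict:
    result: str                 # accept, mac_failure, sync_failure, malformed
    sqn: Optional[int] = None


def usim_check(k, rand, autn, sqn_ms):
    """USIM side: check lengths, then the MAC, then SQN freshness."""
    if len(k) != K_LEN or len(rand) != RAND_LEN or len(autn) != AUTN_LEN:
        return Verdict("malformed")
    masked_sqn = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    sqn_b = xor(masked_sqn, f5(k, rand))              # unmask SQN with AK
    if not hmac.compare_digest(mac, f1(k, sqn_b, rand, amf)):
        return Verdict("mac_failure")                 # not from the home network
    sqn = int.from_bytes(sqn_b, "big")
    if not sqn_ms < sqn <= sqn_ms + SQN_WINDOW:
        return Verdict("sync_failure", sqn)           # replayed or stale vector
    return Verdict("accept", sqn)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real subscriber.
    k, rand, amf = bytes(range(16)), bytes(range(16, 32)), b"\x80\x00"
    autn = build_autn(k, rand, 0x21, amf)
    print(usim_check(k, rand, autn, sqn_ms=0x20))     # fresh vector
    print(usim_check(k, rand, autn, sqn_ms=0x21))     # same vector replayed
```

The MAC check comes before the SQN check, so a forged challenge is rejected as a MAC failure and only a genuine but stale vector leads to resynchronisation.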

Local authentication and connection establishment

Local authentication is obtained from the integrity protection functionality.

- setting the cipher and integrity keys CK and IK in the USIM and VLR/SGSN
- negotiation of the ciphering and integrity modes: classmark UIA and UEA
- lifetime of the cipher / integrity keys
- identification of the cipher and integrity keys: KSI

Data integrity on the access link

- the MS (MM) supervises the provision of data integrity
- layer providing integrity: RRC
- selection of the integrity key: IKcs and IKps
- integrity algorithm identifier UIA: 4 bits

Confidentiality of the access link

- ciphering layer (RNC - ME):
-> non-transparent RLC: RLC; transparent RLC: MAC
- selection of the cipher key: CKcs and CKps
- identification of the ciphering algorithm UEA: 4 bits

UMTS Access Security Summary


What is LTE/SAE/EPC?

LTE (Long Term Evolution) is the 4G wireless access technology from 3GPP, as
UMTS was the 3G technology and GPRS the 2.5G one.
Evolved Packet Core (EPC) is the core network architecture of 3GPP's LTE
wireless communication standard:
- Increased bandwidth and lower latency
- End-to-end IP
- Simplified architecture
- Support for, and mobility between, multiple radio access technologies

Evolved Packet System (EPS) = EPC and the LTE access network (E-UTRAN) together

LTE technical objectives and architecture

Downlink Capacity: Peak data rate of 100 Mbps in 20 MHz maximum bandwidth
Uplink Capacity: Peak data rate of 50 Mbps in 20 MHz maximum bandwidth
Active users in a cell: Up to 200 active users in a cell (5 MHz)
Latency: Transition time less than 5 ms in ideal conditions (user plane), 100 ms control plane
Mobility: optimized for 0 ~ 15 km/h, supported with high performance for 15 ~ 120 km/h,
supported up to 350 km/h or even up to 500 km/h
Simplified architecture: Simpler E-UTRAN architecture: no RNC, no CS domain
Scalable bandwidth: 1.25 MHz to 20 MHz: Deployment possible in GSM bands.
End-to-End QoS: Enhanced support for end-to-end QoS
Always-on model: All registered users have a default bearer established used for signaling
IP addressing: IPv6 by default with dual stack sessions (IPv4v6)
Multiple radio access technologies: mobility between 3GPP and non 3GPP systems

All IP Principle: the IP connectivity should be available immediately after registration
with the network and not only on specific demand

Global LTE Adoption Forecast

14 December 2014

Live Commercial LTE Services

Marketing LTE: Early Service Trends in Europe, Advisory Report, October 11, 2011

Live Commercial LTE Services (Continued)

Marketing LTE: Early Service Trends in Europe, Advisory Report, October 11, 2011

UTRAN & E-UTRAN - Comparison

The main difference between UMTS and LTE is the removal of the RNC network element
and the introduction of the X2 interface, which make the network simpler and flatter,
leading to lower networking cost, higher networking flexibility and low latency

EPS Architecture - Non-roaming architecture for 3GPP accesses

The Evolved Packet Core consists of three main functional entities, namely the Mobility
Management Entity (MME), the Serving Gateway (S-GW) and the Packet Data Gateway
(P-GW), which as a system perform the following logical functions:
Network access control functions.
Packet routing and transfer functions.
Mobility management functions.
Security functions.
Radio resource management functions.
Network management functions.

EPS Architecture - Non-roaming architecture for 3GPP accesses, MME

Key control node for the LTE access network.
Responsible for idle mode UE tracking and paging procedure including retransmissions.
Involved in the bearer activation/deactivation process.
Responsible for choosing the SGW for a UE at the initial attach.
Responsible for authenticating the user (by interacting with the HSS).
Responsible for generation and allocation of temporary identities to UEs.
It checks the authorization of the UE to camp on the PLMN and enforces UE roaming restrictions.
The MME is the termination point in the network for ciphering/integrity.
Lawful interception of signaling is also supported by the MME.
MME provides the control plane function for mobility between LTE and 2G/3G access networks.
Interacts with HSS for user authentication and profile download.

EPS Architecture - Non-roaming architecture for 3GPP accesses, S-GW

Routes and forwards user data packets.
Mobility anchor for the UP during inter-eNB handovers.
Anchor for mobility between LTE and other 3GPP technologies (terminating S4
interface and relaying the traffic between 2G/3G systems and PDN GW).
For idle state UEs, the SGW terminates the DL data path and triggers paging when
DL data arrives for the UE.
It manages and stores UE contexts, e.g. parameters of the IP bearer service,
network internal routing information.
It also performs replication of the user traffic in case of lawful interception.

EPS Architecture - Non-roaming architecture for 3GPP accesses, PDN-GW

Provides connectivity to the UE to external packet data networks by being the
point of exit and entry of traffic for the UE.
A UE may have simultaneous connectivity with more than one PDN GW for
accessing multiple PDNs.
Performs policy enforcement, packet filtering for each user, charging support,
lawful interception and packet screening.
Acts as the anchor for mobility between 3GPP and non-3GPP technologies
such as WiMAX and 3GPP2 (CDMA 1X and EvDO).

EPS Architecture - Non-roaming architecture for 3GPP accesses, HSS

Centralised database holding user profile:
- Interacts with MME for user authentication and profile download
- Stores current location information (e.g. assigned MME, Serving SGW)
- One or more subscription profiles containing IMSI, QoS, Services, etc.

EPS Architecture - Non-roaming architecture for 3GPP accesses, PCRF

Policy & Charging Rule Function (PCRF)

User and application-aware policy decision point:
- Interacts with PGW to enforce per session or per flow policies
- Gets event notification from PGW (mobility and/or traffic related)
- Interacts with application for admission control and policy definition
- Supports roaming capabilities

LTE Security: UMTS Security and LTE Architectural impact

UMTS security enhancements:
- Mutual authentication
- Integrity keys
- Public algorithms
- Deeper encryption
- Longer key length

LTE Architecture:
- Flat architecture
- Separation of control plane and user plane
- eNodeB instead of NodeB/RNC
- All-IP network
- Interworking with legacy and non-3GPP networks

Characteristics of LTE Security:
- Re-use of UMTS Authentication and Key Agreement (AKA)
- Use of USIM required (GSM SIM excluded)
- Extended key hierarchy
- Possibility for longer keys
- Greater protection for backhaul
- Integrated interworking security for legacy and non-3GPP networks

Two important security tools that frequently pop up in 3GPP specs

UICC, a.k.a. (also known as) the SIM card
- Place to hold secret keys and perform sensitive functions
- But not only a chip: it is the link which provides the ownership of the customer to the operator

Authentication and Key Agreement algorithm, a.k.a. AKA
- Algorithm to authenticate the identity on the UICC to the network and vice versa
- Provides keys as a by-product which can be used to protect communication

AKA

Uses of UICC and AKA: overview

[Figure: uses of UICC and AKA. Generic Bootstrapping Architecture (GBA/GAA): HTTP digest AKA for GBA, with NAF, BSF and BM-SC. IMS security: HTTP digest AKA for IMS, with P-CSCF, S-CSCF and HSS. Access security: 2G AKA, 3G AKA, EPS AKA, EAP SIM and EAP AKA, over GERAN, UTRAN, E-UTRAN, WLAN and non-3GPP access, with the 2G core, 3G core and EPS core. Annotations in the figure: "Second coming with single sign-on (SSO)?"; "Becoming deployed, e.g. VoLTE"; "Widely deployed, has security issues"; "Widely deployed."; "Rapidly growing with LTE"; "Becoming more important, e.g. WiFi roaming".]

Some design principles

Successful attacks shall be local to the environment.
- E.g., attacks on an eNB shall not affect core NW security.
- One eNB shall have no (or as little as possible) knowledge of keys used in another eNB.

Successful attacks shall be local in time.
- E.g., keys used in an eNB at one point in time do not help an attacker get access to keys used earlier or later (even in the same eNB).

Prefer prevention, but resort to detection if prevention is not cost effective.

LTE Trust model and threat environment

[Figure: trust model with the labels Internet, PDN, Core NW (trusted location: HSS, MME, S-GW), IPsec, RAN, and eNBs, each a secure environment in a non-trusted location.]

Security termination points

RRC: integrity and ciphering
NAS signalling: integrity and ciphering
User plane: ciphering only

[Figure: termination points in the network, with the labels Internet, PDN, Core NW (HSS, MME, S-GW), RAN (eNB, eNB), global control plane and local control plane.]

Key Derivation Functions (KDF)

A KDF takes a key as input and produces a different key as output.

[Figure: Key1 and scoping data1 enter a KDF that outputs Key2; Key2 and scoping data2 enter a KDF that outputs Key3.]

If you have a key, you can compute all keys below in the chain,
but it is infeasible to compute keys higher up in the chain.

LTE key hierarchy (Basic structure)

Notation:
An Access Security Management Entity (ASME) is an entity which receives the
top-level keys in an access network from the HSS, i.e., the MME.

K (USIM/AUC)
CK, IK (UE/HSS), established via AKA
K_ASME (UE/MME)
NAS security context (UE/MME): K_NAS-int, K_NAS-enc
K_eNB (UE/eNB)
AS security context (UE/eNB): K_eNB-UP-enc, K_eNB-RRC-int, K_eNB-RRC-enc
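
An added example, not part of the original slides, that implements the KDF chain and the key hierarchy of the two slides above. The HMAC-SHA-256 construction, the FC values and the algorithm type distinguishers are taken from 3GPP TS 33.220 Annex B and TS 33.401 Annex A, which the slides do not reproduce; CK, IK, the PLMN identity, SQN xor AK and the algorithm identity 2 are constructed sample values.

```python
import hashlib
import hmac

# Algorithm type distinguishers used with FC = 0x15 (TS 33.401 Annex A.7).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05


def kdf(key, fc, *params):
    """HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ... (256-bit output)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")    # scoping parameter, then its length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_asme(ck, ik, plmn_id, sqn_xor_ak):
    """HSS and UE: bind CK || IK to the serving network identity."""
    return kdf(ck + ik, 0x10, plmn_id, sqn_xor_ak)


def derive_k_enb(k_asme, uplink_nas_count):
    """MME and UE: scope the eNB key to the current uplink NAS COUNT."""
    return kdf(k_asme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent, alg_type, alg_id):
    """Leaf key for one algorithm: the 128 least significant bits of the output."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_hierarchy(ck, ik, plmn_id, sqn_xor_ak, uplink_nas_count,
                     enc_alg=2, int_alg=2):
    """Return every key below CK/IK, named as on the key hierarchy slide."""
    k_asme = derive_k_asme(ck, ik, plmn_id, sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, uplink_nas_count)
    return {
        "K_ASME": k_asme,
        "K_NAS-enc": derive_alg_key(k_asme, NAS_ENC, enc_alg),
        "K_NAS-int": derive_alg_key(k_asme, NAS_INT, int_alg),
        "K_eNB": k_enb,
        "K_eNB-RRC-enc": derive_alg_key(k_enb, RRC_ENC, enc_alg),
        "K_eNB-RRC-int": derive_alg_key(k_enb, RRC_INT, int_alg),
        "K_eNB-UP-enc": derive_alg_key(k_enb, UP_ENC, enc_alg),
    }


if __name__ == "__main__":
    # Constructed sample inputs; real CK/IK come out of the AKA run.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    keys = derive_hierarchy(ck, ik, b"\x00\xf1\x10", bytes(6), uplink_nas_count=0)
    for name, value in keys.items():
        print(f"{name:14s} {value.hex()}")
```

Only K_eNB and the three keys below it ever reach the eNB; K_ASME and the NAS keys stay in the MME, and HMAC-SHA-256 cannot be run backwards from K_eNB to K_ASME.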

Authentication and Key Agreement

Security for System Improvement for Machine-type communications

Work ongoing in 3GPP on system improvements for machine-type communications
Analysis of security aspects ongoing in SA3
Work ongoing on SMS triggering security and USIM-device binding in Rel-11

[Figure: MTC architecture across HPLMN and VPLMN, showing the indirect model, the direct model and the hybrid model (1 + 2), with control plane and user plane distinguished. Elements: IP-SM-GW, SMS-SC/GMSC/IWMSC, HSS, CDF/CGF, SME, MTC-IWF, Services Capability Server (SCS), Application Servers (AS), GGSN/P-GW, MSC, MME, SGSN, S-GW, RAN, and the UE with its MTC UE application. Reference points: Tsms, T4, S6m, Rf/Ga, Tsp, T5a, T5b, T5c, Gi/SGi, Um/Uu/LTE-Uu.]

LTE Summary:
UP security termination in the eNB is the main reason behind the elaborate key handling.
Subscriber authentication almost exactly as in UMTS.
Several layers of security to make effects of successful attacks less severe.

Key hierarchy.
AS security context derived from current NAS security context as needed.
Key separation between eNBs (space/time).
Separate AS and NAS algorithm negotiation.


IMS Architecture
IMS is introduced and defined as part of 3GPP Release 5 standards.
IMS is an architecture designed to support the control layer for packet
based services, which uses the bearer services of the access network to
support the media associated with the service.

IMS is access agnostic, as shown. In a multi access environment it ensures
service availability to all access networks (subject to the limitations of
the access networks).

[Figure: IMS (HSS, SIP Application Servers, I-CSCF, P-CSCF, S-CSCF, MRF, MGCF, MGW) above the access networks: CDMA 2000, UMTS/GPRS (MSC (Server), RNC, BSC, SGSN, GGSN), WLAN, Corporate, and CN with MGW.]

Architecture Elements: Main Categories

Database Elements
HSS (Home Subscriber Server) is the main DB element. It is an evolution of the HLR and provides the following functions:
- HLR functions (subscriber data and authentication data)
- Location Register
- Storage of Service and Subscription Data
- Authentication

SLF - Subscription Locator Function
A supplementary node that supports a distributed HSS solution

IMS Control Elements
Nodes acting on the control (SIP) signalling flows. These nodes are x-CSCFs, each with different roles and behavior:
- S-CSCF
- P-CSCF
- I-CSCF

Control Plane Interworking Elements
Elements involved in interworking with legacy networks 2G CS, PSTN, Internet:
- MGCF - Media Gateway Control Function
- BGCF - Breakout Gateway Control Function
- T-SGW - Transport Signaling Gateway

[Figure: the elements CSE (SCP), SIP Application Servers, OSA Application Server, OSA-SCS, IM-SSF, HSS, P-CSCF, S-CSCF, I-CSCF, MRF, MGCF, BGCF, T-SGW and MGW.]

Interfaces of IMS

[Figure: IMS interfaces. Home IMS network: SIP Application Servers, CSE (SCP), OSA Application Server, OSA-SCS, IM-SSF, HSS, P-CSCF, I-CSCF, S-CSCF, BGCF, MRF, MGCF, MGW, T-SGW. Visited IMS network: P-CSCF. Home and visited access networks: GGSN. External networks: PSTN, PLMN, Internet, IP networks. Interface labels: ISC, Si, Sh, Cx, Mi, Mw, Mr, Mg, Gi, ISUP/BICC. Legend: SIP, Diameter, IP, TDM, SS7.]

Security threats and requirements

Threats
- Theft of service
  - Impersonating a UA to get unauthorised access to resources or to avoid charges
- Bypassing proxies
  - Network must prevent a malicious UA bypassing a proxy to avoid charges
- Registration hijacking
  - Impersonating a UA to de-register existing contacts for a URI and registering new ones that redirect requests to attacker's device
  - Third party registration not supported in 3GPP Rel. 5
- Impersonation of a server
  - Blocking UA requests or redirecting them to inappropriate resources
  - Forcing all future REGISTER requests to go to the wrong resource
- Tampering with messages
  - Modifying SDP bodies to point media streams to interception device
  - Modifying header to make request look like spam
- Tearing down sessions
  - Forging BYE messages or Forged re-INVITEs
- Denial of service
  - Sending bogus requests with a falsified source IP address to large numbers of SIP elements to generate DoS traffic aimed at the falsified IP address
  - Deregistration of UAs
  - Registration of large numbers of contacts to use SIP registrar as an amplifier in DoS attacks

Requirements
- Authentication of participants in a session
- Confidentiality, integrity and replay protection of messages
- Preventing denial of service

IMS security architecture

Access domain security architecture

Requirements

Scalability and efficiency
- Large numbers of users
- Global roaming among large number of domains
- Bandwidth and roundtrips
- Computation

Independence of transport protocol
- Should work with any transport protocol allowed by SIP

Must be possible to provide security without requiring terminal to support
public key operations

[Figure: ISIM, UA, P-CSCF, S-CSCF and HSS across the visited network and the home network.]

ISIM

ISIM is a term that indicates the collection of IMS security data and
functions on a UICC used for access domain security. The following
options are permitted:
- Use of a distinct ISIM application on a UICC which does not share security functions with the USIM
- Use of a distinct ISIM application on a UICC which does share security functions with the USIM
- Use of a R99/Rel-4 USIM application on a UICC

Access security architecture

Initial authentication based on long-term SA

Subsequent signalling messages between UA and first hop SIP proxy (the
P-CSCF) are protected using short-term SA created during initial
authentication

Protocol is run between UA and SIP proxy server (the S-CSCF) in home network
UA uses SA credentials and functions stored in ISIM
SIP proxy server (S-CSCF) interacts with authentication server (the HSS) in home network

Session keys for integrity at SIP proxy server (S-CSCF) are passed to an
authorised first hop SIP proxy (P-CSCF) further downstream
ISIM at user side securely delegates keys to UA

Message protection provided is applied directly after initial authentication

[Figure: authentication, session keys and message protection between ISIM, UA, P-CSCF and HSS. The long-term SA is held by the ISIM (shared with the HSS) and by the HSS (shared with the ISIM); the short-term SA is held by the UA (shared with the P-CSCF) and by the P-CSCF (shared with the UA).]

Access domain message protection

Requirements
- SIP entities must be able to communicate using integrity and replay protection
- Confidentiality protection
  - 3GPP Rel-5 relies on the bearer network to protect the confidentiality of SIP signalling
  - In future it may be required to provide IMS confidentiality
- Must be possible to provide protection on a per hop basis as some proxies need to read/modify message contents
  - Per hop protection is adequate for 3GPP Rel-5 due to trust model
- Must protect complete message (body and header)
- Must be compatible with header compression / removal and SIP compression

IPsec is used to protect SIP signalling
- IPsec ESP shall provide integrity protection of SIP signalling
- The SAs (one for inbound and one for outbound) are derived from the UMTS AKA session keys (IK)
- Unprotected messages
  - Error messages
  - Initial register
- IPsec ESP is used hence SIP has to send protected messages on one port number and unprotected messages on another port number

Security mechanism agreement

Security mechanism agreement is based on RFC3329
- Integrated into SIP by adding new headers to Register procedure
- Does not add any extra roundtrips

This allows the UA to securely negotiate the mechanism with the first hop SIP proxy (P-CSCF)

3GPP Release 5 negotiates the following parameters of the ipsec-3gpp mechanism defined in Appendix A of RFC3329
- Authentication algorithm
  - hmac-md5-96
  - hmac-sha-1-96
- Encryption algorithm
  - NULL
- Protocol
  - ESP (Encapsulated Security Payload)
- Mode
  - Transport
- SPI (Security Parameter Index)
- Port number for inbound protected SIP messages
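
The negotiation on the security mechanism agreement slide can be checked mechanically at the P-CSCF. The following added example (not from the original slides) parses RFC 3329 Security-Client / Security-Server / Security-Verify header values, checks an ipsec-3gpp offer against the Release 5 parameter values listed above, and compares the Security-Verify echo with the Security-Server list that was sent, which is how RFC 3329 detects a stripped or altered offer. The parameter names (alg, ealg, prot, mod, spi, port1) and their defaults come from RFC 3329 Appendix A; the header values and function names are constructed for illustration.

```python
# Values the slide lists for the Release 5 ipsec-3gpp profile.
R5_PROFILE = {
    "alg": {"hmac-md5-96", "hmac-sha-1-96"},
    "ealg": {"null"},
    "prot": {"esp"},
    "mod": {"trans"},
}
# RFC 3329 Appendix A defaults, applied when a parameter is omitted.
DEFAULTS = {"prot": "esp", "mod": "trans", "ealg": "null"}
# Upper bounds for the numeric parameters (32-bit SPI, 16-bit port).
NUMERIC_LIMITS = {"spi": 2**32 - 1, "port1": 65535}


def parse_sec_header(value):
    """Parse a Security-Client/-Server/-Verify value into [(mechanism, params)]."""
    mechanisms = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        params = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip().strip('"').lower()
        mechanisms.append((parts[0].lower(), params))
    return mechanisms


def profile_problems(params):
    """List every way an ipsec-3gpp offer departs from the Release 5 profile."""
    problems = []
    merged = {**DEFAULTS, **params}
    for key, allowed in R5_PROFILE.items():
        if merged.get(key) not in allowed:
            problems.append(f"{key}={merged.get(key)!r} not in Release 5 profile")
    for key, top in NUMERIC_LIMITS.items():
        val = merged.get(key, "")
        if not (val.isdigit() and 0 < int(val) <= top):
            problems.append(f"{key} missing or out of range")
    return problems


def verify_matches_server(security_server, security_verify):
    """True if the protected request echoes the list sent in Security-Server.

    A mismatch means the list the UA saw is not the list the proxy sent,
    so the request must be rejected rather than served.
    """
    return parse_sec_header(security_server) == parse_sec_header(security_verify)


if __name__ == "__main__":
    # Constructed header values for illustration.
    sent = "ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi=3929102; port1=5062; port2=5063"
    echoed = "ipsec-3gpp;q=0.1;alg=hmac-sha-1-96;spi=3929102;port1=5062;port2=5063"
    print(profile_problems(parse_sec_header(sent)[0][1]))   # no problems expected
    print(verify_matches_server(sent, echoed))              # echo is intact
    print(verify_matches_server(sent, "digest; q=0.1"))     # list was altered
```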

Network domain security

IPsec is used to protect SIP signalling in network domain
- Confidentiality, integrity and replay protection

Why security gateways?
- Smaller number of gateway-to-gateway connections compared to node-to-node connections leading to simpler key management
- Part of general purpose IPsec/IKE architecture to protect all IP-based control plane interfaces in 3GPP network (not just IMS)
- Availability of high-capacity IPsec gateways
- No need to deploy security in all network elements

Security Gateways (SEG)
- Inter-operator signalling is done via security gateways (a)
- End-to-end security (b) between Network Elements (NE) can be added after key management evolves towards PKI (Release 6)

Supported IPsec options
- ESP for protection of packets (no AH)
- Tunnel mode (no transport mode)
- 3DES as mandatory encryption algorithm

IKE for key exchange
- Pre-shared secrets (Release 5 does not support PKI)
- Main mode in phase 1

[Figure: Network A (SEG A, NE A) and Network B (SEG B, NE B) connected over an intermediate IP network; path a runs via the security gateways, path b runs between the network elements.]

Generic IP security issues (see also Domain 6 of the All IP programme)
- Protection mechanisms
  - Traffic separation
  - Firewalling, filtering and demilitarised zones
  - Node hardening
  - Site security
- Detection mechanisms

Media security
IMS user plane security currently relies on bearer network security
i.e. UMTS/GPRS packet domain ciphering in 3GPP Release 5
Opportunities in future releases to integrate end-to-end key agreement
with SIP/SDP using MIKEY
Candidate end-to-end encryption mechanisms:
Protection at application layer: S-RTP
Protection at network layer: IPsec


IEEE 802.11
IEEE 802.11 standardizes medium access control (MAC) and
physical characteristics of a wireless local area network (LAN)
The standard comprises three physical layer units:
- Frequency Hop Spread Spectrum: 2.4 GHz band; 1, 2, 5.5, and 11 Mbit/s
- Direct Sequence Spread Spectrum: 2.4 GHz band; 1, 2, 5.5, 11 and 22 Mbit/s
- Baseband infrared: diffuse infrared; 1 and 2 Mbit/s
Transmission in the license-free 2.4 GHz band implies:
- Medium sharing with un-volunteering 802.11 devices
- Overlapping of logically separated wireless LANs
- Overlapping with non-802.11 devices
The medium access control (MAC) supports operation under control
of an access point as well as between independent stations
In this class we will mainly focus on the standard's security aspects:
- Many equipment vendors claim that IEEE 802.11 is as secure as a wired network

802.11 - Architecture of an Infrastructure Network

Station (STA): Terminal with access mechanisms to the wireless medium and radio
contact to the access point
Basic Service Set (BSS): Group of stations using the same radio frequency
Access Point: Station integrated into the wireless LAN and the distribution system
Portal: Bridge to other (wired) networks
Distribution System: Interconnection network to form one logical network
(extended service set, ESS) based on several BSS

802.11 - Architecture of an Ad-Hoc Network

Station (STA): Terminal with access mechanisms to the wireless medium
Basic Service Set (BSS): Group of stations using the same radio frequency
Ad-Hoc networks allow direct communication between end systems within a limited range
As there is no infrastructure, no communication is possible between different BSSs

Security Services of IEEE 802.11

Security services of IEEE 802.11 are realized by:
- Entity authentication service
- Wired Equivalent Privacy (WEP) mechanism
WEP is supposed to provide the following security services:
- Confidentiality
- Data origin authentication / data integrity
- Access control in conjunction with layer management
WEP makes use of the following algorithms:
- The RC4 stream cipher
- The Cyclic Redundancy Code (CRC) checksum for detecting errors

The Cyclic Redundancy Code (1)

The Cyclic Redundancy Code (2)

IEEE 802.11 Entity Authentication (1)

IEEE 802.11 Entity Authentication (2)

IEEE 802.11's Wired Equivalent Privacy (1)

IEEE 802.11's Wired Equivalent Privacy (2)

Weakness #1: The Keys

Weakness #2: WEP Confidentiality is Insecure

Weakness #3: WEP Data Integrity is Insecure

Weakness #4: WEP Access Control is Insecure

Weakness #5: Weakness in RC4 Key Scheduling

Conclusions

So what else can we do on the device side?

- Password settings
- Device policy settings via working device management
- Hardening the terminal OS
- Securing/disabling insecure protocols, ports and interfaces (Bluetooth, APIs etc.)
- "Jailbreak" / rooting detection
- Increasing app security, limiting installation options (app signatures, company/secure app stores etc.)
- Application sandboxing
- Two-factor authentication (possession and knowledge)
- VPN and encryption solutions (on-device data!)
- Remote wipe / remote lock solution for repair, loss and theft cases
- Return and maintenance processes
- Audit trail / logging

Mobile Device Management
3rd-party solutions

Elements of MDM (by Gardner)

Software Distribution: The ability to manage & support mobile application incl. deploy, install, update, delete or block
Policy Management: Development, control & operations of enterprise mobile policy
Security Management: The enforcement of standard device security, authentication and encryption
Inventory Management: Beyond basic inventory mgmt, this includes provisioning and support
Service Management: Rating of telecom services

Recommendation for use in enterprises

Thank you.