Comparative analysis Of GSM and CDMA technologies

“A Security Perspective”

By Sangram Gayal and Dr. S. A. Vetha Manickam

Network Security Solutions Ltd. Pune.

......4 Authentication Signatures ..... Overview of CDMA technologies ..... 14 4.. Abstract ............. 4 2........................................................1 The security services provided by GSM...........................................7 Security Concerns in CDMA................................................................................................................................13 3... 3 2.. 13 3...............1THE CDMA CONCEPT ...3 Authentication and security in CDMA................... 3 2..................... Introduction to GSM Architecture ........................................................5 Signaling data privacy ......... 10 3........................ 3 2............ 10 3....... 14 References ......... 15 2 ...........................2 Advantages of CDMA technology ....................................................2 GSM security issues and their vulnerabilities ...6 CDMA Design Security and interception of signals ..........Table Of Contents 1... 14 3..8 Comparison of Security in GSM and CDMA technologies .................................................... 12 3............................................. 12 3................................. Conclusion ............................................3 SS7 Protocol .............. 8 3.................... 12 3..

1. Introduction to GSM Architecture Global System for Mobile communication (GSM) is a globally accepted standard for digital cellular communication. the temporary identifier is used till end of this session. it is possible to determine the temporary identity being used. the mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (SIM card key [Ki]). the real identity (IMSI 1 number) is used.5G and 3G. and a temporary identifier (TMSI 2 number) is then issued. It is estimated that eavesdropping and other mobile telephony frauds have accounted for more than US$ 750M of lost revenue in the United States in the year 2001. Authentication is performed by a challenge and response mechanism. and routing and info exchange. SS7 is TDM-based network architecture for performing out-of-band signaling in support of call establishment. Using temporary identifiers provides it. via voice and short-message-service (SMS) text. and sends a response (Signed 3 . Today over 400 million people worldwide use GSM mobile phones to communicate with each other. Abstract Mobile telephone systems have gained a very bad reputation worldwide on issues of security and authentication. When a user first switches on his/her radio set. From all future communication. Authentication: Authentication is provided so that the operator knows who is using the mobile system for authorization and accounting purposes. and Privacy are important issues to be looked into. There are no such estimates presently available for India due to the fact of unawareness. It is used in telephonic communications. 2. A random (RAND) challenge is issued to the Mobile Station (MS). There are ongoing efforts to enhance security level of the system and new technologies are reaching the market with added security features. 2. GSM is the name of a standardization group that was established in 1982 in an effort to create a common European mobile telephone standard that would formulate specifications for a pan-European mobile cellular radio system operating at 900 MHz. This paper attempts to compare the security features provided by GSM mobile telephony standards and the CDMA standards promoted by 2. Only by tracking the user.1 The security services provided by GSM Anonymity: Anonymity is provided so that it is not easy to identify the user of the system. security. Authentication. billing.

Although the BTS are usually connected to the Base Station Controller (BSC) through a cable. This is provided by A5 algorithm. Eavesdropping helps the hacker to attack at two vulnerable points: ! Over-the-air data transfer: Over-the-air data transfers include transmission of IMSI number. ! Signaling Network beyond BTS: The transmissions are encrypted only between the MS and the BTS. If the attacker can access the operator's signaling network. cipher text. This information can be of great help to the attacker as anonymity of the user. After the BTS. which is XOR’ed with the plain text to get the cipher text. 2. input to which is a session key (Kc) and frame number (Fn) and output is the keystream.Response [SRES]) back. ____________________________ 1 International Mobile Subscriber Identification 2 Temporary Mobile Subscriber Identification 4 . inputs to which are the SIM card key and a random number (RAND) is sent over by Base Station (BTS). the response to the challenge is correct. TMSI number. is lost. This link would be relatively easy to attack with the right kind of equipment. SRES and Kc. one of the basic services provided by GSM. etc.2 GSM security issues and their vulnerabilities ! Eavesdropping This is the capability that the intruder eavesdrops signaling and data connections associated with other users. some of them are connected to the BSC through a microwave or even a satellite link. User Data Protection: Encryption is provided so that user data passing over the radio path is protected. the data is transmitted in plain text within the operator’s network. Session key is generated by the A8 algorithm. COMP128 is a one-way (hash) function that is currently used in most GSM networks for A3 and A8. given the key of the mobile. including the actual phone call as well as the RAND. The operator can check that. The SS7 signaling network used in the operator's GSM network is completely insecure if the attacker gains direct access to it. SRES. RAND. he will be able to listen to everything that is transmitted.

in an attempt to make the network believe they originate from the target user. based upon the challenge and the secret key. ! Over-the-air attack The over-the-air attack is based upon the fact that the MS is required to respond to every challenge made by the GSM network. which can only be achieved in a complicated way on simple devices such as SIM cards. It is not known how long the attack would take when conducted over the air. 5 . The algorithm requires lookup of large tables. compared to the actual attack. which leaks out a lot of sensitive information on the side channels. Thus.000 challenges to the SIM and the SIM generates SRES and the session key. the attacker needs to have physical access to the target SIM for at least eight hours. in an attempt to make the target user believe they originate from a genuine network. The smart card reader used in implementing the attack can make 6. So the attack requires about eight hours to complete. ! SIM card cloning attack • SIM card under physical access The SIM is accessed through a smart card reader connected to a PC. • Of the Network This is the capability whereby the intruder sends signaling and/or user data to the target user. Impersonation leads to mainly one kind of attack called the SIM card cloning attack. the attacker can bomb the target MS with challenges and re-construct the secret key from these responses. Kc. If the signal of the legitimate BTS is over powered by a rogue BTS of the attacker. but this is apparently very quick.25 queries per second to the SIM card. The PC makes about 150. Estimates vary from eight to thirteen hours. The results have to be analyzed as well.! Impersonation • Of the User This is the capability whereby the intruder sends signaling and/or user data to the network. Again the MS has to be available to the attacker over the air for the whole time it takes to conduct the attack. This attack enjoys the weaknesses in COMP128 algorithm as listed below: The algorithm reveals information about the Ki when the appropriate RANDs are given as arguments to the A8 algorithm. The secret key can be deduced from the SRES responses through differential cryptanalysis.

Allowed to be used by developing countries " A5/0 (No Encryption version) Allowed to be used by underdeveloped countries Note that even though India can use A5/2 version but majority subscribers use no encryption. one can derive some information about its internal workings. The attack can be easily accomplished by making the card perform the algorithm just seven times with the unknown key. ! A5/1 Structure Three LFSR’s (Linear Feedback Shift Registers) o R1 (19-bit) o R2 (22-bit) o R3 (23-bit) Combination function is XOR. Man-in-the-middle attacks mainly deal with attacking the A5 algorithm. Scientists have known for some time that by looking at the side channels such as power consumption and the EM emanations from a computing device. re-order. Before getting into the vulnerabilities in A5/1 and A5/2.But the concept of building a BTS is highly impractical as cost required building a BTS estimates around $10. such as power consumption and electromagnetic (EM) emanations help in performing these kinds of attacks. Only non-linear component is the Clock control mechanism 6 . Only non-linear component is the Clock control mechanism ! A5/2 Structure Four LFSR’s o R1 (19-bit) o R2 (22-bit) o R3 (23-bit) o R4 (17-bit) Combination function is XOR. who has possession of a SIM card for a minute. A5 has three versions: " A5/1 (Stronger version) Used by USA and European countries " A5/2 (Weaker version) Export version. let’s get a hint about their structure. ! Partitioning attack Extracting secret key information from SIM cards by monitoring sidechannels. A hacker. replay. ! Man-in-the-middle attack This is the capability whereby the intruder puts itself in between the target user and a genuine network and has the ability to eavesdrop. delete. and spoof signaling and user data messages exchanged between the two parties.000. modify. can easily extract the full 128-bit key.

! Attacks on A5/1 and A5/2 There are mainly two types of attacks on A5/1 and A5/2: • Hardware based attacks • Requires FPGA • Software based attacks • Known cipher text attacks • Known plaintext attacks The best-published attacks against A5/1 require between 240 and 245 steps and that against A5/2 require 217 steps. Attacker derives the session key or keystream for other frame numbers from ciphertext. A key space of 254 keys would thus require about 900.000 seconds. This would cut the required time • 7 . A real-time brute-force attack against the GSM security system is not feasible. If we have a Pentium III class chip with approximately 20 million transistors and the implementation of one set of LFSRs (A5/1) would require about 2000 transistors. 250 hours. with one chip. as stated above. Giving up on a specific key after the first invalid keystream bit can optimize the attack. It might be possible to record the frames between the MS and the BTS and launch the attack afterwards though. A distributed implementation of thousand ASICs3 can get the session key in less than a minute. ! Software based attacks on A5/1 stream cipher • Known ciphertext attack: In known ciphertext attack hacker has knowledge of ciphertext only.000 parallel A5/1 implementations on one chip. but not to software-based attacks on multiple targets by hackers. If the chip was clocked to 600 MHz and each A5 implementation would generate one output bit for each clock cycle and we would need to generate 100+114+114 output bits. Brute-force attack: It takes around 20000 days for single PC to crack plain text or the session key Kc given the cipher text. * This level of security makes it vulnerable to hardware-based attacks by large organizations. ! Hardware based attack on A5/1 stream cipher The test is implemented in VHDL and compiled with the Xilinx Foundation software for a Xilinx XC4062 FPGA. This requires too much time in order to be feasible in eavesdropping on GSM calls in real time. we could try approximately 2 Million keys per second per A5/1 implementation. we would have a set of 10. The time complexity of the attack is 254 (264 if the ten bits were not zeroed out). A network of 100 PC may be able to crack it in a few weeks.

All known plaintext are based on subtle flaws in the tap structure of the registers. Also he knows the corresponding frame numbers. * IP architecture for supporting SS7 technology. 2. a set of standards proposed to put signaling architectures over IP. their noninvertible clocking mechanism. data is becoming more significant as a proportion of traffic compared to voice. . i.Explosive growth of IP's driving and enabling convergence: * Integration of circuit networks and IP networks.e. Protocol Stack (low to high) The protocol stack used in the SS7 protocols are 1.down by one third. • Known plaintext attack: In this type of attack attacker has complete knowledge of ciphertext and plaintext. How the "message content" sent over the layers. and their frequent resets. Message Transfer Part (Level1) Message Transfer Part (Level2) Message Transfer Part (Level3) Signaling Connection Control Part (SCCP) Transaction Control Application Part (TCAP) Operations Maintenance Administration Part (OMAP) ISDN User Part SS7 over IP Increasing need of convergence. The attack can also be distributed between multiple chips. * Ease of deployment. . 4. 2. provides umpteen benefits. Each functional program modules (corresponding to a protocol in the OSI model) is termed as "User Part".Signaling Transport (SIGTRAN). 3.3 SS7 Protocol Introduction Defines how the communication should be handled in the wired network. 5. Using above information he derives the session key or the keystream for other frame numbers. 8 . the addressal of transport issues in a packet based PSTN signaling in IP networks. 6. thus drastically decreasing the time required. use of Access Service Group (ASG) as the signaling gateway doesn’t require the existing SS7 network to be disrupted. 7.

SIGTRAN defined a new protocol for the transport of signaling protocols. HLR to be able to support heavy traffic.* Higher throughputs and bandwidths possible now. 3.g. which are quite obvious while implementing IP * Diversity of solutions possible. such as management indications. along with weak security features (specially to DoS attacks) rendered TCP to be replaced by a new architecture. as they could easily resort to using the flaws associated with Local Number Portability (LNP). SCCP User Application (SUA). an attacker can send malicious packets onto the network.: Using protocols like MTP3 User Application (M3UA). by providing interface only at the application level. which uses a ISDN line. SUA. This architecture consists of 3 components: 1. M2PA. the application vendor like SMSC has to deal with the application layer only. Security in SS7 networks: SS7 protocol designed for closed telecommunication networks possesses limited authentication facilities. Competitive Local Exchanges (CLECs) also offer chances. and made running of real-time applications inapposite. The Standard IP layer 2. owing to their poor network security. with technologies like IP over SDH. 9 . An Adaption sub-layer containing supporting specific primitives. The limited capability of TCP sockets. IUA etc. like M3UA. E. The reason for not using TCP were attributed to its limitations like stringent and reliability mechanisms which resulted in unnecessary delays. Stream Control Transport Protocol (SCTP) serves as the common signaling transport protocol. which allows the users to switch their local providers without having to change their local phone number. of ways: • • • • At ISDN connection with SSP: Spoofing a source telephone. Vulnerabilities in SS7 networks Attackers can gain access to the network in quite a few no. which obviates dealing with the complexity of the SS7 network. . an attacker might be able to gain entry into the SS7 network via the Internet. The attacker could easily compromise a single computer. Tracing of attackers is an arduous task. * Enhanced Services. Any user capable of generating SS7 packets can gain entry in to the SS7 network. required by a particular signaling application protocol. allowing high-ended machines like SMSC. Increasing dependence of PSTN & Internet creates loopholes.

It also leads to voice mail hacking. The GTT database could also be modified. causing overloading. and subsequent crippling of the network. A Distributed Denial of Service (DDoS) overloads the STP-SSP connection. by having a bogus STP. SSP From the periphery of a SS7 network. SCCP packets may be forwarded to any location by modifying the destination address. and rendering the connected SSP useless. to some illicit telephone number or more serious problems like modifying the forwarding address to some emergency service. full access to someone's voice mailbox. by sending a lot of IAMs to a single SSP. It is also prime target for packet sniffing.Attacks on nodes of SS7 networks 1. it is most prone to hacks. data loss. With CDMA. each signal consists of a different pseudorandom binary sequence that modulates the carrier. because of weak authentication. Sensitive information like Point Codes of the network could be obtained by accessing the corresponding SCPs. 2. a well-established technology that has been applied only recently to digital cellular radio communications and advanced wireless technologies. Eavesdrop on certain conversations. by obtaining passwords using TCAP messages. because a specific user's data always passes through the same SSP. or changing of the billing information. 3. SCP It contains database information. MTP layer 3 packets. Attacks associated with Toll-free numbers that involve modification of the number to direct charges to some other totally unrelated party. Multiple (compromised) STPs might be modified to re-route all the traffic via specific STP. 3. spreading the spectrum of the 10 . if fabricated would be unable to provide link management features like notifying surrounding nodes of the failure of signaling point. or disrupting some business by forwarding all calls addressed to it. STP It can be done through exploiting weakness in the routing protocols. so it is highly vulnerable. which might cause congestion. Overview of CDMA technologies 3. An attacker intercepting at that compromised SP could modify IAMs to request connection with some targeted user.1 THE CDMA CONCEPT CDMA is a modulation and multiple access scheme based on spread spectrum communication. which collects and filters the packets received to the hacked STP.

do not despread in bandwidth and as a result. TDMA. Figure 1: Frequency and Time Domain Representations of FDMA. Since all calls use the same frequencies. The major parameters that determine the CDMA digital cellular system capacity are processing gain. voice duty cycle. required Eb/N0. CDMA frequency reuse efficiency is determined by a small reduction in the signal-to-noise ratio caused by system users in neighboring cells. whose codes do not match. A large number of CDMA signals share the same frequency spectrum. The CDMA system can also be a hybrid of FDMA and CDMA techniques where the total system bandwidth is divided into a set of wideband channels. and is enhanced by the system processing gain or the ratio of spread bandwidth to baseband data rate. each of which contains a large number of CDMA signals. The other users’ signals. CDMA frequency reuse efficiency is approximately 2/3 compared to 1/7 for narrowband FDMA systems. In the cellular radio frequency reuse concept. CDMA does this effectively because it is inherently an excellent anti-interference waveform. If CDMA is viewed in either the frequency or time domain. frequency reuse efficiency. and the number of sectors in 1 cell. interference is accepted but controlled with the goal of increasing system capacity. The CDMA cellular telephone system achieves a spectral efficiency of up to 10 times the analog FM system efficiency when serving the same area with the same antenna system. The signal-to-interference ratio is determined by the ratio of desired signal power to the sum of the power of all the other signals. the multiple access signals appear to be on top of each other. contribute only to the noise and represent a selfinterference generated by the system. This is a capacity of up to one call per 10 kHz of spectrum. 11 . and CDMA.waveform. The signals are separated in the receiver by using a correlator which accepts only signal energy from the selected binary sequence and despreads its spectrum.

lower cost per subscriber • Exploitation of multipath diversity • Low transmission power. 3.2 Advantages of CDMA technology The advantages of the CDMA technology are • Fewer cells needed. CAVE is detailed in an export-controlled appendix to the standard. Future IS-41 systems will replace most of 12 . instead of being unique to the origination. meaning that there is about 1 chance in ¼ million of faking a call by sending a random signature. we can invest in the lottery. intermediate keys called “Shared Secret Data (SSD)” are generated. These are each 64 bits. The output from CAVE is truncated to 18 bits.4 Authentication Signatures Before allowing a mobile phone to access the network. the various privacy keys are generated soon afterwards. It takes 23 octets of input and produces 16 octets of output. and hence is standardized in all the phones.Unlike FDMA or TDMA. In IS-41 the phone itself contains the secret key. In IS-41. and an SSD-B which is used for cryptographic key generation. At these odds. and the algorithm (CAVE). and shuffling the inputs. The shared secret data can be sent to the visited system while roaming. the phone number is also input to the algorithm. the phone must present a response to a challenge. allowing local authentication. There is an SSD-A which is used in authentication signatures. This is because the random challenge is broadcast and changes regularly. moderate processing power required • High voice quality (variable rate vocoder) • Enhanced privacy • Easy introduction of new features 3.3 Authentication and security in CDMA The authentication for CDMA access has been defined in IS-41 standard. which is used to calculate the signature. There • • • are also three session keys generated from SSD-B: The CMEA key (64 bits) The Voice Privacy Mask (520 bits) The DataKey (32 bits) 3. for originating a call. based on the SSD-A (IS-41) or the master key (GSM). This saves message overhead both over the air and within the network. CAVE is a hashing algorithm which works by using a shift register driven walk over the input data and a somewhat random table. If encryption is supported. Note that. Individual users are selected by correlation processing of the pseudonoise waveform. CDMA has multiple users simultaneously sharing the same wide band channel.

13 . This makes the algorithm itself self-inverse. This is a variable length block cipher. simultaneous detection. The data signal is spread over the whole available bandwidth. CMEA has been broken. The packet formats differ for the three standards. a self-inverse “folding” and the inverse of the first step.6 CDMA Design Security and interception of signals DCMA uses spread spectrum technologies for communication. Hence there exists a mathematical algorithm to separate each signal at the receiving end provided PN numbers of transmitting stations are known. the US FIPS-180-1 Secure Hash Standard. 3. There have been some advances in the interception of CDMA data. short messages (paging). ditto. a LSFR-based stream cipher intended for wireless data services is used for encrypting data over CDMA wireless networks. This means that it is possible to intercept the data of individual base stations only if the attacker knows the PN. Data Privacy ORYX. which isn’t such a hot idea in retrospect. All the users transmit their data simultaneously. but the algorithm is the same. The PN numbers of the stations are orthogonal. The research done by Gary E. of all communication signals transmitted by the base station of interest. The assumption is that when the multiple stations transmit simultaneously the resultant signals add linearly.the functionality of CAVE with SHA-1. in a single receiver. 3. Ford and Michael Golanbari shows that it is possible using multi-user detectors on board airborne and terrestrial mobile interceptors. Vendors can implement any algorith (like DES or 3-DES) for data protection if they wish to. and DTMF tones are put into data packets and are encrypted using CMEA (Cellular Message Encryption Algorithm).5 Signaling data privacy Data such as numbers dialed. which make it possible to monitor and identify data meant for a particular base station. which works by a table walk using a key-derived somewhat random table. The data is modulated by fast moving PRN whish spreads it all over the spectrum. The cipher is used in ECB (Electronic Code Book) mode.

3. Then what differentiates these both systems in terms of security? The fact is that due to the inherent design of CDMA AIR INTERFACE it has not been possible for any attacker to successfully capture the CDMA digital packets. Conclusion Clearly the CDMA is the next generation technology in terms of Voice and Data transmissions over the AIR. The security of CDMA lies in solving the complex filtering function to separate out the data and as technology progresses this also would be possible. But it is now known that there are possible cryptanalytic attacks possible on these algorithms (ref 1. The CDMA technologies have already been applied to CONVERGENT networks. 3).7 Security Concerns in CDMA CDMA uses the CAVE algorithm for authentication along with encryption algorithms like CMEA and ORYX for privacy and integrity of data.8 Comparison of Security in GSM and CDMA technologies We can see that the encryption algorithms used in both CDMA and GSM are susceptible to attacks. CDMA interception has a long way to go. Till then CDMA can be considered more secure than other existing technologies. Even though the cryptographic algorithms for CDMA have been broken. 3. These algorithms were considered to be secure till recent times. This means that the CDMA transmissions will remain secure at least for few years from now. This gives an additional level of security to CDMA technology. Hence the problems faced currently by CDMA are more of the nature of computer attacks and exploits in the network management protocol (SNMP). The attacks are similar to those conducted on GSM system namely known plaintext and known cipher text attacks. But this does not mean that it would never be possible to capture CDMA packet intended for a particular base station over the air. Thus the future problem of CDMA may lie in the domain of computer networks rater than telecommunication domain. 4. GSM data for a particular base station can be captured over the air and subjected to cryptanalytic attacks. 14 . Hence we can conclude that that the encryption provided by CDMA standards is inadequate. which yet is not possible in CDMA.

Cryptanalysis of the A5/1 GSM Stream Cipher Eli Biham Orr Dunkelman 14.htm.cs. http://www. Paper on “Real time cryptanalysis of A5/1 on a PC” Alex Birukov & Adi Shamir (1999) 9.berkeley. http://www. Paper on “A cryptanalytic time-memory trade-off” By Hellman 12.com/press/PDF/about_cdma.qualcomm. Qualcomm papers i.cs.berkeley.com/main/whitepapers/1xEV_AirlinkOverview_11 0701.pdf 3.qualcomm.References 1. Book on “Global System for Mobile Communication” By Asha Mehrotra 7. Wireless Communications Principles and Practice By Rapport.html 15 . ii.html 2. Cryptanalysis of the Cellular Message Encryption Algorithm By David Wagner Bruce Schneier John Kelsey i. Paper on “Real-time Cryptanalysis of the Alleged A5/1 on a PC” By Alex Birukov & Adi Shamir (2000) 8. Paper on “Cryptanalysis of alleged A5 stream cipher” By Golic (1997) 10. Cryptanalysis of ORYX by David Wagner Bruce Schneier and others.htm.pdf http://www.edu/~daw/papers/cmea-crypto97www/paper10.edu/~daw/papers/ 4. http://www. WebPages – http://kiwibyrd.ru/gsm/a3a8. Paper on “Cryptanalysis of A5/2 algorithm” By Solobodan Petrovic and Amparo Fuster-Sabater (1999) 11. iii. /a512.chat.pdf http://www. TIA standards 92-95 5.com/press/PDF/GSM1x_Overview.qualcomm. Pearson publications 6. /a51. Book on “Applied Cryptography” – Second edition (2001) By Bruce Schneier 13.

He currently is researching on wireless LAN vulnerabilities and countermeasures. Department of Atomic Energy (DAE). Head of Technology S. Sangram S. He was a Fellow of National Board for Higher Mathematics (NBHM). Gayal. He has been doing secure code auditing for many banking applications. Vetha Manickam holds a PhD degree in Scientific Computing and Numerical Analysis from Indian Institute of Technology. Chennai.About the Authors Dr. A. He currently is an Information Security Consultant with Network Security Solutions India Ltd. Dr. Aurangabad. He has spearheaded development teams in iKey integration. Vetha Manickam. Information Security Consultant Sangram S. desktop security development. and Associate researcher at Center for Information and Network Security. He is also involved in cryptanalysis for mobile and Wireless LAN encryption algorithms. where his dissertation was in "Object Oriented Methodologies". Manickam has extensive experience in implementing e Security for organizations and defining the Information Risk Management Policies. 16 . integrity and Digital Signature. vulnerability scanner development and incorporation of Digital Signature for the Enterprise solutions. confidentiality. A. He has also been involved in development of cryptographic algorithms and PKI products for authentication. S. Gayal is Bachelor of Engineering in Electronics and Telecommunications from Government College of Engineering. Bombay. University of Pune. He has a Masters in Applied Mathematics from Anna University. India during the doctoral and post doctoral degree.