
GSM – 10EC843 Unit - 6

Unit 6

Privacy and Security in GSM

Cellular fraud is extensive in analog cellular systems since the identity of the subscriber
is sent to the network without encryption ("in the clear"). The GSM system, on the other hand,
has security controls that virtually eliminate cloning fraud. The designers also wanted to ensure
that the users' communications on the GSM system would be private, so the GSM system also
has controls ensuring user privacy.

[Cell phone cloning is a technique wherein secured data from one cell phone is transferred into
another phone. The other cell phone becomes an exact replica of the original, like a clone.
As a result, while calls can be made from and received by both phones, only the legitimate
subscriber is billed, as the service provider network does not have a way to differentiate between
the legitimate phone and the “cloned” phone. The cloner can set the options to ring his phone
when you make a call, and you will have no idea that the cloner is listening from his own mobile.
He can read text messages and phone book entries, look at pictures, and so on. He can also dial
phone numbers from his phone, and a whole lot more. Though communication channels are equipped
with security algorithms, cloners still get away with it by exploiting loopholes in the systems.
So when one gets huge bills, the chances are that the phone is being cloned. Millions of cell
phone users, be it GSM or CDMA, are at risk of having their phones cloned.]

GSM system privacy and security is achieved using four primary mechanisms.

1. Each subscriber is identified using a cryptographic security mechanism. The algorithm is
highly resistant to attacks by individuals attempting to make fraudulent phone calls.

2. The subscriber's security information is stored in a secure computing platform called a smart
card or a SIM card.

3. The GSM operator maintains the secrecy of the cryptographic algorithms and the keys for
authenticating the subscriber and providing voice privacy. The algorithms are stored in the SIM
card and in the authentication center.
Shwetha M, Assistant Professor, Department of ECE, Sai Vidya Institute of Technology, Bengaluru – 560 064
m.shwetha@saividya.ac.in

4. The cryptographic keys are not shared with other GSM administrations.

Wireless Security Requirements

Security in a wireless system is of concern to the system operator and to the user. The system
operator wants to ensure that the user requesting the service is a valid user whose actual identity
is the same as the claimed identity—the operator must authenticate the user. The user wants to
have access to services without compromising privacy. Users get disturbed when their locations,
calling patterns, and details of their conversations are monitored.

I. Privacy of Communications: Fig 1 is a high-level diagram of a PCS system showing areas
where criminals or hackers can compromise the security of the system. At each interface
compromise is possible, so designers must pay attention to each of these areas. A PCS
personal terminal needs privacy in these areas:

i. Call Setup Information. During call setup, the handset will communicate information
such as calling number, calling card number, and type of service requested to the
network. The system must send all this information in a secure way.

ii. Speech. The system must encrypt all spoken communications so that hackers cannot
intercept the signals by listening on the airwaves.

iii. Data. The system must encrypt data communications so that hackers cannot intercept
data by listening on the airwaves.

iv. User location. No information that a user might transmit should enable a listener to
determine the user's location. The usual method to meet this need is to encrypt the user
ID. Protection is needed against:

1. Radio link eavesdropping

2. Unauthorized access by outsiders (hackers) to the user location information stored in
the network at the VLR and HLR

3. Unauthorized access by insiders to the user location information stored in
the network. This is difficult to achieve, but not impossible.


v. User ID. When a user interacts with the network, the user ID must be sent in a way that
does not show the user ID. This prevents analysis of user calling patterns based on user
ID.

vi. Calling patterns. No information must be sent from a handset that enables a listener of
the radio interface to do traffic analysis on the PCS user. Typical traffic analysis
information is

1. Calling number

2. Frequency of use of the handsets

3. Caller ID

4. Financial transactions

If the user transmits credit card information over any channel, the system must protect the data.
For example, users may order items from mail order houses via a telephone that is wireless and
may choose to speak their credit card numbers rather than dialing them via a keypad.

Fig 1: Privacy Requirements

II. Authentication Requirements

The system operator may or may not care if a call is placed from a stolen handset as long as the
call is billed to the correct account. However, the owner of a handset will care. The network
operator maintains a list of valid terminals in the EIR.


The terminal design should reduce theft of the handset by making reuse of a stolen handset
difficult. Even if the handset is registered to a new legitimate account, the use of the stolen
terminal should be stopped. The terminal design should also reduce theft of services by making
reuse of a stolen handset's unique information difficult. To reduce theft, we need

1. Clone-resistant design. In current wireless systems, cloning of handsets is a serious
problem; methods must be put in place to reduce or eliminate fraud from cloning.
Handset-unique information must not be compromised

• Over the air. Someone listening to the radio channel should not be able to determine
information about the handset and then program it into a different handset.

• From the network. The databases in the network must be secure. No unauthorized
people should be able to obtain information from those databases.

• From network interconnect. Systems will need to communicate with each other to
verify the identity of roaming handsets. A fraudulent system operator could perpetrate
fraud by using the security information about roaming handsets to clone handsets.

• From fraudulent systems. The communications scheme used between systems to
validate roaming handsets should be designed so that theft of information by a
fraudulent system does not compromise the security of the handset.

• From security algorithms. Any information passed between systems for the purpose
of security checking of roaming handsets must have enough information to authenticate
the roaming handset. It must also have insufficient information to clone the roaming
handset.

• From users cloning their own handsets. Users themselves can perpetrate fraud on the
system. Multiple users could use one account by cloning handsets.

2. A cryptographic system to reduce installation and repair fraud. Theft of service can
occur at the time of installation of the service or when a terminal is repaired. Multiple
handsets can be programmed with the same information (cloning).

3. Unique user ID. More than one person may use a handset, so we must uniquely identify the
correct person for billing and other accounting information.

4. Unique handset ID. When all security information is contained in a separate module (smart
card), the identity of the user is separate from the identity of the handset. Stolen handsets can
then be valuable for obtaining service without purchasing a new (full-price) handset.
Therefore, the handset should have unique information contained within it that reduces or
eliminates the potential for stolen handsets to be re-registered with a new user.

III. System Lifetime Requirements

It has been estimated that computing power doubles every two years. An algorithm that is secure
today may be breakable in 5-10 years. Since any system being designed today must work for
many years, it is reasonable to require that the procedures last at least 20 years. Thus, the
algorithm design must consider the best cracking algorithms available today and must
have provisions for being upgraded in the field.

IV. Physical Requirements

Any cryptographic system used in a handset must work in the practical environment of a
mass-produced consumer product.

SIM CARDS

The SIM card is a secure microprocessor-based environment implemented on a credit-card-sized
platform. Two types of SIM cards are used in GSM.

• An ID-1 card is the same size as a standard credit card (Figure 2). It looks like a standard
card and has embossing, picture, lettering, and a magnetic stripe similar to a credit card, but
it also includes a microprocessor.

• While some larger GSM phones would use the ID-1 card, most GSM handsets use the
plug-in SIM card (Figure 3).


Fig 2: ID-1 SIM card

Fig 3: Plug-in SIM card

• An ID-1 card can be (permanently) converted to a plug-in SIM card by removing the plug-in
SIM from the plastic of the card.

• The microprocessor platform is designed to be secure. Attempts to reverse engineer the
smart card will render the card inoperative and destroy the data on the card.

• Certain data can be changed only by the manufacturer of the card; other data can only be
changed by entering a PIN.

• The smart card can contain both data and executable files and can support a wide range of
access permissions.

• The file structure (Figure 4) is similar to the file structure used for other operating systems
except that the naming convention is different. The root-level directory is called the Master
File (MF). Under the MF are elementary files (EFs), which can contain data or executable
files. The MF also contains directories called Dedicated Files (DFs) which can contain
either additional DFs or EFs, up to the limit of the storage capacity of the SIM card.

• If EFO is present in a directory, it contains the PIN for the data and executable files in the
directory. If EFO is not present, the card uses the EFO file in the next directory.


Fig 4: File structure of SIM card

• The EFO file under the MF contains the PIN for all card functions except those directories
(DFs) that have their own PIN. Each file/directory has access conditions (read and write).

• Several access conditions are defined (see Table 1) that enable executable and data files to be
stored on the card.

• Since some users may not want to enter a PIN each time they access their phones, the smart
card supports a second PIN (CHV2) that can be used to disable PIN checking.

• However, GSM administration may prevent the use of CHV2; thus each time the phone is
powered up, the user must enter a PIN.

Table 1: File Access Conditions


The SIM card provides storage capability for

• Administrative information—indicates mode of operation of the SIM (e.g., normal, type
approval)

• ID card identification—a number uniquely identifying the SIM and the card issuer

• SIM service table—indicates which optional services are provided by the SIM

• IMSI

• Location information—comprising TMSI, LAI, periodic location updating timer, and the
location update status

• Encryption keys (Kc, Ki) and encryption key sequence number

• BCCH information—list of carrier frequencies to be used for cell selection

• Access control class(es)

• Forbidden PLMNs

• HPLMN search period—used to control the time interval between HPLMN searches

• Language preference—user-preferred language(s) of Man-Machine Interface (MMI)

• Phase identification

Location information, encryption key, and encryption key sequence number are updated on the
SIM card after each call termination and when the handset is correctly deactivated in accordance
with the manufacturer’s instructions.

The SIM card may also optionally provide storage capability for

• PLMN selector (for automatic PLMN selection)

• Cell broadcast message identifier selection

• Abbreviated dialing numbers/supplementary service control

• Fixed dialing numbers/supplementary service control

• MSISDN numbers

• Last numbers dialed

• Capability configuration parameters (provide the parameters of required bearer
capabilities associated with dialing numbers)

• Called party subaddress

• Short messages and associated parameters

• Accumulated call meter, accumulated call meter maximum value, price per unit, and
currency table

SECURITY ALGORITHMS FOR GSM

GSM uses 3 security algorithms (Fig 5 and Fig 6).

1. Authentication algorithm (A3). Used by the handset to compute a signed response (SRES)
to the random number (RAND) transmitted by the BS. SRES is transmitted to the BS during
registration and other access messages. The computation also uses a secret key (Ki) that is
stored in the SIM card and is unique to each SIM card. The A3 algorithm is different for
each GSM administration and is secret. Many GSM administrations use a common A3 that
is available from the GSM Memorandum of Understanding (MoU) Security Group.

2. Privacy key generation algorithm (A8). Also uses RAND and Ki to generate a privacy
key (Kc) that is used for voice and data privacy. A8 is also unique to each GSM
administration. A common A8 is available from GSM MoU.

3. Encryption algorithm (A5). Used to encrypt data transmitted on the DCCH and the TCH.
The inputs to A5 are the privacy key (Kc) and the TDMA frame counter. The frame counter
is 22 bits long and each frame is approximately 4.6 ms long. Therefore the encryption mask
repeats approximately every 5 hours. For each frame, two outputs of A5, BLOCK1 and
BLOCK2, are generated. BLOCK1 is used for encryption by the BS and BLOCK2 is used
for encryption by the handset. The details of A5 are available from the GSM MoU.

The secret key (Ki) is 128 bits long. The pseudorandom number transmitted by the BS (RAND)
is also 128 bits long. The computed signed response (SRES) is 32 bits long.
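
The A3/A8 challenge-response described above, as an added example that is not part of the original notes. Because the real A3 and A8 are operator-specific, HMAC-SHA256 is used here purely as a labelled stand-in; the class and function names, the test IMSI and the 64-bit Kc length are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Sizes in bytes. Ki, RAND and SRES follow the notes; the 64-bit Kc is GSM's
# usual size, which the notes do not state.
KI_LEN, RAND_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def _keyed(ki: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # STAND-IN ONLY: real A3/A8 are operator-specific. HMAC-SHA256 is used
    # here just so the exchange can be run end to end.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]


def a3(ki: bytes, rand: bytes) -> bytes:    # (Ki, RAND) -> SRES
    return _keyed(ki, b"A3", rand, SRES_LEN)


def a8(ki: bytes, rand: bytes) -> bytes:    # (Ki, RAND) -> Kc
    return _keyed(ki, b"A8", rand, KC_LEN)


class Sim:
    """Card side: Ki stays inside the object, only SRES and Kc come out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run(self, rand: bytes):
        if len(rand) != RAND_LEN:
            raise ValueError("RAND must be 128 bits")
        return a3(self._ki, rand), a8(self._ki, rand)


class AuthCenter:
    """Network side: holds Ki per IMSI and produces (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> Sim:
        self._ki[imsi] = secrets.token_bytes(KI_LEN)
        return Sim(imsi, self._ki[imsi])

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(RAND_LEN)    # non-predictable challenge
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


def challenge(triplet, sim: Sim):
    """Send RAND, compare the returned SRES, release Kc only on a match."""
    rand, expected_sres, kc = triplet
    sres, kc_ms = sim.run(rand)
    ok = hmac.compare_digest(sres, expected_sres)
    return ok, (kc if ok else None), kc_ms


if __name__ == "__main__":
    IMSI = "001010123456789"                    # constructed 15-digit test IMSI
    auc = AuthCenter()
    genuine = auc.provision(IMSI)
    copied_identity = Sim(IMSI, bytes(KI_LEN))  # same IMSI, but without the real Ki
    print(challenge(auc.triplet(IMSI), genuine)[0])          # True
    print(challenge(auc.triplet(IMSI), copied_identity)[0])  # False
```

Only RAND and SRES cross the radio interface; Ki never does, which is why copying the identity alone does not produce a working clone.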


Fig 5: Use of A3 and A8 in GSM Authentication

Fig 6: Encryption and Decryption of the DCCH and TCH using A5.


TOKEN-BASED AUTHENTICATION

• All MSs are assigned an electronic serial number—the IMEI—when they are
manufactured. At the time of service installation, the SIM card is assigned a 15-digit
IMSI that is unique worldwide, Ki, and other data.

• When the MS is turned on, it must register with the system. When it registers, it sends
its TMSI and other data to the GSM network.

• The VLR in the visited system then queries the old VLR for the security data and
location of the HLR and assigns a new TMSI to the MS. The MS uses the TMSI for all
further access to that system.

• The TMSI provides anonymity of communications since only the MS and the network
know the identity of the MS with a given TMSI. When an MS roams into a new
system, the GSM system uses the TMSI to query the old VLR and then assigns a new
TMSI; only when a communications failure occurs will the network request that the
MS send its IMSI and then assign a new TMSI.

• The BS transmits a RAND on the DCCH that is received by the MS. When the MS
accesses the system, it calculates SRES. It then transmits the desired message with its
authentication to the network.

• The network does the same calculation and confirms the identity of the MS.

• All communications between the MS and the BS are encrypted to prevent a hacker
from decoding the data and using the data to clone other phones.

• Authentication is performed after the user identity (TMSI or IMSI) is known by the
network and before the channel is encrypted.

• Each system operator can choose its own authentication method. The MS and the HLR
each support the same method and have common data.

• Each MS sends a registration request; the network then sends it a unique challenge. The
MS calculates the response to its challenge and sends a message back to the network.

• The VLR contains a list of triplets—RAND (random number), SRES (signed
response), Kc (privacy key); the network compares the triplet with the response it
receives from the MS. If the response matches, the MS is registered with the network.
The just-used triplet is discarded. After all triplets are used, the VLR must query the
HLR for a new set. Each query typically results in three to five triplets.

• Security of the MS is maintained by storing all data in the SIM which can be removed
from the MS.

1. Token-based Registration

The call flows for token-based registration are (see Figure 7):

i. The MS sends a registration message to the new system with the old TMSI and old LAI.

ii. The new system queries the old VLR for data.

iii. The old VLR returns security-related information (e.g., unused triplets and location of
HLR).

iv. The new system issues a challenge to the MS.

v. The MS responds to the challenge.

vi. The new system assigns a new TMSI.

vii. The new system sends a message to the HLR with MS location update information.

viii. The HLR updates its location database with the new location of the MS.

ix. The HLR acknowledges the message and may send additional security-related data
(additional security triplets).

x. The HLR sends a registration cancellation message to the old VLR.

xi. The new system sends an encrypted message to the MS with the TMSI.

xii. The MS acknowledges the message.


Steps 11 and 12 can occur any time after step 6 and are not time synchronized with steps 7-10. If
for any reason the old VLR is not reachable, the new visited net will request that the MS send its
IMSI to the network; then the new net will establish communications with the HLR.

Fig 7: Token-based registration

2. Token-based Challenge

The token-based challenge is integrated into the various call flows (e.g., registration, handover).

• Since token-based systems must query the HLR for additional triplets when they are used,
provisions are made to reuse the triplets.

• In those areas of the world where encryption of the radio link is not permitted or during times
of network overload when encryption is disabled, the reuse of triplets can ultimately result in
a security breach since it may be possible for other handsets to send a previously used
challenge response pair and falsely gain access to the network. As token-based systems are
more widely deployed, this type of fraud may be seen more and more.

• The security-related information consisting of the RAND, SRES, and Kc triplet is stored in
the VLR. When a VLR has used a token to authenticate an MS, it either deletes the token or
marks it as used. When a VLR needs to use a token, it uses an unused set. If all sets are used,
then the VLR may reuse a set that is marked used. The system operator defines how many
times a token may be reused in the VLR. When a token is used the maximum number of
times, it is deleted.

• When a VLR successfully requests tokens from the HLR or an old VLR, it discards any
tokens that are marked as used.

• When an HLR receives a request for tokens, it sends any sets that are not marked as used.
Those sets shall then be deleted or marked as used. Again, the system operator defines how
many times a set may be reused before being discarded. When the HLR has no tokens, it will
query the authentication center for additional tokens.
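
The VLR token handling described above, as an added example that is not part of the original notes: it models the use, mark, reuse and discard rules and counts how many authentications re-send a RAND that was already used, which is the exposure the reuse bullet warns about. `VlrTokenStore`, `repeated_challenges` and the sample triplets are constructed for this example, and the VLR is assumed to refetch only once its store is empty.

```python
import secrets
from dataclasses import dataclass


@dataclass(eq=False)
class Token:
    rand: bytes
    sres: bytes
    kc: bytes
    uses: int = 0


def constructed_triplets(n):
    # Opaque sample triplets; the VLR only stores and compares them.
    return [(secrets.token_bytes(16), secrets.token_bytes(4), secrets.token_bytes(8))
            for _ in range(n)]


class VlrTokenStore:
    def __init__(self, max_reuse: int):
        self.max_reuse = max_reuse      # operator-defined; 0 deletes after first use
        self.tokens = []

    def load(self, triplets):
        # A successful fetch from the HLR or old VLR discards sets marked as used.
        self.tokens = [t for t in self.tokens if t.uses == 0]
        self.tokens.extend(Token(*t) for t in triplets)

    def next_token(self):
        unused = [t for t in self.tokens if t.uses == 0]
        pool = unused or self.tokens    # used sets are a fallback only
        if not pool:
            return None                 # nothing left: the HLR must be queried
        tok = min(pool, key=lambda t: t.uses)
        tok.uses += 1
        if tok.uses > self.max_reuse:   # used the maximum number of times
            self.tokens.remove(tok)
        return tok


def repeated_challenges(max_reuse: int, per_fetch: int, auths: int) -> int:
    """Count authentications that re-sent a RAND already seen on the air."""
    store, seen, repeats = VlrTokenStore(max_reuse), set(), 0
    store.load(constructed_triplets(per_fetch))
    for _ in range(auths):
        tok = store.next_token()
        if tok is None:                 # refetch only once the store is empty
            store.load(constructed_triplets(per_fetch))
            tok = store.next_token()
        repeats += tok.rand in seen
        seen.add(tok.rand)
    return repeats
```

With five triplets per fetch and twelve authentications, a reuse limit of 0 repeats no challenge, while a limit of 2 repeats seven of the twelve.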

When a network must challenge an MS, the network will use one token from the current set of
tokens and use the following call flow (see Figure 8):

1. The network transmits the (nonpredictable) RAND to the MS.

2. The MS computes the signature SRES of RAND using the encryption algorithm
and the user authentication key (Ki).

3. The MS transmits the signature SRES to the network.

4. The MSC sends a message to the VLR requesting an authentication.

5. The VLR tests SRES for validity.

6. The VLR returns the status to the MSC.

7. The MSC sends a message to the MS with a success or failure indication.


Fig 8: Token-based unique Challenge
