ECE816: Cryptography and Network

Lecture 18: Wireless Security

Lecturer: Prof. J. Ren

Contents
1 Wireless Evolution 2
1.1 Early Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 2G (Digital Cellular) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 3G (IMT-2000) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 4G-LTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.5 5G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Why is wireless different? 3

3 Multiple Access Schemes 4

4 Spread Spectrum 5
4.1 Frequency Hoping Spread Spectrum (FHSS) . . . . . . . . . . . . . . . . . . . . . 6
4.2 Direct Sequence Spread Spectrum (DSSS) . . . . . . . . . . . . . . . . . . . . . . 7

5 PN Sequences 8
5.1 Important PN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2 Period of a Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.3 Properties of M -Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 CDMA - Network Security 10

6.1 CDMA - A-Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

7 CDMA - Authentication 11
7.1 CDMA - Privacy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

8 Anonymity 13

9 3G CDMA 2000 Security 13

10 LTE Security 13
10.1 Cybersecurity Research Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.2 LTE Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1
11 GSM Security 14
11.1 GSM Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
11.2 Subscriber Itentity Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 17
11.3 Subscriber Identity Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . 18
11.4 User and Signaling Data Confidentiality . . . . . . . . . . . . . . . . . . . . . . . 19
11.5 Security Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

1 Wireless Evolution
1.1 Early Stage
• The first systems offering mobile telephone service (car phone) were introduced in the late
1940s in the United States and in the early 1950s in Europe.

• Those early single cell systems were severely constrained by restricted mobility, low capac-
ity, limited service, and poor speech quality.

• The equipment was heavy, bulky, expensive, and susceptible to interference.

1.2 2G (Digital Cellular)

• Speech transmission dominates the airways

• But the demands for fax, short message, and data transmissions are growing rapidly.

• 2G cellular systems include:

– GSM
– Digital AMPS (D-AMPS)
– Code Division Multiple Access (CDMA)
– Personal Digital Communication (PDC)

1.3 3G (IMT-2000)
• IMT–2000, is a single family of compatible standards that have the following characteristics:

– Used worldwide
– Used for all mobile applications
– Support both packet-switched (PS) and circuit-switched (CS) data transmission
– Offer high data rates up to 2 Mbps (depending on mobility/velocity)

2
 – Offer high spectrum efficiency

• Three proposals:

– IMT–2000, or UMTS (W-CDMA), proposed as the successor to GSM: developed by

Third-Generation Partnership Project (3GPP), a joint venture of Europe, USA, China,
South Korea, and Japan.
– CDMA2000 as the interim standard ’95 (IS–95) successor: developed by Third-Generation
Partnership Project (3GPP2) and is leading by Telecommunications Industrial Associ-
ation (TIA, USA).
– Time division–synchronous CDMA (TD–SCDMA) (universal wireless communica-
tion–136 (UWC–136]/EDGE) as TDMA–based enhancements to D–AMPS/GSM.

1.4 4G-LTE
• 4G, or the current standard of cellular networks, was released in the late 2000s and is 500
times faster than 3G.

• Support high-definition mobile TV, video conferencing and much more.

• The first-release Long Term Evolution (LTE) standard was commercially deployed in Oslo,
Norway, and Stockholm, Sweden in 2009, and has since been deployed throughout most
parts of the world.

• When a device is moving, the top speed can be 10s of mbps, and when the device is station-
ary, it can be 100s of mbps.

• The 20MHz bandwidth sector has peak capacity of 400Mbps.

1.5 5G
• Planned successor to the 4G networks

• Predicted to have more than 1.7 billion subscribers worldwide by 2025

• Download speeds ranges from 50 Mbit/s to over a gigabits/s

2 Why is wireless different?

• Wireless communications is the process of communicating information in electromagnetic
media over a distance through the free-space environment, rather than through traditional
wired or other physical conduits.

3
 • Wireless messages move through the free-space environment on certain spectrum alloca-
tions, which are scare, heavily regulated, and often unattainable resources.

• Wireless devices are inherently less secure than their wired counterparts

– Due in part to their limited bandwidth, memory, and processing capabilities.

– They send data into the air where anyone with the technology can intercept it.

• Wireless technology, by nature, violates the fundamental security principles. It does not
ensure identity of the user and the device (authentication), nor prevent the sender of the
message from denying he or she has sent it (non-repudiation)

• Wireless technology is hardly new, but its application space is immature and quite possibly
disruptive.

3 Multiple Access Schemes

• What Do We Mean by Multiple Access?

– Multiple access is the means by which the limited spectral resources are allocated to
users, all of whom are competing for these resources.
– Single channel, multiple users

• Three basic multiple access strategies:

– Frequency (FDMA)
– Time (TDMA)
– Code (CDMA)

• CDMA: Many signals share the same times and frequencies but independent codes

4
4 Spread Spectrum
• Spread spectrum is a type of modulation that scatters data transmissions across the available
frequency band in a pseudorandom pattern.

• Spreading the data across the frequency spectrum makes the signal resistant to noise, inter-
ference, and snooping.

• Data input is fed into a channel encoder to produce analog signal with narrow bandwidth

5
 • Signal is further modulated using spreading sequence – spread the spectrum

• On receiving end, the same spreading sequence is used to demodulate the spread spectrum
signal

• Signal is fed into a channel decoder to recover data

• What can be gained from apparent waste of spectrum?

– Immunity from various kinds of noise and multipath distortion

– Can be used for hiding and encrypting signals
– Several users can independently use the same higher bandwidth with very little inter-
ference

• Types of spread spectrum

– Frequency hopping spread spectrum

Direct sequence spread spectrum
– Time hopping spread spectrum
– ...

4.1 Frequency Hoping Spread Spectrum (FHSS)

• Signal is broadcast over seemingly random series of radio frequencies

– A number of channels allocated for the FH signal

– Width of each channel corresponds to bandwidth of input signal

• Signal hops from frequency to frequency at fixed intervals

– Transmitter operates in one channel at a time

– Bits are transmitted using some encoding scheme
– At each successive interval, a new carrier frequency is selected

• Channel sequence dictated by spreading code

• Receiver, hopping between frequencies in synchronization with transmitter, picks up mes-

sage

• Advantages

– Eavesdroppers hear only unintelligible blips

6
 – Attempts to jam signal on one frequency succeed only at knocking out a few bits

• FHSS Performance Considerations

– Large number of frequencies used

– Results in a system that is quite resistant to jamming: Jammer must jam all frequencies;
with fixed power, this reduces the jamming power in any one

4.2 Direct Sequence Spread Spectrum (DSSS)

• Each bit in the original signal is represented by multiple bits in the transmitted signal

• Spreading code spreads signal across a wider frequency band

• Spread is in direct proportion to number of bits used

• One technique combines digital information stream with the spreading code bit stream using
exclusive-OR

7
 • The bandwidth is spread by means of a PN code independent of the data.

• Categories of spread sequences:

– PN sequences
– Orthogonal codes

5 PN Sequences
• PN generator produces periodic sequence that appears to be random

• PN Sequences are generated by an algorithm using initial seed. So the sequence is not
statistically random but will pass many test of randomness. Unless algorithm and seed are
known, the sequence is impractical to predict

5.1 Important PN Properties

• Randomness

8
 – Uniform distribution:
* Balance property
– Run property
– Independence
– Correlation property

• Unpredictability

5.2 Period of a Sequence

• For a given LFSR with n registers. Because the register has a finite number of possible
states, it must eventually enter a repeating cycle – called period of the sequence.
• The period is longest when the feedback polynomial is primitive
The period is 2n − 1.
The sequence is called an m-sequence.

5.3 Properties of M -Sequences

• Property 1:

– Has 2n−1 ones and 2n−1 − 1 zeros

• Property 2:

– For a window of length n slid along output for N (= 2n−1 ) shifts, each n-tuple appears
once, except for the all zeros sequence

• Property 3:

– Sequence contains one run of ones, length n

– One run of zeros, length n − 1
– One run of ones and one run of zeros, length n − 2
– Two runs of ones and two runs of zeros, length n − 3
– 2n−3 runs of ones and 2n−3 runs of zeros, length 1

• Property 4: The periodic autocorrelation of (a0 , a1 , · · · , av−1 is equal to

v−1
(
X v i = 0 mod v
C(τ ) = =
i=0
−1 otherwise.
where v is the period

9
6 CDMA - Network Security
• The security protocols with CDMA-IS-41 networks are among the best in the industry.

• By design, CDMA technology makes eavesdropping very difficult.

• Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence called “Long
Code” to scramble voice and data.

– On the forward link (network to mobile), data is scrambled at a rate of 19.2 Kilo sym-
bols per second (Ksps)
– On the reverse link, data is scrambled at a rate of 1.2288 Mega chips per second (Mcps).

• CDMA network security protocols rely on a 64-bit Authentication Key (A-Key) and the
Electronic Serial Number (ESN) of the mobile.

– The A-Key is programmed into the mobile and is stored in the Authentication Center
(AC) of the network.

• A random binary number called RAND Shared Secret Data (SSD), which is generated in the
Home Location Register (HLR)/AC, also plays a role in the authentication procedures.

• In addition to authentication, the A-Key is used to generate the sub-keys for voice privacy
and message encryption.

• CDMA uses the standardized Cellular Authentication and Voice Encryption (CAVE) algo-
rithm to generate a 128-bit sub-key called the “Shared Secret Data” (SSD).

• The A-Key, the ESN and the network HLR supplied RANDSSD are the inputs to the CAVE
that generates SSD. The SSD has two parts:

– SSD A (64 bit), for creating authentication signatures.

– SSD B (64 bit), for generating keys to encrypt voice and signaling messages.

• The SSD can be shared with roaming service providers to allow local authentication.

• A fresh SSD can be generated when a mobile returns to the home network or roams to a
different system.

10
6.1 CDMA - A-Key
• A-Keys may be programmed by one of the following:

– The factory
– The dealer at the point of sale
– Subscribers via telephone
– OTASP (over the air service provisioning) transactions utilize a 512-bit Diffie-Hellman
key agreement algorithm.

• The A-Key in the mobile can be changed via OTASP, providing an easy way to quickly cut
off service to a cloned mobile or initiate new services to a legitimate subscriber.

• Security of the A-Key is the most important component of CDMA system.

7 CDMA - Authentication
• In CDMA networks, the mobile uses the SSD A and the broadcast RAND as inputs to the
CAVE algorithm to generate an 18-bit authentication signature (AUTH SIGNATURE), and
sends it to the base station.

• This signature is then used by the base station to verify that the subscriber is legitimate.

• Both Global Challenge (where all mobiles are challenged with same random number), and
Unique Challenge (where a specific RAND is used for each requesting mobile) procedures
are available to the operators for authentication.

• The Global Challenge method allows very rapid authentication.

• Both the mobile and the network track the Call History Count (a 6-bit counter).

• This provides a way to detect cloning, as the operator gets alerted if there is a mismatch.

• The A-Key is re-programmable, but both the mobile and the network Authentication Center
must be updated.

7.1 CDMA - Privacy Issues

• The mobile uses the SSD B, and the CAVE algorithm to generate:

– a Private Long Code Mask (derived from an intermediate value called Voice Privacy
Mask, which was used in legacy TDMA systems),
– a Cellular Message Encryption Algorithm (CMEA) key (64 bits), and

11
 – a Data Key (32 bits).

• The Private Long Code Mask is utilized in both the mobile and the network to change the
characteristics of a Long code.
• This modified Long code is used for voice scrambling, which adds an extra level of privacy
over the CDMA air interface.
• The Private Long Code Mask doesn’t encrypt information, it simply replaces the well-known
value used in the encoding of a CDMA signal with a private value known only to both the
mobile and the network.
• It is therefore difficult to eavesdrop on conversations without knowing the Private Long Code
Mask.
• Additionally, the mobile and the network use the CMEA key with the Enhanced CMEA
(ECMEA) algorithm to encrypt signaling messages sent over the air and to decrypt the in-
formation received.
• A separate data key, and an encryption algorithm called ORYX, are used by the mobile and
the network to encrypt and decrypt data traffic on the CDMA channels.
• By design, all CDMA phones use a unique PN (Pseudo-random Noise) code for spreading
the signal, which makes it difficult for the signal to be intercepted.

HLR/AC
Mobile Radio Interface MSC
RAND SSD
Generator
RAND SSD
A-Key A-Key ESN
ESN
Broadcast
RANG CAVE
CAVE Generator
SSD_B SSD_A SSD_A SSD_B
Broadcast RAND
CAVE CAVE ?
CAVE CAVE
PLCM 18 bit Signature Check PLCM
Long Code For Authentication Long Code

Voice Voice
Scrambled Voice
Data Key Data Key

Data ORYX ORYX Data

CMEA Key Encrypted Data CMEA Key
Signaling E-CMEA E-CMEA Signaling
Encrypted Signaling
messages

12
8 Anonymity
• CDMA systems support the assignment of a Temporary Mobile Station Identifier (TMSI) to
a mobile to represent communications to and from a certain mobile in over the air transmis-
sions.

• This feature makes it more difficult to correlate a mobile user’s transmission to a mobile
user.

9 3G CDMA 2000 Security

• Third Generation technologies add more security protocols, including the use of 128-bit
privacy and authentication keys.

• For CDMA2000 networks, new algorithms such as Secure Hashing Algorithm-1 (SHA-1)
are being used for hashing and integrity, and the Advanced Encryption Standard, AES (Ri-
jndael) algorithm for message encryption.

• The AKA (Authentication and Key Agreement) protocol will be used for all releases follow-
ing CDMA2000 Release C.

• The AKA protocol will also be used in WCDMA-MAP networks, along with the Kasumi
algorithm for encryption and message integrity.

10 LTE Security
• LTE – Long Term Evolution

– Evolutionary step from GSM to UMTS

• 4th generation cellular technology standard from the 3rd Generation Partnership Project
(3GPP)

• Deployed worldwide and installations are rapidly increasing

• LTE is completely packet-switched

• Technology to provide increased data rates

10.1 Cybersecurity Research Objectives

• Led by the Information Technology Laboratory’s Computer Security Division with support
from Software and System Division and Information Access Division

13
 • Kicked off at the PSCR stakeholder meeting in June 2013

• LTE architecture, standards, and security (NISTIR)

• Identity management for public safety (NISTIR 8014)

• Mobile application security for public safety

• Enabling cybersecurity features in the PSCR demonstration network

• Mapping public safety communication network requirements to standard cybersecurity con-

trols and frameworks (NISTIR)

• Usable cybersecurity for public safety

10.2 LTE Security Architecture

• LTE’s security architecture is defined by 3GPP’s TS 33.401

• There are many, many, many references to other standards within

• Key security services:

– Authentication: verified the UE’s identity by challenging the UT use the keys and report
a result
– Integrity: Signaling message receiver verifies the received message using an integrity
checksum
– Encryption: The sender encrypts the data using a secret key shared with the receiver to
prevent eavesdropping

11 GSM Security
GSM provides three distinct security services. These are:

• subscriber identity authentication

• subscriber identity confidentiality

• user and signaling data confidentiality

– physical connections user data confidentiality

– connectionless user data confidentiality
– signaling information confidentiality

14
 Mobile Stations Base Station Network Subscriber and
Subsystem Management terminal equipment
databases

OMC
BTS
Exchange
System

VLR
BTS BSC MSC
HLR AUC

BTS EIR

A5 Encryption

11.1 GSM Algorithms

A3 - Authentication Algorithm The goal is the generation of SRES (signed response) to MSC’s
random challenge RAND

RAND (128 bit)

Ki (128 bit) A3

SRES (32 bit)

A8 – Voice Privacy Key Generation Algorithm The goal is to generate the session key Kc . The
A8 specification was never made public.

15
 RAND (128 bit)

Ki (128 bit) A8

KC (64 bit)

Logic Implementation of A3 and A8 Both A3 and A8 algorithms are implemented on the SIM.
The operator can decide, which algorithm to use. The algorithms implementation is independent
of hardware manufacturers and network operators.
The keyed hash function COMP128 is used for both A3 and A8 in most GSM networks.
RAND (128 bit)

Ki (128 bit) COMP128

128 bit output

SRES 32 bit and Kc 64 bit

A5 – Encryption Algorithm A5 is a stream cipher. The A5 design was never made public. A5
has three variants

• A5/1 - the strong version

• A5/2 - the weak version

• A5/3 - GSM Association Security Group and 3GPP design. It is based on Kasumi algorithm
used in 3G mobile systems

16
 Logic A5 implementation
Mobile Station BTS

Fn (22 bit) Kc (64 bit) Fn (22 bit) Kc (64 bit)

A5 A5

114 bit 114 bit

Data (114 bit) Ciphertext (114 bit) Data (114 bit)
XOR XOR

Real A5 output is 228 bit for both directions

11.2 Subscriber Itentity Authentication

Subscriber identity authentication service is the heart of the GSM security system. It enables the
fixed network to authenticate the identity of mobile subscribers (MSs), and to establish and manage
the encryption keys needed to provide the confidentiality services.
The service must be supported by all networks and mobiles, although the frequency of appli-
cation is at discretion of the network.
Authentication is initiated by the fixed network, and is based upon a simple challenge-response
protocol. When a MS attempts to access the system, the network issues it a random challenge
RAND. The MS computes a signed response SRES to RAND using a one-way function A3 under
control of a subscriber authentication key Ki . The key Ki is unique to the subscriber, and is shared
only between the subscriber and an authentication center (AuC).
The value SRES computed by the MS is signaled to the network, where it is compared with
a pre-computed value. If the two values of SRES agree, the call is allowed to proceed; otherwise
access is denied. The same mechanism is also used to establish a cipher key Kc for encrypting
user and signaling data. The key is computed by the MS using a one-way function A8, controlled
by Ki , and is pre-computed for the network by the AuC.
At the end of a successful authentication exchange, both parties possess a fresh cipher key
Kc . The pre-computed triples (RAND, SRES, Kc ), held by the fixed networks for a particular
subscriber, are passed from the home network’s AuC to visited networks upon demand. The AuC
never sends the same triple to two distinct networks, and a network never reuses a challenge.

SIM Anatomy SIM is a smart card, which is a single chip computer containing OS, File System,
Applications. It can protected by a PIN. The smart card is owned by operator (i.e. trusted) and the
SIM applications can be written with SIM Toolkit.

17
11.3 Subscriber Identity Confidentiality
This service allows MSs to originate calls, update their location, etc, without revealing their Inter-
national Mobile Subscriber Identity (IMSI) to an eavesdropper on the radio path.
It thus prevents location tracing of individual MSs by listening to the signaling exchanges on
the radio path.
All mobiles and networks must be capable of supporting the service, but its use is not manda-
tory.
It is necessary to ensure that the IMSI, or any information which allows an eavesdropper to
derive the IMSI, does not normally be transmitted in clear in any signaling message on the radio
path.
The mechanism used to provide this service is based on the use of a temporary mobile sub-
scriber identity (TMSI), which is securely updated after each successful access to the system.
In principle, the IMSI needs only be transmitted in clear over the radio path at registration.
Mobile Station Radio Link GSM Operator

Challenge RAND
SIM
Ki Ki
A3 Authentication A3
Signed response (SRES)
SRES SRES
Authentication: are SRES values equal?
A8 A8
Key generation
Fn Kc Kc Fn

mi mi
A5 Encrypted Data A5

18
11.4 User and Signaling Data Confidentiality
Confidentiality service consists of three elements:

• physical connections user data confidentiality: provides privacy for all user generated
data, both voice and non-voice, transferred over the radio path on traffic channels.

• connectionless user data confidentiality: provides privacy for user data transferred in
packet mode over the radio path on a dedicated signaling channel.

• signaling information confidentiality: provides privacy for certain user related signaling
elements transferred over the radio path on dedicated signaling channels.

All of these service are provided using the same encryption mechanism, and must be supported
and used by all networks and mobiles.
Encryption is achieved by a stream cipher A5 which produces a key stream with a cipher key
Kc .
This key stream is then bitwise xored with the data transferred over the radio path between the
MS and the base station (BS).
The cipher key is established at the MS as part of the authentication procedure, and is trans-
ferred through the fixed network to the BS after the MS has been identified.
It is essential that the MS and BS synchronize the starting of their cipher algorithms.
When the network intends to issue an authentication challenge, the BS starts deciphering all
data immediately after the MS has been identified using the cipher key Kc , derived upon receipt of
the challenge RAND.
MS starts ciphering and deciphering the moment it has computed Kc (and SRES) from RAND,
and before SRES is transmitted.
On the BS side, enciphering starts as soon as SRES has been received, deciphered and found
to be correct.
To cope with possible transmission loss or errors, the authentication request/response message
are repeated under the control of timers.

11.5 Security Attacks

• Attack against A5

• Accessing the Signaling Network

• Retrieving the Key from the SIM

• Radio-link interception attacks

• Operator network attacks: GSM does not protect an operator’s network

19