Contents
1 Wireless Evolution
1.1 Early Stage
1.2 2G (Digital Cellular)
1.3 3G (IMT-2000)
1.4 4G-LTE
1.5 5G
4 Spread Spectrum
4.1 Frequency Hopping Spread Spectrum (FHSS)
4.2 Direct Sequence Spread Spectrum (DSSS)
5 PN Sequences
5.1 Important PN Properties
5.2 Period of a Sequence
5.3 Properties of M-Sequences
7 CDMA - Authentication
7.1 CDMA - Privacy Issues
8 Anonymity
10 LTE Security
10.1 Cybersecurity Research Objectives
10.2 LTE Security Architecture
11 GSM Security
11.1 GSM Algorithms
11.2 Subscriber Identity Authentication
11.3 Subscriber Identity Confidentiality
11.4 User and Signaling Data Confidentiality
11.5 Security Attacks
1 Wireless Evolution
1.1 Early Stage
• The first systems offering mobile telephone service (car phone) were introduced in the late
1940s in the United States and in the early 1950s in Europe.
• Those early single cell systems were severely constrained by restricted mobility, low capacity,
limited service, and poor speech quality.
• But the demands for fax, short message, and data transmissions are growing rapidly.
– GSM
– Digital AMPS (D-AMPS)
– Code Division Multiple Access (CDMA)
– Personal Digital Communication (PDC)
1.3 3G (IMT-2000)
• IMT-2000 is a single family of compatible standards that have the following characteristics:
– Used worldwide
– Used for all mobile applications
– Support both packet-switched (PS) and circuit-switched (CS) data transmission
– Offer high data rates up to 2 Mbps (depending on mobility/velocity)
– Offer high spectrum efficiency
• Three proposals:
1.4 4G-LTE
• 4G, or the current standard of cellular networks, was released in the late 2000s and is 500
times faster than 3G.
• The first-release Long Term Evolution (LTE) standard was commercially deployed in Oslo,
Norway, and Stockholm, Sweden in 2009, and has since been deployed throughout most
parts of the world.
• When a device is moving, the top speed can be 10s of Mbps, and when the device is stationary,
it can be 100s of Mbps.
1.5 5G
• Planned successor to the 4G networks
• Wireless messages move through the free-space environment on certain spectrum allocations,
which are scarce, heavily regulated, and often unattainable resources.
• Wireless devices are inherently less secure than their wired counterparts
• Wireless technology, by nature, violates the fundamental security principles. It does not
ensure identity of the user and the device (authentication), nor prevent the sender of the
message from denying he or she has sent it (non-repudiation)
• Wireless technology is hardly new, but its application space is immature and quite possibly
disruptive.
– Multiple access is the means by which the limited spectral resources are allocated to
users, all of whom are competing for these resources.
– Single channel, multiple users
– Frequency (FDMA)
– Time (TDMA)
– Code (CDMA)
• CDMA: Many signals share the same times and frequencies but independent codes
4 Spread Spectrum
• Spread spectrum is a type of modulation that scatters data transmissions across the available
frequency band in a pseudorandom pattern.
• Spreading the data across the frequency spectrum makes the signal resistant to noise,
interference, and snooping.
• Data input is fed into a channel encoder to produce an analog signal with narrow bandwidth
• The signal is further modulated using a spreading sequence, which spreads the spectrum
• On the receiving end, the same spreading sequence is used to demodulate the spread spectrum
signal
• Advantages
– Attempts to jam signal on one frequency succeed only at knocking out a few bits
• One technique combines digital information stream with the spreading code bit stream using
exclusive-OR
• The bandwidth is spread by means of a PN code independent of the data.
– PN sequences
– Orthogonal codes
5 PN Sequences
• PN generator produces periodic sequence that appears to be random
• PN sequences are generated by an algorithm using an initial seed, so the sequence is not
statistically random but will pass many tests of randomness. Unless the algorithm and seed are
known, the sequence is impractical to predict
– Uniform distribution:
* Balance property
– Run property
– Independence
– Correlation property
• Unpredictability
• Property 2:
– For a window of length $n$ slid along the output for $N$ ($= 2^n - 1$) shifts, each $n$-tuple
appears once, except for the all-zeros sequence
• Property 3:
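The PN properties listed above and the exclusive-OR spreading described under spread spectrum can be checked on a small m-sequence. This is an added example, not part of the original notes; the register length n = 5, the tap choice, the seed and the majority-vote despreader are assumptions made for the illustration.

```python
def lfsr_msequence(taps, seed):
    """One full period (2^n - 1 bits) of a Fibonacci LFSR.
    taps: 1-based stages XORed into the feedback; seed: non-zero start state."""
    state, n, out = list(seed), len(seed), []
    for _ in range(2**n - 1):
        out.append(state[-1])              # output is taken from the last stage
        fb = 0
        for t in taps:
            fb ^= state[t - 1]
        state = [fb] + state[:-1]          # shift, feed back into stage 1
    return out

def balance(seq):
    """Balance property: (number of ones, number of zeros) in one period."""
    return seq.count(1), seq.count(0)

def window_counts(seq, n):
    """Slide a length-n window cyclically over one period, count each n-tuple."""
    N, counts = len(seq), {}
    for i in range(N):
        w = tuple(seq[(i + j) % N] for j in range(n))
        counts[w] = counts.get(w, 0) + 1
    return counts

def autocorrelation(seq, shift):
    """Periodic autocorrelation with bits mapped 0 -> +1 and 1 -> -1."""
    N = len(seq)
    return sum((1 - 2 * seq[i]) * (1 - 2 * seq[(i + shift) % N]) for i in range(N))

def spread(data_bits, pn):
    """DSSS: XOR each data bit with one full period of the PN chip stream."""
    return [b ^ c for b in data_bits for c in pn]

def despread(chips, pn):
    """XOR with the same PN sequence, then majority-vote each block of chips."""
    N, bits = len(pn), []
    for k in range(0, len(chips), N):
        ones = sum(chips[k + i] ^ pn[i] for i in range(N))
        bits.append(1 if ones > N // 2 else 0)
    return bits

# Assumed parameters: n = 5, taps (5, 3) give the recurrence of x^5 + x^2 + 1,
# which is primitive, so the period is N = 2^5 - 1 = 31.
PN = lfsr_msequence(taps=(5, 3), seed=(1, 0, 0, 0, 0))

if __name__ == "__main__":
    print("period", len(PN), "ones/zeros", balance(PN))
    print("distinct 5-tuples", len(window_counts(PN, 5)))
    print("autocorrelation at shifts 0..3", [autocorrelation(PN, s) for s in range(4)])
```

A receiver that despreads with a different sequence or a wrong seed sees chip blocks that no longer vote cleanly, which is why the spreading sequence has to be shared between both ends.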
6 CDMA - Network Security
• The security protocols with CDMA-IS-41 networks are among the best in the industry.
• Unique to CDMA systems is the 42-bit PN (Pseudo-Random Noise) sequence called the “Long
Code”, which is used to scramble voice and data.
– On the forward link (network to mobile), data is scrambled at a rate of 19.2 Kilo symbols
per second (Ksps)
– On the reverse link, data is scrambled at a rate of 1.2288 Mega chips per second (Mcps).
• CDMA network security protocols rely on a 64-bit Authentication Key (A-Key) and the
Electronic Serial Number (ESN) of the mobile.
– The A-Key is programmed into the mobile and is stored in the Authentication Center
(AC) of the network.
• A random binary number called RAND Shared Secret Data (SSD), which is generated in the
Home Location Register (HLR)/AC, also plays a role in the authentication procedures.
• In addition to authentication, the A-Key is used to generate the sub-keys for voice privacy
and message encryption.
• CDMA uses the standardized Cellular Authentication and Voice Encryption (CAVE) algorithm
to generate a 128-bit sub-key called the “Shared Secret Data” (SSD).
• The A-Key, the ESN and the network HLR supplied RANDSSD are the inputs to the CAVE
that generates SSD. The SSD has two parts:
• The SSD can be shared with roaming service providers to allow local authentication.
• A fresh SSD can be generated when a mobile returns to the home network or roams to a
different system.
6.1 CDMA - A-Key
• A-Keys may be programmed by one of the following:
– The factory
– The dealer at the point of sale
– Subscribers via telephone
– OTASP (over the air service provisioning) transactions utilize a 512-bit Diffie-Hellman
key agreement algorithm.
• The A-Key in the mobile can be changed via OTASP, providing an easy way to quickly cut
off service to a cloned mobile or initiate new services to a legitimate subscriber.
7 CDMA - Authentication
• In CDMA networks, the mobile uses the SSD_A and the broadcast RAND as inputs to the
CAVE algorithm to generate an 18-bit authentication signature (AUTH_SIGNATURE), and
sends it to the base station.
• This signature is then used by the base station to verify that the subscriber is legitimate.
• Both Global Challenge (where all mobiles are challenged with the same random number) and
Unique Challenge (where a specific RAND is used for each requesting mobile) procedures
are available to the operators for authentication.
• Both the mobile and the network track the Call History Count (a 6-bit counter).
• This provides a way to detect cloning, as the operator gets alerted if there is a mismatch.
• The A-Key is re-programmable, but both the mobile and the network Authentication Center
must be updated.
– a Private Long Code Mask (derived from an intermediate value called Voice Privacy
Mask, which was used in legacy TDMA systems),
– a Cellular Message Encryption Algorithm (CMEA) key (64 bits), and
– a Data Key (32 bits).
• The Private Long Code Mask is utilized in both the mobile and the network to change the
characteristics of a Long code.
• This modified Long code is used for voice scrambling, which adds an extra level of privacy
over the CDMA air interface.
• The Private Long Code Mask doesn’t encrypt information; it simply replaces the well-known
value used in the encoding of a CDMA signal with a private value known only to both the
mobile and the network.
• It is therefore difficult to eavesdrop on conversations without knowing the Private Long Code
Mask.
• Additionally, the mobile and the network use the CMEA key with the Enhanced CMEA
(ECMEA) algorithm to encrypt signaling messages sent over the air and to decrypt the
information received.
• A separate data key, and an encryption algorithm called ORYX, are used by the mobile and
the network to encrypt and decrypt data traffic on the CDMA channels.
• By design, all CDMA phones use a unique PN (Pseudo-random Noise) code for spreading
the signal, which makes it difficult for the signal to be intercepted.
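The authentication steps described above (SSD derived from the A-Key, ESN and RANDSSD; an 18-bit signature over the broadcast RAND; the 6-bit Call History Count as a clone detector) can be modelled from the network side as follows. This is an added example, not part of the original notes: HMAC-SHA256 stands in for CAVE, the count-update model is a simplification, and all key and identifier values are constructed.

```python
import hashlib
import hmac

def cave_stand_in(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for CAVE here; it is NOT the real algorithm.
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_ssd(a_key: bytes, esn: bytes, randssd: bytes):
    """A-Key + ESN + RANDSSD -> 128-bit SSD, returned as (SSD_A, SSD_B)."""
    ssd = cave_stand_in(a_key, esn + randssd)[:16]
    return ssd[:8], ssd[8:]

def auth_signature(ssd_a: bytes, rand: bytes) -> int:
    """SSD_A + broadcast RAND -> 18-bit AUTH_SIGNATURE."""
    return int.from_bytes(cave_stand_in(ssd_a, rand)[:3], "big") >> 6

class Mobile:
    def __init__(self, a_key, esn, randssd):
        self.ssd_a, self.ssd_b = derive_ssd(a_key, esn, randssd)
        self.count = 0                      # Call History Count, 6 bits

    def access(self, rand):
        """What the mobile reports to the base station on access."""
        return auth_signature(self.ssd_a, rand), self.count

class AuthCenter:
    def __init__(self, a_key, esn, randssd):
        self.ssd_a, _ = derive_ssd(a_key, esn, randssd)
        self.count = 0

    def verify(self, rand, signature, count):
        if signature != auth_signature(self.ssd_a, rand):
            return "reject"                 # secret does not match
        if count != self.count:
            return "clone-alert"            # right secret, diverged call history
        return "ok"

    def update_count(self, mobile):
        """Assumed model: the network steps its count and orders the served mobile to follow."""
        self.count = (self.count + 1) % 64
        mobile.count = (mobile.count + 1) % 64

# Constructed sample values (not real subscriber data).
A_KEY, ESN = bytes.fromhex("0123456789abcdef"), bytes.fromhex("8001e240")
RANDSSD, RAND = bytes.fromhex("11223344556677"), bytes.fromhex("a1b2c3d4")
```

A second handset holding a copy of the same A-Key and ESN produces a valid signature, but its count falls behind as soon as the network has updated the legitimate handset, and that mismatch is what alerts the operator.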
[Figure: CDMA authentication and voice privacy across the mobile, the radio interface, the MSC and the HLR/AC. Labels: RAND SSD generator, A-Key, ESN, broadcast RAND generator, CAVE, SSD_A, SSD_B, 18-bit signature check for authentication, PLCM, long code, voice, scrambled voice, data key.]
8 Anonymity
• CDMA systems support the assignment of a Temporary Mobile Station Identifier (TMSI) to
a mobile to represent communications to and from a certain mobile in over-the-air
transmissions.
• This feature makes it more difficult to correlate a mobile user’s transmission to a mobile
user.
• For CDMA2000 networks, new algorithms such as Secure Hashing Algorithm-1 (SHA-1)
are being used for hashing and integrity, and the Advanced Encryption Standard, AES
(Rijndael) algorithm for message encryption.
• The AKA (Authentication and Key Agreement) protocol will be used for all releases
following CDMA2000 Release C.
• The AKA protocol will also be used in WCDMA-MAP networks, along with the Kasumi
algorithm for encryption and message integrity.
10 LTE Security
• LTE – Long Term Evolution
• 4th generation cellular technology standard from the 3rd Generation Partnership Project
(3GPP)
• Kicked off at the PSCR stakeholder meeting in June 2013
– Authentication: verifies the UE’s identity by challenging the UE to use the keys and report
a result
– Integrity: Signaling message receiver verifies the received message using an integrity
checksum
– Encryption: The sender encrypts the data using a secret key shared with the receiver to
prevent eavesdropping
11 GSM Security
GSM provides three distinct security services. These are:
[Figure: GSM network architecture: mobile stations; base station subsystem (BTS, BSC); network management (OMC); exchange system (MSC, VLR); subscriber and terminal equipment databases (HLR, AUC, EIR).]
A5 Encryption
[Figure: A3, with Ki (128 bit) as input.]
A8 – Voice Privacy Key Generation Algorithm. The goal is to generate the session key Kc. The
A8 specification was never made public.
[Figure: A8 takes RAND (128 bit) and Ki (128 bit) as inputs and outputs Kc (64 bit).]
Logic Implementation of A3 and A8. Both A3 and A8 algorithms are implemented on the SIM.
The operator can decide which algorithm to use. The implementation of the algorithms is
independent of hardware manufacturers and network operators.
The keyed hash function COMP128 is used for both A3 and A8 in most GSM networks.
A5 – Encryption Algorithm. A5 is a stream cipher. The A5 design was never made public. A5
has three variants:
• A5/3 - GSM Association Security Group and 3GPP design. It is based on the Kasumi algorithm
used in 3G mobile systems
[Figure: Logic A5 implementation, with A5 running at both the mobile station and the BTS.]
SIM Anatomy. The SIM is a smart card, which is a single-chip computer containing an OS, a file
system, and applications. It can be protected by a PIN. The smart card is owned by the operator
(i.e. trusted) and the SIM applications can be written with the SIM Toolkit.
11.3 Subscriber Identity Confidentiality
This service allows MSs to originate calls, update their location, etc., without revealing their
International Mobile Subscriber Identity (IMSI) to an eavesdropper on the radio path.
It thus prevents location tracing of individual MSs by listening to the signaling exchanges on
the radio path.
All mobiles and networks must be capable of supporting the service, but its use is not
mandatory.
It is necessary to ensure that the IMSI, or any information which allows an eavesdropper to
derive the IMSI, is not normally transmitted in clear in any signaling message on the radio
path.
The mechanism used to provide this service is based on the use of a temporary mobile
subscriber identity (TMSI), which is securely updated after each successful access to the system.
In principle, the IMSI needs only be transmitted in clear over the radio path at registration.
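[Figure: GSM authentication and encryption between the mobile station (SIM) and the GSM operator over the radio link. The operator sends the challenge RAND; both sides run A3 over Ki to produce the signed response (SRES), and authentication checks whether the SRES values are equal; both sides run A8 for key generation, giving Kc; A5 takes Kc and Fn on each side and carries mi as encrypted data.]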
11.4 User and Signaling Data Confidentiality
Confidentiality service consists of three elements:
• physical connections user data confidentiality: provides privacy for all user generated
data, both voice and non-voice, transferred over the radio path on traffic channels.
• connectionless user data confidentiality: provides privacy for user data transferred in
packet mode over the radio path on a dedicated signaling channel.
• signaling information confidentiality: provides privacy for certain user related signaling
elements transferred over the radio path on dedicated signaling channels.
All of these services are provided using the same encryption mechanism, and must be supported
and used by all networks and mobiles.
Encryption is achieved by a stream cipher A5 which produces a key stream with a cipher key
Kc.
This key stream is then bitwise XORed with the data transferred over the radio path between the
MS and the base station (BS).
The cipher key is established at the MS as part of the authentication procedure, and is
transferred through the fixed network to the BS after the MS has been identified.
It is essential that the MS and BS synchronize the starting of their cipher algorithms.
When the network intends to issue an authentication challenge, the BS starts deciphering all
data immediately after the MS has been identified using the cipher key Kc, derived upon receipt of
the challenge RAND.
MS starts ciphering and deciphering the moment it has computed Kc (and SRES) from RAND,
and before SRES is transmitted.
On the BS side, enciphering starts as soon as SRES has been received, deciphered and found
to be correct.
To cope with possible transmission loss or errors, the authentication request/response messages
are repeated under the control of timers.
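The GSM challenge-response and ciphering flow described in this section, with both sides' computations, is sketched below. This is an added example, not part of the original notes: HMAC-SHA256 and a SHA-256 keystream stand in for A3, A8 and A5 (they are not COMP128 or any real A5 variant), the 32-bit SRES length is the standard GSM value rather than a figure from these notes, and the class names, IMSI string and keys are constructed.

```python
import hashlib
import hmac
import os

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: (Ki, RAND) -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: (Ki, RAND) -> 64-bit session key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc: bytes, fn: int, data: bytes) -> bytes:
    """Stand-in for A5: keystream from (Kc, frame number Fn), XORed with the data."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + fn.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Sim:
    def __init__(self, ki: bytes):
        self._ki = ki                       # Ki never leaves the card

    def respond(self, rand: bytes):
        """Run A3 and A8 on the card: returns (SRES, Kc)."""
        return a3(self._ki, rand), a8(self._ki, rand)

class Network:
    def __init__(self, auc: dict):
        self._auc = auc                     # IMSI -> Ki, held by the operator

    def triplet(self, imsi: str):
        rand = os.urandom(16)               # 128-bit challenge
        ki = self._auc[imsi]
        return rand, a3(ki, rand), a8(ki, rand)

def session(network, imsi, sim, fn, plaintext):
    """Returns what the BS deciphers, or None if authentication fails."""
    rand, expected_sres, kc_bs = network.triplet(imsi)   # only RAND goes over the air
    sres, kc_ms = sim.respond(rand)                      # only SRES comes back
    if not hmac.compare_digest(expected_sres, sres):
        return None
    ciphertext = a5(kc_ms, fn, plaintext)                # MS enciphers with its Kc
    return a5(kc_bs, fn, ciphertext)                     # BS deciphers with its Kc

# Constructed sample values (not real subscriber data).
IMSI, KI = "imsi-constructed-0001", bytes.fromhex("00112233445566778899aabbccddeeff")
```

Because the keystream depends on both Kc and the frame number, the two ends recover the data only when they start ciphering in step, which is the synchronization requirement stated above.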