Wireless Security

This paper discusses the various aspects of wireless security on a GSM network. The elements discussed are intended to give the reader an understanding of security from the mobile handset to the network. Wireless data on GSM, GPRS, is also discussed and explained, and the theory of security is discussed throughout.

Security is essential to the integrity of a network. The designers of the GSM standards gave this much thought and have designed the most secure wireless network in the world. Through identity security, authentication, signaling protection, and data protection, the GSM and GPRS networks of today provide a secure transport on which to conduct daily and critical business.

Why Should You Care about Wireless Security?

The casual user of a network would not particularly care about the security of any network. The casual user just wants to make a call or connect to the network and have everything work. But how nervous would that casual user be if he found out his personal information was being broadcast to literally square miles of people? This is why security on the wireless network is important.

The technical details of security are of vital importance to any entity that is concerned with the integrity of its network. The network administrator must be able to competently explain and diagnose the security of the network, and must understand that the data coming into his network is secure. Likewise, the CFO of a large investment firm must feel secure in the knowledge that the phone calls being made regarding her company are not being heard by anyone else. Also, consider the Department of Defense making phone calls and data connections on a network. The link must be secure to ensure national security.
The body of this paper attempts to educate the reader on how security of the airlink is implemented and exactly what happens when the user presses send on the phone or connects with the wireless data modem.

1. GSM Voice and Circuit Switched Data Security

The objective of security for a GSM network is to make the system as secure as the public switched telephone network. The use of radio as the transmission medium makes wireless networks more susceptible to various threats:

- Subscriber identity fraud. This is where a modified handset, or other piece of equipment, is used to impersonate a given subscriber on the network.
- Eavesdropping. This is where the content of the call, or connection, is intercepted by an unauthorized person.

a. Subscriber Identity Confidentiality

This is the function that prevents an intruder from identifying which subscriber is using a given radio resource by eavesdropping on signaling channels. It also protects against an intruder discovering a user’s location based on intercepted signaling. To obtain the required level of protection, it is necessary that:

- a protected identifying method be used instead of the IMSI (International Mobile Subscriber Identity) on the radio path;
- the IMSI is not normally used as an addressing means on the radio path; and
- when the signaling procedures permit it, signaling information elements that convey information about the mobile subscriber identity be ciphered for transmission on the radio path.

A mobile subscriber's identity on the network consists of a TMSI (Temporary Mobile Subscriber Identity). The mobile subscriber's location consists of an LAI (Location Area Identification). These two identifiers must accompany each other in order for either to be valid in the network. The VLR (Visitor Location Register) tracks the pairing of the TMSI/LAI combination with the subscriber's IMSI. As a subscriber passes from one Location Area to another, a new TMSI and LAI are assigned to the subscriber.
This new allocation is then recorded in the VLR, and transmitted to the MS (Mobile Station) in ciphered mode.

b. Subscriber Identity Authentication

Subscriber Identity Authentication is used to verify the identity of the subscriber to the network. The process consists of the following steps:

1. The network transmits a non-predictable 128 bit number (RAND) to the MS.
2. The MS computes the signature of the RAND (SRES) using algorithm A3 and the Individual Subscriber Authentication Key, denoted by Ki.
3. The MS transmits the signature SRES to the network.
4. The network tests SRES for validity.

[Figure 3.1: The authentication procedure. Columns: MS, Radio path, Network side. NOTE: IMSI is used to retrieve Ki in the network.]

The authentication procedure is also used to set the ciphering key, Kc. For this reason, this procedure is performed after the subscriber identity is verified by the network and before the channel is encrypted.

The Individual Subscriber Authentication Key (Ki) is allocated, along with the IMSI, at subscription time. Ki is stored in an Authentication Center (AuC) on the network side, and in the Subscriber Identity Module (SIM) on the Mobile Station side. The IMSI is stored in the Home Location Register (HLR) and on the SIM in the Mobile Station.

c. Traffic Confidentiality

The confidentiality of user information on the network only pertains to the information transmitted on a traffic channel between the MS and the Base Station System (BSS). It is not an end-to-end confidentiality service. There are 4 steps to setting up a secure traffic channel for user information:

1. The ciphering method;
2. The key setting;
3. The starting of the enciphering and deciphering process;
4. The synchronization.

1. The data transmitted on a Dedicated Control Channel (DCCH) or Traffic Channel (TCH) is ciphered by a bit per bit or stream cipher. The ciphering stream is generated by algorithm A5 using a Ciphering Key (Kc).
Deciphering is performed by the exact same method.

2. Key setting is the procedure that allows the Mobile Station and the network to agree on the Ciphering Key (Kc) to use in the ciphering and deciphering algorithms A5. This must occur on a Dedicated Control Channel (DCCH) that has not been encrypted and as soon as the identity of the mobile subscriber (TMSI) is verified by the network. Kc is derived by the Mobile Station from RAND by using algorithm A8 and the Individual Subscriber Authentication Key Ki. The Kc is stored on the Mobile Station until it is updated at the next authentication request.

[Figure 4.1: Key setting. Columns: MS, Radio path, Network side.]

3. The Mobile Station and the BSS must co-ordinate the initiation of the enciphering and deciphering processes on the Dedicated Control Channel (DCCH) and/or the Traffic Channel (TCH). The transition from clear text mode to ciphered mode proceeds as follows: deciphering starts in the BSS, which sends in clear text to the Mobile Station a specific message we will call “Start cipher”. Both the enciphering and deciphering start on the Mobile Station after the message “Start cipher” has been received by the Mobile Station. Enciphering on the BSS side starts when a frame or message from the Mobile Station has been correctly deciphered by the BSS.

[Figure 4.2: Starting of the enciphering and deciphering processes. Columns: MS, Radio path, Network side.]

4. A maximum of 7 versions of the A5 algorithm will be defined for use by GSM carriers. When a Mobile Station wishes to establish a connection with the network, the MS shall indicate to the network which of the 7 versions of the A5 algorithm it supports. The network may not provide service to an MS which indicates that it does not support the ciphering algorithm(s) required.
The network shall compare its ciphering capabilities and preferences, and any special requirements of the subscription of the MS, with those indicated by the MS and act according to the following rules:

1. If the MS and the network have no versions of the A5 algorithm in common and the network is not prepared to use an unciphered connection, then the connection shall be refused.
2. If the MS and the network have at least one version of the A5 algorithm in common, then the network shall select one of the mutually acceptable versions of the A5 algorithm for use on that connection.
3. If the MS and the network have no versions of the A5 algorithm in common and the network is willing to use an unciphered connection, then an unciphered connection shall be used.

GPRS Security

The technical security offered by GPRS is very similar to that offered by GSM. As with GSM, identity security, authentication, signaling protection, and data protection are provided. In addition, the GPRS backbone is secured.

[Figure: GPRS authentication and key setting between the MS, the SGSN and the HLR/AUC, steps (1) to (7).]

1. The mobile station sends an authentication request to the network.
2. This arrives at the SGSN and is sent on to the Home Location Register (HLR) and Authentication Center (AuC). Triplets are generated which consist of a Random Number (RAND), a Signed Response (SRES) and an encryption key GPRS-Kc. The first two are used in a challenge and response to authenticate the smart card in the mobile station. The key GPRS-Kc is used to encrypt all the data between the MS and the SGSN. GPRS-Kc and SRES are calculated from RAND using the authentication algorithm A3/8.
3. The triplets are sent to the SGSN.
4. The SGSN sends RAND to the MS. The MS (and SIM) then uses the same authentication algorithm, A3/8, to calculate SRES and GPRS-Kc.
5. SRES is sent back to the SGSN, which compares the SRES returned to it and the SRES in the authentication triplets.
6. If they are identical, then the MS must have the correct authentication algorithm A3/8 and Ki, and therefore is judged to be genuine.
7. Both the MS and the SGSN also have GPRS-Kc, and both use this key to encipher the session between the MS and the SGSN.

User Data and Signaling Protection

The GPRS-Kc generated in the authentication process (by A3/8) is used for encryption. After successful authentication, both the SGSN and the MS have the same Kc and encryption can thus be started immediately. The Kc and the present frame number are used to generate a 114-bit enciphering sequence (A5; the A5 is a new enhanced algorithm which is not public), which is added to each burst of transmission, so that the burst is securely enciphered.

Identity Confidentiality

The objective of identity confidentiality is to provide privacy to the subscriber, protecting the identity of the person from being learned from their radio signal and connection to the SGSN. A temporary identity known as the TLLI (Temporary Logical Link Identifier) is used. The TLLI is accompanied by a RAI (Routing Area Identity). The relationship between the TLLI and IMSI is held in a database within the SGSN.

Identity Authentication

Authentication is performed within the SGSN. Random numbers and Signed Responses are obtained from the HLR/AUC and stored within the SGSN. The RAND and SRES are compared by the SGSN to decide if the SIM to be identified has the correct authentication algorithm for A3 and the correct Ki.

User and signaling data confidentiality

As in GSM, function A3/8 is used to derive the user data and signaling key, a 64 bit key called GPRS-Kc. The algorithms GEA1 and GEA2 are the two ETSI defined GPRS Encryption Algorithms approved for use. GEA1 is an enhanced version of the A5 algorithm used in GSM. GEA1/2 is used for the user data confidentiality.

End-to-End Security

GPRS itself is not an end-to-end secure solution.
GPRS is secure from the Mobile to the SGSN and the SGSN to the GGSN. The secure connection between the SGSN and the GGSN is an ETSI specified standard called GTP or GPRS Tunneling Protocol. The SGSN sets up a GTP tunnel to the GGSN once authentication has taken place. If a user wants to employ end-to-end security, that can be done by either implementing internet security protocols, like IPSec, or implementing Virtual Private Networks. These solutions are only as secure as the user dictates, which must be kept in mind while designing them.

Acronym List

A3        Authentication Algorithm
A5        Ciphering Algorithm
A8        Ciphering Key Computation
AUC       Authentication Center
BSS       Base Station System
CEIR      Central Equipment Identity Register
DCCH      Dedicated Control Channel
EIR       Equipment Identity Register
ETSI      European Telecommunications Standards Institute
GEA       GPRS Encryption Algorithm
GGSN      Gateway GPRS Support Node
GPRS      General Packet Radio Service
GPRS-Kc   GPRS Encryption Key
GSM       Global System for Mobile Communications
GTP       GPRS Tunneling Protocol
HLR       Home Location Register
IMEI      International Mobile Equipment Identifier
IMSI      International Mobile Subscriber Identity
IPSec     Internet Protocol Security
Kc        Ciphering key
Ki        Authentication Key
LAI       Location Area Identification
RAI       Routing Area Identity
SGSN      Serving GPRS Support Node
SRES      Signed RESponse
SIM       Subscriber Identity Module
TLLI      Temporary Link Level Identity
TMSI      Temporary Mobile System Identifier
VLR       Visitor Location Register

Appendix A

GSM/GPRS SECURITY – THE PARTS TO THE PUZZLE

IDENTIFIERS

IMSI = International Mobile Subscriber Identity
The IMSI is a permanent identifier assigned to the subscriber’s SIM card. It is stored in the MS (SIM), VLR, HLR, and SGSN.

TMSI = Temporary Mobile Subscriber Identity
The TMSI is a temporary identifier assigned to a subscriber while the MS is powered on and within network coverage. It is used to protect the subscriber’s identity while connected to the network.
It is stored with the LAI in the MS, VLR, and BSS/MSC.

P-TMSI = Packet - Temporary Mobile Subscriber Identity
The P-TMSI is a temporary identifier assigned to a subscriber while a GPRS provisioned MS is powered on and within GPRS coverage. It is used to protect the subscriber’s identity while connected to the network. It is stored with the RAI in the MS, VLR, and SGSN.

LA = Location Area, LAI = Location Area Identification
The LAI identifies a specific group of cells covered by one MSC. An MSC usually consists of several LAs. It is stored with the TMSI in the MS, VLR, and BSS/MSC.

RA = Routing Area, RAI = Routing Area Identity
The RAI identifies a specific group of cells covered by one SGSN. An SGSN usually consists of several RAs. It is stored with the P-TMSI in the MS, VLR, and SGSN.

TLLI = Temporary Logical Link Identity
The TLLI identifies the radio path of an MS that is attached to the GPRS network. It is stored with the RAI in the MS and SGSN.

SECURITY COMPONENTS

RAND = Non-predictable number
The RAND is a 128 bit random number generated by the network to be used in authentication and encryption schemes. It is stored with the SRES in the MS, AuC, VLR and HLR. The RAND is not stored in the SGSN, but is retrieved from the AuC or HLR when needed.

SRES = The Signature of RAND
The SRES is a 32 bit number that is the signature of the RAND derived by the network using the A3 algorithm and Ki. It is stored with the RAND in the MS, AuC, VLR and HLR. The SRES is not stored in the SGSN, but is retrieved from the AuC or HLR when needed.

A3 Algorithm = Authentication Algorithm
The A3 algorithm is used to authenticate a user on the network. The use of this algorithm is optional for the carrier. It uses Ki and RAND to generate an SRES on the MS and the network. If the SRESs are the same, the user is authenticated. The A3 resides in the MS (SIM) and the AuC.

Algorithm A8 = Ciphering Key Algorithm
The A8 algorithm is used to create the key Kc.
The use of the A8 algorithm is optional for the carrier. It uses RAND (or TMSI) and Ki to generate Kc for use in the ciphering and deciphering process. The A8 resides in the MS (SIM) and the AuC.

Algorithm A5 = Ciphering Algorithm
The A5 algorithm uses Kc to create a stream cipher of the data transmitted on the traffic and control channels. The A5 resides in the BSS.

Algorithm GPRS-A5 = GPRS Ciphering Algorithm
The GPRS-A5 algorithm uses GPRS-Kc to create a stream cipher of the data transmitted on the traffic and control channels. The GPRS-A5 resides in the SGSN.

Ki = Individual Subscriber Authentication Key
The Ki is allocated at subscription time. The Ki is a 128 bit number that is stored in the MS (SIM) and the AuC.

Kc = Ciphering Key
The Kc is a 64 bit number created simultaneously by the network and the MS to be used in the ciphering and deciphering process. The Kc is created using the RAND (or TMSI) and Ki. It is stored in the MS, VLR, HLR, and BSS/MSC.

GPRS-Kc = GPRS Ciphering Key
The GPRS-Kc is a 64 bit number created simultaneously by the network and the MS to be used in the ciphering and deciphering process. The GPRS-Kc is created using the RAND (or P-TMSI) and Ki. It is stored in the MS, VLR, HLR, and SGSN.

NETWORK COMPONENTS

PLMN = Public Land Mobile Network
The “network” is also known as the PLMN.

BSS/MSC = Base Station System/Mobile services Switching Center
The BSS/MSC stores algorithm A5, Kc, TMSI and LAI.

HLR = Home Location Register
The HLR is the warehouse for subscriber information for the given PLMN. It stores the Kc, GPRS-Kc, RAND and SRES and IMSI.

VLR = Visitor Location Register
Where the HLR stores information pertaining to all subscribers, the VLR stores information pertinent only to those subscribers currently using the network. Amongst the items stored here are the IMSI, TMSI, P-TMSI, LAI, RAI, RAND and SRES, Kc and GPRS-Kc.

AuC = Authentication Center
The AuC is the warehouse for keys and algorithms. The AuC is often part of the HLR.
It stores the Ki, RAND and SRES, A3 algorithm, and the A8 algorithm.

SGSN = Servicing GPRS Support Node
The SGSN handles all authentication and ciphering services for the GPRS network. It stores the TLLI, IMSI, P-TMSI, RAI, RAND and SRES, GPRS-Kc, GPRS-A5.

MS = Mobile Station, SIM = Subscriber Identity Module
The MS is also known as the terminal, handset, ME (mobile equipment), and phone. The MS permanently stores the algorithm A3, algorithm A5, algorithm A8, IMSI and Ki in the SIM. It receives from the network and stores the RAND, TMSI, P-TMSI, LAI, RAI and TLLI. It generates and stores the SRES, Kc and GPRS-Kc.
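
The following added example, which is not part of the original paper, ties together the authentication procedure (1.b), key setting (1.c, item 2) and the three A5 selection rules. Assumptions: HMAC-SHA256 truncated to 32 and 64 bits stands in for the operator's A3 and A8, A5 versions are plain integers, and all class names, function names and the sample IMSI and Ki are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _prf(ki, rand, label, nbytes):
    # Stand-in for the operator's A3/A8 (assumption): HMAC-SHA256, truncated.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]

def a3(ki, rand):
    return _prf(ki, rand, b"A3", 4)              # SRES, 32 bits

def a8(ki, rand):
    return _prf(ki, rand, b"A8", 8)              # Kc, 64 bits

class AuC:
    """Network side: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)
    def triplet(self, imsi):
        ki = self._ki[imsi]                      # IMSI is used to retrieve Ki
        rand = secrets.token_bytes(16)           # 128-bit non-predictable RAND
        return rand, a3(ki, rand), a8(ki, rand)

class SIM:
    """Mobile side: Ki stays on the card; only SRES is returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def respond(self, rand):
        self.kc = a8(self._ki, rand)             # key setting: store Kc
        return a3(self._ki, rand)

def select_a5(ms_versions, net_preference, allow_unciphered):
    """Apply the three A5 rules: a version, None (unciphered) or 'refuse'."""
    for version in net_preference:               # rule 2: first common version
        if version in ms_versions:
            return version
    return None if allow_unciphered else "refuse"  # rule 3, otherwise rule 1

def attach(auc, sim, ms_versions, net_preference, allow_unciphered=False):
    rand, expected, kc = auc.triplet(sim.imsi)
    sres = sim.respond(rand)                     # only RAND and SRES cross the radio path
    if not hmac.compare_digest(sres, expected):  # network tests SRES
        return {"authenticated": False, "cipher": "refuse", "keys_match": False}
    cipher = select_a5(ms_versions, net_preference, allow_unciphered)
    return {"authenticated": True, "cipher": cipher, "keys_match": sim.kc == kc}

# Constructed sample subscriber; the IMSI and Ki are made-up values.
IMSI = "001010123456789"
auc = AuC({IMSI: bytes(range(16))})
genuine = SIM(IMSI, bytes(range(16)))
clone = SIM(IMSI, bytes(16))                     # right IMSI, wrong Ki

if __name__ == "__main__":
    for sim, versions in ((genuine, {1, 3}), (clone, {1, 3}), (genuine, set())):
        print(attach(auc, sim, versions, [3, 1]))
```

With `allow_unciphered` left at its default of `False`, a handset that offers no common A5 version is refused rather than served in clear text, which is the policy choice behind rule 1 versus rule 3.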