Wireless Security



This paper discusses the various aspects of wireless security on a GSM network,
to give the reader an understanding of security from the mobile handset to the
network. Wireless data on GSM (GPRS) is also discussed and explained, and the
theory of security is discussed throughout.

Security is essential to the integrity of a network. The designers of the GSM
standards gave this much thought and have designed the most secure wireless
network in the world. Through identity security, authentication, signaling
protection, and data protection, the GSM and GPRS networks of today provide a
secure transport to conduct daily and critical business on.

Why Should You Care about Wireless Security?

The casual user of a network would not particularly care about the security of any
network. The casual user just wants to make a call or connect to the network
and everything works. But how nervous would that casual user be if he found out
his personal information was being broadcast to literally square miles of people?
This is why the security on the wireless network is important.

The technical details of security are of vital importance to any entity that is
concerned with the integrity of their network. The network administrator must be
able to competently explain and diagnose the security of the network. The
network administrator must understand that the data coming into his network is
secure. Likewise, the CFO of a large investment firm must feel secure in the
knowledge that the phone calls being made regarding her company are not being
heard by anyone else. Also, consider the Department of Defense making phone
calls and data connections on a network. The link must be secure to ensure
national security. The body of this paper attempts to educate the reader on how
security of the airlink is implemented and exactly what happens when the user
presses send on the phone or connect with the wireless data modem.

1. GSM Voice and Circuit Switched Data Security
  The objective of security for a GSM network is to make the system as
  secure as the public switched telephone network. The use of radio as the
  transmission medium makes wireless networks more susceptible to
  various threats:
  -      Subscriber identity fraud. This is where a modified handset, or
  other piece of equipment, is used to impersonate a given subscriber on
  the network.
  -      Eavesdropping. This is where content of the call, or connection, is
  intercepted by an unauthorized person.

     a. Subscriber Identity Confidentiality

        This is the function that prevents an intruder from identifying which
        subscriber is using a given radio resource by eavesdropping on
        signaling channels. It also protects against an intruder discovering
        a user’s location based on intercepted signaling.

        To obtain the required level of protection, it is necessary that:
           - a protected identifying method be used instead of the IMSI
              (International Mobile Subscriber Identity) on the radio path;
              and
           - the IMSI is not normally used as an addressing means on
              the radio path;
           - when the signaling procedures permit it, signaling
              information elements that convey information about the
              mobile subscriber identity must be ciphered for transmission
              on the radio path.

        A mobile subscriber's identity on the network consists of a TMSI
        (Temporary Mobile Subscriber Identity). The mobile subscriber's
        location consists of a LAI (Location Area Identification). These two
        identifiers must accompany each other in order for either to be valid
        in the network. The VLR (Visitor Location Register) tracks the
        pairing of the TMSI/LAI combination with the subscriber's IMSI. As a
        subscriber passes from one Location Area to another, a new TMSI
        and LAI are assigned to the subscriber. This new allocation is then
        recorded in the VLR, and transmitted to the MS (Mobile Station) in
        ciphered mode.

b. Subscriber Identity Authentication

   Subscriber Identity Authentication is used to verify the identity of
   the subscriber to the network. This process follows the following
   steps:
   1. The network transmits a non-predictable 128 bit number
      (RAND) to the MS.
   2. The MS computes the signature of the RAND (SRES) using
      algorithm A3 and the Individual Subscriber Authentication Key,
      denoted by Ki.
   3. The MS transmits the signature SRES to the network.
   4. The network tests SRES for validity.

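   [Figure 3.1: The authentication procedure. Columns: MS, Radio path,
   Network side. RAND is sent from the network to the MS (1); the MS feeds
   Ki and RAND into A3 to produce SRES (2) and sends SRES to the network (3);
   the network feeds Ki and RAND into A3 and compares the result with the
   received SRES (4), giving yes/no.]

   NOTE: IMSI is used to retrieve Ki in the network
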
   The authentication procedure is also used to set the ciphering key,
   Kc. For this reason, this procedure is performed after the
   subscriber identity is verified by the network and before the channel
   is encrypted.

   The Individual Subscriber Authentication Key (Ki) is allocated,
   along with the IMSI, at subscription time. Ki is stored in an
   Authentication Center (AuC) on the network side, and in the
   Subscriber Identity Module (SIM) on the Mobile Station side. The
   IMSI is stored in the Home Location Register (HLR) and on the SIM
   in the Mobile Station.

c. Traffic Confidentiality

   The confidentiality of user information on the network only pertains
   to the information transmitted on a traffic channel between the MS
   and the Base Station System (BSS). It is not an end-to-end
   confidentiality service.

   There are 4 steps to setting up a secure traffic channel for user
   information:
       1. The ciphering method;
       2. The key setting;
       3. The starting of the enciphering and deciphering process;
       4. The synchronization.

      1. The data transmitted on a Dedicated Control Channel
      (DCCH) or Traffic Channel (TCH) is ciphered by a bit per bit or
      stream cipher. The ciphering stream is generated by algorithm
      A5 using a Ciphering Key (Kc).

      Deciphering is performed by the exact same method.

      2. Key setting is the procedure that allows the Mobile Station
      and the network to agree on the Ciphering Key (Kc) to use in
      the ciphering and deciphering algorithms A5. This must occur
      on a Dedicated Control Channel (DCCH) that has not been
      encrypted and as soon as the identity of the mobile subscriber
      (TMSI) is verified by the network.

      Kc is derived by the Mobile Station from RAND by using
      algorithm A8 and the Individual Subscriber Authentication Key
      Ki. The Kc is stored on the Mobile Station until it is updated at
      the next authentication request.

      [Figure 4.1: Key setting. Columns: MS, Radio path, Network side.
      Radio path labels: TMSI; RAND or TMSI. On each side, Ki and RAND are
      fed into A8 to produce Kc, and each side stores Kc.]

3. The Mobile Station and the BSS must co-ordinate the
initiation of the enciphering and deciphering processes on the
Dedicated Control Channel (DCCH) and/or the Traffic Channel
(TCH).

The transition from clear text mode to ciphered mode proceeds
as follows: deciphering starts in the BSS, which sends in clear
text to the Mobile Station a specific message we will call “Start
cipher”. Both the enciphering and deciphering start on the
Mobile Station after the message “Start cipher” has been
received by the Mobile Station. Enciphering on the BSS side
starts when a frame or message from the Mobile Station has
been correctly deciphered by the BSS.

[Figure 4.2: Starting of the enciphering and deciphering processes.
Columns: MS, Radio path, Network side. The network side starts deciphering
and sends "Start cipher"; the MS starts deciphering and starts enciphering;
on any correctly deciphered message from the MS, the network side starts
enciphering.]

4. A maximum of 7 versions of the A5 algorithm will be defined
for use by GSM carriers.

When a Mobile Station wishes to establish a connection with the
network, the MS shall indicate to the network which of the 7
versions of the A5 algorithm it supports. The network may not
provide service to an MS which indicates that it does not
support the ciphering algorithm(s) required.

The network shall compare its ciphering capabilities and
preferences, and any special requirements of the subscription of
the MS, with those indicated by the MS and act according to the
following rules:

   1. If the MS and the network have no versions of the A5
      algorithm in common and the network is not prepared to
      use an unciphered connection, then the connection shall
      be refused.

   2. If the MS and the network have at least one version of
      the A5 algorithm in common, then the network shall
      select one of the mutually acceptable versions of the A5
      algorithm for use on that connection.

   3. If the MS and the network have no versions of the A5
      algorithm in common and the network is willing to use an
      unciphered connection, then an unciphered connection
      shall be used.
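
The three selection rules above, written out as an added example; it is not part of the original paper and not code from any GSM implementation. It assumes the A5 versions are numbered 1 to 7, that `NetworkPolicy`, `negotiate`, `audit` and `subscription_required` are hypothetical names, and that a non-empty subscription requirement rules out an unciphered connection. The handset capability sets are constructed.

```python
from dataclasses import dataclass
from enum import Enum

A5_VERSIONS = frozenset(range(1, 8))  # assumption: the 7 versions are numbered 1..7


class Outcome(Enum):
    CIPHERED = "ciphered"
    UNCIPHERED = "unciphered"
    REFUSED = "refused"


@dataclass(frozen=True)
class NetworkPolicy:
    # Hypothetical policy record; the field names are illustrative only.
    preferred: tuple        # A5 versions the network supports, most preferred first
    allow_unciphered: bool  # is the network prepared to run without ciphering?


def negotiate(ms_versions, policy, subscription_required=frozenset()):
    """Return (Outcome, selected A5 version or None) for one connection attempt."""
    ms = set(ms_versions)
    required = set(subscription_required)
    bad = (ms | set(policy.preferred) | required) - A5_VERSIONS
    if bad:
        raise ValueError(f"unknown A5 version(s): {sorted(bad)}")
    common = [v for v in policy.preferred if v in ms]
    if required:
        # Special requirement of the subscription: only these versions will do,
        # and falling back to an unciphered connection is not acceptable.
        common = [v for v in common if v in required]
        if not common:
            return Outcome.REFUSED, None
    if common:                        # rule 2: pick a mutually acceptable version
        return Outcome.CIPHERED, common[0]
    if policy.allow_unciphered:       # rule 3: nothing in common, network permits clear
        return Outcome.UNCIPHERED, None
    return Outcome.REFUSED, None      # rule 1: nothing in common, clear not permitted


def audit(attempts, policy):
    """Outcome of every attempt under one policy, to compare policies side by side."""
    return {label: negotiate(ms, policy)[0] for label, ms in attempts.items()}


# Constructed sample capability sets, as indicated by three handsets.
ATTEMPTS = {"handset-a": {1, 3}, "handset-b": {2}, "handset-c": set()}
PERMISSIVE = NetworkPolicy(preferred=(3, 1), allow_unciphered=True)
STRICT = NetworkPolicy(preferred=(3, 1), allow_unciphered=False)

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, {k: v.value for k, v in audit(ATTEMPTS, policy).items()})
```

Under the permissive policy, any handset with no version in common ends up on an unciphered connection; under the strict policy the same handsets are refused, which is the only difference between rules 1 and 3.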
GPRS Security

The technical security offered by GPRS is very similar to that offered by GSM.
As with GSM, identity security, authentication, signaling protection, and data
protection are secured. In addition, the GPRS backbone is secured.
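
[Figure: GPRS authentication. Columns: Mobile, Radio, Network. Auth Req (1)
from the MS to the SGSN; Request (2) from the SGSN to the HLR/AUC; Triplets (3)
from the HLR/AUC (Rand, Ki, A3/8) to the SGSN; Rand (4) to the MS; SRES (5),
computed from Ki and RAND with A3/8, to the SGSN; Pass/Fail Authentication (6);
Key GPRS-Kc (7) on both sides, used with GEA (Enhanced A5).]
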
            1. The mobile station sends an authentication request to the network.
               This arrives at the SGSN.
            2. The SGSN sends the request on to the Home Location Register (HLR)
               and Authentication Center (AuC). Triplets are generated which
               consist of a Random Number (RAND), Signed Response (SRES) and
               encryption key GPRS-Kc. The first two are used in a challenge and
               response to authenticate the smart card in the mobile station.
               The key GPRS-Kc is used to encrypt all the data between the MS
               and the SGSN. GPRS-Kc and SRES are calculated from RAND using the
               authentication algorithm A3/8.
            3. The triplets are sent to the SGSN.
            4. The SGSN sends RAND to the MS. The MS (and SIM) then uses the
               same authentication algorithm, A3/8, to calculate SRES and
               GPRS-Kc.
            5. SRES is sent back to the SGSN, which compares the SRES returned
               to it and the SRES in the authentication triplets.
            6. If they are identical, then the MS must have the correct
               authentication algorithm A3/8 and Ki, and therefore is judged to be
               genuine.
            7. Both the MS and the SGSN also have GPRS-Kc, and both use this
               key to encipher the session between the MS and the SGSN.
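
The triplet exchange in steps 1 to 7, which is also the RAND/SRES authentication and Kc key setting described for GSM earlier, as an added example; it is not part of the original paper. The real A3/8 is operator-specific, so HMAC-SHA256 is swapped in as a stand-in, and all class and function names, the IMSI and the keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3a8(ki, rand):
    """Stand-in for the operator's A3/8 (assumption, NOT a real GSM algorithm):
    HMAC-SHA256(Ki, RAND) split into a 32-bit SRES and a 64-bit Kc."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Network side: holds Ki per IMSI and generates triplets (step 2)."""
    def __init__(self):
        self._ki = {}
    def provision(self, imsi, ki):
        self._ki[imsi] = ki
    def triplet(self, imsi):
        rand = secrets.token_bytes(16)        # non-predictable 128-bit RAND
        sres, kc = a3a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """MS side: Ki is used inside the SIM and never returned to the caller."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def challenge(self, rand):
        sres, self.kc = a3a8(self._ki, rand)  # Kc is kept on the MS
        return sres                           # only SRES crosses the radio path

class ReplaySIM:
    """Constructed negative case: always answers with one recorded SRES."""
    def __init__(self, imsi, recorded_sres):
        self.imsi, self.kc, self._sres = imsi, None, recorded_sres
    def challenge(self, rand):
        return self._sres

def sgsn_authenticate(auc, sim):
    """Steps 1-7 seen from the SGSN: GPRS-Kc on success, None on failure."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)   # steps 1-3
    sres = sim.challenge(rand)                        # steps 4-5
    if not hmac.compare_digest(sres, expected_sres):  # step 6
        return None
    return kc                                         # step 7

def demo():
    imsi = "001010000000001"                  # constructed test IMSI
    ki = secrets.token_bytes(16)              # constructed Ki
    auc = AuC()
    auc.provision(imsi, ki)
    genuine = SIM(imsi, ki)
    kc = sgsn_authenticate(auc, genuine)
    wrong_ki = SIM(imsi, secrets.token_bytes(16))
    recorded = a3a8(ki, secrets.token_bytes(16))[0]   # SRES for an earlier RAND
    return {
        "genuine_accepted": kc is not None and kc == genuine.kc,
        "wrong_ki_rejected": sgsn_authenticate(auc, wrong_ki) is None,
        "replay_rejected": sgsn_authenticate(auc, ReplaySIM(imsi, recorded)) is None,
    }

if __name__ == "__main__":
    print(demo())
```

The replay case fails because each attempt draws a fresh RAND, so an SRES recorded for an earlier challenge no longer matches; Ki itself never appears in any message.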
User Data and Signaling Protection
The GPRS-Kc generated in the authentication process (by A3/8) is used for
encryption. After successful authentication, both the SGSN and the MS have the
same Kc and encryption can thus be started immediately. The Kc and the
present frame number are used to generate a 114-bit enciphering sequence (A5;
the A5 is a new enhanced algorithm which is not public), which is added to each
burst of transmission, which is thus securely enciphered.

Identity Confidentiality
The objective of identity confidentiality is to provide privacy to the subscriber
by protecting the identity of the person from their radio signal and connection
to the SGSN. A temporary identity known as the TLLI (Temporary Logical Link
Identifier) is used. The TLLI is accompanied by a RAI (Routing Area Identity).
The relationship between the TLLI and IMSI is held in a database within the
SGSN.

Identity Authentication
Authentication is performed within the SGSN. Random numbers and Signed
Responses are obtained from the HLR/AUC and stored within the SGSN.

The RAND and SRES are compared by the SGSN to decide if the SIM to be
identified has the correct authentication algorithm for A3 and the correct Ki.

User and signaling data confidentiality
As in GSM, function A3/8 is used to derive the user data and signaling key
GPRS-Kc. A 64 bit key called GPRS-Kc is derived.

The algorithms
GEA1 and GEA2 are the two ETSI defined GPRS Encryption Algorithms
approved for use. GEA1 is an enhanced version of the A5 algorithm used in
GSM. GEA1/2 is used for the user data confidentiality.
End-to-End Security
GPRS itself is not an end-to-end secure solution. GPRS is secure from the
Mobile to the SGSN and the SGSN to the GGSN. The secure connection
between the SGSN and the GGSN is an ETSI specified standard called GTP or
GPRS Tunneling Protocol. The SGSN sets up a GTP tunnel to the GGSN once
authentication has taken place.

If a user wants to employ end to end security that can be done by either
implementing internet security protocols, like IPSec, or implementing Virtual
Private Networks. These solutions are only as secure as the user dictates so
that must be kept in mind while designing these solutions.
Acronym List
A3        Authentication Algorithm
A5        Ciphering Algorithm
A8        Ciphering Key Computation
AUC       Authentication Center
BSS       Base Station System
CEIR      Central Equipment Identity Register
DCCH      Dedicated Control Channel
EIR       Equipment Identity Register
ETSI      European Telecommunications Standards Institute
GEA       GPRS Encryption Algorithm
GGSN      Gateway GPRS Support Node
GPRS      General Packet Radio Service
GPRS-Kc   GPRS Encryption Key
GSM       Global System for Mobile Communications
GTP       GPRS Tunneling Protocol
HLR       Home Location Register
IMEI      International Mobile Equipment Identifier
IMSI      International Mobile Subscriber Identity
IPSec     Internet Protocol Security
Kc        Ciphering key
Ki        Authentication Key
LAI       Location Area Identification
RAI       Routing Area Identity
SGSN      Serving GPRS Support Node
SRES      Signed RESponse
SIM       Subscriber Identity Module
TLLI      Temporary Logical Link Identity
TMSI      Temporary Mobile Subscriber Identity
VLR       Visitor Location Register
Appendix A
            GSM/GPRS SECURITY – THE PARTS TO THE PUZZLE


IDENTIFIERS

IMSI = International Mobile Subscriber Identity
         The IMSI is a permanent identifier assigned to the subscriber’s SIM card.
It is stored in the MS (SIM), VLR, HLR, and SGSN.

TMSI = Temporary Mobile Subscriber Identity
        The TMSI is a temporary identifier assigned to a subscriber while the MS
is powered on and within network coverage. It is used to protect the subscriber’s
identity while connected to the network. It is stored with the LAI in the MS, VLR,
and BSS/MSC.

P-TMSI = Packet - Temporary Mobile Subscriber Identity
       The P-TMSI is a temporary identifier assigned to a subscriber while a
GPRS provisioned MS is powered on and within GPRS coverage. It is used to
protect the subscriber’s identity while connected to the network. It is stored with
the RAI in the MS, VLR, and SGSN.

LA = Location Area, LAI = Location Area Identification
       The LAI identifies a specific group of cells covered by one MSC. An MSC
usually consists of several LAs. It is stored with the TMSI in the MS, VLR, and
BSS/MSC.

RA = Routing Area, RAI = Routing Area Identity
      The RAI identifies a specific group of cells covered by one SGSN. An
SGSN usually consists of several RAs. It is stored with the P-TMSI in the MS,
VLR, and SGSN.

TLLI = Temporary Logical Link Identity
      The TLLI identifies the radio path of an MS that is attached to the GPRS
network. It is stored with the RAI in the MS and SGSN.


SECURITY COMPONENTS

RAND = Non-predictable number
       The RAND is a 128 bit random number generated by the network to be
used in authentication and encryption schemes. It is stored with the SRES in the
MS, AuC, VLR and HLR. The RAND is not stored in the SGSN, but is retrieved
from the AuC or HLR when needed.

SRES = The Signature of RAND
      The SRES is a 32 bit number that is the signature of the RAND derived by
the network using the A3 algorithm and Ki. It is stored with the RAND in the MS,
AuC, VLR and HLR. The SRES is not stored in the SGSN, but is retrieved from
the AuC or HLR when needed.

A3 Algorithm = Authentication Algorithm
        The A3 algorithm is used to authenticate a user on the network. The use
of this algorithm is optional for the carrier. It uses Ki and RAND to generate an
SRES on the MS and the network. If the SRESs are the same, the user is
authenticated. The A3 resides in the MS (SIM) and the AuC.

Algorithm A8 = Ciphering Key Algorithm
        The A8 algorithm is used to create the key Kc. The use of the A8
algorithm is optional for the carrier. It uses RAND (or TMSI) and Ki to generate
Kc for use in the ciphering and deciphering process. The A8 resides in the MS
(SIM) and the AuC.

Algorithm A5 = Ciphering Algorithm
      The A5 algorithm uses Kc to create a stream cipher of the data
transmitted on the traffic and control channels. The A5 resides in the BSS.

Algorithm GPRS-A5 = GPRS Ciphering Algorithm
       The GPRS-A5 algorithm uses GPRS-Kc to create a stream cipher of the
data transmitted on the traffic and control channels. The GPRS-A5 resides in the
SGSN.

Ki = Individual Subscriber Authentication Key
       The Ki is allocated at subscription time. The Ki is a 128 bit number that is
stored in the MS (SIM) and the AuC.

Kc = Ciphering Key
      The Kc is a 64 bit number created simultaneously by the network and the
MS to be used in the ciphering and deciphering process. The Kc is created using
the RAND (or TMSI) and Ki. It is stored in the MS, VLR, HLR, and BSS/MSC.

GPRS-Kc = GPRS Ciphering Key
      The Kc is a 64 bit number created simultaneously by the network and the
MS to be used in the ciphering and deciphering process. The Kc is created using
the RAND (or P-TMSI) and Ki. It is stored in the MS, VLR, HLR, and SGSN.


NETWORK COMPONENTS

PLMN = Public Land Mobile Network
     The “network” is also known as the PLMN.

BSS/MSC = Base Station System/ Mobile services Switching Center
     The BSS/MSC stores algorithm A5, Kc, TMSI and LAI.

HLR = Home Location Register
        The HLR is the warehouse for subscriber information for the given PLMN.
It stores the Kc, GPRS-Kc, RAND and SRES and IMSI.

VLR = Visitor Location Register
       Where the HLR stores information pertaining to all subscribers, the VLR
stores information pertinent only to those subscribers currently using the network.
Amongst the items stored here are the IMSI, TMSI, P-TMSI, LAI, RAI, RAND and
SRES, Kc and GPRS-Kc.

AuC = Authentication Center
        The AuC is the warehouse for keys and algorithms. The AuC is often part
of the HLR. It stores the Ki, RAND and SRES, A3 algorithm, and the A8
algorithm.

SGSN = Serving GPRS Support Node
      The SGSN handles all authentication and ciphering services for the GPRS
network. It stores the TLLI, IMSI, P-TMSI, RAI, RAND and SRES, GPRS-Kc,
GPRS-A5.

MS = Mobile Station, SIM = Subscriber Identity Module
        The MS is also known as the terminal, handset, ME (mobile equipment),
and phone. The MS permanently stores the algorithm A3, algorithm A5,
algorithm A8, IMSI and Ki in the SIM. It receives from the network and stores the
RAND, TMSI, P-TMSI, LAI, RAI and TLLI. It generates and stores the SRES, Kc
and GPRS-Kc.

				