IC3 Network Security
Worksheet, week 7
MSc in Information Security 2003/04
ISG, Royal Holloway University of London
GSM and UMTS security
Revision : 1.6
March 22, 2004
1 Basic questions Two
Suppose that two Vodafone UK customers are lo-
One cated on a ski piste in the French Alps. What route
would be taken by the voice traﬃc between them?
What eﬀect might this route have on quality of ser-
Find out what you can about attacks on ﬁrst gen- vice?
eration mobile phone networks. In particular, what Every GSM phone network consists of base stations,
was the situation with respect to phone cloning and an ’outer’ network called the visited network and a
eavesdropping? home network1 . When customer A makes his call,
his call gets routed via the base station into the
First generation mobile phones did not use any form visited network, from there into the home network
of encryption whatsoever. This means that no con- of his provider. From there, the provider ﬁnds the
ﬁdentiality was granted to the user of the phone, receiver of the call, so it gets routed back into the
enabling an eavesdropper to listen to any phone call visited network in France, back to the base station
he wanted to – the lecture notes talk about simply and then ﬁnally to the receiver.
tuning a radio to the correct frequency. An obvi-
ous conclusion from the lack of any cryptographic Since the call takes an unnecessary lengthy route,
mechanism also results in the lack of no authenti- there will probably be some noticable delay when
cation in either direction – the phone’s identity was speaking on the phone, even though both parties
announced in the clear. are probably very close to each other physically.
In addition, the SIM card (or equivalent) was
not tamper-resistant, enabling anyone to clone cell Three
phones, because they were able to copy the data
from the card that was responsible for authentica- Why does GSM make use of both an HLR and a
When a mobile phone is switched on, it registers its
Also, the network did not authenticate itself to
current location with the HLR (home location reg-
the mobile equipment. This is a design ﬂaw that
ister). When the phone is not in its home network,
haunts second generation mobile networks just as
information is retrieved and stored in the visited lo-
much. The lack of mutual authentication allows
cation register (VLR). The VLR is acting as a local
an attacker to impersonate any piece of networking
storage for this information, so roaming in diﬀer-
equipment without knowledge of the user; especially
ent networks does not make continous retrieval of
basestations are easy to impersonate using so-called
IMSI catchers. 1 And of course the mobile equipment.
Thorsten Fischer IC3 work sheet 7
information from the home network necessary. since it is performing encryption anyway, and the
encryption algorithms are standardized.
Four On the other hand, a key exchange including mu-
tual authentication would have to take place be-
(a) Why must the same encryption algorithm be tween the two phones, a process which devices in
used in all GSM networks? Contrast with the a GSM network are not prepared for. Also, ’lawful
A3/A8 algorithms. interception’ would be rendered impossible, unless
there was some kind of key recovering scheme that
In GSM networks, traﬃc between the mobile and allowed law enforcement to get hold of a call’s con-
the base station is encrypted. To be able to de- tents.
crypt the contents of the call, the algorithm must
be known to everyone. Since the cryptographic pro-
cesses are taking place within the hardware of the
mobile equipment, that equipment must know all Five
the algorithms used. To have every possible piece
of mobile equipment be able to roam in visited net- foo.
works, all algorithms must be known within all net- The authentication protocol of GSM is a one-way
works, which means that all of them should use the challenge-response protocol. It authenticates the
same algorithms. The encryption algorithm used in mobile equipment to the network, but not the other
GSM is called A5. way around.
A3 and A8 are the authentication function and the
The authentication centre (AuC) and the mobile
key generating function of GSM, respectively. Since
equipment (ME) share a 64-bit key; the key of the
authentication always takes place between the mo-
ME is stored on the SIM card. When the protocol
bile equipment and the MSC (the switching equip-
is initiated2 , the AuC generates a random number
ment) which has received authentication informa-
to be used as an authentication challenge, and en-
tion from the AuC (authentication centre) in the
crypts it using the shared key. It then sends the
home network of the mobile equipment, it is not
random number and the expected answer to the
necessary to have an authentication standard to be
MSC (mobile switching centre) which handles the
the same in all networks. The MSC is told by the
remainder of the protocol on behalf of the AuC.
AuC what answer to espect to the random challenge
it has issued. The is only testing if the answer is The MSC (which doesn’t know anything about the
the expected one, not how it has been generated. number generation process) hands the random num-
ber to the ME, which uses its own key to generate
A3 and A8 are not even standardised.
a response to that challenge. It sends the response
(a) In GSM systems, in which part of the network to the MSC, which compares it to the expected re-
is the voice traﬃc encrypted? Why? What would sponse it received from the AuC. If the numbers are
be the diﬃculties (if any) of providing end-to-end the same, it considers the ME authenticated.
encryption in GSM?
- auth protocol; challenge/response; derivation of
In a GSM system, the voice traﬃc is encrypted be- session keys. third party to judge the respones,
tween the mobile equipment and the BSC (base sta- while another one created challenge etc. (non-
tion controller), which is the piece of equipment that standardized auth’ing)
controls the basestation. Encryption is provided to
make it infeasible for an attacker to eavesdrop on
a call. In addition, it becomes impossible to hijack
an established session between the mobile and the Six
basestation, because without the key, an attacker
cannot impersonate the phone. foo.
The lack of end-to-end encryption assumes that an The SIM holds a thing crucial to the communication
attacker is not able to eavesdrop on the lines which process in a GSM network: the key Ki used for
connect the BSC to the rest of the network. End-to- authenticating and the phone to the network, and
end encryption would make sure that such an attack for encrypting the voice traﬃc between the phone
would do no harm. It would also remove the need and the base station.
for some of the computing power from the network
devices, while the mobile equipment is not aﬀected, 2 Protocol initiation varies from operator to operator.
Thorsten Fischer IC3 work sheet 7
- Who knows? probably technical reasons; having (a) foo.
a counter that overﬂows after a certain period of (b) foo.
time; must be ﬁnite in any way.
- COMP128 repeated challenges lead to the device Eighteen
not responding anymore -> dos
- IMSI, TMSI, assigning temporary IDs
- mutual authentication
- encryption extends one step beyond base station
- law enforcement interface built in from the begin- foo.
foo. (a) foo.
- The security design goal of GSM was to provide se-
curity which was similar to that of a landline phone
- no; only signals are authenticated (b) Describe the main changes in security features
that were made to the GSM standard developing the
UMTS standard. What motivated these changes?
2 Intermediate questions One change was to extend the encryption one step
further than in GSM. With UMTS phone calls,
Fourteen encryption of the communication is implemented
from the mobile equipment, over the base station
foo. up to the radio network controller (RNC). This
is to extend prevent eavesdropping attacks against
(a) foo. base stations which transmit their communication
(b) foo. through the air to the RNC.
Thorsten Fischer IC3 work sheet 7
A mistake that was made with GSM was that the Twenty-eight
encryption algorithms were kept secret. That led
to the common but wrong assumption it would en- foo.
hance the security of the system – the designers IPSec could provide for an end-to-end encryption
were proved wrong. In UMTS, algorithms are be- between two
ing used which are based on open speciﬁcations.
- necessity to distribute public keys in advance?
UMTS provides for a mechanism to authenticate what if keys in network change?
the network to the mobile phone, in case the mo-
bile phone asks for it. That mechanism defeats
attacks based on technologies like IMSI catchers, Twenty-nine
which simulate a base station in a GSM network.
Unfortunately, the UMTS network provides for a foo.
lot of backward compatibility with GSM networks
to guarantee interoperability. Go ﬁgure.
Luckily, UMTS provides integrity protection for cer-
tain types of signalling between mobile and radio foo.
network controller. Since this integrity protection
is partly based on authentication of the network to
the mobile equipment, some additional protection References
against false base stations is provided.
Another fact to take into account is that phone and
data interception mechanisms for law enforcement
are integral part of the UMTS standard. The usage
of these interfaces is subject to the rules regarding 1 Basic questions 1
lawful intereception of the country the communica-
tion is travelling through. Since a phone call can 2 Intermediate questions 3
travel more than just a single country on its way,
it is not easy to assess the entire complexity of a 3 Advanced questions 4
3 Advanced questions
- need references to A3/A8, A5, COMP128, GSM,
Twenty-three UMTS, GPRS, 3GPP, and etc.
- what are the ’open’ algorithms in UMTS?
foo. Colette Hanley for spell-checking my bad english in
the ﬁrst drafts of this document.