GSM and UMTS security

Document Sample
GSM and UMTS security Powered By Docstoc
					IC3 Network Security
Worksheet, week 7
MSc in Information Security 2003/04
ISG, Royal Holloway University of London

                         GSM and UMTS security
                                      Thorsten Fischer
                                       Revision : 1.6
                                          March 22, 2004

1 Basic questions                                       Two
                                                      Suppose that two Vodafone UK customers are lo-
One                                                   cated on a ski piste in the French Alps. What route
                                                      would be taken by the voice traffic between them?
                                                      What effect might this route have on quality of ser-
Find out what you can about attacks on first gen- vice?
eration mobile phone networks. In particular, what Every GSM phone network consists of base stations,
was the situation with respect to phone cloning and an ’outer’ network called the visited network and a
eavesdropping?                                        home network1 . When customer A makes his call,
                                                      his call gets routed via the base station into the
First generation mobile phones did not use any form visited network, from there into the home network
of encryption whatsoever. This means that no con- of his provider. From there, the provider finds the
fidentiality was granted to the user of the phone, receiver of the call, so it gets routed back into the
enabling an eavesdropper to listen to any phone call visited network in France, back to the base station
he wanted to – the lecture notes talk about simply and then finally to the receiver.
tuning a radio to the correct frequency. An obvi-
ous conclusion from the lack of any cryptographic Since the call takes an unnecessary lengthy route,
mechanism also results in the lack of no authenti- there will probably be some noticable delay when
cation in either direction – the phone’s identity was speaking on the phone, even though both parties
announced in the clear.                               are probably very close to each other physically.

In addition, the SIM card (or equivalent) was
not tamper-resistant, enabling anyone to clone cell Three
phones, because they were able to copy the data
from the card that was responsible for authentica- Why does GSM make use of both an HLR and a
tion.                                                VLR?
                                                     When a mobile phone is switched on, it registers its
Also, the network did not authenticate itself to
                                                     current location with the HLR (home location reg-
the mobile equipment. This is a design flaw that
                                                     ister). When the phone is not in its home network,
haunts second generation mobile networks just as
                                                     information is retrieved and stored in the visited lo-
much. The lack of mutual authentication allows
                                                     cation register (VLR). The VLR is acting as a local
an attacker to impersonate any piece of networking
                                                     storage for this information, so roaming in differ-
equipment without knowledge of the user; especially
                                                     ent networks does not make continous retrieval of
basestations are easy to impersonate using so-called
IMSI catchers.                                        1 And of course the mobile equipment.

Thorsten Fischer                                                                                     IC3 work sheet 7

information from the home network necessary.               since it is performing encryption anyway, and the
                                                           encryption algorithms are standardized.

Four                                                On the other hand, a key exchange including mu-
                                                    tual authentication would have to take place be-
(a) Why must the same encryption algorithm be tween the two phones, a process which devices in
used in all GSM networks? Contrast with the a GSM network are not prepared for. Also, ’lawful
A3/A8 algorithms.                                   interception’ would be rendered impossible, unless
                                                    there was some kind of key recovering scheme that
In GSM networks, traffic between the mobile and allowed law enforcement to get hold of a call’s con-
the base station is encrypted. To be able to de- tents.
crypt the contents of the call, the algorithm must
be known to everyone. Since the cryptographic pro-
cesses are taking place within the hardware of the
mobile equipment, that equipment must know all Five
the algorithms used. To have every possible piece
of mobile equipment be able to roam in visited net- foo.
works, all algorithms must be known within all net- The authentication protocol of GSM is a one-way
works, which means that all of them should use the challenge-response protocol. It authenticates the
same algorithms. The encryption algorithm used in mobile equipment to the network, but not the other
GSM is called A5.                                   way around.
A3 and A8 are the authentication function and the
                                                           The authentication centre (AuC) and the mobile
key generating function of GSM, respectively. Since
                                                           equipment (ME) share a 64-bit key; the key of the
authentication always takes place between the mo-
                                                           ME is stored on the SIM card. When the protocol
bile equipment and the MSC (the switching equip-
                                                           is initiated2 , the AuC generates a random number
ment) which has received authentication informa-
                                                           to be used as an authentication challenge, and en-
tion from the AuC (authentication centre) in the
                                                           crypts it using the shared key. It then sends the
home network of the mobile equipment, it is not
                                                           random number and the expected answer to the
necessary to have an authentication standard to be
                                                           MSC (mobile switching centre) which handles the
the same in all networks. The MSC is told by the
                                                           remainder of the protocol on behalf of the AuC.
AuC what answer to espect to the random challenge
it has issued. The is only testing if the answer is    The MSC (which doesn’t know anything about the
the expected one, not how it has been generated.       number generation process) hands the random num-
                                                       ber to the ME, which uses its own key to generate
A3 and A8 are not even standardised.
                                                       a response to that challenge. It sends the response
(a) In GSM systems, in which part of the network to the MSC, which compares it to the expected re-
is the voice traffic encrypted? Why? What would sponse it received from the AuC. If the numbers are
be the difficulties (if any) of providing end-to-end the same, it considers the ME authenticated.
encryption in GSM?
                                                       - auth protocol; challenge/response; derivation of
In a GSM system, the voice traffic is encrypted be- session keys. third party to judge the respones,
tween the mobile equipment and the BSC (base sta- while another one created challenge etc. (non-
tion controller), which is the piece of equipment that standardized auth’ing)
controls the basestation. Encryption is provided to
make it infeasible for an attacker to eavesdrop on
a call. In addition, it becomes impossible to hijack
an established session between the mobile and the Six
basestation, because without the key, an attacker
cannot impersonate the phone.                          foo.
The lack of end-to-end encryption assumes that an          The SIM holds a thing crucial to the communication
attacker is not able to eavesdrop on the lines which       process in a GSM network: the key Ki used for
connect the BSC to the rest of the network. End-to-        authenticating and the phone to the network, and
end encryption would make sure that such an attack         for encrypting the voice traffic between the phone
would do no harm. It would also remove the need            and the base station.
for some of the computing power from the network
devices, while the mobile equipment is not affected,        2 Protocol   initiation varies from operator to operator.

Thorsten Fischer                                                                             IC3 work sheet 7

Seven                                                      Fifteen
foo.                                                       foo.
- Who knows? probably technical reasons; having (a) foo.
a counter that overflows after a certain period of (b) foo.
time; must be finite in any way.


- COMP128 repeated challenges lead to the device           Eighteen
not responding anymore -> dos

- IMSI, TMSI, assigning temporary IDs

- mutual authentication
- encryption extends one step beyond base station
- law enforcement interface built in from the begin-       foo.
foo.                                                       (a) foo.
                                                           - The security design goal of GSM was to provide se-
                                                           curity which was similar to that of a landline phone
foo.                                                       foo.
- no; only signals are authenticated                       (b) Describe the main changes in security features
                                                           that were made to the GSM standard developing the
                                                           UMTS standard. What motivated these changes?
2 Intermediate questions                                   One change was to extend the encryption one step
                                                           further than in GSM. With UMTS phone calls,
Fourteen                                                   encryption of the communication is implemented
                                                           from the mobile equipment, over the base station
foo.                                                       up to the radio network controller (RNC). This
                                                           is to extend prevent eavesdropping attacks against
(a) foo.                                                   base stations which transmit their communication
(b) foo.                                                   through the air to the RNC.

Thorsten Fischer                                                                         IC3 work sheet 7

A mistake that was made with GSM was that the          Twenty-eight
encryption algorithms were kept secret. That led
to the common but wrong assumption it would en-        foo.
hance the security of the system – the designers       IPSec could provide for an end-to-end encryption
were proved wrong. In UMTS, algorithms are be-         between two
ing used which are based on open specifications.
                                                  - necessity to distribute public keys in advance?
UMTS provides for a mechanism to authenticate what if keys in network change?
the network to the mobile phone, in case the mo-
bile phone asks for it. That mechanism defeats
attacks based on technologies like IMSI catchers, Twenty-nine
which simulate a base station in a GSM network.
Unfortunately, the UMTS network provides for a foo.
lot of backward compatibility with GSM networks
to guarantee interoperability. Go figure.
Luckily, UMTS provides integrity protection for cer-
tain types of signalling between mobile and radio foo.
network controller. Since this integrity protection
is partly based on authentication of the network to
the mobile equipment, some additional protection References
against false base stations is provided.
Another fact to take into account is that phone and
data interception mechanisms for law enforcement
are integral part of the UMTS standard. The usage
of these interfaces is subject to the rules regarding 1 Basic questions                                 1
lawful intereception of the country the communica-
tion is travelling through. Since a phone call can 2 Intermediate questions                             3
travel more than just a single country on its way,
it is not easy to assess the entire complexity of a 3 Advanced questions                                4
phone call.

                                                       Random notes
3 Advanced questions
                                                       - need references to A3/A8, A5, COMP128, GSM,
Twenty-three                                           UMTS, GPRS, 3GPP, and etc.
                                                       - what are the ’open’ algorithms in UMTS?

Twenty-four                                            Acknowledgements
foo.                                                   Colette Hanley for spell-checking my bad english in
                                                       the first drafts of this document.




Shared By: