Post on 15-Jun-2018
SecurityofWirelessNetworks
SrdjanČapkunDepartmentofComputerScience
ETHZurich
Some material adapted from Hubaux, Buttyan, “Security and Cooperation in Wireless Networks”
NetworkAccess GSM/UMTS
SecurityofWirelessNetworks,AS2010
GSM
GSM(GlobalSystemforMobileCommunica?ons)iss?llthemostwidelyusedcellularstandard• >600millionusers,mostlyinEuropeandAsia;limited
coverageandsupportinUSA• BasedonTDMAradioaccessandPCMtrunking• UseSS7signallingwithmobile-specificextensions• Providesauthen?ca?onandencryp?oncapabili?es• Thirdgenera?on(3G)andfuture(4G)
SecurityofWirelessNetworks,AS2010
GSM
900MHz(or1800MHz)band• uplinkfrequencyband890-915MHz• downlinkfrequencybandis935-960MHz• 25MHzsubdividedinto124carrierfrequencychannels,
each200kHzapartTimedivisionmul?plexing(TDMA)• allows8speechchannelsperradiofrequencychannel• Channeldatarateis270.833kbps• Voicetransmi`edat13kbpsHandsetpowermax.2wa`sinGSM850/900and1wa`inGSM1800/1900Cellsizeupto35km
SecurityofWirelessNetworks,AS2010
GSMArchitecture
Mobile Stations Base Station Subsystem
Exchange System
Network Management
Subscriber and terminal equipment databases
BSC MSC VLR
HLR
EIR
AUC
OMC BTS
BTS
BTS
EIR - Equipment Identity Register AC = Authentication center
HLR = Home Location Register VLR = Visitor Location Register
MSC (Mobile Switching Center) sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call and takes care of charging and real time pre-paid account monitoring.
SecurityofWirelessNetworks,AS2010
GSMSecurityGoals
Operators• Billsrightpeople• Avoidfraud• ProtectServicesCustomers• Privacy• AnonymityMakeasystematleastsecureasPSTN?
SecurityofWirelessNetworks,AS2010
GSMSecurityGoals
ConfidenIalityandAnonymityontheradiopathStrongclientauthen*ca*ontoprotecttheoperatoragainstthebillingfraudPreven?onofoperatorsfromcompromisingofeachothers’security• Inadvertently• Compe??onpressure
SecurityofWirelessNetworks,AS2010
mygrandgrandma...
Twoissues:• Talkingforfree:Howdoyouprovethatyouarethe
costumerofanetwork?• Talkingonsomeoneelse’sexpense:Howdoyoudiffer
betweentwocostumers?
=>weneedawaytodis?nguishbetweenusers(authenIcaIon)
SecurityofWirelessNetworks,AS2010
SIM(SubscriberIden?fica?onModule)
SubscriberIden?fica?onModule(SIM)• SmartCard–asinglechipcomputercontainingOS,File
System,Applica?ons• Ownedbyoperator(i.e.trusted)
SecurityofWirelessNetworks,AS2010
SIMCards
Typicalspecifica?on• 8bitCPU• 16KROM• 256bytesRAM• 4KEEPROM• Cost:$5-50SmartCardTechnology• BasedonISO7816defining• Cardsize,contactlayout,electricalcharacteris?cs• I/OProtocols: byte/blockbased• FileStructure
SecurityofWirelessNetworks,AS2010
GSMMobile
MobileEquipment(ME)• Physicalmobiledevice• Iden?fiers
• IMEI–Interna?onalMobileEquipmentIden?tySubscriberIden?tyModule(SIM)• SmartCardcontainingkeys,iden?fiersandalgorithms• Iden?fiers
• Ki–SubscriberAuthen?ca?onKey• IMSI–Interna?onalMobileSubscriberIden?ty• TMSI–TemporaryMobileSubscriberIden?ty• MSISDN–MobileSta?onInterna?onalService
DigitalNetwork• PIN–PersonalIden?tyNumberprotec?ngaSIM• LAI–loca?onareaiden?ty
SecurityofWirelessNetworks,AS2010
TheKeyisintheCard
Ki–SubscriberAuthen?ca?onKey• Shared128bitkeyusedforauthen?ca?onofsubscriber
bytheoperator
KeyStorage• Subscriber’sSIM(ownedbyoperator,i.e.trusted)• Operator’sHomeLocatorRegister(HLR)ofthe
subscriber’shomenetwork
SecurityofWirelessNetworks,AS2010
GSMUserAuthen?ca?on
A3
Mobile phone Radio Link GSM Operator
A8
A5
A3
A8
A5
Ki Ki
Challenge RAND
Kc Kc
mi Encrypted Data mi
SIM
Signed response (SRES) SRES SRES
Fn Fn
Authentication: are SRES values equal?
SecurityofWirelessNetworks,AS2010
GSMUserAuthen?ca?on
AuC–Authen?ca?onCenter• Providesparametersforauthen?ca?onandencryp?on
func?ons(RAND,SRES,Kc)HLR–HomeLoca?onRegister• ProvidesMSC(MobileSwitchingCenter)withtriples
(RAND,SRES,Kc)• HandlesMSloca?onVLR–VisitorLoca?onRegister• StoresgeneratedtriplesbytheHLRwhenasubscriber
isnotinhishomenetwork• Oneoperatordoesn’thaveaccesstosubscriberkeysof
theanotheroperator.
SecurityofWirelessNetworks,AS2010
A3andA8(Authen?ca?onandSessionKey)BothA3andA8algorithmsareimplementedontheSIM• Operatorcandecide,whichalgorithmstouse.• Algorithmimplementa?onisindependentofHWand
operators.• A8wasnevermadepublic
A3
RAND (128 bit)
Ki (128 bit)
SRES (32 bit)
A8
RAND (128 bit)
Ki (128 bit)
KC (64 bit)
COMP128
RAND (128 bit)
Ki (128 bit)
128 bit output SRES 32 bit and Kc 54 bit
LogicalimplementaIonofA3andA8
COMP128isakeyedhashfuncIon
SecurityofWirelessNetworks,AS2010
A5(Confiden?ality)A5isastreamcipher• ImplementedveryefficientlyonhardwareDesignwasnevermadepublic• LeakedtoRossAndersonandBruceSchneierVariants:A5/1–thestrongversion,A5/2–theweakversion,A5/3GSMAssocia?onSecurityGroupand3GPPdesignBasedonKasumialgorithmusedin3Gmobilesystems
A5
Kc (64 bit) Fn (22 bit)
114 bit
XOR Data (114 bit)
A5
Kc (64 bit) Fn (22 bit)
114 bit
XOR Ciphertext (114 bit) Data (114 bit)
Mobile Station BTS
SecurityofWirelessNetworks,AS2010
A`ackHistory(Authen?ca?onandConfiden?ality)
1991:FirstGSMimplementa?on.April1998• TheSmartcardDeveloperAssocia?on(SDA)togetherwith
U.C.BerkeleyresearcherscrackedCOMP128algorithmstoredinSIMandsucceededtogetKiwithinseveralhours.TheydiscoveredthatKcusesonly54bits.
August1999• TheweakA5/2wascrackedusingasinglePCwithin
seconds.December1999• AlexBiryukov,AdiShamirandDavidWagnerhavepublished
theschemebreakingthestrongA5/1algorithm.Withintwominutesofinterceptedcallthea`ack?mewasonly1second.
May2002
SecurityofWirelessNetworks,AS2010
A`ack:Extrac?ngtheKeyfromtheSIMcard
A`ackGoal• KistoredonSIMcard• KnowingKiit’spossibletocloneSIMCardinalPrinciple• Relevantbitsofallintermediatecyclesandtheirvalues
shouldbesta?s?callyindependentoftheinputs,outputs,andsensi?veinforma?on.
A`ackIdea• Findaviola?onoftheCardinalPrinciple,i.e.side
channelswithsignalsdoesdependoninput,outputsandsensi?veinforma?on
• Trytoexploitthesta?s?caldependencyinsignalstoextractasensi?veinforma?on
SecurityofWirelessNetworks,AS2010
A`ack:Extrac?ngtheKeyfromtheSIMcard
Traditional Cryptographic
Attacks
Input Crypto Processing
Sensitive Information
Output
SecurityofWirelessNetworks,AS2010
A`ack:Extrac?ngtheKeyfromtheSIMcard
Side Channels • Power Consumption • Electromagnetic radiation • Timing • Errors • Etc.
Side Channel Attacks
Input Crypto Processing
Sensitive Information
Output
SecurityofWirelessNetworks,AS2010
A`ack:FakeBS
• IMSIcatcherbyLawEnforcement• Interceptmobileoriginatedcalls• Canbeusedforover-the-aircloning
Usedtobe...
Today: USRP,OpenBTS
SecurityofWirelessNetworks,AS2010
SignalingSecurity
MobilenetworksprimarilyuseSignalingSystemno.7(SS7)forcommunica?onbetweennetworksforsuchac?vi?esasauthen?ca?on,loca?onupdate,andsupplementaryservicesandcallcontrol.Themessagesuniquetomobilecommunica?onsareMAPmessages.
ThesecurityoftheglobalSS7networkasatransportsystemforsignalingmessagese.g.authen?ca?onandsupplementaryservicessuchascallforwardingisopentomajorcompromise.
TheproblemwiththecurrentSS7systemisthatmessagescanbealtered,injectedordeletedintotheglobalSS7networksinanuncontrolledmanner
SecurityofWirelessNetworks,AS2010
LowTechFraud
Frauds• Callforwardingtopremiumratenumbers• Bogusregistra?ondetails• Roamingfraud• Terminalthep• Mul?pleforwarding,conferencecallsCountermeasures:• Mul?plecallsatthesame?me,• Largevaria?onsinrevenuebeingpaidtootherpar?es,• Largevaria?onsinthedura?onofcalls• Changesincustomerusage• Monitortheusageofacustomercloselyduringa
'proba?onaryperiod'
NetworkAccess GSM/UMTS
SecurityofWirelessNetworks,AS2010
UMTS
UMTS(UniversalMobileTelecommunica?onsSystem)UsesW-CDMA,• 1885-2025MHzforthemobile-to-base(uplink)and
2110-2200MHzforthebase-to-mobile(downlink)• supportsupto14Mbps(intheory)(withHSDPA),• usersindeployednetworkscanexpectupto384kbit/s
forR99handsets,and3.6Mbit/sforHigh-SpeedDownlinkPacketAccess(HSDPA)handsets
SecurityofWirelessNetworks,AS2010
UMTSSecurity
Reuseof2ndgenera?onsecurityprinciples(GSM):• Removablehardwaresecuritymodule
• InGSM:SIMcard• In3GPP:USIM(UserServicesIden?tyModule)
• Radiointerfaceencryp?on• LimitedtrustintheVisitedNetwork• Protec?onoftheiden?tyoftheenduser• Correc?onofthefollowingweaknessesoftheprevious
genera?on:• ATacksfromafakedbasestaIon• CipherkeysandauthenIcaIondatatransmiTedin
clearbetweenandwithinnetworks• EncrypIonnotusedinsomenetworks• Dataintegritynotprovided
SecurityofWirelessNetworks,AS2010
UMTSAuthen?ca?on(withaVisitedNetwork)
Generation of cryptographic material
Home Environment Visited Network Mobile Station Sequence number (SQN) RAND(i)
Authentication vectors
K: User’s secret key
IMSI/TMSI User authentication request
Verify AUTN(i) Compute RES(i)
User authentication response RES(i)
Compare RES(i) and XRES(i)
Select CK(i) and IK(i)
Compute CK(i) and IK(i)
K
K
RAND(i)||AUTN(i)
SecurityofWirelessNetworks,AS2010
Genera?onofAuthen?ca?onVectors (bytheHomeEnvironment)
Generate SQN
Generate RAND
f1 f2 f3 f4 f5
K
AMF
MAC (Message Authentication
Code)
XRES (Expected
Result)
CK (Cipher Key)
IK (Integrity
Key)
AK (Anonymity
Key)
AMF: Authentication and Key Management Field
Authentication token: AUTN = (SQN⊕AK)|| AMF|| MAC
Authentication vector: AV = RAND|| XRES ||CK || IK || AUTN
SecurityofWirelessNetworks,AS2010
UserAuthen?ca?onFunc?onsinUSIM
USIM: User Services Identity Module
f1 f2 f3 f4
K
XMAC (Expected MAC)
RES (Result)
CK (Cipher
Key)
IK (Integrity
Key)
f5
RAND
AK
SQN
AMF MAC
AUTN
• Verify MAC = XMAC • Verify that SQN is in the correct range
SecurityofWirelessNetworks,AS2010
MoreAboutAuthen?ca?onandKeyGenera?on
Inaddi?ontof1,f2,f3,f4andf5,twomorefunc?onsaredefined:f1*andf5*,usedincasetheauthen?ca?onproceduregetsdesynchronized(detectedbytherangeofSQN).
f1,f1*,f2,f3,f4,f5andf5*areoperator-specificHowever,3GPPprovidesadetailedexampleofalgorithmset,calledMILENAGE
MILENAGEisbasedontheRijndaelblockcipherInMILENAGE,thegenera?onofallsevenfunc?onsf1…f5*isbasedontheRijndaelalgorithm
SecurityofWirelessNetworks,AS2010
Authen?ca?onandKeyGenera?on Func?ons(f1...f5*)
rotate by r4
OPc
c4
EK
OPc
rotate by r2
OPc
c2
EK
OPc
rotate by r3
OPc
c3
EK
OPc
rotate by r5
OPc
c5
EK
OPc
rotate by r1
OPc
c1
EK
OPc
EK
SQN||AMF OPc EK OP OPc
f1 f1* f5 f2 f3 f4 f5*
RAND
OP: operator-specific parameter r1,…, r5: fixed rotation constants c1,…, c5: fixed addition constants
EK : Rijndael block cipher with 128 bits text input and 128 bits key
SecurityofWirelessNetworks,AS2010
SignalingIntegrityProtec?on
f9
MAC-I
IK
SIGNALLING MESSAGE
COUNT-I
FRESH
DIRECTION
Sender (Mobile Station or
Radio Network Controller)
f9
XMAC-I
IK
SIGNALLING MESSAGE
COUNT-I
FRESH
DIRECTION
Receiver (Radio Network Controller
or Mobile Station)
FRESH: random input
SecurityofWirelessNetworks,AS2010
f9integrityfunc?on
COUNT || FRESH || MESSAGE ||DIRECTION||1|| 0…0
KASUMI IK KASUMI IK KASUMI IK KASUMI IK
KASUMI IK KM
PS0 PS1 PS2 PSBLOCKS-1
MAC-I (left 32-bits)
• KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) • PS: Padded String • KM: Key Modifier
SecurityofWirelessNetworks,AS2010
Encryp?on
48
f8
KEYSTREAM BLOCK
CK
BEARER
COUNT-C
LENGTH
DIRECTION
PLAINTEXT BLOCK
f8
KEYSTREAM BLOCK
CK
BEARER
COUNT-C
LENGTH
DIRECTION
PLAINTEXT BLOCK
CIPHERTEXT BLOCK
Sender (Mobile Station or
Radio Network Controller)
Receiver (Radio Network Controller
or Mobile Station)
BEARER: radio bearer identifier COUNT-C: ciphering sequence counter
SecurityofWirelessNetworks,AS2010
f8keystreamgenerator
KASUMI KASUMI KASUMI KASUMI KASUMI CK KASUMI CK KASUMI CK KASUMI CK
KASUMI CK KM
KS[0]…KS[63]
Register
KS[64]…KS[127] KS[128]…KS[191]
BLKCNT=0 BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1
COUNT || BEARER || DIRECTION || 0…0 KM: Key Modifier KS: Keystream
SecurityofWirelessNetworks,AS2010
ConclusiononUMTSSecurity
Someimprovementwithrespectto2ndgenera?onCryptographicalgorithmsarepublishedIntegrityofthesignalingmessagesisprotectedQuiteconserva?vesolu?on2nd/3rdgeneraIoninteroperaIonwillbecomplicatedandmightopensecuritybreachesAllthatcanhappentoafixedhostaTachedtotheInternetcouldhappentoa3GterminalPrivacy/anonymityoftheusernotcompletelyprotected:IMSIissentincleartextwhentheuserisregisteringforthefirst?meintheservingnetwork(trustedthirdpartycanbeasolu?on)Ausercanbeen?cedtocamponafalseBS.OncetheusercampsontheradiochannelsofafalseBS,theuserisoutofreachofthepagingsignalsofSNHijackingoutgoing/incomingcallsinnetworkswithdisabledencryp?onispossible.Theintruderposesasaman-in-the-middleanddropstheuseroncethecallisset-up
SecurityofWirelessNetworks,AS2010
OtherTopics
• DoSa`acks,SMSsecurity,...• Reference:
P.Traynor,P.McDanielandT.LaPorta,SecurityforTelecommunicaIonsNetworks.Springer,Series:AdvancesinInformaIonSecurity,August,2008.ISBN:978-0-387-72441-6.) FreelyavailableviatheETHlibrary(Springer)
• ModernMobilePhoneSystemSecurity(Android/iOS/Symbian,...)
SecurityofWirelessNetworks,AS2010
SS7security
https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
SecurityofWirelessNetworks,AS2010
SS7security