Security of Wireless Networks - ETH Zürich · OMC BTS BTS BTS AC ... • PIN – Personal Identity...

Security of Wireless Networks Srdjan Čapkun Department of Computer Science ETH Zurich Some material adapted from Hubaux, Buttyan, “Security and Cooperation in Wireless Networks”

Transcript of Security of Wireless Networks - ETH Zürich

Page 1

Security of Wireless Networks

Srdjan Čapkun
Department of Computer Science

ETH Zurich

Some material adapted from Hubaux, Buttyan, “Security and Cooperation in Wireless Networks”

Page 2

Network Access GSM/UMTS

Page 3

Security of Wireless Networks, AS 2010

GSM

GSM (Global System for Mobile Communications) is still the most widely used cellular standard
• >600 million users, mostly in Europe and Asia; limited coverage and support in USA
• Based on TDMA radio access and PCM trunking
• Uses SS7 signalling with mobile-specific extensions
• Provides authentication and encryption capabilities
• Third generation (3G) and future (4G)

Page 4

GSM

900 MHz (or 1800 MHz) band
• uplink frequency band 890-915 MHz
• downlink frequency band is 935-960 MHz
• 25 MHz subdivided into 124 carrier frequency channels, each 200 kHz apart

Time division multiplexing (TDMA)
• allows 8 speech channels per radio frequency channel
• Channel data rate is 270.833 kbps
• Voice transmitted at 13 kbps

Handset power max. 2 watts in GSM 850/900 and 1 watt in GSM 1800/1900

Cell size up to 35 km

Page 5

GSM Architecture

[Figure: GSM architecture diagram with the blocks Mobile Stations, Base Station Subsystem, Exchange System, Network Management, and Subscriber and terminal equipment databases; components shown: BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC]

EIR = Equipment Identity Register
AC = Authentication Center
HLR = Home Location Register
VLR = Visitor Location Register

MSC (Mobile Switching Center) sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call and takes care of charging and real time pre-paid account monitoring.

Page 6

GSM Security Goals

Operators
• Bills right people
• Avoid fraud
• Protect Services

Customers
• Privacy
• Anonymity

Make a system at least as secure as PSTN?

Page 7

GSM Security Goals

Confidentiality and Anonymity on the radio path

Strong client authentication to protect the operator against billing fraud

Prevention of operators from compromising each other's security
• Inadvertently
• Competition pressure

Page 8

my grand grandma...

Two issues:
• Talking for free: How do you prove that you are the customer of a network?
• Talking at someone else's expense: How do you differentiate between two customers?

=> we need a way to distinguish between users (authentication)

Page 9

SIM (Subscriber Identification Module)

Subscriber Identification Module (SIM)
• Smart Card – a single chip computer containing OS, File System, Applications
• Owned by operator (i.e. trusted)

Page 10

SIM Cards

Typical specification
• 8 bit CPU
• 16 K ROM
• 256 bytes RAM
• 4K EEPROM
• Cost: $5-50

Smart Card Technology
• Based on ISO 7816 defining
  • Card size, contact layout, electrical characteristics
  • I/O Protocols: byte/block based
  • File Structure

Page 11

GSM Mobile

Mobile Equipment (ME)
• Physical mobile device
• Identifiers
  • IMEI – International Mobile Equipment Identity

Subscriber Identity Module (SIM)
• Smart Card containing keys, identifiers and algorithms
• Identifiers
  • Ki – Subscriber Authentication Key
  • IMSI – International Mobile Subscriber Identity
  • TMSI – Temporary Mobile Subscriber Identity
  • MSISDN – Mobile Station International Service Digital Network
  • PIN – Personal Identity Number protecting a SIM
  • LAI – location area identity

Page 12

The Key is in the Card

Ki – Subscriber Authentication Key
• Shared 128 bit key used for authentication of subscriber by the operator

Key Storage
• Subscriber's SIM (owned by operator, i.e. trusted)
• Operator's Home Locator Register (HLR) of the subscriber's home network

Page 13

GSM User Authentication

[Figure: GSM user authentication between the Mobile phone (SIM) and the GSM Operator over the Radio Link. Both sides hold Ki and run A3, A8 and A5. The operator sends Challenge RAND; the SIM returns the Signed response (SRES); both sides derive Kc; A5 takes Kc and Fn, and data mi is sent as Encrypted Data.]

Authentication: are SRES values equal?

Page 14

GSM User Authentication

AuC – Authentication Center
• Provides parameters for authentication and encryption functions (RAND, SRES, Kc)

HLR – Home Location Register
• Provides MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)
• Handles MS location

VLR – Visitor Location Register
• Stores the triples generated by the HLR when a subscriber is not in his home network
• One operator doesn't have access to the subscriber keys of another operator.

Page 15

A3 and A8 (Authentication and Session Key)

Both A3 and A8 algorithms are implemented on the SIM
• Operator can decide which algorithms to use.
• Algorithm implementation is independent of HW and operators.
• A8 was never made public

A3: RAND (128 bit), Ki (128 bit) -> SRES (32 bit)
A8: RAND (128 bit), Ki (128 bit) -> Kc (64 bit)
COMP128: RAND (128 bit), Ki (128 bit) -> 128 bit output: SRES 32 bit and Kc 54 bit

Logical implementation of A3 and A8

COMP128 is a keyed hash function
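The triple-based flow from the two slides above, as an added example that is not code from the lecture: the home AuC/HLR derives (RAND, SRES, Kc) from Ki, and the visited MSC/VLR authenticates the SIM from stored triples without ever holding Ki. HMAC-SHA256 is an assumed stand-in for the operator-chosen A3/A8 (it is not COMP128), and the class names and IMSI used with it are constructed.

```python
import hashlib
import hmac
import os


def a3a8(ki: bytes, rand: bytes):
    """Keyed hash of (Ki, RAND) with a 128-bit output, split as on the slide:
    SRES = 32 bits, Kc = 64 bits of which only 54 carry key material.
    HMAC-SHA256 is an assumption, not the real COMP128."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()[:16]
    sres = out[:4]
    kc = (int.from_bytes(out[8:], "big") >> 10) << 10   # low 10 bits forced to 0
    return sres, kc.to_bytes(8, "big")


class HomeNetwork:
    """AuC/HLR: the only network-side holder of Ki."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki=None):
        self._ki[imsi] = ki or os.urandom(16)
        return self._ki[imsi]              # also written into the SIM

    def triples(self, imsi, n=3):
        result = []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3a8(self._ki[imsi], rand)
            result.append((rand, sres, kc))
        return result


class VisitedNetwork:
    """MSC/VLR: authenticates from stored triples and never sees Ki."""
    def __init__(self):
        self._unused = {}
        self._pending = {}

    def store(self, imsi, triples):
        self._unused.setdefault(imsi, []).extend(triples)

    def challenge(self, imsi):
        rand, sres, kc = self._unused[imsi].pop(0)   # each triple is used once
        self._pending[imsi] = (sres, kc)
        return rand

    def check(self, imsi, sres):
        expected, kc = self._pending.pop(imsi)
        return kc if hmac.compare_digest(expected, sres) else None


def authenticate(vlr, imsi, sim_ki):
    rand = vlr.challenge(imsi)            # network -> mobile: RAND
    sres, kc_sim = a3a8(sim_ki, rand)     # computed inside the SIM
    kc_net = vlr.check(imsi, sres)        # mobile -> network: SRES
    return kc_net is not None and kc_net == kc_sim, kc_sim
```

Only the mobile is authenticated in this exchange: nothing in RAND lets the SIM check who issued the challenge.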

Page 16

A5 (Confidentiality)

A5 is a stream cipher
• Implemented very efficiently on hardware

Design was never made public
• Leaked to Ross Anderson and Bruce Schneier

Variants: A5/1 – the strong version, A5/2 – the weak version, A5/3
GSM Association Security Group and 3GPP design
Based on Kasumi algorithm used in 3G mobile systems

[Figure: A5 on the Mobile Station and on the BTS. On each side A5 takes Kc (64 bit) and Fn (22 bit) and outputs 114 bit, which is XORed with the Data (114 bit); the Ciphertext (114 bit) travels between the two sides.]

Page 17

Attack History (Authentication and Confidentiality)

1991: First GSM implementation.

April 1998
• The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in the SIM and succeeded in getting Ki within several hours. They discovered that Kc uses only 54 bits.

August 1999
• The weak A5/2 was cracked using a single PC within seconds.

December 1999
• Alex Biryukov, Adi Shamir and David Wagner published the scheme breaking the strong A5/1 algorithm. With two minutes of intercepted call, the attack time was only 1 second.

May 2002

Page 18

Attack: Extracting the Key from the SIM card

Attack Goal
• Ki stored on SIM card
• Knowing Ki it's possible to clone SIM

Cardinal Principle
• Relevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitive information.

Attack Idea
• Find a violation of the Cardinal Principle, i.e. side channels with signals that do depend on inputs, outputs and sensitive information
• Try to exploit the statistical dependency in signals to extract sensitive information

Page 19

Attack: Extracting the Key from the SIM card

[Figure: Traditional Cryptographic Attacks. Input, Crypto Processing (Sensitive Information), Output]

Page 20

Attack: Extracting the Key from the SIM card

Side Channels
• Power Consumption
• Electromagnetic radiation
• Timing
• Errors
• Etc.

[Figure: Side Channel Attacks. Input, Crypto Processing (Sensitive Information), Output]

Page 21

Attack: Fake BS

• IMSI catcher by Law Enforcement
• Intercept mobile originated calls
• Can be used for over-the-air cloning

Used to be...

Today: USRP, OpenBTS

Page 22

Signaling Security

Mobile networks primarily use Signaling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, and supplementary services and call control. The messages unique to mobile communications are MAP messages.

The security of the global SS7 network as a transport system for signaling messages e.g. authentication and supplementary services such as call forwarding is open to major compromise.

The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner

Page 23

Low Tech Fraud

Frauds
• Call forwarding to premium rate numbers
• Bogus registration details
• Roaming fraud
• Terminal theft
• Multiple forwarding, conference calls

Countermeasures:
• Multiple calls at the same time,
• Large variations in revenue being paid to other parties,
• Large variations in the duration of calls
• Changes in customer usage
• Monitor the usage of a customer closely during a 'probationary period'
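Two of the indicators listed above (multiple calls at the same time, large variations in the duration of calls) written as checks over call detail records. This is an added example, not part of the original slides; the record layout, the thresholds and every sample record are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed call detail records: (imsi, start_s, duration_s, called_number)
CDRS = [
    ("001010000000001", 1000, 120, "+000100000001"),
    ("001010000000001", 2000, 90, "+000100000002"),
    ("001010000000001", 3000, 150, "+000100000001"),
    ("001010000000001", 4000, 60, "+000100000003"),
    ("001010000000001", 5000, 7200, "+000900000000"),   # one very long call
    ("001010000000002", 1000, 600, "+000100000004"),    # three calls that
    ("001010000000002", 1100, 600, "+000100000005"),    # overlap in time
    ("001010000000002", 1200, 600, "+000100000006"),
    ("001010000000003", 1000, 300, "+000100000007"),    # back-to-back calls,
    ("001010000000003", 1300, 300, "+000100000008"),    # no overlap
]


def concurrent_calls(cdrs, max_parallel=1):
    """Return {imsi: peak simultaneous calls} for subscribers above max_parallel."""
    events = defaultdict(list)
    for imsi, start, duration, _ in cdrs:
        events[imsi].append((start, 1))
        events[imsi].append((start + duration, -1))
    flagged = {}
    for imsi, evs in events.items():
        active = peak = 0
        # At equal timestamps the -1 (call end) sorts before the +1 (call
        # start), so a call starting exactly when another ends is not overlap.
        for _, delta in sorted(evs):
            active += delta
            peak = max(peak, active)
        if peak > max_parallel:
            flagged[imsi] = peak
    return flagged


def duration_outliers(cdrs, factor=10, min_calls=4):
    """Return calls longer than factor x the subscriber's own median duration."""
    by_imsi = defaultdict(list)
    for rec in cdrs:
        by_imsi[rec[0]].append(rec)
    hits = []
    for recs in by_imsi.values():
        if len(recs) < min_calls:      # too little history for a baseline
            continue
        baseline = median(r[2] for r in recs)
        hits.extend(r for r in recs if r[2] > factor * baseline)
    return hits
```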

Page 24

Network Access GSM/UMTS

Page 25

UMTS

UMTS (Universal Mobile Telecommunications System)

Uses W-CDMA,
• 1885-2025 MHz for the mobile-to-base (uplink) and 2110-2200 MHz for the base-to-mobile (downlink)
• supports up to 14 Mbps (in theory) (with HSDPA),
• users in deployed networks can expect up to 384 kbit/s for R99 handsets, and 3.6 Mbit/s for High-Speed Downlink Packet Access (HSDPA) handsets

Page 26

UMTS Security

Reuse of 2nd generation security principles (GSM):
• Removable hardware security module
  • In GSM: SIM card
  • In 3GPP: USIM (User Services Identity Module)
• Radio interface encryption
• Limited trust in the Visited Network
• Protection of the identity of the end user
• Correction of the following weaknesses of the previous generation:
  • Attacks from a faked base station
  • Cipher keys and authentication data transmitted in clear between and within networks
  • Encryption not used in some networks
  • Data integrity not provided

Page 27

UMTS Authentication (with a Visited Network)

[Figure: message flow between Mobile Station, Visited Network and Home Environment. K: User's secret key, held by the Mobile Station and the Home Environment. Home Environment: generation of cryptographic material from Sequence number (SQN) and RAND(i); Authentication vectors go to the Visited Network. Mobile Station sends IMSI/TMSI. Visited Network sends User authentication request RAND(i)||AUTN(i). Mobile Station: Verify AUTN(i), Compute RES(i), send User authentication response RES(i), Compute CK(i) and IK(i). Visited Network: Compare RES(i) and XRES(i), Select CK(i) and IK(i).]

Page 28

Generation of Authentication Vectors (by the Home Environment)

[Figure: Generate SQN and Generate RAND; with K and AMF as further inputs, f1 outputs MAC (Message Authentication Code), f2 outputs XRES (Expected Result), f3 outputs CK (Cipher Key), f4 outputs IK (Integrity Key), f5 outputs AK (Anonymity Key)]

AMF: Authentication and Key Management Field

Authentication token: AUTN = (SQN ⊕ AK) || AMF || MAC

Authentication vector: AV = RAND || XRES || CK || IK || AUTN

Page 29

User Authentication Functions in USIM

USIM: User Services Identity Module

[Figure: inputs RAND, K and AUTN (SQN ⊕ AK, AMF, MAC). f5 outputs AK, which is used to recover SQN; f1 outputs XMAC (Expected MAC), f2 outputs RES (Result), f3 outputs CK (Cipher Key), f4 outputs IK (Integrity Key)]

• Verify MAC = XMAC
• Verify that SQN is in the correct range

Page 30

More About Authentication and Key Generation

In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).

f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
However, 3GPP provides a detailed example of algorithm set, called MILENAGE

MILENAGE is based on the Rijndael block cipher
In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm
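The vector generation and USIM checks from the preceding slides, carried through as an added example that is not code from the lecture. HMAC-SHA256 is an assumed stand-in for the operator-specific f1 to f5 (it is not MILENAGE), field sizes follow 3GPP (SQN 48 bit, AMF 16 bit, MAC 64 bit), and the "correct range" rule, the AMF value and the key are constructed assumptions.

```python
import hashlib
import hmac
import os


def f(k, tag, *parts, n):
    """Stand-in for f1..f5: HMAC-SHA256 under K, domain-separated by tag."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k, sqn, amf=b"\x80\x00", rand=None):
    """Home Environment: build AV = RAND || XRES || CK || IK || AUTN."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand, amf, n=8)
    ak = f(k, b"f5", rand, n=6)
    autn = xor(sqn_b, ak) + amf + mac          # (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "XRES": f(k, b"f2", rand, n=8),
            "CK": f(k, b"f3", rand, n=16), "IK": f(k, b"f4", rand, n=16),
            "AUTN": autn}


class USIM:
    def __init__(self, k, window=32):
        self.k, self.sqn_ms, self.window = k, 0, window

    def authenticate(self, rand, autn):
        """Return ("ok", RES, CK, IK), ("mac_failure",) or ("sync_failure",)."""
        concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = f(self.k, b"f5", rand, n=6)
        sqn_b = xor(concealed, ak)             # unmask SQN
        xmac = f(self.k, b"f1", sqn_b, rand, amf, n=8)
        if not hmac.compare_digest(mac, xmac): # verify MAC = XMAC
            return ("mac_failure",)
        sqn = int.from_bytes(sqn_b, "big")
        # Assumed range rule: newer than the last accepted SQN, within a window.
        if not (self.sqn_ms < sqn <= self.sqn_ms + self.window):
            return ("sync_failure",)
        self.sqn_ms = sqn
        return ("ok", f(self.k, b"f2", rand, n=8),
                f(self.k, b"f3", rand, n=16), f(self.k, b"f4", rand, n=16))


def run_exchange():
    k = bytes(range(16))                       # constructed test key
    usim = USIM(k)
    av = generate_av(k, sqn=1)
    first = usim.authenticate(av["RAND"], av["AUTN"])
    # Visited Network: compare RES and XRES
    accepted = hmac.compare_digest(first[1], av["XRES"])
    replay = usim.authenticate(av["RAND"], av["AUTN"])     # same vector again
    bad_autn = av["AUTN"][:15] + bytes([av["AUTN"][15] ^ 1])
    tampered = usim.authenticate(av["RAND"], bad_autn)
    other = generate_av(bytes(16), sqn=2)      # built without the user's K
    no_key = usim.authenticate(other["RAND"], other["AUTN"])
    return first[0], accepted, replay[0], tampered[0], no_key[0]
```

The last two cases are the network-authentication side of the exchange: a party without K cannot produce an AUTN the USIM accepts, and a replayed vector fails the SQN check.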

Page 31

Authentication and Key Generation Functions (f1...f5*)

[Figure: computation of f1, f1*, f5, f2, f3, f4 and f5* from RAND, SQN||AMF, OP and OPc; five branches, each with "rotate by r1" … "rotate by r5", a constant c1 … c5, EK and OPc]

OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants

EK: Rijndael block cipher with 128 bits text input and 128 bits key

Page 32

Signaling Integrity Protection

[Figure: the Sender (Mobile Station or Radio Network Controller) computes MAC-I with f9 from IK, SIGNALLING MESSAGE, COUNT-I, FRESH and DIRECTION; the Receiver (Radio Network Controller or Mobile Station) computes XMAC-I with f9 from the same inputs]

FRESH: random input

Page 33

f9 integrity function

[Figure: the string COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0…0 is split into blocks PS0, PS1, PS2, …, PSBLOCKS-1, processed by a chain of KASUMI instances keyed with IK and a final KASUMI keyed with IK and KM; output MAC-I (left 32-bits)]

• KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits)
• PS: Padded String
• KM: Key Modifier

Page 34

Encryption

[Figure: the Sender (Mobile Station or Radio Network Controller) and the Receiver (Radio Network Controller or Mobile Station) each run f8 on CK, BEARER, COUNT-C, LENGTH and DIRECTION to produce a KEYSTREAM BLOCK; the sender combines it with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK, and the receiver recovers the PLAINTEXT BLOCK]

BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter

Page 35

f8 keystream generator

[Figure: COUNT || BEARER || DIRECTION || 0…0 passes through KASUMI keyed with CK and KM into a Register; KASUMI keyed with CK is then run for BLKCNT=0, BLKCNT=1, BLKCNT=2, …, BLKCNT=BLOCKS-1, giving KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …]

KM: Key Modifier
KS: Keystream

Page 36

Conclusion on UMTS Security

Some improvement with respect to 2nd generation
Cryptographic algorithms are published
Integrity of the signaling messages is protected
Quite conservative solution
2nd/3rd generation interoperation will be complicated and might open security breaches
All that can happen to a fixed host attached to the Internet could happen to a 3G terminal
Privacy/anonymity of the user not completely protected: IMSI is sent in cleartext when the user is registering for the first time in the serving network (trusted third party can be a solution)
A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN
Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up

Page 37

Other Topics

• DoS attacks, SMS security, ...
• Reference: P. Traynor, P. McDaniel and T. La Porta, Security for Telecommunications Networks. Springer, Series: Advances in Information Security, August, 2008. ISBN: 978-0-387-72441-6. Freely available via the ETH library (Springer)
• Modern Mobile Phone System Security (Android/iOS/Symbian, ...)

Page 38

SS7 security

https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225

Page 39

SS7 security