1 Security of Mobile Systems Prof. Dr. Hannes Federrath Sicherheit in verteilten Systemen (SVS) http://svs.informatik.uni-hamburg.de



2

Contents

§ Introduction
§ Security functions of GSM
  – Basics and architecture of GSM
  – Security functions
  – Mobility management functions
  – Location based systems
  – Call management
§ Security functions of further mobile systems
  – UMTS
  – Bluetooth
  – WLAN
§ Protection of locations in mobile systems (extended slide set only)
  – GSM
  – Mobile IP

3

Introduction

4

Mobile network communication vs. fixed networks

§ Users are moving/roaming
§ On the air interface:
  – Limited bandwidth
  – Errors (bit failures, burst errors)
  – Communication breaks (lost connectivity)
§ New threats
  – Sniffing/eavesdropping of wireless communication
  – Location finding (direction finding, sense finding)

5

Sensors

§ Sensors in mobile devices make new apps possible
  – GPS
  – WiFi
  – Bluetooth
  – Microphones
  – Cameras
  – Motion sensors
  – Adapters for more sensors
    • Personal: heart rate monitors
    • Environmental
      – Cars: CAN bus adapters
      – Houses: smart meter, heater, alarm system
  … and new tracking possibilities

Picture: http://blog.digifit.com/wp-content/uploads/2011/02/

6

Mobile communication – Classification

1. Types of Mobility

§ Terminal Mobility:
  – Example: Mobile Phone
    • Wireless communication
    • Mobile device
§ Personal Mobility:
  – Example: Public Terminals
    • Mobile user
    • Location-independent address
  – Special kind of personal mobility: Session Mobility:
    • «Session Freezing» and reactivation in another location and/or on another device

7

Mobile communication – Classification

2. Wavelengths
  – Radio [waves] (f = 100 MHz up to several GHz)
  – Light [waves] (infrared)
  – Sonar [waves] (e.g. acoustic coupler)

3. Cell sizes
  – Picocells      d < 100 m
  – Microcells     d < 1 km
  – Macrocells     d < 20 km
  – Hypercells     d < 60 km
  – Overlay cells  d < 400 km

Further classifications
  – Point-to-point communication, Broadcast (paging services)
  – Analogue, Digital systems
  – Simplex, Duplex communication channels

8

Examples for mobile systems

§ Speech communication = mass market
  – 1. Generation: analogue
    • C-Netz, Cordless Telephone, AMPS
  – 2. Generation: digital
    • GSM, DCS-1800, DECT
  – 3. Generation: service integration
    • UMTS / IMT-2000 / FPLMTS
§ Satellite services
  – Iridium, Inmarsat, Globalstar, Odyssey
  – GPS (Global Positioning System), Galileo (European satellite navigation system), GLONASS
§ Internet (Mobile IP)

9

Security deficits of existing mobile networks

§ Example of security demands: Cooke, Brewster (1992)
  – protection of user data
  – protection of signaling information, incl. location
  – user authentication, equipment verification
  – fraud prevention (correct billing)
§ General security demands
  – Confidentiality
  – Integrity
  – Availability
§ Mobile network cannot be considered trustworthy

10

Attacker model

§ The attacker model defines the maximum strength of an adversary regarding a specific security mechanism
  – Protection against an omnipotent attacker is impossible.
§ Aspects of an attacker model
  – Roles of attacker (Outsider or Insider, …)
    • combined roles also
  – Dissemination of attacker
    • Which stations or channels can be controlled?
  – Behavior of attacker
    • passive/active, observing/modifying
  – Computing power of attacker
    • unlimited: information theoretic
    • limited: complexity theoretic (time, money)

11

Attacker model (concrete)

§ Outsiders
  – Passive attacks only (confidentiality)
§ Insiders
  – Passive and active data modification attacks (integrity)
§ Insiders and outsiders
  – Denial of Service attacks on the air interface
§ Mobile device
  – Trustworthy
§ Network components
  – Safe against outsiders, but not against insiders
§ Air interface
  – Location finding (insiders and outsiders)

12

Global System for Mobile Communication (GSM)

13

Global System for Mobile Communication (GSM)

§ Key features of Global System for Mobile Communication
  – Very high international mobility
  – Worldwide caller ID
  – High geographic coverage
  – High user capacity
  – High speech quality
  – Advanced error correction mechanisms
  – Advanced resource allocation strategies (e.g. FDMA, OACSU)
  – Priority emergency call service
  – Built-in security functions
    1. Subscriber Identity Module (SIM, smart card)
    2. Authentication (Mobile station → network)
    3. Pseudonymization of users on the air interface
    4. Link encryption on the air interface

15

Architecture of GSM

[Figure: GSM architecture. Mobile stations (MS) attach to BTSs; several BTSs are controlled by a BSC (BTSs and BSC together form the BSS); the BSSs connect to an MSC with its VLR; a (G)MSC connects to the fixed network. The HLR, AuC and EIR belong to database management, the OMC to network management, MSC/VLR to call management.]

OMC: Operation and Maintenance Center
HLR: Home Location Register
AuC: Authentication Center
EIR: Equipment Identity Register
MSC: Mobile Switching Center
GMSC: Gateway MSC to fixed network
VLR: Visitor Location Register
BSS: Base Station Subsystem
BSC: Base Station Controller
BTS: Base Transceiver Station
MS: Mobile Station
LA: Location Area

16

Location Management in GSM

§ GSM (Global System for Mobile Communication)
  – Distributed storage at location registers
    • Home Location Register (HLR)
    • Visitor Location Register (VLR)
  – Network operator has a global view on location information
§ Tracking of mobile users is possible

[Figure: two-stage lookup for an incoming call. A database request at the HLR (long distance from the location area) yields the address of the VLR (A); a database request at the VLR (near the location area) yields the address of the LA (LAI); the MSISDN is then broadcast in the LA.]

17

Security deficits of existing mobile networks

§ Example of security demands: Cooke, Brewster (1992)
  – protection of user data
  – protection of signaling information, incl. location
  – user authentication, equipment verification
  – fraud prevention (correct billing)
§ Security deficits of GSM (selection)
  – Only symmetric cryptography (algorithms not officially published)
  – Weak protection of locations (against outsiders)
  – No protection against insider attacks (location, message content)
  – No end-to-end services (authentication, encryption)
§ Summary
  – GSM provides protection against external attacks only.
  – «… the designers of GSM did not aim at a level of security much higher than that of the fixed trunk network.» Mouly, Pautet (1992)

18

Databases (registers) in GSM

§ Home Location Register (HLR): Semipermanent data
  – IMSI (International Mobile Subscriber Identity): max. 15 digits
    • Mobile Country Code (MCC, 262) + Mobile Network Code (MNC, 01/02) + Mobile Subscriber Identification Number (MSIN)
  – MSISDN (Mobile Subscriber International ISDN Number): 15 digits
    • Country Code (CC, 49) + National Destination Code (NDC, 171/172) + HLR Number + Subscriber Number (SN)
    • Number porting: translation table
  – Subscriber data (name, address, account etc.)
  – Service profile (priorities, call forwarding, service restrictions, e.g. roaming restrictions)

19

Databases (registers) in GSM

§ Home Location Register (HLR): Temporary data
  – VLR address, MSC address
  – MSRN (Mobile Subscriber Roaming Number)
    • CC + NDC + VLR number; VLR number = MSC number + SN
  – Authentication Set, consists of several Authentication Triplets:
    • RAND (128 bit), SRES (32 bit), Kc (64 bit)
  – Billing data, later on transferred to Billing Centres

20

Databases (registers) in GSM

§ Visitor Location Register (VLR)
  – TMSI (Temporary Mobile Subscriber Identity)
  – LAI (Location Area Identification)
  – MSRN
  – IMSI, MSISDN
  – MSC address, HLR address
  – Copy of service profile
  – Billing data, later on transferred to Billing Centres

21

Databases (registers) in GSM

§ Equipment Identity Register (EIR)
  – IMEI (International Mobile Station Equipment Identity): 15 digits = serial number of the mobile station
    • white lists (valid mobiles, shortened IMEI)
    • grey lists (mobiles with failures are observed)
    • black lists (blocked, stolen mobiles)
  – USSD (Unstructured Supplementary Service Data) code for showing the IMEI: *#06#

22

Security functions of GSM

§ Overview
  1. Subscriber Identity Module (SIM, smart card)
     • Admission control and crypto algorithms
  2. Authentication (SIM → network)
     • Challenge-Response Authentication (A3)
  3. Pseudonymization of users on the air interface
     • Temporary Mobile Subscriber Identity (TMSI)
  4. Link encryption on the air interface
     • Generation of session key: A8
     • Encryption: A5

23

Subscriber Identity Module (SIM)

§ Specialized smart card
  – Data stored on the SIM:
    • IMSI (International Mobile Subscriber Identity)
    • individual symmetric key Ki (Shared Secret Key)
    • PIN (Personal Identification Number): admission control
    • TMSI (Temporary Mobile Subscriber Identity)
    • LAI (Location Area Identification)
  – Cryptographic algorithms:
    • A3: Challenge-Response Authentication
    • A8: Session key generation: Kc

24

Challenge-Response Authentication

[Figure: MS ↔ MSC/VLR/AuC. The network's random generator produces RAND (max. 128 bit) and sends it in the Authentication Request. Both sides compute A3(Ki, RAND) with the 128-bit Ki; the MS returns SRES (32 bit) in the Authentication Response; the network compares it with its own value and obtains the authentication result.]

§ When initialized by the mobile network?
  – Location Registration
  – Location Update when changing the VLR
  – Call Setup (both directions)
  – Short Message Service

25

Challenge-Response Authentication

§ Algorithm A3
  – Implemented on the SIM card and in the Authentication Center (AuC)
  – Cryptographic one-way function A3:
    SRES' = A3(Ki, RAND)   (Ki: individual user key)
  – Interfaces are standardized, the cryptographic algorithm is not


26

Challenge-Response Authentication

§ Specific algorithm can be selected by the network operator
  – Authentication data (RAND, SRES) are requested from the AuC by the visited MSC
  – visited MSC: only compares SRES == SRES'
  – visited MSC has to trust the home network operator

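The division of labour described on the last three slides (AuC computes triplets, the SIM recomputes SRES', the visited MSC only compares and never sees Ki) as an added, runnable simulation; this is not code from the slides. The A3/A8 pair is a constructed stand-in (an HMAC cut to the page's output widths), not COMP128 or any operator algorithm, and the IMSI is a constructed value:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator-specific A3/A8 pair (constructed; COMP128 is
    not implemented here). One keyed one-way function of (Ki, RAND) from which
    the A3 output SRES (32 bit) and the A8 output Kc (64 bit) are cut."""
    assert len(ki) == 16 and len(rand) == 16           # Ki and RAND: 128 bit
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]                    # (SRES, Kc)


class AuC:
    """Home network. Apart from the SIM, the only place where Ki exists."""

    def __init__(self) -> None:
        self._ki: Dict[str, bytes] = {}                # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def authentication_set(self, imsi: str, n: int = 3) -> List[Tuple[bytes, bytes, bytes]]:
        """n authentication triplets (RAND, SRES, Kc) handed to the visited MSC."""
        triplets = []
        for _ in range(n):
            rand = os.urandom(16)                      # random generator, 128 bit
            sres, kc = a3_a8(self._ki[imsi], rand)
            triplets.append((rand, sres, kc))
        return triplets


class SIM:
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki
        self.kc: Optional[bytes] = None                # Kc stored on the SIM after A8

    def authentication_response(self, rand: bytes) -> bytes:
        """Run A3/A8 on the card: keep Kc, return SRES'. Ki never leaves the card."""
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


class VisitedMSC:
    """Visited network: holds triplets, never Ki, and only compares SRES == SRES'."""

    def __init__(self, home_auc: AuC) -> None:
        self._auc = home_auc
        self._sets: Dict[str, list] = {}               # IMSI -> unused triplets

    def authenticate(self, imsi: str, sim: SIM) -> Tuple[bool, Optional[bytes]]:
        if not self._sets.get(imsi):
            self._sets[imsi] = self._auc.authentication_set(imsi)   # requested from the home AuC
        rand, sres, kc = self._sets[imsi].pop(0)       # each triplet is used once
        sres_prime = sim.authentication_response(rand) # Authentication Request / Response
        if not hmac.compare_digest(sres, sres_prime):
            return False, None                         # authentication result: reject
        return True, kc                                # Kc is now available to the BSC for A5


def demo() -> Tuple[bool, bool, bool]:
    """Genuine SIM passes, a SIM with a wrong Ki fails, and network and SIM agree on Kc."""
    imsi = "262011234567890"                           # constructed IMSI (MCC 262, MNC 01)
    ki = os.urandom(16)
    auc = AuC()
    auc.provision(imsi, ki)
    msc = VisitedMSC(auc)
    genuine = SIM(imsi, ki)
    ok, kc = msc.authenticate(imsi, genuine)
    bad, _ = msc.authenticate(imsi, SIM(imsi, os.urandom(16)))
    return ok, bad, kc == genuine.kc


if __name__ == "__main__":
    print(demo())
```

Note that the visited MSC's trust in the home operator is visible in the code: whatever triplets the AuC hands over are accepted as ground truth, and the MSC has no way to check them, which is exactly the dependency the slide points out.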

27

Pseudonymization on air interface

§ TMSI (Temporary Mobile Subscriber Identity)
  – hides mobile users from being traced by outsiders
  – on the air interface: all (unencrypted) transactions from and to the mobile user are addressed with the TMSI
  – algorithm for TMSI generation is network individual (not standardized)
§ Identity Request
  – first contact (home network)
  – after failure
    • IMSI is requested by the serving network

[Figure: Identity Request (first contact / failure). MS → network: any message in which the old TMSI from the SIM (LAI old, TMSI old) is used. VLR: no mapping TMSI → IMSI possible. Network → MS: Identity Request; MS → network: Identity Response with the IMSI from the SIM. Authentication. VLR: reallocation of TMSI; BSC: ciphering with A5 (Kc). Network → MS: TMSI Reallocation Command, cipher(TMSI new); new TMSI stored in the SIM; MS → network: TMSI Reallocation Complete. VLR: delete TMSI old, store TMSI new.]

[Figure: Normal case, TMSI used. MS → network: any message in which the old TMSI from the SIM (LAI old, TMSI old) is used. VLR: mapping TMSI → IMSI. Authentication. VLR: reallocation of TMSI; BSC: ciphering with A5 (Kc). Network → MS: TMSI Reallocation Command, cipher(TMSI new); new TMSI stored in the SIM; MS → network: TMSI Reallocation Complete. VLR: store TMSI new, delete TMSI old.]
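The two cases above (VLR finds the TMSI; VLR does not and asks for the IMSI) as an added simulation that is not part of the slides. It records what crosses the air interface in clear and what is already covered by A5, so the pseudonymization effect can be checked: the IMSI appears unencrypted only on first contact or after the VLR lost its mapping, while the TMSI that the next location update will use is delivered encrypted. TMSI generation is random here (the real method is network individual); the IMSI and LAIs are constructed values:

```python
import secrets
from typing import Dict, List, Optional, Tuple


class VLR:
    """Visitor Location Register: keeps the (LAI, TMSI) -> IMSI mapping."""

    def __init__(self) -> None:
        self._by_tmsi: Dict[Tuple[str, int], str] = {}

    def resolve(self, lai: str, tmsi: int) -> Optional[str]:
        return self._by_tmsi.get((lai, tmsi))

    def reallocate(self, imsi: str, lai: str, old: Optional[Tuple[str, int]]) -> int:
        """Delete the old TMSI and allocate a fresh one. TMSI generation is network
        individual (not standardized); a random 32-bit value is used here."""
        if old is not None:
            self._by_tmsi.pop(old, None)
        tmsi = secrets.randbits(32)
        while (lai, tmsi) in self._by_tmsi:
            tmsi = secrets.randbits(32)
        self._by_tmsi[(lai, tmsi)] = imsi
        return tmsi


class MS:
    def __init__(self, imsi: str) -> None:
        self.imsi = imsi
        self.tmsi: Optional[int] = None                # TMSI and LAI live on the SIM
        self.lai: Optional[str] = None


Step = Tuple[str, str, str, bool]                      # (direction, message, identity, encrypted?)


def location_update(ms: MS, vlr: VLR, new_lai: str) -> List[Step]:
    """One location update; returns the air-interface trace."""
    trace: List[Step] = []
    imsi = None
    if ms.tmsi is not None:                            # normal case: the MS uses its TMSI
        trace.append(("MS->NET", "LOCATION UPDATING REQUEST", f"TMSI {ms.tmsi:08x} LAI {ms.lai}", False))
        imsi = vlr.resolve(ms.lai, ms.tmsi)
    if imsi is None:                                   # first contact, or the VLR has no mapping
        trace.append(("NET->MS", "IDENTITY REQUEST", "", False))
        trace.append(("MS->NET", "IDENTITY RESPONSE", f"IMSI {ms.imsi}", False))
        imsi = ms.imsi
    trace.append(("NET->MS", "AUTHENTICATION REQUEST", "RAND", False))
    trace.append(("MS->NET", "AUTHENTICATION RESPONSE", "SRES", False))
    trace.append(("NET->MS", "CIPHERING MODE COMMAND", "start ciphering", False))
    trace.append(("MS->NET", "CIPHERING MODE COMPLETE", "", True))     # A5 with Kc from here on
    old = (ms.lai, ms.tmsi) if ms.tmsi is not None else None
    new_tmsi = vlr.reallocate(imsi, new_lai, old)
    trace.append(("NET->MS", "TMSI REALLOCATION COMMAND", f"TMSI {new_tmsi:08x}", True))  # cipher(TMSI new)
    ms.tmsi, ms.lai = new_tmsi, new_lai                # new TMSI stored in the SIM
    trace.append(("MS->NET", "TMSI REALLOCATION COMPLETE", "", True))
    trace.append(("NET->MS", "LOCATION UPDATING ACCEPT", "", True))
    return trace


def identities_in_clear(trace: List[Step]) -> List[str]:
    """What an outsider on the air interface can read: identities in unencrypted messages."""
    return [ident for _, _, ident, enc in trace if not enc and ident.startswith(("IMSI", "TMSI"))]


if __name__ == "__main__":
    ms, vlr = MS("262011234567890"), VLR()
    for lai in ("262-01-LA1", "262-01-LA2"):
        print(identities_in_clear(location_update(ms, vlr, lai)))
```

Because the new TMSI travels inside the A5-protected part of the exchange, an outsider who sees "TMSI x" in one location update and "TMSI y" in the next cannot link the two; that link exists only in the VLR, which is why the slides count location tracking as an insider capability.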

30

Link encryption on air interface

§ Session key generation: Algorithm A8

[Figure: MS ↔ network. The network's random generator produces RAND (max. 128 bit), sent in the Authentication Request. Both sides compute A8(Ki, RAND) with the 128-bit Ki, giving the 64-bit Kc. On the network side Kc is stored in the HLR and used in the BSC; on the mobile side Kc is stored in the SIM and used in the MS.]

31

Link encryption on air interface

§ Session key generation: Algorithm A8
  – implemented on the SIM and in the Authentication Centre (AuC)
  – cryptographic one-way function
  – interfaces are standardized
  – COMP128: well-known implementation of A3/A8

32

Link encryption on air interface

§ Link encryption: Algorithm A5

[Figure: MS ↔ network (ciphering mode). Network → MS: Ciphering Mode Command; MS → network: Ciphering Mode Complete. On each side A5 takes the 64-bit Kc and the 22-bit TDMA frame number and produces a 114-bit key block; the plaintext block combined with the key block gives the ciphertext, and the receiving side recovers the plaintext block the same way.]

33

Link encryption on air interface

§ Link encryption: Algorithm A5
  – implemented in the mobile station (not the SIM!)
  – standardized algorithms:
    • A5 or A5/1
    • A5* or A5/2: «weak variant» of A5 (deprecated)
    • [A5/3 based on KASUMI (UMTS) with length(Kc) = 64 bit]
    • [A5/4 same as A5/3 with length(Kc) = 128 bit]
§ Security of A5/1 and A5/2
  – Cipher is based on non-linear shift registers
  – Algorithms considered insecure today
    • A5/1 broken by Nohl 2010
      – Attack uses ≈ 2 TByte of pre-calculated rainbow tables
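The interface of A5 shown in the figure (64-bit Kc and 22-bit TDMA frame number in, one 114-bit key block per burst out, XORed with the plaintext block) as an added example, not code from the slides. The key block generator is a constructed HMAC stand-in, not the A5/1 shift-register cipher, so only the structure is demonstrated; the last function shows why the frame number must change from burst to burst:

```python
import hashlib
import hmac
from typing import List

KC_BYTES = 8          # Kc: 64 bit
FRAME_BITS = 22       # TDMA frame number: 22 bit
BLOCK_BITS = 114      # one key block / plaintext block per burst and direction: 114 bit


def key_block(kc: bytes, frame_number: int) -> int:
    """Stand-in for A5: a 114-bit key block derived from Kc and the frame number.
    A5/1 is an LFSR construction; HMAC-SHA256 is used here only to show the
    interface (same Kc + same frame number -> same key block)."""
    assert len(kc) == KC_BYTES and 0 <= frame_number < (1 << FRAME_BITS)
    mac = hmac.new(kc, frame_number.to_bytes(3, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - BLOCK_BITS)


def cipher_block(kc: bytes, frame_number: int, block: int) -> int:
    """Encrypt or decrypt one 114-bit block: XOR with the key block (same operation both ways)."""
    assert 0 <= block < (1 << BLOCK_BITS)
    return block ^ key_block(kc, frame_number)


def cipher_stream(kc: bytes, first_frame: int, blocks: List[int]) -> List[int]:
    """Successive bursts carry successive frame numbers; they are reduced modulo 2^22
    here only to keep the argument in range."""
    return [cipher_block(kc, (first_frame + i) % (1 << FRAME_BITS), b) for i, b in enumerate(blocks)]


def keystream_reuse_leak(c1: int, c2: int) -> int:
    """If two blocks were encrypted under the same (Kc, frame number), XORing the two
    ciphertexts cancels the key block and leaves plaintext1 XOR plaintext2: this is
    what the per-burst frame number input is there to prevent."""
    return c1 ^ c2


if __name__ == "__main__":
    kc = bytes(range(8))                               # constructed Kc
    print(cipher_stream(kc, 100, [0x1, 0x2, 0x3]))
```

The frame number gives every burst a different key block under the same Kc, but it is public and counts deterministically; what keeps the scheme secret is Kc alone, and Kc is reused for the whole session, which is the property the rainbow-table attack on A5/1 named above relies on.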

34

Link encryption on air interface

§ Ciphering Mode Command (GSM 04.08)

§ Cipher mode setting information element

  8 7 6 5 4 3 2 1
  1 0 0 1 0 0 0 SC    Ciph mode set IEI | Spare Spare Spare | SC

  SC=0: No ciphering
  SC=1: Start ciphering

  8 7 6 5 4 3 2 1
  TI flag | TI value | Protocol discriminator   octet 1
  0 | N(SD) | Message type                       octet 2
  Ciphering Mode Command                         octet 3

35

Active Man-in-the-Middle Attack on A5/3

[Figure: MS ↔ attacker ↔ BTS. Towards the MS the attacker passes on the Authentication Request (RAND) and Authentication Response (SRES) and sends a Ciphering Mode Command «start ciphering with A5/1»; the MS answers Ciphering Mode Complete and the MS–attacker leg is A5/1 «encrypted». Towards the BTS the same authentication exchange takes place and the network's Ciphering Mode Command selects A5/3. The attacker cracks Kc in real time from the A5/1 leg, then knows Kc and takes part in the A5/3 encrypted communication.]

36

GSM security functions overview

[Figure: mobile station ↔ visited network ↔ home network. MS → visited network: Location Updating Request (TMSI). Home network: A3 + A8 with Ki and RAND give SRES and Kc (encryption key). Visited network → MS: Authentication Request (RAND); MS computes SRES' with A3 + A8 and Ki; MS → visited network: Authentication Response (SRES); visited network compares (= auth. result). Visited network → MS: Ciphering Mode Command (Start Ciphering); MS → visited network: Ciphering Mode Complete; A5 with Kc on both sides encrypts the air interface. Visited network → MS: TMSI Reallocation Command (TMSI new), Location Updating Accept; MS → visited network: TMSI Reallocation Complete. Phases: challenge-response authentication, encryption key, encrypted communication.]

37

Attacks – Telephone at the expense of others

§ SIM cloning
  – Weakness of the authentication algorithm
§ Interception of authentication data
  – Eavesdropping of internal communication links
§ IMSI catcher
  – Man-in-the-middle attack on the air interface

38

SIM cloning

§ Scope
  – Telephone at the expense of others
  – Determine Ki in the SIM card
§ Attack 1
  – Marc Briceno (Smart Card Developers Association), Ian Goldberg and Dave Wagner (both University of California in Berkeley)
    • http://www.isaac.cs.berkeley.edu/isaac/gsm.html
  – Attack uses a weakness of algorithm COMP128, which implements A3/A8
  – SIM card (incl. PIN) must be under control of the attacker for at least 8-12 hours
  – Needs 2^17 RAND values (≈ 150,000 calculations) to determine Ki (max. 128 bit)
  – 6.25 calculations per second only, due to the slow serial interface of the SIM card

39

SIM cloning

§ Scope
  – Telephone at the expense of others
  – Determine Ki in the SIM card

Source: http://www.ccc.de/gsm/

40

SIM cloning

§ Scope
  – Telephone at the expense of others
  – Determine Ki in the SIM card
§ Attack 2
  – Side channel attack on the SIM card
  – Measurement of the chip's power consumption during authentication reveals Ki
  – Attack on the implementation of COMP128, not the algorithm itself
  – Very fast: 500-1000 random inputs used for the practical attack
  – More reading:
    • Rao, Rohatgi, Scherzer, Tinguely: Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards. Proc. 2002 IEEE Symposium on Security and Privacy, 2002

41

Interception of authentication data

§ Scope
  – Telephone at the expense of others
  – Described by Ross Anderson (University of Cambridge)
  – Eavesdropping of the unencrypted internal transmission of authentication data (RAND, SRES, Kc) from the AuC to the visited MSC
§ Weakness
  – The GSM standard only describes interfaces between network components.
  – They forgot the demand for internal encryption.
  – Microwave links are widely used for the internal linkage of network components.

42

No encryption of internal links

[Figure: mobile station – air interface (encrypted) – BTS – microwave link (not encrypted) – (Gateway) MSC – fixed network (not encrypted).]

Interception of authentication data

[Figure: faked mobile station ↔ visited network ↔ home network. The faked MS sends any message with a TMSI over the air interface; the visited network maps TMSI → IMSI and sends Provide Auth. Info (IMSI) to the home network; the home network computes RAND, SRES, Kc with A3 + A8 and Ki and returns the Authentication Information (RAND, SRES, Kc, …) over the unencrypted microwave link, where the authentication triplets are intercepted. The visited network stores the auth. info, sends Auth. Request (RAND), receives Auth. Response (SRES'), compares (auth. result), sends Ciphering Mode Cmd. (Start Ciphering) and receives Ciphering Mode Compl.; both sides then use A5 with the looked-up Kc.]

44

IMSI-Catcher

§ Scope
  – Identities of users of a certain radio cell
  – Eavesdropping of communications
  – (Telephone at the expense of others)
§ Man-in-the-middle attack (Masquerade)
§ Weakness
  – No protection against malicious or faked network components
§ EP1051053B1 – April 2000 by Rohde & Schwarz

45

IMSI-Catcher

Pictures: Verfassungsschutz, http://www.datenschutz-und-datensicherheit.de/jhrg26/imsicatcher-fox-2002.pdf, http://www.heise.de/ct/artikel/Digitale-Selbstverteidigung-mit-dem-IMSI-Catcher-Catcher-2303215.html

47

IMSI-Catcher: Getting IMSI and IMEI

[Figure: MS ↔ IMSI-Catcher ↔ network, each side on its BCCH. MS → IMSI-Catcher: Location Upd. Request (TMSI); IMSI-Catcher → MS: Identity Request; MS → IMSI-Catcher: Identity Response (IMSI, IMEI), so the IMSI-Catcher knows the identities. IMSI-Catcher → network: Location Upd. Request (IMSI); network → IMSI-Catcher → MS: Authentication Request (RAND); MS → IMSI-Catcher → network: Authentication Response (SRES); Location Updating Accept back to the MS … (this part is only relevant for eavesdropping).]

Note: The IMSI-Catcher sends its «location area identity» with a higher power than the genuine BTS

48

IMSI-Catcher: Eavesdropping Mobile Originated Calls

[Figure: MS (camps on the cell of the IMSI-Catcher) ↔ IMSI-Catcher ↔ mobile network. MS → IMSI-Catcher: CM Service Request; Authentication Request (RAND) / Authentication Response (SRES) between MS and IMSI-Catcher; IMSI-Catcher → MS: Ciph. Mode Cmd. (No Ciphering), so the MS leg is not encrypted. The IMSI-Catcher opens a call on a second phone with suppressed or faked caller ID; on that leg the network sends Ciph. Mode Cmd. (Start Ciphering), so the leg IMSI-Catcher ↔ mobile network is encrypted.]

49

IMSI-Catcher: Eavesdropping Mobile Terminated Calls

[Figure: MS (camps on the cell of the IMSI-Catcher) ↔ IMSI-Catcher ↔ mobile network. Incoming call; network → IMSI-Catcher → MS: Paging Request; Authentication Request (RAND) / Authentication Response (SRES) on both legs; the IMSI-Catcher suppresses ciphering: it sends Ciph. Mode Cmd. (No Ciphering) to the MS and answers the network's Ciph. Mode Cmd. with Ciphering Mode Complete (Fault), so that both legs are not encrypted.]

50

IMSI-Catcher (1)

§ All BTSs send a list of the frequencies of the BCCHs of their neighboring cells and their own LAI
§ Examples:
  – BTS7: f4, f5, f8; LA2
  – BTS8: f7, f4, f5, f6, f9; LA2

[Figure: cell map used on this and the following slides – BTS1: f1/LA1, BTS2: f2/LA3, BTS3: f3/LA3, BTS4: f4/LA1, BTS5: f5/LA1, BTS6: f6/LA3, BTS7: f7/LA2, BTS8: f8/LA2, BTS9: f9/LA2; and the IMSI-Catcher.]

51

IMSI-Catcher (2)

§ IMSI-Catcher
  – receives from the BCCH of the current cell (5)
    • BTS5: f1, f2, f3, f4, f6, f7, f8, f9; LA1
  – selects any frequency (e.g. f4) and receives from the BCCH on f4
    • BTS4: f1, f2, f5, f8, f7; LA1
  – chooses any LAI which differs from the actual LAIs in the neighborhood (e.g. LA9)
  – sends on f4 with high power
    • IMSI-C.: f1, f2, f5, f8, f7; LA9


52

IMSI-Catcher (3)

§ MS (camps on cell 5)
  – monitors the BCCHs of cells 1-9
  – finds the best signal on f4 (transmitted by the IMSI-Catcher) and learns that the cell belongs to a new LA
  – sends a LUP request to the IMSI-Catcher
§ IMSI-Catcher
  – responds with an Identity Request
§ MS
  – answers with IMSI and IMEI


53

IMSI-Catcher (4)

§ IMSI-Catcher
  – sends junk (non-decodable data) on the Paging Channel (PCH) and
  – sends a frequency list of BTSs which do not send the frequency of the IMSI-Catcher (f4) in their frequency lists
    • IMSI-C.: f3, f6, f9; LA9


54

IMSI-Catcher (5)

§ MS
  – receives junk on the PCH and (according to GSM 05.05) does a cell reselection:
  – MS monitors the signal strengths of f3, f6, f9
  – changes to the best cell (LUP)


55

IMSI-Catcher (5)

§ Result
  – MS is back in the network again
  – because BTS3, 6 and 9 do not send f4 in their frequency lists, the MS does not recognize the powerful IMSI-Catcher signal again (and subsequently does not change back to it)


56

IMSI-Catcher detectors

§ AIMSICD
  – https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
§ SnoopSnitch
  – from SRLabs (Karsten Nohl)
§ Darshak
  – TU Berlin
§ GSMK CryptoPhone
  – special smartphone
§ IMSI-Catcher-Catcher (ICC)
  – SBA Research (Adrian Dabrowski)

Sources: https://www.privacy-handbuch.de/handbuch_75.htm, http://www.heise.de/ct/artikel/Digitale-Selbstverteidigung-mit-dem-IMSI-Catcher-Catcher-2303215.html
Picture (ICC): heise.de
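The detectors listed above work from observations a phone can make by itself. As an added example (not code from any of these projects), the following turns the behaviour described on slides IMSI-Catcher (1)–(5) and the two eavesdropping slides into four indicators: a LAI that no neighboring cell announces, a neighbor list that no listed neighbor reciprocates, an Identity Request for the IMSI although the MS offered a valid TMSI, and a Ciphering Mode Command that switches ciphering off (or selects A5/2). The cell map and the neighbor lists of BTS4, 5, 7 and 8 are taken from the slides; the neighbor lists of the other BTSs and the event format are constructed for this example:

```python
from typing import Dict, List, Set, Tuple


def analyse_events(events: List[dict]) -> List[str]:
    """Indicators raised by a sequence of observations made on the mobile's side.
    Event kinds (constructed format for this example):
      {"kind": "bcch", "freq": "f4", "lai": "LA1", "neighbors": [...]}  system information of a cell
      {"kind": "camp", "freq": "f5"}                                     the MS selects that cell
      {"kind": "lu_request", "with": "TMSI"}                             identity the MS offered
      {"kind": "identity_request", "asks": "IMSI"}
      {"kind": "ciphering_mode_command", "start_ciphering": bool, "algorithm": "A5/1" or None}
    """
    cells: Dict[str, Tuple[str, Set[str]]] = {}        # freq -> (LAI, neighbor frequencies)
    serving = None
    had_tmsi = False
    findings: List[str] = []

    def note(finding: str) -> None:
        if finding not in findings:
            findings.append(finding)

    def check_cell(freq: str) -> None:
        lai, neighbors = cells[freq]
        # a LAI announced by no other observed cell (the catcher picks one unused nearby)
        if lai not in {l for f, (l, _) in cells.items() if f != freq}:
            note("LAI announced by no neighbor")
        # neighbor lists are normally symmetric; a cell that no listed neighbor lists back is odd
        listed_back = [f for f in neighbors if f in cells and freq in cells[f][1]]
        if neighbors and not listed_back:
            note("neighbor list asymmetry")

    for ev in events:
        kind = ev["kind"]
        if kind == "bcch":
            cells[ev["freq"]] = (ev["lai"], set(ev["neighbors"]))
            if ev["freq"] == serving:                  # the serving cell changed its system information
                check_cell(serving)
        elif kind == "camp":
            serving = ev["freq"]
            check_cell(serving)
        elif kind == "lu_request":
            had_tmsi = ev["with"] == "TMSI"
        elif kind == "identity_request":
            if had_tmsi and ev["asks"] in ("IMSI", "IMEI"):
                note("identity request despite valid TMSI")
        elif kind == "ciphering_mode_command":
            if not ev["start_ciphering"]:
                note("ciphering switched off")
            elif ev.get("algorithm") == "A5/2":
                note("weak cipher A5/2 selected")
    return findings


REAL_CELLS = [  # cell map from the slides; neighbor lists of BTS1, 2, 3, 6, 9 are constructed
    {"kind": "bcch", "freq": "f5", "lai": "LA1", "neighbors": ["f1", "f2", "f3", "f4", "f6", "f7", "f8", "f9"]},
    {"kind": "bcch", "freq": "f4", "lai": "LA1", "neighbors": ["f1", "f2", "f5", "f8", "f7"]},
    {"kind": "bcch", "freq": "f7", "lai": "LA2", "neighbors": ["f4", "f5", "f8"]},
    {"kind": "bcch", "freq": "f8", "lai": "LA2", "neighbors": ["f7", "f4", "f5", "f6", "f9"]},
    {"kind": "bcch", "freq": "f1", "lai": "LA1", "neighbors": ["f2", "f4", "f5"]},
    {"kind": "bcch", "freq": "f2", "lai": "LA3", "neighbors": ["f1", "f3"]},
    {"kind": "bcch", "freq": "f3", "lai": "LA3", "neighbors": ["f2", "f6"]},
    {"kind": "bcch", "freq": "f6", "lai": "LA3", "neighbors": ["f3", "f5", "f8", "f9"]},
    {"kind": "bcch", "freq": "f9", "lai": "LA2", "neighbors": ["f6", "f8"]},
]

GENUINE_TRACE = REAL_CELLS + [                         # MS camps on cell 5 of the real network
    {"kind": "camp", "freq": "f5"},
    {"kind": "lu_request", "with": "TMSI"},
    {"kind": "ciphering_mode_command", "start_ciphering": True, "algorithm": "A5/1"},
]

CATCHER_TRACE = REAL_CELLS + [                         # the sequence of slides (2) to (4)
    {"kind": "camp", "freq": "f5"},
    {"kind": "bcch", "freq": "f4", "lai": "LA9", "neighbors": ["f1", "f2", "f5", "f8", "f7"]},  # stronger f4
    {"kind": "camp", "freq": "f4"},
    {"kind": "lu_request", "with": "TMSI"},
    {"kind": "identity_request", "asks": "IMSI"},
    {"kind": "ciphering_mode_command", "start_ciphering": False, "algorithm": None},
    {"kind": "bcch", "freq": "f4", "lai": "LA9", "neighbors": ["f3", "f6", "f9"]},
]

if __name__ == "__main__":
    print(analyse_events(GENUINE_TRACE), analyse_events(CATCHER_TRACE))
```

None of the indicators is proof on its own (a network may legitimately re-plan LAIs or ask for the IMSI after a VLR failure), which is why the tools above combine several of them and compare against cell data observed over time.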

57

Location Management

§ Centralized approach
  – Change of Location Area (LA), i.e. Location Updating, needs communication with the HLR (far away from the LA)
  – Efficiency: Good at low Location Updating rates
§ Used in Mobile IP
  – HLR = Home Agent

[Figure: the HLR stores the address of the LA together with the MSISDN; the MSISDN contains the number of the HLR. Incoming call for B from A: database request at the HLR, the call is switched to the LA, broadcast of (MSISDN, LAI) in the visited LA via the BTS, received by the MS.]

58

Location Management

§ 2-staged approach
  – Change of Location Area (LA) changes the VLR entry
  – VLR serves a geographically limited area (VLR area)
  – Rare changes of the VLR area change the HLR entry
  – Reduced signaling costs in the wide area network
  – Tradeoff: Delayed call setup (mobile terminated)

[Figure: database request at the HLR (far away from the LA) yields the address of the VLR (A); database request at the VLR (near the LA) yields the address of the LA (LAI); the call is switched to the LA and the MSISDN is broadcast.]

59

Location Management

§ Multi-staged storage
  – Many proposals for 3rd Generation Systems (UMTS), never realized in the field
  – Variations: Hierarchical storage, Forwarding strategies

[Figure: chain of database requests / forwarding from the HLR over registers R1, R2, R3 … Rn (addresses A, …, LAI) down to the broadcast of the MSISDN; with decreasing distance from the LA the granularity of the location information goes from coarse to fine.]

Location Updating Situations

§ Legend:
  a) Change of radio cell
  b) Change of LA
  c) Change of VLR/MSC area
  d) Change of MSC area

[Figure: movement of the MS through radio cells of LA1 (belongs to MSC1 and VLR1), LA2 (belongs to MSC2 and VLR2), LA3 (belongs to MSC2 and VLR2), LA4 (belongs to MSC3 and VLR2).]

Location Updating: New LA

§ New LA, old VLR (TMSI found)
  – Location Updating Request (TMSI, LAI) old
  – Security management
    • Authentication
    • Ciphering Mode
    • TMSI Reallocation
  – Location Updating Accept

[Figure: MS ↔ MSC/VLR. MS → MSC/VLR: Location Updating Request (TMSI old, LAI old). Security management: authentication (Authentication Request (RAND) / Authentication Response (SRES); A3 + A8 with Ki give SRES and Kc; comparison), set ciphering mode (Ciphering Mode Command / Ciphering Mode Complete), allocation of TMSI new (TMSI Reallocation Command, cipher(TMSI new)). MSC/VLR → MS: Location Updating Accept. Security management: confirmation of TMSI new (TMSI Reallocation Complete), deletion (de-allocation) of TMSI old.]

Location Updating: New VLR area

[Figure: MS ↔ MSC/VLR new ↔ HLR ↔ MSC/VLR old. MS → MSC/VLR new: Location Updating Request (TMSI old, LAI old). MSC/VLR new → MSC/VLR old: (TMSI old, LAI old); MSC/VLR old → MSC/VLR new: IMSI, Auth. Set. Security management: authentication, set ciphering mode, allocation of TMSI new. MSC/VLR new → HLR: Update Location (IMSI, MSC/VLR new); HLR → MSC/VLR old: Cancel Location (de-allocation of TMSI old); HLR → MSC/VLR new: Update Location Result. MSC/VLR new → MS: Location Updating Accept. Security management: confirmation of TMSI new, deletion of TMSI old.]

Mobile Terminated Call Setup (MTCSU)

[Figure: incoming call for B. MSISDN-B contains the routing information to the GSM network in which mobile subscriber B is registered. The Gateway MSC sends "send routing information" to the HLR; the HLR holds MSISDN/IMSI → MSC entries (IMSI-A → MSC3, IMSI-B → MSC2, …, IMSI-X → MSC4, IMSI-Y → MSC1, IMSI-Z → MSC2), reads the entry for MSISDN/IMSI-B and forwards the call to the corresponding MSC2 (actually via the MSRN). The visited MSC2 sends "send info for incoming call" to VLR2, which holds IMSI → (LA, TMSI) entries (IMSI-B → LA1, TMSI-B; IMSI-C → LA3, TMSI-C; …) and reads the LA for IMSI-B. A broadcast message in LA1 carries TMSI-B; the station recognizes the connection request message by the broadcast TMSI-B.]

[Figure: message sequence MS ↔ MSC ↔ VLR ↔ HLR ↔ GMSC. GMSC → HLR: Send Routing Information (MSISDN); HLR → VLR: Provide Routing Info (IMSI); VLR → HLR: Prov. Rout. Info. Result (MSRN); HLR → GMSC: Send Routing Info Result (MSRN); GMSC → MSC: Initial Address Message (MSRN). MSC → VLR: Send Info; VLR → MSC: Pag. Request (LAI, TMSI); MSC → MS: Paging Request (TMSI, possibly IMSI); MS → MSC: Paging Response (channel request to the BSS). Security management: VLR → MSC: Authentication Triplets; Authentication Request (RAND) / Authentication Response (SRES); Ciphering Mode Command (Start Ciphering) / Ciphering Mode Complete; TMSI Realloc. Command (TMSI new) / TMSI Realloc. Complete. Call setup: Setup (channel assignment with OACSU or early TCH assignment), Alert (Address Complete Message), Connect (Answer Message), Data, Disconnect / Release.]
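The HLR/VLR interplay of the location management slides and the routing part of the MTCSU sequence above, as an added simulation (not code from the slides): a location update into a new VLR area makes the HLR cancel the old VLR entry, and a mobile terminated call is routed GMSC → HLR → VLR → MSRN → visited MSC, ending in a paging request that carries only the TMSI on the air interface. The MSRN is built as CC + NDC + MSC number + SN as stated on the HLR slide; CC 49, NDC 171, the MSC numbers, the subscriber number, the IMSI and the MSISDN are constructed values, and security management is left out of the flow:

```python
import secrets
from typing import Dict, List, Tuple

Msg = Tuple[str, str, str]                            # (direction, message, parameter)


class VLR:
    """Visitor Location Register of one MSC area: IMSI -> (LAI, TMSI); allocates MSRNs."""

    def __init__(self, msc_number: str) -> None:
        self.msc_number = msc_number
        self.entries: Dict[str, Tuple[str, int]] = {}

    def register(self, imsi: str, lai: str) -> int:
        tmsi = secrets.randbits(32)                    # TMSI allocation (network individual)
        self.entries[imsi] = (lai, tmsi)
        return tmsi

    def cancel_location(self, imsi: str) -> None:
        self.entries.pop(imsi, None)

    def provide_routing_info(self, imsi: str, cc: str = "49", ndc: str = "171") -> str:
        """MSRN = CC + NDC + VLR number, VLR number = MSC number + SN (SN constructed here)."""
        assert imsi in self.entries
        return cc + ndc + self.msc_number + f"{secrets.randbelow(10000):04d}"


class HLR:
    """Home Location Register: MSISDN -> IMSI and IMSI -> current VLR."""

    def __init__(self) -> None:
        self.msisdn_to_imsi: Dict[str, str] = {}
        self.location: Dict[str, VLR] = {}

    def update_location(self, imsi: str, new_vlr: VLR, log: List[Msg]) -> None:
        old = self.location.get(imsi)
        if old is not None and old is not new_vlr:
            log.append(("HLR->VLR old", "Cancel Location", imsi))
            old.cancel_location(imsi)
        self.location[imsi] = new_vlr
        log.append(("HLR->VLR new", "Update Location Result", imsi))

    def send_routing_information(self, msisdn: str, log: List[Msg]) -> str:
        imsi = self.msisdn_to_imsi[msisdn]
        vlr = self.location[imsi]
        log.append(("HLR->VLR", "Provide Routing Info", imsi))
        msrn = vlr.provide_routing_info(imsi)
        log.append(("VLR->HLR", "Prov. Rout. Info. Result", msrn))
        return msrn


def location_update_new_vlr(imsi: str, hlr: HLR, new_vlr: VLR, lai: str, log: List[Msg]) -> int:
    """Location updating into a new VLR area (security management omitted)."""
    log.append(("MS->MSC/VLR new", "Location Updating Request", "TMSI old, LAI old"))
    tmsi = new_vlr.register(imsi, lai)
    log.append(("VLR new->HLR", "Update Location", imsi))
    hlr.update_location(imsi, new_vlr, log)
    log.append(("MSC/VLR new->MS", "Location Updating Accept", f"TMSI new {tmsi:08x}"))
    return tmsi


def mobile_terminated_call(msisdn: str, hlr: HLR, log: List[Msg]) -> Tuple[str, str, int]:
    """GMSC -> HLR -> VLR -> MSRN -> visited MSC -> paging in the LA with the TMSI."""
    log.append(("GMSC->HLR", "Send Routing Information", msisdn))
    msrn = hlr.send_routing_information(msisdn, log)
    log.append(("HLR->GMSC", "Send Routing Info Result", msrn))
    log.append(("GMSC->MSC", "Initial Address Message", msrn))
    # the MSRN routes the call to the visited MSC; the dictionary lookup stands in for PSTN routing
    imsi = hlr.msisdn_to_imsi[msisdn]
    lai, tmsi = hlr.location[imsi].entries[imsi]
    log.append(("MSC->MS", "Paging Request", f"LAI {lai}, TMSI {tmsi:08x}"))
    return msrn, lai, tmsi


if __name__ == "__main__":
    hlr, old_vlr, new_vlr = HLR(), VLR("20"), VLR("30")
    hlr.msisdn_to_imsi["491711234567"] = "262011234567890"
    log: List[Msg] = []
    location_update_new_vlr("262011234567890", hlr, old_vlr, "LA1", log)
    location_update_new_vlr("262011234567890", hlr, new_vlr, "LA3", log)
    print(mobile_terminated_call("491711234567", hlr, log))
    for entry in log:
        print(entry)
```

The log makes the insider view on location data concrete: the HLR learns only the VLR/MSC, the VLR knows the LA, and only the air interface message in the LA reveals (to the MS) that the paging concerns the pseudonym TMSI-B.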

Mobile Originated Call Setup

[Figure: MS ↔ MSC/VLR ↔ PSTN/GMSC. MS → MSC/VLR: CM Service Request (channel request to the BSS). Security management: authentication, ciphering mode. MS → MSC/VLR: Setup (channel assignment with early TCH assignment); MSC/VLR → PSTN/GMSC: Initial Address Message; PSTN/GMSC → MSC/VLR: Address Complete Message, forwarded as Alert to the MS; Answer Message, forwarded as Connect to the MS (channel assignment with OACSU); Data; Disconnect / Release.]

68

Message format GSM 04.08

§ Protocol discriminator
  4 3 2 1   bit number
  0 0 1 1   call control, packet-mode, connection control and call related SS messages
  0 1 0 1   mobility management messages
  0 1 1 0   radio resources management messages
  1 0 0 1   short message service messages
  1 0 1 1   non call related SS messages
  1 1 1 1   reserved for test procedures
  All other values are reserved

  8 7 6 5 4 3 2 1
  TI flag | TI value | Protocol discriminator   octet 1
  0 | N(SD) | Message type                       octet 2
  Data                                           octet 3 …

69

Message format GSM 04.08

§ Transaction identifier (TI)
  – Used for distinction of parallel activities of the MS
    • TI flag: 0: message sent from the originating TI side; 1: message sent to the originating TI side
§ TI value
  – Number 000 … 110 (bin: 0 … 6)
  – 111 reserved

  8 7 6 5 4 3 2 1
  TI flag | TI value | Protocol discriminator   octet 1
  0 | N(SD) | Message type                       octet 2
  Data                                           octet 3 …

70

Message format GSM 04.08

§ 3 classes:
  – Radio resources management
  – Mobility management
  – Call control
§ N(SD)
  – Sequence number or extension bit

  8 7 6 5 4 3 2 1
  TI flag | TI value | Protocol discriminator   octet 1
  0 | N(SD) | Message type                       octet 2
  Data                                           octet 3 …

71

Message type (1)

§ Radio resources management (1)

  8 7 6 5 4 3 2 1   bit number
  -----------------------------------------------------
  0 0 1 1 1 - - -   Channel establishment messages
            0 1 1   ADDITIONAL ASSIGNMENT
            1 1 1   IMMEDIATE ASSIGNMENT
            0 0 1   IMMEDIATE ASSIGNMENT EXTENDED
            0 1 0   IMMEDIATE ASSIGNMENT REJECT

  0 0 1 1 0 - - -   Ciphering messages
            1 0 1   CIPHERING MODE COMMAND
            0 1 0   CIPHERING MODE COMPLETE

  0 0 1 0 1 - - -   Handover messages
            1 1 0   ASSIGNMENT COMMAND
            0 0 0   ASSIGNMENT COMPLETE
            1 1 1   ASSIGNMENT FAILURE
            0 1 1   HANDOVER COMMAND
            1 0 0   HANDOVER COMPLETE
            0 0 0   HANDOVER FAILURE
            1 0 1   PHYSICAL INFORMATION

  0 0 0 0 1 - - -   Channel release messages
            1 0 1   CHANNEL RELEASE
            0 1 0   PARTIAL RELEASE
            1 1 1   PARTIAL RELEASE COMPLETE
  ...

72

Message type (1)

§ Radio resources management (2)

  8 7 6 5 4 3 2 1   bit number
  -----------------------------------------------------
  ...
  0 0 1 0 0 - - -   Paging messages
            0 0 1   PAGING REQUEST TYPE 1
            0 1 0   PAGING REQUEST TYPE 2
            1 0 0   PAGING REQUEST TYPE 3
            1 1 1   PAGING RESPONSE

  0 0 0 1 1 - - -   System information messages
            0 0 1   SYSTEM INFORMATION TYPE 1
            0 1 0   SYSTEM INFORMATION TYPE 2
            0 1 1   SYSTEM INFORMATION TYPE 3
            1 0 0   SYSTEM INFORMATION TYPE 4
            1 0 1   SYSTEM INFORMATION TYPE 5
            1 1 0   SYSTEM INFORMATION TYPE 6

  0 0 0 1 0 - - -   Miscellaneous messages
            0 0 0   CHANNEL MODE MODIFY
            0 1 0   RR STATUS
            1 1 1   CHANNEL MODE MODIFY ACKNOWLEDGE
            1 0 0   FREQUENCY REDEFINITION
            1 0 1   MEASUREMENT REPORT
            1 1 0   CLASSMARK CHANGE

73

Message type (2)

§ Mobility management
  – Bits 7 and 8 (value: 00) reserved as extension bits
  – Bit 7: mobile originated only: 1, if a sequence number is sent

  8 7 6 5 4 3 2 1   bit number
  ----------------------------------------------
  0 x 0 0 - - - -   Registration messages
          0 0 0 1   IMSI DETACH INDICATION
          0 0 1 0   LOCATION UPDATING ACCEPT
          0 1 0 0   LOCATION UPDATING REJECT
          1 0 0 0   LOCATION UPDATING REQUEST

  0 x 0 1 - - - -   Security messages
          0 0 0 1   AUTHENTICATION REJECT
          0 0 1 0   AUTHENTICATION REQUEST
          0 1 0 0   AUTHENTICATION RESPONSE
          1 0 0 0   IDENTITY REQUEST
          1 0 0 1   IDENTITY RESPONSE
          1 0 1 0   TMSI REALLOCATION COMMAND
          1 0 1 1   TMSI REALLOCATION COMPLETE

  0 x 1 0 - - - -   Connection management messages
          0 0 0 1   CM SERVICE ACCEPT
          0 0 1 0   CM SERVICE REJECT
          0 1 0 0   CM SERVICE REQUEST
          1 0 0 0   CM REESTABLISHMENT REQUEST

  0 x 1 1 - - - -   Connection management messages
          0 0 0 1   MM STATUS

74

Message type (3)

§ Call control (1)
  – Bits 7 and 8 (value: 00) reserved as extension bits
  – Bit 7: mobile originated only: 1, if a sequence number is sent
  – Nationally specific messages: the next octets contain the message

  8 7 6 5 4 3 2 1   bit number
  -------------------------------------------
  0 x 0 0 0 0 0 0   Escape to nationally specific message types

  0 x 0 0 - - - -   Call establishment messages
          0 0 0 1   ALERTING
          1 0 0 0   CALL CONFIRMED
          0 0 1 0   CALL PROCEEDING
          0 1 1 1   CONNECT
          1 1 1 1   CONNECT ACKNOWLEDGE
          1 1 1 0   EMERGENCY SETUP
          0 0 1 1   PROGRESS
          0 1 0 1   SETUP

  0 x 0 1 - - - -   Call information phase messages
          0 1 1 1   MODIFY
          1 1 1 1   MODIFY COMPLETE
          0 0 1 1   MODIFY REJECTED
          0 0 0 0   USER INFORMATION
  ...

75

Message type (3)

§ Call control (2)
  – Bits 7 and 8 (value: 00) reserved as extension bits
  – Bit 7: mobile originated only: 1, if a sequence number is sent

  8 7 6 5 4 3 2 1   bit number
  -------------------------------------------
  ...
  0 x 1 0 - - - -   Call clearing messages
          0 1 0 1   DISCONNECT
          1 1 0 1   RELEASE
          1 0 1 0   RELEASE COMPLETE

  0 x 1 1 - - - -   Miscellaneous messages
          1 0 0 1   CONGESTION CONTROL
          1 1 1 0   NOTIFY
          1 1 0 1   STATUS
          0 1 0 0   STATUS ENQUIRY
          0 1 0 1   START DTMF
          0 0 0 1   STOP DTMF
          0 0 1 0   STOP DTMF ACKNOWLEDGE
          0 1 1 0   START DTMF ACKNOWLEDGE
          0 1 1 1   START DTMF REJECT

76

Movement profiling in GSM

§ Variants:
  – Access to HLR and VLR data (insiders only)
  – Direction finding (German: «Peilung»)
§ Protection:
  – Privacy protection of database entries
  – Direct Sequence Spread Spectrum

Access to HLR and VLR data

[Figure: an insider with access to the network components: the HLR knows the VLR or MSC; the VLR knows the LA; the BSS (BSC, BTS) knows the cell while a connection exists … and knows the frequency hopping parameters; the OMC has access to the network components.]

Direction finding with directional antennas

[Figure: directional antennas are necessary.]

Measurement of signal delay times

[Figure: three BTSs measure the delay Δt of the MS's signal.]

80

Location Based Services

§ Terminal-based locating
  – Global Positioning System (GPS)
    • Accuracy: 10 … 100 m
    • Location time: up to 30 sec
  – Assisted GPS (A-GPS)
    • GPS signals re-broadcast by the BTS
    • Increased location speed (and accuracy)
  – Observed Time Difference (OTD)
    • BTS1 … BTS3 send a location signal
    • Received after Δt1, Δt2 and Δt3 by the MS
    • If Δti == Δtj then OTD = 0

Assisted GPS (A-GPS)

[Figure: MS with simplified GPS receiver ↔ BTS ↔ MSC ↔ A-GPS server. 1. MS and A-GPS server receive the same satellite signals. 2. The A-GPS server calculates support information for fast localization (doppler shift, pseudo-random noise phase). 3. Support information is sent to the MS. 4. The MS performs the exact measurement and transmits the values to the A-GPS server. 5. Exact measurement values. 6. The server calculates the exact location.]

82

Location Based Services

§ Network-based locating
  – Time of Arrival (TOA)
    • Mobile station sends a signal
    • BTSs receive the signal after Δti (i = 1, 2, 3)
  – Cell of Origin (COO)
    • Cell-ID is associated with a geographic location
    • Accuracy: 100 m … 35 km
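The TOA computation sketched above, carried through as an added example (not from the slides): each delay Δti gives a distance c·Δti to BTSi; subtracting the first distance equation from the other two turns the three circles into a linear 2×2 system. The BTS coordinates and the MS position are constructed test values in a flat metric plane; the last function shows what a timing error at one BTS does to the fix, which is the practical side of the accuracy figures given on the slides:

```python
import math
from typing import List, Sequence, Tuple

C = 299_792_458.0                                      # speed of light in m/s
Point = Tuple[float, float]


def toa_position(bts: Sequence[Point], delays: Sequence[float]) -> Point:
    """Position (x, y) of the MS from three delays Δt_i measured at BTSs with known positions.
    (x - x_i)^2 + (y - y_i)^2 = (c Δt_i)^2; subtracting the i = 1 equation from i = 2 and i = 3
    removes the quadratic terms and leaves a linear 2x2 system, solved by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = bts
    d1, d2, d3 = (C * dt for dt in delays)
    a11, a12 = 2 * (x1 - x2), 2 * (y1 - y2)
    a21, a22 = 2 * (x1 - x3), 2 * (y1 - y3)
    b1 = d2 ** 2 - d1 ** 2 - (x2 ** 2 + y2 ** 2) + (x1 ** 2 + y1 ** 2)
    b2 = d3 ** 2 - d1 ** 2 - (x3 ** 2 + y3 ** 2) + (x1 ** 2 + y1 ** 2)
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("BTS positions are collinear: no unique solution")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det


def delays_from_position(bts: Sequence[Point], pos: Point) -> List[float]:
    """Inverse model used to construct test data: Δt_i = |MS - BTS_i| / c."""
    return [math.dist(pos, b) / C for b in bts]


def position_error(bts: Sequence[Point], pos: Point, timing_error_s: float) -> float:
    """Distance (m) between the true position and the fix when BTS1's clock is off by the given time."""
    dts = delays_from_position(bts, pos)
    dts[0] += timing_error_s
    return math.dist(pos, toa_position(bts, dts))


if __name__ == "__main__":
    bts = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]  # constructed BTS positions (m)
    print(toa_position(bts, delays_from_position(bts, (300.0, 400.0))))
    print(position_error(bts, (300.0, 400.0), 1e-6))   # 1 µs of clock error at one BTS
```

With the constructed geometry a 1 µs clock offset at a single BTS (about 300 m of path length) shifts the fix by well over 100 m, which illustrates why network-based locating depends on tightly synchronised base stations and why the COO method above is so much coarser.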

83

Spread Spectrum Systems

§ Radio communication between military divisions
  – Sender sends on frequency f0 with bandwidth B
§ Problems:
  – Spectrum analyzer detects energy around f0 and directional antennas locate the source of the signal
  – Jammer may interfere with the communication

[Figure: spectrum with a narrow peak at f0.]

84

Transmission model Spread Spectrum Systems

[Figure: Sender: data → spreading modulator (spreading sequence, high bandwidth) → HF modulator (high frequency bearer). Receiver: HF demodulator (high frequency bearer) → spreading demodulator (spreading sequence, high bandwidth) → data.]

85

Spreading

§ Data is modulated with a high-bandwidth spreading sequence:
  – Walsh functions (orthogonal codes)
  – Pseudo-Noise Sequence (PN code)

[Figure: spectrum around f0.]

86

Spreading

§ Data is modulated with a high-bandwidth spreading sequence:
  – Walsh functions (orthogonal codes)
  – Pseudo-Noise Sequence (PN code)
§ Spectral spreading of the signal
§ Dispersion of energy on a large frequency spectrum

[Figure: the narrow signal at f0 becomes a wide, low spectrum.]

87

De-Spreading

§ Spread data interfered by (random) noise

[Figure: spectrum around f0 with narrowband interference above the spread data.]

88

De-Spreading

§ Spread data interfered by (random) noise
§ Spectral spreading of the noise
§ De-spreading of the data

[Figure: after de-spreading the data is a narrow peak at f0 again while the interference is spread over the wide band.]
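Spreading and de-spreading in the time domain, as an added example that is not from the slides: data bits are multiplied by a chip sequence (a Walsh code or a PN sequence), a narrowband jammer is modelled at baseband as a constant offset on every chip, and the receiver correlates with the same chip sequence. With a balanced Walsh code the jammer integrates to zero even when it is stronger than the signal, and a second user on another Walsh row does not disturb the first; with the PN sequence (here a 3-stage LFSR m-sequence, constructed) the rejection is only partial. Codes, bits and jammer amplitude are constructed values:

```python
from typing import List


def walsh_codes(n: int) -> List[List[int]]:
    """Walsh (Hadamard) codes of length n = 2^k as ±1 rows; any two distinct rows are orthogonal."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-c for c in r] for r in h]
    return h


def pn_sequence(length: int = 7) -> List[int]:
    """Pseudo-noise chips from a 3-stage LFSR (feedback x^3 + x^2 + 1), bits 0/1 mapped to -1/+1.
    Constructed example; unlike a Walsh code an m-sequence is only nearly balanced."""
    state = [1, 0, 0]
    chips = []
    for _ in range(length):
        chips.append(1 if state[-1] else -1)
        state = [state[2] ^ state[1]] + state[:-1]
    return chips


def spread(bits: List[int], code: List[int]) -> List[int]:
    """Each data bit (0/1 -> -1/+1) is multiplied by the whole chip sequence: bandwidth grows by len(code)."""
    return [c * (1 if b else -1) for b in bits for c in code]


def mix(*streams: List[float]) -> List[float]:
    """Several spread signals share the same band: at the receiver they simply add up."""
    return [sum(x) for x in zip(*streams)]


def add_interference(chips: List[float], amplitude: float) -> List[float]:
    """Narrowband jammer modelled at baseband as a constant offset on every chip (constructed model)."""
    return [x + amplitude for x in chips]


def correlate(chips: List[float], code: List[int]) -> List[float]:
    """De-spreading: multiply each chip block by the code and integrate (sum) over the block."""
    n = len(code)
    return [sum(x * c for x, c in zip(chips[i:i + n], code)) for i in range(0, len(chips), n)]


def despread(chips: List[float], code: List[int]) -> List[int]:
    """Decide each bit by the sign of its correlation."""
    return [1 if corr > 0 else 0 for corr in correlate(chips, code)]


def demo() -> dict:
    """Two users on orthogonal Walsh codes plus a jammer three times stronger than either signal."""
    codes = walsh_codes(8)
    bits_a, bits_b = [1, 0, 1, 1], [0, 0, 1, 0]
    rx = add_interference(mix(spread(bits_a, codes[5]), spread(bits_b, codes[3])), 3.0)
    return {
        "a": despread(rx, codes[5]),                   # user A recovered
        "b": despread(rx, codes[3]),                   # user B recovered
        "corr_a": correlate(rx, codes[5]),             # ±8: jammer and user B integrate to zero
        "corr_unused": correlate(rx, codes[6]),        # an unused row sees nothing at all
    }


if __name__ == "__main__":
    print(demo())
    pn = pn_sequence()
    print(pn, correlate(add_interference(spread([1, 0], pn), 3.0), pn))
```

The correlation values are the numerical counterpart of the spectra on the slides: the data energy concentrates again (±8 for an 8-chip code), while the jammer, which never matched the code, is spread out and contributes ±3 at most for the PN sequence and exactly zero for a balanced Walsh code.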

89

Missing end-to-end services in GSM

§ Speech channels of GSM are not bit-transparent channels
  – Lossy compression of speech channels
§ Use the data channel for additional end-to-end encryption
  – As an external add-on (e.g. GSM TopSec Med)
  – As an integrated service (e.g. GSM TopSec GSM)
  – Both are add-ons that do not conform to the GSM standard
  – Users need compatible devices or software on the MS

Signaling of channel type (speech, data) in GSM

[Figure: MS-A (sends): A/D converter, CODEC, TA (terminal adaption), A5, TX/RX → BSS: TX/RX, A5, TRAU (transcoder / rate adaption) → MSC; MS-B (receives) mirrors this. The MS signals type := speech or type := data; logic in the BSS: IF type = data THEN Rate Adaption ELSE IF type = speech THEN Transcoder.]

MS: Mobile Station; A5: GSM Link Encryption; BSS: Base Station Subsystem; TX/RX: Transmitter/Receiver; A/D: Analog-Digital Converter; TRAU: Transcoder/Rate Adaption Unit; CODEC: Speech Coder/Decoder; MSC: Mobile Switching Centre; TA: Terminal Adaption

Bit transparent data channel for end-to-end speech encryption

[Figure: MS-A and MS-B each with an add-on unit (A/D, CODEC*, E/D) in front of the mobile's TA; the mobile uses the data channel (A5 link encryption, TX/RX) through BSS (TRAU) and MSC, so the speech stays end-to-end encrypted between the two add-on units.]

Example: TopSec MED (Rohde & Schwarz): external device, bluetooth connected to the mobile phone

Bit transparent data channel – internal use for end-to-end enc.

[Figure: MS-A (modified, sends) and MS-B (modified, receives): A/D, CODEC, E/D and A5 inside the mobile; the modified MS signals type := data and edtype := encrypted_speech; logic in the MS: IF edtype = encrypted_speech THEN E/D ELSE TA; the path runs over BSS (TRAU, A5) and MSC.]

Example: TopSec GSM (Rohde & Schwarz): modified Siemens S35i with cryptoprocessor, 128 bit encryption

93

Software solutions for end-to-end encryption

§ Example: SecureGSM, http://www.securegsm.com
– For Windows Mobile smartphones
– Bit-transparent data channel used
– Asymmetric key agreement («4 Kbit»)
– Triple encryption with AES, Serpent and Twofish with triple 256 bit session keys

Screenshots: http://www.securegsm.com

94

Summary of security problems in GSM

§ Hard
– Weak link encryption «protects» against outsiders only
– No bit-transparent speech channels -> no end-to-end encryption
– Location finding possible for insiders
– Mutual authentication is missing
§ Further
– Symmetric encryption
– No anonymous network usage possible
– Trust in accounting is necessary

95

Security functions of further mobile systems

UMTS and LTE
Bluetooth security
WiFi security

96

Universal Mobile Telecommunication System (UMTS)

§ Security functions of UMTS -> «inspired» by GSM security functions
§ From GSM
– Subscriber identity confidentiality (TMSI)
– Subscriber authentication
– Radio interface encryption
– SIM card (now called USIM)
– Authentication of subscriber towards SIM by means of a PIN
– Delegation of authentication to the visited network
– No need to adopt standardized authentication algorithms
§ Additional UMTS security features
– Enhanced UMTS authentication and key agreement mechanism
– Integrity protection of signaling information (prevents false-base-station attacks)
– New ciphering / key agreement / integrity protection algorithms
… and a few minor features

97

UMTS Security Architecture

[Figure: USIM and MS (user side); Node B (base station) and RNC (serving network); VLR; HLR/AuC (home environment). Ciphering/integrity protection runs between MS and RNC; user authentication and network authentication run between USIM and HLR/AuC via the VLR]

Ciphering / integrity protection: cipher key CK, integrity key IK, ciphering function f8, integrity function f9
User / network authentication: authentication key K, authentication functions f1, f2, key generation functions f3, f4, f5, sequence number management SQN

USIM UMTS Subscriber Identity Module, MS Mobile Station, RNC Radio Network Controller, VLR Visitor Location Register, HLR Home Location Register, AuC Authentication Centre

98

Generation of authentication vectors (network side)

[Figure: Generate SQN and Generate RAND; the inputs K [128], RAND [128], SQN [48] and AMF [16] feed f1, f2, f3, f4, f5, producing MAC [64], XRES [32…128], CK [128], IK [128] and AK [48]]

AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN

99

Abbreviations

SQN Sequence number
RAND Random number
AMF Authentication Management Field
K Secret key
MAC Message authentication code
XRES Expected response
RES Response
CK Cipher key
IK Integrity key
AK Anonymity key
AUTN Authentication token
AV Authentication vector
[…] number of bits

False-base-station attacks are possible if the attacker can eavesdrop an AV on network-internal communication lines

100

Authentication function in the USIM (user side)

[Figure: the USIM receives RAND [128] and AUTN = SQN ⊕ AK [48] || AMF [16] || MAC [64]; f5(K, RAND) gives AK [48], which recovers SQN [48]; f1 gives XMAC [64], f2 gives RES [32…128], f3 gives CK [128], f4 gives IK [128]]

Verify MAC == XMAC, then verify that SQN is in the correct range
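The two preceding slides (network-side AV generation and USIM-side verification) as one runnable exchange. This is an added example, not code from the lecture or from 3GPP: the MILENAGE functions f1..f5 are replaced by HMAC-SHA-256 stand-ins that keep the output sizes of the slides (MAC 64 bit, AK 48 bit, CK/IK 128 bit); K, SQN, RAND, AMF and the accepted SQN window are constructed values. It shows why the MAC and the SQN check together give network authentication: a false base station that does not know K cannot produce a valid AUTN, and a replayed AUTN fails the SQN range check even though its MAC is still valid.

```python
"""UMTS AKA with stand-in f1..f5 (added example, not 3GPP code)."""
import hashlib
import hmac
import os

SQN_MAX_DELTA = 32  # accepted forward window for SQN (constructed operator policy)


def _f(k, tag, data, nbytes):
    """Stand-in for f1..f5 (NOT MILENAGE): HMAC-SHA-256 under K, domain-separated by tag."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:nbytes]


def f1(k, sqn, rand, amf):
    return _f(k, b"f1", sqn + rand + amf, 8)   # MAC, 64 bit


def f2(k, rand):
    return _f(k, b"f2", rand, 8)               # RES / XRES, 64 bit (32..128 allowed)


def f3(k, rand):
    return _f(k, b"f3", rand, 16)              # CK, 128 bit


def f4(k, rand):
    return _f(k, b"f4", rand, 16)              # IK, 128 bit


def f5(k, rand):
    return _f(k, b"f5", rand, 6)               # AK, 48 bit


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k, sqn_he, amf=b"\x00\x00", rand=None):
    """HLR/AuC: AV = RAND || XRES || CK || IK || AUTN with AUTN = (SQN xor AK) || AMF || MAC."""
    rand = rand if rand is not None else os.urandom(16)
    sqn = sqn_he.to_bytes(6, "big")
    mac = f1(k, sqn, rand, amf)
    autn = xor(sqn, f5(k, rand)) + amf + mac
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


def usim_authenticate(k, sqn_ms, rand, autn):
    """USIM: returns (ok, new_sqn_ms, RES, CK, IK); on failure RES/CK/IK are None."""
    sqn = int.from_bytes(xor(autn[:6], f5(k, rand)), "big")   # strip the anonymity key
    amf, mac = autn[6:8], autn[8:16]
    xmac = f1(k, sqn.to_bytes(6, "big"), rand, amf)
    if not hmac.compare_digest(mac, xmac):                   # 1. verify MAC == XMAC
        return False, sqn_ms, None, None, None
    if not (sqn_ms < sqn <= sqn_ms + SQN_MAX_DELTA):         # 2. SQN in the correct range
        return False, sqn_ms, None, None, None
    return True, sqn, f2(k, rand), f3(k, rand), f4(k, rand)


def demo():
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed subscriber key
    av = generate_av(k, sqn_he=1001)
    ok, sqn_ms, res, ck, ik = usim_authenticate(k, 1000, av["RAND"], av["AUTN"])
    keys_match = ok and res == av["XRES"] and ck == av["CK"] and ik == av["IK"]
    # replay of the same AV: MAC verifies, but SQN is no longer in range
    replay_ok = usim_authenticate(k, sqn_ms, av["RAND"], av["AUTN"])[0]
    # false base station without K: its AUTN fails the MAC check
    forged = generate_av(b"\x00" * 16, sqn_he=1002)
    forged_ok = usim_authenticate(k, sqn_ms, forged["RAND"], forged["AUTN"])[0]
    return keys_match, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The VLR only ever sees RAND, XRES and AUTN; if the AV itself is eavesdropped on the network-internal lines (the caveat on the Abbreviations slide), this check does not help, because the eavesdropper replays a genuine AUTN whose SQN is still fresh.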

102

Cipher algorithm f8

§ Combination of Output Feedback mode (OFB) and counter mode
§ First encryption under CK' prevents chosen-plaintext attacks (the initialization vector is encrypted; KM: key modifier)

[Figure: IV = COUNT || BEARER || DIRECTION || 0…0 is encrypted with KASUMI under CK' = CK ⊕ KM; the result, combined with BLKCTR = 0, 1, 2, …, n and the previous output block, is encrypted with KASUMI under CK to give KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …, KS[64·n]…KS[64·(n+1)–1]]

Keystream is XORed with the MESSAGE block
CK' = CK ⊕ KM

103

Integrity algorithm f9: ISO/IEC 9797-1 (MAC algorithm 2)

§ Sender and receiver use f9
§ Receiver verifies MAC == XMAC

[Figure: COUNT || FRESH, MESSAGE[0]…MESSAGE[63], MESSAGE[64]…MESSAGE[127], …, final message block (padded) are chained through KASUMI under IK (CBC-MAC); the XOR of the chain outputs is encrypted once more with KASUMI under IK' = IK ⊕ KM, and the left 32 bits form MAC or XMAC]
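The f8 and f9 constructions of the two slides above, written out as an added example (not code from the lecture or from 3GPP TS 35.201). KASUMI itself is replaced by a keyed 64-bit stand-in (HMAC-SHA-256 truncated to one block) so that the code runs with the standard library only; the surrounding structure is the one drawn on the slides: f8 encrypts the IV under CK' = CK ⊕ KM and then runs the block cipher under CK in a mixed OFB/counter mode, f9 is a CBC-MAC whose final chain value is encrypted under IK' = IK ⊕ KM and truncated to 32 bits. The KM constants are those of the standard; keys, COUNT, BEARER, FRESH and the message are constructed.

```python
"""f8 / f9 structure with a stand-in block cipher (added example, not 3GPP code)."""
import hashlib
import hmac

KM_F8 = bytes([0x55] * 16)   # key modifier for f8 (standard constant)
KM_F9 = bytes([0xAA] * 16)   # key modifier for f9 (standard constant)
BLOCK = 8                    # 64-bit block, as for KASUMI


def kasumi_standin(key, block):
    """Stand-in for KASUMI (NOT KASUMI): keyed PRF, 128-bit key, 64-bit in/out."""
    assert len(key) == 16 and len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f8_keystream(ck, count, bearer, direction, length_bits):
    """Keystream for f8. IV = COUNT(32) || BEARER(5) || DIRECTION(1) || 0...0 (26 zero bits)."""
    iv = ((count << 32) | (bearer << 27) | (direction << 26)).to_bytes(BLOCK, "big")
    a = kasumi_standin(xor(ck, KM_F8), iv)       # first encryption under CK' = CK xor KM
    ks, prev, blkctr = b"", bytes(BLOCK), 0
    while len(ks) * 8 < length_bits:
        # OFB feedback (prev) combined with the block counter (BLKCTR)
        inp = xor(xor(a, prev), blkctr.to_bytes(BLOCK, "big"))
        prev = kasumi_standin(ck, inp)
        ks += prev
        blkctr += 1
    return ks[:(length_bits + 7) // 8]


def f8(ck, count, bearer, direction, message):
    """Encryption and decryption are the same operation: MESSAGE xor keystream."""
    return xor(message, f8_keystream(ck, count, bearer, direction, len(message) * 8))


def f9(ik, count, fresh, direction, message):
    """32-bit MAC over COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0* in 64-bit blocks."""
    head = count.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message
    padded = (int.from_bytes(head, "big") << 2) | (direction << 1) | 1
    total_bits = len(head) * 8 + 2
    pad = (-total_bits) % 64                     # zero padding to the block boundary
    data = (padded << pad).to_bytes((total_bits + pad) // 8, "big")
    a, b = bytes(BLOCK), bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        a = kasumi_standin(ik, xor(a, data[i:i + BLOCK]))   # CBC chaining under IK
        b = xor(b, a)                                         # running XOR of chain outputs
    return kasumi_standin(xor(ik, KM_F9), b)[:4]             # left 32 bits under IK'


def demo():
    ck, ik = bytes(range(16)), bytes(range(16, 32))           # constructed keys
    msg = b"RRC signalling message (constructed)"
    c = f8(ck, 7, 3, 0, msg)
    roundtrip = f8(ck, 7, 3, 0, c) == msg
    distinct_dir = f8_keystream(ck, 7, 3, 0, 64) != f8_keystream(ck, 7, 3, 1, 64)
    mac = f9(ik, 7, 0x1234, 0, msg)
    tampered = bytes([msg[0] ^ 1]) + msg[1:]
    detects = f9(ik, 7, 0x1234, 0, tampered) != mac            # receiver: MAC != XMAC
    return roundtrip, distinct_dir, detects, len(mac)


if __name__ == "__main__":
    print(demo())  # (True, True, True, 4)
```

COUNT and DIRECTION in both inputs are what keeps the uplink and downlink keystreams apart and makes each frame's MAC unique; a receiver that accepted a repeated COUNT would lose both properties.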

104

Own base station in UMTS

§ Example: Vodafone SuperSignal
– base station connected via IP with the UMTS network
– femto cell at home, not a repeater

[Figure: USIM/MS connects to the Vodafone SuperSignal, which connects through the UMTS home router (IP) via IP to the operator network]

Source: http://www.vodafone.de/business/hilfe-support/umts-basisstation-vodafone-supersignal.html

105

Long Term Evolution (LTE) Architecture

[Figure: USIM and ME; eNode B (E-UTRAN); S-GW (MSC), MME (VLR), HSS (HLR/AuC), P-GW (G-MSC); IP network. The GSM/UMTS counterparts are given in parentheses]

USIM UMTS Subscriber Identity Module, ME Mobile Equipment, E-UTRAN Evolved UMTS Terrestrial Radio Access Network, MME Mobility Management Entity, HSS Home Subscriber Server, S-GW Serving Gateway, P-GW Packet Data Network Gateway, IP Internet Protocol

106

Long Term Evolution (LTE)

§ Characteristics
– Traffic channels: data services only, speech is realized via Voice-over-IP
– SMS is realized via signalling messages (similar to GSM)
§ Security: inspired by and closely related to UMTS
– Individual symmetric key at USIM and HSS
– Authentication vector
• Calculated at USIM and HSS
• Checked at MME
– Pseudonymization on the air interface:
• Globally Unique Temporary Identity (GUTI)
– Data encryption
• Air interface: Advanced Encryption Standard (AES)
• Network-internal communication: IPsec
-> False-base-station attacks: impossible

107

Bluetooth security

108

Bluetooth

§ Development
– Initiated by Ericsson
– Bluetooth Special Interest Group (SIG)
• Ericsson, Nokia, IBM, Toshiba, Intel and many others
§ Standard
– IEEE 802.15.1
§ Benefits
– Low energy consumption
– Low interference sensitivity (spread spectrum techniques)
§ Disadvantages
– Low bandwidth
– Limited signal coverage (radius)
– Limited number of users

109

Technical Details

§ Physical layer
– License-free ISM band: 2.4 GHz (ISM: Industrial, Scientific, Medical)
– 2402 to 2480 MHz
– 79 channels of 1 MHz bandwidth each
– Frequency hopping with 1600 hops (channel changes) per second
§ Link layer (DLL)
– Modulation method:
• Gaussian Frequency Shift Keying
– Forward Error Correction (FEC)
– Cyclic Redundancy Check (CRC)

110

Technical Details

§ Specifications
– 1.0: First spec, still immature, ca. 732 kbps data rate
– 1.1: Broadly used
– 1.2: Adaptive Frequency Hopping, improved error correction
– 2.0 (Nov 2004): Data rates up to 2 Mbps
– 3.0 (Apr 2009): Data rates up to 24 Mbps
– 4.0 (Dec 2009): Bluetooth Low Energy
§ Classification
– Pico-Bluetooth
• 2.5 mW / 1 mW transmission power (Class 2 and 3)
• Radius up to 50 m / 10 m
– Mega-Bluetooth
• 100 mW transmission power (Class 1)
• Radius up to 100 m

111

Development of networks

a) Point-to-point
b) Pico-network: 1 master, up to 7 active slaves
c) Scatter-network: various overlapping pico-networks

[Figure: a) one master M linked to one slave S; b) one master M with several slaves S; c) several overlapping pico-networks, each with a master M and slaves S, sharing devices]

112

Protocols

[Figure: Bluetooth protocol stack. Bottom: Bluetooth Radio, Baseband; above the baseband: LMP and L2CAP; above L2CAP: RFCOMM (carrying OBEX (vCard, vCal), AT commands, PPP and IP), SDP, TCS, Audio, …; Voice runs directly over the baseband]

OBEX OBject EXchange protocol, IP Internet Protocol, PPP Point-to-Point Protocol, SDP Service Discovery Protocol, RFCOMM Serial cable emulation protocol, TCS Telephony Control protocol Specification, LMP Link Manager Protocol, L2CAP Logical Link Control and Adaption Protocol

According to: Bluetooth Specification Version 2.0 + EDR [vol 4], p. 22

113

Protocols (2)

§ Bluetooth Radio
– Air interface
§ Baseband
– Functions for link connection, frequency hopping, etc.
§ Link Manager Protocol (LMP)
– Security features, clock synchronisation
§ Logical Link Control and Adaption Protocol (L2CAP)
– Interface for higher protocol layers to access the baseband
§ Service Discovery Protocol (SDP)
– Information about device types, services, etc.
§ RFCOMM (serial cable emulation protocol)
– Based on ETSI TS 07.10; for universal use (modem, IP, …)
§ Telephony Control protocol Specification (TCS)
– For device control

114

Security

§ Security functions
– Secure device pairing
– Symmetric authentication (one-sided and mutual)
– Symmetric encryption
§ Basic algorithm for pairing and authentication
– SAFER+
• Publicly known
• 1 of 15 candidates for AES (Advanced Encryption Standard)
– Characteristics of SAFER+
• Block cipher with 128 bit block length
• 8 rounds
• Key length 128 bit
– Used in E21, E22, E1 and E3

115

Pairing

§ Objectives
– Identification of two devices A and B
– Generation of a symmetric key KAB
§ Pairing procedure
1. Exchange of device addresses BD_ADDRA and BD_ADDRB
2. Generate initialization key Kinit (intermediate step)
3. Generate KAB

116

Pairing (1)

§ Generate initialization key Kinit (algorithm E22)
§ Input:
– Device address (BD_ADDRB, 48 bit)
– PIN (8-128 bit, typ. at least 4 digits)
– Random number (IN_RAND, 128 bit)
§ Output:
– Kinit (128 bit)

[Figure: Device A sends IN_RAND (128 bit) over the air interface to Device B; both devices compute Kinit = E22(PIN, BD_ADDRB, IN_RAND). BD_ADDRA, BD_ADDRB and the PIN are available at both devices; the PIN is not sent over the air interface]

117

Pairing (2)

§ Generate KAB (algorithm E21)
§ Input:
– Random numbers (LK_RANDA/B, 128 bit)
– Device addresses (BD_ADDRA/B, 48 bit)
– Initialization key Kinit
§ Output:
– KAB (128 bit)

[Figure: Device A sends LK_RANDA ⊕ Kinit and Device B sends LK_RANDB ⊕ Kinit over the air interface (LK_RANDA/B are 128 bit); each device computes LK_KA = E21(LK_RANDA, BD_ADDRA) and LK_KB = E21(LK_RANDB, BD_ADDRB) and combines both into KAB]

118

Authentication (one-sided or mutual)

§ Algorithm E1
§ Input:
– Random number AU_RAND
– KAB
– Device address A, BD_ADDRA
§ Output:
– true or false
– ACO (Authenticated Ciphering Offset, 96 bit)

[Figure: one-sided authentication. The verifier (A) sends AU_RANDA (128 bit) over the air interface to the claimant (B); B computes SRESA = E1(AU_RANDA, BD_ADDRA, KAB) (32 bit) and returns it; A computes SRES'A from the same inputs and compares: OK if equal, otherwise HALT. Both sides also obtain the ACO]

119

Encryption

§ 2 steps
– Generate key Kc with algorithm E3
– Data encryption with stream cipher E0
§ Algorithm E3
§ Input:
– Random number (EN_RANDA, 128 bit)
– Ciphering Offset Number (COF, 96 bit) = ACO (from authentication)
– KAB (128 bit)
§ Output:
– Kc (8-128 bit, manufacturer-specific)

[Figure: E3 with inputs EN_RANDA, COF (= ACO) and KAB gives Kc; identical at A and B]

120

Encryption (2)

§ Algorithm E0
– Linear feedback shift registers
– Stream cipher with variable block length up to 64 bit
§ Input:
– Kc
– Device address (BD_ADDRA)
– Clock (counter)
– Plaintext or ciphertext

[Figure: E0: the payload key generator with inputs Kc, BD_ADDRA and Clock produces the payload key; the keystream generator then turns plaintext into ciphertext and vice versa; identical at A and B]

121

Encryption (3)

[Figure: Device A sends EN_RANDA and «start encryption» over the air interface; both devices derive KC and run E0 with Kcipher, BD_ADDRA and ClockA; data A-B is sent as encrypted data]

122

Summary: security functions

§ Initialization (pairing)
– Generate symmetric key KAB between devices
– KAB is saved
– Kinit no longer needed
§ Authentication
– Challenge-response based on KAB
§ Encryption
– Session key Kc generated from KAB
– Pseudo one-time pad
– Kc can be changed automatically while connected

123

Vulnerabilities

§ PIN used for pairing
– Often too short (4 digits)
– Fixed in the device (1234 or 0000)
– Often one PIN for all devices used by a user (convenience)
– Some devices can only process PINs of at most 16 digits
§ Location finding is easy
– BD_ADDR used to discover devices
– Service Discovery Protocol (SDP)
– Generating route profiles
§ Device address can be faked
§ High level of vulnerability to DoS attacks
– Repeated refused queries
• Result: battery is discharged

124

Known attacks (selection) 1/2

§ Range: with antenna up to 2 km
– Salzburg Research, August 2004
§ BlueBug: uses implementation errors
– Marcel Holtmann, Sept 2003
– BlueSnarf: change phone book, send SMS, …
– Chaos attack: initiate unnoticed calls, possibilities like BlueSnarf
– No pairing necessary
§ BlueSmack:
– DoS attack (uses echo requests)

125

Known attacks (selection) 2/2

§ PIN cracking
– Yaniv Shaked and Avishai Wool, June 2005
– Brute-force attack on Kinit (and KAB)
– Passive attack
• Pairing process is sniffed by the attacker
– Active attack
• Attacker provokes re-pairing and hopes for a weak PIN
– Not possible if PIN > 64 bit ≈ 19 digits

PIN length   Time in s
4            0.063
5            0.75
6            7.609
7            76.127
Results with Pentium IV 3 GHz

126

Security

§ In general
– no use of Bluetooth, as far as possible
– if not used, switch it off
– disable visibility of the device
§ Pairing
– no pairing in public
– pairing with another technology (e.g. NFC = Near Field Communication)
– use non-trivial PINs (more than 18 digits)
– multiple devices must have different PINs
§ Hope for a good implementation
– firmware update if necessary

127

WiFi security

128

WLAN: Wireless Local Area Networks

§ Wireless connection of systems
– increased mobility
– no physical (wired) connections
§ Topologies
– Ad-hoc mode: peer-to-peer connections (client-to-client)
– Infrastructure mode: via Access Point (AP)
§ IEEE 802.11 standard
– IEEE: Institute of Electrical and Electronics Engineers
– defines layer 1 and parts of layer 2 of the OSI reference model
– shares Logical Link Control (802.2) with the other 802 standards

129

IEEE 802.11 Standard

[Figure: infrastructure network. Mobile terminal: application, TCP, IP, LLC, 802.11 MAC, 802.11 PHY. Access point: LLC; 802.11 MAC and 802.11 PHY on the wireless side, 802.3 MAC and 802.3 PHY on the wired side. Fixed terminal: application, TCP, IP, LLC, 802.3 MAC, 802.3 PHY]

130

IEEE 802.11 protocol family

§ Well-known WLAN standards:
– IEEE 802.11:
• Infrared (IR)
• 1 or 2 Mbps via radio in the 2.4 GHz ISM band
– IEEE 802.11b: 11 Mbps in the 2.4 GHz ISM band
– IEEE 802.11a: 54 Mbps in the 5 GHz ISM band
– IEEE 802.11g: 54 Mbps in the 2.4 GHz ISM band
– IEEE 802.11n: 600 Mbps in the 2.4 GHz and 5 GHz ISM bands
– IEEE 802.11p: 27 Mbps around 5 GHz, car-to-car
§ Security
– IEEE 802.11i: security (WPA2)
– Outdated:
• WEP (Wired Equivalent Privacy)
• WPA (WiFi Protected Access) and others

131

WLAN

§ Security demands
– Confidentiality:
• Protection against eavesdropping
– Integrity:
• Protection against modification of messages
• Protection against unauthorized access
– Availability:
• Protection against denial-of-service attacks

132

Protection against unauthorized access

§ Weak protection: MAC addresses
– Limit access to specific MAC addresses on the network
§ Problem:
– Management of valid MAC addresses
– MAC addresses can be spoofed (MAC spoofing)

133

WEP: Wired Equivalent Privacy

§ General
– Optional sub-protocol of IEEE 802.11
– Encryption, integrity protection and authentication
– Implemented in virtually all WLAN devices
§ Encryption
– Symmetric encryption with 40 or 104 bit keys, based on RC4
§ Integrity protection
– CRC (Cyclic Redundancy Check)
§ Authentication
– Method 1: «Open»: no authentication
– Method 2: «Shared Key»: challenge-response authentication

134

WEP: Encryption

§ Symmetric stream cipher
– Plaintext XORed with keystream
§ Generation of keystream
– Initialization vector (IV, 24 bit)
– Key (K, 40 or 104 bit)
– RC4 algorithm used as pseudo-random number generator (PRNG)
§ IV is sent in clear
§ Decryption
– Receiver generates the same keystream
– Ciphertext XORed with keystream
– Ciphertext and keystream are combined again with XOR

135

WEP: Encryption and Integrity protection

[Figure: the initialization vector IV (24 bit) || key K (40 or 104 bit) forms the 64 or 128 bit seed of RC4 (PRNG), which produces the keystream; plaintext M || CRC(M) (the ICV, Integrity Check Value) is XORed with the keystream; the IV is prepended in clear. || concatenation]

Ciphertext C = IV || (M || CRC(M)) ⊕ RC4(IV || K)
Or shorter: IV, (M, CRC(M)) ⊕ RC4(IV, K)

137

WEP: Decryption and integrity protection

[Figure: from the ciphertext C the IV is read in clear; IV || K seeds RC4 (PRNG); the keystream is XORed with the ciphertext to give M || ICV; the receiver recomputes CRC(M) = ICV' and compares ICV' ?= ICV: OK if equal, otherwise HALT. || concatenation; decryption is the reverse function of encryption]

138

WEP: Authentication

§ Two options
– Open and Shared Key
§ Open (= no authentication)
– disable authentication (only SSID, Service Set ID)
§ Shared Key
– Challenge-response authentication
– Access Point sends an unencrypted challenge value
– Client sends the challenge value back as an encrypted response
– Access to the network if the challenge is encrypted correctly

139

WEP: Vulnerabilities

1. Initialization vector
– IV too short, repeated usage of equal IVs
– Some products implement IV++ with start value IV = 0
– Results in a known-plaintext attack:
• Attacker can store a table of (IV, keystream):
– Ciphertext C = (M, CRC(M)) ⊕ RC4(IV, K)
– Attacker knows ciphertext, IV and M: calculate keystream = RC4(IV, K). If the IV occurs again, the attacker can decrypt
– Message-related break: break individual messages without finding the key K
2. Key K
– Too short key length with 40 bit (brute-force attack)

140

WEP: Vulnerabilities

3. Weakness in RC4 and its usage
– «Weak» IVs can be used to calculate K with a statistical attack:
• Attacker knows IV, ciphertext and beginning of plaintext
– Beginning of plaintext: data packets start with M = 0xAAAA03 (SNAP header, SubNetwork Access Protocol) -> attacker knows the first three bytes of the keystream
– Determine keystream (output of RC4) from ciphertext and M: C = Keystream XOR M
• With knowledge of many IVs and many keystreams:
– Possible exploitation of a vulnerability in RC4: partial linearity of RC4 allows determination of K from Keystream = RC4(IV, K)

red = known, blue = unknown

141

WEP: Vulnerabilities

3. Weakness in RC4 and its usage

[Figure: IV || K seeds RC4 (PRNG) giving keystream S; M || CRC(M) XORed with S gives the ciphertext; the plaintext begins with AAAA03…; searched: K. || concatenation]

Statistical analysis: RC4(IV1, K) = S1, RC4(IV2, K) = S2, RC4(IV3, K) = S3, RC4(IV4, K) = S4, …
Result of the weakness: K can be calculated

red = known, blue = unknown

143

WEP: Vulnerabilities

3. Weakness in RC4 and its usage
– Practical attack
• 4-6 million data packets required to gather «weak» IVs: ≈ 5% of IVs are weak (≈ 900,000 of 2^24)
• needs 8-12 hours (avg. net load of 1 Mbps) and up to 12 GB HDD space
• all data packets begin with the SNAP pattern 0xAAAA03
• partial linearity of RC4 on weak IVs
– Improvement 1:
• Attacker can enforce usage of weak IVs to reduce the network load by choosing the IV, and sending and receiving packets
– Improvement 2:
• Tews et al. (2007) found a further weakness in RC4 that improves the speed of the WEP attack to ≈ 1 min with no need for weak IVs

Weak IVs: attack only possible with certain bit combinations in the IV

144

WEP: Vulnerabilities

3. Weakness in RC4 and its usage
– Literature:
• Scott Fluhrer, Itsik Mantin, Adi Shamir: Weaknesses in the Key Scheduling Algorithm of RC4. 2001.
• Adam Stubblefield, John Ioannidis, Aviel D. Rubin: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2001.
• Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin: Breaking 104 bit WEP in less than 60 seconds. 2007.

145

WEP: Vulnerabilities

4. Weakness of CRC
– CRC and encryption are linear:
• c(a ⊕ b) = c(a) ⊕ c(b)
– Modification of data packets is easy:
• XOR a random number to the (encrypted) plaintext
• XOR a CRC to the (encrypted) checksum

146

WEP: Vulnerabilities

4. Weakness of CRC
– Let (M, CRC(M)) ⊕ RC4(IV, K) = C
– Attacker sends C ⊕ X with X = (M', CRC(M')):
X ⊕ (M, CRC(M)) ⊕ RC4(IV, K) = C ⊕ X
– Recipient decrypts:
X ⊕ (M, CRC(M)) = (M', CRC(M')) ⊕ (M, CRC(M))
– Because of the data format and the linearity of the encryption (XOR) and of the CRC: CRC(M ⊕ M') = CRC(M) ⊕ CRC(M')
– Result: the attacker has sent a valid message M ⊕ M'
• CRC can be used to detect random errors, but not to detect modifications of data by an attacker

147

WEP: Vulnerabilities

4. Weakness of CRC

[Figure, step by step:]
Ciphertext from sender: C = (M, CRC(M)) ⊕ RC4(IV, K)
X of attacker: X = (M', CRC(M'))
Attacker sends C ⊕ X: (M', CRC(M')) ⊕ (M, CRC(M)) ⊕ RC4(IV, K)
Receiver decrypts: (M', CRC(M')) ⊕ (M, CRC(M)) = (M ⊕ M', CRC(M) ⊕ CRC(M'))
Receiver checks the CRC (always successful here), because CRC(a ⊕ b) = CRC(a) ⊕ CRC(b): ICV ?= CRC(M ⊕ M') -> OK (otherwise STOP)
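The two WEP weaknesses worked through above, IV reuse (vulnerability 1) and the linear CRC (vulnerability 4), in one runnable model. This is an added example, not code from the lecture: a minimal RC4 and the frame format of the slides, IV || (M || CRC(M)) ⊕ RC4(IV || K), are used to show (1) that a repeated IV hands an observer with one known plaintext the keystream for every other frame under that IV, which is also what defeats the shared-key authentication on the next slides, and (2) that the ICV is linear, so a frame can be changed without knowing K and still pass the receiver's check, whereas the same linear trick fails against a keyed MAC, which is why 802.11i replaced the CRC with a real MIC. The key, IV, messages and the HMAC stand-in for a MIC are constructed. The CRC-32 of the standard library has an initial value and a final XOR, so the linearity of the slides holds for its linear part only; crc_delta() accounts for that.

```python
"""WEP keystream reuse and CRC linearity, modelled (added example, constructed values)."""
import hashlib
import hmac
import struct
import zlib

K = bytes.fromhex("0102030405")   # constructed 40-bit WEP key


def rc4(key, length):
    """RC4 keystream of the given length (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(m):
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def wep_encap(iv, key, m):
    """IV || (M || ICV(M)) xor RC4(IV || K)."""
    body = m + icv(m)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decap(frame, key):
    """Receiver: returns M if the ICV verifies, else None."""
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4(iv + key, len(c)))
    m, tag = body[:-4], body[-4:]
    return m if tag == icv(m) else None


def recover_other_frame(frame_known, m_known, frame_other):
    """(1) Observer without K: keystream = C xor (M || ICV(M)), reused on a second frame with the same IV."""
    assert frame_known[:3] == frame_other[:3], "only works when the IV repeats"
    keystream = xor(frame_known[3:], m_known + icv(m_known))     # as long as the known frame
    body = xor(frame_other[3:], keystream[:len(frame_other) - 3])
    return body[:-4]


def crc_delta(delta):
    """Linear part of CRC-32: ICV(M xor D) == ICV(M) xor crc_delta(D); the init/final constants cancel."""
    return struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF)


def flip_frame(frame, delta):
    """(2) XOR D into the encrypted payload and the matching CRC difference into the encrypted ICV."""
    iv, c = frame[:3], frame[3:]
    return iv + xor(c, delta + crc_delta(delta))


def mic(key, m):
    """Keyed integrity tag (HMAC stand-in for a real MIC): not linear in the message."""
    return hmac.new(key, m, hashlib.sha256).digest()[:8]


def demo():
    iv = b"\x00\x00\x01"                                          # one IV used twice
    m1 = b"\xaa\xaa\x03known plaintext"                           # SNAP header first, as on the slides
    m2 = b"\xaa\xaa\x03secret frame"
    f1, f2 = wep_encap(iv, K, m1), wep_encap(iv, K, m2)
    reused = recover_other_frame(f1, m1, f2) == m2                # (1) second frame read without K
    delta = bytes(3) + xor(b"secret", b"public") + bytes(len(m2) - 9)
    accepted = wep_decap(flip_frame(f2, delta), K)                # (2) modified frame passes the ICV
    # the same linear trick against a keyed MIC does not produce the right tag
    forged_mic = xor(xor(mic(K, m2), mic(K, delta)), mic(K, bytes(len(delta))))
    mic_forgery_works = forged_mic == mic(K, xor(m2, delta))
    return reused, accepted == xor(m2, delta), mic_forgery_works


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

For a receiver, the lesson is the one the comparison table on a later slide encodes: a CRC only catches random errors, integrity against an active modifier needs a keyed tag, and a keystream that is reused across frames exposes every frame under that IV, so IV uniqueness must be enforced, not hoped for.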

148

WEP: Vulnerabilities

5. No mutual authentication
– No protection against false Access Points
6. Ineffective authentication
– Attacker eavesdrops challenge-response pairs (x / C)
• Knows x = M and C (and IV)
• Calculates keystream = RC4(IV, K)
– Attacker opens his own session
• Receives a challenge x'
• Calculates: x' ⊕ RC4(IV, K)
• Weakness: attacker chooses the same IV

149

WEP: Vulnerabilities: Ineffective authentication

§ Attacker monitors IV, x and x ⊕ RC4(IV, K)
§ Calculates keystream RC4(IV, K) from x

[Figure: message sequence. Authorized client -> AP: Auth Request; AP (knows K, chooses a random x) -> client: Challenge x; client (knows K, chooses IV) -> AP: x ⊕ RC4(IV, K), IV. Attacker -> AP: Auth Request; AP (knows K, chooses a random x') -> attacker: Challenge x'; attacker (knows the keystream, chooses the monitored IV) -> AP: x' ⊕ RC4(IV, K), IV]

150

Development of WiFi security

§ Evolution steps
– WEP128
– WEPplus
– Fast Packet Keying
– WEP2
– EAP (Extensible Authentication Protocol)
– WPA (WiFi Protected Access)
§ IEEE 802.11i
– «WPA2»
– covers some of the evolutionary extensions in one standard

151

Comparison of WEP, WPA, WPA2

                  WEP        WPA            WPA2
Encryption        RC4        RC4            AES
Key length        40 bit     128 bit        128 bit
IV                24 bit     48 bit         48 bit
Data integrity    CRC-32     Michael        CCM
Header integrity  –          Michael        CCM
Replay attacks    –          IV sequence    IV sequence
Key management    –          Based on EAP   Based on EAP

152

Evolutionary solutions

§ WEP128
– Proprietary extension of the WEP standard
– WEP with 128 bit encryption (24 bit IV plus 104 bit key)
§ WEPplus
– Another proprietary extension of the WEP standard
– Defined by Agere Systems (ORiNOCO chipset producer)
– Prevents occurrence of «weak» IVs
§ Unsolved:
– No useful authentication
– No cryptographic integrity
– Replay / repetition of IVs still very likely

153

Fast Packet Keying

§ Extension for WEP by RSA Security Inc. (developer of RC4)
– prevent «weak» IVs
– prevent repeated combinations of IV and key
– Keystream = RC4(PHASE2(PHASE1(TK, TA), IV))

[Figure: TK (128 bit) and TA (48 bit) enter Phase 1 (key mixing): TTAK = PHASE1(TK, TA); TTAK and the 16 bit IV enter Phase 2 (generating a per-packet key): PPK = PHASE2(TTAK, IV); the resulting 24 bit IV || 104 bit key (128 bit) seeds RC4. || concatenation]

TK Temporal Key, TA Transmitter Address, PPK Per Packet Key, TTAK key mixing of TK and TA, Phase 1: key mixing, Phase 2: generating a per-packet key

154

Fast Packet Keying

§ Functionality
– Symmetric key TK (Temporal Key), 128 bit
– Key mixing: a new key is generated from TK and the device address TA (Transmitter Address), 48 bit
– Packet key generation: the 24 bit IV and the WEP key are generated from a 16 bit IV and the mixed key
– Input of RC4 is repeated after 4·10^21 years
§ Unsolved:
– No useful authentication
– No cryptographic integrity

155

WEP2

§ Task Group i (TGi) within IEEE:
– Objective: improvement of WEP
– New standards: WEP2, WPA, WPA2
§ WEP2
– Extension of the IV to 128 bit
– Optional authentication of Access Points and clients via Kerberos
– Introduction of session keys
§ Problems:
– Replay of IVs still possible
– Weak IVs not excluded
– Security vulnerability in Kerberos
– Ineffective authentication

156

EAP

§ Extensible Authentication Protocol
– Introduced for remote access with dial-in connections
– Part of the 802.1X standard
– Authentication and key management
– Low implementation cost in Access Points (AP)
– No firmware upgrade necessary
§ Functionality
– Three systems involved: client, AP, authentication server
– AP works as a proxy between client and authentication server
– AP grants access to the network after successful authentication

157

WPA (WiFi Protected Access)

§ WPA is part of IEEE 802.11i
§ Functionality
– Authentication via EAP
– Encryption based on RC4 with 128 bit keys
– New cryptographic integrity protection by the algorithm «Michael»
– Mechanism to negotiate key length and authentication procedure
– either: session key distribution over RADIUS servers (Remote Authentication Dial-In User Service)
– or: without server via broadcast/multicast
– IV is incremented with each packet (prevents replay of the IV)

158

WPA (WiFi Protected Access)

§ WPA is part of IEEE 802.11i
§ Problems
– Broadcast/multicast key is known to all stations
– «Michael» is relatively weak: O(2^20…2^30)
– 1-minute shutdown of the AP when receiving more than one wrong authentication packet (within a given time)
• Denial-of-service attacks are easy
• Possible improvements:
– Reduction of the deactivation/disconnection time (ca. 100 ms)
– After n authentication errors, renegotiate session keys

159

802.11i

§ WPA2 standard adopted in July 2004
– Includ­es WPA
– Requires hardware upgrade of AP and client
§ Functionality
– Authentication via EAP
– AES for encryption
– New protocol for integrity protection