Analysis of Cryptography in GSM Networks

Research Project

Master of the Sciences Degree in Communication and Information Engineering

University of Peradeniya

By: Tharindu Weerasinghe (PG/EE/08/MSc/24)


Outline

Introduction
Common Security Requirements
Cryptography
  Symmetric Key
  Public key
  Cryptographic hashes
GSM
Cryptography in GSM (A5/1, A5/3….)
Their issues
My proposal
Conclusion

Introduction

The world today is hostile…

[Figure labels: Eavesdropping, Impersonation, Modification, Hacker, Internet]

Common Security Requirements

Privacy (Confidentiality)
User Authentication
Data Authentication (Data Integrity)
Non-repudiation (Non-refutation)
Access Control
Availability

How to protect?

Cryptography

What can cryptography do?

Encryption: Only the authorized party can understand the message after the process of encryption.

Data authentication: Ascertain that the information exchanged is indeed the one from the sender.

Signature: Allows people to verify the authenticity of the message or authenticate the peer user.

Cryptography

Cryptography
  symmetric-key cryptography
  public-key cryptography
  cryptographic hashes

Used for
  authentication, integrity protection, encryption, key management

Symmetric-Key Cryptography

Encryption

$C = E_k(M)$

Decryption

$M = D_k(C)$

Encryption/Decryption uses the same or similar key

Ideally, a different key for each pair of users

For example, DES (Data Encryption Standard)

Symmetric-Key Cryptography: Encryption / Decryption

[Figure labels: Alice, encoder (plain text in - cipher text out), cipher text msg, decoder (cipher text in - plain text out), Bob, Shared Key, eavesdropper (should understand nothing about the msg); messages: bla-bla, cmb-cmb-cmb, bla-bla]

How can Alice & Bob share the secret key in advance?

Symmetric-Key Cryptography: Authentication & Key Agreement

However, this suffers from the “Man-In-The-Middle” attack.

Man-In-the-middle attack

Public Key Encryption

Each user has a public/private key pair. Keys are inverses of each other.

Only the owner knows the private key, but everyone knows the public key.

If the message is encrypted with the private key, then everyone with the public key can recover the message, but only the owner can generate the encrypted message.

If the message is encrypted with the public key, only the owner can decrypt it using its private key.

The first property can be used for signature and the second property can be used for encryption.

Examples: RSA, Digital Signatures

Public Key Encryption (contd.)

Public Key Encryption: Problems

If an attacker can substitute their own public key for another user's, the attacker can recover messages intended for the other user.

Requires a method of binding a user's ID with their public key.

Public Key Infrastructure

User (or entity) gets a related key pair:

. one private key, known only to the user

. one public key, distributable to the user

A message encrypted with one key requires the other key for decryption

Public Key Infrastructure (Contd.)

Need this infrastructure to prevent A from claiming that B uses the public key that A generates.

All users have an incorruptible copy of the Certificate Authority's (CA) public key.

CA signs each user's ID/Public Key pair.

However, the certificate revocation list is a major headache.

Public Key Certificates

Cryptographic hashes

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.

The ideal cryptographic hash function has four main properties:

it is easy to compute the hash value for any given message,
it is infeasible to find a message that has a given hash,
it is infeasible to modify a message without changing its hash,
it is infeasible to find two different messages with the same hash.

Cryptographic hashes: Example

Well…

that was Cryptography in a nut-shell….

Now we will see what is GSM..?

GSM

GSM (Global System for Mobile communications: originally from Groupe Spécial Mobile) is the most popular standard for mobile phones in the world. Its promoter, the GSM Association, estimates that 80% of the global mobile market uses the standard. GSM is used by over 3 billion people across more than 212 countries and territories.

GSM SECURITY

Cryptography in GSM

GSM was designed with a moderate level of security. The system was designed to authenticate the subscriber using a pre-shared key and challenge-response.

Communications between the subscriber and the base station can be encrypted.

The development of UMTS (Universal Mobile Telecommunications System) introduces an optional USIM (Universal Subscriber Identity Module), a software application for UMTS mobile telephony that uses a longer authentication key to give greater security, as well as mutually authenticating the network and the user, whereas GSM only authenticates the user to the network (not vice versa).

The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation.

GSM uses several cryptographic algorithms for security. A5/1 & A5/2 stream ciphers are used for ensuring “over-the-air voice” privacy. A5/1 was developed first and it is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries.

Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a Ciphertext-Only Attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a Rainbow Table Attack.

The system supports multiple algorithms so operators may replace that cipher with a stronger one.

How do Authentication & Key generation work in a GSM network?

Encryption in the GSM network utilizes a Challenge/Response mechanism.

The Mobile Station (MS) signs into the network.

The Mobile Services Switching Center (MSC) requests 5 triples from the Home Location Register (HLR).

The Home Location Register creates five triples utilizing the A8 algorithm. These five triples each contain:
  A 128-bit Random Challenge (RAND)
  A 32-bit matching Signed Response (SRES)
  A 64-bit ciphering key used as a Session Key (Kc).

The Home Location Register sends the Mobile Services Switching Center the five triples.

The Mobile Services Switching Center sends the Random Challenge from the first triple to the Base Transceiver Station (BTS).

The Base Transceiver Station sends the random challenge from the first triple to the Mobile Station.

The Mobile Station receives the random challenge from the Base Transceiver Station and encrypts it with the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station utilizing the A3 algorithm.

The Mobile Station sends the Signed Response to the Base Transceiver Station.

The Base Transceiver Station sends the Signed Response to the Mobile Services Switching Center.

The Mobile Services Switching Center verifies the Signed Response.

The Mobile Station generates a Session Key (Kc) utilizing the A8 algorithm, the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station, and the random challenge received from the Base Transceiver Station.

The Mobile Station sends the Session Key (Kc) to the Base Transceiver Station.

The Mobile Services Switching Center sends the Session Key (Kc) to the Base Transceiver Station.

The Base Transceiver Station receives the Session Key (Kc) from the Mobile Services Switching Center.

The Base Transceiver Station receives the Session Key (Kc) from the Mobile Station.

The Base Transceiver Station verifies the Session Keys from the Mobile Station and the Mobile Services Switching Center.

The A5 algorithm is initialized with the Session Key (Kc) and the number of the frame to be encrypted.

Over-the-air communication channel between the Mobile Station and Base Transceiver Station can now be encrypted utilizing the A5 algorithm.

This process authenticates the GSM Mobile Station (MS) to the GSM network. One known security limitation of GSM networks is that the GSM network is never authenticated by the GSM Mobile Station (MS).

This one-way authentication makes it possible for an attacker to pretend to be a GSM network provider.

Authentication in GSM

Home Location Register (HLR)
Visitor Location Register (VLR)
MS (Mobile Station)
AP (Access Point or Base Station)
MSC (Mobile Exchange Center)

GSM Authentication Protocol

[Figure: message sequence between MS, VLR and HLR]

1. IMSI
2. IMSI
3. IMSI, RAND, SRES, Kc
4. RAND
5. SRES
6. A5(Kc, TMSI)

Shown twice in the figure:
SRES = A3(Ki, RAND)
Kc = A8(Ki, RAND)
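
The exchange above, as an added example that is not part of the original slides. A3 and A8 are chosen by the operator, so HMAC-SHA256 truncated to 32 and 64 bits stands in for them here; the IMSI, Ki and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _prf(ki: bytes, rand: bytes, label: bytes, nbytes: int) -> bytes:
    # Stand-in keyed function (assumption): real networks use operator-chosen A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]


def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES = A3(Ki, RAND), 32 bits."""
    return _prf(ki, rand, b"A3", 4)


def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc = A8(Ki, RAND), 64 bits."""
    return _prf(ki, rand, b"A8", 8)


class HLR:
    """Home network: holds every subscriber's Ki and issues triples."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triples(self, imsi, count=5):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]  # 128-bit RAND
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]


class SIM:
    """Subscriber side: Ki never leaves this object."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        # The SIM answers any RAND it is given; nothing in the exchange lets
        # it check who sent the challenge (one-way authentication).
        return a3(self._ki, rand), a8(self._ki, rand)


class VLR:
    """Serving network: never sees Ki, only the triples."""

    def __init__(self, hlr):
        self._hlr = hlr
        self.unused = {}    # imsi -> triples not yet consumed
        self._pending = {}  # imsi -> (expected SRES, Kc) for the open challenge

    def challenge(self, imsi):                      # messages 1-4
        if not self.unused.get(imsi):
            self.unused[imsi] = self._hlr.triples(imsi)
        rand, sres, kc = self.unused[imsi].pop(0)   # take the first unused triple
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):                   # message 5
        expected, kc = self._pending.pop(imsi)
        return kc if hmac.compare_digest(expected, sres) else None


def attach(sim, vlr):
    """Run one authentication; return the shared Kc, or None on failure."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)
    kc_net = vlr.verify(sim.imsi, sres)
    return kc_ms if kc_net is not None and kc_net == kc_ms else None


if __name__ == "__main__":
    IMSI = "001010123456789"                 # constructed test-network IMSI
    hlr = HLR()
    hlr.provision(IMSI, bytes(range(16)))    # constructed 128-bit Ki
    vlr = VLR(hlr)
    print("genuine SIM:", attach(SIM(IMSI, bytes(range(16))), vlr).hex())
    print("wrong Ki   :", attach(SIM(IMSI, bytes(16)), vlr))
```

Only RAND and SRES cross the air interface; Ki stays in the SIM and the HLR, and Kc is derived independently on both sides.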

Let us talk about the algorithms used…

There are 3 main types:
A5 – A stream cipher used for encryption
A3 – An authentication algorithm
A8 – A key agreement algorithm

Of those, A3 and A8 are NOT specified in GSM. Yet they are used on some occasions.

So I pay more attention to A5 (A5/1, A5/2 and A5/3; the most famous and widely used one is A5/1)

Let us talk about A5/1

A5/1

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

Stream Cipher: In cryptography, a stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation. In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption.

A5/1 is used in Europe and the United States. It was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Both were initially kept secret. However, the general design was leaked in 1994, and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.

Description of A5/1

A GSM transmission is organized as sequences of bursts. In a typical channel and in one direction, one burst is sent every 4.615 ms and contains 114 bits available for information.

A5/1 is used to produce for each burst a 114 bit sequence of keystream which is XORed with the 114 bits prior to modulation.

A5/1 is initialized using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.

A5/1 can also be used for data encryptions in EDGE, in which case up to eight bursts are sent every 4.615 ms, each containing 348 data bits.

A5/1 is based around a combination of three Linear Feedback Shift Registers (LFSRs) with irregular clocking.

The three shift registers are specified as follows:

The bits are indexed with the least significant bit (LSB) as 0.

The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined.

A register is clocked if the clocking bit agrees with the majority bit. Hence at each step two or three registers are clocked, and each register steps with probability 3/4.

Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to the following scheme: in cycle , the ith key bit is added to the least significant bit of each register using XOR —

Each register is then clocked.

Similarly, the 22 bits of the frame number are added in 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114 bit sequences of output keystream, first 114 for downlink, last 114 for uplink.
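
The generator described above, as an added example rather than code from the slides. The register lengths, taps and clocking bits (the slide's register table did not survive) are the publicly documented A5/1 values, and key and frame bits are loaded in the order used by the public reference implementation (clock all three registers, then XOR the bit into bit 0); the key and frame number in the demo are that implementation's test inputs, and the function names are this example's own.

```python
# (length in bits, feedback tap positions, clocking bit) per register, bit 0 = LSB.
# Assumption: publicly documented A5/1 parameters, not taken from the slides.
REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


def _step(reg, length, taps):
    """Clock one LFSR: shift left, feed the XOR of the tap bits into bit 0."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb


def _clock_all(state):
    """Clock every register, ignoring the majority rule (used during loading)."""
    return [_step(r, n, taps) for r, (n, taps, _) in zip(state, REGS)]


def _clock_majority(state):
    """Stop/go clocking: step only registers whose clocking bit equals the majority."""
    cbits = [(r >> c) & 1 for r, (_, _, c) in zip(state, REGS)]
    maj = 1 if sum(cbits) >= 2 else 0
    return [
        _step(r, n, taps) if b == maj else r
        for r, b, (n, taps, _) in zip(state, cbits, REGS)
    ]


def a5_1_keystream(key: bytes, frame: int):
    """Return (first 114 keystream bits, last 114 keystream bits) for one frame."""
    if len(key) != 8:
        raise ValueError("Kc must be 64 bits")
    if not 0 <= frame < (1 << 22):
        raise ValueError("frame number must fit in 22 bits")
    state = [0, 0, 0]
    key_bits = [(key[i // 8] >> (i % 8)) & 1 for i in range(64)]
    frame_bits = [(frame >> i) & 1 for i in range(22)]
    for bit in key_bits + frame_bits:          # 64 + 22 loading cycles
        state = [r ^ bit for r in _clock_all(state)]
    for _ in range(100):                       # mixing cycles, output discarded
        state = _clock_majority(state)
    out = []
    for _ in range(228):                       # two 114-bit sequences
        state = _clock_majority(state)
        bit = 0
        for r, (n, _, _) in zip(state, REGS):
            bit ^= (r >> (n - 1)) & 1          # XOR of the three top bits
        out.append(bit)
    return out[:114], out[114:]


def pack_bits(bits):
    """Pack bits MSB-first into bytes (last byte zero-padded) for display."""
    buf = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        buf[i // 8] |= b << (7 - (i % 8))
    return bytes(buf)


def xor_bits(data, keystream):
    """Encrypt or decrypt one 114-bit burst (the same operation both ways)."""
    if len(data) != len(keystream):
        raise ValueError("burst and keystream must be the same length")
    return [d ^ k for d, k in zip(data, keystream)]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")     # reference test key
    first, last = a5_1_keystream(kc, 0x134)    # reference test frame number
    print(pack_bits(first).hex())
    print(pack_bits(last).hex())
```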

Graphical Notation of A5/1

Some Attacks on A5/1

Passive Ciphertext-Only Attack [1]
Biased Birthday Attack [2]
Random Subgraph Attack [2]

Possible Attack Scenarios

Attacks on A5 can be in the following forms: [1]
Call wire-tapping
Call Hijacking
Altering of SMS
Call theft – Dynamic Cloning

What I Propose?

(STREAM & BLOCK CIPHER) COMBINED ALGORITHM FOR DATA ENCRYPTION & DECRYPTION

Provides more security to data, making it hard to cryptanalyse the cipher text

Encryption procedure

Decryption procedure

My Next Step

Implementation of the above mentioned algorithm in a normal PC

Verify it is better than A5/1

Reference:

[1]

[2]

[3] Lecture Notes of Haojin Zhu and Xiaodong Lin of the Department of Electrical and Computer Engineering, University of Waterloo, Canada.

[4] Types & modes combined algorithm for data encryption and decryption by D.M.A.B Mailewa, T.D.B Weerasinghe, C.A Munasinghe, Piyal J. Perera of the Department of Computer Engineering, University of Peradeniya.

Thank You!