mobile telephony - radboud universiteit

Advanced Network Security

Mobile telephony

Joeri de Ruiter

2

Agenda

● Introducton● 2G / 3G / 4G

● Security– Authentcaton– Cryptography

● Eavesdropping● Privacy

● Tracking● A solutonn PPMSI

3

Telephony security

Sourcen htpn//sites.psu.edu/thedeepweb/2015/09/17/captain-crunch-and-his-toy-whistle/

4

Introducton

● Standards by ETSI and 3GPP● 2Gn GSPM (Global System for PMobile Communicaton)● 2.5Gn GPRS (General Packet Radio Service)● 3Gn UPMTS (Universal PMobile Telecommunicatons System)● 4Gn LTE (Long Term Evoluton)● 5G● About 8.5 billion connectons and 5 billion subscribers

5

2G (GSPM)

● 1G was analogue without any encrypton in place● 2G deployed in 1990s● 2G is digital and provides authentcaton and encrypton● Stll relevant for ICS/SCADA systems (e.g. ERTPMS)

6

GSPM-R

● Part of ERTPMS (European Rail Trafc PManagement System)● Used for communicaton between personnel as well as trains and track-side

equipment● Used, for example, to grant trains permission to drive on parts of the tracks

and to provide speed limits

7

Identiers

IPMEI (Internatonal PMobile Subscriber Identty)

IPMSI (Internatonal PMobile Subscriber Identty)● Home country● Home network● User

8

2G - Architecture

SIPM(Subscriber Identty PModule)

PME (PMobile Equipment)

MS (Mobile Staton)

Access Network

BTS(Base Transceiver Staton)

BTS(Base Transceiver Staton)

BSC(Base Staton Controller)

PMSC(PMobile Switching Center)

AuC(Authentcaton Center)

VLR(Visitor Locaton Register)

HLR(Home Locaton Register)

Gateways

PSTN and Internet

Core Network

9

2G - Architecture

● Visitor Locaton Register (VLR) keeps track of phones present in its area● PMapping between IPMSI and TPMSI

● Home Locaton Register (HLR) stores permanent informaton about subscribers

● Authentcaton Center (AuC) stores long-term shared secrets with SIPMs

10

2G - Authentcaton

● Authentcaton and Key Agreement (AKA)● Shared symmetric key K between SIPM and home network● Two algorithms, A3 and A8

● Can be determined by the provider

11

2G - Authentcaton

Identty request

Identty response, IMSIIMSI

RAND, XRES, CK

Retrieve K for IPMSIRAND ← {0,1}128

XRES ← A3(K, RAND)CK ← A8(K, RAND)

Authenticton request, RAND

Authenticton response, SRES

SRES ← A3(K, RAND)CK ← A8(K, RAND)

Verify XRES = SRES

Dctc enirypted with CK

12

Roaming

● Phone can use a network diferent than its providers network● Visited Network (VN) or Serving Network● Home Network (HN)

● Visitng Network requests authentcaton informaton from Home Network● Authentcaton informaton provided by Home Network● Visited Network performs authentcaton● Visited Network reports presence of phone

● Home Network informs previous network that phone lef● Home Network keeps track of the current locaton of its subscribers

● Necessary for, e.g., incoming calls

13

2G - Encrypton algorithms

● A5/0● No encrypton

● A5/1● Proprietary stream cipher

● A5/2● Weaker cipher for export

● A5/3● KASUPMI, a block cipher based on PMISTY

– Used with 64 bit keys

14

3G (UPMTS)

● 3G (UPMTS) introduced in 2001● Algorithms used for encrypton and PMACs

● KASUPMI (128 bit key)● SNOW 3G, stream cipher by Lund University

● PMutual authentcaton

15

3G - Architecture

USIPM(Universal Subscriber Identty PModule)

PME (PMobile Equipment)

MS (Mobile Staton)

Access Network

Node B

Node B

RNC(Radio Network Controller)

PMSC(PMobile Switching Center)

AuC(Authentcaton Center)

VLR(Visitor Locaton Register)

HLR(Home Locaton Register)

Gateways

PSTN and Internet

Core Network

16

3G - AuthentcatonIdentty request

Identty response, IMSIIMSI

RAND, AUTN, XRES, CK, IK

Retrieve K and SQN for IPMSIRAND ← {0,1}128

PMAC ← f1(K,SQN,APMF,RAND)XRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)AK ← f5(K,RAND)AUTN ← (SQN XOR AK,APMF,PMAC)Update SQN ← SQN + 1

Authenticton request, RAND, AUTN

Authenticton response, SRES

AK ← f5(K,RAND)XSQN ← (SQN XOR AK) XOR AKXPMAC ← f1(K,XSQN,APMF,RAND)Verify XPMAC = PMACVerify SQN <= XSQN <= SQN + rangeUpdate SQN ← XSQNSRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)

Verify XRES = SRES

Dctc enirypted with CKcnd cuthenticted with IK

17

3G - Authentcaton

● Functons f1 to f5 not standardised● Only used by SIPM card and provider’s authentcaton server

● Recommendaton for f1 to f5 is to use Rijndael

18

4G (LTE)

● 4G (LTE) introduced in 2010● Almost 90% coverage reported by Open Signal in February 2018

● Algorithms used for encrypton and PMACs● SNOW 3G● AES

● Cell towers are assumed to be smarter● Separaton between signal and data channel

● Signal channel encrypted between phone and core network● Data channel encrypted between phone and cell tower● Possible to perform handover directly between cell towers

19

4G - Authentcaton

● Authentcaton protocol the same as 3G● PMore elaborate key hierarchy

● Reduce tmes necessary to execute (slow) AKA protocol● Cell towers get their own keys● PMechanisms to protect against compromise of cell towers

20

Cell tower

4G – Key hierarchy

K

CK, IKAKA

KASPMEID of Visitng Network

KeNB

Signal data keys

User data keys

Home network

Visitnn network

21

4G - Handover

● Handover between cell towers can be done without interference of backend● Key update mechanisms to provide forward and backward security

● Only involving cell towers provides backward security● Involving backend also provides forward security

● SIPM and backend generate the Next-hop parameter (NH)● Based on a shared secret and counter

22

4G – Key derivaton

KeNBKASPME

NH

KeNB

NH

KeNB KeNB

Cell info Cell info

KeNB KeNB KeNB

Cell info Cell info Cell info

KeNB KeNB KeNB

Cell info Cell info Cell info

NCC = 1

NCC = 2

23

Authentcaton comparison

Sourcen PMobile communicaton security, Fabian van den Broek, 2016

24

Eavesdropping

● Diferent approaches● Passive● Actve (i.e. with a man-in-the-middle)

● Works mainly well with 2G● Only authentcaton of the phone● Weak or no encrypton supported

● Ofen fallback to 2G is possible

25

Run your own network

● Possible using a Sofware Deined Radio (SDR) and open source sofware (e.g. OpenBTS)

● Pretend to be your victms network and get them to connect to you● E.g. by jamming or providing a stronger signal

26

PMan-in-the-middle (2G)

Identty request

Identty response, IMSI

Authenticton request, RAND

Authenticton response, SRES

SRES ← A3(K, RAND)CK ← A8(K, RAND)

Unenirypted dctc VoIP

● Use A5/0 (no encrypton)● Forward calls via VoIP

● No incoming calls

27

PMan-in-the-middle (2G)

Identty request

Identty response, IMSI

Authenticton request, RAND

Authenticton response, SRES

SRES ← A3(K, RAND)CK ← A8(K, RAND)

Dummy dctc (A5/2)

Retrieve key CK

Authenticton response, SRES

Dctc (A5/3)Dctc (A5/2)

Identty request

Identty response, IMSI

Authenticton request, RAND

Instant Ciphertext-Only Cryptanalysis of GSPM Encrypted Communicaton, Barkan et al., 2010

28

Eavesdropping

● Complete solutons available for governmental organisatons

29

Interceptng signals

● Again using Sofware Deined Radios (SDR) and open source sofware (e.g. AirProbe)

30

Interceptng signals

● Problemn channel hopping● Solutonn multple or more powerful radios

31

Cracking A5/1

● Weak algorithm● First atack publicly described by Anderson in 1994● PMany more research since then

● A5/1 is a stream cipher, so if you have known plaintext you have part of the keystream

32

Cracking A5/1

● Rainbow tables available to quickly retrieve used key● Known as Berlin tables● Released in 2010● Around 2TB● Probabilistc● Limited amount of known plaintext necessary

● Shortly aferwards the tool Kraken was released that could use these tables to crack GSPM trafc

33

Cracking A5/2

● A5/2 was purposefully weak for export● Can be cracked in seconds

● Barkan et al., 2010● No longer allowed in new phones since 2007

34

Cracking A5/3

● Atack published Dunkelman et al. in 2010● Theoretcal atack that might not be practcal● KASUPMI weaker than PMISTY on which it is based

35

SS7

● Signaling System 7● Used in the core network and to communicate between providers

● For example, used to exchange authentcaton requests, send locaton updates and deliver SPMS messages

● From an era where providers trusted each other...● Originally when sending an SPMS

● Ask Home Network current network of phone (i.e. country and provider)● Send SPMS directly to the phone’s current network

● Fixed when using Home Routng● Home Network delivers the SPMS

● PMight enable interceptng for 3G

36

37

Privacy

● IPMSI catchers (a.k.a. StngRay) can be used to● Track users● PMonitor locatons● Link identtes to devices

● Can pretend to be a base staton to get to phones to connect and learn the IPMSI

Sourcen U.S. Patent and Trademark Ofce / AP Photo

38

Privacy

● IPMSI is always provided upon request● No protecton provided by mutual authentcaton

● TPMSI introduced to provide some anonymity● Temporary PMobile Subscriber Identty● Can be used instead of IPMSI● Provided by the visited network to the phone under encrypton● Should only be used for one locaton

● Can we stll trace users?

39

Allocaton of TPMSI

Eni(CK, TMSI Reclloicton, newTMSI)

Eni(CK, TMSI Reclloicton iompleted)

Discard oldTPMSIStart using newTPMSI

Discard oldTPMSIStart using newTPMSI

40

TPMSI reallocaton atack

Eni(CK, TMSI Reclloicton, newTMSI)

Eni(CK, TMSI Reclloicton iompleted)

Discard oldTPMSIStart using newTPMSI

Discard oldTPMSIStart using newTPMSI

Record TPMSI Reallocatoncommand

Eni(CK, TMSI Reclloicton, newTMSI)

Replay TPMSI Reallocatoncommand

Eni(CK, TMSI Reclloicton iompleted)

New session with same keys

41

TPMSI reallocaton atack

● Atack presented by Arapinis et al.● Atacker records an encrypted TPMSI allocaton command● Replay the recorded command later to distnguish victm’s phone from others

● As long as the same keys (CK and, optonally, IK) are used● Only victm’s phone will respond to the encrypted command

● Other phones will ignore it as decrypton fails● PMainly a theoretcal atack

42

3G linkability atack

● Atack presented by Arapinis et al.● Atack on 3G’s AKA protocol● Uses the fact that diferent error messages are used for

● PMAC failure● Invalid sequence number

43

3G linkability atack

Identty request

Identty response, IMSI

Authenticton request, RAND, AUTN

Authenticton response, SRES

Record RAND, AUTN

Authenticton request, RAND, AUTN

Error, Syni_Fcil

Error, MAC_Fcil

orSame phone

Diferent phone

44

Defeatng IPMSI catchers

● TPMSI does not provide enough protecton● IPMSI can be requested without authentcaton or encrypton● Visited network always learns the IPMSI● IPMSI is needed to determine the provider and retrieve the shared key

● How can we protect against the intercepton of IPMSIs?● Introduce a new identiern a temporary pseudonym PPMSI

– Provided by the home network● Works with minimal modiicaton to the current standards

– IPMSI catching stll possible, but less interestng● Additonal beneitn mutual authentcaton for 2G● Considered for inclusion in one of the 5G proposals

45

Defeatng IPMSI catchers

● PPMSI is shared between the SIPM and provider● Same structure as IPMSI

● First part identies the country and provider● Last part identies the user

● PPMSI is used instead of IPMSI and is regularly updated● How do we get the PPMSI to the SIPM?

● Hijack the RAND variable

46

3G / 4G - AuthentcatonIdentty request

Identty response, IMSIIMSI

RAND, AUTN, XRES, CK, IK

Retrieve K and SQN for IPMSIRAND ← {0,1}128

PMAC ← f1(K,SQN,APMF,RAND)XRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)AK ← f5(K,RAND)AUTN ← (SQN XOR AK,APMF,PMAC)Update SQN ← SQN + 1

Authenticton request, RAND, AUTN

Authenticton response, SRES

AK ← f5(K,RAND)XSQN ← (SQN XOR AK) XOR AKXPMAC ← f1(K,XSQN,APMF,RAND)Verify XPMAC = PMACVerify SQN <= XSQN <= SQN + rangeUpdate SQN ← XSQNSRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)

Verify XRES = SRES

Dctc enirypted with CKAnd cuthenticted with IK

47

3G / 4G - PPMSI (simpliied)Identty request

Identty response, PMSIPMSI

RAND, AUTN, XRES, CK, IK

Retrieve K, KP and SQN for PMSIPMSI’ ← {0,9}10

RAND ← F(KP,PMSI’,SQN)...

Authenticton request, RAND, AUTN

Authenticton response, SRES

…PMSI’, SQN’ ← F-1(KP,RAND)Verify SQN’ = XSQNUpdate PMSI ← PMSI’

Verify XRES = SRES

Dctc enirypted with CKAnd cuthenticted with IK

48

2G - Authentcaton

Identty request

Identty response, IMSIIMSI

RAND, XRES, CK

Retrieve K for IPMSIRAND ← {0,1}128

XRES ← A3(K, RAND)CK ← A8(K, RAND)

Authenticton request, RAND

Authenticton response, SRES

SRES ← A3(K, RAND)CK ← A8(K, RAND)

Verify XRES = SRES

Dctc enirypted with CK

49

2G – PPMSI (simpliied)

Identty requestIdentty response, PMSI PMSI

RAND, XRES, CK

Retrieve K. KP, SQN for PMSIPMSI’ ← {0,9}10

M ← MAC(KP,PMSI’, SQN)RAND ← F(KP,PMSI’,SQN,M)Update SQN ← SQN + 1...

Authenticton request, RAND

Authenticton response, SRES

PMSI’, SQN’, M’ ← F-1(KP,RAND)M ← MAC(KP,PMSI’,SQN’)Verify M = M’Verify SQN < SQN’Update SQN ← SQN’PMSI ← PMSI’...

Verify XRES = SRESDctc enirypted with CK

50

Defeatng IPMSI catchers

● All values it within current lengths of used variables● No modiicaton of messages needed

● Can be implemented by a single provider● Only changes needed in SIPM and authentcaton server

● Actually two PPMSIs stored in SIPM and at provider● Current PPMSI● Next PPMSI

– Once used promoted to current PPMSI and fresh next PPMSI generated● PMAC prevents desynchronisaton atacks in 2G soluton

51

Further actvites

● Read chapters 2 and 3 ofnPMobile communicaton securityFabian van den BroekPhD thesis, 2016

● Optonal readingnDefeatng IPMSI CatchersFabian van den Broek, Roel Verdult and Joeri de Ruiter22nd ACPM SIGSAC Conference on Computer and Communicatons Security (CCS'15), ACPM, 2015

Analysis of privacy in mobile telephony systemsMyrto Arapinis, Loreta Ilaria Mancini, Eike RiterMark D. RyanInternatonal Journal of Informaton Security, October 2017