Outline

§ CellularNetworkArchitecture

§ SecurityRequirements

§ Authenticationin1Gto4G

§ Issuesrelatedtoauthentication

§ Conclusion

Slide 2

Note:SomeresourcesinthispresentationareusedfromthecourseIusedtoteachatTUBerlinwithProf.Jean-PierreSeifert.

SIM– pillarforauthentication

§ SubscriberIdentityModule

§ UniversalIntegratedCircuitCard(UICC)§ InGSM,refersasSIM§ InUMTSsystem,runsUSIMsoftware(entirecardisnottheUSIM)

§ Supportsdifferentsoftwaremodules:ISIM(IMS),CSIM(CDMA)

§ R-UIM(RemovableUserIdentityModule)- CDMAsystem

Slide 3

Hardware/OS

§ Hardwareistypicallyasmartcardpunchout (25x15mm)§ UICCcontainsCPU,ROM,RAM,EEPROM,andI/Ocircuits

§ SIMoperatingsystemsareeitherproprietaryorJavaCard

§ JavaCardiscommonlyfoundonbothSIMsandATMcards§ UsesasubsetoftheJavalanguage§ Optimizedbyte-codeformat§ Appletsare“firewalled”fromoneanother

Slide 4

SIMData(1)

§ IntegratedCircuitCardID(ICC-ID)(akaSIMSerialNumber-SSN)

§ UniquelyidentifiesaSIMcard(hardware)§ ConformstoISO/IEC7812(19-20digits)

§ InternationalMobileSubscriberIdentityModule(IMSI)§ Uniquelyidentifiesthemobilesubscriber(15digits,ITUE.212standard)

§ MCC(3digits),MNC(2or3digits),MSIN(9or10digits)§ AuthenticationKey(Ki)

§ Keysharedwithprovider§ NeverleavestheSIMinanycomputation

§ authenticationalgorithmsperformedon-chip

Slide 5

SIMData(2)

§ LocationAreaIdentity(LAI)§ Storesthelastknownlocationarea(savestimeonpowercycle)

§ AddressbookandSMSmessages§ Highercapacityinmoreadvancedcards§ Haveyouseen“Inboxfullmessage”inoldphones?

§ Andmore...§ SMSCnumber§ ServiceProviderName(SPN)§ ServiceDialingNumbers(SDN)§ value-added-services

Slide 6

CurrentSIMarchitecture

Source:ofcom

Slide 7

SIMApplicationToolkit

§ Beforesmartphonesbecamepopular,theSIMApplicationToolkit(STK)wasapopularmethodofdeployingapplicationsonmobilephones

§ Allowedformobilebankingapplications(andothervalueaddedservices)torunofftheSIM(nohandsethardware/OSdependence)

§ CommonlywritteninJava(forJavaCard)usingpredefinedcommands(applicationsaremenudriven)

§ SenddatatoremoteapplicationusingSMS§ OTAupdatemethodwereeventuallyincorporated

§ STKinUMTSdefinedastheUSIMApplicationToolkit(USAT)-3GPPTS31.111,securityis3GPPTS23.048

§ WillnewmobilephoneOSesmakeSTKandUSATobsolete?

Slide 8

SIMCardReaders

§ SIMcardscanbeconnectedtoaPCforvariouspurposes

§ SIMcardreadersarecheap(~$10-20)orbuildyourself§ Provideaserial(TTY)interface(DB9orUSB)

§ Allowsyouto:backupcontactsandSMS,seelistofpreviouslycallednumbers,probekeyingdatatoextractKi ...

§ FrequentlyusedforForensics§ SeeNIST“GuidelinesonCellPhoneForensics”,SpecialPub800-101

§ IncludeslistofSIMtools

Slide 9

LockingSIMandUSSDcodes

§ TheSIMcardrestrictsaccessusingtwoPINs(4-8digits)§ PIN1:Ifset,thePINisrequiredtomakecalls§ PIN2:Protectscertainnetworksettings

§ WhathappensifyouforgetyourPIN?§ Commonly,threefailedattemptslockstheSIM

§ WhatarethewaystounlockSIM?USSDattackstory?

§ UnlockingalockedSIMcard§ PersonalUnblockingCode(PUC)orPersonalUnblockingKey(PUK)§ Commonlyacquiredfromthenetworkprovider§ TenfailedattemptsoftenpermanentlylockstheSIM

Slide 10

SecurityinSIMcards

§ IdentityandAccesscontrol(IMSI,PINcode)

§ Authentication tonetworkoperator(Ki,A3)

§ Confidentiality (Kc,A8)

§ Anonymity(TMSI)

§ SIMapplicationtoolkit

Slide 11

SIMCloning§ SIMCloningistheprocessofextractingKifromoneSIMcardandwritingitontoanother.

§ Itlessfrequentlythanbeforeduetoupdatesincryptoalgorithmsandauthenticationprotocols,butisstillpossibleinsomecases.

§ Manysoftwareandhardwareclonersexist

§ Whyclone?- stealservice,forensics,SIM/networklockcircumvention,noteavesdropping(butknowingKi helps)

§ NetworkcandetectclonedSIMs;protectionsvary§ Simultaneouscallscannotoccur§ CannetworkdetecttheclonedSIMcard?§ WhogetstheSMSincaseofcloning?

Slide 12

PowerAnalysis

§ SIMcardsaresmartcards,therefore,theyarealsovulnerabletopoweranalysisattacks(requiresspecialequipment).

§ Hardwareimplementationscausepowerconsumptionofthechiptobecomeaside-channeltodeterminethekeyusedtoperformsomecryptographicalgorithms.

§ SeeworkbyKocheretal.(DifferentialPowerAnalysis)

§ GoalistorecoverKifromtheanalysis

Slide 13

Securityattacks

� SIMCloning(1998)§ Comp128algorithmleaked§ Reverseengineered&cryptanalyzed

� SIMtoolkitattacks§ FuzzingSMS§ SendpremiumSMS

� CrackingSIMUpdatekeys§ RecoverDESOTAkeys§ Singedmaliciousappletswithkey

Slide 14

ChangingTelcoworld

§ Goalachievedinlat 25years- “billionsusersconnectingeverycontinent”

§ Nextgoal- “Connectingbillionsofdevices(m2mdevices,vehicles,IoT

devices)”

§ SIMtoUSIMtoeSIM

§ EmbeddedSIMvsSoftSIM

§ Newsecurityarchitecture

Slide 15

EmbeddedSIM

� DesignedforM2Mdevices

� Non-removable

� NoSoft/virtualSIM

� Newsecuritystandard

� Nochangeinauthentication/encryptiontotheoperator

� Securityarchitectureforremoteprovisioning

Slide 16

2G,3Gand4GArchitecture

Slide 17

Network Components (GSM)

§ HLR stores records of all mobile subscribers

§ MSC/VLR connect wired and wireless components of the network and responsible handoffs

§ BS communicate with mobile devices over radio link

§ MS is a subscriber’s mobile device

Slide 18

HLR

§ Storesrecordsofmobilesubscribersandtheircurrentlocationservingarea

§ AuthenticationCenter(AuC)§ InternationalMobileSubscriberIdentity(IMSI)ofallsubscribers§ Storescryptokeys(Ki)andperformsoperationsforauthentication

§ Devicelevelauthentication§ EquipmentIdentityRegister(EIR)

§ Includesablacklist(e.g.,forstolenphones)§ InternationalMobileEquipmentIdentity(IMEI)identifiesamobiledevice

Slide 19

MSCandVLR

§ TheMobileSwitchingCenter(MSC)deliverscircuitswitchedtelephonytrafficwithinthecellularnetwork

§ GatewayMSCisthetermgiventoanMSCbridgingthecellularnetworkandanothernetwork,e.g.,PublicSwitchedTelephoneNetwork(PSTN)oranothercellularnetwork.

§ ServingMSCisthetermgiventoanMSCcurrentlyservinganMS§ TheMSCalsoassistshandoffsbetweenbasestationsandbilling

§ TheVisitorLocationRegister(VLR)cachesinformationfromtheHLRforfastlookupbyanMSC

§ AparticularVLRmayservemultipleMSCcomponents(notalways)§ TheVLRstores“triplets”fromHLR(forauthentication)

Slide 20

BSS

§ BaseStationSubsystem(BSS)linksmobiledevicestothecorenetworkandconsistsof

§ BaseTransceiverStation(BTS):thetransmissionradio(multipledirectionalantennasdividingthecellintosectors)

§ BaseStationController(BSC):intelligenceforradios(includeschedulingandencryption),controllingoneormoreBTSs

§ GenerallyreferredasbasestationandoftengroupedintoLocationAreas(LAs)correspondingtogeographicregions

§ DevicescanmovebetweenbasestationsinanLAwithoutre-registering (handover)

Slide 21

PhoneRegistration

Slide 22

3GArchitectureandComponents

Slide 23

3GArchitectureandComponents(Simplified)

Slide 24

4GArchitecture

Slide 25

Authenticationin1G,GSM,3G

Slide 26

Authenticationin1Gnetworks

§ Noauthentication

§ Noencryption

§ Whatarepossiblethreats?

Slide 27

Source:Ericsson

PhoneAuthentication(GSM)

§ threealgorithms(basedon128-bitkey,Ki)§ A3- Authentication§ A8- Generatescipherkey§ A5- Cipheringdata

§ VLRretrievestripletsfromHLR(AuC)§ RAND- randomchallenge§ SRES- expectedresponse§ [SRES=A3(Ki,RAND),32bits]§ Kc - correspondingcipherkey§ [Kc =A8(Ki,RAND),64bits]

§ OnlytheHLRandSIMcardknowKi

Slide 28

SecurityissuesinGSM

§ IMSIistransferredinplaintext

§ IMEIcanberequestedinplaintextandnotauthenticated

§ Nomutualauthentication

§ Encryptionendsatthebasestation

Slide 29

Authentication/EncryptioninGSM

A3

MobileStation RadioLink GSMOperator

A8

A5

A3

A8

A5

Ki Ki

ChallengeRAND

KcKc

mi EncryptedData mi

SIM

Signedresponse(SRES) SRESSRES

Fn Fn

Authentication:areSRESvaluesequal?

Slide 30

AuthenticationandKeyAgreementinUMTS

Slide 31

AKAprotocolissue

Slide 32

Source:Arapinis M,ManciniL,RitterE,RyanM,Golde N,RedonKandBorgaonkarR(2012), "NewPrivacyIssuesinMobileTelephony:FixandVerification",In

Proceedingsofthe2012ACMconferenceonComputerandcommunicationssecurity.,pp.205-216

SecurityissuesinUMTS

§ IMSIistransferredinplaintext

§ IMEIcanberequestedinplaintextandnotauthenticated

§ EncryptionendsatRNCbutstillnotendtoend

§ Privacyissue– allowstrackingofsubscribers

Slide 33

Authenticationin4G

Slide 34

NeedofLTENetworks

§ Higherdatarates

§ upto 100Mbps

§ Highlevelofsecurity

§ strongerthanGSM/3G§ Enhancedqualityofservice

§ Capabilitiesforinternetworkingwithnon3GPPsystems(for

exampleWiMAX)

Slide 35

LTE/SAENetworks

§ RadionetworkE-UTRANwithanewradiointerface

§ FlatIPbasedcorenetworkEPC

§ E-UTRAN:EvolvedUniversalTerrestrialRadioAccessNetwork)§ EPC:EvolvedPacketCore§ LTE:LongTermEvolution§ SAE:SystemArchitectureEvolution

Slide 36

LTESecurityFeatures

§ Reuseof3GAKA

§ Reuseof3GUSIM(2GSIMisnotallowed)

§ Extendedkeyhierarchy

§ Tokeepsecuritybreacheslocal

§ Morecomplexinternetworkingsecurity

§ AdditionalsecurityforeNodeB (comparedtoNBin3GandBTS

inGSM)

Slide 37

LTENetworkArchitecture

Source:ETSIpresentation,CharlesBrookson – ChairmanETSIOCGSecurity

Slide 38

NewNetworkComponents

§ MME– MobileManagementEntity§ Keycontrolnode§ Userauthentication,autherization,NASsignalling,lawfulinterception

etc.

§ eNB§ Radioresourcemanagement§ IPheadercompressionandencryption

§ ServingGateway§ Routesandforwardsuserdatapackets§ Actsasanchorformobillity betweenLTEandothersystems.

Slide 39

Rolesofcomponents

Source:Artiza Networks

Slide 40

AuthenticationandKeyAgreement

Slide 41

LTEAKAprotocol(simplified)

ME+UICC MME HSS

GenerateAV

IMSI,SNid

RAND,XRES,AUTNKASME

RAND,AUTN

VerifyAUTNComputeRES RES

RES≠XRES

ComputeKASME

Authenticationandkeyestablishment

DistributionofAVfromHSStoMME

Slide 42

KeyHierarchy

Slide 43

MotivationforKeyHierarchy

§ Cryptographickeyseparation

§ Keysfromonecontextcannotbeusedinother

§ Keyrenewal

§ Minimizedistributionofsamesecretkeyelements

§ Keyfreshnessisimportantforsecuredsystems

Slide 44

SecurityAlgorithms§ Twosetsofalgorithms– whatIfonebreaksup,otheroneasbackup§ AESandSnow3Galgorithmsarechoosen§ Botharekeptpossiblydifferent,crackingofonealgorithmsshouldnot

revealotherone§ IntegrityAlgorithms

§ 128-EIA1Snow3G§ 128-EIA2AES

§ CipheringAlgorithms§ 128-EEA1Snow3G§ 128-EEA2AES

§ Keysize128bitbutpossibilityofextendingto256bits§ ThirdsetbasedonChineseZUCalgorithmisdeveloped

Slide 45

Attacksin2G,3G,and4G

Slide 46

Securityevolutioninmobilenetworks

Base Station

Phone

nomutualauthentication

mutualauthenticationintegrityprotection

mutualauthenticationdeepermandatoryintegrityprotection

2G

3G

4G

decidesencryption/authenticationrequestsIMSI/IMEI

Slide 47

Securityaspects

Authentication

AvailabilityConfidentialityIntegrity

Slide 48

Securityaspectsandattacks

Authentication

AvailabilityConfidentialityIntegrity

FakeBTS

DoSInterceptionTracking

Securitytradeoffsplayessentialroleinprotocoldesign.

Slide 49

Lowcostattackinginfrastructure

§ 2G/3G/4G*networksetupcost<1000USD§ Opensourcesoftware&hardware§ USRP,Osmocom,OpenBTS,OpenLTE,etc

§ IMSIcatcherdeviceproblem

§ Targetedattacksfromillegalactors

§ Almostnodetectioncapabilitiesfortheend-users

Slide 50

Emergingattackexamples

Slide 51

IMSIcatchers(1)

• Exploitweaknessinauthenticationmethods

• Locationtrackingandinterception

• Protectionfor‘activeattacks’notconsidered

• Lackofsecurityindicatorimplementation

Slide 52

ImplementationissuesonRAN

FromTS124.008v11.8.0:IfMACfailure,thenphoneshouldnotcommunicationwithBTS(2G)Tablefromthepaper“ImplementinganAffordableandEffectiveGSMIMSICatcherwith3GAuthentication”

Slide 53

3GAKAvulnerability(2)

• LinkabilityattackbyArpanisetal

• Affectsin4Gaswell

Slide 54

3GPPSpecificationissues

•RRCprotocol– 3GPPTS36.331

•‘UEMeasurementReport’messages

•Necessaryforhandovers&troubleshooting

•Noauthenticationformessages

•Reportsnotencrypted

Slide 55

Vulnerabilitiesinthefeature

activeattacker

SendmeMeasurement/RLFreport

Specification

UEmeasurementreports– Requestsnotauthenticated– Reportsarenotencrypted

Implementations

RLFreports– Requestsnotauthenticated– Reportsarenotencrypted– Allbasebandvendors

Slide 56

4GFeature:MobilityManagement

TrackingAreaUpdate(TAU)procedure§ DuringTAU,MME&UEagreeonnetworkmode(2G/3G/4G)

§ “TAUReject”usedtorejectsomeservicesservices(e.g.,4G)toUE

Specificationvulnerability:Rejectmessagesarenotintegrityprotected

EMMprotocol– 3GPPTS36.331

Slide 57

3GPPSpecificationissues

• EMMprotocol– 3GPPTS36.331

• ‘TrackingAreaUpdateReject’messages

• NecessaryforUEmobility

• Nointegrityprotectionforrejectmessages

• Recoverymechanismnoteffective

Slide 58

PracticalAttackswithlowcosttools

Slide 59

LocationLeaks:trackingsubscribercoarselevel

Semi-passiveAttacker(TA/cell)

paging

Target

Target

LocationAccuracy:2Sq.Km

MappingGUTItoSocialIdentity

Slide 60

DoSAttacks

• Downgradetonon-LTEnetworkservices(2G/3G)

• Denyallservices(2G/3G/4G)

• Denyselectedservices(blockincomingcalls)

• GSM– IMSIdetach,RACHflood

• FloodingDOSattackstowardsHLR

• Jammingattacks

Slide 61

Tradeofbetweensecurityand

• Performance

• Availability

• Functionality

• Attackingcost

Reasons for differentvulnerabilities

Slide 62

5G Networks Perspective

Authentication

Asymmetric keysforIMSI

protection

Improve AKAprotocols

Availability

Removeunnecessary

protocolmessages

Effectiverecoverymechanisms

Slide 63

5G Networks Perspective

Confidentiality&Integrity

EncryptionIndicators& APIs

DynamicPolicies

Slide 64