Idea Transcript
Network Security: Cellular Security Ravishankar Borgaonkar / Tuomas Aura T-‐110.5241 Network Security Aalto University, Autumn 2015
Outline !
Cellular networks and threats
!
2G/GSM Security & piJalls
!
3G/UMTS Security
!
3G/UMTS AKA and session protocols
!
4G/LTE improvements
2
Cellular networks
History !
GSM (2G) ! !
! !
!
Groupe Spéciale Mobile (GSM) founded in 1982 Standardized by European TelecommunicaWon Standards InsWtute (ETSI) Renamed Global System for Mobile CommunicaWons (GSM) First Release in 1990, GPRS (2.5G) in 1997
UMTS (3G) ! !
! !
!
Universal Mobile TelecommunicaWons System (UMTS) Standardized by the 3rd GeneraWon Partnership Project (3GPP) formed by ETSI and Japanese, Korean and Chinese standards bodies First Release 1999, including the new security architecture High-‐Speed Downlink Packet Access (HSDPA) standardized in 2001; came into wide use in 2007-‐8 LTE (4G networks) standardized in 2009 4
Cellular networks ! ! !
Complex inter-‐connected systems 6 Billon+ subscribers use for essenWal services Provides voice, video,& data services
Base Stations
Mobile Switching Centre Source: GSMA
5
Different stakeholders ! ! ! ! !
cellular network providers user equipment vendors infrastructure & support services content, applicaWons, and other services standard organizaWons
6
Threats against cellular networks Discussion: What are the threats? ! Charging fraud, unauthorized use ! Charging disputes ! Handset cloning (impersonaWon ahack) → mulWple handsets on one subscripWon → let someone else pay for your calls
! ! ! ! ! ! !
Voice intercepWon → casual eavesdropping and industrial espionage LocaWon tracking Call and locaWon data retenWon Handset thek Handset unlocking (locked to a specific operator) Network service disrupWon (DoS) What about integrity? 7
1G networks ! ! ! !
TransformaWon from Military to commercial usage Nordic Mobile Telephone system (NMT) in northern Europe Advanced Mobile Phone system (AMPS) in the USA Consist of mobile staWons (in car), base staWons & telephone switch
Source: Ericsson
8
Security in 1G networks ! ! !
No authenWcaWon No encrypWon What are possible threats?
Source: Ericsson -‐ hhp://www.ericssonhistory.com/products/mobile-‐telephony/MTX-‐-‐the-‐first-‐mobile-‐switch/
9
GSM security (2G) We’ll start with the GSM protocol because its is so simple. It is easier to understand the 3G security protocol by following the historical development. Besides, the networks and phones are still backward compatible.
GSM authenBcaBon Ki
Ki MS = ME + SIM
BS
MSC/VLR
IMSI or TMSI
HLR/AuC IMSI SRES = A3 (Ki, RAND) Kc = A8 (Ki, RAND)
!
On or more authentication triplets: < RAND, SRES, Kc > Challenge: RAND RES = Kc =
A3 (Ki, RAND) A8 (Ki, RAND) Response: RES RES = SRES ? Kc
Encryption with Kc TMSI
11
GSM authenBcaBon Alice-‐and-‐Bob notaWon: 1. Network → MS: RAND 2. MS → Network: A3 (Ki, RAND) Ki = shared master key between SIM and AuC Kc = A8 (Ki, RAND) = session key Aker authenWcaWon, BS asks mobile to turn on encrypWon on the radio interface
!
!
! !
Kc is generated in the SIM, used by the mobile equipment EncrypWon: A5 cipher with the key Kc
12
GSM security ! !
Mobile authenWcated → prevents charging fraud EncrypWon on the air interface
→ No casual sniffing → EncrypWon of signalling gives some integrity protecWon
! ! !
Temporary idenWfier TMSI used instead of the globally unique IMSI TMSI → not easy to track mobile with a passive radio Hash algorithms A3, A8 can be replaced by home operator !
!
EncrypWon algorithm A5 implemented in the phone and BS !
!
AuC and SIM must use the same algorithms Many versions of the algorithm
Non-‐protocol features: !
!
Subscriber idenWty module (SIM) is separate from the handset → Flexibility → Thiefs and phone unlockers don’t even try to break the SIM InternaWonal mobile equipment idenWty (IMEI) to track stolen devices 13
GSM security issues ! ! !
No mutual authenWcaWon -‐ Mobile authenWcated but not network AcWve ahacks not considered (fake base staWon problem) Weak crypto algorithms (A5/1, A5/2) ! !
! !
Secret and weak Comp128 -‐ SIM cloning Smaller key size -‐ 64 bits
EncrypWon ends early on base staWons Plaintext communicaWon within and between networks 14
UMTS improvements over GSM !
RAN separate from CN !
! ! !
EncrypWon endpoint moved from BS to RNC Mutual authenWcaWon protocol AKA Support for mulWple service domains !
! !
Roles of radio-‐network operator and service operator separated
Circuit-‐switched, packet-‐switched, mulWmedia, WLAN
ProtecWon of core-‐network signalling Security indicator to user (e.g. encrypWon off) !
Implemented early 3G handsets, maybe not in new ones? 15
UMTS (3G) network ! ! ! ! !
! !
Based on the earlier GSM architecture User equipment (UE) i.e. terminal = mobile equipment (ME) + universal subscriber idenWty module (USIM) UMTS terrestrial radio access network (UTRAN) = radio network controller (RNC) + base staWons (Node B = BS) Core network = mulWple service domains + home locaWon register 3GPP Release 8 specifies an all-‐IP network for signalling and data, replacing old SS7 telephony signalling network Circuit-‐switched (CS) domain for voice Packet-‐switched (PS) domain for IP data 16
UMTS architecture UMTS terrestrial radio network (UTRAN)
Core network CS domain
Base station BS = Node B
Radio network controller RNC
Terminal BS
Mobile switching center MSC / Visitor location register VLR
Public switched telephone network PSTN
MSC
Home location register HLR / Authentication center AuC
MSC
PS domain Internet BS
Serving GPRS support node (SGRN) IMS domain etc.
17
Security architecture ! ! !
Home locaWon register (HLR) of the subscriber’s home operator keeps track of the mobile’s locaWon Visitor locaWon register (VLR) keeps track of roaming (visiWng) mobiles at each network SIM card has a globally unique internaWonal mobile subscriber idenWfier (IMSI) !
!
Shared key between SIM and authenWcaWon center (HRL/ AuC) at the home network !
!
!
Shorter, temporary idenWfier TMSI allocated by the current network
Only symmetric cryptography
VLR of the visited network obtains authenWcaWon tuples (triplets in 2G) from AuC of the mobile’s home network and authenWcates the mobile Main goals: authenWcaWon of the mobile for charging purposes, and encrypWon of the radio channel
Counters for freshness
Using counters for freshness !
!
! !
Simple shared-‐key authenWcaWon with nonces: 1. A → B: NA 2. B → A: NB, MACK(Tag2, A, B, NA, NB) 3. A → B: MACK(Tag3, A, B, NA, NB) K = master key shared between A and B SK = h(K, NA, NB) Using counters can save one message or roundtrip: 1. A → B: 2. B → A: NB, SQN, MACK(Tag2, A, B, SQN, NB) 3. A → B: MACK(Tag3, A, B, SQN, NB) SK = h(K, SQN, NB) Another benefit: B can pre-‐compute message 2 A must check that the counter always increases 20
Using counters !
Counters must be monotonically increasing ! !
!
Recovering from lost synchronizaWon: !
!
!
Absolutely never accept previously used values Persistent counter storage needed Verifier can maintain a window of acceptable counter values to recover from message loss or reordering Nonce-‐based protocol for resynchronizaWon if counters get badly out of sync
Counter values must not run out or wrap to zero ! ! !
Limit the rate at which values can be consumed But support bursts of acWvity Use long enough counter to last the equipment lifeWme or lifeWme of the shared key in use 21
UMTS (3G) authenBcaBon and key agreement (AKA)
The AKA protocol is used in 3G/4G networks
UMTS AKA ! ! ! !
AKA = authenWcaWon and key agreement Design based on GSM authenWcaWon Mutual authenWcaWon Sequence number for freshness to mobile → saves one roundtrip to AuC → authenWcaWon vectors can be retrieved early, several at a Wme !
Q: Why is this so important? Why not just use a client nonce?
23
UMTS AKA (simplified) K, SQN
Network
K, SQN
Phone MAC = XRES = CK = IK =
f1 (K, RAND,SQN) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND)
RAND, AUTN [SQN, MAC] XMAC = f1 (K, RAND,SQN) RES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) MAC = XMAC?
RES RES= XRES?
Encryption and integrity protection with CK, IK
24
UMTS AKA (simplified) K, SQN
K, SQN Phone
RNC
MSC/VLR
AuC IMSI MAC = XRES = CK = IK =
f1 (K, RAND,SQN) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND)
RAND, AUTN [SQN, MAC], XRES, CK, IK RAND, AUTN [SQN, MAC] MAC = XRES = CK = IK =
f1 (K, RAND,SQN) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND)
MAC = XMAC?
RES CK, IK
RES= XRES?
Encryption and integrity protection with CK, IK
25
UMTS AKA K, SQN
Network
K, SQN
UE = ME + USIM MAC = XRES = CK = IK = AK =
f1 (K, RAND,SQN,AMF) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND) f5 (K, RAND)
RAND, AUTN [SQN AK, AMF, MAC] MAC = XRES = CK = IK = AK =
f1 (K, RAND,SQN,AMF) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND) f5 (K, RAND)
MAC = XMAC?
RES RES= XRES?
Encryption and integrity protection CK, IK
26
K, SQN
K, SQN UE = ME + USIM
RNC
MSC/VLR
AuC
MAP authentication data request: IMSI
UMTS AKA
!
MAC = XRES = CK = IK = AK =
MAP authentication data response: one of more authentication vectors
User authentication request: RAND, AUTN [SQN⊕AK, AMF, MAC] MAC = XRES = CK = IK = AK =
f1 (K, RAND,SQN,AMF) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND) f5 (K, RAND)
f1 (K, RAND,SQN,AMF) f2 (K, RAND) f3 (K, RAND) f4 (K, RAND) f5 (K, RAND)
MAC = XMAC?
User authentication response: RES RES= XRES? RANAP security mode command: CK, IK
RRC security mode command Encryption and integrity protection with CK, IK
27
UMTS authenBcaBon !
Alice-‐and-‐Bob notaWon: 1. Network → terminal: 2. Terminal → Network: CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND)
! ! !
RAND, SQN⊕AK, f1 (K, RAND, SQN) f2 (K, RAND)
USIM must store the highest received SQN value AuC must also store SQN and increment it for each authenWcaWon TMSI used in 3G just like in GSM !
Masking SQN with AK prevents the use of SQN to idenWfy the mobile 28
Sequence number SQN !
ImplementaWon can be changed in USIM and AuC !
!
Length is fixed to 48 bits
One suggested implementaWon: SEQ1 (19 bits) !
!
!
!
SEQ2 (24 bits)
IND (5 bits)
SEQ2 — Wme counter, 224 seconds = 194 days, individual mobile may run ahead of the global Wme but can never be lek behind (Note: the clock is local to AuC; mobile has no secure clock!) SEQ1 — per-‐mobile epoch counter, incremented when SEQ2 wraps, or appears to wrap IND — parWWons the SQN space to independent sequences; highest used SEQ1|SEQ2 stored independently for each IND value 0..31
IND enables creaWon of mulWple simultaneously valid authenWcaWon vectors ! !
Enables buffering of unused authenWcaWon vectors in VLR Enables parallel authenWcaWon in CS, PS, IMS and WLAN domains 29
Staying in sync SEQ1 (19 bits) ! !
IND (5 bits)
Mobile may run ahead of the global Wme counter SEQ2 if it needs a burst of values; long-‐term authenWcaWon rate capped at 1/s IncremenWng SEQ at AuC: ! ! !
!
SEQ2 (24 bits)
if SEQ2 is less than the global Wme counter, set equal if equal or slightly (at most 216) higher than global Wme, increment by 1 otherwise, SEQ2 has wrapped → set SEQ2 equal to global Wme and increment SEQ1
USIM stores the largest received value of SEQ1|SEQ2 for each IND value 0..31 ! !
!
If mobile receives a lower or equal value, authenWcaWon fails If mobile receives a slightly higher value (SEQ1|SEQ2 increased by at most 228 = 8.5 years), USIM updates the stored value If the increment is larger than 228, USIM iniWates a resynchronizaWon procedure
30
RSQ ResynchronizaBon K, SQN UE = ME + USIM
ResynchronizaWon needed if the sequence number gets out of sync between USIM and AuC.
K, SQN MSC/VLR
AuC IMSI
RAND, AUTN [SQN⊕AK, AMF, MAC], XRES, CK,IK,AK RAND, AUTN [SQN⊕AK, AMF, MAC] MAC = f1 (K, RAND,SQN,AMF) AK = f5 (K, RAND) MAC = XMAC? SQN too high! MAC-S = f1* (K, RAND,SQN,AMF) AUTS [ SQN AK, MAC-S ]
RAND, AUTS [ SQN AK, MAC-S ] Update stored SQN
31
AKA Protocol Linkability ASack
Source: Borgaonkar et al.
32
SQN resynchronizaBon If USIM receives an SEQ1|SEQ2 value that is too much higher than the previous stored value, it sends AUTS to the AuC: AUTS = SQN⊕AK, MAC-‐S MAC-‐S = f1*(K, SQN, RAND, AMF) SQN = USIM’s stored sequence number One extra roundtrip to AuC
!
!
!
!
May cause a noWceable delay, similar to when switching on a phone in a new country for the first Wme The delay only takes place in excepWonal situaWons à example of an opWmisWc protocol 33
Session protocol: encrypBon !
EncrypWon of MAC SDUs and RLC PDUs between terminal and RNC with the 128-‐bit session key CK !
!
BS does not have the key → can use untrusted BS hardware
Ciphertext = PDU ⊕ f8(CK, COUNT-‐C, bearer, direcWon, length) ! ! !
! ! !
f8 — based on block cipher KASUMI CK = f3(K, RAND) bearer – radio bearer idenWty, to enable simultaneous connecWon to mulWple bearers, e.g. 3G and WLAN direcWon — one bit, uplink or downlink length — PDU length COUNT-‐C = HFN|CFN CFN — RLC frame number HFN — hyper frame number, incremented when CFN wraps HFN is set to zero when rekeying with AKA 34
Session protocol: signalling integrity ! !
AuthenWcaWon for RRC messages between terminal and RNC — signalling only! Message authenWcaWon code = f9(IK, message, direcWon, COUNT-‐I, FRESH) ! ! ! !
!
! !
f9 — based on block cipher KASUMI IK = f4(K, RAND) direcWon — one bit, uplink or downlink COUNT-‐I = HFN|RRC sequence number HFN — incremented if the RRC sequence number wraps HFN is set to zero when rekeying with AKA FRESH — random nonce chosen by RNC
Monotonously increasing counter COUNT-‐I protects against replays during one session USIM stores highest COUNT-‐I, but RNC might not remember it. FRESH prevents the replay of old signalling messages if the RNC reuses old authenWcaWon tuples and, thus, old session keys 35
Session protocol: data integrity !
Integrity of voice data is not protected ! ! !
!
Bit errors on the radio link are common Voice encodings cope well with bit errors Resending corrupt data would lead to lower voice quality
Periodic local authenWcaWon: counter check !
!
!
!
Terminal and RNC periodically compare the high-‐order bits of COUNT-‐C Integrity of the counter check is protected by the MAC on RRC signalling Release connecWon if large difference in counters detected Makes it more difficult to spoof significant amounts of data 36
Backward compaBbility !
3G users may roam in GSM networks: ! ! !
!
Challenge RAND = c1(RAND) Response SRES = c2(RES) EncrypWon key Kc = c3 (CK, IK)
Possible because the keys and algorithms are shared between SIM and AuC only, not by the mobile equipment or radio network
37
Remaining UMTS security weaknesses ! !
! ! !
IMSI may sWll be sent in clear, when requested by base staWon AuthenWcaWon tuples available to thousands of operators around the world, and all they can create fake base staWons Equipment idenWty IMEI sWll not authenWcated Non-‐repudiaWon for call and roaming charges is sWll based on server logs, not on public-‐key signatures SWll no end-‐to-‐end security !
Thousands of legiWmate radio network operators à Any government or big business gain control of one and intercept calls at RNC 38
LTE network security
39
LTE security architecture
S-‐GW
UP protection AS protection
ME +UICC
c IPSe IPSec
eNodeB
HSS MME
NAS protection Serving Network
ME Mobile Equipment UICC Universal Integrated Circuit Card eNodeB Evolved NodeB AS Access Stratum UP User Plane
Home Network
S-‐GW Security Gateway MME Mobility Management EnWty HSS Home Subscriber Server NAS Non Access Stratum 40
LTE AKA protocol (simplified) MME
ME +UICC
HSS IMSI, SN id
DistribuWon of AV from HSS to MME
Generate AV RAND, XRES, AUTN KASME RAND, AUTN Verify AUTN Compute RES
RES RES ≠ XRES
Compute KASME
AuthenWcaWon and key establishment 41
Key hierarchy
! !
Cryptographic key separaWon Key renewal ! !
Minimize distribuWon of same key elements Key freshness is important Source: NTT Docomo Whitepaper 42
IMSI catcher problem !
passive and acWve types : affects all security aspects !
! !
!
for 3G and 4G, legiWmate BTS ahacks ! !
!
AuthenWcaWon, confidenWality, integrity, availability works for 2G networks only Fake BTS ahacks Rogue femtocell Sokware defined radios (USRP)
deficiency in security standards and regulaWon ! !
no security indicaWon in mobile phones ulWmate power (encrypWon on/off) is to BTS Source: product manuals
43
Exercises ! ! !
!
Who could create false locaWon traces in the GSM HLR and how? Is this possible in UMTS? Consider replacing the counter with the phone’s nonce in AKA. What would be lost? Try to design a protocol where the IMSI is never sent over the air interface, i.e. the subscriber idenWty is never sent in clear. Remember that the terminal may have just landed from an interconWnental flight, and the terminal does not know whether it has or not Why IMSI catcher ahack would not work easily in LTE? What are possible ways for normal users to detect fake base staWon? 44
Related reading Gollmann, Computer security, 3rd ed. chaptes 19.2–19.3 ! hhp://www.ericsson.com/ericsson/corpinfo/publicaWons/review/ 2006_03/files/3_fiky_years.pdf ! New privacy issues in mobile telephony: fix and verificaWon hhp://dl.acm.org/citaWon.cfm?id=2382221 ! LTE Security, 2nd EdiWon, Dan Forsberg, Gunther Horn, Wolf-‐Dietrich Moeller, Valheri Niemi ISBN: 978-‐1-‐118-‐35558-‐9 (Check E-‐book in Aalto Library) !
45
Historical: GSM (2G) network ! !
Mobile staWon (MS) = mobile equipment (ME) + subscriber idenWty module (SIM) Base staWon subsystem (BSS) = base staWon controller (BSC) + base transceiver staWons (BTS) !
!
Network switching subsystem (NSS) = mobile switching centers (MSC) and their support funcWons ! !
!
BTS = base staWon (BS)
MSC is an advanced telephone exchange MSC uses the SS7 signalling network (but moving to IP)
Advanced funcWons (not covered in this lecture): ! ! !
Text messages GPRS, HSDPA IP mulWmedia subsystem (IMS)
Historical: GSM network architecture
47
User authenBcaBon with mobile phone
48
Generic bootstrapping architecture (GBA) !
! !
The mobile operator provides an authenWcaWon service for the mobile subscriber to third parWes e.g. to web-‐based services AuthenWcaWon is based on AKA and the secret key K in the USIM 3GPP standard, implemented but not widely deployed
49
GBA architecture
[Image source: Abu Shohel Ahmed 2010]
!
Mobile operator funcWons for GBA: !
!
!
Home Subscriber Server (HSS) / AuC has the subscriber master key K, which is also in the USIM (=UICC) Bootstrapping Server FuncWon (BSF) performs AKA to derive a session key Ks with the user equipment UE
ApplicaWon server that wants to authenWcate users with GBA: ! !
Implements the Network ApplicaWon FuncWon (NAF) Has a contract with the operator and typically pays for each authenWcaWon event 50
GBA message flow
[Image source: Abu Shohel Ahmed 2010]
51
Mobile signature !
Mobile signature service (MSS) = “mobile cerWficate” ! !
! !
SIM card contains a public signature key pair and cerWficate, which is used to authenWcate to third parWes You can register as MSS use with any Finnish mobile operator (may require a new SIM card) !
!
Standardized by ETSI CompeWng idea with GBA
Use it e.g. at hhp://password.aalto.fi/
Detailed documentaWon:
hhp://www.mobiilivarmenne.fi/en/, hhp://www.mobiilivarmenne.fi/documents/ MSS_FiCom_ImplementaWon_guideline_2.2.pdf
52
MSS message flow !
!
Home operator’s mobile signature service provider (MSSP) needed every Wme to send an authenWcaWon request to the SIM ApplicaWon provider (AP) can have a contract with one mobile operator, subscriber with another (four-‐corner model) !
!
Cross-‐operator authenWcaWon works within Finland, not between countries
Typically, both subscriber and AP pay a fee for each authenWcaWon event [Image source: Ficom] 53
Text messages for authenBcaBon ! !
!
Assumes that text messages cannot be intercepted Google, Microsok etc. send a secret code to the user’s mobile phone for a second method of authenWcaWon (used in addiWon to a password) Banks send transacWon details and a secret code to the phone (used in addiWon to the password and one-‐Wme passcode)
54