
PROVIDING SECURE PERSONAL MOBILITY

Nigel Jefferies

In this paper we look at the security features offered by the first two phases of UPT as
defined by ETSI NA7, and examine their impact on the service provided. We shall then look
beyond UPT, to the results of the RACE R2003 Mobilise project, which is extending personal
mobility concepts to the PSCS (Personal Service Communication Space).

Personal Mobility: The Threats

With the introduction of personal mobility services into
existing networks, new opportunities for potential misuse occur. Many of these threats have
already been addressed in existing mobile networks: the challenge in a 'universal' system
is to implement the necessary features across a multi-operator environment involving a wide
range of different network types.

A detailed analysis of the threats to UPT systems appears in [70401]. The wide-ranging
nature of the threats, either created or exacerbated by UPT-type services, indicates the care
that needs to be taken in the implementation of these services.

Now that users are no longer tied to a particular network access point, a very obvious threat
is that of the impersonation of a user. The countermeasure is clearly some form of user
authentication. Without this, a large amount of fraud is almost certain, leading to a lack of
confidence in the accuracy of a user's bill.

An important feature of both UPT and UMTS is the ability of a user (or his subscriber) to
modify a service profile, which defines service parameters applicable to that user. Clearly
access to the service profile must be carefully controlled.

Another important aspect of the introduction of personal mobility services is that they may
impact on other users of the network who may not even be aware of the new service. A
classic example would be where a UPT user registers on the terminal which he has
borrowed for a short while. If he forgets to deregister, then the owner of the terminal suffers
the nuisance of incoming calls for the departed UPT user. This sort of thing becomes a
security problem if it is done for malicious reasons. Various solutions have been suggested
(some of which create their own security problems) including allowing the reset of terminals
and setting timeout periods for registrations.

Phase 1 UPT Security Features

Phase 1 of UPT is seen as a restricted service, providing
some of the basic UPT features on existing networks (PSTN and ISDN) and terminals. This
places considerable restrictions on the security features and the mechanisms used to
implement them. ETSI NA7 identified the following security features as essential for
implementation in Phase 1:

- UPT user and subscriber authentication;
- access control features;
- security management features.

Vodafone Ltd, The Courtyard, 2-4 London Rd, Newbury, Berks RG13 1JL
© 1994 The Institution of Electrical Engineers
Printed and published by the IEE, Savoy Place, London WC2R 0BL, UK

Two mechanisms to provide UPT user authentication have been specified by NA7: weak and
strong. These names reflect the fact that the NA7 security group strongly recommend use
of the strong mechanism.

Weak authentication involves the user typing a PIN into the terminal, in addition to a UPT
Access Code and UPT number. Alternatively, these numbers can be programmed into a
DTMF dialling device.

Strong authentication requires the use of a UPT device. This is a hand-held device, capable
of emitting DTMF tones and having a keyboard and display. A cryptographic algorithm and
key are stored on the device and used to generate an authentication code (AC) which
changes at each authentication attempt.
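
The difference between the two mechanisms can be shown with a short sketch. This is an added example, not code from the paper or from ETSI NA7: the paper names no algorithm, so HMAC-SHA256 over a per-attempt counter, the 8-digit code length and the look-ahead window are all assumptions made for illustration.

```python
import hashlib
import hmac

def auth_code(key: bytes, counter: int, digits: int = 8) -> str:
    """Decimal AC (sendable as DTMF digits) derived from the device key and a counter.
    HMAC-SHA256 and the counter are assumptions; the paper names no algorithm."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

class WeakVerifier:
    """Weak mechanism: the same PIN digits are sent on every attempt."""
    def __init__(self, pin: str):
        self.pin = pin
    def verify(self, digits: str) -> bool:
        return hmac.compare_digest(digits, self.pin)

class StrongVerifier:
    """Strong mechanism: accepts each AC once, then moves its counter past it."""
    def __init__(self, key: bytes, window: int = 3):
        self.key, self.counter, self.window = key, 0, window
    def verify(self, ac: str) -> bool:
        # The look-ahead window tolerates codes generated but never received.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(ac, auth_code(self.key, c)):
                self.counter = c + 1  # this code and all earlier ones are spent
                return True
        return False

def replay_demo():
    """Return (weak replay accepted, strong first use, strong replay, skipped code ok)."""
    key = b"constructed-demo-key"      # constructed sample key
    weak = WeakVerifier("4711")        # constructed sample PIN
    sent_pin = "4711"                  # digits as sent over the line
    weak.verify(sent_pin)
    weak_replay = weak.verify(sent_pin)   # the same digits work again

    strong = StrongVerifier(key)
    sent_ac = auth_code(key, 0)
    first = strong.verify(sent_ac)
    replay = strong.verify(sent_ac)       # the same AC is refused
    skipped = strong.verify(auth_code(key, 2))  # device advanced one code unseen
    return weak_replay, first, replay, skipped
```

The verifier has to keep per-user counter state in step with the device, which is the operational cost of the strong mechanism in this sketch.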

Security Issues for UPT Phase 2

A major step forward with Phase 2 is the introduction of
the UPT card: a smart card with functionality similar to the GSM SIM. Two of the main
issues being discussed with regard to the standardization of security features for UPT Phase
2 are the need for mutual authentication, and the support of UPT over GSM access
networks. The different options for each of these issues are being considered.

A number of reasons exist for wanting to make authentication mutual, that is, to authenticate
the service provider to the user as well as the other way round. For instance, it is possible
that the service provider or network operator may be able to access portions of the user's
service profile which are stored on the card. Clearly, this access must be controlled. It
seems likely, from discussions within ETSI SMG5 on security [50901], that authentication
of the UMTS service provider will be required. UPT users will expect the same level of
security as UMTS users.

However, the real need for mutual authentication stems from unknown and unquantifiable
risks. In an increasingly complex and mobile environment, with increasingly intelligent
terminals and networks, and increasingly sophisticated services, subtle abuses of protocols
become harder to prevent. Because of this it is better to design in mutual authentication at
this early stage, so that all parties in the protocol can be authenticated.
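
A minimal sketch of what "mutual" adds over one-way user authentication follows. It is an added example, not a protocol from the paper or from ETSI: the shared card key, HMAC-SHA256, the nonce size and the role labels are assumptions, and the paper states only that the options are still being considered.

```python
import hashlib
import hmac
import os

def tag(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """MAC binding the sender's role to both nonces, so a response cannot be
    echoed back to its sender or reused in a later run."""
    msg = role + b"|" + own_nonce + b"|" + peer_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Party:
    def __init__(self, role: bytes, peer_role: bytes, key: bytes):
        self.role, self.peer_role, self.key = role, peer_role, key
        self.nonce = os.urandom(16)          # fresh challenge for this run
    def respond(self, peer_nonce: bytes) -> bytes:
        return tag(self.key, self.role, self.nonce, peer_nonce)
    def check(self, peer_nonce: bytes, peer_tag: bytes) -> bool:
        expected = tag(self.key, self.peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_tag)

def run(card_key: bytes, provider_key: bytes):
    """Return (provider accepted by card, card accepted by provider)."""
    card = Party(b"CARD", b"SP", card_key)
    sp = Party(b"SP", b"CARD", provider_key)
    # 1. card -> SP: card.nonce
    # 2. SP -> card: sp.nonce, sp.respond(card.nonce)
    sp_ok = card.check(sp.nonce, sp.respond(card.nonce))
    # 3. card -> SP: card.respond(sp.nonce), sent only if step 2 verified,
    #    so an unauthenticated provider gets no response from the card.
    card_ok = sp_ok and sp.check(card.nonce, card.respond(sp.nonce))
    return sp_ok, card_ok

def reflection_rejected(key: bytes) -> bool:
    """The card's own response, echoed back, must not pass as the provider's."""
    card = Party(b"CARD", b"SP", key)
    peer_nonce = os.urandom(16)
    echoed = card.respond(peer_nonce)        # produced by the card itself
    return not card.check(peer_nonce, echoed)
```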

The Personal Service Communication Space

Personal communication offers users the
ability to communicate and to organize communication according to their own preferences,
taking into account factors such as: time, space, medium, cost, integrity, security, quality,
accessibility and privacy. The Personal Service Communication Space (PSCS) studied by
RACE Mobilise is a service concept whereby a service provider offers personal
communication to a user. The problem that PSCS is designed to solve is that users will
subscribe to and use many different telecommunication services and will have problems
organizing them.

It can be seen from the definition of personal communication, that users will expect from
PSCS the ability to [...] and organize the services to which they have subscribed from
any location. So PSCS will provide an advanced form of personal mobility, beyond that
foreseen for UPT Phase 1 and 2.

There is a strong emphasis within the project on usability aspects of personal
communications. The need for user friendliness while at the same time providing complex
services in a secure way has been a great concern. A demonstrator is being developed, for
instance, which incorporates a vision of a graphical user interface for telecoms services.

Basic assumptions about network capabilities need to be made. Within Mobilise, we assume
that universal coverage by GSM and ISDN networks will be available, with IN (CS2)
functionality in the networks.

An early result of the project was the establishment of an enterprise model. This shows the
relationship between the various entities involved in PSCS provision and operation.

Another important PSCS concept is that of the flexible service profile (FSP). This goes
beyond the UPT/UMTS service profile and is designed to permit access by users and
subscribers to set up and organize services, and may contain logic in addition to data.

The security features defined for the PSCS by Mobilise include the following:

User-PIM Authentication: Access by the end user to his PIM (personal identification module,
which may be a smart card, or a built-in software module in a personal computer or
terminal) is controlled by use of a PIN code. This protects the end user against misuse of
the PIM if it is lost or stolen.

PSCS Authentication: Following successful User-PIM authentication, the PIM and PSCS
service provider authenticate each other. This process is transparent to the end user (unless
it fails), and uses a cryptographic public-key protocol. Authentication procedures are also
defined between other entities (for instance, between the PSCS service provider and an
application service provider). The precise requirements for these are currently being studied, as are
methods of managing the necessary revocation lists of end users whose subscriptions have
been terminated.

Work has been carried out to understand how PSCS authentication interacts with other
authentication procedures (for instance, authentication to an application service provider).

Message Authentication: The same mechanism used for PSCS authentication can also be
used to provide message authentication, allowing a recipient to verify that the contents of
a message from another PSCS entity were not changed, and to prove that the message
really was sent by the entity who appended the signature to the message.

FSP Access Control: The PSCS service provider controls access by subscribers and end
users to the end user's FSP.

Control of Access to Services: Before allowing an end user access to services, the PSCS
service provider uses information in the FSP to verify that the access attempt is authorized.
A study has been made of how this can be done.

It has also been established that to describe authentication in the global functional plane
(GFP) requires the ability to use SIBs recursively. Mobilise has been successful in actively
promoting this for inclusion in IN CS2. Work is continuing to define the structure of
PSCS authentication within the GFP.

The work described in this paper was undertaken as part of RACE project R2003 Mobilise.

References
[50901] ETSI draft ETR (09-01). Special Mobile Group (SMG); Security principles for
the Universal Mobile Telecommunications System (UMTS). Version 0.3.1, May
1994.

[70401] ETSI DTR/NA-70401. Network Aspects (NA); Universal Personal
Telecommunications; General UPT Security Architecture. Version 0.6.1,
February 1993.

[23] RACE R2003 Mobilise. Technology and Feasibility: Network Aspects, Security
Aspects, Access Aspects, Information Flows. Deliverable no. 23, January
1994.
