Beruflich Dokumente
Kultur Dokumente
4 GSM
Prof. JP Hubaux
Objectives iUnique standard for European digital cellular networks iInternational roaming iSignal quality iVoice and data services iStandardization of the air and the network interfaces iSecurity Principles iStrong integration with the telephone network (PSTN) iInterfaces inspired by the Integrated Services Digital
Network (ISDN) iHence, supervision by means of Signaling System 7 (SS7)
2
CPE
UNI
NNI
Switch Switch
UNI
CPE
Interface between the circuit switching network and the signaling network
Signaling Links
Signaling Point
Signaling Point
Control Unit
SP STP
Signaling link
SP
Signaling Plane
SP
STP
SP
Switching Plane
Voice circuits
STP SP
STP
SP
SP
...
STP
PTS SP
7
SP
Operator 1
Operator 2
SS7 Architecture
OSI Layers 7 4, 5 et 6 3 2 1
ASE: Application Service Element INAP: Intelligent Network Application Part MAP: Mobile Application Part MTP: Message Transfer Part
ISDNUser Part For further study (ISUP) SCCP MTP Level 3 MTP Level 2 MTP Level 1
OMAP: Operations, Maintenance and Administration Part SCCP: Signaling Connection Control Part TCAP: Transaction Capabilities Application Part
8
ISDN
IAM
Call Proceeding
IAM
SETUP Call Proceeding
ACM
ALERTING CONNECT CONNECT ACK
ACM ANM
ANM
IAM: Initial Message; ACM: Address Complete Message; ANM: Answer Message
DISCONN
REL
REL
DISCONN
RELEASE
RLC
RLC
RELEASE
RELACK
REL: Release
10
Addressing in GSM
Call to Nr 085-123456
SIM: Subscriber Identity Module IMSI: International Mobile Subscriber Identity IMEI: International Mobile Equipment Identity MSISDN: Mobile Station ISDN Number
MSISDN 085-123456
IMSI 208347854033
11
GSM Architecture
Equipment Identity Register F C Um Mobile Station BTS Abis A E
Authentication Center
BSC BSS
MSC
BSS: Base Station System BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center
g g g g
Paging Coordination of call set up from all MSs in its jurisdiction Dynamic allocation of resources Location registration Interworking function with different networks (e.g., PSTN) Handover management Billing for all subscribers based in its area Reallocation of frequencies to BTSs in its area to meet heavy demand Encryption Echo canceler operation control Signaling exchange between different interfaces Gateway to Short Message Service
13
LAPDm radio
LAPDm radio
LAPDm radio
LAPDm radio
MPT2 MTP1
Mobile Base transceiver station station CM: call management MM: mobility management RRM: Radio resources management (ISDN) BSSAP: BSS Application Part
Base station Mobile switching controller center SCCP: Signal connection control part MTP: message transfer part LAPD: link access - protocol D channel
14
Location updating
MS BSS Mobile turns on Channel setup, radio resource reservation Location updating request Authentication challenge Authentication response MSC/VLR HLR
Authentication info request Authentication info Update location Insert subscriber data Insert subscriber data ack
TMSI reallocation complete Location updating accept Clear command Release radio channel
15
PSTN switch
Data channels are setup after the messages shown have been sent
g g
Basic principle: the calling party pays Exception: the calling party does not pay for extra charges induced by initiatives of the callee: iroaming icall forwarding
18
Short Message Service (SMS) iSimilar to advanced paging systems iMakes use of the control channel General Packet Radio Service (GPRS) iAimed at interfacing the Internet (e.g., for Web browsing) iRates up to 170kb/s High Speed Circuit-Switched Data (HSCSD)
19
Service Center
Message transfer
20
128.178.151.82
LAN: 128.178.151
21
GPRS architecture
Laptop MSC HLR GR
: signaling + data : signaling only GR: GPRS Register: manages the association between the IP address and the IMSI SGSN: Serving GPRS Support Node (router) GGSN: Gateway GPRS Support Node (router)
22
Network
Network GTP IP
SNDCP: Subnetwork Dependent Convergence Protocol LAPG: Link Access Protocol on G channel
23
Mobility management
IDLE Detachment or time out Detachment Time out STAND-BY Sending or reception of data READY Attachment to the network
Idle: no active GPRS session Ready: session established; ongoing data exchange; precise mobile location (which cell) Stand-by: session established, with no ongoing data exchange; approximate mobile location, the mobile has to be tracked in its routing area During a GPRS session (Ready or Stand-by states), the session itself is identified by a TLLI (Temporary Logical Link Identity)
24
25
GSM Frequencies
DCS = Digital Cellular System: same principles as GSM, but at frequencies better suited for microcells
26
Must be tamper-resistant Protected by a PIN code (checked locally by the SIM) Is removable from the terminal Contains all data specific to the end user which have to reside in the Mobile Station:
iIMSI: International Mobile Subscriber Identity (permanent users iPIN iTMSI (Temporary Mobile Subscriber Identity) iKi : Users secret key iKc : Ciphering key iList of the last call attempts iList of preferred operators iSupplementary service data (abbreviated dialing, last short
messages received,...) identity)
27
A3
A8
Kc
Triplet
Authentication Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm)
A5
Ciphering algorithm
28
Home network
Ki R
A3 S
Authenticate (R) Ki R
A8 Kc
A3 S
Auth-ack(S) S=S?
29
Ciphering in GSM
Kc A5
FRAME NUMBER
Kc A5
FRAME NUMBER
PLAINTEXT SEQUENCE
30
g g
Focused on the protection of the air interface No protection on the wired part of the network (neither for privacy nor for confidentiality) The visited network has access to all data (except the secret key of the end user) Generally robust, but a few successful attacks have been reported: ifaked base stations icloning of the SIM card
31
GSM today
g g
The common digital cellular technique deployed throughout Europe Probably the leading cellular technology worldwide Hundreds of millions of subscribers in more than 100 countries 7000+ pages of standards...
32
iRadio interface encryption iLimited trust in the Visited Network iProtection of the identity of the end user (especially on the radio
interface)
g
iPossible attacks from a faked base station iCipher keys and authentication data transmitted in clear between iEncryption not used in some networks iData integrity not provided i
and within networks open to fraud
33
New security features iNew kind of service providers (content providers, HLR only
service providers,) iIncreased control for the user over their service profile iEnhanced resistance to active attacks iIncreased importance of non-voice services i
34
Authentication in 3GPP
Mobile Station Visited Network Home Environment
Sequence number (SQN) RAND(i) K: Users secret key
Authentication vectors
Verify AUTN(i) Compute RES(i) User authentication response RES(i) K Compute CK(i) and IK(i) Compare RES(i) and XRES(i) Select CK(i) and IK(i)
35
CK (Cipher Key)
IK (Integrity Key)
AK (Anonymity Key)
Authentication token: AUTN := ( SQN AK ) AMF MAC Authentication vector: AV := RAND XRES CK IK AUTN
AMF: Authentication and Key Management Field
36
SQN AK
f5 AK
AMF
MAC
SQN
K f1 f2 f3 f4
RES (Result)
CK (Cipher Key)
IK (Integrity Key)
g g
g g
In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). f1, f1*, f2, f3, f4, f5 and f5* are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE MILENAGE is based on the Rijndael block cipher In MILENAGE, the generation of all seven functions f1f5* is based on the Rijndael algorithm
38
f1
f1*
f5 f2
f3
f4
f5*
OP: operator-specific parameter r1,, r5: fixed rotation constants c1,, c5: fixed addition constants
EK : Rijndael block cipher with 128 bits text input and 128 bits key
39
IK
f9
IK
f9
MAC-I
XMAC-I
40
f9 integrity function
COUNT || FRESH || MESSAGE PS1 PS2 ||DIRECTION||1|| 00 PSBLOCKS-1
PS0
IK
KASUMI
IK
KASUMI
IK
KASUMI
IK
KASUMI
KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) PS: Padded String KM: Key Modifier
IK
KM
KASUMI
41
Ciphering method
BEARER COUNT-C LENGTH DIRECTION BEARER COUNT-C LENGTH DIRECTION
CK
f8
CK
f8
PLAINTEXT BLOCK
f8 keystream generator
COUNT || BEARER || DIRECTION || 00
KM: Key Modifier KS: Keystream
CK
KM
KASUMI
CK
KASUMI
CK
KASUMI
CK
KASUMI
CK
KASUMI
KS[0]KS[63]
KS[64]KS[127] KS[128]KS[191]
43
L0 32
KL1
Detail of Kasumi
64 KO1 , KI1 R0 32 16 32 KOi,1 16 9 16 7
S9
Zero-extend
FL1
KO2 , KI2
FO1
KL2
FIi1
KIi,1
FO2
KL3
FL2
S7
FIi2
KIi,2
FL3
FO3
KL4
KO4, KI4
FO4
KL5
FL4
KOi,3
S9
Zero-extend
FIi3
KO5 , KI5
KIi,3
FL5
FO5
KL6 Fig. 2 : FO Function 16 KLi,1 KL8 32
S7
truncate
KO6 , KI6
FO6
KL7
FL6
KO7 , KI7
Fig. 3 : FI Function 16
FL7
KO8 , KI8
FO7
FO8
FL8
<<<
KLi,2
<<<
L8 R8 Fig. 4 : FL Function
C
Fig. 1 : KASUMI Bitwise AND operation
KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes
Bitwise OR operation
<<<
44
Mobile IP Manual or via the Internet Key Exchange (IKE) Registration key AH AH ESP Yes (e.g., with rev. tunnelling) Partial ?
Manual (KMH) + roaming agreements Authentication vector f1,, f5* (e.g. MILENAGE) f9 (Kasumi) f8 (Kasumi) Yes No (it can require the IMSI) No (cryptographic material provided in advance) Yes
45
g g g
Some improvement with respect to 2nd generation iCryptographic algorithms are published iIntegrity of the signalling messages is protected Quite conservative solution No real size experience so far Privacy/anonymity of the user not completely protected 2nd/3rd generation interoperation will be complicated and might open security breaches
46
References
On Signalling System 7 iTravis Russel, Signaling System #7, Second Edition, McGraw-Hill
Telecommunications, 1998. iUyless Black, ISDN and SS7, Prentice Hall, 1997 iAbdi Modaressi and Ronald A. Skoog, Signaling System N7: A tutorial, IEEE Communications Magazine, July 1990, pp 19-35.
iS. Redl et al.: GSM and Personal Communication Handbook iA. Mehrotra: GSM System Engineering
Artech House Publ, 1997
g
Addison-Wesley, 1997