
3G Security Principles

• Build on GSM security

• Correct problems with GSM security

• Add new security features

Source: 3GPP
1
Myagmar, Gupta UIUC 2001
GSM Network Architecture
[Figure: GSM network architecture, circuit-switched technology. MS -- Um -- BTS -- A-bis -- BSC -- A -- MSC -- PSTN/ISDN; the MSC is served by the VLR, HLR, AUC and EIR (mobility management) and by the OMC; voice traffic is circuit-switched.]
GSM Security Elements, 1
Key functions: privacy, integrity and confidentiality

• Authentication
Protect from unauthorized service access
Based on the authentication algorithm A3(Ki, RAND) => SRES
Problems with inadequate algorithms
• Encryption
Scramble bit streams to protect signaling and user data
Ciphering algorithm A8(Ki, RAND) => Kc
A5(Kc, Data) => Encrypted Data
Need stronger encryption
• Confidentiality
Prevent an intruder from identifying users by IMSI
Temporary MSI (TMSI) used instead
Need a more secure mechanism
GSM Security Elements, 2
• SIM
A removable hardware security module
Manageable by network operators
Terminal independent
• Secure Application Layer
Secure application layer channel between subscriber module and home
network
• Transparency
Security features operate without user assistance
Needs greater user visibility
• Minimized Trust
Requires minimum trust between HE (home environment) and SN (serving network)

Problems with GSM Security, 1
• Active Attacks
Impersonating network elements such as false BTS is possible
• Key Transmission
Cipher keys and authentication values are transmitted in clear within
and between networks (IMSI, RAND, SRES, Kc)
• Limited Encryption Scope
Encryption terminates too soon, at the network edge (the BTS)
Communications and signaling in the fixed network portion aren’t
protected
Designed to be only as secure as the fixed networks
• Channel Hijack
Protection against radio channel hijack relies on encryption.
However, encryption is not used in some networks.

Problems with GSM Security, 2
• Implicit Data Integrity
No integrity algorithm provided
• Unilateral Authentication
Only user authentication to the network is provided.
No means to identify the network to the user.
• Weak Encryption Algorithms
Key lengths are too short, while computation speed is increasing
Encryption algorithm COMP128 has been broken
Replacing the encryption algorithms is quite difficult
• Unsecured Terminal
IMEI is an unsecured identity
Integrity mechanisms for IMEI are introduced late

Problems with GSM Security, 3
• Lawful Interception & Fraud
Considered afterthoughts
• Lack of Visibility
No indication to the user that encryption is on
No explicit confirmation to the HE that authentication parameters are
properly used in SN when subscribers roam
• Inflexibility
Inadequate flexibility to upgrade and improve security functionality
over time

3G Network Architecture
[Figure: 3G network architecture. Radio access network (IP RAN with RNC) -- IP core network -- circuit network reached through a circuit gateway, call agent, mobility manager, feature server(s), circuit switch and IN services; packet network (Internet) reached through a packet gateway. Evolution columns: 2G (voice), 2G/2.5G (voice + data), 3G (voice and packet over the IP core).]
New Security Features, 1
• Network Authentication
The user can identify the network
• Explicit Integrity
Data integrity is assured explicitly by use of integrity algorithms
Also stronger confidentiality algorithms with longer keys
• Network Security
Mechanisms to support security within and between networks
• Switch Based Security
Security is based within the switch rather than the base station
• IMEI Integrity
Integrity mechanisms for IMEI provided from the start

New Security Features, 2
• Secure Services
Protect against misuse of services provided by SN and HE
• Secure Applications
Provide security for applications resident on USIM
• Fraud Detection
Mechanisms to combat fraud in roaming situations
• Flexibility
Security features can be extended and enhanced as required by new
threats and services
• Visibility and Configurability
Users are notified whether security is on and what level of security is
available
Users can configure security features for individual services
New Security Features, 3
• Compatibility
Standardized security features to ensure world-wide interoperability and
roaming
At least one encryption algorithm exported on a world-wide basis
• Lawful Interception
Mechanisms to provide authorized agencies with certain information
about subscribers

Summary of 3G Security Features, 1
• User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be
determined by eavesdropping
Achieved by use of a temporary identity (TMSI) which is assigned by the
VLR
IMSI is sent in cleartext when establishing the TMSI

TMSI allocation (USIM -- VLR):
  VLR -> USIM: IMSI request
  USIM -> VLR: IMSI
  VLR -> USIM: TMSI allocation
  USIM -> VLR: TMSI acknowledgement
Summary of 3G Security Features, 2
• Mutual Authentication
During Authentication and Key Agreement (AKA) the user and network
authenticate each other, and they also agree on a cipher key and an integrity
key (CK, IK). CK and IK are used until their lifetime expires.
Assumption: trusted HE and SN, and trusted links between them.
After AKA, a security mode must be negotiated to agree on the encryption
and integrity algorithms.

AKA process (USIM -- VLR -- HLR):
  VLR -> HLR: AV request, send IMSI
  HLR: generate authentication data AV(1..n)
  HLR -> VLR: AV(1..n)
  VLR -> USIM: RAND(i) || AUTN(i)
  USIM: generate RES(i)
  USIM -> VLR: RES(i)
  VLR: compare RES(i) and XRES(i)
Summary of 3G Security Features, 3
Generation of authentication data at HLR:
  Generate SQN
  Generate RAND
  K and RAND (and, for f1, SQN and AMF) are fed to f1, f2, f3, f4, f5:
    f1 -> MAC, f2 -> XRES, f3 -> CK, f4 -> IK, f5 -> AK
  AUTN := SQN ⊕ AK || AMF || MAC
  AV := RAND || XRES || CK || IK || AUTN
Summary of 3G Security Features, 4
Generation of authentication data in USIM:
  Inputs: RAND and AUTN = SQN ⊕ AK || AMF || MAC
  f5(K, RAND) -> AK
  SQN := (SQN ⊕ AK) ⊕ AK
  K and RAND (and, for f1, SQN and AMF) are fed to f1, f2, f3, f4:
    f1 -> XMAC, f2 -> RES, f3 -> CK, f4 -> IK
  Verify MAC = XMAC
  Verify that SQN is in the correct range
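A runnable model of the AKA exchange on slides 13 to 15, added here as example code (it is not from the original slides or from 3GPP). The f1..f5 functions are stand-ins built from HMAC-SHA256 rather than an operator algorithm such as MILENAGE, and the SQN range check is a simplified form of the spec's freshness rule; both are assumptions of this example.

```python
import hmac
import hashlib
import os

# Assumption: f1..f5 are modelled as keyed HMAC-SHA256 truncated to the 3GPP
# field sizes; real operator algorithms such as MILENAGE are not modelled.
def _f(tag, k, *parts, n):
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_generate_av(k, sqn, amf, rand=None):
    """Slide 14: HLR/AuC builds one authentication vector AV from K, SQN, RAND, AMF."""
    rand = rand or os.urandom(16)                 # 128-bit RAND
    mac = _f(b"f1", k, sqn, rand, amf, n=8)       # 64-bit MAC
    ak = _f(b"f5", k, rand, n=6)                  # 48-bit anonymity key
    autn = _xor(sqn, ak) + amf + mac              # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": _f(b"f2", k, rand, n=8), "CK": _f(b"f3", k, rand, n=16),
            "IK": _f(b"f4", k, rand, n=16), "AUTN": autn}

def usim_process(k, rand, autn, sqn_ms, window=32):
    """Slide 15: USIM unmasks SQN, checks MAC = XMAC and the SQN range, then derives
    RES, CK, IK. Returns (RES, CK, IK, SQN) or raises ValueError.
    The range check is a simplified form of the spec's freshness rules (assumption)."""
    sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = _xor(sqn_ak, _f(b"f5", k, rand, n=6))   # SQN = (SQN xor AK) xor AK
    xmac = _f(b"f1", k, sqn, rand, amf, n=8)
    if not hmac.compare_digest(mac, xmac):
        raise ValueError("MAC != XMAC: network not authenticated")
    s, s_ms = int.from_bytes(sqn, "big"), int.from_bytes(sqn_ms, "big")
    if not s_ms < s <= s_ms + window:
        raise ValueError("SQN out of range: stale or replayed challenge")
    return (_f(b"f2", k, rand, n=8), _f(b"f3", k, rand, n=16),
            _f(b"f4", k, rand, n=16), sqn)

def run_aka(k, sqn_hlr, sqn_ms, amf=b"\x80\x00", rand=None):
    """One AKA round as on slide 13. Returns (CK, IK, AV) once the VLR accepts RES."""
    av = hlr_generate_av(k, sqn_hlr, amf, rand)
    res, ck, ik, _ = usim_process(k, av["RAND"], av["AUTN"], sqn_ms)
    if not hmac.compare_digest(res, av["XRES"]):  # VLR: compare RES(i) and XRES(i)
        raise ValueError("RES != XRES: user not authenticated")
    return ck, ik, av

if __name__ == "__main__":
    ck, ik, av = run_aka(bytes(range(16)), (5).to_bytes(6, "big"), (4).to_bytes(6, "big"))
    print("AKA ok, USIM CK matches AV:", ck == av["CK"])
```

The two failure paths matter as much as the success path: a forged AUTN fails the MAC check, and an AV replayed after the USIM has already seen its SQN fails the range check.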
Summary of 3G Security Features, 5
• Data Integrity
Integrity of data and authentication of origin of signalling data must be
provided
The user and network agree on the integrity key and algorithm during AKA
and security mode set-up

Integrity protection with f9 (sender: UE or RNC; receiver: RNC or UE):
  Sender:   f9(IK; COUNT-I, MESSAGE, DIRECTION, FRESH) -> MAC-I, sent with MESSAGE
  Receiver: f9(IK; COUNT-I, MESSAGE, DIRECTION, FRESH) -> XMAC-I, compared with MAC-I
Summary of 3G Security Features, 6
• Data Confidentiality
Signalling and user data should be protected from eavesdropping
The user and network agree on the cipher key and algorithm during AKA
and security mode set-up

Ciphering with f8 (sender: UE or RNC; receiver: RNC or UE):
  Sender:   f8(CK; COUNT-C, BEARER, DIRECTION, LENGTH) -> KEYSTREAM BLOCK
            CIPHERTEXT BLOCK = PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK
  Receiver: f8(CK; COUNT-C, BEARER, DIRECTION, LENGTH) -> KEYSTREAM BLOCK
            PLAINTEXT BLOCK = CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK
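A model of the f9 integrity and f8 ciphering steps from slides 16 and 17, added as example code (not from the slides or from 3GPP). Both functions are HMAC-SHA256 stand-ins for the KASUMI-based UIA1/UIA1 algorithms, and a single counter is used for both COUNT-I and COUNT-C to keep the example short; those are assumptions of this example.

```python
import hmac
import hashlib

# Assumption: f8 and f9 are modelled with HMAC-SHA256; the standardised
# KASUMI-based f8/f9 are not implemented here.
def f9_mac(ik, count_i, fresh, direction, message):
    """Slide 16: 32-bit MAC-I over COUNT-I, FRESH, DIRECTION and MESSAGE under IK."""
    data = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]

def f8_keystream(ck, count_c, bearer, direction, length):
    """Slide 17: keystream of LENGTH bytes from CK, COUNT-C, BEARER and DIRECTION.
    Each distinct (COUNT-C, BEARER, DIRECTION) tuple yields a distinct keystream."""
    out, blk = b"", 0
    while len(out) < length:
        hdr = count_c.to_bytes(4, "big") + bytes([bearer, direction]) + blk.to_bytes(4, "big")
        out += hmac.new(ck, hdr, hashlib.sha256).digest()
        blk += 1
    return out[:length]

def f8_apply(ck, count_c, bearer, direction, data):
    """XOR with the keystream block: the same call ciphers and deciphers."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def send(ck, ik, count, bearer, direction, fresh, message):
    """Sender (UE or RNC): append MAC-I, then cipher MESSAGE || MAC-I.
    Assumption: one counter serves as both COUNT-I and COUNT-C here."""
    mac_i = f9_mac(ik, count, fresh, direction, message)
    return f8_apply(ck, count, bearer, direction, message + mac_i)

def receive(ck, ik, count, bearer, direction, fresh, ciphertext):
    """Receiver (RNC or UE): decipher, recompute XMAC-I, reject on mismatch.
    Returns the message, or None when MAC-I != XMAC-I."""
    plain = f8_apply(ck, count, bearer, direction, ciphertext)
    message, mac_i = plain[:-4], plain[-4:]
    xmac_i = f9_mac(ik, count, fresh, direction, message)
    return message if hmac.compare_digest(mac_i, xmac_i) else None
```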
Summary of 3G Security Features, 7
• IMEI
IMEI is sent to the network only after the authentication of SN
The transmission of IMEI is not protected
• User-USIM Authentication
Access to USIM is restricted to authorized users
User and USIM share a secret key, PIN
• USIM-Terminal Authentication
User equipment must authenticate USIM
• Secure Applications
Applications resident on USIM should receive secure messages over the
network
• Visibility
Indication that encryption is on
Indication what level of security (2G, 3G) is available
Summary of 3G Security Features, 8
• Configurability
The user configures which security features are activated with particular
services
Enabling/disabling user-USIM authentication
Accepting/rejecting incoming non-ciphered calls
Setting up/not setting up non-ciphered calls
Accepting/rejecting use of certain ciphering algorithms
• GSM Compatibility
GSM user parameters are derived from UMTS parameters using the
following conversion functions:
cipher key Kc = c3(CK, IK)
random challenge RAND = c1(RAND)
signed response SRES = c2(RES)
GSM subscribers roaming in a 3GPP network are supported by a
GSM security context (and are, for example, vulnerable to a false BTS)
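The conversion functions c1, c2 and c3 listed above, written out as example code for this edit (not from the slides) following their definitions in 3GPP TS 33.102 Annex C; the point to see is that a 128-bit CK and 128-bit IK fold down to a single 64-bit GSM Kc, which is why a GSM security context is weaker than the UMTS one it was derived from.

```python
def _xor(*blocks):
    """XOR any number of equal-length byte strings."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out

def c1(rand):
    """RAND[GSM] = RAND: the 128-bit UMTS challenge is reused unchanged."""
    return rand

def c2(res):
    """SRES[GSM] = RES*[1] xor RES*[2] xor RES*[3] xor RES*[4], where RES* is RES
    zero-padded to 16 bytes and split into four 4-byte words (TS 33.102 Annex C)."""
    r = res.ljust(16, b"\x00")
    return _xor(r[0:4], r[4:8], r[8:12], r[12:16])

def c3(ck, ik):
    """Kc = CK1 xor CK2 xor IK1 xor IK2 with CK = CK1 || CK2 and IK = IK1 || IK2:
    256 bits of UMTS key material collapse to a 64-bit GSM cipher key."""
    return _xor(ck[:8], ck[8:], ik[:8], ik[8:])

def gsm_context_from_umts(rand, res, ck, ik):
    """The (RAND, SRES, Kc) triplet a GSM security context derives from a UMTS AV."""
    return c1(rand), c2(res), c3(ck, ik)

def key_bits(umts_ck, umts_ik):
    """Key length before and after conversion, in bits: (UMTS CK+IK, GSM Kc)."""
    return 8 * (len(umts_ck) + len(umts_ik)), 8 * len(c3(umts_ck, umts_ik))
```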
Problems with 3G Security
• IMSI is sent in cleartext when allocating TMSI to the user

• The transmission of IMEI is not protected; IMEI is not a security feature

• A user can be enticed to camp on a false BS. Once the user camps on the radio
channels of a false BS, the user is out of reach of the paging signals of the SN

• Hijacking outgoing/incoming calls in networks with disabled encryption is
possible. The intruder poses as a man-in-the-middle and drops the user once
the call is set up

References
• 3G TS 33.120 Security Principles and Objectives
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf
• 3G TS 21.133 Security Threats and Requirements
http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF
• Michael Walker “On the Security of 3GPP Networks”
http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf
• Redl, Weber, Oliphant “An Introduction to GSM”
Artech House, 1995
• Joachim Tisal “GSM Cellular Radio Telephony”
John Wiley & Sons, 1997
• Lauri Pesonen “GSM Interception”
http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html
• 3G TR 33.900 A Guide to 3rd Generation Security
ftp://ftp.3gpp.org/TSG_SA/WG3_Security/_Specs/33900-120.pdf
• 3G TS 33.102 Security Architecture
ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33102-370.zip
• 3G TR 21.905 Vocabulary for 3GPP Specifications
http://www.quintillion.co.jp/3GPP/Specs/21905-010.pdf
