GSM and UMTS Security

Vishal Prajapati (08305030)Vishal Sevani (07405010)

Om Pal (07405702)Sudhir Rana (05005002)

GSM Security Architecture

Homenetwork

Switching and

routing

Other Networks (GSM, fixed, Internet, etc.)

Visited network

HLR/AuCVLR

SIM

GSM Security Features• Authentication

– network operator can verify the identity of the subscriber making it infeasible to clone someone else’s mobile phone

• Confidentiality– protects voice, data and sensitive signalling information (e.g.

dialled digits) against eavesdropping on the radio path• Anonymity

– protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path

GSM Authentication ProtocolMSC orSGSN

HLR/AuCSIM

RAND

RES

{RAND, XRES, Kc}

Authentication Data Request A3 A8

Ki RAND

Kc

Kc RES

A3 A8

Ki RAND

XRES

RES = XRES?

Encryption in GSM

GSM Encryption Principles

• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS)– protects user traffic and sensitive signalling data against

eavesdropping– extends the influence of authentication to the entire

duration of the call• Uses the encryption key (Kc) derived during

authentication

GSM User Identity Confidentiality

• User identity confidentiality on the radio access link– temporary identities (TMSIs) are allocated and used

instead of permanent identities (IMSIs)• Helps protect against:

– tracking a user’s location– obtaining information about a user’s calling pattern

IMSI: International Mobile Subscriber IdentityTMSI: Temporary Mobile Subscriber Identity

Specific GSM Security Problems

• The GSM cipher A5/2– A5/2 is now so weak that the cipher key can

be discovered in near real time using a very small amount of known plaintext

– Aim find the initial internal state of the registers.• Each frame in - 4.615 ms• So 2^8 frames in a sec.• After finding the initial state go backward and can

generate Kc

False Base Station Attack(1)

• Compromises User Identity Confidentiality

• Force MS to send IMSI• Cipher mode fault

False Base Station Attack(2)

• Active attack• IDENTITY REQUEST• Compromises User Data

Confidentiality

Source: LiTH-ISY-EX-3559-2004

Accessing Signaling network• No requirement of

decrypting skills• Need a instrument

that captures microwave

• Gains control of communication between MS and intended receiver

UMTS Security Mechanisms

Limitations of GSM Security

• Design only provides access security - communications and signalling in the fixed network portion aren’t protected

• Design does not address active attacks, whereby network elements may be impersonated

• Design goal was only ever to be as secure as the fixed networks to which GSM systems connect

• Short key size of Kc (64 bits) makes it more vulnerable to various attacks

Enhancements in UMTS vs GSM

• Mutual Authentication• provides enhanced protection against false base

station attacks by allowing the mobile to authenticate the network

• Data Integrity• provides enhanced protection against false base

station attacks by allowing the mobile to check the authenticity of certain signalling messages

• Network to Network Security• Secure communication between serving networks.

MAPSEC or IPsec can be used

UMTS Enhancements (contd)

• Wider Security Scope• Security is based within the RNC rather than

the base station

• Flexibility• Security features can be extended and

enhanced as required by new threats and services

• Longer Key Length• Key length is 128 as against 64 bits in GSM

HLRHLR AuCAuC

Access Network(UTRAN)

VisitedNetwork

User Equipment

D

RNCBTSUSIMUSIM MEME

SGSNSGSN

HMSCMSC

HomeNetwork

(2) Authentication

(1) Distribution of authentication vectors

UMTS Radio Access Link Security

(4) Protection of the access link (ME-RNC)

(3) CK,IK (3) CK, IK

MSC – circuit switched services

SGSN – packet switched services

Authentication and Key Agreement

• Mutual Authentication between user and the network

• Establishes a cipher key and integrity key

• Assures user that cipher/integrity keys were not used before, thereby providing protection against replay attacks

Authentication and Key Agreement

Authentication and Key Agreement

UMTS Integrity Protection Principles

• Protection of some radio interface signalling• protects against unauthorised modification, insertion and replay of

messages• applies to security mode establishment and other critical signalling

procedures • Helps extend the influence of authentication when encryption

is not applied• Uses the 128-bit integrity key (IK) derived during

authentication• Integrity applied at the Radio Resource Control (RRC) layer of

the UMTS radio protocol stack• signalling traffic only

Integrity and authentication of origin of signalling data provided. The integrity algorithm (KASUMI) uses 128 bit key and generates 64 bit message authentication code.

Integrity CheckIntegrity Check

UMTS Encryption Principles

• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Radio Network Controller (RNC)

• protects user traffic and sensitive signalling data against eavesdropping

• extends the influence of authentication to the entire duration of the call

• Uses the 128-bit encryption key (CK) derived during authentication

Encryption

Signaling and user data protected from eavesdropping. Secret key, block cipher algorithm (KASUMI) uses 128 bit cipher key.

Protection Against Active Attacks

False Base Station Attack(1)

• Compromises User Identity Confidentiality

Reason

• No provision to ascertain the origin of information ie. lack of integrity check

False Base Station Attack(2)

• Exploits – user data confidentiality

Reason • No provision to ascertain

the origin of information ie. lack of integrity check

Source: LiTH-ISY-EX-3559-2004

False Base False Base Station AttackStation Attack

SolutionSolution

• Use of Integrity Use of Integrity CheckCheck

• After AKA SRNC After AKA SRNC sends integrity sends integrity protected message protected message containing security containing security capabilities of the capabilities of the ME, which the ME, which the mobile verifies to mobile verifies to ensure there is no ensure there is no foul playfoul play

Lack of Network Domain Security

• No security for communication between network elements in GSM

• Easy to gain access to sensitive information such as Kc

• Network Domain Security in UMTS foils these attacks

Summary of UMTS Security

UMTS builds upon security mechanisms of GSM, and in addition provides following enhancements,

Encryption terminates at the radio network controller Mutual authentication and integrity protection of critical

signalling procedures to give greater protection against false base station attacks

Longer key lengths (128-bit) Network Domain Security using MAPSEC or IPSec

References• UMTS security, Boman, K. Horn, G. Howard, P. Niemi, V.

Electronics & Communication Engineering Journal, Oct 2002, Volume: 14, Issue:5, pp. 191- 204

• "Evaluation of UMTS security architecture and services“, A. Bais, W. Penzhorn, P. Palensky, Proceedings of the 4th IEEE International Conference on Industrial Informatics, p. 6, Singapore, 2006

• UMTS Security, Valtteri Niemi, Kaisa Nyberg, published by John Wiley and Sons, 2003

• GSM-Security: a Survey and Evaluation of the Current Situation, Paul Yousef, Master’s thesis, Linkoping Institute of Technology, March 2004

• GSM: Security, Services, and the SIM Klaus Vedder, LNCS 1528, pp. 224-240, Springer-Verlag 1998

• Instant ciphertext-only cryptanalysis of GSM encrypted communication, Elad Barkan, Eli Biham, Nathan Keller, Advances in Cryptology – CRYPTO 2003