Kumar gunjan 20160213 mobile communication security

Mobile Communication and its Security Analysis
by K Gunjan

Agenda

• Evolution of mobile communication
• 1G technology
• 2G technology
• GSM architecture
• GSM channels
• SIM
• Sharing spectrum
• Authentication and encryption scheme
• GSM calling sequence
• GSM called sequence
• Security issues

Evolution of Mobile Comm

• Ancient times: light used for communication, e.g. ships, beacons
• 150 BC: smoke signals (colour/strength)
• 1794: optical telegraphy
• 1877: first wireline telephone
• 1895: wireless telegraphy
• 1915: wireless voice transmission (AM)
• 1928: TV broadcast
• 1933: FM patented; FM radios in the 1950s

Evolution of Mobile Comm

• 1946: Mobile Telephone Service (MTS) introduced in the Bell System, used in St. Louis; device weight 36 kg; calls set up by an operator; only 3 channels for the whole metro area
• 1960: Bell Labs -> cellular concept
• 1970: mobile user <=> PSTN

System: IMTS (Improved Mobile Telephone Service)
• Reduced size and weight
• Eliminated setup by an operator
• 32 channels across 3 bands, 450-470 MHz

Other wireless systems:
• Push to talk (PTT)
• AMTS (Advanced Mobile Telephone System)
• etc.

These were also called mobile radio systems.

1G technology

=> Deployed in the early 1980s
1. AMPS (Advanced Mobile Phone System): developed and deployed in the USA
2. NMT (Nordic Mobile Telephone System): developed and deployed in the Scandinavian countries
3. TACS (Total Access Communication System): developed in the UK, deployed in Europe

1G technology
• All analog
• FDMA + FM
• Only voice
• Poor voice quality
• Poor battery life
• Large phone size
• Poor handoff reliability
• No roaming, even between two networks of the same technology

1G technology: no security

• Analog signals do not allow advanced encryption methods, hence there is no security
• FM receivers (scanners) can be used to listen in on any conversation
• Anyone could collect a large database of subscriber identities by driving around, because the identifiers are transmitted in the clear, and then go into business reprogramming stolen phones with them and reselling them
• Airtime thefts were also reported

2G technology

• Deployed in the early 90s
• Three popular systems: GSM, D-AMPS and cdmaOne/IS-95
• Digital systems
• SMS
• MMS (multimedia messages)
• Data service: GPRS, 64 kbps
• Roaming
• Voice encryption provision
• Better security

GSM

GSM is the most popular 2G technology. It was developed in Europe as a European (ETSI) standard.

Low data rate: 9.6 kbps (circuit-switched data)

Higher data rates on top of 2G:
• GPRS (General Packet Radio Service), 2.5G: 171 kbps theoretical (about 50 kbps in practice)
• EDGE (Enhanced Data Rates for GSM Evolution), 2.75G: 473.6 kbps theoretical (about 100 kbps in practice)

GSM

New network elements required to achieve the higher data rates:

Serving GPRS Support Node (SGSN): the SGSN handles all packet-switched data within the network and is responsible for authentication and tracking of the users. For packet traffic it performs the same functions as the MSC does for voice traffic.

Gateway GPRS Support Node (GGSN): the GGSN is the interface from the GSM/GPRS network to external (IP) networks. The GGSN is also responsible for the allocation of IP addresses.

GSM ARCHITECTURE (diagram)

Service elements shown: provisioning & billing/CRM, CDR archive, CRBT system, USSD gateways, STP, MNP D/B, USAU, SMP voucher centers, OMC.

Architecture from the network perspective (diagram): MPLS, routers, E1s, STP, GSM links.

Motivation

Understand the system, and look for CIA (confidentiality, integrity, availability).

GSM ARCHITECTURE (diagram)

GSM Protocol stack (diagram)

Sharing Spectrum

GSM uses TDMA & FDMA (diagram)

GSM channels (diagram)

Subscriber Identification Module (SIM)

• Smart card: a single-chip computer containing an OS, a file system and applications
• Protected by a PIN
• Owned by the operator (i.e. trusted by the operator)
• SIM applications can be written with the SIM Toolkit
• Contains the PIN, Ki and Kc
• Contains the A3 and A8 algorithms (the A5 cipher runs in the handset, not on the SIM)

Authentication and Encryption Scheme (diagram)

Mobile Station (SIM) | Radio Link | GSM Operator
• Both sides hold Ki and run A3, A8 and A5.
• Challenge RAND (128 bit) is sent from the operator to the mobile station.
• A3(Ki, RAND) -> signed response SRES (32 bit) on both sides; the mobile station returns its SRES.
• Authentication: are the SRES values equal?
• A8(Ki, RAND) -> Kc (64 bit) on both sides.
• A5(Kc, Fn) turns mi into encrypted data over the radio link; the other side recovers mi.

Authentication and Encryption Scheme

• A3 input: 128-bit RAND random challenge, 128-bit secret key Ki
• A3 output: 32-bit SRES signed response
• A8 input: 128-bit RAND random challenge, 128-bit secret key Ki
• A8 output: 64-bit cipher key Kc, used for A5

Only the network compares SRES values; nothing in the exchange lets the mobile verify that the challenge came from its own operator.
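The scheme above, simulated end to end in Python as an added example (this is not code from the slides). The real A3/A8 are operator-specific (the COMP128 family) and A5/1 is a hardware stream cipher, none of which the deck specifies, so HMAC-SHA256 stands in for all three; RAND, Ki, SRES and Kc keep the bit sizes given on the slide. The IMSI, Ki and frame number are constructed sample values.

```python
import hashlib
import hmac
import os

# Byte sizes from the slide: RAND 128 bit, Ki 128 bit, SRES 32 bit, Kc 64 bit.
RAND_LEN, KI_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in (assumption: truncated HMAC-SHA256). Ki, RAND -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: Ki, RAND -> 64-bit cipher key Kc, handed to A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


def a5_keystream(kc: bytes, fn: int, length: int) -> bytes:
    """A5 stand-in: keystream from Kc and the TDMA frame number Fn, so the
    same Kc yields a different keystream on every frame."""
    out = b""
    block = 0
    while len(out) < length:
        msg = fn.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def a5_xor(kc: bytes, fn: int, data: bytes) -> bytes:
    """Encipher or decipher one burst: XOR with the frame keystream (symmetric)."""
    return bytes(d ^ k for d, k in zip(data, a5_keystream(kc, fn, len(data))))


class SIM:
    """Subscriber side. Ki never leaves the card; only SRES comes out, Kc is kept."""

    def __init__(self, ki: bytes):
        if len(ki) != KI_LEN:
            raise ValueError("Ki must be 128 bits")
        self._ki = ki
        self.kc = None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        # The card answers any well-formed RAND from anyone: nothing here lets the
        # mobile check that the challenge really came from its own operator.
        if len(rand) != RAND_LEN:
            raise ValueError("RAND must be 128 bits")
        self.kc = a8_kc(self._ki, rand)
        return a3_sres(self._ki, rand)


class AuC:
    """Operator side: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self, ki_by_imsi: dict):
        self._ki_by_imsi = ki_by_imsi

    def triplet(self, imsi: str, rand: bytes = None):
        rand = rand if rand is not None else os.urandom(RAND_LEN)
        ki = self._ki_by_imsi[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


def authenticate(auc: AuC, imsi: str, sim: SIM, rand: bytes = None):
    """MSC/VLR view of step 3 of the call sequence: send RAND, compare SRES,
    and only on success release Kc so the BSS can switch ciphering on."""
    rand, sres_expected, kc_network = auc.triplet(imsi, rand)
    sres = sim.run_gsm_algorithm(rand)  # over the air: RAND down, SRES up
    ok = hmac.compare_digest(sres, sres_expected)
    return ok, (kc_network if ok else None)


def demo():
    # Constructed sample values, not real subscriber data.
    imsi = "001010123456789"
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    sim, auc = SIM(ki), AuC({imsi: ki})
    ok, kc = authenticate(auc, imsi, sim)
    plain = b"mi: speech burst over the TCH"
    cipher = a5_xor(kc, 1234, plain)            # network side, frame number 1234
    recovered = a5_xor(sim.kc, 1234, cipher)    # mobile side, same Fn
    clone_ok, _ = authenticate(auc, imsi, SIM(bytes(KI_LEN)))  # wrong Ki is rejected
    return ok, recovered == plain, cipher != plain, clone_ok


if __name__ == "__main__":
    print(demo())
```

Running the block prints (True, True, True, False): the genuine card authenticates and both ends derive the same Kc, a burst round-trips through the A5 stand-in, and a card holding the wrong Ki fails the SRES comparison. What the code cannot do is just as instructive: the SIM computes SRES for whatever RAND it is handed, which is the one-way property that the man-in-the-middle attacks listed at the end of the deck rely on.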

GSM Basic Call Sequence

The calling MS and the called MS follow two independent flows. The calling party's flow begins with a channel request and ends with the completion of TCH assignment. In general, the calling party goes through the following stages: access, authentication and ciphering, and TCH assignment. We therefore take the mobile-to-land sequence as the example, and in this sequence we concentrate on the calling party.

Mobile to Land Sequence (MS - BSS - MSC - VLR - HLR - PSTN)

1 CHANNEL REQUEST <RACH>; DCCH ASSIGN <AGCH>; signalling link established on the <SDCCH>
2 REQ. FOR SERVICE (CRCC) from the MS to the MSC/VLR
3 AUTHENTICATION (RAND/SRES exchange), then SET CIPHER MODE
4 SET-UP <SDCCH> carrying the call info; the MSC asks the VLR for the subscriber data (SFOC, send info for outgoing call)
5 EQUIP. ID REQ. (IMEI check)
6 COMPLETE CALL from the VLR; CALL PROCEEDING <SDCCH> to the MS
7 ASSIG. COMMAND <SDCCH>; ASSIG. COMPLETE <FACCH> once the traffic circuit is assigned
8 Initial and Final Address Message (IFAM) from the MSC to the PSTN; Address Complete (ACM) back from the PSTN; ALERTING <FACCH>: the MS hears the ring tone from the land phone
9 Answer (ANS) from the PSTN; CONNECT <FACCH>: the ring tone stops
10 CONNECT ACKNOWLEDGE <FACCH>; speech on the <TCH>: HELLO! BILLING STARTS.

GSM Basic Call Sequence

For the called party, the flow begins when the MSC sends a paging command to the called party and ends when the two parties start talking. In general, this call flow includes the following stages: access, authentication and ciphering, TCH assignment, talking, and release.

Land to Mobile Sequence (PSTN - GMSC - HLR - VLR - MSC - BSS - MS)

1 Initial and Final Address Message from the PSTN to the GMSC (carries the MSISDN)
2 Send Routing Info: GMSC to HLR (MSISDN); HLR to VLR (IMSI); the VLR returns an MSRN
3 Routing Info Ack: HLR to GMSC (MSRN)
4 Initial and Final Address Message from the GMSC to the MSC (MSRN); Send Info For I/C Call Setup: MSC to VLR, which returns the LAI & TMSI
5 Page: MSC to BSS; Paging Request <PCH> addressed by TMSI
9 Assignment Command; Assignment Complete (channel, circuit) <FACCH>; Alert <TCH>; Address Complete to the PSTN: ring tone at the land phone
10 Connect <FACCH> when the subscriber picks up; Connect ACK; ANS to the PSTN: ringing stops at the land phone; speech on the <TCH>: Hello... Billing starts.
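The two call sequences above are a fixed message order, and the security-relevant part of that order is where authentication and cipher mode sit: before SET-UP, so the call information never crosses the SDCCH in the clear, and before any speech on the TCH. As an added example (not code from the slides), here is a small Python checker that parses traces written in the slides' own "<step> <MESSAGE> <CHANNEL>" notation and flags departures from the mobile-to-land ordering. Both traces are constructed: the first copies the slide sequence, the second is the same call with the cipher mode step missing, which is what a trace from a base station that never turns ciphering on looks like.

```python
import re

# Constructed traces in the slides' notation; not captures from a real network.
MO_CALL_TRACE = """
1 CHANNEL REQUEST <RACH>
1 DCCH ASSIGN <AGCH>
2 REQ. FOR SERVICE <SDCCH>
3 AUTHENTICATION <SDCCH>
3 SET CIPHER MODE <SDCCH>
4 SET-UP <SDCCH>
5 EQUIP. ID REQ. <SDCCH>
6 CALL PROCEEDING <SDCCH>
7 ASSIG. COMMAND <SDCCH>
7 ASSIG. COMPLETE <FACCH>
8 ALERTING <FACCH>
9 CONNECT <FACCH>
10 CONNECT ACKNOWLEDGE <FACCH>
10 SPEECH <TCH>
"""

# Same call, but the network never issued SET CIPHER MODE.
NO_CIPHER_TRACE = MO_CALL_TRACE.replace("3 SET CIPHER MODE <SDCCH>\n", "")

LINE_RE = re.compile(r"^(\d+)\s+(.+?)\s*<([A-Z]+)>$")

# (earlier, later): the later message must not appear before the earlier one.
ORDERING = [
    ("AUTHENTICATION", "SET CIPHER MODE"),
    ("SET CIPHER MODE", "SET-UP"),          # call info travels on a ciphered SDCCH
    ("ASSIG. COMPLETE", "ALERTING"),        # traffic circuit exists before ringing
    ("CONNECT", "CONNECT ACKNOWLEDGE"),
    ("CONNECT ACKNOWLEDGE", "SPEECH"),      # nothing on the TCH before connect ack
]

# Channel each message is shown on in the slides.
EXPECTED_CHANNEL = {
    "CHANNEL REQUEST": "RACH",
    "DCCH ASSIGN": "AGCH",
    "SET-UP": "SDCCH",
    "ALERTING": "FACCH",
    "CONNECT": "FACCH",
    "SPEECH": "TCH",
}


def parse_trace(text: str):
    """Turn the slide notation into (step, message, channel) tuples."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        events.append((int(m.group(1)), m.group(2).upper(), m.group(3)))
    return events


def check_sequence(events):
    """Return the list of violations; an empty list means the trace matches the slides."""
    violations = []
    seen = set()
    for step, msg, ch in events:
        expected = EXPECTED_CHANNEL.get(msg)
        if expected and ch != expected:
            violations.append(f"{msg} (step {step}) on {ch}, expected {expected}")
        for earlier, later in ORDERING:
            if msg == later and earlier not in seen:
                violations.append(f"{later} (step {step}) before {earlier}")
        seen.add(msg)
    return violations


def billing_start_step(events):
    """Billing starts at CONNECT ACKNOWLEDGE; None if the call never got there."""
    for step, msg, _ in events:
        if msg == "CONNECT ACKNOWLEDGE":
            return step
    return None


if __name__ == "__main__":
    for name, trace in (("slide sequence", MO_CALL_TRACE),
                        ("cipher step skipped", NO_CIPHER_TRACE)):
        ev = parse_trace(trace)
        print(name, check_sequence(ev) or "OK",
              "billing from step", billing_start_step(ev))
```

The slide trace passes cleanly and billing is reported from step 10; the second trace produces exactly one finding, SET-UP at step 4 before SET CIPHER MODE, which is the check a practitioner watching the air interface actually wants.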

Attacks on GSM

• OsmocomBB sniffing
• MITM attack on calls
• MITM attack on SMS
• Attack using a data card
• ...
