GSM Network Security's Research Project
By: Jamshid Rahimi, Sisouvanh Vanthanavong
Friday, February 20, 2009
Contents
• GSM Overview
• GSM Architecture
• GSM Security Architecture
  • Anonymity
  • Authentication
  • Confidentiality
• GSM Authentication Protocol
• GSM Security Flaws
  • Crypto Flaws
  • Invalid Assumptions
  • SIM Attacks
  • Fake base station
• GSM Conclusions
GSM Overview: GSM introduction & history
- GSM: Global System for Mobile communication
- GSM frequency bands are used by the 2G and 3G networks
- 1982 Beginning of GSM (Groupe Spéciale Mobile)
- 1986 GSM radio standard
- 1987 Groupe Spéciale Mobile (in French) changed to Global System for Mobile communication
- 1989 The European Telecommunications Standards Institute accepted GSM as the digital cellular telephony standard
- 1990 Phase 1 GSM 900 specification
- 1991 First GSM 900 network demonstrated
- 1994 First GSM networks in Africa
- 1995 GSM phase 2 standardization completed
- 1999 First GPRS network
- 2001 More than 500 million people are GSM users
Source: http://www.cellular.co.za/gsmhistory.htm
GSM Architecture
- The mobile is a cell phone.
- The air interface is the wireless link that carries transmissions from the cell phone to a base station.
- The visited network includes multiple base stations and a base station controller.
GSM Architecture (continued)
- The PSTN is also referred to as "land lines" to distinguish it from the wireless network.
- The home network includes a home location register, or HLR.
- The authentication center, or AuC, maintains the crucial billing information for all mobiles for which this particular home network is home.
GSM Architecture (continued)
GSM Architecture (continued)
- A GSM mobile phone contains a Subscriber Identity Module, or SIM.
- The SIM includes an International Mobile Subscriber ID, or IMSI.
- The SIM also contains a 128-bit key. This key is universally known as Ki.
GSM security architecture
The primary security goals set forth by the designers of GSM were:
- Make GSM as secure as ordinary telephones
- Prevent cell phone cloning
• GSM was not designed to resist an active attack. At the time, active attacks were considered infeasible.
• The designers of GSM considered the biggest threats to be insecure billing, corruption, and similar low-tech attacks.
GSM security architecture
GSM security addresses three concerns:
- Anonymity: the anonymity goal for GSM is to prevent intercepted traffic from being used to identify the caller.
- Authentication: correct authentication is necessary for proper billing. Cloning is one of the failures it must prevent.
- Confidentiality: confidentiality of calls over the air interface is important to both customers and the company.
Anonymity
- GSM provides a very limited form of anonymity.
- The IMSI is used to initially identify the caller; then a Temporary Mobile Subscriber ID (TMSI) is assigned to the caller.
- The TMSI is subsequently used to identify the caller.
- The net effect is that anonymity depends on an attacker not capturing the initial part of the call, where the IMSI is passed.
- In practice, though, picking the IMSI out of captured traffic is not easy.
Authentication
• In GSM, the caller is authenticated to the base station, but the authentication is not mutual.
• GSM authentication employs a challenge-response mechanism.
• Mobile -> BS -> HLR
• Ki, which corresponds to the caller's IMSI, is known to the HLR.
• The HLR generates RAND and computes the "expected response," XRES = A3(RAND, Ki).
• The BS sends RAND to the mobile.
• The mobile responds with SRES = A3(RAND, Ki).
• The HLR checks that SRES = XRES.
• Ki never leaves the HLR.
Confidentiality
• GSM uses a stream cipher to encrypt the data.
• The cell phone environment has a high error rate, typically about 1 in 1,000 bits.
• With a block cipher, each transmission error causes one or two entire plaintext blocks to be garbled (depending on the mode), while a stream cipher garbles only those plaintext bits corresponding to the specific ciphertext bits that are in error.
• The encryption key is denoted Kc.
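The error-propagation argument above can be checked directly. The following is an added example, not code from the slides or from the GSM specifications: a stream cipher stand-in (SHA-256 in counter mode, not A5/1) and a toy 4-round Feistel block cipher run in CBC mode (both constructed for this demonstration). One ciphertext bit is flipped in transit, as a noisy air interface would do, and the number of garbled plaintext bits is counted for each cipher. The names `stream_xor`, `cbc_encrypt`, `cbc_decrypt` and `propagation` are this example's own.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (constructed; not a GSM parameter)


def _keystream(key: bytes, n: int) -> bytes:
    """Stream-cipher stand-in: SHA-256 in counter mode (assumption, not A5/1)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, len(data))))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: hash of key, round index and one half-block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block cipher on one BLOCK-byte block (constructed)."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the rounds in reverse order."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC mode: each plaintext block is XORed with the previous ciphertext block."""
    assert len(pt) % BLOCK == 0, "example plaintext is kept block-aligned"
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def _flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate one transmission error: flip a single ciphertext bit."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def _diff_bits(a: bytes, b: bytes) -> list:
    """Indices of the bits that differ between two equal-length byte strings."""
    return [i * 8 + j for i, (x, y) in enumerate(zip(a, b))
            for j in range(8) if (x ^ y) >> j & 1]


def propagation(flip_bit: int, key: bytes = b"constructed-key",
                iv: bytes = bytes(BLOCK)) -> dict:
    """Flip one ciphertext bit in transit and report which plaintext bits are garbled."""
    pt = bytes(range(64))  # constructed 64-byte plaintext = 8 toy blocks
    # Stream cipher: the error stays confined to the one corrupted bit.
    pt_s = stream_xor(key, _flip_bit(stream_xor(key, pt), flip_bit))
    # Block cipher in CBC: the whole block is garbled and one bit of the next flips.
    pt_b = cbc_decrypt(key, iv, _flip_bit(cbc_encrypt(key, iv, pt), flip_bit))
    block_bits = _diff_bits(pt, pt_b)
    return {
        "stream_garbled_bits": _diff_bits(pt, pt_s),
        "block_garbled_bits": block_bits,
        "block_garbled_blocks": sorted({b // (BLOCK * 8) for b in block_bits}),
    }


if __name__ == "__main__":
    r = propagation(3 * 64 + 5)  # corrupt bit 5 of ciphertext block 3
    print("stream cipher garbled bits:", len(r["stream_garbled_bits"]))
    print("CBC block cipher garbled bits:", len(r["block_garbled_bits"]),
          "in blocks", r["block_garbled_blocks"])
```

With a 1-in-1,000 bit error rate and 64-bit toy blocks, nearly every block of CBC traffic would be hit, so the slide's preference for a stream cipher over a block cipher follows directly from the propagation counts this example reports.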
Authentication & Encryption
1 & 2. IMSI
3. Kc = A8(RAND, Ki) (encryption algorithm); XRES = A3(RAND, Ki) (authentication …)
5. The mobile uses RAND and Ki to compute SRES and Kc
6. A5(Kc): Kc is the shared symmetric key
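The two authentication slides above describe one protocol run: the HLR derives XRES and Kc from RAND and Ki, the base station relays RAND to the mobile, and the SIM answers with SRES. The following is an added example that is not from the slides or from any GSM implementation. HMAC-SHA256, truncated to the GSM output sizes (32-bit SRES, 64-bit Kc), stands in for the real A3/A8 (COMP128 in most networks); the class names `HLR`, `SIM`, `BaseStation` and the IMSI value are this example's own constructions. The demo also authenticates a second SIM that carries the same IMSI but a different Ki, which is how a cloning attempt without the real Ki fails the challenge.

```python
import hashlib
import hmac
import os


def a3(rand: bytes, ki: bytes) -> bytes:
    """Authentication function: 32-bit SRES/XRES from RAND and Ki.
    Assumption: HMAC-SHA256 stands in for the real A3."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(rand: bytes, ki: bytes) -> bytes:
    """Key-generation function: 64-bit Kc from RAND and Ki (same stand-in)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class HLR:
    """Home network (HLR/AuC). Ki is stored here and never handed out."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str):
        """Return (RAND, XRES, Kc); only RAND and SRES ever cross the air."""
        rand = os.urandom(16)
        ki = self._ki[imsi]
        return rand, a3(rand, ki), a8(rand, ki)


class SIM:
    """Subscriber side: the IMSI plus the 128-bit Ki burned into the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def challenge(self, rand: bytes) -> bytes:
        """Compute SRES to send back and Kc to keep for A5 encryption.
        The SIM accepts any RAND: nothing in this step authenticates the
        network to the mobile, which is the one-sidedness the slides note."""
        self.kc = a8(rand, self._ki)
        return a3(rand, self._ki)


class BaseStation:
    def __init__(self, hlr: HLR):
        self.hlr = hlr

    def authenticate(self, sim: SIM):
        """Challenge-response: returns Kc on success, None on failure."""
        rand, xres, kc = self.hlr.triplet(sim.imsi)
        sres = sim.challenge(rand)  # air interface: RAND out, SRES back
        if hmac.compare_digest(sres, xres):
            return kc  # BS and mobile now share Kc for A5 without it crossing the air
        return None


def demo() -> dict:
    hlr = HLR()
    imsi = "262011234567890"            # constructed IMSI
    ki = os.urandom(16)                  # constructed 128-bit subscriber key
    hlr.provision(imsi, ki)
    bs = BaseStation(hlr)
    genuine = SIM(imsi, ki)
    clone = SIM(imsi, os.urandom(16))    # same IMSI, wrong Ki
    kc_genuine = bs.authenticate(genuine)
    kc_clone = bs.authenticate(clone)
    return {
        "genuine_ok": kc_genuine is not None and kc_genuine == genuine.kc,
        "clone_ok": kc_clone is not None,
    }


if __name__ == "__main__":
    print(demo())  # genuine SIM authenticates; clone with wrong Ki does not
```

The structure makes the slides' point about Ki explicit: `HLR.triplet` is the only place Ki is read on the network side, and the mobile never transmits Kc, so a passive listener on the air interface sees RAND and SRES but obtains neither Ki nor the session key.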
GSM Security Flaws
There are cryptographic flaws, and there are protocol flaws as well. Attacks on GSM are due to invalid security assumptions made by the original designers of GSM.
GSM Security Flaws: Crypto Flaws
- Hashes: A3 and A8 both rely on a hash function known as COMP128, which can be broken with 150,000 chosen plaintexts.
- A seller can determine Ki before selling the SIM and clone it later.
GSM Security Flaws: Invalid Assumptions
- A GSM phone call is encrypted between the mobile and the base station, but not from the base station to the base station controller.
- Nowadays the link between the BS and the BSC is over a microwave link.
- Since microwave is a wireless medium, it is possible for an attacker to eavesdrop on unprotected calls over this link.
GSM Security Flaws: SIM Attacks
- Ki is the concern here.
- In one attack, known as optical fault induction, an attacker could force a SIM card to divulge its Ki by using an ordinary flashbulb [209].
- Partitioning attacks
GSM Security Flaws: Fake Base Station
1st: There is no mutual authentication.
2nd: The BS decides whether to encrypt voice or not.
GSM Conclusions
- GSM is a security failure, though it is certainly a commercial success.
- But GSM did achieve its security design goals relative to the PSTN:
  - First goal: eliminate cloning and be as secure as the PSTN.
  - Second goal: the GSM air interface has the fake base station problem, but the PSTN has wiretapping.
- The real problem with GSM security is that the initial design goals were too limited.
- The major insecurities in GSM include weak crypto, SIM issues, the fake base station attack, and a total lack of replay protection.