1 / 21

Topics In Information Security

Topics In Information Security. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. Elad Barkan Eli Biham Nathan Keller. Presented by Idan Sheetrit idanshee@post.tau.ac.il. Introduction.

kenton
Télécharger la présentation

Topics In Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Elad Barkan Eli Biham Nathan Keller Presented by Idan Sheetrit idanshee@post.tau.ac.il

  2. Introduction • GSM is the most widely used cellular system in the world (over a billion customers). • Based on second generation cellular technology (offer digitalized voice). • GSM was the first cellular system which seriously considered security threats. • GSM was influenced by the political atmosphere around cryptology at the 1980s (did not allow civilians to use strong cryptography). • Protect only the air interface.

  3. AuC BTS BTS GSM structure MSC BSC ISDN/ PSTN Modem/ TA Internet BSC - Base Station Controller BTS - Base Transceiver Station MSC - Mobile Switching Center AuC - Authentication Centre TA - Terminal Adapter

  4. Challenge RAND Signed response (SRES) SRES SRES A3 A3 Kc Kc A8 A8 Authentication: are SRES values equal? Fn Fn A5 A5 mi mi Encrypted Data GSM Security Mobile Station Radio Link GSM Operator • Ki – pre-shared secret • A3,A8 – One way functions. • A5/0 – no encryption. A5/1 – export restricted. A5/2 – for export (weaker) SIM Ki Ki

  5. Description of A5/2 The key setup of A5/2:

  6. Description of A5/2 (2) • First initialize A5/2 with Kc and f. • Run A5/2 for 99 cycles • Run A5/2 for 228 cycles and use the output as keystream. • First 114 bits is used as a keystream to encrypt the downlink and the second half of 114 bits is used for the uplink.

  7. Previous work • A5/1 and A5/2 was reversed engineered • Several Known-plaintext attacks were published • The best attack requires only four plaintext data frames.

  8. Ciphertext-Only Attack on A5/2 • GSM must use error correction to withstand reception errors. • During transmission a message is first subjected to an error-correction code, Then encrypted. • Structured redundancy in the message, Can be used for ciphertext-only attack.

  9. Ciphertext-Only Attack on A5/2 • Coding and interleaving operations can be modeled as a multipication of the message by constant matrix. • P - 184 bit message • G – constant 456x184 matrix over GF(2) • g – constant vector • M = (G · P) xor g (divided into 4 data frames) • G is binary matrix so there are 456-184=272 equations that describe the kernel of the inverse transformation. • H – the matrix that describes these 272 equations i.e. H·(M xor g) = 0

  10. Ciphertext-Only Attack on A5/2 • C = M xor k (k is the keystream) • H·(C xor g) = H·(M xor k xor g) = H·(M xor g) xor H·k = 0 xor H·k = H·k • C known, so we have linear equations over the bits of k.

  11. SIM MSC AuC RAND Ki A3 A8 XRES Kc RAND Ki A3 A8 Kc RES GSM Service Request and Authentication Protocol Service Req Ack (Use A5/1) Authentication Data Request {RAND, XRES, Kc} AUTHREQ(RAND) SRES = XRES? AUTHREQ(SRES) Cipher

  12. Phone Attacker Class-Mark Attack An attacker can change the class-mark information that the phone sends to the network. Network Service Req (A5/1) Service Req (A5/2) Use A5/2 The signal of the attacker must override the phone signal or by man-in-the-middle attack.

  13. SIM Attacker RAND Ki A3 A8 Kc RES Recovering Kc of Past or Future Conversations The protocol doesn’t provide any key separation (all encryption algorithms use the same key) An attacker can use a fake base station and instruct the phone to use A5/2 and then easily resolve Kc (Future Conversation Attack). If an attacker recorded the conversation he can sends the recorded RAND to the phone. RAND If the attacker has access to the sim he can easily get Kc. RES If he doesn’t he can instruct the phone to use A5/2. Use A5/2 Cipher (A5/2)

  14. Victim Attacker Network RAND Ki Find A5/2 key A3 A8 Kc RES Man in the middle attack RAND RAND RES CIPHMODCMD:A5/2 CIPHMODCMD (Encrypted) RES CIPHMODCMD:A5/1 CIPHMODCMD (Encrypted)

  15. Attacks Scenarios • Call Wire-Tapping • Call Hijacking • Alerting of Data Messages (SMS) • Call Theft – Dynamic Cloning

  16. Protocol Weakness • Authentication protocol can execute at the beginning of the call. The phone cannot ask for authentication. In case that there is no authentication Kc stays as in previous conversation • The network chooses the encryption algorithm (the phone only reports the ciphers it support) • The class-mark message is not protected. • There is no mechanism that authenticates the network to the phone • No key separation between the algorithms or method of communication • RAND reuse is allowed

  17. Acquire a Specific Victim • GSM includes a mechanism that is intended to provide protection on the identity of the mobile phone. • Each subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI) over an encrypted link • The TMSI can be reallocated every once in a while in particular when there is a change in the location. • TMSI used to page on incoming calls and for identification during un-encrypted parts. • The fixed identification of the subscriber is its International Mobile Subscriber Identity (IMSI) • If both TMSI and IMSI are unknown to the attacker he may forced to listen in to all the conversations in the area.

  18. Acquire a Specific Victim (2) • The attacker has the victim's phone number and wish to associate it with the subscriber's IMSI or TMSI. • Solutions : • Can call the victim, and monitor all the calls (recognize his own caller ID). • Send a malformed SMS message. • When performing an active attack, the attacker needs to lure the mobile into his own fake base station.

  19. GSM-Security • Cryptographic methods secret, not “well examined“ • Symmetric procedure • consequence: storage of user special secret keys with net operators required • No end-to-end encryption • Key generation and administration not controlled by the participants • Same key uses for A5/1 and A5/2. • No mutual authentication intended • consequence: Attacker can pretend a GSM-Net • No end-to-end authentication • As a result of the initial publication of this paper GSM security group are working to remove A5/2 from the handsets.

  20. Thank you

  21. Homework • Define in one line the following: GSM, UMTS, DECT, TETRA, ERMES. • Why using a SIM helps security? • How would you attack someone’s GSM mobile phone? describe the system and the steps on the attack. • Describe at least 3 known weaknesses of GSM and how you can fix them if you could change the standard or the system. • Bonus: Describe a new attack (which isn't mentioned in the paper) on GSM network. E-Mail : idanshee@post.tau.ac.il

More Related