1 / 39

Cryptography in Mobile Networks

Cryptography in Mobile Networks. Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com March 6, 2009. Outline. Overview of GSM Cryptography Some “attacks” on GSM Lessons to be learnt Overview of “3G” UMTS Cryptography The new ”thing”: Cryptography in LTE.

asha
Télécharger la présentation

Cryptography in Mobile Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography in Mobile Networks Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com March 6, 2009

  2. Outline • Overview of GSM Cryptography • Some “attacks” on GSM • Lessons to be learnt • Overview of “3G” UMTS Cryptography • The new ”thing”: Cryptography in LTE

  3. - Protection of buisness (robust charging of subscribers) - User privacy History • Mobile (wireless) communication has inherent threats • Eavesdropping • Impersonation • Connection hijacking • ... • Except early systems (e.g. NMT), use of cryptography has been deemed necessary • Early systems were not perfect and under restrictions...

  4. GSM Cryptography Overview

  5. GSM Security • Use of a smart card SIM – Subscriber Identity Module, tamper resistant device holding critical information, • e.g. 128-bit key shared with Home Operator • The SIM is the entity which is authenticated • Challenge response mechanism (one-sided) • At the time (ca 1990) crypto was considered “weapon” • Initial GSM algorithms (were) not publicly available • Limited key size • Special “export version” of encryption algorithms • GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys • In a “free” world, we will soon see 128 bits in GSM • Basic user identity protection (“pseudonyms”) GSM crypto is probably (one of) the mostfrequently used crypto in the world.

  6. K Encryption: A5/1, A5/3 (64 bit) A5/2 (”export” version) A5/4 (128 bits, new) Authentication, shared key, A3 Algorithm K 128-bit key MSC: Mobile Switching Center BSC: Base Station ControllerRBS: Radio Base Station MS: Mobile Station HLR: Home Location RegisterAuC: Authentication Center SIM: Subcriber Identity Module GSM Architecture (”2G”) HLR/AuC To other (mobile) network(s) MSC BSC RBS MS SIM

  7. Req(IMSI) RAND, Kc RAND RAND, XRES, Kc RES RES = XRES ? GSM Authentication: Overview Home Network K AuC/HLR MSC K RBS Visited Network

  8. RAND (128) RES (32) Kc (64) frame# encrypted frame data/speech  Bit-by-bit, stream cipher GSM Authentication: Details A3 and A8: Authentication and key derivation (proprietary) A5: encryption (A5/1-4, standardized) Note: one-sided authentication Phone Ki(128) SIM A3A8 A5/x

  9. output 1 0 1 0 1 1 0 1 1 0 1 0 1 0 1  XOR:ed with plaintext Used by A5/1 and A5/2 Quick Note: LFSR (Linear feedback shift register) key = 0 1 1 0 1 0 1 State: ...0 1 • Very efficient, rich theory, unfortunately very insecure… • Add non-linear components • Combine several LFSRs • Irregular clocking

  10. Idea behind the attack A5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknown 0/1 variables, of which 64 is the key If plaintext known, each 114-bit frame gives 114 equations Only difference between frames is that frame numberincreases by one. Lesson #1: Avoid using the same key for twodifferent things After 6 frames (in reality only 4) we have > 660 equations  can solve! (Takes about 1sec on a PC) Even if “speech” plaintext unknown, GSM control channelscontains known info and uses same key as speech channel!

  11. 1 RAND 2 RAND 4 RES 3 RES Impact 1: Find key, eavesdrop (passive attack) Impact 2: Active attacks in any network(False base-station/man-in-the-middle attacks) Lesson #2: Signalling that controls the security should be authentciated/integrityprotected 5 Start encr: A5/1 6 Start encr: A5/2 8 Stop encr 9 Start encr: A5/1 Lesson #3: If you change encryptionalgorithm, change also the key 7 Attack  key

  12. Note • A5/2 is an ”export” version, not used in Sweden (or Europe) • Attack does not apply to A5/1, A5/3 • …well almost…. • Various countermeasures proposed but expensive toupgrade all equipment • Adding integrity, change of keys as proposed on previous slidefall into the ”not-for-free” category • Simple and quite good solution is to phase out A5/2 • - This is in progress (done?)

  13. GSM Summary • GSM was desiged in the ”dark ages” of crypto • It addresses the threats that were considered at the time • It targeted a 10-year ”economic lifetime” • The best feature of GSM security is that securiy is built-in • as a user, you don’t need to do ”configuration” etc

  14. UMTS Security Overview

  15. Describedlater Only feature commonto GSM Lesson #2… 3G (UMTS) Security • Mutual Authentication with Replay Protection • Protection of signalling data • Secure negotiation of protection algorithms • Integrity protection and origin authentication • Encryption • Protection of user data payload • Encryption • “Open” algorithms basis for security • AES for authentication and key agreement • Kasumi (block cipher) for confidentiality/integrity • Security level (key sizes): 128 bits • Protection further into the network

  16. K GPRS, ”2.5G” Encryption: UEA1 or UEA2 Authentication, shared keyMilenage (AES) algorithm ”secure env” Signalling integrity: UIA1 or UIA2 ”insecure env” UMTS SIM (USIM) GSN: GPRS Support Node SGSN: Serving GSN GGSN: Gateway GSNRNC: Radio Network Controller ME: Mobile Equipment UMTS Architecture (”3G”) HLR/AuC To other (mobile) network(s) ”Internet” MSC SGSN GGSN RNC NodeB K ME

  17. UMTS Encryption Example: UEA1 COUNT || BEARER || DIR || 0…0 (64 bits) Kasumi m (const)  c = 1 c = 2 c = B    “Provably” secure underassumptions on Kasumi Kasumi Kasumi Kasumi Kasumi CK(128 bits) “keystream” XOR:ed with plaintext

  18. Note • There are no known security problems with UMTS • HSPA (a.k.a. ”Mobile broadband”, ”Turbo 3G”,...) is from crypto/security point of view identical to 3G/UMTS • You can feel safe when using it!

  19. LTE: Long Term Evolution

  20. Disclaimer on Notation • ”LTE” refers only to the radio part of the new standard • Also other parts of the mobile network is upgraded • Refered to as EPC, ”Evolved Packet Core” • Will for simplicty use ”LTE” to denote the entire architecture • If you do look at the standards document (3GPP TS 33.401) you will not see the same names for keys etc

  21. First LTE release just finished after intense efforts • - Example: considering only Ericsson and only security, we had 240 contributions during 2008 Background: Standardization • Mobile standards (including security functions) are definedby 3GPP (part of ETSI) • Participation by mobile vendors and operators • The cryptography is defined by SAGE (also part of ETSI) • Special Algorithm Group of Experts • 2006: initiative for ”next generation”, LTE, started • Slogan: ”At least as secure as UMTS”

  22. IP part, efficient, cheap, attaractive services: keep and optimize! split Oldfashioned ”telephony”: get rid of it! Powerful but complex,adds delay/latency ? But what do we dowith encryption? New ”radio”, 100Mb/s (OFDM) High security: keep SIM concept LTE ThinkingStarting from a UMTS network... HLR/AuC After  1 years of discussion instandardization it was decided to terminate (most) security in NodeB. ”Internet” MSC SGSN GGSN RNC ”secure env” ”insecure env” NodeB ME

  23. K ”split” into control and user plane Re-encryption of user traffic(IPsec) Authentication, similar to UMTS Encryption/integrity, for network control signalling Encryption/integrity, for radio control signalling 5 different keys used... Encryption for user traffic Same USIM as in UMTSbut K may be up to 256 bits HSS: Home Subscriber System MME: Mobility Management Entity eNodeB: Evolved NodeB encryption intgegrity LTE- A simplified network - HSS Internet & IP services “Gateway” MME eNodeB K ME

  24. F(Key, ”1”) F(Key, ”2”) Key Key1 Key2 Recap of Lesson #1 and #3 Suppose we have a function, F, from a set of pseudo random functions (outputs ”look” random): ”Don’t use the same key for two different things” • Applications: • Key1 for algorithm1, Key2 for algorithm2 • Key1 for encryption, Key2 for integrity • Key1 for user data, Key2 for control sign. • ...etc... * Key1 can not be reverse-engineered from Key2 (or v.v.) * Key can not be reverse-engineered from Key1 and/or Key2

  25. Fasten Seatbelts... • Notation: • black color for unprotected info • red color for encrypted into • yellow color for integrity protected info • blue color for encrypted and integrity protected • Next slides does not show which-key-is-used-for-what • F denotes a PRF based on HMAC_SHA256 • AES1, AES2, AES3 denotes 3 PRFs based on AES

  26. - Does AUTN come from HSS? - Have I seen it before? ATTACH REQUEST(IMSI, SUPPORTED_ALGS) AUTH VECT FETCH (IMSI) 1. Check (AES1(K, RAND), SQN, AUTN)) RAND, XRES, AUTN, KA RAND, AUTN 2. RES = AES2(K, RAND) 3. (Ck, Ik) = AES3(K, RAND) RAND = RANDOM()SQN = SQN + 1 AUTN = AES1(K, RAND, SQN) RES = AES2(K, AND) (Ck, Ik) = AES3(K, RAND)KA = F(Ck, Ik, ...) Check: RES == XRES ?? RES, Ck, Ik RES ”OK”, SELECTED_ALG, SUPPORTED_ALGS Derive KA, Ke .... MME eNB HSS - Verify ”OK”- Switch ”on” security [”OK”] KA F Ke Ke KN-enc KN-int Protected traffic Protected signaling Ke F KeUP-enc KeRRC-int KeRRC-enc LTE: Initial Attach K K

  27. ”Downward” derivation by one-way function, infeasible to get ”high” key from a ”low” key KeRRC-enc KeRRC-int CK Ke KA IK K KN-int KN-enc KeUP-enc LTE: Key Hirearchy USIM/HSS ME/HSS ME/MME ME/eNB ME/MME PRF: infeasible to to get another key on ”same level”

  28. Example Ck, Ik HSS KA = F(Ck, Ik, ....) KA MME Ke = F(KA, ....) Ke eNodeB

  29. Handover Ke2 Ke2 ”Handoverto eNodeB2” Ke2 LTE Key Handling at Handover (1/3) ”Backard Security” Gateway MME KA Ke2 = F(Ke1,...) eNodeB1 Ke1 eNodeB2 KA, Ke1, ...

  30. Handover Ke2 Ke2 Ke2 = F(Ke1,...) Ke2 LTE Key Handling at Handover (2/3) Gateway MME KA eNodeB1 Ke1 eNodeB2 KA, Ke1, ...

  31. Handover Ke2* Ke2* keys etc Ke2* LTE Key Handling at Handover (3/3) ”Forward Security” Ke2* = F(KA,...) Gateway MME KA eNodeB1 Ke1 eNodeB2 Ke2 Ke2 = F(Ke1,...) Ke2 KA, Ke1, ...

  32. Inter-System Handover/Mobility • 3GPP systems support optimized handover between systems,e.g. GSM  UMTS during an ongoing call • Waiting for (re)authentication too expensive • The ongoing call would be halted • Solution: key transfer and implict authentication...

  33. May need transatalanticcommunication... KUMTS = c(KGSM) KGSM Also, c is a weakXOR-function KUMTS The fact that user wasable to produce the correct KUMTS ”proves”that it is the same user KUMTS = c(KGSM) Implicit Authetication ... moves to UMTS User already authenticated in GSM HLR/AuC KGSM MSC SGSN BSC RNC or...? KGSM NodeB RBS KGSM

  34. KLTE LTE Inter-system Key HandlingExample: UMTS  LTE UMTS LTE KUMTS KLTE = F1(KUMTS) KUMTS = F2(KLTE) SGSN MME RNC NodeB eNodeB F1, F2 based on HMAC_SHA256

  35. Dedicated Crypto HW Quite high ”crypto load”, say ~ 102 base stations Gateway May serve 3-6”cells” / ”phones” Note on ”Crypto capacity” 600Mb/s 100Mb/s NodeB 100Mb/s

  36. LTE Crypto Algorithms... • Key derivation (128 or 256 bits) functions using • AES on the USIM card • HMAC_SHA256 in ”the phone” • Integrity protection • AES-CMAC • Function based on polynomials over finite fields • Can be ”proven” to be secure • Encryption • AES-CounterMode • SNOW 3G

  37. SNOW 3G Basic design by T. Johansson & P. Ekdahl (U. Lund) Improvements by ETSI SAGE

  38. The End Summary • Despite some attacks on GSM security, the security is so far pretty much a success story Main reason: convenience and invisibility to user • UMTS crypto significantly improved, use with confidence Main reason: free world, longer keys, “open” standard • LTE much more complex, needed to meet “at least as secure as 3G” Main reason: security “ends” at the base station

More Related