1 / 47

Network Security

Network Security. Chapter 6. Security in Traditional Wireless Networks. Objectives. Security in First Generation TWNs Security in Second Generation TWNs Security in 2.5 Generation TWNs Security in 3G TWNs Summary. Security in 1G TWNs.

della
Télécharger la présentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security Chapter 6. Security in Traditional Wireless Networks

  2. Objectives • Security in First Generation TWNs • Security in Second Generation TWNs • Security in 2.5 Generation TWNs • Security in 3G TWNs • Summary

  3. Security in 1G TWNs • To the designer, they had too many other problems before security became a priority. • Since AMPS radio interface was analog and AMPS used no encryption. • Authentication • Mobile station sends ESN(Electronic Serial Number) to MTSO in clear text over the air interface. • Eavesdrop on cellular telephone conversation • Can capture valid ESN  cloning.

  4. Security in 2G TWNs

  5. Security in 2G TWNs • use digital system • Beyond the BTS is considered a controlled environment. • Aims to secure only the access network(MS/MEBTS).

  6. Anonymity in GSM • IMSI(International Mobile Subscriber Identity) • MS inform the network about IMSI’s new location when it crosses a cell boundary. • this allows the network to route an incoming call to the correct cell. • If eavesdropper can capture the IMSI over the air, they can determine the identity of the subscriber and their location. • TMSI(temporary mobile Subscriber Identity) • When a ISIM has authenticated with the network, the VLR allocate a TMSI to the scriber. • GSM protects against subscriber traceability by using TMIS. • Has only local significance. • IMSI-TMSI mapping is maintained in VLR/MSC • When it is switched off, the mobile station stores the TMSI on the SIM card to make sure it is available when it is switched on again,

  7. Anonymity in GSM

  8. Key Establishment in GSM • No key establishment protocol in the GSM security architecture model. • Use 128-bit pre-shared key Ki • Stored in SIM and AuC

  9. Authentication in GSM (1) MS  BTS : sign-on msg {IMSI or TMSI} . (2) MSC  HLR : request 5 triplets { RAND, SRES, Kc} (3) HLR  MSC : send 5 triplets (4) MSC  MS : RAND (5) MS  MTS: SRES (6) authenticated!! • BSC-MSC-HLR channels are assumed to be secure

  10. Authentication in GSM • Why 5 triplets request? • To improve roaming performance. • Instead of contacting the HLR for security triplets each time a ME roams into its coverage, the MSC gets five set of triplets : one for the current authentication process and four for future use.

  11. Authentication and ciphering information transmission

  12. Session Key Kc Generation Ki(128 bit), RAND(128bit) A8 Kc (64 bits : appened with10 zeros)

  13. Authentication • GSM : assume the core network beyond the BSC is secure. • BTS  BSC link is not part of core. • GSM does not specify how to this link need to be connected. • In practice, connected by microwave. • susceptible to attacks. • Protection against equipment theft. • Authenticate SIM card and not the subscriber of the SIM card. • When a ME was stolen, the user of the ME reports it to the service provider. • The service provider maintain the compromised SIM card.

  14. Confidentiality in GSM • Provide confidentiality over the wireless(ME-BTS) interface. • A5 : GSM standard stream-ciphering algorithm. • A5/0 – unencrypted, • A5/1 (54 bit) – original, used by countries members of CEPT (CEPT: European Conference of Post and Telecommunication Administrations) • A5/2 (16 bit)– countries of non CEPT members. • A5/3 – for 3G • Implemented in hardware of ME. • Kc : encryption key.

  15. What’s wrong with GSM Security? • No provision for any integrity protection of data and message. • Open to man-in-the-middle attack. • Only securing the ME-BTS interface. • BTS-BSC interface is not cryptographically protected. • Sometimes this link is wireless  attractive target for attacks. • Cipher algorithms(A5 family) are not published along with the SGM standards.  does not allow public review. • Small key length - Kc : 64bits (54bits + 10 zeros) • Big enough to protect against real-time attack, but weak to off-line attack. • GSM security architecture is inflexible - difficult to replace.

  16. What’s wrong with GSM Security? • SIM cloning – recover Ki from SIM card • Chosen plaintext attack – (RAND, SRES) pair, 8 adaptively chosen plaintexts within a minute. • Recover Ki using differential cryptanalysis or side channel attack. • (1)Physical access to SIM card and communicate with SIM through smartcard reader. • Recover in a matter of few hours. • (2)Wireless contact over the air interface. • Must be capable of masquerading as a rouge BTS • ME is moving, not enough time to collect enough (chosen-plaintext, cipher text) pairs

  17. What’s wrong with GSM Security • SIM cloning (continue) • (3)Attempt to have the AuC generate the SRES of given RANDs instead of using the SIM. • Exploits the lack of security in the SS7 signaling network. • Core signaling network is not cryptographically protected and incoming messages are not verified for authenticity. • So possible to use the AuC to generate SRESs for chosen RANDs

  18. What’s wrong with GSM Security? • Clear transmission of cipher keys and Authentication values within and between networks • Signaling system vulnerable to interception and impersonation. • One way authentication : no network authentication. • Attacker masquerade as BTS and hijack the ME. • Service provider can choose null encryption(A5/0) • ME is allowed to connect to.

  19. Security in 2.5 Generation TWNs

  20. Security in 2.5G(GPRS) TWNs • For data service : allocate multiple time slots • Encryption/decryption : MSSGSN • Protect link between BTS-SGSN

  21. GPRS Authentication and Key Derivation

  22. WAP(Wireless Application Protocol) • GPSR – provide ME to connect to internet. • End-to-end security is required. • HTTP/HTML is not optimized to ME(CPU-power, screen, bandwidth, memory)

  23. WAP(Wireless Application Protocol) • WAP Gateway : WTP/WML  HTTP/HTML • WTLS(Wireless Transport Layer Security) : • provide end-to-end security • similar to TLS

  24. Code Security • ME in GPRS can download and run applets. • Malicious applet can harm the ME. • Applets are signed by CAs. • Before executing the applet, the subscriber can be informed of CA which has signed the applet. • If the subscriber trusts that CA, they can allow the applet be executed on their applet.

  25. Security in 3G TWNs

  26. Security in 3G TWNs • UMTS(Universal Mobile telecommunications System) Security Architecture • Designed using the GSM Security as the starting point • Adopt the GSM features that have proved to be secure • Redesign the features that have been found to be weak. • To ensure interoperability between GSM and UMTS.

  27. Building on GSM Security-Architecture

  28. UMTS Security Architecture overview

  29. Anonymity in UMTS • Chicken and egg situation • First ME identify(its IMSI) to the network. • TMSI allocation should be performed after initiation of ciphering to ensure TMSI protection • Ciphering can not start unless CK(cipher key) has been established between USIM and network. • CKcan not be established unless the network first identifies the subscriber using its IMSI. • VLRo : old VLR (previous VLR), VLRn : new VLR • ME  VLRn : TMSI_old (previous one) • VLRn  VLRo : request IMSI corresponding to this TMSI • If VLRn cannot retrieve, request ME to identify itself by its IMSI • Now AKA starts or use a previous existing set of keys. • Can you identify UMTS’s bottom line? See the text book.

  30. AKA • After completion of AKA(authentication and key agreement) procedure, establish the KC between USIM and network • Now assign a new TMSI to the ME • SQN(sequence number) : can be exploited to trace a subscriber. • Network maintains a per-subscriber SQN • Need to be encrypted. • AK(Anonymity key) - protect SQN to protect traceability.

  31. Key establishment in UMTS • No key establishment protocol in UMTS. • 128-bit pre-shared secret key Ki between USIM and AuC. • Authentication in UMTS is mutual.

  32. Authentication in UMTS • USIM VLR/MSC : sign-on • VLR  AuC/HLR : Auth data req. • AuC VLR : Auth vectors(several sets of Auth data) • VLR select the first vector and store the rest. • VLRUSIM : RAND(128bit), AUTN(128bit) • USIM : if MAC in AUTH ?= XMAC, • SQN is in correct range ? then authenticated. • (7) If verification is OK, USIM  VLR : RES • (8) VLR : If RES ?= XRES from AuC, then authenticated

  33. AKA Variables and Functions

  34. UMTS Authentication Vector Generation • AMF : authentication Management Field Computation in HLR by VLR request (Step 2 in p.32)

  35. UMTS Response Generation at USIM (1) From VLR (2) Inside of USIM (3) Send RES to VRL

  36. Authentication in UMTS • After Mutual authentication has completed, • VLR and USMI establish CK, IK, AK • MILENAGE : recommended function for UMTS Authentication.(corresponding to COMP-128) • But service provider can choose another function.

  37. Confidentiality in UMTS • f8 : key stream generation algorithm KASUMI, use 128-bit session key. • Count-C (32-bit) : ciphering sequence number, updated every sequentially every plaintext block • BARIER (5-bit) : bearer channel number • DIRECTION(1-bit): the direction of link(uplink or downlink) • LENGTH(16-bit) : length of key stream block

  38. UMTS Stream Cipher f8 About KASUMI

  39. Confidentiality in UMTS • Provide confidentiality to the link between ME – RNC • Include BTS-RNC link which is equivalent to BTS-BSC. • Closing loopholes of GSM Security in BTS-BSC link. • UMTS encryption is applied to all subscriber traffic as well as signaling messages.

  40. Integrity Protection in UMTS • GSM security did not provided integrity protection. • MUTS solve this problem using integrity key IK. • MAC-1 : attached to the message by the sender. • FRESH: 32-bit per connection nonce.

  41. UMTS Integrity Function f9

  42. Voice data integrity Protection in UMTS • Integrity protection involves a lot of overhead in terms of processing and bandwidth. • For a voice integrity, to integrity protect the number of user packets in conversation is sufficient. • Inserting, deleting or modifying words in a conversation would lead to a change in the number of packets. • In UMTS, periodically RNC send a message containing sequence number to the ME. This message is integrity protected.

  43. Layer in UMTS • The MAC layer offers Data transfer to RLC and higher layers • The RLC(Radio Link Control) layer offers the following services to the higher layers: • Layer 2 connection establishment/release • Transparent data transfer, i.e., no protocol overhead is appended to the information unit received from the higher layer • Assured and un assured data transfer • The RRC(Radio Resource Control) layer offers the core network the following services: • General control service, which is used as an information broadcast service • Notification service, which is used for paging and notification of a selected UEs • Dedicated control service, which is used for establishment/release of a connection and transfer of messages using the connection.

  44. Putting the Pieces Together • MS RNC : L2 connection {User Encryption Algorithms(UEAs) • User Integrity Algorithms(UIAs)…} • (2) MSVRL : L3 connection Msg.(location update req., routing update req., attach req...) • {IMIS or TMIS, Key set Identifier(KSI) for CK,IK..,} • (3) Authentication and key generation(CK, IK) • { new key or old key} • (4) –(11)

  45. Network Domain Security • MAP(Mobile Application Part) : an SS7 protocol for UMTS. • MAPSEC : protect MAP message – In SS7 Network • KAC(Key Administration Center) establish a SA(Security Association) with another KAC. • KACs use IKE(Internet Key Exchange) protocol. • KACs distribute SA to NEs ( key distribution ) • NE use SAs to protect MAP messages.

  46. Network Domain Security for IP-based Network • UMTS is expected to be more closely tied to IP-based network. • Replacing SS7 signaling(MAP) with IP-based signaling(like SIP) • MAP over IP for legacy networks. • SEG(Security Gateway) : establish SA with other SEG. • Provide MAP message protection for NEs.

  47. Resources • GSM SECURITY : http://www.gsm-security.net/ • FAQs, Papers, Standars, books, news,….

More Related