Cellular Network Security Threats and Solutions

Slide Note
Embed
Share

This article delves into the security aspects of cellular networks, focusing on threats such as charging fraud, unauthorized use, handset cloning, voice interception, location tracking, and network service disruptions. It also explores the security architecture involving Home Location Register (HLR), Visitor Location Register (VLR), SIM cards, authentication centers, and encryption methods used in GSM and UMTS networks.


Uploaded on Sep 12, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Network Security: Cellular Security Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014

  2. Outline Cellular networks, 3G Counters for freshness UMTS AKA and session protocols 2

  3. Cellular networks

  4. UMTS architecture UMTS terrestrial radio network (UTRAN) Core network CS domain Public switched telephone network PSTN Mobile switching center MSC / Visitor location register VLR Base station BS = Node B MSC Home location register HLR / Authentication center AuC Radio network controller RNC Terminal MSC BS PS domain Internet Serving GPRS support node (SGRN) BS IMS domain etc. 6

  5. Threats against cellular networks Discussion: What are the threats? Charging fraud, unauthorized use Charging disputes Handset cloning (impersonation attack) multiple handsets on one subscription let someone else pay for your calls Voice interception casual eavesdropping and industrial espionage Location tracking Call and location data retention Handset theft Handset unlocking (locked to a specific operator) Network service disruption (DoS) What about integrity? 7

  6. Security architecture Home location register (HLR) of the subscriber s home operator keeps track of the mobile s location Visitor location register (VLR) keeps track of roaming (visiting) mobiles at each network SIM card has a globally unique international mobile subscriber identifier (IMSI) Shorter, temporary identifier TMSI allocated by the current network Shared key between SIM and authentication center (HRL/AuC) at the home network Only symmetric cryptography VLR of the visited network obtains authentication tuples (triplets in 2G) from AuC of the mobile s home network and authenticates the mobile Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel

  7. GSM security (2G) We ll start with the GSM protocol because its is so simple. It is easier to understand the 3G security protocol by following the historical development. Besides, the networks and phones are still backward compatible.

  8. GSM authentication Ki Ki MS = ME + SIM BS MSC/VLR HLR/AuC IMSI or TMSI IMSI SRES = A3 (Ki, RAND) Kc = A8 (Ki, RAND) ! On or more authentication triplets: < RAND, SRES, Kc > Challenge: RAND RES = A3 (Ki, RAND) Kc = A8 (Ki, RAND) Response: RES RES = SRES ? Kc Encryption with Kc TMSI 10

  9. GSM authentication Alice-and-Bob notation: 1. Network MS: RAND 2. MS Network: A3 (Ki, RAND) Ki = shared master key between SIM and AuC Kc = A8 (Ki, RAND) = session key After authentication, BS asks mobile to turn on encryption on the radio interface Kc is generated in the SIM, used by the mobile equipment Encryption: A5 cipher with the key Kc 11

  10. GSM security Mobile authenticated prevents charging fraud Encryption on the air interface No casual sniffing Encryption of signalling gives some integrity protection Temporary identifier TMSI used instead of the globally unique IMSI TMSI not easy to track mobile with a passive radio Hash algorithms A3, A8 can be replaced by home operator AuC and SIM must use the same algorithms Encryption algorithm A5 implemented in the phone and BS Many versions of the algorithm Non-protocol features: Subscriber identity module (SIM) is separate from the handset Flexibility Thiefs and phone unlockers don t even try to break the SIM International mobile equipment identity (IMEI) to track stolen devices 12

  11. Counters for freshness

  12. Using counters for freshness Simple shared-key authentication with nonces: 1. A B: NA 2. B A: NB, MACK(Tag2, A, B, NA, NB) 3. A B: MACK(Tag3, A, B, NA, NB) K = master key shared between A and B SK = h(K, NA, NB) Using counters can save one message or roundtrip: 1. A B: 2. B A: NB, SQN, MACK(Tag2, A, B, SQN, NB) 3. A B: MACK(Tag3, A, B, SQN, NB) SK = h(K, SQN, NB) Another benefit: B can pre-compute message 2 A must check that the counter always increases 15

  13. Using counters Counters must be monotonically increasing Absolutely never accept previously used values Persistent counter storage needed Recovering from lost synchronization: Verifier can maintain a window of acceptable counter values to recover from message loss or reordering Nonce-based protocol for resynchronization if counters get badly out of sync Counter values must not run out or wrap to zero Limit the rate at which values can be consumed But support bursts of activity Use long enough counter to last the equipment lifetime or lifetime of the shared key in use 16

  14. UMTS (3G) authentication and key agreement (AKA) The AKA protocol is used in 3G/4G networks

  15. UMTS AKA (simplified) K, SQN K, SQN Network Phone MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) RAND, AUTN [SQN, MAC] XMAC = f1 (K, RAND,SQN) RES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) MAC = XMAC? RES RES= XRES? Encryption and integrity protection with CK, IK 19

  16. UMTS AKA (simplified) K, SQN K, SQN Phone RNC MSC/VLR AuC IMSI MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) RAND, AUTN [SQN, MAC], XRES, CK, IK RAND, AUTN [SQN, MAC] MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) MAC = XMAC? RES RES= XRES? CK, IK Encryption and integrity protection with CK, IK 20

  17. K, SQN K, SQN UE = RNC MSC/VLR AuC ME + USIM MAP authentication data request: IMSI MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) UMTS AKA ! MAP authentication data response: one of more authentication vectors <RAND, AUTN [SQN AK, AMF, MAC], XRES, CK, IK, AK> User authentication request: RAND, AUTN [SQN AK, AMF, MAC] MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) MAC = XMAC? User authentication response: RES RES= XRES? RANAP security mode command: CK, IK RRC security mode command Encryption and integrity protection with CK, IK 22

  18. RSQ Resynchronization Resynchronization needed if the sequence number gets out of sync between USIM and AuC. K, SQN K, SQN UE = MSC/VLR AuC ME + USIM IMSI RAND, AUTN [SQN AK, AMF, MAC], XRES, CK,IK,AK RAND, AUTN [SQN AK, AMF, MAC] MAC = f1 (K, RAND,SQN,AMF) AK = f5 (K, RAND) MAC = XMAC? SQN too high! MAC-S = f1* (K, RAND,SQN,AMF) AUTS [ SQN AK, MAC-S ] RAND, AUTS [ SQN AK, MAC-S ] Update stored SQN 26

  19. Remaining UMTS security weaknesses IMSI may still be sent in clear, when requested by base station Authentication tuples available to thousands of operators around the world, and all they can create fake base stations Equipment identity IMEI still not authenticated Non-repudiation for call and roaming charges is still based on server logs, not on public-key signatures Still no end-to-end security Thousands of legitimate radio network operators Any government or big business gain control of one and intercept calls at RNC 32

  20. User authentication with mobile phone 33

  21. Generic bootstrapping architecture (GBA) The mobile operator provides an authentication service for the mobile subscriber to third parties e.g. to web-based services Authentication is based on AKA and the secret key K in the USIM 3GPP standard, implemented but not widely deployed 34

  22. GBA architecture [Image source: Abu Shohel Ahmed 2010] Mobile operator functions for GBA: Home Subscriber Server (HSS) / AuC has the subscriber master key K, which is also in the USIM (=UICC) Bootstrapping Server Function (BSF) performs AKA to derive a session key Ks with the user equipment UE Application server that wants to authenticate users with GBA: Implements the Network Application Function (NAF) Has a contract with the operator and typically pays for each authentication event 35

  23. GBA message flow [Image source: Abu Shohel Ahmed 2010] 36

  24. Mobile signature Mobile signature service (MSS) = mobile certificate Standardized by ETSI Competing idea with GBA SIM card contains a public signature key pair and certificate, which is used to authenticate to third parties You can register as MSS use with any Finnish mobile operator (may require a new SIM card) Use it e.g. at http://password.aalto.fi/ Detailed documentation: http://www.mobiilivarmenne.fi/en/, http://www.mobiilivarmenne.fi/documents/MSS_FiCom_Implementation_guideline_ 2.2.pdf 37

  25. MSS message flow Home operator s mobile signature service provider (MSSP) needed every time to send an authentication request to the SIM Application provider (AP) can have a contract with one mobile operator, subscriber with another (four-corner model) Cross-operator authentication works within Finland, not between countries Typically, both subscriber and AP pay a fee for each authentication event [Image source: Ficom] 38

  26. Text messages for authentication Assumes that text messages cannot be intercepted Google, Microsoft etc. send a secret code to the user s mobile phone for a second method of authentication (used in addition to a password) Banks send transaction details and a secret code to the phone (used in addition to the password and one-time passcode) 39

  27. Exercises Who could create false location traces in the GSM HLR and how? Is this possible in UMTS? Consider replacing the counter with the phone s nonce in AKA. What would be lost? Try to design a protocol where the IMSI is never sent over the air interface, i.e. the subscriber identity is never sent in clear. Remember that the terminal may have just landed from an intercontinental flight, and the terminal does not know whether it has or not Find the current cost of an IMSI catcher and fake GSM/3G base station for intercepting calls User authentication with GBA and MSS requires interaction with the operator. Could the protocols have been designed differently, to support offline authentication? In GBA and MSS, there is a concept called four-corner model. Tupas authentication follows the three-corner model. What do they mean? Can you find a link between roaming and the four-corner model. 40

  28. Related reading Gollmann, Computer security, 3rd ed. chaptes 19.2 19.3 41

Related


More Related Content