Network Security Cellular Security Tuomas Aura T110 5241

Network Security: Cellular Security Tuomas Aura T-110. 5241 Network security Aalto University, Nov-Dec 2014

Outline Cellular networks, 3 G Counters for freshness UMTS AKA and session protocols 2

Cellular networks

UMTS architecture 6

Threats against cellular networks Discussion: What are threats? Charging fraud, unauthorized use Charging disputes Handset cloning (impersonation attack) → multiple handsets on one subscription → let someone else pay for your calls Voice interception → casual eavesdropping and industrial espionage Location tracking Call and location data retention Handset theft Handset unlocking (locked to a specific operator) Network service disruption (Do. S) What about integrity? 7

Security architecture Home location register (HLR) of the subscriber’s home operator keeps track of the mobile’s location Visitor location register (VLR) keeps track of roaming (visiting) mobiles at each network SIM card has a globally unique international mobile subscriber identifier (IMSI) Shorter, temporary identifier TMSI allocated by the current network Shared key between SIM and authentication center (HRL/Au. C) at the home network Only symmetric cryptography VLR of the visited network obtains authentication tuples (triplets in 2 G) from Au. C of the mobile’s home network and authenticates the mobile Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel

GSM security (2 G) We’ll start with the GSM protocol because its is so simple. It is easier to understand the 3 G security protocol by following the historical development. Besides, the networks and phones are still backward compatible.

GSM authentication ! 10

GSM authentication Alice-and-Bob notation: 1. Network → MS: RAND 2. MS → Network: A 3 (Ki, RAND) Ki = shared master key between SIM and Au. C Kc = A 8 (Ki, RAND) = session key After authentication, BS asks mobile to turn on encryption on the radio interface Kc is generated in the SIM, used by the mobile equipment Encryption: A 5 cipher with the key Kc 11

GSM security Mobile authenticated → prevents charging fraud Encryption on the air interface → No casual sniffing → Encryption of signalling gives some integrity protection Temporary identifier TMSI used instead of the globally unique IMSI TMSI → not easy to track mobile with a passive radio Hash algorithms A 3, A 8 can be replaced by home operator Au. C and SIM must use the same algorithms Encryption algorithm A 5 implemented in the phone and BS Many versions of the algorithm Non-protocol features: Subscriber identity module (SIM) is separate from the handset → Flexibility → Thiefs and phone unlockers don’t even try to break the SIM International mobile equipment identity (IMEI) to track stolen devices 12

Counters for freshness

Using counters for freshness Simple shared-key authentication with nonces: 1. A → B: NA 2. B → A: NB, MACK(Tag 2, A, B, NA, NB) 3. A → B: MACK(Tag 3, A, B, NA, NB) K = master key shared between A and B SK = h(K, NA, NB) Using counters can save one message or roundtrip: 1. A → B: 15

Using counters Counters must be monotonically increasing Absolutely never accept previously used values Persistent counter storage needed Recovering from lost synchronization: Verifier can maintain a window of acceptable counter values to recover from message loss or reordering Nonce-based protocol for resynchronization if counters get badly out of sync Counter values must not run out or wrap to zero Limit the rate at which values can be consumed But support bursts of activity Use long enough counter to last the equipment lifetime or lifetime of the shared key in use 16

UMTS (3 G) authentication and key agreement (AKA) The AKA protocol is used in 3 G/4 G networks

UMTS AKA (simplified) 19

UMTS AKA (simplified) 20

UMTS AKA ! 22

RSQ Resynchronization needed if the sequence number gets out of sync between USIM and Au. C. 26

Remaining UMTS security weaknesses IMSI may still be sent in clear, when requested by base station Authentication tuples available to thousands of operators around the world, and all they can create fake base stations Equipment identity IMEI still not authenticated Non-repudiation for call and roaming charges is still based on server logs, not on public-key signatures Still no end-to-end security Thousands of legitimate radio network operators Any government or big business gain control of one and intercept calls at RNC 32

User authentication with mobile phone 33

Generic bootstrapping architecture (GBA) The mobile operator provides an authentication service for the mobile subscriber to third parties e. g. to web-based services Authentication is based on AKA and the secret key K in the USIM 3 GPP standard, implemented but not widely deployed 34

GBA architecture [Image source: Abu Shohel Ahmed 2010] Mobile operator functions for GBA: Home Subscriber Server (HSS) / Au. C has the subscriber master key K, which is also in the USIM (=UICC) Bootstrapping Server Function (BSF) performs AKA to derive a session key Ks with the user equipment UE Application server that wants to authenticate users with GBA: Implements the Network Application Function (NAF) Has a contract with the operator and typically pays for each authentication event 35

GBA message flow [Image source: Abu Shohel Ahmed 2010] 36

Mobile signature service (MSS) = “mobile certificate” Standardized by ETSI Competing idea with GBA SIM card contains a public signature key pair and certificate, which is used to authenticate to third parties You can register as MSS use with any Finnish mobile operator (may require a new SIM card) Use it e. g. at http: //password. aalto. fi/ Detailed documentation: http: //www. mobiilivarmenne. fi/en/, http: //www. mobiilivarmenne. fi/documents/MSS_Fi. Com_Implementation_guideline_ 2. 2. pdf 37

MSS message flow Home operator’s mobile signature service provider (MSSP) needed every time to send an authentication request to the SIM Application provider (AP) can have a contract with one mobile operator, subscriber with another (four-corner model) Cross-operator authentication works within Finland, not between countries Typically, both subscriber and AP pay a fee for each authentication event [Image source: Ficom] 38

Text messages for authentication Assumes that text messages cannot be intercepted Google, Microsoft etc. send a secret code to the user’s mobile phone for a second method of authentication (used in addition to a password) Banks send transaction details and a secret code to the phone (used in addition to the password and one-time passcode) 39

Exercises Who could create false location traces in the GSM HLR and how? Is this possible in UMTS? Consider replacing the counter with the phone’s nonce in AKA. What would be lost? Try to design a protocol where the IMSI is never sent over the air interface, i. e. the subscriber identity is never sent in clear. Remember that the terminal may have just landed from an intercontinental flight, and the terminal does not know whether it has or not Find the current cost of an IMSI catcher and fake GSM/3 G base station for intercepting calls User authentication with GBA and MSS requires interaction with the operator. Could the protocols have been designed differently, to support offline authentication? In GBA and MSS, there is a concept called four-corner model. Tupas authentication follows the three-corner model. What do they mean? Can you find a link between roaming and the four-corner model. 40

Related reading Gollmann, Computer security, 3 rd ed. chaptes 19. 2– 19. 3 41