Secure GSM: Introduction and NC3A Experiences

- Slides: 26

Secure GSM: Introduction and NC3A Experiences
CIS Division, NATO Command, Control & Consultation Agency
pcs@nc3a.info
NATO UNCLASSIFIED

Why GSM?
• GSM is global
  – Networks in 140+ countries
• GSM is a standard
  – Should be interoperable
• GSM supports data services
  – Many data services
  – Can be used for any type of communications

Some GSM data services:
• Data Synch. 9600 bps - MO
• Data Synch. 9600 bps - MT
• SMS Cell Broadcast
• Transparent Data
• Automatic Facsimile Grp 3 - MO
• SMS - MT
• SMS - MO
• Data Asynch. 9600 bps - MT
• Data Asynch. 9600 bps - MO
• Automatic Facsimile Grp 3 - MT
• PAD Access 9600 bps - MO
• PAD Access 9600 bps - MT

GSM services for Military Users
[Figures: GSM & GPS; GSM “Piconode”]
• GSM data services support useful services for Emergency Operations
• Position reporting
• Status monitoring via SMS
• Deployable - 20 kg, 0.6 m³
• Standalone GSM infrastructure
• BTS, BSC, MSC, NMS
• Can be connected to other networks
• GSM, PSTN, PABX
• Satellite backhaul
• Tactical Military GSM is useful, but no security
But not just GSM, any digital mobile radio

Deployable GSM
Pictures courtesy of DERA / Qinetiq (UK)

… GSM deployed for the military in the US
Picture courtesy of Charley McMurray, REDCOM Labs

Reasons against “deployed” GSM
• Frequency allocation
• GSM bands usually licensed to commercial operators
• Services don’t always match requirements
• GSM not designed for Command & Control use
• but other Professional Mobile Radio systems were
• So, GSM is not necessarily the best choice if deploying own infrastructure.
• But it is VERY good if you want to use existing infrastructure

Secure GSM: End-to-end encryption
How Secure GSM equipment works - and why it has to be this way

Overview - Standard GSM Security
[Figure: GSM air interface encryption (GSM AIE, A5); link segments labelled protected / vulnerable / protected; Security within GSM Standards (network is trusted)]
Traffic at the air interface is protected by encrypting with the A5 algorithm,
Figure courtesy of D Parkinson, BT Exact (UK)

Concerns over GSM AIE
(but don’t believe what you read on the web)
(and yes I do appreciate the irony of that statement in a web based presentation)

A5 - The GSM Encryption Algorithm
From sci.crypt Fri Jun 17 17:11:49 1994
From: rja14@cl.cam.ac.uk (Ross Anderson)
Date: 17 Jun 1994 13:43:28 GMT
Newsgroups: sci.crypt, alt.security, uk.telecom
Subject: A5 (Was: HACKING DIGITAL PHONES)
The GSM encryption algorithm, A5, is not much good. Its effective key length is at most five bytes; and anyone with the time and energy to look for faster attacks can find source code for it at the bottom of this post.
/www.chem.leeds.ac.uk/ICAMS/people/jon/a5.html

EUROCRYPT '97, May 11-15, 1997, Konstanz, Germany
Session 8: Stream Ciphers
12:00-12:30 Cryptanalysis of Alleged A5 Stream Cipher, Jovan Dj. Golić (Queensland University of Technology, Australia)
The Eurocrypt '97 page
The information at this site is Copyright by the International Association for Cryptologic Research.
http://www.iacr.org/conferences/ec97/program

Should we worry about strength of A5?
• GSM was developed by ETSI
• European Telecommunications Standards Institute
• GSM algorithms developed by ETSI SAGE
• Security Algorithms Group of Experts
• ETSI SAGE
• Developed Algorithms for many civil telecom standards e.g. GSM, TETRA, DECT, 3G etc
• SAGE developed the A5 algorithm for GSM Air Interface Encryption
• A5 provides greater protection than analogue cellular mobiles
• A5 fit for purpose

Air Interface Encryption is optional
[Figure: GSM air interface encryption is optional; link segments labelled vulnerable / protected / vulnerable; cases shown: Security within GSM Standards (transmitting OTA in clear) and Security within GSM Standards (network is trusted)]
AIE is optional. Users have no control and usually no knowledge of whether AIE is being used.
Some phones will indicate if AIE is in use - most do not

End to End Encryption
[Figure: GSM air interface encryption is optional; link segments labelled vulnerable or protected; cases shown: Security within GSM Standards (transmitting OTA in clear), Security within GSM Standards (network is trusted), and End to End Encryption over GSM (network is untrusted), where end-to-end encryption is protected]

Standard GSM Security
• Standard GSM encryption (A5)
• optional
• over air-interface only (clear within network)
• There is a need for end to end encryption
• Voice calls in GSM can be transcoded within the network
• Transcoding errors are small
  – have a negligible effect on quality of analogue voice
• Cannot encrypt ordinary GSM voice calls as transcoding errors would prevent decryption
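The transcoding point on this slide, as an added example that is not part of the original presentation. The smoothing "transcoder", the SHAKE-256 keystream, the key and the sine-wave "speech" are all constructed stand-ins, not the GSM codec or A5.

```python
import hashlib
import math

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in keystream generator (SHAKE-256); not A5 and not any vendor's cipher.
    return hashlib.shake_256(key).digest(n)

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def transcode(samples: bytes) -> bytes:
    # Toy lossy transcoder (assumption): smooth each sample with its
    # neighbours, then requantise to 6 bits. Like a real speech transcoder it
    # relies on neighbouring samples being correlated.
    n = len(samples)
    out = bytearray()
    for i in range(n):
        prev = samples[max(i - 1, 0)]
        nxt = samples[min(i + 1, n - 1)]
        out.append(((prev + 2 * samples[i] + nxt) // 4) & 0xFC)
    return bytes(out)

def mean_abs_error(a: bytes, b: bytes) -> float:
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def compare_paths(key: bytes = b"constructed-demo-key"):
    # Constructed "speech": 800 8-bit samples of a slow sine wave.
    speech = bytes(int(128 + 100 * math.sin(2 * math.pi * i / 80)) for i in range(800))
    ks = keystream(key, len(speech))
    # Voice call path: plaintext speech is transcoded in the network.
    plain_err = mean_abs_error(speech, transcode(speech))
    # Encrypted samples sent as a voice call: the network transcodes ciphertext.
    recovered = xor(transcode(xor(speech, ks)), ks)
    cipher_err = mean_abs_error(speech, recovered)
    # Data call path: no transcoding, ciphertext arrives bit-exact.
    data_ok = xor(xor(speech, ks), ks) == speech
    return plain_err, cipher_err, data_ok

if __name__ == "__main__":
    plain_err, cipher_err, data_ok = compare_paths()
    print(f"voice path, plain speech : mean error {plain_err:.1f} of 255")
    print(f"voice path, ciphertext   : mean error {cipher_err:.1f} of 255")
    print(f"data path, ciphertext    : bit-exact = {data_ok}")
```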

Secure GSM
• Secure GSM sends encrypted voice over a GSM data connection
• GSM data connections are not transcoded
  – Separate phone number for data connections tells the GSM network not to transcode
• Secure GSM uses the transparent data service
• Bearer service 26 (9.6 kbps) or 25 (4.8 kbps)
• Circuit switched data connection
  – Fixed delays (required for speech)
  – No error correction
• Initially:
• GSM used a 13 kbps voice coder (RPE-LPC)
• Data services limited to 9.6 kbps
• So using the data service to send encrypted speech required the use of a different voice coder

End to end secure GSM data
[Figure: Voice Coder, Crypto and Error Protection blocks at each end; end to end encrypted GSM data between them]
Encrypted speech is transmitted over GSM data connection
• Uses the GSM data connection
• Transparent data service provides no error correction
• Provides its own Error Protection
• Encoded speech is encrypted
• Speech must be encoded (digitised)
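The voice coder, crypto and error protection chain on this slide, as an added example that is not part of the original presentation. The rate-1/3 repetition code, the SHAKE-256 keystream, the key and the 7-byte frame are constructed assumptions; the slides do not say which cipher or error-protection scheme any product uses.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in keystream (SHAKE-256), not any product's cipher. A fielded
    # system needs fresh keystream for every frame; this demo sends one frame.
    return hashlib.shake_256(key).digest(n)

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list) -> bytes:
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
        for j in range(0, len(bits), 8)
    )

def fec_encode(bits: list) -> list:
    # Rate-1/3 repetition code (assumption, chosen for brevity).
    return [b for b in bits for _ in range(3)]

def fec_decode(bits: list) -> list:
    # Majority vote over each group of three received bits.
    return [1 if sum(bits[i:i + 3]) >= 2 else 0 for i in range(0, len(bits), 3)]

def channel(bits: list, flipped: set) -> list:
    # Transparent bearer: delivers bits as received, errors included.
    return [b ^ 1 if i in flipped else b for i, b in enumerate(bits)]

def send_frame(frame: bytes, key: bytes, flipped: set, protect: bool = True) -> bytes:
    ks = keystream(key, len(frame))
    tx = to_bits(xor(frame, ks))   # voice coder output -> crypto
    if protect:
        tx = fec_encode(tx)        # crypto output -> error protection
    rx = channel(tx, flipped)      # GSM transparent data connection
    if protect:
        rx = fec_decode(rx)
    return xor(from_bits(rx), ks)  # decrypt at the far end

def bit_errors(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(to_bits(a), to_bits(b)))

if __name__ == "__main__":
    frame = bytes.fromhex("1fa203c455e607")  # constructed 7-byte coder frame
    key, flipped = b"constructed-demo-key", {0, 10, 50}
    print("with error protection   :", bit_errors(frame, send_frame(frame, key, flipped)))
    print("without error protection:", bit_errors(frame, send_frame(frame, key, flipped, False)))
```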

Voice Coders
• End to end secure GSM doesn’t use ‘standard’ GSM voice coder
• For Secure GSM the choice of voice coder is independent
• NATO Post-2000 Narrow Band Voice Coder (2400 & 1200 bps)
• Outperforms
  – CELP - 4.8 k
  – CVSD - 16 k
  – LPC10e - 2.4 k
• Widely used by other secure users
• Can be used over GSM data services

Introduction to STANAG 4591, The new NATO Voice Coder
NC3A Workshop, October 18th 2002, at TNO-FEL, The Hague, The Netherlands
Topics include: Need for a new NATO voice coder; Tests to select Stanag 4591; Language independence testing; Source Code & IPR; Performance; VoIP with S4591; Stanag 4591 in civil telecom standards
Organised by the NATO C3 Agency and the NATO Ad-Hoc Working Group on Narrow Band Voice Coding
For more details please email: voice@nc3a.info

Plain and secure speech in GSM
[Figure: GSM Secure Speech; two GSM Networks joined by an inter-network connection; Data Number and Voice Number; GSM / PCM transcoders]
• Normal voice call sent through network
• User calls GSM voice number
• Transcoding in network is possible
• Secure speech sent as data call through network
• User calls GSM data number
• No transcoding
• Secure speech sent between GSM networks
• Relies on inter-network connection supporting GSM transparent data service correctly

Secure GSM / PSTN interworking
[Figure: GSM Network, GSM Data Number, V.110 like Protocol, Interworking Unit, V.32 Modem, PSTN (Analogue mode), Deskset Crypto Unit, Standard PSTN ‘phone]
The interworking unit provides the interface for data calls between GSM and PSTN

NC3A Experiences
Results with existing Secure GSM equipment 1999 - 2002

Crypto AG Secure GSM (NC3A Trials 1999)
• GSM - PSTN interworking via deskset
• Manual key management
• Crypto applique on conventional GSM
• Call set up time approx 40 seconds
• Encrypted speech only
• Reliability
  – good on home network
  – variable when roamed
  – variable between GSM and PSTN
• Voice quality
  – good when strong signal
  – deteriorated when GSM signal was weak

Sagem Secure GSM (NC3A Trials 2000)
• Crypto applique on conventional GSM
• Approved to FR Confidential
• GSM - PSTN interworking via deskset
• Key Management System
• Encrypted speech only
• Call set up time approx 20 seconds
• Reliability
  – good on home network
  – variable when roamed
  – variable between GSM and PSTN
• Voice quality
  – Generally good
  – Deteriorated when GSM signal was weak

More Secure GSMs
Rohde & Schwarz “TopSec”
• Half rate GSM Voice coder
• GE RESTRICTED
• Released to NATO
General Dynamics “Sectera”
• Includes STANAG 4591 2.4 k voice coder
• US TYPE 1
• Being released to NATO
Tests of both requested by NC3A during 2000-2

Sectra Secure GSM (NC3A Trials 2000-2001)
• Military development
• Swedish/Norwegian Project
• Crypto integral to terminal
• Integrated GSM / DECT unit
• DECT gives PSTN connection
• Encrypted Voice + Data
• Key Management System
• Good voice quality
• Improved reliability
• when roamed
• when GSM signal was low

NSK 200 Secure GSM (NC3A Trials 2001-2002)
• Norwegian military development
• Crypto integral to terminal
• Authentication required
• Approved to NATO SECRET
• Tested over GSM, DECT and via Inmarsat
• Features and operation described in other presentations

Summary of Trials (Things to think about)
• Support for data calls
• requires transparent data bearer services 25 & 26
• varies with network operator
• Inter-network connectivity
• Secure calls between some countries never succeeded
• Roaming agreements
• Not always in place in some areas

More on Secure GSM
• Interested?
• When?
• Where?
• Just GSM or 3G?

Symposium on End to End Security in Mobile Cellular Networks and Secure 3G
London, December 2002
Call for papers
Contributions are invited on the subjects of:
• Secure GSM
• 3G security
• End to end security via satellite services
• Network operators viewpoints
• Interoperability issues for end to end security
• Market differences: Commercial vs military users
For details and submission of abstract (200 words) please contact: ACT Branch, NC3A, The Hague, The Netherlands. Tel: +31 70 374 3444 or Email: pcs@nc3a.info
This event will be unclassified and attendance open to all