La lecture en ligne est gratuite
Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres
Télécharger Lire

IIR-tutorial-2

30 pages
Information and Communication Networks3GPP Security architectureBart VinckSiemens AteaInformation and communication networksCommunications on Airbart.vinck@siemens.atea.beIRR Fraud and Security Conference,London, March 9, 2000Contents Introduction Network access security Authentication and key agreement User identity confidentiality Confidentiality and integrity Connection establishment Mobile equipment identity security Network domain security SummaryIRR Fraud and Security Conference,2London, March 9, 2000Siemens Atea Page 1USECAUSECAInformation and Communication NetworksIntroductionTechnical specificationsPrinciples, objectives and requirements TS 33.120 Security principles and objectives TS 21.133 Security threats and requirementsArchitecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirementsLawful interception TS 33.106 Lawful interception requirements TS 33.107 Lawful interception architecture and functionsIRR Fraud and Security Conference,3London, March 9, 2000IntroductionTechnical reportsTechnical reports TR 33.900 Guidelines for 3G security TR 33.901 Criteria for cryptographic algorithm design TR 33.902 Formal analysis of authenticationIRR Fraud and Security Conference,4London, March 9, 2000Siemens Atea Page 2USECA USECAInformation and Communication NetworksIntroductionSecurity architecture ...
Voir plus Voir moins
Siemens Atea
2
3GPP Security architecture
Bart Vinck Siemens Atea Information and communication networks Communications on Air bart.vinck@siemens.atea.be
IRR Fraud and Security Conference, London, March 9, 2000
Contents
 Introduction  Network access security Authentication and key agreement User identity confidentiality Confidentiality and integrity Connection establishment Mobile equipment identity security  Network domain security  Summary
IRR Fraud and Security Conference, London, March 9, 2000
Page 1
Information and Communication Networks
Siemens Atea
3
4
Introduction Technical specifications Principles, objectives and requirements  principles and objectives SecurityTS 33.120  threats and requirements SecurityTS 21.133 Architecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements Lawful interception  LawfulTS 33.106 interception requirements  LawfulTS 33.107 interception architecture and functions
IRR Fraud and Security Conference, London, March 9, 2000
Introduction Technical reports Technical reports  for 3G security GuidelinesTR 33.900 TR 33.901 Criteria for cryptographic algorithm design TR 33.902 Formal analysis of authentication
IRR Fraud and Security Conference, London, March 9, 2000
Page 2
Information and Communication Networks
Siemens Atea
5
6
Information and Communication Networks
Introduction Security architecture overview Application IV.stratum User Application Provider Application
III.I I.Home . stratum/ TE USIM HE Serving I I.II.Stratum . SN TransportI. Network access security MTI.AN stratumIIII.I .PUrsoevirddeormdaoimnasiencsuerictyurity IV. Application security
IRR Fraud and Security Conference, London, March 9, 2000
Authentication and key agreement Contents Introduction Authentication using sequence numbers Message flow for successful authentication Message flow for re-synchronisation Sequence numbers - fine details An authenticated signalling channel HEUSIM GSM-UMTS interoperation World-wide cross standard roaming Summary
IRR Fraud and Security Conference, London, March 9, 2000
Page 3
Siemens Atea
7
8
Information and Communication Networks
Authentication and key agreement Introduction - New security services GSM AKA security services User-to-network authentication SRES = A3Ki(RAND)  KcEstablishment of a 64 bit cipher key = A8Ki(RAND) Additional UMTS AKA security services  = f3 CKEstablishment of longer cipher keyK(RAND)  IK = f4Establishment of integrity keyK(RAND) User assurance of key freshness (To some extent) network-to-user authentication Authenticated signalling channel HEUSIM
IRR Fraud and Security Conference, London, March 9, 2000
Authentication and key agreement Assurance of key freshness to the user  What is freshness assurance ? The user is assured at AKA that the cipher/integrity keys are fresh (i.e., have not been used before) Not provided by GSM AKAnetwork (or intruder) can re-use triplets (and for re-use of “insecure” cipher key)  Why have key freshness assurance ? To limit the damage when a triplet is exposed or a cipher key is broken  How to achieve key freshness assurance? Option 1: mutual challenge/response Option 2: authenticated challenge/response(preferred)
IRR Fraud and Security Conference, London, March 9, 2000
Page 4
Siemens Atea
9
10
Authentication and key agreement Sequence numbers - basics USIM AuC KRAND, SQN, MACK SQNMSSQNHE User (USIM) Home network (AuC) StoresStores SQNMS SQN= last accepted SQNHE= last generated SQN Receives (RAND, SQN, MAC)Selects next SQN > SQNHE ComputesComputes XMAC = fK(RAND, SQN) MAC = f1K(RAND, SQN) Verifies that XMAC = MAC andSends the user SQN > SQNMS(RAND, SQN, MAC) Updates SQNMSUpdates SQNHE IRR Fraud and Security Conference, London, March 9, 2000
Information and Communication Networks
Authentication and key agreement 0/4: Prerequisites USIM VLR or SGSN AuC SQNMSK SQNHEK K = Subscriber authentication key SQNMS= Sequence number counter in the MS SQNHE= Sequence number counter in the HE USIM = UMTS Subscriber Identity Module VLR = Visitor Location Register SGSN = Serving GPRS Support Node AuC = Authentication Centre MS = Mobile Station HE = Home Environment AuC and USIM share secret key K AuC maintains SQNHE= largest sequence number generated by the AuC (for the subscriber)(will be enhanced further on) USIM maintains SQNMS= largest sequence number received and accepted by the USIM(will be enhanced further on) IRR Fraud and Security Conference, London, March 9, 2000
Page 5
Siemens Atea
Information and Communication Networks
Authentication and key agreement 1/4: User-to-network authentication USIM VLR or SGSN AuC RANDSQNMSKRANDSQNHEK RES = f2KDNARSERX(= RS  DR)EADNXf2RANK(RAND) RES XRES = RES ?RAND = Network challenge RES = User response XRES = Expected response AuC generates RAND and computes XRES RAND is sent to the USIM; XRES is sent to the VLR/SGSN USIM re-computes RES and sends RES to the VLR/SGSN The VLR/SGSN verifies “RES = XRES?” 11IRR Fraud and Security Conference, London, March 9, 2000
Authentication and key agreement 2/4: Cipher/integrity key establishment USIM VLR or SGSN AuC SQNMSK RXARNESDSQNHE K RANDRANDCK, IK RES = f2K(RAND)RXARENSD= f2K(RAND) CK = f3KA=ND) (R IK = f4K  KC3f DfN =)IK( 4ARK K)NAR( D)NDRA( RES XRES = RES ?C K= =K yIker heip C yek ytirgetnI  
AuC computes CK and IK from RAND and K RAND is sent to USIM, CK and IK are sent to VLR or SGSN USIM re-computes CK and IK from RAND and K 12IRR Fraud and Security Conference, London, March 9, 2000
Page 6
Siemens Atea
Information and Communication Networks
Authentication and key agreement 3/4: Network-to-user authentication USIM VLR or SGSN AuC RAND SQNMSKXRESSQNHEK RANDSQNRAAUTNNDCAKU,TINKRANDSQN RES = f2K(RAND) ICK K=  =f 4fK3KAND)(RADN)R( AUTN = SQN | MACIERX K = 4Sf3CK f =K=K( (f2RRKA )ADND)ANN(DR) XMAC = f1K( RAND | SQN)RES XMAC MAC ?AUMTNA C= A=ufth1eK n(tiRcaAtiNonDt|o kSenQN) = SQN > SQNMSXRES = RES ?edumbece nquen= SeQS Ncon ioaticntheuta egasseM = CAMr AuC generates fresh SQN > SQNHE, protects the integrity by means of MAC and sends AUTN = SQN | MAC to the USIM USIM verifies the data origin of SQN by “XMAC = MAC ?” USIM verifies the freshness of SQN by “SQN > SQNMS” data origin verification = entity authenticationFreshness + 13IRR Fraud and Security Conference, London, March 9, 2000
Authentication and key agreement 4/4: An authenticated signalling channel USIM VLR or SGSNQuintetAuC RAND SQNMSKAUTN RANDSQNRANDXRESRANDSSQQNNHEAKMF = f2 RXXEMMSAA=CC   =f=2 KfM (1KA(R CRA N?D | SQN | D)NAAMF)AUTNCK, IK XRESK K( N | | SQD)AN(RDNARAMF) AUTN= SQN |AMF| MACMAC= f1 CSKQ N=  f>3 SKNAQ(R MSf4RES CK =f) DN K =IK3KAN(RD)( ARDN)  IK = f4K = RES ?(RAND) XRESAMF = Authentication Management Field Q = Quintet AuC determines AMF AMF is input to f1 and MAC, AMF is part of AUTN USIM receives AMF as part of AUTN verifies authenticity of AMF via “MAC = XMAC ?"USIM 14IRR Fraud and Security Conference, London, March 9, 2000
Page 7
Siemens Atea
Authentication and key agreement Composition of the quintet Quintet  bits 128 challengeRAND Network XRES Expected 32-128 response bits  keyCK Cipher bits 128  bitsIK Integrity key 128  128 bitsAUTN Authentication token – SQN Sequence number 48 bits – AMF Authentication management field 16 bits – MAC(-A) Message authentication code 64 bits Note The standard allows the possibility to conceal SQN with an anonymity key AK to ensure user identity confidentiality
15IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000
Authentication and key agreement Message flow for successful AKA USIM VLR or SGSN AuC Distribution ofauth. data request quintets fromGenerate HLR/AuCQuintetsquintets to VLR/SGSNQ = (RAND, XRES, CK, IK, AUTN) RAND, AUTN Over-the-air Verify MAC, SQN Derive CK, IK, RESoiancitaehtnatuknd RES ey agreement XRES = RES ? Start using CK, IK Start using CK, IK
16 TS 33.102, Clause 6.3IRR Fraud and Security Conference, Source: London, March 9, 2000
Page 8
Information and Communication Networks
Siemens Atea
Authentication and key agreement Failure cases  USIM determines that XMAC-AMAC-A(new!) USIM: sends indication of integrity failure to VLR VLR: request for identification or try other quintet or request new quintets from HLR/AuC  USIM determines that “SQNSQNMS”(new!) USIM: sends indication of synchronisation failure to VLR, computation of re-synchronisation token VLR: request new quintets from HLR/AuC with indication of synchronisation failure and re-synchronisation token  VLR determines that XRESRES VLR: reject the user that attempts to access the system Note: same procedures apply for CS and PS, for VLR and SGSN 17 Source: TS 33.102, Clause 6.3IRR Fraud and Security Conference, London, March 9, 2000
Information and Communication Networks
Authentication and key agreement Re-synchronisation mechanism USIM VLR or SGSNQuintetAuC SQNMS SQNK RANDHEK RANDSQNAUTS RAAUTNSDRANDSQN SQNSQNMSXRES = f2K(RAND)  MAC-S = f1*K(RAND | SQNMS = f1*) XMAC-SK(RAND | SQNMS) AUTS = SQNMS| AMF* | MAC-SIFSQNMS> SQNHE” AND MAC-S = XMAC-S  SET SQNHE= SQN AUTS = Re-synchronisation token  MAC-S = MAC for re-synchronisation USIM determines that “SQNSQNMS” and computes MAC-S USIM sends AUTS to VLR, VLR adds RAND AuC verifies integrity and whether “SQNMS> c” and updates SQNMSis necessary 18IRR Fraud and Security Conference, London, March 9, 2000
Page 9
Siemens Atea
Information and Communication Networks
AKA: Re-synchronisation mechanism USIM VLR or SGSN AuC SQNSQNMS Compute AUTS Ind. of Sync. Failure AUTS DHiLstRri/bAuutiCo tno  ofV LquRi/nSteGtsS fNr owmit hAR ,STUADNuADatath. uest ReqVerify AUTS [Modify SQN-HE] fianidliucraetion of synchronisationQuintets[Generate quintets] RAND, AUTN SQN now acceptable (Continue as in successful AKA)
19IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000
Authentication and key agreement Causes of synchronisation failures  Re-use VLR/SGSN (or intruder) attempts to re-use quintets VLR/SGSN must not attempt to re-use quintets !! SQNHEneed not be modified  Out-of-order use VLR/SGSN attempts to use quintets, while newer quintets have been used already SQN management shall allow out-of-order use (to a certain extent) !!one issue for enhanced SQN management SQNHEneed not be modified  Corruption of the counter in the AuC SQNHEneed be modified 20IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000
Page 10
Siemens Atea
Information and Communication Networks
Authentication and key agreement Enhanced sequence number management  SQN management shall ... … allow out-of-order useof a quintet when it is among the50 most recently generated quintets Different mechanisms are available; the USIM keeps track of history information on successful passed authentication events … prevent lock-outof a USIM due to SQNMSreaching SQNmax SQN management shall limit the increment of SQNMSto a maximum valueΔsuch that SQNmax/Δis sufficiently large … not compromise user anonymity an anonymity key AK, or maySQN can either be concealed with be (partially) clock-based (then no concealment is required) … be able to recover from corruption of the AuC database SQN management shall support re-synchronisation procedure as defined before 21 TS 33.102, Clause 6.3IRR Fraud and Security Conference, Source: London, March 9, 2000
Authentication and key agreement Suggested SQN generation at the AuC SEQQNStorage in the AuC SEQ1SEQ2INDEXSEQHE = SEQ1HE|| SEQ2HE Composition of SQN GenUesruaatli ocans eof new SQN SEQ1: individual part, # SQN2SEQ1 = SEQ1HE cSyEclQe2sations: ti + #ers-nyhcorinLCs desab-emG ,trap SEQ2 = GLC the eneration atGLC wraps around IND ESXrentiffes SQgiQaNte:Nd instead: SEQ1 = SEQ1HE+ 1 generated at the same GLC>1 batch per time unit Noteinstead: SEQ2 = SEQ2HE+1 GLC: Global Time C unterseveral quintets in one batch oassign INDEX = 0, 1, 2, ...
22IRR Fraud and Security Conference, Source: TS 33.102, Annex C London, March 9, 2000
Page 11
Un pour Un
Permettre à tous d'accéder à la lecture
Pour chaque accès à la bibliothèque, YouScribe donne un accès à une personne dans le besoin