30 pages

English

IIR-tutorial-2

Zoed

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

30 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Information and Communication Networks3GPP Security architectureBart VinckSiemens AteaInformation and communication networksCommunications on Airbart.vinck@siemens.atea.beIRR Fraud and Security Conference,London, March 9, 2000Contents Introduction Network access security Authentication and key agreement User identity confidentiality Confidentiality and integrity Connection establishment Mobile equipment identity security Network domain security SummaryIRR Fraud and Security Conference,2London, March 9, 2000Siemens Atea Page 1USECAUSECAInformation and Communication NetworksIntroductionTechnical specificationsPrinciples, objectives and requirements TS 33.120 Security principles and objectives TS 21.133 Security threats and requirementsArchitecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirementsLawful interception TS 33.106 Lawful interception requirements TS 33.107 Lawful interception architecture and functionsIRR Fraud and Security Conference,3London, March 9, 2000IntroductionTechnical reportsTechnical reports TR 33.900 Guidelines for 3G security TR 33.901 Criteria for cryptographic algorithm design TR 33.902 Formal analysis of authenticationIRR Fraud and Security Conference,4London, March 9, 2000Siemens Atea Page 2USECA USECAInformation and Communication NetworksIntroductionSecurity architecture ...

Informations

Publié par	Zoed
Nombre de lectures	21
Langue	English

Extrait

Siemens Atea

3GPP Security architecture

Bart Vinck Siemens Atea Information and communication networks Communications on Air bart.vinck@siemens.atea.be

IRR Fraud and Security Conference, London, March 9, 2000

Contents

Introduction Network access security Authentication and key agreement User identity confidentiality Confidentiality and integrity Connection establishment Mobile equipment identity security Network domain security Summary

IRR Fraud and Security Conference, London, March 9, 2000

Page 1

Information and Communication Networks

Siemens Atea

Introduction Technical specifications Principles, objectives and requirements  principles and objectives SecurityTS 33.120  threats and requirements SecurityTS 21.133 Architecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements Lawful interception  LawfulTS 33.106 interception requirements  LawfulTS 33.107 interception architecture and functions

IRR Fraud and Security Conference, London, March 9, 2000

Introduction Technical reports Technical reports  for 3G security GuidelinesTR 33.900 TR 33.901 Criteria for cryptographic algorithm design TR 33.902 Formal analysis of authentication

IRR Fraud and Security Conference, London, March 9, 2000

Page 2

Information and Communication Networks

Siemens Atea

Information and Communication Networks

Introduction Security architecture overview Application IV.stratum User Application Provider Application

III.I I.Home . stratum/ TE USIM HE Serving I I.II.Stratum . SN TransportI. Network access security MTI.AN stratumIIII.I .PUrsoevirddeormdaoimnasiencsuerictyurity IV. Application security

IRR Fraud and Security Conference, London, March 9, 2000

Authentication and key agreement Contents Introduction Authentication using sequence numbers Message flow for successful authentication Message flow for re-synchronisation Sequence numbers - fine details An authenticated signalling channel HE→USIM GSM-UMTS interoperation World-wide cross standard roaming Summary

IRR Fraud and Security Conference, London, March 9, 2000

Page 3

Siemens Atea

Information and Communication Networks

Authentication and key agreement Introduction - New security services GSM AKA security services User-to-network authentication SRES = A3Ki(RAND)  KcEstablishment of a 64 bit cipher key = A8Ki(RAND) Additional UMTS AKA security services  = f3 CKEstablishment of longer cipher keyK(RAND)  IK = f4Establishment of integrity keyK(RAND) User assurance of key freshness (To some extent) network-to-user authentication Authenticated signalling channel HE→USIM

IRR Fraud and Security Conference, London, March 9, 2000

Authentication and key agreement Assurance of key freshness to the user What is freshness assurance ? The user is assured at AKA that the cipher/integrity keys are fresh (i.e., have not been used before) Not provided by GSM AKAnetwork (or intruder) can re-use triplets (and for re-use of “insecure cipher key) Why have key freshness assurance ? To limit the damage when a triplet is exposed or a cipher key is broken How to achieve key freshness assurance? Option 1: mutual challenge/response Option 2: authenticated challenge/response(preferred)

IRR Fraud and Security Conference, London, March 9, 2000

Page 4

Siemens Atea

Authentication and key agreement Sequence numbers - basics USIM AuC KRAND, SQN, MACK SQNMSSQNHE User (USIM) Home network (AuC) StoresStores SQNMS SQN= last accepted SQNHE= last generated SQN Receives (RAND, SQN, MAC)Selects next SQN > SQNHE ComputesComputes XMAC = fK(RAND, SQN) MAC = f1K(RAND, SQN) Verifies that XMAC = MAC andSends the user SQN > SQNMS(RAND, SQN, MAC) Updates SQNMSUpdates SQNHE IRR Fraud and Security Conference, London, March 9, 2000

Information and Communication Networks

Authentication and key agreement 0/4: Prerequisites USIM VLR or SGSN AuC SQNMSK SQNHEK K = Subscriber authentication key SQNMS= Sequence number counter in the MS SQNHE= Sequence number counter in the HE USIM = UMTS Subscriber Identity Module VLR = Visitor Location Register SGSN = Serving GPRS Support Node AuC = Authentication Centre MS = Mobile Station HE = Home Environment AuC and USIM share secret key K AuC maintains SQNHE= largest sequence number generated by the AuC (for the subscriber)(will be enhanced further on) USIM maintains SQNMS= largest sequence number received and accepted by the USIM(will be enhanced further on) IRR Fraud and Security Conference, London, March 9, 2000

Page 5

Siemens Atea

Information and Communication Networks

Authentication and key agreement 1/4: User-to-network authentication USIM VLR or SGSN AuC RANDSQNMSKRANDSQNHEK RES = f2KDNARSERX(= RS DR)EADNXf2RANK(RAND) RES XRES = RES ?RAND = Network challenge RES = User response XRES = Expected response AuC generates RAND and computes XRES RAND is sent to the USIM; XRES is sent to the VLR/SGSN USIM re-computes RES and sends RES to the VLR/SGSN The VLR/SGSN verifies “RES = XRES? 11IRR Fraud and Security Conference, London, March 9, 2000

Authentication and key agreement 2/4: Cipher/integrity key establishment USIM VLR or SGSN AuC SQNMSK RXARNESDSQNHE K RANDRANDCK, IK RES = f2K(RAND)RXARENSD= f2K(RAND) CK = f3KA=ND) (R IK = f4K KC3f DfN =)IK( 4ARK K)NAR( D)NDRA( RES XRES = RES ?C K= =K yIker heip C yek ytirgetnI

AuC computes CK and IK from RAND and K RAND is sent to USIM, CK and IK are sent to VLR or SGSN USIM re-computes CK and IK from RAND and K 12IRR Fraud and Security Conference, London, March 9, 2000

Page 6

Siemens Atea

Information and Communication Networks

Authentication and key agreement 3/4: Network-to-user authentication USIM VLR or SGSN AuC RAND SQNMSKXRESSQNHEK RANDSQNRAAUTNNDCAKU,TINKRANDSQN RES = f2K(RAND) ICK K= =f 4fK3KAND)(RADN)R( AUTN = SQN | MACIERX K = 4Sf3CK f =K=K( (f2RRKA )ADND)ANN(DR) XMAC = f1K( RAND | SQN)RES XMAC MAC ?AUMTNA C= A=ufth1eK n(tiRcaAtiNonDt|o kSenQN) = SQN > SQNMSXRES = RES ?edumbece nquen= SeQS Ncon ioaticntheuta egasseM = CAMr AuC generates fresh SQN > SQNHE, protects the integrity by means of MAC and sends AUTN = SQN | MAC to the USIM USIM verifies the data origin of SQN by “XMAC = MAC ? USIM verifies the freshness of SQN by “SQN > SQNMS data origin verification = entity authenticationFreshness + 13IRR Fraud and Security Conference, London, March 9, 2000

Authentication and key agreement 4/4: An authenticated signalling channel USIM VLR or SGSNQuintetAuC RAND SQNMSKAUTN RANDSQNRANDXRESRANDSSQQNNHEAKMF = f2 RXXEMMSAA=CC =f=2 KfM (1KA(R CRA N?D | SQN | D)NAAMF)AUTNCK, IK XRESK K( N | | SQD)AN(RDNARAMF) AUTN= SQN |AMF| MACMAC= f1 CSKQ N= f>3 SKNAQ(R MSf4RES CK =f) DN K =IK3KAN(RD)( ARDN) IK = f4K = RES ?(RAND) XRESAMF = Authentication Management Field Q = Quintet AuC determines AMF AMF is input to f1 and MAC, AMF is part of AUTN USIM receives AMF as part of AUTN verifies authenticity of AMF via “MAC = XMAC ?"USIM 14IRR Fraud and Security Conference, London, March 9, 2000

Page 7

Siemens Atea

Authentication and key agreement Composition of the quintet Quintet  bits 128 challengeRAND Network XRES Expected 32-128 response bits  keyCK Cipher bits 128  bitsIK Integrity key 128  128 bitsAUTN Authentication token SQN Sequence number 48 bits AMF Authentication management field 16 bits MAC(-A) Message authentication code 64 bits Note The standard allows the possibility to conceal SQN with an anonymity key AK to ensure user identity confidentiality

15IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000

Authentication and key agreement Message flow for successful AKA USIM VLR or SGSN AuC Distribution ofauth. data request quintets fromGenerate HLR/AuCQuintetsquintets to VLR/SGSNQ = (RAND, XRES, CK, IK, AUTN) RAND, AUTN Over-the-air Verify MAC, SQN Derive CK, IK, RESoiancitaehtnatuknd RES ey agreement XRES = RES ? Start using CK, IK Start using CK, IK

16 TS 33.102, Clause 6.3IRR Fraud and Security Conference, Source: London, March 9, 2000

Page 8

Information and Communication Networks

Siemens Atea

Authentication and key agreement Failure cases USIM determines that XMAC-A≠MAC-A(new!) USIM: sends indication of integrity failure to VLR VLR: request for identification or try other quintet or request new quintets from HLR/AuC USIM determines that “SQN≤SQNMS(new!) USIM: sends indication of synchronisation failure to VLR, computation of re-synchronisation token VLR: request new quintets from HLR/AuC with indication of synchronisation failure and re-synchronisation token VLR determines that XRES≠RES VLR: reject the user that attempts to access the system Note: same procedures apply for CS and PS, for VLR and SGSN 17 Source: TS 33.102, Clause 6.3IRR Fraud and Security Conference, London, March 9, 2000

Information and Communication Networks

Authentication and key agreement Re-synchronisation mechanism USIM VLR or SGSNQuintetAuC SQNMS SQNK RANDHEK RANDSQNAUTS RAAUTNSDRANDSQN SQN≤SQNMSXRES = f2K(RAND) MAC-S = f1*K(RAND | SQNMS = f1*) XMAC-SK(RAND | SQNMS) “ AUTS = SQNMS| AMF* | MAC-SIFSQNMS> SQNHE AND MAC-S = XMAC-S SET SQNHE= SQN AUTS = Re-synchronisation token MAC-S = MAC for re-synchronisation USIM determines that “SQN≤SQNMS and computes MAC-S USIM sends AUTS to VLR, VLR adds RAND AuC verifies integrity and whether “SQNMS> c and updates SQNMSis necessary 18IRR Fraud and Security Conference, London, March 9, 2000

Page 9

Siemens Atea

Information and Communication Networks

AKA: Re-synchronisation mechanism USIM VLR or SGSN AuC SQN≤SQNMS Compute AUTS Ind. of Sync. Failure AUTS DHiLstRri/bAuutiCo tno ofV LquRi/nSteGtsS fNr owmit hAR ,STUADNuADatath. uest ReqVerify AUTS [Modify SQN-HE] fianidliucraetion of synchronisationQuintets[Generate quintets] RAND, AUTN SQN now acceptable (Continue as in successful AKA)

19IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000

Authentication and key agreement Causes of synchronisation failures Re-use VLR/SGSN (or intruder) attempts to re-use quintets VLR/SGSN must not attempt to re-use quintets !! SQNHEneed not be modified Out-of-order use VLR/SGSN attempts to use quintets, while newer quintets have been used already SQN management shall allow out-of-order use (to a certain extent) !!one issue for enhanced SQN management SQNHEneed not be modified Corruption of the counter in the AuC SQNHEneed be modified 20IRR Fraud and Security Conference, Source: TS 33.102, Clause 6.3 London, March 9, 2000

Page 10

Siemens Atea

Information and Communication Networks

Authentication and key agreement Enhanced sequence number management SQN management shall ...  allow out-of-order useof a quintet when it is among the50 most recently generated quintets Different mechanisms are available; the USIM keeps track of history information on successful passed authentication events  prevent lock-outof a USIM due to SQNMSreaching SQNmax SQN management shall limit the increment of SQNMSto a maximum valueΔsuch that SQNmax/Δis sufficiently large  not compromise user anonymity an anonymity key AK, or maySQN can either be concealed with be (partially) clock-based (then no concealment is required)  be able to recover from corruption of the AuC database SQN management shall support re-synchronisation procedure as defined before 21 TS 33.102, Clause 6.3IRR Fraud and Security Conference, Source: London, March 9, 2000

Authentication and key agreement Suggested SQN generation at the AuC SEQQNStorage in the AuC SEQ1SEQ2INDEXSEQHE = SEQ1HE|| SEQ2HE Composition of SQN GenUesruaatli ocans eof new SQN SEQ1: individual part, # SQN2SEQ1 = SEQ1HE cSyEclQe2sations: ti + #ers-nyhcorinLCs desab-emG ,trap SEQ2 = GLC the eneration atGLC wraps around IND ESXrentiffes SQgiQaNte:Nd instead: SEQ1 = SEQ1HE+ 1 generated at the same GLC>1 batch per time unit Noteinstead: SEQ2 = SEQ2HE+1 GLC: Global Time C unterseveral quintets in one batch oassign INDEX = 0, 1, 2, ...

22IRR Fraud and Security Conference, Source: TS 33.102, Annex C London, March 9, 2000

Page 11