Information and Communication Networks

3GPP Security architecture

Bart Vinck
Siemens Atea, Information and Communication Networks, Communications on Air
bart.vinck@siemens.atea.be
IRR Fraud and Security Conference, London, March 9, 2000

Contents
- Introduction
- Network access security
- Authentication and key agreement
- User identity confidentiality
- Confidentiality and integrity
- Connection establishment
- Mobile equipment identity security
- Network domain security
- Summary

Introduction: Technical specifications

Principles, objectives and requirements
- TS 33.120 Security principles and objectives
- TS 21.133 Security threats and requirements
Architecture, mechanisms and algorithms
- TS 33.102 Security architecture
- TS 33.103 Integration guidelines
- TS 33.105 Cryptographic algorithm requirements
Lawful interception
- TS 33.106 Lawful interception requirements
- TS 33.107 Lawful interception architecture and functions

Introduction: Technical reports

- TR 33.900 Guidelines for 3G security
- TR 33.901 Criteria for cryptographic algorithm design
- TR 33.902 Formal analysis of authentication

Introduction: Security architecture overview

[Figure: security architecture overview. Strata: Application stratum, Home stratum / Serving stratum, Transport stratum. Entities: User Application, Provider Application, TE, USIM, HE, SN, MT, AN. Security feature groups: I. Network access security, II. Provider domain security, III. User domain security, IV. Application security.]

Authentication and key agreement: Contents

- Introduction
- Authentication using sequence numbers
- Message flow for successful authentication
- Message flow for re-synchronisation
- Sequence numbers - fine details
- An authenticated signalling channel HE→USIM
- GSM-UMTS interoperation
- World-wide cross standard roaming
- Summary

Authentication and key agreement: Introduction - New security services

GSM AKA security services
- User-to-network authentication: SRES = A3_Ki(RAND)
- Establishment of a 64 bit cipher key: Kc = A8_Ki(RAND)
Additional UMTS AKA security services
- Establishment of longer cipher key: CK = f3_K(RAND)
- Establishment of integrity key: IK = f4_K(RAND)
- User assurance of key freshness
- (To some extent) network-to-user authentication
- Authenticated signalling channel HE→USIM

Authentication and key agreement: Assurance of key freshness to the user

What is freshness assurance?
- The user is assured at AKA that the cipher/integrity keys are fresh (i.e., have not been used before)
- Not provided by GSM AKA: the network (or an intruder) can re-use triplets (and with them an "insecure" cipher key)
Why have key freshness assurance?
- To limit the damage when a triplet is exposed or a cipher key is broken
How to achieve key freshness assurance?
- Option 1: mutual challenge/response
- Option 2: authenticated challenge/response (preferred)

Authentication and key agreement: Sequence numbers - basics

[Figure: USIM (K, SQN_MS) and AuC (K, SQN_HE); the AuC sends RAND, SQN, MAC to the USIM.]

Home network (AuC)
- Stores SQN_HE = last generated SQN
- Selects next SQN > SQN_HE
- Computes MAC = f1_K(RAND, SQN)
- Sends the user (RAND, SQN, MAC)
- Updates SQN_HE
User (USIM)
- Stores SQN_MS = last accepted SQN
- Receives (RAND, SQN, MAC)
- Computes XMAC = f1_K(RAND, SQN)
- Verifies that XMAC = MAC and SQN > SQN_MS
- Updates SQN_MS

Authentication and key agreement 0/4: Prerequisites

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE).]

K = Subscriber authentication key
SQN_MS = Sequence number counter in the MS
SQN_HE = Sequence number counter in the HE
USIM = UMTS Subscriber Identity Module
VLR = Visitor Location Register
SGSN = Serving GPRS Support Node
AuC = Authentication Centre
MS = Mobile Station
HE = Home Environment

- AuC and USIM share secret key K
- AuC maintains SQN_HE = largest sequence number generated by the AuC (for the subscriber) (will be enhanced further on)
- USIM maintains SQN_MS = largest sequence number received and accepted by the USIM (will be enhanced further on)

Authentication and key agreement 1/4: User-to-network authentication

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE). AuC: XRES = f2_K(RAND), sends RAND, XRES to the VLR or SGSN. VLR or SGSN sends RAND to the USIM. USIM: RES = f2_K(RAND), returns RES. VLR or SGSN checks "XRES = RES ?".]

RAND = Network challenge
RES = User response
XRES = Expected response

- AuC generates RAND and computes XRES
- RAND is sent to the USIM; XRES is sent to the VLR/SGSN
- USIM re-computes RES and sends RES to the VLR/SGSN
- The VLR/SGSN verifies "RES = XRES ?"

Authentication and key agreement 2/4: Cipher/integrity key establishment

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE). AuC: XRES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND), sends RAND, XRES, CK, IK to the VLR or SGSN. VLR or SGSN sends RAND to the USIM. USIM: RES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND), returns RES. VLR or SGSN checks "XRES = RES ?".]

CK = Cipher key
IK = Integrity key

- AuC computes CK and IK from RAND and K
- RAND is sent to USIM, CK and IK are sent to VLR or SGSN
- USIM re-computes CK and IK from RAND and K

Authentication and key agreement 3/4: Network-to-user authentication

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE). AuC sends RAND, XRES, CK, IK, AUTN to the VLR or SGSN; VLR or SGSN sends RAND, AUTN to the USIM; USIM returns RES.]

AuC: MAC = f1_K(RAND | SQN), AUTN = SQN | MAC, XRES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND)
USIM: XMAC = f1_K(RAND | SQN), checks "XMAC = MAC ?" and "SQN > SQN_MS", RES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND)
VLR or SGSN: checks "XRES = RES ?"

AUTN = Authentication token
SQN = Sequence number
MAC = Message authentication code

- AuC generates fresh SQN > SQN_HE, protects its integrity by means of MAC and sends AUTN = SQN | MAC to the USIM
- USIM verifies the data origin of SQN by "XMAC = MAC ?"
- USIM verifies the freshness of SQN by "SQN > SQN_MS"
- Freshness + data origin verification = entity authentication

Authentication and key agreement 4/4: An authenticated signalling channel

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE). AuC sends the quintet Q (RAND, XRES, CK, IK, AUTN) to the VLR or SGSN; VLR or SGSN sends RAND, AUTN to the USIM; USIM returns RES.]

AuC: MAC = f1_K(RAND | SQN | AMF), AUTN = SQN | AMF | MAC, XRES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND)
USIM: XMAC = f1_K(RAND | SQN | AMF), checks "XMAC = MAC ?" and "SQN > SQN_MS", RES = f2_K(RAND), CK = f3_K(RAND), IK = f4_K(RAND)
VLR or SGSN: checks "XRES = RES ?"

AMF = Authentication Management Field
Q = Quintet

- AuC determines AMF
- AMF is input to f1 and MAC, AMF is part of AUTN
- USIM receives AMF as part of AUTN
- USIM verifies authenticity of AMF via "MAC = XMAC ?"

Authentication and key agreement: Composition of the quintet

Quintet
  RAND      Network challenge                  128 bits
  XRES      Expected response                  32-128 bits
  CK        Cipher key                         128 bits
  IK        Integrity key                      128 bits
  AUTN      Authentication token               128 bits
    SQN       Sequence number                    48 bits
    AMF       Authentication management field    16 bits
    MAC(-A)   Message authentication code        64 bits

Note: The standard allows the possibility to conceal SQN with an anonymity key AK to ensure user identity confidentiality.

Source: TS 33.102, Clause 6.3

Authentication and key agreement: Message flow for successful AKA

Participants: USIM, VLR or SGSN, AuC

Distribution of quintets from HLR/AuC to VLR/SGSN
- VLR/SGSN → AuC: auth. data request
- AuC: Generate quintets
- AuC → VLR/SGSN: Quintets Q = (RAND, XRES, CK, IK, AUTN)
Over-the-air authentication and key agreement
- VLR/SGSN → USIM: RAND, AUTN
- USIM: Verify MAC, SQN; derive CK, IK, RES
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?
- USIM: Start using CK, IK
- VLR/SGSN: Start using CK, IK

Source: TS 33.102, Clause 6.3

Authentication and key agreement: Failure cases

USIM determines that XMAC-A ≠ MAC-A (new!)
- USIM: sends indication of integrity failure to VLR
- VLR: request for identification, or try other quintet, or request new quintets from HLR/AuC
USIM determines that "SQN ≤ SQN_MS" (new!)
- USIM: sends indication of synchronisation failure to VLR, computation of re-synchronisation token
- VLR: request new quintets from HLR/AuC with indication of synchronisation failure and re-synchronisation token
VLR determines that XRES ≠ RES
- VLR: reject the user that attempts to access the system

Note: same procedures apply for CS and PS, for VLR and SGSN

Source: TS 33.102, Clause 6.3

Authentication and key agreement: Re-synchronisation mechanism

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE). VLR or SGSN sends RAND, AUTN to the USIM; the USIM finds SQN ≤ SQN_MS and returns AUTS; VLR or SGSN forwards RAND, AUTS to the AuC.]

USIM: MAC-S = f1*_K(RAND | SQN_MS), AUTS = SQN_MS | AMF* | MAC-S
AuC: XMAC-S = f1*_K(RAND | SQN_MS); IF SQN_MS > SQN_HE AND MAC-S = XMAC-S, SET SQN_HE = SQN_MS

AUTS = Re-synchronisation token
MAC-S = MAC for re-synchronisation

- USIM determines that "SQN ≤ SQN_MS" and computes MAC-S
- USIM sends AUTS to VLR, VLR adds RAND
- AuC verifies integrity and whether "SQN_MS > SQN_HE", and updates SQN_HE if necessary

AKA: Re-synchronisation mechanism (message flow)

Participants: USIM, VLR or SGSN, AuC

- USIM: SQN ≤ SQN_MS, compute AUTS
- USIM → VLR/SGSN: Ind. of Sync. Failure, AUTS
- VLR/SGSN → AuC: Auth. data request with RAND, AUTS and indication of synchronisation failure
- AuC: Verify AUTS, [Modify SQN-HE], [Generate quintets]
- AuC → VLR/SGSN: Quintets (distribution of quintets from HLR/AuC to VLR/SGSN)
- VLR/SGSN → USIM: RAND, AUTN
- USIM: SQN now acceptable (continue as in successful AKA)

Source: TS 33.102, Clause 6.3

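The AKA steps 1/4 to 4/4, the two USIM-side failure cases and the re-synchronisation described above can be run end to end with the following added example, which is not part of the original presentation or of TS 33.102. The functions f1, f1*, f2, f3 and f4 are replaced by truncated HMAC-SHA-256 as an assumption, and the class names, the all-zero test key, the starting counter values and the zero AMF/AMF* values are constructed.

```python
import hashlib, hmac, os

def f(name, k, *parts, n):
    # Assumed stand-in for f1, f1*, f2, f3, f4: truncated HMAC-SHA-256, not the real algorithms.
    return hmac.new(k, name + b"".join(parts), hashlib.sha256).digest()[:n]

def b48(sqn): return sqn.to_bytes(6, "big")     # SQN is a 48-bit field

class AuC:
    def __init__(self, k, sqn_he=0):
        self.k, self.sqn_he = k, sqn_he
    def quintet(self, amf=b"\x00\x00"):
        self.sqn_he += 1                        # select next SQN > SQN_HE
        rand, sqn = os.urandom(16), b48(self.sqn_he)
        mac = f(b"f1", self.k, rand, sqn, amf, n=8)
        return {"RAND": rand, "XRES": f(b"f2", self.k, rand, n=8),
                "CK": f(b"f3", self.k, rand, n=16), "IK": f(b"f4", self.k, rand, n=16),
                "AUTN": sqn + amf + mac}        # AUTN = SQN | AMF | MAC
    def resync(self, rand, auts):               # AUTS = SQN_MS | AMF* | MAC-S
        sqn_ms, mac_s = auts[:6], auts[8:]
        if not hmac.compare_digest(mac_s, f(b"f1*", self.k, rand, sqn_ms, n=8)):
            return False                        # MAC-S != XMAC-S: counter untouched
        self.sqn_he = max(self.sqn_he, int.from_bytes(sqn_ms, "big"))
        return True

class USIM:
    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms
    def authenticate(self, rand, autn):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f(b"f1", self.k, rand, sqn, amf, n=8)):
            return "integrity failure", None    # XMAC != MAC
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            s = b48(self.sqn_ms)                # SQN <= SQN_MS: answer with AUTS
            return "sync failure", s + b"\x00\x00" + f(b"f1*", self.k, rand, s, n=8)
        self.sqn_ms = int.from_bytes(sqn, "big")
        return "ok", f(b"f2", self.k, rand, n=8)   # RES; CK and IK derive the same way

def demo():
    auc, usim = AuC(bytes(16), 5), USIM(bytes(16), 5)  # constructed key and counters
    q = auc.quintet()
    bad = q["AUTN"][:-1] + bytes([q["AUTN"][-1] ^ 1])  # one MAC bit flipped
    out = [usim.authenticate(q["RAND"], a)[0] for a in (q["AUTN"], q["AUTN"], bad)]
    auc.sqn_he = 0                                     # simulate a corrupted AuC counter
    q = auc.quintet()
    status, auts = usim.authenticate(q["RAND"], q["AUTN"])
    auc.resync(q["RAND"], auts)                        # SQN_HE is set to SQN_MS
    q2 = auc.quintet()
    return out + [status, usim.authenticate(q2["RAND"], q2["AUTN"])[0]]
```

demo() exercises, in order: a fresh quintet, the same quintet used again, an altered MAC, a quintet issued after the AuC counter was lost, and the first quintet after re-synchronisation.
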
Authentication and key agreement: Causes of synchronisation failures

Re-use
- VLR/SGSN (or intruder) attempts to re-use quintets
- VLR/SGSN must not attempt to re-use quintets !!
- SQN_HE need not be modified
Out-of-order use
- VLR/SGSN attempts to use quintets, while newer quintets have been used already
- SQN management shall allow out-of-order use (to a certain extent) !! (one issue for enhanced SQN management)
- SQN_HE need not be modified
Corruption of the counter in the AuC
- SQN_HE needs to be modified

Source: TS 33.102, Clause 6.3

Authentication and key agreement: Enhanced sequence number management

SQN management shall ...
- allow out-of-order use of a quintet when it is among the 50 most recently generated quintets
  Different mechanisms are available; the USIM keeps track of history information on successfully passed authentication events
- prevent lock-out of a USIM due to SQN_MS reaching SQN_max
  SQN management shall limit the increment of SQN_MS to a maximum value Δ such that SQN_max/Δ is sufficiently large
- not compromise user anonymity
  SQN can either be concealed with an anonymity key AK, or may be (partially) clock-based (then no concealment is required)
- be able to recover from corruption of the AuC database
  SQN management shall support re-synchronisation procedure as defined before

Source: TS 33.102, Clause 6.3

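One possible USIM-side acceptance check for the first two requirements above (out-of-order use within the 50 most recent quintets, increment bounded by Δ) is sketched in this added example, which is not taken from the presentation or from TS 33.102. The class name, the set-based history, the value chosen for DELTA and the assumption that SQN grows by one per quintet are all illustrative.

```python
WINDOW = 50        # out-of-order use allowed among the 50 most recent SQNs
DELTA = 1 << 28    # assumed maximum increment; SQN_max / DELTA = 2**20 for a 48-bit SQN

class SqnTracker:
    """History-based SQN check on the USIM (one assumed mechanism among several)."""

    def __init__(self):
        self.sqn_ms = 0      # highest SQN accepted so far
        self.seen = set()    # accepted SQNs that are still inside the window

    def accept(self, sqn):
        if sqn > self.sqn_ms:
            if sqn - self.sqn_ms > DELTA:
                # A single huge jump would push SQN_MS towards SQN_max (lock-out).
                return "reject: increment exceeds delta"
            self.sqn_ms = sqn
        elif sqn <= self.sqn_ms - WINDOW:
            return "reject: older than window"
        elif sqn in self.seen:
            return "reject: re-use"
        self.seen.add(sqn)
        # Forget history that has dropped out of the window to bound storage.
        self.seen = {s for s in self.seen if s > self.sqn_ms - WINDOW}
        return "accept"

def run(sequence):
    """Feed a constructed list of received SQNs to a fresh tracker."""
    tracker = SqnTracker()
    return [tracker.accept(s) for s in sequence]
```

With the constructed sequence 1, 2, 5, 3, 5 the tracker accepts SQN 3 after SQN 5 (out-of-order use) but rejects the second SQN 5 (re-use).
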
Authentication and key agreement: Suggested SQN generation at the AuC

[Figure: SQN is composed of SEQ and INDEX; SEQ is composed of SEQ1 and SEQ2.]

Storage in the AuC
- SEQ_HE = SEQ1_HE || SEQ2_HE
Composition of SQN
- SEQ1: individual part, # SEQ2 cycles + # re-synchronisations
- SEQ2: time-based part, GLC at the generation
- INDEX: differentiates SQN generated at the same GLC
Generation of new SQN
- Usual case: SEQ1 = SEQ1_HE, SEQ2 = GLC
- GLC wraps around: instead SEQ1 = SEQ1_HE + 1
- >1 batch per time unit: instead SEQ2 = SEQ2_HE + 1
- Several quintets in one batch: assign INDEX = 0, 1, 2, ...

Note: GLC = Global Time Counter

Source: TS 33.102, Annex C