IIR-tutorial-1

Opsue

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

17 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Informations

Publié par	Opsue
Nombre de lectures	55
Langue	English

Extrait

USECUSECA
3G Security: Background and Context
Peter Howard
ReReseseararchch and and Sta Standandarrdds Es Ennggiinneereer
Communications Security and Advanced Development
Vodafone Limited
peter.howard@vf.vodafone.co.uk
IIR Fraud and Security Conference, March 2000 - 1 - 3G Security: Background and Context
USECA
Contents
• Review of GSM security
• Principles and objectives for 3G security
• 3G threat analysis and security requirements capture
IIR Fraud and Security Conference, March 2000 - 2 - 3G Security: Background and Context
1USECA
GSM security
• One of the aspects of GSM that has played a significant part in
its global appeal is its set of security features
• GSM was the first public telephone system to use integrated
cryptographic mechanisms
• By virtue of GSM penetration, these mechanisms have achieved
the status of being the most widespread household use of
cryptography
• GSM security model has been adopted, modified and extended
for DECT, TETRA and now 3GPP
IIR Fraud and Security Conference, March 2000 - 3 - 3G Security: Background and Context
USECA
Background
• Security has always been an issue for mobile telephones
– Scanners to eavesdrop calls
– Re-chipped mobiles to commit fraud by making calls on
someone else’s bill
– Low power base stations to capture identities required to re-
chip mobiles for organised cloning
• Against this background, some GSM designers decided to
provide the system with an integrated set of security features
• Others were concerned that cryptographic mechanisms would
unduly complicate the system and make mobile telephones too
large, too complex or simply unreliable
• Integration of cryptographic mechanisms met with some
resistance and some restrictions were imposed
IIR Fraud and Security Conference, March 2000 - 4 - 3G Security: Background and Context
2USECA
GSM security objectives
• The most significant restriction was that GSM only needed to be
as secure as the fixed networks to which it would be connected
– Interpreted to mean that wherever fixed network technology
was used cryptographic features where not needed (they
are, after all, not generally used by fixed carriers)
• Protection against so-called active attacks which involved
impersonating a network element was not addressed
• These restrictions became design constraints intended to
ensure low complexity of the security features and low impact
on system performance
• In hindsight the concerns about complexity were largely
unfounded
IIR Fraud and Security Conference, March 2000 - 5 - 3G Security: Background and Context
USECA
GSM security features
• Secure user access to telecommunications services
– Allows a network operator to authenticate the identity of a
user in such a way that it is practically impossible for
someone to make fraudulent calls by masquerading as a
genuine user
• User and signalling traffic confidentiality
– Protects user traffic, both voice and data, and sensitive
signalling data, such as dialled telephone numbers, against
eavesdropping on the radio path
• User anonymity
– Designed to protect the user against someone, who knows
the user’s IMSI, from using this information to track the
location of the user or to identify calls made to or from that
user by eavesdropping on the radio path
IIR Fraud and Security Conference, March 2000 - 6 - 3G Security: Background and Context
3USECA
GSM security mechanisms
• Cryptographic authentication verifies the subscription with the
home network when service is requested
– Challenge / response authentication protocol based on a
subscriber specific secret authentication key
• Radio interface encryption prevents eavesdropping and
authenticates the use of the radio channel - the latter is often
forgotten
– The encryption mechanism is based on a symmetric stream
cipher
– The key for encryption is established as part of the
authentication protocol
• The allocation and use of temporary identities helps to provide
user anonymity
IIR Fraud and Security Conference, March 2000 - 7 - 3G Security: Background and Context
USECA
The SIM
• The SIM (Subscriber Identity Module) is the basis of the
provision and management of GSM security features
• It is a smart card based security module which is inserted into
the MS (Mobile Station)
• With the exception of traffic encryption, all security functions at
the user side of the radio interface are implemented on the SIM
• The SIM contains all the identification data and cryptographic
keys that the subscriber needs to make or receive a call
• The SIM is the object of the home network’s location
management and the SIM to which calls are charged
• A smart card is used to prevent duplication of the subscription
by maintaining secrecy of the authentication key
IIR Fraud and Security Conference, March 2000 - 8 - 3G Security: Background and Context
4USECA
Overview of the GSM security architecture
• Authentication and key agreement
• Encryption
• Allocation and use of temporary identities
IIR Fraud and Security Conference, March 2000 - 9 - 3G Security: Background and Context
USECA
Authentication and key agreement
• The subscriber-specific secret authentication key and the
security algorithms for authentication and key agreement are
only contained
– At the network side, in the Authentication Centre (AuC)
associated with the Home Location Register (HLR)
– At the user side, in the Subscriber Identity Module (SIM)
inserted into the Mobile Station (MS)
• Security data is generated in the HLR/AuC and distributed to the
Visitor Location Register (VLR) as part of registration - this
allows the VLR to authenticate and agree an encryption key with
the user
• Security data is typically sent in batches which means that the
serving network can authenticate and agree a new encryption
key with the user several times before having to contact the
home system again
IIR Fraud and Security Conference, March 2000 - 10 - 3G Security: Background and Context
5USECA
Authentication and key agreement protocol
• Protocol goals
– Authentication of the user
– Agreement of a shared secret encryption key
• Mechanism properties
– Symmetric key authentication based on a shared secret
subscriber authentication key contained in the AuC and SIM
– User authentication by challenge / response
– Encryption key derived from authentication key and
challenge
IIR Fraud and Security Conference, March 2000 - 11 - 3G Security: Background and Context
USECA
Authentication and key agreement protocol
MS/SIM MSC/VLR HLR/AuC
RAND
Ki Ki: Subscriber authentication key
A3: Algorithm for calculating RES
A8: Algorithm forlating Kc A3 A8
RAND: User challenge
(X)RES: (Expected) user response
Kc: Encryption key XRES Kc Authentication Data Request
{RAND, XRES, Kc}: Security triplet
{RAND, XRES, Kc}
RAND
RAND
MS/SIM Mobile Station / SubscriberKi
Identity Module
MSC/VLR Mobile Switching Centre /
A3 A8 Visitor Location Register
HLR/AuC Home Location Register /
Authentication CentreRES
RES Kc
IIR Fraud and Security Conference, March 2000 - 12 - 3G Security: Background and Context
6USECA
Encryption
• The VLR uses security data generated in the HLR/AuC to agree
an encryption key with the user during authentication of the user
• The VLR selects a GSM security triplet from the batch received
from the HLR/AuC
• The VLR sends the RAND to the user and compares the user
response RES with the expected response XRES in the triplet
• During call establishment, an encrypted mode of transmission is
established where the MSC/VLR transports the current Kc to the
base station and then instructs the MS to select the same Kc
generated in the SIM during authentication
• Once the encryption keys are in place, the encryption of user
traffic between the mobile station and the base station is started
IIR Fraud and Security Conference, March 2000 - 13 - 3G Security: Background and Context
USECA
The encryption mechanism
• The layer 1 data flow (DCCH or TCH) is encrypted before
modulation but after interleaving using the A5 stream cipher and
the encryption key Kc
• Plaintext is organised into blocks of 114 bits which are
transmitted during a time slot - successive slots for a given
physical channel are separated by at least 4.615 ms
• For encryption, A5 produces, each 4.615 ms, a sequence of
2x114 encryption bits (the keystream) which are bit-wise modulo
2 added to the plaintext blocks in each direction of transmission
• Decryption is performed by exactly the same method
• For each slot, decryption is performed on the MS side using the
first block of 114 keystream bits, and encryption is performed
using the second block
• On the BS side, the first block is used for encryption and the
second for decryption
IIR Fraud and Security Conference, March 2000 - 14 - 3G Security: Background and Context
7USECA
The encryption mechanism
MS/SIM BS MSC/VLR
Authentication and key agreement protocol
Kc
Kc Kc
Kc: Encryption key
A5: Algorithm forplaintext ciphertext ciphertext plaintext
encryption /
A5 A5 decryption
Uplink tra