1 / 46

Cryptography in Public Wireless Networks

Cryptography in Public Wireless Networks. Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com Feb 27, 2004. Outline. Overview of GSM Cryptography Some possible “attacks” on GSM Overview of WLAN Cryptography

altonk
Download Presentation

Cryptography in Public Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com Feb 27, 2004

  2. Outline • Overview of GSM Cryptography • Some possible “attacks” on GSM • Overview of WLAN Cryptography • How problems in one technology can spread to another • How can you in practice fix a crypto problemwhen thousands of devices are out there • Overview of “3G” UMTS Cryptography

  3. GSM Security Overview

  4. History – GSM Security • Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator • SIM is the entity which is authenticated, basis for roaming • Initial GSM algorithms (were) not publicly available and under the control of GSM-A, new (3G) algorithms are open • GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys, future 128 bits • One-sided challenge-response authentication • Basic user privacy support (“pseudonyms”) • No integrity/replay protection GSM crypto is probably (one of) the mostfrequently used crypto in the world.

  5. GPRS - Confidentiality: GEA1 GEA2 GEA3 (new, open) RBS CS - Confidentiality, A5/1 A5/2 A5/3 (new, open) Authentication:A3 Algorithm History – GSM SecurityAccess security SGSN Base Station Controller Radio Base Station MSC

  6. Req(IMSI) RAND, Kc RAND RAND, XRES, Kc RES RES = XRES ? GSM Authentication: Overview Home Network Ki AuC/HLR MSC/VLR RBS Ki Visited Network

  7. rand (128) res (32) Kc (64) frame# encr frame data/speech  GSM Autentication: Details A3 and A8: Authentication and key derivation (proprietary) A5: encryption (A5/1-4, standardized) (No netw auth, no integrity/replay protection) Radio i/f Phone Ki(128) SIM A3A8 Radio Base Station A5/x

  8. Cryptographic Transforms in Wireless • Wireless is subject to • limited bandwidth • bit-errors (up to 1% RBER) • As consequence, most protocols: • use stream ciphers (no padding, no error-propagation) • do not use integrity protection (data expansion, loss)

  9. Sizes: 23, 22, 19 bit (i.e. 64 bit keys) “shift Li if middle bit of Li agrees with majority of middle bits in L1 L2 L3” GSM Encryption I: A5/1 L1 output  L2 cc L3

  10. A5/1 ”leaked” in mid 90’s. A few attacks found. [Biryukov, Wagner, Shamir 01]: 300Gb precomputed data and 2s known plaintext  retrieve Kc  1min. Little “sister”, A5/2 (reverse-engineered @Berkeley) Status of A5/1 All Ax algorithms initially secret.

  11. majority(a, b, c) = ab + bc + ca GSM Encryption II: A5/2 (Export Version)

  12. Let’s take a closer look… August 2003…

  13. R4 controls clocking 3 ”associated” bits, one per R1-R3 A5/2 (clock control) Ri (i =1,2,3) is clocked iff its ”associated” bit agrees with majority of the 3 bits (At least two clocked)

  14. } exploited by attack… The A5/2 Algorithm (details) First, set all four Ri to zero. 1. Kc (64 bits) bitwise sequentially XORed onto each Ri 2. frame # (21 bits) bitwise sequentially XORed onto each Ri 3. Force certain bit in each Ri to ”1” 4. Run for 99 ”clocks” ignoring output 5. Run for 228 ”clocks” producing output

  15. Idea behind the attack A5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknowns 0/1 variables, of which 64 are Kc If plaintext known, each 114-bit frame gives 114 equations Only difference between frames is that frame numberincreases by one. After 6 frames (in reality only 4) we have > 660 equations  can solve! If plaintext unknown, can still attack thanks to redundancyof channel coding (SACCH has 227 redundant bits per each 4-frame message).

  16. Attack efficiency Off-line stage (done once): Storage for ”matrices”: approx 200MB Pre-processing time: less than 3 hrs on a PC On-line attack stage: Requires 4-7 frames sent from UE on SACCH. Retrieving Kc then takes less than 1 second. Hardware requirement: normal PC and GSM capable receiver

  17. Consequence 1: Passive attacks in A5/2 Network(Eavesdropping) 1 RAND, RES (and Kc) 2 Cipher start A5/2 < 1 sec of traffic New attack PC Kc, Plaintext< 1 sec

  18. 1 RAND 2 RAND 4 RES 3 RES Consequence 2: Active attacks in any Network(False base-station/man-in-the-middle attacks) 5 Cipher start A5/1 6 Cipher start A5/2 8 Cipher stop 9 Cipher start A5/1 7 Attack:: Kc

  19. 1 RAND, RES (and Kc) 2 Cipher start A5/1 Record 1 RAND, RES (and Kc) 2 Cipher start A5/2 Kc Consequence 3: Passive + Active attack

  20. WLAN (IEEE 802.11b) Security Overview

  21. 24 bits random/per packet 40-104 bits • Will repeat: • - for sure, after 224 msgs • after 5000 msgs (average) •  “two-time pad” RC4 CRC keystream  msg CRC(msg) cipher Wireless LAN (802.11b, WEP) Security Network fixed! IV k

  22. Alice Bob c’ keystream   m CRC(m) keystream m  CRC(m ) c  Eve:  CRC() c’ WLAN Security Problem No 2 CRC is linear: CRC(msg ) = CRC(msg)CRC) and so is any stream cipher: Encr(k, msg ) = Encr k, msg)  

  23. IV || k k This is “solved” by: append RC4 IV WLAN Security Problem No 3 k RC4 RC4 has only one “input”, the key. IV [Fluhrer, Mantin, Shamir, 2001]: The first bits of the RC4 key have significant “influence” on the RC4 ouput. Even if k is 1000 bits, knowing IVs makes it possible to break the WLAN encryption.

  24. chall res  chall = res keystream RC4 Observing a single “authentication”enables impersonation… WLAN Security Problem No 4 Authentication protocol: k k

  25. Node B UTRAN RNC E.g. SIM accessover Bluetooth or SIM reader Node B Charging/Billing Subscriber Mgmt ProxyAAA AAA WLAN-Cellular Interworking Architecture 3GPP Home Network SGSN GGSN/FA Gn Iu Gr(MAP) HSS AuC HLR Radius/Diameter WRAN AP WSN/FA AP 3GPP Visited Network “HOTSPOT” IP Motive: Mobile operators want to offer “hot-spots” for subscriber base. Internet/Intranet Signalling and User Data Signalling Data

  26. WLAN/GSM Interworking Problems GSM Security is not perfect, but “astronomically”better than WLAN (WEP). Can SIM re-use in WLAN threaten also GSM (and conversely)? WLAN improvements under way, but will takesome time. Major GSM upgrades not feasible (expensive,and we will soon have 3G anyway…)

  27. Fix by “gluing” onhigher layers, invisibleto lower layers Security problems,risk of bad “interaction” Security Placement in Protocol Stack L5 (application) “TLS/SSL” L4 (transport) “IPsec” L3 (networking) WLAN sec L2 (media access control) L1 (physical) GSM sec

  28. Problem 1: Bad WLAN Encryption/Integrity Awaiting WLAN fix, use e.g. IPsec and keysderived from SIM

  29. Solution: bootstrap on top of SIM procedure SIM/TerminalNetwork RAND1, RAND2,… Problem 2: Key Material Need SIM can only provide one 64-bit key, goodencryption + integrity might need e.g. 256 bits. f, one-way function, avoid possibly weak A8 variants K1 = A8(RAND1)K2 = A8(RAND2)… f( )f( )

  30. SIM/TerminalNetwork RAND0 RAND1, RAND2,…, MAC(k, RAND0,…) K1 = f(A8(RAND1))K2 = f(A8(RAND2))… Check MAC Problem 2: WLAN Replay Attacks Anybody can put up a “fake” WLAN AP at a very modest cost. Record-GSM-then-WLAN-replay attacks possible.  Network authentication must be added.

  31. Problem 3: GSM Replay Attacks GSM has no replay protection either. Record-WLAN-then-GSM-replay attacks possible. Too expensive to add GSM network authentication.  Previous A5/2 problems must be fixed (As seen, also needed for GSM security as such)

  32. Ideas for GSM (A5/2) Improvements

  33. Recall the “security-relevant” nodes: MSC/VLR AuC/HLR RBS Visited Network Home Network Requirements There are millions of mobile phones and SIMs and Thousands of network side equipment that potentially need upgrades to fix A5/2 problems. Need to affect as little as possible.

  34. Home net (HLR/AuC) signals ”special RAND” (fixed 32-bit prefix) and algorithm policy in RAND: A5/x allowed iff xth bit of RAND = 1 Possible fix I + Simple (Home net+phone) 1 RAND, RES (and Kc) 2 Cipher start A5/x - 40 bits of RAND ”stolen”, impact on security?

  35. Alg_id f New alg: A5/x’ A5/x A5/x Possible fix II (Ericsson) A5/x Phone SIM RAND + Simple (visited net+phone) + Security ”understood”, key separation - Relies more on visited net encr frame 

  36. UMTS Security Overview

  37. 3G Security – UMTS, Improvements to GSM • Mutual Authentication with Replay Protection • Protection of signalling data • Secure negotiation of protection algorithms • Integrity protection and origin authentication • Confidentiality • Protection of user data payload • Confidentiality • “Open” algorithms (block-ciphers) basis for security • AES for authentication and key agreement • Kasumi for confidentiality/integrity • Security level (key sizes): 128 bits • Protection further into the network

  38. UMTS – Security Integrity & Confidentiality UIA & UEA algorithms (based on KASUMI) SGSN Node B Radio Network Controller MSC Node B

  39. Allows check ofauthenticity and “freshness” Integrity protectionkey UMTS – Authentication and Key Agreement AKA Home Network Looks a lot like GSM, but… Ki Req(IMSI) AuC/HLR RAND, AUTN RAND, AUTN RAND, XRES, CK, IK, AUTN RES MSC/VLR RES = XRES ? Ki RBS Visited Network

  40. UMTS AKA Algorithms AUTN XRES IK CK Ek = AES

  41. “Counter” avoidsshort cycles “Masked” offset avoids known input/output pairs UMTS Encryption: UEA/f8 “Provably” secure underassumptions on Kasumi COUNT || BEARER || DIR || 0…0 (64 bits) Kasumi m (const)  c = 1 c = 2 c = B    Kasumi Kasumi Kasumi Kasumi CK(128 bits) keystream

  42. 16 bits 16 bits 9 bits 7 bits FI S9 32 bits 32 bits sec. s + + FI S7 FO + + + k FI S9 + + Inside Kasumi (actually: MISTY) 8 rounds of: security  s8 (3 rounds) security  s4 security  s2

  43. UMTS Integrity Protection: UIA/f9 COUNT || FRESH M2 MB M1    Kasumi Kasumi Kasumi Kasumi IK    Kasumi m’  Variant of CBC-MAC MAC (left 32 bits) (Used only on signaling, not on user data)

  44. Comparison of Security Mechanisms

  45. Any Public Key Techniques? • So far, only mentioned symmetric crypto, but public key is also used, typically for key-exchange (RSA, Diffie-Hellman, elliptic curves…): • on “application level”, e.g. WAP • for inter-operator signaling traffic • In general, too heavy for “bulk” use.

  46. The End Summary • Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story Main reason: convenience and invisibility to user • Insecurity in one system can affect another when interacting • “Fixing” bad crypto is easier said than done, practical cost is an issue • “3G” crypto significantly more open and well-studied  higher confidence

More Related