Cryptography in Public Wireless Networks
Mats Näslund, Communication Security Lab, Ericsson Research
mats.naslund@ericsson.com
Feb 27, 2004
Outline
• Overview of GSM Cryptography
• Some possible “attacks” on GSM
• Overview of WLAN Cryptography
• How problems in one technology can spread to another
• How you can in practice fix a crypto problem when thousands of devices are out there
• Overview of “3G” UMTS Cryptography
History – GSM Security
• Use of a smart card SIM – Subscriber Identity Module, a tamper-resistant device containing critical subscriber information, e.g. a 128-bit key shared with the Home Operator
• The SIM is the entity which is authenticated; this is the basis for roaming
• Initial GSM algorithms (were) not publicly available and under the control of the GSM-A; the new (3G) algorithms are open
• GSM ciphering on the “first hop” only: stream ciphers using 54/64-bit keys, 128 bits in the future
• One-sided challenge-response authentication
• Basic user privacy support (“pseudonyms”)
• No integrity/replay protection
GSM crypto is probably (one of) the most frequently used crypto in the world.
Algorithm History – GSM Security: Access Security
Nodes (diagram): Radio Base Station (RBS) – Base Station Controller – MSC (circuit switched) / SGSN (GPRS)
• Authentication: A3
• CS confidentiality: A5/1, A5/2, A5/3 (new, open)
• GPRS confidentiality: GEA1, GEA2, GEA3 (new, open)
GSM Authentication: Overview
Home Network: AuC/HLR (holds Ki). Visited Network: MSC/VLR and RBS. The phone’s SIM holds the same Ki.
• MSC/VLR → AuC/HLR: Req(IMSI)
• AuC/HLR → MSC/VLR: RAND, XRES, Kc
• MSC/VLR → phone (via RBS): RAND
• Phone → MSC/VLR: RES
• MSC/VLR checks RES = XRES ?
• Kc is handed to the RBS for ciphering
GSM Authentication: Details
• The SIM holds Ki (128 bits); the phone passes rand (128) to the SIM, whose A3/A8 return res (32) and Kc (64)
• A3 and A8: authentication and key derivation (proprietary)
• A5: encryption (A5/1-4, standardized); Kc and the frame # drive A5/x in the phone and in the Radio Base Station, which encrypt frame data/speech over the radio i/f
• (No network authentication, no integrity/replay protection)
Cryptographic Transforms in Wireless
• Wireless is subject to
  - limited bandwidth
  - bit errors (up to 1% RBER)
• As a consequence, most protocols:
  - use stream ciphers (no padding, no error propagation)
  - do not use integrity protection (data expansion, loss)
GSM Encryption I: A5/1
• Three LFSRs L1, L2, L3 of sizes 23, 22, 19 bits (i.e. 64-bit keys), combined into the output
• Clock control (cc): “shift Li if the middle bit of Li agrees with the majority of the middle bits in L1, L2, L3”
Status of A5/1
• All Ax algorithms initially secret.
• A5/1 “leaked” in the mid 90’s. A few attacks found.
• [Biryukov, Wagner, Shamir 01]: 300Gb of precomputed data and 2s of known plaintext retrieve Kc in 1 min.
• Little “sister”, A5/2 (reverse-engineered @ Berkeley)
GSM Encryption II: A5/2 (Export Version)
majority(a, b, c) = ab + bc + ca
August 2003… Let’s take a closer look…
A5/2 (clock control)
• R4 controls the clocking: 3 “associated” bits, one per R1–R3
• Ri (i = 1, 2, 3) is clocked iff its “associated” bit agrees with the majority of the 3 bits (at least two are clocked)
The A5/2 Algorithm (details)
First, set all four Ri to zero.
1. Kc (64 bits) bitwise sequentially XORed onto each Ri
2. frame # (21 bits) bitwise sequentially XORed onto each Ri
3. Force a certain bit in each Ri to “1”
4. Run for 99 “clocks” ignoring output
5. Run for 228 “clocks” producing output
} exploited by attack…
Idea behind the attack
• A5/2 is highly “linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are Kc
• If the plaintext is known, each 114-bit frame gives 114 equations
• The only difference between frames is that the frame number increases by one
• After 6 frames (in reality only 4) we have > 660 equations, can solve!
• If the plaintext is unknown, one can still attack thanks to the redundancy of the channel coding (SACCH has 227 redundant bits per each 4-frame message)
Attack efficiency
Off-line stage (done once):
• Storage for “matrices”: approx 200MB
• Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
• Requires 4-7 frames sent from the UE on SACCH
• Retrieving Kc then takes less than 1 second
Hardware requirement: normal PC and GSM-capable receiver
Consequence 1: Passive attacks in A5/2 Network (Eavesdropping)
1. RAND, RES (and Kc)
2. Cipher start A5/2
< 1 sec of recorded traffic, fed to the new attack on a PC, yields Kc and the plaintext in < 1 sec.
Consequence 2: Active attacks in any Network (False base-station/man-in-the-middle attacks)
The false base station relays between the real network and the phone:
1. RAND (network → attacker)
2. RAND (attacker → phone)
3. RES (phone → attacker)
4. RES (attacker → network)
5. Cipher start A5/1 (network → attacker)
6. Cipher start A5/2 (attacker → phone)
7. Attack: Kc
8. Cipher stop
9. Cipher start A5/1
Consequence 3: Passive + Active attack
Record (passive):
1. RAND, RES (and Kc)
2. Cipher start A5/1
Later (active), with the recorded values:
1. RAND, RES (and Kc)
2. Cipher start A5/2 → Kc
Wireless LAN (802.11b, WEP) Security
• RC4 keyed with IV || k: IV = 24 bits, random per packet; k = 40-104 bits, fixed for the network!
• cipher = (msg || CRC(msg)) XOR keystream
• The IV will repeat:
  - for sure, after 2^24 msgs
  - after 5000 msgs (average)
  - “two-time pad”
WLAN Security Problem No 2
CRC is linear: CRC(msg ⊕ d) = CRC(msg) ⊕ CRC(d), and so is any stream cipher: Encr(k, msg ⊕ d) = Encr(k, msg) ⊕ d
• Alice → Bob: c = (m || CRC(m)) ⊕ keystream
• Eve intercepts c and forwards c’ = c ⊕ (d || CRC(d))
• Bob decrypts c’ to (m ⊕ d) || CRC(m ⊕ d): a modified message with a valid CRC
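Added example (Go, not from the original deck): the two linearities on this slide run against a WEP-style frame. A CRC-32 trailer accepts a ciphertext that someone without the key has modified, while a truncated HMAC-SHA256 tag in the same place rejects it; the RC4 keystream is replaced by constructed fixed bytes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"hash/crc32"
)

var keystream = []byte("constructed keystream bytes, long enough for the sample frames") // stand-in for RC4(IV || k)

// xorBytes returns a xor b, treating the shorter input as zero-padded.
func xorBytes(a, b []byte) []byte {
	out := append([]byte{}, a...)
	for i := 0; i < len(a) && i < len(b); i++ {
		out[i] ^= b[i]
	}
	return out
}

// crcTag is WEP's integrity check value: CRC-32 of the plaintext.
func crcTag(m []byte) []byte {
	t := make([]byte, 4)
	binary.LittleEndian.PutUint32(t, crc32.ChecksumIEEE(m))
	return t
}

// hmacTag is the keyed alternative: HMAC-SHA256 truncated to 8 bytes.
func hmacTag(key []byte) func([]byte) []byte {
	return func(m []byte) []byte { h := hmac.New(sha256.New, key); h.Write(m); return h.Sum(nil)[:8] }
}

// seal encrypts m || tag(m) with the keystream, as WEP does with CRC(m).
func seal(m []byte, tag func([]byte) []byte) []byte {
	p := append(append([]byte{}, m...), tag(m)...)
	return xorBytes(p, keystream[:len(p)])
}

// open decrypts and checks the trailing tag of tagLen bytes.
func open(c []byte, tag func([]byte) []byte, tagLen int) ([]byte, bool) {
	p := xorBytes(c, keystream[:len(c)])
	m := p[:len(p)-tagLen]
	return m, hmac.Equal(p[len(p)-tagLen:], tag(m))
}

// CRC-32 is affine over GF(2) (CRC(m xor d) = CRC(m) xor CRC(d) xor CRC(0)) and a stream
// cipher is linear, so c becomes a valid encryption of m xor d without the key: the slide's c'.
func xorIntoCiphertext(c, d []byte) []byte {
	tagDelta := xorBytes(crcTag(d), crcTag(make([]byte, len(d))))
	return xorBytes(c, append(append([]byte{}, d...), tagDelta...))
}
```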
WLAN Security Problem No 3
This is “solved” by: RC4 key = IV || k (RC4 has only one “input”, the key).
[Fluhrer, Mantin, Shamir, 2001]: The first bits of the RC4 key have significant “influence” on the RC4 output. Even if k is 1000 bits, knowing the IVs makes it possible to break the WLAN encryption.
WLAN Security Problem No 4
Authentication protocol (shared key k on both sides): one side sends chall, the other answers res = chall ⊕ keystream (RC4 under k). Since chall ⊕ res = keystream, observing a single “authentication” enables impersonation…
WLAN-Cellular Interworking Architecture
Motive: Mobile operators want to offer “hot-spots” for their subscriber base.
Diagram elements:
• 3GPP Home Network: HSS (HLR, AuC), AAA (Radius/Diameter), Charging/Billing, Subscriber Mgmt, GGSN/FA
• 3GPP Visited Network: Proxy AAA, SGSN (Gn, Iu and Gr (MAP) interfaces), UTRAN with RNC and Node Bs
• WLAN “HOTSPOT”: WRAN with APs and WSN/FA, connected over IP to the Internet/Intranet
• Terminal: e.g. SIM access over Bluetooth or a SIM reader
• Legend: signalling and user data; signalling; data
WLAN/GSM Interworking Problems
• GSM security is not perfect, but “astronomically” better than WLAN (WEP).
• Can SIM re-use in WLAN threaten also GSM (and conversely)?
• WLAN improvements are under way, but will take some time.
• Major GSM upgrades are not feasible (expensive, and we will soon have 3G anyway…)
Security Placement in Protocol Stack
L5 (application)           “TLS/SSL”
L4 (transport)
L3 (networking)            “IPsec”
L2 (media access control)  WLAN sec
L1 (physical)              GSM sec
Fix by “gluing” on higher layers, invisible to lower layers. Security problems, risk of bad “interaction”.
Problem 1: Bad WLAN Encryption/Integrity
Awaiting a WLAN fix, use e.g. IPsec and keys derived from the SIM
Problem 2: Key Material Need
The SIM can only provide one 64-bit key; good encryption + integrity might need e.g. 256 bits.
Solution: bootstrap on top of the SIM procedure.
• Network → SIM/Terminal: RAND1, RAND2, …
• K1 = A8(RAND1), K2 = A8(RAND2), …
• Apply f, a one-way function, to each: f(K1), f(K2), … to avoid possibly weak A8 variants
Problem 2: WLAN Replay Attacks
Anybody can put up a “fake” WLAN AP at a very modest cost. Record-GSM-then-WLAN-replay attacks possible. Network authentication must be added.
• SIM/Terminal → Network: RAND0
• Network → SIM/Terminal: RAND1, RAND2, …, MAC(k, RAND0, …)
• Terminal: K1 = f(A8(RAND1)), K2 = f(A8(RAND2)), …; check MAC
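Added example (Go, not the author's or any 3GPP code) of the bootstrap on the two slides above: several A8 outputs are passed through a one-way f and concatenated, and the network's MAC over the terminal's nonce RAND0 is checked before the keys are used. A8 is a constructed stand-in (HMAC-SHA256 truncated to 64 bits), f is SHA-256, and the MAC key k is assumed to be derived from the session keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
)

// a8 stands in for the SIM's proprietary A8 (constructed): 64-bit Kc from Ki and RAND.
func a8(ki, rand []byte) []byte {
	h := hmac.New(sha256.New, ki)
	h.Write(rand)
	return h.Sum(nil)[:8]
}

// f is the one-way function applied to each A8 output (SHA-256 is an assumption).
func f(kc []byte) []byte {
	s := sha256.Sum256(kc)
	return s[:]
}

// deriveKeys: K1 = f(A8(RAND1)) || K2 = f(A8(RAND2)) || ... gives e.g. 256 bits from 64-bit Kc's.
func deriveKeys(ki []byte, rands [][]byte) []byte {
	var keys []byte
	for _, r := range rands {
		keys = append(keys, f(a8(ki, r))...)
	}
	return keys
}

// networkMAC is the slide's MAC(k, RAND0, ...): HMAC over the terminal's nonce RAND0 and
// the challenges, under k derived from the session keys (an assumption about the slide's k).
func networkMAC(keys, rand0 []byte, rands [][]byte) []byte {
	k := sha256.Sum256(append([]byte("mac-key:"), keys...)) // separate MAC key
	h := hmac.New(sha256.New, k[:])
	h.Write(rand0)
	for _, r := range rands {
		h.Write(r)
	}
	return h.Sum(nil)
}

// terminalVerify is the "Check MAC" step; a recording replayed against a fresh RAND0
// fails, and the keys are released only on success.
func terminalVerify(ki, rand0 []byte, rands [][]byte, mac []byte) ([]byte, bool) {
	keys := deriveKeys(ki, rands)
	if !hmac.Equal(mac, networkMAC(keys, rand0, rands)) {
		return nil, false
	}
	return keys, true
}
```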
Problem 3: GSM Replay Attacks
• GSM has no replay protection either. Record-WLAN-then-GSM-replay attacks possible.
• Too expensive to add GSM network authentication.
• The previous A5/2 problems must be fixed (as seen, also needed for GSM security as such)
Requirements
Recall the “security-relevant” nodes: Home Network: AuC/HLR; Visited Network: MSC/VLR, RBS.
There are millions of mobile phones and SIMs and thousands of network-side equipment that potentially need upgrades to fix the A5/2 problems. Need to affect as little as possible.
Possible fix I
Home net (HLR/AuC) signals a “special RAND” (fixed 32-bit prefix) and an algorithm policy in RAND: A5/x allowed iff the xth bit of RAND = 1
1. RAND, RES (and Kc)
2. Cipher start A5/x
+ Simple (Home net + phone)
- 40 bits of RAND “stolen”, impact on security?
Possible fix II (Ericsson)
New alg A5/x’: the phone takes Kc from the SIM (computed from RAND) and feeds f(Kc, Alg_id) as key into the existing A5/x
+ Simple (visited net + phone)
+ Security “understood”, key separation
- Relies more on visited net
3G Security – UMTS, Improvements to GSM
• Mutual Authentication with Replay Protection
• Protection of signalling data
  - Secure negotiation of protection algorithms
  - Integrity protection and origin authentication
  - Confidentiality
• Protection of user data payload
  - Confidentiality
• “Open” algorithms (block ciphers) as basis for security
  - AES for authentication and key agreement
  - Kasumi for confidentiality/integrity
• Security level (key sizes): 128 bits
• Protection further into the network
UMTS – Security: Integrity & Confidentiality
UIA & UEA algorithms (based on KASUMI)
Nodes (diagram): Node B – Radio Network Controller – MSC / SGSN
UMTS – Authentication and Key Agreement (AKA)
Looks a lot like GSM, but…
Home Network: AuC/HLR (Ki). Visited Network: MSC/VLR, RBS. Phone/SIM: Ki.
• MSC/VLR → AuC/HLR: Req(IMSI)
• AuC/HLR → MSC/VLR: RAND, XRES, CK, IK, AUTN
• MSC/VLR → RBS → phone: RAND, AUTN (AUTN allows a check of authenticity and “freshness”)
• Phone → MSC/VLR: RES; check RES = XRES ?
• IK: integrity protection key; CK: confidentiality key
UMTS AKA Algorithms
AUTN, XRES, IK and CK are all derived from RAND with a block cipher Ek = AES under the subscriber key.
UMTS Encryption: UEA/f8
• Input block COUNT || BEARER || DIR || 0…0 (64 bits) goes through Kasumi together with the constant m (the “masked” offset)
• Keystream blocks are then produced by Kasumi under CK (128 bits), chained with a counter c = 1, 2, …, B
• The “counter” avoids short cycles; the “masked” offset avoids known input/output pairs
• “Provably” secure under assumptions on Kasumi
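Added example (Go, not from the deck or from 3GPP) of the f8 keystream structure drawn above, with AES-128 standing in for Kasumi; the key modifier KM = 0x55.. (the slide's constant m) and BLKCNT = i-1 are taken from the f8 specification, the rest of the layout from the slide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
)
// encryptBlock is the block cipher. In this added example AES-128 stands in for
// KASUMI (128-bit block instead of 64; the f8 structure is independent of that).
func encryptBlock(key, in []byte) []byte {
	c, _ := aes.NewCipher(key) // key is 16 bytes in all calls below
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, in)
	return out
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// f8Keystream follows the slide: A = E_{CK xor KM}(COUNT || BEARER || DIR || 0...0),
// with KM = 0x55.. the constant "m"; then KS_i = E_CK(A xor BLKCNT xor KS_{i-1}),
// BLKCNT = i-1, KS_0 = 0. The counter keeps the chain out of short cycles, and
// masking A with KM means a keystream block is not a known in/out pair for CK itself.
func f8Keystream(ck []byte, count uint32, bearer, dir uint8, nBlocks int) []byte {
	km := bytes.Repeat([]byte{0x55}, len(ck))
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv, count)
	iv[4] = bearer<<3 | dir<<2 // 5-bit BEARER (< 32), 1-bit DIRECTION, then zeros
	a := encryptBlock(xorBytes(ck, km), iv)
	prev := make([]byte, aes.BlockSize) // KS_0 = 0
	blkcnt := make([]byte, aes.BlockSize)
	var ks []byte
	for i := 0; i < nBlocks; i++ {
		binary.BigEndian.PutUint64(blkcnt[aes.BlockSize-8:], uint64(i))
		prev = encryptBlock(ck, xorBytes(xorBytes(a, blkcnt), prev))
		ks = append(ks, prev...)
	}
	return ks
}

// f8Encrypt XORs the keystream onto msg; decryption is the same call.
func f8Encrypt(ck []byte, count uint32, bearer, dir uint8, msg []byte) []byte {
	ks := f8Keystream(ck, count, bearer, dir, (len(msg)+aes.BlockSize-1)/aes.BlockSize)
	return xorBytes(msg, ks[:len(msg)])
}
```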
Inside Kasumi (actually: MISTY)
Nested structure (diagram): Kasumi = 8 rounds of FO; FO = 3 rounds of FI; FI is built from the S9 (9-bit) and S7 (7-bit) S-boxes, with data widths of 32, 16, 9 and 7 bits and the round key k mixed in. Security bounds of the form s, s^2, s^4 and s^8 are indicated at the successive levels of the construction.
UMTS Integrity Protection: UIA/f9
• Input COUNT || FRESH || M1 || M2 || … || MB is chained block by block through Kasumi under IK (a variant of CBC-MAC), with a final Kasumi call involving the constant m’
• MAC = left 32 bits
• (Used only on signaling, not on user data)
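Added example (Go, not from the deck or from 3GPP) of the f9 construction above, again with AES-128 in place of Kasumi; the key modifier 0xAA.. (the slide's m’) and the DIRECTION || 1 || 0…0 padding follow the f9 specification, and COUNT and FRESH are supplied by the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
)
// encryptBlock: in this added example AES-128 stands in for KASUMI (128-bit block
// instead of 64); the chaining below does not depend on the block size.
func encryptBlock(key, in []byte) []byte {
	c, _ := aes.NewCipher(key) // key is 16 bytes in all calls below
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, in)
	return out
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// f9MAC computes the slide's 32-bit tag: PS = COUNT || FRESH || MESSAGE || DIR || 1 || 0..0
// is padded to whole blocks and chained through the cipher under IK as in CBC-MAC; unlike
// plain CBC-MAC every A_i is also XORed into B, and the tag is the left 32 bits of E_{IK xor KM}(B).
func f9MAC(ik []byte, count, fresh uint32, dir uint8, msg []byte) []byte {
	ps := make([]byte, 8, 8+len(msg)+aes.BlockSize)
	binary.BigEndian.PutUint32(ps[0:], count)
	binary.BigEndian.PutUint32(ps[4:], fresh)
	ps = append(ps, msg...)          // MESSAGE is assumed byte-aligned here
	ps = append(ps, dir<<7|0x40)     // DIRECTION bit, then the single '1' bit
	for len(ps)%aes.BlockSize != 0 { // then zeros up to a block boundary
		ps = append(ps, 0)
	}
	a := make([]byte, aes.BlockSize) // A_0 = 0
	b := make([]byte, aes.BlockSize) // B = 0
	for i := 0; i < len(ps); i += aes.BlockSize {
		a = encryptBlock(ik, xorBytes(a, ps[i:i+aes.BlockSize]))
		b = xorBytes(b, a)
	}
	km := bytes.Repeat([]byte{0xAA}, len(ik)) // f9 key modifier, the slide's m'
	return encryptBlock(xorBytes(ik, km), b)[:4]
}

// verifyF9 is the receiver's check; FRESH is a per-connection random value, so a recorded tag fails later.
func verifyF9(ik []byte, count, fresh uint32, dir uint8, msg, tag []byte) bool {
	return subtle.ConstantTimeCompare(tag, f9MAC(ik, count, fresh, dir, msg)) == 1
}
```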
Any Public Key Techniques?
• So far, only symmetric crypto has been mentioned, but public key is also used, typically for key exchange (RSA, Diffie-Hellman, elliptic curves…):
  - on “application level”, e.g. WAP
  - for inter-operator signaling traffic
• In general, too heavy for “bulk” use.
Summary
• Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story. Main reason: convenience and invisibility to the user
• Insecurity in one system can affect another when they interact
• “Fixing” bad crypto is easier said than done; practical cost is an issue
• “3G” crypto is significantly more open and well-studied → higher confidence
The End