420 likes | 841 Views
Cryptography in Mobile Networks. Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com March 6, 2009. Outline. Overview of GSM Cryptography Some “attacks” on GSM Lessons to be learnt Overview of “3G” UMTS Cryptography The new ”thing”: Cryptography in LTE.
E N D
Cryptography in Mobile Networks Mats Näslund Communication Security Lab Ericsson Research mats.naslund@ericsson.com March 6, 2009
Outline • Overview of GSM Cryptography • Some “attacks” on GSM • Lessons to be learnt • Overview of “3G” UMTS Cryptography • The new ”thing”: Cryptography in LTE
- Protection of buisness (robust charging of subscribers) - User privacy History • Mobile (wireless) communication has inherent threats • Eavesdropping • Impersonation • Connection hijacking • ... • Except early systems (e.g. NMT), use of cryptography has been deemed necessary • Early systems were not perfect and under restrictions...
GSM Security • Use of a smart card SIM – Subscriber Identity Module, tamper resistant device holding critical information, • e.g. 128-bit key shared with Home Operator • The SIM is the entity which is authenticated • Challenge response mechanism (one-sided) • At the time (ca 1990) crypto was considered “weapon” • Initial GSM algorithms (were) not publicly available • Limited key size • Special “export version” of encryption algorithms • GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys • In a “free” world, we will soon see 128 bits in GSM • Basic user identity protection (“pseudonyms”) GSM crypto is probably (one of) the mostfrequently used crypto in the world.
K Encryption: A5/1, A5/3 (64 bit) A5/2 (”export” version) A5/4 (128 bits, new) Authentication, shared key, A3 Algorithm K 128-bit key MSC: Mobile Switching Center BSC: Base Station ControllerRBS: Radio Base Station MS: Mobile Station HLR: Home Location RegisterAuC: Authentication Center SIM: Subcriber Identity Module GSM Architecture (”2G”) HLR/AuC To other (mobile) network(s) MSC BSC RBS MS SIM
Req(IMSI) RAND, Kc RAND RAND, XRES, Kc RES RES = XRES ? GSM Authentication: Overview Home Network K AuC/HLR MSC K RBS Visited Network
RAND (128) RES (32) Kc (64) frame# encrypted frame data/speech Bit-by-bit, stream cipher GSM Authentication: Details A3 and A8: Authentication and key derivation (proprietary) A5: encryption (A5/1-4, standardized) Note: one-sided authentication Phone Ki(128) SIM A3A8 A5/x
output 1 0 1 0 1 1 0 1 1 0 1 0 1 0 1 XOR:ed with plaintext Used by A5/1 and A5/2 Quick Note: LFSR (Linear feedback shift register) key = 0 1 1 0 1 0 1 State: ...0 1 • Very efficient, rich theory, unfortunately very insecure… • Add non-linear components • Combine several LFSRs • Irregular clocking
Idea behind the attack A5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknown 0/1 variables, of which 64 is the key If plaintext known, each 114-bit frame gives 114 equations Only difference between frames is that frame numberincreases by one. Lesson #1: Avoid using the same key for twodifferent things After 6 frames (in reality only 4) we have > 660 equations can solve! (Takes about 1sec on a PC) Even if “speech” plaintext unknown, GSM control channelscontains known info and uses same key as speech channel!
1 RAND 2 RAND 4 RES 3 RES Impact 1: Find key, eavesdrop (passive attack) Impact 2: Active attacks in any network(False base-station/man-in-the-middle attacks) Lesson #2: Signalling that controls the security should be authentciated/integrityprotected 5 Start encr: A5/1 6 Start encr: A5/2 8 Stop encr 9 Start encr: A5/1 Lesson #3: If you change encryptionalgorithm, change also the key 7 Attack key
Note • A5/2 is an ”export” version, not used in Sweden (or Europe) • Attack does not apply to A5/1, A5/3 • …well almost…. • Various countermeasures proposed but expensive toupgrade all equipment • Adding integrity, change of keys as proposed on previous slidefall into the ”not-for-free” category • Simple and quite good solution is to phase out A5/2 • - This is in progress (done?)
GSM Summary • GSM was desiged in the ”dark ages” of crypto • It addresses the threats that were considered at the time • It targeted a 10-year ”economic lifetime” • The best feature of GSM security is that securiy is built-in • as a user, you don’t need to do ”configuration” etc
Describedlater Only feature commonto GSM Lesson #2… 3G (UMTS) Security • Mutual Authentication with Replay Protection • Protection of signalling data • Secure negotiation of protection algorithms • Integrity protection and origin authentication • Encryption • Protection of user data payload • Encryption • “Open” algorithms basis for security • AES for authentication and key agreement • Kasumi (block cipher) for confidentiality/integrity • Security level (key sizes): 128 bits • Protection further into the network
K GPRS, ”2.5G” Encryption: UEA1 or UEA2 Authentication, shared keyMilenage (AES) algorithm ”secure env” Signalling integrity: UIA1 or UIA2 ”insecure env” UMTS SIM (USIM) GSN: GPRS Support Node SGSN: Serving GSN GGSN: Gateway GSNRNC: Radio Network Controller ME: Mobile Equipment UMTS Architecture (”3G”) HLR/AuC To other (mobile) network(s) ”Internet” MSC SGSN GGSN RNC NodeB K ME
UMTS Encryption Example: UEA1 COUNT || BEARER || DIR || 0…0 (64 bits) Kasumi m (const) c = 1 c = 2 c = B “Provably” secure underassumptions on Kasumi Kasumi Kasumi Kasumi Kasumi CK(128 bits) “keystream” XOR:ed with plaintext
Note • There are no known security problems with UMTS • HSPA (a.k.a. ”Mobile broadband”, ”Turbo 3G”,...) is from crypto/security point of view identical to 3G/UMTS • You can feel safe when using it!
Disclaimer on Notation • ”LTE” refers only to the radio part of the new standard • Also other parts of the mobile network is upgraded • Refered to as EPC, ”Evolved Packet Core” • Will for simplicty use ”LTE” to denote the entire architecture • If you do look at the standards document (3GPP TS 33.401) you will not see the same names for keys etc
First LTE release just finished after intense efforts • - Example: considering only Ericsson and only security, we had 240 contributions during 2008 Background: Standardization • Mobile standards (including security functions) are definedby 3GPP (part of ETSI) • Participation by mobile vendors and operators • The cryptography is defined by SAGE (also part of ETSI) • Special Algorithm Group of Experts • 2006: initiative for ”next generation”, LTE, started • Slogan: ”At least as secure as UMTS”
IP part, efficient, cheap, attaractive services: keep and optimize! split Oldfashioned ”telephony”: get rid of it! Powerful but complex,adds delay/latency ? But what do we dowith encryption? New ”radio”, 100Mb/s (OFDM) High security: keep SIM concept LTE ThinkingStarting from a UMTS network... HLR/AuC After 1 years of discussion instandardization it was decided to terminate (most) security in NodeB. ”Internet” MSC SGSN GGSN RNC ”secure env” ”insecure env” NodeB ME
K ”split” into control and user plane Re-encryption of user traffic(IPsec) Authentication, similar to UMTS Encryption/integrity, for network control signalling Encryption/integrity, for radio control signalling 5 different keys used... Encryption for user traffic Same USIM as in UMTSbut K may be up to 256 bits HSS: Home Subscriber System MME: Mobility Management Entity eNodeB: Evolved NodeB encryption intgegrity LTE- A simplified network - HSS Internet & IP services “Gateway” MME eNodeB K ME
F(Key, ”1”) F(Key, ”2”) Key Key1 Key2 Recap of Lesson #1 and #3 Suppose we have a function, F, from a set of pseudo random functions (outputs ”look” random): ”Don’t use the same key for two different things” • Applications: • Key1 for algorithm1, Key2 for algorithm2 • Key1 for encryption, Key2 for integrity • Key1 for user data, Key2 for control sign. • ...etc... * Key1 can not be reverse-engineered from Key2 (or v.v.) * Key can not be reverse-engineered from Key1 and/or Key2
Fasten Seatbelts... • Notation: • black color for unprotected info • red color for encrypted into • yellow color for integrity protected info • blue color for encrypted and integrity protected • Next slides does not show which-key-is-used-for-what • F denotes a PRF based on HMAC_SHA256 • AES1, AES2, AES3 denotes 3 PRFs based on AES
- Does AUTN come from HSS? - Have I seen it before? ATTACH REQUEST(IMSI, SUPPORTED_ALGS) AUTH VECT FETCH (IMSI) 1. Check (AES1(K, RAND), SQN, AUTN)) RAND, XRES, AUTN, KA RAND, AUTN 2. RES = AES2(K, RAND) 3. (Ck, Ik) = AES3(K, RAND) RAND = RANDOM()SQN = SQN + 1 AUTN = AES1(K, RAND, SQN) RES = AES2(K, AND) (Ck, Ik) = AES3(K, RAND)KA = F(Ck, Ik, ...) Check: RES == XRES ?? RES, Ck, Ik RES ”OK”, SELECTED_ALG, SUPPORTED_ALGS Derive KA, Ke .... MME eNB HSS - Verify ”OK”- Switch ”on” security [”OK”] KA F Ke Ke KN-enc KN-int Protected traffic Protected signaling Ke F KeUP-enc KeRRC-int KeRRC-enc LTE: Initial Attach K K
”Downward” derivation by one-way function, infeasible to get ”high” key from a ”low” key KeRRC-enc KeRRC-int CK Ke KA IK K KN-int KN-enc KeUP-enc LTE: Key Hirearchy USIM/HSS ME/HSS ME/MME ME/eNB ME/MME PRF: infeasible to to get another key on ”same level”
Example Ck, Ik HSS KA = F(Ck, Ik, ....) KA MME Ke = F(KA, ....) Ke eNodeB
Handover Ke2 Ke2 ”Handoverto eNodeB2” Ke2 LTE Key Handling at Handover (1/3) ”Backard Security” Gateway MME KA Ke2 = F(Ke1,...) eNodeB1 Ke1 eNodeB2 KA, Ke1, ...
Handover Ke2 Ke2 Ke2 = F(Ke1,...) Ke2 LTE Key Handling at Handover (2/3) Gateway MME KA eNodeB1 Ke1 eNodeB2 KA, Ke1, ...
Handover Ke2* Ke2* keys etc Ke2* LTE Key Handling at Handover (3/3) ”Forward Security” Ke2* = F(KA,...) Gateway MME KA eNodeB1 Ke1 eNodeB2 Ke2 Ke2 = F(Ke1,...) Ke2 KA, Ke1, ...
Inter-System Handover/Mobility • 3GPP systems support optimized handover between systems,e.g. GSM UMTS during an ongoing call • Waiting for (re)authentication too expensive • The ongoing call would be halted • Solution: key transfer and implict authentication...
May need transatalanticcommunication... KUMTS = c(KGSM) KGSM Also, c is a weakXOR-function KUMTS The fact that user wasable to produce the correct KUMTS ”proves”that it is the same user KUMTS = c(KGSM) Implicit Authetication ... moves to UMTS User already authenticated in GSM HLR/AuC KGSM MSC SGSN BSC RNC or...? KGSM NodeB RBS KGSM
KLTE LTE Inter-system Key HandlingExample: UMTS LTE UMTS LTE KUMTS KLTE = F1(KUMTS) KUMTS = F2(KLTE) SGSN MME RNC NodeB eNodeB F1, F2 based on HMAC_SHA256
Dedicated Crypto HW Quite high ”crypto load”, say ~ 102 base stations Gateway May serve 3-6”cells” / ”phones” Note on ”Crypto capacity” 600Mb/s 100Mb/s NodeB 100Mb/s
LTE Crypto Algorithms... • Key derivation (128 or 256 bits) functions using • AES on the USIM card • HMAC_SHA256 in ”the phone” • Integrity protection • AES-CMAC • Function based on polynomials over finite fields • Can be ”proven” to be secure • Encryption • AES-CounterMode • SNOW 3G
SNOW 3G Basic design by T. Johansson & P. Ekdahl (U. Lund) Improvements by ETSI SAGE
The End Summary • Despite some attacks on GSM security, the security is so far pretty much a success story Main reason: convenience and invisibility to user • UMTS crypto significantly improved, use with confidence Main reason: free world, longer keys, “open” standard • LTE much more complex, needed to meet “at least as secure as 3G” Main reason: security “ends” at the base station