210 likes | 349 Views
Rogue Mobile Shell Problem Verizon Wireless October 26, 2000 Christopher Carroll. Agenda. Rogue Shell Issues 3GPP AKA 3GPP2 Authentication Rogue Shell Problem Lucent Solution Existing 3GPP Solution Recommendation. Rogue Shell Issues.
E N D
Rogue Mobile Shell ProblemVerizon WirelessOctober 26, 2000Christopher Carroll
Agenda • Rogue Shell Issues • 3GPP AKA • 3GPP2 Authentication • Rogue Shell Problem • Lucent Solution • Existing 3GPP Solution • Recommendation
Rogue Shell Issues • Is the Rogue Shell Problem a potential vulnerability? Yes. • Is the Lucent solution acceptable? No. • Does 3GPP AKA provide an adequate solution? Yes.
3GPP2 Cryptographic Key Hierarchy Root Secret key K 128-bits Authentication Vector (AV) IK CK Per-AV 128-bits 128-bits Per-AV Session MAC Key Data Privacy Key Voice Privacy key 128-bits Per-Session/Call 128-bits Per-Session 128-bits Per-call
AKA and Authentication • 3GPP AKA used to create IK and CK Security Association (SA) • Each AV creates unique IK and CK (SA) • SA duration can vary (can vary from 1 call to several weeks) – depending on Carrier • IK (IK Session Key) used for Service Request authentication • Message Authentication Code (MAC) or Challenge response can authenticate Mobile/Message
3GPP AKA (HE-to-SN) AV = (IK, CK, RAND, XRES, AUTN) AUTN = (SQNAK, AMF, MAC) HE IK, CK AUTH Success Report Home Network K Root Key Serving Network (SN) SN sends RAND and AUTN to UE SN compares XRES with SRES calculated in USIM
3GPP AKA (SN-to-USIM) 64-bit Challenge (RAND) 48-bit (SQNAK) 64-bit Challenge (RAND) 48-bit (SQNAK) AV (IK, CK, RAND, XRES, AUTN) AUTN (SQN, AK, AMF, MAC) USIM K Root Key 32-bit Response (SRES) 32-bit Response (SRES) Smart Card USIM derives IK, CK, and AK using K and RAND with SHA-1 algorithm Checks SQN, MAC Generates SRES User Equipment (UE) Serving Network (SN)
3GPP AKA (IK and CK transfer from USIM to UE) UE uses IK and CK To calculate session IK, MACs, and Session CKs (Voice/Data Session Privacy Keys) 128-bit IK 128-bit CK USIM K Root Key Limited Bandwidth Too Slow to Calculate Real-time MACS or Encryption pads Smart Card User Equipment (UE)
3GPP2 (ANSI-41) Authentication ANSI-41 Global Challenge (RAND) Or Order MACed using IK (or IK Session Key) IK, CK, Session IK, Session CK Session CK used for Encryption IK (or Session IK) used to Check Authentication response Response (AUTHR) Or Service Request MACed using IK (or IK Session Key) Serving Network (SN) User Equipment (UE)
AKA vs. Authentication • 3GPP AKA and Mobile Authentication are different processes! • AKA establishes the SA • Mobile Authentication performed using IK or session Authentication key derived from IK.
Rogue Mobile Shell Problem • UIM (Smart Card) serial interface too slow to pass Encryption in real time or MACs efficiently for authentication. • UIM must pass IK and CK to the Mobile Shell (UE) to enable real time security. • Mobile Shell must be trusted to erase IK and CK after UIM transfer. • Rogue Mobile can retain IK and CK and obtain service until new SA created (using new AV).
Rogue Mobile Shell ANSI-41 Global Challenge (RAND) Or Order MACed using IK (or IK Session Key) IK (or Session IK) used to Check Authentication Response (or MAC) IK, CK, Session IK, Session CK No USIM present Response (AUTHR) Or Service Request MACed using IK (or IK Session Key) Serving Network (SN) User Equipment (UE) Rogue Mobile Shell
Rogue Mobile Shell Scenario • Fraudsters setup Rogue Mobile terminal at Airport terminal. • Subscriber uses USIM at terminal to check e-mail or surf web. • Rogue Mobile retains IK and CK after user removes USIM. • Rogue Mobile uses or transfers IK and CK to create Call-Cell operation. • Service available until legitimate subscriber registers in new system or AV update.
Rogue Mobile Shell Characteristics • Fraudsters must entice subscribers to use the Rogue Mobile Shell • Rogue Shell and/or Fraudsters are exposed to identification • Rogue Shell attack is localized (Airport, Taxi, Hotel, etc…) • Rogue Shell is physically traceable. • Rogue Shell attack is limited in scope (location, type of users, enticement technique, duration) • Verizon Wireless can authorize “trusted” terminals (shells) for subscribers • UIM transfer performed infrequently.
Lucent Solution • Lucent solution creates a new secret (key) between the SN and UIM • UIM Authentication Key (UAK) • UAK not known by Rogue Mobile (UE) • UAK allows for Global or unique challenge of USIM. • UAK challenge-response will defeat Rogue Mobile Shell
UAK Authentication Global Challenge (or Unique) Global Challenge USIM UAK UAK SN Checks AUTHL Response (AUTHL) Response (AUTHL) Smart Card UIM derives LAK from 48-bit AK (or using F function) USIM calculate AUTHL using LAK and challenge Serving Network (SN) Rogue Mobile Shell Doesn’t know UAK
UAK Generation Options • UAK is 128-bit secret key. • (Option 1) UAK generated Locally. • (Option 2) UAK created by Home System and transmitted to SN in AV – more secure.
UAK Solution Disadvantages • 3GPP/3GPP2 USIM Interoperability significantly impaired • 3GPP USIM must store LAK • New function (F11) added to 3GPP USIM • 3GPP AuC must provide UAK for user roaming in ANSI-41 network (if UAK not derived from AK) • UAK (created at HE) requires expansion of AV • UAK derived from AK is very weak • Only 48-bits • Sequence number (SQN) may be known to attacker
3GPP AKA Rogue Shell Solution • Perform 3GPP AKA for each Mobile service request, i.e. use a new AV for each mobile call • New IK and CK generated per call • Old IK and CK useless to Rogue Mobile Shell • 3GPP addressing Rogue Mobile problem by using AV-per-service-request for roaming mobiles • In cdma2000, AV-per-service-request only necessary until Rogue Mobile threat eliminated
3GPP AKA Rogue Shell Solution 64-bit Challenge (RAND) 48-bit (SQNAK) 64-bit Challenge (RAND) 48-bit (SQNAK) AV (IK, CK, RAND, XRES, AUTN) AUTN (SQN, AK, AMF, MAC) USIM K Root Key 32-bit Response (SRES) 32-bit Response (SRES) Smart Card USIM derives IK, CK, and AK using K and RAND with SHA-1 algorithm Checks SQN, MAC Generates SRES Rogue Mobile Shell Can’t use former IK,CK Or current IK, CK later Serving Network (SN)