810 likes | 989 Views
Mobile Networks – Module H1. The security of existing wireless networks (Ch. 1 of the SeCoWiNet book). Cellular networks: GSM; UMTS; LTE; WiFi LANs; Bluetooth;. Why is security more of a concern in wireless?. no inherent physical protection
E N D
Mobile Networks – Module H1 The security of existing wireless networks(Ch. 1 of the SeCoWiNet book) Cellular networks: GSM; UMTS; LTE; WiFi LANs; Bluetooth;
Why is security more of a concern in wireless? • no inherent physical protection • physical connections between devices are replaced by logical associations • sending and receiving messages do not need physical access to the network infrastructure (cables, hubs, routers, etc.) • broadcast communications • wireless usually means radio, which has a broadcast nature • transmissions can be overheard by anyone in range • anyone can generate transmissions, • which will be received by other devices in range • which will interfere with other nearby transmissions and may prevent their correct reception (jamming) • eavesdropping is easy • injecting bogus messages into the network is easy • replaying previously recorded messages is easy • illegitimate access to the network and its services is easy • denial of service is easily achieved by jamming
Wireless communication security requirements • confidentiality • messages sent over wireless links must be encrypted • authenticity • origin of messages received over wireless links must be verified • replay detection • freshness of messages received over wireless links must be checked • integrity • modifying messages on-the-fly (during radio transmission) is not so easy, but possible … • integrity of messages received over wireless links must be verified • access control • access to the network services should be provided only to legitimate entities • access control should be permanent • it is not enough to check the legitimacy of an entity only when it joins the network and its logical associations are established, because logical associations can be hijacked • protection against jamming
Chapter outline 1.3.1 Cellular networks 1.3.2 WiFi LANs 1.3.3 Bluetooth
GSM architecture 1.3.1 Cellular networks GSM security
GSM Security • main security requirement • subscriber authentication (for the sake of billing) • challenge-response protocol • long-term secret key shared between the subscriber and the home network operator • supports roaming without revealing long-term key to the visited networks • other security services provided by GSM • confidentiality of communications and signaling over the wireless interface • encryption key shared between the subscriber and the visited network is established with the help of the home network as part of the subscriber authentication protocol • protection of the subscriber’s identity from eavesdroppers on the wireless interface • usage of short-term temporary identifiers 1.3.1 Cellular networks GSM security
The SIM card (Subscriber Identity Module) • Must be tamper-resistant • Protected by a PIN code (checked locally by the SIM) • Is removable from the terminal • Contains all data specific to the end user which have to reside in the Mobile Station: • IMSI: International Mobile Subscriber Identity (permanent user’s identity) • PIN • TMSI (Temporary Mobile Subscriber Identity) • Ki :User’s secret key • Kc : Ciphering key • List of the last call attempts • List of preferred operators • Supplementary service data (abbreviated dialing, last short messages received,...) 1.3.1 Cellular networks GSM security
Cryptographic algorithms of GSM Random number User’s secret key Ki R A8 A3 R S Kc Triplet Authentication Ciphering algorithm A5 Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm) 1.3.1 Cellular networks GSM security
Ki Ki R R A8 A3 A8 A3 S S’ Kc Kc Authentication principle of GSM Mobile Station Visited network Home network IMSI/TMSI IMSI (or TMSI) IMSI Triplets (Kc, R, S) Triplets Authenticate (R) Auth-ack(S’) S=S’? 1.3.1 Cellular networks GSM security
Ciphering in GSM FRAME NUMBER Kc FRAME NUMBER Kc A5 A5 CIPHERING SEQUENCE CIPHERING SEQUENCE CIPHERTEXT SEQUENCE PLAINTEXT SEQUENCE PLAINTEXT SEQUENCE Sender (Mobile Station or Network) Receiver (Network or Mobile Station) 1.3.1 Cellular networks GSM security
Problems with GSM security • Only provides access security – communications and signaling traffic in the fixed network are not protected. • Does not address active attacks, whereby some network elements (e.g. BTS: Base Station) • Only as secure as the fixed networks to which they connect • Lawful interception only considered as an after-thought • Terminal identity cannot be trusted • Difficult to upgrade the cryptographic mechanisms • Lack of user visibility (e.g. doesn’t know if encrypted or not) • Cryptographic problems • A3/A5/A8 algorithms 1.3.1 Cellular networks GSM security
Attacks on GSM • Eavesdropping. The required equipment is a modified MS. • Impersonation of a user. The required equipment is a modified MS. • Impersonation of the network. The required equipment is modified BTS. • IMSI catcher • Man-in-the-middle. The required equipment is modified BTS in conjunction with a modified MS. • Compromising authentication vectors in the network. 1.3.1 Cellular networks GSM security
Conclusion on GSM security • Focused on the protection of the air interface • No protection on the wired part of the network (neither for privacy nor for confidentiality) • The visited network has access to all data (except the secret key of the end user) • Generally robust, but a few successful attacks have been reported: • faked base stations • cloning of the SIM card 1.3.1 Cellular networks GSM security
3GPP Security Principles • Reuse of 2ndgenerationsecurityprinciples (GSM): • Removable hardware security module • In GSM: SIM card • In 3GPP: USIM (User Services Identity Module) • Radio interface encryption • Limited trust in the Visited Network • Protection of the identity of the end user (especially on the radio interface) • Correction of the following weaknesses of the previous generation: • Possible attacks from a faked base station • Cipher keys and authentication data transmitted in clear between and within networks • Encryption not used in some networks open to fraud • Data integrity not provided • … 1.3.1 Cellular networks UMTS security
UMTS vs. GSM security • A change was made to defeat the false base station attack. The security mechanismensures that the mobile can identify the network. • Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity. • Mechanisms were included to support security within and between networks. • The presence of a sequence number in the challenge allows the USIM to verify the freshness of the cipher key to help guard against forced re-use of a compromised authentication vector. • A mandatory cipher mode command with message authentication and replay inhibition allows the mobile to verify that encryption has not been suppressed by an attacker. 1.3.1 Cellular networks UMTS security
Authentication in 3GPP Mobile Station Visited Network Home Environment RAND(i) Sequence number (SQN) Generation of cryptographic material K: User’ssecret key IMSI/TMSI Authentication vectors User authentication request K Verify AUTN(i) Compute RES(i) User authentication response RES(i) Compare RES(i)and XRES(i) K Compute CK(i)and IK(i) Select CK(i)and IK(i) 1.3.1 Cellular networks UMTS security
Generation of the authentication vectors Generate SQN Generate RAND AMF K f1 f2 f3 f4 f5 MAC (Message Authentication Code) XRES (Expected Result) CK (Cipher Key) IK (Integrity Key) AK (Anonymity Key) AMF: Authentication and Key Management Field AUTN: Authentication Token AV: Authentication Vector 1.3.1 Cellular networks UMTS security
User Authentication Function in the USIM AUTN RAND AMF MAC f5 AK SQN K f1 f2 f3 f4 XMAC (Expected MAC) RES (Result) CK (Cipher Key) IK (Integrity Key) • Verify MAC = XMAC • Verify that SQN is in the correct range USIM: User Services Identity Module 1.3.1 Cellular networks UMTS security
More about the authentication and key generation • In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). • f1, f1*, f2, f3, f4, f5 and f5* are operator-specific • However, 3GPP provides a detailed example of algorithm set, called MILENAGE • MILENAGE is based on the Rijndael block cipher • In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm 1.3.1 Cellular networks UMTS security
Authentication and key generation functions f1…f5* RAND OPc OP EK SQN||AMF OPc EK OPc OPc OPc OPc OPc rotate by r1 rotate by r2 rotate by r3 rotate by r4 rotate by r5 c1 c2 c3 c4 c5 EK EK EK EK EK OPc OPc OPc OPc OPc f1 f1* f5 f2 f3 f4 f5* OP: operator-specific parameter r1,…, r5: fixed rotation constants c1,…, c5: fixed addition constants EK : Rijndael block cipher with 128 bits text input and 128 bits key 1.3.1 Cellular networks UMTS security
Signalling integrity protection method SIGNALLING MESSAGE SIGNALLING MESSAGE FRESH FRESH COUNT-I DIRECTION COUNT-I DIRECTION IK f9 IK f9 XMAC-I MAC-I Receiver (Radio Network Controller or Mobile Station) Sender (Mobile Station or Radio Network Controller) FRESH: random input 1.3.1 Cellular networks UMTS security
Ciphering method LENGTH LENGTH BEARER BEARER COUNT-C COUNT-C DIRECTION DIRECTION CK f8 CK f8 KEYSTREAM BLOCK KEYSTREAM BLOCK PLAINTEXT BLOCK PLAINTEXT BLOCK CIPHERTEXT BLOCK Sender (Mobile Station or Radio Network Controller) Receiver (Radio Network Controller or Mobile Station) BEARER: radio bearer identifier COUNT-C: ciphering sequence counter 1.3.1 Cellular networks UMTS security
The keystream generator f8 COUNT || BEARER || DIRECTION || 0…0 KM: Key Modifier KS: Keystream KASUMI CK KM Register BLKCNT=0 BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1 KASUMI KASUMI KASUMI KASUMI KASUMI KASUMI KASUMI KASUMI CK CK CK CK KS[0]…KS[63] KS[64]…KS[127] KS[128]…KS[191] 1.3.1 Cellular networks UMTS security
KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes Details of Kasumi L0 32 R0 32 64 32 16 16 16 9 7 KOi,1 KL1 KO1 , KI1 FIi1 S9 FL1 FO1 KIi,1 Zero-extend KO2 , KI2 KL2 FO2 FL2 S7 truncate KOi,2 FIi2 KIi,j,2 KO3 , KI3 KL3 KIi,2 KIi,j,1 FL3 FO3 KO4, KI4 KL4 S9 FO4 FL4 KOi,3 FIi3 Zero-extend KIi,3 KO5 , KI5 KL5 FL5 FO5 S7 truncate KO6 , KI6 KL6 FO6 FL6 Fig. 2 : FO Function Fig. 3 : FI Function KO7 , KI7 KL7 FL7 FO7 32 16 16 KLi,1 KO8 , KI8 KL8 <<< FO8 FL8 Bitwise AND operation KLi,2 <<< Bitwise OR operation L8 C Fig. 1 : KASUMI R8 <<< One bit left rotation Fig. 4 : FL Function 1.3.1 Cellular networks UMTS security
Conclusion on 3GPP security • Some improvement with respect to 2nd generation • Cryptographic algorithms are published • Integrity of the signalling messages is protected • Quite conservative solution • Privacy/anonymity of the user not completely protected 1.3.1 Cellular networks UMTS security
LTE • Evolution of UMTS • Provides seamless Internet Protocol (IP) connectivity between user equipment (UE) and the packet data network (PDN) • No disruption to the end users’ applications during mobility • System: Evolved packet system (EPS) • Evolved packet core (EPC) network • Responsible for the overall control of the establishment of the bearers (set of network parameter that defines data specific treatment) and the UE • Radio access network (E-UTRAN) • Responsible for all radio-related functions Cellular networks LTE security
LTE Architecture Cellular networks LTE security
Logical nodes in the EPC (I) • Policy Control and Charging Rules Function (PCRF) responsible for • Policy control and decision-making, • Control of the flow-based charging functionalities, • QoS authorization provision • Home Subscriber Server (HSS) holds • Users subscription data, • Information about the PDNs, • Dynamic information the identity of the MME • PDN Gateway (P-GW) is responsible for • IP address allocation for the UE, • Filtering of downlink user IP packets into the different QoS-based bearers, • QoS enforcement for guaranteed bit rate bearers Cellular networks LTE security
Logical nodes in the EPC (II) • Serving Gateway (S-GW) serves as • Local mobility anchor for the data bearers when the UE moves between eNodeBs • Buffer of downlink data while the MME paging • Administrative functions • Mobility Management Entity (MME) is the control node that processes the signaling between the UE and the CN • Non Access Stratum (NAS) protocols running between the UE and the CN • Functions related to bearer management • Functions related to connection management Cellular networks LTE security
LTE security - Overview • Re-use of UMTS Authentication and Key Agreement (AKA) • Use of USIM required (GSM SIM excluded) • Extended key hierarchy • Possibility for longer keys • Greater protection for backhaul • Integrated interworking security for legacy and non-3GPP networks • Current keylength 128 bits • Possibility to extend to 256 in the future (longer keys) Cellular networks LTE security
LTE key hierarchy AuC: Authentication center CK: Encryption key IK: integrity protection key NAS: Non-access stratum, maintaining connectivity and active sessions with user equipment as the user moves RRC: Radio resource control ASME: Access Security Management Entity Cellular networks LTE security
LTE Security Architecture • Network access security • Provides the UEs with secure access to the EPC and protect against various attacks on the radio link • Network domain security • Protects against attacks on the wire line network and enable nodes to exchange signaling data and user data in a secure manner • User domain security • Provides a mutual authentication between the USIM and the MME • Application domain security • Enables applications in the UE and in the provider domain to securely exchange messages. • Non 3GPP domain security • Enables the UEs to securely access to the EPC via non-3GPP access networks and provides security protection on the radio access link Cellular networks LTE security
LTE - Network Access Security (I) • LTE cellular security • Mutual authentication between an UE and the EPC using Authentication and Key Agreement (AKA) • Serving network identity (SN ID) has been added to the EPS AKA procedure to avoid attacks such as redirection attacks and false base station attacks • Generates a ciphering key (CK) and an integrity key (IK) to derive different session keys for the encryption and the integrity protection • A new key hierarchy is introduced to protect the security of the signaling and user data traffic • When an UE connects to the EPC over the E-UTRAN, the MME asks the EPC to perform a mutual authentication with the UE by the EAP AKA • For non-3GPP access, several different AKA procedures are implemented • EAP-AKA for trusted non-3GPP access network • IPsec tunnel establishment between UE and packet data gateway and Internet Key Exchange Protocol for untrusted non-3GPP access network Cellular networks LTE security
LTE – Encryption and Integrity Protection in the Control Plane • LTE supports two levels on security on the control plane • The NAS traffic between the MME and the UE is protected with NAS level keys • The RRC connection traffic between the MME and the UE is protected with RRC level keys Cellular networks LTE security
LTE – Encryption and Integrity Protection in the User Plane • User plane data is encrypted with the KUPenc key Cellular networks LTE security
LTE - Network Access Security (II) • LTE handover security • The current eNB and the target eNB are managed by the same MME • In handovers, a new session key used between the UE and the target eNB, derived from the active session key • Mobility between the E-UTRAN and UTRAN/GERAN (2G/3G) • Handover from the E-UTRAN to the UTRAN or the GERAN • The target Service GPRS Supporting Node (SGSN) and the UE replace all stored parameters with the ones received from MME to generate the session key. • Handover from the UTRAN/GERAN to the E-UTRAN • UE and MME derive the same key via the target Service GPRS Supporting Node (SGSN) • Mobility between E-UTRAN and non-3GPP access networks • Handovers from trusted or untrusted non-3GPP access networks to the E-UTRAN • Handovers from the E-UTRAN to trusted or untrusted non-3GPP access networks • The UE, the target access network and the EPC implements a full access authentication procedure before the UE handovers to the new access network Cellular networks LTE security
LTE Vulnerabilities (I) • The flat IP-based architecture of the LTE networks results in more security risks (virus, worm, DoS attacks, etc.) • New risks exist due to several different mobility scenarios when an UE moves away from an eNB/HeNB to a new HeNB/eNB • The EPS-AKA scheme lacks a privacy protection (disclosure of IMSI at some instances, subject to MitM attack, etc.) • Several new AKA schemes proposed • DoS attacks cannot be prevented (MME forwards the UE’s requests to the HSS/AuC even before the UE is authenticated by the MME) Cellular networks LTE security
LTE Vulnerabilities (II) • Security flaws in handover process • Since the key chaining architecture is used, the current eNB may derive new keys for multiple target eNBs by chaining the current key with the eNB specific parameters • Once an attacker compromises the current eNB, the subsequent session keys will be obtained • Energy consumption of an UE and system complexity increased • Two AKA protocols Cellular networks LTE security
References • 3GPP LTE Security Aspects • 3GPP Initiative • http://www.3gpp.org/ftp/information/presentations/presentations_2011/2011_05_Bangalore/DZBangalore290511.pdf • GSM Security • Helsinki University of Technology • http://www.netlab.tkk.fi/opetus/s38153/k2003/Lectures/g42GSM_security.pdf • On the Security of 3GPP Networks • University of London • http://www.esat.kuleuven.be/cosic/eurocrypt2000/mike_walker.pdf • Security Investigation in 4G LTE Wireless Networks • Nanyang Technological University, Singapore • http://www.ieee-globecom.org/2012/private/T10F.pdf • GSM and 3G Security • Emmanuel Gadaix (Black Hat Conference Singapore) • LTE Security • EventHelix.com • http://www.eventhelix.com/lte/security/LTE-Security-Presentation.pdf Cellular networks LTE security
Chapter outline 1.3.1 Cellular networks 1.3.2 WiFi LANs 1.3.3 Bluetooth
STA association request association response • beacon • MAC header • timestamp • beacon interval • capability info • SSID (network name) • supported data rates • radio parameters • power slave flags Reminder on WiFi scanning on each channel “connected” AP 1.3.2 WiFi LANs
Reminder on WiFi Internet AP 1.3.2 WiFi LANs
WEP – Wired Equivalent Privacy • part of the IEEE 802.11 specification • goal • make a WiFi network at least as secure as a wired LAN (that has no particular protection mechanisms) • WEP was never intended to achieve strong security • services • access control to the network • message confidentiality • message integrity 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP – Access control • before association, the STA needs to authenticate itself to the AP • authentication is based on a simple challenge-response protocol: STA AP: authenticate request AP STA: authenticate challenge (r) // r is 128 bits long STA AP: authenticate response (eK(r)) AP STA: authenticate success/failure • once authenticated, the STA can send an association request, and the AP will respond with an association response • if authentication fails, no association is possible 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP – Message confidentiality and integrity • WEP encryption is based on RC4 (a stream cipher developed in 1987 by Ron Rivest for RSA Data Security, Inc.) • operation: • for each message to be sent: • RC4 is initialized with the shared secret (between STA and AP) • RC4 produces a pseudo-random byte sequence (key stream) • this pseudo-random byte sequence is XORed to the message • reception is analogous • it is essential that each message is encrypted with a different key stream • the RC4 generator is initialized with the shared secret and an IV (initial value) together • shared secret is the same for each message • 24-bit IV changes for every message • WEP integrity protection is based on an encrypted CRC value • operation: • ICV (integrity check value) is computed and appended to the message • the message and the ICV are encrypted together 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP – Message confidentiality and integrity message+ ICV K RC4 IV secret key encode IV message+ ICV decode K RC4 IV secret key K: pseudo-random sequence message+ ICV 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP – Keys • two kinds of keys are allowed by the standard • default key (also called shared key, group key, multicast key, broadcast key, key) • key mapping keys (also called individual key, per-station key, unique key) • in practice, often only default keys are supported • the default key is manually installed in every STA and the AP • each STA uses the same shared secret key in principle, STAs can decrypt each other’s messages id:X | key:abc id:X | key:def default key key mapping key id:Y | key:abc id:Y | key:ghi id:Z | key:abc id:Z | key:jkl id:X | key:def id:Y | key:ghi id:Z | key:jkl key:abc 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP – Management of default keys • the default key is a group key, and group keys need to be changed when a member leaves the group • e.g., when someone leaves the company and shouldn’t have access to the network anymore • it is practically impossible to change the default key in every device simultaneously • hence, WEP supports multiple default keys to help the smooth change of keys • one of the keys is called the active key • the active key is used to encrypt messages • any key can be used to decrypt messages • the message header contains a key ID that allows the receiver to find out which key should be used to decrypt the message 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
Œ abc* --- abc* --- abc* def abc def* abc* --- Ž --- def* abc def* --- def* --- def* WEP – The key change process time * active key 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)
WEP flaws – Authentication and access control • authentication is one-way only • AP is not authenticated to STA • STA is at risk to associate to a rogue AP • the same shared secret key is used for authentication and encryption • weaknesses in any of the two protocols can be used to break the key • no session key is established during authentication • access control is not continuous • once a STA has authenticated and associated to the AP, an attacker send messages using the MAC address of STA • correctly encrypted messages cannot be produced by the attacker, but replay of STA messages is still possible • STA can be impersonated • … next slide 1.3.2 WiFi LANs Wired Equivalent Privacy (WEP)