Cellular & Wireless Networks, Technical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Lecture-9: Mobile Security Fundamentals-III
3rd Generation Security and Public Key Systems
Fundamentals of Cellular and Wireless Networks
Lecture ID: ET-IDA-113/114
20.07.2012, v11
Prof. W. Adi

Security 3rd Gen Pub Key V11


DESCRIPTION

Public Key Cryptography in 3G


New Trends in Mobile Security

Lessons learned in security design:

Successful attacks on the secret GSM ciphers A5 and COMP128 (1999-2003) led to standardizing publicly known and reviewed ciphers in the 3rd generation mobile systems

AES is a new International Ciphering Standard

AES: Advanced Encryption Standard

Proposed for 3G Mobile Authentication Functions

International standard competition managed by NIST (US National Institute of Science and Technology), 1998-2001

AES Winner Algorithm: The Rijndael Block Cipher, Decision Oct. 2000

AES Round-3 Finalist Algorithms (finalized in 2001)

– MARS: IBM (USA)
– RC6: R. Rivest (MIT), creator of the widely used RC4 (USA)
– Twofish: Counterpane Internet Security, Inc. (USA)
– Serpent: Ross Anderson, Eli Biham and Lars Knudsen (USA)
– Rijndael: Designed by J. Daemen and V. Rijmen (Belgium)

Joan Daemen (of Proton World International)

Vincent Rijmen (of Katholieke Universiteit Leuven).

Rijndael: Basic concept

Key size 128 to 256 bits

[Figure: the Key passes through Key Expansion to give the Round Keys K1, K2, ..., K9, K10. The input X passes through 10 Encryption Rounds R1, R2, ..., R9, R10, each taking its round key, to give the output Y.]

Basic Encryption Round Functions (Rijndael AES)

[Figure: one encryption round. The Clear Text (16 bytes) a1, a2, a3, ..., a16 enters 16 Byte sub boxes, each computing $b = [M]\,a^{-1} + C$ (the only non-linear mapping!) and giving b1, b2, b3, ..., b16. A Transposition on 4 x 32 bits and four Mix column boxes on 4 x 32 bits follow (linear mapping $B = [C]\,A$). The Round-Key Ki (128 bits) is added (+) to B to give the Cipher Text (16 bytes).]

Security of AES/Rijndael

- Published to the scientific community 1998
- Is still not broken !!
- No proof that Rijndael can not be broken !!

Important Lessons in Security Design

2nd Generation security lessons

Experts learned over the years that the only way to assure security is:

• follow an open design process
• encourage public scientific review

Nobody is better than the rest of the research community.

New 3G Security Features 1/2

• Network Authentication: The user can provably identify the network
• Network Security: Mechanisms to support security within and between networks
• Switch Based Security: More switch based secrecy rather than only to base station
• IMEI Integrity: Integrity mechanisms for IMEI provided from login
• Secure Services: Protect against misuse of services provided by Service Network and Home Environment

New 3G Security Features 2/2

• Secure Applications: Provide security for applications resident on USIM
• Fraud Detection: Mechanisms for combating fraud in roaming situations
• Flexibility: Security features can be extended and enhanced as required by new threats and services
• Visibility and Configurability: Users are notified whether security is on and what level of security is available. Users can configure security features for individual services
• Lawful Interception: Mechanisms to provide authorized agencies with certain information about subscribers

In the following slides, the main 3G security functions are summarized.

3G User Confidentiality

• User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping. Achieved by use of temporary identity (TMSI) which is assigned by VLR. (IMSI is sent in clear text when establishing TMSI.)

[Figure: message exchange between the USIM and the VLR (Visiting Location Register) in the Mobile Network: IMSI request, IMSI, TMSI allocation, TMSI acknowledgement.]

Mutual Authentication Mechanism 1/2

• Mutual Authentication
During Authentication and Key Agreement (AKA) the user and network authenticate each other, and they also agree on a cipher key and an integrity key (CK, IK). CK and IK are used until their time expires. Assumption: trusted HE and SN, and trusted links between them. After AKA, security mode must be negotiated to agree on encryption and integrity algorithm.

3G Mutual Authentication Mechanism 2/2

Generation of authentication data at “Home Network” site

[Figure: Generate SQN and Generate RAND feed, together with AMF and K, the functions f1 to f5 (block labelled AES): f1 → MAC, f2 → XRES, f3 → CK, f4 → IK, f5 → AK.]

AUTN := SQN ⊕ AK || AMF || MAC

AV := RAND || XRES || CK || IK || AUTN

Generation of authentication data at “Mobile” site

[Figure: inputs K, RAND and AUTN (SQN ⊕ AK, AMF, MAC). f5 → AK, which gives back SQN; f1 → XMAC, f2 → RES, f3 → CK, f4 → IK.]

Verify MAC = XMAC

Verify that SQN is in the correct range

K: subscriber secret key
SQN: Sequence Number
AK: Authentication Key
CK: Cipher Key
IK: Integrity Key
MAC: Message Authentication Code
AUTN: Authentication Token
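The two sides of the AKA computation above, as an added example that is not part of the lecture. Assumptions: HMAC-SHA256 stands in for f1 to f5 (it is not the 3G algorithm set), the field lengths and the SQN acceptance window are chosen for illustration, and the key and AMF values are constructed.

```python
import hashlib, hmac, os

def f(k, tag, data, n):
    """Stand-in for f1..f5 (assumption): HMAC-SHA256 under K, truncated to n bytes."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def home_generate_av(k, sqn, amf, rand=None):
    """Home network: AV := RAND || XRES || CK || IK || AUTN (returned as a dict)."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b + rand + amf, 8)
    ak = f(k, b"f5", rand, 6)
    autn = xor(sqn_b, ak) + amf + mac            # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": f(k, b"f2", rand, 8), "CK": f(k, b"f3", rand, 16),
            "IK": f(k, b"f4", rand, 16), "AUTN": autn}

def mobile_verify(k, rand, autn, last_sqn, window=32):
    """Mobile: unmask SQN, verify MAC = XMAC and the SQN range, then derive RES, CK, IK.
    The acceptance window is a constructed policy; the slide only says 'correct range'."""
    masked_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(masked_sqn, f(k, b"f5", rand, 6))
    xmac = f(k, b"f1", sqn_b + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):
        return "reject: MAC != XMAC", None
    sqn = int.from_bytes(sqn_b, "big")
    if not last_sqn < sqn <= last_sqn + window:
        return "reject: SQN out of range", None
    return "accept", {"RES": f(k, b"f2", rand, 8), "CK": f(k, b"f3", rand, 16),
                      "IK": f(k, b"f4", rand, 16), "SQN": sqn}

def demo():
    k = bytes(range(16))                          # constructed subscriber key K
    av = home_generate_av(k, sqn=101, amf=b"\x80\x00")
    fresh = mobile_verify(k, av["RAND"], av["AUTN"], last_sqn=100)
    replayed = mobile_verify(k, av["RAND"], av["AUTN"], last_sqn=101)
    forged = av["AUTN"][:-1] + bytes([av["AUTN"][-1] ^ 1])
    tampered = mobile_verify(k, av["RAND"], forged, last_sqn=100)
    return av, fresh, replayed, tampered

if __name__ == "__main__":
    av, fresh, replayed, tampered = demo()
    print(fresh[0], fresh[1]["RES"] == av["XRES"], replayed[0], tampered[0])
```

The network side finishes the exchange by comparing the RES returned by the mobile with the XRES stored in the AV.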

3G Data Integrity Mechanism

• Data Integrity
Integrity of data and source authentication of signaling data must be provided. The user and network agree on integrity key IK and algorithm such as f9 during AKA and security mode set-up. MAC (Message Authentication Code) is a mapping of the digest of the message through the KASUMI cipher using the agreed integrity key IK. If MAC-I and XMAC-I are equal, the message is seen as unmodified.

[Figure: Sender (UE or RNC): COUNT-I, MESSAGE, DIRECTION, FRESH and IK enter f9 (KASUMI), giving MAC-I. Receiver (RNC or UE): the same inputs enter f9, giving XMAC-I. Message authentic if equal.]

3G Data Encryption Mechanism

• Data Confidentiality
Signaling and user data should be protected from eavesdropping. The user and network agree on cipher key CK and algorithm such as f8 (KASUMI) during AKA and security mode set-up. The generated keystream block is added modulo-2 to the plaintext to encrypt and decrypt correspondingly.

[Figure: Sender (UE or RNC): COUNT-C, BEARER, DIRECTION, LENGTH and CK enter f8 (KASUMI), giving the KEYSTREAM BLOCK, which is added to the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK. Receiver (RNC or UE): the same inputs give the same KEYSTREAM BLOCK, which is added to the CIPHERTEXT BLOCK to give back the PLAINTEXT BLOCK.]
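The data flow of the integrity (f9) and encryption (f8) mechanisms above, as an added example that is not part of the lecture. Assumptions: HMAC-SHA256 in counter mode stands in for the KASUMI-based functions, the 4-byte tag and the field encodings are chosen for illustration, and all keys, counters and messages are constructed.

```python
import hashlib, hmac

def _core(key, label, data, n):
    """Stand-in for the KASUMI-based cores (assumption): HMAC-SHA256 in counter mode."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, label + block.to_bytes(4, "big") + data,
                        hashlib.sha256).digest()
    return out[:n]

def f9(ik, count_i, fresh, direction, message):
    """Integrity: MAC-I (or XMAC-I) over COUNT-I, FRESH, DIRECTION and MESSAGE under IK."""
    header = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction])
    return _core(ik, b"f9", header + message, 4)

def verify(ik, count_i, fresh, direction, message, mac_i):
    """Receiver: recompute XMAC-I; the message is accepted only if MAC-I == XMAC-I."""
    return hmac.compare_digest(mac_i, f9(ik, count_i, fresh, direction, message))

def f8(ck, count_c, bearer, direction, block):
    """Confidentiality: keystream of LENGTH = len(block) added modulo 2 to the block.
    The same call encrypts and decrypts."""
    header = count_c.to_bytes(4, "big") + bytes([bearer, direction])
    keystream = _core(ck, b"f8", header, len(block))
    return bytes(b ^ s for b, s in zip(block, keystream))

def demo():
    ik, ck = bytes(range(16)), bytes(range(16, 32))     # constructed IK and CK
    msg = b"LOCATION UPDATING REQUEST"                   # constructed signalling message
    uplink, downlink = 0, 1
    mac_i = f9(ik, 7, 0xCAFE, uplink, msg)
    ciphertext = f8(ck, 7, 1, uplink, msg)
    return {
        "intact": verify(ik, 7, 0xCAFE, uplink, msg, mac_i),
        "modified": verify(ik, 7, 0xCAFE, uplink, msg + b"!", mac_i),
        "other_direction": verify(ik, 7, 0xCAFE, downlink, msg, mac_i),
        "other_count": verify(ik, 8, 0xCAFE, uplink, msg, mac_i),
        "decrypted": f8(ck, 7, 1, uplink, ciphertext),
        "wrong_count": f8(ck, 8, 1, uplink, ciphertext),
    }

if __name__ == "__main__":
    print(demo())
```

Because COUNT and DIRECTION enter both functions, a tag or keystream computed for one counter value or one direction does not verify or decrypt under another.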

Problems with 3G Security

• IMSI is sent in clear text when allocating TMSI to the user

• The transmission of IMEI is not protected; Equipment identity is still not secured

• A user can be brought to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the network

• Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up

Modern Cryptography: Public-Key Cryptography

Published 1976 by Diffie & Hellman at Stanford University

- Breakthrough: Proved for the first time that it is possible to share secrets without secret agreement

- Many 3G mobile security applications in user layer are expected to employ public-key cryptography (Mobile Commerce, mobile IP applications ...)

Secret Key Systems

K-open = K-close (Symmetric System)

- Open and close with the same key which has to be agreed secretly !!

Public-Key Security Systems

K-open ≠ K-close (Asymmetric System), with keys K-secret and K-public

- Open and close with different keys!!
- No Secret Key Agreement required

Two major schemes in Public Key Cryptography:
• Diffie-Hellman key exchange scheme
• RSA public key secrecy system

Public-Key Cryptography Breakthrough 1976 (Diffie-Hellman)

Shared Secret without the exchange of secrets: “Mechanical Scenario”

[Figure: users A and B with an Open Register and a SHIELD. Secret key-A and Secret key-B are each applied by injection, and both users end with "! Same thing !", the Shared Secret.]

How to “publicly” hide (shield) a secret?

SHIELD = One-Way Function

Secret 6 → shielded secret 9

How: $2^6 \bmod 11 = 9$

One-way function: the inverse is $\log_2 9 \pmod{11} = 6$
Discrete logarithm: no formula is known to compute $\log_2 9$ modulo 11!

Example for Diffie-Hellman key exchange scheme 1976
Widely used in internet and banking ...

Open Agreement and Register. Shielding function is: $y = 5^x \bmod 7$

User A: Secret key-A = 3, K-open-A = $5^3 = 6$
User B: Secret key-B = 5, K-open-B = $5^5 = 3$

A computes $(5^5)^3 = 5^{5 \cdot 3} = 3^3 = 6$
B computes $(5^3)^5 = 5^{3 \cdot 5} = 6^5 = 6$

! same thing ! $Z = 5^{15} = 6$
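The shielding and key-exchange numbers of the last two slides, as an added example that is not part of the lecture. It goes one step beyond them by inverting the shield through exhaustive search, which shows that the toy moduli 11 and 7 hide nothing and that the one-way property rests on the size of the modulus; the larger modulus and secret in the last case are constructed.

```python
def shield(g, x, p):
    """The one-way 'shield' of the slides: y = g^x mod p."""
    return pow(g, x, p)

def key_exchange(g, p, secret_a, secret_b):
    """Diffie-Hellman: only the shielded values cross the open register."""
    open_a, open_b = shield(g, secret_a, p), shield(g, secret_b, p)
    z_a = pow(open_b, secret_a, p)        # A: (K-open-B)^secret_a
    z_b = pow(open_a, secret_b, p)        # B: (K-open-A)^secret_b
    if z_a != z_b:
        raise ArithmeticError("shared secrets differ")
    return open_a, open_b, z_a

def unshield_by_search(g, y, p):
    """Discrete logarithm by exhaustive search: try x = 0, 1, 2, ... until g^x = y.
    The number of trials is bounded only by p, so the work grows with the modulus."""
    value = 1
    for x in range(p):
        if value == y:
            return x
        value = value * g % p
    raise ValueError("y is not a power of g modulo p")

def demo():
    results = {"slide_shield": unshield_by_search(2, shield(2, 6, 11), 11)}
    open_a, open_b, z = key_exchange(5, 7, 3, 5)
    results["slide_exchange"] = (open_a, open_b, z)
    results["secret_a_from_register"] = unshield_by_search(5, open_a, 7)
    # Constructed larger case: the same search still finishes for a modulus near 10^6.
    # Deployed systems use moduli of thousands of bits, where it cannot finish.
    p_big, secret = 1_000_003, 777_777
    x = unshield_by_search(2, shield(2, secret, p_big), p_big)
    results["bigger_modulus_solved"] = shield(2, x, p_big) == shield(2, secret, p_big)
    return results

if __name__ == "__main__":
    print(demo())
```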

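Basic Public Key Secrecy System (RSA system)
(Mechanical simulation: user B wants secured message from A)

[Figure: User A and User B with a Public register. The closing key Kc is open in the public register; the opening key is $K_o = K_c^{-1}$. The message M is closed with $(\cdot)^{K_c} \pmod m$, giving $M^{K_c}$, and opened with Ko: $(M^{K_c})^{K_o} = M^{K_c \cdot K_o} = M$.]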

Mathematical Model of a Public-Key Crypto-system (using asymmetric keys)

[Figure: the receiver holds the Secret-Key Zs, and the Public-Key Zp is listed in a Public Directory. The sender encrypts message X as $Y = E(Z_p, X)$ and sends Y over the channel; the receiver computes $D(Z_s, Y)$ to obtain X.]

Is Exponentiation $y = a^x \bmod m$ a One-Way Function?

- Theoretically not (no proof !!)
- Practically yes: under some conditions and assumptions

- Two well known functions to hide something:

$a^x$: secret x → shielded secret y. To break, find: $x = \log_a y$ (Discrete Log. problem)

$M^x$: message M → shielded message y. To break, find: $M = y^{x^{-1}}$ (Invert... Factorization)

Squaring and Square Roots modulo m (Rabin Lock)

[Figure: X → $(\cdot)^2$ → Y; the way back from Y to X is marked "?".]

Computing the inverse function is not known (modulo m)

$Y = X^2$ is a one-way function (mod m), where m = pq is a product of two large primes p and q

Famous One-Way Functions used for Public-Key Systems

Discrete Log. Problem:
• Exponentiation $Y = a^k \pmod p$

Factorizing Problem (m = p·q; p, q = large primes):
• Exponentiation $Y = M^k \pmod m$
• Factoring m = p·q
• Squaring $C = M^2 \pmod m$

• Knapsack Problem

Public Key System Security

None of the claimed one-way functions in public key systems is proved to be really “one-way”

Open question: Is modern security a sort of Magic which could be disclosed at some time?

Cryptographic Protocols

No key cryptography, Secret Sharing

No Key Cryptography: Shamir 3-Pass Protocol

[Figure: mechanical scenario between User A and User B in three steps, Pass 1, Pass 2 and Pass 3, with the locks A and B marked on what is sent in each pass.]

Omura-Massey Lock* for Shamir’s 3-Pass Protocol
Secrecy without Authenticity

p = large prime. All computations modulo p.

User A: Ea = secret key, $D_a = E_a^{-1}$
User B: Eb = secret key, $D_b = E_b^{-1}$

Pass 1 (A to B): $M^{E_a}$
Pass 2 (B to A): $(M^{E_a})^{E_b} = M^{E_a E_b}$
Pass 3 (A to B): $(M^{E_a E_b})^{D_a} = M^{E_b}$
User B: $(M^{E_b})^{D_b} = M$

* J.L. Massey & J. K. Omura, US Patent, 1986
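The three passes of the Omura-Massey lock, as an added example that is not part of the lecture. It relies on the fact that the exponent inverses $D = E^{-1}$ are taken modulo p-1 with gcd(E, p-1) = 1; the function names, the toy values (p = 23) and the message are constructed.

```python
import math, secrets

def make_lock(p):
    """Secret lock exponent E with gcd(E, p-1) = 1 and its inverse D = E^-1 mod (p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(m, p, lock_a=None, lock_b=None):
    """Run the three passes for a message 1 < m < p and return every transmitted value."""
    if not 1 < m < p:
        raise ValueError("message must satisfy 1 < m < p")
    ea, da = lock_a or make_lock(p)
    eb, db = lock_b or make_lock(p)
    pass1 = pow(m, ea, p)            # A -> B: M^Ea        (A's lock on)
    pass2 = pow(pass1, eb, p)        # B -> A: M^(Ea*Eb)   (both locks on)
    pass3 = pow(pass2, da, p)        # A -> B: M^Eb        (A's lock off)
    recovered = pow(pass3, db, p)    # B:      (M^Eb)^Db = M
    # Nothing in the passes tells A that pass 2 really came from B:
    # this is the slide's "secrecy without authenticity".
    return {"pass1": pass1, "pass2": pass2, "pass3": pass3, "recovered": recovered}

def demo():
    # Constructed toy values: p = 23, Ea = 3 (Da = 15), Eb = 7 (Db = 19), M = 10.
    small = three_pass(10, 23, lock_a=(3, 15), lock_b=(7, 19))
    p = 2**127 - 1                                     # a known Mersenne prime
    m = int.from_bytes(b"session key 42", "big")       # constructed message
    large = three_pass(m, p)
    hidden = m not in (large["pass1"], large["pass2"], large["pass3"])
    return small, large["recovered"] == m, hidden

if __name__ == "__main__":
    print(demo())
```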

Non-Perfect Secret Sharing

[Figure: the bit string 1010010010, labelled Part A and Part B, and the Secret 1001010100.]

Perfect Secret Sharing
Example: share the secret 10100 between users A and B

Secret:          10100
Random (BSS):  + 11101   (Give User A)
Result:        = 01001   (Give User B)

Exchange to generate common secret: 11101 + 01001 = 10100 (Common Secret Between A and B)

Appendix: Knapsack One Way Function

Knapsack One Way Function*

Weights: W1 W2 W3 W3 W4 W5

$\mathrm{SUM} = \sum_{i=1}^{n} w_i x_i$

SUM = 449

Problem: Find X = [x1, x2, ......] where xi ∈ {0,1}
Solution: X = [ 1 0 1 0 1 0 ]

Easy if: Superincreasing Knapsack: if Wi is more than the sum of all other smaller weights

* Ref. J. Massey

Merkle-Hellman Crypto System (1978)
(Broken by Shamir 1984) *

Easy knapsack: 2 5 8 17 35 71

1. Multiplication with u = 113 in Z199 gives the hard knapsack: 27 167 108 130 174 63
   Conditions: gcd(u, m) = 1 and $m > \sum W_i$

2. Permute locations and publish. Published knapsack: 174 27 167 63 108 130

Secret key is Z = (m, u) = (199, 113)

Encrypt: X = [ 1 0 1 0 1 0 ] (Plaintext), Y = 174 + 167 + 108 = 449 (Cryptogram)

Decrypt: Y´ = $u^{-1}$ · Y = 118 · 449 in Z199 = 48; from Y´ find x´ = [0 1 1 0 1 0] in the easy knapsack; permute to get X = [ 1 0 1 0 1 0 ]

* Ref. J. Massey
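The slide's Merkle-Hellman numbers carried through key publication, encryption and decryption, as an added example that is not part of the lecture. The permutation table is an assumption derived here by comparing the hard and the published knapsack on the slide; the function names are constructed.

```python
import math

EASY = [2, 5, 8, 17, 35, 71]      # secret superincreasing (easy) knapsack
M, U = 199, 113                   # secret key Z = (m, u)
PERM = [4, 0, 1, 5, 2, 3]         # published position i holds hard[PERM[i]] (derived)

def is_superincreasing(weights):
    """Each weight must exceed the sum of all smaller ones."""
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True

def publish(easy, m, u, perm):
    """Steps 1 and 2 of the slide: multiply by u in Z_m, then permute locations."""
    if not (is_superincreasing(easy) and m > sum(easy) and math.gcd(u, m) == 1):
        raise ValueError("need superincreasing weights, m > sum(W) and gcd(u, m) = 1")
    hard = [w * u % m for w in easy]
    return [hard[i] for i in perm]

def encrypt(bits, published):
    """Cryptogram Y = sum of the published weights selected by the plaintext bits."""
    return sum(b * w for b, w in zip(bits, published))

def decrypt(y, easy, m, u, perm):
    """Y' = u^-1 * Y in Z_m, solve the easy knapsack greedily, undo the permutation."""
    rest = pow(u, -1, m) * y % m
    x_easy = [0] * len(easy)
    for i in reversed(range(len(easy))):   # greedy is correct only for superincreasing
        if easy[i] <= rest:
            x_easy[i], rest = 1, rest - easy[i]
    if rest != 0:
        raise ValueError("not a valid cryptogram")
    return [x_easy[i] for i in perm]

def demo():
    published = publish(EASY, M, U, PERM)
    y = encrypt([1, 0, 1, 0, 1, 0], published)
    return published, y, pow(U, -1, M) * y % M, decrypt(y, EASY, M, U, PERM)

if __name__ == "__main__":
    print(demo())
```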