Public Key Cryptography in 3G
Cellular & Wireless Networks
Technical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Fundamentals of Cellular and Wireless Networks
Lecture 9: Mobile Security Fundamentals III
3rd Generation Security and Public Key Systems
Lecture ID: ET- IDA-113/114
20.07.2012, v11
Prof. W. Adi

New Trends in Mobile Security
Lessons learned in security design:
- Successful attacks on the secret GSM ciphers A5 and COMP128 (1999-2003) led to standardizing publicly known and reviewed ciphers in the 3rd generation mobile systems
- AES is a new International Ciphering Standard

AES: Advanced Encryption Standard
Proposed for 3G Mobile Authentication Functions
International Standard competition managed by NIST: US National Institute of Science and Technology 1998-2001
AES Winner Algorithm: The Rijndael Block Cipher, Decision Oct. 2000

AES Round-3 Finalist Algorithms (finalized in 2001)
– MARS: IBM (USA)
– RC6: R. Rivest (MIT), creator of the widely used RC4 (USA)
– Twofish: Counterpane Internet Security, Inc. (USA)
– Serpent: Ross Anderson, Eli Biham and Lars Knudsen (USA)
– Rijndael: Designed by J. Daemen and V. Rijmen (Belgium)
Joan Daemen (of Proton World International)
Vincent Rijmen (of Katholieke Universiteit Leuven)

Rijndael: Basic concept
Key size: 128 to 256 bits
[Figure: the Key passes through Key Expansion to give the Round Keys K1, K2 ... K9, K10; the input X passes through 10 Encryption Rounds R1 … R10 (R1, R2 ... R9, R10), one round key per round, to give the output Y.]

Basic Encryption Round Functions, Rijndael AES:
[Figure: one encryption round. Clear Text (16 bytes) a1, a2, a3 ... a16 → Byte sub applied to each byte, giving b1, b2, b3 ... b16 → Transposition (4 x 32 bits) → Mix column applied to each of the four columns (4 x 32 bits) → + Round-Key Ki (128 bits) → Cipher Text (16 bytes).]
Byte sub: $b = [M]\,a^{-1} + C$ (the only non-linear mapping !)
Mix column: linear mapping $B = [C]\,A$

Security of AES/Rijndael
- Published to the scientific community 1998
- Is still not broken !!
- No proof that Rijndael cannot be broken !!

Important Lessons in Security Design
2nd Generation security lessons
Experts learned over the years that the only way to assure security is:
• follow an open design process
• encourage public scientific review
Nobody is better than the rest of the research community.

New 3G Security Features 1/2
• Network Authentication
The user can provably identify the network
• Network Security
Mechanisms to support security within and between networks
• Switch Based Security
More switch based secrecy rather than only to base station
• IMEI Integrity
Integrity mechanisms for IMEI provided from login
• Secure Services
Protect against misuse of services provided by Service Network and Home Environment

New 3G Security Features 2/2
• Secure Applications
Provide security for applications resident on USIM
• Fraud Detection
Mechanisms for combating fraud in roaming situations
• Flexibility
Security features can be extended and enhanced as required by new threats and services
• Visibility and Configurability
Users are notified whether security is on and what level of security is available. Users can configure security features for individual services
• Lawful Interception
Mechanisms to provide authorized agencies with certain information about subscribers
In the following slides, the main 3G security functions are summarized.

3G User Confidentiality
• User Confidentiality
The permanent user identity (IMSI), user location, and user services cannot be determined by eavesdropping. This is achieved by use of a temporary identity (TMSI), which is assigned by the VLR (the IMSI is sent in clear text when establishing the TMSI).
[Figure: message exchange between the USIM and the VLR (Visiting Location Register, Mobile Network): IMSI request, IMSI, TMSI allocation, TMSI acknowledgement.]

Mutual Authentication Mechanism 1/2
• Mutual Authentication
During Authentication and Key Agreement (AKA), the user and the network authenticate each other and agree on a cipher key and an integrity key (CK, IK). CK and IK are used until their time expires. Assumption: trusted HE and SN, and trusted links between them. After AKA, the security mode must be negotiated to agree on the encryption and integrity algorithms.

3G Mutual Authentication Mechanism 2/2

Generation of authentication data at “Home Network” site
[Figure: Generate SQN, Generate RAND; K, SQN, RAND and AMF feed the functions f1, f2, f3, f4, f5 (figure label: AES), which output MAC, XRES, CK, IK and AK.]
AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN

Generation of authentication data at “Mobile” site
[Figure: the received AUTN consists of SQN ⊕ AK, AMF and MAC; K and RAND feed f5, which outputs AK; K, SQN, RAND and AMF feed f1, f2, f3, f4, which output XMAC, RES, CK and IK.]
Verify MAC = XMAC
Verify that SQN is in the correct range

K: subscriber secret key
SQN: Sequence Number
AK: Authentication Key
CK: Cipher Key
IK: Integrity Key
MAC: Message Authentication Code
AUTN: Authentication Token
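
An added sketch, not part of the lecture, of both sides of the AKA computation above: the home network builds an authentication vector and the mobile checks MAC = XMAC and the SQN range before answering. HMAC-SHA-256 stands in for f1 … f5, and the field lengths, the SQN acceptance window and all key values are assumptions of this example.

```python
import hashlib, hmac, os

def f(i, k, *parts):
    # Stand-in for f1..f5 (assumption): HMAC-SHA256 under K, separated by index i.
    return hmac.new(k, bytes([i]) + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def home_generate_av(k, sqn, amf, rand):
    """Home network: AV := RAND || XRES || CK || IK || AUTN (returned as a dict)."""
    mac, ak = f(1, k, sqn, rand, amf)[:8], f(5, k, rand)[:6]
    autn = xor(sqn, ak) + amf + mac          # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": f(2, k, rand)[:8], "CK": f(3, k, rand)[:16],
            "IK": f(4, k, rand)[:16], "AUTN": autn}

def usim_verify(k, rand, autn, last_sqn, window=32):
    """Mobile: recover SQN, check MAC = XMAC, check the SQN range, then answer RES."""
    ak = f(5, k, rand)[:6]
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
    xmac = f(1, k, sqn, rand, amf)[:8]
    if not hmac.compare_digest(mac, xmac):
        return "reject: MAC != XMAC", None
    n, last = int.from_bytes(sqn, "big"), int.from_bytes(last_sqn, "big")
    if not last < n <= last + window:        # acceptance window: assumption of this sketch
        return "reject: SQN out of range", None
    return "ok", {"RES": f(2, k, rand)[:8], "CK": f(3, k, rand)[:16],
                  "IK": f(4, k, rand)[:16], "SQN": sqn}

def demo():
    k = bytes(range(16))                     # constructed subscriber key K
    amf, rand = b"\x80\x00", os.urandom(16)
    last_sqn = (41).to_bytes(6, "big")       # highest SQN the USIM has accepted so far
    av = home_generate_av(k, (42).to_bytes(6, "big"), amf, rand)
    status, out = usim_verify(k, rand, av["AUTN"], last_sqn)
    network_ok = status == "ok" and hmac.compare_digest(out["RES"], av["XRES"])
    keys_agree = out["CK"] == av["CK"] and out["IK"] == av["IK"]
    # The same vector presented again after the USIM has stored SQN 42
    replay, _ = usim_verify(k, rand, av["AUTN"], out["SQN"])
    # An AUTN computed without the subscriber's K fails the MAC check
    forged = home_generate_av(os.urandom(16), (43).to_bytes(6, "big"), amf, rand)
    forged_status, _ = usim_verify(k, rand, forged["AUTN"], last_sqn)
    return network_ok, keys_agree, replay, forged_status
```

The MAC check is what lets the user identify the network, and the SQN check is what rejects a recorded vector that is presented a second time.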

3G Data Integrity Mechanism
• Data Integrity
Integrity of data and source authentication of signaling data must be provided. The user and network agree on integrity key IK and an algorithm such as f9 during AKA and security mode set-up. The MAC (Message Authentication Code) is a mapping of the digest of the message through the KASUMI cipher using the agreed integrity key IK. If MAC-I and XMAC-I are equal, the message is seen as unmodified.
[Figure: Sender (UE or RNC): f9 (KASUMI) takes COUNT-I, DIRECTION, MESSAGE, FRESH and IK and outputs MAC-I. Receiver (RNC or UE): f9 takes COUNT-I, DIRECTION, MESSAGE, FRESH and IK and outputs XMAC-I. Message authentic if equal.]

3G Data Encryption Mechanism
• Data Confidentiality
Signaling and user data should be protected from eavesdropping. The user and network agree on cipher key CK and an algorithm such as f8 (KASUMI) during AKA and security mode set-up. The generated keystream block is added modulo 2 to the plaintext to encrypt, and to the ciphertext to decrypt.
[Figure: Sender (UE or RNC): f8 (KASUMI) takes COUNT-C, DIRECTION, BEARER, LENGTH and CK and outputs a KEYSTREAM BLOCK, which is added to the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK. Receiver (RNC or UE): f8 with the same inputs outputs the same KEYSTREAM BLOCK, which is added to the CIPHERTEXT BLOCK to give the PLAINTEXT BLOCK.]

Problems with 3G Security
• IMSI is sent in clear text when allocating TMSI to the user
• The transmission of IMEI is not protected; equipment identity is still not secured
• A user can be brought to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the network
• Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up

Modern Cryptography
Public-Key Cryptography
Published 1976 by Diffie & Hellman at Stanford University
- Breakthrough: Proved for the first time that it is possible to share secrets without secret agreement
- Many 3G mobile security applications in user layer are expected to employ public-key cryptography (Mobile Commerce, mobile IP applications ...)

Secret Key Systems
K-open = K-close (Symmetric System)
- Open and close with the same key which has to be agreed secretly !!

Public-Key Security Systems
K-open ≠ K-close (Asymmetric System)
K-secret, K-public
- Open and close with different keys !!
- No Secret Key Agreement required

Two major schemes in Public Key Cryptography:
• Diffie-Hellman key exchange scheme
• RSA public key secrecy system

Public-Key Cryptography Breakthrough 1976 (Diffie-Hellman)
Shared Secret without the exchange of secrets: “Mechanical Scenario”
[Figure: users A and B and an Open Register. Each user injects a secret key (Secret key-A, Secret key-B) behind a SHIELD; both end up with the same Shared Secret (“! Same thing !”).]

How to “publicly” hide (shield) a secret ?
SHIELD = One Way Function
Secret 6 → shielded secret 9
How: $2^6 \bmod 11 = 9$
One-Way function: $\log_2 9 \pmod{11} = 6$
Discrete logarithm: no formula is known to compute $\log_2 9$ modulo 11 !

Example for Diffie-Hellman key exchange scheme 1976
Widely used in internet and banking ...
Open Agreement and Register
Shielding function is: $y = 5^x \bmod 7$
User A: Secret key-A = 3, K-open-A = $5^3 = 6$
User B: Secret key-B = 5, K-open-B = $5^5 = 3$
User A computes $(5^5)^3 = 5^{5 \cdot 3}$ from K-open-B = 3; User B computes $(5^3)^5 = 5^{3 \cdot 5}$ from K-open-A = 6
! same thing ! $Z = 5^{15} = 6$
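
The exchange on this slide and the shield from the one-way-function slide before it, as an added Python example that is not part of the lecture. It runs the lecture's numbers and then undoes the shield by trying exponents in turn, which shows why the modulus has to be large; the 20-bit prime and the secret 777777 are constructed values.

```python
def shield(g, x, p):
    """One-way 'shield' y = g^x mod p; pow() needs about log2(x) multiplications."""
    return pow(g, x, p)

def dh_exchange(g, p, secret_a, secret_b):
    """Both users publish a shielded secret and derive the same Z."""
    open_a = shield(g, secret_a, p)        # K-open-A, written to the open register
    open_b = shield(g, secret_b, p)        # K-open-B
    z_a = pow(open_b, secret_a, p)         # A: (g^b)^a
    z_b = pow(open_a, secret_b, p)         # B: (g^a)^b
    return open_a, open_b, z_a, z_b

def discrete_log_search(g, y, p):
    """Undo the shield by trying x = 0, 1, 2, ...; returns (x, candidates tried)."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x, x + 1
        acc = acc * g % p
    return None, p - 1

def demo():
    slide = dh_exchange(5, 7, 3, 5)                  # the lecture's numbers
    x_small, tried_small = discrete_log_search(5, slide[0], 7)
    p_big = 1_000_003                                # constructed: a 20-bit prime
    y_big = shield(2, 777_777, p_big)
    x_big, tried_big = discrete_log_search(2, y_big, p_big)
    return slide, (x_small, tried_small), (x_big, tried_big)

if __name__ == "__main__":
    print(demo())
```

The search effort grows in proportion to p while the cost of the shield grows only with the number of bits of p, so the function behaves as one-way only for a modulus far larger than either value used here.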

Basic Public Key Secrecy System (RSA system)
(Mechanical simulation: user B wants secured message from A)
[Figure: User A, User B and a Public register holding Kc; A closes with Kc, B opens with Ko.]
Close: $M \rightarrow M^{K_c} \pmod m$
Open: $(M^{K_c})^{K_o} = M^{K_c \cdot K_o} = M$, with $K_o = K_c^{-1}$

Mathematical Model of a Public-Key Crypto-system (using asymmetric keys)
[Figure: Sender, Channel, Receiver. The receiver holds the key pair (Zs, Zp): the Secret-Key Zs stays with the receiver, the Public-Key Zp is listed in a Public Directory (Z.., Zp, Z...), from which the sender takes it.]
Sender: Message X, $Y = E(Z_p, X)$
Receiver: $X = D(Z_s, Y)$

Is Exponentiation $y = a^x \bmod m$ a One-Way Function ?
- Theoretically not (no proof !!)
- Practically yes: under some conditions and assumptions
- Two well known functions to hide something:
Secret x → shielded secret $y = a^x$. To break, find: $x = \log_a y$ (Discrete Log. problem)
Message M → shielded message $y = M^x$. To break, find: $M = y^{x^{-1}}$ (Invert... Factorization)

Squaring and Square Roots modulo m (Rabin Lock)
[Figure: $X \rightarrow (\,)^2 \rightarrow Y$; the reverse direction from Y back to X is marked “?”.]
Computing the inverse function is not known (modulo m)
$Y = X^2$ is a one-way function (mod m), where $m = pq$ is a product of two large primes p and q

Famous One-Way Functions used for Public-Key Systems
Discrete Log. Problem
• Exponentiation $Y = a^k \pmod p$
Factorizing Problem ($m = p \cdot q$; p, q = large primes)
• Exponentiation $Y = M^k \pmod m$
• Factoring $m = p \cdot q$
• Squaring $C = M^2 \pmod m$

• Knapsack Problem

Public Key System Security
None of the claimed one-way functions in public key systems is proved to be really “one-way”
Open question ?
Is modern security a sort of Magic which could be disclosed at some time ?

Cryptographic Protocols
No key cryptography, Secret Sharing

No Key Cryptography: Shamir 3-Pass Protocol
[Figure: User A and User B exchange a box in three passes. Pass 1: the box carries lock A. Pass 2: the box carries locks A and B. Pass 3: the box carries lock B only.]

Omura-Massey Lock* for Shamir’s 3-Pass Protocol
Secrecy without Authenticity
p = large prime; all computations modulo p
User A: Ea = secret key, $D_a = E_a^{-1}$
User B: Eb = secret key, $D_b = E_b^{-1}$
1. A → B: $M^{E_a}$
2. B → A: $(M^{E_a})^{E_b} = M^{E_a E_b}$
3. A → B: $(M^{E_a E_b})^{D_a} = M^{E_b}$
User B: $(M^{E_b})^{D_b} = M$
* J.L. Massey & J. K. Omura, US Patent, 1986
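
The three passes above as an added, runnable Python example that is not part of the lecture. The inverses Da and Db are taken modulo p − 1 so that the exponents cancel modulo p; the prime 2^127 − 1, the key seeds and the message are constructed values.

```python
from math import gcd

P = 2**127 - 1  # constructed parameter: a Mersenne prime standing in for "p = large prime"

def make_lock(seed, p=P):
    """Return (E, D): E is the secret key, D = E^-1 taken modulo p-1."""
    e = seed | 1                       # p-1 is even, so E must be odd
    while gcd(e, p - 1) != 1:          # E must be invertible modulo p-1
        e += 2
    return e, pow(e, -1, p - 1)        # then (M^E)^D = M (mod p) by Fermat

def three_pass(message, lock_a, lock_b, p=P):
    """Run the three passes; return (values seen on the channel, B's output)."""
    (ea, da), (eb, db) = lock_a, lock_b
    m = int.from_bytes(message, "big")
    if not 1 < m < p - 1:
        raise ValueError("message must encode to an integer between 1 and p-1")
    pass1 = pow(m, ea, p)              # 1: A -> B   M^Ea
    pass2 = pow(pass1, eb, p)          # 2: B -> A   (M^Ea)^Eb = M^(Ea Eb)
    pass3 = pow(pass2, da, p)          # 3: A -> B   (M^(Ea Eb))^Da = M^Eb
    recovered = pow(pass3, db, p)      # B:          (M^Eb)^Db = M
    return [pass1, pass2, pass3], recovered.to_bytes(len(message), "big")

def demo():
    lock_a = make_lock(0x1234567890ABCDEF1234567890ABCDEF)   # constructed secrets
    lock_b = make_lock(0x0FEDCBA987654321FEDCBA9876543210)
    return three_pass(b"session key 01", lock_a, lock_b)

if __name__ == "__main__":
    channel, out = demo()
    print([hex(v) for v in channel], out)
```

Nothing in the three values ties lock B to user B, which is the slide's “Secrecy without Authenticity”: the passes have to run over a channel that is authenticated by other means.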

Non-Perfect Secret Sharing
[Figure: the Secret, the bit string 1001010100 1010010010, is split into two halves, Part A and Part B; putting the two parts together gives the Secret again.]

Perfect Secret Sharing
Example: share the secret 10100 between users A and B
Random (BSS): 11101 → Give User A
Secret 10100 + Random 11101 = 01001 → Give User B
Exchange to generate common secret: 11101 + 01001 = 10100
Common Secret Between A and B: 10100

Appendix
Knapsack One Way Function

Knapsack One Way Function*
$\mathrm{SUM} = \sum_{i=1}^{n} x_i w_i$
[Figure: a knapsack with weights W1 W2 W3 W3 W4 W5, SUM = 449]
Problem: Find X = [x1, x2 ......] where xi ∈ {0,1}
Solution: X = [ 1 0 1 0 1 0 ]
Easy if: Superincreasing Knapsack: if Wi is more than the sum of all other smaller weights
* Ref. J. Massey

Merkle-Hellman Crypto System (1978) (Broken by Shamir 1984) *
Easy knapsack: 2 5 8 17 35 71
1. Multiplication with u = 113 in Z199: 27 167 108 130 174 63 (hard knapsack)
Conditions: gcd(u, m) = 1 and $m > \sum W_i$
2. Permute locations and publish: 174 27 167 63 108 130 (published knapsack)
Secret key is Z = (m, u) = (199, 113)
Encrypt: X = [ 1 0 1 0 1 0 ] Plaintext, Y = 174 + 167 + 108 = 449 Cryptogram
Decrypt: $Y' = u^{-1} \cdot Y = 118 \cdot 449$ in Z199 = 48; from Y´ find x´ = [0 1 1 0 1 0] in the easy knapsack; permute to get X = [ 1 0 1 0 1 0 ]
* Ref. J. Massey
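
The slide's numbers carried through in an added Python example that is not part of the lecture; it also covers the superincreasing knapsack of the previous slide. The permutation list PERM is read off the slide's published knapsack, and the function names are this example's own.

```python
from math import gcd

EASY = [2, 5, 8, 17, 35, 71]      # easy (superincreasing) knapsack, secret
M, U = 199, 113                   # secret key Z = (m, u)
PERM = [4, 0, 1, 5, 2, 3]         # published[j] = hard[PERM[j]], secret

def is_superincreasing(w):
    total = 0
    for x in w:
        if x <= total:            # each weight must exceed the sum of all smaller ones
            return False
        total += x
    return True

def public_knapsack():
    """Steps 1 and 2: multiply by u in Z_m, then permute and publish."""
    if gcd(U, M) != 1 or M <= sum(EASY) or not is_superincreasing(EASY):
        raise ValueError("conditions on u, m and the easy knapsack not met")
    hard = [U * w % M for w in EASY]
    return [hard[i] for i in PERM]

def encrypt(bits, published):
    """Cryptogram Y = sum of the published weights selected by the plaintext bits."""
    return sum(w for b, w in zip(bits, published) if b)

def solve_easy(target):
    """Greedy solution of the superincreasing knapsack, largest weight first."""
    x = [0] * len(EASY)
    for i in reversed(range(len(EASY))):
        if EASY[i] <= target:
            x[i], target = 1, target - EASY[i]
    if target:
        raise ValueError("not a valid cryptogram")
    return x

def decrypt(y):
    """Y' = u^-1 * Y in Z_m, solve the easy knapsack, undo the permutation."""
    y_easy = pow(U, -1, M) * y % M
    x_easy = solve_easy(y_easy)
    return [x_easy[i] for i in PERM]

if __name__ == "__main__":
    pub = public_knapsack()
    y = encrypt([1, 0, 1, 0, 1, 0], pub)
    print(pub, y, decrypt(y))
```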