Workshop on 3G, HSPA & LTE/4G – Day 2 Dr. Manodha Gamage Consultant – TRCSL, Senior Lecturer (visiting) [email protected] Tel. 0777-789781 March 19, 2012

Security Architecture Day2 Last Session


Security Aspects of 3G


Goals of Cryptography

1. Confidentiality (secrecy):

– Use of encryption to protect information from unauthorized parties

2. Data Integrity:

– Ensure data is not changed by unauthorized parties

3. Authentication:

– Services related to identification

– Entity Authentication and Data Origin Authentication

– Information on a channel should be authenticated for:

• Origin

• Data

• Content

• Date of origin and time sent

– Uses Key Exchange (e.g. DH) & Digital Signatures (e.g. DSA)

4. Non-Repudiation:

– To prevent an entity from denying previous commitments/actions

Copyright © Dr. Manodha Gamage 2011

Classification of Security Primitives/Cryptographic Tools

[Figure: classification diagram of security primitives. Surviving labels: "Encrypt group of characters/words", "Operate on individual characters".]

Basics of Cryptography

• Plain text

• Cipher text

• Symmetric Key (Private Key); secure key exchange is important
  1. Block Ciphers
    • Input: a block of plaintext and a key
    • Output: a block of ciphertext of the same size as the plaintext
    • Encrypt group of characters/words
  2. Stream Ciphers
    • Create an arbitrarily long stream of key material
    • Combine key with plaintext
      – Bit-by-bit
    • Output stream created based on an internal state (changes as cipher operates)
    • That state's change is controlled by the key (in some ciphers by the plaintext stream too)

• Public Key (Asymmetric Key);
  – Encrypt key is publicly available
  – Decrypt key is private

Symmetric Key Cryptography

Step 1: Key Delivery (via secure channel) between Alice and Bob

Step 2: Encrypted Communication between Alice and Bob

[Figure: Alice and Bob, each holding the shared secret key.]

Symmetric Key Encryption

Example: Alice wants to encrypt a message that only Bob can read by using Symmetric Key Cryptography.

[Figure: Alice: Data (Plaintext) → Encrypt with Shared Secret Key → Data (Ciphertext) → Communications Link → Data (Ciphertext) → Decrypt with Shared Secret Key → Data (Plaintext): Bob]

Asymmetric/Public Key Cryptography

Step 1: Each party (Alice and Bob) has a key pair (public/private)

Step 2: Each obtains the other’s public key from a trusted source (Certificate Center)

Step 3: Encrypted communication

[Figure: Alice and Bob. Surviving labels: private key (used to decrypt) on each side, Bob’s public key, Alice’s public key.]

Asymmetric/Public Key Encryption

Example: Alice wants to encrypt a message that only Bob can read by using Public Key Cryptography. Note that Alice must obtain Bob’s public key and use it to encrypt.

[Figure: Alice: Data (Plaintext) → Encryption with Bob’s Public Key → Data (Ciphertext) → Communications Link → Data (Ciphertext) → Decryption with Bob’s Private Key → Data (Plaintext): Bob]

Public Key Digital Signature

Example: Alice wants to sign a message so that Bob can authenticate that it really came from Alice.

[Figure: Alice hashes the data and encrypts (signs) the hash with Alice’s Private Key; Signature + Data cross the Communications Link; Bob decrypts (verifies) the signature with Alice’s Public Key, hashes the received data, and compares the two. The data may be plaintext or ciphertext under Bob’s public key.]

Security of GSM

GSM Network Architecture: elements related to the security system

• IMSI : International Mobile Subscriber Identity

• TMSI : Temporary Mobile Subscriber Identity

• MSRN : Mobile Station Roaming Number

• MSISDN : Mobile Station ISDN

• LAI : Local Area Identity

• Ki : authentication key

• Kc : ciphering key

• SRES : Signed Response

• RAND : random number


GSM Security Algorithms

• A3 : Subscriber authentication algorithm

• A8 : Cipher key generation algorithm

• A5 : Ciphering/deciphering algorithm


TMSI Assignment

• Objective : to protect the IMSI.

• 5-digit TMSI is replaced at each location update procedure.

• TMSI sent encrypted by A5 algorithm from BTS to MS.

Weaknesses:

• No protection for the IMSI when it is transmitted between MS and fixed network.

• TMSI is only encrypted between BTS and MS.

Authentication

• Objective: to verify that the subscriber identity is genuine.

• Known as the Challenge-Response method.

Weaknesses:

• No protection for RAND and SRES_MS while they are transmitted.

[Figure: challenge-response flow. The fixed network sends RAND to the MS as the challenge; each side computes SRES with A3 from RAND and Ki; the MS returns SRES_MS as the response; the fixed network checks SRES_MS = SRES_network? Yes: access granted. No: deny access.]

Ciphering - Deciphering

• Ciphering is performed at the BTS and the MS, using the A5 algorithm.

• Symmetric cryptography.

Weaknesses:

• There is no security outside the BTS-MS path.

[Figure: ciphering/deciphering at MS and BTS. On each side the A5 algorithm takes Kc (64 bit) and the frame number (22 bit) and outputs S1 and S2, applied to 114-bit plaintext/ciphertext blocks; codeword downlink and codeword uplink are 114 bit each.]

Authentication in GSM Network

1. Register to network
2. Request authentication triplet
3. Authentication triplet (RAND, SRES, Kc)
4. RAND
5. SRES
6. Check SRES

SRES = A3(RAND, Ki)

Kc = Air interface encryption key

[Figure: the numbered messages above exchanged between MS, MSC, HLR and AuC.]

GSM Network Security Defects

• Network not authenticated
  – Faking a base station is possible in principle
• Algorithm weaknesses
  – Both A5 and COMP128 defective
• Data integrity not checked
  – Makes alteration of data possible
• Authentication data transmitted in clear both inside and between networks
  – Also contains the air interface encryption key
• Encryption does not extend toward the core network
• Lack of visibility
  – User cannot know whether encryption is used or not
  – No confirmation to the home network whether the serving network uses authentication parameters correctly when the user roams

Security of UMTS

UMTS Security Features

• Mutual Authentication
  – Mobile user and the serving network authenticate each other
• Data Integrity
  – Signaling messages between MS and RNC/Core, protected by integrity code
• Network to Network Security
  – Secure communication between serving networks using IPsec
• Wider Security Scope
  – Security is based within the RNC rather than the base station
• Secure IMSI (International Mobile Subscriber Identity) Usage
  – The user is assigned temporary IMSI by serving network
• User – Mobile Station Authentication
  – The user and the mobile station share a secret key, PIN
• Secure Services
  – Protect against misuse of services provided by home network & serving network
• Secure Applications
  – Provide security for applications resident on mobile station

UMTS Security Features cont..

• Fraud Detection
  – Mechanisms to combat fraud in roaming situations
• Flexibility
  – Security features can be extended and enhanced as required by new threats and services
• Visibility and Configurability
  – Users are notified whether security is on and what level of security is available
• Multiple Cipher and Integrity Algorithms
  – User and network negotiate and agree on cipher and integrity algorithms (KASUMI or SNOW3G)
• Lawful Interception
  – Mechanisms to provide authorized agencies with certain information about subscribers
• GSM Compatibility
  – GSM subscribers roaming in 3G network are supported by GSM security context

Security Mechanism

• Authentication and Key Agreement

• Encryption

• Integrity Protection


Authentication & Key Agreement

• Authentication Center (AuC) and USIM share

– Permanent secret key, K

– Message authentication functions f1, f1*, f2

– Key generating functions f3, f4, f5

• AuC has a random number generator

• AuC has scheme to generate fresh sequence numbers

• USIM has scheme to verify freshness of received sequence numbers

AKA Procedure for 3G UMTS (TS 33.102)

Commonly stored in USIM & AuC/HE:
• f1, f2, f3, f4, f5
• K: long-term secret key

Distribution of authentication vectors from HE to SN:
• VLR/SGSN → HE/HLR: Authentication data request
• HE/HLR: Generate authentication vectors AV(1..n)
• HE/HLR → VLR/SGSN: Authentication data response, AV(1..n)
• VLR/SGSN: Store authentication vectors

Authentication and key establishment:
• VLR/SGSN: Select authentication vector AV(i)
• VLR/SGSN → MS: User authentication request, RAND(i) || AUTN(i)
• MS: Verify AUTN(i), compute RES(i)
• MS → VLR/SGSN: User authentication response, RES(i)
• VLR/SGSN: Compare RES(i) and XRES(i)
• MS: Compute CK(i) and IK(i); VLR/SGSN: Select CK(i) and IK(i)

NOTES:
RAND: Unpredictable challenge
AMF: An authentication and key management field (16b)
AUTN: Authentication Token
AK: Anonymity Key
For each user, HE/AuC keeps track of a counter: SQN_HE

Generation of AV at HE/AuC (TS 33.102)

[Figure: the HE/AuC generates SQN and RAND. K, SQN, RAND and AMF feed f1, which outputs MAC; K and RAND feed f2, f3, f4 and f5, which output XRES, CK, IK and AK.]

AUTN := SQN ⊕ AK || AMF || MAC

AV := RAND || XRES || CK || IK || AUTN

AKA Procedure: User Authentication function at USIM

Receive RAND & AUTN from network

[Figure: the USIM computes AK with f5 from K and RAND and recovers SQN from the SQN ⊕ AK field of AUTN (AUTN = SQN ⊕ AK || AMF || MAC). K, SQN, RAND and AMF feed f1, giving XMAC; K and RAND feed f2, f3 and f4, giving RES, CK and IK.]

• Verify MAC = XMAC. If a mismatch, reject authentication & abandon.

• Verify that SQN is in the correct range. If not, synchronization failure & abandon.

UMTS AKA

[Figures: three slides titled "UMTS AKA"; images not recovered.]

Length of Authentication Parameter (TS 33.102)

• Authentication key (K) shall have a length of 128 bits

• Random challenge (RAND) shall have a length of 128 bits

• Sequence numbers (SQN) shall have a length of 48 bits

• Anonymity key (AK) shall have a length of 48 bits

• Authentication management field (AMF) shall have a length of 16 bits

• Message authentication codes, MAC in AUTN and MAC-S in AUTS shall have a length of 64 bits

• Cipher key (CK) shall have a length of 128 bits

• Integrity key (IK) shall have a length of 128 bits

• Authentication response (RES) shall have a variable length of 4-16 octets
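The AV generation at the HE/AuC and the USIM-side checks from the slides above, using the parameter lengths just listed, as an added Python example that is not part of the original slides. The real f1 to f5 are replaced by a truncated HMAC-SHA256 stand-in, and the SQN range check is simplified to "greater than the last accepted SQN"; both are assumptions, as are all function and class names.

```python
import hashlib, hmac, os

def f(tag, k, data, n):
    # Stand-in for f1..f5 (assumption): truncated HMAC-SHA256, NOT MILENAGE.
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k, sqn, amf, rand=None):
    """HE/AuC side: build one authentication vector."""
    rand = rand or os.urandom(16)                 # RAND: 128 bits
    sqn_b = sqn.to_bytes(6, "big")                # SQN: 48 bits
    mac = f(b"f1", k, sqn_b + rand + amf, 8)      # MAC: 64 bits
    ak = f(b"f5", k, rand, 6)                     # AK: 48 bits
    autn = xor(sqn_b, ak) + amf + mac             # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": f(b"f2", k, rand, 8),
            "CK": f(b"f3", k, rand, 16), "IK": f(b"f4", k, rand, 16),
            "AUTN": autn}

class USIM:
    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms           # sqn_ms: highest SQN accepted so far

    def authenticate(self, rand, autn):
        """Return ("ok", RES, CK, IK) or a one-element tuple naming the failure."""
        if len(rand) != 16 or len(autn) != 16:
            return ("reject: malformed",)
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(conc_sqn, f(b"f5", self.k, rand, 6))   # unmask SQN with AK
        xmac = f(b"f1", self.k, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):             # network not authentic
            return ("reject: MAC != XMAC",)
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                             # replayed or stale vector
            return ("synchronization failure",)
        self.sqn_ms = sqn
        k, r = self.k, rand
        return ("ok", f(b"f2", k, r, 8), f(b"f3", k, r, 16), f(b"f4", k, r, 16))

if __name__ == "__main__":
    K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    av = generate_av(K, sqn=33, amf=b"\x80\x00")
    card = USIM(K, sqn_ms=32)
    print(card.authenticate(av["RAND"], av["AUTN"])[0])     # first use
    print(card.authenticate(av["RAND"], av["AUTN"])[0])     # replay of same AV
```

The MAC check is what gives the USIM the network authentication that GSM lacked; the SQN check rejects a replayed vector.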


Life Time of CK and IK (6.4.3 of TS 33.102)

• Generating CK & IK is not mandatory at call set-up;

• A mechanism is needed to ensure that a CK/IK set is not used for an unlimited period of time

• USIM shall contain a mechanism to limit the amount of data that is protected by an access link key set

• Each time an RRC connection is released, START_CS & START_PS of the bearers that were protected in that RRC connection are compared with THRESHOLD (set by the operator and stored in the USIM)
  1. If START_CS and/or START_PS have reached THRESHOLD,
    • ME marks it/them as invalid by setting to THRESHOLD
    • Deletes CK & IK stored on USIM and
    • Sets KSI (Key Set ID) to invalid
  2. Otherwise, the START_CS and START_PS are stored in the USIM.

• When an RRC connection is established, START values are read from the USIM
  – Then, ME shall trigger generation of a new access link key set (CK & IK) if START_CS and/or START_PS has reached THRESHOLD

• This mechanism will ensure that a cipher/integrity key set cannot be reused beyond the limit set by the operator

Ciphering Algorithms in 3G and LTE

• Ciphering of U-plane data & C-plane (RRC & NAS signalling)
  – Algorithms in 3G:
    • UEA 1 & 2: Kasumi and SNOW 3G based f8 algorithm
  – Algorithms in LTE:
    • EEA 1 & 2: SNOW 3G and AES based f8 algorithm

• Integrity protection for C-plane
  – Algorithms in 3G:
    • UIA 1 & 2: Kasumi and SNOW 3G based f9 algorithm
  – Algorithms in LTE:
    • EIA 1 & 2: SNOW 3G & AES based f9 algorithm

Ciphering (f8) and Integrity Check (f9) for Control Plane

[Figure: PDCP PDU = PDCP Hdr | PDCP SDU | MAC-I. MAC-I is calculated over PDCP Hdr + PDCP SDU; ENCRYPT covers PDCP SDU + MAC-I. PDCP Hdr = 1 or 2 octets.]

1. Ciphering and integrity check (MAC-I) are done for control plane data
2. Two different keys derived from the AS base key, KeNB, are used for ciphering and MAC-I
3. First calculate MAC-I over the PDCP PDU (i.e. Hdr + SDU) using f9
4. Then encrypt (SDU + MAC-I) using f8
5. Algorithms to be used:
  1. EIA1 (for f9) and EEA1 (for f8): SNOW 3G based algorithms
  2. EIA2 (for f9) and EEA2 (for f8): AES algorithms (Counter & CMAC modes)
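The control-plane ordering from steps 3 and 4 above (MAC-I over Hdr + SDU, then encryption of SDU + MAC-I with the header left in clear), as an added Python example that is not part of the original slides. The f8 and f9 stand-ins are assumptions (SHA-256 counter-mode keystream and truncated HMAC-SHA256, not EEA/EIA), the two keys are constructed rather than derived from KeNB, and the `count` argument models the per-PDU COUNT input of the real algorithms.

```python
import hashlib, hmac

MAC_I_LEN = 4   # MAC-I is 32 bits

def f9_standin(k_int, count, msg):
    # Integrity stand-in (assumption): truncated HMAC-SHA256, not EIA1/EIA2.
    tag = hmac.new(k_int, count.to_bytes(4, "big") + msg, hashlib.sha256)
    return tag.digest()[:MAC_I_LEN]

def f8_standin(k_enc, count, length):
    # Keystream stand-in (assumption): SHA-256 in counter mode, not EEA1/EEA2.
    out, block = b"", 0
    while len(out) < length:
        seed = k_enc + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def protect(k_enc, k_int, count, hdr, sdu):
    mac_i = f9_standin(k_int, count, hdr + sdu)          # step 3: MAC-I over Hdr + SDU
    body = sdu + mac_i
    # step 4: encrypt SDU + MAC-I; the PDCP header stays in clear
    return hdr + xor(body, f8_standin(k_enc, count, len(body)))

def unprotect(k_enc, k_int, count, pdu, hdr_len=1):
    hdr, body = pdu[:hdr_len], pdu[hdr_len:]
    if len(body) < MAC_I_LEN:
        raise ValueError("PDU too short to carry MAC-I")
    plain = xor(body, f8_standin(k_enc, count, len(body)))
    sdu, mac_i = plain[:-MAC_I_LEN], plain[-MAC_I_LEN:]
    # The header is not encrypted but is still covered by MAC-I.
    if not hmac.compare_digest(mac_i, f9_standin(k_int, count, hdr + sdu)):
        raise ValueError("MAC-I mismatch")
    return sdu

if __name__ == "__main__":
    K_ENC, K_INT = b"E" * 16, b"I" * 16                  # constructed; two different keys
    pdu = protect(K_ENC, K_INT, 7, b"\x05", b"RRC message (constructed)")
    print(pdu.hex(), unprotect(K_ENC, K_INT, 7, pdu))
```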


Ciphering (f8) for User Plane

[Figure: PDCP PDU = PDCP Hdr | PDCP SDU; ENCRYPT covers the PDCP SDU. PDCP Hdr = 1 or 2 octets.]

1. Ciphering ONLY for user plane data
2. Ciphering key derived from the AS base key, KeNB, to be used

Note: Two different ciphering keys are to be used for user plane and control plane

Thank you