Theory and Practice. IT-Security: GSM Location System Syslog XP 3.7. Mobile Communication. December 18, GSM Location System Syslog XP 3.

Transcription

1 Participant: Hack contacting... IT-Security: Theory and Practice Mobile Communication December 18, 2001 Uwe Jendricke Lecture Homepage: Uwe Jendricke, 11/2001 IT-Security: Theory and Practice Mobile Communication 1 IT-Security: Theory and Practice Mobile Communication 2 Location Retrieval starting... Location Retrieval locked Area: Hamburg Mapping... IT-Security: Theory and Practice Mobile Communication 3 IT-Security: Theory and Practice Mobile Communication 4

2 Location Retrieval locked Area: Hamburg Map: zooming Location: Participant Hack in City: Hamburg Location Retrieval locked Area: Hamburg Map: zooming Location: Participant Hack in City: Hamburg Area: Inner City IT-Security: Theory and Practice Mobile Communication 5 IT-Security: Theory and Practice Mobile Communication 6 Participant: Hack arrested Location Retrieval locked Area: Hamburg Map: zooming Location: Participant Hack in City: Hamburg Area: Jungfernstieg/ Neuer Wall LAI: 1837HH483NJ MSISDN: Aus dem Film `Blues Brothers` IT-Security: Theory and Practice Mobile Communication 7 IT-Security: Theory and Practice Mobile Communication 8

3 Characteristics of Mobile Communication Security aspects Moving participants and devices Limited power (HF, CPU, display, etc) of devices Devices change networks (roaming) Radio transmission: - Air interface (broadcast) - Interferences - Limited bandwidth More risks than in fixed networks Location retrieval Movement profiles Adversarial environment Misuse by third parties Wireless interface Electromagnetic compatibility (EMC) IT-Security: Theory and Practice Mobile Communication 9 IT-Security: Theory and Practice Mobile Communication 10 Example: GSM Cell Structure of GSM Global System for Mobile Communication High mobility, even internationally (roaming) Size depending on local conditions and # of users High reachability with only one call number High capacity High availability Integrated security mechanisms: Picocell Mikrocell Makrocell Hypercell Overlaycell d < 100m d < 1 km d < 20 km d < 60 km d < 400 km Encryption of transmitted data Authentification (PIN, Smart Card) Base station for >= 1 cells Temporary identification (pseudonyms) IT-Security: Theory and Practice Mobile Communication 11 IT-Security: Theory and Practice Mobile Communication 12

4 Frequency Usage Architecture (1/2) Efficiency Problems with over range Efficiency decreases with cell size Downsizing cells: Precise location determination More confidentiality Lower transmission power Four subsystems of GSM Mobile Station (= Mobile Equipment + Subscriber Identity Module) Base Station Sub-System Network Sub-System Mobile Switching Center Home Location Register Visitor Location Register Authentication Center Equipment Identity Register Network Management Center Operation and Maintenance Center IT-Security: Theory and Practice Mobile Communication 13 IT-Security: Theory and Practice Mobile Communication 14 Architecture (2/2) AUC Authentication Center EIR Equipment Identity Register BS Base Station GMSC Gateway MSC MS Mobile Station PSTN Public Switched Telephone Network Example: Calling from fixed network Caller Guest MSC Home MSC Routing to GMSC Connecting to home-msc Reading of HLR VLR-address Guest-MSC address IMSI Connecting to guest-msc Reading from VLR (IMSI -> TMSI) Connecting to MS (with TMSI) Authentication of the MS by challenge-response (with AuC) Call setup Location Areas IT-Security: Theory and Practice Mobile Communication 15 Location AuC Authentication Center BS Base Station EIR Equipment Identity Register GMSC Gateway Mobile Switching Center Location Areas TMSITemporary Mobile Subscriber Number IT-Security: Theory and Practice Mobile Communication Subscriber Identity Module 16

5 Subscriber Identity Module Smart Card in Mobile Station (Mobile Phone) Stores private user data Splitting device- and user mobility K i (user specific, symmetric key) Algorithm A3 for challenge-response-authentication Algorithm A8 for generation of K c LAI PIN IMSI TMSI user specific symmetric session key MS Mobile Station PIN Personal Identification Number TMSI Temporary Mobile Subscriber Number LAI Location Area Identification Home Location Register HLR HLR stores data of the user IMSI (International Mobile Subscriber Number) MSISDN (Mobile Subscriber International ISDN Number) Personal data (name, address, bank account, etc.) Service profile (priorities, call forwarding, restrictions) VLR-address, guest-msc-address Billing data Security conflict: Reachability location information MSISDN Mobile Subscriber International ISDN Number TMSI Temporary Mobile Subscriber Number IT-Security: Theory and Practice Mobile Communication 17 IT-Security: Theory and Practice Mobile Communication 18 Visitor Location Register VLR VLR stores data of the user used at the MSC IMSI, MSISDN TMSI (Temporary Mobile Subscriber Identity) MSRN (Mobile Station Roaming Number) LAI (Location Area Identification) Home-MSC-address, HLR-address Billing data TMSI Temporary Mobile Subscriber Number MSISDN Mobile Subscriber International ISDN Number Authentication Center AuC Stores user key K i Generates session key K c from K i and random number Authentication with challenge-response AuC sends random number to mobile AuC receives response (generated on the by A3 (with challenge as input)) AuC compares response to self generated value Algorithm A3 Not standardized Defined by telecommunication company (telco) Secret algorithm: security by obscurity Subscriber Identity Module symmetric user key, in and in AuC IT-Security: Theory and Practice Mobile Communication 19 IT-Security: Theory and Practice Mobile Communication 20

6 Repeat: Call from fixed network Guest MSC Location Caller Home MSC Location Areas Routing to the GMSC Connecting to home-msc Reading from HLR VLR-address Guest-MSC address IMSI Connecting to guest-msc Reading from VLR (IMSI -> TMSI) Connecting to MS (with TMSI) Authentication of MS by challengeresponse (with AuC) Call setup AUC Authentication Center BS Base Station EIR Equipment Identity Register TMSITemporary Mobile Subscriber Number Subscriber Identity Module User Authentification Mobile Station A3 Initiated at: Location registration Location update with VLR-switching Call setup (in both directions) Activation of additional services Short Message Service (SMS) Authentication Request RAND Unilateral Authentication! AuC RandomGenerator A3 Authentication Response SRES 32 bit = True? 32 bit A3 secret algorithm AuC Authentication Center user specific symmetric key Subscriber Identity Module IT-Security: Theory and Practice Mobile Communication 21 IT-Security: Theory and Practice Mobile Communication 22 Pseudonymization of the user Mobile Station TMSI old IMSI TMSI new (Message with TMSI) old LAI, old TMSI When TMSI not known: identity request identity response(imsi) TMSI reallocation command {new TMSI} TMSI reallocation complete TMSI (Temporary Mobile Subscriber Identity) No linkability of user s actions Algorithm for generation: by telco Transmission of IMSI at first login or after error (attack: IMSI-Catcher) Network VLR: relation TMSI - IMSI VLR: generation of TMSI VLR: storing TMSI BSC:encryption with Deleting old TMSI BSC Base Station Controller user specific symmetric session key LAI Location Area Identification Subscriber Identity Module TMSITemporary Mobile Subscriber Number Link Encryption (1/2) Mobile Station A8 stored in used in MS Key generation Authentication Request RAND AuC RandomGenerator A8 64 bit 64 bit is session key Algorithm A8 In and in authentication center AuC parameterized one way function Standardized interfaces, non-standardized algorithm A3/A8 known as COMP128 stored in HLR used in BSC AuC Authentication Center BSC Base Station Controller user specific symmetric session key MS Mobile Station Subscriber Identity Module IT-Security: Theory and Practice Mobile Communication 23 IT-Security: Theory and Practice Mobile Communication 24

7 Link Encryption (2/2) 64 bit Mobile Station 114 bit bit Cleartext xor block Cleartextblock TDMA- Frame Number Key block 22 bit Transmission Ciphering Mode Command (Encryption Mode) Encrypted text (Ciphering Mode Complete) Algorithm In the mobile station, not in! Worldwide standardization Weak algorithm * or /2 in some countries Netz TDMA- Frame- Number 22 bit 114 bit + xor 64 bit AuC Authentication Center BSC Base Station Controller user specific symmetric session key MS Mobile Station Subscriber Identity Module TDMA Time Division Multiple Access Security in GSM: Overview Mobile Station Base Station (BS) Guest-MSC Home-MSC A3 A8 Encrypted radio transmission BS-Controller RAND SRES Non-encrypted directed radio transmission VLR generatestmsi AuC RandomGenerator = IMSI A3 A8 Non-encrypted transmission by wire HLR IT-Security: Theory and Practice Mobile Communication 25 IT-Security: Theory and Practice Mobile Communication 26 Security Relevant Functionality for access control (PIN) and authentication Unilateral authentication (MS network) by challenge-response Pseudonymization of the participants on the air interface (TMSI) Link encryption on the air interface Security Problems in GSM Confidentiality of location information only against outsider Radio-bearing of MS possible No bit transparency no end-to-end encryption possible No end-to-end authentication Some secret crypto algorithms Only symmetric crypto algorithms Key management without user control No anonymous activity possible Users must trust the billing data IT-Security: Theory and Practice Mobile Communication 27 IT-Security: Theory and Practice Mobile Communication 28

8 Protection of location information Further Information Hannes Federrath: Mobile Communication Database request Database request GSM Security and Links Distribution service Hack by german Chaos Computer Club (in german) Trusted Area Personal Trusted Area Exercise on Thursday, in Building 051, SR Source: Hannes Federrath IT-Security: Theory and Practice Mobile Communication 29 IT-Security: Theory and Practice Mobile Communication 30