Krypto för mobila system

Transcription

1 Inst för Elektro- och Informationsteknik Lunds Universitet Box 118, Lund Internetdagarna 2009

2 Introduction Communication standards for mobile systems: GSM, UMTS (3G), 4G, Bluetooth, WiMax, WLAN,... Symmetric cryptography; stream ciphers, block ciphers, MACs Higher levels: IPsec, SSL (TLS),... Symmetric and asymmetric cryptography; digital signatures, key exchange, identifcation,...

3 Introduction Communication standards for mobile systems: GSM, UMTS (3G), 4G, Bluetooth, WiMax, WLAN,... Symmetric cryptography; stream ciphers, block ciphers, MACs Higher levels: IPsec, SSL (TLS),... Symmetric and asymmetric cryptography; digital signatures, key exchange, identifcation,... We look at GSM!

4 GSM Security GSM is an old communication protocol and has security problems. Problem 1: Cloning of SIM cards. Problem 2: Interception of voice and data.

5 GSM Security GSM is an old communication protocol and has security problems. Problem 1: Cloning of SIM cards. Problem 2: Interception of voice and data. The problems come from weak cryptographic algorithms.

6 GSM and an introduction to its security Services: Voice communication, SMS, packet-switched data with GPRS,...

7 GSM and an introduction to its security Services: Voice communication, SMS, packet-switched data with GPRS,... GSM was designed with a moderate level of security.

8 GSM and an introduction to its security Services: Voice communication, SMS, packet-switched data with GPRS,... GSM was designed with a moderate level of security. The system was designed to authenticate the subscriber using a pre-shared key and challenge-response.

9 The GSM infrastructure

10 Databases The HLR database: administrative information about each registered user of a GSM network along with the current location of the MS. The VLR tracks mobiles that are out of their home network, so that the network will know where to find them. The EIR contains a list of each MS IMEI allowed on the network. White listed: Allowed to connect to the network Grey listed: Under observation for possible problems Black listed: Not allowed to connect to the network

11 Databases The HLR database: administrative information about each registered user of a GSM network along with the current location of the MS. The VLR tracks mobiles that are out of their home network, so that the network will know where to find them. The EIR contains a list of each MS IMEI allowed on the network. White listed: Allowed to connect to the network Grey listed: Under observation for possible problems Black listed: Not allowed to connect to the network AUC database contains IMSI: International Mobile Subscriber Identity TMSI: Temporary Mobile Subscriber Identity LAI: Location Area Identity K i : Authentication Key

12 Security Measures in GSM PIN code (authentication of SIM = local security measure, network not involved).

13 Security Measures in GSM PIN code (authentication of SIM = local security measure, network not involved). User authentication (performed by network).

14 Security Measures in GSM PIN code (authentication of SIM = local security measure, network not involved). User authentication (performed by network). Encryption of information sent over air interface.

15 Security Measures in GSM PIN code (authentication of SIM = local security measure, network not involved). User authentication (performed by network). Encryption of information sent over air interface. Usage of TMSI (instead of IMSI) over air interface.

16 User Authentication

17 Encryption in GSM For each call a new encryption key (K c ) is generated during authentication!

18 Security through Obscurity Authentication and encryption algorithms were never made public Whole security model developed in secret Suspicion that cryptographic algorithms are weak Although never published, encryption algorithm has been reverse engineered!

19 Other major security concerns Only air interface transmission is encrypted

20 Other major security concerns Only air interface transmission is encrypted Encryption key (K C ) used for encryption is only bits long

21 Other major security concerns Only air interface transmission is encrypted Encryption key (K C ) used for encryption is only bits long MS is authenticated to the BS, but the BS is not authenticated to the MS. Allows false base stations (man-in-the-middle attack)

22 A3 and A8 encryption algorithms Operator selected algorithms

23 A3 and A8 encryption algorithms Operator selected algorithms Many operators used COMP128-1

24 A3 and A8 encryption algorithms Operator selected algorithms Many operators used COMP128-1 Reverse engineered by Briceno, Goldberg, Wagner 1998

25 A3 and A8 encryption algorithms Operator selected algorithms Many operators used COMP128-1 Reverse engineered by Briceno, Goldberg, Wagner 1998 They also performed cryptanalysis, allowing to find the preshared secret K i. This makes SIM card cloning possible. The attack requires 2 17 chosen values of RAND (a few hours over-the-air using a fake base station). Side-channel attacks will be much stronger.

26 A3 and A8 encryption algorithms Operator selected algorithms Many operators used COMP128-1 Reverse engineered by Briceno, Goldberg, Wagner 1998 They also performed cryptanalysis, allowing to find the preshared secret K i. This makes SIM card cloning possible. The attack requires 2 17 chosen values of RAND (a few hours over-the-air using a fake base station). Side-channel attacks will be much stronger. New algorithms COMP128-2 and COMP128-3 have been developed.

27 A5 encryption algorithms keystream generator z 1, z 2,... m 1, m 2,... c 1, c 2,... Figure: A binary additive stream cipher A5/0, A5/1, A5/2, A5/3, A5/4

28 A5 history The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret.

29 A5 history The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret. The general design was leaked in 1994

30 A5 history The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret. The general design was leaked in 1994 Reverse engineered in 1999 by Marc Briceno (from a GSM telephone)

31 A5 history The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret. The general design was leaked in 1994 Reverse engineered in 1999 by Marc Briceno (from a GSM telephone) In 2002 a new algorithm A5/3 was adopted, based on the Kasumi block cipher.

32 A5 history The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret. The general design was leaked in 1994 Reverse engineered in 1999 by Marc Briceno (from a GSM telephone) In 2002 a new algorithm A5/3 was adopted, based on the Kasumi block cipher. A5/4

33 Description of A5/1 A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers.

34 Attacking A5/1 in practice Guess-and-Determine - needs some additional FPGA hardware

35 Attacking A5/1 in practice Guess-and-Determine - needs some additional FPGA hardware Time-Memory Tradoff - needs huge precomputations and a large disk

36 Attacking A5/1 in practice Guess-and-Determine - needs some additional FPGA hardware Time-Memory Tradoff - needs huge precomputations and a large disk Correlation Attacks - need a lot of known plaintext

37 Tapping the channel How difficult is it to tap the channel?

38 Tapping the channel How difficult is it to tap the channel? GNU Radio is a free software development toolkit. Provides the signal processing runtime and processing blocks to implement software radios using readily-available, low-cost external RF hardware and commodity processors.

39 Tapping the channel How difficult is it to tap the channel? GNU Radio is a free software development toolkit. Provides the signal processing runtime and processing blocks to implement software radios using readily-available, low-cost external RF hardware and commodity processors. The Universal Software Radio Peripheral (USRP) is a high-speed USB-based board for making software radios. It consists of four high-speed analog-to-digital converters, four high-speed digital-to-analog converters, an FPGA and some glue logic. The USRP is intended to be a relatively cheap hardware device facilitating the building of a software radio. The USRP has an open design, with freely available schematics and drivers, and free software to integrate with GNU Radio.

40 Tapping the channel How difficult is it to tap the channel? GNU Radio is a free software development toolkit. Provides the signal processing runtime and processing blocks to implement software radios using readily-available, low-cost external RF hardware and commodity processors. The Universal Software Radio Peripheral (USRP) is a high-speed USB-based board for making software radios. It consists of four high-speed analog-to-digital converters, four high-speed digital-to-analog converters, an FPGA and some glue logic. The USRP is intended to be a relatively cheap hardware device facilitating the building of a software radio. The USRP has an open design, with freely available schematics and drivers, and free software to integrate with GNU Radio. Ettus Research LLC sells USRPs for US$700.

41 Reflections A wireless channel is extremely vulnerable to passive attacks.

42 Reflections A wireless channel is extremely vulnerable to passive attacks. Also organizations with very small budget can do something.

43 Case study - a Master s project Intercepting GSM traffic

44 Case study - a Master s project Intercepting GSM traffic Undergaduate Sebastian Nilsson, no prior knowledge

45 Case study - a Master s project Intercepting GSM traffic Undergaduate Sebastian Nilsson, no prior knowledge gave him a USRP, and asked him to see what he could do...

46 Case study - results legal issues - unclear situation

47 Case study - results legal issues - unclear situation quickly locate the different base stations and download traffic

48 Case study - results legal issues - unclear situation quickly locate the different base stations and download traffic Traffic statistics, IMSI, TMSI,...

49 Case study - what remains for full interception? technical problems when frequency hopping is used

50 Case study - what remains for full interception? technical problems when frequency hopping is used use some approach to break A5/1 and then recover the conversation

51 Case study - what remains for full interception? technical problems when frequency hopping is used use some approach to break A5/1 and then recover the conversation Hacker organization THC have been working on this...

52 Conclusions Downloading GSM traffic is easy!

53 Conclusions Downloading GSM traffic is easy! If someone develops (free) software for this task, interception of voice and data is possible with almost no additional cost.

54 Conclusions Downloading GSM traffic is easy! If someone develops (free) software for this task, interception of voice and data is possible with almost no additional cost. Passive interception is very difficult to protect against.

55 Conclusions Downloading GSM traffic is easy! If someone develops (free) software for this task, interception of voice and data is possible with almost no additional cost. Passive interception is very difficult to protect against. Do not use GSM if interception is a threat!