PM ASSIGNMENT. Security in Mobile Telephony and Voice over IP

Transcription

1 PM ASSIGNMENT Security in Mobile Telephony and Voice over IP Christian Wallin Danlu Fu David Alfonso

2 1. Security of Mobile Telephony 1.1 Zero Generation Mobile radio telephone system were the predecessor of the first generation of cellular telephones. So it s sometimes referred as 0G (zero generation) systems. Four technologies are used in this system: PTT (Push to Talk or manual), MTS (Mobile Telephone System), IMTS (Improved Mobile Telephone Service), and AMTS (Advanced Mobile Telephone System) systems. The mobile telephone of this generation were usually mounted in cars or trucks. It s not a real mobile telephony system in definition. 1.2 First Generation First Generation (1G) are analog cellphone standards introduces in the 1980s. They include three main standards: NMT (Nordic Mobile Telephone), AMPS (Advanced Mobile Phone System) and TACS (Total Access Communications System). These are all analog standard, so it is very susceptible to static and noise and has no protection from eavesdropping using a scanner. In the 1990s, "cloning" was an epidemic that cost the industry millions of dollars. An unscrupulous eavesdropper with specialized equipment can intercept a handset's ESN (Electronic Serial Number), which is a packet of data sent by the handset to the cellular system for billing purposes. If a ESN is intercepted, it could then be cloned onto a different phone and used in other areas for making calls without paying. 1.3 Second Generation(include 2.5G) The main difference between 1G and 2G is that the radio signals that 1G networks use are analog, while 2G networks are digital. Global System for Mobile communications (GSM) and cdmaone (brand name of Interim Standard 95 (IS-95)) is two main technologies in this generation. And General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGS) are extended on 2G, which are referred as 2.5G for market purpose Security of GSM We will talk mainly about GSM in this section.

3 Figure 1 GSM architecture(from Figure 2 security elements store on different platforms( the gray one shows it will change with the time, the white one never changes) (from zhangfz.ppt?phpsessid=6d63982a64f114d8ede3e1e4b09c1120) Anonymity or Subscriber Identity Confidentiality. IMSI (International Mobile Subscriber Identity) is a unique number stored in the Subscriber Identity Module (SIM) inside the phone and is sent by the phone to the network. In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a TMSI is sent instead. The Temporary Mobile Subscriber Identity (TMSI) is the identity that is most commonly sent between the mobile

4 and the network.. It is a randomly allocated number that is given to the mobile, the moment it is switched on. VLR will store the relation between TMSI and IMSI. Subscriber identity authentication. AuC will give a random number RAND and use algorithm A3 and A8 to produce Vector(RAND,SRES,Kc). When MSC/VLR need vectors, it will send a request MAP-SEND-AUTHENTICATION-INFO to HLR (it will include the IMSI).VLR/MSC receive the vectors and store it. When the MS register on this VLR, it will give one of the RANDS to MS (and other Vectors will be invalid). MS receive the RAND and use the A3,A8 in SIM card to compute the SRES and Kc. A3 is for SRES and A8 is for Kc. It send SRES to VLR/MSC, if SRES equal to the SRES stored in VLR/MSC, this MS complete the authentication. Kc in AuC and SIM will never sent over air. It s calculated by Ki with A8. Key Ki is stored in encryption form in SIM and AuC. See Figure 3. Encryption of user traffic and user control data. When the authentication has completed, MSC send the Kc in vector to BTS. This make the wireless tunnel between MS and BTS can use encrypt way to send sata. This can avoid eavesdropping. MS will use Kc (64 bit) and Fn (22 bit, the frame counter) as parameters of A5, to get the keystream. And use the keystream to encrypt the data.then it send the data to BTS. BTS get the data and use the same keystream to decrypt. The A5/1 and A5/2 stream ciphers are two kinds of A5. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. The weakness of them will be introduced in the following section. See Figure 3. Figure 3 Authentication and Encryption Scheme(fromwww.cs.huji.ac.il/~sans/students_lectures/GSM%20Security.ppt ) A3,A8,A5,Ki,Kc will all not be transported in network, this make the system more secure. See figure Third Generation 3G is the third generation of mobile phone standards and technology, after 2G. It is based on the International Telecommunication Union (ITU) family of standards under the International Mobile Telecommunications program, "IMT-

5 2000". it supports greater numbers of voice and data customers especially in urban areas and higher data rates at lower incremental cost than 2G. Universal Mobile Telecommunications System (UMTS) is one of the thirdgeneration (3G) cell phone technologies. Currently, W-CDMA is used most commonly. Compared with GSM security, 3G have these new security features: For the encryption of data transport: The system define 11 secure algorithm. Key is 128 bit, it s much longer than GSM s. And the algorithm is no more fixed. For the integrity protect: GSM have not but 3G have. User authentication: A new block cipher algorithm called Kasumi is used. IMSI is no more send by cleartext. It will use EUIC to authenticate the user. 1.5Fourth Generation 4G (a.k.a. beyond 3G), an acronym for Fourth-Generation Communications System, is a term used to describe the next step in wireless communications. There is no formal definition for what 4G is; however, there are certain objectives that are projected for 4G. These objectives include: that 4G will be a fully IP-based integrated system. This will be achieved after wired and wireless technologies converge and will be capable of providing 100 Mbit/sec and 1 Gbit/sec speeds both indoors and outdoors, with premium quality and high security. 4G will offer all types of services at an affordable cost. We can not confirm which security mechanism will 4G use now, but it will concerns lot about IP security. reference wikipedia (2007),Mobile Phone< University of Waterloo, Introduction to Mobile Security, < > Dr. S. Muhammad Siddique, Muhammad Amir, GSM Security Issues and Challenges, University of Engineering and Technology Peshawar Pakistan Geir M. Køien and Thomas Haslestad, Security Aspects of 3G-WLAN Interworking, Telenor R&D, Norway

6 2. Security problems with GSM The first security problem with GSM is that the algorithms where held secret so they couldn t be studied. But in 1999 Briceno used a mobile phone and reversed engineered the design of the A5/1 and A5/2 algorithms. Since the basic security of these algorithms are based on that the shared key in the SIM card and the mobile station are kept secret the whole system is vulnerable to anyone who can get their hands on this key. If you get access to the a SIM card you can use a smartcard reader and a normal computer and by brute force calculate the secret key in 8hours with a reader that can make 6.25 queries/sec. After getting the key you can make your own SIM card and make your own calls using the account of the other SIM card. However the operators have a defense mechanism that disables the account if more than one person tries to use the same account at the same time. But this doesn t protect against someone using this information only to listen to calls made by the real SIM card. Getting access to a card for 8hours might be hard once the card is delivered but any corrupted person selling SIM cards could easy make copy of the keys and then listen to calls made by the purchaser. The A5/1 is the most common used algorithm in the western world and is also the most secure of the two. One problem with this is that the key used is still only 64bit long and also the 10 least significant bits are always zero in the deployed versions. There are several attacks today that require different lengths of data and different amount of hard disk space. The most effective attacks use pre computed tables of the initial states of the A5/1 algorithm and then try to match the intercepted output to these tables and then derive the key from the initial state. In a document from 2000 available on site [1] they state different kind of attacks into a table which look like following: Attack Type Preprocessing steps Available data Number of 73GB disks Attack time Biased Birthday attack (1) Biased Birthday attack (2) minutes 4 1 second minutes 2 1 second Random Subgraph attack seconds 4 minutes At the time this document was written 73 GB was the largest available hard disks. Today you will be able to fit all these tables in a single disk and you will even be able to double the size of the biggest table. Since the time of the

7 attacks where calculated based on what computing power was available, also the attack time of these attacks would be a lot less. By increasing the table you can minimize the required data and still have a good chance of finding a match between the pre computed initial states and the intercepted data. Another problem with the standard SIM cards is that you only authenticate the user to the network not the network to the user. Yet another possible problem is that stated on site [2] the operators backbone network is not encrypted at all, so if you manage to get access to their network you will be able to see the key in clear text and also listen to the calls without any encryption. Improvements There is a new USIM card developed that uses a longer key and also make a mutual authentication between the user and the network. This together with an update of the key-function inside the phone will make it much harder to obtain the key from the SIM card. With a longer key there will be much harder to get any information about the key from the encrypted data but these require an update of the A5 algorithm. Another easy way to improve the security is to make the operators encrypt their internal traffic which would take away one more possible attack. Sources: [1] [2] /1999/papers/gsminterception/netsec.html [3] [4]

8 3. Security in Voice over IP Before the voice worked over computer networks, conventional voice also had its own problems. These problems were: 1. Steal of identity: Someone can make a call and he can be identified with a false identity. 2. Illegal listening: An intruder can interfere your conversations. 3. Imprecise costs: This are caused by bad intentioned parts that charge you more money than the real cost. 4. Not requested calls: Is a way of telephone spam. What changed with voice over IP: Something obvious is that when voice came into computer s world, it took all the security problems of this area. The most common attacks are: 1. Denial of Service: With this attack, someone can make the server temporarily unavailable by generating a lot of false requirements and collapsing the server. 2. Attacks that only produce damage to the system: Attacker get into the system and destroy or modify something inside.. 3. Steal: The main purpose of this attack is to steal information or money. It can be done getting or modifying private information. Coming back to VoIP, we can see that things have not changed at all. 1. Steal of identity: The most important point is how can we know who is the person making the call. To do this, the most used protocol is the Session Initiation Protocol (SIP). This protocol can work in three different ways: - With an User Agent (UA). In this case exists an user in the FQDN (Fully Qualified Domain Name), that usually is the telephone number and a password that is used when asking for a connection. A disadvantage is that this process is done using clear text, so the user can be supplanted easily. - Another way is to register using an username, a password, and a telephone number. This system is safer, specially when some information is sent using MD5, but anyway it continues being vulnerable, because it uses security technologies that can be easily broken. - The most insecure system is when sending information without a previous register. Also there had been attempts to use different techniques, such as Access Lists, but it continued being insecure. The safest option is the use of AAA (Authentication, Authorization and Accounting). But it is not a native option in all the systems, and combining it with MD5 is the safest way for preventing this attacks.

9 Only the most expensive systems have this option, the rest make a sip request to a proxy, and this proxy makes the AAA request to a radius, but the call can be intercepted before it reaches the proxy, and there is no security in it. Another protocol that we can use is H323. The most common ways to authenticate a person with this protocol are with a H323 ID, using AAA, using the IP address, using a set of numbers, or combining some of this methods. Although one of the advantages of H323 is that it doesn t send plain text, the safest thing of this method is AAA and the use of H323 ID. Another important point is that in the implementation of H323 we can find the protocol H235, which uses algorithms such as Diffie-Hellman to provide confidentiality between servers and endpoints. 2. Illegal listening: Here we have to say that as voice is sent like data, all the security systems available for data, are also used when sending voice. Is very important the use of VPN, MPLS networks with QoS and this kind of technologies. The problem using this technologies is that we need more headers and we need more bandwidth. Some people are working in a RTP codified protocol, that will help in solving this problem. 3. Imprecise costs: In this area there is no a specific regulation, so users must trust their communication companies. We can note some differences if we use SIP or H323. Using SIP is more difficult to trust in the fare system, because in standard SIP we don t have a complete control of the traffic. It requires that all traffic should go through the server, and it supposes a big amount of work to it. In the case of H323, in the basic implementation is designed that all endpoints should send their status to the gatekeeper, so it can control in a good way the time of the calls and send it to an AAA server in order that price can be charged to a credit card or a similar service. 4. Not requested calls: SIP protocol can accept calls in the endpoints without authentication and is very easy to have access to them only knowing their IP. A thing that we can do to protect against this is to create black or white lists in our systems. Also we can use in H323 a password to have access to our gatekeeper, but it is only available in the most expensive systems. Sources: