Authentication and Security in Mobile Phones



Similar documents
Development of Wireless Networks

GSM and UMTS security

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

TETRA Security. TETRA MoU Association Association House South Park Road Macclesfield Sk11 6SH England

Chapters 1-21 Introduction to Wireless Communication Systems

GSM v. CDMA: Technical Comparison of M2M Technologies

Hello viewers, welcome to today s lecture on cellular telephone systems.

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Mobile Communications TCS 455

Global System for Mobile Communication Technology

Mobile Phone Security. Hoang Vo Billy Ngo

Lecture 9 - Message Authentication Codes

1 Data Encryption Algorithm

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

The Misuse of RC4 in Microsoft Word and Excel

Mobile Office Security Requirements for the Mobile Office

UMTS security. Helsinki University of Technology S Security of Communication Protocols

Wireless Cellular Networks: 1G and 2G

How To Use A Femtocell (Hbn) On A Cell Phone (Hbt) On An Ipad Or Ipad (Hnt) On Your Cell Phone On A Sim Card (For Kids) On The Ipad/Iph

Ch GSM PENN. Magda El Zarki - Tcom Spring 98

Table of Contents. Bibliografische Informationen digitalisiert durch

Message Authentication

Client Server Registration Protocol

Network Security. Security of Wireless Local Area Networks. Chapter 15. Network Security (WS 2002): 15 Wireless LAN Security 1 Dr.-Ing G.

Wireless Mobile Telephony

CS Cellular and Mobile Network Security: GSM - In Detail

GSM Risks and Countermeasures

The GSM and GPRS network T /301

SPINS: Security Protocols for Sensor Networks

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Security in Near Field Communication (NFC)

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

CS Cellular and Mobile Network Security: CDMA/UMTS Air Interface

FIGURE 12-1 Original Advanced Mobile Phone Service (AMPS) frequency spectrum

Theory and Practice. IT-Security: GSM Location System Syslog XP 3.7. Mobile Communication. December 18, GSM Location System Syslog XP 3.

MOBILE COMMUNICATION SYSTEMS AND SECURITY

ETSI ETR 278 TECHNICAL March 1996 REPORT

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Module 5. Broadcast Communication Networks. Version 2 CSE IIT, Kharagpur

SecureCom Mobile s mission is to help people keep their private communication private.

IT Networks & Security CERT Luncheon Series: Cryptography

Chapter 6 CDMA/802.11i

ETSI TS V1.2.1 ( )

Chapter 6 Bandwidth Utilization: Multiplexing and Spreading 6.1

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23


Security Requirements for Wireless Networking

Network Security: Cryptography CS/SS G513 S.K. Sahay

SAS Data Set Encryption Options

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Message Authentication Codes

Bit Chat: A Peer-to-Peer Instant Messenger

Security in Wireless Local Area Network

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

Wireless Security: Token, WEP, Cellular

Indian Journal of Advances in Computer & Information Engineering Volume.1 Number.1 January-June 2013, Academic Research Journals.

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cellular Network Organization. Cellular Wireless Networks. Approaches to Cope with Increasing Capacity. Frequency Reuse

A NOVEL STRATEGY TO PROVIDE SECURE CHANNEL OVER WIRELESS TO WIRE COMMUNICATION

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

TLS and SRTP for Skype Connect. Technical Datasheet

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

!!! "# $ % & & # ' (! ) * +, -!!. / " 0! 1 (!!! ' &! & & & ' ( ' 3 ' Giuseppe Bianchi

Cellular Networks: Background and Classical Vulnerabilities

Wireless Access of GSM

Authentication requirement Authentication function MAC Hash function Security of

Global System for Mobile Communication (GSM)

Network Security - ISA 656 Introduction to Cryptography

Security features include Authentication and encryption to protect data and prevent eavesdropping.

Dashlane Security Whitepaper

Wireless Networks. Welcome to Wireless

Security Policy for Oracle Advanced Security Option Cryptographic Module

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Recommendation for Applications Using Approved Hash Algorithms

GSM Research. Chair in Communication Systems Department of Applied Sciences University of Freiburg 2010

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

CS263: Wireless Communications and Sensor Networks

Content Teaching Academy at James Madison University

Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

The next generation of knowledge and expertise Wireless Security Basics

Victor Shoup Avi Rubin. Abstract

Mobile Wireless Overview

CS 758: Cryptography / Network Security

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Installation and usage of SSL certificates: Your guide to getting it right

How To Understand Cellular Communications

Security Evaluation of CDMA2000

Network Security. A Quick Overview. Joshua Hill josh-web@untruth.org

Global System for Mobile Communications (GSM)

Transcription:

Authentication and Security in Mobile Phones Greg Rose QUALCOMM Australia ggr@qualcomm.com ABSTRACT Mobile telephone systems have a checkered reputation regarding security and authentication features after incidents such as Squidgy in the U.K. and eavesdropping on Newt Gingrich s calls in the U.S.. Cellphone fraud accounted for approximately US$750M in lost revenue in North America in 1996. Authentication and security in cellular phones are therefore important issues, and there is existing and ongoing efforts both in the United States and Europe. This paper provides an introduction to these facilities. Introduction Security and authentication features were rudimentary in the original analog cellular phones. This led to a strong industry performing cellular phone fraud. In 1996 this industry cost the legitimate service providers some US$750M in revenue in the United States alone, which represented approximately 3% of total industry revenue. [ctia] Authentication and security in cellular phones are therefore important issues, and there is existing and ongoing work both in the United States and Europe. Second generation phones have attempted to address the authentication problem, and to a lesser extent the security and privacy problems. The reason for this ordering is simply that authentication is linked to revenue, while at the moment customers are generally unwilling to pay for security and privacy. The original cellular phone standard is colloquially known as AMPS (Analog Mobile Phone Standard). The second generation analog standard is, not surprisingly, called NAMPS (New AMPS). There are also a number of different digital standards. Australia uses GSM (Groupe Speciale Mobile), developed in Europe, while the U.S. has two competing standards, TDMA and CDMA (Time and Code (resp) Division Multiple Access). TDMA is similar in concept to GSM, but very different in detail, while CDMA is radically different being a spread spectrum system. Note: The term PCS (Personal Communication System) is often thought of as a different type of cellular system. Really the only difference between PCS and Cellular communication is the frequencies used. Cellular systems operate in the 800-900 MHz band, while PCS is in the 1.8-1.9GHz band. There are PCS versions of the digital standards, but not for analog. All of the cryptographic content of the various standards is based on secret key technology. The main reasons for this are: the processors in phones, and particularly for GSM as will become evident, are quite limited. 1

air bandwidth for call setup argues for short messages, while public key systems tend to send large chunks of data around. This may change in the next few years, or it may not. Public Key technology based around Elliptic Curves along with faster processors may alleviate these problems. As far as the authentication and security infrastructure goes, the new standards fall into two groups; GSM stands alone, while the various U.S. standards share quite a lot of infrastructure and architecture. Since the standard which defines the common infrastructure was called the ANSI accredited TIA IS-41 standard [is41] these are commonly called IS-41 systems, even though the standard has subsequently been accredited by ANSI. In the following discussion I will use the IS-41 name for anything which has an analog in GSM. At the time of writing, third generation standards are being developed. The new European standard is called UMTS; the international standard is called IMT-2000, and will probably incorporate both UMTS and future US-developed standards. Where decisions have been made in these efforts, they will be noted below. Keys At the top level, both systems have a master key, called the A-Key in IS-41. This is 64 bits (IS-41), or 128 bits (GSM). (In future, all keys in both systems will be 128 bits.) This is used for authentication of the mobile, and for generation of subkeys. In GSM, the top level key is used to generate authentication signatures (64 bits) and session keys (64 bits) directly. In IS-41, intermediate keys called Shared Secret Data are generated. There is an SSD-A which is used in authentication signatures, and an SSD-B which is used for cryptographic key generation. These are each 64 bits. There are also three session keys generated from SSD-B: The CMEAkey (64 bits) The Voice Privacy Mask (520 bits) The DataKey (32 bits) 2

SSD-A A-key CAVE SSD-B Figure 1 - generation of Shared Secret Data in IS-41. Details of the algorithms which use these various keys appear below. Figure 1 shows the manner in which the various keys are generated in IS-41. The inputs from the mobile phone are things like the Equipment Serial Number and software revision. The network broadcasts a random number, which is also input to the algorithm. Authentication Signatures Before allowing a mobile phone to access the network, the phone must present a response to a challenge, based on the SSD-A (IS-41) or the master key (GSM). In IS-41 the phone itself contains the secret key, and the algorithm (CAVE) which is used to calculate the signature. CAVE is detailed in an export-controlled appendix to the standard, and hence is standardised in all the phones. Figure 2 details the signature calculation process. SSD-A CAVE 1-800-555-1212 Figure 2 - IS-41 authentication signature calculation. 3

Note that, for originating a call, the phone number is also input to the algorithm. This is because the random challenge is broadcast and changes regularly, instead of being unique to the origination. This saves message overhead both over the air and within the network. The output from CAVE is truncated to 18 bits, meaning that there is about 1 chance in ¼ million of faking a call by sending a random signature. At these odds, I would invest in the lottery. The shared secret data can be sent to the visited system while roaming, allowing local authentication. If encryption is supported, the various privacy keys are generated soon afterward. CAVE is a hashing algorithm which works by using a shift register driven walk over the input data and a somewhat random table, and shuffling the inputs. It takes 23 octets of input and produces 16 octets of output. Future IS-41 systems will replace most of the functionality of CAVE with SHA-1, the US FIPS-180-1 Secure Hash Standard. In GSM, the picture is quite different, although conceptually similar. The challenge is unique, and is generated within the home system (the system where the phone is registered). The algorithm and the master key are both stored on a smart card called a SIM (Subscriber Identity Module). This allows for the possibility that the algorithm may actually vary with different service providers, and indeed this is the case for about 40% of phones. The interface to which the algorithm adheres is called A3, and it accepts a 64 bit challenge and produces a 64 bit response, based on the secret key in the SIM. At the same time, an algorithm whose interface is called A8 calculates the corresponding session key for privacy during the call. The standard algorithm performing these functions together is called COMP128. This algorithm is held tightly secret by the GSM MoU (Memorandum of Understanding Group); only the interface to it is public. Because the algorithm might not even be known at a visited system, the home system has to perform all of the verification and key generation functions. As an optimisation for network traffic, a number of triplets are forwarded upon the first access. These consist of: 1. A challenge to be sent to the mobile station 2. The expected response 3. The session key to be used after authentication succeeds. Relying on the secrecy of the algorithm is rarely a good move, and indeed COMP128 was disclosed in 1998. Furthermore, the algorithm is weak, allowing disclosure of the A-Key with a few million interactions with the SIM card. The architecture for UMTS is largely settled. The "triples" will be called the Authentication Vector, and have five elements. There are now two session keys, one for privacy and one for message origin authentication (MAC). The fifth element authenticates the network to the mobile; combined with freshness guarantees, this prevents any form of man-in-the-middle attacks. Encryption for secrecy in GSM In GSM the situation for secrecy of voice, signaling data and user data is simple. Once the session has been authenticated, encryption is turned on and everything is protected by the same algorithm, a stream cipher notionally known as A5. Actually, there are three different 4

algorithms, which are negotiated between the phone and the network. A5/1 is based on three shift registers with complicated stepping control, similar to the algorithm mentioned in Schneier [sch96] but not quite. The exact algorithm was reverse engineered early in 1999. A5/2 is a weakened version of A5/1, in which the stepping is controlled by a fourth independent shift register. There is also the option of no encryption, colloquially called A5/0. The first two of these algorithms are also tightly controlled by the GSM MoU. Unlike the A3/A8 algorithm(s), though, these ones are built into the phone itself, because the SIM doesn t have enough CPU power to calculate the outputs in real time. Encryption for secrecy in IS-41 In the U.S. standards the situation is much more complicated. Voice privacy AMPS, NAMPS none at all. TDMA a fixed voice privacy mask is XORed with the digitised voice. Cryptographically insecure. CDMA most of the voice privacy mask is ignored, but the last 42 bits are used as an offset for the output of a linear feedback shift register. Cryptographically this is also not very strong, but this output is used as a spreading code for the spread spectrum transmission. This means that, without knowing the code in advance, it is difficult to even sort out the signal from the background noise. Signaling data privacy Data such as numbers dialed, short messages (paging), and DTMF tones are put into data packets and are encrypted using CMEA (Cellular Message Encryption Algorithm). This is a variable length block cipher, which works by a table walk using a key-derived somewhat random table, a self-inverse folding and the inverse of the first step. This makes the algorithm itself self-inverse, which isn t such a hot idea in retrospect. The cipher is used in ECB (Electronic Code Book) mode, ditto. The packet formats differ for the three standards, but the algorithm is the same. CMEA has been broken [wag97]. A short term drop-in replacement has been proposed and adopted, but is not yet widely deployed. Data encryption A stream cipher called ORYX (not an acronym, but upper case anyway) is used for data encryption. It has three Galois configuration linear feedback shift registers, one of which steps normally, and controls the other two; one of these steps according to two different polynomials; the other steps once or twice per byte. The high bytes are passed through a lookup table and combined to form one octet of the output mask. The key length is intentionally very short, for export purposes. ORYX has also been broken. Future development There is a long term plan to replace the architecture in IS-41 so that hopefully there won t be so many different algorithms in use. New algorithms in IS-41 will be strong, publicly 5

scrutinised algorithms. In the short term both CMEA and ORYX are being replaced with a strengthened version of CMEA. [ctia] [is41] [sch96] [wag97] Cellular Telecommunications Industry Association, exerpt from confidential report, June 1997. TIA IS-41C, Telecommunications Industry Association, 1995. B. Schneier, Applied Cryptography, Second edition, Wiley 1996 B. Schneier, J. Kelsey and D. Wagner, Cryptanalysis of the Cellular Message Encryption Algorithm, Proc. Crypto 97. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information