Cryptography for mobile systems

Department of Electrical and Information Technology, Lund University, Box 118, 221 00 Lund. Internetdagarna 2009

Introduction
- Communication standards for mobile systems: GSM, UMTS (3G), 4G, Bluetooth, WiMax, WLAN, ...
  Symmetric cryptography; stream ciphers, block ciphers, MACs
- Higher levels: IPsec, SSL (TLS), ...
  Symmetric and asymmetric cryptography; digital signatures, key exchange, identification, ...
- We look at GSM!

GSM Security
- GSM is an old communication protocol and has security problems.
- Problem 1: Cloning of SIM cards.
- Problem 2: Interception of voice and data.
- The problems come from weak cryptographic algorithms.

GSM and an introduction to its security
- Services: Voice communication, SMS, packet-switched data with GPRS, ...
- GSM was designed with a moderate level of security.
- The system was designed to authenticate the subscriber using a pre-shared key and challenge-response.

The GSM infrastructure

Databases
- The HLR database: administrative information about each registered user of a GSM network along with the current location of the MS.
- The VLR tracks mobiles that are out of their home network, so that the network will know where to find them.
- The EIR contains a list of each MS IMEI allowed on the network.
  - White listed: Allowed to connect to the network
  - Grey listed: Under observation for possible problems
  - Black listed: Not allowed to connect to the network
- AUC database contains
  - IMSI: International Mobile Subscriber Identity
  - TMSI: Temporary Mobile Subscriber Identity
  - LAI: Location Area Identity
  - K_i: Authentication Key

Security Measures in GSM
- PIN code (authentication of SIM = local security measure, network not involved).
- User authentication (performed by network).
- Encryption of information sent over air interface.
- Usage of TMSI (instead of IMSI) over air interface.

User Authentication

Encryption in GSM
- For each call a new encryption key (K_c) is generated during authentication!
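The challenge-response authentication and per-call key derivation described above, as an added example that is not part of the original slides. HMAC-SHA256 is an assumed stand-in for the operator-selected A3/A8 algorithms, and the class names, function names, IMSI and K_i value are hypothetical.

```python
import hashlib
import hmac
import os

def a3a8_standin(ki, rand):
    """Assumed stand-in for the operator's A3/A8 (not COMP128).
    Returns (SRES, Kc): a 32-bit response and a 64-bit session key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Authentication centre: holds K_i per IMSI and issues triplets."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplet(self, imsi, rand=None):
        rand = rand if rand is not None else os.urandom(16)  # 128-bit challenge
        sres, kc = a3a8_standin(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """Subscriber side: K_i stays on the card; SRES is what gets sent back."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        # The card answers any RAND it receives; nothing in the exchange
        # lets it check who issued the challenge.
        return a3a8_standin(self._ki, rand)

def authenticate(auc, sim):
    """One run: network sends RAND, MS returns SRES, both ends derive K_c."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_mobile = sim.respond(rand)
    ok = hmac.compare_digest(sres, expected_sres)
    return ok, kc_network, kc_mobile

# Constructed sample subscriber (IMSI and K_i are made-up values).
IMSI = "001010123456789"
KI = bytes(range(16))
auc = AuC()
auc.provision(IMSI, KI)
```

A SIM holding the right K_i passes and ends up with the same K_c as the network; a card with a different K_i fails the SRES comparison.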

Security through Obscurity
- Authentication and encryption algorithms were never made public
- Whole security model developed in secret
- Suspicion that cryptographic algorithms are weak
- Although never published, encryption algorithm has been reverse engineered!

Other major security concerns
- Only air interface transmission is encrypted
- Encryption key (K_c) used for encryption is only 54-64 bits long
- MS is authenticated to the BS, but the BS is not authenticated to the MS. Allows false base stations (man-in-the-middle attack)

A3 and A8 encryption algorithms
- Operator selected algorithms
- Many operators used COMP128-1
- Reverse engineered by Briceno, Goldberg, Wagner 1998
- They also performed cryptanalysis, making it possible to find the preshared secret K_i. This makes SIM card cloning possible. The attack requires 2^17 chosen values of RAND (a few hours over-the-air using a fake base station). Side-channel attacks will be much stronger.
- New algorithms COMP128-2 and COMP128-3 have been developed.

A5 encryption algorithms
[Figure: A binary additive stream cipher. The keystream generator output z_1, z_2, ... is combined with the message m_1, m_2, ... to give the ciphertext c_1, c_2, ...]
- A5/0, A5/1, A5/2, A5/3, A5/4

A5 history
- The original design was A5/1 (1987), but due to export restrictions the weaker A5/2 was developed (1989). Both were kept secret.
- The general design was leaked in 1994
- Reverse engineered in 1999 by Marc Briceno (from a GSM telephone)
- In 2002 a new algorithm A5/3 was adopted, based on the Kasumi block cipher.
- A5/4

Description of A5/1 A register is clocked if its clocking bit (orange) agrees with the majority of the clocking bits of all three registers.
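The majority clocking rule, together with the binary additive stream cipher from the earlier slide, as an added example that is not part of the original slides. Register lengths, tap positions and key loading follow the publicly described A5/1 design; the function names, key and frame number are constructed for illustration.

```python
# A5/1 as publicly described. Each entry: (length, clocking-bit index, feedback taps).
REGS = ((19, 8, (18, 17, 16, 13)),
        (22, 10, (21, 20)),
        (23, 10, (22, 21, 20, 7)))

def bit(x, i):
    return (x >> i) & 1

def step(reg, idx):
    """Shift register idx one position, feeding the XOR of its taps into bit 0."""
    length, _, taps = REGS[idx]
    fb = 0
    for t in taps:
        fb ^= bit(reg, t)
    return ((reg << 1) & ((1 << length) - 1)) | fb

def majority_clock(state):
    """Only registers whose clocking bit equals the majority of the three move."""
    cbits = [bit(r, REGS[i][1]) for i, r in enumerate(state)]
    maj = 1 if sum(cbits) >= 2 else 0
    moved = [c == maj for c in cbits]
    return [step(r, i) if moved[i] else r for i, r in enumerate(state)], moved

def out_bit(state):
    """Keystream bit = XOR of the most significant bit of each register."""
    return bit(state[0], 18) ^ bit(state[1], 21) ^ bit(state[2], 22)

def keysetup(key, frame):
    """Load the 64-bit key and 22-bit frame number, then mix for 100 clocks."""
    state = [0, 0, 0]
    for i in range(64):                      # all registers step; key bit XORed into bit 0
        kb = bit(key[i // 8], i & 7)
        state = [step(r, j) ^ kb for j, r in enumerate(state)]
    for i in range(22):                      # same procedure for the frame number
        fb = bit(frame, i)
        state = [step(r, j) ^ fb for j, r in enumerate(state)]
    for _ in range(100):                     # majority clocking, output discarded
        state, _moved = majority_clock(state)
    return state

def keystream(key, frame, nbits=114):
    """Produce nbits of keystream z_1, z_2, ... for one frame."""
    state, z = keysetup(key, frame), []
    for _ in range(nbits):
        state, _moved = majority_clock(state)
        z.append(out_bit(state))
    return z

def xor_bits(bits, z):
    """Binary additive stream cipher: c_i = m_i XOR z_i (the same call decrypts)."""
    return [b ^ k for b, k in zip(bits, z)]

KEY = bytes.fromhex("0123456789abcdef")      # constructed sample K_c
FRAME = 0x21                                  # constructed sample frame number
```

Because the majority always includes at least two clocking bits, every call to `majority_clock` moves two or three registers, never fewer.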

Attacking A5/1 in practice
- Guess-and-Determine - needs some additional FPGA hardware
- Time-Memory Tradeoff - needs huge precomputations and a large disk
- Correlation Attacks - need a lot of known plaintext

Tapping the channel
- How difficult is it to tap the channel?
- GNU Radio is a free software development toolkit. It provides the signal processing runtime and processing blocks to implement software radios using readily-available, low-cost external RF hardware and commodity processors.
- The Universal Software Radio Peripheral (USRP) is a high-speed USB-based board for making software radios. It consists of four high-speed analog-to-digital converters, four high-speed digital-to-analog converters, an FPGA and some glue logic. The USRP is intended to be a relatively cheap hardware device facilitating the building of a software radio. The USRP has an open design, with freely available schematics and drivers, and free software to integrate with GNU Radio.
- Ettus Research LLC sells USRPs for US$700.

Reflections
- A wireless channel is extremely vulnerable to passive attacks.
- Even organizations with a very small budget can do something.

Case study - a Master's project
- Intercepting GSM traffic
- Undergraduate Sebastian Nilsson, no prior knowledge
- gave him a USRP, and asked him to see what he could do...

Case study - results
- legal issues - unclear situation
- quickly locate the different base stations and download traffic
- Traffic statistics, IMSI, TMSI, ...

Case study - what remains for full interception?
- technical problems when frequency hopping is used
- use some approach to break A5/1 and then recover the conversation
- Hacker organization THC have been working on this...

Conclusions
- Downloading GSM traffic is easy!
- If someone develops (free) software for this task, interception of voice and data is possible with almost no additional cost.
- Passive interception is very difficult to protect against.
- Do not use GSM if interception is a threat!