UMTS Network Level Security; Investigation on Security Improvements

1
UMTS Network Level Security Investigation on
Security Improvements

• Thesis Author Yue Feng
• Supervisor Professor Sven-Gustav Häggman
• Instructor Lic. Tech Michael Hall

2

• Dedicate this thesis to my parents,
• Diwei Feng and Shuhua Yang for being the best
  parents can be

3
Presentation outline

• Background
• Thesis objectives
• Thesis scope
• Network level security of mobile systems
• Introduction to UMTS
• UMTS network level security
• Proposals for secuity impovements
• Conclusions

4
Background

• 3G era is coming, e.g., UMTS
• Security is becoming more and more concerned for
  3G cellular systems, since they are wireless,
  much more complex than 2G cellular systems, and
  especially more sophisticated attacking means are
  available
• It is believed that attacks against mobile
  systems will not cease, as motives are as usual
  for fun, criminality, Premium rate mobile
  services, unintentional attacks
• Network level security attacks can be mainly
  categoried into DoS (location update spoofing,
  and radio jamming), masquerade,
  man-in-the-middle, replay, hijacking
• Network level security focuses on
  confidentiality, authentication, integrity
  protection, user and location confidentiality,
  and availability

5
Thesis objectives

• To present GSM network level security features
  retained in UMTS
• To present UMTS network level security features
  in 3GPP Release 1999, and MAPsec and IPsec based
  Network Domain Security (NDS)
• To present network level security features
  specific for UMTS, prior to GSM network level
  security features
• Proposals for mitigating unintentional radio
  jamming in uplink in UMTS such proposals can
  not totally cancel such radio jamming
• Proposals for interoperation in terms of security
  between UMTS and cdma2000 1X roaming users

6
Thesis scope

• Focuses only on the UMTS network level security
  specified in 3GPP Release 1999, and MAPsec and
  IPsec based Network Domain Security (NDS), i.e.,
  system level security and protocol level security
• Application security, operating system security,
  and physical facilities security are out of the
  scope

7
Network level security of mobile systems

• In 400 B.C, ancient Greeks already mastered the
  encryption skill called as skytals
• A big leap during World War II
• Network level security of 1G cellular systems was
  nothing
• Identities transfer over air ?cloning
• No encryption ? interception
• Lesson was learned that security has to be
  desgined from the beginging phase of the design
  of the whole system, for what ?

8
GSM network level security 1

• GSM network level security features
• Subscriber identity and location confidentiality
• Subscriber identity authentication
• Signalling data and user data confidentiality
• Security features are realized by security
  mechanisms
• GSM network level security mechanisms
• Subscriber identity and location confidentiality
  mechanism
• GSM Authentication and Key Agreement (AKA)
  mechanism
• GSM signalling data and user data confidentiality
  mechanism

9
GSM network level security 2

• GSM network level security relies on
• International Mobile Subscriber Identity (IMSI) ?
  Temporary Mobile Subscriber Identity (TMSI) note
  in exceptional cases GSM subscriber can be only
  identified by IMSI transferred over the air
  interface
• Subscriber Authentication Key Ki (128bits) only
  secured in Subscriber Identity Module (SIM) and
  Authentication Center (AuC)
• COMP-128 based Authentication Algorithm A3 and
  Ciphering Key Generating Algorithm A8 only
  secured in SIM and AuC RES(32bits)A3Ki(RAND)
  Kc(64bits)A8Ki(RAND)
• Stream cipher based Ciphering Algorithm A5
  secured in all Mobile Equipments (MEs) and Base
  Station Transceivers (BTSs) CipheringStream(114bi
  ts)A5(Kc, Frame Number) note ME is the terminal
  part of Mobile Station (MS)!

• Authentication of a user implies
  authenticating the right knowledge of Subscriber
• Authentication Key

10
Weaknesses of GSM network level security 1

• Weaknesses of GSM Network Level Security ?
  Threats against GSM network level security cf.
  Section 2.3.3
• Unilateral authentication of MS towards network
  can cause for active attacks from a false BTS
• An Authenticaion Vector (AV) may be indefinately
  used
• Encryption is provided between the MS and the
  BTS, but not further into the network
• GSM only provides access security but not Network
  Domain Security (NDS) and security data is
  transmitted in plain text between mobile networks
• No cryptographic integrity protection provided
  leaves a door for man-in-the-middle and hijacking
  attacks note Cyclic Reduncy Checking (CRC) is
  not the cryptographic integrity protection
• Therefore, protection against the
  man-in-the-middle and hijacking attacks can
  partialy rely on the encryption unfortunately
  GSM encryption can be disabled
• To be continued

11
Weaknesses of GSM network level security 2

• Cryptographic algorithms are lack of confidence ?
  64-bit Ciphering Key (Kc) is short COMP128 base
  A3/A8 algorithms are poor (published on Internet
  in 1998 by Briceno and Goldberg) Ciphering
  Algorithm A5/2 is the deliberately weakened
  version of Ciphering Algorithm A5/1 for export
  control regulations Biryukov, Shamir, and Wagner
  demonstrated how A5/1 could be cracked less than
  one second on a Personal Computer (PC)
• Interfaces of law enforcement was not included in
  the design of GSM ? could be only considered as
  an afterthought

12
cdma2000 1X network level security 1

• For the later proposals for interoperation in
  terms of security between UMTS and cdma2000 1X
  roaming users
• Two-level network level security hierachy
  wireless network security and RADIUS/AAA
• Wireless network security includes cdma2000 1X
  RAN Authentication Mechanisms
• Initial registration mechanism (Global challenge
  authentication)
• SSD update mechanism (when SSD is shared) is a
  mutual authentication mechansim
• Wireless network security also includes cdma2000
  1X user identity and location confidentiality
  mechanism and cdma2000 1X signalling data and
  user data confidentiality mechanism cf. Section
  2.4.1 and Section 2.4.2.2 in the thesis
• RADIUS/AAA authenticates user access to Packet
  Switched (PS) services by Challenge Handshake
  Authentication Protocol (CHAP), after a
  successful cdma2000 1X RAN Authentication
  procedure it is not the interest in the thesis
• To be continued

13
cdma2000 1X network level security 2

• cdma2000 1X RAN Authentication Mechanisms rely
  on
• User Authentication Key A-Key (64bits) and
  Electronic Serial Number (ESN 32bits) only
  secured in Mobile Terminal (MT) and
  Authentication Center (AC)
• Algorithm Cellular Authentication and Voice
  Encryption (CAVE)
• Shared Secret Data (SSD 128bits) is the
  cornerstone of cdma2000 1X wireless network
  security SSD(128bits)CAVE(A-Key, ESN, RANDSSD)
• SSD(128bits)?Temporary User Authentication Key
  (SSD-A 64bits), i.e., the first 64-bit part
  SSD-A is for the initial registration mechanism
  and SSD update mechanism more precisely unique
  challenge authentication of SSD update mechanism
  since the SSD update procedure is a mutual
  authentication procedure
• Moreover, SSD(128bits)?Temporary User
  Confidentiality Key (SSD-B 64bits), i.e., the
  second 64-bit part SSD-B can generate ciphering
  keys for signalling data and user data
  confidentiality mechanisms, cf. Section 2.4.2.2
  in the thesis

14
Introduction to UMTS 1

• To be continued

15
Introduction to UMTS 2

• UMTS employs Wideband Code Division Multiple
  Access (WCDMA) as the radio access technology
  with 5MHz channel bandwidth, i.e., a DS-CDMA
  technology, and hence many say WCDMA instead of
  UMTS, although it is only a radio access
  technology
• Channel types defined in WCDMA/UMTS are
• Logical channels ?answer what type of data to be
  transferred
• Transport channels ?answer how and with which
  characteristics with the transferred data
• Physical channels ?answer exact the physical
  characteristics of the radio channels
• UMTS Terrestrial Radio Access Network (UTRAN)
  protocol can be further divided into three
  layers physical layer, link layer, and network
  layer
• Medium Access Control (MAC) sublayer belongs to
  the link layer, which coverts the logical
  channels to the transport channels
• To be continued

16
Introduction to UMTS 3

• Radio Link Control (RLC) sublayer belongs to the
  link layer, which provides services to upper
  layers
• Radio Resource Control (RRC) sublayer is the
  lowest sublayer of the network layer and
  terminates in Radio Network Controller (RNC) it
  provides encryption control it performs
  integrity protection of both the RRC-level
  signalling and higher layers signalling

17
UMTS network level security

• 3G security principle defined in 3GPP TS 33.210
• 3G security is built on the security of 2G
  systems security elements within GSM and other
  2G systems which have proved to be needed and
  robust shall be adopted for the 3G security
• 3G security improves the security of 2G systems
  by correcting the real and perceived weaknesses
• New 3G security features are defined as necessary
  to secure the new services offered by 3G
• Requirements capture of UMTS network level
  security is based on the weaknesses analysis pp
  9-10 and threat analysis cf. Section 2.3.3 in the
  thesis
• UMTS retains certain network level security
  features from the 2G systems
• In the following part, network access security
  (3GPP Release 1999) will be addressed MAPsec
  (3GPP Release 4) and IPsec (3GPP Release 5) based
  Network Domain Security (NDS) will be addressed

18
UMTS Authentication and Key Agreement mechanism 1

• Mutual authentication retains the user
  authentication mechanism from GSM, and in
  addition the user can authenticate the network,
• UMTS AKA relies on User Authentication Key K and
  Algorithms f1-f5 only secured in AuC and USIM,
  SQN stored in AuC and USIM Authentication Vector
  (AV) generated in AuC

• Based on Authentication Data Request, AuC
  generates an array of n fresh AVs to be
  sent to VLR/SGSN which selectes AV(i) and in turn
  forwards RAND(i) and AUTN(i) to the User
  Equipment (UE)

19
UMTS Authentication and Key Agreement mechanism 2

• UMTS Subscriber Identity Module (USIM) embeded in
  UE can
• Verify the received AUTN(i) XMAC(i) ? MAC(i)
• SQN(i) is in correct range? If not,
  resynchronization procedure starts, cf. TS 33.102
• Compute RES(i), and establish CK(i), and IK(i)

• USIM sends the RES(i) back to VLR/SGSN, cf.
  Section 4.5.2.3 in the thesis

20
UMTS user identity and location confidentiality
mechanism

• International Mobile Subscriber Identity (IMSI) ?
  Temporary Mobile Subscriber Identity (TMSI) for
  services provided by Circuit Switched (CS)
  domain IMSI ? Packet TMSI (P-TMSI) for services
  provided by Packet Switched (PS) domain note in
  exceptional cases UMTS user can be only
  identified by IMSI over the air interface
• UMTS user may also be identified by Radio Network
  Temporary Identity (RNTI)
• IMSI, TMSI, and P-TMSI are CN-level identities
  for the UE in idle mode such as power up,
  authentication
• RNTI is UTRAN-level identity for the UE in
  connected mode such as UTRAN integrity protection

21
UTRAN encryption mechanism

• Using Cipheing Algorithm f8, a stream cipher
  based on a block cipher KASUMI publicly
  evaluated
• Under the control of the Ciphering Key CK
  (128bits) established during the AKA procedure
• MAC sublayer performs the encryption in
  transparent RLC mode in case of Circuit
  Switched (CS) services
• RLC sublayer performs encryption in both
  acknowledged mode and unacknowledged mode
• Different from the GSM encryption, UTRAN
  encryption protects the communications between a
  ME and the RNC
• UTRAN encryption procedure is optional
• UTRAN encryption procedure is initiated by
  security mode setup procedure cf. Section 4.5.6.3
  in the thesis

22
UTRAN integrity protection of RRC signalling

• Threats against integrity is claimed to be most
  severe
• The purpose of the UTRAN integrity protection of
  Radio Resource Control (RRC) signalling, is to
  authenticate individual control messages.
• RRC sublayer executes the integrity protection of
  both RRC-level and higher layer signalling, by
  using Integrity Algorithm f9 under the control of
  the Integrity Key IK (128bits) established during
  the AKA procedure
• Similar to the Ciphering Algorithm f8, the
  Integrity Algorithm f9 is based on the block
  ciphering KASUMI publicly evaluated
• Not all UTRAN signalling is integrity-protected
• Most of RRC signalling is integrity-protected
  such UTRAN integrity protection does not apply
  for signalling before the Integrity Key IK is in
  place, e.g., RRC Connection Request in the
  security mode setup procedure

23
UMTS Network Domain Security (NDS 1)

• SS7-based Network Domain Security (NDS) was not
  considered in GSM, since only a limitted number
  of well-established entities can access
• Situation is getting changed
• Telecommunication industry is getting deregulated
• In case AVs and sensitive information are
  modified in the network domain or between
  networks of diffrent mobile operators, what a
  desaster!
• IP-based network is the trend
• MAP security (MAPsec) is introduced in 3GPP
  Release 4, however why only Mobile Application
  Part (MAP) signalling is protected?
• IP security (IPsec) is introduced in 3GPP Release
  5.

24
MAPsec (NDS 2)

• MAPsec has three modes, mode 0 no protection,
  mode 1 integrity protection only, mode 2
  encryption with integrity protection
• Borrows the notion of Security Association (SA)
  from IPsec for security keys and other relevant
  information
• 3GPP Release 4 does not specify how to exchange
  SAs
• Automatic Key Management can be an option, which
  has the Key Administration Centre (KAC) as the
  basis
• All SAs are stored in a SAD and Network Elements
  (NEs) must access it
• All SAs are valid on a PLMN-level basis, as a
  PLMN can only address another PLMN not its
  individual NE
• Each KAC maintains a SA Database (SAD) and
  Security Policy Database (SPD) each NE has
  similar databases
• KACs agree on SAs between themselves by using the
  Internet Key Exchangement (IKE) and MAPsec Domain
  of Interpretation (DoI)
• KAC distributes security policies and SAs to NEs
  over the Ze-interface
• A NE must get a valid SA and security policy to
  address a NE in anohter PLMN

25
IPsec (NDS 3)

• IPsec is defined at the network layer to protect
  IP packets
• IPsec three components Authentication Header
  (AH), Encapsulation Security Payload (ESP), and
  IKE only the ESP is talked in detail
• ESP has two modes transport mode and tunnel mode
• The former fits in better with end-to-end
  communications provides both encryption and
  integrity protection but only protects the
  payload
• The latter fits in better between two nodes,
  e.g., Gateways provides both encryption and
  integrity protection protects the whole IP
  packet the implication of the same function as
  the former has UMTS NDS prefers using the latter
  for signalling protection
• Security Gateway (SEG) is the basis of NDS
  IP-based network (NDS/IP)
• Each SEG contains both the SAD and SPD
• SEG uses the IKE to exchage IPsec SAs
• Main difference from the KAC is that SEG also
  uses the negotiated SAs, while KAC can only agree
  SAs over the Zd-interface

26
Proposals for mitigating unintentional radio
jamming in uplink 1

• Proposals for mitigating unintentional radio
  jamming in uplink
• Radio jamming is an ongoing threat to any
  cellular system and hardly to be totally canceled
  in practice
• Unintentional radio jamming is met in civilian
  cellular systems, and may be caused by
  co-existing wireless systems Personal
  Handyphone System (PHS), radar systems and
  broadcasting systems operating on Ultra High
  Frequency (UHF)
• Radio jamming in uplink may be very severe, since
  the Base Station (BS) is visible, static, and
  open
• Smart antenna is the big hope
• Review of results
• GSM is relatively resistant to radio jamming
  thanks for its digital features
• Power Control (PC) and rescue handover mechanisms
  can further ease radio jamming
• WCDMA/UMTS has even better radio jamming
  resistance ability more sophisticated PC and
  handover mechanisms are introduced
• Moderate radio jamming can not make WCDMA/UMTS
  network deaf

27
Proposals for mitigating unintentional radio
jamming in uplink 2

• In case of high radio jamming environments,
  Capital Expenditures (CAPEX) have been invested
  on countermeasures, otherwise Operating Expense
  (OPEX) would be critical for UMTS operators in
  long run
• Mitigating unintentional radio jamming in uplink
  shall set about Identifying radio jamming
  sources, analyzing radio jamming reasons,
  figuring out radio jamming characteristics, and
  evaluating radio jamming impacts before making
  further countermeasures network trial is
  essential for optimizing countermeasures and for
  balancing against the costs
• Based on the above efforts, proposals for
  effectively mitigating unintentional radio
  jamming in uplink in UMTS are made
• In case of static jamming sources such as a power
  plant or a broadcasting system, switched beam
  smart antennas shall be adopted around the
  jamming area network trial can help UMTS
  operator further select Butler matrix or Blass
  matrix the latter performs better while being
  complex, heavy, and expensive switched beam
  smart antenna may cause for intra-cell handover
  and call loss in general some areas are more
  severely influenced than others. Therefore, cell
  splitting and more Node Bs shall be introduced,
  while in turn pushing up the costs
• To be continued

28
Proposals for mitigating unintentional radio
jamming in uplink 3

• In case of dynamic radio jamming sources such as
  radar arrays, airport and harbor radio
  equipments, or co-existing systems in the same
  building or along highways, adaptive array smart
  antennas shall be adopted, since such smart
  antennas can dynamically track UEs and can
  simultaneously adjust beams to desired signals
  while nulling out radio jamming signals Sample
  Matrix Inversion (SMI) DSP performs better
  especially in WCDMA/UMTS, since the SMI DSP can
  take advantage of pilot signal in uplink and the
  SMI algorithm has fast convergence rate, but the
  SMI DSP is complex and expensive Least Mean
  Square (LMS) DSP is simple and cheap
• In case of pervasive jamming environments of high
  power, unintentional radio jamming in uplink may
  be mitigated by means of implementing adaptive
  array smart antennas and minimizing cell size
  UMTS operators shall adopt lines such as copper
  lines or optical fiber, other than radio, to be
  the backbone network transmission medium
• In addition, UMTS operators shall adopt antennas
  with lower side lobes and use electrical
  down-tilt antennas
• UMTS operators must cooperate with authorities or
  legal forces, which would be an easy way to
  prevent the occurrences of radio jamming, or to
  be compensated in case of radio jamming damage

29
Proposals for interoperation in terms of security
between UMTS and cdma2000 1X roaming users 1

• Since inter-system handover and Inter-system
  Packet Switched (PS) domain registration are
  hardly feasible with justifiable efforts and
  network level security only plays a limited part,
  only two other scenarios are considered
• Registration of a UMTS user in a cdma2000 1X SN,
  called USIM roaming
• Registration of a cdma2000 1X user in a UMTS SN,
  called cdma2000 1X Mobile Terminal (MT) roaming
• Principle permanent authentication key material
  would be never disclosed to any network component
  apart from the AuC of HE in UMTS, or the AC of HE
  in cdma2000 1X UE (ME USIM) and MT can run
  both UMTS AKA and cdma2000 1X RAN authentication
  protocols
• Hence, such proposals are based on a UMTS and
  cdma2000 1X Gateway

• To be continued

30
Proposals for interoperation in terms of security
between UMTS and cdma2000 1X roaming users 2

• The necessary adaptation has to be mainly
  facilitated by the features on the user side and
  the Gateway
• In case B-user is roaming in A-SN, to A-SN the
  Gateway acts like the HE of A-SN, while to B-HE
  the Gateway acts like a B-SN
• Proposal for USIM roaming relatively simple as
  no SQN is involved
• Gateway in addition acts as the HE of USIM
• Gateway in a predefined way converts the received
  UMTS AKA authentication data for the purpose of
  a cdma2000 1X SSD update procedure with the UMTS
  user ( Set SSDIK, RANDSSDRAND).
• Gateway runs cdma2000 1X SSD update procedure
  with the USIM via the cdma2000 1X SN
• Proposal for cdma2000 1X Mobile Terminal (MT)
  roaming
• Gateway in addition acts as the HE of cdma2000 1X
  MT
• Gateway requests a cdma2000 1X SSD update
  procedure by abusing the message with especially
  reserved parameters to the cdma2000 1X AC of HE
• Gateway in a predefined way converts the received
  cdma2000 1X authentication data to a UMTS AV
  (RANDRANDSSDRD, 0,0,0,0) and set KSSD
• To be continued

31
Proposals for interoperation in terms of security
between UMTS and cdma2000 1X roaming users 3

• Gateway authenticates the cdma2000 1X user by
  abusing Resynchronization procedure (0, AUTS)
• Only from this point forward, Gateway generates a
  UMTS authentication quintuple (RAND, XRES, CK,
  IK, AUTN), by using Algorithms f1-f5, under the
  control of SSD as the substitute for the UMTS
  User Authentication Key K
• The new UMTS authentication quintuple is sent to
  UMTS SN for further security matters, e.g.,
  mutual authentication, integrity protection and
  so on
• cdma2000 1X does not have SQN approach, hence a
  special manner has to be arranged, every time a
  cdma2000 1X MT attempts to register in UMTS, the
  SQN in both the cdma2000 1X MT and the Gateway
  are forced to 1 it is incremented by 1 for the
  generation of a new UMTS authentication
  quintuplet under the condition of same SSD

32
Conclusions

• UMTS network level security addresses and
  corrects GSM network level securtiy real and
  perceived weaknesses
• UMTS has more robust network level security than
  cdma2000 1X
• UMTS network level security can be the pattern
  for the development of such security matters for
  future cellular systems
• Future work
• Avoid IMSI transfer over the air interface
• Integrity-protect all types of signalling in
  network domain
• Is it possible to introduce public key mechanism
  for UMTS network level security
• Prevent a Base Station (BS)/handset from camping
  on a false handset/ Base Station (BS)
• Firewall shall be introduced to protect network
  domain

33

• Thanks