Title: UMTS Network Level Security; Investigation on Security Improvements
1 UMTS Network Level Security: Investigation on Security Improvements
- Thesis Author: Yue Feng
- Supervisor: Professor Sven-Gustav Häggman
- Instructor: Lic. Tech Michael Hall
2
- I dedicate this thesis to my parents, Diwei Feng and Shuhua Yang, for being the best parents there can be
3 Presentation outline
- Background
- Thesis objectives
- Thesis scope
- Network level security of mobile systems
- Introduction to UMTS
- UMTS network level security
- Proposals for security improvements
- Conclusions
4 Background
- The 3G era is coming, e.g., UMTS
- Security is a growing concern for 3G cellular systems, since they are wireless, much more complex than 2G cellular systems, and, above all, more sophisticated means of attack are available
- It is believed that attacks against mobile systems will not cease, as the motives are the usual ones: fun, criminality, premium rate mobile services, unintentional attacks
- Network level security attacks can be mainly categorized into DoS (location update spoofing and radio jamming), masquerade, man-in-the-middle, replay, and hijacking
- Network level security focuses on confidentiality, authentication, integrity protection, user and location confidentiality, and availability
5 Thesis objectives
- To present GSM network level security features retained in UMTS
- To present UMTS network level security features in 3GPP Release 1999, and MAPsec and IPsec based Network Domain Security (NDS)
- To present network level security features specific for UMTS, prior to GSM network level security features
- Proposals for mitigating unintentional radio jamming in uplink in UMTS; such proposals cannot totally cancel such radio jamming
- Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
6 Thesis scope
- Focuses only on the UMTS network level security specified in 3GPP Release 1999, and MAPsec and IPsec based Network Domain Security (NDS), i.e., system level security and protocol level security
- Application security, operating system security, and physical facilities security are out of the scope
7 Network level security of mobile systems
- In 400 B.C., the ancient Greeks had already mastered the encryption technique called the skytale
- A big leap during World War II
- Network level security of 1G cellular systems was nothing
  - Identities transferred over the air → cloning
  - No encryption → interception
- The lesson learned was that security has to be designed in from the beginning phase of the design of the whole system, for what?
8 GSM network level security 1
- GSM network level security features
  - Subscriber identity and location confidentiality
  - Subscriber identity authentication
  - Signalling data and user data confidentiality
- Security features are realized by security mechanisms
- GSM network level security mechanisms
  - Subscriber identity and location confidentiality mechanism
  - GSM Authentication and Key Agreement (AKA) mechanism
  - GSM signalling data and user data confidentiality mechanism
9 GSM network level security 2
- GSM network level security relies on
  - International Mobile Subscriber Identity (IMSI) → Temporary Mobile Subscriber Identity (TMSI); note: in exceptional cases a GSM subscriber can only be identified by the IMSI transferred over the air interface
  - Subscriber Authentication Key Ki (128 bits), only secured in the Subscriber Identity Module (SIM) and Authentication Center (AuC)
  - COMP-128 based Authentication Algorithm A3 and Ciphering Key Generating Algorithm A8, only secured in SIM and AuC: RES (32 bits) = A3_Ki(RAND), Kc (64 bits) = A8_Ki(RAND)
  - Stream cipher based Ciphering Algorithm A5, secured in all Mobile Equipments (MEs) and Base Station Transceivers (BTSs): CipheringStream (114 bits) = A5(Kc, Frame Number); note: the ME is the terminal part of the Mobile Station (MS)!
- Authentication of a user implies authenticating the right knowledge of the Subscriber Authentication Key
10 Weaknesses of GSM network level security 1
- Weaknesses of GSM network level security → threats against GSM network level security, cf. Section 2.3.3
- Unilateral authentication of the MS towards the network allows active attacks from a false BTS
- An Authentication Vector (AV) may be used indefinitely
- Encryption is provided between the MS and the BTS, but not further into the network
- GSM only provides access security but not Network Domain Security (NDS), and security data is transmitted in plain text between mobile networks
- No cryptographic integrity protection is provided, which leaves a door open for man-in-the-middle and hijacking attacks; note: Cyclic Redundancy Checking (CRC) is not cryptographic integrity protection
- Therefore, protection against man-in-the-middle and hijacking attacks can partially rely on the encryption; unfortunately GSM encryption can be disabled
- To be continued
11 Weaknesses of GSM network level security 2
- Cryptographic algorithms lack confidence →
  - The 64-bit Ciphering Key (Kc) is short
  - COMP128 based A3/A8 algorithms are poor (published on the Internet in 1998 by Briceno and Goldberg)
  - Ciphering Algorithm A5/2 is the deliberately weakened version of Ciphering Algorithm A5/1 for export control regulations
  - Biryukov, Shamir, and Wagner demonstrated how A5/1 could be cracked in less than one second on a Personal Computer (PC)
- Interfaces for law enforcement were not included in the design of GSM → could only be considered as an afterthought
12 cdma2000 1X network level security 1
- For the later proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
- Two-level network level security hierarchy: wireless network security and RADIUS/AAA
- Wireless network security includes the cdma2000 1X RAN Authentication Mechanisms
  - Initial registration mechanism (global challenge authentication)
  - SSD update mechanism (when SSD is shared), which is a mutual authentication mechanism
- Wireless network security also includes the cdma2000 1X user identity and location confidentiality mechanism and the cdma2000 1X signalling data and user data confidentiality mechanism, cf. Section 2.4.1 and Section 2.4.2.2 in the thesis
- RADIUS/AAA authenticates user access to Packet Switched (PS) services by the Challenge Handshake Authentication Protocol (CHAP), after a successful cdma2000 1X RAN Authentication procedure; it is not of interest in the thesis
- To be continued
13 cdma2000 1X network level security 2
- cdma2000 1X RAN Authentication Mechanisms rely on
  - User Authentication Key A-Key (64 bits) and Electronic Serial Number (ESN, 32 bits), only secured in the Mobile Terminal (MT) and Authentication Center (AC)
  - The Cellular Authentication and Voice Encryption (CAVE) algorithm
- Shared Secret Data (SSD, 128 bits) is the cornerstone of cdma2000 1X wireless network security: SSD (128 bits) = CAVE(A-Key, ESN, RANDSSD)
- SSD (128 bits) → Temporary User Authentication Key (SSD-A, 64 bits), i.e., the first 64-bit part; SSD-A is for the initial registration mechanism and the SSD update mechanism, more precisely the unique challenge authentication of the SSD update mechanism, since the SSD update procedure is a mutual authentication procedure
- Moreover, SSD (128 bits) → Temporary User Confidentiality Key (SSD-B, 64 bits), i.e., the second 64-bit part; SSD-B can generate ciphering keys for the signalling data and user data confidentiality mechanisms, cf. Section 2.4.2.2 in the thesis
14 Introduction to UMTS 1
15 Introduction to UMTS 2
- UMTS employs Wideband Code Division Multiple Access (WCDMA) as the radio access technology with 5 MHz channel bandwidth, i.e., a DS-CDMA technology, and hence many say WCDMA instead of UMTS, although it is only a radio access technology
- Channel types defined in WCDMA/UMTS are
  - Logical channels → answer what type of data is to be transferred
  - Transport channels → answer how and with which characteristics the data is transferred
  - Physical channels → answer the exact physical characteristics of the radio channels
- The UMTS Terrestrial Radio Access Network (UTRAN) protocol can be further divided into three layers: physical layer, link layer, and network layer
- The Medium Access Control (MAC) sublayer belongs to the link layer and converts the logical channels to the transport channels
- To be continued
16 Introduction to UMTS 3
- The Radio Link Control (RLC) sublayer belongs to the link layer and provides services to upper layers
- The Radio Resource Control (RRC) sublayer is the lowest sublayer of the network layer and terminates in the Radio Network Controller (RNC); it provides encryption control; it performs integrity protection of both the RRC-level signalling and higher layer signalling
17 UMTS network level security
- 3G security principles defined in 3GPP TS 33.210
  - 3G security is built on the security of 2G systems: security elements within GSM and other 2G systems which have proved to be needed and robust shall be adopted for 3G security
  - 3G security improves the security of 2G systems by correcting the real and perceived weaknesses
  - New 3G security features are defined as necessary to secure the new services offered by 3G
- Requirements capture of UMTS network level security is based on the weaknesses analysis (pp 9-10) and threat analysis, cf. Section 2.3.3 in the thesis
- UMTS retains certain network level security features from the 2G systems
- In the following part, network access security (3GPP Release 1999) will be addressed; MAPsec (3GPP Release 4) and IPsec (3GPP Release 5) based Network Domain Security (NDS) will be addressed
18 UMTS Authentication and Key Agreement mechanism 1
- Mutual authentication: retains the user authentication mechanism from GSM, and in addition the user can authenticate the network
- UMTS AKA relies on the User Authentication Key K and Algorithms f1-f5, only secured in AuC and USIM; SQN stored in AuC and USIM; Authentication Vector (AV) generated in AuC
- Based on an Authentication Data Request, the AuC generates an array of n fresh AVs to be sent to the VLR/SGSN, which selects AV(i) and in turn forwards RAND(i) and AUTN(i) to the User Equipment (UE)
19 UMTS Authentication and Key Agreement mechanism 2
- The UMTS Subscriber Identity Module (USIM) embedded in the UE can
  - Verify the received AUTN(i): XMAC(i) = MAC(i)?
  - Check whether SQN(i) is in the correct range; if not, the resynchronization procedure starts, cf. TS 33.102
  - Compute RES(i), and establish CK(i) and IK(i)
- USIM sends the RES(i) back to VLR/SGSN, cf. Section 4.5.2.3 in the thesis
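
The AV generation and USIM checks of slides 18 and 19, as an added example that is not from the thesis: HMAC-SHA256 stands in for the operator-specific f1-f5, the AMF field and anonymity key AK follow TS 33.102 rather than the slides, and the SQN range check is reduced to "greater than the last accepted value". The key and AMF values are constructed.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # constructed 16-bit Authentication Management Field value


def f(k, tag, data, n):
    """Stand-in for f1..f5: HMAC-SHA256 truncated to n bytes (not a 3GPP algorithm)."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def auc_generate_av(k, sqn, rand=None):
    """AuC side: build one authentication vector (quintuple) for a fresh SQN."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b + rand + AMF, 8)   # network authentication code
    ak = f(k, b"f5", rand, 6)                  # anonymity key, conceals SQN
    autn = xor(sqn_b, ak) + AMF + mac          # AUTN = (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "XRES": f(k, b"f2", rand, 8),
            "CK": f(k, b"f3", rand, 16), "IK": f(k, b"f4", rand, 16), "AUTN": autn}


class Usim:
    def __init__(self, k):
        self.k = k
        self.sqn_ms = 0  # highest SQN accepted so far (simplified range check)

    def authenticate(self, rand, autn):
        """USIM side: verify AUTN, then SQN freshness, then derive RES/CK/IK."""
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(conc_sqn, f(self.k, b"f5", rand, 6))
        xmac = f(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            return "mac_failure", None      # sender does not know K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            return "sync_failure", None     # replayed or stale AV: resynchronization
        self.sqn_ms = sqn
        return "ok", {"RES": f(self.k, b"f2", rand, 8),
                      "CK": f(self.k, b"f3", rand, 16),
                      "IK": f(self.k, b"f4", rand, 16)}


def demo():
    k = bytes(range(16))                     # constructed 128-bit K
    usim = Usim(k)
    av = auc_generate_av(k, sqn=1)
    status, keys = usim.authenticate(av["RAND"], av["AUTN"])
    # VLR/SGSN compares the returned RES with XRES from the AV
    user_ok = status == "ok" and hmac.compare_digest(keys["RES"], av["XRES"])
    keys_agree = (keys["CK"], keys["IK"]) == (av["CK"], av["IK"])
    replay, _ = usim.authenticate(av["RAND"], av["AUTN"])       # same AV again
    forged = auc_generate_av(bytes(16), sqn=2)                  # built without K
    false_network, _ = usim.authenticate(forged["RAND"], forged["AUTN"])
    return user_ok, keys_agree, replay, false_network


if __name__ == "__main__":
    print(demo())
```

The second and third calls show the two GSM weaknesses from slide 10 being closed: a reused AV fails the SQN check, and an AUTN built without K fails the MAC check.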
20 UMTS user identity and location confidentiality mechanism
- International Mobile Subscriber Identity (IMSI) → Temporary Mobile Subscriber Identity (TMSI) for services provided by the Circuit Switched (CS) domain; IMSI → Packet TMSI (P-TMSI) for services provided by the Packet Switched (PS) domain; note: in exceptional cases a UMTS user can only be identified by the IMSI over the air interface
- A UMTS user may also be identified by the Radio Network Temporary Identity (RNTI)
- IMSI, TMSI, and P-TMSI are CN-level identities for the UE in idle mode, such as power up, authentication
- RNTI is the UTRAN-level identity for the UE in connected mode, such as UTRAN integrity protection
21 UTRAN encryption mechanism
- Uses Ciphering Algorithm f8, a stream cipher based on the publicly evaluated block cipher KASUMI
- Under the control of the Ciphering Key CK (128 bits) established during the AKA procedure
- The MAC sublayer performs the encryption in transparent RLC mode in case of Circuit Switched (CS) services
- The RLC sublayer performs encryption in both acknowledged mode and unacknowledged mode
- Different from GSM encryption, UTRAN encryption protects the communications between an ME and the RNC
- The UTRAN encryption procedure is optional
- The UTRAN encryption procedure is initiated by the security mode setup procedure, cf. Section 4.5.6.3 in the thesis
22 UTRAN integrity protection of RRC signalling
- Threats against integrity are claimed to be the most severe
- The purpose of the UTRAN integrity protection of Radio Resource Control (RRC) signalling is to authenticate individual control messages
- The RRC sublayer executes the integrity protection of both RRC-level and higher layer signalling, by using Integrity Algorithm f9 under the control of the Integrity Key IK (128 bits) established during the AKA procedure
- Similar to the Ciphering Algorithm f8, the Integrity Algorithm f9 is based on the publicly evaluated block cipher KASUMI
- Not all UTRAN signalling is integrity-protected
  - Most RRC signalling is integrity-protected; such UTRAN integrity protection does not apply to signalling before the Integrity Key IK is in place, e.g., RRC Connection Request in the security mode setup procedure
23 UMTS Network Domain Security (NDS 1)
- SS7-based Network Domain Security (NDS) was not considered in GSM, since only a limited number of well-established entities can access
- The situation is changing
  - The telecommunication industry is being deregulated
  - In case AVs and sensitive information are modified in the network domain or between networks of different mobile operators, what a disaster!
  - IP-based networking is the trend
- MAP security (MAPsec) is introduced in 3GPP Release 4; however, why is only Mobile Application Part (MAP) signalling protected?
- IP security (IPsec) is introduced in 3GPP Release 5.
24 MAPsec (NDS 2)
- MAPsec has three modes: mode 0, no protection; mode 1, integrity protection only; mode 2, encryption with integrity protection
- Borrows the notion of Security Association (SA) from IPsec for security keys and other relevant information
- 3GPP Release 4 does not specify how to exchange SAs
- Automatic Key Management can be an option, which has the Key Administration Centre (KAC) as its basis
  - All SAs are stored in a SAD and Network Elements (NEs) must access it
  - All SAs are valid on a PLMN-level basis, as a PLMN can only address another PLMN, not its individual NEs
  - Each KAC maintains a SA Database (SAD) and a Security Policy Database (SPD); each NE has similar databases
  - KACs agree on SAs between themselves by using the Internet Key Exchange (IKE) and the MAPsec Domain of Interpretation (DoI)
  - The KAC distributes security policies and SAs to NEs over the Ze-interface
  - An NE must get a valid SA and security policy to address an NE in another PLMN
25 IPsec (NDS 3)
- IPsec is defined at the network layer to protect IP packets
- IPsec has three components: Authentication Header (AH), Encapsulating Security Payload (ESP), and IKE; only ESP is discussed in detail
- ESP has two modes: transport mode and tunnel mode
  - The former fits in better with end-to-end communications; provides both encryption and integrity protection, but only protects the payload
  - The latter fits in better between two nodes, e.g., gateways; provides both encryption and integrity protection; protects the whole IP packet; it implies the same functions that the former has; UMTS NDS prefers using the latter for signalling protection
- The Security Gateway (SEG) is the basis of NDS for IP-based networks (NDS/IP)
  - Each SEG contains both the SAD and SPD
  - The SEG uses IKE to exchange IPsec SAs
  - The main difference from the KAC is that the SEG also uses the negotiated SAs, while the KAC can only agree SAs over the Zd-interface
26 Proposals for mitigating unintentional radio jamming in uplink 1
- Proposals for mitigating unintentional radio jamming in uplink
  - Radio jamming is an ongoing threat to any cellular system and can hardly be totally cancelled in practice
  - Unintentional radio jamming is met in civilian cellular systems, and may be caused by co-existing wireless systems: Personal Handyphone System (PHS), radar systems and broadcasting systems operating on Ultra High Frequency (UHF)
  - Radio jamming in uplink may be very severe, since the Base Station (BS) is visible, static, and open
  - Smart antenna is the big hope
- Review of results
  - GSM is relatively resistant to radio jamming thanks to its digital features
  - Power Control (PC) and rescue handover mechanisms can further ease radio jamming
  - WCDMA/UMTS has even better resistance to radio jamming; more sophisticated PC and handover mechanisms are introduced
  - Moderate radio jamming cannot make a WCDMA/UMTS network deaf
27 Proposals for mitigating unintentional radio jamming in uplink 2
- In case of high radio jamming environments, Capital Expenditures (CAPEX) have been invested in countermeasures; otherwise Operating Expense (OPEX) would be critical for UMTS operators in the long run
- Mitigating unintentional radio jamming in uplink shall start with identifying radio jamming sources, analyzing radio jamming reasons, figuring out radio jamming characteristics, and evaluating radio jamming impacts before taking further countermeasures; a network trial is essential for optimizing countermeasures and for balancing them against the costs
- Based on the above efforts, proposals for effectively mitigating unintentional radio jamming in uplink in UMTS are made
- In case of static jamming sources such as a power plant or a broadcasting system, switched beam smart antennas shall be adopted around the jamming area
  - A network trial can help the UMTS operator further select a Butler matrix or a Blass matrix; the latter performs better while being complex, heavy, and expensive
  - A switched beam smart antenna may cause intra-cell handover and call loss; in general some areas are more severely influenced than others. Therefore, cell splitting and more Node Bs shall be introduced, which in turn pushes up the costs
- To be continued
28 Proposals for mitigating unintentional radio jamming in uplink 3
- In case of dynamic radio jamming sources such as radar arrays, airport and harbor radio equipment, or co-existing systems in the same building or along highways, adaptive array smart antennas shall be adopted, since such smart antennas can dynamically track UEs and can simultaneously adjust beams to desired signals while nulling out radio jamming signals
  - Sample Matrix Inversion (SMI) DSP performs better, especially in WCDMA/UMTS, since the SMI DSP can take advantage of the pilot signal in uplink and the SMI algorithm has a fast convergence rate, but the SMI DSP is complex and expensive
  - Least Mean Square (LMS) DSP is simple and cheap
- In case of pervasive jamming environments of high power, unintentional radio jamming in uplink may be mitigated by implementing adaptive array smart antennas and minimizing cell size; UMTS operators shall adopt lines such as copper lines or optical fiber, other than radio, as the backbone network transmission medium
- In addition, UMTS operators shall adopt antennas with lower side lobes and use electrical down-tilt antennas
- UMTS operators must cooperate with authorities or legal forces, which would be an easy way to prevent the occurrences of radio jamming, or to be compensated in case of radio jamming damage
29 Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 1
- Since inter-system handover and inter-system Packet Switched (PS) domain registration are hardly feasible with justifiable efforts and network level security only plays a limited part, only two other scenarios are considered
  - Registration of a UMTS user in a cdma2000 1X SN, called USIM roaming
  - Registration of a cdma2000 1X user in a UMTS SN, called cdma2000 1X Mobile Terminal (MT) roaming
- Principle: permanent authentication key material would never be disclosed to any network component apart from the AuC of the HE in UMTS, or the AC of the HE in cdma2000 1X; the UE (ME + USIM) and MT can run both UMTS AKA and cdma2000 1X RAN authentication protocols
- Hence, such proposals are based on a UMTS and cdma2000 1X Gateway
30 Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 2
- The necessary adaptation has to be mainly facilitated by the features on the user side and the Gateway
- In case a B-user is roaming in an A-SN, to the A-SN the Gateway acts like the HE of the A-SN, while to the B-HE the Gateway acts like a B-SN
- Proposal for USIM roaming: relatively simple as no SQN is involved
  - The Gateway in addition acts as the HE of the USIM
  - The Gateway in a predefined way converts the received UMTS AKA authentication data for the purpose of a cdma2000 1X SSD update procedure with the UMTS user ( Set SSDIK, RANDSSDRAND).
  - The Gateway runs the cdma2000 1X SSD update procedure with the USIM via the cdma2000 1X SN
- Proposal for cdma2000 1X Mobile Terminal (MT) roaming
  - The Gateway in addition acts as the HE of the cdma2000 1X MT
  - The Gateway requests a cdma2000 1X SSD update procedure by abusing the message with especially reserved parameters to the cdma2000 1X AC of the HE
  - The Gateway in a predefined way converts the received cdma2000 1X authentication data to a UMTS AV (RANDRANDSSDRD, 0,0,0,0) and set KSSD
- To be continued
31 Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 3
- The Gateway authenticates the cdma2000 1X user by abusing the Resynchronization procedure (0, AUTS)
- Only from this point forward, the Gateway generates a UMTS authentication quintuple (RAND, XRES, CK, IK, AUTN), by using Algorithms f1-f5, under the control of SSD as the substitute for the UMTS User Authentication Key K
- The new UMTS authentication quintuple is sent to the UMTS SN for further security matters, e.g., mutual authentication, integrity protection and so on
- cdma2000 1X does not have the SQN approach, hence a special manner has to be arranged: every time a cdma2000 1X MT attempts to register in UMTS, the SQN in both the cdma2000 1X MT and the Gateway is forced to 1; it is incremented by 1 for the generation of a new UMTS authentication quintuplet under the condition of the same SSD
32 Conclusions
- UMTS network level security addresses and corrects the real and perceived weaknesses of GSM network level security
- UMTS has more robust network level security than cdma2000 1X
- UMTS network level security can be the pattern for the development of such security matters for future cellular systems
- Future work
  - Avoid IMSI transfer over the air interface
  - Integrity-protect all types of signalling in the network domain
  - Is it possible to introduce a public key mechanism for UMTS network level security?
  - Prevent a Base Station (BS)/handset from camping on a false handset/Base Station (BS)
  - A firewall shall be introduced to protect the network domain