GSM Network Security Research Project
By: Jamshid Rahimi, Sisouvanh Vanthanavong
Friday, February 20, 2009
Contents
• GSM Overview
• GSM Architecture
• GSM Security Architecture
  • Anonymity
  • Authentication
  • Confidentiality
• GSM Authentication Protocol
• GSM Security Flaws
  • Crypto Flaws
  • Invalid Assumptions
  • SIM Attacks
  • Fake base station
• GSM Conclusions
GSM Overview: GSM introduction & history
• GSM: Global System for Mobile communication
• The GSM frequency bands are used by the 2G and 3G networks
• 1982: Beginning of GSM (Groupe Spécial Mobile)
• 1986: GSM radio standard
• 1987: Groupe Spécial Mobile (the French name) changed to Global System for Mobile communication
• 1989: The European Telecommunications Standards Institute accepted GSM as the digital cellular telephony standard
• 1990: Phase 1 GSM 900 specification
• 1991: First GSM 900 demonstrated
• 1994: First GSM networks in Africa
• 1995: GSM phase 2 standardization completed
• 1999: First GPRS network
• 2001: More than 500 million people are GSM users
Source: http://www.cellular.co.za/gsmhistory.htm
GSM Architecture
• The mobile is a cell phone
• The air interface is the wireless link that carries transmissions from the cell phone to a base station
• The visited network includes multiple base stations and a base station controller
GSM Architecture Continued…
• The PSTN is also referred to as "land lines" to distinguish it from the wireless network
• The home network includes a home location register (HLR)
• The authentication center (AuC) maintains the crucial billing information for all mobiles for which this particular home network is home
GSM Architecture Continued…
• A GSM mobile phone contains a Subscriber Identity Module (SIM)
• The SIM holds an International Mobile Subscriber Identity (IMSI)
• The SIM also contains a 128-bit key, universally known as Ki
GSM security architecture
• The primary security goals set forth by the designers of GSM were:
  • Make GSM as secure as ordinary telephones
  • Prevent cell phone cloning
• GSM was not designed to resist an active attack; at the time, active attacks were considered infeasible
• The designers of GSM considered the biggest threats to be insecure billing, corruption, and similar low-tech attacks
GSM security architecture
• GSM addresses three security properties:
• Anonymity: the goal is to prevent intercepted traffic from being used to identify the caller
• Authentication: correct authentication is necessary for proper billing; cloning is one of the failures it must prevent
• Confidentiality: privacy of calls over the air interface is important to customers and to the company
Anonymity
• GSM provides a very limited form of anonymity
• The IMSI is used to identify the caller initially; then a Temporary Mobile Subscriber ID (TMSI) is assigned to the caller
• The TMSI is subsequently used to identify the caller
• Net effect: if an attacker captures the initial part of the call, where the IMSI is passed, the caller can be identified
• In practice, however, filtering the IMSI out of captured traffic is not easy
Authentication
• In GSM, the caller is authenticated to the base station, but the authentication is not mutual
• GSM authentication employs a challenge-response mechanism
• Mobile -> BS -> HLR
• The HLR knows the Ki that corresponds to the caller's IMSI
• The HLR generates RAND and computes the "expected response", XRES = A3(RAND, Ki)
• The BS sends RAND to the mobile
• The mobile responds with SRES
• The HLR checks that XRES = SRES
• Ki never leaves the HLR
Confidentiality
• GSM uses a stream cipher to encrypt the data
• The cell phone environment has a high error rate, typically about 1 in 1,000 bits
• With a block cipher, each transmission error causes one or two entire plaintext blocks to be garbled (depending on the mode), while a stream cipher garbles only those plaintext bits corresponding to the specific ciphertext bits that are in error
• The encryption key is denoted Kc
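The error-propagation argument above, worked through as an added Python example that is not from the slides: a 4-round Feistel toy block cipher in CBC mode and a keyed-hash keystream stand in for a real block cipher and for A5 respectively (neither is a GSM algorithm), and flipping a single ciphertext bit shows which plaintext bits are damaged in each case. The key and IV values are constructed.

```python
import hashlib
BLOCK = 16  # toy block cipher block size in bytes; half-blocks are 8 bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash truncated to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(block: bytes, key: bytes, rounds=range(4)) -> bytes:
    # 4-round Feistel network standing in for a real block cipher
    l, r = block[:8], block[8:]
    for rnd in rounds:
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r

def block_decrypt(block: bytes, key: bytes) -> bytes:
    # Feistel inverse: swap halves, run the rounds backwards, swap back
    out = block_encrypt(block[8:] + block[:8], key, reversed(range(4)))
    return out[8:] + out[:8]

def cbc_encrypt(plain: bytes, key: bytes, iv: bytes) -> bytes:
    out = [iv]  # each block is XORed with the previous ciphertext block
    for i in range(0, len(plain), BLOCK):
        out.append(block_encrypt(_xor(plain[i:i + BLOCK], out[-1]), key))
    return b"".join(out[1:])

def cbc_decrypt(cipher: bytes, key: bytes, iv: bytes) -> bytes:
    blocks = [cipher[i:i + BLOCK] for i in range(0, len(cipher), BLOCK)]
    return b"".join(_xor(block_decrypt(c, key), p) for c, p in zip(blocks, [iv] + blocks))

def stream_crypt(data: bytes, key: bytes) -> bytes:
    # XOR with a counter-mode keystream from a keyed hash (stand-in for A5 output)
    ks = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest()
                  for n in range(len(data) // 32 + 1))
    return _xor(data, ks[:len(data)])

def flip_bit(data: bytes, bit: int) -> bytes:
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def damaged_bits_per_block(plain: bytes, key: bytes, bit: int) -> dict:
    # Flip one ciphertext bit, decrypt, and count wrong plaintext bits per block
    iv = bytes(BLOCK)  # constructed fixed IV so the run is repeatable
    cbc = cbc_decrypt(flip_bit(cbc_encrypt(plain, key, iv), bit), key, iv)
    stm = stream_crypt(flip_bit(stream_crypt(plain, key), bit), key)
    bits = lambda p: [sum(bin(x ^ y).count("1") for x, y in zip(p[i:i + BLOCK], plain[i:i + BLOCK]))
                      for i in range(0, len(plain), BLOCK)]
    return {"block_cipher_cbc": bits(cbc), "stream_cipher": bits(stm)}
```

In CBC the block containing the error is fully garbled and the next block gets exactly one flipped bit, while the stream cipher damages exactly the one bit that was hit on the air.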
Authentication & Encryption
• 1 & 2. IMSI
• 3. Kc = A8(RAND, Ki) (encryption algorithm); XRES = A3(RAND, Ki) (authentication …)
• 5. The mobile computes Kc and SRES from RAND and Ki
• 6. A5 encrypts with the shared symmetric key Kc
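The challenge-response flow of the Authentication slide and the Kc derivation above, as an added Python example that is not part of the original presentation: HMAC-SHA256 stands in for A3 and A8 (it is not COMP128), the HLR hands the visited network a (RAND, XRES, Kc) triplet and the base station does the SRES comparison, and a final helper shows the lack of replay protection named in the conclusions. The IMSI and the reused RAND are constructed values.

```python
import hmac, hashlib, os

def a3(rand: bytes, ki: bytes) -> bytes:
    # Stand-in for A3: 32-bit signed response (SRES on the mobile, XRES in the HLR)
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand: bytes, ki: bytes) -> bytes:
    # Stand-in for A8: 64-bit session key Kc
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class HLR:
    """Home location register: holds each subscriber's Ki, which never leaves it."""
    def __init__(self):
        self._keys = {}  # IMSI -> Ki

    def provision(self, imsi: str) -> bytes:
        ki = os.urandom(16)  # 128-bit Ki, also written into the SIM at issue time
        self._keys[imsi] = ki
        return ki

    def triplet(self, imsi: str, rand: bytes = None):
        # Authentication triplet handed to the visited network: (RAND, XRES, Kc)
        ki = self._keys[imsi]
        rand = rand or os.urandom(16)
        return rand, a3(rand, ki), a8(rand, ki)

class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes):
        # Mobile side: SRES and Kc from RAND and its own Ki; it cannot tell
        # whether RAND came from a genuine network (no mutual authentication)
        return a3(rand, self.ki), a8(rand, self.ki)

def authenticate(hlr: HLR, sim: SIM, rand: bytes = None):
    # Base station role: send the mobile's IMSI to the HLR, challenge the
    # mobile with RAND, and accept if SRES matches XRES. Returns (accepted, Kc).
    rand, xres, kc = hlr.triplet(sim.imsi, rand)
    sres, _ = sim.respond(rand)
    return hmac.compare_digest(sres, xres), kc

def replay_yields_same_kc(hlr: HLR, sim: SIM) -> bool:
    # No freshness check on the mobile: replaying a RAND reproduces the same Kc
    rand = bytes(range(16))  # constructed RAND, reused twice
    ok1, kc1 = authenticate(hlr, sim, rand)
    ok2, kc2 = authenticate(hlr, sim, rand)
    return ok1 and ok2 and kc1 == kc2
```

A second SIM object built with the same Ki is accepted exactly like the original, which is why the whole scheme stands or falls on Ki staying secret.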
GSM Security Flaws
• There are cryptographic flaws
• There are protocol flaws as well
• Attacks on GSM are due to invalid security assumptions made by the original designers of GSM
GSM Security Flaws: Crypto Flaws
• A3 and A8 both rely on a hash function known as COMP128, which can be broken with 150,000 chosen plaintexts
• A seller can determine Ki before selling the SIM and clone it later
GSM Security Flaws: Invalid Assumptions
• A GSM phone call is encrypted between the mobile and the base station, but not from the base station to the base station controller
• Nowadays the link between the BS and the BSC is a microwave link
• Since microwave is a wireless medium, it is possible for an attacker to eavesdrop on unprotected calls over this link
GSM Security Flaws: SIM Attacks
• Ki is the concern here
• In one attack, known as optical fault induction, an attacker could force a SIM card to divulge its Ki using an ordinary flashbulb [209]
• Partitioning attacks
GSM Security Flaws: Fake Base Station
• 1st: There is no mutual authentication
• 2nd: The BS decides whether or not to encrypt the voice traffic
GSM Conclusions
• GSM is a security failure, though it is certainly a commercial success
• But GSM achieved its security design goals relative to the PSTN
• First goal: eliminate cloning and be as secure as the PSTN
• Second goal: the GSM air interface has the fake base station problem, but the PSTN has wiretapping
• The real problem with GSM security is that the initial design goals were too limited
• The major insecurities in GSM include weak crypto, SIM issues, the fake base station attack, and a total lack of replay protection
Thank You! Comments.