Security Of Wireless Networks - Ethz.ch


Security of Wireless Networks
Srdjan Čapkun, Department of Computer Science, ETH Zurich
Some material adapted from Hubaux, Buttyan, "Security and Cooperation in Wireless Networks"

Network Access: GSM/UMTS

GSM
GSM (Global System for Mobile Communications) is still the most widely used cellular standard
- 600 million users, mostly in Europe and Asia; limited coverage and support in the USA
- Based on TDMA radio access and PCM trunking
- Uses SS7 signalling with mobile-specific extensions
- Provides authentication and encryption capabilities
- Third generation (3G) and future (4G)
Security of Wireless Networks, AS 2010

GSM
- 900 MHz (or 1800 MHz) band
  - uplink frequency band 890-915 MHz
  - downlink frequency band 935-960 MHz
  - 25 MHz subdivided into 124 carrier frequency channels, each 200 kHz apart
- Time division multiplexing (TDMA) allows 8 speech channels per radio frequency channel
- Channel data rate is 270.833 kbps
- Voice transmitted at 13 kbps
- Handset power max. 2 watts in GSM850/900 and 1 watt in GSM1800/1900
- Cell size up to 35 km

GSM Architecture
- Mobile Stations: subscriber and terminal equipment
- Base Station Subsystem
- Network Management
  - HLR: Home Location Register
  - VLR: Visitor Location Register
  - AC: Authentication Center
  - EIR: Equipment Identity Register
- MSC (Mobile Switching Center) sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call, and takes care of charging and real-time pre-paid account monitoring.

GSM Security Goals
Operators
- Bill the right people
- Avoid fraud
- Protect services
Customers
- Privacy
- Anonymity
Make a system at least as secure as the PSTN?

GSM Security Goals
- Confidentiality and anonymity on the radio path
- Strong client authentication to protect the operator against billing fraud
- Prevention of operators from compromising each other's security, whether inadvertently or under competition pressure

... my grandgrandma.
Two issues:
- Talking for free: how do you prove that you are a customer of a network?
- Talking at someone else's expense: how do you distinguish between two customers?
We need a way to distinguish between users (authentication).

SIM (Subscriber Identification Module)
- Smart card: a single-chip computer containing OS, file system, applications
- Owned by the operator (i.e. trusted)

SIM Cards
Typical specification
- 8-bit CPU
- 16 K ROM
- 256 bytes RAM
- 4 K EEPROM
- Cost: 5-50
Smart card technology
- Based on ISO 7816, defining card size, contact layout, electrical characteristics
- I/O protocols: byte/block based
- File structure

GSM Mobile
Mobile Equipment (ME)
- Physical mobile device
- Identifiers: IMEI (International Mobile Equipment Identity)
Subscriber Identity Module (SIM)
- Smart card containing keys, identifiers and algorithms
- Identifiers:
  - Ki: Subscriber Authentication Key
  - IMSI: International Mobile Subscriber Identity
  - TMSI: Temporary Mobile Subscriber Identity
  - MSISDN: Mobile Station International Service Digital Network
  - PIN: Personal Identity Number protecting a SIM
  - LAI: Location Area Identity

The Key is in the Card
Ki: Subscriber Authentication Key
- Shared 128-bit key used for authentication of the subscriber by the operator
Key storage
- Subscriber's SIM (owned by the operator, i.e. trusted)
- Operator's Home Location Register (HLR) of the subscriber's home network

GSM User Authentication (diagram: mobile phone, radio link, GSM operator)
- The operator sends the challenge RAND to the mobile phone
- The SIM computes SRES = A3(Ki, RAND) and returns the signed response SRES over the radio link
- The operator computes A3(Ki, RAND) with its own copy of Ki; authentication: are the SRES values equal?
- Both sides derive the session key Kc = A8(Ki, RAND)
- A5, fed with Kc and the frame number Fn, produces the keystream that turns data mi into encrypted data

GSM User Authentication
AuC (Authentication Center)
- Provides parameters for the authentication and encryption functions (RAND, SRES, Kc)
HLR (Home Location Register)
- Provides the MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)
- Handles MS location
VLR (Visitor Location Register)
- Stores the triples generated by the HLR when a subscriber is not in his home network
- One operator does not have access to the subscriber keys of another operator.

A3 and A8 (Authentication and Session Key)
- Both the A3 and A8 algorithms are implemented on the SIM
- The operator can decide which algorithms to use; the algorithm implementation is independent of HW and operators
- A8 was never made public
A3: RAND (128 bit), Ki (128 bit) -> SRES (32 bit)
A8: RAND (128 bit), Ki (128 bit) -> Kc (64 bit)
Logical implementation of A3 and A8: COMP128
- COMP128 is a keyed hash function with 128-bit output: RAND (128 bit), Ki (128 bit) -> SRES (32 bit) and Kc (54 bit)

A5 (Confidentiality)
- A5 is a stream cipher, implemented very efficiently in hardware
- The design was never made public; it leaked to Ross Anderson and Bruce Schneier
- Variants: A5/1 (the strong version), A5/2 (the weak version), A5/3
  - A5/3: GSM Association Security Group and 3GPP design, based on the Kasumi algorithm used in 3G mobile systems
Diagram (Mobile Station and BTS): Kc (64 bit) and frame number Fn (22 bit) -> A5 -> 114-bit keystream; Data (114 bit) XOR keystream = Ciphertext (114 bit); the receiver XORs the same keystream to recover Data (114 bit)
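The challenge-response flow of the last three slides, as an added Python model (not code from the lecture): a keyed hash stands in for COMP128/A3/A8 and for A5, and the names hlr_make_triple, a5_keystream and run_auth are this example's own. What it keeps faithful is the data flow: only (RAND, SRES, Kc) leaves the HLR, Ki never leaves the SIM or HLR, Kc carries 54 effective bits, and each 114-bit burst is XORed with a keystream that depends on Kc and the 22-bit frame number.

```python
import hashlib
import hmac
import secrets

# Stand-in for COMP128 (the real A3/A8 is not reproduced): a keyed hash of RAND under Ki,
# split into SRES (32 bit) and Kc (64 bit). As the slides note, COMP128 yields only 54 key
# bits, so the 10 low bits of Kc are forced to zero here as well.
def a3_a8(ki: bytes, rand: bytes) -> tuple:
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = out[:4]                                        # A3 output: 32-bit signed response
    kc = out[4:10] + bytes([out[10] & 0xFC]) + b"\x00"    # A8 output: 54 effective bits of 64
    return sres, kc

def hlr_make_triple(ki: bytes) -> tuple:
    """AuC/HLR side: fresh RAND plus the expected SRES and Kc, handed to the MSC/VLR."""
    rand = secrets.token_bytes(16)                        # 128-bit challenge
    sres, kc = a3_a8(ki, rand)
    return rand, sres, kc

def a5_keystream(kc: bytes, fn: int) -> int:
    """Stand-in for A5: 114 keystream bits derived from Kc and the 22-bit frame number Fn."""
    assert 0 <= fn < 2 ** 22
    ks = hmac.new(kc, fn.to_bytes(3, "big"), hashlib.sha256).digest()[:15]
    return int.from_bytes(ks, "big") >> 6                 # 120 bits -> 114 bits

def a5_xor(kc: bytes, fn: int, burst: int) -> int:
    """Encrypt or decrypt one 114-bit burst: XOR with that frame's keystream."""
    return burst ^ a5_keystream(kc, fn)

def run_auth(ki_hlr: bytes, ki_sim: bytes) -> tuple:
    """Challenge-response: the VLR only sees the triple, never Ki; the SIM never reveals Ki."""
    rand, xsres, kc_net = hlr_make_triple(ki_hlr)
    sres, kc_ms = a3_a8(ki_sim, rand)                     # computed on the SIM
    return hmac.compare_digest(sres, xsres), kc_net, kc_ms
```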

Attack History (Authentication and Confidentiality)
- 1991: First GSM implementation.
- April 1998: The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in the SIM and succeeded in getting Ki within several hours. They discovered that Kc uses only 54 bits.
- August 1999: The weak A5/2 was cracked using a single PC within seconds.
- December 1999: Alex Biryukov, Adi Shamir and David Wagner published the scheme breaking the strong A5/1 algorithm. With two minutes of intercepted call, the attack time was only 1 second.
- May 2002:

Attack: Extracting the Key from the SIM Card
Attack goal
- Ki stored on the SIM card
- Knowing Ki it is possible to clone the SIM
Cardinal Principle
- Relevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitive information.
Attack idea
- Find a violation of the Cardinal Principle, i.e. side channels whose signals do depend on inputs, outputs and sensitive information
- Try to exploit the statistical dependency in the signals to extract sensitive information

Attack: Extracting the Key from the SIM Card
[Figure: Input -> Crypto Processing -> Output, with Sensitive Information inside the processing]

Attack: Extracting the Key from the SIM Card
Side Channel Attacks
[Figure: Input -> Crypto Processing -> Output; side channels leak from the processing of Sensitive Information]
Side channels
- Power consumption
- Electromagnetic radiation
- Timing
- Errors
- Etc.

Attack: Fake BS
- IMSI catcher by law enforcement
- Intercept mobile-originated calls
- Can be used for over-the-air cloning
Used to be ...
Today: USRP, OpenBTS

Signaling Security
Mobile networks primarily use Signaling System no. 7 (SS7) for communication between networks for such activities as authentication, location update, supplementary services and call control. The messages unique to mobile communications are MAP messages.
The security of the global SS7 network as a transport system for signaling messages (e.g. authentication and supplementary services such as call forwarding) is open to major compromise.
The problem with the current SS7 system is that messages can be altered, injected or deleted in the global SS7 networks in an uncontrolled manner.

Low Tech Fraud
Frauds
- Call forwarding to premium-rate numbers
- Bogus registration details
- Roaming fraud
- Terminal theft
- Multiple forwarding, conference calls
Countermeasures: watch for
- Multiple calls at the same time
- Large variations in revenue being paid to other parties
- Large variations in the duration of calls
- Changes in customer usage
- Monitor the usage of a customer closely during a 'probationary period'
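Two of the countermeasures above, run over a handful of constructed call detail records, as an added example that is not part of the lecture: one handset cannot hold two calls at once, so overlapping calls per subscriber are flagged, and minutes to premium-rate destinations are summed so a spike in revenue paid to other parties stands out. The CDR format, the numbers and the premium prefix are all assumptions of this example.

```python
from datetime import datetime

# Constructed CDR lines: subscriber, call start, call end, dialled destination
CDR_LINES = """\
4179000001,2010-10-01T10:00:00,2010-10-01T10:05:00,+41445551234
4179000001,2010-10-01T10:02:00,2010-10-01T10:20:00,+41900123456
4179000002,2010-10-01T11:00:00,2010-10-01T11:01:00,+41445550000
4179000001,2010-10-01T12:00:00,2010-10-01T12:01:00,+41445550000
""".splitlines()

PREMIUM_PREFIXES = ("+41900",)   # assumed premium-rate prefix for this example

def parse(lines):
    rows = []
    for line in lines:
        sub, start, end, dest = line.split(",")
        rows.append((sub, datetime.fromisoformat(start), datetime.fromisoformat(end), dest))
    return rows

def simultaneous_calls(rows):
    """Subscribers with overlapping calls: a cloned SIM or forwarding loop shows up here."""
    by_sub = {}
    for sub, start, end, _ in rows:
        by_sub.setdefault(sub, []).append((start, end))
    flagged = set()
    for sub, calls in by_sub.items():
        calls.sort()
        for (_, end1), (start2, _) in zip(calls, calls[1:]):
            if start2 < end1:            # next call starts before the previous one ended
                flagged.add(sub)
    return flagged

def premium_minutes(rows):
    """Minutes per subscriber to premium-rate numbers (revenue paid to other parties)."""
    minutes = {}
    for sub, start, end, dest in rows:
        if dest.startswith(PREMIUM_PREFIXES):
            minutes[sub] = minutes.get(sub, 0.0) + (end - start).total_seconds() / 60
    return minutes
```

In a probationary-period check these two functions would be run per day and compared against the subscriber's own baseline rather than a fixed threshold.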

Network Access: GSM/UMTS

UMTS
UMTS (Universal Mobile Telecommunications System)
- Uses W-CDMA, 1885-2025 MHz for the mobile-to-base (uplink) and 2110-2200 MHz for the base-to-mobile (downlink)
- Supports up to 14 Mbps (in theory, with HSDPA); users in deployed networks can expect up to 384 kbit/s for R99 handsets and 3.6 Mbit/s for High-Speed Downlink Packet Access (HSDPA) handsets

UMTS Security
Reuse of 2nd generation security principles (GSM):
- Removable hardware security module: in GSM the SIM card, in 3GPP the USIM (User Services Identity Module)
- Radio interface encryption
- Limited trust in the Visited Network
- Protection of the identity of the end user
Correction of the following weaknesses of the previous generation:
- Attacks from a faked base station
- Cipher keys and authentication data transmitted in clear between and within networks
- Encryption not used in some networks
- Data integrity not provided

UMTS Authentication (with a Visited Network)
Parties: Mobile Station (holds the user's secret key K), Visited Network, Home Environment (holds K and the sequence number SQN)
- The Home Environment generates cryptographic material (authentication vectors) from K, SQN and RAND(i) and sends it to the Visited Network
- The Visited Network sends the user authentication request (IMSI/TMSI, RAND(i), AUTN(i)) to the Mobile Station
- The Mobile Station verifies AUTN(i), computes RES(i) and returns the user authentication response RES(i); it also computes CK(i) and IK(i)
- The Visited Network compares RES(i) and XRES(i) and selects CK(i) and IK(i)

Generation of Authentication Vectors (by the Home Environment)
- Generate SQN and generate RAND
- K, RAND, SQN and AMF are fed through f1, f2, f3, f4 and f5, yielding MAC, XRES, CK, IK and AK
- Authentication token: AUTN = (SQN ⊕ AK) || AMF || MAC
- Authentication vector: AV = RAND || XRES || CK || IK || AUTN
- AMF: Authentication and Key Management Field

User Authentication Functions in USIM
- Inputs: AUTN (= (SQN ⊕ AK) || AMF || MAC), RAND and K
- f5(K, RAND) = AK; SQN is recovered as (SQN ⊕ AK) ⊕ AK
- f1(K, SQN || RAND || AMF) = XMAC (expected MAC)
- f2(K, RAND) = RES (result); f3(K, RAND) = CK (cipher key); f4(K, RAND) = IK (integrity key)
- Verify MAC = XMAC
- Verify that SQN is in the correct range
USIM: User Services Identity Module

More About Authentication and Key Generation
- In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).
- f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
- However, 3GPP provides a detailed example algorithm set, called MILENAGE
- MILENAGE is based on the Rijndael block cipher
- In MILENAGE, the generation of all seven functions f1 ... f5* is based on the Rijndael algorithm
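The AKA exchange of the last four slides (vector generation in the Home Environment, AUTN verification in the USIM, RES/XRES comparison in the Visited Network), as an added Python model that is not the lecture's or 3GPP's code. Since f1 ... f5 are operator-specific and MILENAGE is not reproduced here, a keyed hash under K with a per-function tag stands in for them; the output sizes, the AUTN/AV layout and the two USIM checks (MAC = XMAC, SQN in range) follow the slides, and the acceptance window of 32 is an assumed value.

```python
import hashlib
import hmac
import secrets

# Stand-in for the operator-specific f1..f5: keyed hash under K, domain-separated by a
# one-byte tag and truncated to the 3GPP sizes used below.
def f(tag: int, k: bytes, data: bytes, nbytes: int) -> bytes:
    return hmac.new(k, bytes([tag]) + data, hashlib.sha256).digest()[:nbytes]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def he_generate_av(k: bytes, sqn: bytes, amf: bytes) -> tuple:
    """Home Environment: AV = RAND || XRES || CK || IK || AUTN for one authentication."""
    rand = secrets.token_bytes(16)
    mac  = f(1, k, sqn + rand + amf, 8)      # f1 -> MAC (64 bit)
    xres = f(2, k, rand, 8)                  # f2 -> XRES
    ck   = f(3, k, rand, 16)                 # f3 -> CK (128 bit)
    ik   = f(4, k, rand, 16)                 # f4 -> IK (128 bit)
    ak   = f(5, k, rand, 6)                  # f5 -> AK (48 bit), hides SQN on the air
    autn = xor(sqn, ak) + amf + mac          # AUTN = (SQN xor AK) || AMF || MAC
    return rand, xres, ck, ik, autn

def usim_authenticate(k: bytes, sqn_ms: int, rand: bytes, autn: bytes, window: int = 32):
    """USIM: returns (status, RES, CK, IK, new highest SQN); keys only after both checks pass."""
    conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(conc, f(5, k, rand, 6))        # recover SQN with AK
    xmac = f(1, k, sqn + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):   # fake network or corrupted AUTN
        return "MAC failure", None, None, None, sqn_ms
    sqn_int = int.from_bytes(sqn, "big")
    if not (sqn_ms < sqn_int <= sqn_ms + window):   # replay or desync -> f1*/f5* resync path
        return "synchronisation failure", None, None, None, sqn_ms
    return "ok", f(2, k, rand, 8), f(3, k, rand, 16), f(4, k, rand, 16), sqn_int

def visited_network_check(res: bytes, xres: bytes) -> bool:
    """Visited Network: compare RES with XRES from the vector; it never learns K."""
    return hmac.compare_digest(res, xres)
```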

Authentication and Key Generation Functions (f1 ... f5*): MILENAGE diagram
- Inputs: RAND, SQN || AMF, OP (operator-specific parameter) and K
- OPc is derived from OP with E_K; E_K is the Rijndael block cipher with 128-bit text input and 128-bit key
- RAND ⊕ OPc is encrypted with E_K; the result, XORed with OPc (and with SQN || AMF for f1), is rotated by r_i, a constant c_i is added, the block is encrypted again with E_K and XORed with OPc:
  - rotate by r1, add c1 -> f1 and f1*
  - rotate by r2, add c2 -> f2 and f5
  - rotate by r3, add c3 -> f3
  - rotate by r4, add c4 -> f4
  - rotate by r5, add c5 -> f5*
- r1, ..., r5: fixed rotation constants; c1, ..., c5: fixed addition constants

Signaling Integrity Protection
- Sender (Mobile Station or Radio Network Controller): the signalling message, COUNT, FRESH, DIRECTION and IK go into f9, which produces MAC-I; MAC-I is sent along with the message
- Receiver (Radio Network Controller or Mobile Station): recomputes XMAC-I with f9 over the received message and compares it with MAC-I
- FRESH: random input

f9 integrity function
- PS (padded string): COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0...0, padded with a single 1 bit and zeros to a multiple of 64 bits
- Each 64-bit block of PS is XORed with the previous KASUMI output and encrypted with KASUMI under IK (a chain); the outputs of all blocks are XORed together
- The XOR sum is encrypted once more with KASUMI under IK ⊕ KM (KM: Key Modifier)
- MAC-I = left 32 bits of the result
- KASUMI: block cipher (64-bit input, 64-bit output; key: 128 bits)

[Diagram: ciphering with f8]
- Sender (Mobile Station or Radio Network Controller): KEYSTREAM BLOCK ⊕ PLAINTEXT BLOCK = CIPHERTEXT BLOCK
- Receiver (Radio Network Controller or Mobile Station): KEYSTREAM BLOCK ⊕ CIPHERTEXT BLOCK = PLAINTEXT BLOCK
- BEARER: radio bearer identifier
- COUNT-C: ciphering sequence counter

f8 keystream generator
- Register A = KASUMI under CK ⊕ KM of (COUNT || BEARER || DIRECTION || 0...0) (KM: Key Modifier)
- For BLKCNT = 0, 1, 2, ..., BLOCKS-1: keystream block = KASUMI under CK of (A ⊕ BLKCNT ⊕ previous keystream block)
- BLKCNT 0 -> KS[0] ... KS[63]; BLKCNT 1 -> KS[64] ... KS[127]; BLKCNT 2 -> KS[128] ... KS[191]; ...
- KS: Keystream
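The f8 and f9 constructions of the last three slides, as an added Python model (not the lecture's or 3GPP's code): KASUMI itself is not reproduced, so a keyed hash truncated to 64 bits stands in for it, but the register/BLKCNT chaining of f8, the padded-string chain and final KM-keyed step of f9, and the 32-bit MAC-I are kept. The Key Modifier values (0x55.. for f8, 0xAA.. for f9) are taken from 3GPP TS 35.201 and the bit layout of the f8 initial block is this example's assumption.

```python
import hashlib
import hmac

KM_F8 = bytes([0x55]) * 16   # Key Modifier for f8 (3GPP TS 35.201)
KM_F9 = bytes([0xAA]) * 16   # Key Modifier for f9

def kasumi_stub(key: bytes, x: bytes) -> bytes:
    """Stand-in for KASUMI (64-bit block, 128-bit key): keyed hash truncated to 8 bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f8_keystream(ck: bytes, count_c: int, bearer: int, direction: int, nbytes: int) -> bytes:
    # Register A = KASUMI_{CK xor KM}(COUNT-C(32) || BEARER(5) || DIRECTION(1) || 0...0)
    init = ((count_c << 32) | (bearer << 27) | (direction << 26)).to_bytes(8, "big")
    a = kasumi_stub(xor(ck, KM_F8), init)
    ks, prev = b"", bytes(8)
    for blkcnt in range((nbytes + 7) // 8):
        # KS block = KASUMI_CK(A xor BLKCNT xor previous KS block)
        prev = kasumi_stub(ck, xor(xor(a, prev), blkcnt.to_bytes(8, "big")))
        ks += prev
    return ks[:nbytes]

def f8_crypt(ck: bytes, count_c: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, f8_keystream(ck, count_c, bearer, direction, len(data)))

def f9_mac(ik: bytes, count_i: int, fresh: int, direction: int, message: bytes) -> bytes:
    # PS = COUNT-I || FRESH || MESSAGE || DIRECTION || 1 || 0...0, padded to 64-bit blocks
    ps = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message
    ps += bytes([(direction << 7) | 0x40])
    ps += bytes(-len(ps) % 8)
    a, b = bytes(8), bytes(8)
    for i in range(0, len(ps), 8):
        a = kasumi_stub(ik, xor(a, ps[i:i + 8]))   # chained under IK
        b = xor(b, a)                              # XOR of all chained outputs
    return kasumi_stub(xor(ik, KM_F9), b)[:4]      # MAC-I = left 32 bits

def f9_verify(ik: bytes, count_i: int, fresh: int, direction: int, message: bytes, mac_i: bytes) -> bool:
    """Receiver side: recompute XMAC-I and compare with the received MAC-I."""
    return hmac.compare_digest(f9_mac(ik, count_i, fresh, direction, message), mac_i)
```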

Conclusion on UMTS Security
- Some improvement with respect to the 2nd generation
- Cryptographic algorithms are published
- Integrity of the signaling messages is protected
- Quite conservative solution
- 2nd/3rd generation interoperation will be complicated and might open security breaches
- All that can happen to a fixed host attached to the Internet could happen to a 3G terminal
- Privacy/anonymity of the user not completely protected: the IMSI is sent in cleartext when the user registers for the first time in the serving network (a trusted third party can be a solution)
- A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the SN
- Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up

Other Topics
- DoS attacks, SMS security, ...
  Reference: P. Traynor, P. McDaniel and T. La Porta, Security for Telecommunications Networks. Springer, Series: Advances in Information Security, August 2008. ISBN: 978-0-387-72441-6. Freely available via the ETH library (Springer).
- Modern mobile phone system security (Android/iOS/Symbian, ...)

SS7 (elp-36225)
SS7 security
[Two figure slides; only the titles and a truncated link fragment survive]
