Mobile Communications, Lecture-8: Mobile Security Fundamentals-3 (W. Adi, 11.08.03 – v4)
Advanced Encryption Standard (AES)
- Proposed for 3G mobile authentication functions
- International standard competition managed by NIST (US National Institute of Science and Technology), 1998-2001
- AES winner algorithm: the Rijndael block cipher, decision Oct. 2000
AES Round-3 Finalist Algorithms (finalized in 2001)
- MARS: IBM (USA)
- RC6: R. Rivest (MIT), creator of the widely used RC4 (USA)
- Twofish: Counterpane Internet Security, Inc. (USA)
- Serpent: Ross Anderson, Eli Biham and Lars Knudsen (USA)
- Rijndael: designed by J. Daemen and V. Rijmen (Belgium): Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven)
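Rijndael: Basic concept
[Figure: the key enters Key Expansion, which produces the round keys K1, K2, ..., K9, K10; the input X passes through the 10 encryption rounds R1 … R10, fed by the round keys, to give the output Y.]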
Rijndael: Basic Encryption Round Functions
- Byte sub: each byte a1, a2, a3 .. a16 (8 bits) is mapped to b1, b2, b3 .. b16 by $b = [M]\,a^{-1} + C$. The only non-linear mapping!
- Transposition (A is 4x32 bits)
- Mix column: linear mapping $B = [C]\,A$
- Round-key addition (+): Round-Key Ki = 128 bits
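The byte-substitution formula b = [M] a^-1 + C from this slide, worked through as an added example that is not part of the original lecture: it builds the AES S-box from the inverse in GF(2^8) followed by the affine step, then checks that the affine step alone is affine while the full S-box is not. The matrix M (written as bit rotations), the constant C = 0x63 and the field polynomial 0x11B are taken from the published AES specification; the slide does not list them.

```python
# Added example: derive the AES S-box from b = [M] a^-1 + C.
# M (as bit rotations) and C = 0x63 come from the AES specification,
# not from the slide.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """a^-1 computed as a^254; 0 has no inverse and maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine(x):
    """The linear-plus-constant step [M] x + C over GF(2)."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63

def sbox(a):
    return affine(gf_inv(a))

SBOX = [sbox(a) for a in range(256)]

def is_affine(table):
    """True if f(a ^ b) == f(a) ^ f(b) ^ f(0) for all byte pairs."""
    return all(table[a ^ b] == table[a] ^ table[b] ^ table[0]
               for a in range(256) for b in range(256))

if __name__ == "__main__":
    print("S(0x00) =", hex(SBOX[0x00]), " S(0x53) =", hex(SBOX[0x53]))
    print("affine step alone is affine:", is_affine([affine(x) for x in range(256)]))
    print("full S-box is affine:", is_affine(SBOX))
```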
Security of AES/Rijndael
- Published to the scientific community in 1998
- Is still not broken!!
- No proof that Rijndael cannot be broken!!
Important Lessons in Security Business
2nd Generation security lessons: experts learned over the years that the only way to assure security is:
- follow an open design process
- encourage public scientific review
Nobody is better than the rest of the research community.
New 3G Security Features 1/2
- Network Authentication: the user can provably identify the network
- Network Security: mechanisms to support security within and between networks
- Switch Based Security: more secrecy, switch based rather than only to base station
- IMEI Integrity: integrity mechanisms for IMEI provided from login
- Secure Services: protect against misuse of services provided by Service Network and Home Environment
New 3G Security Features 2/2
- Secure Applications: provide security for applications resident on USIM
- Fraud Detection: mechanisms for combating fraud in roaming situations
- Flexibility: security features can be extended and enhanced as required by new threats and services
- Visibility and Configurability: users are notified whether security is on and what level of security is available. Users can configure security features for individual services
- Lawful Interception: mechanisms to provide authorized agencies with certain information about subscribers
3G User Confidentiality
- Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping
- Achieved by use of a temporary identity (TMSI), which is assigned by the VLR (IMSI is sent in clear text when establishing TMSI)
[Figure: Mobile, Network, Visiting Location Register]
Mutual Authentication Mechanism 1/2
- During Authentication and Key Agreement (AKA) the user and network authenticate each other, and they also agree on the cipher and integrity keys (CK, IK).
- CK and IK are used until their time expires.
- Assumption: trusted HE and SN, and trusted links between them.
- After AKA, security mode must be negotiated to agree on the encryption and integrity algorithm.
3G Mutual Authentication Mechanism 2/2
[Figures: generation of authentication data at “Mobile” site; generation of authentication data at “Home Network” site. Figure labels: Authentication Token, AES.]
- K: subscriber secret key
- SQN: Sequence Number
- AK: Authentication Key
- CK: Cipher Key
- IK: Integrity Key
- MAC: Message Authentication Code
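The mutual authentication exchange from the two AKA slides, as an added example that is not part of the original lecture: the home network builds the authentication token from K and SQN, and the mobile checks MAC and SQN before it answers and derives CK and IK. Assumptions: HMAC-SHA256 stands in for the real key-derivation functions (labelled f1 to f5 here), the token omits the AMF field, and RAND, RES and XRES are the standard challenge and response names, which the slides do not show.

```python
# Added example: 3G AKA message flow with stand-in derivation functions.
import hashlib
import hmac

def f(k, label, data, n):
    """Stand-in for the functions f1..f5 (assumption: HMAC-SHA256, truncated)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def home_network_vector(k, sqn, rand):
    """Home network: derive the authentication vector for one challenge."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b + rand, 8)      # binds SQN and RAND to K
    ak = f(k, b"f5", rand, 6)               # masks SQN inside the token
    return {
        "rand": rand,
        "autn": xor(sqn_b, ak) + mac,       # Authentication Token (simplified)
        "xres": f(k, b"f2", rand, 8),       # response the network expects
        "ck": f(k, b"f3", rand, 16),
        "ik": f(k, b"f4", rand, 16),
    }

def mobile_respond(k, highest_sqn, rand, autn):
    """Mobile: authenticate the network first, then answer the challenge."""
    ak = f(k, b"f5", rand, 6)
    sqn_b = xor(autn[:6], ak)
    if not hmac.compare_digest(f(k, b"f1", sqn_b + rand, 8), autn[6:]):
        raise ValueError("MAC mismatch: token was not built with K")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= highest_sqn:
        raise ValueError("SQN not fresh: token was seen before")
    return {"res": f(k, b"f2", rand, 8), "ck": f(k, b"f3", rand, 16),
            "ik": f(k, b"f4", rand, 16), "sqn": sqn}

if __name__ == "__main__":
    K = bytes(range(16))                    # constructed subscriber key
    av = home_network_vector(K, sqn=42, rand=bytes(16))
    out = mobile_respond(K, 41, av["rand"], av["autn"])
    print("network accepts mobile:", hmac.compare_digest(out["res"], av["xres"]))
    print("same CK/IK:", out["ck"] == av["ck"] and out["ik"] == av["ik"])
```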
3G Data Integrity Mechanism
- Integrity of data and source authentication of signaling data must be provided.
- The user and network agree on integrity key IK and algorithm during AKA and security mode set-up
[Figure: integrity check using KASUMI; message authentic if equal]
3G Data Encryption Mechanism
Data Confidentiality
- Signaling and user data should be protected from eavesdropping.
- The user and network agree on cipher key CK and algorithm during AKA and security mode set-up
[Figure: encryption using KASUMI]
Problems with 3G Security
- IMSI is sent in clear text when allocating TMSI to the user
- The transmission of IMEI is not protected; equipment identity is still not secured
- A user can be brought to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the network
- Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up
Public Key Cryptography
Fundamentals of Public Key Cryptography
- Published 1976 by Diffie & Hellman at Stanford University
- Breakthrough: proved for the first time that it is possible to share secrets without secret agreement
- Many 3G mobile security applications in the user layer are expected to employ public key cryptography (mobile commerce, mobile IP applications ...)
Secret Key Cryptography (Symmetric System)
K-open = K-close
- Open and close with the same key!!
- Secret key agreement required
Public-Key Secrecy Systems
K-open, K-secret
- Open and close with different keys!!
- No secret key agreement required
Two major schemes in public key cryptography:
- Diffie-Hellman public key exchange scheme
- RSA public key secrecy system
Public-Key Cryptography Breakthrough 1976 (Diffie-Hellman)
Shared secret without exchange of secrets: “Mechanical Scenario”
[Figure labels: Open Register; users A and B; Secret key-A, Secret key-B; injection; SHIELD; "! Same thing !"; Shared Secret]
How to “publicly” hide (shield) a secret?
- SHIELD = One Way Function (commutative!)
- Secret 6, shielded secret 9
- How: $2^6 \bmod 11 = 9$
- $\log_2 9 \pmod{11} = 6$
- Discrete logarithm: no formula is known to compute $\log_2$ modulo 11!
Example for Diffie-Hellman key exchange scheme 1976
Widely used in internet and banking ...
Open agreement and register: shielding function is $y = 5^x \bmod 7$
- User A: Secret key-A = 3, K-open-A = 6 ($5^3 \bmod 7 = 6$)
- User B: Secret key-B = 5, K-open-B = 3 ($5^5 \bmod 7 = 3$)
- A shields K-open-B with its own secret: $(5^5)^3 = 3^3$; B shields K-open-A with its own secret: $(5^3)^5 = 6^5$
- $5^{5 \cdot 3} = 5^{3 \cdot 5}$: same thing!
- Shared secret: Z = 6
Basic Public Key Secrecy System (RSA system)
(Mechanical simulation: user B wants secured message from A)
- User A, User B, public register; close key $K_c$, open key $K_o = K_c^{-1}$
- Close: $M^{K_c} \pmod m$
- Open: $(M^{K_c})^{K_o} = M^{K_c \cdot K_o} = M$
Mathematical Model of a Public-Key Crypto-system (using asymmetric keys)
[Figure: the sender encrypts message X with the public key Zp from the public directory, Y = E(Zp, X); Y crosses the channel; the receiver applies D(Zs, Y) with the secret key Zs to obtain message X.]
Cryptographic Protocols
No Key Cryptography: Shamir 3-Pass Protocol
[Figure: User A and User B exchange a locked message in three passes: Pass 1 carries A's lock, Pass 2 carries the locks of A and B, Pass 3 carries B's lock only.]
Omura-Massey Lock* for Shamir’s 3-Pass Protocol
Secrecy without Authenticity
- p = large prime; all computations modulo p
- User A: Ea = secret key, $D_a = E_a^{-1}$
- User B: Eb = secret key, $D_b = E_b^{-1}$
- Pass 1 (A to B): $M^{E_a}$
- Pass 2 (B to A): $(M^{E_a})^{E_b} = M^{E_a E_b}$
- Pass 3 (A to B): $(M^{E_a E_b})^{D_a} = M^{E_b}$
- User B opens: $(M^{E_b})^{D_b} = M$
* J.L. Massey & J. K. Omura, US Patent, 1986
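The three passes of the Omura-Massey lock, run end to end as an added example that is not part of the original lecture. Assumptions: the public prime is the Mersenne prime 2^127 - 1, the inverse D = E^-1 is taken modulo p - 1 (so that M^(E·D) = M mod p), and the message is restricted to 2..p-2 because 0, 1 and p-1 are not hidden by exponentiation.

```python
# Added example: Shamir's 3-pass protocol with the Omura-Massey lock.
import secrets
from math import gcd

P = 2**127 - 1   # public prime, chosen for this example

def keygen(p=P):
    """Pick a secret E coprime to p-1 and its inverse D = E^-1 mod (p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(m, key_a, key_b, p=P):
    """Return the three values seen on the channel and what B recovers."""
    if not 1 < m < p - 1:
        raise ValueError("message must lie in 2..p-2")
    (ea, da), (eb, db) = key_a, key_b
    pass1 = pow(m, ea, p)          # A -> B: M^Ea
    pass2 = pow(pass1, eb, p)      # B -> A: M^(Ea*Eb)
    pass3 = pow(pass2, da, p)      # A -> B: M^Eb, A's lock removed
    recovered = pow(pass3, db, p)  # B removes its own lock: M
    # No pass carries proof of who produced it: secrecy without authenticity.
    return (pass1, pass2, pass3), recovered

if __name__ == "__main__":
    m = int.from_bytes(b"session key 01", "big")   # constructed message
    wire, got = three_pass(m, keygen(), keygen())
    print("B recovered M:", got == m)
    print("M never on the channel:", m not in wire)
```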
Non-Perfect Secret Sharing
[Figure: the secret 1001010100 is cut into two parts, 10100 and 10010 (Part A, Part B); putting the two parts together gives back the secret 1001010100.]
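Perfect Secret Sharing
Example: share the secret 10100 between users A and B
- Random BSS output: 11101 (User A)
- Secret + random: 10100 + 11101 = 01001 (User B)
- Recombining: 11101 (User A) + 01001 (User B) = 10100, the common secret
(+ is bitwise addition modulo 2)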
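The difference between the non-perfect and the perfect scheme on the last two slides, as an added example that is not part of the original lecture: for each scheme it enumerates the secrets that remain possible for someone holding a single share. The function names are this example's own; the bit strings are the ones on the slides.

```python
# Added example: what one share reveals under each of the two schemes.
import secrets

def xor_split(secret):
    """Perfect scheme: share A is random, share B = secret XOR share A."""
    n = len(secret)
    a = secrets.randbits(n)
    return format(a, f"0{n}b"), format(a ^ int(secret, 2), f"0{n}b")

def xor_combine(a, b):
    return format(int(a, 2) ^ int(b, 2), f"0{len(a)}b")

def candidates_given_xor_share(share):
    """Secrets still possible for the holder of one XOR share."""
    n = len(share)
    out = set()
    for other in range(2 ** n):      # every value the missing share could take
        out.add(xor_combine(share, format(other, f"0{n}b")))
    return out

def candidates_given_half(part, total_bits):
    """Secrets still possible for the holder of the leading part of a cut secret."""
    rest = total_bits - len(part)
    return {part + format(r, f"0{rest}b") for r in range(2 ** rest)}

if __name__ == "__main__":
    print("slide shares recombine to:", xor_combine("11101", "01001"))
    print("XOR share leaves", len(candidates_given_xor_share("01001")),
          "of", 2 ** 5, "secrets possible")
    print("cut share leaves", len(candidates_given_half("10010", 10)),
          "of", 2 ** 10, "secrets possible")
```

With the XOR scheme one share rules out nothing, while the cut secret loses half of its bits to whoever holds one part.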