NATO Command, Control & Consultation Agency


Secure GSM: Introduction and NC3A Experiences
CIS Division, NATO Command, Control & Consultation Agency
pcs@nc3a.info
NATO UNCLASSIFIED
20 November 2018

Why GSM?
- GSM is global: networks in 140+ countries
- GSM is a standard: should be interoperable
- GSM supports data services: many data services, can be used for any type of communications
Some GSM data services:
- Data Synch. 9600 bps - MO
- Data Synch. 9600 bps - MT
- Data Asynch. 9600 bps - MO
- Data Asynch. 9600 bps - MT
- SMS - MO
- SMS - MT
- SMS Cell Broadcast
- Transparent Data
- Automatic Facsimile Grp 3 - MO
- Automatic Facsimile Grp 3 - MT
- PAD Access 9600 bps - MO
- PAD Access 9600 bps - MT

GSM services for Military Users
GSM "Piconode":
- Deployable - 20 kg, 0.6 m3
- Standalone GSM infrastructure: BTS, BSC, MSC, NMS
- Can be connected to other networks: GSM, PSTN, PABX
- Satellite backhaul
Tactical Military GSM & GPS:
- GSM data services support useful services for Emergency Operations
- Position reporting
- Status monitoring via SMS
GSM is useful, but no security. But not just GSM, any digital mobile radio.

Deployable GSM
Pictures courtesy of DERA / Qinetiq (UK)

… GSM deployed for the military in the US
Picture courtesy of Charley McMurray, REDCOM Labs

Reasons against "deployed" GSM
- Frequency allocation: GSM bands usually licensed to commercial operators
- Services don't always match requirements: GSM not designed for Command & Control use, but other Professional Mobile Radio systems were
So, GSM is not necessarily the best choice if deploying own infrastructure. But it is VERY good if you want to use existing infrastructure.

Secure GSM: End-to-end encryption
How Secure GSM equipment works - and why it has to be this way

Overview - Standard GSM Security
Security within GSM Standards (network is trusted)
Figure labels: GSM handsets with AIE (A5); protected (air interface encryption); vulnerable. Figure courtesy of D Parkinson, BT Exact (UK).
Traffic at the air interface is protected by encrypting with the A5 algorithm.

The standard security mechanisms described in ETS 300 392-7 are all concerned with protecting the vulnerable air interface. From the operator's perspective they are there to prevent fraudulent use of the system. A strong authentication mechanism ensures that only genuine subscribers may connect to the system, and the air interface encryption mechanism provides on-going implicit authentication of the MSs. The SwMi-MS signalling is also protected by the encryption to prevent more sophisticated types of attack such as the hijacking of existing connections or the manipulation of the signalling to gain system access.

From the user's perspective nobody equipped with a suitable receiver and decoder can eavesdrop on their traffic unless they are also able to obtain the correct encryption key. However the user traffic passes in clear within the system infrastructure in a similar way to the normal telephone network and theoretically can be accessed by an attacker if they have sufficient motivation. Those users passing highly sensitive information regard the residual risk to their data as significant and require additional steps to protect it. By encrypting the traffic at source (the transmitting MS) and only decrypting it at the destination (the receiving MS) their concerns are met as their data is no longer exposed in the SwMi.

Concerns over GSM AIE
(but don't believe what you read on the web)
(and yes I do appreciate the irony of that statement in a web based presentation)

A5 - The GSM Encryption Algorithm
From sci.crypt Fri Jun 17 17:11:49 1994
From: rja14@cl.cam.ac.uk (Ross Anderson)
Date: 17 Jun 1994 13:43:28 GMT
Newsgroups: sci.crypt,alt.security,uk.telecom
Subject: A5 (Was: HACKING DIGITAL PHONES)
The GSM encryption algorithm, A5, is not much good. Its effective key length is at most five bytes; and anyone with the time and energy to look for faster attacks can find source code for it at the bottom of this post.
http://www.chem.leeds.ac.uk/ICAMS/people/jon/a5.html

EUROCRYPT '97, May 11-15, 1997, Konstanz, Germany
Session 8: Stream Ciphers
12:00-12:30 Cryptanalysis of Alleged A5 Stream Cipher, Jovan Dj. Golić (Queensland University of Technology, Australia)
The Eurocrypt '97 page. The information at this site is Copyright by the International Association for Cryptologic Research.
http://www.iacr.org/conferences/ec97/programf.html

Should we worry about strength of A5?
- GSM was developed by ETSI (European Telecommunications Standards Institute)
- GSM algorithms developed by ETSI SAGE (Security Algorithms Group of Experts)
- ETSI SAGE developed algorithms for many civil telecom standards, e.g. GSM, TETRA, DECT, 3G etc.
- SAGE developed the A5 algorithm for GSM Air Interface Encryption
- A5 provides greater protection than analogue cellular mobiles
- A5 fit for purpose

Air Interface Encryption is optional
Figure labels:
- Security within GSM Standards (network is trusted): protected (air interface encryption); vulnerable
- Security within GSM Standards (transmitting OTA in clear): vulnerable; air interface encryption is optional
AIE is optional. Users have no control and usually no knowledge of whether AIE is being used.
Some phones will indicate if AIE is in use - most do not.

End to End Encryption
Figure labels:
- Security within GSM Standards (network is trusted): protected (air interface encryption); vulnerable
- Security within GSM Standards (transmitting OTA in clear): vulnerable; air interface encryption is optional
- End to End Encryption over GSM (network is untrusted): protected (end-to-end encryption)

Standard GSM Security
Standard GSM encryption (A5):
- optional
- over air-interface only (clear within network)
There is a need for end to end encryption.
Voice calls in GSM can be transcoded within the network:
- Transcoding errors are small and have a negligible effect on quality of analogue voice
- Cannot encrypt ordinary GSM voice calls, as transcoding errors would prevent decryption

Secure GSM
Secure GSM sends encrypted voice over a GSM data connection:
- GSM data connections are not transcoded
- Separate phone number for data connections tells the GSM network not to transcode
Secure GSM uses the transparent data service:
- Bearer service 26 (9.6 kbps) or 25 (4.8 kbps)
- Circuit switched data connection
- Fixed delays (required for speech)
- No error correction
Initially:
- GSM used a 13 kbps voice coder (RPE-LPC)
- Data services limited to 9.6 kbps
- So using the data service to send encrypted speech required the use of a different voice coder

End to end encrypted GSM
Figure labels: End to end secure GSM; Voice Coder; Crypto; Error Protection; GSM data. Encrypted speech is transmitted over GSM data connection.
End to end encrypted GSM uses the GSM data connection and provides its own:
- Voice Coder: speech must be encoded (digitised)
- Crypto: encoded speech is encrypted
- Error Protection: transparent data service provides no error correction
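
The chain on this slide (voice coder, crypto, error protection, transparent bearer), as an added sketch that is not from the presentation or from any Secure GSM product. Assumptions: a 54-bit frame every 22.5 ms for a 2400 bps coder, a SHA-256 counter keystream as a stand-in cipher, Hamming(7,4) as the error protection, and error protection applied after encryption.

```python
import hashlib

BEARER_BPS = {25: 4800, 26: 9600}  # transparent bearer services named on the slides
FRAME_BITS, FRAME_MS = 54, 22.5    # assumption: one 2400 bps vocoder frame

def keystream(key, frame_no, nbits):
    """Stand-in keystream: SHA-256 over key, frame number, block counter."""
    bits, block = [], 0
    while len(bits) < nbits:
        seed = key + frame_no.to_bytes(4, "big") + block.to_bytes(4, "big")
        bits += [(byte >> i) & 1 for byte in hashlib.sha256(seed).digest() for i in range(8)]
        block += 1
    return bits[:nbits]

def crypt(bits, key, frame_no):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return [b ^ k for b, k in zip(bits, keystream(key, frame_no, len(bits)))]

def fec_encode(bits):
    """Hamming(7,4): 3 parity bits per 4 data bits, layout p1 p2 d1 p3 d2 d3 d4."""
    bits = bits + [0] * (-len(bits) % 4)  # pad to a whole number of codewords
    out = []
    for i in range(0, len(bits), 4):
        d1, d2, d3, d4 = bits[i:i + 4]
        out += [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]
    return out

def fec_decode(code, nbits):
    """Correct at most one flipped bit per 7-bit codeword, then drop parity."""
    out = []
    for i in range(0, len(code), 7):
        c = code[i:i + 7]
        s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
        s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
        s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
        pos = s1 + 2 * s2 + 4 * s3        # 1-based position of the error, 0 if none
        if pos:
            c[pos - 1] ^= 1
        out += [c[2], c[4], c[5], c[6]]
    return out[:nbits]

def bearer(bits, flipped):
    """Transparent data service: delivers bits as received, errors included."""
    return [b ^ 1 if i in flipped else b for i, b in enumerate(bits)]

def secure_call(frame, key, frame_no, flipped, fec=True):
    """Vocoder bits -> crypto -> (error protection) -> bearer -> reverse path."""
    sent = crypt(frame, key, frame_no)
    line = fec_encode(sent) if fec else sent
    got = bearer(line, flipped)
    return crypt(fec_decode(got, len(frame)) if fec else got, key, frame_no)

def line_rate_bps():
    """Bit rate on the bearer after error protection is added."""
    return len(fec_encode([0] * FRAME_BITS)) * 1000 / FRAME_MS

if __name__ == "__main__":
    frame = [(i * 7 + 3) % 5 % 2 for i in range(FRAME_BITS)]  # constructed sample bits
    key, errs = b"constructed-demo-key", {3, 40, 90}
    print(secure_call(frame, key, 1, errs) == frame)           # with error protection
    print(secure_call(frame, key, 1, errs, fec=False) == frame)
    print(round(line_rate_bps()), "bps on bearer 25:", BEARER_BPS[25])
```

With the error protection switched off, each bit error on the bearer reaches the decrypted vocoder frame unchanged, because XOR decryption maps line errors one-for-one onto the plaintext.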

Introduction to STANAG 4591: The new NATO Voice Coder
NC3A Workshop, October 18th 2002, at TNO-FEL, The Hague, The Netherlands
Organised by the NATO C3 Agency and the NATO Ad-Hoc Working Group on Narrow Band Voice Coding
For more details please email: voice@nc3a.info
Topics include:
- Need for a new NATO voice coder
- Tests to select Stanag 4591
- Language independence testing
- Source Code & IPR
- Performance
- VoIP with S4591
- Stanag 4591 in civil telecom standards

Voice Coders
- End to end secure GSM doesn't use 'standard' GSM voice coder
- For Secure GSM the choice of voice coder is independent
- NATO Post-2000 Narrow Band Voice Coder (2400 & 1200 bps)
- Outperforms CELP - 4.8k, CVSD - 16k, LPC10e - 2.4k
- Widely used by other secure users
- Can be used over GSM data services

Plain and secure speech in GSM
Voice number (speech):
- Normal voice call sent through network
- User calls GSM voice number
- Transcoder (GSM / PCM): transcoding in network is possible
Data number (secure speech):
- Secure speech sent as data call through network
- User calls GSM data number
- No transcoding
Inter-network connection (GSM network to GSM network):
- Secure speech sent between GSM networks
- Relies on inter-network connection supporting GSM transparent data service correctly

Secure GSM / PSTN interworking
Figure labels: GSM Network; Data Number; V.110 like Protocol; GSM Interworking Unit; V.32 Modem; Analogue mode; PSTN; Deskset Crypto Unit; Standard PSTN 'phone.
The interworking unit provides the interface for data calls between GSM and PSTN.

NC3A Experiences
Results with existing Secure GSM equipment 1999 - 2002

Crypto AG Secure GSM (NC3A Trials 1999)
- Crypto applique on conventional GSM
- GSM - PSTN interworking via deskset
- Manual key management
- Encrypted speech only
- Call set up time approx 40 seconds
- Reliability: good on home network; variable when roamed; variable between GSM and PSTN
- Voice quality: good when strong signal; deteriorated when GSM signal was weak

Sagem Secure GSM (NC3A Trials 2000)
- Crypto applique on conventional GSM
- Approved to FR Confidential
- GSM - PSTN interworking via deskset
- Key Management System
- Encrypted speech only
- Call set up time approx 20 seconds
- Reliability: good on home network; variable when roamed; variable between GSM and PSTN
- Voice quality: generally good; deteriorated when GSM signal was weak

More Secure GSMs
Rhode & Schwarz "TopSec":
- Half rate GSM Voice coder
- GE RESTRICTED
- Released to NATO
General Dynamics "Sectera":
- Includes STANAG 4591 2.4k voice coder
- US TYPE 1
- Being released to NATO
Tests of both requested by NC3A during 2000-2

Sectra Secure GSM (NC3A Trials 2000-2001)
- Military development: Swedish/Norwegian Project
- Crypto integral to terminal
- Integrated GSM / DECT unit: DECT gives PSTN connection
- Encrypted Voice + Data
- Key Management System
- Good voice quality
- Improved reliability: when roamed; when GSM signal was low

NSK 200 Secure GSM (NC3A Trials 2001-2002)
- Norwegian military development
- Crypto integral to terminal
- Authentication required
- Approved to NATO SECRET
- Tested over GSM, DECT and via Inmarsat
- Features and operation described in other presentations

Summary of Trials (Things to think about)
- Support for data calls: requires transparent data bearer services 25 & 26; varies with network operator
- Inter-network connectivity: secure calls between some countries never succeeded
- Roaming agreements: not always in place in some areas

More on Secure GSM and Secure 3G
Interested? When? Where? Just GSM or 3G?

Symposium on End to End Security in Mobile Cellular Networks
London, December 2002
Call for papers. Contributions are invited on the subjects of:
- Secure GSM
- 3G security
- End to end security via satellite services
- Network operators viewpoints
- Interoperability issues for end to end security
- Market differences: Commercial vs military users
For details and submission of abstract (200 words) please contact: ACT Branch, NC3A, The Hague, The Netherlands. Tel: +31 70 374 3444 or Email: pcs@nc3a.info
This event will be unclassified and attendance open to all.