Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research Feb 27, 2004.

Outline
- Overview of GSM Cryptography
- Some possible “attacks” on GSM
- Overview of WLAN Cryptography
- How problems in one technology can spread to another
- How can you in practice fix a crypto problem when thousands of devices are out there
- Overview of “3G” UMTS Cryptography

GSM Security Overview

History – GSM Security
- Use of a smart card: SIM – Subscriber Identity Module, a tamper-resistant device containing critical subscriber information, e.g. a 128-bit key shared with the Home Operator
- The SIM is the entity which is authenticated, the basis for roaming
- Initial GSM algorithms (were) not publicly available and under the control of the GSM-A; new (3G) algorithms are open
- GSM ciphering on the “first hop” only: stream ciphers using 54/64-bit keys, in future 128 bits
- One-sided challenge-response authentication
- Basic user privacy support (“pseudonyms”)
- No integrity/replay protection
- GSM crypto is probably (one of) the most frequently used crypto in the world

History – GSM Security: Access security (diagram: phone – Radio Base Station (RBS) – Base Station Controller – MSC / SGSN)
- CS – Confidentiality: A5/1, A5/2, A5/3 (new, open)
- GPRS – Confidentiality: GEA1, GEA2, GEA3 (new, open)
- Authentication: A3 algorithm

GSM Authentication: Overview (diagram: SIM holding Ki – RBS – MSC/VLR in the Visited Network – AuC/HLR in the Home Network)
- Visited network → Home network: Req(IMSI)
- Home network → Visited network: RAND, XRES, Kc
- Visited network → Phone: RAND
- Phone → Visited network: RES
- Visited network checks: RES = XRES ?
- RAND, Kc: the key is handed to the RBS for ciphering

GSM Authentication: Details
- A3 and A8: authentication and key derivation (proprietary)
- A5: encryption (A5/1–4, standardized)
- Ki (128 bits) and RAND (128 bits) → A3 → RES (32 bits); Ki and RAND → A8 → Kc (64 bits)
- Phone/SIM: Kc and frame # → A5/x → keystream ⊕ data/speech frame → encrypted frame over the radio i/f to the Radio Base Station
- (No network authentication, no integrity/replay protection)

Cryptographic Transforms in Wireless
Wireless is subject to limited bandwidth and bit-errors (up to 1% RBER). As a consequence, most protocols:
- use stream ciphers (no padding, no error-propagation)
- do not use integrity protection (data expansion, loss)

GSM Encryption I: A5/1 (diagram: three LFSRs L1, L2, L3 under clock control; their outputs are XORed into the keystream)
“Shift L_i if the middle bit of L_i agrees with the majority of the middle bits in L1, L2, L3.”
Sizes: 23, 22, 19 bits (i.e. 64-bit keys)

Status of A5/1
- All Ax algorithms initially secret. A5/1 ”leaked” in the mid 90’s.
- A few attacks found. [Biryukov, Wagner, Shamir 01]: 300Gb of precomputed data and 2 s of known plaintext → retrieve Kc in ~1 min.
- Little “sister”: A5/2

GSM Encryption II: A5/2 (Export Version) (diagram: four LFSRs R1–R4, with R4 driving the clocking)
majority(a, b, c) = ab + bc + ca (over GF(2), i.e. XOR of pairwise ANDs)

August 2003… Let’s take a closer look…

A5/2 (clock control)
- R4 controls clocking: 3 ”associated” bits, one per R1–R3
- Ri (i = 1, 2, 3) is clocked iff its ”associated” bit agrees with the majority of the 3 bits (so at least two registers are clocked)

The A5/2 Algorithm (details)
First, set all four Ri to zero.
1. Kc (64 bits) bitwise sequentially XORed onto each Ri
2. frame # (21 bits) bitwise sequentially XORed onto each Ri
3. Force a certain bit in each Ri to ”1”
4. Run for 99 ”clocks” ignoring output
5. Run for 228 ”clocks” producing output
(These steps are what the attack exploits…)

Idea behind the attack
- A5/2 is highly ”linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are Kc
- If the plaintext is known, each 114-bit frame gives 114 equations
- The only difference between frames is that the frame number increases by one
- After 6 frames (in reality only 4) we have > 660 equations → can solve!
- If the plaintext is unknown, one can still attack thanks to the redundancy of the channel coding (SACCH has 227 redundant bits per each 4-frame message)

Attack efficiency
Off-line stage (done once):
- Storage for ”matrices”: approx. 200 MB
- Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
- Requires 4–7 frames sent from the UE on SACCH
- Retrieving Kc then takes less than 1 second
Hardware requirement: a normal PC and a GSM-capable receiver

Consequence 1: Passive attacks in A5/2 Networks (Eavesdropping) (diagram: 1 RAND, RES (and Kc); 2 Cipher start A5/2; the new attack on a PC needs < 1 sec of traffic and < 1 sec to obtain Kc and the plaintext)

Consequence 2: Active attacks in any Network (false base-station / man-in-the-middle attacks) (diagram, numbered message flow): 1 RAND; 2 RAND; 3 RES; 4 RES; 5 Cipher start A5/1; 6 Cipher start A5/2; 7 Attack: Kc; 8 Cipher stop; 9 Cipher start A5/1

Consequence 3: Passive + Active attack (diagram: first record a session: 1 RAND, RES (and Kc), 2 Cipher start A5/1; later replay it: 1 RAND, RES (and Kc), 2 Cipher start A5/2 → Kc)

WLAN (IEEE 802.11b) Security Overview

Wireless LAN (802.11b, WEP) Security (diagram: msg || CRC(msg) ⊕ RC4 keystream → cipher; RC4 is keyed with k and the IV)
- k: fixed per network
- IV: 24 bits, random / per packet
- The IV will repeat: for sure after 2^24 msgs, after ~5000 msgs on average → “two-time pad”
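Where the slide's “for sure after 2^24” and “after 5000 msgs (average)” figures come from, as an added worked example (not from the original slides): the birthday estimate for random 24-bit IVs, the packet count for a given collision probability, a seeded simulation, and the pigeonhole bound for a counter IV.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 2**24 = 16 777 216 possible WEP IVs


def expected_packets_until_iv_repeat(space=IV_SPACE):
    """Expected number of packets until a randomly chosen IV repeats.

    Birthday-problem estimate sqrt(pi*n/2) + 2/3; for n = 2**24 this is
    about 5134 packets, the "after 5000 msgs (average)" on the slide.
    """
    return math.sqrt(math.pi * space / 2) + 2.0 / 3.0


def packets_for_repeat_probability(prob, space=IV_SPACE):
    """Packets after which some IV has repeated with probability >= prob
    (uses P[no repeat in k draws] ~ exp(-k^2 / 2n))."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - prob))))


def simulate_first_repeat(space=IV_SPACE, trials=200, seed=1):
    """Monte-Carlo check: mean packet count at the first IV collision when
    every packet draws a uniformly random 24-bit IV (seeded, reproducible)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        count = 0
        while True:
            count += 1
            iv = rng.randrange(space)
            if iv in seen:
                break
            seen.add(iv)
        total += count
    return total / trials


def counter_iv_first_repeat(space=IV_SPACE):
    """A card that increments its IV only repeats once the whole space is
    exhausted: the slide's "for sure after 2**24 msgs" pigeonhole bound."""
    return space + 1
```

Either way the keystream for a reused IV is identical, which is the two-time pad the slide warns about; only a larger IV space or per-packet keys remove it.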

WLAN Security Problem No 2
CRC is linear: CRC(msg ⊕ Δ) = CRC(msg) ⊕ CRC(Δ), and so is any stream cipher: Encr(k, msg ⊕ Δ) = Encr(k, msg) ⊕ Δ.
(Diagram) Alice sends c = keystream ⊕ (m || CRC(m)). Eve computes c’ = c ⊕ (Δ || CRC(Δ)). Bob receives c’ = keystream ⊕ (m ⊕ Δ || CRC(m ⊕ Δ)), a frame whose CRC checks out.
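The linearity argument above, as an added example (not from the original slides): it checks the exact CRC32 relation (the slide's equation holds up to a length-dependent constant CRC(0…0)), shows that a WEP-style receiver accepts a frame modified by Δ, and contrasts it with a keyed MAC (HMAC-SHA256, an assumed replacement) under which the same modification is rejected. The keystream is constructed sample data, not RC4 output.

```python
import hashlib
import hmac
import zlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a, b):
    """CRC32 is linear over GF(2) up to a constant that depends only on the
    length: CRC(a xor b) == CRC(a) xor CRC(b) xor CRC(00..0)."""
    zero = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)


def crc_tag(msg):
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_style_encrypt(keystream, msg):
    """WEP frame body: stream-cipher XOR over msg || CRC(msg)."""
    return xor(keystream, msg + crc_tag(msg))


def wep_style_verify(keystream, frame):
    """Bob's check: returns the message if the CRC matches, else None."""
    plain = xor(keystream, frame)
    msg, tag = plain[:-4], plain[-4:]
    return msg if crc_tag(msg) == tag else None


def delta_passes_crc_check(keystream, msg, delta):
    """The slide's c' = c xor (delta || CRC correction), computed without the
    key. True if Bob accepts msg xor delta as a valid frame."""
    c = wep_style_encrypt(keystream, msg)
    crc_fix = xor(crc_tag(delta), crc_tag(bytes(len(delta))))
    return wep_style_verify(keystream, xor(c, delta + crc_fix)) == xor(msg, delta)


def mac_encrypt(keystream, int_key, msg):
    """Hardened variant: a keyed MAC (HMAC-SHA256) replaces the CRC."""
    return xor(keystream, msg + hmac.new(int_key, msg, hashlib.sha256).digest())


def mac_verify(keystream, int_key, frame):
    plain = xor(keystream, frame)
    msg, tag = plain[:-32], plain[-32:]
    ok = hmac.compare_digest(hmac.new(int_key, msg, hashlib.sha256).digest(), tag)
    return msg if ok else None


def delta_passes_mac_check(keystream, int_key, msg, delta):
    """Same bit-flip against the MAC-protected frame: without int_key there
    is no tag correction to apply, so Bob rejects the frame."""
    c = mac_encrypt(keystream, int_key, msg)
    return mac_verify(keystream, int_key, xor(c, delta + bytes(32))) is not None
```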

WLAN Security Problem No 3
RC4 has only one “input”, the key. (Diagram: RC4 ← k, IV.) This is “solved” by appending: RC4 ← IV || k.
[Fluhrer, Mantin, Shamir, 2001]: The first bits of the RC4 key have significant “influence” on the RC4 output. Even if k is 1000 bits, knowing the IVs makes it possible to break the WLAN encryption.

WLAN Security Problem No 4
Authentication protocol (diagram): the network sends chall; the client answers res = RC4 keystream(k) ⊕ chall.
Observing a single “authentication” enables impersonation…

WLAN-Cellular Interworking Architecture (diagram: UTRAN with Node B and RNC, and a WLAN “HOTSPOT” (AP, WRAN, WSN/FA), both reaching the 3GPP Visited Network (SGSN, Proxy AAA) and the 3GPP Home Network (HLR/AuC, AAA, HSS, GGSN/FA) over Gn, Gr (MAP), Radius/Diameter and IP, with the Iu interface; paths for signalling and user data, subscriber management and charging/billing; Internet/Intranet)
E.g. SIM access over Bluetooth or a SIM reader.
Motive: Mobile operators want to offer “hot-spots” for their subscriber base.

WLAN/GSM Interworking Problems
- GSM security is not perfect, but “astronomically” better than WLAN (WEP).
- Can SIM re-use in WLAN threaten also GSM (and conversely)?
- WLAN improvements are under way, but will take some time.
- Major GSM upgrades are not feasible (expensive, and we will soon have 3G anyway…)

Security Placement in Protocol Stack
- L5 (application): “TLS/SSL”
- L4 (transport)
- L3 (networking): “IPsec”
- L2 (media access control): GSM sec, WLAN sec
- L1 (physical)
Fix by “gluing” security on at higher layers, invisible to the lower layers. Security problems: risk of bad “interaction” between the layers.

Problem 1: Bad WLAN Encryption/Integrity. Awaiting the WLAN fix, use e.g. IPsec with keys derived from the SIM.

Problem 2: Key Material Need
The SIM can only provide one 64-bit key; good encryption + integrity might need e.g. 256 bits.
Solution: bootstrap on top of the SIM procedure (diagram): Network → SIM/Terminal: RAND_1, RAND_2, …; the SIM/Terminal computes K_1 = A8(RAND_1), K_2 = A8(RAND_2), … and feeds them through f, a one-way function (avoids possibly weak A8 variants).

Problem 2: WLAN Replay Attacks
Anybody can put up a “fake” WLAN AP at a very modest cost. Record-GSM-then-WLAN-replay attacks are possible. → Network authentication must be added.
(Diagram) SIM/Terminal → Network: RAND_0; Network → SIM/Terminal: RAND_1, RAND_2, …, MAC(k, RAND_0, …); the SIM/Terminal computes K_1 = f(A8(RAND_1)), K_2 = f(A8(RAND_2)), … and checks the MAC.
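The bootstrap of the two “Problem 2” slides (several RANDs through A8, then a one-way f, then a network MAC over the terminal's nonce), as an added example that is not from the original slides: A8 is an operator-specific proprietary algorithm, so an HMAC-based stub stands in for it, f is SHA-256 and the MAC is HMAC-SHA256 (all assumptions); the point shown is that a recorded (RANDs, MAC) transcript fails against a terminal that picks a fresh RAND_0.

```python
import hashlib
import hmac
import os


def a8_stub(ki, rand):
    """Stand-in for the SIM's A8 (assumption: real A8 is operator-specific).
    Returns a 64-bit Kc, the only key size a GSM SIM can deliver."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def bootstrap_keys(ki, rands):
    """Run the SIM procedure once per RAND and pass all Kc's through the
    one-way f (SHA-256 here). The 256-bit result is split into a 128-bit
    encryption key and a 128-bit integrity key."""
    kcs = b"".join(a8_stub(ki, r) for r in rands)
    master = hashlib.sha256(b"f-bootstrap" + kcs).digest()
    return master[:16], master[16:]


def network_auth_mac(k_int, rand0, rands):
    """MAC(k, RAND_0, RAND_1, ...): the network (which obtains the Kc's from
    the HLR) proves it knows the keys and binds its challenges to RAND_0."""
    return hmac.new(k_int, rand0 + b"".join(rands), hashlib.sha256).digest()


def terminal_accepts(ki, rand0, rands, mac):
    """Terminal side: recompute the keys from its Ki and check the MAC."""
    _, k_int = bootstrap_keys(ki, rands)
    return hmac.compare_digest(network_auth_mac(k_int, rand0, rands), mac)


def replay_is_rejected(ki, rands):
    """A fake AP that recorded (RANDs, MAC) from an earlier run can satisfy
    the old RAND_0 but not a terminal that chooses a new one."""
    old_rand0 = os.urandom(16)
    _, k_int = bootstrap_keys(ki, rands)
    recorded_mac = network_auth_mac(k_int, old_rand0, rands)
    new_rand0 = os.urandom(16)
    return (terminal_accepts(ki, old_rand0, rands, recorded_mac)
            and not terminal_accepts(ki, new_rand0, rands, recorded_mac))
```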

Problem 3: GSM Replay Attacks
GSM has no replay protection either. Record-WLAN-then-GSM-replay attacks are possible. Too expensive to add GSM network authentication. → The previous A5/2 problems must be fixed (as seen, this is also needed for GSM security as such).

Ideas for GSM (A5/2) Improvements

Requirements
There are millions of mobile phones and SIMs and thousands of network-side equipment that potentially need upgrades to fix the A5/2 problems. Need to affect as little as possible.
Recall the “security-relevant” nodes (diagram): RBS, MSC/VLR (Visited Network), AuC/HLR (Home Network).

Possible fix I (diagram: 1 RAND, RES (and Kc); 2 Cipher start A5/x)
The home net (HLR/AuC) signals a ”special RAND” (fixed 32-bit prefix) and the algorithm policy in the RAND: A5/x allowed iff the xth bit of RAND = 1
+ Simple (Home net + phone)
- 40 bits of RAND ”stolen”: impact on security?

Possible fix II (Ericsson) (diagram: RAND → Phone/SIM → Kc; Kc and Alg_id → f → key for the new algorithm A5/x’ → encrypted frame)
+ Simple (visited net + phone)
+ Security ”understood”: key separation
- Relies more on the visited net
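Both fixes of the two slides above in one added example (not Ericsson's or 3GPP's code): fix I encodes the algorithm policy in a prefixed RAND so the phone can refuse a “cipher start A5/2”, and fix II derives a per-algorithm key Kc’ = f(Kc, Alg_id) so that a key recovered through A5/2 says nothing about the A5/1 or A5/3 key. The 32-bit prefix value and f (HMAC-SHA256 truncated to 64 bits) are constructed assumptions.

```python
import hashlib
import hmac
import os

# Fix I: a "policy RAND" carries a fixed 32-bit prefix, then one policy byte
# whose bit x says whether A5/x may be used. Prefix is a made-up placeholder.
POLICY_PREFIX = b"\xA5\x50\x0B\x1C"


def make_policy_rand(allowed_algs, rng=os.urandom):
    """Home network side: 32-bit prefix + 8 policy bits + 88 random bits,
    i.e. the 40 "stolen" bits the slide asks about."""
    policy = 0
    for x in allowed_algs:
        policy |= 1 << x
    return POLICY_PREFIX + bytes([policy]) + rng(11)


def phone_accepts_cipher(rand, alg_x):
    """Phone side: refuse 'cipher start A5/x' if the RAND carries a policy
    that excludes x. A RAND without the prefix (home network not upgraded)
    imposes no restriction, so the fix only bites once the home net signals."""
    if rand[:4] != POLICY_PREFIX:
        return True
    return bool((rand[4] >> alg_x) & 1)


# Fix II: key separation. f is assumed to be HMAC-SHA256 cut to 64 bits.
def algorithm_bound_key(kc, alg_x):
    """Kc' = f(Kc, Alg_id); distinct per algorithm, and one-way in Kc."""
    return hmac.new(kc, b"A5/%d" % alg_x, hashlib.sha256).digest()[:8]


def cipher_start(rand, kc, alg_x):
    """Combined handling of a cipher-start command: returns the algorithm-
    bound key, or None when the policy in RAND forbids alg_x."""
    if not phone_accepts_cipher(rand, alg_x):
        return None
    return algorithm_bound_key(kc, alg_x)
```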

UMTS Security Overview

3G Security – UMTS, Improvements to GSM
- Mutual authentication with replay protection
- Protection of signalling data: secure negotiation of protection algorithms; integrity protection and origin authentication; confidentiality
- Protection of user data payload: confidentiality
- “Open” algorithms (block ciphers) as the basis for security: AES for authentication and key agreement; Kasumi for confidentiality/integrity
- Security level (key sizes): 128 bits
- Protection further into the network

UMTS – Security (diagram: Node B – Radio Network Controller – MSC / SGSN; integrity & confidentiality using the UIA & UEA algorithms (based on KASUMI), terminating in the Radio Network Controller rather than at the Node B)

UMTS – Authentication and Key Agreement, AKA (diagram: SIM holding Ki – RBS – MSC/VLR in the Visited Network – AuC/HLR in the Home Network)
- Visited network → Home network: Req(IMSI)
- Home network → Visited network: RAND, XRES, CK, IK, AUTN
- Visited network → Phone: RAND, AUTN (AUTN allows a check of authenticity and “freshness”)
- Phone → Visited network: RES; the visited network checks RES = XRES ?
- IK: integrity protection key
Looks a lot like GSM, but…

UMTS AKA Algorithms (diagram: the functions built on E_k = AES produce AUTN, XRES, CK and IK)

UMTS Encryption: UEA/f8 (diagram: Kasumi keyed with CK (128 bits); input COUNT || BEARER || DIR || 0…0 (64 bits), a constant mask m, and a block counter c = 1, 2, …, B; output keystream)
- “Provably” secure under assumptions on Kasumi
- “Masked” offset avoids known input/output pairs
- “Counter” avoids short cycles

Inside Kasumi (actually: MISTY) (diagram of the nested provable-security structure)
- S-boxes S9 and S7 (9 bits and 7 bits) with security s
- FI (16 bits): 3 rounds of S9 + S7 + S9 → security s^2
- FO (32 bits): rounds of FI → security s^4
- Kasumi (keyed with k): rounds of FO → security s^8

UMTS Integrity Protection: UIA/f9 (diagram: Kasumi keyed with IK; input COUNT || FRESH followed by the message blocks M_1, M_2, …, M_B of the padded message m’, each XORed into the chain; output MAC = left 32 bits)
- Variant of CBC-MAC
- Used only on signalling, not on user data
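The f8 and f9 structures of the two slides above, as one added example (not 3GPP code): the chaining follows the published f8/f9 designs (masked offset, block counter and feedback for f8; CBC-MAC with an XOR accumulator and a final masked-key encryption for f9), but a keyed BLAKE2b truncated to 64 bits stands in for Kasumi, padding is byte-granular, and the key-modifier constants 0x55…/0xAA… are assumed from the 3GPP specification, so the outputs are not interoperable with real UMTS equipment.

```python
import hashlib

BLOCK = 8  # Kasumi is a 64-bit block cipher


def prf(key, block):
    """Stand-in for Kasumi: keyed BLAKE2b cut to 64 bits (assumption so the
    example runs offline; it is NOT Kasumi and not a block cipher)."""
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f8_keystream(ck, count, bearer, direction, nbytes):
    """UEA/f8 structure. IV = COUNT(32) || BEARER(5) || DIR(1) || 0..0 (64 bits).
    The IV is encrypted under the masked key CK xor 0x55..55 to a secret offset
    A, so no input/output pair under CK itself is exposed; keystream block c is
    Kasumi_CK(A xor BLKCNT xor previous block): counter plus feedback, which is
    what keeps the generator off short cycles."""
    iv = (count << 32 | bearer << 27 | direction << 26).to_bytes(BLOCK, "big")
    offset = prf(xor(ck, bytes([0x55]) * len(ck)), iv)
    out, prev = b"", bytes(BLOCK)
    for blkcnt in range((nbytes + BLOCK - 1) // BLOCK):
        prev = prf(ck, xor(xor(offset, blkcnt.to_bytes(BLOCK, "big")), prev))
        out += prev
    return out[:nbytes]


def f9_mac(ik, count, fresh, direction, message):
    """UIA/f9 structure: CBC-MAC variant over COUNT || FRESH || message || DIR
    with 1-then-zeros padding; every chaining value A_i is also XORed into an
    accumulator B, and the MAC is the left 32 bits of B encrypted under
    IK xor 0xAA..AA (so the chain values themselves never leak)."""
    data = count.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message
    data += bytes([direction, 0x80])  # DIR, then the 1 bit (byte-granular here)
    data += bytes(-len(data) % BLOCK)
    a = b = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        a = prf(ik, xor(a, data[i:i + BLOCK]))
        b = xor(b, a)
    return prf(xor(ik, bytes([0xAA]) * len(ik)), b)[:4]
```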

Comparison of Security Mechanisms

Any Public Key Techniques?
So far only symmetric crypto has been mentioned, but public key is also used, typically for key exchange (RSA, Diffie-Hellman, elliptic curves…):
- on the “application level”, e.g. WAP
- for inter-operator signalling traffic
In general, too heavy for “bulk” use.

Summary
- Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story
- Main reason: convenience and invisibility to the user
- Insecurity in one system can affect another when they interact
- “Fixing” bad crypto is easier said than done; the practical cost is an issue
- “3G” crypto is significantly more open and well-studied → higher confidence
The End