Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit

Presentation transcript:

Topics In Information Security
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
Presented by Idan Sheetrit
Elad Barkan, Eli Biham, Nathan Keller

Introduction
- GSM is the most widely used cellular system in the world (over a billion customers).
- Based on second-generation cellular technology (offers digitized voice).
- GSM was the first cellular system that seriously considered security threats.
- GSM was influenced by the political atmosphere around cryptology in the 1980s (civilians were not allowed to use strong cryptography).
- Protects only the air interface.

GSM structure
[Diagram labels: BTS, BSC, MSC, AuC, Modem/TA, ISDN/PSTN, Internet]
- BSC - Base Station Controller
- BTS - Base Transceiver Station
- MSC - Mobile Switching Center
- AuC - Authentication Centre
- TA - Terminal Adapter

GSM Security
[Diagram labels: Mobile Station (SIM), Radio Link, GSM Operator; Ki, Challenge RAND, A3, Signed response (SRES), "Authentication: are SRES values equal?", A8, Kc, Fn, A5, mi, Encrypted Data]
- Ki – pre-shared secret.
- A3, A8 – one-way functions.
- A5/0 – no encryption. A5/1 – export restricted. A5/2 – for export (weaker).

Description of A5/2 The key setup of A5/2:

Description of A5/2 (2)
- First initialize A5/2 with Kc and f.
- Run A5/2 for 99 cycles.
- Run A5/2 for 228 cycles and use the output as keystream.
- The first 114 bits are used as keystream to encrypt the downlink, and the second 114 bits are used for the uplink.

Previous work
- A5/1 and A5/2 were reverse engineered.
- Several known-plaintext attacks were published.
- The best attack requires only four plaintext data frames.

Ciphertext-Only Attack on A5/2
- GSM must use error correction to withstand reception errors.
- During transmission a message is first subjected to an error-correction code, then encrypted.
- The structured redundancy in the message can be used for a ciphertext-only attack.

Ciphertext-Only Attack on A5/2
- Coding and interleaving operations can be modeled as a multiplication of the message by a constant matrix.
  – P – the message (bit vector)
  – G – constant 456x184 matrix over GF(2)
  – g – constant vector
  – M = (G · P) xor g (divided into 4 data frames)
- G is a binary 456x184 matrix, so there are 456 - 184 = 272 equations that describe the kernel of the inverse transformation.
- H – the matrix that describes these 272 equations, i.e. H·(M xor g) = 0

Ciphertext-Only Attack on A5/2
- C = M xor k (k is the keystream)
- H·(C xor g) = H·(M xor k xor g) = H·(M xor g) xor H·k = 0 xor H·k = H·k
- C is known, so we have linear equations over the bits of k.
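The identity H·(C xor g) = H·k can be checked on a toy code. This is an added example, not part of the presentation: the sizes (8 message bits, 20 coded bits), the random matrices and the comparison with the reverse order (encrypt, then encode) are assumptions chosen for illustration.

```python
import random

K, N = 8, 20             # toy sizes (assumed); GSM: 184 message bits -> 456 coded bits
rng = random.Random(1)   # fixed seed, constructed data only

# GF(2) matrices as lists of row ints (bit j of a row = column j).
A = [rng.getrandbits(K) for _ in range(N - K)]
G = [1 << i for i in range(K)] + A                   # N x K generator, G = [I ; A]
H = [A[r] | (1 << (K + r)) for r in range(N - K)]    # (N-K) x N check matrix, H.G = 0
g = rng.getrandbits(N)                               # constant vector g

def matvec(rows, v):
    """GF(2) matrix-vector product; bit i of the result is <row i, v> mod 2."""
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(rows))

def encode(p):
    return matvec(G, p) ^ g              # M = (G . P) xor g

def syndrome(c):
    return matvec(H, c ^ g)              # H . (C xor g)

def rank(rows):
    """Rank over GF(2) by elimination on leading bits."""
    pivots = {}
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in pivots:
                pivots[top] = r
                break
            r ^= pivots[top]
    return len(pivots)

def demo(trials=200):
    k = rng.getrandbits(N)               # one keystream block, unknown to the observer
    # GSM order (encode, then encrypt): syndrome of C equals H.k for every message P.
    leaks = all(syndrome(encode(rng.getrandbits(K)) ^ k) == matvec(H, k)
                for _ in range(trials))
    # Reverse order (encrypt, then encode): output is a codeword, syndrome is always 0.
    silent = all(syndrome(encode(rng.getrandbits(K) ^ rng.getrandbits(K))) == 0
                 for _ in range(trials))
    return leaks, silent, rank(H)        # rank = number of independent equations on k

if __name__ == "__main__":
    print(demo())
```

The rank returned is N - K, the toy counterpart of the 272 equations on the slide; the equations depend only on the ciphertext, never on the message.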

GSM Service Request and Authentication Protocol
[Message sequence diagram between SIM, MSC and AuC. Labels: Service Req, Authentication Data Request, {RAND, XRES, Kc}, AUTHREQ(RAND), AUTHREQ(SRES), SRES = XRES?, Cipher (Use A5/1), Ack; A3/A8 with Ki and RAND on both the SIM and AuC sides, with outputs RES, Kc and XRES]

Class-Mark Attack
[Diagram labels: Phone, Attacker, Network; Service Req (A5/1), Service Req (A5/2), Use A5/2]
- An attacker can change the class-mark information that the phone sends to the network.
- The attacker's signal must override the phone's signal, or the attacker must mount a man-in-the-middle attack.

Recovering Kc of Past or Future Conversations
[Diagram labels: Attacker, SIM; RAND, RES, Kc, A3/A8, Ki, Use A5/2, Cipher (A5/2)]
- The protocol doesn't provide any key separation (all encryption algorithms use the same key).
- An attacker can use a fake base station and instruct the phone to use A5/2 and then easily resolve Kc (Future Conversation Attack).
- If the attacker has access to the SIM he can easily get Kc. If he doesn't, he can instruct the phone to use A5/2.
- If an attacker recorded the conversation, he can send the recorded RAND to the phone.

Man in the middle attack
[Message sequence diagram between Victim, Attacker and Network. Labels: RAND, RES, A3/A8, Ki, Kc, CIPHMODCMD:A5/1, CIPHMODCMD:A5/2, CIPHMODCMD (Encrypted), Find A5/2 key]

Attack Scenarios
- Call Wire-Tapping
- Call Hijacking
- Altering of Data Messages (SMS)
- Call Theft – Dynamic Cloning

Protocol Weakness
- The authentication protocol can be executed at the beginning of the call. The phone cannot ask for authentication. If there is no authentication, Kc stays as in the previous conversation.
- The network chooses the encryption algorithm (the phone only reports the ciphers it supports).
- The class-mark message is not protected.
- There is no mechanism that authenticates the network to the phone.
- No key separation between the algorithms or methods of communication.
- RAND reuse is allowed.

Acquire a Specific Victim
- GSM includes a mechanism that is intended to protect the identity of the mobile phone.
- Each subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI) over an encrypted link.
- The TMSI can be reallocated every once in a while, in particular when there is a change in location.
- The TMSI is used to page on incoming calls and for identification during unencrypted parts.
- The fixed identification of the subscriber is its International Mobile Subscriber Identity (IMSI).
- If both TMSI and IMSI are unknown to the attacker, he may be forced to listen in to all the conversations in the area.

Acquire a Specific Victim (2)
- The attacker has the victim's phone number and wishes to associate it with the subscriber's IMSI or TMSI.
- Solutions:
  – Can call the victim, and monitor all the calls (recognize his own caller ID).
  – Send a malformed SMS message.
- When performing an active attack, the attacker needs to lure the mobile into his own fake base station.

GSM-Security
- Cryptographic methods secret, not “well examined“
- Symmetric procedure
  – consequence: storage of user special secret keys with net operators required
- No end-to-end encryption
- Key generation and administration not controlled by the participants
- Same key used for A5/1 and A5/2.
- No mutual authentication intended
  – consequence: attacker can pretend to be a GSM net
- No end-to-end authentication
- As a result of the initial publication of this paper, the GSM security group is working to remove A5/2 from the handsets.

Thank you

Homework
1. Define in one line the following: GSM, UMTS, DECT, TETRA, ERMES.
2. Why does using a SIM help security?
3. How would you attack someone’s GSM mobile phone? Describe the system and the steps of the attack.
4. Describe at least 3 known weaknesses of GSM and how you can fix them if you could change the standard or the system.
5. Bonus: Describe a new attack (which isn't mentioned in the paper) on GSM network.

GSM structure
[Diagram labels: Radio Subsystems, Switching Subsystems, Network Management, Call Management, Fixed network, Data networks, PSTN/ISDN; MS, BSS, BTS, BSC, (G)MSC, HLR, VLR, AuC, EIR, OMC]
- AuC - Authentication Centre
- BSS - Base Station Subsystem
- BSC - Base Station Controller
- BTS - Base Transceiver Station
- EIR - Equipment Identity Register
- HLR - Home Location Register
- MS - Mobile Station
- (G)MSC - (Gateway) Mobile Switching Centre
- OMC - Operation and Maintenance Centre
- PSTN - Public Switched Telephone Network
- VLR - Visitor Location Register
- ISDN - Integrated Services Digital Network

GSM: protocols, incoming call
[Diagram labels: PSTN/ISDN, GMSC, HLR, VLR, MSC, BSS, with numbered steps (1) to (12)]
(1) Call from fixed network was switched via GMSC
(2) GMSC finds out HLR from phone number and transmits need of conversation
(3) HLR checks whether participant for a corresponding service is authorized and asks for MSRN at the responsible VLR
(4) MSRN will be returned to GMSC, can now contact responsible MSC

GSM: protocols, incoming call (continued)
(5) GMSC transmits call to current MSC
(6) ask for the state of the mobile station
(7) Information whether end terminal is active
(8) Call to all cells of the Location Area (LA)
(9) Answer from end terminal
( ) security check and connection construction

GSM: protocols, outgoing call
[Diagram labels: VLR, BSS, MSC, GMSC, HLR, with numbered steps (1) to (5)]
(1) Demand on connection
(2) Transfer by BSS
(3-4) Control for authorization
(5) Switching of the call demand to fixed net

Protocol