Topics In Information Security
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
Elad Barkan, Eli Biham, Nathan Keller
Presented by Idan Sheetrit
Introduction
– GSM is the most widely used cellular system in the world (over a billion customers).
– Based on second generation cellular technology (offers digitized voice).
– GSM was the first cellular system which seriously considered security threats.
– GSM was influenced by the political atmosphere around cryptology in the 1980s (civilians were not allowed to use strong cryptography).
– Protects only the air interface.
GSM structure (diagram: BTS, BSC, MSC, AuC, Modem/TA, ISDN/PSTN, Internet)
– BSC – Base Station Controller
– BTS – Base Transceiver Station
– MSC – Mobile Switching Center
– AuC – Authentication Centre
– TA – Terminal Adapter
GSM Security (diagram: Mobile Station | Radio Link | GSM Operator)
– The SIM and the operator both hold Ki and run A3 and A8 on the challenge RAND.
– A3 produces the signed response (SRES); authentication: are the SRES values equal?
– A8 produces Kc; A5 uses Kc and the frame number Fn to encrypt the data frames mi.
– Ki – pre-shared secret.
– A3, A8 – one-way functions.
– A5/0 – no encryption. A5/1 – export restricted. A5/2 – for export (weaker).
Description of A5/2
The key setup of A5/2:
Description of A5/2 (2)
– First initialize A5/2 with Kc and f (the frame number).
– Run A5/2 for 99 cycles.
– Run A5/2 for 228 cycles and use the output as keystream.
– The first 114 bits are used as the keystream to encrypt the downlink and the second half of 114 bits is used for the uplink.
Previous work
– A5/1 and A5/2 were reverse engineered.
– Several known-plaintext attacks were published.
– The best attack requires only four plaintext data frames.
Ciphertext-Only Attack on A5/2
– GSM must use error correction to withstand reception errors.
– During transmission a message is first subjected to an error-correction code, then encrypted.
– The structured redundancy in the message can be used for a ciphertext-only attack.
Ciphertext-Only Attack on A5/2
– Coding and interleaving operations can be modeled as a multiplication of the message by a constant matrix.
– P – the 184-bit message
– G – constant 456x184 matrix over GF(2)
– g – constant vector
– M = (G · P) xor g (divided into 4 data frames)
– G is a binary matrix, so there are 456 − 184 = 272 linear equations that describe the kernel of the inverse transformation.
– H – the matrix that describes these 272 equations, i.e. H · (M xor g) = 0
Ciphertext-Only Attack on A5/2
– C = M xor k (k is the keystream)
– H · (C xor g) = H · (M xor k xor g) = H · (M xor g) xor H · k = 0 xor H · k = H · k
– C is known, so we have linear equations over the bits of k.
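The linearity argument above worked through on a constructed toy systematic code (4 message bits, 7 code bits) instead of GSM's 456x184 code; this is an added example, not code from the paper or the slides, and the matrices A, G, H and the offset g are constructed for illustration.

```python
import random

# Constructed toy systematic code over GF(2): 4 message bits -> 7 code bits.
# Rows are bit lists. G = [I_4 ; A] (7x4) and H = [A | I_3] (3x7), so H*G = A + A = 0.
# Here 7 - 4 = 3 parity equations play the role of GSM's 456 - 184 = 272.
A = [[1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]
G = [[int(i == j) for j in range(4)] for i in range(4)] + A
H = [A[r] + [int(r == c) for c in range(3)] for r in range(3)]
g = [1, 0, 1, 1, 0, 0, 1]  # constructed constant offset, standing in for GSM's g


def matvec(mat, vec):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, vec)) % 2 for row in mat]


def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]


def encode(p):
    """M = (G * P) xor g: error-correction coding first, then the constant offset."""
    return xor(matvec(G, p), g)


def keystream_equations(c):
    """From the ciphertext alone compute H*(C xor g). Because H*(M xor g) = 0,
    this equals H*k: 3 linear equations on the 7 keystream bits, no plaintext needed."""
    return matvec(H, xor(c, g))


def check_leak(p, k):
    """Encrypt the codeword of p with keystream k and confirm the equations hold for k."""
    c = xor(encode(p), k)
    return keystream_equations(c) == matvec(H, k)


def all_messages_pass(seed=7):
    """Check the identity for every 4-bit message with a pseudo-random keystream each."""
    rng = random.Random(seed)
    for n in range(16):
        p = [(n >> i) & 1 for i in range(4)]
        k = [rng.randint(0, 1) for _ in range(7)]
        if not check_leak(p, k):
            return False
    return True
```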
GSM Service Request and Authentication Protocol (diagram: MSC, AuC, SIM)
– MSC → AuC: Authentication Data Request
– AuC computes A3/A8 on Ki and RAND, giving XRES and Kc; AuC → MSC: {RAND, XRES, Kc}
– MSC → SIM: AUTHREQ(RAND)
– SIM computes A3/A8 on Ki and RAND, giving RES and Kc; SIM → MSC: AUTHREQ(SRES)
– MSC checks: SRES = XRES?
– MSC → phone: Cipher Service Req Ack (Use A5/1)
Class-Mark Attack (diagram: Phone, Attacker, Network)
– Phone → Attacker: Service Req (A5/1)
– Attacker → Network: Service Req (A5/2)
– Network → Phone: Use A5/2
– An attacker can change the class-mark information that the phone sends to the network.
– The signal of the attacker must override the phone's signal, or a man-in-the-middle attack is used.
Recovering Kc of Past or Future Conversations (diagram: Attacker, SIM)
– Attacker → SIM: RAND; SIM computes A3/A8 on Ki and RAND, giving RES and Kc; SIM → Attacker: RES
– Attacker → phone: Cipher (A5/2)
– The protocol doesn't provide any key separation (all encryption algorithms use the same key).
– An attacker can use a fake base station and instruct the phone to use A5/2 and then easily resolve Kc (Future Conversation Attack).
– If the attacker has access to the SIM he can easily get Kc. If he doesn't, he can instruct the phone to use A5/2.
– If an attacker recorded the conversation he can send the recorded RAND to the phone.
Man in the middle attack (diagram: Network, Attacker, Victim)
– Network → Attacker: RAND; Attacker → Victim: RAND
– Victim computes A3/A8 on Ki and RAND, giving Kc and RES; Victim → Attacker: RES
– Attacker → Victim: CIPHMODCMD: A5/2; Victim → Attacker: CIPHMODCMD (Encrypted)
– Attacker: Find A5/2 key
– Attacker → Network: RES
– Network → Attacker: CIPHMODCMD: A5/1; Attacker → Network: CIPHMODCMD (Encrypted)
Attack Scenarios
– Call Wire-Tapping
– Call Hijacking
– Altering of Data Messages (SMS)
– Call Theft – Dynamic Cloning
Protocol Weaknesses
– The authentication protocol can execute at the beginning of the call. The phone cannot ask for authentication. If there is no authentication, Kc stays as in the previous conversation.
– The network chooses the encryption algorithm (the phone only reports the ciphers it supports).
– The class-mark message is not protected.
– There is no mechanism that authenticates the network to the phone.
– No key separation between the algorithms or methods of communication.
– RAND reuse is allowed.
Acquire a Specific Victim
– GSM includes a mechanism that is intended to protect the identity of the mobile phone.
– Each subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI) over an encrypted link.
– The TMSI can be reallocated every once in a while, in particular when there is a change in location.
– The TMSI is used to page on incoming calls and for identification during unencrypted parts.
– The fixed identification of the subscriber is its International Mobile Subscriber Identity (IMSI).
– If both TMSI and IMSI are unknown to the attacker, he may be forced to listen in to all the conversations in the area.
Acquire a Specific Victim (2)
– The attacker has the victim's phone number and wishes to associate it with the subscriber's IMSI or TMSI.
– Solutions:
 – Call the victim and monitor all the calls (recognize his own caller ID).
 – Send a malformed SMS message.
– When performing an active attack, the attacker needs to lure the mobile into his own fake base station.
GSM Security
– Cryptographic methods secret, not "well examined".
– Symmetric procedure
 – consequence: storage of user-specific secret keys with the network operators required
– No end-to-end encryption.
– Key generation and administration not controlled by the participants.
– Same key used for A5/1 and A5/2.
– No mutual authentication intended
 – consequence: an attacker can pretend to be a GSM network
– No end-to-end authentication.
– As a result of the initial publication of this paper, the GSM security group is working to remove A5/2 from the handsets.
Thank you
Homework
1. Define in one line the following: GSM, UMTS, DECT, TETRA, ERMES.
2. Why does using a SIM help security?
3. How would you attack someone's GSM mobile phone? Describe the system and the steps of the attack.
4. Describe at least 3 known weaknesses of GSM and how you would fix them if you could change the standard or the system.
5. Bonus: Describe a new attack (which isn't mentioned in the paper) on the GSM network.
GSM structure (diagram: Radio Subsystems (MS, BTS, BSC, BSS), Switching Subsystems (HLR, AuC, EIR, VLR, (G)MSC), Network Management (OMC), Call Management, fixed network PSTN/ISDN and data networks)
– AuC – Authentication Centre
– BSS – Base Station Subsystem
– BSC – Base Station Controller
– BTS – Base Transceiver Station
– EIR – Equipment Identity Register
– HLR – Home Location Register
– MS – Mobile Station
– (G)MSC – (Gateway) Mobile Switching Centre
– OMC – Operation and Maintenance Centre
– PSTN – Public Switched Telephone Network
– VLR – Visitor Location Register
– ISDN – Integrated Services Digital Network
GSM: protocols, incoming call (diagram: PSTN/ISDN, GMSC, HLR, VLR, MSC, BSS)
(1) Call from the fixed network is switched via the GMSC
(2) GMSC finds out the HLR from the phone number and transmits the need for a conversation
(3) HLR checks whether the participant is authorized for the corresponding service and asks for the MSRN at the responsible VLR
(4) MSRN is returned to the GMSC, which can now contact the responsible MSC
(5) GMSC transmits the call to the current MSC
(6) Ask for the state of the mobile station
(7) Information whether the end terminal is active
(8) Call to all cells of the Location Area (LA)
(9) Answer from the end terminal
(10–12) Security check and connection construction
GSM: protocols, outgoing call (diagram: MS, BSS, MSC, VLR, HLR, GMSC)
(1) Demand for connection
(2) Transfer by the BSS
(3–4) Check for authorization
(5) Switching of the call demand to the fixed network
Protocol