1 cdma2000 Packet Data Security Assessment Christopher Carroll Verizon Wireless April 11, 2001.

2 Security Issues MN-AAAh Secret not defined –Cryptographically strong MN-AAAh key defined Mobile IP Key Distribution not defined –MN-HA key and MN-FA key key agreement defined Radio Access Layer security not supported –Access Terminal (AT) key defined

3 Agenda Entity vs. Message Authentication Mobile IP Security –Message authentication codes AAA Recommendations –MN-AAA Key Bootstrapping –MIP key distribution –Radio Access Layer Security

4 Why Packet Data Security? Flaws published! - “The Security of data transmitted on a wireless data service was a critical adoption issue. It appears that many felt that wireless data could be more vulnerable to interception than if transmitted over a wired connection.” Verizon Wireless Data Service Qualitative Research Report (In Focus Marketing, September 2000)

5 TR-45 Challenge-Response Entity Authentication Cell Site Subscriber Telephone 32-bit Challenge (Question) 18-bit Response (Answer) SSD-A 1

6 TR-45 Entity Authentication CAVE Hash Function SSD-A ESN Dialed Digits 18-bit Response Random Challenge MIN

7 Radius Entity Authentication MD5 Hash Function MN-AAAh key NAI Registration Request 128-bit Response Random Challenge MN-HA Auth. Ext.

8 Pseudo-random Number Generator MD5 MN-AAAh Key 1 MN-AAAh Key 2 MN-AAAh Key 3 MN-AAAh Key n

9 Radius Authentication Secret Response Library Book Page/ word MD5 MN-AAAh Key Challenge

10 Mobile IP Message Authentication Hash Function (MD5) “Send packets To IP address: ” 128-bit MAC Secret Key

11 Entity vs. Message Authentication Entity: Verify identity of an entity Prove shared secret Vulnerable to Replay attack CHAP, MN-AAA Authentication Ext. Message: Prevent manipulation of message Prove message sent from entity Vulnerable to Replay attack MIP Authenticator

12 Preventing Replay Attack (between MN and HA) Hash Function (Keyed MD5) Registration Request Message 128-bit MAC MN-HA Key Freshness (Randomness and/or nonce) Identification Field
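
The replay protection on slides 11 and 12, as an added example that is not part of the original presentation: the Identification field is covered by the keyed-MD5 MAC, so a captured request cannot be resent or re-stamped. The message layout is a simplified stand-in for the Mobile IP wire format, the prefix+suffix keyed MD5 is the RFC 2002 default mode, and a strictly increasing counter stands in for the timestamp or nonce carried in Identification; all names and values are constructed.

```python
import hashlib
import hmac
import struct

def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Prefix+suffix keyed MD5: MD5(key || data || key), 128-bit MAC."""
    return hashlib.md5(key + data + key).digest()

def build_request(key: bytes, nai: str, care_of: str, identification: int) -> bytes:
    """Simplified Registration Request: Identification || NAI || care-of || MAC."""
    body = struct.pack("!Q", identification) + nai.encode() + care_of.encode()
    return body + keyed_md5(key, body)

class HomeAgent:
    """Verifies the MN-HA authenticator, then the freshness of Identification."""

    def __init__(self, mn_ha_key: bytes):
        self.key = mn_ha_key
        self.last_id = 0  # highest Identification accepted so far

    def accept(self, msg: bytes) -> str:
        if len(msg) < 8 + 16:
            return "malformed"
        body, mac = msg[:-16], msg[-16:]
        # Message authentication: any change to the body invalidates the MAC.
        if not hmac.compare_digest(mac, keyed_md5(self.key, body)):
            return "bad-mac"
        # Freshness: a byte-for-byte copy has a valid MAC but a stale Identification.
        (ident,) = struct.unpack("!Q", body[:8])
        if ident <= self.last_id:
            return "replay"
        self.last_id = ident
        return "accepted"

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed MN-HA key

def scenario() -> list:
    ha = HomeAgent(KEY)
    genuine = build_request(KEY, "user@example.com", "192.0.2.10", 1001)
    redirected = genuine.replace(b"192.0.2.10", b"203.0.113.9")  # altered care-of
    restamped = struct.pack("!Q", 1002) + genuine[8:]            # altered Identification
    fresh = build_request(KEY, "user@example.com", "192.0.2.10", 1002)
    return [ha.accept(m) for m in (genuine, genuine, redirected, restamped, fresh)]

if __name__ == "__main__":
    print(scenario())
```

Without the Identification check the second copy of `genuine` would be accepted, which is the replay weakness slide 11 attributes to message authentication on its own.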

13 Challenge Extension Allows FA/PDSN or AAA server to authenticate the MN 32-bit (at least) Random Challenge issued by FA/PDSN in Agent Advertisement. MN includes Challenge before MN-AAA authentication Ext. Leverage randomness to generate MN-HA and MN-FA keys

14 Preventing Replay Attack (between MN and FA/PDSN) Hash Function (Keyed MD5) Registration Request Message 128-bit MAC (may be reduced in length) MN-FA Key Freshness (Randomness and/or nonce) Identification Field Challenge Ext. 32-bit Randomness

15 AAA Authentication Extension MN HA FA PDSN Registration Request NAI Extension Mobile-Home Authentication Extension MN-FA Challenge Extension MN-AAA Authentication Extension AAAh Mobile-Home Authenticator MN-AAA Authenticator

16 Mobile IPv4 using Radius AAA AAAH MN AAAL HA FA Agent Advertisement Challenge Extension Verify MN-AAA Authenticator (CHAP) Registration Request NAI Extension Mobile-Home Authentication Ext. Challenge Extension MN-AAA Authentication Extension Registration Request NAI Challenge Extension MN-AAA Authentication Extension (CHAP Response) Registration Request NAI Extension Mobile-Home Authentication Ext. Foreign-Home Authentication Ext. (optional) Access Accept Verify Mobile-Home and/or Foreign-Home Authenticator MN-AAA Auth. Ext. (CHAP Response) Challenge Extension

17 Password Cracking Attack Secret Response Library Book Page/ word MD5 UNIXPassword Challenge Size of Library (Secret Space) significantly reduced by user-selected Books (secrets).

18 1xEV Password Cracking MN FA Agent Advertisement Challenge Extension Registration Request MN-AAA Authenticator MN-HA Authenticator Intercepts Challenge, Authenticator, and Other Registration info. Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search Hacker

19 MN-AAAh Key Shared secret between MN and AAAh must be cryptographically strong. MN-AAAh key field must be 128 bits long. MN-AAAh key must be at least 90 bits long. MN-AAAh key shall not be shared with the HA or any FA.

20 Internet Password Cracking FA HA Registration Response MN-HA Authenticator Registration Request MN-HA Authenticator Intercepts Challenge, Authenticator, and Other Registration info. Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search IP Packet Sniffer

21 MN-HA Key Shared secret between MN and HA must be cryptographically strong. MN-HA key field must be 128 bits long. MN-HA key must be at least 90 bits long. MN-HA key may be derived from the MN-AAAh key using a one-way function. MN-HA must protect the Registration Request message.

22 MN-FA Key Currently optional in 1xEV. Use MN-FA key to establish Radio Access Layer SAs. Shared secret between MN and FA must be cryptographically strong. MN-FA key field must be 128 bits long. MN-FA key must be at least 90 bits long. MN-FA key may be derived from the MN-AAAh key using a one-way function. MN-FA key can be used to generate Access Terminal (AT) key.

23 Mobile IPv4 Security Message Authentication Only –Provided by Security Associations (SA) Mobile-Home Authentication Extension –Mobile-Home Secret Key Mobile-Foreign Authentication Extension –Mobile-Foreign Secret Key Foreign-Home Authentication Extension –Foreign-Home Secret Key Only Manual Key Distribution mandatory Optional – DH, RSA, Secret key distribution No Encryption / Privacy IS-835 supplemented with IPsec (no end-to-end privacy)

24 MIP Bootstrapping Problem IS-835 AAA doesn’t have defined scalable MN-AAAh / MN-HA key distribution process! Initial key distribution (Bootstrap) common problem for any security system. 3GPP2/TR-45 can’t let history repeat – CAVE A-key distribution problem. WWW download, manufacturer pre-load/EDI, smart cards, OTASP, Manual.

25 Multi-layer Encryption BANK AES 128-bit Stream Cipher SSL 128-bit IDEA Encryption IPsec 112-bit Triple DES Encryption AT FA PDSN MN 1xEV DO BS HA PDSN

26 DIAMETER MN-FA Key Distribution AAAh MN AAAL HA FA (MN-FA key) AAAh-MN Encrypted Generate MN-FA key Encrypt with AAAh-FA key Encrypt with AAAh-MN key (MN-FA key) AAAh-FA Encrypted (MN-FA key) AAAh-MN Encrypted (MN-FA key) AAAh-FA Encrypted (MN-FA key) AAAh-MN Encrypted

27 Diameter MIP Key Distribution Problems MIP key is transmitted over-the-air –vulnerable to cryptanalysis Additional key management (AAAh-FA secret) Inefficient - AAAh encrypts MIP key twice Redundant – AAA to PDSN interface will be protected Slow – MN must register before MN-FA key delivered.

28 AAAh Diameter Problem #1 (Rogue FA) (IETF-AAA Registration Keys for Mobile IP) PDSN MN MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret) PDSN recovers MN Encryption Pad using the following technique: MN Encryption Pad == MN-FA key XOR (MN-FA key XOR MN Encryption Pad). Assuming that MN Home IP Address remains constant, PDSN can recover MN-FA key used with other FAs.

29 Diameter Problem #2 (Fixed Mask) PDSN MN MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret) PDSN sends MN-FA key XOR MN Encryption Pad. Attacker combines MN-FA Update #1 with #2: Delta MN-FA key == ((MN-FA key #1 XOR MN Encryption Pad) XOR (MN-FA key #2 XOR MN Encryption Pad)). Assuming that MN Home IP Address remains constant. Password protects Mask - Possible cryptanalysis of MN-FA Authentication
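
The two pad-reuse problems on slides 28 and 29, worked through as an added example that is not part of the original presentation. It shows why a pad that depends only on the MN-AAAh secret and the MN Home IP gives no protection across key updates. Plain concatenation of the MD5 inputs is an assumption, and every key and address below is constructed.

```python
import hashlib

def mn_encryption_pad(mn_aaah_secret: bytes, mn_home_ip: bytes) -> bytes:
    """Pad from the slides: MD5(MN-AAAh secret, MN Home IP, MN-AAAh secret)."""
    return hashlib.md5(mn_aaah_secret + mn_home_ip + mn_aaah_secret).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def masked_key_for_mn(mn_fa_key: bytes, pad: bytes) -> bytes:
    """Value delivered toward the MN: MN-FA key XOR MN Encryption Pad."""
    return xor(mn_fa_key, pad)

def recover_pad(own_mn_fa_key: bytes, masked: bytes) -> bytes:
    """Problem #1: the FA/PDSN holds its own MN-FA key and relays the masked
    copy, so key XOR (key XOR pad) hands it the pad."""
    return xor(own_mn_fa_key, masked)

def key_delta(masked_1: bytes, masked_2: bytes) -> bytes:
    """Problem #2: the fixed pad cancels, leaving key #1 XOR key #2."""
    return xor(masked_1, masked_2)

# Constructed sample values.
SECRET = b"constructed-mn-aaah-secret"
HOME_IP = bytes([10, 0, 0, 7])
KEY_FA1 = hashlib.md5(b"constructed MN-FA key #1").digest()
KEY_FA2 = hashlib.md5(b"constructed MN-FA key #2").digest()

def demo() -> dict:
    pad = mn_encryption_pad(SECRET, HOME_IP)   # identical for every update
    update_1 = masked_key_for_mn(KEY_FA1, pad)
    update_2 = masked_key_for_mn(KEY_FA2, pad)
    pad_at_fa1 = recover_pad(KEY_FA1, update_1)
    return {
        "pad_recovered": pad_at_fa1 == pad,
        "other_key_recovered": xor(update_2, pad_at_fa1) == KEY_FA2,
        "delta_leaks": key_delta(update_1, update_2) == xor(KEY_FA1, KEY_FA2),
    }

if __name__ == "__main__":
    print(demo())
```

All three results are true for any choice of keys, because nothing that changes between updates enters the pad.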

30 AAA Registration Keys for Mobile IP Enhancement MN-HA key == MD5 (MN-AAAh key, NAI, HA IP address, Randomness) MN-FA key == MD5 (MN-AAAh key, NAI, FA IP address, Randomness) Assuming that MIP Keys are derived from root MN-AAAh key Deliver Randomness in Unsolicited MN-FA or MN-HA Key From AAA Subtype (instead of encrypted key) Deliver keys to FA or HA in MIP Key Attribute. Lifetime AAA SPI FA or HA SPI MN-FA or MN-HA key Randomness

31 Proposed 1xEV MIP Cryptographic Key Hierarchy MN-AAAh Key MN-FA Key MN-HA Key 128-bits Root Secret key Bootstrap MN-AAAh key MN-HA key = MD5 (MN-AAAh key || MN NAI || HA IP address || Challenge) MN-FA key = MD5 (MN-AAAh key || MN NAI || FA IP address || Challenge) FA-HA Key

32 Simple, Efficient, and Secure MIP Key Agreement MN-HA or MN-FA keys are not exposed to the Air Interface Over-the-Air cryptanalysis precluded Based on GSM, TR-45, 3GPP, and 3GPP2 key agreement techniques – proven key distribution method. No additional Air Interface Overhead MIP key generation within MN and AAAh independently Vendor Specific MIP Key Attribute enables network delivery to HA or FA

33 MN-FA Key Agreement AAAh MN AAAL HA FA MN-FA key generated based on Challenge and MN-AAAh key. Generate MN-FA key Based on Challenge and MN-AAAh key. Include in MIP Key Attribute Access Accept (MN-FA key) MIP Key Attribute Access Accept (MN-FA key) MIP Key Attribute Challenge Extension

34 MN-HA Key Agreement AAAh MN HA MN-HA key generated based on Challenge and MN-AAAh key. Generate MN-HA key Based on Challenge and MN-AAAh key. Include in MIP Key Attribute Access Accept (MN-HA key) MIP Key Attribute Directed Agent Advertisement Challenge Extension (MN-HA key) MIP Key Attribute

35 “Directed” Agent Advertisement Preference to assign Reserved bit in Agent Advertisement as “MN-HA Update” bit. IETF approval could take years. Alternative – use MN Home IP address as the Agent Advertisement Destination Address (or globally defined IP address). Agent Advertisement currently uses “all systems on this link” or “limited broadcast” as destination address. MN-HA key only updated when MN directed by HA.

36 MN-AAAh Key FTCAuthKey MN-HA Key 128-bits Packet Data Root Secret key MN-FA Key A-key / NIA Hash 1xRTT OTASP or AAA Update Manufacturer Preload AT key RTCEncKey FTCEncKey RTCAuthKey 1xEV DO Access Layer Encryption And Integrity keys MIP Layer keys WWW Download 1xEV Cryptographic Key Hierarchy

37 1xEV DO MIM Attack MN PDSN D-H Key Exchange MIM UATI Registration Request (NAI) Session Hijack - Packet Injection MIM Device UATI FALSE PDSN FALSE MN D-H Key Exchange MIM UATI UATI Packet Injection and/or Information Extraction

38 Access Terminal (AT) Key Protects the MN-HA or MN-FA key from disclosure to Rogue AT. Enables Access Layer Privacy and Message Authentication. Shared secret between AT and RAN must be cryptographically strong. AT key field must be 128 bits long. AT key = MD5 (MN-HA key || UATI). AT key = MD5 (MN-FA key || UATI).

39 AT Key Generation MN PDSN Relay Mode Mobile Station AT AT Key UATI Laptop PC MN-FA Key Foreign Agent UATI AT Key
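
The proposed key hierarchy from slides 31 to 39, as an added example that is not part of the original presentation: the MN and the network each derive the MN-FA, MN-HA and AT keys locally, so only the Challenge, the NAI and the UATI cross the air interface. The field encodings (UTF-8 NAI, 4-byte IPv4 address, raw Challenge and UATI bytes) are assumptions, and all sample values are constructed. MD5 is kept only because it is the function the slides specify.

```python
import hashlib
import ipaddress

def derive_mip_key(mn_aaah_key: bytes, nai: str, agent_ip: str, challenge: bytes) -> bytes:
    """MIP key = MD5(MN-AAAh key || MN NAI || agent IP address || Challenge)."""
    if len(mn_aaah_key) != 16:
        raise ValueError("MN-AAAh key field must be 128 bits long")
    if len(challenge) < 4:
        raise ValueError("Challenge must carry at least 32 bits")
    ip = ipaddress.IPv4Address(agent_ip).packed
    return hashlib.md5(mn_aaah_key + nai.encode() + ip + challenge).digest()

def derive_at_key(mip_key: bytes, uati: bytes) -> bytes:
    """AT key = MD5(MN-FA key || UATI), or the same with the MN-HA key."""
    return hashlib.md5(mip_key + uati).digest()

def key_hierarchy(root: bytes, nai: str, fa_ip: str, ha_ip: str,
                  challenge: bytes, uati: bytes) -> dict:
    mn_fa = derive_mip_key(root, nai, fa_ip, challenge)
    mn_ha = derive_mip_key(root, nai, ha_ip, challenge)
    return {"MN-FA": mn_fa, "MN-HA": mn_ha, "AT": derive_at_key(mn_fa, uati)}

# Constructed sample values.
ROOT = bytes.fromhex("00112233445566778899aabbccddeeff")  # MN-AAAh root key
NAI, FA_IP, HA_IP = "user@example.com", "192.0.2.10", "198.51.100.20"
UATI = bytes.fromhex("0a0b0c0d")

def run_agreement(challenge: bytes):
    """Both ends run the same derivation; `sent` is all that goes over the air."""
    sent = {"challenge": challenge, "nai": NAI.encode(), "uati": UATI}
    mn_side = key_hierarchy(ROOT, NAI, FA_IP, HA_IP, challenge, UATI)
    # Network side: AAAh derives the MIP keys, FA/PDSN derives the AT key.
    network_side = key_hierarchy(ROOT, NAI, FA_IP, HA_IP, challenge, UATI)
    return mn_side, network_side, sent

if __name__ == "__main__":
    mn, net, sent = run_agreement(bytes.fromhex("a1b2c3d4"))
    print(mn == net, {name: key.hex() for name, key in mn.items()})
```

A new Challenge yields a new set of keys without any key material being transmitted, which is the property the pad-based Diameter delivery lacks.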

40 GSM SIM vs. cdma2000 MN UIMHLR/ACMS A5 Encryption Key Smart Card (computer) Authentication Algorithm Key Generation Air Interface BS A5 Encryption Key Authentication Algorithm Key Generation MN Radius AAA MS/AT AT Key Laptop computer Authentication Algorithm Key Generation Air Interface 1xEV DO BS AT Key Authentication Algorithm Key Generation AT Key A5 Key

41 MN BlueTooth AT 1xEV DO UATI AT 1xEV DO AT Radio Access Layer ID Bluetooth Radio Access Layer ID AT Key AT Key Transfer

42 Preventing MIM in 1xEV DO MN PDSN D-H Key Exchange MIM UATI Registration Request (NAI) Session Hijack - Packet Injection Improper MAC MIM Device UATI FALSE PDSN FALSE MN D-H Key Exchange MIM UATI UATI Packet Injection and/or Information Extraction Improper MAC Packet MAC Fails check – discarded Packet MAC Fails check – discarded

43 MN HA RAN Radius AAA Radius AAAh IP Layer Radius Authentication Secret Access Layer Radius Authentication Secret AT PDSN Radius AAAL RAN Redundant AAA Servers

44 Simple IP Define MN-AAAh secret as a cryptographically strong secret (e.g., MN-AAAh key). MN-AAAh key must be at least 90 bits long. RFC 1750 guidelines.

45 1xEV Security Solutions MN-AAAh Secret defined –Cryptographically strong MN-AAAh key defined Mobile IP Key Distribution defined –MN-HA key and MN-FA key key agreement defined Radio Access Layer security supported –Access Terminal (AT) key defined