1. 1 Rogue Mobile Shell Problem Verizon Wireless October 26, 2000 Christopher Carroll

2. 2 Agenda Rogue Shell Issues 3GPP AKA 3GPP2 Authentication Rogue Shell Problem Lucent Solution Existing 3GPP Solution Recommendation

3. 3 Rogue Shell Issues Is the Rogue Shell Problem a potential vulnerability? Yes. Is the Lucent solution acceptable? No. Does 3GPP AKA provide an adequate solution? Yes.

4. 4 3GPP2 Cryptographic Key Hierarchy K IKCK Per-AV 128-bits Per-call Root Secret key Voice Privacy keySession MAC Key 128-bits Per-Session Authentication Vector (AV) Data Privacy Key 128-bitsPer-Session/Call Per-AV

5. 5 AKA and Authentication 3GPP AKA used to create IK and CK Security Association (SA) Each AV creates unique IK and CK (SA) SA duration can vary (can vary from 1 call to several weeks) – depending on Carrier IK (IK Session Key) used for Service Request authentication Message Authentication Code (MAC) or Challenge response can authenticate Mobile/Message

6. 6 3GPP AKA (HE-to-SN) Home Network AV = (IK, CK, RAND, XRES, AUTN) AUTN = (SQN  AK, AMF, MAC) IK, CK Serving Network (SN) HE SN sends RAND and AUTN to UE SN compares XRES with SRES calculated in USIM AUTH Success Report K Root Key

7. 7 3GPP AKA (SN-to-USIM) Smart Card Smart Card USIM derives IK, CK, and AK using K and RAND with SHA-1 algorithm Checks SQN, MAC Generates SRES User Equipment (UE) 64-bit Challenge (RAND) 48-bit (SQN  AK) 32-bitResponse(SRES) Serving Network (SN) USIM 32-bitResponse(SRES) 64-bit Challenge (RAND) 48-bit (SQN  AK) AV (IK, CK, RAND,XRES,AUTN)AUTN (SQN, AK, AMF, MAC) K Root Key

8. 8 Generation of authentication vector in HE

9. 9 3GPP AKA (IK and CK transfer from USIM to UE) Smart Card User Equipment (UE) USIM 128-bit IK 128-bit CK UE uses IK and CK To calculate session IK, MACs, and Session CKs (Voice/Data Session Privacy Keys) Limited Bandwidth Too Slow to Calculate Real-time MACS or Encryption pads K Root Key

10. 10 3GPP2 (ANSI-41) Authentication User Equipment (UE) ANSI-41 Global Challenge (RAND) Or Order MACed using IK (or IK Session Key) Response(AUTHR)Or Service Request MACed using IK (or IK Session Key) Serving Network (SN) IK, CK, Session IK, Session CK used for Encryption IK (or Session IK) used to CheckAuthenticationresponse

11. 11 AKA vs. Authentication 3GPP AKA and Mobile Authentication are different processes! AKA establishes the SA Mobile Authentication performed using IK or session Authentication key derived from IK.

12. 12 Rogue Mobile Shell Problem UIM (Smart Card) serial interface too slow to pass Encryption in real time or MACs efficiently for authentication. UIM must pass IK and CK to the Mobile Shell (UE) to enable real time security. Mobile Shell must be trusted to erase IK and CK after UIM transfer. Rogue Mobile can retain IK and CK and obtain service until new SA created (using new AV).

13. 13 Rogue Mobile Shell User Equipment (UE) Rogue Mobile Shell ANSI-41 Global Challenge (RAND) Or Order MACed using IK (or IK Session Key) Response(AUTHR)Or Service Request MACed using IK (or IK Session Key) Serving Network (SN) IK, CK, Session IK, Session CK No USIM present IK (or Session IK) used to CheckAuthentication Response (or MAC)

14. 14 Rogue Mobile Shell Scenario Fraudsters setup Rogue Mobile terminal at Airport terminal. Subscriber uses USIM at terminal to check e-mail or surf web. Rogue Mobile retains IK and CK after user removes USIM. Rogue Mobile uses or transfers IK and CK to create Call-Cell operation. Service available until legitimate subscriber registers in new system or AV update.

15. 15 Rogue Mobile Shell Characteristics Fraudsters must entice subscribers to use the Rogue Mobile Shell Rogue Shell and/or Fraudsters are exposed to identification Rogue Shell attack is localized (Airport, Taxi, Hotel, etc…) Rogue Shell is physically traceable. Rogue Shell attack is limited in scope (location, type of users, enticement technique, duration) Verizon Wireless can authorize “trusted” terminals (shells) for subscribers UIM transfer performed infrequently.

16. 16 Lucent Solution Lucent solution creates a new secret (key) between the SN and UIM –UIM Authentication Key (UAK) UAK not known by Rogue Mobile (UE) UAK allows for Global or unique challenge of USIM. UAK challenge-response will defeat Rogue Mobile Shell

17. 17 UAK Authentication Smart Card Smart Card UIM derives LAK from 48-bit AK (or using F function) USIM calculate AUTH L using LAK and challenge Rogue Mobile Shell Doesn’t know UAK Global Challenge (or Unique) Response (AUTH L ) Serving Network (SN) USIM Response (AUTH L ) Global Challenge UAK SN Checks AUTH L UAK

18. 18 UAK Generation Options UAK is 128-bit secret key. (Option 1) UAK generated Locally. (Option 2) UAK created by Home System and transmitted to SN in AV – more secure.

19. 19 UAK Solution Disadvantages 3GPP/3GPP2 USIM Interoperability significantly impaired –3GPP USIM must store LAK –New function (F11) added to 3GPP USIM 3GPP AuC must provide UAK for user roaming in ANSI-41 network (if UAK not derived from AK) UAK (created at HE) requires expansion of AV UAK derived from AK is very weak –Only 48-bits –Sequence number (SQN) may be known to attacker

20. 20 3GPP AKA Rogue Shell Solution Perform 3GPP AKA for each Mobile service request, i.e. use a new AV for each mobile call –New IK and CK generated per call –Old IK and CK useless to Rogue Mobile Shell 3GPP addressing Rogue Mobile problem by using AV-per-service-request for roaming mobiles In cdma2000, AV-per-service-request only necessary until Rogue Mobile threat eliminated

21. 21 3GPP AKA Rogue Shell Solution Smart Card Smart Card USIM derives IK, CK, and AK using K and RAND with SHA-1 algorithm Checks SQN, MAC Generates SRES Rogue Mobile Shell Can’t use former IK,CK Or current IK, CK later 64-bit Challenge (RAND) 48-bit (SQN  AK) 32-bitResponse(SRES) Serving Network (SN) USIM 32-bitResponse(SRES) 64-bit Challenge (RAND) 48-bit (SQN  AK) AV (IK, CK, RAND,XRES,AUTN)AUTN (SQN, AK, AMF, MAC) K Root Key