Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fundamentals of Cellular and Wireless Networks

Published byJanel Paul Modified over 6 years ago

Similar presentations

Presentation on theme: "Fundamentals of Cellular and Wireless Networks"— Presentation transcript:

1 Fundamentals of Cellular and Wireless Networks
Lecture ID: ET- IDA-113/114 , v09 Prof. W. Adi Lecture-8 Mobile Security Fundamentals-II Contemporary Mobile Ciphering Mechanisms

2 Secret Key Cryptography in Use Fundamental Concepts for Mobile Ciphers
Conventional Secret Key Cryptography in Use Fundamental Concepts for Mobile Ciphers

3 Secret Key Ciphers + + Have two main types Block Ciphers
no internal memory involved Stream Ciphers includes internal memory n Message General Stream Cipher Cryptogram Additive Stream Cipher Is the most wuidespread stream cipher form pure comb. logic n Key n Cipher Text Clear Text Clear Text + + memory RKG RKG (RKG: Running Key Generator) The main difference between block and stream ciphers is that stream cipher do have a memory in their function

4 Cipher text (Cryptogram)
Block-Ciphers Clear text 3 2 1 m n Combinational Logic (Memory less) Key Z Key size 64, 128, bits m 1 2 3 Cipher text (Cryptogram)

5 Additive Stream Ciphers Running Key Generator, Example: A5 in GSM
Common Stream Ciphers Additive Stream Ciphers Cipher Text Clear Text Clear Text + + Z1 Z2 Z3 ... Z1 Z2 Z3 ... Z RKG Z RKG Running Key Generator, Example: A5 in GSM

6 Ciphering Using Running Key Generators
Cipher Text Clear Text X1 X2 X3 ... Y1 Y2 Y3 ... Z1 Z2 Z3 ... Initial value as a Key RKG RKG: Running Key Generator is a non-linear state machine The fundamentals for designing Running Key Generators (RKG) are given in a simplified form In the next slides

7 Stream Cipher Hagelin M-209 (2nd World War)
Register size values 26, 25, 23, 21,19,17 have no common divisor other than 1. =>Output sequence length= 26x25x23…x17  108 Secret-key = Initial state of the registers Electronic equivalent to the mechanical machine

8 Design Fundamentals of Binary Sequences
Basic definetions: Polynomials over the binary field GF(2) Polynomials having coefficients 1 or 0 With arithmetic over GF(2) A (x) = Example : A(x) =x6 + x5 + x3 +1 over GF(2) is the vector ( ) MSB LSB Addition: A(x) = 1 + x In binary form B(x) = 1 + x + x 3 A(x) + B(x) = x 3 ( as 1+1=0 in GF(2) ) Multiplication: In binary form A(x) B(x) = (1 + x) (1 + x + x 3 ) = 1(1 + x + x 3 ) + x(1 + x + x 3 ) = 1 + x + x 3 + x + x 2 + x 4 = 1 + x 2 + x 3 + x 4

9 Linear Feedback Shift Registers LFSR
Basic Concepts Ex-Or gate for j  L Memory (shift Register) Register Length is L bits The Connection Polynomial: C(D) = 1 + C1 D1 + C2 D CL DL

10 Basic Linear Feedback Shift Register Structure LFSR
Example C(D) = D3 + D + 1 is a primitive Polynomial with Period N = 23-1 =7 Output binary sequence Cycle structure is {1(1), 1(7)}.

11 Breaking LFSR Sequences is very easy !
Can be broken by using Shift Register Synthesis Algorithm Massey-Berlekamp Algorithm Theorem: Connection Polynomial C(D) and its initial state can be found if only 2L bits of the sequence are known Any binary sequence can be generated using some LFSR Definition: The linear Complexity L(S) of a sequence S is the length the of the shortest LFSR that generates the sequence (higher L(s) means that the sequence s is harder to break)

12 Running Key Generators
Hadamard Combiner LFSR1 S 1n C1 (D) & C2 (D) irreducible with periods N1, N2 and degree L1, L2 such that gcd(L1, L2) = 1 Linear complexity L(S0, S1, S2 ...) = L1.L2 Sequence Period is N = lcm(N1, N2) lcm=least common multiple <C (D),L > 1 1 S n LFSR2 <C (D),L > 2 2 S 2n

13 Running Key Generators Geffe´s Running Key Generator
complement C1 (D), C2 (D) and C3 (D) irreducible with periods N1, N2 and N3 and degree L1, L2, L3 such that gcd(Li, Lj) = 1 Linear complexity L(Sn)= L3 + L1.L2 + L2.L3 Sequence Period is N = lcm(N1, N2 ,N3)

14 Running Key Generators Massey-Rueppel proposal
gcd(L1, L2) = 1 C1(D), C2(D) are irreducible L2  L1 Linear complexity L(Sn)= L1.L2 Sequence Period is N = lcm(N1, N2) (GSM stream cipher employes the Idea of different irregular clocking to Multiple LFSR (linear feedback shift registers) Clock f1 Clock f2 < f1/2

15 The Most Widespread Cipher
GSM Mobile Phone Cipher : A5/1,2 .. Unpublished Stream Ciphers ! The Most Widespread Cipher Over 800 Million mobile devices worldwide

16 GSM: Cipher Key (Kc) Agreement Process
Mobile Station Network Random Generator SIM card (Authentication Request) 128 Bit RAND Ki RAND Ki A8 A8 64 Bit 64 Bit Kc Kc= A8(Ki,RAND)

17 Ciphering Mode Command
GSM Data Ciphering Secret Cipher A5 Mobile Network TDMA- TDMA Frame # Ciphering Mode Command Frame # Kc Kc 22 Bit 64 Bit 22 Bit 64 Bit A5 A5 144 Bit Z(t) Cipher text Z(t) Clear text (Voice, data) Clear text

18 GSM A5/1 Stream-Cipher : Unpublished Secret Cipher
LFSR1 LFSR2 LFSR3 Clock Control De-linearizer C Stop/go-1 Stop/go-2 Stop/go-3 Z(t) length = 23 Bits length = 22 Bits length = 19 Bits Effective key length = 40 Bits ! / 1 Linear Feedback Shift Register Un-offecially Published by Berkely Students, Attacked by A. Shamir 1999/2000 Shamir’s Attack: The attack can find the secret key Kc in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analysing the output of the A5/1 algorithm in the first 2 minutes of the conversation

19 The answer of GSM Association was: the new secret Mobile Cipher A5/2
Export version cracked by Barkan, Biham and Keller August. 2003 Barkan’s Attack: A ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer Clock Control LFSR: Linear Feedback Shift Register LFSR1 C1 length = 18 Bits Majority Function LFSR2 C2 length = 21 Bits LFSR3 C3 length = 22 Bits LFSR4 C length = 16 Bits Key-Stream

20 3rd Generation Mobile Cipher is
KASUMI Cipher to replace A5/1,2,.. UMTS/3GPP Standard (March 2000) Based on : Original Mitsubishi’s “ MISTY” Cipher -1997

21 (used to implement KASUMI cipher)
Recursive Structure of MISTY Cipher (used to implement KASUMI cipher) 32 32 32 32 16 16 FO FO FI 9 7 S9 FO FO FI S7 FI S9 FO FO FI Level 3 (3 round) FO Level 2 (3 round) MISTY1 Level 1 (n round) MISTY2 Level 1 (n round)

22 KASUMI: Contents of S7 and S9
Table of S9 over GF (29) Table of S7 over GF (27) 451,203,339,415,483,233,251, 53,385,185,279,491,307, 9, 45,211, 199,330, 55,126,235,356,403,472,163,286, 85, 44, 29,418,355,280, 331,338,466, 15, 43, 48,314,229,273,312,398, 99,227,200,500, 27, 1,157,248,416,365,499, 28,326,125,209,130,490,387,301,244,414, 467,221,482,296,480,236, 89,145, 17,303, 38,220,176,396,271,503, 231,364,182,249,216,337,257,332,259,184,340,299,430, 23,113, 12, 71, 88,127,420,308,297,132,349,413,434,419, 72,124, 81,458, 35, 317,423,357, 59, 66,218,402,206,193,107,159,497,300,388,250,406, 481,361,381, 49,384,266,148,474,390,318,284, 96,373,463,103,281, 101,104,153,336, 8, 7,380,183, 36, 25,222,295,219,228,425, 82, 265,144,412,449, 40,435,309,362,374,223,485,392,197,366,478,433, 195,479, 54,238,494,240,147, 73,154,438,105,129,293, 11, 94,180, 329,455,372, 62,315,439,142,454,174, 16,149,495, 78,242,509,133, 253,246,160,367,131,138,342,155,316,263,359,152,464,489, 3,510, 189,290,137,210,399, 18, 51,106,322,237,368,283,226,335,344,305, 327, 93,275,461,121,353,421,377,158,436,204, 34,306, 26,232, 4, 391,493,407, 57,447,471, 39,395,198,156,208,334,108, 52,498,110, 202, 37,186,401,254, 19,262, 47,429,370,475,192,267,470,245,492, 269,118,276,427,117,268,484,345, 84,287, 75,196,446,247, 41,164, 14,496,119, 77,378,134,139,179,369,191,270,260,151,347,352,360, 215,187,102,462,252,146,453,111, 22, 74,161,313,175,241,400, 10, 426,323,379, 86,397,358,212,507,333,404,410,135,504,291,167,440, 321, 60,505,320, 42,341,282,417,408,213,294,431, 97,302,343,476, 114,394,170,150,277,239, 69,123,141,325, 83, 95,376,178, 46, 32, 469, 63,457,487,428, 68, 56, 20,177,363,171,181, 90,386,456,468, 24,375,100,207,109,256,409,304,346, 5,288,443,445,224, 79,214, 319,452,298, 21, 6,255,411,166, 67,136, 80,351,488,289,115,382, 188,194,201,371,393,501,116,460,486,424,405, 31, 65, 13,442, 50, 61,465,128,168, 87,441,354,328,217,261, 98,122, 33,511,274,264, 448,169,285,432,422,205,243, 92,258, 91,473,324,502,173,165, 58, 459,310,383, 70,225, 30,477,230,311,506,389,140,143, 64,437,190, 120, 0,172,272,350,292, 2,444,162,234,112,508,278,348, 76,450 27, 50, 51, 90, 59, 16, 23, 84, 91, 26,114,115,107, 44,102, 73, 31, 36, 19,108, 55, 46, 63, 74, 93, 15, 64, 86, 37, 81, 28, 4, 11, 70, 32, 13,123, 53, 68, 66, 43, 30, 65, 20, 75,121, 21,111, 14, 85, 9, 54,116, 12,103, 83, 40, 10,126, 56, 2, 7, 96, 41, 25, 18,101, 47, 48, 57, 8,104, 95,120, 42, 76,100, 69,117, 61, 89, 72, 3, 87,124, 79, 98, 60, 29, 33, 94, 39,106,112, 77, 58, 1,109,110, 99, 24,119, 35, 5, 38,118, 0, 49, 45,122,127, 97, 80, 34, 17, 6, 71, 22, 82, 78,113, 62,105, 67, 52, 92, 88,125 KASUMI Cipher - Introduced , Is still not broken !! - No proof that KASUMI can not be broken !!

23 GSM Mobile Device Identities
International Mobile Equipment Identity IMEI SIM Subscriber Identity Module SIM is a secured system entity ! IMEI is not secured !

24 Basis Identification Function for GSM is
Challenge-Response Identification Mechanisms Explicit Secret Key Signature Authenticity without Secrecy Prover A Verifier Ki Set up: Agree on a secret key Ki and a One-Way Function F RES=F(Ki , R) Who are you ? : Prove by using R that you know Ki Authentication Request Generate a random R (Challenge) I am A, and this is the proof : RES (Response) If RES = F(Ki , R) then accept ?

25 GSM Subscriber Identification Mechanism
Authentication function for SIM Using Challenge-Response mechanism Mobil-Station Verifier-Station Identity key max. 128 Bit Ki Random Generator Authentication request 128 bits RAND RAND RAND Attack: Find Ki and clone the SIM card query, 8 hours (ISSAC group Berkely 1998) A3/COMP128 A3/COMP128 Authentication Result 32 Bit = XRES XRES Authentication response XRES SIM Card

26 3rd Generation Mobile Standard Reaction Is the MILENAGE Algorithm
Set for Authentication and Key Generation Functions in 3GPP Standard

27 MILENAGE: USIM Authentication and Key Generation Values in 3GPP
f5 f1 f2 f3 f4

28 3 G Functions f1 f2 f3 f4 f5 Security resides mainly in Ek Ek is a one way function Ek Ek Ek Ek Ek AES Cipher is proposed for Ek instead of the secret A3 and COMP128 f1 f*1 f5 f2 f3 f4 f*5

29 Summary of Main GSM Security Functions
Encryption Scramble bit streams to protect signaling and user data Ciphering algorithm A8(Ki, RAND) => Kc A5(Kc, Data) => Encrypted Data Authentication Protect from unauthorized service access Based on the authentication algorithm A3(Ki, RAND) => SRES User Confidentiality Prevent intruder from identifying users by IMSI (International Mobile Subscriber Identity) by using secured temporary MSI called (TMSI)

30 Major GSM Security Gaps
Active Attacks Possible Impersonating network elements such as false Base Station is possible Key Transmission in Clear Cipher keys and authentication values are transmitted in clear within and between networks (IMSI, RAND, SRES, Kc) Limited Encryption Scope - Encryption terminated too soon at edge of network to Base Station Transactions with the fixed network portion aren’t protected - Designed to be only as secure as the fixed networks Channel Hijacking Protection against radio channel hijacking relies on encryption. However, encryption is not used in some networks.

Download ppt "Fundamentals of Cellular and Wireless Networks"

Similar presentations

Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.

Siyang Tian. TOPIC 1.SIM CARD card embedded with subscriber identity module 2. 3G network 3rd generation mobile telecommunications.
An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,
Kingdom Special Operations SJS-KW

Kingdom Special Operations SJS-KW
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security and Encryption

GSM Security and Encryption
Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit

Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.

Syed Safi Uddin Qadri BETL/F07/0112 GSM Stream Cipher Algorithm Presented To Sir Adnan Ahmed Siddiqui.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.

SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
Session 2: Secret key cryptography – stream ciphers – part 1.

Session 2: Secret key cryptography – stream ciphers – part 1.
Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.

GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
Cryptography and Network Security (CS435)

Cryptography and Network Security (CS435)
Cellular Mobile Communication Systems Lecture 8

Cellular Mobile Communication Systems Lecture 8

Similar presentations

Ads by Google