Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research Feb 27, 2007.

1 Cryptography in Public Wireless Networks
Mats Näslund, Communication Security Lab, Ericsson Research
mats.naslund@ericsson.com
Feb 27, 2007

2 Outline
- Overview of GSM Cryptography
- Some “attacks” on GSM
- Overview of “3G” UMTS Cryptography
  – Message Authentication Codes

3 GSM Cryptography Overview

4 History – GSM Security
- Use of a smart card: SIM – Subscriber Identity Module, a tamper-resistant device containing critical subscriber information, e.g. a 128-bit key shared with the Home Operator
- The SIM is the entity which is authenticated
- Initial GSM algorithms (were) not publicly available and under the control of GSM-A
- GSM ciphering on the “first hop” only: stream ciphers using 54/64-bit keys, 128 bits in the future
- One-sided challenge-response authentication
- Basic user privacy support (“pseudonyms”)
- GSM crypto is probably (one of) the most frequently used crypto in the world

5 History – GSM Security
[Diagram: access security across Radio Base Station (RBS), Base Station Controller, MSC and SGSN]
- Voice – Confidentiality: A5/1, A5/2, A5/3, A5/4 (new, open)
- GPRS – Confidentiality: GEA1, GEA2, GEA3, GEA4 (new, open)
- Authentication: A3 algorithm

6 GSM Authentication: Overview
[Diagram: Visited Network (RBS, MSC/VLR) and Home Network (AuC/HLR); the SIM holds Ki. Message labels in the figure:]
- Req(IMSI) from the visited network to the AuC/HLR
- RAND, XRES, Kc returned to the MSC/VLR
- RAND to the phone; RES back from the phone
- Check: RES = XRES ?
- RAND, Kc

7 GSM Authentication: Details
- A3 and A8: authentication and key derivation (proprietary)
- A5: encryption (A5/1–4, standardized)
[Diagram: the SIM computes A3 on Ki (128 bits) and RAND (128 bits) → RES (32 bits), and A8 → Kc (64 bits); the phone runs A5/x on Kc and the frame number, producing a keystream that is XORed bit by bit with the data/speech frame → encrypted frame (stream cipher)]
- Note: one-sided authentication

8 Cryptographic Transforms in Wireless
- Wireless transmission is subject to
  – limited bandwidth
  – bit errors (up to 1% RBER)
- As a consequence, most protocols:
  – use stream ciphers (no padding, no error propagation)
  – do not use data authentication (data expansion, loss)

9 Quick Note: LFSR (Linear feedback shift register)
[Diagram: 7-bit register loaded with key = 0 1 1 0 1 0 1; the state is shifted and the output bit sequence is XORed with the plaintext]
- Rich theory (next lecture). Unfortunately very insecure…
  – Add non-linearity
  – Combine several LFSRs
  – Irregular clocking
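An added example (Python, not code from the slides) of the register sketched above. The key 0110101 is the slide's; the feedback taps (recurrence s[n+7] = s[n] XOR s[n+1], characteristic polynomial x^7 + x + 1) are this example's assumption, since the slide does not give them. It shows the keystream XORed with the plaintext, the maximal period 127, and the property behind “very insecure”: the keystream is GF(2)-linear in the initial state, so every output bit is a linear equation in the key bits, which is also what lets the A5/2 attack later in the deck reduce to solving a linear system. The last function shows why a keystream must never be used twice.

```python
"""Linear feedback shift register (LFSR) keystream demo (added example)."""

# Constructed 7-bit example. The key is the slide's; the taps are an
# ASSUMPTION of this example (x^7 + x + 1 is primitive, so the period is 127).
KEY_BITS = [0, 1, 1, 0, 1, 0, 1]
TAPS = (0, 1)


def _step(state, taps):
    """One clock: output state[0], shift, feed back the XOR of the tapped bits."""
    feedback = 0
    for t in taps:
        feedback ^= state[t]
    return state[1:] + [feedback]


def lfsr_stream(state_bits, taps, nbits):
    """Fibonacci LFSR over GF(2); returns the first nbits output bits."""
    state = list(state_bits)
    out = []
    for _ in range(nbits):
        out.append(state[0])
        state = _step(state, taps)
    return out


def lfsr_period(state_bits, taps):
    """Clocks the register until the initial (non-zero) state recurs.
    A maximal-length n-bit LFSR returns 2^n - 1, i.e. 127 for n = 7."""
    start = list(state_bits)
    state = _step(start, taps)
    steps = 1
    while state != start:
        state = _step(state, taps)
        steps += 1
    return steps


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def keystream_is_linear(state_a, state_b, taps, nbits):
    """The insecurity in one check: KS(a) XOR KS(b) == KS(a XOR b), so each
    keystream bit is a GF(2)-linear function of the key bits."""
    lhs = xor_bits(lfsr_stream(state_a, taps, nbits), lfsr_stream(state_b, taps, nbits))
    rhs = lfsr_stream(xor_bits(state_a, state_b), taps, nbits)
    return lhs == rhs


def stream_encrypt(plain_bits, key_bits, taps=TAPS):
    """Stream cipher as on the slide: plaintext XOR keystream, bit by bit.
    Decryption is the same operation."""
    return xor_bits(plain_bits, lfsr_stream(key_bits, taps, len(plain_bits)))


def keystream_reuse_leaks(plain_a, plain_b, key_bits, taps=TAPS):
    """Encrypting two messages under the same keystream cancels it:
    C_a XOR C_b == P_a XOR P_b. Returns True when that relation holds, which is
    why a stream-cipher key (or frame key) must be used only once."""
    ca = stream_encrypt(plain_a, key_bits, taps)
    cb = stream_encrypt(plain_b, key_bits, taps)
    return xor_bits(ca, cb) == xor_bits(plain_a, plain_b)


if __name__ == "__main__":
    print("first 20 keystream bits:", lfsr_stream(KEY_BITS, TAPS, 20))
    print("period:", lfsr_period(KEY_BITS, TAPS))
    print("linear in key:", keystream_is_linear(KEY_BITS, [1, 0, 0, 0, 0, 0, 0], TAPS, 64))
```

The period and linearity checks are exhaustive facts about this register, not samples; the same functions run unchanged for any length and tap set, so the reader can try a non-primitive polynomial and watch the period collapse.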

10 GSM Encryption: A5/2 (Export Version)
[Diagram of the A5/2 registers] majority(a, b, c) = ab + bc + ca (over GF(2))

11 A5/2 (clock control)
- R4 controls clocking
- 3 “associated” bits, one per R1–R3
- Ri (i = 1, 2, 3) is clocked iff its “associated” bit agrees with the majority of the 3 bits (at least two are clocked)

12 August 2003… Let’s take a closer look…

13 Idea behind the attack
- A5/2 is highly “linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are the key
- If the plaintext is known, each 114-bit frame gives 114 equations
- The only difference between frames is that the frame number increases by one
- After 6 frames (in reality only 4) we have > 660 equations ⇒ can solve!
- If the plaintext is unknown, one can still attack thanks to the redundancy of the channel coding (SACCH has 227 redundant bits per each 4-frame message)

14 Attack efficiency
- Off-line stage (done once):
  – Storage for “matrices”: approx. 200 MB
  – Pre-processing time: less than 3 hrs on a PC
- On-line attack stage:
  – Requires 4–7 frames sent from the UE on SACCH
  – Retrieving the key then takes less than 1 second
- Hardware requirement: normal PC and GSM-capable receiver

15 Consequence 1: Passive attacks in A5/2 Network (Eavesdropping)
[Diagram: 1 RAND, RES; 2 Cipher start A5/2; the new attack on a PC recovers the key in < 1 sec from < 1 sec of traffic]

16 Consequence 2: Active attacks in any Network (False base-station/man-in-the-middle attacks)
[Diagram, numbered messages: 1 RAND; 2 RAND; 3 RES; 4 RES; 5 Cipher start A5/1 (with same key); 6 Cipher start A5/2; 7 Attack: key; 8 Cipher stop; 9 Cipher start A5/1]

17 Consequence 3: Passive + Active attack
[Diagram: Record – 1 RAND, RES (with key); 2 Cipher start A5/1. Then – 1 RAND, RES (same key!); 2 Cipher start A5/2 → key]

18 Note
- A5/2 is an “export” version, not used in Sweden (or Europe)
- Attack does not apply to A5/1, A5/3 and A5/4 …well, almost…

19 Possible fix (Ericsson)
[Diagram: RAND → SIM → Phone; the key used by A5/x (x = 1, 2, 3, 4) passes through a function f together with Algo_id → encrypted frame]
- Agreed short-term fix is to phase out A5/2

20 UMTS Security Overview

21 3G (UMTS) Security
- Mutual Authentication with Replay Protection
- Protection of signalling data
  – Secure negotiation of protection algorithms
  – Integrity protection and origin authentication
  – Confidentiality
- Protection of user data payload
  – Confidentiality
- “Open” algorithms (block ciphers) are the basis for security
  – AES for authentication and key agreement
  – Kasumi for confidentiality/integrity
- Security level (key sizes): 128 bits
- Protection further into the network
- Only feature common to GSM

22 UMTS – Security
[Diagram: Node B, Radio Network Controller, MSC, SGSN; Integrity & Confidentiality by the UIA & UEA algorithms (based on KASUMI)]

23 UMTS – Authentication and Key Agreement AKA
[Diagram: Visited Network (RBS, MSC/VLR) and Home Network (AuC/HLR); the SIM holds Ki. Message labels in the figure:]
- Req(IMSI)
- RAND, XRES, CK, IK, AUTN
- RAND, AUTN to the phone; RES back from the phone
- Check: RES = XRES ?
- RAND, AUTN
- AUTN allows check of authenticity and “freshness”
- IK: integrity protection key
- Looks a lot like GSM, but…

24 UMTS Encryption: UEA/f8
[Diagram: Kasumi keyed with CK (128 bits), run for c = 1, 2, …, B; input COUNT || BEARER || DIR || 0…0 (64 bits); m (const); the “keystream” is XORed with the plaintext]
- “Masked” offset avoids known input/output pairs
- “Counter” avoids short cycles
- “Provably” secure under assumptions on Kasumi

25 Inside Kasumi (actually: MISTY)
[Diagram: 8 rounds of FO (32 bits), each built from FI (16 bits, 3 rounds), which uses the S-boxes S9 (9 bits) and S7 (7 bits); the nesting levels are annotated with security s, s², s⁴, s⁸]

26 New UMTS Cryptographic Algorithms

27 Standardization of UMTS Cryptography
- 3GPP (an ETSI body) standardizes UMTS
- Crypto developed by SAGE (also ETSI)
- UEA1/f8, UIA1/f9 developed 1999 for UMTS Rel-99
- About two years ago, SAGE started to look at new algorithms for UMTS: UEA2, UIA2
  – Requirements: algorithms substantially “different” from UEA1, UIA1; < 10000 gates; > 10 Mbit/s @ 20 MHz
- Specifications released about a year ago
- Independent evaluation by three teams

28 Data Integrity/Authentication
“Assurance that data originates from the claimed source and has not been modified”
- The main threat to “user data” in a cellular network is eavesdropping; modification of user data is less realistic/serious ⇒ encryption needed but not data integrity
- For “control signaling”, the situation is largely reversed; “faked” signaling could mean:
  – switch off user data encryption
  – fool the mobile phone to select another network
  – make the phone transmit at higher power, drain battery
  – …etc…

29 Data Integrity/Authentication
- Can be obtained by digital signatures, e.g. RSA
- Comes at a cost (bandwidth, computation time)
- Symmetric key alternative: Message Authentication Code (MAC)
[Diagram: Sender computes tag = f(k, message) and sends message, tag; Receiver gets message’, tag’, computes tag’’ = f(k, message’) and checks tag’’ = tag’ ?]

30 MAC Requirements (informal)
- Should be “difficult” to produce a (m’, t’) ∉ S which is accepted by the receiver
  – Could be done by modification or injection
- The attacker observes S = { (m, t) } generated by the sender (possibly some m:s chosen by the attacker)
- “Difficult” depends on the size of the key and the size of the tags
  – cannot avoid that the attacker tries to guess the key
  – cannot avoid that the attacker tries to guess a tag value
- “Security level” is at most min(2^size(key), 2^size(tag))
- Note: security level < 2^size(tag) is not “bandwidth optimal”

31 Provable security
- The “one-time pad” is an unconditionally, provably secure encryption method, but a bit impractical to use
  – Key must be random and only be used once
  – Entropy arguments can be used to give bounds on the security when size(key) < size(message)
- Provably secure constructions exist also for MACs!!
  – Similarities with OTP: key size vs message size reflected in security bounds; key must only be used once
- The new UMTS message authentication algorithm UIA2 is such a “provably secure construction”

32 Universal Hashing
Definition: Suppose B is an additive group and let H ⊆ { h : A → B } be a set of functions. H is called –almost -universal if x x’ ∈ A, y ∈ B, Pr h ∈ H [ h(x) - h(x’) = y ] ≤ .
Notes:
- “collision resistance” properties
- “best” is = 1/|B|
- connection to ECC and combinatorial designs
- Notation: –A U and –AU
- If it holds for y = 0 then H is called –almost universal.

33 Our Concrete Case
Only consider the case A = GF(2^n), B = GF(2^m), which means:
- –A U if x x’ ∈ GF(2^n), y ∈ GF(2^m), Pr h ∈ H [ h(x) ⊕ h(x’) = y ] ≤ , and
- –AU if it holds for y = 0: Pr h ∈ H [ h(x) = h(x’) ] ≤ .

34 Universal Hashing and Message Authentication
- Assume H is –A U
- “key” is the index to a random function h ∈ H, plus a random s ∈ GF(2^m)
- “tag”: t = h(m) ⊕ s
- Injection probability: as difficult as predicting s, probability 1/|B| = 2^-m
- Modification: if, given (m, t = h(m) ⊕ s), the attacker can find a valid (m’, t’ = h(m’) ⊕ s), then t ⊕ t’ = (h(m’) ⊕ s) ⊕ (h(m) ⊕ s) = h(m’) ⊕ h(m), which is guaranteed to be bounded by . (t and t’ are known, “public”; s is secret.)

35 Plan
- First construct H1 which is –AU; “almost works”
- Combine with H2 to get –A U

36 Concrete Construction of –AU Hash
- Cut the message m (to be hashed) into 64-bit blocks m_0, m_1, …, m_{L-1}
- Interpret the message as an element of GF(2^64)[t]: M(t) = m_0 + m_1 t + … + m_{L-1} t^{L-1}
- Key is a random value k ∈ GF(2^64)
- H_k(M) = M(k)
- Theorem: H = { H_k(M) } is –AU for = L·2^-64.

37 Proof that H is –AU
We need to bound Pr h ∈ H [ h(M) ⊕ h(M’) = 0 ], i.e. the probability Pr_t [ m_0 + m_1 t + … + m_{L-1} t^{L-1} = m_0’ + m_1’ t + … + m_{L-1}’ t^{L-1} ], i.e. Pr_t [ z_0 + z_1 t + … + z_{L-1} t^{L-1} = 0 ] where z_i = m_i - m_i’ (recall “+”, “-” is the same as ⊕ here). This is bounded by the number of roots of a degree L-1, non-zero polynomial over a finite field, i.e. Prob < L·2^-64.

38 Problem
- = L·2^-64 is non-optimal (the tag is always 64 bits, but “long” messages could make ≈ 1)
- Moreover, this is a “real” bound, i.e. the forgery probability does increase with L
- Also, as noted, we need –A U, not just –AU.

39 Going from AU to A U
- AU gives at least some “guarantees” that h(x) ⊕ h(x’) ≠ 0.
- Consider now h(x) and h(x’) for random . Then h(x) ⊕ h(x’) = (h(x) ⊕ h(x’)) = y is uniformly distributed as long as h(x) ⊕ h(x’) ≠ 0.
- That is, if { h(x) } is AU then { h(x) } should be A U
[Diagram: A → B → C via H1 (AU) and H2 (A U)]

40 General Theorem [Stinson]
Suppose H_1 is _1–AU from A to B and H_2 is _2–A U from B to C. Then H_1 ∘ H_2 is –A U from A to C with ≤ _1 + _2.
- Idea: use the “polynomial hash” as above for the inner hash, H_1. Outer hash H_2 defined by h(x) = x for random .
- Still one problem: the “tag” is 64 bits, security level only guaranteed to L·2^-64; could argue not “full” security.

41 Solution: “Compression”
- Outer hash H_2 : GF(2^64) → GF(2^32) defined by “twisted truncation” h(x) = msb_32(x), which can be proven to be 2^-32–A U
- i.e. h,k(m) = msb_32((m_0 + m_1 k + … + m_{L-1} k^{L-1})).
- We get 32-bit tags with “security”: L·2^-64 + 2^-32 ≈ 2^-32.

42 Did we forget something? Yes…
- We now have a 2^-32–A U set of functions of the form h,k(m) = msb_32((m_0 + m_1 k + … + m_{L-1} k^{L-1})).
- The initial idea was more like h,k(m) ⊕ s for random , k and s. Do we really need s? Yes!
- Notice that h,k(0) = 0. Using only h,k(m) would enable an attacker to inject messages.
- Note also that a given key (k, , s) must only be used once!
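The construction of slides 36, 41 and 42 carried through in Python, as an added example: a polynomial inner hash over GF(2^64) evaluated at the key k, the “twisted truncation” outer hash (multiply by a second 64-bit key, keep the top 32 bits), and the XOR with the one-time mask s. This is not the slides' or 3GPP's code and it is not UIA2 itself: the reduction polynomial (x^64 + x^4 + x^3 + x + 1), the zero-padding of the last block and the appended length block are this example's assumptions. The small-field function at the end checks the root-counting argument of slide 37 exhaustively in GF(2^8), where all 256 keys can be tried, and the unmasked variant shows the slide 42 point that the hash of the empty message is 0 under every key.

```python
"""Polynomial universal hash, twisted truncation and masked 32-bit tag (added example)."""
import hmac
import secrets

# Reduction polynomials for the carry-less arithmetic below. POLY64 is
# x^64 + x^4 + x^3 + x + 1, an irreducible pentanomial chosen as an ASSUMPTION
# for this example (the slides do not name the polynomial UIA2 uses). POLY8,
# the AES polynomial, gives the small field GF(2^8) used to check the
# collision bound exhaustively.
POLY64 = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1
POLY8 = 0x11B


def gf_mul(a, b, poly, n):
    """Multiply a and b in GF(2^n): carry-less product reduced modulo poly."""
    mask = (1 << n) - 1
    high = 1 << (n - 1)
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        carry = a & high
        a = (a << 1) & mask
        if carry:
            a ^= poly & mask
    return result


def poly_hash(k, blocks, poly, n):
    """Inner hash H_k(M) = M(k) = m_0 + m_1 k + ... + m_{L-1} k^{L-1} over GF(2^n),
    evaluated by Horner's rule. Two distinct messages collide only where k is a
    root of their non-zero difference polynomial: at most L-1 of the 2^n keys."""
    acc = 0
    for m in reversed(blocks):
        acc = gf_mul(acc, k, poly, n) ^ m
    return acc


def to_blocks(msg):
    """Split msg into 64-bit blocks (zero-padding the tail) and append the bit
    length as a final block, so that m and m||0 are different polynomials.
    The length block is this example's choice; the slides leave padding aside."""
    blocks = [int.from_bytes(msg[i:i + 8].ljust(8, b"\0"), "big")
              for i in range(0, len(msg), 8)]
    blocks.append(8 * len(msg))
    return blocks


def twisted_truncate(gamma, x):
    """Outer hash GF(2^64) -> GF(2^32): the top 32 bits of gamma * x."""
    return gf_mul(gamma, x, POLY64, 64) >> 32


def unmasked_tag(k, gamma, msg):
    """msb_32(gamma * M(k)) without the mask s. It is 0 for the empty message
    under every key, which is why s is needed against injection."""
    return twisted_truncate(gamma, poly_hash(k, to_blocks(msg), POLY64, 64))


def mac_tag(k, gamma, s, msg):
    """32-bit tag t = msb_32(gamma * M(k)) XOR s under the one-time key (k, gamma, s)."""
    return unmasked_tag(k, gamma, msg) ^ s


def verify_tag(k, gamma, s, msg, tag):
    """Recompute the tag and compare in constant time; True iff the tag is valid."""
    expected = mac_tag(k, gamma, s, msg).to_bytes(4, "big")
    return hmac.compare_digest(expected, (tag & 0xFFFFFFFF).to_bytes(4, "big"))


def gen_key():
    """Fresh 160-bit one-time key: k (64 bits), gamma (64 bits), s (32 bits)."""
    return secrets.randbits(64), secrets.randbits(64), secrets.randbits(32)


def collision_count_gf8(blocks_a, blocks_b):
    """Exhaustive check of the root-counting bound in GF(2^8): the number of
    keys k with M_a(k) == M_b(k). For distinct L-block messages this is at
    most L-1, i.e. a collision probability of at most L * 2^-8."""
    return sum(1 for k in range(256)
               if poly_hash(k, blocks_a, POLY8, 8) == poly_hash(k, blocks_b, POLY8, 8))


if __name__ == "__main__":
    key = gen_key()
    msg = b"constructed sample message"   # constructed input
    t = mac_tag(*key, msg)
    print("tag valid:", verify_tag(*key, msg, t))
    print("tampered message valid:", verify_tag(*key, msg + b"!", t))
    print("unmasked tag of the empty message:", unmasked_tag(key[0], key[1], b""))
    print("GF(2^8) colliding keys for [0,1] vs [7,0]:", collision_count_gf8([0, 1], [7, 0]))
```

The messages [0, 1] and [7, 0] in GF(2^8) differ by the polynomial 7 + t, which has exactly one root, so exactly one of the 256 keys makes them collide; that is the bound of slide 37 met with equality for L = 2. Note that the key tuple is consumed by a single message, exactly as slide 42 requires; reusing (k, gamma, s) for two messages lets their tags XOR to h(m) ⊕ h(m’), which the hash alone does not hide.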

43 Final Consideration
- In reality, the keys, k, s for the MAC are not random, but generated by a pseudo-random generator (PRG)
- But a good PRG is by definition “difficult” to distinguish from truly random bits…
- If replacing the truly random, k, s by PRG values meant an increase in the MAC attacker’s success rate, it would imply a “statistical test” to distinguish the PRG from true randomness:
  – Given a “test sample” (either truly random or from the PRG)
  – Run the (presumed) MAC-attack algorithm
  – Measure its rate of success; if it is “higher” we guess the sample is from the PRG, else we guess the sample is truly random

44 Final Result
- We lose an additional ’ in provable security, where ’ is the “quality” of the random generator, i.e. the MAC produces 32-bit tags with security L·2^-64 + 2^-32 + ’.
- Maximum L in UMTS is about 2^7 blocks
- Total key size: k (64), (64), s (32), i.e. 160 bits.
- The PRG used in UMTS is the stream cipher “SNOW”
- Performance: ≈ 100 Mbit/s on a typical platform; an equivalent RSA approach would be at least 10–100 times slower and would add about 10 times as much overhead

45 Summary
- Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story
  – Main reason: convenience and invisibility to the user
- “3G” crypto is significantly more open and well-studied ⇒ higher confidence
- Showed a practical, provably secure construction for message authentication
The End

