cdma2000 Packet Data Security Assessment. Christopher Carroll, Verizon Wireless, April 11, 2001.


Slide 1: cdma2000 Packet Data Security Assessment
- Christopher Carroll, Verizon Wireless, April 11, 2001

Slide 2: Security Issues
- MN-AAAh Secret not defined
  – Cryptographically strong MN-AAAh key defined
- Mobile IP Key Distribution not defined
  – MN-HA key and MN-FA key key agreement defined
- Radio Access Layer security not supported
  – Access Terminal (AT) key defined

Slide 3: Agenda
- Entity vs. Message Authentication
- Mobile IP Security
  – Message authentication codes
- AAA Recommendations
  – MN-AAA Key Bootstrapping
  – MIP key distribution
  – Radio Access Layer Security

Slide 4: Why Packet Data Security?
- 802.11 Flaws published!
- “The Security of data transmitted on a wireless data service was a critical adoption issue. It appears that many felt that wireless data could be more vulnerable to interception than if transmitted over a wired connection.” Verizon Wireless Data Service Qualitative Research Report (In Focus Marketing, September 2000)

Slide 5: TR-45 Challenge-Response Entity Authentication
[Diagram: Cell Site sends a 32-bit Challenge (Question) to the Subscriber Telephone, which returns an 18-bit Response (Answer) computed from SSD-A]

Slide 6: TR-45 Entity Authentication
[Diagram: CAVE Hash Function with inputs SSD-A, ESN, MIN, Dialed Digits and Random Challenge; output is the 18-bit Response]

Slide 7: Radius Entity Authentication
[Diagram: MD5 Hash Function with inputs MN-AAAh key, NAI, Registration Request, MN-HA Auth. Ext. and Random Challenge; output is the 128-bit Response]

Slide 8: Pseudo-random Number Generator
[Diagram: MD5 used as a generator producing MN-AAAh Key 1, MN-AAAh Key 2, MN-AAAh Key 3 … MN-AAAh Key n, each shown as a random bit string]

Slide 9: Radius Authentication
[Diagram: library analogy. Secret = the Library Book, Challenge = the Page/word, MD5 = the lookup, Response = the word found; the secret is the MN-AAAh Key]

Slide 10: Mobile IP Message Authentication
[Diagram: Hash Function (MD5) over the message “Send packets To IP address: 123.197.8.17” together with a Secret Key produces a 128-bit MAC]

Slide 11: Entity vs. Message Authentication
Entity authentication:
- Verify identity of an entity
- Prove shared secret
- Vulnerable to Replay attack
- Examples: CHAP, MN-AAA Authentication Ext.
Message authentication:
- Prevent manipulation of message
- Prove message sent from entity
- Vulnerable to Replay attack
- Example: MIP Authenticator

Slide 12: Preventing Replay Attack (between MN and HA)
[Diagram: Hash Function (Keyed MD5) over the Registration Request Message with the MN-HA Key produces a 128-bit MAC; Freshness (Randomness and/or nonce) is supplied by the Identification Field]

Slide 13: Challenge Extension
- Allows FA/PDSN or AAA server to authenticate the MN
- 32-bit (at least) Random Challenge issued by FA/PDSN in Agent Advertisement
- MN includes Challenge before MN-AAA authentication Ext.
- Leverage randomness to generate MN-HA and MN-FA keys

Slide 14: Preventing Replay Attack (between MN and FA/PDSN)
[Diagram: Hash Function (Keyed MD5) over the Registration Request Message with the MN-FA Key produces a 128-bit MAC (may be reduced in length); Freshness (Randomness and/or nonce) is supplied by the Identification Field and by the Challenge Ext. (32-bit Randomness)]
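The replay protection of Slides 12 and 14 in working form, as an added example that is not code from the presentation: the authenticator is RFC 2002 "keyed MD5" (prefix+suffix) over the Registration Request, and the HA only accepts a request whose Identification field is newer than the last one it accepted. The request layout, addresses and key are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example, not code from the presentation. Models the Mobile-Home
# Authentication Extension as RFC 2002 "keyed MD5" (MD5(key || data || key))
# over the Registration Request, with the 64-bit Identification field as the
# freshness value the HA checks. The request layout is a constructed simplification.

def keyed_md5(key: bytes, data: bytes) -> bytes:
    """128-bit MAC: MD5(key || data || key), the RFC 2002 default algorithm."""
    return hashlib.md5(key + data + key).digest()

def build_request(home_addr: bytes, ha_addr: bytes, identification: int) -> bytes:
    """Constructed Registration Request: type byte, 4-byte home and HA addresses, 64-bit Identification."""
    return struct.pack("!B", 1) + home_addr + ha_addr + struct.pack("!Q", identification)

def sign_request(mn_ha_key: bytes, request: bytes) -> bytes:
    """Mobile node side: the authenticator carried in the Mobile-Home Auth. Extension."""
    return keyed_md5(mn_ha_key, request)

class HomeAgent:
    """Verifies the MAC, then rejects any Identification not newer than the last accepted one."""

    def __init__(self, mn_ha_key: bytes):
        self.key = mn_ha_key
        self.last_ident = {}  # home address -> highest Identification accepted so far

    def verify(self, request: bytes, authenticator: bytes) -> str:
        # MAC check first: a forged or modified request fails here.
        if not hmac.compare_digest(sign_request(self.key, request), authenticator):
            return "reject: bad authenticator"
        home_addr = request[1:5]
        ident = struct.unpack("!Q", request[-8:])[0]
        # Replay check: a valid MAC alone is not enough, the Identification must be fresh.
        if ident <= self.last_ident.get(home_addr, -1):
            return "reject: replay (stale Identification)"
        self.last_ident[home_addr] = ident
        return "accept"
```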

Slide 15: AAA Authentication Extension
[Diagram: MN, FA/PDSN, HA and AAAh. The Registration Request carries the NAI Extension, Mobile-Home Authentication Extension, MN-FA Challenge Extension and MN-AAA Authentication Extension; the Mobile-Home Authenticator is checked by the HA and the MN-AAA Authenticator by the AAAh]

Slide 16: Mobile IPv4 using Radius AAA
[Message flow diagram between MN, FA, AAAL, AAAH and HA]
1. FA → MN: Agent Advertisement with Challenge Extension
2. MN → FA: Registration Request with NAI Extension, Mobile-Home Authentication Ext., Challenge Extension and MN-AAA Authentication Extension (CHAP Response)
3. FA → AAAL → AAAH: Registration Request with NAI, Challenge Extension and MN-AAA Authentication Extension (CHAP Response); AAAH verifies the MN-AAA Authenticator (CHAP)
4. AAAH → AAAL → FA: Access Accept
5. FA → HA: Registration Request with NAI Extension, Mobile-Home Authentication Ext. and Foreign-Home Authentication Ext. (optional); HA verifies the Mobile-Home and/or Foreign-Home Authenticator

Slide 17: Password Cracking Attack
[Diagram: library analogy as on Slide 9 (Secret = Library Book, Challenge = Page/word, MD5, Response), with a UNIX Password as the secret]
- Size of Library (Secret Space) significantly reduced by user-selected Books (secrets).

Slide 18: 1xEV Password Cracking
[Diagram: FA → MN Agent Advertisement with Challenge Extension; MN → FA Registration Request with MN-AAA Authenticator and MN-HA Authenticator; a Hacker intercepts the Challenge, Authenticator, and other Registration info]
- Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search

Slide 19: MN-AAAh Key
- Shared secret between MN and AAAh must be cryptographically strong.
- MN-AAAh key field must be 128-bits long.
- MN-AAAh key must be at least 90-bits long.
- MN-AAAh key shall not be shared with the HA or any FA.

Slide 20: Internet Password Cracking
[Diagram: FA → HA Registration Request with MN-HA Authenticator; HA → FA Registration Response with MN-HA Authenticator; an IP Packet Sniffer intercepts the Challenge, Authenticator, and other Registration info]
- Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search

Slide 21: MN-HA Key
- Shared secret between MN and HA must be cryptographically strong.
- MN-HA key field must be 128-bits long.
- MN-HA key must be at least 90-bits long.
- MN-HA key may be derived from the MN-AAAh key using a one-way function.
- MN-HA key must protect the Registration Request message.

Slide 22: MN-FA Key
- Currently optional in 1xEV.
- Use MN-FA key to establish Radio Access Layer SAs.
- Shared secret between MN and FA must be cryptographically strong.
- MN-FA key field must be 128-bits long.
- MN-FA key must be at least 90-bits long.
- MN-FA key may be derived from the MN-AAAh key using a one-way function.
- MN-FA key can be used to generate the Access Terminal (AT) key.

Slide 23: Mobile IPv4 Security
- Message Authentication Only
  – Provided by Security Associations (SA)
- Mobile-Home Authentication Extension
  – Mobile-Home Secret Key
- Mobile-Foreign Authentication Extension
  – Mobile-Foreign Secret Key
- Foreign-Home Authentication Extension
  – Foreign-Home Secret Key
- Only Manual Key Distribution mandatory
  – Optional: DH, RSA, Secret key distribution
- No Encryption / Privacy
  – IS-835 supplemented with IPsec (no end-to-end privacy)

Slide 24: MIP Bootstrapping Problem
- IS-835 AAA doesn’t have a defined scalable MN-AAAh / MN-HA key distribution process!
- Initial key distribution (Bootstrap) is a common problem for any security system.
- 3GPP2/TR-45 can’t let history repeat – the CAVE A-key distribution problem.
- Options: WWW download, manufacturer pre-load/EDI, smart cards, OTASP, Manual.

Slide 25: Multi-layer Encryption
[Diagram: AT/MN – 1xEV DO BS – FA/PDSN – HA – BANK, with three encryption layers: AES 128-bit Stream Cipher on the 1xEV DO air interface, IPsec 112-bit Triple DES Encryption between PDSN and HA, and SSL 128-bit IDEA Encryption end-to-end from the MN to the BANK]

Slide 26: DIAMETER MN-FA Key Distribution
[Diagram: AAAh generates the MN-FA key and encrypts it twice, once with the AAAh-FA key and once with the AAAh-MN key; both encrypted copies travel AAAh → AAAL → FA, and the AAAh-MN encrypted copy is forwarded FA → MN]

Slide 27: Diameter MIP Key Distribution Problems
- MIP key is transmitted over-the-air
  – vulnerable to cryptanalysis
- Additional key management (AAAh-FA secret)
- Inefficient – AAAh encrypts MIP key twice
- Redundant – AAA to PDSN interface will be protected
- Slow – MN must register before MN-FA key delivered

Slide 28: AAAh Diameter Problem #1 (Rogue FA) (IETF-AAA Registration Keys for Mobile IP)
- MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)
- PDSN recovers the MN Encryption Pad using the following technique: MN Encryption Pad == MN-FA key XOR (MN-FA key XOR MN Encryption Pad)
- Assuming that the MN Home IP Address remains constant, the PDSN can recover the MN-FA key used with other FAs.

Slide 29: Diameter Problem #2 (Fixed Mask)
- MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)
- PDSN sends MN-FA key XOR MN Encryption Pad
- Attacker combines MN-FA Update #1 with #2: Delta MN-FA key == ((MN-FA key #1 XOR MN Encryption Pad) XOR (MN-FA key #2 XOR MN Encryption Pad))
- Assuming that the MN Home IP Address remains constant
- Password protects Mask – Possible cryptanalysis of MN-FA Authentication
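The two problems of Slides 28 and 29 written out, as an added example that is neither the presentation's nor the IETF draft's code: the masking step is reproduced as the slides describe it (MN-FA key XOR a pad that stays fixed while the MN home address is fixed), and the two functions show the XOR identities the slides rely on. Secret, address and key values are constructed.

```python
import hashlib

# Added example, not the presentation's or the IETF draft's code. Reproduces the
# masking step the slides criticise and shows why both stated problems follow
# from reusing one pad. All values are constructed.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mn_encryption_pad(mn_aaah_secret: bytes, mn_home_ip: bytes) -> bytes:
    """Slide 28: MN Encryption Pad = MD5(MN-AAAh secret || MN Home IP || MN-AAAh secret).
    The pad only changes when the home IP (or the root secret) changes."""
    return hashlib.md5(mn_aaah_secret + mn_home_ip + mn_aaah_secret).digest()

def mask_mn_fa_key(mn_aaah_secret: bytes, mn_home_ip: bytes, mn_fa_key: bytes) -> bytes:
    """What the AAAh sends for the MN: MN-FA key XOR MN Encryption Pad (128-bit key)."""
    return xor_bytes(mn_fa_key, mn_encryption_pad(mn_aaah_secret, mn_home_ip))

def pad_seen_by_fa(masked_key: bytes, mn_fa_key: bytes) -> bytes:
    """Problem #1: the FA legitimately holds this MN-FA key and relays the masked copy,
    so MN-FA key XOR (MN-FA key XOR pad) hands it the pad used for every later update."""
    return xor_bytes(masked_key, mn_fa_key)

def key_delta(masked_1: bytes, masked_2: bytes) -> bytes:
    """Problem #2: two updates under the same pad XOR to MN-FA key #1 XOR MN-FA key #2,
    so the mask offers no confidentiality between successive keys."""
    return xor_bytes(masked_1, masked_2)
```

The defence the later slides adopt is to never send the key at all: both ends derive it from the root key and a fresh challenge.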

Slide 30: AAA Registration Keys for Mobile IP Enhancement
- MN-HA key == MD5 (MN-AAAh key, NAI, HA IP address, Randomness)
- MN-FA key == MD5 (MN-AAAh key, NAI, FA IP address, Randomness)
- Assuming that MIP Keys are derived from the root MN-AAAh key
- Deliver Randomness in Unsolicited MN-FA or MN-HA Key From AAA Subtype (instead of encrypted key)
- Deliver keys to FA or HA in the MIP Key Attribute
[Attribute fields: Lifetime, AAA SPI, FA or HA SPI, MN-FA or MN-HA key, Randomness]

Slide 31: Proposed 1xEV MIP Cryptographic Key Hierarchy
[Diagram: MN-AAAh Key (128-bit Root Secret key, bootstrapped) at the top, deriving the MN-HA Key and MN-FA Key; FA-HA Key shown separately]
- MN-HA key = MD5 (MN-AAAh key || MN NAI || HA IP address || Challenge)
- MN-FA key = MD5 (MN-AAAh key || MN NAI || FA IP address || Challenge)

Slide 32: Simple, Efficient, and Secure MIP Key Agreement
- MN-HA or MN-FA key are not exposed to the Air Interface
- Over-the-Air cryptanalysis precluded
- Based on GSM, TR-45, 3GPP, and 3GPP2 key agreement techniques – proven key distribution method
- No additional Air Interface Overhead
- MIP key generation within MN and AAAh independently
- Vendor Specific MIP Key Attribute enables network delivery to HA or FA

Slide 33: MN-FA Key Agreement
[Diagram: FA → MN Agent Advertisement with Challenge Extension. The MN generates the MN-FA key based on the Challenge and the MN-AAAh key. The AAAh generates the MN-FA key based on the Challenge and the MN-AAAh key and includes it in the MIP Key Attribute of the Access Accept, which travels AAAh → AAAL → FA]

Slide 34: MN-HA Key Agreement
[Diagram: HA → MN Directed Agent Advertisement with Challenge Extension. The MN generates the MN-HA key based on the Challenge and the MN-AAAh key. The AAAh generates the MN-HA key based on the Challenge and the MN-AAAh key and includes it in the MIP Key Attribute of the Access Accept sent to the HA]

Slide 35: “Directed” Agent Advertisement
- Preference: assign a Reserved bit in the Agent Advertisement as an “MN-HA Update” bit.
- IETF approval could take years.
- Alternative: use the MN Home IP address as the Agent Advertisement Destination Address (or a globally defined IP address).
- Agent Advertisement currently uses “all systems on this link” or “limited broadcast” as destination address.
- MN-HA key only updated when the MN is directed by the HA.

Slide 36: 1xEV Cryptographic Key Hierarchy
[Diagram: MN-AAAh Key (128-bit Packet Data Root Secret key), bootstrapped by A-key / NIA Hash, 1xRTT OTASP or AAA Update, Manufacturer Preload, or WWW Download. MIP Layer keys: MN-HA Key and MN-FA Key. From these the AT key is derived, and from the AT key the 1xEV DO Access Layer Encryption and Integrity keys: FTCAuthKey, FTCEncKey, RTCAuthKey, RTCEncKey]

Slide 37: 1xEV DO MIM Attack
[Diagram: a MIM Device sits between the MN and the PDSN, completing a separate D-H Key Exchange with each side (appearing as a FALSE PDSN toward the MN and as a FALSE MN toward the PDSN), each leg with its own UATI. The MN's Registration Request (NAI) passes through it. Result: Session Hijack – Packet Injection and/or Information Extraction]

Slide 38: Access Terminal (AT) Key
- Protects the MN-HA or MN-FA key from disclosure to a Rogue AT.
- Enables Access Layer Privacy and Message Authentication.
- Shared secret between AT and RAN must be cryptographically strong.
- AT key field must be 128-bits long.
- AT key = MD5 (MN-HA key || UATI).
- AT key = MD5 (MN-FA key || UATI).
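The key agreement of Slides 31 to 34 and the AT key of Slide 38 in working form, as an added example that is not code from the presentation: MN and AAAh each derive the MN-FA key from the shared MN-AAAh root and the FA's challenge, so only the challenge and NAI cross the air, and the AT key is derived one level further down. The NAI directory, addresses, challenge and UATI are constructed; the 128-bit field check is the only part of Slide 19 that code can enforce (it cannot measure entropy).

```python
import hashlib

# Added example, not code from the presentation. Implements the derivations the
# slides propose and simulates MN-FA key agreement with constructed values.

ROOT_KEY_FIELD_BYTES = 16  # Slide 19: MN-AAAh key field is 128 bits

def check_root_key_field(mn_aaah_key: bytes) -> bool:
    """Field-size check only; the 90-bit strength rule is a generation requirement."""
    return len(mn_aaah_key) == ROOT_KEY_FIELD_BYTES

def derive_mip_key(mn_aaah_key: bytes, nai: bytes, peer_ip: bytes, challenge: bytes) -> bytes:
    """Slide 31: MN-HA/MN-FA key = MD5(MN-AAAh key || MN NAI || peer IP address || Challenge).
    Binding the peer address keeps an FA key distinct from the HA key of the same session."""
    return hashlib.md5(mn_aaah_key + nai + peer_ip + challenge).digest()

def derive_at_key(mip_key: bytes, uati: bytes) -> bytes:
    """Slide 38: AT key = MD5(MN-FA key || UATI) (or MN-HA key || UATI)."""
    return hashlib.md5(mip_key + uati).digest()

def mn_fa_key_agreement(mn_root_key: bytes, aaah_directory: dict, nai: bytes,
                        fa_ip: bytes, challenge: bytes):
    """Simulated Slide 33 exchange. Returns the MN's key, the key the FA receives in
    the Access Accept MIP Key Attribute, and the fields that crossed the air."""
    # Agent Advertisement carries the challenge; the Registration Request carries the NAI.
    over_the_air = {"agent_advertisement.challenge": challenge,
                    "registration_request.nai": nai}
    mn_side = derive_mip_key(mn_root_key, nai, fa_ip, challenge)
    # The AAAh looks the root key up by NAI and derives the same key independently.
    aaah_side = derive_mip_key(aaah_directory[nai], nai, fa_ip, challenge)
    return mn_side, aaah_side, over_the_air
```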

Slide 39: AT Key Generation
[Diagram: Relay Mode. Laptop PC (the MN) holds the MN-FA Key; the Mobile Station acts as the AT and holds the AT Key and UATI. On the network side the PDSN / Foreign Agent holds the UATI and the AT Key]

Slide 40: GSM SIM vs. cdma2000 MN
[Diagram, two columns. GSM: the UIM Smart Card (computer) in the MS runs the Authentication Algorithm and Key Generation, producing the A5 Encryption Key; the HLR/AC runs the same, and the A5 Key is used across the Air Interface to the BS. cdma2000: the MN (Laptop computer) runs the Authentication Algorithm and Key Generation, producing the AT Key; the Radius AAA runs the same, and the AT Key is used by the MS/AT across the Air Interface to the 1xEV DO BS]

Slide 41: AT Key Transfer
[Diagram: the MN reaches the 1xEV DO AT over Bluetooth or 802.11 and the AT Key is transferred to the AT; each link has its own Radio Access Layer ID (UATI for 1xEV DO, 802.11 Radio Access Layer ID, Bluetooth Radio Access Layer ID)]

Slide 42: Preventing MIM in 1xEV DO
[Diagram: the same MIM Device setup as Slide 37 (D-H Key Exchange with each side, FALSE PDSN toward the MN, FALSE MN toward the PDSN, separate UATIs). With access-layer message authentication, injected packets carry an Improper MAC; at both the MN and the PDSN the Packet MAC fails the check and the packet is discarded]

Slide 43: Redundant AAA Servers
[Diagram: MN/AT – RAN – PDSN – HA. A Radius AAAL at the RAN holds the Access Layer Radius Authentication Secret; the Radius AAAh holds the IP Layer Radius Authentication Secret]

Slide 44: Simple IP
- Define the MN-AAAh secret as a cryptographically strong secret (e.g., MN-AAAh key).
- MN-AAAh key must be at least 90-bits long.
- RFC 1750 guidelines.

Slide 45: 1xEV Security Solutions
- MN-AAAh Secret defined
  – Cryptographically strong MN-AAAh key defined
- Mobile IP Key Distribution defined
  – MN-HA key and MN-FA key key agreement defined
- Radio Access Layer security supported
  – Access Terminal (AT) key defined

