Published by Ashlee Hart. Modified over 9 years ago.
1 Using GSM/UMTS for Single Sign-On. 28th October 2003, SympoTIC 2003. Andreas Pashalidis and Chris J. Mitchell
2 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
3 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
4 Why do we need SSO? Current Situation: Network users interact with multiple service providers.
5 Why do we need SSO? Problems: Usability, security, privacy…
6 What is SSO? A mechanism that allows users to authenticate themselves to multiple service providers, using only one identity.
7 SSO – How? Establish trust relationships, common security infrastructure (e.g. PKI), sign contractual agreements…
8 SSO – some examples
Kerberos: TTP = Kerberos server. 1) Authenticates user (password), issues “ticket”. 2) User shows ticket to service provider.
Microsoft Passport: TTP = www.passport.com. 1) Authenticates user (password), installs encrypted cookie. 2) Service Provider reads the cookie.
Liberty Alliance: TTP = “Identity Provider”. 1) Authenticates user, issues “assertion” (XML). 2) Assertion is shown to service provider.
9 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
10 Review of GSM Security
11 Review of GSM Security
12 Review of GSM Security
13 Review of GSM Security
14 Review of GSM Security
15 Review of GSM Security
16 Review of GSM Security
17 Review of GSM Security
18 Review of GSM Security
19 Review of GSM Security. Encrypted under Kc. If the visited network can decrypt, then the SIM is authentic (IMSI matches Ki).
20 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
21 Architecture – before
22 Architecture – after (1)
23 Architecture – after (2)
24 Architecture
25 Architecture. Service providers form trust relationships with the home network.
26 Architecture. Single Sign-On using SIM (IMSI)!
27 SSO Protocol
28 SSO Protocol
29 SSO Protocol
30 SSO Protocol
31 SSO Protocol
32 SSO Protocol
33 SSO Protocol
34 SSO Protocol
35 SSO Protocol
36 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
37 Replay Attack. Attacker could capture this message and replay it later in order to impersonate the user identified by the IMSI.
38 Replay Attack. At the time of replay another RAND will be selected by the service provider and the protocol will fail. [Diagram labels: fresh! old! X]
39 Reflection Attack. The service provider SP “A” is malicious. It wants to impersonate the user to SP “B”.
40 Reflection Attack
41 Reflection Attack
42 Reflection Attack
43 Reflection Attack
44 Reflection Attack
45 Reflection Attack
46 Reflection Attack [Diagram label: X]
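Why the replay and reflection attempts on slides 37 to 46 fail, as an added example that is not taken from the slides or from the authors' implementation. Assumptions: HMAC-SHA256 stands in for the operator-specific A8 algorithm, the response is a MAC under Kc over the service provider's identifier (an assumed message format, since the protocol diagrams are not on this page), and all names, the IMSI and the Ki value are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber record; Ki is known only to the SIM and the home network.
SUBSCRIBERS = {"001010123456789": bytes.fromhex("00112233445566778899aabbccddeeff")}

def derive_kc(ki, rand):
    # Stand-in for GSM A8 (assumption: HMAC-SHA256 truncated to 64 bits).
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def home_network_kc(imsi, rand):
    # Home network role: return Kc for (IMSI, RAND) over the protected SP link.
    ki = SUBSCRIBERS.get(imsi)
    return derive_kc(ki, rand) if ki else None

def sim_response(ki, rand, sp_id):
    # User side: MAC under Kc over the SP identifier (assumed message format).
    return hmac.new(derive_kc(ki, rand), sp_id.encode(), hashlib.sha256).digest()

class ServiceProvider:
    def __init__(self, sp_id):
        self.sp_id = sp_id
        self.pending = {}  # IMSI -> RAND of the run in progress

    def challenge(self, imsi):
        self.pending[imsi] = secrets.token_bytes(16)  # fresh RAND per run
        return self.pending[imsi]

    def verify(self, imsi, response):
        rand = self.pending.pop(imsi, None)  # each RAND is accepted once
        kc = home_network_kc(imsi, rand) if rand else None
        if kc is None:
            return False
        expected = hmac.new(kc, self.sp_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_scenarios():
    imsi, ki = next(iter(SUBSCRIBERS.items()))
    sp_a, sp_b = ServiceProvider("sp-a.example"), ServiceProvider("sp-b.example")
    captured = sim_response(ki, sp_a.challenge(imsi), sp_a.sp_id)
    honest = sp_a.verify(imsi, captured)
    sp_a.challenge(imsi)  # replay: SP A has meanwhile chosen a new RAND
    replay = sp_a.verify(imsi, captured)
    # Reflection: SP A relays SP B's RAND; the user answers for SP A's identifier.
    relayed = sim_response(ki, sp_b.challenge(imsi), sp_a.sp_id)
    reflection = sp_b.verify(imsi, relayed)
    return {"honest": honest, "replay": replay, "reflection": reflection}
```

Calling `run_scenarios()` shows the honest run accepted and both the replayed and the relayed response rejected.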
47 Other Attacks
SIM theft / cloning: SIM PIN is optional! Need two-factor user authentication.
Home network server is SPoF: Vulnerable to DoS attack. It is assumed that it is well-protected.
Attacks on the SP-home network link: Link must be integrity-protected and encrypted. SSL/TLS, VPN, IPSec, etc…
48 Agenda: Introduction to SSO. Review of GSM security. How to SSO using GSM. Some Attacks. Conclusions.
49 Advantages
No user interaction is required.
Protocol can be repeated many times.
Simple single logoff.
No sensitive information is sent.
No major computational overheads.
No changes in deployed GSM infrastructure.
Fraud management extends to SSO.
Can easily be extended to enable LBS.
50 Disadvantages
Works only for GSM subscribers.
Global identifier (IMSI).
Might incur costs for service providers.
51 Extension for UMTS
52 Thanks! Questions?