Applied Cryptography

Applied Cryptography. Spring 2014. GSM and cryptography. Frequency planning. A cluster is a group of cells which uses the entire radio spectrum. The cluster size N is the number of cells in each cluster. Each cell within a cluster is allocated a distinct set of frequencies

ayala

Presentation Transcript


  1. Applied Cryptography Spring 2014 GSM and cryptography

  2. Frequency planning • A cluster is a group of cells which uses the entire radio spectrum. • The cluster size N is the number of cells in each cluster. • Each cell within a cluster is allocated a distinct set of frequencies (channels) and cells labeled with a given number – i.e. co-channels reuse the same channel set. • As the cell size decreases, traffic carrier capacity increases, and thus cells start big and split as system grows. [From C.Chang]

  3. Frequency planning [Figure: frequency reuse patterns for a 3 cell cluster, a 7 cell cluster, and a 3 cell cluster with 3 sector antennas] [From C.Chang]

  4. Handoffs • When a user moves from the coverage area of one BS to the adjacent one, a handoff (handover) has to be executed to continue the call. A handoff contains two main parts: • Find an uplink-downlink channel pair from the new cell to carry on the call • Drop the link from the original BS. • Issues involved in Handoffs: • Optimal BS selection • Ping-pong effect: The call gets bounced back and forth in the boundaries between different cells. This should be avoided. • Data loss • Detection of handoff requirement: Three handoff schemes: • Mobile-initiated: An MT monitors the signal strength and requests a handoff when the strength drops below a threshold. • Network-initiated handoff: The BS forces a handoff if the signals from an MT weaken. • Mobile-assisted handoff: An MT evaluates the signal strength and the BS decides the handoff. [From C.Chang]

  5. Cellular Architecture • Every cell has a Base Station (BS) to which all Mobile Terminals (MTs) in the cell communicate. • A Base Station Controller (BSC) controls a group of BTSs. Together the BTS and BSC systems are known as the Base Station System (BSS). The BSC is vital to the BSS in that it ensures that subscribers can move freely from one cell to another with no loss in signal strength. • A BSC is then connected to a Mobile Switching Center (MSC). The MSC acts as an interface between the cellular radio system and the public switched telephone network (PSTN). • The Authentication Center (AuC) validates the MTs by verifying their identity with the Equipment Identity Register (EIR). • The MSCs are linked through a signaling system 7 (SS7) network, which controls setting up, managing, and releasing of telephone calls. [From C.Chang]

  6. Cellular Architecture • The SS7 protocol introduces certain nodes called Signal Transfer Points (STPs) which help in call routing. • An MT or mobile station (MS) reports its location to the network periodically. Each user is permanently associated with the home location register (HLR) in his/her subscribed cellular network. • This HLR contains the user profile consisting of the services subscribed by the user, billing information, and location information. • The Visitor Location Register (VLR) maintains the information regarding roaming users in the cell. VLRs download the information from the users’ respective HLRs. [From C.Chang]

  7. Cellular Architecture [Figure: SS7 network with STP, HLR, VLR, GMSC, PSTN, EIR, AuC, MSCs and BSCs] Legend: MT = Mobile Terminal; BS = Base Station; HLR = Home Location Register; VLR = Visitor Location Register; EIR = Equipment Identity Register; AuC = Authentication Center; MSC = Mobile Switching Center; STP = Signal Transfer Point; PSTN = Public Switched Telephone Network; BSC = Base Station Controller [From C.Chang]

  8. Mobile Phone Systems History • 1st Generation • First commercial cellular telephone system began operation in Tokyo in 1979 • AMPS (Advanced Mobile Phone System) • Available in Chicago by Ameritech in 1983 • 800 MHz, FDMA 395 voice and 21 control channels • Digital AMPS (often referred to as TDMA), currently being phased out (GSM, CDMA2000) • NMT (Nordic Mobile Telephony) • Opened for service in 1981 in Saudi Arabia :), next in Sweden • Large cells, up to 30 km (still operates in Iceland), in Sweden will be suspended at 31.12.2007 • 150, 450, 900 MHz • Non-encrypted, newer versions support scrambling • Basic but robust messaging services • FFSK modulation (characteristic noises during handovers) [From S.Nguyen]

  9. Mobile Phone Systems History • 2nd Generation • TDMA Interim Standard 54 (TDMA IS-54) in 1991 • TDMA IS-136 (updated version) • GSM (Global System for Mobile Communications) • In 1987, standard created with hybrid of FDMA and TDMA technologies • Accepted in the United States in 1995 • Operated in 1996 • Major carriers of GSM 1900: Omnipoint, Pacific Bell, BellSouth, Sprint Spectrum, Microcell, Western Wireless, Powertel and Aerial • CDMA IS-95 (Code Division Multiple Access) • Developed by Qualcomm corporation in late 1980s • Operated in 1996 • CDMA2000 (2.5G/3G protocol), incompatible with UMTS (a major competitor) • Used in a number of weird countries - Venezuela, Latvia (?!) (Triatel, 450 MHz) [From S.Nguyen]

  10. Analog Voice: AMPS • AMPS (Advanced Mobile Phone System) is the analog system (1G) first developed and used in the U.S. Nordic mobile telephony (NMT) is a 1G system developed in Europe. • The cellular structure uses a cluster size of seven, and each cell is roughly 10–20 km across. • The AMPS system uses FDM to separate 832 full-duplex channels. • 832 simplex transmission channels from 824 to 849 MHz • 832 simplex receive channels from 869 to 894 MHz • Each simplex channel is 30 kHz wide. • These channels are divided into four categories: • Control (base to mobile) to manage the system (21 channels) • Paging (base to mobile) to alert users to calls for them • Access (bidirectional) for call setup and channel assignment • Data (bidirectional) for voice, fax, or data (45 channels) • AMPS provides a maximum data transmission rate of 10 Kbps. [From C.Chang]

  11. TDMA (IS-136) • Uses FDMA and TDMA • Channels that are each 30 kHz wide • Cellular (850 band) – uplink/downlink channels separated by 45 MHz • PCS (1900 band) – uplink/downlink channels separated by 80 MHz • Each channel is further divided using TDMA into 6 time slots • Each time slot lasts 6.66 ms and contains 324 bits • Voice call uses 2 time slots in every frame • 20 ms speech sample interleaved over two consecutive bursts [Figure: one 30 kHz channel carrying time slots A B C A B C; frame = 40 ms, timeslot = 6.66 ms] [From D.Watkins]

  12. CDMA • CDMA (Code Division Multiple Access) is a standard using spread spectrum transmission (2G). • The original CDMA standard, also known as cdmaOne and still common in cellular telephones in the U.S., offers a transmission speed of up to 14.4 Kbps in its single channel form and up to 115 Kbps in an eight-channel form. • It operates in the 800 and 1900 MHz bands. • Each simplex channel is 1.25 MHz wide. • It can carry data at rates up to 115 kbps. • Operation of CDMA: • In CDMA, the input signals are digitized and transmitted in coded, spread-spectrum mode over a broad range of frequencies. • In CDMA, each bit time is subdivided into m short intervals called chips. Typically, there are 64 or 128 chips per bit. • Each station is assigned a unique m-bit code called a chip sequence. • To transmit a 1 bit, a station sends its chip sequence. To transmit a 0 bit, the station sends the one’s complement of its chip sequence. • The receiver can “tune” into this signal if it knows the chip sequence (pseudo random number); tuning is done via a correlation function. [From C.Chang]

  13. CDMA Synchronous CDMA, also known as Code Division Multiplexing (CDM), exploits at its core mathematical properties of orthogonality. Suppose we represent data signals as vectors. For example, the binary string "1011" would be represented by the vector (1, 0, 1, 1). We also use an operation on vectors, known as the dot product, to "multiply" vectors, by summing the product of the components. For the special case when the dot product of two vectors is identically 0, the two vectors are said to be orthogonal to each other. For orthogonal vectors:

  14. CDMA Example of set of orthogonal vectors: To transmit "1", transmit your chip code. To transmit "0", transmit the complement of your chip code (vector multiplied by -1). Asynchronous CDMA: use "pseudo-random" sequences, that are "close to orthogonal", independently from their starting points...
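The chip-code scheme of slides 12 to 14, as an added example that is not part of the original slides: three stations share one channel and each is recovered by correlating with its own code. The 4-chip Walsh codes, the station numbers and the bit strings are assumptions constructed for the illustration.

```python
# Added illustration (not from the original slides). The 4-chip Walsh codes
# and the per-station bit strings are constructed for this example.

def walsh(n):
    """Return n mutually orthogonal +1/-1 chip codes (n a power of two)."""
    codes = [[1]]
    while len(codes) < n:
        codes = [c + c for c in codes] + [c + [-x for x in c] for c in codes]
    return codes

def dot(a, b):
    """Dot product: sum of the component-wise products."""
    return sum(x * y for x, y in zip(a, b))

def transmit(bits_by_station, codes):
    """Superimpose all stations' chips on the shared channel, bit time by bit time."""
    n_bits = len(next(iter(bits_by_station.values())))
    channel = []
    for t in range(n_bits):
        chips = [0] * len(codes[0])
        for station, bits in bits_by_station.items():
            sign = 1 if bits[t] else -1  # "1" -> chip code, "0" -> code times -1
            chips = [c + sign * x for c, x in zip(chips, codes[station])]
        channel.append(chips)
    return channel

def receive(channel, code):
    """Correlate each bit time with one chip code to recover that station's bits."""
    bits = []
    for chips in channel:
        corr = dot(chips, code) // len(code)  # +1, -1, or 0 if the station was silent
        bits.append(None if corr == 0 else int(corr > 0))
    return bits

if __name__ == "__main__":
    codes = walsh(4)
    sent = {0: [1, 0, 1, 1], 1: [0, 0, 1, 0], 3: [1, 1, 0, 0]}
    channel = transmit(sent, codes)
    for station in range(4):
        print(station, receive(channel, codes[station]))
```

Station 2 sends nothing, so its correlation is zero at every bit time even though the channel is busy.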

  15. PDC Personal Digital Cellular (PDC) is a 2G mobile phone standard developed and used exclusively in Japan. Like D-AMPS and GSM, PDC uses TDMA. The standard was defined by the RCR in April 1991, and NTT DoCoMo launched its Digital MOVA service in March 1993. PDC uses 25 kHz carrier, 3 time slots, pi/4-DQPSK modulation and low bit-rate 11.2 kbit/s and 5.6 kbit/s (half-rate) voice codecs. PDC is implemented in the 800 MHz (downlink 810-888 MHz, uplink 893-958 MHz), and 1.5 GHz (downlink 1477-1501 MHz, uplink 1429-1453 MHz) bands. The air interface is defined in RCR STD-27 and the core network MAP by JJ-70.10. NEC and Ericsson are the major network equipment manufacturers.

  16. PDC Personal Digital Cellular (PDC) The services include voice (full and half-rate), supplementary services (call waiting, voice mail, three-way calling, call forwarding, and so on), data service (up to 9.6 kbit/s CSD), and packet-switched wireless data (up to 28.8 kbit/s PDC-P). Compared to GSM, PDC's weak broadcast strength allows small, portable phones with light batteries at the expense of substandard voice quality and problems maintaining the connection, particularly in enclosed spaces like elevators. After a peak of nearly 80 million subscribers to PDC, it now has 45.856 million subscribers (December 2005) and is slowly being phased out in favor of 3G technologies like W-CDMA and CDMA2000.

  17. GSM • GSM • formerly: Groupe Spéciale Mobile (founded 1982) • now: Global System for Mobile Communication • Pan-European standard (ETSI, European Telecommunications Standardization Institute) • simultaneous introduction of essential services in three phases (1991, 1994, 1996) by the European telecommunication administrations (Germany: D1 and D2) → seamless roaming within Europe possible • today many providers all over the world use GSM (more than 200 countries in Asia, Africa, Europe, Australia, America) • more than 1.3 billion subscribers in more than 630 networks • more than 75% of all digital mobile phones use GSM (74% total) • over 200 million SMS per month in Germany, > 550 billion/year worldwide (> 10% of the revenues for many operators) [be aware: these are only rough numbers…] [From C.Chang]

  18. Performance of GSM • Communication: mobile, wireless communication; support for voice and data services • Total mobility: international access, chip-card enables use of access points of different providers • Worldwide connectivity: one number, the network handles localization • High capacity: better frequency efficiency, smaller cells, more customers per cell • High transmission quality: high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains) • Security functions: access control, authentication via chip-card and PIN [From C.Chang]

  19. Latest Global Cellular Statistics (end of 2004) • Global Mobile Users: 1.57 billion • GSM: 1.25 billion • CDMA: 202m • TDMA: 120m • Facts • #1 Mobile Country: China (300m) • Total European users: 342.43m • US Mobile users: 140m • Total African users: 53m • 1.87 billion mobile users by 2007 (27.4% of the world’s population) [From S.Nguyen]

  20. GPRS: General Packet Radio Service Properties • Packet mode service (end-to-end) • Data rates up to 171.2 kbit/s (theoretical), effectively up to 115 kbit/s • Effective and flexible management of the air interface • Adaptive channel coding • Standardised interworking with IP- and X.25 networks • dynamic resource sharing with the “classic” GSM voice services • advantage: billing per volume, not per connection time [From W.Schneider]

  21. GPRS Security Mechanisms Security in GPRS is very similar to GSM • Authentication through SGSN with Challenge-Response • Use of temporary identities (managed through SGSN) • Encryption algorithm A5/3 (GEA3) • But: no end-to-end encryption • Key generation and management as in GSM • No authentication and confidentiality of signalling messages within the signalling network [From W.Schneider]

  22. UMTS Universal Mobile Telecommunications System (UMTS) is one of the third-generation (3G) mobile phone technologies. It uses W-CDMA as the underlying standard, is standardized by the 3GPP, and is the European answer to the ITU IMT-2000 requirements for 3G Cellular radio systems. To differentiate UMTS from competing network technologies, UMTS is sometimes marketed as 3GSM, emphasizing the combination of the 3G nature of the technology and the GSM standard which it was designed to succeed.

  23. Migration to 3G

  24. 4G in Latvia (LMT)

  25. GSM security GSM crypto is probably (one of) the most frequently used crypto in the world. • Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator • SIM is the entity which is authenticated, basis for roaming • Initial GSM algorithms (were) not publicly available and under the control of GSM-A, new (3G) algorithms are open • GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys, future 128 bits • One-sided challenge-response authentication • Basic user privacy support (“pseudonyms”) • No integrity/replay protection [From M.Näslund]

  26. Cryptographic features of wireless • Wireless is subject to • limited bandwidth • bit-errors (up to 1% RBER) • As a consequence, most protocols: • use stream ciphers (no padding, no error-propagation) • do not use integrity protection (data expansion, loss) [From M.Näslund]

  27. GSM architecture

  28. GSM - establishing communication Immediate assignment procedure: Service Request and Contention Resolution: [From Barkan et al]

  29. GSM - establishing communication Authentication: [From Barkan et al]

  30. GSM security • GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open) • CS - Confidentiality: A5/1, A5/2, A5/3 (new, open) • Authentication: A3 Algorithm • 54 bits is the effective key length of the A5/1 algorithm. • 40 bits is the effective key length of the GEA algorithm. • Both algorithms employ (“ineffective”) 64-bit keys. [Figure: Radio Base Station (RBS), Base Station Controller, MSC and SGSN] [From M.Näslund]

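  31. GSM security [Figure: the Mobile Station (SIM) and the GSM Operator, joined by the Radio Link. The operator sends Challenge RAND; each side runs A3 with Ki to produce the signed response (SRES); Authentication: are SRES values equal? Each side runs A8 with Ki to produce Kc; A5 takes Kc and Fn and turns the data mi into Encrypted Data] [From S.Farrell]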

  32. GPRS security

  33. Subscriber Identity Module • C1: Supply voltage (4.5 to 5.5 volts DC). • C2: Reset signal • C3: Clock signal (1 to 5 MHz, external) • C4: Reserved • C5: Ground • C6: Programming voltage (if available) • C7: Input/Output • Baudrate is (clock frequency) / 372. • C8: Reserved [From D.Veeneman]

  34. SIM attacks • Repeated authenticate, leaks Ki (New SIMs have a limit (about 50k) on the number of times the authentication algorithm can be run) • Side-channel attacks • Power consumption • Timing • Electromagnetic emanations [From D.Veeneman]

  35. GSM authentication • A random challenge is issued to the mobile • Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (Ki) • Mobile sends response back (SRES) • Network checks that the response to the challenge is correct. [From D.Veeneman]

  36. GSM authentication • A3 and A8: Authentication and key derivation (proprietary) • A5: encryption (A5/1-4, standardized) • (No netw auth, no integrity/replay protection) [Figure: the SIM holds Ki (128) and runs A3A8 on rand (128) to give res (32) and Kc (64); the Phone and the Radio Base Station run A5/x with Kc and frame# to encrypt data/speech frames on the Radio i/f] [From M.Näslund]

  37. GSM authentication [Figure: message flow between the phone (Ki), the Visited Network (RBS, MSC/VLR) and the Home Network (AuC/HLR, Ki); messages shown: Req(IMSI); RAND, XRES, Kc; RAND; RES; RAND, Kc; check RES = XRES ?] [From M.Näslund]

  38. GSM authentication

  39. GSM authentication - algorithms A3 and A8 are in the SIM • Operators can choose their own A3/A8 • COMP-128 provided as example algorithm • Can securely pass (RAND,SRES,Kc) while roaming [From D.Veeneman]
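The challenge-response and triplet hand-off of slides 35 to 39, as an added example that is not part of the original slides. It assumes a stand-in for A3/A8 built on HMAC-SHA256 (not COMP128 or any operator algorithm); the class names, function names and the IMSI are constructed for the illustration.

```python
# Added illustration (not from the original slides). a3a8() is a stand-in built
# on HMAC-SHA256, NOT COMP128; the IMSI and class names are constructed.
import hashlib
import hmac
import secrets

def a3a8(ki: bytes, rand: bytes):
    """Stand-in for the operator-chosen A3/A8: returns (SRES, Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit Kc

class HomeNetwork:
    """AuC/HLR: the only network element that stores Ki."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)  # 128-bit Ki, also written to the SIM
        return self._ki[imsi]

    def triplet(self, imsi: str):
        """Answer Req(IMSI) with a fresh (RAND, XRES, Kc)."""
        rand = secrets.token_bytes(16)
        xres, kc = a3a8(self._ki[imsi], rand)
        return rand, xres, kc

class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        """Run A3/A8 on any RAND received; the SIM cannot check who sent it."""
        return a3a8(self._ki, rand)

def authenticate(home: HomeNetwork, sim: Sim):
    """MSC/VLR side: compare RES with XRES without ever seeing Ki."""
    rand, xres, network_kc = home.triplet(sim.imsi)
    res, phone_kc = sim.respond(rand)  # only RAND and RES cross the radio link
    ok = hmac.compare_digest(res, xres)
    return {"ok": ok, "network_kc": network_kc if ok else None, "phone_kc": phone_kc}

if __name__ == "__main__":
    home = HomeNetwork()
    imsi = "001010123456789"  # constructed test IMSI
    genuine = Sim(imsi, home.provision(imsi))
    wrong_key = Sim(imsi, secrets.token_bytes(16))
    print(authenticate(home, genuine)["ok"])    # True
    print(authenticate(home, wrong_key)["ok"])  # False (up to a 2^-32 chance)
```

Only the network verifies anything here: `Sim.respond` has no check of its own, which is the one-sided authentication the slides point out.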

  40. COMP128 updates • COMP128-2 • 54-bit Kc • Secret algorithm • COMP128-3 • 64-bit Kc • Secret algorithm • Proposal for new A3/A8 based on MILENAGE • Milenage based on Rijndael (AES) • Algorithm will be public • New A3/A8 requires • AuC software upgrade • New SIMs [From D.Veeneman]

  41. COMP128 - history [From Barkan et al]

  42. COMP128 • A3: Signature Response • A8: Session Key • COMP128: SRES, Session Key

  43. COMP128 pseudocode • Input: 16 byte secret key, 16 byte RAND • Output: 4 byte SRES, 8 byte session key (simoutput[12]) • Load RAND into x[16…31] • Perform the following 8 times • Load secret key into x[0…15] • Compression • Bits to Bytes • Permutation (only on first 7 rounds) • Compress 16 bytes to 12 bytes (simoutput) • Return simoutput[ ]

  44. COMP128

  45. COMP128

  46. COMP128 Permutation: • Bits to Bytes • Only 4 bits in each entry • Example shows bits for x[0], x[1] gets bits 8,25,42,59,76,93,110,127 [Figure: bits 0, 17, 34, 51, 68, 85, 102, 119 feeding byte x[0]; bytes x[0], x[1], x[2] shown]

  47. COMP128

  48. COMP128 - what went wrong? • The design of a secure cryptosystem should follow Kerckhoffs’ principle. • GSM design committee kept all security specifications secret.

  49. Attacks on COMP128 • April 13, 1998: Marc Briceno (Director of the Smartcard Developer Association) and two U.C. Berkeley researchers, David Wagner and Ian Goldberg: the 128-bit Ki could be deduced by collecting around 150,000 chosen RAND-SRES pairs. • May 2002: IBM Side-Channel attack (Partitioning Attack): 1000 random inputs, or 255 chosen inputs, or only 8 adaptively chosen inputs.

  50. Cryptanalysis of COMP128 [Figure: key bytes k0, k1 … k16 and challenge bytes r0, r1 … r16 (r8 marked) mapped to r'0, r'1 … r'16; repeat 8 times] • Is it secure? • Well, it has lots of rounds… • The keyed map fk : r ↦ r' is applied 8 times • But: beware collisions! • Attempt #2: Modify both r0 and r8, and look for an internal collision [BGW98] It works! A narrow “pipe” exists in COMP128: bytes i, i+8, i+16, i+24 at the output of the 2nd level depend only on bytes i, i+8, i+16, i+24 of the initial input. [From D.Wagner]
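The narrow-pipe statement on slide 50 can be checked from the wiring of the compression step alone, shown here as an added example that is not part of the original slides. It uses no lookup tables and assumes the butterfly pairing of the publicly documented COMP128 reference code (the page's own figures for slides 44 to 47 are missing); all function names are hypothetical.

```python
# Added illustration (not from the original slides). No S-box tables are used:
# only which positions each level combines, following the publicly documented
# COMP128 butterfly (an assumption here, since the page's figures are missing).

def butterfly_pairs(level, width=32):
    """Index pairs (m, n) that one compression level combines."""
    half = width >> (level + 1)  # partner distance: 16, 8, 4, 2, 1
    return [(block * 2 * half + l, block * 2 * half + l + half)
            for block in range(1 << level) for l in range(half)]

def dependencies(levels, width=32):
    """For every byte position, the set of input positions that can influence it."""
    deps = [{i} for i in range(width)]
    for level in range(levels):
        for m, n in butterfly_pairs(level, width):
            # New x[m] and x[n] are both table lookups on (old x[m], old x[n]).
            deps[m] = deps[n] = deps[m] | deps[n]
    return deps

def split(dep):
    """x[0..15] holds the key, x[16..31] holds RAND (slide 43)."""
    key = sorted(i for i in dep if i < 16)
    rand = sorted(i - 16 for i in dep if i >= 16)
    return key, rand

def pipe_width(levels):
    """Largest number of input bytes feeding any single byte after `levels` levels."""
    return max(len(d) for d in dependencies(levels))

if __name__ == "__main__":
    for levels in range(1, 6):
        print(levels, pipe_width(levels))
    print(split(dependencies(2)[0]))  # key bytes and RAND bytes behind x[0]
```

After two levels each byte is a function of two key bytes and two RAND bytes only, and full mixing of all 32 input bytes is reached only at the fifth level; a design review that tracks dependencies this way flags the weak diffusion before any tables are chosen.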
