implications of unlicensed mobile access for gsm security n.
Skip this Video
Download Presentation
Implications of Unlicensed Mobile Access for GSM security

Loading in 2 Seconds...

play fullscreen
1 / 16

Implications of Unlicensed Mobile Access for GSM security - PowerPoint PPT Presentation

  • Uploaded on

Implications of Unlicensed Mobile Access for GSM security. From : Proceeding of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, 2005 Author : Sandro Grech, Pasi Eronen Presented by : Ying Long Chen. Outline.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Implications of Unlicensed Mobile Access for GSM security' - alaina

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
implications of unlicensed mobile access for gsm security

Implications of Unlicensed Mobile Access for GSM security

From:Proceeding of the First International

Conference on Security and Privacy for Emerging

Areas in Communications Networks, 2005

Author:Sandro Grech, Pasi Eronen

Presented by:Ying Long Chen

  • Overview of UMA
    • Introduction
    • Background: GSM and GPRS security
    • UMA overview
  • Security Analysis
  • Protecting against the attack
  • Conclusion
  • Why UMA
    • Indoor coverage issue for GSM
    • Bandwidth issue
    • The standardization work is continued by 3GPP
gsm and gprs security
GSM and GPRS Security
  • Authentication:avoid fraudulent access by a cloned MS
  • Encryption:avoid unauthorized listening
  • Parameters:
    • Ki:used to achieve authentication(128 bit)
      • Ki is stored in AUC and SIM
      • Ki is not known to the subscriber
    • Rand:128-bit random number by the home system
    • SRES:32-bit generated by Algorithm A3
    • Kc:generated by Algorithm A8 for the encryption
    • Frame number:a TDMA frame number encoded in the data bits
gsm and gprs security1
GSM and GPRS Security
  • Authentication algorithm:
    • A3
      • Authentication function
      • Stored in AUC and SIM
  • Encryption algorithm:
    • A8
      • To generated the encryption key
      • Stored in AUC and SIM
    • A5
      • An algorithm stored in the MS (handset hardware) and the visit system
      • Used for data ciphering and deciphering
uma overview
UMA overview

UMA security mechanisms

uma overview1
UMA overview

1. Unlicensed Interface Security:

  • Outside the scope of UMA

2. Up Interface Security

  • Traffic between the phone and the UNC is protected by IPSec ESP tunnel, which is established and maintained using IKEv2

3. CN authentication, GPRS ciphering

  • The authentication between the phone and UNC does not replace the normal GSM authentication between the phone and MSC

4. Data application security

  • Outside the scope of UMA
uma security mechanisms
UMA Security Mechanisms
  • Authentication Mechanisms
    • UMA stage 2 states that mutual authentication between Mobile Station and UNC shall be accomplished using Internet Key Exchange (IKEv2) protocol and the Extensible Authentication Protocol (EAP)
  • Confidentiality Mechanisms
    • IPsec protect all signal and user traffic sent between MS and UNC-SGW over the Up interface.
uma security mechanisms1
UMA Security Mechanisms
  • Integrity Mechanisms
    • As part of IPsec, messages could be integrity protected. IPsec use a hash with a secret key to provide integrity protection. This scheme is called an HMAC(Hashed Message Authentication Code)
  • User Credentials
    • All long-term security credentials used for subscriber and network authentication are stored on the SIM
uma security analysis
UMA Security Analysis
  • IKEv2
    • IMSI not protected enough
      • During the initial stage of the EAP-SIM and EAP-AKA procedures, when the Mobile Station sends IKE SA INIT, it will transfer its Network Access Identifier (NAI), containing the IMSI. This message is encrypted.
      • But an attacker intercepting traffic to the UNC-SGW could act as a false UNC-SGW and receive the NAI of the Mobile Station before it has to authenticate itself as a valid UNC. This information could be used to locate a mobile subscriber, hence violating the subscriber identity. This identity probing is a known issue caused by the IKEv2 protocol
    • Dos attack:
      • Before the responder authenticate the initiator,the responder will compute DH agreed key (指數運算),so the attacker can make a lot of request to build IKE SA.
uma security analysis1
UMA Security Analysis
  • Open Platform
    • Unauthorized access and identity spoofing
      • By virus or Trojan horse
    • Exploitation of implementation weakness
      • Such as buffer overflow
    • Denial of service
      • Attack from WLAN、internet
    • Eavesdropping
    • Location spoofing
protecting against the attack
Protecting against the attack
  • Protecting non-malicious users’ terminals
  • Technical prevention of unapproved terminals
  • Legal prevention of unapproved terminals
  • Detecting and disabling misbehaving terminals
  • Increasing core network resistance to attacks
conclusion future work
Conclusion & Future Work
  • Since the UMA specifications have been published only recently, it is possible that they contain problems with potential security implications.
  • Future work is also required to determine the security impact of UMA in roaming situations, to identify better countermeasures against denial-of-service attacks, and to investigate mechanisms for detecting misbehavior and fraud