Escolar Documentos
Profissional Documentos
Cultura Documentos
4 GSM
Prof. JP Hubaux
Objectives Unique standard for European digital cellular networks International roaming Signal quality Voice and data services Standardization of the air and the network interfaces Security Principles Strong integration with the telephone network (PSTN) Interfaces inspired by the Integrated Services Digital
Network (ISDN) Hence, supervision by means of Signaling System 7 (SS7)
2
Enhanced services requested by users require bidirectional signaling capabilities, flexibility of call setup and remote database access With SS7, a signaling channel conveys, by means of labeled messages, signaling information relating to call processing and to network management SS7 is the most important signaling system in the world: it supervises the PSTN, the cellular networks (GSM), and the Intelligent Network
ISDN
SS7
ISDN
CPE
UNI
NNI
Switch Switch
UNI
CPE
Interface between the circuit switching network and the signaling network
Signaling Links
Signaling Point
Signaling Point
Control Unit
SP STP
Signaling link
SP
Signaling Plane
SP
STP
SP
Switching Plane
Voice circuits
STP
STP
SP
SP
SP
STP
PTS
SP
Operator 1
Operator 2
SP
7
SS7 Architecture
OSI Layers 7 4, 5 et 6 3 2 1
ASE: Application Service Element INAP: Intelligent Network Application Part MAP: Mobile Application Part MTP: Message Transfer Part
SCCP
MTP Level 3 MTP Level 2 MTP Level 1
OMAP: Operations, Maintenance and Administration Part SCCP: Signaling Connection Control Part TCAP: Transaction Capabilities Application Part
8
SS7
ISDN SSP
STP
IAM
Call Proceeding
IAM
SETUP
Call Proceeding
ACM
ALERTING CONNECT CONNECT ACK
ACM
ANM
ANM
IAM: Initial Message; ACM: Address Complete Message; ANM: Answer Message
SSP
DISCONN
REL
REL
DISCONN
RLC
RELEASE
RLC
RELEASE
RELACK
REL: Release
10
Addressing in GSM
Call to Nr 085-123456
SIM: Subscriber Identity Module IMSI: International Mobile Subscriber Identity IMEI: International Mobile Equipment Identity MSISDN: Mobile Station ISDN Number
MSISDN 085-123456
IMSI 208347854033
11
GSM Architecture
Equipment Identity Register F C Um Mobile Station BTS Abis A E
Authentication Center
D
BSC BSS MSC B Visitor Location Register
G
BSS: Base Station System BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center MSC Visitor Location Register
12
Paging Coordination of call set up from all MSs in its jurisdiction Dynamic allocation of resources Location registration Interworking function with different networks (e.g., PSTN) Handover management Billing for all subscribers based in its area Reallocation of frequencies to BTSs in its area to meet heavy demand Encryption Echo canceler operation control Signaling exchange between different interfaces Gateway to Short Message Service
13
Air interface Um
CM MM RRM
MPT3
LAPDm radio LAPDm radio LAPDm radio LAPDm radio MPT2 MTP1
MTP3
MTP2 MPT1
Mobile Base transceiver station station CM: call management MM: mobility management RRM: Radio resources management (ISDN) BSSAP: BSS Application Part
Base station Mobile switching controller center SCCP: Signal connection control part MTP: message transfer part LAPD: link access - protocol D channel
14
Location updating
MS Mobile turns on Channel setup, radio resource reservation Location updating request Authentication challenge Authentication response BSS MSC/VLR HLR
Authentication info request Authentication info Update location Insert subscriber data Insert subscriber data ack
TMSI reallocation command TMSI reallocation complete Location updating accept Release radio channel Clear command
15
PSTN switch
Network
BSS MSC/VLR
Network
BSS
6 MSC/VLR
Data channels are setup after the messages shown have been sent
Basic principle: the calling party pays Exception: the calling party does not pay for extra charges induced by initiatives of the callee: roaming call forwarding
18
Short Message Service (SMS) Similar to advanced paging systems Makes use of the control channel General Packet Radio Service (GPRS) Aimed at interfacing the Internet (e.g., for Web browsing) Rates up to 170kb/s High Speed Circuit-Switched Data (HSCSD)
19
Service Center
Message transfer
Paging
Channel setup Authentication and ciphering Message Message ACK Release of the radio channel
Forward message
Message ACK
20
128.178.151.82
LAN: 128.178.151
21
GPRS architecture
Laptop MSC HLR GR
: signaling + data : signaling only GR: GPRS Register: manages the association between the IP address and the IMSI SGSN: Serving GPRS Support Node (router) GGSN: Gateway GPRS Support Node (router)
22
Network SNDCP
Network
GTP IP
LAPG
RLC MAC RLC BSSGP MAC
LAPG
BSSGP MAC Data link Data link
Physical layer
MS
Phys. L. Phys. L.
BSS
Phys. L. Phys. L.
SGSN
RLC: Radio Link Control BSSGP: BSS GPRS Protocol GTP: GPRS Tunnel Protocol
SNDCP: Subnetwork Dependent Convergence Protocol LAPG: Link Access Protocol on G channel
23
Mobility management
IDLE Detachment or time out Detachment Time out STAND-BY READY Attachment to the network
Idle: no active GPRS session Ready: session established; ongoing data exchange; precise mobile location (which cell) Stand-by: session established, with no ongoing data exchange; approximate mobile location, the mobile has to be tracked in its routing area During a GPRS session (Ready or Stand-by states), the session itself is identified by a TLLI (Temporary Logical Link Identity)
24
25
GSM Frequencies
DCS = Digital Cellular System: same principles as GSM, but at frequencies better suited for microcells
26
Must be tamper-resistant Protected by a PIN code (checked locally by the SIM) Is removable from the terminal Contains all data specific to the end user which have to reside in the Mobile Station:
27
Ki
A3
A8
Kc
Triplet
Authentication
Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm)
A5
Ciphering algorithm
28
Home network
Ki R
Authenticate (R) Ki R
A8 Kc
A3 S
Auth-ack(S) S=S?
29
Ciphering in GSM
Kc A5
FRAME NUMBER
Kc A5
FRAME NUMBER
PLAINTEXT SEQUENCE
30
Focused on the protection of the air interface No protection on the wired part of the network (neither for privacy nor for confidentiality) The visited network has access to all data (except the secret key of the end user) Generally robust, but a few successful attacks have been reported: faked base stations cloning of the SIM card
31
GSM today
The common digital cellular technique deployed throughout Europe Probably the leading cellular technology worldwide Hundreds of millions of subscribers in more than 100 countries 7000+ pages of standards...
32
Radio interface encryption Limited trust in the Visited Network Protection of the identity of the end user (especially on the radio
interface)
Possible attacks from a faked base station Cipher keys and authentication data transmitted in clear between
and within networks Encryption not used in some networks open to fraud Data integrity not provided
33
New security features New kind of service providers (content providers, HLR only
service providers,) Increased control for the user over their service profile Enhanced resistance to active attacks Increased importance of non-voice services
34
Authentication in 3GPP
Mobile Station Visited Network Home Environment
Sequence number (SQN) RAND(i)
K: Users secret key
Verify AUTN(i) Compute RES(i) User authentication response RES(i) K Compute CK(i) and IK(i) Compare RES(i) and XRES(i) Select CK(i) and IK(i)
Authentication vectors
35
CK (Cipher Key)
IK (Integrity Key)
AK (Anonymity Key)
Authentication vector: AV
36
SQN AK
f5 AK
AMF
MAC
SQN
K f1 f2 f3 f4
RES (Result)
CK (Cipher Key)
IK (Integrity Key)
In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). f1, f1*, f2, f3, f4, f5 and f5* are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE MILENAGE is based on the Rijndael block cipher In MILENAGE, the generation of all seven functions f1f5* is based on the Rijndael algorithm
38
OPc
EK
OPc rotate by r1 c1
EK OPc
OPc rotate by r2 c2
EK OPc
OPc rotate by r3 c3
EK OPc
OPc rotate by r4 c4
EK OPc
OPc rotate by r5 c5
EK OPc
f1
f1*
f5 f2
f3
f4
f5*
OP: operator-specific parameter r1,, r5: fixed rotation constants c1,, c5: fixed addition constants
EK : Rijndael block cipher with 128 bits text input and 128 bits key
39
IK
f9
IK
f9
MAC-I
XMAC-I
40
f9 integrity function
COUNT || FRESH || MESSAGE PS1 PS2 ||DIRECTION||1|| 00 PSBLOCKS-1
PS0
IK
KASUMI
IK
KASUMI
IK
KASUMI
IK
KASUMI
KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) PS: Padded String KM: Key Modifier
IK
KM
KASUMI
41
Ciphering method
BEARER COUNT-C
LENGTH
DIRECTION
BEARER COUNT-C
LENGTH
DIRECTION
CK
f8
CK
f8
KEYSTREAM BLOCK
CIPHERTEXT BLOCK
PLAINTEXT BLOCK
f8 keystream generator
COUNT || BEARER || DIRECTION || 00
KM: Key Modifier KS: Keystream
CK
KM
KASUMI
Register
BLKCNT=0
BLKCNT=1
BLKCNT=2
BLKCNT=BLOCKS-1
CK
KASUMI
CK
KASUMI
CK
KASUMI
CK
KASUMI
KS[0]KS[63]
KS[64]KS[127] KS[128]KS[191]
43
L0 32
KL1
Detail of Kasumi
64 KO1 , KI1 R0 32 16 32 KOi,1 16 9 16 7
S9
Zero-extend
FL1
KO2 , KI2
FO1
KL2
FIi1
KIi,1
FO2
KL3
FL2
KOi,2 KO3 , KI3
S7
FIi2
KIi,2
FL3
FO3
KL4
KO4, KI4
FO4
KL5
FL4 FIi3
KO5 , KI5
KOi,3 KIi,3
S9
Zero-extend
FL5
FO5
KL6
S7
truncate
KO6 , KI6
FO6
KL7
FL6
KO7 , KI7
Fig. 3 : FI Function 16
FL7
KO8 , KI8
FO7
KL8
FO8
FL8
<<<
KLi,2
<<<
L8 R8 Fig. 4 : FL Function
C
Fig. 1 : KASUMI Bitwise AND operation
KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes
Bitwise OR operation
<<<
44
Session key
Authentication Data integrity Confidentiality Location privacy wrt correspondents wrt foreign domain Protection of foreign domain against repudiation by user Lawful interception
Authentication vector
f1,, f5* (e.g. MILENAGE) f9 (Kasumi) f8 (Kasumi) Yes No (it can require the IMSI) No (cryptographic material provided in advance) Yes
Registration key
AH AH ESP Yes (e.g., with rev. tunnelling) Partial ?
45
Some improvement with respect to 2nd generation Cryptographic algorithms are published Integrity of the signalling messages is protected Quite conservative solution No real size experience so far Privacy/anonymity of the user not completely protected 2nd/3rd generation interoperation will be complicated and might open security breaches
46
References
On Signalling System 7
Telecommunications, 1998. Uyless Black, ISDN and SS7, Prentice Hall, 1997 Abdi Modaressi and Ronald A. Skoog, Signaling System N7: A tutorial, IEEE Communications Magazine, July 1990, pp 19-35.
On GSM
Addison-Wesley, 1997 S. Redl et al.: GSM and Personal Communication Handbook Artech House Publ, 1998 A. Mehrotra: GSM System Engineering Artech House Publ, 1997
On GPRS
On 3GPP