Mobile Security

Wolfgang Schneider wolfgang.schneider@sit.fraunhofer.de Fraunhofer-Institute SIT Dolivostr. 15 Darmstadt Germany

Wireless Communication Overview

GSM
GSM Properties
cellular radio network digital transmission up to 9600 bit/s roaming (mobilitt among different network providers, international) Good transmission quality (error recognition and correction) scalable (groe Teilnehmerzahlen mglich) worldwide 900 million subscribers Europe : over 300 million subscribers security mechanisms provided (authentication, authorisation, encryption) good usage of resources (frequency- and time-multiplex) integration with ISDN and analogue telephone network standard (ETSI, European Telecommunications Standards Institute)
3

GSM
GSM Security Requirements Network providers view
correct Billing: authenticity of the user no misuse of the service, correct billing of content-usage efficiency: no more bandwidth needed for security, no long delays (user acceptance), cost-efficient

Users view
confidentiality of communication (voice and data) privacy, no profiles of the movements of the users connection with authentic base station correct billing

Content providers view

correct billing
4

GSM

Overview of GSM Security Services

Smartcard-based authentication of the user Identification of the through worldwide unique name IMSI
Algorithm A3 for authentication is not public, Algorithms: up to 7 A5 variants unique, permanent subscriber key Ki and dynamicly generated communication keys Kc use of temporary identities

Confidentiality on the radio link:

Anonymity:

GSM-Architecture

Radio subsystem

Network and provider subsystem

6

GSM-Architecture
Handover und Roaming

Roaming Handover

MSC HLR VLR AC

MSC HLR

VLR

AC
7

GSM Security

GPRS: General Packet Radio Service Properties

Packet mode service (end-to-end) Data rates up to 171,2 kbit/s (theoretical), effectively up to 115 Kbit/s Effektive und flexible Verwaltung der Luftschnittstelle Adaptive channel coding Standardised interworking with IP- and X.25 networks dynamic resource sharin with the classic GSM voice services advantage: billing per volume, not per connection time

GPRS Security Mechanisms

Security in GPRS eng very similar to GSM

Authentification through SGSN with Challenge-Response Use of temporary identities (managed through SGSN) Encryption algorithm A5/3 (GEA3) But: no end-to-end encryption Key generation and managment as in GSM No authentication and confidentiality of signalling messages within the signalling network

10

UMTS
UMTS properties
packet oriented, all-IP, 2-10 Mb/s throughput, Rich Telephony (voice with video, sound), audio-, video-streaming (movies etc.), better QoS, more user control, video-conferencing as killer application?? worldwide roaming It is basically a merge of mobile telephony, wireless and paging technologies into a common system Support of different carrier systems
Real time / not real time Line switching / packet switching

roaming between UMTS and GSM as well as satellite networks asymmetric data rates for up-link/down-link

11

UMTS Cell Structure

12

UMTS Service Concept

UMTS Service Concept

Virtual Home Environment (VHE): services freely configurable through user service quality and according cost can be chosen dynamic Anpassung an die Verbindung

UPT: Universal Personal Telecommunication Service

One subscriber number for multiple devices (call management) virtual mobility of the terrestric network

13

UMTS Security

Adaptation of GSM security Confidentiality of the user identity Authentication of the user towards the network Encrypted communication over the radio link, SIM card as personal security module with authentication of the user towards the SIM card USIM (UMTS Subscriber Identity Module)

14

UMTS Security UMTS Extensions

extended UMTS Authentification and key agreement
home network authenticated towards the user, sequence numbers: prevents replay of authentication data, keyed MAC

Integrity of control data:

control data during connection establishment are secured with MAC

USIM controlled use of keys

the USIM provides new authentication if the encrypted data exceed a certain volume

Periodic key renewal Integrity and confidentiality of communication data:

128-bit communication key, MACs for integrity

15

UMTS Problems

Problems Interoperability between 2G, 2.5G und 3G mobile networks different security features: what does it mean in case of roaming between old and new networks?

16

Wireless Network Infrastructures

Wireless local area networks (WLAN) and wireless personal area networks (PAN) advantages
flexibility Ad-hoc networks easy to establish No cables robustness

disadvantages
Comparatively low data rates (11 Mbit/s or 54 Mbit/s) Higher vulnerability on the transmission link in comparison to cabled local area networks no international standards for frequency bands security

17

WLAN Standards/ IEEE 802.11

IEEE Standard 802.11a, 11b, 11g, 1x (development since 1997)
Intended for
cost effective and simple use of mobile devices e.g. campus networks with wireless infrastructure Ad-hoc networks without infrastructure Hot spots, e.g. airports, hotels, restaurants

two modes: infrastructure und ad-hoc

Infrastructure mode:
User communicate wireless with Access Points (AP), AP is the bridge between the radio and the wired network

Ad-hoc mode:
Direct point-to-point communication between users

18

WLAN Standards/ IEEE 802.11

Infrastructure mode

Ad-Hoc mode

Peer-to-Peer Network

19

IEEE 802.11 Security WEP Wired Equivalent Privacy

Encryption with RC4 stream cipher with 40 or 104 bit key with a 24 bit initialisation vector Relies on a single static shared key No key management protocol Cryptanalysis showed that the way how RC4 is used in WEP makes it vulnerable to eavesdropping attacks Automatic tools which recover the RC4 key through eavesdropping are available in the internet In 2005 a group from the US FBI demonstrated that they were able to break a WEP-protected WLAN within 3 minutes using publicly available tools
20

IEEE 802.11 Security

Wi-Fi Protected Access (WPA, IEEE 802.11i)
Major improvement over WEP Designed to use with an authentication server, but can be configured in a pre-shared key mode (PSK) for home and small office environments Uses RC4 stream cipher with 128 bit keys Dynamic key change with Temporal Key Integrity Protocol (TKIP) Improved payload integrity through use of a message integrity code (MIC) instead of a CRC Includes frame counter to prevent replay attacks

21

IEEE 802.11 Security

What else can be done? Separation of the insecure WLAN from the secure company intranet Additional security on higher levels: IPSec or SSL or SSH Additional authentication server Closed shop (only registered MAC addresses) Supression of the network name Next step is the use of AES instead of RC4

22

PANs Standards/ Bluetooth

Bluetooth short overview Created 1998 by Ericsson,Intel,IBM,Nokia,Toshiba Intended for wireless ad-hoc pico networks ( < 10m) goal: cheap one-chip solution for short distance wireless communication Areas of use Connectiion of peripheric devices Support of ad-hoc networks Frequency band 2,4 GHz

23

PANs Standards/ Bluetooth

Bluetooth short overview (cont..) Point-to-point and point-to-multipoint transmission possible range 10 cm to 10 m with 1 mW, up to 100m with 100mW synchronous voice channels 1 asynchronous data channel 1 channel data or voice support data rates of: 433,9 kbit/s asynchronous-symmetric 723,2 kbit/s / 57,6 kbit/s asynchronous-asymmetric 64 kbit/s synchronous, voice

24

PANs Standards/ Bluetooth

Bluetooth network infrastructures

Example of a piconet

Examples for master/slaves networking

25

PANs Standards/ Bluetooth

Bluetooth services Two modes Synchronous Connection-oriented Link, SCO Needed for voice Master reserves time slots Asynchronous Connectionless Link, ACL Needed for packet oriented data transfer Master uses polling

26

Security Architecture of Bluetooth

Central component of the Bluetooth security architecture is the Security Manager with the following tasks: Administration of security attributes of services and devices Access control from and to devices authentication Encryption/decryption support Moderation of the connection establishment between two devices which dont know each other

27

Security Architecture of Bluetooth

Security services comprise : mutual authentification of devices, which are identified through a Bluetooth address Encryption of transfered data authorisation of the use of services Subjects in Bluetooth are solely devices, i.e. authorisation is always done on the basis of the device identities and attributes Objects are the services

28

Security Architecture of Bluetooth

Access can be granted on the basis of the trustworthyness of the device, or whether a succesful authentication has been done before Identification means is the device address (BD_ADDR) BD_ADDR is a 48 bit long unique address which is assigned by IEEE device authorisation is based on device attributes

29

Security Architecture of Bluetooth

Bluetooth security on link level is based on 128 bit link key and on the symmetric E0 algorithm
A link key is being established between two or more communication partners for one session Link key and E0 algorithm are used for the device authentication Encryption keys are derived from the link key and can have a length between 8 bit and 128 bit. The length of the encryption keys is device-dependent and cannot be changed by the user

30