To scale wireless data access across different administrative domains, the number of security associations should be kept small. For example, there should be no shared security association preconfigured between HA and FA, and between FA and MN. The Diameter Mobile IPv4 application utilizes a Key Distribution Center (KDC) to achieve this goal. After MN is successfully authenticated and authorized, the home Diameter server allocates the session keys. Three keys are generated: the MN-HA key (K1), the MN-FA key (K2), and the FA-HA key (K3).⁴ K1 is used between MN and HA. K2 is used between MN and FA. Similarly, K3 is used between FA and HA.

The keys destined for FA and HA are transmitted via the Diameter protocol and must be encrypted by IPsec or TLS in a network without Diameter agents. If Diameter agents exist, it is recommended that the Diameter CMS (Cryptographic Message Syntax) Security Application [41] be used. The keys for the MN (K1 and K2) must be propagated via the Mobile IP protocol. Instead of using them directly as the session keys, they are used as a random value, which is called a nonce or key material, to derive the actual session keys [70]. The MN and the AAAH will use the nonce and the long-term shared secret key, which is preconfigured between the MN and the AAAH, to derive the MN-HA and MN-FA session keys.

Once the session keys have been delivered and established, the mobile node can exchange Mobile IP registration information directly without the Diameter infrastructure. The session keys, however, have a limited lifetime. If the lifetime expires, the procedures described above must be invoked again to acquire the new session keys.

5.3 SECURITY IN WIRELESS NETWORKS

Many security issues in wireless networks are essentially the same as those in wired networks. However, the open nature of wireless channels makes a wireless system more vulnerable to threats such as unauthorized access to and manipulation of sensitive data and services.
It is also possible for an attacker to deploy a fraudulent wireless base station to deceive wireless users and gather secret information. In addition, more elements in a wireless network are vulnerable to security attacks than in wired networks. These elements include, for example, the radio interface, the removable modules (e.g., SIM or USIM) on a mobile terminal that store confidential information, and the mobile terminal. Take the radio interface, for example: an attacker could simply jam the radio so no communication is possible over the wireless channel.

Figure 5.23 [39] shows a generic security model used in today’s 2G systems. This generic model is also the basis for security management in 3G systems. As indicated in the figure, there are three steps before user data can be transmitted [39]:

- Security provisioning
- Local registration
- Authentication and key agreement (AKA)

⁴ The foreign Diameter server may generate K3 in some cases.

Security provisioning concerns the generation and distribution of credentials to both users and the network. Figure 5.24 [39] illustrates the security provisioning approaches in GSM and IS-41.

- In GSM: There is a secret key called Ki shared between the network operator and the user. A user’s secret key along with the user’s other identities such as IMSI and MSISDN are stored in a SIM card that is issued to the user by the user’s service provider. The SIM card will be inserted into the mobile device the user wants to use. The secret key never leaves the SIM card. On the network side, the network provider is responsible for safeguarding the secret key to ensure that it will never be revealed to unauthorized parties. Once the secret key Ki is provisioned, further security operations are accomplished based on Ki.
- In IS-41: IS-41 also uses a secret key called Authentication Key (A-key) shared by the user and the network provider to support security operations.
  The difference between GSM and IS-41 in how the secret key is managed is that there is no smart card (SIM card) in IS-41-based 2G systems. The secret key is programmed into the handset manually either by the user or the network operator.

With the provisioned security information, a user can perform registration with the network in order to gain permission to use the network.

Fig. 5.23 Generic security model in cellular systems

Once a user registers with the network for access control, the AKA protocol is executed to authenticate the user and determine if the user is authorized for the call the user is requesting. The AKA procedures for GSM and IS-41 are illustrated in Figure 5.25 [39].

- For GSM: Once the network receives a request for call setup, it challenges the user and expects a correct response from the user. The challenge essentially is a random number generated by the network. Based on this random number, the shared secret key Ki, and the same algorithm in both the user and the network, the response generated by the user should be the same as the one calculated in the network. If not, the user fails the authentication procedure and its call setup request will be denied. An attacker who intercepts the challenge message will not be able to generate the correct response without the shared secret key Ki. Based on the random number and Ki, another cryptographic key will be derived in both the user and the network to encrypt user traffic.
- For IS-41: The AKA procedure in IS-41 is similar to that in GSM. The difference is that IS-41 uses a global challenge that is broadcast periodically by the network. A user picks up the challenge and sends the call setup request with the response embedded to the network.

Details of 2G security, including 2.5G of GPRS, are further discussed in Sections 5.4 to 5.6. The security management in 3GPP and 3GPP2 is then elaborated.

Fig. 5.24 Key generation and distribution

5.4 SECURITY IN IS-41

As discussed in Chapter 1, North America has two major 2G radio systems: IS-136 based on TDMA and IS-95 based on CDMA [47], [58]. The core networks of IS-136 and IS-95, however, are both based on IS-41 [80], [83]. This section reviews the authentication and privacy mechanisms in IS-41 [66], [80], [83]. Because IS-41 specifies the standard of a core network that could be deployed with different RANs (radio access networks), authentication and privacy in IS-41 are independent of the air interfaces.

Using the preprogrammed Authentication Key (A-key), subscribers do not need to be manually involved in the authentication process. That is, subscribers do not need to enter any username or password for authentication. On the network side, the A-key of each user is stored in an Authentication Center (AC). The AC is the primary functional entity for authentication and privacy in IS-41. Authentication and privacy are provided using the Cellular Authentication and Voice Encryption (CAVE) algorithm, which will be examined later. In IS-41, the authentication process might be executed in various events, including user registration, call origination, and call termination.

Fig. 5.25 Authentication and key agreement (AKA)

5.4.1 Secret Keys

The A-key is a 64-bit permanent secret number shared by Mobile Station (MS) and AC. The installation of the A-key in the MS is not standardized. As mentioned earlier, it could be programmed manually. The process of manual programming is specified in TIA/EIA TSB50 [87]. IS-725 [49] defines the over-the-air service provisioning (OTASP) method for A-key programming using the Diffie-Hellman (DH) key agreement procedure.

In addition to the A-key, there is another secret number, which is called Shared Secret Data (SSD). SSD is a 128-bit temporary secret key calculated in both MS and AC. It can be modified by the network at any time.
It can also be shared with a foreign (visited) network, such as by a VLR in a foreign network. The SSD comprises two parts, and each has 64 bits. The first part is used for authentication and is named SSD-A. The second part, called SSD-B, is used to support privacy.

Figure 5.26 illustrates how an SSD is generated. The network generates the SSD using the CAVE algorithm with the following inputs:

- A-key
- The mobile station’s Electronic Serial Number (ESN): An ESN is a 32-bit number permanently stored in a terminal by the manufacturer to uniquely identify the terminal. The highest 8 bits of the ESN identify the manufacturer, and the remaining bits are assigned by the manufacturer to uniquely identify each terminal produced by the manufacturer. It can be viewed as the hardware number of the terminal.
- A random number (RANDSSD): A random number RANDSSD is used as one of the inputs to ensure that the SSD generated each time for the subscriber is different from the one generated for the same subscriber before.

Fig. 5.26 Generation of shared secret data (SSD)

The RANDSSD is also propagated to HLR/AC, which retrieves the mobile’s ESN and Mobile ID Number (MIN). MIN is a 10-digit North American Numbering Plan (NANP) number that represents a mobile terminal’s identification and directory number. It is assigned by a network operator and programmed into a mobile terminal when the mobile terminal is purchased by the user. The triplet of RANDSSD, MIN, and ESN is further propagated to the serving system (MSC, BS, etc.), and then to the MS. The serving system could be either the mobile’s home network or the visited network. The MS uses the same algorithm and the same inputs as those used by the network to generate the SSD. As the A-key is never transmitted over the air, attackers cannot generate the same SSD unless the A-key is stolen.

The SSD for a mobile can be updated by the network. Figure 5.27 [80] shows the message flow for SSD update.
The network first produces a new SSD (SSD_new) using the procedure described above. The AC then sends the random number RANDSSD used to generate the new SSD to the mobile to order the update of its SSD. Using the RANDSSD with the A-key and ESN stored locally on the mobile as inputs to the CAVE algorithm, the mobile can generate the same SSD_new as the one generated by the AC. The mobile, however, will not adopt this new SSD until it verifies the SSD Update Order received from the network. This is because although attackers may not know the mobile’s A-key, they could simply send a deceitful SSD Update Order to the mobile. Such a deceitful SSD Update Order could cause the MS to generate a new SSD that is different from the one in the network. To prevent this type of attack, the MS issues a BS Challenge Order to the network, which contains another random number called RANDBS. The network (i.e., the AC in the network) uses SSD_new and RANDBS as inputs to its CAVE algorithm to generate the authentication result AUTHBS to be sent back to the mobile. The MS then verifies the response AUTHBS from the network. If the network’s response is the same as the AUTHBS calculated by the mobile using SSD_new and RANDBS as inputs, the mobile will update its SSD with SSD_new. Because the A-key is a secret between the user and the network, the attacker cannot generate the same SSD_new. It, therefore, cannot produce the same AUTHBS. As a result, an attacker will not be able to cause a mobile to update its SSD.

Fig. 5.27 Update of shared secret data (SSD)

5.4.2 Authentication

Section 5.4.1 described how an SSD is generated and updated. User authentication in IS-41 is based on the SSD and will be explained in this section.

Before IS-41 was introduced, user authentication in 1G systems had a significant weakness. For example, to authenticate a user in AMPS, the user’s MIN is used like a username and the user’s ESN is used as a password.
However, the user’s ESN and MIN are sent over the air to the network in order to authenticate the user. This means that an attacker could easily steal a user’s MIN and ESN by, for example, scanning the radio, and then clone them to other terminals.

To overcome the deficiency described above, IS-41 uses a new challenge-response technique for user authentication. To authenticate a user in IS-41, the network issues a challenge message to the user. The challenge message contains a random number like that discussed in Figure 5.27. The user should be able to generate a correct response based on the shared secret data, which is never transmitted over the air. If the response is incorrect, the user fails the authentication and is denied network access. There are two types of challenges in IS-41, global challenge and unique challenge:

- Global challenge: Figure 5.28 illustrates the process of global challenge. A challenge (random number) is generated by the serving system. The challenge is broadcast and updated periodically to all mobile stations using a particular radio control channel. The MS takes the random number along with SSD-A, ESN, and MIN as the inputs for the CAVE algorithm. As mentioned in Section 5.4.1, SSD-A is the 64 most-significant bits in SSD. The authentication result is sent back to the serving system, which relays the authentication result and the random number to the AC. The AC then performs the same calculation by using the CAVE algorithm. It further compares its calculation with the one sent by the MS to either accept or reject the MS.
- Unique challenge: The unique challenge is depicted in Figure 5.29. Unlike global challenge, the process is initiated by the home network. The AC directs the serving system to issue a challenge to a particular MS, which either is requesting service or is already engaged in a call. Both MS and AC calculate the authentication result using the CAVE algorithm.
  The authentication results derived by the AC and the MS are sent to the serving system. By verifying the results, the serving system either accepts or rejects the MS.

5.4.3 Privacy

Recall that privacy refers to confidentiality service to prevent eavesdropping. The same CAVE algorithm used for authentication is also utilized for Voice Privacy (VP) and Signaling Message Encryption (SME). To encrypt voice conversation, a mask referred to as the Voice Privacy Mask (VPMASK) is generated using the CAVE algorithm with SSD-B to encrypt voice traffic. SSD-B is the 64 least-significant bits in SSD. Unlike voice traffic, only certain fields of signaling messages are encrypted. Privacy of signaling messages is protected by a Signaling Message Encryption Key (SMEKEY). SMEKEY is also generated using the CAVE algorithm with SSD-B. The Cellular Message Encryption Algorithm (CMEA) [36], [84] then adopts SMEKEY to encrypt the signaling messages to be protected.

Unlike the Internet, the core network of IS-41 is accessible only by a limited number of people. In IS-41, therefore, voice privacy and signaling message encryption are employed only between MS and the serving BS.

Fig. 5.28 Global challenge in CAVE algorithm

To close this section, we point out weaknesses in the security management of IS-41 [68]. First, the distribution of A-keys to mobiles is a critical process. Disclosure of an A-key would make the security techniques worthless. Second, IS-41 uses the same algorithm for both authentication and privacy. Breaking this algorithm means that both authentication and privacy are broken. By decoupling them, the authentication and privacy algorithms can also evolve independently. Third, the authentication process based on the generation and periodic update of SSD incurs additional complexity. Fourth, the 64-bit length of SSD-A/SSD-B might not be long enough.
Such a short key is vulnerable to brute-force attacks that carry out exhaustive analysis of the key space. Fifth, the security management architecture in IS-41 does not support mutual authentication. It allows a network to authenticate a user, but it does not provide sufficient mechanisms for a user to authenticate messages from a network. As mentioned earlier, it is possible for an attacker to deploy a fraudulent base station to deceive wireless users for secret information. Finally, the current security mechanisms in IS-41 assume that the signaling inside an administrative domain and between two administrative domains is secured. It is also assumed that a mobile’s home network can trust each visited network to get and use cryptographic keys to authenticate users.

5.5 SECURITY IN GSM

Security management in GSM emphasizes authentication and key agreement (AKA) and privacy [39]. As introduced in Section 5.3, AKA provides a methodology to authenticate a user and to generate a new key for the encryption of the user’s traffic. As in IS-41, encryption in GSM is only employed over the wireless channels to prevent eavesdropping from the open air space. Unlike IS-41, GSM uses three algorithms for security management:

- A3 Algorithm: A3 is used for authentication.
- A5 Algorithm: A5 is a stream cipher algorithm used to encrypt the user traffic.
- A8 Algorithm: A8 is used to generate a cipher key.

Fig. 5.29 Unique challenge in CAVE algorithm

As shown in Figure 5.30, a user and the network share a 128-bit long secret key called Ki. To authenticate a user, the network sends a challenge, which comprises a 128-bit random number, to the user. The user uses its Ki and the random number received from the network as the inputs to the A3 algorithm. The user then sends the output of its A3 algorithm to the network as the user’s response to the challenge from the network.
The network also uses its Ki and the same random number it sent to the user in the challenge message as the inputs to its A3 algorithm. The network will then compare the response from the user with the output of its own A3 algorithm to decide whether to accept the connection request or not.

The A8 algorithm in the network takes the same inputs as the A3 algorithm and generates a 64-bit cipher key called Kc. The plaintext, i.e., user traffic, will be encrypted using the A5 algorithm. In addition to the plaintext, the A5 algorithm also takes Kc and a 22-bit counter value as its input. The changes in counter value can be used to prevent replay attacks. Similarly, the user also uses its own A8 algorithm to generate a 64-bit cipher key Kc. The user’s A8 algorithm takes the same secret key

Fig. 5.30 GSM security algorithms

[...]

... vectors

- R98-: Refers to a network node or ME that conforms to R97 or R98 specifications
- R99+: Refers to a network node or ME that conforms to R99 or later specifications
- R99+ ME capable of UMTS AKA: Either a R99+ UMTS only ME, a R99+ GSM/UMTS ME, or a R99+ GSM only ME that does support USIM-ME interface
- R99+ ME not capable of UMTS AKA: A R99+ GSM only ME that does not...

... exchange (IKE). IETF RFC 2409, November 1998.
[49] TIA/EIA IS-725-A. Cellular radio telecommunications intersystem operations - over-the-air service provisioning (OTASP) & parameter administration (OTAPA), July 1999.
[50] ITU-T Rec. X.509. The directory: public-key and attribute certificate frameworks, March 2000.
[51] S. Kent and R. Atkinson. IP authentication header. IETF RFC 2402, November 1998.
[52] S. Kent and R. Atkinson...
... Technology (NIST), October 1999.
[36] TIA/EIA IS-54 Appendix A. Dual-mode cellular system: authentication, message encryption, voice privacy mask generation, shared secret data generation, A-key verification, and test data, February 1992.
[37] B. Aboba and M. Beadles. The network access identifier. IETF RFC 2486, January 1999.
[38] TIA TR45 AHAG. Enhanced cryptographic algorithms, revision B, 2001.
[39] D. Brown. Techniques for...

... protocol. IETF RFC 2246, January 1999.
[45] D. Durham, J. Boyle, R. Cohen, S. Herzog, R. Rajan, and A. Sastry. The COPS (common open policy service) protocol. IETF RFC 2748, January 2000.
[46] R. Glenn and S. Kent. The NULL encryption algorithm and its use with IPsec. IETF RFC 2410, November 1998.
[47] D. Goodman. Wireless Personal Communications Systems. Addison-Wesley Publishing Company, Reading, MA, 1997.
[48] D. Harkins and D. Carrel...

... release 1999. 3GPP TS 01.61, Version 8.0.0, April 2000.
[14] 3rd Generation Partnership Project (3GPP), Digital Cellular Telecommunications system (phase 2+). Security related network functions, release 1999. 3GPP TS 03.20, Version 8.1.0, October 2000.
[15] 3rd Generation Partnership Project (3GPP), Technical Specification Group Core Network. Mobile application part (MAP) specification, release 5. 3GPP TS 29.002,...

... RFC 2406, November 1998.
[53] S. Kent and R. Atkinson. Security architecture for the Internet protocol. IETF RFC 2401, November 1998.
[54] A. Keromytis and N. Provos. The use of HMAC-RIPEMD-160-96 within ESP and AH. IETF RFC 2857, June 2000.
[55] H. Krawczyk. SKEME: a versatile secure key exchange mechanism for Internet. In Proc. of IEEE Symposium on Network and Distributed Systems Security, February 1996.
[56] H. Krawczyk,...

... standard (SHS). National Institute of Standards and Technology (NIST), April 1995.
[2] FIPS 186-2. Digital signature standard (DSS). National Institute of Standards and Technology (NIST), January 2000.
[3] FIPS 197. Advanced encryption standard (AES). National Institute of Standards and Technology (NIST), November 2001.
[4] FIPS 198. The keyed-hash message authentication code (HMAC). National Institute...

... end-to-end security in 2G systems. Because the core networks in most 2G systems are accessible only by a limited number of people, the network domain security is not a major concern. Security protection is employed only in wireless channels. Messages including secret keys are transmitted in cleartext inside the core network. As the core networks evolve to be IP-based, which is open and easily accessible, protection...

... For Simple IP access, the visited network may use the PPP Challenge Handshake Authentication Protocol (CHAP) [79] or the Password Authentication Protocol (PAP) [59] defined for PPP to authenticate and authorize the mobile station. However, if the mobile station...

Fig. 5.44 Security architecture for circuit-switching domain

Fig. 5.45 Security architecture for packet-switching domain

... to standardize security specifications for 3GPP2. The AHAG continues as a TIA support group. The TSG-S WG4 has specified cryptographic algorithms [7], [11], [9], [8]. In addition, the TSG-S WG4 is now also defining security requirements for the all-IP networks. Specifications are

⁵ Please refer to Section 5.7.1 for the definition of UMTS security context.

Fig. 5.40 Protection mode 2
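The SSD generation and update exchange of Section 5.4.1 and the global challenge of Section 5.4.2, as an added example that is not from the book. HMAC-SHA256 stands in for the CAVE algorithm (an assumption; CAVE itself is not reproduced), and the function and class names, the sample A-key, ESN and MIN, and the lengths of RANDSSD, RANDBS and the authentication results are constructed for illustration. It shows the mobile keeping its old SSD when AUTHBS comes from a sender that does not hold the A-key.

```python
import hashlib
import hmac
import secrets

def cave_standin(key, label, *fields, n):
    """ASSUMPTION: HMAC-SHA256 stands in for CAVE, which is not reproduced here."""
    mac = hmac.new(key, label, hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)  # length-prefix every input
    return mac.digest()[:n]

def generate_ssd(a_key, esn, randssd):
    """128-bit SSD from A-key, ESN, RANDSSD; SSD-A is bytes 0-7, SSD-B bytes 8-15."""
    return cave_standin(a_key, b"SSD", esn, randssd, n=16)

def auth_bs(ssd_new, randbs):
    """AUTHBS from SSD_new and RANDBS (4-byte output is an example choice)."""
    return cave_standin(ssd_new, b"AUTHBS", randbs, n=4)

def auth_global(ssd, rand, esn, min_):
    """Global-challenge result from the random number, SSD-A, ESN and MIN."""
    return cave_standin(ssd[:8], b"AUTHR", rand, esn, min_, n=4)

class MobileStation:
    def __init__(self, a_key, esn, min_, ssd):
        self.a_key, self.esn, self.min, self.ssd = a_key, esn, min_, ssd
        self.pending = self.randbs = None
    def on_ssd_update_order(self, randssd):
        self.pending = generate_ssd(self.a_key, self.esn, randssd)
        self.randbs = secrets.token_bytes(4)
        return self.randbs                   # carried in the BS Challenge Order

    def on_authbs(self, authbs):
        if self.pending is None:
            return False                     # no update order outstanding
        ok = hmac.compare_digest(auth_bs(self.pending, self.randbs), authbs)
        if ok:
            self.ssd = self.pending          # adopt SSD_new only after verification
        self.pending = self.randbs = None    # one answer per order
        return ok

    def global_response(self, rand):
        return auth_global(self.ssd, rand, self.esn, self.min)

# Constructed sample identities, not real subscriber data.
A_KEY, ESN, MIN = bytes.fromhex("0123456789abcdef"), bytes.fromhex("8f00a1b2"), b"5551230000"

def new_ms():
    return MobileStation(A_KEY, ESN, MIN, generate_ssd(A_KEY, ESN, bytes(7)))

def legitimate_update():
    ms = new_ms()
    old = ms.ssd
    randssd = secrets.token_bytes(7)                 # AC side: choose RANDSSD
    ssd_new = generate_ssd(A_KEY, ESN, randssd)      # AC side: SSD_new
    randbs = ms.on_ssd_update_order(randssd)
    accepted = ms.on_authbs(auth_bs(ssd_new, randbs))
    rand = secrets.token_bytes(4)                    # broadcast global challenge
    same = ms.global_response(rand) == auth_global(ssd_new, rand, ESN, MIN)
    return accepted and same and ms.ssd != old

def forged_update():
    """Update order from a sender that lacks the A-key; True only if the MS changed SSD."""
    ms = new_ms()
    old = ms.ssd
    randssd = secrets.token_bytes(7)
    randbs = ms.on_ssd_update_order(randssd)
    guess = generate_ssd(bytes(8), ESN, randssd)     # computed from a wrong A-key
    return ms.on_authbs(auth_bs(guess, randbs)) or ms.ssd != old
```

Calling `legitimate_update()` walks the full order, BS challenge and follow-up global challenge; `forged_update()` replays the same order with an AUTHBS derived from a wrong key.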