Reference material for a graduation project in telecommunications: GSM Security
1. GSM Security Overview (Part 2)
   Max Stepanov

2. Agenda
   - GSM Security Objectives
     - Concerns, Goals, Requirements
   - GSM Security Mechanisms
   - SIM Anatomy
   - Algorithms and Attacks
     - COMP128
     - Partitioning Attack on COMP128 (J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely)

3. GSM Security Concerns
   - Operators
     - Bills right people
     - Avoid fraud
     - Protect Services
   - Customers
     - Privacy
     - Anonymity
   - Make a system at least as secure as PSTN

4. GSM Security Goals
   - Confidentiality and Anonymity on the radio path
   - Strong client authentication to protect the operator against billing fraud
   - Prevention of operators from compromising each other's security
     - Inadvertently
     - Competition pressure

5. GSM Security Design Requirements
   - The security mechanism MUST NOT
     - Add significant overhead on call set up
     - Increase bandwidth of the channel
     - Increase error rate
     - Add expensive complexity to the system
   - MUST
     - Cost effective scheme
   - Define security procedures
     - Generation and distribution of keys
     - Exchange information between operators
     - Confidentiality of algorithms

6. GSM Security Features
   - Key management is independent of equipment
     - Subscribers can change handsets without compromising security
   - Subscriber identity protection
     - Not easy to identify the user of the system by intercepting user data
   - Detection of compromised equipment
     - Detection mechanism whether a mobile device was compromised or not
   - Subscriber authentication
     - The operator knows for billing purposes who is using the system
   - Signaling and user data protection
     - Signaling and data channels are protected over the radio path

7. GSM Mobile Station
   - Mobile Station
     - Mobile Equipment (ME)
       - Physical mobile device
       - Identifiers
         - IMEI – International Mobile Equipment Identity
     - Subscriber Identity Module (SIM)
       - Smart Card containing keys, identifiers and algorithms
       - Identifiers
         - Ki – Subscriber Authentication Key
         - IMSI – International Mobile Subscriber Identity
         - TMSI – Temporary Mobile Subscriber Identity
         - MSISDN – Mobile Station International Service Digital Network
         - PIN – Personal Identity Number protecting a SIM
         - LAI – location area identity

8. GSM Architecture
   [Figure: GSM architecture diagram. Labels: Mobile Stations; Base Station Subsystem; Exchange System; Network Management; Subscriber and terminal equipment databases. Nodes: BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC]

9. Subscriber Identity Protection
   - TMSI – Temporary Mobile Subscriber Identity
   - Goals
     - TMSI is used instead of IMSI as a temporary subscriber identifier
     - TMSI prevents an eavesdropper from identifying the subscriber
   - Usage
     - TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on
     - Every time a location update (new MSC) occurs the network assigns a new TMSI
     - TMSI is used by the MS to report to the network or during a call initialization
     - Network uses TMSI to communicate with MS
     - On MS switch off TMSI is stored on SIM card to be reused next time
   - The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI

10. Key Management Scheme
   - Ki – Subscriber Authentication Key
     - Shared 128 bit key used for authentication of subscriber by the operator
   - Key Storage
     - Subscriber's SIM (owned by operator, i.e. trusted)
     - Operator's Home Locator Register (HLR) of the subscriber's home network
   - SIM can be used with different equipment

[...]

... and A8 in most GSM networks
   - COMP128 is a keyed hash function
     - Inputs: RAND (128 bit), Ki (128 bit)
     - COMP128: 128 bit output
     - SRES 32 bit and Kc 54 bit

18. A5 – Encryption Algorithm
   - A5 is a stream cipher
     - Implemented very efficiently on hardware
     - Design was never made public
     - Leaked to Ross Anderson and Bruce Schneier
   - Variants
     - A5/1 – the strong version
     - A5/2 – the weak version
     - A5/3
       - GSM Association Security Group...

... byte/block based File Structure

24. Algorithm Implementations and Attacks

25. Attack Categories
   - SIM Attacks
   - Radio-link interception attacks
   - Operator network attacks
     - GSM does not protect an operator's network

26. Attack History
   - 1991: First GSM implementation
   - April 1998: The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in SIM and succeeded...

... Authentication Scheme
   - Subscriber identification: IMSI or TMSI
   - Challenge-Response authentication of the subscriber by the operator

12. Authentication and Encryption Scheme
   [Figure: columns Mobile Station, Radio Link, GSM Operator. Labels: Challenge RAND; SIM; Ki; A3; Signed response (SRES); Authentication: are SRES values equal?; A8; Kc; A5; Fn; mi; Encrypted Data]

13. Authentication
   - AuC – Authentication Center
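
The challenge-response exchange from the Authentication and Encryption Scheme slide, written out as an added example that is not part of the original slides. The keyed hash is an HMAC-SHA256 stand-in, not COMP128 or any real A3/A8; the class names, the IMSI and both keys are constructed for the example, and the output sizes (SRES 32 bit, Kc 54 bit) follow the COMP128 slide.

```python
import hashlib
import hmac
import secrets

def a3a8_stand_in(ki, rand):
    """Keyed hash of RAND under Ki -> (SRES, Kc). Stand-in only, NOT COMP128."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must each be 128 bits")
    out = hmac.new(ki, rand, hashlib.sha256).digest()[:16]  # 128 bit output
    sres = out[:4]                                          # SRES: 32 bit
    kc = int.from_bytes(out[4:12], "big") >> 10             # Kc: 54 bit
    return sres, kc

class AuC:
    """Operator side: holds Ki per IMSI and produces (RAND, SRES, Kc)."""
    def __init__(self):
        self._ki_by_imsi = {}
    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki
    def challenge(self, imsi):
        rand = secrets.token_bytes(16)  # fresh 128 bit challenge per attempt
        sres, kc = a3a8_stand_in(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc

class SIM:
    """Subscriber side: Ki stays on the card, only SRES is sent back."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3a8_stand_in(self._ki, rand)

def authenticate(auc, sim):
    """Run one exchange; return (accepted, Kc at operator, Kc at mobile)."""
    rand, expected_sres, kc_operator = auc.challenge(sim.imsi)  # RAND sent over the radio link
    sres, kc_mobile = sim.respond(rand)                         # SRES sent back
    accepted = hmac.compare_digest(sres, expected_sres)         # are SRES values equal?
    return accepted, kc_operator, kc_mobile

# Constructed sample subscriber (IMSI and keys are made up for this example).
IMSI = "001010000000001"
KI = bytes(range(16))
auc = AuC()
auc.provision(IMSI, KI)
genuine = SIM(IMSI, KI)
wrong_key = SIM(IMSI, bytes(16))  # same IMSI, different Ki
```

Ki itself never crosses the radio link: only RAND and SRES do, and both sides derive the same Kc locally for A5.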