CIS 6930 - Cellular and Mobile Network Security: End-to-End - - PowerPoint PPT Presentation



SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CIS 6930 - Cellular and Mobile Network Security: End-to-End Authentication

Professor Patrick Traynor 11/8/2018

(Thanks to Adam Doupé and Brad Reaves)

SLIDE 2

Announcements

  • Abstracts for Course Project Due 11/13 (Tuesday)
  • Assignment is already open on Canvas
  • Turn in PDF and .tex source!
  • Tuesday class will be pre-recorded
  • Are your experiments running?
  • You should each be prepping a 12-15 min presentation for 11/29…

SLIDE 3

What Are We Authenticating?

  • We’ve talked about authentication in the context of 1-4G networks…
  • …so who gets authenticated to what?
  • 1G - Authentication by assertion - nobody to nobody
  • 2G - User to network (BS)
  • 3G - Mutual authentication (UE to Node B)
  • 4G - Mutual authentication (UE to eNB/MME)
  • Is that enough?
  • Like so many other questions, it depends…

SLIDE 4

Quiz Time

[Figure: two incoming-call screens, each showing the caller ID 1-800-432-1000, Bank of America]

SLIDE 5

Who Are You?

  • We have built an array of mechanisms to attest to identity for the Internet.
  • Well, for well-known entities on the Internet.
  • Phones are our backup, our trusted platform…
  • …and yet even a security expert can not tell who is calling him/her.
  • What we need are stronger notions of identity for these devices.
  • …or at least an understanding of the limits…

SLIDE 6

End-to-End Authentication

  • Assertion: One of the great technological failures of the 21st century (thus far) is that my financial institutions, public services and government can’t call me on the phone.
  • So how do we fix it?
  • This set of lectures deals with precisely this problem.
  • We’ll look at a range of mechanisms to help us understand the state of the art and figure out what comes next.
  • What guarantees do we get from any of these things?

SLIDE 7

Modern Telephony Systems

[Figure: a call path spanning IP networks, the PSTN, a cell network, gateways, intermediary telco networks, the Internet, a VoIP carrier, web services and a VoIP proxy]

SLIDE 8

What Happens in a Call

[Figure: the same call path as the previous slide (IP networks, PSTN, cell network, gateways, intermediary telco networks, Internet, VoIP carrier, web services, VoIP proxy)]

Along the way:

  1. Identity is asserted, not attested
     • No authentication of ID
  2. Signaling protocols change
     • ID assertion is not easily fixed
  3. Audio compression changes

The only thing we can guarantee is transmitted correctly is the voice.

SLIDE 9

Blacklists

  • Blacklist yourself - use the National Do Not Call Registry!
  • If you know which numbers are used as part of scams, just block those!
  • Multiple applications now offer communal blacklists (e.g., Truecaller, NoMoRobo, Mr. Number, etc).
  • Under a variety of different monetization models.
  • Problem: Caller ID values are asserted and not attested.
  • So attackers can simply switch numbers every time and evade ALL of these systems.
  • We’re going to need something better…

SLIDE 10

Recall: Analog vs Digital

  • Phone systems are generally classified as either analog or digital.
  • What exactly does that mean?
  • This is all about how data is represented and delivered through the network.
  • Analog is the translation of voice/sound into electrical impulses.
  • Pure waveform representations of sounds.
  • Digital is an approximation of this waveform, represented in 0s and 1s.

SLIDE 11

What is a Codec?

  • When we choose the digital option, we also have to decide how we are going to encode our data.
  • At what bit rate?
  • With what expectation of audio quality?
  • At what compression?
  • With what assumptions about loss rates?
  • With what knowledge of network bandwidth?

SLIDE 12

Codec: GSM-FR

  • Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
  • 8 kHz samples (64 kbps) reduced to 13.2 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP).
  • What can vary here?

[Figure: sender side, each 20 ms block of 160 samples enters the RPE-LTP encoder and leaves as a 260-bit frame; receiver side, the RPE-LTP decoder turns each frame back into 160 samples per 20 ms]

SLIDE 13

Solution: Call Provenance

  • Information about the source and path taken by a call
  • Where is this call coming from?
  • Is this really Bank of America calling?
  • Observe that, at the receiver end, call audio embeds artifacts of the networks it traverses
  • Packet loss in a VoIP network
  • Advantage: Provenance determined completely at the receiving end without infrastructure modifications

SLIDE 14

PinDr0p Overview

  • Goal
  • What is the path taken by a call?
  • What is the source of a call?
  • For each network, extract features
  • Identify and characterize the network
  • Robust to manipulation

[Figure: PinDr0p pipeline: a call from Alice crosses PSTN, cellular and VoIP networks; features (packet loss, noise, quality) are extracted; networks are identified and characterized; an ML classifier produces a call signature and a path traversal signature]

SLIDE 15

Short Term Energy To Detect Packet Loss

  • Short term energy (STE) is used to detect abrupt losses in energy
  • PL detection by looking for a significant drop in energy followed by an energy floor, then a significant rise
  • Length of energy floor depends on amount of audio lost
  • The exact multiple is also an indication of the codec used - G.729 uses 10 ms, G.711 and Speex use 20 ms and iLBC uses 30 ms
  • STE identifies if there is a VoIP network and the codec used, and characterizes the network based on its loss rate

[Figure: amplitude and STE plotted against time (2 - 4 s) for call audio with packet loss; the STE floors of 20 ms (Speex) and 30 ms (iLBC) losses are marked]
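As an added illustration of the STE heuristic on this slide (my own code, not PinDr0p's), the Python below computes STE over 8 kHz audio, finds drop-floor-rise gaps, measures each floor in milliseconds and narrows the codec to those whose frame length (from the slide) divides every floor; the sample rate, the 1 kHz test tone, the 1 ms hop and the detection thresholds are assumptions.

```python
import math

SAMPLE_RATE = 8000                  # narrowband telephony audio (assumed)
HOP_MS = 1                          # STE hop; fine enough to measure an energy floor in ms
# Frame durations named on the slide: a loss floor is a multiple of the codec's frame length.
CODEC_FRAME_MS = {"G.729": 10, "G.711": 20, "Speex": 20, "iLBC": 30}

def short_term_energy(samples, rate=SAMPLE_RATE, hop_ms=HOP_MS):
    """Mean squared amplitude over each non-overlapping hop of hop_ms milliseconds."""
    n = rate * hop_ms // 1000
    return [sum(x * x for x in samples[i:i + n]) / n
            for i in range(0, len(samples) - n + 1, n)]

def find_energy_floors(ste, drop_ratio=0.01, min_floor_ms=5, hop_ms=HOP_MS):
    """Gaps as (start_ms, length_ms): an abrupt drop to <= drop_ratio of the previous
    hop, an energy floor that holds, then a rise back above the floor."""
    gaps, i = [], 1
    while i < len(ste):
        if ste[i - 1] > 0 and ste[i] <= drop_ratio * ste[i - 1]:
            floor = drop_ratio * ste[i - 1]
            j = i
            while j < len(ste) and ste[j] <= floor:
                j += 1
            length_ms = (j - i) * hop_ms
            if j < len(ste) and length_ms >= min_floor_ms:   # the rise was observed
                gaps.append((i * hop_ms, length_ms))
            i = j + 1
        else:
            i += 1
    return gaps

def codec_candidates(floor_ms, tolerance_ms=2):
    """Codecs whose frame duration divides the floor length, allowing a little jitter."""
    out = set()
    for codec, frame_ms in CODEC_FRAME_MS.items():
        rem = floor_ms % frame_ms
        if min(rem, frame_ms - rem) <= tolerance_ms:
            out.add(codec)
    return out

def infer_codec(gaps):
    """Intersect the candidates of every gap; None means no loss floor, so no VoIP evidence."""
    if not gaps:
        return None
    candidates = set(CODEC_FRAME_MS)
    for _, length_ms in gaps:
        candidates &= codec_candidates(length_ms)
    return sorted(candidates)

def demo_signal(seconds=1.0, amp=10000):
    """Constructed input: a 1 kHz tone with two zeroed spans standing in for lost packets."""
    n = int(SAMPLE_RATE * seconds)
    sig = [amp * math.sin(2 * math.pi * 1000 * t / SAMPLE_RATE) for t in range(n)]
    for start_ms, length_ms in ((300, 40), (600, 30)):      # 40 ms and 30 ms of lost audio
        a = start_ms * SAMPLE_RATE // 1000
        width = length_ms * SAMPLE_RATE // 1000
        sig[a:a + width] = [0.0] * width
    return sig

def analyze(samples):
    """Gaps found, losses per second of audio, and the codec(s) consistent with every gap."""
    gaps = find_energy_floors(short_term_energy(samples))
    return {"gaps": gaps,
            "loss_per_second": len(gaps) / (len(samples) / SAMPLE_RATE),
            "codec": infer_codec(gaps)}

if __name__ == "__main__":
    print(analyze(demo_signal()))   # {'gaps': [(300, 40), (600, 30)], 'loss_per_second': 2.0, 'codec': ['G.729']}
```

A single 40 ms floor is consistent with three codecs; it is the intersection over many gaps (here a 40 ms and a 30 ms floor) that pins the codec down, which is why loss events are accumulated over the whole call.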

SLIDE 16

Identifying and Characterizing PSTN and Cellular Networks

  • PSTN - G.711
  • Uncompressed (64 kbps) - high fidelity audio
  • Waveform codec - introduces noise only during speech activity (multiplicative noise)
  • Cellular - GSM
  • Significant compression (13 kbps) - lower quality audio
  • Speech model - no multiplicative noise
  • High fidelity audio detected by spectral clarity
  • Presence of multiplicative noise detected by spectral level range and deviation
  • Combination of noise characteristics used to identify and characterize PSTN and cellular networks

[Figure: scatter plot of spectral clarity, noise spectral deviation and noise spectral range for G.711, Speex, iLBC, G.729 and GSM]

SLIDE 17

Overall PinDr0p Architecture

  • PL and PLC features - identify and characterize VoIP network
  • Noise features - identify and characterize PSTN and cellular networks
  • Quality features - identify number of networks, as quality degrades with networks traversed
  • Create combined feature vector for each call sample
  • Label based on signature required

[Figure: feature extraction: PL/PLC features (STE/correlation), noise features (noise statistics) and quality features (P.563 score) are concatenated into a feature vector]

SLIDE 18

Evaluation: Call Signature

  • 16 different locations, each making 10 calls of duration 20 seconds to testbed in Atlanta
  • Train classifier on N (1 - 5) call sets and test on 5 random unseen sets
  • With single call set 90% accuracy, increases to 97.5% with 3 labeled call sets, 100% with 5 labeled call sets
  • London mobile phone misclassified as New York mobile phone (~origin) or France landline (~distance)
  • Able to distinguish phones from same location, e.g., three landline phones from Atlanta
  • Vonage calls show PSTN characteristics - immediately transfers to PSTN backbone for high quality of service
  • Features we extract are consistent for same call source but have enough variability to distinguish different call sources

[Figure: confusion matrices over the 16 call sources (ATL-Cell, DAL-LL, NYC-Cell, ATL-Skype, ATL-LL, PUN-MJack, ATL-GT1, ATL-Von, ATL-GT2, DUB-Von, BAL-MJack, MEL-NFone, FRA-LL, LON-Cell, SJC-Cell; origins: Atlanta PSTN, cellular, MagicJack, Skype, Vonage, MyNetPhone): (a) accuracy 90%, (b) accuracy 97.5%]

SLIDE 19

Security Limitations

  • Deployment
  • PinDr0p provides a single-ended measure of provenance.
  • That’s great for your bank, but what about for you?
  • Attacks on ML models
  • PinDr0p relies on finely tuned ML models, and attacks against learning algorithms have become very popular in the literature.
  • These are heuristics, which are fundamentally limited in what they can achieve.

SLIDE 20

Web Lessons for Telephony

  • The early Web faced similar problems.
  • SSL/TLS was developed largely in response to this problem.
  • Cryptographic verification of well-known parties became widely possible.*
  • These papers bring end-to-end explicit authentication to all phone calls

SLIDE 21

Network Centric Solutions

  • What if the network helped out?
  • Generate an extended IAM with a digital signature using the Caller ID Certificate
  • Validate the IAM signature upon receipt
  • Display security indicator along with call request

SLIDE 22

Challenges

  • This is a significant improvement, and provides single-sided authentication of callers.
  • What about the callee? Do we need that?
  • Additional challenges:
  • Stolen identities/phones?
  • Insider attacks?
  • Fixing legacy deployments/devices?

Extended IAM parameters:

  Parameter                    Type           Length (octets)
  UTC Timestamp                Optional Part  4-?
  Signature Algorithm          Optional Part  1-?
  Signature                    Optional Part  16-?
  Caller Identity Certificate  Optional Part  32-?

SLIDE 23

AuthLoop

  • AuthLoop authenticates calls cryptographically & end-to-end for the existing phone network through the voice channel
  • Authenticates calls
  • Cryptographically
  • End to end
  • Existing phone network
  • Voice channel
  • Note: Many apps provide authenticated VoIP, but they only authenticate VoIP calls

SLIDE 24

Two Challenges

  • AuthLoop needs two things:
  • A way to send data through the voice channel
  • A secure, efficient authentication protocol

SLIDE 25

Problem: Modern Codecs

  • Modern codecs make high-fidelity, low bitrate audio possible.
  • But these codecs make the transmission of anything other than human voices completely unreliable
  • Almost all of the traditional digital communication techniques go out the window
  • Amplitude not preserved (ASK, QAM, TCM, & PCM)
  • Phase discontinuities not preserved (PSK & QPSK)

[Figure: (a) 1-second chirp sweep from 300 - 3300 Hz before AMR-NB encoding; (b) the same 1-second chirp sweep after AMR-NB encoding]

SLIDE 26

Codec Agnostic Modem

  • We design a 3-FSK scheme.
  • We modulate a sine-wave using one of three frequencies (1000, 2000 and 3000 Hz).
  • Also use Manchester encoding to limit distortion and codec effects.

[Figure: frame layout: header, 17 data bits, footer]

Punchline: approximately 500 bps goodput in the best case

SLIDE 27

Layer 2 Support

  • Develop L2 support to efficiently detect loss/error.
  • Use channel measurements to appropriately size fields.
  • Bit error rate testing allows the use of a 3-bit CRC.
  • “Stop-and-wait” style ACK/explicit NACK.

[Figure: link-layer state machine with states IDLE (START), SEND STANDARD FRAME, SEND ERROR FRAME, RECEIVE STANDARD FRAME, RECEIVE OTHER FRAME, AWAIT ACK, SEND ACK, SEND REPEAT FRAMES, SEND ERROR MESSAGE, AWAIT REPEAT BLOCKS and RECEIVE ERROR FRAME (reachable from any state); transitions are labelled NACKs > 0, NACKs == 0, Timeout / Error, Timeout and Receive Repeat Blocks]

SLIDE 28

Strawman: SSL/TLS

  • With a reliable data channel in place, why can’t we use TLS?
  • Problem: Using a standard TLS handshake is too slow
  • Our reliable channel has a goodput of 500 bps.
  • Solution: A protocol with the guarantees of TLS 1.2
  • But a fraction of the bandwidth requirement

TLS handshake sizes and their transmission time over the 500 bps channel:

  Site Name        Total Bits  Transmission Time at 500 bps
  Facebook         41,544      83.088 s
  Google           42,856      85.712 s
  Bank of America  53,144      106.288 s
  Yahoo            57,920      115.840 s
  Average          48,688      97.232 s

SLIDE 29

AuthLoop

  • Design a protocol based on TLS 1.2
  • Picked secure defaults, used key transport, truncated HMACs, etc.
  • Formally verified using ProVerif.

Protocol (Mobile = Verifier V, Call Center = Prover P):

  (0) Initiate Call
  (1) V → P: V, N_V
  (2) P → V: P, N_P, C_P, D(K_P^-, P, N_P)
  (3) V → P: E(K_P^+, S), H(k, 'VRFY', #1, #2)
  (4) P → V: H(k, 'PROV', #1, #2)
  ...
  (n-1) V → P: V, N_V+1
  (n) P → V: P, N_P+1

Notation: C: Certificate; D: Digital Signature; H: HMAC; K^+, K^-: Public/Private Key; k: Symmetric Key; N: Nonce; P: Prover; S: Pre-Master Secret; V: Verifier

SLIDE 30

Great… But Does It Work?

  • On average, in real systems, it takes ~9 seconds to do a full handshake.
  • If we can cache certificates, we can do it in half that time.
  • Audio plays below speaker volume, so this can happen quietly in the initial moments of a call.

Handshake time by codec:

  Codec    Cached Certificate  Certificate Exchanged
  G.711    4.463 s             8.279 s
  AMR-NB   5.608 s             10.374 s
  Speex    4.427 s             8.279 s
  Average  4.844 s             8.977 s

SLIDE 31

Telephony PKI

  • One of the major problems in the Internet is confusion over valid CAs and identity bindings.
  • Telephony naturally lends itself to a singly rooted system using the North American Numbering Plan (NANPA).
  • CLECs are publicly allocated blocks of numbers, so assignments are based on authority.
  • All CLEC certs can be stored in ~100 KiB.
  • No more long, ambiguous certificate chains!

[Figure: the current Internet PKI (many roots such as Verisign, AddTrust and Entrust, with chains like Symantec → bankofamerica.com → xyz.bankofamerica.com) beside the proposed TPKI (NANPA Root → AT&T as NPA/NXX administrator → Bank of America, (800) 432-1000); in the TPKI the root set is stored at the endpoint]

SLIDE 32

Limitations

  • AuthLoop requires that you answer the call before it can be authenticated.
  • The best chance against social engineering is to NEVER interact with the attacker.
  • It’s also not the fastest of protocols…
  • AuthLoop provides single-ended authentication
  • Better than PinDr0p because it is not heuristic, but still does not completely solve the problem.
  • More work needs to be done…

SLIDE 33

Insight: Use data channels

  • Most phones now have access to an (often low-bitrate) Internet connection
  • Data channel may not support bandwidth or quality of the phone network
  • How can this data channel be used to authenticate phone calls?

[Figure: data channel by phone type: cellular phones have 2G, 3G or 4G data; VoIP has inherent data; landlines have ubiquitous WiFi]

SLIDE 34

AuthentiCall

  • AuthentiCall cryptographically authenticates both call parties and call content end-to-end for regular phone calls through an auxiliary data channel
  • Before the Call: AuthentiCall verifies identity before the call, making the call experience similar to what users already do
  • Fast: AuthentiCall adds 1-1.4 seconds to call setup
  • Mutual authentication: Both caller and callee are identified
  • Protects content: Call content can be verified as authentic
  • Protects against abuse: Protects callee privacy and can prevent abuse by users

SLIDE 35

AuthentiCall Enrollment

  • AuthentiCall issues certificates to authenticate users
  • Need protocol to ensure the client actually owns the phone number
  • No human in the loop!
  • Limitations: similar to the Internet CA model

Enrollment protocol between Client (C) and CA Server (SCA):

  (1) C → SCA (data channel): ID(C), PhNum(C), ID(SCA), K^+_C
  (2) SCA → C (data channel): N_Net, ID(C), PhNum(C), ID(SCA), PhNum(SCA), TS
  (3) SCA → C (audio channel): N_Audio
  (4) C → SCA (data channel): N_Audio, N_Net, ID(C), PhNum(C), ID(SCA), TS, Sign_{K^-_C}
  (5) SCA → C (data channel): Cert(ID(C), PhNum(C), K^+_C, Sign_{K^-_SCA})

SLIDE 36

AuthentiCall Handshake

Parties: Server (S), Caller (R), Callee (E). Messages to and from S travel over TLS; (1) is the voice call itself; (4) and (5) are relayed via the server.

  (1) R → E (voice call): call PhNum(E); E ∈ AuthentiCall Users, so E sees an incoming call from R
  (2) R → S (TLS): ID(R), PhNum(R), ID(E), PhNum(E)
  (3) E → S (TLS): ID(E), PhNum(E), ID(R), PhNum(R)
  (4a) R → E (via S): Cert(R), TS1, N_R, DH_R, Sign_{K^-_R}
  (4b) E → R (via S): Cert(E), TS2, N_E, DH_E, Sign_{K^-_E}
  (5a) R → E (via S): HMAC_{K_ER1}(msg4a, msg4b, “Caller”)
  (5b) E → R (via S): HMAC_{K_ER2}(msg4a, msg4b, “Callee”)

Handshake complete: both sides authenticated, with the information to establish a key end-to-end securely in the presence of an adversary. The normal voice call can proceed.

SLIDE 37

Handshake Performance

  • Performance = “How long to authenticate a phone call”
  • Regular calls take many seconds to set up with high variance
  • AuthentiCall calls experience a negligible 1-1.4 additional seconds for call establishment

SLIDE 38

The Handshake deals with this attack: Caller ID Spoofing. But what about this one: a Call Race Condition? Or this one: Content Injection?

[Figure: three scenarios through the telephony core: Caller ID Spoofing (a call claiming to be the Bank), Call Race Condition (calls involving the FBI, the Bank and AuthentiCall racing one another), and Content Injection (“HI”, “CC#?” inserted into the call audio)]

SLIDE 39

Call Content Protection

  • We need to bind the voice and data channel and assure liveness and content integrity
  • How do we use a low bandwidth side channel to authenticate call audio?

SLIDE 40

Solution: Robust Digests

  • Solution: send “digests” of the call audio
  • Digesting is not simple because call audio is legitimately modified in transit
  • Cryptographic hashes won’t work here!
  • We need a “robust digest” that preserves audio semantics while ignoring legitimate modifications
  • Cryptographically authenticating data that can change in unknown ways is hard

[Figure: the sentence “Mr. Watson: come here.” hashed with SHA256 on each side of the phone network yields different bit strings (10110101 vs 11011110), while a robust digest yields the same value (11010110) on both sides]

SLIDE 41

RSH: The Robust Hash

[Figure: 1 second of audio → audio features r_{0,0} … r_{200,10} (computed once per second) → DCT → matrix L; the compression function (run 64 times per second) sums two blocks B1 and B2 of L, at indices l1 … l1 + w and l2 … l2 + w, and the comparison B1 > B2 yields the digest bits (8 per run)]

RSH compresses 1 second of audio into 512 bits. Audio differences can be measured with bit error.

  • Y. Jiao, L. Ji, and X. Niu, “Robust Speech Hashing for Content Authentication,” IEEE Signal Processing Letters, vol. 16, no. 9, pp. 818–821, Sep. 2009.

SLIDE 42

RSH: Our Contribution

  • RSH was not intended for this domain and was only briefly analyzed in the literature
  • We need to show:
  • That the randomized construction indeed protects all of the audio
  • That the algorithm will work in real systems
  • That the algorithm will work in an adversarial setting

SLIDE 43

Audio Digest Performance

Legitimate changes to audio result in small changes to digests, while substituting content results in large changes, making adversaries easy to detect.

[Figure: (left) difference in digests between different sentences of audio, average case 48% of bits in error; (right) change in digests before and after network transmission, average case 10-20% of bits]

SLIDE 44

Audio Digest Performance

  • Individual seconds of audio: 90% detection (false positives: 0.58%, or 1 every 3 minutes)
  • 3-out-of-5 seconds: 99% (with a single FP roughly every 6 years)
  • This ensures both users are on the correct call (channel binding) and that call audio is unmodified
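Added example for the robust-digest slides (the RSH figure, the bit-error comparison and the 3-out-of-5 rule above); it is my own simplified RSH-style construction, not the AuthentiCall or RSH implementation: autocorrelation features per 5 ms frame, a DCT down each column, key-seeded block comparisons yielding 512 bits per second, a bit-error distance, and the per-call decision. The feature choice, block width, thresholds and the constructed tone-burst audio are assumptions; the published RSH's exact feature extraction is in the cited paper.

```python
import math
import random

SAMPLE_RATE = 8000   # narrowband telephony audio (assumed)
FRAME = 40           # 5 ms frames, so one second gives the 200 feature rows on the slide
LAGS = 11            # autocorrelation lags 0..10 per frame (columns r_i,0 .. r_i,10)
DIGEST_BITS = 512    # 64 compression steps x 8 bits per second, as on the slide
WINDOW = 16          # w: width of the two blocks B1 and B2 summed from matrix L (assumed)

def frame_features(samples):
    """Feature matrix r[i][j]: autocorrelation of frame i at lag j (simplified feature set)."""
    frames = [samples[k:k + FRAME] for k in range(0, len(samples) - FRAME + 1, FRAME)]
    return [[sum(f[n] * f[n + j] for n in range(FRAME - j)) for j in range(LAGS)]
            for f in frames]

def dct_columns(r):
    """DCT-II down every lag column; the coefficient magnitudes form matrix L."""
    n = len(r)
    return [[abs(sum(r[i][j] * math.cos(math.pi * (i + 0.5) * k / n) for i in range(n)))
             for j in range(LAGS)] for k in range(n)]

def robust_digest(samples, key):
    """Compression function: the shared key picks block positions l1, l2; bit = [B1 > B2]."""
    L = [v for row in dct_columns(frame_features(samples)) for v in row]  # flatten 200 x 11
    rng = random.Random(key)
    bits = []
    for _ in range(DIGEST_BITS):
        l1, l2 = rng.randrange(len(L) - WINDOW), rng.randrange(len(L) - WINDOW)
        bits.append(1 if sum(L[l1:l1 + WINDOW]) > sum(L[l2:l2 + WINDOW]) else 0)
    return bits

def bit_error_rate(d1, d2):
    """Fraction of differing digest bits: the distance measure named on the slide."""
    return sum(a != b for a, b in zip(d1, d2)) / len(d1)

def audio_is_tampered(ber_per_second, threshold=0.35, window=5, needed=3):
    """3-out-of-5 rule: flag the call when >= 3 of any 5 consecutive seconds exceed threshold."""
    flags = [ber > threshold for ber in ber_per_second]
    return any(sum(flags[i:i + window]) >= needed
               for i in range(max(1, len(flags) - window + 1)))

def synthetic_audio(content_seed, noise=0.0, noise_seed=0, seconds=1.0):
    """Constructed input: per-frame tone bursts with random pitch and loudness, plus optional
    Gaussian noise standing in for the legitimate changes a codec or network introduces."""
    content, jitter = random.Random(content_seed), random.Random(noise_seed)
    out = []
    for t in range(int(SAMPLE_RATE * seconds)):
        if t % FRAME == 0:
            freq, amp = content.uniform(300, 3300), content.uniform(0.2, 1.0)
        out.append(amp * math.sin(2 * math.pi * freq * t / SAMPLE_RATE) + noise * jitter.gauss(0, 1))
    return out

def demo():
    """BERs as the slides describe them: small for a transmitted copy, large for other content."""
    key = 0xC0FFEE                        # stands in for the session key shared in the handshake
    original = robust_digest(synthetic_audio(content_seed=1), key)
    received = robust_digest(synthetic_audio(content_seed=1, noise=0.02, noise_seed=7), key)
    substituted = robust_digest(synthetic_audio(content_seed=2), key)
    return (bit_error_rate(original, received), bit_error_rate(original, substituted))

if __name__ == "__main__":
    legit, attack = demo()
    print(f"transmitted copy: {legit:.1%} bits differ; substituted audio: {attack:.1%} bits differ")
```

Because the block positions come from the key, a party without it cannot predict which parts of the audio a given digest bit depends on, which is the property the "randomized construction protects all of the audio" claim rests on.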

SLIDE 45

Take Away

  • AuthentiCall can authenticate calls before answering — mitigating fraud and unwanted robocalls while increasing trust in the phone system
  • We can protect call content from modification
  • All at negligible cost to call experience!

SLIDE 46

Summary

  • Caller ID is an asserted, not attested, identity…
  • …but we don’t treat it that way!
  • Many solutions can be deployed, with varying tradeoffs.
  • Blacklists, heuristics, network changes, application-layer changes…
  • The reality is that this remains one of the most important open challenges for mobile devices.
  • If you don’t believe me, think about how many times each day you receive scam calls.