Mobile Communications Mobile Communications Security Types of - PDF document

Mobile Communications Mobile Communications Security  Types of Attacks  802.11 Security  Access Control Lists  Access Control Lists  GSM Security  GSM Security  WEP  Authentication  WPA/WPA2  Encryption  802.1X/EAP  Temporary ID (TMSI)  Tunneling Mobile Communication Security 1 Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Confidentiality No access to information for unauthorized users. Integrity Protection of data from manipulation/deletion. Non-repudiation Originator cannot deny being the origin of data. Availability … of resources and data to legitimate users. Sicherheit Mobile Communication Security 2 Attack Types Passive attacks:  Eavesdropping undetected interception and recording of communications by non- authorized persons  Traffic flow analysis By observing transmitted messages By observing transmitted messages Conclusions about behavior, interest and habits of users Security Mobile Communication Security 3

Attack Types Active attacks:  Masquerading Falsifying of identity Falsifying of identity  Tampering Unnoticed manipulation of messages during transmission p g g  Replay Storage of messages and later (unmanipulated) retransmission. g g ( p )  Denial of Service Prevention of users from using a service by overload- or interference attacks. Security Mobile Communication Security 4 GSM / UMTS security mechanisms User Authentication Encryption Temporary Identification (TMSI) T Id tifi ti (TMSI) Security Mobile Communication Security 5 GSM / UMTS security mechanisms User Authentication  For each GSM subscriber, there is a key K i (128 bit)  K i is stored on the SIM (Subscriber Identification Module) and HLR (Home Location Register) Location Register)  K i never leaves the SIM card or the HLR  To authenticate, a "challenge-response" method is used, based on a one- way function, in GSM referred to as A3 algorithm.  Each network operator can define A3 itself, known examples:  COMP128 (already cracked takes less than a minute)  COMP128 (already cracked, takes less than a minute)  COMP128-2 (secret)  COMP128-3 (secret, but some analysis shows that problems of COMP128 have been basically solved) Security Mobile Communication Security 6

GSM / UMTS security mechanisms User Authentication (cont.)  Suppose a mobile station i enters a new cell (eg in a foreign network).  The Authorization Center (AC) at the users HLR is then contacted by the Th A th i ti C t (AC) t th HLR i th t t d b th foreign network.  The AC generates a random number RAND (128 bit) and a value SRES g ( ) (32 bit) by employing A3 with K i to RAND.  HLR sends (RAND, SRES) encrypted and signed to the foreign network.  The foreign network sends RAND (challenge) to the mobile station i and „asks“ it to calculate SRES‘ by executing A3 with K i on RAND.  Then the mobile station sends calculated SRES‘ back to foreign network  Then the mobile station sends calculated SRES back to foreign network (response).  If SRES = SRES‘ the mobile station is authenticated successfully. Security Mobile Communication Security 7 GSM / UMTS security mechanisms Encryption of the air interface (optional)  The challenge response method cannot prevent „Man in the Middle“ attacks  Eavesdropping and unauthorized phone calls on the expense of others E d i d th i d h ll th f th  Therefore, there is another one way function in GSM called "A8 algorithm"  A8 is also determined by the network operator, e.g. also COMP128-3 y p , g  HLR generates a symmetric key K c from RAND and K i by A8  HLR sends (RAND, SRES, K c ) encrypted and signed to the foreign network.  The foreign network sends RAND to mobile station as before.  The mobile station computes K c using RAND and K i employing A8  K i th  K c is then used on the air interface as an encryption key. d th i i t f ti k Security Mobile Communication Security 8 GSM / UMTS security mechanisms Encryption of the Air interface (optional, cont.)  With K c all calls between mobile and base station are encrypted.  The encryption algorithm itself is called „A5-algorithm“ in GSM Th ti l ith it lf i ll d A5 l ith “ i GSM  There are 3 different standardizedA5:  A5/1 stream cipher algorithm, weak p g ,  A5/2 stream cipher algorithm, even weaker  A5/3 block cipher algorithm, strong http://www.gsmworld.com/using/algorithms/index.shtml Security Mobile Communication Security 9

GSM / UMTS security mechanisms Temporary identification (TMSI)  The IMSI number (International Mobile Subscriber Identity) is used as international mobile subscriber identifier international mobile subscriber identifier.  It is transferred only once in a foreign network.  After the transfer the MSC/VLR computes a TMSI (Temporary Mobile p ( p y Subscriber Identity)  For any further communication the TMSI is used  In case of a re-registration at a cell or a cell to cell handover a new TMSI is computed, encrypted and transferred. This mechanism makes it difficult for attackers to create a motion profile, which means mapping of IMSI to TMSI. Security Mobile Communication Security 10 GSM / UMTS security mechanisms Summary Request Security Mobile Communication Security 11 The IEEE 802.11 standard security mechanisms Provision of:  Access Control  Authentication  Encryption yp 802.11 Wireless Client Access Point Service Set Identifier Wired Equivalent Privacy (WEP) (SSID) WiFi Protected Access (WPA) Media Access Control (MAC filtering) Mobile Communication Security 12

Access Control - Service Set Identifier (SSID) Standard Mode  The network name (SSID) doesn‘t have to be known to the client  The network name (SSID) doesn t have to be known to the client  SSID = dividing a Wireless LAN into distinct segments  AP sends "beacon" signals containing the SSID, so that clients can find the desired segment desired segment Hidden Mode (closed network, no broadcast)  AP sends beacon“ signals without SSID therefore the client must know  AP sends „beacon signals without SSID, therefore the client must know the SSID of desired segment upfront.  AP does not reply to SSID broadcasts by clients Unfortunately the SSID is transmitted in other signalling messages in clear text. SSID can be easily intercepted with a „Wireless Sniffer“. Mobile Communication Security 13 Access Control - MAC Address List Access control by means of Access Control Lists (ACL) of MAC addresses ACLs have to be managed via management software centrally on access points points  Not well scalable. Administrative burden is very high. Remedy Remedy  central file with MAC list  RADIUS Server  Username = MAC address  Username = MAC address  Password = „null“ or „none“ MAC addresses are generally transmitted unencrypted MAC addresses are generally transmitted unencrypted  Attacker can intercept MAC address and misuse it on his/her own wireless interface card = MAC address spoofing (identity pretention) Mobile Communication Security 14 Wired Equivalent Privacy (WEP) Radio waves do not stop at the front door of buildings  Unlike wired systems it requires no physical intervention in order to break  Unlike wired systems, it requires no physical intervention in order to break into the network Wired Equivalent Privacy Wi d E i l t P i  safety from interception is supposed to be at least as good as wired systems.  Primary goal is privacy: prevention of eavesdropping  Secondary target is authentication of clients WEP 802.11 is available in a 40-bit and 128-bit version WEP has no method for key management  Keys must be configured manually  Global key <-> personal key  Keys are the same for everyone are secret only for a short period of time  Keys are the same for everyone, are secret only for a short period of time. Mobile Communication Security 15

WEP modes Open System Authentication p y Station Identity result Access Point Wireless Client Shared Key Authentication Station Identity Station Identity Challenge C WEP ( C ) Access Point Wireless Client result Mobile Communication Security 16 WEP: Send and Receive  Th The sender/originator generates a „keystream“ using WEP-Key and d / i i t t k t “ i WEP K d Initialisation Vector (IV) as input to the RC4-algorithm.  The plaintext (actual message in binary code) is then bitwise p ( g y ) exclusively (XOR) „merged“ with the key stream.  The sender computes a 32-bit long checksum (CRC32), using a linear algorithm algorithm.  the sender encrypts both  The IV transmitted unencrypted with the rest of the message and can yp g be changed with every packet.  The receiver uses the IV and WEP-Key to generate the key stream.  Finally the receiver applies XOR operator to key stream and encrypted Finally the receiver applies XOR operator to key stream and encrypted message body to decrypt to the original plaintext. Mobile Communication Security 17 WEP Packet Structure 802.11 Generic Packet Frame Frame Frame Frame Body Frame Body FCS FCS Created by Header Sending Shared before Device communication begins IV Secret Key Integrity Check (24bits) (40bit) Algorithm (CRC32) RC4 Algorithm Frame Body ICV Frame IV Frame Body ICV FCS WEP Packet Frame Header Encrypted Encrypted Mobile Communication Security 18