Mobile telephony - Joeri de Ruiter - PowerPoint PPT Presentation

SLIDE 1

Advanced Network Security

Mobile telephony

Joeri de Ruiter

SLIDE 2

Agenda

  • Introduction
  • 2G / 3G / 4G
  • Security
    • Authentication
    • Cryptography
  • Eavesdropping
  • Privacy
  • Tracking
  • A solution: PMSI

SLIDE 3

Telephony security

Source: http://sites.psu.edu/thedeepweb/2015/09/17/captain-crunch-and-his-toy-whistle/

SLIDE 4

Introduction

  • Standards by ETSI and 3GPP
  • 2G: GSM (Global System for Mobile Communication)
  • 2.5G: GPRS (General Packet Radio Service)
  • 3G: UMTS (Universal Mobile Telecommunications System)
  • 4G: LTE (Long Term Evolution)
  • 5G
  • About 8.5 billion connections and 5 billion subscribers

SLIDE 5

2G (GSM)

  • 1G was analogue without any encryption in place
  • 2G deployed in 1990s
  • 2G is digital and provides authentication and encryption
  • Still relevant for ICS/SCADA systems (e.g. ERTMS)

SLIDE 6

GSM-R

  • Part of ERTMS (European Rail Traffic Management System)
  • Used for communication between personnel as well as trains and track-side equipment
  • Used, for example, to grant trains permission to drive on parts of the tracks and to provide speed limits

SLIDE 7

Identifiers

IMEI (International Mobile Subscriber Identity)
IMSI (International Mobile Subscriber Identity)

  • Home country
  • Home network
  • User

SLIDE 8

2G - Architecture

Architecture diagram:

  • MS (Mobile Station): SIM (Subscriber Identity Module) and ME (Mobile Equipment)
  • Access Network: BTS (Base Transceiver Station), BTS (Base Transceiver Station), BSC (Base Station Controller)
  • Core Network: MSC (Mobile Switching Center), AuC (Authentication Center), VLR (Visitor Location Register), HLR (Home Location Register), Gateways
  • PSTN and Internet

SLIDE 9

2G - Architecture

  • Visitor Location Register (VLR) keeps track of phones present in its area
  • Mapping between IMSI and TMSI
  • Home Location Register (HLR) stores permanent information about subscribers
  • Authentication Center (AuC) stores long-term shared secrets with SIMs

SLIDE 10

2G - Authentication

  • Authentication and Key Agreement (AKA)
  • Shared symmetric key K between SIM and home network
  • Two algorithms, A3 and A8
  • Can be determined by the provider

SLIDE 11

2G - Authentication

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • IMSI
  • RAND, XRES, CK
  • Retrieve K for IMSI
  • RAND ← {0,1}^128
  • XRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Authentication request, RAND
  • Authentication response, SRES
  • SRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Verify XRES = SRES
  • Data encrypted with CK

SLIDE 12

Roaming

  • Phone can use a network different than its provider's network
  • Visited Network (VN) or Serving Network
  • Home Network (HN)
  • Visiting Network requests authentication information from Home Network
  • Authentication information provided by Home Network
  • Visited Network performs authentication
  • Visited Network reports presence of phone
  • Home Network informs previous network that phone left
  • Home Network keeps track of the current location of its subscribers
  • Necessary for, e.g., incoming calls

SLIDE 13

2G - Encryption algorithms

  • A5/0
    • No encryption
  • A5/1
    • Proprietary stream cipher
  • A5/2
    • Weaker cipher for export
  • A5/3
    • KASUMI, a block cipher based on MISTY
      – Used with 64 bit keys

SLIDE 14

3G (UMTS)

  • 3G (UMTS) introduced in 2001
  • Algorithms used for encryption and MACs
  • KASUMI (128 bit key)
  • SNOW 3G, stream cipher by Lund University
  • Mutual authentication

SLIDE 15

3G - Architecture

Architecture diagram:

  • MS (Mobile Station): USIM (Universal Subscriber Identity Module) and ME (Mobile Equipment)
  • Access Network: Node B, Node B, RNC (Radio Network Controller)
  • Core Network: MSC (Mobile Switching Center), AuC (Authentication Center), VLR (Visitor Location Register), HLR (Home Location Register), Gateways
  • PSTN and Internet

SLIDE 16

3G - Authentication

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • IMSI
  • RAND, AUTN, XRES, CK, IK

  • Retrieve K and SQN for IMSI
  • RAND ← {0,1}^128
  • MAC ← f1(K,SQN,AMF,RAND)
  • XRES ← f2(K,RAND)
  • CK ← f3(K,RAND)
  • IK ← f4(K,RAND)
  • AK ← f5(K,RAND)
  • AUTN ← (SQN XOR AK,AMF,MAC)
  • Update SQN ← SQN + 1

  • Authentication request, RAND, AUTN
  • Authentication response, SRES

  • AK ← f5(K,RAND)
  • XSQN ← (SQN XOR AK) XOR AK
  • XMAC ← f1(K,XSQN,AMF,RAND)
  • Verify XMAC = MAC
  • Verify SQN <= XSQN <= SQN + range
  • Update SQN ← XSQN
  • SRES ← f2(K,RAND)
  • CK ← f3(K,RAND)
  • IK ← f4(K,RAND)
  • Verify XRES = SRES

  • Data encrypted with CK and authenticated with IK

SLIDE 17

3G - Authentication

  • Functions f1 to f5 not standardised
  • Only used by SIM card and provider’s authentication server
  • Recommendation for f1 to f5 is to use Rijndael

SLIDE 18

4G (LTE)

  • 4G (LTE) introduced in 2010
  • Almost 90% coverage reported by Open Signal in February 2018
  • Algorithms used for encryption and MACs
  • SNOW 3G
  • AES
  • Cell towers are assumed to be smarter
  • Separation between signal and data channel
  • Signal channel encrypted between phone and core network
  • Data channel encrypted between phone and cell tower
  • Possible to perform handover directly between cell towers

SLIDE 19

4G - Authentication

  • Authentication protocol the same as 3G
  • More elaborate key hierarchy
  • Reduce times necessary to execute (slow) AKA protocol
  • Cell towers get their own keys
  • Mechanisms to protect against compromise of cell towers

SLIDE 20

4G – Key hierarchy

Diagram labels (in slide order):

  • Cell tower
  • K
  • CK, IK
  • AKA
  • KASME
  • ID of Visiting Network
  • KeNB
  • Signal data keys
  • User data keys
  • Home network
  • Visiting network

SLIDE 21

4G - Handover

  • Handover between cell towers can be done without interference of backend
  • Key update mechanisms to provide forward and backward security
  • Only involving cell towers provides backward security
  • Involving backend also provides forward security
  • SIM and backend generate the Next-hop parameter (NH)
  • Based on a shared secret and counter

SLIDE 22

4G – Key derivation

[Figure: key derivation chains. Labels: KASME, NH, KeNB, Cell info, NCC = 1, NCC = 2]
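
The handover key chaining from the two slides above, as an added example that is not part of the original slides. The class and function names, the labels and the use of HMAC-SHA256 as KDF are assumptions for illustration and not the 3GPP encoding; the cell info values are constructed.

```python
import hashlib, hmac, os

def kdf(key, label, data=b""):
    """Stand-in one-way KDF (assumption: HMAC-SHA256, not the 3GPP encoding)."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

class Backend:
    """Key state the SIM and the backend can both compute from KASME."""
    def __init__(self, kasme):
        self.kasme, self.ncc = kasme, 0
        self.kenb = kdf(kasme, b"KeNB")   # handed to the first cell tower

    def next_hop(self):
        """NH from the shared secret and a counter; towers cannot compute it."""
        self.ncc += 1
        return kdf(self.kasme, b"NH", bytes([self.ncc]))

def handover_key(base, cell_info):
    """KeNB for the target tower, from the current KeNB or from an NH value."""
    return kdf(base, b"KeNB*", cell_info)

def reachable(known, target, cells, depth=3):
    """True if `target` follows from `known` keys using tower-side derivations."""
    keys = set(known)
    for _ in range(depth):
        keys |= {handover_key(k, c) for k in keys for c in cells}
    return target in keys

def scenario():
    cells = [b"cell-A", b"cell-B", b"cell-C"]   # constructed cell info
    backend = Backend(os.urandom(32))
    k_a = backend.kenb
    k_b = handover_key(k_a, cells[1])                    # A -> B, towers only
    k_c_towers = handover_key(k_b, cells[2])             # B -> C, towers only
    k_c_backend = handover_key(backend.next_hop(), cells[2])  # B -> C with NH
    return {
        "B_gets_A": reachable({k_b}, k_a, cells),
        "A_gets_B": reachable({k_a}, k_b, cells),
        "A_gets_C_towers_only": reachable({k_a}, k_c_towers, cells),
        "A_gets_C_with_backend": reachable({k_a}, k_c_backend, cells),
    }
```

Tower B cannot work back to tower A's key (backward security), while tower A can follow the chain forward until the backend supplies a fresh NH (forward security).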

SLIDE 23

Authentication comparison

Source: Mobile communication security, Fabian van den Broek, 2016

SLIDE 24

Eavesdropping

  • Different approaches
  • Passive
  • Active (i.e. with a man-in-the-middle)
  • Works mainly well with 2G
  • Only authentication of the phone
  • Weak or no encryption supported
  • Often fallback to 2G is possible

SLIDE 25

Run your own network

  • Possible using a Software Defined Radio (SDR) and open source software (e.g. OpenBTS)
  • Pretend to be your victim's network and get them to connect to you
  • E.g. by jamming or providing a stronger signal

SLIDE 26

Man-in-the-middle (2G)

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • Authentication request, RAND
  • Authentication response, SRES
  • SRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Unencrypted data
  • VoIP

  • Use A5/0 (no encryption)
  • Forward calls via VoIP
  • No incoming calls

SLIDE 27

Man-in-the-middle (2G)

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • Authentication request, RAND
  • Authentication response, SRES
  • SRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Dummy data (A5/2)
  • Retrieve key CK
  • Authentication response, SRES
  • Data (A5/3)
  • Data (A5/2)
  • Identity request
  • Identity response, IMSI
  • Authentication request, RAND

Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, Barkan et al., 2010

SLIDE 28

Eavesdropping

  • Complete solutions available for governmental organisations

SLIDE 29

Intercepting signals

  • Again using Software Defined Radios (SDR) and open source software (e.g. AirProbe)

SLIDE 30

Intercepting signals

  • Problem: channel hopping
  • Solution: multiple or more powerful radios

SLIDE 31

Cracking A5/1

  • Weak algorithm
  • First attack publicly described by Anderson in 1994
  • Much more research since then
  • A5/1 is a stream cipher, so if you have known plaintext you have part of the keystream

SLIDE 32

Cracking A5/1

  • Rainbow tables available to quickly retrieve used key
  • Known as Berlin tables
  • Released in 2010
  • Around 2TB
  • Probabilistic
  • Limited amount of known plaintext necessary
  • Shortly afterwards the tool Kraken was released that could use these tables to crack GSM traffic

SLIDE 33

Cracking A5/2

  • A5/2 was purposefully weak for export
  • Can be cracked in seconds
  • Barkan et al., 2010
  • No longer allowed in new phones since 2007

SLIDE 34

Cracking A5/3

  • Attack published by Dunkelman et al. in 2010
  • Theoretical attack that might not be practical
  • KASUMI weaker than MISTY on which it is based

SLIDE 35

SS7

  • Signaling System 7
  • Used in the core network and to communicate between providers
  • For example, used to exchange authentication requests, send location updates and deliver SMS messages
  • From an era where providers trusted each other...
  • Originally when sending an SMS
  • Ask Home Network current network of phone (i.e. country and provider)
  • Send SMS directly to the phone’s current network
  • Fixed when using Home Routing
  • Home Network delivers the SMS
  • Might enable intercepting for 3G

SLIDE 36

SLIDE 37

Privacy

  • IMSI catchers (a.k.a. StingRay) can be used to
  • Track users
  • Monitor locations
  • Link identities to devices
  • Can pretend to be a base station to get phones to connect and learn the IMSI

Source: U.S. Patent and Trademark Office / AP Photo

SLIDE 38

Privacy

  • IMSI is always provided upon request
  • No protection provided by mutual authentication
  • TMSI introduced to provide some anonymity
  • Temporary Mobile Subscriber Identity
  • Can be used instead of IMSI
  • Provided by the visited network to the phone under encryption
  • Should only be used for one location
  • Can we still trace users?

SLIDE 39

Allocation of TMSI

Message sequence diagram (labels in slide order):

  • Enc(CK, TMSI Reallocation, newTMSI)
  • Enc(CK, TMSI Reallocation completed)

  • Discard oldTMSI
  • Start using newTMSI
  • Discard oldTMSI
  • Start using newTMSI

SLIDE 40

TMSI reallocation attack

Message sequence diagram (labels in slide order):

  • Enc(CK, TMSI Reallocation, newTMSI)
  • Enc(CK, TMSI Reallocation completed)
  • Discard oldTMSI
  • Start using newTMSI
  • Discard oldTMSI
  • Start using newTMSI
  • Record TMSI Reallocation command
  • Enc(CK, TMSI Reallocation, newTMSI)
  • Replay TMSI Reallocation command
  • Enc(CK, TMSI Reallocation completed)

New session with same keys

SLIDE 41

TMSI reallocation attack

  • Attack presented by Arapinis et al.
  • Attacker records an encrypted TMSI allocation command
  • Replay the recorded command later to distinguish victim’s phone from others
  • As long as the same keys (CK and, optionally, IK) are used
  • Only victim’s phone will respond to the encrypted command
  • Other phones will ignore it as decryption fails
  • Mainly a theoretical attack

SLIDE 42

3G linkability attack

  • Attack presented by Arapinis et al.
  • Attack on 3G’s AKA protocol
  • Uses the fact that different error messages are used for
  • MAC failure
  • Invalid sequence number

SLIDE 43

3G linkability attack

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • Authentication request, RAND, AUTN
  • Authentication response, SRES

  • Record RAND, AUTN

  • Authentication request, RAND, AUTN
  • Error, Sync_Fail (same phone) or Error, MAC_Fail (different phone)
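
The 3G AKA checks from the authentication slide and the resulting error distinction, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as a stand-in for f1 to f5; the AMF value, the window size and the `uniform_errors` switch (a hypothetical option that models indistinguishable failure messages) are illustrative.

```python
import hashlib, hmac, os

AMF = b"\x80\x00"   # constructed sample value
RANGE = 32          # assumed width of the accepted SQN window

def f(n, k, *parts):
    """Stand-in for f1..f5 (assumption: HMAC-SHA256 keyed with K)."""
    return hmac.new(k, bytes([n]) + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    def __init__(self, k):
        self.k, self.sqn = k, 1

    def vector(self):
        """Home-network side of the slide: returns (RAND, AUTN, XRES)."""
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        mac, ak = f(1, self.k, sqn, AMF, rand)[:8], f(5, self.k, rand)[:6]
        self.sqn += 1
        return rand, xor(sqn, ak) + AMF + mac, f(2, self.k, rand)[:8]

class USIM:
    def __init__(self, k, uniform_errors=False):
        self.k, self.sqn, self.uniform = k, 0, uniform_errors

    def authenticate(self, rand, autn):
        """Phone side of the slide: returns (status, SRES or None)."""
        xsqn = xor(autn[:6], f(5, self.k, rand)[:6])
        xmac = f(1, self.k, xsqn, autn[6:8], rand)[:8]
        if not hmac.compare_digest(xmac, autn[8:]):
            return ("AUTH_FAIL" if self.uniform else "MAC_FAIL"), None
        n = int.from_bytes(xsqn, "big")
        if not self.sqn <= n <= self.sqn + RANGE:
            return ("AUTH_FAIL" if self.uniform else "SYNC_FAIL"), None
        self.sqn = n                      # Update SQN <- XSQN
        return "OK", f(2, self.k, rand)[:8]

def replay_outcomes(uniform_errors=False):
    """Status seen when one recorded (RAND, AUTN) is replayed to two SIMs."""
    k_a, k_b = os.urandom(16), os.urandom(16)
    hn, sim_a, sim_b = HomeNetwork(k_a), USIM(k_a, uniform_errors), USIM(k_b, uniform_errors)
    recorded = hn.vector()[:2]
    sim_a.authenticate(*recorded)          # original run, accepted
    sim_a.authenticate(*hn.vector()[:2])   # a later fresh run moves SQN on
    return sim_a.authenticate(*recorded)[0], sim_b.authenticate(*recorded)[0]
```

With distinct error codes the two SIMs answer differently to the same replayed pair; with a single failure code the answers are identical.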

SLIDE 44

Defeating IMSI catchers

  • TMSI does not provide enough protection
  • IMSI can be requested without authentication or encryption
  • Visited network always learns the IMSI
  • IMSI is needed to determine the provider and retrieve the shared key
  • How can we protect against the interception of IMSIs?
  • Introduce a new identifier: a temporary pseudonym PMSI
    – Provided by the home network
  • Works with minimal modification to the current standards
    – IMSI catching still possible, but less interesting
  • Additional benefit: mutual authentication for 2G
  • Considered for inclusion in one of the 5G proposals

SLIDE 45

Defeating IMSI catchers

  • PMSI is shared between the SIM and provider
  • Same structure as IMSI
  • First part identifies the country and provider
  • Last part identifies the user
  • PMSI is used instead of IMSI and is regularly updated
  • How do we get the PMSI to the SIM?
  • Hijack the RAND variable

SLIDE 46

3G / 4G - Authentication

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • IMSI
  • RAND, AUTN, XRES, CK, IK

  • Retrieve K and SQN for IMSI
  • RAND ← {0,1}^128
  • MAC ← f1(K,SQN,AMF,RAND)
  • XRES ← f2(K,RAND)
  • CK ← f3(K,RAND)
  • IK ← f4(K,RAND)
  • AK ← f5(K,RAND)
  • AUTN ← (SQN XOR AK,AMF,MAC)
  • Update SQN ← SQN + 1

  • Authentication request, RAND, AUTN
  • Authentication response, SRES

  • AK ← f5(K,RAND)
  • XSQN ← (SQN XOR AK) XOR AK
  • XMAC ← f1(K,XSQN,AMF,RAND)
  • Verify XMAC = MAC
  • Verify SQN <= XSQN <= SQN + range
  • Update SQN ← XSQN
  • SRES ← f2(K,RAND)
  • CK ← f3(K,RAND)
  • IK ← f4(K,RAND)
  • Verify XRES = SRES

  • Data encrypted with CK and authenticated with IK

SLIDE 47

3G / 4G - PMSI (simplified)

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, PMSI
  • PMSI
  • RAND, AUTN, XRES, CK, IK

  • Retrieve K, KP and SQN for PMSI
  • PMSI’ ← {0,9}^10
  • RAND ← F(KP,PMSI’,SQN)
  • ...

  • Authentication request, RAND, AUTN
  • Authentication response, SRES

  • …
  • PMSI’, SQN’ ← F^-1(KP,RAND)
  • Verify SQN’ = XSQN
  • Update PMSI ← PMSI’
  • Verify XRES = SRES

  • Data encrypted with CK and authenticated with IK

SLIDE 48

2G - Authentication

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, IMSI
  • IMSI
  • RAND, XRES, CK
  • Retrieve K for IMSI
  • RAND ← {0,1}^128
  • XRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Authentication request, RAND
  • Authentication response, SRES
  • SRES ← A3(K, RAND)
  • CK ← A8(K, RAND)
  • Verify XRES = SRES
  • Data encrypted with CK

SLIDE 49

2G – PMSI (simplified)

Message sequence diagram (labels in slide order):

  • Identity request
  • Identity response, PMSI
  • PMSI
  • RAND, XRES, CK

  • Retrieve K, KP, SQN for PMSI
  • PMSI’ ← {0,9}^10
  • M ← MAC(KP,PMSI’, SQN)
  • RAND ← F(KP,PMSI’,SQN,M)
  • Update SQN ← SQN + 1
  • ...

  • Authentication request, RAND
  • Authentication response, SRES

  • PMSI’, SQN’, M’ ← F^-1(KP,RAND)
  • M ← MAC(KP,PMSI’,SQN’)
  • Verify M = M’
  • Verify SQN < SQN’
  • Update SQN ← SQN’
  • PMSI ← PMSI’
  • ...
  • Verify XRES = SRES

  • Data encrypted with CK

SLIDE 50

Defeating IMSI catchers

  • All values fit within current lengths of used variables
  • No modification of messages needed
  • Can be implemented by a single provider
  • Only changes needed in SIM and authentication server
  • Actually two PMSIs stored in SIM and at provider
  • Current PMSI
  • Next PMSI
    – Once used promoted to current PMSI and fresh next PMSI generated
  • MAC prevents desynchronisation attacks in 2G solution

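
The simplified 2G PMSI flow from the slides above, packing PMSI’, SQN and a MAC into a 128-bit RAND, as an added example that is not part of the original slides or the authors' implementation. The 4-round Feistel construction standing in for F and F^-1, the 5/6/5-byte field layout and all names are assumptions; the current/next PMSI bookkeeping is left out.

```python
import hashlib, hmac, secrets

def prf(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def feistel(kp, block, decrypt=False):
    """Stand-in for F / F^-1: keyed 4-round Feistel permutation on 16 bytes."""
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = bytes(a ^ b for a, b in zip(r, prf(kp, bytes([i]), l))), l
        else:
            l, r = r, bytes(a ^ b for a, b in zip(l, prf(kp, bytes([i]), r)))
    return l + r

def make_rand(kp, sqn):
    """Home network: hide a fresh PMSI', SQN and M inside the RAND field."""
    pmsi = f"{secrets.randbelow(10**10):010d}"          # PMSI' <- {0,9}^10
    body = int(pmsi).to_bytes(5, "big") + sqn.to_bytes(6, "big")
    return pmsi, feistel(kp, body + prf(kp, b"mac", body)[:5])

class Sim:
    def __init__(self, kp, pmsi):
        self.kp, self.pmsi, self.sqn = kp, pmsi, 0

    def on_rand(self, rand):
        """SIM side: update the pseudonym only if M and SQN both verify."""
        block = feistel(self.kp, rand, decrypt=True)
        body, m = block[:11], block[11:]
        if not hmac.compare_digest(m, prf(self.kp, b"mac", body)[:5]):
            return False              # forged or ordinary RAND: state unchanged
        sqn = int.from_bytes(body[5:], "big")
        if not self.sqn < sqn:
            return False              # replayed RAND: state unchanged
        self.sqn = sqn
        self.pmsi = f"{int.from_bytes(body[:5], 'big'):010d}"
        return True
```

A RAND that was not produced with KP fails the MAC check, so a fake base station cannot push the SIM onto a pseudonym the provider does not know.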
SLIDE 51

Further activities

  • Read chapters 2 and 3 of:

Mobile communication security
Fabian van den Broek, PhD thesis, 2016

  • Optional reading:

Defeating IMSI Catchers
Fabian van den Broek, Roel Verdult and Joeri de Ruiter. 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS'15), ACM, 2015

Analysis of privacy in mobile telephony systems
Myrto Arapinis, Loretta Ilaria Mancini, Eike Ritter, Mark D. Ryan. International Journal of Information Security, October 2017