Main:advertisement
This is a technical article on the security provided by GSM networks. It is an advanced topic, so I suggest you at least know about the layout of GSM networks and challenge-response protocols.
GSM security
This article focuses on the security put in place on GSM networks. The first generation mobile phone network devices were vulnerable in a variety of ways, the most notable being connection eavesdropping and handset cloning. Subsequent mobile systems introduced protection against these attacks. Throughout this article I refer to GSM, which is the basis for the 2G network in the UK.
Before analysing the security of any system, it is important to review the design goals of the system in question. For GSM, the design goals were to provide the same protection as a fixed line system. This was achieved using cryptographic mechanisms, which were implemented to provide authentication of the handset to the network, confidentiality of the data transferred, and anonymity of the customer.
Authentication is provided using a challenge-response protocol, based around the knowledge of a pre-shared 128-bit key, Ki. The key is held at the authentication centre (AuC) for the mobile provider, and an identical copy is held on the SIM card. The AuC also generates a random number, and passes it through one of a set of algorithms, implemented at the AuC and on the mobile device. Here is the protocol run, with the terminology defined:
ME: Mobile Device <---- Wireless ----> MSC: Mobile Switching Centre <---- Wired ----> AuC: Authentication centre
RAND: 128-bit Random number
Ki: 128-bit shared key
Kc: 64-bit encryption key
XRES: Expected response
RES: Response
1) MSC -> AuC: Authentication Request
2) AuC generates a random number, RAND, and uses it along with Ki to compute: XRES and Kc
3) AuC -> MSC: {RAND, XRES, Kc}
4) MSC -> ME: RAND
5) ME uses RAND and Ki from the SIM to calculate: RES and Kc
6) ME -> MSC: RES
7) MSC: XRES == RES ??
If the response is equal to the expected response, then authentication is successful, and the network can be sure the SIM is authentic. The transaction also set up a shared encryption key, Kc, which was never transmitted, but was calculated at both ends. This key is now used along with TDMA frame sequence numbers to generate keystream, which is fed into the stream cipher to encrypt voice traffic. Since the keystream depends on sequence numbers, it is effectively re-synchronised at each frame.
There are several problems with these security measures. The first is that the voice data is only encrypted up to the base station, which sits between the ME and the MSC. If the link between the base station and the MSC is wireless (for example, via microwave dish), the data will be sent unencrypted, and anyone with the proper sniffing equipment can gather unencrypted voice data. Another problem is that it is not unfeasible for a malicious user (or more likely, a government or security agency) to obtain a microcell, or base station, which can be configured to act as a man-in-the-middle.
This attack is possible due to the use of unilateral entity authentication, because the handset gets no guarantee of the identity of the network. 3G networks use mutual entity authentication, so rogue base station attacks can no longer be used, as the cannot know the secret key, Ki.
This has been a very quick and dirty review of GSM security. I have left out most of the details, as the article would go on forever if I hadn't. I hope you have all learnt something from this article, please take the time to rate and comment. If I find the time I will do a follow-up on UMTS and 3G networks soon.
This article focuses on the security put in place on GSM networks. The first generation mobile phone network devices were vulnerable in a variety of ways, the most notable being connection eavesdropping and handset cloning. Subsequent mobile systems introduced protection against these attacks. Throughout this article I refer to GSM, which is the basis for the 2G network in the UK.
Before analysing the security of any system, it is important to review the design goals of the system in question. For GSM, the design goals were to provide the same protection as a fixed line system. This was achieved using cryptographic mechanisms, which were implemented to provide authentication of the handset to the network, confidentiality of the data transferred, and anonymity of the customer.
Authentication is provided using a challenge-response protocol, based around the knowledge of a pre-shared 128-bit key, Ki. The key is held at the authentication centre (AuC) for the mobile provider, and an identical copy is held on the SIM card. The AuC also generates a random number, and passes it through one of a set of algorithms, implemented at the AuC and on the mobile device. Here is the protocol run, with the terminology defined:
ME: Mobile Device <---- Wireless ----> MSC: Mobile Switching Centre <---- Wired ----> AuC: Authentication centre
RAND: 128-bit Random number
Ki: 128-bit shared key
Kc: 64-bit encryption key
XRES: Expected response
RES: Response
1) MSC -> AuC: Authentication Request
2) AuC generates a random number, RAND, and uses it along with Ki to compute: XRES and Kc
3) AuC -> MSC: {RAND, XRES, Kc}
4) MSC -> ME: RAND
5) ME uses RAND and Ki from the SIM to calculate: RES and Kc
6) ME -> MSC: RES
7) MSC: XRES == RES ??
If the response is equal to the expected response, then authentication is successful, and the network can be sure the SIM is authentic. The transaction also set up a shared encryption key, Kc, which was never transmitted, but was calculated at both ends. This key is now used along with TDMA frame sequence numbers to generate keystream, which is fed into the stream cipher to encrypt voice traffic. Since the keystream depends on sequence numbers, it is effectively re-synchronised at each frame.
There are several problems with these security measures. The first is that the voice data is only encrypted up to the base station, which sits between the ME and the MSC. If the link between the base station and the MSC is wireless (for example, via microwave dish), the data will be sent unencrypted, and anyone with the proper sniffing equipment can gather unencrypted voice data. Another problem is that it is not unfeasible for a malicious user (or more likely, a government or security agency) to obtain a microcell, or base station, which can be configured to act as a man-in-the-middle.
This attack is possible due to the use of unilateral entity authentication, because the handset gets no guarantee of the identity of the network. 3G networks use mutual entity authentication, so rogue base station attacks can no longer be used, as the cannot know the secret key, Ki.
This has been a very quick and dirty review of GSM security. I have left out most of the details, as the article would go on forever if I hadn't. I hope you have all learnt something from this article, please take the time to rate and comment. If I find the time I will do a follow-up on UMTS and 3G networks soon.
Posted by 
