Donate to us!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Friday, September 21, 2018
 Need Help?
Members Online
Total Online: 162
Guests Online: 158
Members Online: 4

Registered Members: 106648
Newest Member: Sherrywearo
Latest Articles

GSM Security

Arrow Image This is a technical article on the security provided by GSM networks. It is an advanced topic, so I suggest you at least know about the layout of GSM networks and challenge-response protocols.

GSM security

This article focuses on the security put in place on GSM networks. The first generation mobile phone network devices were vulnerable in a variety of ways, the most notable being connection eavesdropping and handset cloning. Subsequent mobile systems introduced protection against these attacks. Throughout this article I refer to GSM, which is the basis for the 2G network in the UK.

Before analysing the security of any system, it is important to review the design goals of the system in question. For GSM, the design goals were to provide the same protection as a fixed line system. This was achieved using cryptographic mechanisms, which were implemented to provide authentication of the handset to the network, confidentiality of the data transferred, and anonymity of the customer.

Authentication is provided using a challenge-response protocol, based around the knowledge of a pre-shared 128-bit key, Ki. The key is held at the authentication centre (AuC) for the mobile provider, and an identical copy is held on the SIM card. The AuC also generates a random number, and passes it through one of a set of algorithms, implemented at the AuC and on the mobile device. Here is the protocol run, with the terminology defined:

ME: Mobile Device <---- Wireless ----> MSC: Mobile Switching Centre <---- Wired ----> AuC: Authentication centre

RAND: 128-bit Random number
Ki: 128-bit shared key
Kc: 64-bit encryption key
XRES: Expected response
RES: Response

1) MSC -> AuC: Authentication Request
2) AuC generates a random number, RAND, and uses it along with Ki to compute: XRES and Kc
3) AuC -> MSC: {RAND, XRES, Kc}
4) MSC -> ME: RAND
5) ME uses RAND and Ki from the SIM to calculate: RES and Kc
6) ME -> MSC: RES
7) MSC: XRES == RES ??

If the response is equal to the expected response, then authentication is successful, and the network can be sure the SIM is authentic. The transaction also set up a shared encryption key, Kc, which was never transmitted, but was calculated at both ends. This key is now used along with TDMA frame sequence numbers to generate keystream, which is fed into the stream cipher to encrypt voice traffic. Since the keystream depends on sequence numbers, it is effectively re-synchronised at each frame.

There are several problems with these security measures. The first is that the voice data is only encrypted up to the base station, which sits between the ME and the MSC. If the link between the base station and the MSC is wireless (for example, via microwave dish), the data will be sent unencrypted, and anyone with the proper sniffing equipment can gather unencrypted voice data. Another problem is that it is not unfeasible for a malicious user (or more likely, a government or security agency) to obtain a microcell, or base station, which can be configured to act as a man-in-the-middle.

This attack is possible due to the use of unilateral entity authentication, because the handset gets no guarantee of the identity of the network. 3G networks use mutual entity authentication, so rogue base station attacks can no longer be used, as the cannot know the secret key, Ki.

This has been a very quick and dirty review of GSM security. I have left out most of the details, as the article would go on forever if I hadn't. I hope you have all learnt something from this article, please take the time to rate and comment. If I find the time I will do a follow-up on UMTS and 3G networks soon.


MrMayhemon November 23 2009 - 22:46:45
Brief but very interesting article. Would be interested to see the extent of the difference between 2G and 3G security, google time I think..
jjbutler88on November 23 2009 - 23:12:30
3G is very different, as I hinted at in the penultimate paragraph. I would have gone on but its pretty tiring work, I wrote that all myself, kot a word copied or pasted, and im still not fully comfortable with colemak so its pretty hard :s
COMon November 24 2009 - 23:27:20
I'd like to point out that 2G is not synonymous with GSM. While GSM is 2G as it's based on that technology, 2G isn't GSM as 2G doesn't have encryption as standard, just provides a more efficient way of sending information.
jjbutler88on November 25 2009 - 19:45:50
COM, I had a longer version of this written up, but I cut it down onto here, just realised I made that bit unclear. I'll amend it now.
stealth-on November 28 2009 - 06:10:12
This is the type of article I like to see at HBH! Not in the way as being about phone networks, but in the way of being interesting, informative, and explanatory. I felt it was a bit short, but much better than some of the crap that's already on here. Well done Smile
mamboon January 15 2010 - 13:14:41
So is the GSM security similar to a PKI?
MjWasHereon January 31 2010 - 06:29:30
Very precise and too good ! Thanks a lot Smile
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.