CELLULAR TELEPHONE NETWORK SECURITY.ppt

CELLULAR TELEPHONE NETWORK SECURITY
Ari Vesanen, ari.vesanen@oulu.fi
Department of Information Processing Sciences, University of Oulu

Contents
- Introduction to GSM
- GSM network structure and properties
- GSM network security model
- GSM network security threats
- GPRS vs. GSM Security
- UMTS vs. GSM Security

Introduction to GSM
- GSM is the world's most widely used cellular phone system
  - About 1000 million users
- First digital cellular phone standard
- 1982: GSM (Groupe Special Mobile) committee to create standard
- 1989: ETSI (European Telecommunications Standards Institute) responsible for development
- 1990: first specifications frozen

- GSM specifications developed secretly
  - No public evaluation according to scientific procedure
- Kerckhoffs' principle violated: algorithm strength should depend on secrecy of key and not on the secrecy of the algorithm itself
- GSM specifications and encryption algorithms have leaked and been subject to criticism

GSM Network Structure
[Figure: GSM network structure. Mobile station MS (SIM + phone); Base Station Subsystem BSS (BTSs and BSCs); Network Switching Subsystem NSS (MSC, HLR, AuC, EIR, VLR); connection to PLMN, PSTN, ...; interfaces Um, Abis and A.]

- Mobile Station = phone + SIM
- SIM = Subscriber Identity Module
- User identity IMSI (International Mobile Subscriber Identity) on SIM
- MSISDN (Mobile Subscriber International Integrated Services Digital Network) number = phone number, on SIM
- Phone identity IMEI (International Mobile Equipment Identity) in phone
  - Got from phone: type *#06#

- BSS components: Base Transceiver Station (BTS) and Base Station Controller (BSC)
- BTS controls radio communication with phone, encrypts calls and does decryption
- BSC can control several BTSs; tasks:
  - Initialization of radio channel
  - Frequency hopping
  - Handover (transferring user between cells)
- Traffic between BSS and MSC

- NSS = MSC + SMSC + Registers (+ OSS)
- Mobile Services Switching Centre (MSC)
  - Main component of NSS
  - Works as link to wired network
  - Services for registering and authenticating mobile user
  - Services related to mobility
- Short Message Service Centre (SMSC)
  - Transmission of short messages
  - Needs routing information - works in co-operation with HLR

- HLR (Home Location Register)
  - Information on subscribers registered in this GSM network
  - Current location of users (location network's VLR address)
  - One network can contain only one HLR
- VLR (Visitor Location Register)
  - Relevant information on all active users in GSM network
- AuC (Authentication Center)
  - User secret key information by IMSI
- EIR (Equipment Identity Register)
  - Valid equipment by IMEI code

GSM Network Radio Interface
- Band control: combined TDMA/FDMA
- FDMA divides band into 200 kHz wide channels
  - GSM 900: 124 channels
  - GSM 1800: 374 channels
  - Channels grouped and distributed to operators
- Carrier frequency divided into time frames according to TDMA model
  - TDMA frame = eight time intervals (slots)
  - Message in one slot = burst
  - Logical channel = one slot in one frame

- Frequency hopping: 216.7 hops/second
  - After each burst, frequency changed according to predefined pattern
  - Spreads disturbances
  - Makes eavesdropping more difficult
- TDMA/FDMA model technically challenging

Establishing Call
- Updating location
  - Uses MSC, HLR and VLR
  - When MS moves to new location area or to new operator area, it must register for update
  - Location update message goes to new MSC/VLR pair, which registers new information and sends it to subscriber's HLR. HLR informs the previous VLR that subscriber left its area

Call Routing
[Figure: Call Routing. Incoming call; phone's home MSC; phone's location MSC; HLR; VLR; BSC; BTS; MS; steps numbered 1 to 6.]

GSM Network Security Model
- Identification of subscriber: IMSI
  - IMSI consists of three components:
    - Mobile Country Code (MCC)
    - Mobile Network Code (MNC)
    - Mobile Subscriber Identity Number (MSIN)
- TMSI: temporary identifier, used instead of IMSI in communication
  - Changed when location changed
  - Makes IMSI capturing and subscriber communication monitoring more difficult

- Authentication
  - Actors: SIM card and (home network's) Authentication Center (AuC)
  - Authenticates user to network (not vice versa)
  - Based on secret 128 bit key Ki (resides only on SIM and in AuC)
  - Authentication always in home network!
  - Authentication algorithm may be changed, yet works in visited networks
  - Authentication method: challenge-response
  - Algorithm A3

Authentication in GSM Network
[Figure: message flow between MS, MSC, HLR and AuC.]
- Register to network
- 2. Request authentication triplet
- 3. Authentication triplet (RAND, SRES, Kc)
- 4. RAND
- 5. SRES
- 6. Check SRES
- SRES = A3(RAND, Ki)
- Kc = air interface encryption key

- Air interface encryption
  - Encryption algorithm A5 must reside in phone; common algorithm for all network operators
  - Key generated using algorithm A8 on SIM, hence may be operator specific
  - Uses (64 bit) session key Kc = A8(RAND, Ki) and (22 bit) TDMA frame number
  - A5 stream cipher, re-synchronized for each frame
  - Kc rarely updated (in connection with authentication)
- Only air interface encrypted in GSM network, no encryption in operator network
  - Relied on physical security

Air Interface Encryption in GSM Network
[Figure: MS (A) and BTS (B) each run A5 with Kc (64 bit) and frame no (22 bit); the 114-bit outputs are XORed with PLAIN A-B and PLAIN B-A to give CIPHER A-B and CIPHER B-A, and XORed again at the receiving end to recover the plaintext.]

Algorithms
- SAGE group under ETSI designed algorithms
  - Composition secret
- A3, device authentication algorithm
  - Takes as parameters 128 bit key Ki and random number RAND, computes 32 bit fingerprint, SRES
  - Almost without exception: COMP128 algorithm used both as A3 and A8
  - COMP128 proposed in GSM specification

- A8, air interface encryption key generation algorithm
  - Mostly COMP128
  - Takes as parameters 128 bit key Ki and random number RAND, computes 64 bit session key Kc
  - Kc used until MSC decides to re-authenticate device
- Both A3 and A8 on SIM card
  - Operator can decide algorithms
  - Authentication done in subscriber's home network - local network does not have to know algorithms, yet authentication works also when user roams

- COMP128 not public, found out using SIM cards and leaked specifications
  - http://www.iol.ie/kooltek/a3a8.txt (Marc Briceno, Ian Goldberg and David Wagner) implementation
  - Published in April 1998
- Produces both SRES and Kc in one run
  - Upper 32 bits: SRES
  - Lowest 54 bits + 10 zeros: Kc - effectively Kc is 54 bit!

A5 Air Interface Encryption Algorithm
- Stream cipher algorithm
- "Original" European algorithm A5 leaked in general already in 1994, details in May 1999 (Briceno from GSM phone)
- Initialized for each sent frame
- Key Kc used during call, but 22-bit frame number changed

- European A5
  - Three feedback shift registers (LFSR = Linear Feedback Shift Register) of different lengths
  - Register lengths 19, 22 and 23 bits
  - Register values XORed and obtained bit XORed with plaintext bit
  - Registers initialized using session key Kc and frame number
  - After initialization, 228 bits of pseudo-random bit stream formed: first 114 bits to encrypt frame from device to base station, remaining 114 bits from base station to device
  - Cf. http://cryptome.org/a51-bsw.htm

A5 - cipher
[Figure: shift registers R1 (19), R2 (22) and R3 (23) with XOR feedback and clocking bits C1, C2 and C3; bit positions labelled 0, 7, 13, 18, 21 and 22. Rotation: majority of C1, C2 and C3.]

- Algorithm in many forms, original A5/1
  - Stronger than other A5/x's
- A5/0 = no encryption
- A5/2: decidedly weakened form (used e.g. in USA)
  - Published and analyzed in August 1999 (very weak)
- Other A5/x's have not become public (if any)

GSM Network Security Defects
- Network not authenticated
  - Faking base station possible in principle
- Algorithm weaknesses
  - Both A5 and COMP128 defective
- Data integrity not checked
  - Makes alteration of data possible

- Authentication data transmitted in clear both inside and between networks
  - Contains also air interface encryption key
- Lack of visibility
  - User cannot know whether encryption is used or not
  - No confirmation to home network whether serving network correctly uses authentication parameters when user roams

Threats
- Attacks against A5
  - A5 implementation (Mike Roe): http:/
  - Breaking air interface encryption - call eavesdropping
- Many methods proposed for breaking A5:
  - Almost practical attack by Golic: "Cryptanalysis of Alleged A5 Stream Cipher", cf. http:/
  - Birthday attack type time/memory optimization

- Attack applicable in real time: Biryukov, Shamir and Wagner (cf. http://cryptome.org/a51-bsw.htm):
  - Real time break algorithm on PC against the strong algorithm A5/1
  - Basic assumption: attacker knows or guesses part of bit stream produced by cipher
  - Basic idea: great number of pre-computed states stored (possible, since feedback registers can only be in 2^64 different states)
    - Idea by Golic

- Key can be deduced from initial state of each frame
- A5/1 can be effectively implemented on PC (each register small enough to store their states in computer's memory as three cyclic arrays)
- A5/1 can be run backwards effectively
  - However, backward computation not entirely deterministic: one state can be arrived at from several states

- Suitable 16-bit number alpha chosen in advance and only frames that include alpha considered
- The number of register states producing alpha is about 2^48
  - States computed in advance and stored on disk - attack demands large amount of space
- Three different attacks (all require at least two 73 GB hard drives)

- Estimate:
  - First type attack ("biased birthday attack", two versions) needs about 2 minutes of call data
    - Alpha appears sufficiently many times (ca. 71) in data
    - Direct collision with disk data and cipher data
    - Encryption broken in one second
  - Third type attack ("random subgraph attack"): call data 2 seconds
    - Performing attack takes minutes
- No crypto attack carried out in practice (presumably)

- SIM card cloning (by physical contact)
  - Subscriber's secret key on SIM and security depends on this key - if attacker obtains SIM, security can be broken
  - An identical copy of SIM can be made
  - If card noticed missing, it can quickly be shut out of services
  - If copy and original simultaneously used, network notices and invalidates both
  - In principle cloned card can be used such that subscriber is billed

- Revealing key Ki from SIM
  - Based on weakness of COMP128
  - Inventors: SDA (Smartcard Developer Association) and ISAAC (Internet Security, Applications, Authentication and Cryptography)
  - Cf. http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
  - Flaw in algorithm - information on Ki obtained by giving suitable random number inputs RAND as an argument to A8
    - Input RAND slightly changed and observed when identical answer obtained
    - 2^17.5 inputs enough to deduce Ki

- Test attack: SIM in card reader attached to PC; PC generated 150 000 challenges, using which SIM computed SRES response and session key Kc - based on this information Ki computed. Took ca. 8 hours
  - April 1998
- Attack technique used is standard-like
  - Cf. e.g. Serge Vaudenay "FFT-Hash-II is not yet Collision-Free" http://lasecwww.epfl.ch/pub/lasec/doc/liens-92-17.A4.ps

- SIM cloning over-the-air
  - ISAAC: according to experts possible in practice (faking base station)
  - Cf. http://www.isaac.cs.berkeley.edu/isaac/gsm.html
- Type 1: attacker builds fake base station, covering subscriber's valid BTS
  - Subscriber's SIM may be bombed with self-generated authentication requests

- Estimate: attack duration 8-13 hours, victim device has to be in operating area of fake base station (not necessarily continuously)
  - Subscriber cannot detect attack
- Enhanced version of COMP128 exists (COMP128-2)
  - Some operators use
  - Not (known to be) broken
- Type 2: attack from legal network
  - Client outside home network (e.g. abroad)
  - Attacker inside location network

- Building fake (rogue) base station
  - Cost estimate 10 000 euros
  - Can capture IMSI
  - Gathered information might be used in networks with looser authentication
- Counter: temporary identifier TMSI, changed when subscriber location updated
  - TMSI does not entirely prevent IMSI capture since IMSI has to be sent once
- Also other attacks (e.g. the SIM cloning mentioned)

Cell change in GSM network
1. Phone sends audibility reports to BTS
2. BTS adds own information and sends to BSC
3. BSC sends cell change request to MSC (if necessary)
4. MSC sends resource allocation request to new BSC, which waits for MS to arrive
5. New BSC sends acknowledgement to MSC, which sends cell change command to old BSC, which forwards it to MS
6. MS breaks connection to old base station and continues with new one

How to hook up a phone to my fake base station?
- Item 5: cell change command from the network
  - Attacker may simulate command and force the phone to change
- No authentication for base stations
  - Device cannot know it is communicating with a rogue base station

GPRS vs. GSM Security
- GPRS: transition phase to 3G, supports packet switched traffic
  - Voice (circuit switched traffic) as in GSM
  - GPRS data uses multiple slots
- Air interface encryption (differences with GSM)
  - New A5 algorithm GEA
    - Yet secret
  - GPRS traffic encryption extends further (base stations cannot cope with traffic using several slots)

- Authentication (differences with GSM)
  - Separate authentication for circuit switched and packet switched traffic
- Packet switched backbone has own security features
  - Not considered here

- UMTS design applies open standardization
  - Specs: 3GPP (3rd Generation Partnership Project)
  - WWW site http://www.3gpp.org contains specifications etc.
  - Cf. TTAE.3G-33.102 "3G Security; Security Architecture"
- UMTS network constructed on (and parallel to) existing GSM networks
  - Security model constructed on GSM security model

UMTS vs. GSM Security
- Authentication method as in GSM
  - Based on a secret key K, residing only on USIM and in home network AuC
- Comparison:
  - in GSM network, authentication vectors are triplets (RAND, SRES, Kc)
  - in UMTS network, quintets (RAND, XRES, CK, IK, AUTN)
    - IK: integrity key for data integrity
    - AUTN: authentication token for network authentication

- Improvements to GSM security
  - Encryption algorithms use longer keys
  - Network also authenticated
  - Signaling data authenticated and integrity checked
- UMTS GSM compatible
  - GSM users have GSM context
  - GSM users have practically GSM security in UMTS network
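
The one-way GSM challenge-response and the UMTS quintet with AUTN, side by side, as an added example that is not part of the original slides. HMAC-SHA256 stands in for A3/A8 and the UMTS functions (COMP128 and the real UMTS algorithms are not reproduced), AUTN is reduced to a MAC over RAND, and all function names are chosen here for illustration.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in keyed function (assumption): HMAC-SHA256 truncated to n bytes."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, b"A3", rand, 4)              # 32-bit SRES

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """64-bit Kc with the lowest 10 bits zeroed, as COMP128 does (54 effective bits)."""
    kc = int.from_bytes(_prf(ki, b"A8", rand, 8), "big") & ~0x3FF
    return kc.to_bytes(8, "big")

def auc_triplet(ki: bytes):
    """Home AuC builds (RAND, SRES, Kc); the visited network only compares SRES."""
    rand = os.urandom(16)
    return rand, a3_sres(ki, rand), a8_kc(ki, rand)

def gsm_sim_respond(ki: bytes, rand: bytes):
    """GSM SIM: nothing in the challenge proves who sent it, so every RAND is answered."""
    return a3_sres(ki, rand), a8_kc(ki, rand)

def auc_quintet(k: bytes):
    """UMTS-style (RAND, XRES, CK, IK, AUTN); real AUTN also carries SQN and AMF."""
    rand = os.urandom(16)
    return (rand, _prf(k, b"RES", rand, 8), _prf(k, b"CK", rand, 16),
            _prf(k, b"IK", rand, 16), _prf(k, b"AUTN", rand, 8))

def usim_respond(k: bytes, rand: bytes, autn: bytes):
    """USIM verifies AUTN before answering; a challenge not derived from K is refused."""
    if not hmac.compare_digest(autn, _prf(k, b"AUTN", rand, 8)):
        return None
    return _prf(k, b"RES", rand, 8)
```

The GSM side has no counterpart to the AUTN check, which is the "network not authenticated" defect listed in the slides.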
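
The per-frame keystream generation described in the "European A5" slide, as an added example that is not part of the original slides: registers of 19, 22 and 23 bits, majority clocking, and 228 bits split into two 114-bit blocks. The tap positions, bit ordering and the 100 discarded clockings follow the publicly available reference implementation and are assumptions beyond what the slides state; `xor_burst` is a helper name chosen here.

```python
# A5/1 keystream generator (added example; layout per the public reference code).
MASKS = ((1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1)   # R1, R2, R3 widths
TAPS = (0x072000, 0x300000, 0x700080)                   # feedback tap bits
CLK = (1 << 8, 1 << 10, 1 << 10)                        # clocking bits C1, C2, C3

def _shift(reg, mask, taps):
    """Clock one LFSR: shift left and feed back the XOR (parity) of the tap bits."""
    return ((reg << 1) & mask) | (bin(reg & taps).count("1") & 1)

def _clock(regs, majority_rule=True):
    """Clock all three registers, or only those whose clocking bit matches the majority."""
    bits = [bool(r & c) for r, c in zip(regs, CLK)]
    maj = sum(bits) >= 2
    return [_shift(r, m, t) if (not majority_rule or b == maj) else r
            for r, b, m, t in zip(regs, bits, MASKS, TAPS)]

def a51_keystream(kc: bytes, frame: int):
    """Return (device->BTS, BTS->device): two 114-bit blocks packed into 15 bytes each."""
    regs = [0, 0, 0]
    for i in range(64):                       # mix in 64-bit Kc, one bit per clock
        bit = (kc[i // 8] >> (i & 7)) & 1
        regs = [r ^ bit for r in _clock(regs, majority_rule=False)]
    for i in range(22):                       # mix in 22-bit TDMA frame number
        bit = (frame >> i) & 1
        regs = [r ^ bit for r in _clock(regs, majority_rule=False)]
    for _ in range(100):                      # majority-clocked rounds, output discarded
        regs = _clock(regs)
    blocks = []
    for _ in range(2):                        # 2 x 114 = 228 keystream bits
        out = bytearray(15)
        for i in range(114):
            regs = _clock(regs)
            bit = ((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1
            out[i // 8] |= bit << (7 - (i & 7))
        blocks.append(bytes(out))
    return tuple(blocks)

def xor_burst(burst: bytes, block: bytes) -> bytes:
    """Encrypt or decrypt one burst by XOR with a keystream block."""
    return bytes(a ^ b for a, b in zip(burst, block))
```

Because Kc stays fixed for the whole call, only the 22-bit frame number changes the keystream from one frame to the next.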
