Chap5 - Sécurité Du Réseau Cellulaire PDF

Concepts Cellulaires et Paramètres Radio
Réseaux mobiles et sans fil First Generation (1G)

Techniques d’accès multiples dans les réseaux cellulaires Second Generation (2G)
MAC : Medium Access Control Third generation (3G)
Sécurité du Réseau Cellulaire Fourth Generation (4G)
Réseaux locaux sans fil (WiFi ) et Sécurité
Plan du cours
1 Concepts Cellulaires et Paramètres Radio Généralités

Présentation du réseau cellulaire Eléments sur la transmission sur un canal
La liaison radio & QoS Méthodes par consultation
La planification cellulaire Méthodes par compétition
Les fonctions de mobilité Méthodes par Multiplexage
2 Réseaux mobiles et sans fil Conclusion
Standards et Technologies de Réseau 5 Sécurité du Réseau Cellulaire
Mobile First Generation (1G)
Réseaux fixes sans fil Second Generation (2G)
Réseaux mobiles Third generation (3G)
3 Techniques d’accès multiples dans les réseaux Fourth Generation (4G)
cellulaires 6 Réseaux locaux sans fil (WiFi ) et Sécurité
Duplexing Introduction
Accès multiples au support de Aspects théoriques
communication Architecture de réseau
4 MAC : Medium Access Control Déploiement du réseau radio
M. Désiré GUEL Informatique mobile et sans fil - L3S5 IFOAD - UJKZ - 2023 254 / 383
Outline

p h o n e signaling. H e n c e , s t a n d a r d switching t e c h n i q u es are required
within t h e M T S O . In addition, t h e Mmobiles
Réseaux T S O m u s t (i) adniinister
et sans fil Firstradio
Generation (1G)
c h a Techniques
n n e l s allocated
d’accès A M P S , (ii) c o o r d i n a te t h e grid of cell sites
to multiples dans les réseaux cellulaires Second a n dGeneration (2G)
moving subscribers, a n d ( MAC Hi) m :a iMedium
n t a i n t hAccess
e integrity of t h e local
Control ThirdA Mgeneration
PS (3G)
s y s t e m a s a whole. T h e s e new switching
Sécurité du Réseau functions require extensive
Cellulaire Fourth Generation (4G)
use of s t o r e d - p r Réseaux
o g r am technology
locaux sans withinfil (WiFi t h)e et
M TSécurité
SO.
3.4 Interconnection of subsystems First Generation (1G)

I n t e r c o n n e c t i o n of t h e t h r e e major control e l e m e n t s is shown in Fig.
3. T h e mobile t e l e p h o n e c o m m u n i c a t e s with a n e a r b y cell site over a
Main goal: connect mobile phone users to the

radio c h a n n e l assigned t o t h a t cell. T h e cell site, in t u r n , is connected
b y land-line facilities to t h e M T S O , which interfaces with t h e wire-line
Objectif principal : Connecter les utilisateurs de téléphones mobiles au réseau de
network. A s Fig. 3 also indicates, a considerable a m o u n t of d a t a is
téléphonie fixe
fixed telephony network
exchanged b e t w e e n pairs of A M P S control elements. F o r instance, call
s e t u p d a t a are exchanged between t h e mobile t e l e p h o n e a n d t h e cell
site over radio c h a n n e l s reserved for thi s purpose. T h e voice channels
also carry d a t a to control a n d to confirm various mobile telephone
COMMUNICATION »4« COMMUNICATION
Fig. 3 — A M P S s y s t e m control elements.
46 THE BELL SYSTEM TECHNICAL JOURNAL. JANUARY 1979

Fig. 5 — S A T spatial allocation.
SAT SAT
RECEIVED NOT RECEIVED
ST MOBILE
ON ON-HOOK*
M. Désiré GUEL 5 Informatique mobile et sans fil - L3S5 IFOAD - UJKZ - 2023
MOBILE
IN FADE
256 / 383
First Generation (1G)

AMPS - Mobile Originates Call
Func8onality 1: Mobile Originated Call
Fonctionnalité 1 : Appel provenant d’un mobile
Base station Mobile station
Pass to PSTN Origination message

(MIN, ESN, called party)
Control message Tune to voice channel
Send supervisory signal

to confirm forward channel
Answers and starts Send supervisory signal

conversation to confirm reverse channel
MIN
MIN
Telcom =
=2720Mobile
Mobile Identification
Identification Number
Number PSTN = Public Switched Telephone
32
Network
ESN
ESN= =Electronic Serial
Electronic Number
Serial Number
PSTN = Public Switched Telephone Network
M. Désiré GUEL 6 Informatique mobile source: University
et sans fil of Pittsburg
- L3S5 IFOAD lecture
- UJKZ - 20232720 257 / 383
AMPS - Mobile Receives Call

Func8onality 2: Mobile Terminated Call
Fonctionnalité 2 : Appel terminé par un mobile
Base station Mobile station
Mobile ID from PSTN; Receives page

page control message
Page response message

(MIN, ESN)
Control message; tune Tune to voice channel

to voice channel
Send supervisory signal Send supervisory signal

to confirm forward channel to confirm reverse channel
Telcom 2720 M. Désiré GUEL Informatique mobile et sans fil - L3S5 35 - 2023
IFOAD - UJKZ 258 / 383
BS2
Telcom 2720 Concepts Cellulaires et Paramètres Radio 39
Func8onality 3: Handover
AMPS Handoff
Fonctionnalité 3 : Handover
Original New
MTSO Base Station Base Station Terminal
conversation
RVC and FVC
Fig. 5 — S A T spatial allocation.
SAT SAT
MTSO = Mobile Telecommunications

RECEIVED NOT RECEIVED
Switching Office ST
ON
MOBILE
ON-HOOK*
MOBILE
RVC = Reverse Voice Channel

IN FADE
OR
MOBILE
TRANSMITTER
OFF
Telcom 2720 ST
OFF
40
FVC = Forward Voice Channel MOBILE
OFF-HOOK
8
SAT - S U P E R V I S O R Y A U D I O TONE
ST = S I G N A L I N G T O N E
M. Désiré GUEL Informatique mobile et sans fil - L3S5 IFOAD - UJKZ - 2023
RING C O N F I R M A T I O N REOUIRES THE 259 / 383

First genera8on security?
First generation security ?
No
• security !
No security!
Identification
• Iden&fica&on: : Serial Number
Serial (ESN)
Number andand
(ESN) Telephone Number
Telephone (MIN)
Number (MIN)
Control messages and voice : analog tones
• Control messages and voice: analog tones
Obvious problems
Eavesdropping → privacy problem
• Mobile
Obvious problems
cloning → billing fraud
• Eavesdropping —> privacy problem
• Mobile cloning —> billing fraud
Outline

Second Generation
Second genera8on
Powered by evolving mobile technologies for better experiences

Mobile 1G Mobile 2G Mobile 3G Mobile 4G LTE
AMPS, NMT, TACS D-AMPS, GSM/GPRS, CDMA2000/EV-DO, LTE, LTE Advanced
cdmaOne WCDMA/HSPA+, TD-SCDMA
N/A <0.5 Mbps1 63+ Mbps2 300+ Mbps3

Analog Voice Digital Voice + Simple Data Mobile Broadband Faster and Better
Richer Content More

(Video) Connections
1Peak data rate for GSM/GPRS, latest Evolved EDGE has peak DL data rates capable of up to 1.2 Mbps; 2 Peak data rate for HSPA+ DL 3-carrier CA; HSPA+ specification includes additional potential CA + use of multiple antennas, but no announcements to 5
date; 3 Peak data rate for LTE Advanced Cat 6 with 20 + 20 MHz DL CA; LTE specification includes additional potential CA + additional use of multiple antennas, but no announcements to date
M. Désiré GUEL 10 Informatique mobile et sans fil - L3S5 IFOAD - UJKZ - 2023 262 / 383
Second Generation
2G overview
Digital system
Voice calls and text messages
Introduced in the early 1990’s
Medium access
Combination of FDMA and TDMA
Split carrier into time slots that are organized as frames
Each voice call is assigned a time slot
Digital voice transmission
Compression, error correction, less power, more capacity
Digital control channels
Services like text messages and security...
Second Generation
GSM standard
GSM (Global System for Mobile Communications)
Popular in Europe and Asia
Initially limited coverage and support in USA
Radio link properties
Uplink (890-915 MHz), downlink (935-960 MHz)
25 MHz subdivided into 124 carrier frequency channels
TDMA : 8 speech channels per radio frequency channel
Channel data rate is 270.833 [kbps]
Voice transmieed at 13 [kbps]
Handset power
Max 2 watts in GSM900 and 1 watt in GSM1800
Cell size up to 35 km
Second Generation
GSM Medium Access
GSM Medium Access
Second Generation
GSM Architecture
GSM Architecture
Mobile Stations Base Station Network Subscriber and terminal

Subsystem Management equipment databases
OMC
BTS Database of
Exchange {IMEI, IMSI, Ki}
System
VLR
Mobile station: BTS BSC MSC
IMEI, IMSI, Ki HLR AUC
BTS EIR
HLR = Home Location Register VLR = Visitor Location Register

AC = Authentication center EIR - Equipment Identity Register
IMEI = International Mobile Equipment Identity MSC = Mobile Switching Center

IMSI = International Mobile Subscriber Identity • connects wireless to core network
Ki = shared symmetric key • gateway to PTSN
• assists in handoffs, billing…
14
Second Generation
Example: mobile device registra8on

Example : Mobile device registration
Source : Traynor et al. Source:

SecurityTraynor
for etTelecommunications
al. Security for Telecommunications
Networks.Networks. Springer2008
Springer 2008
Second Generation
GSM Security Goals and Mechanisms
Main security goals for operators

Correct billing (to avoid fraud)
Protect services
Main security goals for customers
Privacy protection
Correct billing
Main security mechanisms
1 User authentication
2 Communication encryption
Second Generation
GSM Security Goals and Mechanisms
Both authentication and encryption based on shared key

Ki - Subscriber Authentication Key
Shared 128 bit key
Resides in subscriber SIM (owned by operator, trusted)
HLR of the subscriber’s home network
GSM standard assumes 3 crypto algorithms
A3 for authentication
A8 for key derivation
A5 for encryption
Algorithms initially supposed to be secret.
Second Generation
GSM Authen8ca8on and Encryp8on overview

GSM Authentication and Encryption overview
Mobile phone Radio Link GSM Operator
Challenge RAND
SIM
Ki Ki
A3 A3
Signed response (SRES)
SRES SRES
A8 Authentication: are SRES A8

values equal?
Fn Kc Kc Fn
mi Encrypted Data mi
A5 A5
A3 and A8 on implemented SIM

A3 and A8 on
• implemented SIM
operator can choose! designed for efficient hardware im-
operator• can plementation
common choice: COMP128 keyed hash algorithm
choose !
common choice : COMP128 keyed
A5 is a stream cipher
hash algorithm variants : A5/1 strong, A5/2 inten-
• designed for efficient hardware implementa8on
A5 is a stream cipher tionally weakened
• variants: A5/1 “strong”, A5/2 inten8onally weakened
Second Generation
Some A3 and A8 details

Some A3 and A8 details
Recall : A3 = authentication, A8 = key derivation Implementation chosen by
Recall: A3 = authen8ca8on, A8 = key deriva8on
operators
Implementa8on chosen by operators
RAND (128 bit) RAND (128 bit)
Ki (128 bit) A3 Ki (128 bit) A8
SRES (32 bit) KC (64 bit)
RAND (128 bit)
Ki (128 bit)
Logical implementa.on
COMP128
of A3 and A8
COMP128 is a keyed hash
128 bit output
func.on
SRES 32 bit and Kc 54 bit
Second Generation
Some A5 details
Some A5 details
A5 = stream cipher (that can be implemented easily and efficiently on
A5 = stream cipher (that can be implemented easily and efficiently on simple
simple hardware)
hardware)
Design Design originally confiden8al, but later leaked
originally confiden8al, but later leaked
Variants: A5/1 – the strong version, A5/2 – the weak version
Variants : A5/1 - the strong version, A5/2 - the weak version
Mobile Station BTS
Fn (22 bit) Kc (64 bit) Fn (22 bit) Kc (64 bit)
A5 A5
114 bit 114 bit

Data (114 bit) Ciphertext (114 bit) Data (114 bit)
XOR XOR
21
Second Generation
GSM Crypto Aeack History
1991 : First GSM implementa8on.

April 1998 : Smartcard Developer Associa8on (SDA) and U.C. Berkeley cracked
COMP128 and extracted Ki from SIM within hours.Found that Kc uses only 54
bits.
August 1999 : The weak A5/2 variant was cracked using a single PC within
seconds.
December 1999 : Biryukov et al. break the strong A5/1 variant with two minutes
of intercepted call in 1 second.
May 2002 : The IBM Research group discovered a new way to quickly extract the
COMP128 keys using side channels.
Second Generation
Authen8ca8on process observa8ons
Authentication process observations
Request contains
IMSI (or TMSI)
Two observations:
1. Communication before
authentication
2. No network
authentication
Source: Traynor et al. Security for Telecommunications Networks. Springer 2008

Source : Traynor et al. Security for Telecommunications Networks. Springer 2008
Second Generation
GSM security summary
One of the main problems : weak crypto algorithms

Initially secret algorithms
Eventually leaked or reverse-engineered and broken
No strong user authentication or call confidentiality
Also several other issues
No network authentication → fake BS
IMSI shared in plaintext → user tracking
Encryption is optional and limited to radio link ...
No integrity protection ...
Second Generation
GSM core network (SS7)

GSM core network
Network (SS7)
overview
MSC/ MSC/
SMSC SMSC VLR
VLR
SS7 SS7
SS7 interconnect
MSC/ MSC/
VLR HLR VLR
HLR
Basestation Subsystem Core Network Core Network Basestation Subsystem
Carrier A Carrier B
Signalling •System
Signalling System #7 (SS7) is a protocol suite used by most
#7 (SS7) est une suite de protocoles utilisée par la plupart des fournisseurs
télécommunicationThis
pourtalk
telecommunica8on service providers to talk to each other
de services de communiquer entre eux.
Normalisé •dans
Standardized in 1980’s. Trust model: Service providers trust each other. No
les années 1980. Modèle de confiance : les fournisseurs de services
SS7: Locate. Track. Manipulate. 7
se font
confiance. Aucune authentification intégrée.
authen0ca0on built in.
L’accès SS7 peut être acheté auprès des fournisseurs de télécommunications pour quelques
• SS7 access can be bought from telecom providers for a few hundred dollars
centaines de dollars par mois. En outre, de nombreux hubs SS7 non sécurisés sont présents sur
a month. Also, many unsecured SS7 hubs present on the web.
le Web.
Second Generation
Cell Level Tracking with SS7/MAP
• Aeack: Loca8on Tracking using SS7
Attack
When the attacker : Location
knows the IMSI ofTracking using
the subscriber and SS7
the Global Title, the
MSC/VLR can be asked for the cell id of the subscriber
Step 1: Get IMSI and address of current MSC
Home Visited network
network
MSC/
HLR
VLR
sendRoutingInfoForSM
req
sendRoutingInfoForSM
resp
provideSubscriberInfo req
Paging Request
provideSubscriberInfo resp Paging Response
Step 2: Request the cell id of the subscriber to the current MSC

Several
Several onlineonline services
services allowallow locating
locating thethe subscriber
subscriber using
using thepaging
the paging response
response.
29
Denial of Service
Techniques d’accès multiples dans les réseaux cellulaires
MAC : Medium Access Control
Sécurité du Réseau Cellulaire
Second Generation (2G)
Third generation (3G)
Fourth Generation (4G)
• It is not only possible to read subscriber

Second data - it can also be modified, since
Generation
most network’s VLR/MSC don’t do any plausibility checks
• Control every aspect of what a subscriber is allowed to do: enable or disable

Aeack: Denial of Service using SS7
Attack : Denial of Service using SS7
incoming and/or outgoing calls / SMS or data or delete the subscriber from the
VLR altogether
Visited network
MSC/
VLR
Get IMSI / VLR

address from HLR
insertSubscriberData req
deleteSubscriberData req /
cancelLocation req
X
• Aeacker can modify subscriber data as well. No checks implemented
Attacker by most telecom providers.
can modify subscriber data as well. No checks implemented by most
telecom•providers.
Once IMSI and VLR addresses are available to the aeacker, he can
Once IMSIcontrol all kinds of service availability to the subscriber e.g., disabling
and VLR addresses are available to the attacker, he can control all
outgoing calls etc.
kinds of service availability to the subscriber e.g., disabling outgoing calls etc.
Second Generation
Intercepting calls with CAMEL
• Attacker overwrites gsmSCF address in subscriber’s MSC/VLR with it’s own,

Attack : Intercepting Calls using SS7
Aeack: Intercep8ng Calls using SS7
“fake gsmSCF” address
Caller network
Intercepting calls with CAMEL MSC/
VLR
insertSubscriberData req
with address of attacker
• MSC sets up call to +210987..., which bridges it to the original +345678...
as gsmSCF
• Attacker
Both subscribers can talk to overwrites
each other,service control
while the attacker records the
conversation function’s address with a fake one
Caller network +345678...
+210987...
MSC/
VLR
Setup Attacker can redirect the call to a

+345678... initialDP
+345678... proxy relay which can then fully
connect
M. Désiré GUEL +210987... record
Informatique theet sans
mobile conversation
fil - L3S5 IFOAD - UJKZ - 2023 279 / 383
Second Generation
SS7 network security
Legacy system with no security protec8ons

Turned out to be major vulnerability
Root causes
Designed for an outdated threat model
Bad network management
Many of these issued have been fixed (since 2014)
Outline

Third Generation
Third genera8on


Richer Content More

(Video) Connections
1Peak data rate for GSM/GPRS, latest Evolved EDGE has peak DL data rates capable of up to 1.2 Mbps; 2 Peak data rate for HSPA+ DL 3-carrier CA; HSPA+ specification includes additional potential CA + use of multiple antennas, but no announcements to 5
33
Third Generation
3G overview
Introduced early 2000’s

Common 3G standard :
UMTS (Universal Mobile Telecommunications System)
Medium access :
W-CDMA : wideband code-division multiple access
Several transmitters over single communica8on channel
Each user’s data signal is spread across the spectrum using a separate spreading
1885-2025 MHz uplink and 2110-2200 MHz downlink
Supports up to 14 Mbps (in theory)
Third Generation
Updated terminology (GSM to UMTS)

Updated terminology (GSM to UMTS)
• SIM —> USIM
SIM → USIM • BTS —> eNodeB BSC → RNC (Radio Network
BTS → eNodeB Controller)
• BSC —> RNC (Radio Network Controller)
BSC MSC GMSC
PSTN
BTS GSM BSS
HLR, AuC, VLR
RNC SGSN GGSN
eNodeB Core Network Internet

UMTS RAN
35
Third Generation
3G main security updates
Main goal : fix the main problems of 2G (GSM) security

Specific measures :
1 Use stronger crypto algorithms
2 Protect user identities against fake base stations
3 Less trust in visited network in general
4 Mandate encryption
5 Extend encryption to core network
6 Provide integrity protection
Third Generation
Authentication and Key Agreement
New protocol
roughly same design used in 4G and 5G
Assumes five functions f1, f2, f3, f4, f5
these functions can be operator-specific
Adds nonce management for better replay protection
two more functions f1* and f5*
used for re-synchronization if operator and SIM get out of synch (not discussed in
this lecture)
Two additional functions for encryption (f8) and integrity (f9)
Third Generation
Authen8ca8on Vector genera8on
(operator side)
Authentication Vector generation (operator side)
Generate SQN
Generate RAND
AMF
f1 f2 f3 f4 f5
MAC (Message XRES CK IK AK

Authentication (Expected (Cipher (Integrity (Anonymity
Code) Result) Key) Key) Key)
Authentication token: AUTN = (SQN⊕AK)|| AMF|| MAC
Authentication vector: AV = RAND|| XRES ||CK || IK || AUTN
AMF: Authentication and Key Management Field
AMF : Authentication and Key Management Field

39
Third Generation
User Authen8ca8on
(on USIM) (on USIM)
User Authentication
RAND AUTN
AMF MAC
f5
AK
SQN
K
f1 f2 f3 f4
XMAC RES CK IK
(Expected MAC) (Result) (Cipher (Integrity
Key) Key)
•  Verify MAC = XMAC

•  Verify that SQN is in the correct range
USIM: User Services Identity Module
40
Third Generation
UMTS Authen8ca8on
UMTS Authentication (in Visited Network)
(in Visited Network)
Mobile Station Visited Network Home Environment
Sequence number (SQN) RAND(i)
K: User’s Generation of
secret key cryptographic material
User authentication request IMSI/TMSI Authentication vectors

K
RAND(i)||AUTN(i)
Verify AUTN(i)
Compute RES(i) Network authenticated!
User authentication response RES(i)

Compare RES(i) User authenticated!
K
and XRES(i)
Compute CK(i) Select CK(i)

and IK(i) and IK(i)
Third Generation
Encryp8on using f8 func8on
(data and signaling)
Encryption using f8 function (data and signaling)
BEARER LENGTH BEARER LENGTH

COUNT-C DIRECTION COUNT-C DIRECTION
CK f8 CK f8
KEYSTREAM KEYSTREAM
BLOCK BLOCK
PLAINTEXT CIPHERTEXT PLAINTEXT

BLOCK BLOCK BLOCK
Sender Receiver
(Mobile Station or (Radio Network Controller
Radio Network Controller) or Mobile Station)
BEARER: radio bearer identifier

48
COUNT-C: ciphering sequence counter
f8 = KASUMI block cipher
44
Third Generation
Some f8 details
(use block cipher to generate a key stream)
Some f8 details (use block cipher to generate a key stream)
COUNT || BEARER || DIRECTION || 0…0
KM: Key Modifier
KS: Keystream
CK KM KASUMI
Register
BLKCNT=0 BLKCNT=1 BLKCNT=2 BLKCNT=BLOCKS-1
CK KASUMI CK KASUMI CK KASUMI CK KASUMI
KS[0]…KS[63] KS[64]…KS[127] KS[128]…KS[191]
45
Third Generation
Integrity Protec8on using f9

Integrity Protection using f9 (mandatory for signaling, optional for voice
(mandatory for signaling, op8onal for voice and data)
and data)
SIGNALLING MESSAGE SIGNALLING MESSAGE
FRESH FRESH
COUNT-I DIRECTION COUNT-I DIRECTION
IK f9 IK f9
MAC-I XMAC-I
Sender Receiver
(Mobile Station or (Radio Network Controller
Radio Network Controller) or Mobile Station)
f9 = KASUMI FRESH: random input
DISCUSS: Why define integrity as op&onal?

Third Generation
3G Confidentiality
Confidentiality based on KASUMI block cipher

8-round Feistel Network
Means ”mist” in Japanese :)
Good design process : public review
Has proven to be secure design
Example cryptanalysis / partial attacks :
Attacks that break subset of rounds in feasible time
Attacks that assume strange models (”related key attack”)
Third Generation
Registra8on and paging

Registration and paging
Source: Borgaonkar et al. New Privacy Threats on 3G, 4G and Upcoming 5G AKA protocols. PETS’19.
Registration Registra8on
• User iden8ty (IMSI) sent in plaintext before authen8ca8on
User identity (IMSI) sent in plaintext before authentication
• Awer registra8on, serving network assigns UE a random and
Awer registration, serving network assigns UE a random and temporary identifier
called TMSI temporary iden8fier called TMSI
Paging • Paging
• of
Awer period Awer period of inac8vity, UE switches to idle mode
inactivity, UE switches to idle mode
• Serving network sends paging messages using TMSI for
Serving network sends paging messages using TMSI for incoming calls and mes-
sages incoming calls and messages
49
Third Generation
User Tracking
Assume an adversary that is able to eavesdrop traffic

Possible sources of user identity and location leakage
New registration → leaks permanent IMSI
Paging messages → leaks temporary TMSI
Refresh rate of TMSI is operator-specific sexng...
Third Generation
3G Summary
Better crypto algorithms

Authentication based on AES
Confidentiality and integrity based KASUMI
Improved authentication protocol (AKA)
Mutual authentication
Better replay protection with sequence numbers
Remaining issues
Optional integrity protection ...
User (IMSI / TMSI) tracking ...
Downgrade attack ...
Outline


4G


Richer Content More

(Video) Connections
1 Peak data rate for GSM/GPRS, latest Evolved EDGE has peak DL data rates capable of up to 1.2 Mbps; 2 Peak data rate for HSPA+ DL 3-carrier CA; HSPA+ specification includes additional potential CA + use of multiple antennas, but no announcements to
5
1980’s 1990’s 2000’s 2010’s
4G Overview
Known also as LTE (Long-Term Evolution)

Introduced around 2008
Updated architecture
Fully packet-switched
Core network called Evolved Packet Core (EPC)
Radio network called Evolved-UTRAN (E-UTRAN)
Interoperable with legacy systems
New physical layer
Orthogonal frequency division mulEplex (OFDM)
Multiple antenna techniques like MIMO
300 Mbps downlink, 70 Mbps uplink, 5ms latency
] to accurately Concepts Cellulaires et Paramètres Radio
s or trilateration A. LTE infrastructure
by that UE. We MAC : Medium Access Control
We consider a simplified LTESécurité
architecture
Third generation (3G)
re vulnerable to du Réseauinvolving
Cellulaire com-
ponents required to setRéseaux
up access
locaux network protocols
sans fil (WiFi between
) et Sécurité
a base station and mobile devices. We hide other details of
er attacks where the architecture which are not relevant fromFourth
the pointGeneration
of view (4G)
f service against of understanding our attacks. Figure 1 depicts this simplified
orced into using architecture which contains three main components: User
which can then Equipment (UE), Evolved Universal Terrestrial Radio Access
acks against that Network (E-UTRAN), and Evolved Packet Core (EPC). All
ied access to all LTE Architecture and Terminology (1/2)
three components are collectively referred to as Evolved Packet
electively limit a System (EPS) according to 3GPP terminology. In the interest
voice calls). The
ire explicit user LTE architecture and terminology
of simplicity, throughout this paper we refer to the whole
system as LTE. The three components are described below
er. (A list of common acronyms related to LTE appear in the full UE : User Equipment (MS)
version of this paper [6]).
xcept one) and
ial LTE devices •eNB
UE: User Equipment (MS)
: enhanced NodeB (BS)
several carriers.
nexpensive and •E-UTRAN
eNB: enhanced NodeB (BS)
: Evolved Universal Terrestrial
e manufacturers Radio Access Network
dardization body • E-UTRAN: Evolved Universal Terrestrial Radio Acc
le writing.
•MME
MME: Mobility Management EnEty (MSC)
: Mobility Management Entity (MSC)
E is a complex
nflicting require- •HSS
HSS: Home Subscriber Server (HLR)
: Home Subscriber Server (HLR)
lnerabilities and
s that may have •S-GW
S-GW: Serving Gateway
: Serving Gateway
ased on this we
andardization as Fig. 1.
LTE Network
LTE system architecture •P-GW
P-GW: Packet Gateway
: Packet Gateway
User Equipment: UE refers to the actual communication
ssive and active
device which can be, for example, a smartphone . A UE
es to LTE tem-
contains a USIM (Universal Subscriber Identity Module)[7],
d to track user
which represents the IMSI and stores the corresponding au-
h higher levels
thentication credentials [8]. This IMSI is used to identify an Informatique mobile et sans fil - L3S5
M. Désiré GUEL IFOAD - UJKZ - 2023 300 / 383
r can selectively limit a
g., no voice calls). The
es require explicit user LTE architecture and terminology
of simplicity, throughout thisConcepts
paper weCellulaires
refer to et
system as LTE. The three components areRéseaux
theParamètres
described
whole Radio
belowet sans fil
mobiles First Generation (1G)
o recover. (A list of common acronyms
Techniques relatedmultiples
d’accès to LTE appear
dans lesinréseaux
the full cellulaires Second Generation (2G)
version of this paper [6]). MAC : Medium Access Control Third generation (3G)
acks (except one) and Sécurité du Réseau Cellulaire Fourth Generation (4G)
ommercial LTE devices • UE: User Equipment (MS)
works of several carriers.
ks is inexpensive and
ks to the manufacturers
Fourth• eNB: enhanced NodeB (BS)
Generation (4G)
he standardization body • E-UTRAN: Evolved Universal Terrestrial Radio Access Network
ay while writing.
• MME: Mobility Management EnEty (MSC)
ike LTE is a complex
ong conflicting require- • HSS: Home Subscriber Server (HLR)
LTE vulnerabilities and
derations that may have • S-GW: Serving Gateway #RSAC
lace. Based on this we LTE Architecture and Terminology (2/2)
• P-GW: Packet Gateway
uture standardization as Fig. 1.
LTE Network
LTE system architecture
User Equipment: UE refers to the actual communication

New passive and active
device which can be, for example, a smartphone . A UE
identities to LTE tem-
contains a USIM (Universal Subscriber Identity Module)[7],
hem and to track user
which represents the IMSI and stores the corresponding au-
o much higher levels
thentication credentials [8]. This IMSI is used to identify an
ously thought possible.
LTE user (generally referred to as “subscriber” in 3GPP ter-
minology) uniquely. The USIM participates in LTE subscriber
acks: New active DoS authentication protocol and generates cryptographic keys that
nd persistently down- form the basis for the key hierarchy subsequently used to
venting their access to protect signaling and user data communication between the
to less secure 2G/3G UE and base stations over the radio interface.
k access altogether) or
E-UTRAN: E-UTRAN consists of base stations. It manages
E services. (Section VI)
the radio communication with the UE and facilitates commu-
Inexpensive software nication between the UE and EPC. In LTE, a base station
implement the attacks is technically referred as “evolved NodeB (eNodeB)”. The
and Universal Software eNodeB uses a set of access network protocols, called Access
ection IV), and evalua- Stratum (AS) for exchanging signaling messages with its UEs.
mercially available LTE These AS messages include Radio Resource control (RRC)
ions V–VII) protocol messages. Other functions of eNodeB include paging
UEs, over-the-air security, physical layer data connectivity, and
outlining possible un-
lnerabilities, including
handovers. Each eNodeB is connected to the EPC through an 5
interface named S1.
etween security/privacy
bility, performance and MME in EPC: EPC provides core network functionalities by 12
mmending fixes. (Sec- a new all-IP mobile core network designed for LTE systems. It
consists of several new elements as defined in [9]. However, for
2 M. Désiré GUEL Informatique mobile et sans fil - L3S5 IFOAD - UJKZ - 2023 301 / 383
Some Some LTE physical layer details

LTE physical layer details
OFDM downlink
OFDM downlink
• MulEple narrow sub-carriers spread over a wide channel bandwidth
MulEple narrow sub-carriers spread over a wide channel bandwidth
• mutually
Sub-carriers Sub-carriers mutually orthogonal in the frequency domain
orthogonal in the frequency domain
• MiEgates inter-symbol interference, allows flexible uElizaEon of spectrum
Mitigates inter-symbol interference, allows flexible utilizaEon of spectrum
SC-FDMA uplink
SC-FDMA uplink
Single-carrier FDMA
• Single-carrier FDMA
Source: Lichtman et al. LTE/LTE-A Jamming, Spoofing, and Sniffing: Threat

Assessment and Mitigation. IEEE Communications 2016.

LTE network protocols
LTE Network Protocols
• MAC layer
MAC layer ; it manages access to radio re-
sources • manages access to radio resources
• RLC (Radio Link Control) Control plane
• error correcEon, segmentaEon, ordering User plane
RLC (Radio Link Control) error correction,
• PDCP (Packet Data Convergence Protocol)
segmentation, ordering
• compression, encrypPon, integrity
PDCP• RRC (Radio Resource Control)
(Packet Data Convergence Proto-
col) compression, encryption, integrity
• system informaEon broadcast, AKA
• NAS (Non-Access Stratum)
• mobility management with the
RRC (Radio Resource Control)
core network
system information broadcast, AKA
Source: NIST. Guide to LTE Security. 2017.

NAS (Non-Access Stratum) mobility mana-
gement with the core network
7
LTE Security Overview
Similar Authentication and Key Agreement (AKA) as in 3G

Mutual authentication, SQN used for replay protection
New crypto algorithms (3 variants)
EEA = encryption, EIA = integrity
EEA1 and EIA1 based on Snow (similar to KASUMI)
EEA2 is AES-CTR and EIA2 is AES-CMAC
EEA3 and EIA3 based on ZUC
Other security updates
Extended Key Hierarchy
Possibility for longer keys (256 bits)
X2 handover (between eNodeBs)
Backhaul (S1) protection
LTE Key Hierarchy

LTE Key Hierarchy
K = master key (128 bits, shared between HSS and USIM)

K = master key (128 bits, shared between HSS and USIM)
CK = confidenEality key (128 bits)
CK = confidentiality key (128 bits)
IK = integrity key (128 bits)
IK = integrity key (128 bits)
K_ASME = MME base key (256 bits)
K_ASME = MME base key (256 bits) and so on ...
and so on…
Source: NIST. Guide to LTE Security. 2017.


LTE backhaul and EPC protecEon
LTE backhaul and EPC protection
Backhaul (S1) protecPon
• Physical protecEon (difficult for long distances)
Backhaul (S1) protection
• Standard IP security (VPN, IPsec, PKI…)
Physical protection (difficult for long distances)
Standard IP security (VPN, IPsec, PKI...)
EPCEPC protecPon
protection
• Spec is vague: “Physical and logical division to security domains”
Spec is vague : ”Physical and logical division to security domains”
• Likely pracEce: standard IP security
Likely practice : standard IP security
4G / LTE security summary
Security updates
New crypto algorithms (Snow and AES)
New core network (EPC)
Minor security updates like extended key hierarchy, handover protection, backhaul
protection...
Remaining issues
Limited user tracking
Minor integrity violation
User traffic profiling

Langue

Chap5 - Sécurité Du Réseau Cellulaire PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Chap5 - Sécurité Du Réseau Cellulaire PDF

Transféré par

Droits d'auteur :

Formats disponibles

Concepts Cellulaires et Paramètres Radio

Réseaux mobiles et sans fil First Generation (1G)

1 Concepts Cellulaires et Paramètres Radio Généralités

1 Concepts Cellulaires et Paramètres Radio Généralités

3.4 Interconnection of subsystems First Generation (1G)

Main goal: connect mobile phone users to the

COMMUNICATION »4« COMMUNICATION

Fig. 3 — A M P S s y s t e m control elements.

46 THE BELL SYSTEM TECHNICAL JOURNAL. JANUARY 1979

First Generation (1G)

Base station Mobile station

Pass to PSTN Origination message

Control message Tune to voice channel

Send supervisory signal

Answers and starts Send supervisory signal

First Generation (1G)

AMPS - Mobile Receives Call

Base station Mobile station

Mobile ID from PSTN; Receives page

Page response message

Control message; tune Tune to voice channel

Send supervisory signal Send supervisory signal

First Generation (1G)

Fig. 5 — S A T spatial allocation.

MTSO = Mobile Telecommunications

RVC = Reverse Voice Channel

First Generation (1G)

1 Concepts Cellulaires et Paramètres Radio Généralités

Powered by evolving mobile technologies for better experiences

N/A <0.5 Mbps1 63+ Mbps2 300+ Mbps3

Richer Content More

Mobile Stations Base Station Network Subscriber and terminal

HLR = Home Location Register VLR = Visitor Location Register

IMEI = International Mobile Equipment Identity MSC = Mobile Switching Center

Example: mobile device registra8on

Source : Traynor et al. Source:

GSM Security Goals and Mechanisms

Main security goals for operators

GSM Security Goals and Mechanisms

Both authentication and encryption based on shared key

GSM Authen8ca8on and Encryp8on overview

A8 Authentication: are SRES A8

A3 and A8 on implemented SIM

Some A3 and A8 details

RAND (128 bit) RAND (128 bit)

Ki (128 bit) A3 Ki (128 bit) A8

SRES (32 bit) KC (64 bit)

RAND (128 bit)

Mobile Station BTS

Fn (22 bit) Kc (64 bit) Fn (22 bit) Kc (64 bit)

114 bit 114 bit

GSM Crypto Aeack History

1991 : First GSM implementa8on.

Source: Traynor et al. Security for Telecommunications Networks. Springer 2008

GSM security summary

One of the main problems : weak crypto algorithms

GSM core network (SS7)

Basestation Subsystem Core Network Core Network Basestation Subsystem

provideSubscriberInfo resp Paging Response

SS7: Locate. Track. Manipulate. 17

Step 2: Request the cell id of the subscriber to the current MSC

• It is not only possible to read subscriber

•  Verify MAC = XMAC