
Security Issues in Wireless Network

There are many types of Wireless Media

Yes GSM, Bluetooth, WCDMA, Wireless LAN, 802.XX, Satellite.. Wow many ..

GSM Security

Evolution of Cellular Networks

[Figure: generations 1G, 2G, 2.5G, 3G and 4G, with the labels Analog, Digital, Circuit-switching and Packet-switching]

1G Systems

Goal: To develop a working system that could provide basic voice service
Time frame: 1970-1990
Technology: FDMA/FDD
Example systems:
  Advanced Mobile Phone System (AMPS-USA)
  Total Access Communication System (TACS-UK)
  Nordic Mobile Telephone (NMT-Europe)
Incompatible analog systems

2G Systems

Goal: Digital voice service with improved quality and also provide better data services
Time frame: 1990-2000
Technology: TDMA/TDD, CDMA
Example systems:
  Global System for Mobile (GSM-Europe)
  IS-136 (TDMA)
  IS-95 (CDMA)

2.5G Systems

Goal: To provide better data rates and wider range of data services and also act as a transition to 3G
Time frame: 2000-2002
Systems:
  IS-95B
  High Speed Circuit Switched Data (HSCSD)
  General Packet Radio Service (GPRS)
  Enhanced Data rates for GSM Evolution (EDGE)

3G Systems

Goal: High speed wireless data access and unified universal standard
Time frame: 2002
Two competing standards:
  One based on GSM, IS-136 and PDC, known as 3GPP
  Other based on IS-95, named 3GPP2
Completely move from circuit switching to packet switching
Enhanced data rates of 2-20 Mbps


4G Systems
Future systems
Goal: High mobility, high data rate, IP based network
Hybrid network that can interoperate with other networks


Briefly on 1G


AMPS

1G system developed by Bell Labs
Analog system, used FDMA/FDD
40 MHz of spectrum
842 channels
Rate: 10 kbps


AMPS: Architecture

[Figure: BTS units, the MTSO (MSC) and the Public Switched Telephone Network]

MTSO: Mobile Telecommunication Switching Office, also known as MSC (Mobile Switching Center)
BTS: Base Transceiver Station


AMPS: Conventional Telephone to Cell Phone

[Figure: a call from the Public Switched Telephone Network reaches the MTSO (MSC), which sends a paging message out through the BTS units]


Call arrives at MSC via the PSTN
MSC then sends out a paging message via all BTS on the FCC (Forward Control Channel)
The paging message contains the subscriber's Mobile Identification Number (MIN)
The mobile unit responds with an acknowledgement on the RCC (Reverse Control Channel)
MSC directs BS to assign FVC (Forward Voice Channel) and RVC (Reverse Voice Channel)


AMPS: Cell phone initializes a call

Subscriber unit transmits an origination message on the RCC
Origination message contains:
  MIN
  Electronic Serial Number
  Station Class Mark
  Destination phone number
If BTS receives it correctly then it is passed on to MSC
MSC validates the information and connects the call


GSM: Architecture
GSM system consists of three interconnected sub-systems:
Base Station Subsystem
  Mobile station (MS)
  Base Transceiver Station (BTS)
  Base Station Controllers (BSC)
Network Switching Subsystem (NSS)
  Mobile Switching Center (MSC)
  Home Location Register (HLR)
  Visitor Location Register (VLR)
  Authentication center (AUC)
Operation Support Subsystem
  Operation Maintenance Centers


[Figure: GSM architecture, with the labels Mobile Stations, Base Station Subsystem, Network Management, Subscriber and terminal equipment databases and Exchange System, and the components OMC, BTS, BSC, MSC, VLR, HLR, EIR and AUC]

GSM
[Figure: Base Station Subsystem, BTS units connected to BSCs]

Base Station Subsystem
The BTS provides last mile connection to the MS and communication is between the BTS and MS
BSCs connect the MS to the NSS
Handover between BTS within same BSC is handled by the BSC

GSM

[Figure: Base Station Subsystem (BTS, BSC), Network Switching Subsystem (MSC, HLR, VLR, AUC), Operation Support Subsystem (OSS) and Public Networks]

GSM Mobile Station


Mobile Station
  Mobile Equipment (ME)
    Physical mobile device
    Identifiers
      IMEI: International Mobile Equipment Identity
  Subscriber Identity Module (SIM)
    Smart Card containing keys, identifiers and algorithms
    Identifiers
      Ki: Subscriber Authentication Key
      IMSI: International Mobile Subscriber Identity
      TMSI: Temporary Mobile Subscriber Identity
      MSISDN: Mobile Station International Service Digital Network
      PIN: Personal Identity Number protecting a SIM
      LAI: location area identity


The MS consists of the physical equipment, such as the radio transceiver, display and digital signal processors, and the SIM card. It provides the air interface to the user in GSM networks. As such, other services are also provided, which include:


GSM network areas: In a GSM network, the following areas are defined: Cell: Cell is the basic service area: one BTS covers one cell. Each cell is given a Cell Global Identity (CGI), a number that uniquely identifies the cell.

International Mobile Station Equipment Identity (IMEI):

The international mobile station equipment identity (IMEI) uniquely identifies a mobile station internationally. It is a kind of serial number. The IMEI is allocated by the equipment manufacturer and registered by the network operator, who stores it in the EIR. By means of


Mobile Subscriber ISDN Number (MSISDN): The real telephone number of a mobile station is the mobile subscriber ISDN number (MSISDN). It is assigned to the subscriber (his or her SIM, respectively), such that a mobile station set can have several MSISDNs depending on the SIM.

Mobile Station Roaming Number (MSRN): The Mobile Station Roaming Number (MSRN)


Temporary Mobile Subscriber Identity (TMSI): The VLR, which is responsible for the current location of a subscriber, can assign a temporary mobile subscriber identity (TMSI) which has only local significance in the area handled by the VLR. It is stored on the network side only in the VLR and is not passed to the HLR.

Local Mobile Subscriber Identity (LMSI):


Call from Mobile Phone to PSTN

When a mobile subscriber makes a call to a PSTN telephone subscriber, the following sequence of events takes place: The MSC/VLR receives the message of a call request. The MSC/VLR checks if the mobile station is authorized to access the network. If so, the mobile

The BSC allocates the traffic channel and passes the information to the mobile station. The called party answers the call and the conversation takes place.

The mobile station keeps on taking measurements of the radio channels in the present cell and neighboring cells and passes the information to the BSC. The BSC decides if


Call from PSTN to Mobile Phone

When a PSTN subscriber calls a mobile station, the sequence of events is as follows:
The Gateway MSC receives the call and queries the HLR for the information needed to route the call to the serving MSC/VLR. The GMSC routes the call to the MSC/VLR. The MSC checks the VLR for the location area


GSM Security Issues


The two security goals of GSM are to provide an infrastructure which protects access to the mobile services and to prevent any information from being disclosed. In other words, GSM aims to prevent fraudulent phone use and to provide privacy for both parties. The following security measures are taken to provide security:
  Authentication for registered users
  Secure data transfer
  Subscriber identity protection
  Mobile phones are inoperable without SIM chip
  Duplicate SIMs on network are not permitted
  Keys are securely stored

GSM Security Issues


If all the measures listed above are met, GSM will be able to provide anonymity, authentication, confidentiality, and integrity. GSM divides security into three different levels. Each level provides the mechanism for anonymity, authentication, confidentiality, or integrity. On the lowest level of security, GSM provides authentication and anonymity for the user through the SIM card. The SIM chip serves as the identification of the user. Billing and authentication are verified through the SIM chip. The second layer of security identifies the location of the user and reveals the incoming caller's name to the receiver so the receiver can choose whether or not to accept the call. The third layer encrypts any data traveling between the two users. With the data encrypted and the connection secure, integrity and confidentiality are provided.


Encryption Implementation
A cell phone call placed on a GSM network goes through two steps.

Any mobile device must first be authenticated before any data transmission can begin. Following successful authentication, a private key, Kc, is generated for data exchange. Authentication is done through a challenge and response mechanism.


The base station initially sends out a random 128-bit number, r, to the mobile device. Using A3 encryption, with inputs Ki from the SIM and the random number r, a 32-bit encrypted number SRES is generated. The mobile device then sends the generated SRES back to the network for validation. The network itself knows the mobile device's Ki and can thus compare the value it generated to the value the mobile device generated. Authentication is successful if both numbers are identical.


Security in GSM
Principles
  Only authenticated users are allowed to access the network
  No user data or voice communication is transmitted in clear text
The subscriber identity module (SIM) card is a vital part of GSM security. It stores:
  International Mobile Subscriber Identity (IMSI)
  Ciphering Key Generating Algorithm (A8)
  Authentication Algorithm (A3)
  Personal Identification Number
  Individual Subscriber Authentication Key (Ki)


SIM Anatomy
Subscriber Identification Module (SIM)
  Smart Card: a single chip computer containing OS, File System, Applications
  Protected by PIN
  Owned by operator (i.e. trusted)
  SIM applications can be written with SIM Toolkit


Microprocessor Card
Typical specification
  8 bit CPU
  16 K ROM
  256 bytes RAM
  4K EEPROM
  Cost: $5-50

Smart Card Technology
  Based on ISO 7816 defining
    Card size, contact layout, electrical characteristics
    I/O Protocols: byte/block based
    File Structure

Security in GSM
Mobile station contains A5 algorithm and IMEI
The network stores A3, A5, A8 algorithms
The Authentication Center stores:
  IMSI
  Temporary Mobile Subscriber Identity (TMSI)
  Individual Subscriber Authentication Key (Ki)


Security in GSM: Authentication


[Figure: message sequence between the SIM, the Mobile Station and the Network]
  Channel Establishment
  Identity (TMSI or IMSI)
  Authentication Request (RAND)
  Run Authentication Algorithm (RAND)
  Response (SRES, Kc)
  Authentication Response (SRES)

RAND is 128 bit random sequence
SRES is signed response generated for authentication

Authentication based on RAND


[Figure: authentication based on RAND]
At the network end: RAND (challenge), Ki (128 bit), A3 Algorithm. RAND is transmitted to the mobile.
At the mobile user end, in the SIM: RAND (challenge), Ki (128 bit), A3 Algorithm, A8 Algorithm. The A3 output is transmitted back to the base station.
Proper authentication completed if result is zero
Kc used for encryption of user data and signaling data

Security in GSM: Authentication


Ki is known only to the operator who programs the SIM card and is tied to IMSI
IMSI should be transmitted as little as possible
Only TMSI is used for authentication
TMSI is periodically updated


Security in GSM: Authentication

[Figure: Kc (from A8 algorithm) and Count (from TDMA frame) feed the A5 algorithm; its output is XORed with User Data to give the Encoded message]

Initial Authentication Between User and Network

[Figure: USER side: Ki (from SIM) and r (128-bit, from network) go into A3, giving SRES (32-bit). NETWORK side: Ki (known) and r (128-bit, from network) go into A3, giving SRES (32-bit).]

A8 Key Generation

If authentication is successful, a connection is made and a new key, Kc, is generated to be shared by the user and network. The key is generated by applying an A8 algorithm on values Ki and the random value r. By doing this, a private key Kc will be generated for later use when transferring information.

[Figure: User and Network. Ki (from SIM) and r (from network) go into A8, giving Kc, the private key for both user and network]

Data Encryption & Decryption

With a private key Kc generated, information can be exchanged between two parties. GSM voice ciphers by using the A5 algorithm with inputs Kc, which is known by both parties, and the incoming data. At that point data encryption and decryption is completed.

[Figure: User and Network Communication. DATA and Kc go into A5, giving CIPHERED DATA; CIPHERED DATA and Kc go into A5 on the other side]
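
The three steps on the preceding slides (A3 challenge and response, A8 key generation, A5 ciphering), traced end to end as an added example that is not part of the original slides. The real A3/A8 algorithms are chosen by the operator and A5 is a dedicated stream cipher; HMAC-SHA256 stands in for all three here as an assumption, using the slides' sizes (128-bit RAND and Ki, 32-bit SRES) and the 64-bit Kc that GSM uses. The class and function names, the IMSI and the Ki are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber (not real values).
IMSI = "001010000000001"
KI = bytes(range(16))                     # 128-bit Ki

def _prf(key, label, msg, n):
    # Stand-in primitive (assumption): HMAC-SHA256 truncated to n bytes.
    return hmac.new(key, label + msg, hashlib.sha256).digest()[:n]

def a3(ki, rand):
    return _prf(ki, b"A3", rand, 4)       # SRES, 32 bits

def a8(ki, rand):
    return _prf(ki, b"A8", rand, 8)       # Kc, 64 bits

def a5(kc, count, data):
    # Keystream from Kc and the TDMA frame count, XORed with the data;
    # the same call encrypts and decrypts.
    stream, block = b"", 0
    while len(stream) < len(data):
        ctr = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += _prf(kc, b"A5", ctr, 32)
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki    # Ki never leaves the SIM
    def run_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)   # (SRES, Kc)

class Network:
    def __init__(self, subscribers):
        self._ki_by_imsi = subscribers    # AUC records: IMSI -> Ki
        self._pending = {}                # IMSI -> outstanding RAND
    def challenge(self, imsi):
        self._pending[imsi] = secrets.token_bytes(16)   # 128-bit RAND
        return self._pending[imsi]
    def verify(self, imsi, sres):
        rand = self._pending.pop(imsi, None)            # a RAND is used once
        ki = self._ki_by_imsi.get(imsi)
        if rand is None or ki is None:
            return None
        ok = hmac.compare_digest(sres, a3(ki, rand))
        return a8(ki, rand) if ok else None             # Kc only on a match

def attach(net, sim):
    rand = net.challenge(sim.imsi)
    sres, kc_phone = sim.run_algorithm(rand)            # only SRES is sent back
    return kc_phone, net.verify(sim.imsi, sres)
```

Calling attach(Network({IMSI: KI}), Sim(IMSI, KI)) returns the same Kc for the phone and the network; a SIM holding a different Ki gets None from the network, and an SRES presented a second time is rejected because its RAND has already been consumed.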


Effort to Correct the Problems

Lack of Internal Encryption


GSM solved most of the security issues involved with transmission of data through the radio channel. Currently data is only encrypted between the mobile device and the base stations. All other communication and signaling on the fixed telecommunications network is done in plain text.

Short Message Service


Short message service (SMS) is a service provided

I believe that 3G/4G will have security issues

By default, yes but we need to study on that


How Do You Want to Protect Your Network System?

Thank You Good Luck in the Exam
