Mario Čagalj
University of Split
8.1.2013.
Introduction
Nowadays, mobile phones are used by 80-90% of the
2G: digital cellular networks, with GSM (Global System for Mobile Communications) being the most popular and the most widely used standard (circuit switching)
other 2G technologies: IS-95 CDMA-based (US), PDC (Japan), etc.
[Figure: cellular network overview: Mobile Station, Base Station, Cellular Network, External Network (slides credited EPFL, JPH)]
[Figure: call setup example: subscriber 079/4154678 calls 079/8132627; the network pages its cells for 079/8132627 and radio channels 47 and 68 are assigned]
[Figure: message sequence for locating and calling a mobile]
Periodic registration
Service request
Paging broadcast
Paging response
Assign Ch. 68 / Tune to Ch. 68
Alert tone
User response
BS (base station)
MSC (mobile switching center)
LR (location register)
Subsystems:
RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handover, switching
OSS (operation subsystem): management of the network
GSM: overview
[Figure: GSM system overview: NSS with OSS (OMC, EIR, AUC), VLR, MSC, HLR, GMSC, SS7 signaling, fixed network]
Components
MS (Mobile Station)
BSS (Base Station Subsystem), consisting of:
BTS (Base Transceiver Station): sender and receiver
BSC (Base Station Controller): controlling several transceivers
MSC
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile
cell
use of several carrier frequencies; not the same frequency in adjoining cells
cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
if a mobile user changes cells: handover of the connection to the neighbor cell
[Figure: NSS components EIR and HLR, SS7 signaling, and connections to ISDN (Integrated Services Digital Network), PSTN (Public Switched Telephone Network), PSPDN (Packet Switched Public Data Net.), CSPDN (Circuit Switched Public Data Net.)]
Databases
HLR (Home Location Register)
VLR (Visitor Location Register)
EIR (Equipment Identity Register)
system control
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to one MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)
central master database containing user data: permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR)
local database for a subset of user data, including data about all users currently in the domain of the VLR
GSM
switching functions
additional functions for mobility support
management of network resources
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,
encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights; stolen or malfunctioning mobile stations can be locked and sometimes even localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
[Figures: numbered signaling steps of a mobile terminated call and of a mobile originated call among MS, BSS, MSC, GMSC, VLR and PSTN]
MTC (mobile terminated call) signaling between BTS and MS: paging request, channel request, immediate assignment, paging response, authentication request, authentication response, ciphering command, ciphering complete, setup, call confirmed, assignment command, assignment complete, alerting, connect, connect acknowledge, data/speech exchange
MOC (mobile originated call) signaling between MS and BTS: channel request, immediate assignment, service request, authentication request, authentication response, ciphering command, ciphering complete, setup, call confirmed, assignment command, assignment complete, alerting, connect, connect acknowledge, data/speech exchange
Security in GSM
Based on:
Security in the GSM system by Jeremy Quirke
The GSM Standard (An overview of its security) by SANS Institute InfoSec Reading Room
Confidentiality
voice and signaling encrypted on the wireless link (after successful authentication)
Anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity), newly assigned at each new location update (LUP); encrypted transmission
Ki (128 bit): highly protected; known only to the SIM and the network AUC (Authentication Center); the mobile phone never learns this key and only forwards any required material to the SIM
[Figure: GSM challenge-response authentication: the AC (Authentication Center) generates RAND (128 bit); the SIM runs A3 on Ki (128 bit) and RAND to produce SRES (32 bit) and A8 on Ki and RAND to derive the encryption key Kc; the network computes the same values, and the MSC checks SRES* =? SRES, comparing the response computed by the SIM with the one computed in the network]
A3 and A8 algorithms are both run in SIM at the same time on the
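The challenge-response exchange on the slide above, written out with both sides as an added example (not code from the slides). A3 and A8 are operator-specific and not published, so they are stood in for by a keyed hash (HMAC-SHA256) truncated to the sizes the slides give; the 64-bit length of Kc and the sample IMSI and Ki are assumptions of this example. Note in `SIM.run_gsm_algorithm` that the SIM answers any RAND it is given: GSM authenticates the subscriber to the network only, which is the gap the later UMTS slide addresses with 2-way authentication.

```python
"""GSM challenge-response authentication, both sides, modelled end to end."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

KI_BYTES = 16    # Ki: 128 bit (slides)
RAND_BYTES = 16  # RAND: 128 bit (slides)
SRES_BYTES = 4   # SRES: 32 bit (slides)
KC_BYTES = 8     # Kc: 64 bit (assumption of this example; size not on the slides)


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: SRES = f(Ki, RAND).  The real A3 is operator-specific
    and not public, so a keyed hash truncated to 32 bits is used here."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: Kc = g(Ki, RAND), the key later handed to A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


class SIM:
    """The SIM holds Ki and runs A3 and A8 on the RAND the phone relays to it.
    The phone itself never sees Ki; it only forwards RAND in and SRES/Kc out."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        if len(ki) != KI_BYTES:
            raise ValueError("Ki must be 128 bit")
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        # The SIM answers any 128-bit RAND: GSM authenticates only the
        # subscriber to the network, never the network to the subscriber.
        if len(rand) != RAND_BYTES:
            raise ValueError("RAND must be 128 bit")
        return a3_stand_in(self._ki, rand), a8_stand_in(self._ki, rand)


class AuC:
    """Authentication Center: the only network element that stores Ki."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """(RAND, SRES, Kc) handed to the MSC/VLR; Ki itself never leaves the AuC."""
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(RAND_BYTES)
        return rand, a3_stand_in(ki, rand), a8_stand_in(ki, rand)


def msc_authenticate(triplet: Tuple[bytes, bytes, bytes], sim: SIM) -> Tuple[bool, Optional[bytes]]:
    """MSC side: send RAND as the authentication request, receive SRES* in the
    authentication response and check SRES* =? SRES from the AuC triplet.
    On success both sides hold Kc and the ciphering command can follow."""
    rand, sres, kc = triplet
    sres_star, _kc_sim = sim.run_gsm_algorithm(rand)
    if hmac.compare_digest(sres_star, sres):
        return True, kc
    return False, None


if __name__ == "__main__":
    # Constructed sample subscriber: test-range IMSI and a fixed Ki.
    imsi = "001010123456789"
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    auc = AuC()
    auc.provision(imsi, ki)
    ok, kc = msc_authenticate(auc.triplet(imsi), SIM(imsi, ki))
    print("genuine SIM accepted:", ok, "Kc:", kc.hex() if kc else None)
    ok, kc = msc_authenticate(auc.triplet(imsi), SIM(imsi, bytes(16)))
    print("SIM with wrong Ki accepted:", ok)
```

The MSC only ever sees the triplet, so a compromise of an MSC or VLR exposes RAND/SRES/Kc values but not Ki; this is the design reason the slides stress that Ki stays inside the SIM and the AUC.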
Encryption algorithm A5
symmetric encryption algorithm; voice/data encryption performed by the phone using the generated encryption key Kc
A5 algorithms
A5/0: no encryption used
A5/1 and A5/2: developed far from the public domain and later found flawed
stream ciphers based on linear feedback shift registers
A5/2 completely broken (not used anymore in GSM)
A5/1 is a bit stronger but also broken by many researchers
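The LFSR construction the slide refers to, as an added example that is not the deck's code: an A5/1 keystream generator with the three registers, their feedback taps and the majority clocking rule as publicly documented for A5/1. The order in which key and frame-number bits are loaded (least significant bit first) is an assumption of this example, and the output is not checked against an official test vector here, so read it as a structural illustration: the entire keystream for a burst is determined by 19 + 22 + 23 = 64 bits of register state derived from Kc and the frame number.

```python
"""A5/1 keystream generator, written out to show the LFSR structure."""
from __future__ import annotations

from typing import List, Tuple

R1_LEN, R2_LEN, R3_LEN = 19, 22, 23            # 19 + 22 + 23 = 64 bits of state
R1_TAPS: Tuple[int, ...] = (13, 16, 17, 18)    # feedback taps of each register
R2_TAPS: Tuple[int, ...] = (20, 21)
R3_TAPS: Tuple[int, ...] = (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10             # clocking-control bit of each register
BURST_BITS = 114                               # one GSM burst carries 114 data bits


def _clock(reg: int, length: int, taps: Tuple[int, ...]) -> int:
    """Shift one LFSR left by one bit, feeding back the XOR of its tap bits."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


class A51:
    """A5/1 keystream generator for one (Kc, frame number) pair."""

    def __init__(self, kc: int, frame: int) -> None:
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: the 64 key bits, then the 22 frame-number bits, are XORed
        # into the low bit of every register while all three clock regularly.
        # Loading LSB first is an assumption of this example.
        for i in range(64):
            self._clock_all((kc >> i) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 warm-up cycles with majority clocking; their output is discarded.
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, bit: int) -> None:
        self.r1 = _clock(self.r1, R1_LEN, R1_TAPS) ^ bit
        self.r2 = _clock(self.r2, R2_LEN, R2_TAPS) ^ bit
        self.r3 = _clock(self.r3, R3_LEN, R3_TAPS) ^ bit

    def _clock_majority(self) -> int:
        """Irregular clocking: a register steps only if its clock bit agrees
        with the majority of the three clock bits; returns one output bit."""
        c1 = (self.r1 >> R1_CLK) & 1
        c2 = (self.r2 >> R2_CLK) & 1
        c3 = (self.r3 >> R3_CLK) & 1
        maj = (c1 & c2) | (c1 & c3) | (c2 & c3)
        if c1 == maj:
            self.r1 = _clock(self.r1, R1_LEN, R1_TAPS)
        if c2 == maj:
            self.r2 = _clock(self.r2, R2_LEN, R2_TAPS)
        if c3 == maj:
            self.r3 = _clock(self.r3, R3_LEN, R3_TAPS)
        # Output is the XOR of the most significant bit of each register.
        return ((self.r1 >> (R1_LEN - 1)) ^ (self.r2 >> (R2_LEN - 1))
                ^ (self.r3 >> (R3_LEN - 1))) & 1

    def keystream(self) -> List[int]:
        """228 bits per frame: 114 for the downlink burst, 114 for the uplink."""
        return [self._clock_majority() for _ in range(2 * BURST_BITS)]


def a51_keystream(kc: int, frame: int) -> List[int]:
    return A51(kc, frame).keystream()


def cipher_burst(kc: int, frame: int, bits: List[int], uplink: bool = False) -> List[int]:
    """XOR a 114-bit burst with its half of the keystream; the same call decrypts."""
    if len(bits) != BURST_BITS:
        raise ValueError("a burst carries exactly 114 bits")
    ks = a51_keystream(kc, frame)
    half = ks[BURST_BITS:] if uplink else ks[:BURST_BITS]
    return [b ^ k for b, k in zip(bits, half)]


if __name__ == "__main__":
    # Constructed sample values: a 64-bit Kc and a 22-bit frame number.
    kc, frame = 0x0123456789ABCDEF, 0x134
    burst = [(i % 3) & 1 for i in range(BURST_BITS)]
    ct = cipher_burst(kc, frame, burst)
    print("keystream bits:", len(a51_keystream(kc, frame)))
    print("round trip ok:", cipher_burst(kc, frame, ct) == burst)
```

Because the cipher is a pure XOR with a keystream, decryption is the same operation as encryption; the receiving side only needs the same Kc and frame number, which is why the ciphering command in the call setup sequence can be issued as soon as both sides hold Kc.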
IMSI (International Mobile Subscriber Identity)
when a phone is turned on, the IMSI from the SIM is transmitted in clear to the AUC
after this a TMSI is assigned to this user for location privacy; after each location update or a predefined time out, a new TMSI is assigned to the
using the IDENTITY REQUEST and IDENTITY RESPONSE mechanism; however, the connection cannot be encrypted if the network does not know the IMSI, and so the IMSI is sent in plain text; an attacker can use this to map a known TMSI to the unknown and user-specific IMSI
Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the
Still many reasons to worry about:
most mobiles support < 3G standards (GPRS, EDGE)
when the signal is bad, it is hard to support UMTS rates
mobile providers already invested a lot of money and do not give up upon
hat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_PerezPico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdf