GSM Security

This document discusses security issues with the GSM cellular network. It provides an overview of GSM including its history, architecture, and features. It describes the goals of GSM security including authentication, encryption, and privacy. The core security mechanisms and algorithms such as A3, A8, and A5 are explained. However, weaknesses have been found including the small key size, lack of authentication from mobile station to base station, and transmission of plain text IDs. Various attacks exploiting these weaknesses are also summarized such as sim card cloning by cracking the authentication algorithm through collecting challenge-response pairs.

Uploaded by Issam Bala

EE 588 - NETWORK SECURITY

Agenda
Introduction
GSM Overview
GSM Security Principles
Weakness of GSM
Solutions for Weakness
Introduction
Billions of users
Most computer users know basic concepts such as virus, antivirus, trojan…
But people do not even have any idea about GSM security.
They blindly trust GSM.

GSM Overview – GSM History
1876 - First telephone was invented by Alexander Bell.
1973 - First handheld cellular phone was released by Motorola.
1978 - First cellular network was set up in Bahrain
1982 - The European Conference of Post and
Telecommunications Administrations (CEPT) formed a group
called Group Spéciale Mobile (GSM) to develop a European
cellular system that would replace the many existing
incompatible cellular systems already in place in Europe.
1987 – A milestone was achieved with the signing of the GSM
Memorandum of Understanding (MoU) by operators, agreeing
to implement cellular networks, based on the GSM
specifications. While it was clear from the start that GSM
would be a digital system, it was officially announced in 1987.
1991 - GSM service started. In the same year, GSM was
renamed to Global System for Mobile Communications from
Group Spéciale Mobile.
GSM Overview – GSM Features
International Roaming - single subscriber number worldwide
Superior speech quality - better than existing analog cellular
technology
Short Message Service (SMS)
Packet Radio Service (GPRS)
Digital compatibility - easily interfaces with existing digital
networks like the Integrated Services Digital Network (ISDN)
GSM Overview – GSM Architecture
Cells and Cluster Structure
GSM Overview – GSM Architecture
Device Structure
GSM Overview – GSM Architecture
Device Structure – 2
Subscriber Identity Module (SIM) Card: An operator-dependent smart card
which contains the A3/A8 algorithms, the IMSI and Ki.
Mobile Equipment (ME): An operator-independent communication device.
It contains the A5 algorithm.
Base Transceiver Station (BTS): Base stations form a patchwork of radio
cells over a given geographic coverage area.
Base Station Controller (BSC): A node controlling a number of BTSs,
coordinating handovers and performing base station co-ordination not
related to switching.
GSM Overview – GSM Architecture
Device Structure – 3
Mobile Switching Center (MSC): A node controlling a number of BSCs. It is
the central device and performs many functions in the GSM system.
Home Location Register (HLR): Records the most recent known location of
all MSs belonging to the MS's home area. It contains all administrative
information about each registered user.
Visited Location Register (VLR): Records information about all MSs while
they are in the "visiting" area.
Authentication Centre (AuC): Used by an HLR to generate random challenges
(RAND) and to store the secret key information (Ki) relating to each of
its MSs.
Equipment Identity Register (EIR): Tracks suspicious devices using the
white list, the gray list and the black list.
GSM Security – Goals & Concerns
Billing the right person
Providing systems to avoid fraud
Protecting services against attacks
Customers should have privacy; nobody should be able to detect their
identity or their location
Communication over the air should be encrypted to avoid eavesdropping
Mobile equipment independent
GSM Security – Goals & Concerns
Security mechanisms:
Shouldn’t add much load to the voice calls or data communication
Shouldn’t increase the bit error rate
Shouldn’t bring expensive complexity to the system
Should be useful and cost efficient
Should be able to detect suspicious mobile equipment
GSM Security Mechanisms
4 main security mechanisms:
Authentication of a user: accessing the network
Ciphering of the data and signaling: signaling and user data protection
Confidentiality of a user identity: using the TMSI instead of the IMSI
Using the SIM as security module: PIN code; it contains the IMSI, Ki, and
the A3 and A8 algorithms
GSM Security Algorithms
A3 Algorithm; Kept in SIM card, used for Authentication
of a user
GSM Security Algorithms
A8 Algorithm; Kept in SIM card, used for producing
Voice Key
GSM Security Algorithms
COMP128:
COMP128 is a hash function which is an implementation of the A3 and A8
algorithms in the GSM standard.
It was designed by the Algorithm Expert Group in 1987.
Most of the operators use the example COMP128 design.
GSM Security Algorithms
COMP128:
COMP128 takes the RAND and the Ki as input
128 bits of output:
The first 32 bits are the SRES response
The last 54 bits are the session key, Kc
GSM Security Algorithms
A5 Algorithm; Kept in Mobile Equipment, used for Ciphering Data
It is a stream cipher: it works bit by bit, not on blocks as DES and AES do.
An error in a received ciphertext bit only results in the corresponding
plaintext bit being in error.
GSM Security Algorithms
A5 Algorithm; Kept in Mobile Equipment, used for Ciphering Data
Kc: produced by A8
Plaintext: Voice
Fn: the frame bits, which are mixed into the LFSRs together with Kc
LFSR STRUCTURE (figure): three linear feedback shift registers R1, R2 and
R3 with feedback taps (R1: bits 18, 17, 16, ...; R2: bits 21, 20; R3:
bits 22, 21, 20, ...) and clocking bits C1, C2 and C3 that drive the
stop/go clock control.
A5/1 : Operation
All 3 registers are zeroed
64 cycles (without the stop/go clock) :
Each bit of Kc (lsb to msb) is XOR'ed in parallel into the
lsb's of the registers
22 cycles (without the stop/go clock) :
Each bit of Fn (lsb to msb) is XOR'ed in parallel into the
lsb's of the registers
100 cycles with the stop/go clock control,
discarding the output
228 cycles with the stop/go clock control which
produce the output bit sequence.
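The key setup and output phases listed above, as an added worked example in Python that is not part of the slides: the register sizes (19, 22, 23 bits), feedback taps, clocking bits and the majority rule behind the stop/go control are the public A5/1 parameters the slide leaves implicit, and a51_keystream returns the two 114-bit halves of one frame's keystream. The test vector used to check it is the one published with the Briceno, Goldberg and Wagner pedagogical A5/1 implementation.

```python
# Added example (not from the slides): A5/1 keystream generation in the
# order the operation slide lists. Taps, register sizes and clocking bits
# are the public A5/1 parameters, which the slide does not state.
R1_MASK, R1_TAPS, R1_CLK = 0x07FFFF, 0x072000, 1 << 8   # 19 bits, taps 18,17,16,13
R2_MASK, R2_TAPS, R2_CLK = 0x3FFFFF, 0x300000, 1 << 10  # 22 bits, taps 21,20
R3_MASK, R3_TAPS, R3_CLK = 0x7FFFFF, 0x700080, 1 << 10  # 23 bits, taps 22,21,20,7

def _step(reg, mask, taps):
    """Shift one LFSR; the feedback bit is the XOR of the tapped bits."""
    return ((reg << 1) & mask) | (bin(reg & taps).count("1") & 1)

class A51:
    def __init__(self, kc, frame):
        self.r1 = self.r2 = self.r3 = 0          # all 3 registers zeroed
        for i in range(64):                      # 64 cycles without stop/go clock:
            self._clock_all((kc >> i) & 1)       # Kc bits (lsb to msb) XORed into lsbs
        for i in range(22):                      # 22 cycles: frame number Fn, lsb first
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                     # 100 stop/go cycles, output discarded
            self._clock()

    def _clock_all(self, bit):
        """Clock all three registers, then XOR one key/frame bit into each lsb."""
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock(self):
        """Stop/go control: a register steps only if its clocking bit equals the majority."""
        c1, c2, c3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = c1 + c2 + c3 >= 2
        if c1 == maj: self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj: self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj: self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def bit(self):
        """One stop/go cycle; the output bit is the XOR of the three msbs."""
        self._clock()
        return ((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)) & 1

def a51_keystream(kc, frame):
    """114 downlink + 114 uplink bits, each packed msb-first into 15 bytes; kc is 8 bytes, byte 0 bit 0 fed first."""
    gen = A51(int.from_bytes(kc, "little"), frame)
    halves = []
    for _ in range(2):
        buf = bytearray(15)
        for i in range(114):
            buf[i // 8] |= gen.bit() << (7 - i % 8)
        halves.append(bytes(buf))
    return halves[0], halves[1]
```

Because each burst carries only 114 bits, the last byte of each half holds just 2 keystream bits and its low 6 bits stay zero.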
GPRS Security
The same A3/A8 algorithms are used with the same Ki but a different RAND.
The resulting Kc is different from the voice communication key, and this
Kc is used to encrypt GPRS data. This Kc is referred to as GPRS-Kc.
Similarly, SRES and RAND are referred to as GPRS-SRES and GPRS-RAND. The
GPRS cipher is also referred to as GPRS A5 or GEA (GPRS Encryption
Algorithm).
Weakness of GSM
Operators use the COMP128 function without even changing it.
The bit size of the algorithms is weak. The A5/1 algorithm uses a 64-bit
Kc in the best case (with COMP128, a 54-bit Kc).
Authentication exists in one direction only: the network authenticates
the MS, but the MS does not authenticate the BTS.
No Caller ID or Sender ID verification; data and IDs are transmitted in
different channels.
The IMSI is sent as plain text in the first communication.
History of Cracking Algorithms
1991: GSM implementation.
April 1998: The Smartcard Developer Association (SDA) together with U.C.
Berkeley researchers cracked the COMP128 algorithm stored in the SIM and
succeeded in recovering Ki within several hours. They discovered that Kc
uses only 54 bits.
August 1999: The weak A5/2 was cracked using a single PC within seconds.
December 1999: Alex Biryukov, Adi Shamir and David Wagner published a
scheme breaking the strong A5/1 algorithm. Given two minutes of
intercepted call, the attack time was only 1 second.
May 2002: The IBM Research group discovered a new way to quickly extract
the COMP128 keys using side channels.
Side Channels
Popular Attack Types – Capturing Mobile Stations
A modified BTS impersonates the network to the MS, while a modified MS
impersonates the MS to the network.
The fake BTS can request the IMSI, IMEI or TMSI.
Popular Attack Types – Attacks on the Authentication Algorithm
Cloning SIM Card
COMP128 was never made public, but the design has been reverse engineered
and cryptanalyzed.
All that is needed to clone a SIM card is the 128-bit COMP128 secret key
Ki and the IMSI which is coded in the SIM.
By copying Ki and the IMSI into an empty SIM, an opponent can behave as
the user.
Ki is needed for cloning a SIM card.
Popular Attack Types – Attacks on the Authentication Algorithm
Cloning SIM Card - 2
The MS uses 66 frames in the authentication process.
The duration of the whole signaling sequence is 4.615 ms/frame x 66
frames = 0.30459 s.
It is known that the cryptographic attack requires approximately 150 000
challenge-response pairs.
This means that the attack takes approximately 45,689 seconds (150 000
challenges x 0.30459 s), that is approximately 13 hours.
The attack can be performed in parts: the attacker could re-query the MS
for 30 minutes every day.
Popular Attack Types – Attacks on the Confidentiality of GSM
Brute-Force Attacks:
Kc is 64 bits, although the last 10 bits are set to zero. This reduces
the key space from 2^64 to 2^54.
A5/2 can be broken in real time with a work factor of approximately 2^16.
A5/1 can be broken with a work factor of 2^40.
A key space of 2^54 would thus require about 18 hours.
Popular Attack Types – Attacks on the Confidentiality of GSM
Goldberg, Wagner and Green
Known Plaintext Attacks:
T is the number of calculations; 2^20 calculations can be made in 1
second by personal computers.
Popular Attack Types – Attacks on the Confidentiality of GSM
Israeli researchers: the A. Biryukov, A. Shamir and D. Wagner attack
Popular Attack Types – Denial of Service (DoS) Attacks
DoS attacks can be performed by physically disturbing radio signals or by
logical means.
The attacker could for example cut the wire leaving a base station.
Jamming affects GSM radio signals badly.
Some Useful Solutions against Attacks - 1
Using secure algorithms for A3/A8 implementations
All the operators are using COMP128; they should change the algorithm.
This prevents the SIM card cloning attack.
Operators can perform such an improvement themselves, without any need
for new software and hardware.
This solution requires providing and distributing new SIM cards and
modifying the software of the HLR.
Some Useful Solutions against Attacks - 2
Using secure ciphering algorithms
Operators can use newer and more secure algorithms such as A5/3.
The deployed cryptographic algorithms should be implemented on both the
BTS and mobile phones.
Some Useful Solutions against Attacks - 3
End-to-end Security
Most GSM security vulnerabilities (except SIM cloning and DoS attacks) do
not target ordinary people.
Their targets are usually restricted to special groups.
It is reasonable and economical for such groups to secure their
communications with end-to-end security.
Encryption and security establishment should be performed at the end
entities.
Thank You !
