2. Conventional networks 2.

4 GSM

Prof. JP Hubaux

GSM: Global System for Mobile communications

g

Objectives iUnique standard for European digital cellular networks iInternational roaming iSignal quality iVoice and data services iStandardization of the air and the network interfaces iSecurity Principles iStrong integration with the telephone network (PSTN) iInterfaces inspired by the Integrated Services Digital
Network (ISDN) iHence, supervision by means of Signaling System 7 (SS7)
2

Signaling System Number 7

Enhanced services requested by users require bidirectional signaling capabilities, flexibility of call setup and remote database access With SS7, a signaling channel conveys, by means of labeled messages, signaling information relating to call processing and to network management SS7 is the most important signaling system in the world: it supervises the PSTN, the cellular networks (GSM), and the Intelligent Network

SS7 in the PSTN

Analog ISDN SS7 SS7 Analog ISDN

CPE

UNI

NNI
Switch Switch

UNI

CPE

Circuit Switching Network

CPE: Customer Premises Equipment UNI: User-Network Interface NNI: Network-Network Interface ISDN: Integrated Services Digital Network
4

Interface between the circuit switching network and the signaling network
Signaling Links

Signaling Point

Signaling Network (SS7)

Fabric Fabric

Signaling Point

Control Unit

Control Unit Voice Circuits

Signaling and Switching Planes

SP: Signaling Point STP: Signaling Transfer Point

SP STP
Signaling link

SP

Signaling Plane

SP

STP

SP

Switching Plane
Voice circuits

Example of Signaling Network

STP SP

STP

SP

SP
...

STP

PTS SP
7

SP

Operator 1

Operator 2

SS7 Architecture
OSI Layers 7 4, 5 et 6 3 2 1
ASE: Application Service Element INAP: Intelligent Network Application Part MAP: Mobile Application Part MTP: Message Transfer Part

SS7 Layers OMAP ASE TCAP

MAP and INAP

ISDNUser Part For further study (ISUP) SCCP MTP Level 3 MTP Level 2 MTP Level 1
OMAP: Operations, Maintenance and Administration Part SCCP: Signaling Connection Control Part TCAP: Transaction Capabilities Application Part
8

ISUP Call setup phase

ISDN SSP
SETUP

SS7 STP SSP

ISDN

IAM
Call Proceeding

IAM
SETUP Call Proceeding

ACM
ALERTING CONNECT CONNECT ACK

ACM ANM

ALERTING CONNECT CONNECT ACK

9

ANM

IAM: Initial Message; ACM: Address Complete Message; ANM: Answer Message

ISUP Call Release phase

ISDN SSP SS7 STP SSP ISDN

DISCONN

REL

REL
DISCONN

RELEASE

RLC

RLC

RELEASE

RELACK

REL: Release

RLC: Release Complete

10

Addressing in GSM
Call to Nr 085-123456

SIM card User (identifier: IMSI) (identifier: MSISDN)

Terminal (identifier: IMEI)

SIM: Subscriber Identity Module IMSI: International Mobile Subscriber Identity IMEI: International Mobile Equipment Identity MSISDN: Mobile Station ISDN Number

MSISDN 085-123456

IMSI 208347854033

11

GSM Architecture
Equipment Identity Register F C Um Mobile Station BTS Abis A E

Authentication Center

Home Location Register D Visitor Location Register G

BSC BSS

MSC

BSS: Base Station System BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center

MSC Visitor Location Register

12

Functions of the MSC

g g g g g g g g

g g g g

Paging Coordination of call set up from all MSs in its jurisdiction Dynamic allocation of resources Location registration Interworking function with different networks (e.g., PSTN) Handover management Billing for all subscribers based in its area Reallocation of frequencies to BTSs in its area to meet heavy demand Encryption Echo canceler operation control Signaling exchange between different interfaces Gateway to Short Message Service
13

Air interface Um CM MM RRM

GSM air interface protocols

A Abis CM MM RRM RRM BSSAP SCCP MPT3 BSSAP SCCP MTP3 MTP2 MPT1

LAPDm radio

LAPDm radio

LAPDm radio

LAPDm radio

MPT2 MTP1

Mobile Base transceiver station station CM: call management MM: mobility management RRM: Radio resources management (ISDN) BSSAP: BSS Application Part

Base station Mobile switching controller center SCCP: Signal connection control part MTP: message transfer part LAPD: link access - protocol D channel
14

Location updating
MS BSS Mobile turns on Channel setup, radio resource reservation Location updating request Authentication challenge Authentication response MSC/VLR HLR

Authentication info request Authentication info Update location Insert subscriber data Insert subscriber data ack

Ciphering mode command Ciphering mode complete

Cipher mode command

Update location ack

Cipher mode complete TMSI reallocation command

TMSI reallocation complete Location updating accept Clear command Release radio channel

15

Role of SS7: location updating

HLR

PSTN switch

Network BSS MSC/VLR

: messages conveyed by SS7

16

Role of SS7: call supervision

HLR PSTN switch 3 1 MSC 5 2 4

Network BSS 6 MSC/VLR

Data channels are setup after the messages shown have been sent

: messages conveyed by SS7

17

Billing Principles in GSM

g g

Basic principle: the calling party pays Exception: the calling party does not pay for extra charges induced by initiatives of the callee: iroaming icall forwarding

18

Data services of GSM

Short Message Service (SMS) iSimilar to advanced paging systems iMakes use of the control channel General Packet Radio Service (GPRS) iAimed at interfacing the Internet (e.g., for Web browsing) iRates up to 170kb/s High Speed Circuit-Switched Data (HSCSD)

19

Short Message Service: message sent to a MS

MS BSS MSC/VLR HLR SMS-MSC Routing info req. Routing info Paging Channel setup Authentication and ciphering Message Message ACK Release of the radio channel Message ACK Forward message

Service Center

Message transfer

Message tr. report

Assumption: before being paged, the terminal is idle

20

General Packet Radio Service

IP address: 137.32.171.176 Laptop GPRS Network 137.32 Internet

128.178.151.82

LAN: 128.178.151

21

GPRS architecture
Laptop MSC HLR GR

SGSN GGSN GPRS network (based on IP) Data Network (IP)

: signaling + data : signaling only GR: GPRS Register: manages the association between the IP address and the IMSI SGSN: Serving GPRS Support Node (router) GGSN: Gateway GPRS Support Node (router)

22

User plane protocols

Application Network layer: IP, X.25,(Packet Data Protocol) GTP SNDCP LAPG RLC MAC Physical layer MS RLC: Radio Link Control BSSGP: BSS GPRS Protocol GTP: GPRS Tunnel Protocol RLC BSSGP MAC Phys. L. Phys. L. BSS SNDCP LAPG RLC MAC Phys. L. Phys. L. SGSN Physical layer GGSN Data link Data link IP To the data network

Network

Network GTP IP

SNDCP: Subnetwork Dependent Convergence Protocol LAPG: Link Access Protocol on G channel
23

Mobility management
IDLE Detachment or time out Detachment Time out STAND-BY Sending or reception of data READY Attachment to the network

Idle: no active GPRS session Ready: session established; ongoing data exchange; precise mobile location (which cell) Stand-by: session established, with no ongoing data exchange; approximate mobile location, the mobile has to be tracked in its routing area During a GPRS session (Ready or Stand-by states), the session itself is identified by a TLLI (Temporary Logical Link Identity)
24

Network attachment + context activation

MS BSS Channel setup GPRS attach request (IMSI) Authentication Ciphering activation GPRS attach result (TLLI) (MS is attached) Activate PDP context req (TLLI, PDP addr of MS) Provide registration Record request (IMSI) Security functions Provide registration Record response (IP address of the GGSN,) GGSN update request (PDP addr of MS, QoS) Activate PDP context response GGSN update response SGSN HLR/GR GGSN

Profile + auth. request Profile + auth. info

25

GSM Frequencies

GSM (Europe) Frequency band 890-915 MHz 935-960 MHz

DCS (Europe) 1710-1785 MHz 1805-1880 MHz

GSM (USA) 1850-1910 MHz 1930-1990 MHz

DCS = Digital Cellular System: same principles as GSM, but at frequencies better suited for microcells

26

GSM Security: The SIM card (Subscriber Identity Module)

g g g g

Must be tamper-resistant Protected by a PIN code (checked locally by the SIM) Is removable from the terminal Contains all data specific to the end user which have to reside in the Mobile Station:

iIMSI: International Mobile Subscriber Identity (permanent users iPIN iTMSI (Temporary Mobile Subscriber Identity) iKi : Users secret key iKc : Ciphering key iList of the last call attempts iList of preferred operators iSupplementary service data (abbreviated dialing, last short
messages received,...) identity)

27

Cryptographic algorithms of GSM

Random number R Users secret key Ki

A3

A8

Kc

Triplet

Authentication Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm)

A5

Ciphering algorithm

28

Authentication principle of GSM

Mobile Station Visited network
IMSI/TMSI IMSI (or TMSI) IMSI A8 Kc

Home network
Ki R

A3 S

Triplets (Kc, R, S) Triplets

Authenticate (R) Ki R

A8 Kc

A3 S

Auth-ack(S) S=S?
29

Ciphering in GSM

Kc A5

FRAME NUMBER

Kc A5

FRAME NUMBER

CIPHERING SEQUENCE PLAINTEXT SEQUENCE

CIPHERING SEQUENCE CIPHERTEXT SEQUENCE

PLAINTEXT SEQUENCE

Sender (Mobile Station or Network)

Receiver (Network or Mobile Station)

30

Conclusion on GSM security

g g

Focused on the protection of the air interface No protection on the wired part of the network (neither for privacy nor for confidentiality) The visited network has access to all data (except the secret key of the end user) Generally robust, but a few successful attacks have been reported: ifaked base stations icloning of the SIM card

31

GSM today

g g

The common digital cellular technique deployed throughout Europe Probably the leading cellular technology worldwide Hundreds of millions of subscribers in more than 100 countries 7000+ pages of standards...

32

3GPP Security Principles (1/2)

g

Reuse of 2nd generation security principles (GSM):

iRemovable hardware security module

iRadio interface encryption iLimited trust in the Visited Network iProtection of the identity of the end user (especially on the radio
interface)
g

In GSM: SIM card In 3GPP: USIM (User Services Identity Module)

Correction of the following weaknesses of the previous generation:

iPossible attacks from a faked base station iCipher keys and authentication data transmitted in clear between iEncryption not used in some networks iData integrity not provided i
and within networks open to fraud

33

3GPP Security Principles (2/2)

g

New security features iNew kind of service providers (content providers, HLR only
service providers,) iIncreased control for the user over their service profile iEnhanced resistance to active attacks iIncreased importance of non-voice services i

34

Authentication in 3GPP
Mobile Station Visited Network Home Environment
Sequence number (SQN) RAND(i) K: Users secret key

Generation of cryptographic material

User authentication request IMSI/TMSI RAND(i ) AUTN (i )

Authentication vectors

Verify AUTN(i) Compute RES(i) User authentication response RES(i) K Compute CK(i) and IK(i) Compare RES(i) and XRES(i) Select CK(i) and IK(i)

35

Generation of the authentication vectors (by the Home Environment)

Generate SQN Generate RAND AMF K f1 f2 f3 f4 f5

MAC (Message Authentication Code)

XRES (Expected Result)

CK (Cipher Key)

IK (Integrity Key)

AK (Anonymity Key)

Authentication token: AUTN := ( SQN AK ) AMF MAC Authentication vector: AV := RAND XRES CK IK AUTN
AMF: Authentication and Key Management Field
36

User Authentication Function in the USIM

RAND AUTN

SQN AK
f5 AK

AMF

MAC

SQN

K f1 f2 f3 f4

XMAC (Expected MAC)

RES (Result)

CK (Cipher Key)

IK (Integrity Key)

Verify MAC = XMAC Verify that SQN is in the correct range

37

USIM: User Services Identity Module

More about the authentication and key generation function

g

g g

g g

In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). f1, f1*, f2, f3, f4, f5 and f5* are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE MILENAGE is based on the Rijndael block cipher In MILENAGE, the generation of all seven functions f1f5* is based on the Rijndael algorithm

38

Authentication and key generation functions f1f5*

RAND SQN||AMF OPc EK OPc rotate by r1 c1 EK OPc OPc c2 EK OPc OPc rotate by r2 c3 EK OPc OPc rotate by r3 c4 EK OPc OPc rotate by r4 c5 EK OPc rotate by r5 OP EK OPc

f1

f1*

f5 f2

f3

f4

f5*

OP: operator-specific parameter r1,, r5: fixed rotation constants c1,, c5: fixed addition constants

EK : Rijndael block cipher with 128 bits text input and 128 bits key

39

Signalling integrity protection method

SIGNALLING MESSAGE FRESH COUNT-I DIRECTION COUNT-I SIGNALLING MESSAGE FRESH DIRECTION

IK

f9

IK

f9

MAC-I

XMAC-I

Sender (Mobile Station or Radio Network Controller)

Receiver (Radio Network Controller or Mobile Station)

FRESH: random input

40

f9 integrity function
COUNT || FRESH || MESSAGE PS1 PS2 ||DIRECTION||1|| 00 PSBLOCKS-1

PS0

IK

KASUMI

IK

KASUMI

IK

KASUMI

IK

KASUMI

KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) PS: Padded String KM: Key Modifier

IK

KM

KASUMI

MAC-I (left 32-bits)

41

Ciphering method
BEARER COUNT-C LENGTH DIRECTION BEARER COUNT-C LENGTH DIRECTION

CK

f8

CK

f8

KEYSTREAM BLOCK PLAINTEXT BLOCK

KEYSTREAM BLOCK CIPHERTEXT BLOCK

PLAINTEXT BLOCK

Sender (Mobile Station or Radio Network Controller)

Receiver (Radio Network Controller or Mobile Station)

BEARER: radio bearer identifier COUNT-C: ciphering sequence counter
42

f8 keystream generator
COUNT || BEARER || DIRECTION || 00
KM: Key Modifier KS: Keystream

CK

KM

KASUMI

Register BLKCNT=0 BLKCNT=1 BLKCNT=2

BLKCNT=BLOCKS-1

CK

KASUMI

CK

KASUMI

CK

KASUMI

CK

KASUMI

KS[0]KS[63]

KS[64]KS[127] KS[128]KS[191]

43

L0 32
KL1

Detail of Kasumi
64 KO1 , KI1 R0 32 16 32 KOi,1 16 9 16 7

S9
Zero-extend

FL1
KO2 , KI2

FO1
KL2

FIi1

KIi,1

FO2
KL3

FL2

KOi,2 KO3 , KI3

S7

truncate KIi,j,2 KIi,j,1

FIi2

KIi,2

FL3

FO3
KL4

KO4, KI4

FO4
KL5

FL4

KOi,3

S9
Zero-extend

FIi3
KO5 , KI5

KIi,3

FL5

FO5
KL6 Fig. 2 : FO Function 16 KLi,1 KL8 32

S7
truncate

KO6 , KI6

FO6
KL7

FL6

KO7 , KI7

Fig. 3 : FI Function 16

FL7
KO8 , KI8

FO7

FO8

FL8

<<<
KLi,2

<<<
L8 R8 Fig. 4 : FL Function

C
Fig. 1 : KASUMI Bitwise AND operation

KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes

Bitwise OR operation

<<<

44

One bit left rotation

Security: 3GPP vs Mobile IP

3GPP Key management Session key Authentication Data integrity Confidentiality Location privacy wrt correspondents g wrt foreign domain
g

Mobile IP Manual or via the Internet Key Exchange (IKE) Registration key AH AH ESP Yes (e.g., with rev. tunnelling) Partial ?

Manual (KMH) + roaming agreements Authentication vector f1,, f5* (e.g. MILENAGE) f9 (Kasumi) f8 (Kasumi) Yes No (it can require the IMSI) No (cryptographic material provided in advance) Yes

Protection of foreign domain against repudiation by user Lawful interception

45

Conclusion on 3GPP security

g g g

Some improvement with respect to 2nd generation iCryptographic algorithms are published iIntegrity of the signalling messages is protected Quite conservative solution No real size experience so far Privacy/anonymity of the user not completely protected 2nd/3rd generation interoperation will be complicated and might open security breaches

46

References
On Signalling System 7 iTravis Russel, Signaling System #7, Second Edition, McGraw-Hill
Telecommunications, 1998. iUyless Black, ISDN and SS7, Prentice Hall, 1997 iAbdi Modaressi and Ronald A. Skoog, Signaling System N7: A tutorial, IEEE Communications Magazine, July 1990, pp 19-35.

On GSM iD. Goodman: Wireless Personal Communications Systems

iS. Redl et al.: GSM and Personal Communication Handbook iA. Mehrotra: GSM System Engineering
Artech House Publ, 1997
g

Addison-Wesley, 1997

Artech House Publ, 1998

On 3GPP i3rd Generation Partnership Project: http://www.3gpp.org

47