Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 10 Real world security protocols

Similar presentations


Presentation on theme: "Chapter 10 Real world security protocols"— Presentation transcript:

1 Chapter 10 Real world security protocols
GSM Security The Global System for Mobile Communications, GSM (original acronym: Groupe Spécial Mobile) is the most popular standard for mobile phones in the world. GSM service is used by over 2 billion people across more than 212 countries and territories [1] [2]. The ubiquity of the GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world. GSM differs significantly from its predecessors in that both signaling and speech channels are Digital call quality, which means that it is considered a second generation (2G) mobile phone system. This fact has also meant that data communication was built into the system from the 3rd Generation Partnership Project (3GPP). From the point of view of the consumers, the key advantage of GSM systems has been higher digital voice quality and low cost alternatives to making calls such as text messaging. The advantage for network operators has been the ability to deploy equipment from different vendors because the open standard allows easy inter-operability. Like other cellular standards GSM allows network operators to offer roaming services which mean subscribers can use their phones all over the world. The GSM logo is used to identify compatible handsets and equipment As the GSM standard continued to develop, it retained backward compatibility with the original GSM phones; for example, packet data capabilities were added in the Release '97 version of the standard, by means of GPRS. Higher speed data transmission has also been introduced with EDGE in the Release '99 version of the standard. GSM is a cellular network, which means that mobile phones connect to it by searching for cells in the immediate vicinity. GSM networks operate in four different frequency ranges. Most GSM networks operate in the 900 MHz or 1800 MHz bands. Some countries in the Americas (including the United States and Canada) use the 850 MHz and 1900 MHz bands because the 900 and 1800 MHz frequency bands were already allocated. Radio interface The rarer 400 and 450 MHz frequency bands are assigned in some countries, notably Scandinavia, where these frequencies were previously used for first-generation systems. In the 900 MHz band the uplink frequency band is MHz, and the downlink frequency band is MHz. This 25 MHz bandwidth is subdivided into 124 carrier frequency channels, each spaced 200 kHz apart. Time division multiplexing is used to allow eight full-rate or sixteen half-rate speech channels per radio frequency channel. There are eight radio timeslots (giving eight burst periods) grouped into what is called a TDMA frame. Half rate channels use alternate frames in the same timeslot. The channel data rate is kbit/s, and the frame duration is ms. GSM has used a variety of voice codecs to squeeze 3.1kHz audio into between 6 and 13kbps. Originally, two codecs, named after the types of data channel they were allocated, were used, called "Full Rate" (13kbps) and "Half Rate" (6kbps). These used a system based upon linear predictive coding (LPC). In addition to being efficient with bitrates, these codecs also made it easier to identify more important parts of the audio, allowing the air interface layer to prioritize and better protect these parts of the signal. The transmission power in the handset is limited to a maximum of 2 watts in GSM850/900 and 1 watt in GSM1800/1900. GSM was further enhanced in the mid-nineties with the GSM-EFR codec, a 12.2kbps codec that uses a full rate channel. Finally, with the development of UMTS, EFR was refactored into a variable-rate codec called AMR-Narrowband, which is high quality and robust against interference when used on full rate channels, and less robust but still relatively high quality when used in good radio conditions on half-rate channels. There are four different cell sizes in a GSM network - macro, micro, pico and umbrella cells. The coverage area of each cell varies according to the implementation environment. Macro cells can be regarded as cells where the base station antenna is installed on a mast or a building above average roof top level. Micro cells are cells whose antenna height is under average roof top level; they are typically used in urban areas. Picocells are small cells whose diameter is a few dozen meters; they are mainly used indoors. On the other hand, umbrella cells are used to cover shadowed regions of smaller cells and fill in gaps in coverage between those cells. Cell radius varies depending on antenna height, antenna gain and propagation conditions from a couple of hundred meters to several tens of kilometers. The longest distance the GSM specification supports in practical use is 35 km or 22 miles. There are also several implementations of the concept of an extended cell, where the cell radius could be double or even more, depending on the antenna system, the type of terrain and the timing advance. Indoor coverage is also supported by GSM and may be achieved by using an indoor picocell base station, or an indoor repeater with distributed indoor antennas fed through power splitters, to deliver the radio signals from an antenna outdoors to the separate indoor distributed antenna system. These are typically deployed when a lot of call capacity is needed indoors, for example in shopping centers or airports. However, this is not a prerequisite, since indoor coverage is also provided by in-building penetration of the radio signals from nearby cells. The modulation used in GSM is Gaussian minimum shift keying (GMSK), a kind of continuous-phase frequency shift keying. In GMSK, the signal to be modulated onto the carrier is first smoothed with a Gaussian low-pass filter prior to being fed to a frequency modulator, which greatly reduces the interference to neighboring channels (adjacent channel interference). A nearby GSM handset is usually the source of the "dit dit dit, dit dit dit, dit dit dit" signal that can be heard from time to time on home stereo systems, televisions, computers, and personal music devices. When these audio devices are in the near field of the GSM handset, the radio signal is strong enough that the solid state amplifiers in the audio chain function as a detector. The clicking noise itself represents the power bursts that carry the TDMA signal. This is a form of RFI, and could be mitigated or eliminated by use of additional shielding and/or bypass capacitors in these audio devices, however, the increased cost of doing so is difficult for a designer to justify. Network structure the Base Station Subsystem (the base stations and their controllers). The network behind the GSM system seen by the customer is large and complicated in order to provide all of the services which are required. It is divided into a number of sections and these are each covered in separate articles. The structure of a GSM network all of the elements in the system combine to produce many GSM services such as voice calls and SMS. the GPRS Core Network (the optional part which allows packet based Internet connections). the Network and Switching Subsystem (the part of the network most similar to a fixed network). This is sometimes also just called the core network. One of the key features of GSM is the Subscriber Identity Module (SIM), commonly known as a SIM card. The SIM is a detachable smart card containing the user's subscription information and phonebook. This allows the user to retain his or her information after switching handsets. Alternatively, the user can also change operators while retaining the handset simply by changing the SIM. Some operators will block this by allowing the phone to use only a single SIM, or only a SIM issued by them; this practice is known as SIM locking, and is illegal in some countries. Subscriber identity module In the United States, Europe and Australia, many operators lock the mobiles they sell. This is done because the price of the mobile phone is typically subsidised with revenue from subscriptions and operators want to try to avoid subsidising competitor's mobiles. A subscriber can usually contact the provider to remove the lock for a fee, utilize private services to remove the lock, or make use of ample software and websites available on the Internet to unlock the handset themselves. While most web sites offer the unlocking for a fee, some do it for free. The locking applies to the handset, identified by its International Mobile Equipment Identity (IMEI) number, not to the account (which is identified by the SIM card). It is always possible to switch to another (non-locked) handset if such other handset is available. Some providers will unlock the phone for free if the customer has held an account for a certain period. Third party unlocking services exist that are often quicker and lower cost than that of the operator. In most countries removing the lock is legal. Cingular provides free unlock services to its customer after 3 months of subscriptions. In countries like India, Belgium, etc., all phones are sold unlocked. However, in Belgium, it is unlawful for operators there to offer any form of subsidy on the phone's price. This was also the case in Finland until April , when selling subsidized combinations of handsets and accounts became legal though operators have to unlock phone free of charge after a certain amount of time (at most 24 months). GSM was designed with a moderate level of security. The system was designed to authenticate the subscriber using shared-secret cryptography. Communications between the subscriber and the base station can be encrypted. The development of UMTS introduces an optional USIM, that uses a longer authentication key to give greater security, as well as mutually authenticating the network and the user - whereas GSM only authenticated the user to the network (and not vice versa). The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation. GSM security GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. A large security advantage of GSM over earlier systems is that the Ki, the crypto variable stored on the SIM card that is the key to any GSM ciphering algorithm, is never sent over the air interface. Serious weaknesses have been found in both algorithms, and it is possible to break A5/2 in real-time in a ciphertext-only attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one. Core technology: See also 2G 4G 3G 2.5G Architectural elements: Base Station Subsystem (BSS) Base Station Controller (BSC) Subscriber Identity Module (SIM) Mobile Switching Center (MSC) Home Location Register (HLR) Visitors Location Register (VLR) Radio: Equipment Identity Register (EIR) GSM frequency ranges Services: Cellular traffic GSM services GSM localization MMS GSM codes for supplementary services SMS Cell Broadcast GPRS WAP Wireless Application Protocol Standards: European Telecommunications Standards Institute (ETSI) Comparison of mobile phone standards Intelligent network (IN) Common terms: Parlay International Mobile Equipment Identity (IMEI) Handoff Mobile Station Integrated Services Digital Network (MSISDN) International Mobile Subscriber Identity (IMSI) Related technologies: External links GSM-R (GSM-Railway) 3GPP The current standardisation body for GSM with free standards available. GSM Association - the group representing GSM operators (official site) - includes coverage maps for all members GSM and GPRS Tutorials explained with realtime Scenario traces Overview of GSM by John Scourias GSM/Telecom Resources 3GPP numbering scheme Visualtron's tutorial on GSM GSM-security.net FAQ Number of GSM Subscribers GSM technical overview and tutorial from Radio-Electronics.Com GSM - ideas, origin and milestones - a Norwegian perspective from Telenor's journal of technology Telektronikk List of acronyms of GSM network parameters GSM Call Flow Diagrams Selection of GSM Handsets GSM Wireless Terminals Cell Phone Safety and Wireless Facts bat-smg:GSM Smart Car Surveillance System How to trace your missing car using a GSM cell phone (Wiki eHow) GSM in Africa This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer) Translations Donate to Wikimedia Directory > Words > Translations Translations for: Gsm Dansk (Danish) abbr. - Global System for Mobile Communications, globalt system for mobilkommunikation Français (French) abbr. - (abrév = Global Systems for Mobile Communications) GSM, système global de communications mobiles Deutsch (German) abbr. - Globales System zur Standardisierung von Mobile Español (Spanish) abbr. - Sistema Global para Mobile 中文(简体) (Chinese (Simplified)) 全球数字移动电话系统图系统模块 中文(繁體) (Chinese (Traditional)) abbr. - 全球數位移動電話系統圖系統模組 한국어 (Korean) abbr. - general sales manager (판매 부장) עברית (Hebrew) abbr. - ‮רשת תקשורת של טלפון תאי (סלולרי)‬ If you are unable to view some languages clearly, click here. To select your translation preferences click here. GSM is mentioned in these AnswerPages: gsm (Shopping) gsm 95 (Shopping) gsm pda (Shopping) logo gsm (Shopping) S700i Gsm (Shopping) Gsm-fm-2w-4c (Shopping) Gsm Quadband (Shopping) P910 Gsm (Shopping) treo 600 gsm (Shopping) treo 650 gsm (Shopping) More>  Mentioned In Chapter 10 Real world security protocols

2 Chapter 10 Real world security protocols
GSM Architecture VLR (Visitor Location Register) HLR (Home Location Register) AuC (Authentication Center) air interface Mobile Base Station AuC VLR “land line” HLR PSTN Internet Etc. Visited Network Base Station Controller Home Network Chapter 10 Real world security protocols

3 Chapter 10 Real world security protocols
GSM 시스템 구성요소 휴대 전화: cell phone SIM(Subscriber Identity Module)을 내장 Smart card Air interface 방문 네트워크(Visited network) 기지국(base station) 기지국 제어기(base station controller) SIM Chapter 10 Real world security protocols

4 Chapter 10 Real world security protocols
GSM 시스템 구성요소 PSTN (공중 전화망) Home network  휴대전화가 속해 있는 망 HLR (Home Location Register)  AuC (Authentication Center)  IMSI/Ki를 보관 IMSI(International Mobile Subscriber ID) Chapter 10 Real world security protocols

5 Mobile phone: cell phone
SIM(Subscriber Identity Module) 내장 SIM은 security module로서 다음의 정보를 갖는다. IMSI (International Mobile Subscriber ID): 휴대전화 사용자를 구별 사용자 키 Ki (128 bits) SIM을 사용하는 목적은 조작을 방지하기 위한 H/W(smart card)를 제공하는 것이다. SIM Chapter 10 Real world security protocols

6 방문 네트워크(Visited network)
다수의 기지국 하나의 셀(cell) 마다 하나의 기지국 존재 기지국 제어기 VLR (Visitor Location Register)은 기지국 제어기에 존재한다. 현재 Visited network에 방문한 휴대전화의 정보를 기록한다. Chapter 10 Real world security protocols

7 Chapter 10 Real world security protocols
Home network 휴대 전화가 속한 홈 네트워크 각 휴대전화는 하나의 홈 네트워크에 등록되어 있다. HLR (Home Location Register) 등록된 휴대전화가 현재 어떤 방문 네트워크에 있는지 기록한다. AuC (Authentication Center) IMSI(international Mobile Subscriber ID): 가입자 식별 번호 Ki: SIM 사용자 번호 모든 휴대전화 사용자에 대한 요금 정보를 갖는다. Chapter 10 Real world security protocols

8 Chapter 10 Real world security protocols
GSM 보안의 목표 주 목표 GSM를 공중 전화망과 같은 정도의 보안 유지 복제 방지 능동적인 공격은 고려하지 않음! 그때는 이러한 공격은 실현 가능성이 없었다. 가장 큰 위협은 안전하지 않은 요금 관리 Chapter 10 Real world security protocols

9 Chapter 10 Real world security protocols
GSM 보안 특징 익명성(Anonymity) 사용자의 신분이 드러나지 않도록 한다. 전화회사에는 그리 중요하지 않다. 인증(Authentication) 정확한 요금 청구를 위해서 필요 전화 회사에는 가장 중요한 문제! 기밀성(Confidentiality) 전화 회사에는 그리 중요하지 않다. Chapter 10 Real world security protocols

10 Chapter 10 Real world security protocols
GSM: 익명성 IMSI는 처음에 송신자를 식별하는데 사용된다. 공격자가 통신 메시지의 시작 부분을 캡쳐하면 IMSI를 알 수 있다. 그래서 TMSI (Temporary Mobile Subscriber ID)를 사용 TMSI는 자주 변경 TMSI는 보낼 때 암호화함 익명성을 확실하게 보장하지 않는다. 하지만 대부분의 사용자에게는 충분함 Chapter 10 Real world security protocols

11 Chapter 10 Real world security protocols
GSM: 인증 Caller는 기지국에 인증 상호 인증은 아니다. challenge-response에 의한 인증 Home network은 RAND를 생성하고 XRES = A3(RAND, Ki)를 계산한다. (A3는 hash) 그리고 (RAND,XRES)를 기지국에 보낸다. 기지국은 challenge RAND를 휴대 전화에 보낸다. 휴대전화의 response는 SRES = A3(RAND, Ki) 기지국은 검증: SRES = XRES Ki는 홈 네트워크를 벗어나지 않는다! Chapter 10 Real world security protocols

12 Chapter 10 Real world security protocols
GSM: 기밀성 데이터는 stream cipher로 암호화 에러율이 대략 1/1000 에러율이 높아서 block cipher를 사용할 수 없다. Chapter 10 Real world security protocols

13 Chapter 10 Real world security protocols
GSM: 기밀성 홈네트워크가 기지국으로부터 IMSI를 받을 때, 홈네트워크는 다음을 계산한다. Kc = A8(RAND, Ki), where A8 is a hash GSM 암호화 키 : Kc 그러면 Kc는 (RAND,XRES)와 함께 기지국으로 전송된다. 기지국은 앞에서와 같이 인증 절차가 완료되면, 휴대전화는 Kc = A8(RAND, Ki)를 계산 기지국은 이미 Kc를 알고 있다. 따라서 휴대전화와 기지국은 대칭키를 공유한다. A5(Kc)로부터 키스트림을 발생한다. Ki 는 홈 네트워크를 벗어나지 않는다! Chapter 10 Real world security protocols

14 Chapter 10 Real world security protocols
GSM의 보안상의 문제점 GSM에서 사용하는 암호 알고리즘에 결함 또한 프로토콜에 결함 가장 큰 문제는 처음 설계자들의 잘못된 보안의 가정이다. Chapter 10 Real world security protocols

15 GSM 보안 SRES와 Kc는 상관 관계가 없어야 한다.
1. IMSI 2. IMSI 4. RAND 3. (RAND,XRES,Kc) 5. SRES Mobile Base Station Home Network 6. Kc로 암호화 SRES와 Kc는 상관 관계가 없어야 한다. 둘 다 RAND와 Ki에서 유도되었더라도 알려진 RAND/SRES pair에서부터 Ki를 추측하는 것이 가능하지 않아야 한다. (known plaintext attack) 선택된 RAND/SRES pair에서부터 Ki를 추측하는 것이 가능하지 않아야 한다.(chosen plaintext attack)

16 Chapter 10 Real world security protocols
GSM 암호 알고리즘 결함 A3/A8는 해쉬로 COMP128를 사용 150,000개의 선택된 평문으로 해독될 수 있다. SIM에서 2시간에서 10시간 만에 Ki를 구할 수 있다. 암호화 알고리즘 A5/1 알려진 평문 공격에 2초만에 깨진다. Chapter 10 Real world security protocols

17 Chapter 10 Real world security protocols
GSM: 잘못된 가정 GSM의 호(call)는 휴대 전화와 기지국 사이에서 암호화 된다. 오직 휴대전화와 기지국 만을 보호한다. 하지만 기지국과 기지국 제어기 사이에는 암호화되지 않는다. 이 사이에서의 통신은 마이크로파를 사용할 때가 있다. Base Station VLR Base Station Controller Chapter 10 Real world security protocols

18 Chapter 10 Real world security protocols
GSM: SIM 공격 SIM card에 대한 공격 Optical Fault Induction Partitioning Attacks SIM을 갖고 있으면 공격자는 수 초안에 Ki 을 찾아낼 수 있다. 휴대폰을 분실했다면 수초 안에 복제해 낼 수 있다!!! Chapter 10 Real world security protocols

19 Chapter 10 Real world security protocols
GSM: 프로토콜의 결함 (가짜 BS) 가짜 기지국은 프로토콜의 두 가지 결함을 이용한다. ① 상호 인증이 아니다. Caller는 기지국에 인증을 받지만 caller는 기지국을 인증하지 않는다. ② air interface에서의 암호화는 자동적으로 이루어지지 않는다. 기지국이 암호화할 지 않을지를 결정한다. Chapter 10 Real world security protocols

20 Chapter 10 Real world security protocols
GSM: 프로토콜 결함 (2/3) RAND Call to SRES destination No Mobile Fake Base Station encryption Base Station 가짜 기지국은 보통의 전화 같은 역할을 한다. 그래서 가짜 기지국과 합법적인 기지국 사이에는 보통의 GSM 전화 통신이 이루어지고 암호화된다. 기지국은 통화를 엿들을 수 있다. 요금은 가짜 기지국으로 청구된다! Chapter 10 Real world security protocols

21 Chapter 10 Real world security protocols
GSM: 프로토콜 결함 (3/3) RAND Call to SRES destination No Mobile Fake Base Station encryption Base Station 가짜 기지국은 어떤 RAND와 이에 해당하는 값을 보내기 때문에 SIM에 대한 선택 평문 공격(chosen plaintext attack)을 할 수 있다. Chapter 10 Real world security protocols

22 Chapter 10 Real world security protocols
GSM: 프로토콜 결함 (재사용) 기지국은 (RAND, XRES, Kc)을 재사용할 수 있다. 서비스 거부 공격이 가능하다. jamming(이것은 무선 통신에서 영원한 문제이다) Chapter 10 Real world security protocols

23 Chapter 10 Real world security protocols
GSM 결론 GSM은 목표를 달성했는가? 복제 방지? Yes air interface를 PSTN 만큼 안전하게 한다? 아마도… 하지만 설계의 목표는 명백히 제한적이다. GSM의 불안전한 보안 암호화 알고리즘의 약점, SIM 문제, 위조 BS, 재사용 등등. PSTN 불안전성 도청, 적극적 공격, 수동적 공격 (e.g., 코드리스 전화), 등등. GSM의 보안은 어느 정도는 성공적이지 않는가? Chapter 10 Real world security protocols


Download ppt "Chapter 10 Real world security protocols"

Similar presentations


Ads by Google