




Security Analysis and Improvements of GSM Air Interface Protocol

Qijie Tang*, Xu Li
Key Lab. of Universal Wireless Communications, Ministry of Education
Beijing University of Posts and Telecommunications
Beijing, P. R. China 100876

Abstract

This paper presents an overview of the most widely used communications network, the Global System for Mobile Communications (GSM), and investigates the current state of its security features. We analyze the security structure and mechanisms in three aspects, then describe several attacks against the protocol, including the denial of service (DoS) attack and the man-in-the-middle (MITM) attack. The last part of the paper focuses on countermeasures. A pre-authentication procedure and mutual authentication are considered to be effective ways to mitigate these threats.

Keywords: GSM security, DoS, man-in-the-middle

1 Introduction

Before second-generation mobile communications emerged, AMPS and TACS had prevailed for many years. However, their cellular drop rate, interference/interception rate and general fraud were extensive. It was easy for someone with nothing more than a special communication tool to tune in and eavesdrop on mobile conversations, because the voice and user data transmitted over the network were not encrypted. To prevent such flaws in mobile communication and make mobile phone traffic more reliable, GSM became a better solution. The GSM platform was formed in 1982, and it does provide a far more secure and confidential method of communication.

Nowadays, thousands of millions of people use GSM to communicate at any time and anywhere, for business and convenience. Undoubtedly the GSM network is a hugely successful wireless technology and an unprecedented invention of global achievement. The GSM network incorporates security mechanisms. Network operators and their customers rely on these mechanisms for the privacy of their calls and for the integrity of the cellular network. The security mechanisms protect the network by authenticating customers to the network, and provide privacy for the customers by encrypting conversations while they are transmitted over the air. But in recent years, researchers have been investigating the vulnerabilities of the protocol and system, showing that it is actually unsafe.

Since encryption methods were adopted by the network, research on cracking them has been ongoing simultaneously. Alex Biryukov, Adi Shamir and David Wagner showed that they can find the A5/1 key in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analyzing the output of the A5/1 algorithm in the first two minutes of the conversation [1].

Ian Goldberg and David Wagner of the University of California at Berkeley published an analysis of the weaker A5/2 algorithm showing a work factor of 2^16, or approximately 10 milliseconds.

Elad Barkan, Eli Biham and Nathan Keller of Technion, the Israel Institute of Technology, have shown a ciphertext-only attack against A5/2 that requires only a few dozen milliseconds of encrypted off-the-air traffic. They also described new attacks against A5/1 and A5/3 [2].

At a later time, Ian Goldberg and David Wagner demonstrated that all A8 implementations they looked at, including the few that did not use COMP128, were deliberately weakened. The A8 algorithm takes a 64-bit key, but ten key bits were set to zero. The attack on the A8 algorithm takes just 2^19 queries to the GSM SIM (subscriber identity module), which takes roughly 8 hours.

Josyula R. Rao, Pankaj Rohatgi and Helmut Scherzer of IBM and Stephane Tinguely of the Swiss Federal Institute of Technology have shown a method by which COMP128 can be broken in less than a minute [3].

All the above research is based on vulnerabilities of the encryption, which will not be covered in this paper. If necessary, readers can download those papers for research of their own.
This paper is mainly concerned with flaws in the protocol and their related attacks.

The paper is structured as follows: in the second part, we look at the mechanisms GSM uses to ensure its security. Section 3 covers the classic attacks on the network. The next part presents some effective measures against the threats. The conclusion is given in Section 5.

2 Security analysis of GSM

Security in wireless networks is an important issue since users are more and more likely to put personal, important or mission-critical data over an infrastructure that is not truly secure. The GSM system does provide solutions to a few important aspects of security: subscriber authentication, subscriber identity confidentiality, and confidentiality of voice and data over the radio path. In the following, we describe each aspect in detail.

2.1 Subscriber identity confidentiality

The purpose of this function is to prevent an interceptor of the mobile traffic from identifying which subscriber is using a given resource on the radio path. Every phone has a unique international mobile subscriber identification (IMSI) number, and each IMSI is associated with a key Ki. The IMSI and the Ki are stored in the SIM card and in a database at the service provider called the home location register (HLR), which means it will not and should not be transmitted in clear text over the air [5]. To hide the location of the phone, a temporary mobile subscriber identification (TMSI) is used instead of the IMSI to identify a mobile subscriber on the radio path. The TMSI is allocated by the VLR where the MS is registered. A new TMSI is allocated by the VLR at least on every location update. In certain special circumstances, the fixed part of the network can require the MS to send the IMSI in clear. A new TMSI is then allocated and sent to the MS in ciphertext.

2.2 Subscriber identity authentication

This function can be launched by the network whenever one of the following events happens [4]:

1. The subscriber applies for a change of a subscriber-related information element in the VLR or HLR. The subscriber-related information element includes location updating involving change of VLR, registration, or erasure of supplementary services.
2. The subscriber accesses a service. The service may be setting up mobile originated or terminated calls, or activation or deactivation of a supplementary service.
3. First network access after restart of MS of VLR.
4. The cipher key sequence number mismatches.

The authentication protocol is based on the combination of the A3/A8 algorithms. The A3 algorithm is implemented at both the network side and the MS side.

The procedure contains the following steps to complete the authentication:

1) The system sends a non-predictable number RAND to the MS;
2) The MS uses Ki and RAND with algorithm A3 to compute the result, outputting SRES. Meanwhile algorithm A8 at both sides also calculates the ciphering key Kc from Ki and RAND;
3) On the network side, the system has already calculated the SRES in the same way as the MS;
4) The MS transmits the SRES to the network for validation, and stores the Kc in its own SIM;
5) If both SRES values match, the MS connects to the system; otherwise, the network drops the connection with the MS and frees the channels.

[Figure 1: Authentication and encryption procedure of GSM]

The protocol stipulates that Kc will not be transmitted over the air, diminishing the risk of Kc being stolen.

2.3 Confidentiality of signaling information elements, connectionless data and user information elements

Since personal mobile communication is a private activity between two parties, all the signals, including signaling information, user data, user identity, and so on, should be strictly protected. In order to achieve this confidentiality, GSM has established an encryption scheme at OSI layer 1.

A ciphering method, A5, is used to encrypt voice and signaling data. It is a stream cipher based on three clock-controlled LFSRs using a ciphering key Kc. The layer 1 data flow (transmitted on a dedicated control channel (DCCH) or a traffic channel (TCH)) is obtained by the bit-per-bit binary addition of the user data flow and a ciphering bit stream. The detailed ciphering can be found in [2].

We should note that there is a distinction between data on a DCCH and data on a TCH:

1. On a DCCH the start of enciphering is under control of the network. The BS sends in clear text a message "start cipher" and deciphering is started in the BS. The MS starts enciphering and deciphering and sends its next message enciphered. When this message is enciphered correctly in the BS, enciphering is started in the BS.
2. On a TCH, enciphering and deciphering are started as soon as a key is present, unless null cipher mode is selected.

The enciphering stream at one end and the deciphering stream at the other end must be synchronized.

3 Threats to the GSM network

Although many efforts have been made to protect the security level of the GSM system, undeniably there are still some obvious flaws in the protocol, and attacks may cause devastating consequences. In the following parts, the paper concentrates on the protocol flaws that can enable attacks rather than on methods of cracking the algorithms.

3.1 DoS in the GSM networks

The most common form of denial of service attack is causing the network not to transmit messages it should be sending in order to provide a service to legitimate clients, or causing the network to send messages it should not. One obvious cause of DoS attacks is that the preliminary communication takes place before authentication. The typical preliminary communication before connecting to the network is as follows:

1. The MS requests assignment of a control channel from the BSC.
2. The BTS decodes the channel request message, calculates the timing advance (the MS-BTS distance) and forwards the complete information to the BSC in a channel required message. The type of requested service is also indicated.
3. After receiving and processing a channel required message, the BSC informs the BTS what channel type and which channel number shall be reserved by a channel active message.
4. The BTS acknowledges the receipt by sending a channel active acknowledge message.
5. The BSC sends the immediate assignment command message to the BTS, which in turn informs the MS of the allocated channel.

[Figure 2: Channel assignment procedure in GSM]

We can conclude that whenever an MS applies to the network for access, the two parties will always carry out the above five steps according to the protocol. On the other hand, radio link resources are limited and precious in every wireless system, and if too many users are connecting to the network at the same time, the servers at the network become locally congested and will not react to all the requests in time due to lack of available channels. The BSC will eventually time out the incomplete requests and free the resources. Because the network cannot distinguish legitimate traffic from fake traffic, the attack itself is not detected easily.
The goal can be achieved when an attacker deliberately repeats only the first step of the process, and thus the available traffic channels will never be made available to legitimate clients [7].

[Figure 3: Denial of service attacks in GSM networks]

There are also variations of DoS attacks, which will be described in the next part.

3.2 The false base station attack

From the description of the GSM security scheme, we note that the MS is authenticated to the BS, but the BS is not authenticated to the MS, which means that unilateral authentication takes place rather than mutual authentication. This allows attacks in which a malicious third party impersonates a BS.

3.2.1 Confidentiality-loss attack

Although generally the TMSI shall be used over the air, the protocol stipulates that a BS, in some special situations, can request an MS to send its IMSI across the air interface in clear text. Thus the attacker is given a very straightforward way to compromise IMSI confidentiality. The false BS simply transmits the identity request message to the target MS, which responds with the IMSI.

3.2.2 Man-in-the-middle attack

The first kind of attack can be upgraded into a more complex and more effective attack, which we call the man-in-the-middle attack [8, 11]. The attacker becomes a combination of MS and BTS/BSC. When it communicates with the target MS, it acts as a BS, while when it communicates with the BS, it acts as an MS. This combination should permit transparent routing of call information from a legitimate MS to a genuine BS, via the attacker's own MS.

3.2.3 Derived attacks from the above two ways of attack

The two ways of attack mentioned above are the typical threats to GSM networks. Still, there are several attacks derived from the typical ways, which also damage the network and users. Let us briefly mention a few of them [5].

1. A DoS attack together with a false BS enables such threats to be realised. One feasible way is simply for a false BS to capture the target MS, and then simply prevent the MS from making any contact with the real BS and vice versa, just like putting it into a cage.
2. If the target user makes a call, the false BS can take over the connection after doing the previous access work. Once it captures the called number, the attacker can do whatever it wants: either never attempt to put the call through to the real BS, or answer the call as if it were the called party.
3. Once the attacker has got the target MS, it can deliberately set up spoof calls to annoy the user or continuously send signaling messages towards the user, which can block the radio channels without being discovered.
4. In the previous man-in-the-middle attack, we adopt the approach of cracking A5. After some relevant research, we can also achieve the same goal even without cracking the algorithm A5. Just alter several steps in the attack:
   1) When authentication needs to take place, the false BS can send an arbitrary RAND and can ignore the SRES returned in response. Of course, the false BS will not know the correct value of Kc, but this will not matter, as we see below;
   2) When the real BS requires the traffic to be enciphered, the encryption will take place in the normal way between the real BS and the false BS, where it will be decrypted. The false BS will never send the start cipher command to the target MS, and thus the fact that the false BS does not know the value of Kc for the mobile does not matter;
   3) When the target MS makes a call, the false BS detects this, and can capture the dialled number since the MS traffic will not be encrypted.
5. During the authentication process, the BS should hold the triplet, which is RAND, SRES and cipher key Kc. Because there is no flag or similar marker, a type of replay attack arises. On the assumption that a single triplet is compromised, the false BS can impersonate a real network attacking the MS using the same triplet all the time, even if the MS traffic has been encrypted.

4 Suggestions and improvements to GSM

Security schemes published in the GSM protocol to a large extent protect the reliability of the network and the confidentiality of users, but we absolutely cannot neglect the serious flaws of the protocol. Once a malicious person attacks our widely used network by taking advantage of the flaws, we may not be able to afford the giant loss. Since the emergence of the GSM network, researchers have been devoted to improving GSM.

4.1 Counter-measurement to DoS attack

Since the BS will not validate any user before authentication and permits anyone sending a channel request message to attach to the network, a DoS attack is highly possible. To handle DoS attacks, we introduce a process during the access procedure that is somewhat similar to authentication. When the number of access channels taken over by the attacker reaches some critical value, the new protective measure is launched. The BTS broadcasts a message called the authentication beacon, containing a short-lived 128-bit value predetermined by the BSC. The length of 128 bits is considered to be safe against pre-computation from the key space, which is discussed in [7].

The MS stores the incoming challenge and calculates the response, adding it to subsequent channel requests and sending it within the designated TTL time.

The BTS retrieves the response and compares it with its own result, which has already been calculated. On a mismatch, the subsequent channel distribution procedure ceases, ensuring resources will not be depleted.

4.2 Counter-measurements to man-in-the-middle attacks

As we have discussed previously, this kind of attack is really tough in the current GSM network. Unilateral authentication only protects the network from malicious users, but cannot protect users from a false BS effectively. Until now, researchers have reached a consensus that mutual authorization and authentication should be adopted in the coming 3G network. For example, the UMTS network has introduced more complicated procedures and more reliable algorithms to prevent threats [10]. The new specification is great progress in security level, but new problems are arriving: some high-level attackers, taking advantage of UMTS upgrading from GSM, are trying to break into
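
The pre-authentication check of section 4.1, written out as an added Python example (it is not code from the paper or from [7]). The paper gives only the 128-bit beacon, the TTL and the comparison at the BTS; the response function, the threshold of three pending requests and the two-second TTL used here are assumptions.

```python
import hashlib
import hmac
import secrets

BEACON_BYTES = 16      # page: short-lived 128-bit value
CRITICAL_PENDING = 3   # constructed "critical value" of half-open requests
BEACON_TTL = 2.0       # constructed TTL, seconds

def response_for(beacon: bytes) -> bytes:
    # Assumption: the page does not define the response function;
    # a truncated SHA-256 of the beacon stands in for it.
    return hashlib.sha256(b"preauth" + beacon).digest()[:8]

class Bts:
    def __init__(self, channels: int):
        self.free = channels
        self.pending = 0            # reserved, handshake not completed
        self.beacon, self.expected, self.expires = None, None, 0.0

    def current_beacon(self, now: float) -> bytes:
        """Beacon being broadcast; rotated once its TTL has passed."""
        if self.beacon is None or now > self.expires:
            self.beacon = secrets.token_bytes(BEACON_BYTES)
            self.expected = response_for(self.beacon)  # computed ahead of requests
            self.expires = now + BEACON_TTL
        return self.beacon

    def channel_request(self, now: float, response: bytes = None) -> str:
        if self.pending >= CRITICAL_PENDING:          # protective mode is on
            self.current_beacon(now)
            if response is None or not hmac.compare_digest(response, self.expected):
                return "rejected"                     # no channel is reserved
        if self.free == 0:
            return "congested"
        self.free -= 1
        self.pending += 1
        return "assigned"

def simulate():
    bts = Bts(channels=8)
    log = [bts.channel_request(0.0) for _ in range(3)]   # requests without a response
    log.append(bts.channel_request(0.1))                 # threshold reached
    answer = response_for(bts.current_beacon(0.5))       # MS that heard the beacon
    log.append(bts.channel_request(0.6, answer))
    log.append(bts.channel_request(5.0, answer))         # beacon has rotated
    return log, bts.free
```

With the unkeyed stand-in used here, a correct response shows only that the requester received the current beacon and answered within the TTL.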
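
An added Python example (not from the paper) that sets the unilateral challenge-response of section 2.2 beside a SIM that authenticates the network before answering, the countermeasure named in section 4.2, and checks that it refuses both the arbitrary RAND and the replayed triplet of section 3.2.3. HMAC-SHA256 stands in for A3/A8, and the sequence number and the network token `net_mac` are hypothetical; they are not the UMTS algorithms.

```python
import hashlib
import hmac
import secrets

def prf(ki: bytes, label: bytes, data: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA256 stands in for A3/A8; this is not COMP128.
    return hmac.new(ki, label + data, hashlib.sha256).digest()[:n]

def net_mac(ki: bytes, rand: bytes, sqn: int) -> bytes:
    # Hypothetical network token: binds RAND to a sequence number under Ki.
    return prf(ki, b"NET", rand + sqn.to_bytes(6, "big"), 8)

class GsmSim:
    """Unilateral scheme of section 2.2: the SIM answers any RAND."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def challenge(self, rand: bytes):
        return prf(self.ki, b"A3", rand, 4), prf(self.ki, b"A8", rand, 8)  # SRES, Kc

class MutualSim(GsmSim):
    """The SIM checks the network token and its freshness before answering."""
    last_sqn = 0

    def challenge(self, rand: bytes, sqn: int, mac: bytes):
        if not hmac.compare_digest(mac, net_mac(self.ki, rand, sqn)):
            raise PermissionError("network not authenticated")
        if sqn <= self.last_sqn:
            raise PermissionError("stale challenge")
        self.last_sqn = sqn
        return super().challenge(rand)

def rejected(sim: MutualSim, rand: bytes, sqn: int, mac: bytes) -> bool:
    try:
        sim.challenge(rand, sqn, mac)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    ki = secrets.token_bytes(16)                     # constructed subscriber key
    rand = secrets.token_bytes(16)
    sres, _kc = GsmSim(ki).challenge(secrets.token_bytes(16))  # sender never proved Ki
    sim = MutualSim(ki)
    genuine = (rand, 1, net_mac(ki, rand, 1))
    return {
        "gsm_answers_any_rand": len(sres) == 4,
        "genuine_accepted": sim.challenge(*genuine)[0] == prf(ki, b"A3", rand, 4),
        "replayed_vector_rejected": rejected(sim, *genuine),
        "arbitrary_rand_rejected": rejected(sim, secrets.token_bytes(16), 2, bytes(8)),
    }
```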