1
1
GSM Security Overview
GSM Security Overview
(Part 2)
(Part 2)
Max Stepanov
Max Stepanov
2
2
Agenda
Agenda
GSM Security Objectives
GSM Security Objectives

Concerns, Goals, Requirements
Concerns, Goals, Requirements
GSM Security Mechanisms
GSM Security Mechanisms
SIM Anatomy
SIM Anatomy
Algorithms and Attacks
Algorithms and Attacks

COMP128
COMP128

Partitioning Attack on COMP128
Partitioning Attack on COMP128
(
(

J. Rao, P. Rohantgi, H. Scherzer, S. Tunguely
J. Rao, P. Rohantgi, H. Scherzer, S. Tunguely
)
)
3
3
GSM Security Concerns
GSM Security Concerns
Operators
Operators

Bills right people
Bills right people

Avoid fraud
Avoid fraud

Protect Services
Protect Services


Customers
Customers

Privacy
Privacy

Anonymity
Anonymity
Make a system at least secure as PSTN

Make a system at least secure as PSTN
4
4
GSM Security Goals
GSM Security Goals
Confidentiality and Anonymity on the radio
Confidentiality and Anonymity on the radio
path
path
Strong client authentication to protect the
Strong client authentication to protect the
operator against the billing fraud
operator against the billing fraud
Prevention of operators from
Prevention of operators from
compromising of each others’ security
compromising of each others’ security

Inadvertently
Inadvertently

Competition pressure
Competition pressure
5
5
GSM Security Design
GSM Security Design
Requirements
Requirements
The security mechanism

The security mechanism

MUST NOT
MUST NOT
Add significant overhead on call set up
Add significant overhead on call set up
Increase bandwidth of the channel
Increase bandwidth of the channel
Increase error rate
Increase error rate
Add expensive complexity to the system
Add expensive complexity to the system

MUST
MUST
Cost effective scheme
Cost effective scheme

Define security procedures
Define security procedures
Generation and distribution of keys
Generation and distribution of keys
Exchange information between operators
Exchange information between operators
Confidentiality of algorithms
Confidentiality of algorithms
6
6
GSM Security Features
GSM Security Features

Key management is independent of equipment
Key management is independent of equipment

Subscribers can change handsets without compromising
Subscribers can change handsets without compromising
security
security
Subscriber identity protection
Subscriber identity protection

not easy to identify the user of the system intercepting a user
not easy to identify the user of the system intercepting a user
data
data
Detection of compromised equipment
Detection of compromised equipment

Detection mechanism whether a mobile device was
Detection mechanism whether a mobile device was
compromised or not
compromised or not
Subscriber authentication
Subscriber authentication

The operator knows for billing purposes who is using the system
The operator knows for billing purposes who is using the system
Signaling and user data protection
Signaling and user data protection

Signaling and data channels are protected over the radio path

Signaling and data channels are protected over the radio path
7
7
GSM Mobile Station
GSM Mobile Station
Mobile Station
Mobile Station

Mobile Equipment (ME)
Mobile Equipment (ME)
Physical mobile device
Physical mobile device
Identifiers
Identifiers

IMEI – International Mobile Equipment Identity
IMEI – International Mobile Equipment Identity

Subscriber Identity Module (SIM)
Subscriber Identity Module (SIM)
Smart Card containing keys, identifiers and algorithms
Smart Card containing keys, identifiers and algorithms
Identifiers
Identifiers

K
K
i
i
– Subscriber Authentication Key

– Subscriber Authentication Key

IMSI – International Mobile Subscriber Identity
IMSI – International Mobile Subscriber Identity

TMSI – Temporary Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity

MSISDN – Mobile Station International Service Digital
MSISDN – Mobile Station International Service Digital
Network
Network

PIN – Personal Identity Number protecting a SIM
PIN – Personal Identity Number protecting a SIM

LAI – location area identity
LAI – location area identity
8
8
GSM Architecture
GSM Architecture
Mobile Stations Base Station
Subsystem
Exchange
System
Network
Management
Subscriber and terminal
equipment databases

BSC MSC
VLR
HLR
EIR
AUC
OMC
BTS
BTS
BTS
9
9
Subscriber Identity Protection
Subscriber Identity Protection
TMSI – Temporary Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity

Goals
Goals
TMSI is used instead of IMSI as an a temporary subscriber identifier
TMSI is used instead of IMSI as an a temporary subscriber identifier
TMSI prevents an eavesdropper from identifying of subscriber
TMSI prevents an eavesdropper from identifying of subscriber

Usage
Usage
TMSI is assigned when IMSI is transmitted to AuC on the first phone
TMSI is assigned when IMSI is transmitted to AuC on the first phone
switch on
switch on
Every time a location update (new MSC) occur the networks assigns

Every time a location update (new MSC) occur the networks assigns
a new TMSI
a new TMSI
TMSI is used by the MS to report to the network or during a call
TMSI is used by the MS to report to the network or during a call
initialization
initialization
Network uses TMSI to communicate with MS
Network uses TMSI to communicate with MS
On MS switch off TMSI is stored on SIM card to be reused next time
On MS switch off TMSI is stored on SIM card to be reused next time

The Visitor Location Register (VLR) performs assignment,
The Visitor Location Register (VLR) performs assignment,
administration and update of the TMSI
administration and update of the TMSI
10
10
Key Management Scheme
Key Management Scheme
K
K
i
i
– Subscriber Authentication Key
– Subscriber Authentication Key

Shared 128 bit key used for authentication of subscriber by
Shared 128 bit key used for authentication of subscriber by
the operator

the operator

Key Storage
Key Storage
Subscriber’s SIM (owned by operator, i.e. trusted)
Subscriber’s SIM (owned by operator, i.e. trusted)
Operator’s Home Locator Register (HLR) of the subscriber’s
Operator’s Home Locator Register (HLR) of the subscriber’s
home network
home network
SIM can be used with different equipment
SIM can be used with different equipment
11
11
Detection of Compromised
Detection of Compromised
Equipment
Equipment
International Mobile Equipment Identifier (IMEI)
International Mobile Equipment Identifier (IMEI)

Identifier allowing to identify mobiles
Identifier allowing to identify mobiles

IMEI is independent of SIM
IMEI is independent of SIM

Used to identify stolen or compromised equipment
Used to identify stolen or compromised equipment
Equipment Identity Register (EIR)

Equipment Identity Register (EIR)

Black list – stolen or non-type mobiles
Black list – stolen or non-type mobiles

White list - valid mobiles
White list - valid mobiles

Gray list – local tracking mobiles
Gray list – local tracking mobiles
Central Equipment Identity Register (CEIR)
Central Equipment Identity Register (CEIR)

Approved mobile type (type approval authorities)
Approved mobile type (type approval authorities)

Consolidated black list (posted by operators)
Consolidated black list (posted by operators)
12
12
Authentication
Authentication
Authentication Goals
Authentication Goals

Subscriber (SIM holder) authentication
Subscriber (SIM holder) authentication

Protection of the network against
Protection of the network against

unauthorized use
unauthorized use

Create a session key
Create a session key
Authentication Scheme
Authentication Scheme

Subscriber identification: IMSI or TMSI
Subscriber identification: IMSI or TMSI

Challenge-Response authentication of the
Challenge-Response authentication of the
subscriber by the operator
subscriber by the operator
13
13
Authentication and Encryption
Authentication and Encryption
Scheme
Scheme
A3
Mobile Station Radio Link GSM Operator
A8
A5
A3
A8
A5
K
i

K
i
Challenge RAND
K
c
K
c
m
i
Encrypted Data
m
i
SIM
Signed response (SRES)
SRES
SRES
F
n
F
n
Authentication: are SRES
values equal?
14
14
Authentication
Authentication
AuC – Authentication Center
AuC – Authentication Center

Provides parameters for authentication and encryption

Provides parameters for authentication and encryption
functions (RAND, SRES, K
functions (RAND, SRES, K
c
c
)
)
HLR – Home Location Register
HLR – Home Location Register

Provides MSC (Mobile Switching Center) with triples
Provides MSC (Mobile Switching Center) with triples
(RAND, SRES, K
(RAND, SRES, K
c
c
)
)

Handles MS location
Handles MS location
VLR – Visitor Location Register
VLR – Visitor Location Register

Stores generated triples by the HLR when a subscriber
Stores generated triples by the HLR when a subscriber
is not in his home network
is not in his home network

One operator doesn’t have access to subscriber keys

One operator doesn’t have access to subscriber keys
of the another operator.
of the another operator.
15
15
A3 – MS Authentication Algorithm
A3 – MS Authentication Algorithm
Goal
Goal

Generation of SRES response to MSC’s
Generation of SRES response to MSC’s
random challenge RAND
random challenge RAND
A3
RAND (128 bit)
K
i
(128 bit)
SRES (32 bit)