Cryptography in Public Wireless Networks - PowerPoint PPT Presentation

1
Cryptography in Public Wireless Networks
  • Mats Näslund
  • Communication Security Lab
  • Ericsson Research
  • mats.naslund@ericsson.com
  • Feb 27, 2007

2
Outline
  • Overview of GSM Cryptography
  • Some attacks on GSM
  • Overview of 3G UMTS Cryptography
  • Message Authentication Codes

3
GSM Cryptography Overview
4
History: GSM Security
  • Use of a smart card, the SIM (Subscriber Identity
    Module): a tamper-resistant device containing
    critical subscriber information, e.g. a 128-bit key
    shared with the Home Operator
  • The SIM is the entity which is authenticated
  • Initial GSM algorithms (were) not publicly
    available and under the control of the GSM-A
  • GSM ciphering on the first hop only: stream ciphers
    using 54/64-bit keys, 128 bits in the future
  • One-sided challenge-response authentication
  • Basic user privacy support (pseudonyms)

GSM crypto is probably (one of) the most
frequently used crypto in the world.
5
History: GSM Security, Access security
[Figure: GSM access network diagram with SGSN, Base Station
Controller, Radio Base Station and MSC]
6
GSM Authentication Overview
[Figure: Home Network with AuC/HLR holding Ki; Visited Network
with MSC/VLR and RBS; Ki also held on the subscriber side]
7
GSM Authentication Details
A3 and A8: Authentication and key derivation
(proprietary)
A5: encryption (A5/1-4, standardized)
Note: one-sided authentication
[Figure: Phone with SIM holding Ki (128 bits), running A3/A8
on the SIM and A5/x in the phone]
8
Cryptographic Transforms in Wireless
  • Wireless transmission is subject to
    • limited bandwidth
    • bit-errors (up to 1 RBER)
  • As a consequence, most protocols
    • use stream ciphers (no padding, no
      error-propagation)
    • do not use data authentication (data expansion,
      loss)

9
Quick Note: LFSR
  • (Linear feedback shift register)

[Figure: a shift register loaded with the key bits 0 1 1 0 1 0 1
as its state, with feedback taps and the output bit stream; the
diagram itself did not survive extraction]
  • Rich theory (next lecture). Unfortunately very
    insecure
  • Add non-linearity
    • Combine several LFSRs
    • Irregular clocking
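
The "unfortunately very insecure" remark above, illustrated by an added Python example that is not part of the presentation: a Fibonacci LFSR over GF(2) next to the textbook Berlekamp-Massey algorithm, which recovers the shortest feedback polynomial from 2n consecutive output bits and then predicts every later bit. The feedback polynomial x^5 + x^2 + 1 (taps [2, 5]), the seed and the bit counts are constructed for this example.

```python
"""Why a bare LFSR is "unfortunately very insecure": its output is linear.

Added example for the LFSR slide; not code from the presentation.  The
feedback polynomial x^5 + x^2 + 1, the seed and the bit counts are
constructed for this example.  Berlekamp-Massey is the textbook algorithm
that finds the shortest LFSR generating a given bit sequence; 2n output
bits fix an n-stage LFSR completely, so every later bit is predictable.
"""
from __future__ import annotations


def lfsr_bits(taps: list[int], seed: list[int], count: int) -> list[int]:
    """Fibonacci LFSR over GF(2): s_j = XOR of s_{j-t} for t in taps.

    seed holds (s_0, ..., s_{n-1}) with n = max(taps); returns s_0 .. s_{count-1}.
    """
    n = max(taps)
    state = list(seed)
    out = []
    for _ in range(count):
        out.append(state[0])
        new = 0
        for t in taps:
            new ^= state[n - t]      # state[n - t] is s_{j-t} when producing s_j
        state = state[1:] + [new]
    return out


def berlekamp_massey(bits: list[int]) -> tuple[int, list[int]]:
    """Return (L, c) with c = [1, c_1, ..., c_L] such that
    s_i = c_1 s_{i-1} ^ ... ^ c_L s_{i-L} for every i >= L in the input.
    L is the linear complexity of the sequence."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, last = 0, -1                  # last = index at which L was last raised
    for i, s in enumerate(bits):
        d = s                        # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        shift = i - last
        t = c[:]
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]     # c(x) += x^shift * b(x)
        if 2 * L <= i:
            L, last, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(known: list[int], L: int, c: list[int], count: int) -> list[int]:
    """Continue a sequence with the recurrence recovered by berlekamp_massey."""
    seq = list(known)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & seq[-j]
        seq.append(nxt)
    return seq[len(known):]


def recovered_stream_matches(taps: list[int], seed: list[int], total: int) -> bool:
    """Observe 2n bits of the LFSR, recover it, and check the rest is predicted."""
    n = max(taps)
    stream = lfsr_bits(taps, seed, total)
    L, c = berlekamp_massey(stream[: 2 * n])
    return L == n and predict(stream[: 2 * n], L, c, total - 2 * n) == stream[2 * n:]


if __name__ == "__main__":
    taps, seed = [2, 5], [1, 0, 0, 0, 0]           # constructed: x^5 + x^2 + 1
    print("first 12 bits:", lfsr_bits(taps, seed, 12))
    print("L, c from 10 bits:", berlekamp_massey(lfsr_bits(taps, seed, 10)))
    print("rest predicted from 10 bits:", recovered_stream_matches(taps, seed, 64))
```

Ten observed bits are enough to pin down the 5-stage register, after which the remaining 54 bits of the run are reproduced exactly; this is the linearity that the slide's non-linear combining and irregular clocking are meant to destroy.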

10
GSM Encryption: A5/2 (Export Version)
11
A5/2 (clock control)
R_i (i = 1, 2, 3) is clocked iff its associated bit
agrees with the majority of the 3 bits (at least two
registers are clocked)
12
August 2003
13
Idea behind the attack
A5/2 is highly linear: it can be expressed as a
linear equation system in 660 unknown 0/1
variables, of which 64 are the key bits.
If the plaintext is known, each 114-bit frame gives 114
equations.
The only difference between frames is that the frame
number increases by one.
After 6 frames (in reality only 4) we have > 660
equations ⇒ can solve!
If the plaintext is unknown, one can still attack thanks to
the redundancy of the channel coding (SACCH has 227
redundant bits per each 4-frame message).
14
Attack efficiency
Off-line stage (done once): storage for
matrices approx. 200 MB, pre-processing time
less than 3 hrs on a PC.
On-line attack stage: requires 4-7 frames sent
from the UE on SACCH. Retrieving the key then takes less
than 1 second.
Hardware requirement: normal PC and GSM-capable
receiver.
15
Consequence 1: Passive attacks in A5/2
Network (Eavesdropping)
[Figure: 1. RAND, RES (authentication); 2. Cipher start A5/2;
< 1 sec of traffic recorded; the new attack run on a PC recovers
the key in < 1 sec]
16
Consequence 2: Active attacks in any
Network (False base-station/man-in-the-middle
attacks)
[Figure, labelled steps: 5. Cipher start A5/1 (with same key);
6. Cipher start A5/2; 7. Attack key; 8. Cipher stop;
9. Cipher start A5/1]
17
Consequence 3: Passive + Active attack
18
Note
  • A5/2 is an export version, not used in Sweden
    (or Europe)
  • Attack does not apply to A5/1, A5/3 and A5/4
    ... well, almost.

19
Possible fix (Ericsson)
[Figure: phone/SIM exchange with RAND, the A5/x cipher
(x = 1, 2, 3, 4) and the "encr frame" label; the diagram itself
did not survive extraction]
Agreed short-term fix is to phase out A5/2
20
UMTS Security Overview
21
3G (UMTS) Security
  • Mutual Authentication with Replay Protection
  • Protection of signalling data
    • Secure negotiation of protection algorithms
    • Integrity protection and origin authentication
    • Confidentiality
  • Protection of user data payload
    • Confidentiality
  • Open algorithms (block-ciphers) basis for
    security
    • AES for authentication and key agreement
    • Kasumi for confidentiality/integrity
  • Security level (key sizes): 128 bits
  • Protection further into the network

22
UMTS Security
Integrity and Confidentiality: UIA and UEA algorithms
(based on KASUMI)
[Figure: UMTS network diagram with Node B, Radio Network
Controller, SGSN and MSC]
23
UMTS Authentication and Key Agreement (AKA)
Looks a lot like GSM, but:
[Figure: Home Network AuC/HLR and the phone both hold Ki; the
Visited Network MSC/VLR sends Req(IMSI) to the AuC/HLR and
receives RAND, XRES, CK, IK, AUTN; RAND, AUTN are forwarded
via the RBS to the phone, which answers RES; the MSC/VLR
checks RES = XRES?]
24
UMTS Encryption: UEA/f8
[Figure: the 64-bit input COUNT || BEARER || DIR || 0...0 is fed
to Kasumi under CK (128 bits) together with a constant m;
repeated Kasumi calls produce the keystream blocks
c_1, c_2, ..., c_B; keystream XORed with plaintext]
Provably secure under assumptions on Kasumi
25
Inside Kasumi (actually MISTY)
[Figure: 8-round structure; the round diagram and its "security"
labels (s8 with 3 rounds, s2, s4) did not survive extraction]
26
New UMTS Cryptographic Algorithms
27
Standardization of UMTS Cryptography
  • 3GPP (an ETSI body) standardizes UMTS
  • Crypto developed by SAGE (also ETSI)
  • UEA1/f8, UIA1/f9 developed 1999 for UMTS Rel-99
  • About two years ago, SAGE started to look at new
    algorithms for UMTS: UEA2, UIA2
  • Requirements
    • algorithms substantially different from UEA1,
      UIA1
    • < 10000 gates
    • > 10 Mbit/s @ 20 MHz
  • Specifications released about a year ago
  • Independent evaluation by three teams

28
Data Integrity/Authentication
Assurance that data originates from the claimed
source and has not been modified
  • Main threat to user data in a cellular network
    is eavesdropping; modification of user data is
    less realistic/serious ⇒ encryption needed but not
    data integrity
  • For control signaling, the situation is largely
    reversed; faked signaling could mean
    • switch off user data encryption
    • fool the mobile phone to select another network
    • make the phone transmit at higher power, drain
      battery
    • etc.

29
Data Integrity/Authentication
  • Can be obtained by digital signatures, e.g. RSA
  • Comes at a cost (bandwidth, computation time)
  • Symmetric key alternative:
    Message Authentication Code (MAC)
30
MAC Requirements (informal)
The attacker observes $S = \{(m, t)\}$ generated
by the sender (possibly some $m$'s chosen by the attacker).
  • Should be difficult to produce an $(m, t) \notin S$
    which is accepted by the receiver
    • Could be done by modification or injection
  • "Difficult" depends on the size of the key and the
    size of the tags
    • cannot avoid that the attacker tries to guess
      the key
    • cannot avoid that the attacker tries to guess a
      tag value

Security level is at most $\min(2^{\mathrm{size}(key)},
2^{\mathrm{size}(tag)})$
Note: security level $< 2^{\mathrm{size}(tag)}$ is not
bandwidth optimal
31
Provable security
  • The one-time pad is an unconditionally provably
    secure encryption method, but a bit impractical
    to use
    • Key must be random and only be used once
  • Entropy arguments can be used to give bounds on
    the security when size(key) < size(message)
  • Provably secure constructions exist also for
    MACs!!
  • Similarities with OTP
    • Key size vs message size reflected in security
      bounds
    • Key must only be used once

The new UMTS message authentication algorithm
UIA2 is such a provably secure construction
32
Universal Hashing
  • Definition: Suppose $B$ is an additive group and
    let $H \subseteq \{h : A \to B\}$ be a set of
    functions. $H$ is called $\varepsilon$-almost
    $\Delta$-universal if $\forall\, x \neq x' \in A$,
    $\forall\, y \in B$:
    $\Pr_{h \in H}[h(x) - h(x') = y] \le \varepsilon$.

If it holds for $y = 0$ then $H$ is called
$\varepsilon$-almost universal.
Notation: $\varepsilon$-A$\Delta$U and $\varepsilon$-AU
  • Notes
    • collision resistance properties
    • best $\varepsilon$-A$\Delta$U is $\varepsilon = 1/|B|$.
    • connection to ECC and comb. designs
33
Our Concrete Case
  • Only consider the case $A = \mathrm{GF}(2^n)$,
    $B = \mathrm{GF}(2^m)$.

which means $\varepsilon$-A$\Delta$U if
$\forall\, x \neq x' \in \mathrm{GF}(2^n)$,
$\forall\, y \in \mathrm{GF}(2^m)$:
$\Pr_{h \in H}[h(x) \oplus h(x') = y] \le \varepsilon$,
and $\varepsilon$-AU if it holds for $y = 0$:
$\Pr_{h \in H}[h(x) = h(x')] \le \varepsilon$.
34
Universal Hashing and Message Authentication
  • Assume $H$ is $\varepsilon$-A$\Delta$U
  • key is the index of a random function $h \in H$, plus a
    random $s \in \mathrm{GF}(2^m)$.
  • tag $t = h(m) \oplus s$.
  • Injection probability
    • As difficult as predicting $s$: $1/|B| = 2^{-m}$
      probability

Modification: If, given $(m, t = h(m) \oplus s)$, the
attacker can find a valid $(m', t' = h(m') \oplus s)$, then
$t \oplus t' = (h(m) \oplus s) \oplus (h(m') \oplus s)
= h(m) \oplus h(m')$,
which is guaranteed to be bounded by $\varepsilon$.
35
Plan
  • First construct $H_1$ which is $\varepsilon$-AU, almost works
  • Combine with $H_2$ to get $\varepsilon$-A$\Delta$U

36
Concrete Construction of $\varepsilon$-AU Hash
  • Cut the message $m$ (to be hashed) into 64-bit
    blocks, $m_0, m_1, \ldots, m_{L-1}$
  • Interpret the message as an element of
    $\mathrm{GF}(2^{64})[t]$:
    $M(t) = m_0 + m_1 t + \cdots + m_{L-1} t^{L-1}$
  • Key is a random value $k \in \mathrm{GF}(2^{64})$
  • $H_k(M) = M(k)$

Theorem: $H = \{H_k(M)\}$ is $\varepsilon$-AU for
$\varepsilon = L \cdot 2^{-64}$.
37
Proof that $H$ is $\varepsilon$-AU
  • We need to bound $\Pr_{h \in H}[h(M) \oplus h(M') = 0]$,
    i.e. the prob. that
    $\Pr_t[m_0 + m_1 t + \cdots + m_{L-1} t^{L-1}
    = m'_0 + m'_1 t + \cdots + m'_{L-1} t^{L-1}]$,

i.e. $\Pr_t[z_0 + z_1 t + \cdots + z_{L-1} t^{L-1} = 0]$
where $z_i = m_i - m'_i$ (recall $+$, $-$ is the
same as $\oplus$ here).
This is bounded by the number of roots of a
degree $L-1$, non-zero polynomial over a finite
field, i.e. $\Pr < L \cdot 2^{-64}$.
38
Problem
  • $\varepsilon = L \cdot 2^{-64}$ is non-optimal (tag is always 64 bits
    but long messages could make $\varepsilon \to 1$)
  • Moreover, this is a real bound, i.e. forgery
    probability does increase with $L$
  • Also, as noted, we need $\varepsilon$-A$\Delta$U, not just
    $\varepsilon$-AU.

39
Going from AU to A$\Delta$U
  • AU gives at least some guarantee that
    $h(x) \oplus h(x') \neq 0$.
  • Consider now $\lambda h(x)$ and $\lambda h(x')$ for random $\lambda$
  • Then $\lambda h(x) \oplus \lambda h(x') = \lambda (h(x) \oplus h(x')) = y$ is
    uniformly distributed as long as $h(x) \oplus h(x') \neq 0$.
  • That is, if $h(x)$ is AU then $\lambda h(x)$ should
    be A$\Delta$U

40
General Theorem (Stinson)
  • Suppose $H_1$ is $\varepsilon_1$-AU from $A$ to $B$ and $H_2$ is
    $\varepsilon_2$-A$\Delta$U from $B$ to $C$. Then $H_1 \circ H_2$ is
    $\varepsilon$-A$\Delta$U from $A$ to $C$ with
    $\varepsilon \le \varepsilon_1 + \varepsilon_2$.

Idea: Use the polynomial hash as above for the
inner hash, $H_1$. Outer hash $H_2$ defined by
$h_\lambda(x) = \lambda \cdot x$ for random $\lambda$.
Still one problem: the tag is 64 bits, security
level only guaranteed to $L \cdot 2^{-64}$, could argue
not full security.
41
Solution: Compression
Outer hash $H_2 : \mathrm{GF}(2^{64}) \to \mathrm{GF}(2^{32})$ defined by
twisted truncation $h_\lambda(x) = \mathrm{msb}_{32}(\lambda \cdot x)$, which
can be proven to be $2^{-32}$-A$\Delta$U, i.e.
$h_{\lambda,k}(m) = \mathrm{msb}_{32}(\lambda \cdot (m_0 + m_1 k + \cdots + m_{L-1} k^{L-1}))$.
We get 32-bit tags with security $L \cdot 2^{-64} + 2^{-32} \approx 2^{-32}$.
42
Did we forget something?
  • Yes: We now have a $2^{-32}$-A$\Delta$U set of functions of
    the form $h_{\lambda,k}(m) = \mathrm{msb}_{32}(\lambda \cdot (m_0 + m_1 k + \cdots
    + m_{L-1} k^{L-1}))$.
  • Initial idea was more like $h_{\lambda,k}(m) \oplus s$ for random
    $\lambda$, $k$ and $s$.
  • Do we really need $s$?
    • Yes!
    • Notice that $h_{\lambda,k}(0) = 0$
    • Using only $h_{\lambda,k}(m)$ would enable an attacker to
      inject messages.

Note also that a given key $(k, \lambda, s)$ must only be
used once!
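
The construction of the preceding slides (inner polynomial hash H_k over GF(2^64), outer twisted truncation msb32(λ·x), the one-time offset s, and the observation that h(0) = 0 makes s necessary), as an added Python example that is not the presenter's code and not the 3GPP UIA2 specification. It goes beyond the slides in one way: the field size is a parameter, so the ε-AU and ε-AΔU bounds can be checked exhaustively in GF(2^8) before the same functions run the 64-bit construction. The reducing polynomials, the sample messages and the key source (OS randomness here, where UMTS uses the SNOW PRG) are assumptions of this example.

```python
"""Polynomial universal hash, twisted truncation and the resulting MAC.

Added example (not the presenter's code and not the 3GPP UIA2 specification).
Assumptions: GF(2^n) is represented with the reducing polynomials below;
message blocks, keys and the sample messages are constructed here.
"""
from __future__ import annotations
import secrets

# Reducing polynomials for the two field sizes used here.  Assumption: both
# are irreducible; x^8+x^4+x^3+x+1 is the AES polynomial and x^64+x^4+x^3+x+1
# a standard choice for GF(2^64).  The small field lets us check the slides'
# bounds exhaustively; the large one is the slides' GF(2^64) construction.
REDUCER = {8: (1 << 8) | 0x1B, 64: (1 << 64) | 0x1B}


def gf_mul(a: int, b: int, n: int) -> int:
    """Multiply a*b in GF(2^n): carry-less product reduced modulo REDUCER[n]."""
    poly, r = REDUCER[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: subtract (xor) the modulus
            a ^= poly
    return r


def poly_hash(blocks: list[int], k: int, n: int) -> int:
    """Inner hash H_k(M) = M(k) = m0 + m1*k + ... + m_{L-1}*k^{L-1} over GF(2^n).

    Horner evaluation from the highest block down; + is xor in characteristic 2.
    """
    acc = 0
    for m in reversed(blocks):
        acc = gf_mul(acc, k, n) ^ m
    return acc


def au_collision_fraction(m1: list[int], m2: list[int], n: int) -> float:
    """Exhaustive epsilon-AU check: fraction of keys k with H_k(m1) == H_k(m2).

    The difference polynomial has degree <= L-1 and so at most L-1 roots,
    hence the fraction is at most (L-1)/2^n < L * 2^-n.
    """
    size = 1 << n
    hits = sum(poly_hash(m1, k, n) == poly_hash(m2, k, n) for k in range(size))
    return hits / size


def adu_fraction(m1: list[int], m2: list[int], y: int, n: int) -> float:
    """Exhaustive epsilon-ADU check for the composed hash lam * H_k(M).

    Counts pairs (k, lam) with lam*H_k(m1) xor lam*H_k(m2) == y.  When the
    inner hashes differ, lam -> lam*d is a bijection so exactly one lam hits
    y; when they collide every lam gives 0.  Stinson's theorem bounds the
    total by eps1 + eps2 = L * 2^-n + 2^-n.
    """
    size = 1 << n
    hits = 0
    for k in range(size):
        d = poly_hash(m1, k, n) ^ poly_hash(m2, k, n)
        hits += sum(gf_mul(lam, d, n) == y for lam in range(size))
    return hits / (size * size)


def msb32(x: int) -> int:
    """Twisted truncation keeps the 32 most significant bits of a 64-bit value."""
    return (x >> 32) & 0xFFFFFFFF


def mac_tag(blocks: list[int], k: int, lam: int, s: int) -> int:
    """32-bit tag t = msb32(lam * M(k)) xor s, with k, lam in GF(2^64), s 32 bits."""
    return msb32(gf_mul(lam, poly_hash(blocks, k, 64), 64)) ^ s


def fresh_keys() -> tuple[int, int, int]:
    """One-time (k, lam, s): 64 + 64 + 32 = 160 key bits.

    UMTS derives these from the SNOW PRG; this example takes them from the OS
    RNG.  A triple must never be reused, exactly as with a one-time pad.
    """
    return secrets.randbits(64), secrets.randbits(64), secrets.randbits(32)


if __name__ == "__main__":
    a, b = [0x11, 0x22, 0x33], [0x11, 0x22, 0x34]   # constructed 3-block messages
    print("AU collision fraction  :", au_collision_fraction(a, b, 8), "<=", 3 / 256)
    print("ADU fraction (y=0x5A)  :", adu_fraction(a, b, 0x5A, 8), "<=", 4 / 256)
    k, lam, s = fresh_keys()
    print("tag of zero msg, s = 0 :", mac_tag([0, 0, 0], k, lam, 0))   # always 0
    print("tag of zero msg, real s:", hex(mac_tag([0, 0, 0], k, lam, s)))
```

Running it shows the two exhaustive fractions at or below L·2^-8 and (L+1)·2^-8, the bounds of the theorem and of Stinson's composition; the all-zero message with s = 0 gets tag 0 for every (k, λ), which is exactly the injection the "Did we forget something?" slide warns about; and the tag difference of two messages under the same key is independent of s, which is the argument that a modification succeeds with probability at most ε.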
43
Final Consideration
  • In reality, the keys $\lambda$, $k$, $s$ for the MAC are not
    random, but generated by a pseudo-random generator
    (PRG)
  • But a good PRG is by definition
    difficult to distinguish from truly random
    bits
  • If replacing truly random $\lambda$, $k$, $s$ by PRG values
    would mean an increase in the MAC-attacker's success
    rate, it would imply a statistical test to
    distinguish the PRG from true randomness:
    • Given a test sample (either truly random or
      from the PRG)
    • Run the (presumed) MAC-attack algorithm
    • Measure its rate of success; if it is higher we
      guess the sample is from the PRG, else we guess
      the sample is truly random

44
Final Result
  • We lose an additional $\delta$ in provable security,
    where $\delta$ is the quality of the random
    generator. I.e. the MAC produces 32-bit tags with
    security $L \cdot 2^{-64} + 2^{-32} + \delta$.
  • Maximum $L$ in UMTS is about 27 blocks
  • Total key size: $k$ (64), $\lambda$ (64), $s$ (32), i.e. 160
    bits.
  • The PRG used in UMTS is the stream cipher SNOW
  • Performance ≈ 100 Mbit/s on a typical platform; an
    equivalent RSA approach would be at least 10-100
    times slower and would add about 10 times as much
    overhead

45
Summary
  • Despite some recent attacks on GSM security,
    2G security is so far pretty much a success
    story

Main reason: convenience and invisibility to the user
  • 3G crypto significantly more open and
    well-studied ⇒ higher confidence
  • Showed a practical, provably secure
    construction for message authentication