- Shopping Bag ( 0 items )
UMTS (Universal Mobile Telecommunication System) systems are third-generation systems designed for multimedia communication. UMTS Security covers the security aspects of third-generation mobile networks based on WCDMA technology. WCDMA (Wideband Code Division Multiple Access) is the main air interface used for third generation mobile communication systems. UMTS (Universal Mobile Telecommunication System) will offer a consistent set of services to mobile computer and phone users and numerous different radio access technologies may co-exist within the UMTS system's core network. Network security is, therefore, of the utmost importance. UMTS Security brings together material previously only available in specifications, design documents and presentations in one concise form. It is intended to provide a self-contained treatment of the security issues involved and ranges from introductory material to detailed discussions of advanced topics. It will present features and background information that existing experts in the field will find informative. Provides a detailed description of UMTS security architecture Explains the security principles behind UMTS security Includes detailed descriptions of the cryptographic solutions in UMTS Presents the theoretical background and the design process of the UMTS cryptographic algorithms Discusses the new security features to be included in future releases Examines other wireless security solutions Essential reading for UMTS network security & wireless specialists, operators and manufacturers, wireless network researcher, academics and postgraduate students, security engineers, researchers and consultants.
PARTV I: SECURITY ARCHITECTURE FOR UMTS.
1. Introduction to Security and to UMTS.
2. UMTS Secuirty Features in Release 1999.
3. Security Features in Release 4 and 5.
PART II: CRYPTOGRAPHIC ALGORITHMS.
4. Introduction to Cryptography.
5. 3GPP Algorithm Specification Principles.
6. Confidentiality and Integrity Algorithms.
7. Kernel Algorithm KASUMI.
8. Authentication and Key Generation Algorithm.
9. Notation of Parameters, Sets and Functions.
2.1 Access Security to UMTS
Radio access technology will change from TDMA (Time Division Multiple Access) to WCDMA (Wideband Code Division Multiple Access) when the Third Generation (3G) mobile networks are introduced. Despite this shift, requirements for access security will not change. It is an absolute prerequisite of UMTS (Universal Mobile Telecommunications System) that end-users of the system are authenticated (i.e., the identity of each subscriber is verified): nobody wants to pay for fraudulent calls that are made by others.
The confidentiality of voice calls is protected in the Radio Access Network (RAN), as is the confidentiality of transmitted user data. This means that the user has control over choosing the parties he or she wants to communicate with. Users also want to know that confidentiality protection is really applied and so visibility of applied security mechanisms is needed. Privacy of a user's whereabouts is generally appreciated; most of the time an average citizen does not care whether it is possible to trace where he or she is, but if persistent tracking occurs the user would rightly be irritated. Similarly, precise information about the location of people would be useful to burglars. The privacy of user data is another issue that is critical during transfer through thenetwork (privacy and confidentiality are largely synonymous in this presentation).
UMTS accessibility is clearly important for subscribers who are paying for it, but network operators consider reliability of network functionality to be equally important: they need control within network functions to be effective. This is guaranteed by the integrity of radio network signalling, which checks that all control messages have been created by authorized elements of the network. In general, integrity checking protects against any manipulation of a message (e.g., insertion, deletion or substitution).
The most important ingredient in providing security for network operators and subscribers is cryptography, which consists of various techniques that have their roots in the science and art of secret writing. It is sometimes useful to make communication deliberately incomprehensible (i.e., using ciphers or, synonymously, encryption). This is the most effective way to protect communications against eavesdroppers. Cryptographic issues are thoroughly discussed in Part II.
In the present chapter, we go through the security features introduced in the first release of the 3GPP system specifications (Release 1999).
2.1.1 Mutual authentication
There are three entities involved in the authentication mechanism of the UMTS system:
Home Environment (HE);
Serving Network (SN);
terminal, more specifically USIM (Universal Subscriber Identity Module), typically in a smart card.
The basic idea is that the SN checks the subscriber's identity (as in GSM-Global System for Mobile communications) by a challenge-and-response technique while the terminal checks that the SN has been authorized by the home network to do so. The latter part is unique to UMTS (not available with GSM) and through it the terminal can check that it is connected to a legitimate network.
The mutual authentication protocol itself does not prevent the active attack scenario of Figure 1.1, but in combination with other security mechanisms it guarantees that the active attacker cannot get any real benefit out of the situation. The only possible gain for the attacker is to be able to disturb the connection (but an attacker could also do this by means of radio-jamming). At the moment no protocol method can circumvent such an attack.
The cornerstone of the authentication mechanism is a master key or a subscriber authentication key K, which is shared between the USIM of the user and the home network database, Authentication Centre (AuC). The key is permanently kept secret and has a length of 128 bits. The key K is never transferred from these two locations (i.e., the user has no knowledge of the master key).
Apart from mutual authentication, keys for encryption and integrity checking are also derived. These are temporary keys (with the same length of 128 bits) and are derived from the permanent key K during every authentication event. It is a basic principle in cryptography to keep the use of permanent keys to a minimum and, instead, derive temporary keys from it for protection of bulk data.
We now describe the Authentication and Key Agreement (AKA) mechan ism at a general level. The design of the mechanism was begun by combining two different authentication mechanisms: GSM's authentication and key agreement mechanism and a generic authentication mechanism based on sequence numbers specified in an ISO standard.
The authentication procedure begins when the user is identified in the SN. Identification occurs when the identity of the user (i.e., permanent identity International Mobile Subscriber Identity (IMSI), or temporary identity Temporary Mobile Subscriber Identity (TMSI), or Packet TMSI (P-TMSI)), has been transmitted to the VLR (Visitor Location Register)or SGSN (Serving GPRS Support Node). Then the VLR or SGSN sends an authentication data request to the AuC in the home network.
The AuC contains the master key of each user and, based on the knowledge of IMSI, the AuC is able to generate authentication vectors for the user. The generation process contains executions of several cryptographic algorithms, which are described in more detail in Chapter 8. The generated vectors are sent back to the VLR/SGSN in the authentication data response. This process is depicted in Figure 2.1. These control messages are carried on the MAP (Mobile Application Part) protocol .
In the SN, one authentication vector is needed for each authentication instance (i.e., for each run of the authentication procedure). This means that the (potentially-long distance) signal ling between SN and AuC is not needed for every authentication event and that in principle this signalling can be done independently of user actions after initial registration. Indeed, the VLR/SGSN may fetch new authentication vectors from AuC well before the number of stored vectors runs out.
The SN (VLR or SGSN) sends a user authentication request to the terminal, containing two parameters from the authentication vector, called RAND and AUTN. These parameters are transferred to the USIM, which exists inside a tamper-resistant environment (i.e., in the Universal Integrated Circuit Card-UICC). The USIM contains the master key K and, using it with the RAND (random number) and AUTN (authentication token) parameters along with other input values, USIM carries out a computation that resembles the generation of authentication vectors in AuC. This process also involves running several algorithms, just as in the corresponding AuC computation. The result of the computation gives the USIM the ability to verify whether the AUTN parameter:
was indeed generated in AuC;
was not sent beforehand to the USIM.
In the positive case, the computed RES parameter is sent back to the VLR/SGSN as part of the user authentication response. Now, the VLR/SGSN is able to compare the user response (RES) with the expected response (XRES), which is part of the authentication vector. If they match, authentication ends positively. This part of the process is depicted in Figure 2.2.
The keys for Radio Access Network (RAN) encryption and integrity protection (namely, Cipher Key (CK) and Integrity Key (IK)) are created as a by-product in the authentication process. These temporary keys are included in the authentication vector and, thus, are transferred to the VLR/SGSN. These keys are later transferred to the Radio Network Controller (RNC) in the RAN when encryption and integrity protection start. Respectively, the USIM is able to compute the CK and IK after it has obtained the RAND (and verified it through the AUTN). Temporary keys are subsequently transferred from USIM to the Mobile Equipment (ME) where the encryption and integrity protection algorithms are implemented.
In the following sections we take a more detailed look at the mechanisms needed for authentication and key agreement.
188.8.131.52 Authentication vector generation
We now take a closer look at the generation of authentication vectors in the AuC. An illustration of the process is given in Figure 2.3. The process begins by picking an appropriate sequence number (SQN). Roughly speaking, what is required is that SQNs are chosen in ascending order. A more detailed description about how to create SQNs is given in Section 184.108.40.206. The purpose of the SQN is to provide the user (or more technically the USIM) with proof that the generated authentication vector is fresh (i.e., it has not been used before in an earlier run of authentication). In parallel with the choice of SQN, a 128-bit long RAND is generated. This is a demanding task in itself, but in this presentation we just assume that a cryptographic pseudorandom generator is in use that is able to produce large amounts of unpredictable output bits, when a good physical random source is available to produce smaller amounts of random bits that can be used as an input (seed) for the pseudorandom generator.
The key concept in authentication vector computation is a mathematical function, called one-way function, which is relatively easy to compute but practically impossible to invert. In other words, as long as we have input parameters there exists a fast algorithm to compute output parameters, but if the output parameters are not known, then there exist no efficient algorithms to deduce any input that would produce the output. Of course, there is a simple algorithm, called the exhaustive search algorithm, that can be used to find the correct input by trying all possible choices until one gives the requisite output. However, this algorithm quickly becomes extremely inefficient as the length of input increases.
In total, five one-way functions are used to compute the authentication vector. These functions are denoted by f1, f2, f3, f4 and f5. The function f1 differs from the other four in that it takes four input parameters: master key K, RAND, SQN and finally an administrative Authentication Management Field (AMF). All other functions from f2 to f5 only take K and RAND as inputs. The requirement of the one-way property is common to all functions f1-f5. They can all be built around the same core function. However, it is essential that they differ from each other in a fundamental way so that the output of one function reveals no information about the outputs of the other functions. The output of f1 is Message Authentication Code (MAC) (64 bits) and the outputs of f2, f3, f4 and f5 are, respectively, XRES (32-128 bits), CK (128 bits), IK (128 bits) and AK (64 bits). The authentication vector consists of the parameters RAND, XRES, CK, IK and the authentication token (AUTN). The last one is obtained by concatenating three different parameters: SQN added bit by bit to AK, AMF and MAC. All of the functions involved in the AKA procedure are studied in detail in Chapter 8 of this book.
220.127.116.11 Authentication on the USIM side
We now take a closer look into the handling of authentication on the USIM side (illustrated in Figure 2.4). The same functions f1-f5 are involved on this side but in a slighty different order. The function f5 has to be computed before the f1, since f5 is used to conceal the SQN. This concealment is needed in order to prevent eavesdroppers from getting information about the user identity through the SQN. The output of the function f1 is marked XMAC (or XMAC-A) on the user side. This is compared with the MAC received from the network as part of the parameter AUTN. If there is a match it implies RAND and AUTN have been created by some entity that knows K (i.e., the AuC of the user's home network).
Of course, there is still the possibility that some attacker who has recorded an earlier authentication event could ascertain the RAND and AUTN. However, as mentioned above, the SQN protects against this threat. The USIM should simply check that it has not seen the same SQN before, and the easiest way to do this is to require that SQNs appear in ascending order. It is also possible for the USIM to allow some SQNs to arrive out of order (e.g., by maintaining a shortlist of the greatest SQNs received so far). In the next sections we will take a closer look at this issue.
Since the transfer of authentication vectors from the AuC and the actual use of these vectors for authentication are done somewhat independently, there are several reasons why it is possible that authentication vectors may be used in a different order from which they were originally generated. The most obvious reason for this is because of the fact that mobility management functions for the CS (Circuit Switched) and PS (Packet Switched) domain are independent of each other, implying that authentication vectors are fetched to the VLR and SGSN independently of each other and that the vectors are also used independently.
The choice of algorithm (f1-f5) is in principle operator-specific, because they are only used in the AuC and in the USIM and the same home operator controls both of these entities. An example set of algorithms (called MILENAGE) exists in the Third Generation Partnership Project (3GPP) specification TS 35.206 (these algorithms are discussed thoroughly in Chapter 8).
18.104.22.168 SQN generation in the AuC
SQN management is also operator-specific in principle. There are two basic strategies at work in creating SQNs: each user may have an individual SQN, or SQN generation may be based on a global counter (e.g., universal time). A combination of these two strategies is also possible in which the most significant part of the SQN is user-specific but the least significant part is based on a global counter.
In the 3GPP specification 33.102 there is an informative annex C that describes three different options for generating SQNs. Because this part of the specification is only for informative purposes, the network operator is also free to choose some other way of generating SQNs while remaining fully compliant with 3GPP standards. However, it has been observed in practice that excessive diversity inside one standard tends to lead in the long run to interoperability problems of some sort or another. This observation is by no means limited to security mechanisms.
Let us discuss this important issue a bit further. There is a widely-held agreement inside the 3GPP that different optional functionalities for the same purpose in the same standard should be avoided if ever possible.
Excerpted from UMTS Security by Valtteri Niemi Kaisa Nyberg Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.