This ‘Deep Inside the Network’ episode focuses on UMTS security mechanisms and enhancements over GSM. Like the previous ‘Deep Inside’ articles, I expect the target audience to be rather small. Nevertheless, I decided to post it anyway as I haven’t found this information in a similarly compressed form anywhere else.
Introduction
Like GSM, UMTS has strong security measures, described in detail in [1], to prevent unauthorized use and eavesdropping on user data traffic and conversations. Over the years, a number of weaknesses have been found in the way GSM protects networks. These have been addressed with a number of enhancements in UMTS.
The main weaknesses are:
- The GSM circuit switched part does not protect the link between the base station and the BSC. In many cases, microwave links are used which are vulnerable to third party monitoring.
- GSM allows man in the middle attacks with equipment that masquerades as a GSM base station.
- The ciphering key length used in GSM is 64 bits. While this was secure when GSM was first developed back in the early 1990s, it is considered insufficient today. A number of weaknesses in the A5/1 stream cipher have been found, such as the one described in [2], which make it possible to decrypt a voice conversation with the appropriate equipment.
UMTS Authentication Vector vs. GSM Authentication Triplet
UMTS addresses these weaknesses in a number of ways. As in GSM, a one-pass authentication and key agreement (AKA) procedure is used, with immediate activation of ciphering after successful authentication. When a mobile station first connects to the network, it sends its identity (IMSI or T-IMSI), which is stored on the SIM card. If the subscriber is not known by the MSC/VLR, which is responsible for circuit switched connections, or by the SGSN, which is responsible for packet sessions, authentication information has to be requested from the authentication center, which is part of the HLR (cp. figure 1.14). In addition to the random number (RAND), the expected response (SRES, referred to as XRES in UMTS) and the ciphering key (Kc, referred to as CK in UMTS), which are already known from GSM, two additional values are returned. These are the integrity key (IK) and the authentication token (AUTN). Together, these five values form an authentication vector.
Authentication Token and Sequence Numbers:
The authentication token (AUTN), which is new in UMTS, serves two purposes. The AuC generates the AUTN using a random number and the secret key of the subscriber. It is then forwarded together with the random number to the mobile in a mobility management (MM) authentication request message. All other values are retained at the MSC/VLR or SGSN for the moment. The mobile station then uses the AUTN to verify that the authentication procedure was initiated by an authorized network. The authentication token additionally includes a sequence number which is increased in both the network and the mobile after every successful authentication. This prevents third parties from using intercepted authentication vectors for fake authentications later on.
Like in GSM, a UMTS mobile station has to generate a response value which it returns to the network in the MM authentication response message. The MSC/VLR or SGSN then compares the response value to the expected response value (XRES) which it has received as part of an authentication vector from the HLR/AuC. If both values match, the subscriber is authenticated.
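The exchange described above, as an added example that is not part of the original article and not 3GPP reference code: a small model of the authentication center and the card, showing a genuine vector being accepted, an intercepted vector being rejected on reuse, and a vector from a network without the secret key being rejected. Assumptions: HMAC-SHA256 stands in for the real UMTS algorithms, the AUTN is simplified to sequence number plus MAC, and the class and function names are hypothetical.

```python
import hashlib, hmac, os

def f(k, label, *parts, n):
    # Stand-in for the UMTS f1..f4 functions (assumption): truncated HMAC-SHA256
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

class AuC:
    """Authentication center: holds secret key K and the sequence number."""
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def vector(self):
        self.sqn += 1
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        return {"RAND": rand,
                "AUTN": sqn + f(self.k, b"f1", sqn, rand, n=8),  # simplified: SQN || MAC
                "XRES": f(self.k, b"f2", rand, n=8),
                "CK": f(self.k, b"f3", rand, n=16),
                "IK": f(self.k, b"f4", rand, n=16)}

class USIM:
    """Card side: same K, own copy of the highest accepted sequence number."""
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def authenticate(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn, rand, n=8)):
            return "MAC failure", None          # AUTN was not made with our K
        if int.from_bytes(sqn, "big") <= self.sqn:
            return "SQN not fresh", None        # previously used vector
        self.sqn = int.from_bytes(sqn, "big")
        return "ok", {"RES": f(self.k, b"f2", rand, n=8),
                      "CK": f(self.k, b"f3", rand, n=16),
                      "IK": f(self.k, b"f4", rand, n=16)}

def demo():
    k = os.urandom(16)                          # constructed subscriber key
    auc, usim = AuC(k), USIM(k)
    av = auc.vector()                           # MSC/VLR or SGSN keeps XRES, CK, IK
    status, out = usim.authenticate(av["RAND"], av["AUTN"])
    genuine = (status == "ok" and hmac.compare_digest(out["RES"], av["XRES"])
               and out["CK"] == av["CK"] and out["IK"] == av["IK"])
    replayed = usim.authenticate(av["RAND"], av["AUTN"])[0]
    other = AuC(os.urandom(16)).vector()        # network without the subscriber's K
    unknown = usim.authenticate(other["RAND"], other["AUTN"])[0]
    return genuine, replayed, unknown

if __name__ == "__main__":
    print(demo())
```

Only RAND and AUTN cross the air interface; CK and IK come out equal on both sides without ever being transmitted.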
128 Bit Ciphering Key
In a further step, the network activates ciphering between the mobile and the network by sending a RANAP Security Mode Command message to the RNC. This message contains the 128 bit ciphering key. While in GSM ciphering for circuit switched calls is a function of the base station, UMTS calls are ciphered by the RNC. This prevents eavesdropping on the Iub interface between the RNC and the base station, which is vulnerable to interception, especially if transported over microwave links. An RRC security mode command message informs the mobile that ciphering is to be activated. As in GSM, the ciphering key is not sent to the mobile as this would compromise security. Instead, the mobile calculates the ciphering key itself by using, among other values, its secret key and the random number.
Message Integrity Checking
Security mode command messages not only activate ciphering but also integrity checking for signaling messages, which was not done in GSM. While ciphering is optional, activating integrity checking after authentication is mandatory. Integrity checking is performed for RRC, CC, SM, MM and GMM messages between the mobile station and the network. User data, on the other hand, has to be verified by the application layer if required. To allow the receiver to check the validity of a message, an integrity stamp field is added to signaling messages. The most important parameters for the RNC to calculate the stamp are the content of the signaling message and the integrity key (IK), which is part of the authentication vector received from the authentication center. Integrity checking is done for both uplink and downlink signaling messages. In order to perform integrity checking for incoming messages and to be able to append the stamp to outgoing messages, the mobile station calculates the integrity key itself after the authentication procedure. This is done by the SIM card by using the secret key and the random number which was part of the authentication request message. This way, the integrity key is also never exchanged between the mobile station and the network.
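How an integrity stamp lets the receiver reject altered or re-sent signaling, as an added example that is not part of the original article. Assumptions: truncated HMAC-SHA256 stands in for the UMTS integrity algorithm, a message counter and a direction flag are included in the stamp alongside the message content and IK, the counter is sent in full for simplicity, and the names and sample messages are constructed.

```python
import hashlib, hmac, os

UPLINK, DOWNLINK = 0, 1

def stamp(ik, count, direction, message):
    # Stand-in for the UMTS integrity function (assumption): truncated HMAC-SHA256
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]   # 32 bit stamp

class Endpoint:
    """One side of the signaling link (RNC or mobile), holding the shared IK."""
    def __init__(self, ik, send_dir):
        self.ik, self.send_dir, self.recv_dir = ik, send_dir, 1 - send_dir
        self.tx, self.rx = 0, 0                 # last counter sent / accepted

    def protect(self, message):
        self.tx += 1
        return self.tx, message, stamp(self.ik, self.tx, self.send_dir, message)

    def verify(self, count, message, mac):
        if count <= self.rx:
            return False                        # counter already seen: replay
        expected = stamp(self.ik, count, self.recv_dir, message)
        if not hmac.compare_digest(mac, expected):
            return False                        # content, key or direction differs
        self.rx = count
        return True

def demo():
    ik = os.urandom(16)                         # constructed IK, known to both sides
    rnc, ue = Endpoint(ik, DOWNLINK), Endpoint(ik, UPLINK)
    count, msg, mac = rnc.protect(b"MM Location Updating Accept")
    tampered = ue.verify(count, msg + b"!", mac)    # content changed in transit
    accepted = ue.verify(count, msg, mac)           # untouched message
    replayed = ue.verify(count, msg, mac)           # same message sent again
    ue.protect(b"first uplink message")
    reflected = ue.verify(*ue.protect(b"second uplink message"))  # own message sent back
    return tampered, accepted, replayed, reflected

if __name__ == "__main__":
    print(demo())
```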
Key Lifetime
Keys for ciphering and integrity checking have a limited lifetime to prevent attempts to break the cipher or integrity protection by brute force, long duration monitoring attacks. The values of the expiry timers are variable and are sent to the mobile station at connection establishment. Upon expiry, a new set of ciphering and integrity keys is generated with a re-authentication between the mobile and the network.
Authentication, ciphering and integrity checking are performed independently for the circuit switched and the packet switched connections. This is because the MSC handles circuit switched calls while the SGSN is responsible for packet sessions. As these devices are independent they have to use different sets of authentication vectors and sequence numbers.
New Algorithms
UMTS also introduces new algorithms to calculate the different parameters used for authentication, ciphering and integrity checking. These are referred to as f0-f9. Details on the purpose and use of these algorithms can be found in [1].
GSM SIM Card Backwards Compatibility
On the user side, all actions which require the secret key are performed on the SIM card to protect the secret key. As older GSM SIM cards are not able to perform the new UMTS authentication procedures, a backwards compatibility mode has been specified to enable UMTS mobile stations to use UMTS networks with an old GSM SIM card. When the mobile station detects an old GSM SIM card, it informs the network during connection establishment that a GSM backwards compatible authentication procedure is required. Instead of requesting an authentication vector from the authentication center, the MSC/VLR or SGSN will request a GSM compatible authentication triplet. The UMTS ciphering and integrity keys are then computed by the mobile station based on the GSM ciphering key Kc (note: not the secret key!) which is returned by the SIM card. As the SIM card is not able to process the authentication token, it is not sent by the network during authentication. On the network side, the MSC/VLR and SGSN are responsible for computing these values. To be backwards compatible, the mobile informs the network during connection establishment that a SIM instead of a USIM is used. The network will then request a standard authentication triplet from the HLR/AuC.
Further Reading
If you are also interested in other topics concerning GSM, GPRS, UMTS, Wifi, WiMAX and Bluetooth, take a closer look at the book accompanying this blog, “From GSM to LTE-Advanced: An Introduction to Mobile Networks and Mobile Broadband”.
References:
[1] 3GPP, “3G Security; Security Architecture”, TS 33.102
[2] Patrick Ekdahl and Thomas Johansson, “Another Attack on A5/1”, IEEE Transactions on Information Theory, Vol. 49, No. 1, January 2003, pages 284–289
Update 22. Feb. 2016: Spelling errors corrected, link to book updated