WirelessMoves

This ‘Deep Inside the Network episode’ focuses on UMTS security mechanisms and enhancements over GSM. Like the previous ‘Deep Inside’ articles I expect the target audience to be rather small. Nevertheless, I decided to post it anyway as I haven’t found this information in a similarly compressed form anywhere else.

Introduction

Like GSM, UMTS has strong security measures which are described in detail in [1] to prevent unauthorized use and eavesdropping on user data traffic and conversations. Over the years, a number of weaknesses have been found in the way GSM protects networks. These have been addressed with a number of enhancements in UMTS. 

These main ones are:

• The GSM circuit switched part does not protect the link between the base station and the BSC. In many cases, microwave links are used which are vulnerable to third party monitoring.
• GSM allows man in the middle attacks with equipment that masquerades as a GSM base station.
• The ciphering key length used in GSM is 64 bits. While having been secure when GSM was first developed back in the early 1990’s it is considered insufficient today. A number of weaknesses with the A5/1 stream cipher have been detected such as described in [2] which allow to decrypt a voice conversation with the appropriate equipment.

UMTS Authentication Vector vs. GSM Authentication Triplet

UMTS addresses these weaknesses in a number of ways. Like in GSM, a one pass authentication and key agreement (AKA) procedure is used with immediate activation of ciphering after successful authentication. When a mobile station first connects to the network it sends its identity (IMSI or T-IMSI) which is stored on the SIM card. In case the subscriber is not known by the MSC/VLR, which is responsible for circuit switched connections, or the SGSN, responsible for packet sessions, authentication information has to be requested from the authentication center which is part of HLR (cp. figure 1.14). In addition to the random number (RAND), the expected response (SRES, referred to as XRES in UMTS) and the ciphering key (Kc, referred to as CK in UMTS) which are already known from GSM, two additional values are returned. These are the integrity key (IK) and the authentication token (AUTN). Together, these five values form an authentication vector.

Authentication Token and Sequence Numbers:

The authentication token (AUTN), which is new in UMTS, serves two purposes. The AuC generates the AUTN using a random number and the secret key of the subscriber. It is then forwarded together with the random number to the mobile in a mobility management (MM) authentication request message. All other values are retained at the MSC/VLR or SGSN for the moment. The mobile station then uses the AUTN to verify that the authentication procedure was initiated by an authorized network. The authentication token additionally includes a sequence number which is increased in both the network and the mobile after every successful authentication. This prevents third parties from using intercepted authentication vectors for fake authentications later on.

Like in GSM, a UMTS mobile station has to generate a response value which it returns to the network in the MM authentication response message. The MSC/VLR or SGSN then compares the response value to the expected response value (XRES) which it has received as part of an authentication vector from the HLR/AuC. If both values match, the subscriber is authenticated.

128 Bit Ciphering Key

In a further step, ciphering between the mobile and the network is activated by the network by sending a RANAP Security Mode Command message to the RNC. This message contains the 128 bit ciphering key. While in GSM ciphering for circuit switched calls is a function of the base station, UMTS calls are ciphered by the RNC. This prevents eavesdropping on the Iub interface between the RNC and the base station which is vulnerable to interception especially if transported over microwave links. A RRC security mode command message informs the mobile that ciphering is to be activated. Like in GSM the ciphering key is not sent to the mobile as this would compromise security. Instead, the mobile calculates the ciphering key itself by using, among other values, its secret key and the random number.

Message Integrity Checking

Security mode command messages do not only activate ciphering but also integrity checking for signaling messages, which was not done in GSM. While ciphering is optional, integrity checking is mandatory to activate after authentication. Integrity checking is performed for RRC, CC, SM, MM and GMM messages between the mobile station and the network. User data on the other hand has to be verified by the application layer if required. To allow the receiver to check the validity of a message a integrity stamp field is added to signaling messages. The most important parameters for the RNC to calculate the stamp the content of the signaling message and the integrity key (IK) which is part of the authentication vector received from the authentication center. Integrity checking is done for both uplink and downlink signaling messages. In order to perform integrity checking for incoming messages and to be able to append the stamp for outgoing messages, the mobile station calculates the integrity key itself after the authentication procedure. This is done by the SIM card by using the secret key and the random number which was part of the authentication request message. This way, the integrity key is also never exchanged between the mobile station and the network.

Key Lifetime

Keys for ciphering and integrity checking have a limited lifetime to prevent attempts to break the cipher or integrity protection by brute force long duration monitoring attacks. The value of the expiry timers are variable and are sent to the mobile station at connection establishment. Upon expiry, a new set of ciphering and integrity keys are generated with a re-authentication between the mobile and the network.

Authentication, ciphering and integrity checking are performed independently for the circuit switched and the packet switched connections. This is because the MSC handles circuit switched calls while the SGSN is responsible for packet sessions. As these devices are independent they have to use different sets of authentication vectors and sequence numbers.

New Algorithms

UMTS also introduces new algorithms to calculate the different parameters used for authentication, ciphering and integrity checking. These are referred to as f0-f9. Details on the purpose and use of these algorithms can be found in [1].

GSM SIM Card Backwards Compatibility

On the user side, all actions which require the secret key are performed on the SIM card to protect the secret key. As older GSM SIM cards are not able to perform the new UMTS authentication procedures, a backwards compatibility mode has been specified to enable UMTS mobile stations to use UMTS networks with an old GSM SIM card. When the mobile station detects an old GSM SIM card it informs the network during connection establishment that a GSM backwards compatible authentication procedure is required. Instead of requesting an authentication vector from the authentication center, the MSC/VLR or SGSN will instead request a GSM compatible authentication triplet. The UMTS ciphering and integrity keys are then computed by the mobile station based on the GSM ciphering key Kc (note: not the secret key!) which is returned by the SIM card. As the SIM card is not able to process the authentication token, it is not sent by the network during authentication. On the network side the MSC/VLR and SGSN are responsible for computing these values. To be backwards compatible, the mobile informs the network during connection establishment that a SIM instead of a USIM is used. The network will then request a standard authentication triplet from the HLR/AuC.

Further Reading

If you are also interested in other topics concerning GSM, GPRS, UMTS, Wifi, WiMAX and Bluetooth, take a closer look at the book to this blog “From GSM to LTE-Advanced: An Introduction to Mobile Networks and Mobile Broadband“, which you can find here.

References:

[1]    3GPP, „3G Security ; Security Architecture“, TS 33.102

[2]    Patrick Ekdahl and Thomas Johansson, „Another Attack on A5/1“, IEEE Transactions on Information Theory, Vol. 49, No.1, January 2003, page 284 – 289

Update 22. Feb. 2016: Spelling errors corrected, link to book updated

Blogs, news web sites, tech tips are all on the web these days. Books, however, are far from being pushed to the side by it as they can explore topics in a much deeper way than articles on the web. So if you are like me and like to read a good book on telecoms and communication, the Telecoms Book Blog might just be the right resource that will help you to find your next book. Check it out, I am listed as well 😉

There is web 2.0, mobile web 2.0 and, believe it or not, Bluetooth 2.0… One of the main benefits of the new version is the enhanced data rates (EDR) feature which promises data rates of up to 2.1 MBit/s. That’s quite a step from the 0.7 MBit/s of previous versions of the standard. To test the higher data rates in action I performed some speed measurements between a notebook with an Anycom Bluetooth 250 USB stick and a Nokia N93.

While measurements between two Bluetooth 2.0 USB sticks might actually show higher transfer speeds than between a notebook and a mobile phone, I nevertheless decided to go for this test setup as I use Bluetooth mostly between such devices for file transfers and to connect my notebook to the Internet via the mobile phone and the 3G network.

The test setup:

• Mobile phone: A Nokia N93, firmware V 10.0.025
• Notebook: Anycom BT200/250 Bluetooth 2.0 USB stick with Widcom Stack V 5.1.0.2100
• File for transfer: A 34 minutes 64 kbit/s MP3 podcast with a file size of 15 MB (16.142.336 bytes)
• For reference tests: A Nokia 6680 with a Bluetooth 1.x chipset

From the notebook to the N93

This is a typical side-loading scenario, i.e. a user downloads a podcast from the Internet to the PC and then sends it via Bluetooth the mobile device. Over Bluetooth the 34 minute podcast was transfered to the N93 in 120 seconds. The resulting transfer speed was thus 16.142.336 bytes / 120 seconds = 134.5 kByte/s. That’s about half of the theoretical maximum speed Bluetooth 2.0+EDR offers with 272.25 kByte/s (2178 kbit/s). Nevertheless, the transfer was about twice as fast as what could be achieved with previous Bluetooth versions.

From the N93 to the notebook

I also transfer a lot of files from the mobile phone to the notebook, mostly images and videos. In order to better compare transmission speeds of both directions I used the same file to test the reverse direction. In this direction, the file was transfered to the notebook in 110 seconds. The resulting transfer speed was thus 16.142.336 bytes / 110 seconds = 146,78 kByte/s.

Bluetooth and the Nokia 6680

To compare the improvement, I ran the same tests once more with a Nokia 6680, a S60 2nd edition phone and predecessor of the Nokia N70. It uses a Bluetooth 1.x stack and the transfer of the file from the notebook to the mobile phone took 273 seconds. That’s a transfer speed of 57.4 kByte/s. In the other direction the file transfer took 313 seconds which corresponds to a transfer speed of about 50 kByte/s.

Summary

While end users won’t care much for the transmission speeds, the time required to transfer a file between two devices is quite important. Compared to the 273 seconds (4.5 minutes) it takes to transfer the file to the 6680, the 110 seconds (slightly less than 2 minutes) required to send the file to the N93 is a vast improvement. There is also still potential to increase the speed further as the transfer rates are far below the theoretical maximum. When using Bluetooth 2.0 capabilities to the fullest, the transfer time could be reduced from 2 minutes to around 1 minute for the 34 minute podcast file.

With file sizes especially of video files getting larger and larger due to the improved capabilities offered by new phones, it is only a matter of time before it becomes impractical to transfer such large files even over an optimized Bluetooth 2.0 connection. Also, 3G network features such as HSDPA with data transfer rates of up to 3.6 MBit/s today and 7.2 MBit/s in the future, Bluetooth definitely becomes the bottleneck.

It is time to think about alternatives. Many of today’s N-series phones already have a built in wireless LAN (wifi) adapter. Adding access point functionalities to the phone as suggested in this blog entry would surely remove this bottleneck.

IMS, the IP Multimedia Subsystem, a buzzword that has been around in the mobile industry for quite a number of years now. However, up to date no IMS services are commercially available and the industry is still working on getting the complex setup and terminal software in place.  In the past year, however, a number of things have happened which might improve chances we are going to see some interesting commercial services soon:

• 3GPP Release 6 integrates WLAN access in IMS. Previously, IMS was only specified for 3G access.With WLAN integration dual mode 3G/Wifi devices that are now available on the market can be used for IMS services while camped in a wireless lan.
• The IMS has become the carrier SIP environment of choice for both fixed line and wireless IP networks. Especially wireless operators with DSL access will be able to offer integrated fixed and wireless services. This is also referred to as Fixed Mobile Convergence.

And here are the services which I see coming (soon?):

• Instant Messaging (IM): This is an easy service to implement from a network point of view as there are no special bandwidth and latency requirements. IM however is already done today via proprietary IM clients from Microsoft, Yahoo and others. Thus, I think IM via IMS will have a difficult time unless operators find a way to include Microsoft, Yahoo and other customers, have international connectivity in mind and offer interesting pricing for the service.

• Push to Talk over Cellular (PoC): Another service that has been with us for quite a number of years now. One US operator had and still has an interesting PoC service but it is based on proprietary hardware/software which hurts general usage. There have been proprietary approaches to bring PoC to the GSM/UMTS world as well but none have really gained great traction due to pricing, user unfriendly clients on mobile phones and non interoperability between national and international mobile networks. IM can change this as the OMA PoC specification now allows vendors for the first time to offer standardized and interworking PoC Servers. This enables talk groups which span multiple national and international wireless networks. A standardized PoC solution will also bring better PoC clients on handsets and will increase the number of PoC capable handsets.

• Addition of video during a voice call: Today, circuit switched 3G wireless networks a capable of transporting voice and video calls. In many cases, however, users would like to add a video stream to an ongoing voice call rather to start a video call in the first place. IMS offers a nice way of doing that by either adding video to an ongoing IMS voice call or to add a video session to an ongoing circuit switched call which is not controlled by the IMS. The later scenario is probably the one going to hit the market first as I thing circuit switched voice calls will be the dominant way voice calls are transported over the network for qutie some time to come. The transmission of the video can also be stopped at any time during the call to continue the conversation in voice only mode.

• Voice Call Continuity (VCC): Standardized in 3GPP TS 23.206 this new IMS service offers quite a number of new possibilities for voice calls: Ongoing calls can be switched from Wireless to Wifi at any time using 2G/3G/Wifi handsets such as the Nokia N-series and E-series phones. Also, a call can be transfered at any time to another handset. Quite nice when you come home and would like to continue the call via the fixed line table phone with good hands-free/loudspeaker facilities. VCC requires a special client in the mobile again but since it is standardized it’s possible that many vendors will likely implement this. Imagine a combined VCC + addition of video during call scenario. You talk to somebody over the 3G network while you drive in the car, carry the phone with you into your apartment and then you transfer the call to your home entertainment system to activate a video feed for the rest of the conversation. Here’s a video from the Daidalos project which impressively demonstrates the possibilities.

In 2006, HSDPA was an important topic during the 3GSMWorldCongress in Barcelona. Let’s see, maybe IMS will be the topic of the year in 2007 during the conference. It would be nice to see real demos of some of the applications above.

While VoIP and video streaming in the home network might have been exotic applications just a year or two ago, they are more and more moving into the main stream segment. Quite a number of VoIP phones are on the market now such as the Linksys Skype phone, the UTStarcom F1000G SIP phone or the Nokia E-series 3G/Wifi phones. While network load on the wireless link is low, speech quality is usually rather good. Things start to deteriorate, however, once the network starts to get loaded, e.g. due to a high bandwidth file transfer.

To improve things, the IEEE standards body has created the 802.11e standard which defines a number of Quality of Service measures for 802.11b/g/n Wifi networks. All are backwards compatible so 802.11e compatible Wifi access points can handle new and old devices simultaneously. In addition, the Wifi Alliance has created the WMM (Wireless Multimedia) certification program to ensure that devices are interoperable with each other and implement the most important options of the 802.11e standard, priorities and prioritized scheduling (EDCA, Enhanced DCF Channel Access).

While researching the topic, I was wondering how applications running on a PC or notebook for example can take advantage of WMM. After all, not all packets originating from a single device should be treated alike by the wireless card. While packets of a VoIP SIP client running on a machine should be treated with the highest priority, packets of a simultaneously ongoing download or web session should be treated with less priority in order for the VoIP packets to flow smoothly. It took quite some reading to find the answer to the puzzle:

• The WMM certification requires that an application shall control the setting of the QoS field in the 802.11 header by setting the DSCP (Differentiated Services Code Point) field in IP (layer 3) packets according to the priority needs of the application. I gave it a try with a SIP soft-phone client and indeed the DSCP field is set to "Expedited Forwarding" instead of "default" as is the case in other packets (see picture above).

• This and this blog entry by Gabe Frost explain how an application can set the DSCP field when opening a socket connection in Windows Vista and how a WMM compatible wifi network driver then makes use of this information to add a QoS header to the 802.11 MAC (layer 2) frame. In addition, wireless devices will only get the "Designed for Windows Vista" sticker if they implement WMM. Good thing!

Once the frame is maked with a QoS header it is delivered to the wifi card. The wifi card then uses the layer 2 QoS header field to put the frame into the correct priority queue. The following parameters, which are broadcast by the wifi access point, are then used by the network card to decide how long to wait before attempting to send a packet once the air interface is not used by another device:

• The number of slots to wait before starting the random backoff procedure. This value is called the AIFSN (Arbitrary Inter-Frame Space Number). The highest priority queue has to wait for the fewest number of slots before the random backoff procedure is started.

• The random backoff procedure is used to prevent several network clients to start transmitting at the same time. The backoff window size for a frame also depends on the priority queue it is currently waiting in. High priority queues have lower maximum backoff window sizes then lower priority queues. This allows other wireless clients to send their high priority frames before low priority frames of other clients.

• The maximum time before the client has to cease transmitting (TXOP). High priority frames are usually very short (e.g. 74 bytes of a VoIP RTP packet compared to 1500 bytes of data contained in a frame which transports part of a web page). A low TXOP time for high priority queues prevents applications mis-using a high priority for large data transfers and they are also not able to interfere with high priority frames from other local and remote applications.

So if access point vendors, network card manufacturers and operating system designers do their homework VoIP calls and video streaming over wifi should be smooth in the future, no matter what other users are doing in the network simultaneously.

P.S.: QoS issues do not end at the Wifi access point of course. Other measures have to be taken to let the VoIP packets flow in the DSL up- and downlink just as nicely. But that’s another story for another day 🙂

In lots of places 1 MBit/s ADSL connections are almost a thing of the past already and telcos are starting to offer fast ADSL2+ connections with speeds up to 24 MBit/s. These speeds are quite challenging for todays home networks for two reasons. First of all, the TCP parameters of PCs and notebooks in the network have to be tweaked. Otherwise, a single connection to a server on the Internet will level out at 5 MBit/s with the standard TCP window settings of Windows XP. More about TCP windows and how to adapt them can be found in this blog entry. Secondly, Wifi access points and Wifi adapters in PCs and notebooks used to connect to the ADSL line are also not always capable of transferring data at such high speeds.

If you still use either 802.11b access points or wireless network adapters in the PC/notebook, think about replacing this kit when getting a faster ADSL line. The maximum speed that can be reached in a 802.11b network is around 5 to 6 MBit/s. This is far too slow for an ADSL2+ connection.

Most people these days probably have an 802.11g wifi access point which in many cases has a built in ADSL or ADSL2+ DSL modem. But even here, with theoretical speeds of 54 MBit/s, the air gets "virtually" thin. Due to the way data is sent and received in a Wifi networks, actual data rates in 11g networks are much less than the advertised 54 MBit/s.

To see how well the combination of my wifi access points and devices in work together I used iperf to generate traffic on my wireless network. Iperf is a free program and can be found here. To simulate a download from the Internet one of the computers used in the tests was connected to the wifi access point via a 100 MBit/s Ethernet cable. Like when receiving data from the internet, packets are thus only sent once over the wireless link. Here are my results:

Netgear DG834GB access point and Intel Centrino notebook with 802.11g chipset: This is the fastest possible setup as both access point and client device are 11g compatible. No other devices were present in the network for the test. With packet bursting activated, the maximum transmission speed was 20.7 MBit/s. Not bad for a wireless link but not enough if you should be lucky enough to get the best possible ADSL2+ speed of 24 MBit/s.

Same setup as above with an additional Intel Centrino notebook with 802.11b chipset: As soon as 11g devices detect a device which still uses the older 11b standard, additional safeguards are automatically activated for peaceful coexistence of 11b and 11g devices in the same network. For details on how this co-existence works, take a look at the book on the left (sorry, shameless self advertisement). In this mode, the maximum data rate I got on the 802.11g notebook was 12 MBit/s. This is already far from the 24 MBit/s of a good ADSL2+ line. Also beware of neighbors using old 11b access points or devices on the same frequency band used by your network as the effect will be the same.

Shame on the Siemens SE515DSL

I repeated the same tests using my Siemens SE515DSL access point with the latest router firmware. No matter what I tried I was never able to get more than 12 MBit/s out of this router. Even switching to 11g only mode on the router and the notebook brought no improvements. Quite a frustrating experience.

802.11n

802.11g reaches its limits quickly with new ADSL 2+ lines. Should you be one of the happy few to get the full 24 MBit/s out of your ADSL2+ line, you might want to think about other wireless network alternatives. Unfortunately, the long awaited 802.11n standard, which promises speeds of 100 MBit/s and more, is still not finalized. This blog entry describes the situation back in October 2006. Pre-N devices with Mimo (Multiple Input Multiple Output) technology are already on the market for quite some time now, but might not be to everybody’s taste due to a lack of compatibility between different products and bulky PC cards sticking out of notebooks.

The next generation of even faster Internet connections at home and office like for example VDSL with 50+ MBit/s per second and fiber are already on the horizon. Also, video streaming at home over wifi which requires high bandwidths is also getting more and more main-stream. Let’s hope 802.11n will be finished soon in order to leave notebook manufacturers, chipset vendors and the market enough time to put inter-operable devices into the homes and offices before wireless home networks become the bottleneck.

I’ve recently come across an interesting article by Jürgen Schmidt on Heise Security describing how Skype establishes a direct call between two subscribers behind NAT (Network Address Translation) firewalls. NAT firewalls only allow the initiation of a connection from the inside and reject packets which are not a response to a previously sent packet. In addition, some NAT firewalls also map internal TCP and UDP port numbers to new values which are used externally. This in theory prevents establishment of a connection between two computers behind two NAT firewalls which is required for a Skype connection. Skype clients, however, are quite clever and use a number of different schemes to find the right port in the firewall of the other party. In case the right port can not be found, Skype clients use a fallback mechanism and communicate via a super node in the network which bridges their media flows. For details, see this article.

So what does this have to do with wireless? Well, Skype can be used over a 3G connection as well and many operators use NAT and a private IP address space for their 3G subscribers.

In addition: As with firewalls, Skype seems to be quite flexible in regard to the Internet connection available and adapts to a UMTS bearer nicely as shown in this presentation of Tobias Hoßfeld called "Skype over UMTS".

Today I came across this interesting video which shows the vision of the Daidalos project for pervasive communication in the future. There is lots of talk in the industry lately on voice call continuity, i.e. switching a voice call between circuit and packet switched networks. The vision of the Daidalos project goes one step beyond and shows how a call could be switched between different networks and devices and how additional information such as video streams and textual information are automatically included in the call when the current device allows and the situation requires. The roots of this concept are also known as "rich call".

So far, I’ve been somewhat reluctant to see a benefit in voice call continuity (VCC). Since watching the video however, I can quite clearly see the benefits of VCC and its evolution. An interesting example made in the video is two people discussing a trip to the airport. The person at the other of the connection end gives his conversational partner further information about whom he is to meet at the airport and when. The call continues when he goes to his car and the on-board computer automatically extracts the location information given by the other party to calculate a route to the airport and to reserve a parking place.

Diadalos stands for "Designing Advanced network Interfaces for the Delivery and Administration of Location independent, Optimised personal Services" and is a project funded as an EU Framework Programme 6 Integrated Project.

Here’s a
statement made by Anssi Vanjoki at the recent Nokia World Conference: “Broadband Internet is not a socket in the
wall, it is all around us”.

He draws
and interesting picture and I think he is right. Today, many people already use
Wifi access points to create their personal broadband Internet cloud. Thus, the
broadband Internet IS virtually all around them. In the future people will not
only use this cloud with desktop computers and notebooks but also with smaller
devices such as mobile phones with built in Wifi capabilities (like Nokia
N-series phones for example) or physical widgets .
Smaller devices will also change the way we perceive the Internet cloud. No
longer do you have to sit down at a specific place, e.g. in front of a
computer, in order to communicate (VoIP, eMail, IM), to get information, or to
publish information to the web yourself (pictures, blog entries, videos, etc.).
Even today you don’t need to be in your personal Internet cloud anymore to
perform these activities. When you leave your personal broadband cloud, 3G and
3.5G networks and WiMAX in the future are a natural extension. Instead of using Wifi, mobile Internet
devices then switch over to the cellular network. As we move into the future
the cloud will extend into areas not covered today, available bandwidth will
increase and moving between the personal Internet cloud at home and the larger external
cloud will become ever more seamless.

An
interesting scenario for handset manufacturers like Nokia and others developing
3G/Wifi integrated multimedia handsets, for innovators of cool mobile services
and for network operators such as Vodafone, O2 and Orange who have decided to include DSL lines
into their portfolio to offer a home cloud in addition to the larger network
coverage. It’s time to start the integration of handset, personal cloud and
external cloud and mobile services into a homogeneous experience.

"Well, you know I like the fireworks" said Rudy De Waele to me today after announcing that the MobileMonday Global Peer Awards Ceremony 2007 is to be held during the 3GSMWorldCongress week in Barcelona next February. And indeed, a firework of ideas, conversations and fun this is going to be. I haven’t been to the  Espacio Movistar where the event will take place yet but the pictures on the Mobile Monday Barcelona blog look impressive. So if you are at the 3GSMWC in February, this is the event you definitely don’t want to miss. So, no time to waste, head over to the MoMo Barcelona blog to get more info and reserve your ticket.