NC3A Secure GSM workshop
Download
Report
Transcript NC3A Secure GSM workshop
Secure GSM:
Introduction and
NC3A Experiences
CIS Division
NATO Command, Control & Consultation Agency
[email protected]
1
NATO UNCLASSIFIED
Why GSM ?
Some GSM data services:
• GSM is global
–Networks in 140+ countries
Data Synch. 9600bps - MO
Data Synch. 9600bps - MT
SMS Cell Broadcast
• GSM is a standard
–Should be interoperable
• GSM supports data services
–Many data services
–Can be used for any type of
communications
Transparent Data
Automatic Facsimile Grp 3 - MO
SMS - MT
SMS - MO
Data Asynch. 9600bps - MT
Data Asynch. 9600bps - MO
Automatic Facsimile Grp 3 - MT
PAD Access 9600 bps - MO
PAD Access 9600 bps - MT
2
NATO UNCLASSIFIED
GSM services for Military Users
GSM & GPS
GSM “Piconode”
• GSM data services
support useful services for
Emergency Operations
• Position reporting
• Status monitoring via SMS
• Deployable - 20 kg, 0.6 m3
• Standalone GSM infrastructure
• BTS, BSC, MSC, NMS
• Can be connected to other
networks
• GSM, PSTN, PABX
• Satellite backhaul
• Tactical Military
GSM is useful, but no security
But not just GSM, any digital
mobile radio
3
NATO UNCLASSIFIED
Deployable GSM
Pictures courtesy of DERA / Qinetiq (UK)
4
NATO UNCLASSIFIED
… GSM deployed for the military in the US
Picture courtesy of Charley McMurray, REDCOM Labs
5
NATO UNCLASSIFIED
Reasons against “deployed” GSM
• Frequency allocation
• GSM bands usually licensed to commercial operators
• Services don’t always match requirements
• GSM not designed for Command & Control use
• but other Professional Mobile Radio systems were
• So, GSM is not necessarily the best choice if deploying own
infrastructure.
• But it is VERY good if you want to use existing infrastructure
6
NATO UNCLASSIFIED
Secure GSM:
End-to-end encryption
How Secure GSM equipment works
- and why it has to be this way
7
NATO UNCLASSIFIED
Overview - Standard GSM Security
GSM
AIE
AIE
A5
A5
protected
vulnerable
protected
GSM
Air interface
encryption
Security within GSM Standards (network is trusted)
Traffic at the air interface is protected by encrypting with the A5 algorithm,
Figure courtesy of D Parkinson, BT Exact (UK)
8
NATO UNCLASSIFIED
Concerns over GSM AIE
(but don’t believe what you read on the web)
(and yes I do appreciate the irony of that statement in a web based presentation)
EUROCRYPT '97
A5 - The GSM Encryption
Algorithm
From sci.crypt Fri Jun 17 17:11:49
1994
From: [email protected] (Ross
Anderson)
Date: 17 Jun 1994 13:43:28 GMT
Newsgroups:
sci.crypt,alt.security,uk.telecom
Subject: A5 (Was: HACKING DIGITAL
PHONES)
May 11-15, 1997, Konstanz, Germany
Session 8: Stream Ciphers
12:00-12:30 Cryptanalysis of Alleged A5
Stream Cipher
Jovan Dj. Goli (Queensland University of
Technology, Australia)
The Eurocrypt '97 page
The GSM encryption algorithm, A5, is
not much good. Its effective key
length is at most five bytes; and anyone
with the time and energy to look for
faster attacks can find source code for
it at the bottom of this post.
http://www.chem.leeds.ac.uk/ICAMS/people/jon/a5.html
9
The information at this site is Copyright by the
International Association for Cryptologic
Research.
http://www.iacr.org/conferences/ec97/programf.html
NATO UNCLASSIFIED
Should we worry about strength of A5 ?
• GSM was developed by ETSI
• European Telecommunications Standards Institute
• GSM algorithms developed by ETSI SAGE
• Security Algorithms Group of Experts
• ETSI SAGE
• Developed Algorithms for many civil telecom standards e.g.
GSM, TETRA, DECT, 3G etc
• SAGE developed the A5 algorithm for GSM Air Interface
Encryption
• A5 provides greater protection than analogue cellular mobiles
• A5 fit for purpose
10
NATO UNCLASSIFIED
Air Interface Encryption is optional
GSM
GSM
Air interface
Air interface
protected
vulnerable
vulnerable
protected
vulnerable
encryption
encryption
Security
Security
within
within
GSM
GSM
Standards
Standards
(transmitting
(network isOTA
trusted)
in clear) is optional
AIE is optional. Users have no control and usually no knowledge of whether AIE is being used
Some phones will indicate if AIE is in use - most do not
11
NATO UNCLASSIFIED
End to End Encryption
GSM
GSM
Air interface
Air interface
vulnerable
vulnerable
vulnerable
encryption
protected
vulnerable
protected
encryption
Security
within
GSM
Standards
(transmitting
in clear) is optional
Security
within
GSM
Standards
(network isOTA
trusted)
End-to-end
encryption
protected
End to End Encryption over GSM (network is untrusted)
12
NATO UNCLASSIFIED
Standard GSM Security
• Standard GSM encryption (A5)
• optional
• over air-interface only (clear within network)
• There is a need for end to end encryption
• Voice calls in GSM can be transcoded within the
network
• Transcoding errors are small
–have a negligible effect on quality of analogue voice
• Cannot encrypt ordinary GSM voice calls as
transcoding errors would prevent decryption
13
NATO UNCLASSIFIED
Secure GSM
• Secure GSM send encrypted voice over a GSM data
connection
• GSM data connections are not transcoded
–Separate phone number for data connections tells the GSM
network not to transcode
• Secure GSM uses the transparent data service
• Bearer service 26 (9.6 kbps) or 25 (4.8 kbps)
• Circuit switched data connection
–Fixed delays (required for speech)
–No error correction
• Initially:
• GSM used a 13 kbps voice coder (RPE-LPC)
• Data services limited to 9.6 kbps
• So using the data service to send encrypted speech
required the use of a different voice coder
14
NATO UNCLASSIFIED
End to end secure GSM
GSM data
Error
Protection
Crypto
Voice Coder
15
End tospeech
end is transmitted
Encrypted
GSM data
GSM
overencrypted
GSM data connection
Error
Transparent
data
service
• Uses the GSM
Protection
provides
no
error
correction
• data connection
Encoded
speech
is encryptedCrypto
• Provides
its own
• Voice Coder
• Errormust
Protection
Speech
be encoded (digitised)
Voice Coder
NATO UNCLASSIFIED
Introduction to STANAG 4591
Voice Coders
The new NATO Voice Coder
• End to end secure GSM doesn’t
use ‘standard’ GSM voice coder
• For Secure GSM the choice of
voice coder is independent
• NATO Post-2000 Narrow Band
Voice Coder (2400& 1200 bps)
• Outperforms
–CELP - 4.8k
–CVSD - 16k
–LPC10e - 2.4k
NC3A Workshop
October 18th 2002
At TNO-FEL, The Hague, The Netherlands
Topics Include:
Need for a new NATO voice coder
Tests to select Stanag 4591
Language independence testing
Source Code & IPR
• Widely used by other secure
users
• Can be used over GSM data
services
16
NATO UNCLASSIFIED
Performance
VoIP with S4591
Stanag 4591 in civil
telecom standards
Organised by the NATO C3 Agency and the
NATO Ad-Hoc Working Group on Narrow
Band Voice Coding
For more details please email:
[email protected]
Plain and secure speech in GSM
• Normal voice call sent through network
• User calls GSM voice number
• Transcoding in network is possible
GSM
GSM
Secure
Speech
Speech
GSM Network
Inter-network
connection
Data Number
Number
Voice
GSM Network
GSM
GSM
\/
PCM
GSM
/\
PCM
Transcoder
17
• Secure speech sent as data call
through network
• User calls GSM data number
• No transcoding
• Secure speech sent between GSM
networks
• Relies on inter-network connection
supporting GSM transparent data
service correctly
NATO UNCLASSIFIED
Secure GSM / PSTN interworking
GSM Network
GSM
Data Number
V.110 like
Protocol
V.32
Modem
PSTN
Analogue mode
Interworking Unit
The interworking unit
provides the interface
for data calls between
GSM and PSTN
Deskset Crypto Unit
PSTN
Standard PSTN ‘phone
18
NATO UNCLASSIFIED
NC3A Experiences
Results with existing Secure GSM
equipment
1999 - 2002
19
NATO UNCLASSIFIED
Crypto AG Secure GSM
(NC3A Trials 1999)
• GSM - PSTN interworking via deskset
• Manual key management
• Crypto applique on conventional GSM
• Call set up time approx 40 seconds
• Encrypted speech only
• Reliability
–good on home network
–variable when roamed
–variable between GSM and PSTN
• Voice quality
–good when strong signal
–deteriorated when GSM signal was weak
20
NATO UNCLASSIFIED
Sagem Secure GSM
(NC3A Trials 2000)
• Crypto applique on conventional GSM
• Approved to FR Confidential
• GSM - PSTN interworking via deskset
• Key Management System
• Encrypted speech only
• Call set up time approx 20 seconds
• Reliability
–good on home network
–variable when roamed
–variable between GSM and PSTN
• Voice quality
–Generally good
–Deteriorated when GSM signal was weak
21
NATO UNCLASSIFIED
More Secure GSMs
Rhode & Schwarz “TopSec”
Half rate GSM Voice coder
GE RESTRICTED
Released to NATO
General Dynamics “Sectera”
Includes STANAG 4591 2.4k voice coder
US TYPE 1
Being released to NATO
Tests of both requested by NC3A during 2000-2
22
NATO UNCLASSIFIED
Sectra Secure GSM
(NC3A Trials 2000-2001)
• Military development
• Swedish/Norwegian Project
• Crypto integral to terminal
• Integrated GSM / DECT unit
• DECT gives PSTN connection
• Encrypted Voice + Data
• Key Management System
• Good voice quality
• Improved reliability
• when roamed
• when GSM signal was low
23
NATO UNCLASSIFIED
NSK 200 Secure GSM
(NC3A Trials 2001-2002)
• Norwegian military development
• Crypto integral to terminal
• Authentication required
• Approved to NATO SECRET
• Tested over GSM, DECT and via
Inmarsat
• Features and operation described in
other presentations
24
NATO UNCLASSIFIED
Summary of Trials
(Things to think about)
• Support for data calls
• requires transparent data bearer services 25 & 26
• varies with network operator
• Inter-network connectivity
• Secure calls between some countries never succeeded
• Roaming agreements
• Not always in place in some areas
25
NATO UNCLASSIFIED
Symposium on
End
to End
SecurityGSM
in
More
on Secure
Mobile and
Cellular
Networks
Secure
3G
London, December 2002
Call for papers
Contributions are invited on the subjects of:
Secure GSM
3G security ?
• Interested
End to end
• When
? security via
satellite services
• Where
?
Network
operators
viewpoints
• Just
GSM
or 3G
?
Interoperability issues for end to end
security
Market differences: Commercial vs
military users
For details and submission of abstract (200 words) please contact:
ACT Branch, NC3A, The Hague, The Netherlands.
Tel: +31 70 374 3444 or Email. [email protected]
This event will be unclassified and attendance open to all
26
NATO UNCLASSIFIED