Cryptography in Public Wireless Networks
Mats Näslund
Communication Security Lab
Ericsson Research
[email protected]
Feb 27, 2007
Outline
• Overview of GSM Cryptography
• Some “attacks” on GSM
• Overview of “3G” UMTS Cryptography
– Message Authentication Codes
GSM Cryptography Overview
History – GSM Security
• Use of a smart card SIM – Subscriber Identity Module,
tamper resistant device containing critical subscriber
information, e.g. 128-bit key shared with Home Operator
• SIM is the entity which is authenticated
• Initial GSM algorithms (were) not publicly available and
under the control of GSM-A
• GSM ciphering on “first hop” only: stream ciphers using
54/64 bit keys, future 128 bits
• One-sided challenge-response authentication
• Basic user privacy support (“pseudonyms”)
History – GSM Security: access security (diagram)
• GPRS – confidentiality (RBS … SGSN): GEA1, GEA2, GEA3/GEA4 (new, open)
• Voice – confidentiality (Radio Base Station, Base Station Controller … MSC): A5/1, A5/2, A5/3/A5/4 (new, open)
• Authentication: A3 algorithm
GSM Authentication: Overview (diagram)
Visited Network (MSC/VLR, RBS) and Home Network (AuC/HLR); the SIM and the AuC/HLR both hold Ki.
1 MSC/VLR → AuC/HLR: Req(IMSI)
2 AuC/HLR → MSC/VLR: RAND, XRES, Kc
3 MSC/VLR → phone: RAND
4 Phone → MSC/VLR: RES
5 MSC/VLR checks RES = XRES ?; RAND, Kc are handed to the RBS
GSM Authentication: Details (diagram)
A3 and A8: Authentication and key derivation (proprietary)
A5: encryption (A5/1-4, standardized)
Note: one-sided authentication
In the phone, the SIM holds Ki (128 bits). From rand (128 bits) it computes res (32 bits) with A3 and Kc (64 bits) with A8. A5/x takes Kc and the frame# and produces keystream that is XOR:ed bit-by-bit (stream cipher) with the data/speech frame to give the encrypted frame.
Cryptographic Transforms in Wireless
Wireless transmission is subject to
• limited bandwidth
• bit-errors (up to 1% RBER)
As consequence, most protocols:
• use stream ciphers (no padding, no error-propagation)
• do not use data authentication (data expansion, loss)
Quick Note: LFSR
(Linear feedback shift register)
Diagram: a 7-bit register loaded with key = 0 1 1 0 1 0 1. At each step the state shifts one position, the feedback bit (XOR of the tap positions) enters at one end and one output bit leaves at the other. The output sequence (…0 1) is XOR:ed with the plaintext.
Rich theory (next lecture). Unfortunately very insecure…
• Add non-linearity
• Combine several LFSRs
• Irregular clocking
GSM Encryption: A5/2 (Export Version)
majority(a, b, c) = ab + bc + ca (over GF(2))
A5/2 (clock control) diagram: register R4 controls the clocking of R1–R3. There are 3 ”associated” bits in R4, one per R1–R3; Ri (i = 1, 2, 3) is clocked iff its ”associated” bit agrees with the majority of the 3 bits (so at least two registers are clocked in every step).
August 2003…
Let’s take a closer look…
Idea behind the attack
A5/2 is highly ”linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are the key.
If the plaintext is known, each 114-bit frame gives 114 equations.
The only difference between frames is that the frame number increases by one.
After 6 frames (in reality only 4) we have > 660 equations ⇒ can solve!
If the plaintext is unknown, one can still attack thanks to the redundancy of the channel coding (SACCH has 227 redundant bits per each 4-frame message).
Attack efficiency
Off-line stage (done once):
Storage for ”matrices”: approx 200MB
Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
Requires 4-7 frames sent from UE on SACCH.
Retrieving key then takes less than 1 second.
Hardware requirement: normal PC and GSM capable receiver
Consequence 1: Passive attacks in A5/2 Network (Eavesdropping)
Diagram: 1 RAND, RES; 2 Cipher start A5/2. The new attack needs < 1 sec of recorded traffic, and a PC recovers the key in < 1 sec.
Consequence 2: Active attacks in any Network (False base-station/man-in-the-middle attacks)
Diagram, numbered steps (false base station between phone and network):
1 RAND
2 RAND
3 RES
4 RES
5 Cipher start A5/1 (with same key)
6 Cipher start A5/2
7 Attack: key
8 Cipher stop
9 Cipher start A5/1
Consequence 3: Passive + Active attack
Diagram: first session, recorded: 1 RAND, RES (with key); 2 Cipher start A5/1. Later session: 1 RAND, RES (same key!); 2 Cipher start A5/2 ⇒ key.
Note
• A5/2 is an ”export” version, not used in Sweden
(or Europe)
• Attack does not apply to A5/1, A5/3 and A5/4
• …well almost….
Possible fix (Ericsson)
Diagram: the SIM derives the key for A5/x (x = 1, 2, 3, 4) as f(RAND, Algo_id), so each algorithm encrypts the frame (encr frame) under its own key.
Agreed short-term fix is to phase out A5/2
UMTS Security Overview
3G (UMTS) Security
• Mutual Authentication with Replay Protection
• Protection of signalling data
– Secure negotiation of protection algorithms
– Integrity protection and origin authentication
– Confidentiality
• Protection of user data payload
– Confidentiality (the only feature common to GSM)
• “Open” algorithms (block-ciphers) basis for security
– AES for authentication and key agreement
– Kasumi for confidentiality/integrity
• Security level (key sizes): 128 bits
• Protection further into the network
UMTS – Security: Integrity & Confidentiality (diagram)
UIA & UEA algorithms (based on KASUMI); network nodes shown: Node B, Radio Network Controller, MSC, SGSN.
UMTS – Authentication and Key Agreement AKA (diagram)
Looks a lot like GSM, but…
Visited Network (MSC/VLR, RBS) and Home Network (AuC/HLR); the (U)SIM and the AuC/HLR both hold Ki.
1 MSC/VLR → AuC/HLR: Req(IMSI)
2 AuC/HLR → MSC/VLR: RAND, XRES, CK, IK, AUTN
3 MSC/VLR → phone: RAND, AUTN (AUTN allows check of authenticity and “freshness”)
4 Phone → MSC/VLR: RES
5 MSC/VLR checks RES = XRES ?
CK is the confidentiality key, IK the integrity protection key.
UMTS Encryption: UEA/f8 (diagram)
Input block: COUNT || BEARER || DIR || 0…0 (64 bits). A first Kasumi, keyed with CK (128 bits) modified by the constant m, encrypts this block into a “masked” offset; this avoids known input/output pairs. Keystream block c (c = 1, 2, …, B) is then Kasumi under CK applied to the offset ⊕ the block “counter” c ⊕ the previous keystream block; the counter avoids short cycles. The “keystream” is XOR:ed with the plaintext.
Inside Kasumi (actually: MISTY) (diagram)
8 rounds of a Feistel structure on two 32-bit halves: the round function FO (keyed by k) is applied to one 32-bit half and XOR:ed (+) into the other. FO consists of 3 rounds, each applying a 16-bit function FI; FI splits its 16-bit input into 9 and 7 bits and passes it through the S-boxes S9, S7, S9 with XORs in between. The figure annotates the nested levels with security labels s, s^2, s^4, s^8.
New UMTS Cryptographic Algorithms
Standardization of UMTS Cryptography
• 3GPP (an ETSI body) standardizes UMTS
• Crypto developed by SAGE (also ETSI)
• UEA1/f8, UIA1/f9 developed 1999 for UMTS Rel-99
• About two years ago, SAGE started to look at new algorithms for UMTS: UEA2, UIA2
– Requirements:
• algorithms substantially ”different” from UEA1, UIA1
• < 10000 gates
• > 10 Mbit/s @ 20 MHz
• Specifications released about a year ago
• Independent evaluation by three teams
Data Integrity/Authentication
”Assurance that data originates from the claimed source and has not been modified”
• Main threat to ”user data” in a cellular network is eavesdropping; modification of user data is less realistic/serious ⇒ encryption needed but not data integrity
• For ”control signaling”, the situation is largely reversed; ”faked” signaling could mean:
– switch off user data encryption
– fool the mobile phone to select another network
– make the phone transmit at higher power, drain battery
– …etc…
Data Integrity/Authentication
• Can be obtained by digital signatures, e.g. RSA
• Comes at a cost (bandwidth, computation time)
• Symmetric key alternative (diagram): the sender computes tag = f(k, message) and sends (message, tag); the receiver recomputes tag’’ = f(k, message’) over the received message’ and checks tag’’ = tag’ ??
Message Authentication Code (MAC)
MAC Requirements (informal)
The attacker observes S = { (m, t) } generated by the sender (possibly some m:s chosen by the attacker).
• Should be ”difficult” to produce a (m’, t’) ∉ S which is accepted by the receiver
• Could be done by modification or injection
”Difficult” depends on the size of the key and the size of the tags
• cannot avoid that the attacker tries to guess the key
• cannot avoid that the attacker tries to guess a tag value
”Security level” is at most min( 2^size(key), 2^size(tag) )
Note: security level < 2^size(tag) is not ”bandwidth optimal”
Provable security
• The “one-time pad” is an unconditionally provably secure encryption method, but a bit impractical to use
• Key must be random and only be used once
• Entropy arguments can be used to give bounds on the security when size(key) < size(message)
• Provably secure constructions exist also for MACs !!
• Similarities with OTP:
– Key size vs message size reflected in security bounds
– Key must only be used once
The new UMTS message authentication algorithm UIA2 is such a ”provably secure construction”
Universal Hashing
Definition: Suppose B is an additive group and let H ⊆ { h : A → B } be a set of functions. H is called ε–almost Δ-universal if ∀ x ≠ x’ ∈ A, ∀ y ∈ B,
Pr_{h ∈ H} [ h(x) - h(x’) = y ] ≤ ε.
If it holds for y = 0 then H is called ε–almost universal.
Notation: ε–AΔU and ε–AU
Notes:
• ”collision resistance” properties
• ”best” ε–AU is ε = 1/|B|.
• connection to ECC and comb. designs
Our Concrete Case
Only consider the case A = GF(2^n), B = GF(2^m), which means:
ε–AΔU if ∀ x ≠ x’ ∈ GF(2^n), ∀ y ∈ GF(2^m),
Pr_{h ∈ H} [ h(x) ⊕ h(x’) = y ] ≤ ε,
and ε–AU if it holds for y = 0,
Pr_{h ∈ H} [ h(x) = h(x’) ] ≤ ε.
Universal Hashing and Message Authentication
• Assume H is ε–AΔU (H itself is known, ”public”)
• ”key” (secret) is the index of a random function h ∈ H together with a random s ∈ GF(2^m).
• “tag”: t = h(m) ⊕ s.
Injection probability:
• As difficult as predicting s, 1/|B| = 2^{-m} probability
Modification:
If, given (m, t = h(m) ⊕ s), the attacker can find a valid (m’, t’ = h(m’) ⊕ s), then
t ⊕ t’ = (h(m’) ⊕ s) ⊕ (h(m) ⊕ s) = h(m’) ⊕ h(m),
and the probability of hitting this value is guaranteed to be bounded by ε.
Plan
• First construct H1 which is ε–AU, “almost works”
• Combine with H2 to get ε–AΔU
Concrete Construction of ε–AU Hash
• Cut the message m (to be hashed) into 64-bit blocks, m_0, m_1, …, m_{L-1}
• Interpret the message as an element of GF(2^64)[t]:
M(t) = m_0 + m_1 t + … + m_{L-1} t^{L-1}
• Key is a random value k ∈ GF(2^64)
• H_k(M) = M(k)
Theorem: H = { H_k(M) } is ε–AU for ε = L 2^{-64}.
Proof that H is ε–AU
We need to bound Pr_{h ∈ H} [ h(M) ⊕ h(M’) = 0 ], i.e. the probability
Pr_t [ m_0 + m_1 t + … + m_{L-1} t^{L-1} = m_0’ + m_1’ t + … + m_{L-1}’ t^{L-1} ],
i.e.
Pr_t [ z_0 + z_1 t + … + z_{L-1} t^{L-1} = 0 ]
where z_i = m_i - m_i’ (recall ”+”, ”-” is the same as ⊕ here).
This is bounded by the number of roots of a degree L-1, non-zero polynomial over a finite field, i.e. Prob < L 2^{-64}.
Problem
• ε = L 2^{-64} is non-optimal (the tag is always 64 bits, but “long” messages could make ε → 1)
• Moreover, this is a “real” bound, i.e. the forgery probability does increase with L
• Also, as noted, we need ε–AΔU, not just ε–AU.
Going from AU to ΔU
• AU gives at least some ”guarantees” that h(x) ⊕ h(x’) ≠ 0.
• Consider now α h(x) and α h(x’) for random α
• Then α h(x) ⊕ α h(x’) = α (h(x) ⊕ h(x’)) = y is uniformly distributed as long as h(x) ⊕ h(x’) ≠ 0.
• That is, if { h(x) } is AU then { α h(x) } should be ΔU
Diagram: H1 : A → B is AU, H2 : B → C is ΔU; their composition maps A → C.
General Theorem [Stinson]
Suppose H1 is ε1–AU from A to B and H2 is ε2–AΔU from B to C. Then the composition H2 ∘ H1 (H1 first, then H2) is ε–AΔU from A to C with ε ≤ ε1 + ε2.
Idea:
Use the “polynomial hash” as above for the inner hash, H1.
Outer hash H2 defined by h(x) = α x for random α.
Still one problem: the ”tag” is 64 bits, but the security level is only guaranteed to L 2^{-64}; one could argue this is not ”full” security.
Solution: “Compression”
Outer hash H2 : GF(2^64) → GF(2^32) defined by ”twisted truncation”
h(x) = msb32(α x)
which can be proven to be 2^{-32}–AΔU, i.e.
h_{α,k}(m) = msb32( α (m_0 + m_1 k + … + m_{L-1} k^{L-1}) ).
We get 32-bit tags with “security”: L 2^{-64} + 2^{-32} ≈ 2^{-32}.
Did we forget something?
• Yes… We now have a 2^{-32}–AΔU set of functions of the form
h_{α,k}(m) = msb32( α (m_0 + m_1 k + … + m_{L-1} k^{L-1}) ).
• The initial idea was more like h_{α,k}(m) ⊕ s for random α, k and s.
• Do we really need s?
• Yes!
• Notice that h_{α,k}(0) = 0
• Using only h_{α,k}(m) would enable the attacker to inject messages.
• Note also that a given key (k, α, s) must only be used once!
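The construction of the last few slides as an added Python example (not code from the lecture, and not the 3GPP UIA2 specification): the inner polynomial hash H1 over GF(2^64) evaluated at k, the ”twisted truncation” H2 with multiplier α, and the final one-time offset s. The reduction polynomial x^64 + x^4 + x^3 + x + 1, the zero-padding of the last block and the function names are assumptions made here; hash_only() shows why s is needed, since it maps the all-zero message to 0 under every key.

```python
import os, hmac

IRRED = (1 << 64) | 0b11011  # assumed: x^64 + x^4 + x^3 + x + 1 (not from the slides)
MASK64 = (1 << 64) - 1

def gf_mul(a, b):
    """Multiply a and b in GF(2^64): carry-less shift-and-add, reducing whenever bit 64 is set."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= IRRED
    return r & MASK64

def blocks(msg):
    """Cut msg into 64-bit blocks m_0, m_1, ... (zero-padding the last block is a simplification)."""
    msg += b"\0" * (-len(msg) % 8)
    return [int.from_bytes(msg[i:i + 8], "big") for i in range(0, len(msg), 8)]

def h1_poly(k, msg):
    """Inner hash H1 (eps-AU): M(t) = m_0 + m_1 t + ... + m_{L-1} t^{L-1} evaluated at t = k (Horner)."""
    acc = 0
    for m in reversed(blocks(msg)):
        acc = gf_mul(acc, k) ^ m
    return acc

def h2_twist(alpha, x):
    """Outer hash H2 (2^-32-ADU): 'twisted truncation' msb32(alpha * x)."""
    return gf_mul(alpha, x) >> 32

def hash_only(k, alpha, msg):
    """h_{alpha,k}(m) without the offset s: equals 0 for the all-zero message under every key."""
    return h2_twist(alpha, h1_poly(k, msg))

def tag(k, alpha, s, msg):
    """Full 32-bit tag t = h_{alpha,k}(m) XOR s; the key (k, alpha, s) is used for one message only."""
    return hash_only(k, alpha, msg) ^ s

def verify(k, alpha, s, msg, t):
    """Receiver side: recompute the tag over the received message and compare in constant time."""
    return hmac.compare_digest(tag(k, alpha, s, msg).to_bytes(4, "big"), t.to_bytes(4, "big"))

def keygen():
    """Fresh one-time key: k (64 bits), alpha (64 bits), s (32 bits), 160 bits in total."""
    r = os.urandom(20)
    return (int.from_bytes(r[:8], "big"), int.from_bytes(r[8:16], "big"), int.from_bytes(r[16:], "big"))
```

Because both H1 and H2 are linear over XOR, flipping one bit of m_0 changes the tag by exactly msb32(α), which is what the ΔU property is about; only the secret s hides that structure from an attacker who never sees a valid (m, t) pair.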
Final Consideration
• In reality, the keys α, k, s for the MAC are not random, but generated by a pseudo-random generator (PRG)
• But a good PRG is by definition “difficult” to distinguish from truly random bits…
• If replacing truly random α, k, s by PRG values would mean an increase in the MAC-attacker’s success rate, it would imply a “statistical test” to distinguish the PRG from true randomness:
– Given a ”test sample” (either truly random or from the PRG)
– Run the (presumed) MAC-attack algorithm
– Measure its rate of success; if it is ”higher” we guess the sample is from the PRG, else we guess the sample is truly random
Final Result
• We lose an additional ε’ in provable security, where ε’ is the “quality” of the random generator. I.e. the MAC produces 32-bit tags with security
L 2^{-64} + 2^{-32} + ε’.
• Maximum L in UMTS is about 27 blocks
• Total key size: k (64), α (64), s (32), i.e. 160 bits.
• The PRG used in UMTS is the stream cipher ”SNOW”
• Performance: ≈ 100 Mbit/s on a typical platform; the equivalent RSA approach would be at least 10-100 times slower and would add about 10 times as much overhead
Summary
• Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story
Main reason: convenience and invisibility to the user
• “3G” crypto significantly more open and well-studied ⇒ higher confidence
• Showed a practical, provably secure construction for message authentication