Mobile Network Security

(1)

Mobile Network Security

Refik MOLVA

_{Institut Eurécom}

B.P. 193

06904 Sophia Antipolis

Cedex

[email protected]

 Institut Eurecom 2005

(2)

Mobile Network Security -R . Molva

Outline

• Wireless LAN

• 802.11 (WiFi)

• M

obile Telecommunications Security

• G

SM Secur

ity Featur

es

• 3GPP Secur

ity Architectur

e

• CDPD

Key agreement and authentication

• F

raud management

•M

obile I

P

• IPsec-bas

ed solution

• F

irewalls vs. Mobile IP vs. Packet Filtering

(3)

802.11 Wireless Networks

Ad Hoc Mode In fra str uc tu re Mode

(4)

Association Establishment in

Infrastructure Mode

Client Access Point

Probe Request (SSID)

Beacon(SSID)

OR

Authentication

Association Response

Association Request Deassociate

OR

Deauthenticate

Various Alternatives

Data

Client is associated Client is not ass

oci

at

(5)

Mobile

Network Security

-R

. Molva

Specific Vulnerabilities and

Threats

•

(6)

Eavesdropping

• 802.11is viewed as a standard Ethernet

but

–

m

edia is shared as opposed to switched

–

each node can receive all frames

•

(7)

Mobile

Network Security

-R

. Molva

Man in the Middle Attack

Victim Access Point Deass o ciat e(Vi ctim’s

MAC@) Victim is not associated

Attacker

Beacon as Access Point on different channel

Association Req. (Victim’s MAC@)

Victim’s data traffic

Ass o ciati o n Res p.

Association Req. (Victim’s MAC@)

Ass o ciati o n Res p.

Victim’s data traffic

Main reason why this attack

works: Management frames

(ass oci a te , deas

are not authenticated except in 802.11i.

AP

Victim

Man in the Middle

(8)

Denial

of Service

•J

am

m

in

g

• V

irtual carrier-sense attack

• S

poofing of deauthentication/deassociation messages

• D

(9)

Security Requirements

• n o identification based

on the physical access

→

Peer Entity Authentication

→

Data Origin Authentication

• e as e of disclosure and t ampering wit h dat a → Data Confidentialit y and In teg rity → Privacy (Anonymity) • e as e of access t o c ommunic at ion m edia →

Access Control (data link layer)

→

DoS

p

(10)

Mobile

Network Security

-R

. Molva

802.11 Network Access Control

• N

etwork Identification based on SSID (Service Set

Identifier)

–

“secret” SSID shared by too many

–

E

xchanged in cleartext

–

E

ase of replay

• A

ccess Control: MAC-address based authorization to

Access Point

–

M

AC-addres

ses are not authenticated

–

M

AC-addres

ses are easy to set on most cards

• 802.1x

–

C

lients authenticated and screened by Radius Server

–

A

P serves as proxy

–

E

(11)

Mobile

Network Security

-R

. Molva

802.11 Client and Data Security

_•

W

ireless Equivalent Privacy (WEP)

• W

i-Fi

Protected Access (WPA)

•

(12)

802.1x

• G

eneral purpose network

access

control

m

echanism

• 802.1x support in Access

point

• N

o impact on clients’ wireless interface

• A

uthentication and Authorization by RADIUS server

_–

E

xtensible

A

uthentication

Protocol

(EAP) RFC

2284

• A

lternative methods: password,

smartcard, tokens, OTP

• A

lternative protocols: simple challenge response,

EAP-TLS.

–

R

ADIUS

server determines whether

access

to

controlled

ports

of the AP should

be

allowed

(13)

802.1x Operational Flows

Client RADIUS Access Point Ass o ciati o n Req. Ass o ciati o n Res p. Authentication Success

Authentication using EAP

Authentication Success

Data

Access Authorized

(14)

WEP Services

–

D

ata Confidentiality

–

D

ata Integrity

–

D

ata Origin Authentication

–

A

ccess control through client

(15)

WEP

• RC4 stream cipher

• 40bit and 104bit keys

• W

EP key shared by all

• N

(16)

WEP operation

• K

: shared key (40 or 104 bits)

• integrity check: IC = h(header|data)

• random initialization vector: IV (24 bits)

• K

eystream

generation:

k = RC4(K, IV)

• E

ncryption of data fragment m:

E

K

(m) = m

⊕

(17)

WEP packet

header IV ciphertex t data IC k 802.11 packet header

(18)

Mobile

Network Security

-R

. Molva

WEP Encryption flaws

• secret parts of

P

1

can be retrieved based on known parts of

P

2

.

• keystream

can be retrieved similarly.

• once keystreams

are identified, new ciphertext

can be decrypted

based on (cleartext) IV used as index to an array of known keystreams

if keystreams

are reused.

• reuse of the same keystream:

–

standards recommend, but do not require, a per-stream IV to combat this

–

S

ome PCMCIA cards reset IV to 0 each time they’re re-initialized

and increment by 1, so expect reuse of low-value IVs

–

W

EP only uses 24-bit IVs

Î

“birthday paradox”

If C

1

= P

1

⊕

RC4(v,k) and C

2

= P

2

⊕

RC4(v,k)

C

1

⊕

C

2

= (P

1

⊕

RC4(v,k))

⊕

(P

2

⊕

RC4(v,k))

= P

1

⊕

P

2

(19)

Mobile

Network Security

-R

. Molva

WEP Message Authentication Flaws

• H

ash function h, based on CRC-32,

is a linear function of the

message: h(X)

⊕

h(Y) = h(X

⊕

Y)

Modification attack:

New (valid) ciphertext

can be computed from

existing ciphertext

without the knowledge of the keystream:

• E

xi

sting ciphertext

C = RC4(k,v)

⊕

(M | h(M))

• N

ew ciphertext

resulting from a desired modification(D) on C:

C’= C

⊕

(D | h(D)) = RC4(k,v)

⊕

(M | h(M))

⊕

(D | h(D))

=

RC4(k,v)

⊕

(M

⊕

D | h(M)

⊕

h(D))

=

RC4(k,v)

⊕

(M

⊕

D | h(M

⊕

D))

(20)

Mobile

Network Security

-R

. Molva

WEP flaws continued

• U

si

ng flaws in encryption and message authentication, further

attacks such as spoofing, dictionar

y attacks,

traffic injection,

route

subversion can be mounted. Tools are available.

• M

anagement messages (deassoci

ate, deauthenticate) are not

authenticated: DoS

and MITM attacks still work.

• A

dvanced attack:

Retrieve WEP keys using the attack described in "Weak

nesses in

the Key Scheduling Algorithm of

RC4“ by Fluhrer, Mantin, and

Shamir

–

A

irsnort

http://airsnort.shmoo.com

–

W

EPCrack

http://w

epcrack.sourceforge.net/

(21)

Wi-Fi

P

rotected Access (WPA)

• subset of the forthcoming IEEE 802.11i security standard (als

known as W

P

A2)

• des

igned to overcome the weak

nesses of WEP

• C

ompatible with existing 802.11 hardware using firmware

upgrades

• Features of WPA

• E

nhanced encryption scheme: Temporal Key Integrity Protocol

(TKIP)

–

RC4, dynamic session keys

–

48 bit IV

• N

on-linear Message Integrity

Checks (MIC) based on Michael

• S

trong User Authentication using

one of the standard Extens

(22)

WPA2

-802.11i

Ultimate improvements over WPA

802.11i Features

• N

ew encryption algorithm: Advanced

Encryption Standard (AES)

_→

impact on hardware

• D

ynamic keys both for encryption and

(23)

Outline

• Wireless LAN

• 802.11 (WiFi)

• M

obile Telecommunications Security

• G

SM Secur

ity Featur

es

• 3GPP Secur

ity Architectur

e

• CDPD

Key agreement and authentication

• F

raud management

•M

obile I

P

• IPsec-bas

ed solution

• F

irewalls vs. Mobile IP vs. Packet Filtering

(24)

Mobile

Network Security

-R

. Molva

GSM

Mobile Switching Center (MSC) Base Station (BS) Mobile Subscriber (MS) = Mobile Equipment

(ME) + Subscriber Identity Module (SIM)

Home Location Registry (HLR) Authentication Center (AuC) Visiting Location Registry (VLR)

Wired Network HLR VLR MSC BTS BTS B TS BTS BTS BTS MSC VLR roaming Radio link MS AuC MS

(25)

Security Requirements

• S

ecurity Threats

_–

E

avesdropping on the Radio interface

• data confidentiality

• U

se

r anonymity

–

M

S Impersonation (masquerade)

• S

ecurity Services

_–

S

ubscriber identity protection

_–

S

ubscriber authentication

_–

D

ata confidentiality

(26)

Mobile

Network Security

-R

. Molva

Subscriber Identity Protection in GSM

•

IMSI: universal identity (15 digits

-9 octets)

•

replaced by TMSI (temporary mobile

subscriber identity) (4 octets)

• F irst registrati on or aft er f ail ure in V L R IMSI is sent in clear. • T MSI allocat ed by t h e V LR wh ere t h e MS is regist ered. • T

MSI protected by Data Confidentia

lity Service transmitted to MS.

•

S

ubsequent identification of

(27)

Authentication in GSM

•

bandwidth optimization: severa

l verifications by the VL

R can take place locally

without communicating with the remote HLR. •sec

urit y: Ki is not disclos ed t o t h e V L R's of t h e visited area s. MS Id (IMSI or TMSI) MS Id, VLR RAND SRES

repeated with a different (RAND,

SRE S ) for each authentication attempt

MSC/VLR

HLR/AuC

Ki

wired network (trusted)

radio link (vulner

able)

MS

Ki Ki

A

3 SIM Ki

A

3 {(RAND, SRE S , Kc)} SRES Gener ation of {(SRE S , RAND, Kc)}

(28)

Data confidentiality in GSM

Kc Plaintext Ciphertext Frame Number 22 114 +2 64 114

A

5 128

A

8 Ki 128 RAND SIM

MSC/VLR

radio link

MS

Kc Plaintext Frame Number +2

A

5

Triplets from HLR {(RAND, SRE

S

, Kc)}

(29)

GSM Algorithms

• A

3 and A8

_–

D

efined by the network operator

_–

S

oftware implementation in the SIM

• A

(30)

Mobile

Network Security

-R

. Molva

• Algorithm left at the discretion of the

operator

• COMP128

-ill-advised by GSM standards

–

128-bit hash function

–

first 32 bits producing the A3 output

–

last 64 bits producing the A8 output

–

major weaknesses

• A collision just requires 2

14

attempts

(31)

A5/1

• B

ased on a combination of LFSRs

clocking based on majority rule

0 22 0 21 0 18

(32)

Mobile

Network Security

-R

. Molva

Security of A5/1 and A5/2

•A

5/

1 –

E

xhaustive search, complexity=2

64 –

A

ttacks based on time-memory trade-off

–A

tta

ck

• 2 disks (73 GB)

• 2 seconds of plaintext

• K

ey retrieved in a minute

•A

5/

2 –

S

(33)

A5/3

• B

ased on Block cipher

• O

utput Feedback Mode with BLCKCNT

to prevent short cycles

• N

o security by obscurity

• D

esign by ETSI SAGE

_–

B

ased on Kasumi, derived from MISTY1

(Mitsubishi)

•

(34)

Mobile

Network Security

-R

. Molva

Pros

• Effective solution to cloning

• Higher confidentiality compared with analogue systems

Cons

• Security limited to access network

• Lack of network authentication

–

Risk of bogus base stations

• Security by obscurity

• Ill advised use of weak algorithms

• Lack of control over activation of security for user and home network

• Lack of lawful interception

GSM Security

-S

(35)

Outline

• W

ir

ele

ss LAN

• 802.11 (WiFi)

• M

obile Telecommunications Security

• G

SM Secur

ity Featur

es

• 3GPP Secur

ity Architectur

e

• CDPD

Key agreement and authentication

• F

raud management

•M

obile I

P

• IPsec-bas

ed solution

• F

irewalls vs. Mobile IP vs. Packet Filtering

(36)

Mobile

Network Security

-R

. Molva

• Build on the security of GSM

–

adopt security features that have proved to be

needed and that are robust

–

ensure compatibility with GSM to ease inter-

working and handover

• Fix the security flaws of GSM

• Enhance with new security features to suit

–

new services

–

changes in network architecture

• Keep minimal trust in intermediate components

(37)

Mobile

Network Security

-R

. Molva

• Mutual authentication between user and

base station

• No security by obscurity

–

Make sure chosen algorithms have been tested

by the scientific community

• Flexibility in standards

• Change in law enforcement for

cryptography: longer keys (

≥

128 bits)

(38)

Mobile

Network Security

-R

. Molva

• Mutual Authentication between User and

Network

• Data Confidentiality (user traffic and

signalling data) (like GSM)

• User identity protection (like GSM)

• Data Integrity (over the air interface)

(39)

Mobile

Network Security

-R

. Molva

Authentication & Key Agreement (AKA)

Objectives

• M

utually authenticate user to network

• E

stablish shared keys between user and

network

–

C

K: 128-bit encryption key

–

IK: 128-bit integrity key

• A

ssure freshness of CK/IK

• A

uthenticated management field HLR

→

USIM

–

A

uthentication key and algorithm identifiers

–

(40)

Mobile

Network Security

-R

. Molva

AKA Message Flows

Authentication data r

equest

RAND, AUTN RES

Mutual authentication And key agr

eement

VLR/SGSN

HLR/AuC

K

USIM

K {(RAND, XRE S , CK, IK, AUTN)} Verify MAC, SQN

Derive CK, IK, RES

Verify: RES=XRES ? Start using CK, I K Start using CK, I K MS Id (IMSI or TMSI) Protected Data

(41)

Data Encryption

• A

pplied on User & Signaling Data

• O

ver the air interface

• S

tream Cipher

• P

rovision for different Algorithms

•

(42)

Outline

• W

ir

ele

ss LAN

• 802.11 (WiFi)

• M

obile Telecommunications Security

• G

SM Secur

ity Featur

es

• 3GPP Secur

ity Architectur

e

• CDPD

Key agreement and authentication

• F

raud management

•M

obile I

P

• IPsec-bas

ed solution

• F

irewalls vs. Mobile IP vs. Packet Filtering

(43)

Mobile

Network Security

-R

. Molva

Cellular Digital Packet Data (CDPD)

•

Data communication over the analog AMPS network

_•

F

ull-fledge network architectu

re including several layers

• S

ecurity services:

• m

obile unit

authentication

• data confid

entiality over the wireless link

•

(44)

CDPD

-M

obile Unit Authentication

NEI : mobile unit id ARN : nonce ASN : sequence number

Key exchange using Diffie-H ellman MD-IS k ey exchange

M-ES key exchange M-ES hello

Redir

ection r

equest

NEI, ARN, ASN Redir

ection confirm ARN’, ASN + 1 Verification MD-IS confirm RC 4 (Ks,

NEI, ARN’, ASN+1)

RC

4

(Ks,

NEI, ARN, ASN)

Ks = g yx Ks = g xy MD-IS “home” MD-IS “remote” Wired networ k (trusted) M-ES

Radio link (vulner

(45)

Mobile

Network Security

-R

. Molva

Fraud Management in Mobile Networks

Threats: •A

ccess fraud

•

S

ubscription fraud

Security mechanisms like authentication and

confidentiality prevent access fraud but

they cannot help with

subscription fraud.

Solution: real-time fraud detection Principle: •m

onitor subscriber behavior in real-time

•

b

ased on connection tickets

• d et ect devi ati o ns wit h res p ect t o us er/ class profile • prompt sus p ec te d us ers with ex plicit aut h enti cati o n chall eng e •

adapt user/class profile

(46)

Outline

•

Wireless LAN

• 802.11 (WiFi)

• M

obile Telecommunications Security

• G

SM Secur

ity Featur

es

• 3GPP Secur

ity Architectur

e

• CDPD

Key agreement and authentication

• F

raud management

•M

obile I

P

• IPsec-bas

ed solution

• F

irewalls vs. Mobile IP vs. Packet Filtering

(47)

Mobile IP

Mobile Node (MN) -C orrespondent Node (CN)

Home Agent (HA)

-F

oreign Agent (FA)

CN

→

MN :

IP within IP tunneling between HA and FA: •o

ut er I P : dst @ : care of address(COA), src @ : HA@ • inner IP: dst@: MN@, src@: CN@ MN → CN : regular IP HA FA MN CN Internet home network

(48)

Mobile

Network Security

-R

. Molva

Mobile IP Security Requirements

MN registration

•impersonation of MN by intruders or malicious FA •r e pl ay •

subversion of traffic destined to MN

Solution: authentication of MN by HA •M o bi le I P v4

•Authentication based on keyed MD5 or

HMAC using timestamps or nonces

•M o bi le I P v6 • d efault IP AH support • sec urit y ass oc iati o n b e tween MN and HA •

(49)

Mobile

Network Security

-R

. Molva

Mobile IP Security Requirements

CN

→

HA

→

MN

Difference / wired networks:

MN possibly located in an

untrusted

remote network

Solution: IPsec -IP Authentication Header -IP Encapsulating Security Payload -Key Management Mandatory requirement: Security

Association between HA and MN.

End-to-end security:

SA between CN and MN

MN

→

CN

Exposure is similar Solution:

IPsec

w

(50)

Mobile IP vs. Firewalls

• Firewall trav ersal f or M o bil e I P Firewall policy ( usually) does

not allow inbound connections

from external networks.

How can a remote MN co

nnect to the home net

work under such policy.

•

ingress filtering

Even if there is no firewa

ll, simple packet filtering

exists in most networks.

Mobile IP traffic can be bl

ock ed by suc h filteri ng. • CN's

inside home network may use

private

IP addresses together with NAT

MN

→

CN packets may simply not

get routed in Internet.

Solution for all: IPsec

(51)

Mobile

Network Security

-R

. Molva

Mobile IP vs. Packet Filtering

MN@ does not belong to

remote network.

If packet filtering is impl

em

ent

e

d probl

ems may arise:

•M

N

→

CN packets gets rejected by remote ne

twork filtering bec a us e t h ey h

an illegal source address (outbound packet

with an external source address).

•M

N

→

home network packets get

rejected by the filter

in g at t h e ho me net

because they have an il

legal source address (inboun

d packet with

an internal

source address). Such packet filtering

(52)

Mobile

Network Security

-R

. Molva

Anti-spoofing

IP Spoofing Attacks based on IP pack

ets with bogus source address:

•

Land attacks: src@=dst@,

destination host hangs.

• smurf: pi ng wit h direct ed broa dc ast a d dress may us e a bog us s o urce

address in the same networ

k as the destination; the host at the source

address gets flooded by the re

plies to the broadcast.

•

S

YN attacks: TCP SYN packet causes

allocation of kernel memory,

m

use bogus source address belonging

to the destination network.

Anti-spoofing measures

Drop packets with ob

vious inconsistency:

•

o

utbound packet with an ex

te

rnal s

ource add

ress

•

inbound packet with an in

ternal source address

•

inbound packets with priv

ate IP source address

Cisco IOS anti-spoofing rules

for network 192.65.32.0/24

•

o

n the external router

interface (inbound packets):

access-list 101 deny ip 192. 65.32.0 0.0.0.255 any • o n t he i n te rnal rout er int erf ac e (out bound p ack ets): access-list 101 permit ip 192.65.32.0 0.0.0.255 any access-list 101 deny ip

(53)

Mobile

Network Security

-R

. Molva

Anti-spoofing vs. Mobile IP

Why MIP packets get blocked by anti-spoofing ? MN

→

CN

1

packets blocked by the ingress anti-spoofing in router R

1 : access-list 101 permit ip 192.35.73.0 0.0.0.255 any access-list 101 deny ip

any any log

MN → CN 2 packets bl ock e d by egres s anti-spoofing in router R 2 : access-list 101 deny ip 172.4 5.0.0 0.0.255.255 any MN R 1 Ingr ess f iltering Egr ess filtering CN 1 CN 2 R 2 Internet 172.45.3.2 remote _network 192.35.73.x 203.74.21.5 172.45.3.1 home _network 172.45.x.x

(54)

Mobile

Network Security

-R

. Molva

How can MIP pass through anti-spoofing

Reverse tunneling to by-pass anti-spoofing Pack

ets origi n at ed at MN •

take the path MN

→ FA → HA → CN 2 • IPwithinIP

encapsulation between FA and HA:

No illegal addresses any more.

Packet filtering FA MN CN 1 CN 2 HA Internet R 1 R 2 HA@ FA@ M N@ CN 2 @ inner IP header outer IP header

(55)

Mobile

Network Security

-R

. Molva

New problem with Reverse Tunnelling

Intruders can perpetrate

spoofi ng at ta cks by sendi n g enc aps ul at ed (IPI

packets with bogus addres

ses in the inner header.

⇒

(56)

Mobile

Network Security

-R

. Molva

How can MIP pass through anti-spoofing

Direct tunnelling

of data traffic by MN:

IPwithinIP

encapsulation between MN and CN:

COA:

Car

e of addr

ess

Problem: CN must be able do

de -en cap su late IPIP pa cke ts. Internet CN MN R 1 CN@ C OA MN@ C N@ inner IP header outer IP header

(57)

Mobile

Network Security

-R

. Molva

Solution: Firewall compatible with Mobile IP

Idea:MN

should enjoy the sa

me level of connectivity and se

curity as if it were in the

secure home network. Principle: all traffic bet

ween MN and home networ

k goes through a firewall.

Problems due to filtering and addr

essing discrepancies are also solved.

Possible approaches: •A pplication gateway or circuit gateway: •

strong authentication • com pl ex int eractions • n

o data confidentiality and integrity

• IPsec tunnelling • m os t su itab le to cr eate a

virtual home network abroad

•

external links can be viewed as

secure as internal ones

•

d

ata confidentiality and integrity

(58)

Mobile Network Security -R . Molva 57

IPsec

tunnelling

F

irewall

Registration request SA Internet FW HA MN Router remote network home network •

Optional tunnel SA between FW and HA

•

S

A's

m

ust be established manually or

using key management (

IKE, ISAKMP)

•

F

W

retr

ieves security paramet

er

s of the SA using the SPI

in the

IPsec

(AH or ESP) header

IP Datagram between MN and FW

Tunnel Mode SA

IP Datagram between FW and HA

IP2 E SP IP1 IP2 A H IP1

registration request registration r

equest

IP1 : src@=COA; dst@=HA@ IP2 : src@=COA; dst@=FW@

registration r

equest

IP1

COA : car

e of addr

ess obtained from DHCP

COA

∈

(59)

IPsec

tunnelling

F

irewall

Data flow • Optional FW-CN tunnel SA or MN-CN tr ansport/tunnel SA • S A's m

ust be established manually or

using key management (

IKE, ISAKMP)

•

F

W

retr

ieves security paramet

er

s of the SA using the SPI

in the

IPsec

(AH or ESP) header

SA Internet FW CN MN Router remote network home network

IP Datagram between MN and FW

Tunnel Mode SA IP2 E SP IP1 IP2 A H IP1 data data

IP Datagram between FW and CN

data

IP1

IP1 : src@=MN@; dst@=CN@ IP2 : src@=COA; dst@=FW@

COA ∈ remote networ k MN @ ∈ home network

(60)

IPsec

tunnelling

F

irewall

-C

onclusion

• S ec ure ext e nsion of prot ect ed hom e

network to mobile nodes abroad

•

B

y-product: packet filter

ing problems are avoided

•

communications between MN at home

and external CN: regular (non-mobile)

security controls app

ly in this case.

•

communications between MN on public netwo

rk and external CN:

use bi-directional

IPsec