
Study And Implementation Of 3G Mobile Security Computer Science Essay

In the last decade there has been an exponential rise in use of mobile devices. 3G is the latest mobile technology that is currently in widespread use. The Universal Mobile Telecommunications System (UMTS) is one of the new third generation mobile cellular communication systems, which builds on the success of the ‘second generation’ GSM system by introducing high quality services while retaining its essential and robust security features. Wireless access is inherently less secure, and mobility entails higher security risks than stationary devices. Security is the foremost concern in today’s mobile communication systems. New services introduced in UMTS require new security features to protect them. The security framework for 3G mobile networks is considered, and the various protocols for protection of the network access interface are studied and analyzed.

In the last decade there has been a proliferation in the use of mobile technology for communication. The rapid growth in use of mobile devices and the advancement of technology led to the introduction of high-end and cheap mobile equipment which can support high quality mobile services. The third generation (3G) mobile technology has much greater bandwidth than 2G and supports high quality data and voice services. Universal Mobile Telecommunication System (UMTS), standardized by the 3GPP, is the 3G mobile communication technology successor to GSM and GPRS. UMTS improves upon the existing GSM by providing increased capacity, data capability and a greater range of services using a new radio interface standard called UMTS Terrestrial Radio Access (UTRA). Apart from normal voice services, users can now use interactive services like internet access, chat services, online banking, data transfer, and music and movie downloads. But as services increase and mobile networks become more complex and open, so do the security risks and the types of attack from potential hackers. Valuable information sent through wireless networks has to be protected from potential hackers. The advanced network infrastructure, which supports higher access rates, and the complex network topologies, which enable “anywhere-anytime” connectivity, may increase the number and the impact of potential attacks. Furthermore, the introduction of the IP layer [1] in the network domain, for signaling and user data transport, marks a shift towards open and easily accessible networks. The UMTS security architecture as proposed by 3GPP builds on the success of GSM by retaining (and to some extent improving) its important and robust security features.

CHAPTER 2: ARCHITECTURE

2.1) OVERVIEW OF 3G ARCHITECTURE

Universal Mobile Telecommunications System (UMTS), standardized by the 3GPP, is the 3G mobile communication technology successor to GSM and GPRS. UMTS combines the W-CDMA, TD-CDMA, or TD-SCDMA air interfaces, GSM's Mobile Application Part (MAP) core, and the GSM family of speech codecs. W-CDMA is the most popular cellular mobile telephone variant of UMTS in use. UMTS, using W-CDMA, supports up to 14.0 Mbit/s data transfer rates in theory with High Speed Downlink Packet Access (HSDPA), although the performance in deployed networks could be much lower for both uplink and downlink connections.

A major difference of UMTS compared to GSM is the air interface forming Generic Radio Access Network (GeRAN). It can be connected to various backbone networks like the Internet, ISDN, and GSM or to a UMTS network. GeRAN includes the three lowest layers of OSI model. The network layer (OSI 3) protocols form the Radio Resource Management protocol (RRM). They manage the bearer channels between the mobile terminals and the fixed network including the handovers.

The UMTS standard is an extension of existing networks based on the GSM and GPRS technologies. In UMTS release 1, a new radio access network UMTS terrestrial radio access network (UTRAN) is introduced. UTRAN, the UMTS radio access network (RAN), is connected via the Iu to the GSM Phase 2+ core network (CN). The Iu is the UTRAN interface between the radio network controller (RNC) and CN; the UTRAN interface between RNC and the packet-switched domain of the CN (Iu–PS) is used for PS data and the UTRAN interface between RNC and the circuit-switched domain of the CN (Iu–CS) is used for CS data.

Figure : 3G rel99 architecture

UTRAN is subdivided into individual radio network systems (RNSs), where each RNS is controlled by an RNC. The RNC is connected to a set of Node B elements, each of which can serve one or several cells. Two new network elements, namely RNC and Node B, are introduced in UTRAN. The RNC enables autonomous radio resource management (RRM) by UTRAN. It performs the same functions as the GSM BSC, providing central control for the RNS elements (RNC and Node Bs). Node B is the physical unit for radio transmission/reception with cells. Node B connects with the UE via the W–CDMA Uu radio interface and with the RNC via the Iub asynchronous transfer mode (ATM)–based interface.

2.2) 3G SECURITY ARCHITECTURE

The primary reason for the advent of 3G was to make higher value services available to as many users across the globe using a universal handset. However this increased the level of interaction between users, service providers and market operators and also increased the vulnerability of the networks to external attacks.

Motivation

The UMTS security framework focused on addressing the weaknesses in GSM while enhancing the already successful robust and important methods.

Some of the weaknesses in GSM security architecture are:

False base station attacks

Transmission in the open of encryption keys and authentication data

No encryption provision in the microwave links of the core network

No integrity protection of data

No provision for upgrade of security features over time.

3G security provides additional security features and services apart from improving on the above deficiencies of GSM. The aim of the 3G security architecture is not to provide a foolproof security solution but to build a flexible system adaptive to future changes.

2G security overlooked several kinds of attacks [8] which 3G security architecture has handled successfully.

To launch these attacks an intruder must have the following capabilities:

Eavesdropping

Impersonation of a user

Impersonation of the network

Man-in-the-middle attack

Compromising authentication vectors in the network.

The various types of attacks by a user possessing the above qualities are [8]:

Denial of service

Identity catching

Impersonation of the network and subsequent eavesdropping

Impersonation of the user

2.3) THE UMTS SECURITY ARCHITECTURE

The 3G security architecture defines five distinct security classes, designed to address certain threats [5] and to provide appropriate security services [7]:

Network access security: provides confidentiality of user identity and that of the user and signaling data, integrity protection of critical signaling data, authentication of user and network, and identification of Mobile Equipment (ME).

Network domain security: enables different points in the serving network (SN) domain to securely exchange signaling data, and protects against attacks on the core wireline network.

User domain security: ensures only authorized access to Universal Subscriber Identity Module (USIM) and Mobile Station (MS) [2].

Application domain security: extends security to the application layer allowing applications in the user and service domain to securely exchange messages.

Visibility and configurability of security: notifies the user of the various security features available and the applicability of these features to various services.

Fig 2: Overview of UMTS security ARCHITECTURE [7]

CHAPTER 3: NETWORK ACCESS SECURITY

This security class is concerned with security features that provide users with secure access to 3G services, as well as protect against attacks on the radio interface [7]. Network access security takes place independently in each service domain. Our work was to implement network access security. In this work we implemented the MILENAGE algorithm [14,15] and the KASUMI algorithm [13] presented in this chapter.

3.1) User Identity confidentiality

This mechanism allows the identification of a user on the radio access link by means of a Temporary Mobile Subscriber Identity (TMSI) [1]. A TMSI has local scope only in the location area or the routing area in which the user is registered. The association between the permanent and temporary user identities is stored in the Visited Location Register/Service GPRS Support Node (VLR/SGSN) in which the user is registered. To avoid user traceability and possible tracking of user identities, the temporary identity (TMSI) of the user is changed frequently. Also, any signaling or user data that might reveal the user's identity are sent in encrypted form on the radio access link.

3.2) Authentication and key agreement

This mechanism achieves mutual authentication between the mobile user and the SN using a secret key K. The authentication method is composed of a challenge/response protocol, and was chosen such that it achieves maximum compatibility with the GSM/GPRS security architecture, easing the transition from GSM/GPRS to UMTS. Furthermore, the User Service Identity Module (USIM) and the HE maintain counters SQN_MS and SQN_HE respectively, to support the network authentication. Each user maintains its own counter SQN_HE, while SQN_MS denotes the highest sequence number that the USIM has accepted [1].

On receiving a request from the VLR/SGSN, the HE Authentication Center (HE/AuC) sends an ordered array of Authentication Vectors (AV) to the VLR/SGSN. Each AV consists of a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN and is used in the authentication and key agreement procedure between the VLR/SGSN and the USIM.

The HE/AuC starts by generating a fresh sequence number SQN and an unpredictable challenge RAND [1]. It then computes:

The Message Authentication Code MAC = f1_K(SQN || RAND || AMF), where f1 is a message authentication function, and the Authentication and key Management Field (AMF) is used to optimize the performance, or to bring a new authentication key stored in the USIM into use [7,4].

The expected response XRES = f2_K(RAND), where f2 is a (possibly truncated) message authentication function.

The Cipher Key CK = f3_K(RAND),

The Integrity Key IK = f4_K(RAND),

The Anonymity Key AK = f5_K(RAND), where f3, f4 and f5 are key generating functions.

Finally, the HE/AuC assembles the authentication token

AUTN = SQN ⊕ AK || AMF || MAC.

When the VLR/SGSN initiates an authentication and key agreement procedure, it selects the next AV from the ordered array, and sends the parameters RAND and AUTN to the user. The USIM first computes the AK, AK = f5_K(RAND), and retrieves the SQN, SQN = (SQN ⊕ AK) ⊕ AK. Then, it computes XMAC = f1_K(SQN || RAND || AMF), and checks whether the received AUTN and the retrieved SQN values are acceptable [7] (see Fig 3).

If these checks succeed, the USIM computes RES = f2_K(RAND), and asks the MS to send back a user authentication response. Afterwards, the USIM computes the CK, CK = f3_K(RAND), and the IK, IK = f4_K(RAND). The VLR/SGSN checks the received RES against the XRES field of the AV. If they match, then the authentication and key agreement exchange is successfully completed. Finally, the USIM and the VLR/SGSN send the established keys, CK and IK, to the mobile equipment and the Radio Network Controller (RNC), which perform the ciphering and integrity functions.

Fig 3: authentication and key agreement procedure [7]

3.3) MILENAGE ALGORITHM

3.3.1) Introduction

The MILENAGE algorithm set [14,15] was prepared by the 3GPP Task Force and is meant to be used as an example set for the authentication and key agreement procedure [7]. It consists of seven functions f1, f1*, f2, f3, f4, f5 and f5*, which may be used as authentication and key generating functions. This algorithm set is not standardized; rather, it is provided as an example set for operators to use if they do not want to design an algorithm of their own. All seven functions are operator specific.

The functions used in authentication and key agreement [14] are:

f0: the random challenge generating function

f1: the network authentication function

f1*: the resynchronization message authentication function

f2: the user authentication function

f3: the cipher key derivation function

f4: the integrity key derivation function

f5: the anonymity key derivation function

f5*: the anonymity key derivation function for resynchronization

3.3.2) Key Features

Resilience: The functions are designed such that they last for a period of at least 20 years. Successful attacks with a workload significantly less than exhaustive key search through the effective key space should be impossible.

The algorithm fulfils all the requirements specified in 3G TS 33.105.

The algorithm can be personalized based on a 128-bit operator variant algorithm configuration field.

The kernel function used in the algorithm uses standard/publicly available algorithms.

Resistant to Simple Power Analysis, Differential Power Analysis and other 'side-channel' attacks when implemented on a USIM.

Without knowledge of secret keys, the functions f1, f1*, f2, f3, f4, f5 and f5* are practically indistinguishable from independent random functions of their inputs (RAND||SQN||AMF) and RAND.

It is practically impossible to determine any part of the secret key K, or the operator variant algorithm configuration field, OP, by manipulation of the inputs and examination of the outputs to the algorithm.

Events tending to violate the above criteria occur with probability approximately 2^-128.

3.3.3) List of variables [15]

AK: a 48-bit anonymity key that is the output of either of the functions f5 and f5*.

AMF: a 16-bit authentication management field that is an input to the functions f1 and f1*.

c1, c2, c3, c4, c5: 128-bit constants, which are XORed onto intermediate variables.

CK: a 128-bit confidentiality key that is the output of the function f3.

IK: a 128-bit integrity key that is the output of the function f4.

IN1: a 128-bit value constructed from SQN and AMF and used in the computation of the functions f1 and f1*.

K: a 128-bit subscriber key that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5*.

MAC-A: a 64-bit network authentication code that is the output of the function f1.

MAC-S: a 64-bit resynchronisation authentication code that is the output of the function f1*.

OP: a 128-bit Operator Variant Algorithm Configuration Field that is a component of the functions f1, f1*, f2, f3, f4, f5 and f5*.

OPc: a 128-bit value derived from OP and K and used within the computation of the functions.

OUT1, OUT2, OUT3, OUT4, OUT5: 128-bit computed values from which the outputs of the functions f1, f1*, f2, f3, f4, f5 and f5* are obtained.

r1, r2, r3, r4, r5: integers in the range 0–127 inclusive, which define amounts by which intermediate variables are cyclically rotated.

RAND: a 128-bit random challenge that is an input to the functions f1, f1*, f2, f3, f4, f5 and f5*.

RES: a 64-bit signed response that is the output of the function f2.

SQN: a 48-bit sequence number that is an input to either of the functions f1 and f1*. (For f1* this input is more commonly called SQN_MS.)

TEMP: a 128-bit value used within the computation of the functions.

The algorithm makes use of the following two components:

A block cipher encryption function, which takes a 128-bit input and a 128-bit key and returns a 128-bit output. If the input is x, the key is k and the output is y, then y = E[x]_k.

A 128-bit value OP. This is an Operator Variant Algorithm Configuration Field, which provides separation between the functionality of the algorithms when used by different operators. Each operator is expected to select its own OP. The algorithm set is designed to be secure whether or not OP is publicly known.

3.3.4) Algorithm Framework

A 128-bit value OPc is obtained from OP and K as follows [15]:

OPc = OP ⊕ E[OP]_K

An intermediate 128-bit value TEMP is computed as follows:

TEMP = E[RAND ⊕ OPc]_K

A 128-bit value IN1 is constructed as follows:

IN1[0] ... IN1[47] = SQN[0] ... SQN[47]

IN1[48] ... IN1[63] = AMF[0] ... AMF[15]

IN1[64] ... IN1[111] = SQN[0] ... SQN[47]

IN1[112] ... IN1[127] = AMF[0] ... AMF[15]

Five 128-bit constants c1, c2, c3, c4, c5 are defined as follows:

c1[i] = 0 for 0 ≤ i ≤ 127

c2[i] = 0 for 0 ≤ i ≤ 127, except that c2[127] = 1

c3[i] = 0 for 0 ≤ i ≤ 127, except that c3[126] = 1

c4[i] = 0 for 0 ≤ i ≤ 127, except that c4[125] = 1

c5[i] = 0 for 0 ≤ i ≤ 127, except that c5[124] = 1

Five integers r1, r2, r3, r4, r5 are defined as follows:

r1 = 64; r2 = 0; r3 = 32; r4 = 64; r5 = 96

Five 128-bit blocks OUT1, OUT2, OUT3, OUT4 and OUT5 are computed as follows:

OUT1 = E[TEMP ⊕ rot(IN1 ⊕ OPc, r1) ⊕ c1]_K ⊕ OPc

OUT2 = E[rot(TEMP ⊕ OPc, r2) ⊕ c2]_K ⊕ OPc

OUT3 = E[rot(TEMP ⊕ OPc, r3) ⊕ c3]_K ⊕ OPc

OUT4 = E[rot(TEMP ⊕ OPc, r4) ⊕ c4]_K ⊕ OPc

OUT5 = E[rot(TEMP ⊕ OPc, r5) ⊕ c5]_K ⊕ OPc

The outputs of the various functions are then defined as follows:

Output of f1 = MAC-A, where MAC-A[0] .. MAC-A[63] = OUT1[0] .. OUT1[63]

Output of f1* = MAC-S, where MAC-S [0] .. MAC-S[63] = OUT1[64]... OUT1[127]

Output of f2 = RES, where RES [0] .. RES [63] = OUT2 [64] ... OUT2 [127]

Output of f3 = CK, where CK [0] .. CK [127] = OUT3 [0] ... OUT3 [127]

Output of f4 = IK, where IK [0] .. IK [127] = OUT4 [0] ... OUT4 [127]

Output of f5 = AK, where AK [0] .. AK [47] = OUT2 [0] ... OUT2 [47]

Output of f5* = AK, where AK [0] .. AK [47] = OUT5 [0] ... OUT5 [47]

3.3.5) Implementation concerns

There are two implementation considerations for this algorithm:

OPc computed on or off the USIM [15]

Choice of Block Cipher.

FIG 4: Definition of f1, f1*, f2, f3, f4, f5 and f5*[15]
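The AKA exchange of section 3.2 and the MILENAGE framework of section 3.3.4, as an added example that is not the essay's implementation: f1 to f5 over a compact AES-128 encryptor, followed by the USIM-side AUTN check. The inputs are MILENAGE test set 1 from the 3GPP conformance test data, the function names are this example's own, the freshness rule SQN > SQN_MS is a simplifying assumption, and this AES is written for compactness, not for the side-channel resistance listed in 3.3.2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint8_t u8;
/* AES-128 encryption only: the kernel E[x]_K (Rijndael, 128-bit block and key). */
static u8 sbox[256], rk[176];
static u8 rotl8(u8 x, int s) { return (u8)((x << s) | (x >> (8 - s))); }
static u8 xtime(u8 x) { return (u8)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static void aes_set_key(const u8 k[16]) {
    u8 p = 1, q = 1, rcon = 1;
    do {                                   /* S-box; invariant: p * q == 1 in GF(2^8) */
        p = (u8)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));
        q ^= (u8)(q << 1); q ^= (u8)(q << 2); q ^= (u8)(q << 4); if (q & 0x80) q ^= 0x09;
        sbox[p] = (u8)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63; memcpy(rk, k, 16);
    for (int i = 16; i < 176; i += 4) {    /* key schedule, one 32-bit word per step */
        u8 t[4] = { rk[i - 4], rk[i - 3], rk[i - 2], rk[i - 1] };
        if (i % 16 == 0) {                 /* RotWord, SubWord, Rcon */
            u8 t0 = t[0]; t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]];
            t[2] = sbox[t[3]]; t[3] = sbox[t0]; rcon = xtime(rcon);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}
static void aes_encrypt(const u8 in[16], u8 out[16]) {
    u8 s[16], t[16];
    for (int i = 0; i < 16; i++) s[i] = in[i] ^ rk[i];
    for (int r = 1; r <= 10; r++) {
        for (int i = 0; i < 16; i++) t[i] = sbox[s[(i + 4 * (i % 4)) % 16]];  /* SubBytes, ShiftRows */
        for (int c = 0; c < 16 && r < 10; c += 4) {      /* MixColumns, skipped in the last round */
            u8 a0 = t[c], all = t[c] ^ t[c + 1] ^ t[c + 2] ^ t[c + 3];
            for (int j = 0; j < 4; j++) t[c + j] ^= all ^ xtime(t[c + j] ^ (j == 3 ? a0 : t[c + j + 1]));
        }
        for (int i = 0; i < 16; i++) s[i] = t[i] ^ rk[16 * r + i];            /* AddRoundKey */
    }
    memcpy(out, s, 16);
}

typedef struct { u8 mac_a[8], res[8], ck[16], ik[16], ak[6]; } mil_out;
/* OUTn = E[rot(x, r) ^ extra ^ cn]_K ^ OPc; rot is a left rotation, cn = bit c of the last byte. */
static void out_n(const u8 x[16], int r, const u8 *extra, u8 c, const u8 opc[16], u8 out[16]) {
    u8 in[16];
    for (int i = 0; i < 16; i++) in[i] = x[(i + r / 8) % 16] ^ (extra ? extra[i] : 0);
    in[15] ^= c; aes_encrypt(in, out);
    for (int i = 0; i < 16; i++) out[i] ^= opc[i];
}
static void milenage(const u8 k[16], const u8 op[16], const u8 rnd[16],
                     const u8 sqn[6], const u8 amf[2], mil_out *o) {
    u8 opc[16], temp[16], x[16], out[16];
    aes_set_key(k);
    aes_encrypt(op, opc);                                  /* OPc = OP ^ E[OP]_K */
    for (int i = 0; i < 16; i++) { opc[i] ^= op[i]; x[i] = rnd[i] ^ opc[i]; }
    aes_encrypt(x, temp);                                  /* TEMP = E[RAND ^ OPc]_K */
    for (int i = 0; i < 16; i++)                           /* IN1 = SQN || AMF || SQN || AMF */
        x[i] = (i % 8 < 6 ? sqn[i % 8] : amf[i % 8 - 6]) ^ opc[i];
    out_n(x, 64, temp, 0, opc, out); memcpy(o->mac_a, out, 8);   /* f1 = MAC-A = OUT1[0..63] */
    for (int i = 0; i < 16; i++) x[i] = temp[i] ^ opc[i];
    out_n(x, 0, NULL, 1, opc, out);                        /* OUT2 */
    memcpy(o->ak, out, 6); memcpy(o->res, out + 8, 8);     /* f5 = OUT2[0..47], f2 = OUT2[64..127] */
    out_n(x, 32, NULL, 2, opc, o->ck);                     /* f3 = CK = OUT3 */
    out_n(x, 64, NULL, 4, opc, o->ik);                     /* f4 = IK = OUT4 */
}

/* MILENAGE test set 1 (3GPP TS 35.208 conformance test data): inputs, then expected f1, f2, f5. */
static const u8 K[16]   = {0x46,0x5b,0x5c,0xe8,0xb1,0x99,0xb4,0x9f,0xaa,0x5f,0x0a,0x2e,0xe2,0x38,0xa6,0xbc};
static const u8 OP[16]  = {0xcd,0xc2,0x02,0xd5,0x12,0x3e,0x20,0xf6,0x2b,0x6d,0x67,0x6a,0xc7,0x2c,0xb3,0x18};
static const u8 RND[16] = {0x23,0x55,0x3c,0xbe,0x96,0x37,0xa8,0x9d,0x21,0x8a,0xe6,0x4d,0xae,0x47,0xbf,0x35};
static const u8 SQN[6] = {0xff,0x9b,0xb4,0xd0,0xb6,0x07}, AMF[2] = {0xb9,0xb9}, ZERO[6] = {0};
static const u8 MAC_A[8] = {0x4a,0x9f,0xfa,0xc3,0x54,0xdf,0xaf,0xb3}, XRES[8] = {0xa5,0x42,0x11,0xd5,0xe3,0xba,0x50,0xbf};
static const u8 AK[6] = {0xaa,0x68,0x9c,0x64,0x83,0x70};
/* USIM side: 0 = accept, -1 = MAC mismatch (network not authenticated), -2 = SQN not fresh. */
static int usim_check(const u8 rnd[16], const u8 autn[16], const u8 sqn_ms[6], mil_out *o) {
    u8 sqn[6] = {0}, diff = 0;
    milenage(K, OP, rnd, sqn, autn + 6, o);              /* AK = f5_K(RAND) does not depend on SQN */
    for (int i = 0; i < 6; i++) sqn[i] = autn[i] ^ o->ak[i];            /* SQN = (SQN ^ AK) ^ AK */
    milenage(K, OP, rnd, sqn, autn + 6, o);              /* XMAC = f1_K(SQN || RAND || AMF) */
    for (int i = 0; i < 8; i++) diff |= o->mac_a[i] ^ autn[8 + i];      /* compare without early exit */
    return diff ? -1 : (memcmp(sqn, sqn_ms, 6) > 0 ? 0 : -2);           /* assumed rule: SQN > SQN_MS */
}
int kat_ok(void) {                      /* 1 if f1, f2 and f5 reproduce the test-set values */
    mil_out o; milenage(K, OP, RND, SQN, AMF, &o);
    return !memcmp(o.mac_a, MAC_A, 8) && !memcmp(o.res, XRES, 8) && !memcmp(o.ak, AK, 6);
}
/* One AKA run. tamper: an AMF bit of AUTN is flipped in transit; replay: SQN was already accepted. */
int aka_run(int tamper, int replay) {
    mil_out av, ue; u8 autn[16];
    milenage(K, OP, RND, SQN, AMF, &av);                               /* HE/AuC builds the AV */
    for (int i = 0; i < 6; i++) autn[i] = SQN[i] ^ av.ak[i];           /* AUTN = SQN ^ AK || AMF || MAC */
    memcpy(autn + 6, AMF, 2); memcpy(autn + 8, av.mac_a, 8);
    if (tamper) autn[6] ^= 0x01;
    int rc = usim_check(RND, autn, replay ? SQN : ZERO, &ue);
    return (rc == 0 && memcmp(ue.res, av.res, 8)) ? -3 : rc;           /* VLR/SGSN: RES == XRES? */
}
int main(void) {
    printf("KAT %d, AKA %d, tampered %d, replayed %d\n", kat_ok(), aka_run(0, 0), aka_run(1, 0), aka_run(0, 1));
    return 0;
}
```

Because AK is derived from RAND alone, the USIM can unmask SQN before it has verified anything; the MAC check is what binds SQN, RAND and AMF to the key K.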

3.4) Integrity protection of signaling messages

The radio access interface in 3G mobile systems has been designed to support integrity protection on the signaling channels, which enables the receiving node (MS or SN) to verify that the signaling data have not been changed or tampered with since they were sent [1]. Furthermore, it ensures that the origin of the received signaling data is indeed the one claimed. The integrity mechanism also protects against network impersonation attacks, and prevents potential intruders from hijacking connections where ciphering is not applied [8]. The function f9 is used to authenticate the integrity and the origin of signaling data between the MS and the RNC in UMTS. It computes a 32-bit Message Authentication Code (MAC) (see Fig 5), which is appended to the frame and is checked by the receiver.

The main inputs to the algorithm are a 128-bit secret Integrity key IK, and the variable-length frame content MESSAGE. Additional inputs, which are used to ensure that MACs for two frames with identical content are different, are a 32-bit value COUNT, a 32-bit value FRESH and a 1-bit value DIRECTION. For the UMTS release ’99, the f9 is based on the Kasumi algorithm [13].

FIG 5: DERIVATION OF MAC (OR XMAC) ON A SIGNALING MESSAGE [12]

3.5) Data confidentiality

User and signaling data, which are sent over the radio interface, are encrypted using the function f8 [1]. The f8 is a symmetric synchronous stream cipher algorithm that is used to encrypt frames of variable length. The main input to the f8 is a 128-bit secret Cipher Key CK. Additional inputs, which are used to ensure that two frames are encrypted using different keystream, are a 32-bit value COUNT, a 5-bit value BEARER and a 1-bit value DIRECTION (see Fig. 6). The output is a stream of bits (the ‘keystream’) of the same length as the frame. The frame is encrypted by XORing the data with the keystream. For UMTS release ’99, f8 is based on the Kasumi algorithm [12,13].

FIG 6: CIPHERING OVER RADIO ACCESS LINK[12]

3.6) KASUMI ALGORITHM

3.6.1) Introduction

Within the security architecture of the 3GPP system there are two standardized algorithms: A confidentiality algorithm f8, and an integrity algorithm f9 [12]. Each of these algorithms is based on the KASUMI algorithm [13]. KASUMI is a block cipher that produces a 64-bit output from a 64-bit input under the control of a 128-bit key.

3.6.2) LIST OF VARIABLES [12]

A, B: 64-bit registers that are used within the f8 and f9 functions to hold intermediate values.

BEARER: a 5-bit input to the f8 function.

BLKCNT: a 64-bit counter used in the f8 function.

BLOCKS: an integer variable indicating the number of successive applications of KASUMI that need to be performed, for both the f8 and f9 functions.

DIRECTION: a 1-bit input to both the f8 and f9 functions indicating the direction of transmission (uplink or downlink).

FRESH: a 32-bit random input to the f9 function.

IBS: the input bit stream to the f8 function.

IK: a 128-bit integrity key.

KM: a 128-bit constant that is used to modify a key. This is used in both the f8 and f9 functions. (It takes a different value in each function.)

KS[i]: the i-th bit of keystream produced by the keystream generator.

KSB_i: the i-th block of keystream produced by the keystream generator. Each block of keystream comprises 64 bits.

LENGTH: an input to the f8 and f9 functions. It specifies the number of bits in the input bitstream.

MAC-I: the 32-bit message authentication code (MAC) produced by the integrity function f9.

MESSAGE: the input bitstream of LENGTH bits that is to be processed by the f9 function.

OBS: the output bit stream from the f8 function.

PS: the input padded string processed by the f9 function.

REGISTER: a 64-bit value that is used within the f8 function.

3.6.3) Confidentiality algorithm f8

The confidentiality algorithm f8 is a stream cipher that is used for encryption/decryption of blocks of data using a confidentiality key CK [12]. The size of a block of data is between 1 and 20000 bits long. The algorithm uses KASUMI in a form of output-feedback mode as a keystream generator and generates the output keystream in blocks of 64-bits. The feedback data is modified by static data held in a 64-bit register A, and an (increasing) 64-bit counter BLKCNT.

Table : f8 input [12]

| Parameter | Size (bits) | Comment |
|---|---|---|
| COUNT | 32 | Frame dependent input COUNT[0]…COUNT[31] |
| BEARER | 5 | Bearer identity BEARER[0]…BEARER[4] |
| DIRECTION | 1 | Direction of transmission DIRECTION[0] |
| CK | 128 | Confidentiality key CK[0]…CK[127] |
| LENGTH | | The number of bits to be encrypted/decrypted |
| IBS | 1-20000 | Input bit stream IBS[0]…IBS[LENGTH-1] |

Table 2: f8 output [12]

| Parameter | Size (bits) | Comment |
|---|---|---|
| OBS | 1-20000 | Output bit stream OBS[0]…OBS[LENGTH-1] |

FIG 7: f8 Keystream Generator [12]

Initialization

The 64-bit register A is set to COUNT || BEARER || DIRECTION || 0…0 (left justified, with the rightmost 26 bits set to 0), i.e.

A = COUNT[0]…COUNT[31] BEARER[0]…BEARER[4] DIRECTION[0] 0…0

The counter BLKCNT is set to zero. The key modifier KM is set to 0x55555555555555555555555555555555, and KSB_0 is set to zero [12]. One operation of KASUMI is then applied to the register A, using a modified version of the confidentiality key:

A = KASUMI[A]_(CK ⊕ KM)

Keystream Generation

Once the keystream generator has been initialized in the manner defined above, it can be used to generate keystream bits [12]. The plaintext/ciphertext to be encrypted/decrypted consists of LENGTH bits (1-20000) whilst the keystream generator produces keystream bits in multiples of 64 bits. Between 0 and 63 of the least significant bits are discarded from the last block, depending on the total number of bits required by LENGTH. So let BLOCKS be equal to (LENGTH/64) rounded up to the nearest integer. (For example, if LENGTH = 128 then BLOCKS = 2; if LENGTH = 129 then BLOCKS = 3).

To output each keystream block (KSB) the following operation is performed:

For each integer n with 1 ≤ n ≤ BLOCKS:

KSB_n = KASUMI[A ⊕ BLKCNT ⊕ KSB_(n-1)]_CK

where BLKCNT = n-1

The individual bits of the keystream are extracted from KSB_1 to KSB_BLOCKS in turn, most significant bit first, by applying the operation: for n = 1 to BLOCKS and for each integer i with 0 ≤ i ≤ 63 we define:

KS[((n-1)*64) + i] = KSB_n[i]

Encryption/Decryption

Encryption/decryption operations are similar and are performed by the exclusive-OR of the input data (IBS) with the generated keystream (KS) [12].

For each integer i with 0 ≤ i ≤ LENGTH-1 we define:

OBS[i] = IBS[i] ⊕ KS[i]

3.6.4) Integrity algorithm f9

The integrity algorithm f9 computes a Message Authentication Code (MAC) on an input message using an integrity key IK. There is no limit of size on the input message length of the f9 algorithm. The algorithm uses KASUMI [13] block cipher in a form of CBC-MAC mode.

Table 1: f9 Input [12]

| Parameter | Size (bits) | Comment |
|---|---|---|
| COUNT-I | 32 | Frame dependent input COUNT[0]…COUNT[31] |
| FRESH | 32 | Random number FRESH[0]…FRESH[31] |
| DIRECTION | 1 | Direction of transmission DIRECTION[0] |
| IK | 128 | Integrity key IK[0]…IK[127] |
| LENGTH | X-19 | The number of bits to be ‘MAC’d |
| MESSAGE | LENGTH | Input bit stream |

Table 2: f9 Output [12]

| Parameter | Size (bits) | Comment |
|---|---|---|
| MAC-I | 32 | Message authentication code MAC-I[0]…MAC-I[31] |

FIG 8: f9 integrity function [12]

KASUMI is used in a chained mode to generate a 64-bit intermediate of the message input. Finally the leftmost 32-bits of the intermediate are taken as the output value MAC-I.

Initialization

The integrity function is initialized with the key variables before the calculation starts. The working variables A and B are set to zero. The key modifier KM is set to 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. The variables COUNT, FRESH, MESSAGE and DIRECTION are then concatenated [12]. Then a single ‘1’ bit is appended, followed by between 0 and 63 ‘0’ bits so that the total length of the resulting string PS (padded string) is an integral multiple of 64 bits, i.e.:

PS = COUNT[0]…COUNT[31] FRESH[0]…FRESH[31] MESSAGE[0]…MESSAGE[LENGTH-1] DIRECTION[0] 1 0*

where 0* indicates between 0 and 63 ‘0’ bits.

Calculation

The padded string PS is split into 64-bit blocks PS_i where:

PS = PS_0 || PS_1 || PS_2 || … || PS_(BLOCKS-1)

We perform the following operations for each integer n with 0 ≤ n ≤ BLOCKS-1:

A = KASUMI[A ⊕ PS_n]_IK

B = B ⊕ A

Finally one more application of KASUMI is performed using a modified form of the integrity key IK:

B = KASUMI[B]_(IK ⊕ KM)

The 32-bit MAC-I consists of the left-most 32 bits of the result:

MAC-I = lefthalf[B], i.e. for each integer i with 0 ≤ i ≤ 31 we define:

MAC-I[i] = B[i]

Bits B[32]…B[63] are discarded [12].

CHAPTER 4: IMPLEMENTATION DETAILS

4.1) AUTHENTICATION AND KEY AGREEMENT (AKA)

We implemented the example MILENAGE algorithm set [15] to establish authentication and key agreement [7, 14] between the USIM and the VLR/SGSN. The authentication and key agreement procedure in the 3G security framework has been described in section 3.2 of this thesis.

The programming language used is C.

To simulate the real life situation on two machines we used socket programming to represent the USIM and AuC as client and server respectively. All communication was done between client and server programs residing on two different machines.

The block cipher used in the kernel function is Rijndael [15]. The Rijndael block cipher is based on AES. "Rijndael is an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be independently specified to 128, 192 or 256 bits". For our purpose, Rijndael is used only in encryption mode and has the block and key length both set to 128 bits.

The client and server shared a symmetric key through a secret procedure.

The AuC initiates the procedure by selecting an array of authentication vectors. Each AV consists of an unpredictable challenge RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. The AuC forwards the parameters RAND and AUTN (SQN ⊕ AK || AMF || MAC) to the user. The USIM, also using the secret key K, computes the AK. Then it computes XMAC = f1_K(SQN || RAND || AMF) and checks whether the received AUTN and the retrieved SQN values were indeed generated in the AuC [1,7].

If so, the USIM computes RES = f2_K(RAND) and triggers the mobile station to send back a user authentication response. Afterwards, the USIM computes the CK and the IK. Then the VLR/SGSN compares the received RES with the XRES field of the AV. If they match, it considers the authentication and key agreement exchange to have been successfully completed.

4.2) Socket Programming

We now give a brief introduction to socket programming in C and specify the functions used for our purpose.

A socket is an Application Programming Interface (API) used for Inter-Process Communication (IPC), a well-defined method of connecting two processes locally or across a network. It is protocol and language independent and is often referred to as Berkeley Sockets or BSD Sockets.

Two important protocols:

TCP/IP: provides reliable in-order transfer of bytes between client and server.

UDP: provides unreliable transfer of groups of bytes between server and client.

Primary socket calls:

socket(): creates a new socket and returns its descriptor.

bind(): associates a socket with a port and address.

listen(): establishes a queue for connection requests.

accept(): accepts a connection request.

connect(): initiates a connection to a remote host.

recv(): receives data from a socket descriptor.

send(): sends data to a socket descriptor.

close(): “one way” close of a socket descriptor.

Primary header files:

The order of the include files may affect processing (order is important!).

<sys/types.h>: prerequisite typedefs

<errno.h>: names for “errno” values (error numbers)

<sys/socket.h>: struct sockaddr; system prototypes and structures

<netdb.h>: network info lookup prototypes and structures

<netinet/in.h>: struct sockaddr_in; byte ordering macros

<arpa/inet.h>: utility function prototypes

4.3) CONFIDENTIALITY AND INTEGRITY

We implemented the confidentiality algorithm f8 for data confidentiality and the integrity algorithm f9 using the example algorithm set in Annex 2[12,13]. Each of these algorithms is based on the KASUMI algorithm [13].

The programming language used is C.

The block cipher used is Kasumi. KASUMI is a block cipher that produces a 64-bit output from a 64-bit input under the control of a 128-bit key.

We used socket programming as before to simulate MS and RNC as client and server respectively. All communication was done between client and server programs residing on two different machines. From here on we will refer to MS and RNC as client and server respectively.

In addition we used the concepts of file handling to send files in encrypted form from server to client and vice versa.

The server encrypts the source file using the function f8 and stores it in another file. It then computes the 32 bit MAC code and appends it to the end of the file. The file is sent to the client using socket connection. The client extracts the MAC code. It calculates its own MAC code from previously generated IK and checks the calculated MAC with the received MAC. If they match then the integrity of the incoming message is verified. If so, then the receiver decrypts the incoming message using the function f8 and CK generated before. The same process is applied when the client sends a message to the server.
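The f8 and f9 constructions of sections 3.6.3 and 3.6.4 and the encrypt, MAC, verify, decrypt sequence described above, as an added example that is not the essay's code. KASUMI is replaced by a stand-in 64-bit keyed permutation (`blk`, not KASUMI and not secure), so outputs will not match real f8/f9 values; the keys, COUNT, FRESH, BEARER = 1, the function names and the choice to compute the MAC over the ciphertext are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for KASUMI[x]_key: a keyed 64-bit permutation. NOT KASUMI and NOT secure. */
static uint64_t blk(uint64_t x, const uint8_t key[16]) {
    for (int r = 0; r < 4; r++) {
        uint64_t k;
        memcpy(&k, key + 8 * (r & 1), 8);
        x = (x ^ k) * 0x9E3779B97F4A7C15ULL;       /* odd multiplier: invertible mod 2^64 */
        x ^= x >> 29;
    }
    return x;
}
static size_t blocks_for(size_t bits) { return (bits + 63) / 64; }  /* BLOCKS = ceil(LENGTH / 64) */

/* f8: XOR the keystream onto the first `bits` bits of data; the same call encrypts and decrypts. */
static void f8(const uint8_t ck[16], uint32_t count, unsigned bearer, unsigned dir,
               uint8_t *data, size_t bits) {
    uint8_t mk[16];
    uint64_t ksb = 0;                                                /* KSB_0 = 0 */
    uint64_t a = ((uint64_t)count << 32) | ((uint64_t)(bearer & 0x1f) << 27)
               | ((uint64_t)(dir & 1) << 26);          /* COUNT || BEARER || DIRECTION || 0...0 */
    for (int i = 0; i < 16; i++) mk[i] = ck[i] ^ 0x55;               /* CK ^ KM */
    a = blk(a, mk);                                                  /* A = KASUMI[A]_(CK ^ KM) */
    for (size_t n = 1; n <= blocks_for(bits); n++) {
        ksb = blk(a ^ (uint64_t)(n - 1) ^ ksb, ck);                  /* BLKCNT = n - 1 */
        for (size_t i = 0; i < 8 && (n - 1) * 64 + i * 8 < bits; i++) {
            size_t left = bits - ((n - 1) * 64 + i * 8);             /* bits still to cover */
            uint8_t ks = (uint8_t)(ksb >> (56 - 8 * i));             /* most significant bit first */
            if (left < 8) ks &= (uint8_t)(0xff << (8 - left));       /* discard surplus keystream */
            data[(n - 1) * 8 + i] ^= ks;
        }
    }
}

/* f9: MAC-I over PS = COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0*, chained 64 bits at a time. */
static uint32_t f9(const uint8_t ik[16], uint32_t count, uint32_t fresh, unsigned dir,
                   const uint8_t *msg, size_t bits) {
    size_t p = 64 + bits, blocks = blocks_for(p + 2);      /* p = position of the DIRECTION bit */
    uint8_t mk[16], *ps = calloc(blocks, 8);
    uint64_t a = 0, b = 0;
    if (!ps) abort();
    for (int i = 0; i < 4; i++) ps[i] = (uint8_t)(count >> (24 - 8 * i));
    for (int i = 0; i < 4; i++) ps[4 + i] = (uint8_t)(fresh >> (24 - 8 * i));
    memcpy(ps + 8, msg, (bits + 7) / 8);
    if (bits % 8) ps[p / 8] &= (uint8_t)(0xff << (8 - bits % 8));  /* clear bits past LENGTH */
    if (dir & 1) ps[p / 8] |= (uint8_t)(0x80 >> (p % 8));
    ps[(p + 1) / 8] |= (uint8_t)(0x80 >> ((p + 1) % 8));          /* the single '1' bit */
    for (size_t n = 0; n < blocks; n++) {
        uint64_t w = 0;
        for (int i = 0; i < 8; i++) w = (w << 8) | ps[8 * n + i];
        a = blk(a ^ w, ik); b ^= a;                    /* A = KASUMI[A ^ PS_n]_IK, B = B ^ A */
    }
    for (int i = 0; i < 16; i++) mk[i] = ik[i] ^ 0xAA;             /* IK ^ KM */
    free(ps);
    return (uint32_t)(blk(b, mk) >> 32);                           /* MAC-I = left half of B */
}

/* Sender: encrypt with f8, then append MAC-I computed over the ciphertext (assumed order). */
static size_t protect(const uint8_t ck[16], const uint8_t ik[16], uint32_t count, uint32_t fresh,
                      unsigned dir, uint8_t *buf, size_t len) {
    f8(ck, count, 1, dir, buf, len * 8);                           /* BEARER = 1 (assumed) */
    uint32_t mac = f9(ik, count, fresh, dir, buf, len * 8);
    for (int i = 0; i < 4; i++) buf[len + i] = (uint8_t)(mac >> (24 - 8 * i));
    return len + 4;                                 /* buf must have room for 4 extra bytes */
}

/* Receiver: recompute MAC-I and decrypt only if it matches. Returns payload length or -1. */
static long unprotect(const uint8_t ck[16], const uint8_t ik[16], uint32_t count, uint32_t fresh,
                      unsigned dir, uint8_t *buf, size_t len) {
    uint32_t got = 0;
    if (len < 4) return -1;
    for (int i = 0; i < 4; i++) got = (got << 8) | buf[len - 4 + i];
    if (got != f9(ik, count, fresh, dir, buf, (len - 4) * 8)) return -1;
    f8(ck, count, 1, dir, buf, (len - 4) * 8);
    return (long)(len - 4);
}

/* Constructed keys and payload. Returns 1 on a clean round trip, -1 if the MAC check rejects. */
int demo(int tamper) {
    const char *msg = "constructed sample payload";
    uint8_t ck[16], ik[16], buf[64];
    size_t len = strlen(msg);
    for (int i = 0; i < 16; i++) { ck[i] = (uint8_t)(i + 1); ik[i] = (uint8_t)(0xA0 + i); }
    memcpy(buf, msg, len);
    size_t framed = protect(ck, ik, 7, 0x1234abcdu, 0, buf, len);
    if (tamper) buf[len - 1] ^= 0x01;                               /* one ciphertext bit flipped */
    long out = unprotect(ck, ik, 7, 0x1234abcdu, 0, buf, framed);
    return out < 0 ? -1 : ((size_t)out == len && memcmp(buf, msg, len) == 0);
}

int main(void) {
    printf("clean: %d, tampered: %d\n", demo(0), demo(1));
    return 0;
}
```

Since f8 only XORs a keystream onto the data, a flipped ciphertext bit would flip the same plaintext bit undetected; the f9 check before decryption is what catches it.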

4.4) SCREENSHOTS

Server (RNC) side

Client (USIM) side

CHAPTER 5 CONCLUSION AND FUTURE WORK

5.1) CONCLUSION

In this thesis we outlined the 3G Rel99 architecture and the framework of the 3G security architecture. We have discussed the main features of 3G security architecture and its improvements over the 2G GSM system. Security mechanisms like two way authentication, integrity protection of user data and signaling data and the extension of security to the core network are robust and can successfully prevent most of the threats and intrusion from potential hackers. However there are a few loopholes like transmission in the open of permanent user identity in the initial allocation of temporary identity and user domain data not integrity protected, that may be exploited by potential hijackers.

5.2) FUTURE WORK

In this thesis we have implemented the security algorithms to protect the interface between the mobile station and the RNC (network access security). This implementation can be extended to security features like MAPSEC [9] and IPSEC [10] for protection of the core network (network domain security).
