Third generation 3G wireless in evolution, security, threats and analysis


CHAPTER 1: INTRODUCTION

1.1. Background

The idea of using cells for communication can be traced back through the evolution of the technology. No one expected the enormous growth of cellular systems. The era of the first and second generations began between the 1900's and 2000's; third generation "3G" came into the world in the early years of the 2000's.

What actually is third generation "3G"?

Third generation "3G" is a wireless network standard that provides higher data transfer rates to hand-held devices than its predecessor technologies.

1.2. Aims and Objectives

This thesis aims at:

* Research in different areas related to third generation "3G" wireless, especially in evolution, security, threats and analysis

The objectives of this thesis are:

* A detailed report on third generation "3G" wireless network

* A report on the changes that took place in the security architecture

* A report on wireless security issues and analysis

* Economic impact of 3G wireless network

1.3. Research problems

Today's third generation "3G" wireless has been developed by overcoming many security issues of its predecessors, fulfilling the requirements of this generation's needs. Many problems remain even in 3G. In my thesis, I give a sneak peek at how the problems in 3G are overcome and at its evolution towards the next generation of wireless communication, which is popularly known as 3GPP or fourth generation "4G" wireless communication.

1.4. Structure of the Report

The thesis is organised as follows:

Chapter 1: Introduction: presents the background and an overview of the thesis.

Chapter 2: Evolution of wireless communication: gives information about how the evolution started and highlights the differences between the generations of communication.

Chapter 3: Security and Threats: gives information about the security issues associated with the evolution from one generation of communication to the next.

Chapter 4: Analysis: gives information about the methods followed to resolve the issues and the changes that took place in the architecture of the networks.

Chapter 5: Future works: gives information about the future works which are being carried out and implemented, and their impact on the economy.

Chapter 6: Conclusion: concludes the report on wireless communication.

CHAPTER 2: EVOLUTION OF WIRELESS

2.1. First Generation (1G)

First generation cellular systems became available in the market in the early 1980's. Before the first cellular systems, radio telephony was used for mass communication by governments, while militaries had been using it since the 1940s. The invention of handover mechanisms allows a user to move from one cell to another cell. This made it possible to introduce cellular communication to consumers as well.

The first generation cellular systems used analog voice transmission, started in 1983 and were referred to as analog technology. This is because the RF carrier is modulated and transmitted using Frequency Modulation (FM), a simple analog modulation technique, with channel access by FDMA (Frequency Division Multiple Access). In FDMA the entire frequency band is divided into several sub-channels, each held for the whole time period, as shown in fig 2.1.a.

The first cellular system was implemented in Europe. It was introduced by Nordic Mobile Telephone (NMT). This was the first generation cellular system that operated in a unified way in more than one country and allowed mobile communication across the whole of Scandinavia. Even though AMPS is outdated nowadays, it is still used in some parts of the North American continent.

System parameter                        AMPS       NMT 450     NMT 900

Transmission frequency [MHz]
  * Base station                        869-894    463-467.5   935-960
  * Mobile station                      824-849    453-457.5   890-915

Frequency separation between
transmitter and receiver [MHz]          45         10          45

Spacing between channels [kHz]          30         25          25

Number of channels                      832        180         1000

Base station coverage radius [km]       2-25       1.8-40      2-20

Modulation of audio signal              FM         FM          FM
  * Frequency deviation [kHz]           ±12        ±5          ±5

Transmitter output power [W]
  * Maximum for base station            100        50          25
  * Medium for mobile station           3          1.5         1

Drawbacks:

The first generation cellular systems suffered from poor audio quality, poor battery life, large phone size, no security, call drops, limited capacity and poor handoff reliability between cells.

Security flaws:

The MSs in first generation systems transmitted radio signals in the clear using FM over UHF. The only security feature was authentication of an MS when initiating roaming (using the network of a given provider) by checking the MS identification number and the subscriber identification number against the HLR. The security belief was that the price and complexity of the equipment needed to receive and create such transmissions was prohibitive for an intruder. The assumption was wrong, and resulted in extensive abuse of 1G systems. The two major issues were i. Eavesdropping and ii. Phone cloning.

i. Eavesdropping: this could easily be accomplished by simply picking up the FM signals with a radio scanner tuned to UHF.

ii. Phone cloning: this involved eavesdropping on the authentication exchanges between the MS and the network. These exchanges could be reproduced to gain fraudulent access to the network.

2.2. Second Generation (2G)

In the mid 1980's, Europe began approaching capacity limits in the usage of 1G networks and formed an international coordinating body called Groupe Spécial Mobile, now mostly known as Global System for Mobile communications or GSM. It was created to deploy a unified standard for mobile communication. This technology required a lot of support from users, a similar or lower operating cost, a similar or better speech quality, and the ability to coexist with the existing analog systems. To achieve these objectives, the GSM committee used TDMA (Time Division Multiple Access) over UHF, a digital multiplexing technique that makes more economic and efficient use of UHF frequencies.

As 2G was developed on the basis of the 1G network, security issues were given major consideration, such as preventing phone cloning and making phone conversations unsusceptible to eavesdropping. The basic security standards of 2G are authentication, confidentiality and anonymity.

Basic features of GSM:

Feature                                                    GSM 900

Frequency range
  Uplink (MS -> BS)                                        890-915 MHz
  Downlink (BS -> MS)                                      935-960 MHz

Number of duplex channels                                  124

Frequency interval between uplink & downlink frequencies   45 MHz

Maximum BS power                                           320 W (55 dBm)

Maximum MS power                                           8 W (39 dBm)

Minimum MS power                                           0.02 W (13 dBm)

Maximum vehicle speed                                      250 km/h

2.2.1 GSM - 2G (Global System for Mobile Communications)

2G has been one of the dominant technologies for the past few years. This technology is digital and circuit based and supports voice as well as limited data connectivity. One of the popular standards that has been accepted worldwide and has been very stable is GSM. In wireless digital technology it was one of a kind in sustaining and supporting the other technologies that branched from it. GSM had a huge market share of 60% in the year 2001. GSM technology also supports low rate data services, i.e., 9.6 kbps, and SMS (Short Message Service), in addition to voice.

Technical: The modulation technique used for GSM is Gaussian Minimum Shift Keying (GMSK). It is a two-level digital FM modulation developed specifically for GSM. It uses minimum shift keying with Gaussian filtering; the filtering smooths the rapid transitions and reduces bandwidth usage.

TDMA technology is used primarily in the US. It makes more efficient use of the bandwidth by dividing each cellular channel into several time slots, a technique known as time division multiplexing, in which each slot carries a separate transmission. The channel switches rapidly from one slot to another; in this way it can handle three communications simultaneously. GSM is based on TDMA, but it uses wider carrier frequencies. Each band is 200 kHz wide and can support up to 8 simultaneous users.

The design of GMSK was a compromise between conflicting goals, such as the need to reduce susceptibility to radio noise, reduce bandwidth and reduce power to increase the battery life of mobile users. These characteristics helped in deriving several others, such as

1. Increased frequency reuse (which allows supporting more users),

2. Lower distortion (better voice quality) and

3. Higher data rates

To support the demand from users and their usage of various applications, GSM uses a combination of TDMA and FDMA.

Drawbacks:

* GSM does not support higher data rates.

* It cannot support complex data transmissions, such as video

* The hardware devices built for GSM have less powerful CPUs, memory and display units, which support only simple functionality.

* The only messaging service supported by GSM is SMS, which in turn depends upon the service provider.

* The GSM networks do not support the current internet protocols and other common data formats, because of the development of technology in software, hardware and protocols.

2.2.2 CDMA, IS-95 (2G):

The major difference between CDMA and other 2G technologies such as GSM is the modulation scheme used. CDMA (Code Division Multiple Access) is a second generation mobile communication technology, specially designed for voice as specified in IS-95A, which allows packet data rates up to 14.4 kbps. CDMA uses spread spectrum technology that distributes a signal across a wide (1.25 MHz) frequency channel.

Interim Standard 95 (IS-95) operates in two bands, Band class 0 and Band class 1. The frequencies used by Band class 0 are the same as those of AMPS, but they are now used by Band class 0. The uplink and downlink frequencies of Band class 0 are 824-849 MHz and 869-894 MHz, i.e., there is a difference of 45 MHz between the two. The uplink and downlink frequency bands for Band class 1 are 1850-1910 MHz and 1930-1990 MHz. In the standard the downlink and uplink channels are called forward and reverse channels.

2.3 2+ or 2.5th generation:

The period between the existing 2G networks and the third generation wireless cellular network, during which changes were made to the existing network, is called the second-and-a-half generation, 2.5G or 2+ generation.

2.5G provides some of the benefits of 3G services while letting us use the existing 2G infrastructure. GPRS and EDGE in GSM, and CDMA2000 for CDMA, are 2.5G technologies. These technologies would qualify to be called 3G because they have data rates above 144 kbit/s, but they are considered 2.5G services.

2.4 Third generation (3G):

The next generation wireless cellular network aims to provide a single global system that supports mobile communication and networking, including both terrestrial and satellite components. The evolution towards the third generation was started in the year 1992 by the ITU (International Telecommunication Union). The result of the effort was a new network infrastructure called IMT-2000 (where IMT stands for International Mobile Telecommunications and 2000 signifies that the technology would be available in the year 2000).

Because of the extensive deployment of and investment in 2G radio technology during the 1990's, IMT-2000 became a "family of standards" offering evolution and revolution options from the major existing 2G network standards. The "evolution" option allowed a compatible evolution of a 2G standard to its 3G equivalent within the operators' existing spectrum allocations. The "revolution" option allowed obtaining new spectrum in addition to the existing one, building an overlay network and using dual-band mobile equipment.

The two categories of IMT-2000 led to the development of some more standards.

IMT-2000 "Evolutionary" 3G standards

The two widely deployed standards for IMT-2000 are:

· The evolution from the 2G CDMA standard (IS-95) or cdmaOne to IMT-MC (cdma2000)

· The evolution from the 2G TDMA standard (GSM/IS-136) to IMT-SC (EDGE)

The IS-136 standard can also evolve into IMT-MC because the core network is the same, i.e., IS-41.

IMT-2000 "Revolutionary" 3G standards

In these standards a new spectrum allocation was done, which again leads to three standards; they are:

· IMT-DS (W-CDMA), named for its relatively wide channels (5 MHz)

· IMT-TC (TD-SCDMA/UTRA TDD)

· IMT-FT (DECT), because a TDD frequency assignment is required.

The IMT-DS standard could be deployed into the existing cellular bands if sufficient spare bandwidth were made available.

2.4.1. IMT - MC (CDMA2000):

IMT-MC (International Mobile Telecommunication - Multi Carrier) or CDMA2000 is one of the mobile technology standards of the third generation. This standard is developed on the basis of cdmaOne for better voice, data and signalling.

There is a group of standards in CDMA2000, such as CDMA2000 1X, CDMA2000 EV-DO Rev. 0, CDMA2000 EV-DO Rev. A and CDMA2000 EV-DO Rev. B.

2.4.1.1. 1X

CDMA2000 1X (IS-2000), also known as 1x and 1xRTT, is the core CDMA2000 wireless air interface standard. The designation "1x", meaning 1 times Radio Transmission Technology, indicates the same RF bandwidth as IS-95. The 1x standard can support a data transmission rate of up to 153 kbps, whereas in the real world its average speed is 60 to 100 kbps. Some changes were made in the data link layer for greater usage of data services. The data link layer provides only "best effort delivery" for data and a circuit switched channel for voice.

2.4.1.2. 1xEV-DO

CDMA2000 1xEV-DO (Evolution-Data Optimized), often abbreviated as EV-DO or EV, is a telecommunication standard for the wireless transmission of data through radio signals, typically for high speed mobile data services. It delivers peak data speeds above 2 Mbps and an average data throughput of 300 to 600 kbps. It uses two multiplexing techniques, CDMA and TDMA, for the maximum overall throughput. It is accepted by many service providers worldwide as a 3GPP standard. This standard is mainly accepted by providers who were previously providing CDMA networks. It is also used by the Globalstar satellite phone network.

2.4.1.3. 1xEV-DO Rev. A

CDMA2000 1xEV-DO Rev. A (Revision A) is the latest generation of EV-DO technology. It can transmit data at speeds up to 3.1 Mbps, which allows telephone-based services such as video telephony, push to talk and voice services over a wireless IP network.

EV-DO Rev. A supports voice service because it provides a fast reverse link (uplink) and end-to-end QoS. Quality of service is defined by many parameters, including data rate changes, acceptable packet rate and sensitivity to delay. A delay-sensitive flow gets priority over a best-effort flow used for email and music downloads.

The key features of Revision A are improved broadband speeds, higher spectral efficiency, low latency, advanced QoS, all-IP, advanced services (PTT, PTM, video conferencing and 3D games) and backward compatibility.

2.4.1.4. 1xEV-DO Rev. B

CDMA2000 Rev. B (Revision B) builds on the efficiencies of Rev. A. The concept of dynamically scalable bandwidth is introduced in Rev. B, and it lets data traffic flow over more than one carrier, which improves data rates for users. In Rev. B peak data rates are proportional to the number of carriers aggregated; for example, if 15 channels are combined within a 20 MHz bandwidth, it delivers a peak rate of 46.5 Mbps in the downlink and 27 Mbps in the uplink. To achieve this performance the 1.25 MHz carriers do not have to be adjacent to each other, which gives service providers the flexibility to combine blocks of spectrum from different bands. This is a unique benefit of Rev. B, not available in WCDMA/HSDPA.

2.4.2. IMT - SC (EDGE):

IMT-SC or EDGE (Enhanced Data GSM Environment) is the simplest route for GSM/GPRS to evolve to the IMT-2000 3G standard. EDGE was introduced in 2003, initially by Cingular (now AT&T) in the US. With it, service providers can apply only a software upgrade to make their network offer 3G services, while continuing to provide GSM and GPRS services on common radio channels within their existing spectrum allocation.

By using EDGE, service providers can offer three times the data capacity of the existing GSM/GPRS; carriers can triple their data rate per subscriber and add extra capacity for voice communications. EDGE uses the same TDMA frame structure and bandwidth as the existing GSM network, which allows it to be overlaid directly onto an existing GSM network. EDGE is generally classified as 2.75G due to its high transmission data rates, although it is part of the 3G technologies.

2.4.3. IMT - DS (W - CDMA):

IMT-DS (Direct Spread) or W-CDMA (Wideband CDMA) is one of the air interfaces found in 3G telecommunication technology. It is the most commonly used member of the UMTS family and is sometimes used as a synonym for UMTS. It uses the direct-spread CDMA channel access method and the FDD duplexing method to achieve higher data rates and to support more subscribers than the TDMA schemes in use today.

Wideband CDMA was first deployed in Japan in the year 2001 as Freedom of Mobile Multimedia Access by NTT DoCoMo. CDMA2000 transmits radio channels of 1.25 MHz as one or several pairs, whereas W-CDMA transmits radio channels in a wide band of 5 MHz; but it is not a wideband version of CDMA2000. It is a new design by NTT DoCoMo which differs in many aspects. It provides different trade-offs between cost, performance and density. W-CDMA deployment is suited to very dense cities. A complete set of specifications has been developed for W-CDMA, detailing the protocols for mobile communication with the towers and how the signals are modulated and datagrams are structured.

2.4.4. IMT - TC (TD - SCDMA/ UTRA TDD):

IMT-TC (Time Code) or TD-SCDMA (Time Division Synchronous CDMA) is an air interface found in UMTS mobile telecommunication networks in China, as an alternative to W-CDMA. It was accepted as one of the 3G standards in May 2000, a significant milestone in Chinese telecommunication history.

The advanced features of TD-SCDMA allow advanced 3G services, with high speed data, packet data and excellent voice quality, to be provided by connecting a TD-SCDMA RAN to the existing GSM/GPRS network. Access to the new UMTS spectrum resources increases network capacity. The outstanding spectral efficiency of its 1.6 MHz bandwidth, which is 3 to 5 times higher than existing GSM, allows more users to be handled with fewer base stations. This technology is very suitable for 3G internet applications, and the flexibility for asymmetric data rates, traffic and allocation of radio resources allows maximum adaptation of the radio access to the actual traffic load within the network.

2.4.5. IMT - FT (DECT):

IMT-FT (Frequency Time) or DECT (Digital Enhanced Cordless Telecommunications), otherwise known as Digital European Cordless Telephone, is commonly used for corporate and domestic purposes. This standard fulfilled the requirements of IMT-2000 and was thus qualified as one of the 3G standards.

DECT was developed by ETSI, but it has since been adopted by many countries worldwide. The original frequency range for DECT was 1880 MHz to 1900 MHz in Europe, and different countries made changes in allocating the frequencies.

The DECT standard fully specifies a means for a portable unit, such as a cordless telephone, to access a fixed telecom network via radio. Connectivity to specific networks is done through a base station or "Radio Fixed Part", and a gateway connects calls to the fixed network. In most cases the base stations are connected to the PSTN. New technologies allow DECT to connect with Voice over IP.

So far we have seen the many paths that led to the evolution of 3G. Now we will look at the architecture of 3G in detail.

2.5. Architecture of the 3G: UMTS

The Third Generation Partnership Project (3GPP) group was formed in the year 1998 to work on the technical specifications. The group has released many standards in the years since. All the standards have been developed by the regional standards developing organisations (SDOs). In total 17 different standards were proposed to 3GPP by SDOs; of these, 11 were for terrestrial systems and 6 for mobile systems. All the evaluations and negotiations for building them were completed by the middle of 1999, and the first release of 3GPP is called 3G rel99. In the first release the basic architecture of UMTS was specified.

Later there were many releases: 3G rel4 in 2001 (3G radios added), 3G rel5 in March - June 2002 (soft switching, voice gateways and packet core added), 3G rel6 in Dec '04 - Mar '05, 3G rel7 in Sep '05, some of whose developments were frozen (freeze: no additional functions are added, although detailed protocol functions are not complete), 3G rel8 in Mar '08, 3G rel9 frozen in Dec '08, and the next release would be 3G rel10 in Mar '10. All the releases mark the achievements of successive stages in technical development. (3gpp core network doc)

Before discussing the enhancements added to the UMTS architecture in the 3GPP releases, let us discuss the basic architecture and the functionalities carried out in it. A UMTS network (i.e., 3GPP Rel'99) can be classified into three domains:

1. Core Network (CN)

2. UMTS Terrestrial Radio Access Network (UTRAN)

3. User Equipment (UE)

Let us discuss in detail about the three domains:

2.5.1. Core Network (CN):

The core network of UMTS is developed on the basis of GSM and GPRS. All the equipment used for GSM and GPRS is modified for the functionalities of UMTS. The core network is again divided into two overlapping domains: 1. the Circuit Switched (CS) domain and 2. the Packet Switched (PS) domain.

The circuit switched domain controls the allocation of dedicated resources and the control of connections, such as establishment and release of connections during a particular session. Generally, all the components belonging to the CS domain handle voice calls. Some of the elements under the CS domain are the Mobile services Switching Centre (MSC), Visitor Location Register (VLR) and Gateway MSC (GMSC).

The packet switched domain controls the transport of user data in the form of autonomous packets. These packets are routed independently of each other, along different paths. The inability to transmit data efficiently in this way was one of the limitations of the 2G network. Some of the elements under the PS domain are the Serving GPRS Support Node (SGSN) and Gateway GPRS Support Node (GGSN). Elements like the HLR, VLR, EIR and AuC are shared by both domains.

The core transmission in UMTS is carried out in Asynchronous Transfer Mode (ATM).

2.5.2. UMTS Terrestrial Radio Access Network (UTRAN):

The UMTS standards can be seen as an extension of the existing networks. In UTRAN two new elements are introduced: the Radio Network Controller (RNC) and Node B. UTRAN is subdivided into a number of individual radio network subsystems (RNSs). Each RNS is controlled by an RNC. One or more Node Bs are controlled by the RNC, and each Node B can serve one or more cells.

Elements such as the SGSN, MSC, HLR and VLR can be extended to meet the requirements of UMTS, but the RNC and Node B require new designs. These elements replace some of the existing 2G elements: the RNC replaces the BSC and Node B replaces the BTS, and both perform mostly the same functions as their predecessors, with the new services integrated into the network. Some existing interfaces such as A, Abis and Gb are kept, and new interfaces are added: 'Iu', 'Iub' (the interface between Node B and the RNC in UTRAN) and 'Iur' (the interface between two RNCs).

Now let us see some of the functionalities of the RNC and Node B in detail.

2.5.2.1. Radio Network Controller (RNC):

In UTRAN the RNC enables autonomous radio resource management (RRM). The RNC performs some of the functions of the BSC in GSM, such as central control of all the RNSs and Node Bs. It also handles the protocol exchanges between interfaces such as Iu, Iur and Iub. The RNC is responsible for all Operation and Maintenance (O&M) of the RNS, with access to the OSS. As the interfaces are based on ATM, the RNC switches ATM cells between them. All the user data (circuit switched and packet switched) coming from the Iu-CS and Iu-PS interfaces are multiplexed together and transmitted to the user equipment through the Iur, Iub and Uu interfaces.

To reduce the burden on the CN, the RNC uses the Iur interface. It autonomously handles 100% of RRM, a feature that was not available in the GSM BSS. A serving RNC (SRNC) entirely controls serving functions such as the RRC connection with the UE, admission, congestion and handover or macro diversity. If more than one RNC is involved in a connection, the others are called drift RNCs (DRNC). Code resources are the only responsibility of a DRNC. A relocation of the Serving Radio Network Subsystem (SRNS) functionality to the former DRNC is possible. The RNC that controls the logical resources of the UTRAN access points is termed the controlling RNC (CRNC).

2.5.2.2. Node B:

Node B is the physical unit used for radio transmission within cells. Node B can serve one or more cells depending on its sectors. One Node B can support both FDD and TDD modes. Node B can be co-located with the BTS in GSM to minimise implementation costs. Node B connects with the RNC through the ATM-based Iub interface and with the UE through the Uu radio interface. For asynchronous transfer mode (ATM), Node B acts as a termination point.

Some of the main functionalities of Node B are data conversion to and from the Uu radio interface with Forward Error Correction (FEC), Quadrature Phase Shift Keying (QPSK), spreading or despreading of WCDMA and rate adaptation on the air interface. It also measures the strength and quality of the connection and detects the Frame Error Rate (FER). All these data are transmitted to the RNC in the form of measurement reports for micro diversity combining and handovers. FDD soft handovers are carried out by Node B. The additional transmission capacity that would otherwise be required on the Iub is eliminated by micro diversity combining.

Power control in the user equipment is also controlled by Node B. It enables the user equipment to adjust its power using downlink (DL) transmission power control (TPC) commands via the inner loop power control, on the basis of uplink (UL) TPC information. The target values for inner loop power control are derived from the RNC via outer loop power control.

2.5.3. User Equipment (UE):

These are the physical devices used by the users. The UE consists of the Mobile Equipment (ME) and the UMTS Subscriber Identity Module (USIM). The USIM is a removable IC card application that interoperates with the mobile equipment to provide 3G services and also provides the following features:

* Distinctly identifies the user

* Stores information related to the subscriber

* Acts as a mutual authenticator between the network and the subscriber

* Provides security functions

* Stores key information: IC card identification, preferred language, International Mobile Subscriber Identity (IMSI), Temporary Mobile Subscriber Identity (TMSI), Packet TMSI, International Mobile Equipment Identity (IMEI), International Mobile Equipment Identity and Software Version (IMEISV) and cipher key

UMTS mobile station can be operated in three modes:

* Circuit Switched mode of operation: In this mode, the mobile station can operate only CS services.

* Packet Switched mode of operation: In this mode, the mobile station can operate only PS services; some CS-like services, such as VoIP, can also be operated in this mode.

* Circuit Switched/Packet Switched mode of operation: In this mode, the mobile station can operate both CS and PS services simultaneously.

2.6. Fourth generation (4G)

The fourth generation of cellular standards is the successor to the 3G and 2G standards, with the aim of providing ultra-broadband internet access to users.

CHAPTER 3: SECURITY

The security principles and objectives of 3G are derived from the issues in second generation mobile communication systems.

3.1 3G Security Principles:

There are mainly three principles behind the security design of 3G:

* 3G security is built on the basis of second generation systems. Security elements within GSM and other second generation systems that have proved to be needed and robust shall be adopted for third generation security. These elements are listed in sub clause 3.1.1.

* The security of second generation systems will be improved in 3G security. 3G security will address and correct real and perceived weaknesses in second generation systems. The most important of these are given in sub clause 3.1.2.

* Existing and new security features will be developed in 3G to offer better security for existing and newly developed services.

3.1.1 2G security elements to be retained:

The following security elements of second generation systems shall be retained in 3G security, and in some cases might need further development.

* Authentication of subscribers for service access

Problems with inadequate algorithms will be addressed. Conditions regarding the optionality of authentication and its relationship to encryption shall be clarified and tightened.

* Radio interface encryption

The strength of the encryption will be greater than the encryption in second generation systems.

* Subscriber identity confidentiality on the radio interface

However, a more secure mechanism will be provided;

* The SIM as a removable hardware security module that is:

- Manageable by network operators;

- Independent of the terminal as regards its security functionality.

* SIM application toolkit security features providing a secure application layer channel between the SIM and a home network server.

Other application layer channels may also be provided.

* The operation of security features is independent of the user, i.e., the user does not have to do anything for the security features to be in operation.

However, greater user visibility of the operation of security features will be provided to the user;

* HE (home environment) trust in the SN (serving network) for security functionality is minimised.

3.1.2. Weaknesses in second generation security:

The following weaknesses in the security of GSM (and other second generation systems) will be corrected in 3G security:

* Active attacks using a "false BTS" are possible;

* Cipher keys and authentication data are transmitted in clear between and within networks.

* Encryption does not extend far enough towards the core network, resulting in clear text transmission of user and signalling data across microwave links in GSM, from the BTS to the BSC.

* User authentication using a previously generated cipher key (where user authentication via RAND, SRES and A3/8 is not provided) and the provision of protection against channel hijack rely on the use of encryption, which provides implicit user authentication. However, encryption is not used in some networks, leaving opportunities for fraud.

* Data integrity is not provided. Data integrity defeats certain false BTS attacks and, in the absence of encryption, provides protection against channel hijack.

* The IMEI is an unsecured identity and should be treated as such;

* Fraud and LI (lawful interception) were not considered in the design phase of second generation systems but as afterthoughts to the main design work;

* There is no HE knowledge or control of how the SN uses authentication parameters for HE subscribers roaming in that SN;

* Second generation systems do not have the flexibility to upgrade and improve security functionality over time.

So far we have seen the security principles of a 3G network and some of the weaknesses of 2G systems; some of the 2G features must be retained, and new security features must be added for the new applications that 3G introduces. Before we move on, let us look at the security architecture of UMTS in 3G systems.

3.2 Security architecture of UMTS:

"The security architecture is made of security features and security mechanisms"

A security feature is a service capability that meets one or several security requirements.

A security mechanism is an element or process that is used to realise a security requirement.

In the UMTS architecture the security features are grouped into five categories, each addressing a specific type of threat in order to meet certain objectives, as shown in the figure below. These groups of features are described below.

* Network access security: these features provide users with secure access to 3G services and protect the radio interface links from attacks.

* Network domain security: these features protect the exchange of signalling data between the nodes of the provider network and protect against attacks on the wireline network.

* User domain security: these features provide secure access to mobile stations.

* Application domain security: these features allow the secure exchange of messages between applications in the user domain and in the service provider domain.

* Visibility and configurability of security: these features let the user find out whether a security feature is in operation and whether the use of a service depends on a security feature being in place.

3.2.1 Network access security feature:

This feature is further divided into three categories: entity authentication, confidentiality and data integrity.

* Entity authentication: some of the security features that come under this are

o User authentication: The serving network verifies the identity of the user.

o Network authentication: The user verifies that the serving network is authorised (by the user's home network) to provide the services; this also includes that the authorisation is recent.

* Confidentiality: This deals with the confidentiality of data on the network access link

o Cipher algorithm agreement: The property that the mobile station and the serving network can securely negotiate the algorithm that they shall use subsequently.

o Cipher key agreement: The property that the mobile station and the serving network agree on a cipher key that they may use subsequently.

o Confidentiality of user data: The property that user data cannot be overheard on the radio interface.

o Confidentiality of signalling data: The property that signalling data cannot be overheard on the radio interface.

Table _: The structure of an authentication vector.

(a) Structure of an authentication vector

    Field   Description
    RAND    Random challenge
    CK      Cipher key
    IK      Integrity key
    AUTN    Authentication token
    XRES    Expected response

(b) Structure of the AUTN field of an authentication vector

    Field   Description
    SQN     Sequence number
    AMF     Authentication management field
    MAC-A   Message authentication code

* Data integrity: This feature provides integrity of data on the network access links

o Integrity algorithm agreement: The property that the mobile station and the serving network can securely negotiate the integrity algorithm that they shall use subsequently.

o Integrity key agreement: The property that the mobile station and the serving network agree on an integrity key that they may use subsequently.

o Data integrity and origin authentication of signalling data: The property that the receiving entity is able to verify that signalling data has not been modified in an unauthorised way since it was sent by the sending entity, and that the origin of the signalling data received is indeed the one claimed.

3.2.2. UMTS Authentication and Key Agreement (UMTS AKA)

UMTS AKA is one of the security mechanisms used to fulfil the authentication and key agreement features described above. To maintain compatibility with the GSM subscriber authentication and key establishment protocol, the AKA mechanism is built on a challenge/response authentication protocol. This maximised compatibility with GSM and eased the implementation of UMTS. A challenge/response protocol is a security measure by which an entity verifies the identity of another entity without disclosing the secret key shared between them. The key concept of this mechanism is that each entity proves to the other that it knows the shared key without actually transmitting or revealing it.

The function of this mechanism is described in this subsection. The UMTS AKA procedure is invoked after the first registration of the user, for a service request, for a location update request, for an attach or detach request and for a re-establishment request. To complete the process, the relevant information about the user must be sent from the home network to the serving network. Table 2 shows the information fields of the authentication vectors that the home network's HLR/AuC provides to the serving network's VLR/SGSN.

All the key agreement and authentication steps are summarised in the figure_ below:

Stage 1:

1. A set of AVs is requested by the visited network's VLR/SGSN from the HLR/AuC in the user's home network.

2. The home network (i.e., the HLR/AuC) computes a set of AVs. This is done using the authentication algorithm and the secret key (K) of the user, which is stored in the home network and in the USIM.

3. The home network responds by sending n authentication vectors (AV1 to AVn) back to the visited network.

Stage 2:

1. The visited network chooses one AV and challenges the mobile station (USIM) by sending it the RAND and AUTN fields of that vector.

2. The mobile station processes the AUTN. The USIM verifies the received challenge with the secret key K and, using the sequence number (SQN) carried in the AUTN, verifies that the authentication vector has not expired. If the AV is still valid, the network is thereby authenticated; the USIM then creates a confidentiality key (CK) and an integrity key (IK) and computes a response (RES) for the network.

3. The user responds to the visited network with the RES.

4. The visited network's VLR/SGSN verifies the RES by comparing it with the expected response (XRES) from the current AV.

In step 5, mutual authentication between the USIM and the VLR/SGSN is complete once all conditions have been met. First, the USIM has verified that the MAC field in the AUTN equals the value it generated internally with the key K from the fields RAND, AMF and SQN. Secondly, the VLR/SGSN has verified that the RES value sent by the UE equals the XRES.
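The two stages above, carried out end to end in code, as an added example that is not part of the thesis or of any 3GPP specification. The MILENAGE functions f1 to f5 of the real protocol are replaced by HMAC-SHA256 derived values (an assumption made only so that the example runs offline); the message flow, the AUTN layout (SQN, AMF, MAC-A), the MAC and sequence number checks in the USIM, and the RES/XRES comparison in the VLR/SGSN follow the steps described above. The sequence number window size is also an assumption. The same freshness check is what defeats the replay of an eavesdropped authentication response discussed in Chapter 4 (4.5.2).

```python
"""UMTS AKA challenge/response, simplified illustration (not the 3GPP algorithms)."""
import hmac
import hashlib
import os

SQN_WINDOW = 32  # assumption: how far ahead of the last accepted SQN the USIM accepts


def prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in keyed function: HMAC-SHA256(K, label || parts). Replaces f1..f4."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def compute_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """f1 stand-in: 64-bit MAC-A over RAND, SQN and AMF."""
    return prf(k, b"f1", rand, sqn, amf)[:8]


def derive(k: bytes, rand: bytes):
    """f2/f3/f4 stand-ins: RES (XRES), CK and IK from K and RAND."""
    return prf(k, b"f2", rand)[:8], prf(k, b"f3", rand)[:16], prf(k, b"f4", rand)[:16]


class HomeNetwork:
    """HLR/AuC: holds the subscriber key K and the per-subscriber SQN counter."""

    def __init__(self, k: bytes, amf: bytes = b"\x80\x00"):
        self.k, self.amf, self.sqn = k, amf, 0

    def generate_av(self, rand: bytes = None) -> dict:
        """Stage 1, step 2: one AV = (RAND, XRES, CK, IK, AUTN)."""
        rand = rand or os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        mac_a = compute_mac(self.k, rand, sqn, self.amf)
        xres, ck, ik = derive(self.k, rand)
        # AUTN carries SQN, AMF and MAC-A (table (b) above); AK concealment of SQN omitted
        autn = sqn + self.amf + mac_a
        return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": autn}

    def generate_avs(self, n: int) -> list:
        """Stage 1, step 3: n vectors AV1..AVn for the visited network."""
        return [self.generate_av() for _ in range(n)]


class USIM:
    """Holds K and the highest sequence number accepted so far (SQN_MS)."""

    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0

    def challenge(self, rand: bytes, autn: bytes):
        """Stage 2, step 2: verify MAC-A and SQN; return (RES, CK, IK) or raise."""
        sqn, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac_a, compute_mac(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if not (self.sqn_ms < sqn_int <= self.sqn_ms + SQN_WINDOW):
            raise ValueError("synchronisation failure: AV expired or replayed")
        self.sqn_ms = sqn_int
        return derive(self.k, rand)


class ServingNetwork:
    """VLR/SGSN: fetches AVs from the home network and runs the challenge."""

    def __init__(self, home: HomeNetwork, n: int = 3):
        self.avs = home.generate_avs(n)  # stage 1, steps 1 and 3

    def authenticate(self, usim: USIM) -> bool:
        """Stage 2: send RAND/AUTN, compare RES with XRES (step 4)."""
        av = self.avs.pop(0)
        res, ck, ik = usim.challenge(av["RAND"], av["AUTN"])
        # CK and IK are derived on both sides; they are never sent over the air
        assert ck == av["CK"] and ik == av["IK"]
        return hmac.compare_digest(res, av["XRES"])


if __name__ == "__main__":
    k = b"constructed-K-value-16"  # constructed sample subscriber key
    sn = ServingNetwork(HomeNetwork(k))
    print("authenticated:", sn.authenticate(USIM(k)))
```

A compromised but unused vector would still be accepted by this USIM, which is exactly the residual weakness the thesis notes in 4.3.3: the sequence number only rejects vectors that are stale or already consumed.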

3.2.3. Integrity and Confidentiality algorithms

The control signalling information transmitted between the mobile station and the network provider is sensitive as well as important, so the integrity of these transmissions must be protected. The mechanism used to carry out these security features is based on the UMTS Integrity Algorithm (UIA). This algorithm is implemented both in the mobile station and in the RNC (see the figure of the UMTS architecture).

The UIA algorithm explained below is the f9 algorithm. Its step by step operation is as follows.

Step 1: In the UE, the f9 algorithm computes a 32-bit message authentication code (MAC-I) for data integrity over its input parameters, with the signalling data (MESSAGE) included among them.

Step 2: The computed 32-bit MAC-I is appended to the signalling information and sent from the UE to the RNC over the radio interface.

Step 3: Once the signalling information is received at the RNC, the RNC computes the expected MAC-I (XMAC-I) in the same way that the mobile station computed the MAC-I.

Step 4: By comparing MAC-I and XMAC-I, the integrity of the signalling information is determined.

A detailed description of each input parameter is out of scope; further details and their meanings can be found in [] and []. The internal structure of the f9 algorithm is shown in the figure below.

The f9 algorithm is built from block cipher calls that implement the KASUMI algorithm. The output of each block cipher call is 64 bits long, but the output of the complete algorithm is only 32 bits.

The integrity algorithm only uses signalling information for its computation, whereas the confidentiality algorithm uses both signalling information and user data. The algorithm used for the confidentiality tasks is called f8 and it is performed in the steps below.

Step 1: In the UE, the f8 algorithm is computed using the ciphering key (CK) and some other parameters to produce an output bit stream (the keystream).

Step 2: Each bit of the output bit stream is XORed with the data stream (also called the plaintext) to produce the ciphertext, or ciphered data block.

Step 3: The resulting ciphered data block is sent to the network over the radio interface.

Step 4: The RNC performs the same f8 computation to produce the same output bit stream as the UE.

Step 5: This output bit stream is XORed with the ciphered data block to recover the original information.

All these steps are shown in the figure below.
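The f9 and f8 procedures above, written out as an added example (not code from the thesis or from 3GPP). KASUMI is not available in the Python standard library, so the 64-bit keyed block function is a stand-in built from HMAC-SHA256, and the f8 keystream construction is simplified; both are assumptions. What the example does preserve is the structure the text describes: f9 chains 64-bit blocks, folds the chain values together, applies a final keyed pass under a modified key and truncates to a 32-bit MAC-I that the RNC recomputes as XMAC-I; f8 produces a keystream from CK, COUNT, BEARER and DIRECTION that is XORed with the data, so the same call both ciphers and deciphers.

```python
"""Structure of UMTS f9 (integrity) and f8 (confidentiality); stand-in block function."""
import hmac
import hashlib

BLOCK = 8  # 64-bit blocks, as in KASUMI
KM = b"\xaa" * 16  # key modifier XORed into IK for the final f9 pass


def block_fn(key: bytes, data: bytes) -> bytes:
    """Stand-in for one KASUMI encryption of a 64-bit block (assumption, not KASUMI)."""
    assert len(data) == BLOCK
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f9(ik: bytes, count_i: int, fresh: int, direction: int, message: bytes) -> bytes:
    """Step 1: 32-bit MAC-I over COUNT-I || FRESH || DIRECTION || MESSAGE.
    Blocks are chained (each block output feeds the next input), the chain outputs are
    XORed together, and a final pass under IK xor KM is truncated to 32 bits."""
    header = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction])
    data = header + message
    data += b"\x80" + b"\x00" * ((-len(data) - 1) % BLOCK)  # pad with a 1 bit then zeros
    prev = b"\x00" * BLOCK
    acc = b"\x00" * BLOCK
    for i in range(0, len(data), BLOCK):
        prev = block_fn(ik, xor(prev, data[i:i + BLOCK]))
        acc = xor(acc, prev)
    return block_fn(xor(ik, KM), acc)[:4]


def verify_integrity(ik, count_i, fresh, direction, message, mac_i) -> bool:
    """Steps 3 and 4 at the RNC: recompute XMAC-I and compare with the received MAC-I."""
    return hmac.compare_digest(f9(ik, count_i, fresh, direction, message), mac_i)


def f8(ck: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Keystream of `length` bytes from CK, COUNT-C, BEARER and DIRECTION
    (simplified: one block per counter value; the real f8 also feeds back the
    previous keystream block)."""
    iv = count_c.to_bytes(4, "big") + bytes([bearer & 0x1F, direction]) + b"\x00\x00"
    out = b""
    blk = 0
    while len(out) < length:
        out += block_fn(ck, xor(iv, blk.to_bytes(BLOCK, "big")))
        blk += 1
    return out[:length]


def cipher(ck, count_c, bearer, direction, data: bytes) -> bytes:
    """Step 2 (UE) and step 5 (RNC): XOR with the keystream; identical in both directions."""
    return xor(data, f8(ck, count_c, bearer, direction, len(data)))
```

The two sides must agree on COUNT-I/COUNT-C and DIRECTION as well as on the keys: change any of them and the MAC check fails or the plaintext does not come back, which is why these inputs are part of the protected context rather than just the message bytes.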

3.2.4. KASUMI block cipher:

As noted in the former sections, the KASUMI block cipher is at the core of both the integrity and the confidentiality algorithms in a UMTS network. It is a cipher with a Feistel structure (a Feistel cipher is a symmetric structure used in the construction of block ciphers []). It operates on a 64-bit data block controlled by a 128-bit key. "KASUMI was designed by the Security Algorithms Group of Experts (SAGE), which is a part of ETSI".

KASUMI has the following features due to its Feistel structure:

* It is based on eight rounds of processing

* Input to the first round is the plaintext

* Output at the last round is the cipher text

* A set of round keys KLi, KOi, KIi is derived from the encryption key K for each round i.

* A different function is computed in each round, as long as the round keys are different.

* The same algorithm is used for encryption and decryption.

The KASUMI block cipher is developed on the basis of the MISTY1 block cipher. MISTY1 was chosen as the foundation of the 3GPP ciphering algorithm because its security had been proven against the most advanced methods for breaking block ciphers, known as cryptanalysis techniques. The other reason for using MISTY1 is that it is suitable for hardware implementation.

"Cryptanalysis is the study of the methods for obtaining the encrypted information, without access to the secret information required to do so. Typically it involves finding a secret key. In non technical language it is called code breaking."[]

According to the specifications, both the integrity and the confidentiality algorithms are designed so that they can be implemented on various software and hardware platforms. In addition, these algorithms take various constraints into account. Hardware implementations, for example, are required to use at most 10000 gates and must achieve encryption rates of 2 Mbps; in order to meet the throughput requirement, clock frequencies should be upwards of 200 MHz. All these requirements must be considered, and to perform all the operations of the KASUMI block cipher, high performance hardware should be implemented.
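The structural properties listed in 3.2.4 (64-bit block, 128-bit key, eight rounds, one round key set per round, same algorithm for encryption and decryption) demonstrated on a toy Feistel network. This is an added example, not KASUMI and not the thesis's own code: the round function and key schedule are SHA-256 based stand-ins (assumptions) in place of KASUMI's FL/FO/FI functions and its KLi/KOi/KIi schedule, chosen so the reader can see why a Feistel cipher decrypts with the same routine and reversed round keys even though the round function itself is not invertible.

```python
"""Toy 8-round, 64-bit Feistel cipher illustrating KASUMI's structure (not KASUMI)."""
import hashlib

ROUNDS = 8
HALF = 4  # 32-bit half-blocks of a 64-bit block


def round_keys(key: bytes) -> list:
    """One 32-bit round key per round from the 128-bit key (stand-in schedule;
    KASUMI instead rotates and combines key words into KLi, KOi, KIi)."""
    assert len(key) == 16, "128-bit key expected"
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]


def round_fn(subkey: bytes, half: bytes) -> bytes:
    """Round function F(K_i, R_i). It need not be invertible: the Feistel structure
    undoes it by XORing the same value back in during decryption."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, keys: list) -> bytes:
    """Core network: L_{i+1} = R_i, R_{i+1} = L_i xor F(K_i, R_i), final swap undone."""
    assert len(block) == 2 * HALF, "64-bit block expected"
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left, right = right, xor(left, round_fn(k, right))
    return right + left  # undo the last swap so decryption is the same routine


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Input to round 1 is the plaintext; output of round 8 is the ciphertext."""
    return feistel(plaintext, round_keys(key))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Same algorithm as encryption, with the round keys applied in reverse order."""
    return feistel(ciphertext, list(reversed(round_keys(key))))
```

Each round applies a different function only because the round keys differ (the bullet list above); with identical round keys every round would compute the same transformation, which is the point of a per-round key schedule.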

Chapter 4: Threats

Many security enhancements over 2G systems were required. They are aimed at countering attacks that were not recognised to be possible in 2G systems. This includes attacks that are possible now or will very soon be possible, because intruders have access to new equipment with more computational capability. New technologies and the physical security of equipment in some networks also have to be questioned.

To perform an attack, an intruder has to possess at least some of the following capabilities.

* Eavesdropping:

This is the ability of the intruder to eavesdrop on the signalling and data connections of other users. The equipment required is a modified MS.

* Impersonation of the user:

This is the ability of the intruder to send user data and/or signalling to the service provider in an attempt to make the service provider or network believe that it originated from the target user. The equipment needed is a modified MS.

* Impersonation of the network:

This is the ability of the intruder to send user data and/or signalling to the target user in an attempt to make the target user believe that it originated from the genuine service provider. The equipment required is a modified BS.

* Man in the middle attack:

This is the ability of the intruder to put himself between the user and the service provider. In this position the intruder can eavesdrop on, modify, replay, delete and spoof the signalling and data exchanged between the user and the service provider's network. The equipment required is both a modified BS and a modified MS.

* Compromising authentication vectors in the network:

The authentication vectors of the service provider's network are compromised. The authentication vectors may include challenge/response pairs, integrity keys and cipher keys. All these data are obtained by compromising network nodes or signalling links in the network.

The first capability is the easiest to achieve; the others are progressively more complex and require a greater investment by the attacker. Therefore it is generally assumed that if an intruder has one of these capabilities, he also has the capabilities listed before it. The first two capabilities were already acknowledged in the design of 2G systems. However, 3G security should thwart all these types of attacks.

In the following we consider many types of attacks on 3G, most of which are not fully addressed in 2G. This is an attempt to identify whether the 3G architecture provides new mechanisms and security features that can counteract these types of attacks.

Now let's discuss some of the threats in detail:

4.1. Denial of service:

We distinguish between the following DOS attacks:

4.1.1. User de-registration request spoofing:

Description:

This type of attack requires a modified MS. It exploits the weakness of the network that messages received over the radio interface cannot be authenticated. The intruder spoofs a de-registration request to the network. The network de-registers the user from the VLR and also instructs the HLR to do so. As a result the user becomes unreachable for mobile services.

Can 3G security architecture counteract this attack: Yes

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of de-registration requests allow the serving network to verify whether the requests are genuine.

4.1.2. Location update request spoofing:

Description:

This type of attack requires a modified MS. It exploits the weakness of the network that messages received over the radio interface cannot be authenticated. Here the intruder spoofs a location update request instead of a de-registration request: he registers a new location area different from the one in which the user is roaming. The network registers the intruder in the new area and pages the user there, so the legitimate user is subsequently unreachable for mobile services.

Can 3G security architecture counteract this attack: Yes

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of location update requests allow the serving network to verify whether the requests are genuine.

4.1.3. Camping on a false BS:

Description:

This attack requires a modified BS. It exploits the weakness that the user can be enticed to camp on a false BS. The user is then out of reach of the paging signals of the serving network in which he is registered.

Can 3G security architecture counteract this attack: No

The 3G architecture does not counteract this attack. However, the DOS in this case only persists as long as the attacker is active; the attack stops only when the attacker chooses to stop. This attack is similar to radio jamming, which is very hard to counteract effectively.

4.1.4. Camping on a false MS/BS:

Description:

This attack requires a modified MS/BS. The weakness is again that the user can be enticed to camp on a false base station. A false MS/BS can act as a repeater for some time, relaying any request from the target user, while simultaneously modifying or ignoring certain service requests and paging messages related to the target user.

Can 3G security architecture counteract the attack: No

The 3G security architecture does not prevent a false MS/BS from relaying messages between the service provider and the target user. Integrity protection of critical messages can nevertheless help to prevent some attacks, such as DOS induced by modifying messages. As with the attack above, the DOS persists only as long as the attacker is active, and like radio jamming it is difficult to stop.

4.2. Identity catching:

Some of the attacks that are categorised against the user identity confidentiality:

4.2.1. Passive identity catching:

Description:

This attack requires a modified MS. It exploits the weakness that the network requests the identity of the user to be sent in clear text.

Can 3G security architecture counteract the attack: Yes

This attack is counteracted by the identity confidentiality mechanism. The temporary identities allocated by the service provider make this attack inefficient: a passive eavesdropper must wait for a new registration or for a mismatch in the service provider's database before the permanent identity of the user is sent in clear text. The permanent identity may additionally be protected even on new registrations or database failures, in order to be robust against more active attacks.

4.2.2. Active identity catching:

Description:

This attack requires a modified BS. The attacker uses the BS to exploit the weakness that the MS can be requested to send the permanent user identity in clear text, by claiming that the temporary identity cannot be resolved because of a database failure.

Can 3G security architecture counteract this attack: Yes

This attack is counteracted by using an encryption key shared by a group of users to protect their identity at new registrations or when the service provider's temporary identity database has failed. The size of the group has to be determined carefully: if the group is small, the identity may be compromised, and if it is too large, the encryption key may be vulnerable to attack.

4.3. Impersonation of the network:

The following attacks were identified with the objective of impersonating a genuine network. The aim of these attacks is eavesdropping, or sending the user information which the user believes to originate from a genuine service provider or from the party he is connected to through the network.

4.3.1. Impersonation of the network by suppressing encryption between the target user and the intruder

Description:

This attack requires a modified BS. It exploits the weakness that the MS cannot authenticate messages received over the radio interface. The intruder entices the target user to camp on the false BS and, whenever the target user requests a service, the intruder does not enable encryption with the cipher mode command. The attacker maintains the call and obtains the required information as long as the attack remains undetected.

Can 3G security architecture counteract this attack: Yes

A mandatory cipher mode command with message authentication and replay inhibition is used. This allows the mobile to verify that encryption has not been suppressed by an attacker.

4.3.2. Impersonation of the network by suppressing encryption between the target user and the true network.

Description:

This attack requires a modified BS/MS. It exploits the weakness that the network cannot authenticate messages received over the radio interface. The intruder entices the user to camp on the false BS/MS. When a call is set up, the false BS/MS modifies the ciphering capabilities reported by the MS to make it appear that a genuine incompatibility exists. The network then starts an unciphered connection; at that point the intruder cuts the connection to the network and poses as the network towards the target user.

Can 3G security architecture counteract this attack: Yes

In 3G the network verifies whether encryption has been suppressed by an attacker, using a mobile station class mark protected with message authentication and replay inhibition.
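The countermeasure named in 4.3.1 and 4.3.2 modelled from the defender's side, as an added example (not the thesis's own code and not the 3GPP message encoding). The network echoes the security capabilities it received from the MS inside an integrity-protected security mode command; the MS accepts the command only if the MAC verifies under the IK agreed during AKA, the counter is fresh (replay inhibition) and the echoed capabilities match what it actually sent. A false BS without IK cannot forge the command, and a modification of the unprotected initial capability message is exposed by the mismatch. The message layout, the HMAC-SHA256 integrity tag in place of f9 and the capability names are assumptions for this example.

```python
"""UE-side check of an integrity-protected security mode command (illustrative)."""
import hmac
import hashlib
import json

UEA0, UEA1 = "UEA0", "UEA1"  # UEA0 = no encryption, UEA1 = the KASUMI-based f8


def mac_i(ik: bytes, body: dict) -> bytes:
    """32-bit integrity tag over a canonical encoding of the message body
    (stand-in for f9 over the RRC message; assumption)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ik, payload, hashlib.sha256).digest()[:4]


def network_select(received_caps: list, ik: bytes, count_i: int) -> dict:
    """Serving network: pick the strongest algorithm it believes the MS supports and
    send an integrity-protected command that echoes the capabilities it received."""
    chosen = UEA1 if UEA1 in received_caps else UEA0
    body = {"count": count_i, "chosen": chosen, "ue_caps_echo": sorted(received_caps)}
    return {"body": body, "mac": mac_i(ik, body)}


def ue_accept(cmd: dict, own_caps: list, ik: bytes, last_count: int) -> bool:
    """MS: accept only if the MAC verifies, COUNT-I is fresh, and the echoed
    capabilities equal the ones the MS really sent in its class mark."""
    body = cmd["body"]
    if not hmac.compare_digest(cmd["mac"], mac_i(ik, body)):
        return False  # forged or altered command (no IK on the false BS)
    if body["count"] <= last_count:
        return False  # replayed command
    if body["ue_caps_echo"] != sorted(own_caps):
        return False  # class mark altered in transit: encryption would be suppressed
    return True
```

The check protects the negotiation, not the policy: if the genuine network legitimately selects UEA0 for a user whose class mark really advertises only UEA0, the command is accepted, which is the residual exposure the thesis discusses under hijacking with encryption disabled.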

4.3.3. Impersonation of the network by forcing the use of a compromised cipher key.

Description:

This attack requires a modified BS. If the attacker possesses a compromised authentication vector, he exploits the weakness that the user has no control over the cipher key. The intruder entices the user to camp on the false BS/MS and, when the user sets up a call, the BS/MS forces the use of the compromised cipher key on the mobile user. The intruder maintains the call as long as he wants to remain active or remains undetected.

Can 3G security architecture counteract this attack: Yes

The USIM uses the sequence number in the challenge to verify the freshness of the cipher key and thus to detect whether a cipher key is being forced by reusing a compromised authentication vector. However, the architecture does not protect against the forced use of a compromised authentication vector that has not yet been used to authenticate the USIM. Thus networks are still vulnerable to attacks using compromised authentication vectors that have been intercepted in transit from the authentication centre or obtained by compromising nodes of the service provider's network.

4.4 Eavesdropping on user data

Some of the attacks are with an objective of eavesdropping on the user data. All the transmissions between the target user and genuine network are eavesdropped.

4.4.1. Eavesdropping on the user data by suppressing encryption between the target user and the intruder

4.4.2. Eavesdropping on the user data by suppressing of encryption between the target user and the true network

4.4.3. Eavesdropping on the user data by forcing the use of a compromised cipher key

4.5. Impersonation of the user

4.5.1. Impersonation of the user through the use by the network of a compromised authentication vector

Description:

This type of attack requires a modified MS, and the intruder needs to possess a compromised authentication vector which the service provider uses to authenticate its legitimate user. The intruder uses this data to pose as the target user towards the service provider and towards the other party.

Can 3G security architecture counteract this attack: Yes

The USIM uses the sequence number in the challenge to verify the freshness of the cipher key and thus to detect whether a cipher key is being forced by reusing a compromised authentication vector. However, the architecture does not protect against the forced use of a compromised authentication vector that has not yet been used to authenticate the USIM. Thus networks are still vulnerable to attacks using compromised authentication vectors that have been intercepted in transit from the authentication centre or obtained by compromising nodes of the service provider's network.

4.5.2. Impersonation of the user through the use by the network of an eavesdropped authentication response

Description:

This type of attack requires a modified MS. The weakness exploited is that an authentication vector may be used several times. The intruder eavesdrops on the authentication response sent by the user and replays it whenever the same challenge is sent. Ciphering can subsequently be avoided by any of the methods described above. The intruder then uses the overheard data to pose as the target user towards the service provider and other parties.

Can 3G security architecture counteract this attack: Yes

With USIMs, authentication vectors cannot be reused, because of the sequence numbers. The sequence number indicates the freshness of the authentication.

4.5.3. Hijacking outgoing calls in networks with encryption disabled

Description:

This type of attack requires a modified BS/MS. Once the target user has camped on the false BS/MS, the intruder pages the target user for his incoming calls. When the target user sets up a call, the intruder relays the communication between the service provider and the target user, but modifies the signalling elements so that it appears that the target user wants to make a call. The network leaves encryption disabled, and after authentication the intruder drops the target user's connection with the service provider and uses the same connection to make a fraudulent call on the target user's subscription.

Can 3G security architecture counteract this attack: Partly

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of connection set-up requests allow the serving network to verify whether the requests are genuine. After the initial connection is established, if the connection is unenciphered, periodic integrity protected messages protect against hijacking. However, the channel could still be hijacked between two periodic integrity messages; this limits the attacker's use of the channel but does not prevent it. In general, any connection on which ciphering is disabled is vulnerable to some degree of hijacking.

4.5.4. Hijacking outgoing calls in networks with encryption enabled

Description:

This attack requires a modified BS/MS. In this type of attack the intruder has to suppress encryption by modifying the messages in which the MS informs the network of its ciphering capabilities.

Can 3G security architecture counteract this attack: Yes

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of connection set-up requests allow the serving network to verify whether the requests are genuine. The protected MS class mark and connection set-up messages help to prevent the suppression of encryption.

4.5.5. Hijacking incoming calls in networks with encryption disabled

Description:

This type of attack requires a modified BS/MS. While the target user is camped on the false BS/MS, an accomplice of the intruder calls the target user. The intruder relays the communication between the service provider and the target user until authentication and call set-up between the user and the serving network are complete. Once the call is set up, the service provider does not enable encryption, and the intruder cuts the target user's connection with the network and uses the connection to answer the call made by his accomplice. The target user has to pay the roaming charges.

Can 3G security architecture counteract this attack: Partly

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of connection set-up requests allow the serving network to verify whether the requests are genuine. After the initial connection is established, if the connection is unenciphered, periodic integrity protected messages protect against hijacking. However, the channel could still be hijacked between two periodic integrity messages; this limits the attacker's use of the channel but does not prevent it. In general, any connection on which ciphering is disabled is vulnerable to some degree of hijacking.

4.5.6. Hijacking incoming calls in networks with encryption enabled

Description:

This type of attack requires compromising or modifying a BS or MS. In this type of attack the intruder has to suppress encryption.

Can 3G security architecture counteract this attack: Yes

Integrity protection of critical messages protects against this type of attack. In particular, data authentication and replay inhibition of connection set-up requests allow the serving network to verify whether the requests are genuine. The protected MS class mark and connection set-up messages help to prevent the suppression of encryption.

Abbreviations

AMPS: Advanced Mobile Phone Systems

NMT: Nordic Mobile Telephone

TDMA: Time Division Multiple Access

FDMA: Frequency Division Multiple Access

CDMA: Code Division Multiple Access

ITU: International Telecommunication Union

IMT: International Mobile Telecommunication

IMT - MC: IMT - Multi Carrier

IMT - SC: IMT - Single Carrier

IMT -

IMT -

IMT -

BS: Base Station

MS: Mobile station

REFERENCES:

[] 3rd Generation Partnership Program. Cryptographic Algorithm R
