GSM and UMTS Security
GSM : Introduction, Brief History and How It Works
GSM originally stood for The Group Spéciale Mobile, a French organisation who wanted to create a digital standard for all European countries that stayed as close to the established ISDN as possible. Eight years later, in 1990, using the same initials, they produced the first Global System for Mobile Communication specification. Today, it has come a long way and is now used by over a billion people, in over 200 countries, making it 70% of the world’s mobile phone market.
Map of the world showing GSM coverage
Courtesy of www.3gamericas.org
In Europe, the GSM network is handled by the European Telecommunications Standards Institute and the GSM Association. The main method of GSM use in Europe is GSM 900, which uses two separate bands for uplinks and downlinks, namely 890-915Mhz and 935-960Mhz respectively.
GSM can handle three different types of service. Bearer services are for interacting with the IDSN and PSDN areas of the network. Tele services are the basic services you expect from a mobile phone: high-quality encrypted voice transmissions, Short Message Service (up to 160 characters) and fax facilities. These services were later enhanced when features such as the Wireless Application Protocol (WAP) promoted internet applications and the general packet radio service (GPRS) which enabled larger packets of data to be sent, hence adding more features and a new ‘data based’ way for companies to bill customers rather than the usual time based way. Supplementary services are network provider services such as call forwarding and user identification.
The GSM Network is best described by breaking it up into its three main components. The Base Station Subsystem is made up of many base transceiver stations (BTC) which handles all reception and communication to your mobile phone. These BTCs come in many shapes and forms, with different ranges and capacities. Together these BTCs form a cell structure to cover the entire area with cells, large and spread out in rural areas and small and tight in urban areas. There even exist picocells for use indoors in shopping centres, airports, etc. These BTCs communicate with a base station controller (BSC) which controls the ‘handover’ (i.e. when you go from one cell to another, so that your call isn’t dropped), ‘paging’ (i.e. sending out a signal to which a specific phone responds) and connecting to the mobile switching centre (MSC).
This MSC is the backbone of GSM and is in the Network and Switching Subsystem. It performs tasks such as handover between different BSCs and supplementary services mentioned above. Also in this part of the network is the home location register (HLR) and visitor location register (VLR). These work together as a database of user information for all people in the network and the immediate location area. While the HLR stores the user records permanently, the VLR dynamically stores the user records of people in their location area to save time connecting to the HLR.
The third component is the Operation Subsystem, which contains an authentication centre (AUC) and equipment identity register (EIR), is used for security.
The flash movie below shows how these components work together to connect a phone call
GSM security is needed to provide the customer of a network with anonymity and privacy when making a call, to ensure the network operator bills the correct customer and to make sure that operators don't interfere with each other either accidentally or intentionally.
The first thing the network must do is identify and authenticate the customer. To do this the network sends a 128-bit challenge to the customer phone. The SIM in the phone then uses the A3 algorithm and the Individual Subscriber Authentication Key (Ki, Unique to every different SIM) to compute a Signed RESponse(SRES) and sends it back to the base station. If the SRES matches the pre-computed value in the base station the next step takes place.
Here the SIM uses a different algorithm, A8, Ki and the original challenge to compute a Session Key (Kc) and sends this to the base station. This session key is now used along with the A5 algorithm to encrypt the data for over the air tranmission.
Courtesy of www.cs.huji.ac.il/~sans/ students_lectures/GSM%20Security.ppt
The A3 and A8 algorithms implemented on the SIM are usually used together as one algorithm (A38) to compute SRES and Kc in parallel. These two algorithms use COMP-128 a keyed hash function. It takes the 128-bit challenge, the 128-bit Ki as inputs and outs a 128-bit value, split into: 32bits of the challenge, 32bits for the SRES, and 64bits for the Kc. This algorithm can be broken in about 8 hours, and the specification for COMP-128 is readily available on the Internet . This has lead to new versions of COMP-128 coming out.
The A5 algorithm is a stream cipher. It is implemented very efficiently in hardware and the design was never made public. There are 3 different versions of A5: A5/1 a strong versions, A5/2 a weak version and A5/3 based on algorithms used n 3G phones. There is also A5/0 but it has no encryption.
These algorithms can also be cracked fairly easily. By analysing the output of A5/1 for 2 minutes it can be cracked in less then a second. The weaker A5/2 algorithm can be cracked in milliseconds and attacks against A5/3 have been described.
All handsets have a International Mobile Equipment Identity (IMEI) number that is stored in the Equipment Identity Register (EIR). This number is totally independent of the SIM and completely unique. The EIR has classifications for every IMEI number: White: Valid phone. Grey: Phones to be tracked. Black: Barred phones. (Lost or stolen)
Individuals can be identified by the International Mobile Subscriber Identity on their SIM. To avoid people listening for this a temporary IMSI is sent when communicating with the base station, when the phone is switched on or a call is being initialised.
UMTS - Introduction, Brief History and How It Works
We live in technological age where innovative techniques in telecommunications continue to allow us to move forward into a mobile world, allowing effortless portability of information. Since the early 1990's market leaders such as Siemens have been developing and improving 3rd generation (3G) telecommunications standards in order to provide bandwidths that would allow high quality video transmissions. One of their aims was to define a world wide accepted standard to give users international wireless coverage area of service. The result of this gave rise to UMTS (Universal Mobile Telecommunications System), as defined by the International Telecommunications Union (ITU).
UMTS technology is a further development of the second generation GSM (Global System for Mobile) communication standard. It uses a new transfer procedure for wireless data transfer between a mobile phone and a base station. UMTS aims to provide a broadband, packet-based service for transmitting video, text, digitized voice, and multimedia at data rates of up to 2 megabits per second while remaining cost effective.
UMTS is built on top of the existing GSM infrastructure and integrates both packet and circuit data transmission. The design allows UMTS to be used in parallel with GSM therefore allowing reception in areas where UMTS has not yet been fully implemented. Integration of these two components leads to a smooth transition into UMTS, so GSM is still very important and will continue to run in parallel for some years to come (as shown in the graph below). UMTS separates itself from GSM by using different frequency bands. With its fast transmission rates UMTS offers a wide array of multimedia services and parallel applications such as surfing the web while still talking on the phone.
The world wide roaming access provided by UMTS is implemented using a combination of cell sizes, giving service to the isolated regions of the world. The cells are "In building" Pico cells, "Urban" Micro cells, "Suburban" Macro cells and "Global" World cells. FDD (Frequency Division Duplex) and TDD (Time Division Duplex) are the two operating modes that allow users to avail from this wide spectrum of usage. The FDD mode is appropriate for general urban and rural areas and uses W-CDMA to provide data rates of up to 384 Kbit/s with high mobility. TDD is suited for hot spots and general urban areas. It uses TD-CDMA, and operates in Pico and Micro cell environments. Mobility is low but data rates are high (2 Mbit/s). As TDD allows for asymmetric access mobile operators can offer mobile broadband data service in areas of high density such as office complexes.
CDMA (Code Division Mulitple Access) is an access procedure that enables multiple participants to telephone simultaneously via a single base station, while their conversations are kept separate. UMTS utilizes CDMA as it is far better suited for fast data stream transfer.
UMTS security builds on the security of GSM, inheriting the proven GSM security features. This maximizes the compatibility between GSM and UMTS i.e. GSM subscribers roaming in a UMTS network are supported by GSM security features. UMTS also provides a solution to the weaknesses of GSM security and adds security features for new 3G radio access networks and services.
UMTS consists of five security feature groups:
1) Network Access Security (A in diagram below) provides
users with secure access to UMTS services and protect against attacks on
the radio access link.
2) Network Domain Security (B in diagram below) protects against attacks on the wireline network and allows nodes in the provider domain to exchange signaling data securely.
3) User Domain Security (C in diagram below) provides secure access to mobile stations.
4) Application Domain Security (D in diagram below) allows the secure exchange of messages between applications in the user and in the provider domain.
5) Visibility and configurability of security allows the user to observe whether a security feature is currently in operation and if certain services depend on this security feature
TE: Terminal Equipment
USIM: User Service Identity Module
SN: Serving Network
HN: Home Network
MT: Mobile Termination
AN: Access Network
Unlike GSM, which has authentication of the user to the network only, UMTS uses mutual authentication which means the mobile user and the serving network authenticate each other, providing security against false base stations. This mutual authentication uses an authentication quintet which helps to ensure that a bill is issued to the correct person. The authentication quintet consists of the user challenge (RAND), expected user response (X(RES)), the encryption key (CK), the integrity key (IK) and the authentication token for network authentication (AUTN). Also UMTS provides a new data integrity mechanism which protects the messages being signaled between the mobile station and the radio network controller (RNC). The user and network negotiate and agree on cipher and integrity algorithms. Both the integrity mechanism and enhanced authentication combine to provide protection against active attacks on the radio interface.
Diagram courtesy of http:www.isrc.rhul.ac.uk/useca/OtherPublications/IIR-overview.pdf
K: Subscriber Authentication Key
SQNms: Sequence number information at user
SQNhe: Sequence number information at home system
UE: User Equipments / SIM
VLR: Visitor Location Register
HLR/AuC: Home Location Register/ Authentication Centre
UMTS provides enhanced encryption which ensures that messages are not available to unauthorized users. With UMTS, encryption is completed in the radio network controller (RNC) rather than the base station, as is the case with GSM. The improved confidentiality has come about by using longer encryption key lengths, which (along with other UMTS security functions) are easier to upgrade than the GSM counterpart. Also, as GSM’s ciphering keys were not secure, UMTS added a confidentiality algorithm.
UMTS also provides different security features for maintaining identity confidentiality.
1) User identity confidentiality is maintained by ensuring
the permanent user identity (IMSI) of a user using the service cannot be
eavesdropped on the radio link. 2) User location confidentiality means
that one cannot determine whether the presence of a user by eavesdropping
on the radio access link.
3) User untraceability ensures that it cannot be determined if different services are available to the same user by eavesdropping on the radio access link.
It is clear to see UMTS boasts many security advantages over GSM including a data integrity mechanism, enhanced authentication and encryption, identity confidentiality, a potential for secure roaming and greater facilities for upgrading. However UMTS also has security problems. For example everything that could happen to a fixed host attached to the internet could also happen to a UMTS terminal. Also if encryption is disabled hijacking calls is possible. And if the user is drawn to a false base station, he/she is beyond reach of the paging signals of the serving network. Finally when the user is registering for the first time in the serving network the permanent user identity (IMSI) is sent in cleartext.
Even though it is clear that UMTS and 3G improves on GSM in many ways, including security, GSM will still remain a strong part of the world's phone network for a few years to come if only to provide a smooth transition to 3G.
- Friedhelm Hillebrand, GSM and UMTS : the creation of global mobile communication, 2002
- Timo Halonen, Javier Romero and Juan Melero, GSM, GPRS and EDGE performance: evolution towards 3G/UMTS , 2002
- UMTS Security by Valtteri Niemi, Kaisa Nyberg