GSM Security
GSM Security
GSM security
This article focuses on the security put in place on GSM networks. The first generation mobile phone network devices were vulnerable in a variety of ways, the most notable being connection eavesdropping and handset cloning. Subsequent mobile systems introduced protection against these attacks. Throughout this article I refer to GSM, which is the basis for the 2G network in the UK.
Before analysing the security of any system, it is important to review the design goals of the system in question. For GSM, the design goals were to provide the same protection as a fixed line system. This was achieved using cryptographic mechanisms, which were implemented to provide authentication of the handset to the network, confidentiality of the data transferred, and anonymity of the customer.
Authentication is provided using a challenge-response protocol, based around the knowledge of a pre-shared 128-bit key, Ki. The key is held at the authentication centre (AuC) for the mobile provider, and an identical copy is held on the SIM card. The AuC also generates a random number, and passes it through one of a set of algorithms, implemented at the AuC and on the mobile device. Here is the protocol run, with the terminology defined:
ME: Mobile Device <–– Wireless ––> MSC: Mobile Switching Centre <–– Wired ––> AuC: Authentication centre
RAND: 128-bit Random number Ki: 128-bit shared key Kc: 64-bit encryption key XRES: Expected response RES: Response
- MSC -> AuC: Authentication Request
- AuC generates a random number, RAND, and uses it along with Ki to compute: XRES and Kc
- AuC -> MSC: {RAND, XRES, Kc}
- MSC -> ME: RAND
- ME uses RAND and Ki from the SIM to calculate: RES and Kc
- ME -> MSC: RES
- MSC: XRES == RES ??
If the response is equal to the expected response, then authentication is successful, and the network can be sure the SIM is authentic. The transaction also set up a shared encryption key, Kc, which was never transmitted, but was calculated at both ends. This key is now used along with TDMA frame sequence numbers to generate keystream, which is fed into the stream cipher to encrypt voice traffic. Since the keystream depends on sequence numbers, it is effectively re-synchronised at each frame.
There are several problems with these security measures. The first is that the voice data is only encrypted up to the base station, which sits between the ME and the MSC. If the link between the base station and the MSC is wireless (for example, via microwave dish), the data will be sent unencrypted, and anyone with the proper sniffing equipment can gather unencrypted voice data. Another problem is that it is not unfeasible for a malicious user (or more likely, a government or security agency) to obtain a microcell, or base station, which can be configured to act as a man-in-the-middle.
This attack is possible due to the use of unilateral entity authentication, because the handset gets no guarantee of the identity of the network. 3G networks use mutual entity authentication, so rogue base station attacks can no longer be used, as the cannot know the secret key, Ki.
This has been a very quick and dirty review of GSM security. I have left out most of the details, as the article would go on forever if I hadn’t. I hope you have all learnt something from this article, please take the time to rate and comment. If I find the time I will do a follow-up on UMTS and 3G networks soon.
ghost 14 years ago
Brief but very interesting article. Would be interested to see the extent of the difference between 2G and 3G security, google time I think..
ghost 14 years ago
3G is very different, as I hinted at in the penultimate paragraph. I would have gone on but its pretty tiring work, I wrote that all myself, kot a word copied or pasted, and im still not fully comfortable with colemak so its pretty hard :s
ghost 14 years ago
I'd like to point out that 2G is not synonymous with GSM. While GSM is 2G as it's based on that technology, 2G isn't GSM as 2G doesn't have encryption as standard, just provides a more efficient way of sending information.
ghost 14 years ago
COM, I had a longer version of this written up, but I cut it down onto here, just realised I made that bit unclear. I'll amend it now.
stealth- 14 years ago
This is the type of article I like to see at HBH! Not in the way as being about phone networks, but in the way of being interesting, informative, and explanatory. I felt it was a bit short, but much better than some of the crap that's already on here. Well done :)