ACM Bangalore TechTalk – Wireless Cellular Security

ACM Bangalore Chapter was started in 2006 and today it is said to be the most active chapters in India. They conduct a regular monthly TechTalk and I was invited to be the speaker at this month’s event. I was given the liberty to choose the topic. I decided to talk about various aspects of security in wireless cellular systems.

Although I had planned for a 90-minute talk, it stretched an hour more. The audience was more curious than I had expected. The questions were intelligent. The session was quite interactive and it suited well the size of the group. About 50 attended this talk.

I do not intend to write about what I spoke. Slides of my talk be seen on ACM Bangalore’s website. I would like to touch upon some of the interesting questions that the audience posed.

Question#1 – How can a 3G phone with a GSM SIM work on a 3G network?

We must remember that ultimately everything hinges on the security context, which can be either GSM or UMTS. In either case, the same security context should be enabled on the AuC. So if GSM SIM is used, the security context on the AuC ought to be GSM, say a R98- AuC. Triplets are generated and passed on to the VLR or SGSN. Since VLR/SGSN are R99+ and they use UTRAN RAN, VLR/SGSN will have standardized conversion functions (c4 and c5) to convert Kc to CK and IK. CK and IK are then used within UTRAN RAN for securing the air interface.
Question#2 – Does number portability mean that data within an AuC is compromised?

Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that’s needs to be contacted for an incoming call.

That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
Question#3 – If I am roaming, is the AuC of the visited PLMN involved in AKA?

We know that algorithms in the SIM and AuC are proprietory and kept secret by the operator. So if I am roaming to another PLMN, will that be compromised? The answer is no. Even when roaming, the visited PLMN will contact the HLR of the Home PLMN. It is the HLR which then works with the AuC to perform AKA for the subscriber. Conclusion is that even in the case of roaming, AKA is performed only by the AuC of the Home PLMN. No other AuC is involved.

Question#4 – Why do we have Counter Check Procedure in RRC when we will anyway be unable to decrypt encrypted data if counters are not synchronized?

This procedure was introduced to prevent “man-in-the-middle” attacks. The procedure is invoked to check that all counters are synchronized. It is true that if the receiver is unable to decrypt an already encrypted message, we can probably say that the counters have gone out of synchronization. However, such a case may arise for radio bearers transmitting data. What about those bearers which are idle? Also, RLC-UM and RLC-AM will not know if data has been corrupted or bogus. Only the application can determine that. This procedure facilitates the check of counters on all radio bearers. This gives the network more information. It may close the RRC connection or it may decide to inform MM to start a new AKA.

Question#5 – When changing ciphering key in UMTS, how is the transition from old to new keys managed?

There are activation times within the Security Mode procedure at RRC. Security Mode Command contains RLC SN (RLC UM and AM) and CFN (RLC TM) when the change will be activated on the DL. For the UL, UE send back in the Security Mode Complete the RLC SN at which the change will be made. In addition to this, RLC transmission is suspended on all bearers with exception of the SRB on which the procedure is executed. This is a precaution that takes into account a slow response in receiving Security Mode Complete. Even when RLC entities are suspended they are commanded to suspend only after a certain number of PDUs.

Question#6 – What’s the use of FRESH as an input to f9 integrity algorithm in UMTS?

Changing FRESH gives additional protection without requiring a new AKA for key refreshment. This may happen for instance after SRNS Relocation. However, I have no insights into actual network implementations in this regard.

Question#7 – At which layer do ciphering and integrity happen?

GSM – ciphering happens at PHY in MS and BTS.

GPRS – ciphering happens at LLC in MS and SGSN.

UMTS – ciphering happens at RLC (for UM and AM) and MAC (RLC-TM) in UE and RNC. Integrity happens at RRC in UE and RNC.

Question#8 – When we enter a new location area and Location Updating Procedure is initiated, will it also involve AKA?

Not necessarily. If the CKSN/KSI sent in the Location Updating Request is a valid value and network decides that current keys can continue to be used, no new AKA will be started. For this to be possible, the new VLR must be able to contact the old VLR to retrieve the security context of the mobile.

MPLS on a WiMAX Base Station

Recently I was asked if WiMAX base stations come with MPLS support. This might have sounded an innocuous question for someone from an IP background. If you are from a wireless background like I am, it might sound a little strange. A WiMAX base station provides wireless connectivity at the physical layer. In particular, WiMAX provides last mile connectivity to the end user. It can also be used to provide point-to-point (PTP) backhaul links.

From this perspective, anything above the physical layer can run transparently on WiMAX. While this is so, WiMAX has defined Convergence Sublayers (CS) at its interface which can then be mapped correctly to 802.16 MAC layer before the packets are sent on the wireless channel. The supported CS Specifications include ATM and Packet (IPv4, IPv6, Ethernet, 802.1Q-VLAN) CS. So where does MPLS fit in, if at all?

MPLS is a technology that sits between Layer 2 and Layer 3. It can be seen to be outside the scope of a WiMAX base station and certainly outside the scope of the WiMAX standards. This is where we, as engineers, have to look at the whole thing from a deployment and operational angle.

Firstly, operators want MPLS because of the many advantages it offers. It leverages on both IP and Ethernet, technologies which are cheap and ubiquitous. It offers QoS. It provides multipoint connectivity but in a simpler way than IP. Its faster to switch at Layer 2 using labels than perform routing decisions at Layer 3. The attractiveness about MPLS in the coming years is that it is set to enable the move towards all-IP transport networks. When IP replaces TDM and ATM architectures, MPLS is set to play a major role.

So operators are interested in MPLS. Before they install new devices into their network, they want to know if it supports MPLS. The problem is that there is a clear distinction between core networks and access networks. MPLS is usually limited to the core. However, there has been significant push towards bringing MPLS to the access networks. This enables end-to-end traffic engineering, right up to the WiMAX base station. 3ROAM offers such a base station with MPLS built-in. Likewise, New Edge Networks is another company that is taking MPLS beyond the core to edge networks.

What if the WiMAX base station did not support MPLS? In this case, an MPLS-enabled network would terminate at an MPLS edge router (ingress or egress). This router would then be co-located and connected to the WiMAX base station. The problem for the operator in this situation would be to have a router for every base station. This is simply not cost-effective.

In general, WiMAX base stations operate in bridge mode (Layer 2) or routing mode (Layer 3). If a base station has to be MPLS-enabled, it has to work in Layer 3 mode. In other words, the base station doubles as an ingress/egress router. It does more than simply provide wireless connectivity.

Sprint has in its long-term roadmap this architecture in mind for backhauling of its WiMAX network. Sprint’s WiMAX base stations would be  MPLS-enabled and the backhaul between such a base station and its ASN Gateway would be IP over MPLS. One of Sprint’s providers for its WiMAX backhaul is Ciena which uses PBB-TE. This may very well carry IP over MPLS right up to the base station. The backhaul itself is wireless with equipment supplied by DragonWave.

To answer the question with which we started, WiMAX base stations may very well support MPLS for cost-effectiveness from operator’s point of view. Practically, it makes a difficult case since the MPLS-enabled network is likely to be from a different provider than the base station itself. Integration becomes an issue. It is well-known that managing an MPLS network is a challenge and requires a steep learning curve. Nonetheless, MPLS may be that small factor to choose one base station over another when an operator is unable to decide otherwise.

Markup Language for the Wireless World

While HTML has been the traditional markup language for the wired world, it was too complex and not strictly structured to suit the wireless world. To start with, mobile devices of the early days were power hungry and less on resources. Due to such limitations devices would end up implementing them in a partial way leading to a disconnect between content providers and mobile browser support. It is therefore no surprise that in the early days mobile devices did not support HTML. Rather, a few proprietary markup languages reared their independent heads (HDML from Openwave, ITTP from Ericsson, TTML from Nokia). From the point of adoption, they were never independent. Independence comes only by way of standardization.

Standardization is a beautiful thing. Like we use English universally as a language of choice, it enables content to run on any number of browsers that conform to the standard. It builds competence by enabling developers to learn one language and use it across many projects and companies. It is something that’s good for the industry, those who work in it and consumers of devices. It is that comfort and familiarity that in a fast changing and varied world, there are some things that help us (and our devices) to connect.

The currently recommended standard for the wireless world comes from Open Mobile Alliance (OMA). It is called XHTML-MP which was standardized way back in 2000. Almost a decade has gone and it is still going strong. It’s predecessor, WML, was in rage for many years but all new websites meant for the wireless world are using XHTML-MP. When WML came out, it was right for the mobile devices of the time. HTML was too complex for those devices with small screen, static display, monochrome rendering and little by way of scrolling. WML had this concept of deck/cards that made best use of precious air resources. It introduced compression in the form of WAP Binary XML (WBXML). It had programmable softkeys that was a great idea to ease user interaction. It enabled client-side scripting through its WML Scripting. So WML was a success, at least for a while.

Figure 1: Timeline of Markup Languages

The problem with WML was that it was too different from HTML. When WML came out in 1998, HTML had been around for a good number of years. This coupled with the steady growth of the Internet and the popularity of HTML, meant that it had it all – better browers, better and larger developer community, better tools. Websites written in HTML could not easily be viewed on mobile devices. Site developers had to re-write in WML.

In an effort to bring WML closer to HTML, a radical approach was adopted. Dump WML and create something new out of XHTML (eXtensible HyperText Markup Language), a new standard. This may be appalling to many on account of its backward incompatibility but this has been a sensible and logical decision on part of the standardization community. During the time WML has evolved, a new language had taken shape that had revolutionized every other language – XML. XML had become a popular language for data representation. It was being used in backend processing, data storage or transfer. It was being used on websites to represent data processed or rendered on client-side by Javascript or Flash. XHTML is in fact a combination of both XML and HTML – the former provided strictness of structure while the latter provided document semantics.

XHTML formed the basis of XHTML Basic, a stripped down version that was suitable for adoption by the mobile community. That’s exactly what they adopted it but they extended XHTML Basic into what we call XHTML-MP, XHTML Mobile Profile. This is the beauty of XHTML – it is extensible and modular without loss of strictness in its syntax. One of the extensions over XTHML Basic is the use of WAP CSS. XHTML-MP is also influenced by cHTML (Figure 2), which is a standard used by NTT DoCoMo in its iMode.

Figure 2: Evolution of XHTML-MP

XHTML-MP is the official markup language for WAP 2.0. All sites for WAP 2.0 must use only XHTML-MP. Although WML 2.0 exists, it is only WML 1.x re-engineering with XHTML syntax for backwards compatibility. WML 2.0 is rarely used and is discouraged.

XHTML-MP has worked well so far. It’s future however is not so certain. With devices getting better all the time, with mobile phones getting almost as good as laptops, with better browsers such as Opera Mini that is able to display full websites in XHTML on devices with bigger colour screens, site developers may forget about XHTML-MP in the years to come.

Software Testing – How, When and Who?

There are so many different techniques to test software. Sometimes it is difficult to decide what technique is most suitable. In part, the decision also depends on the software development phase. A techique that applies at unit test phase may not necessarily be suitable for acceptance testing.

Table 1 is a summary of the different techniques commonly used, mapped against testing phases. All applicable mappings are shaded in green. The table also gives the mapping of the roles of particular teams during the testing cycle. Definitions of different testing techniques can easily be found on many websites [1,2] and books [3,4].

Table 1: Testing Techniques and Roles Mapped against Testing Phases

This mapping is based on my personal experience with testing. Every system is different. In some cases it may make sense to use a particular technique in a certain phase even if such a mapping is not listed in Table 1. For example, the table indicates the “Load & Stress Testing” does not apply to the integration phase. In some projects, it may make sense to do this during integration if the designer knows that the performance bottleneck for the system is at the interfaces.

Knowing correctly what to test – which dictates how to test – when indicates a certain maturity of the product team and management. It involves an understanding of the sytem, in and out. In involves anticipating things that could go wrong. It involves application of prior experience and collective knowledge building.

For example, it is easy to understand why “Usability Testing” should be performance during product acceptance but why would anyone want to do that during “Unit Testing”? Such a test performed at an earlier stage gives scope for user feedback and avoid expensive rework at a later stage. Another example is “Intrusive Testing” which is a dangerous activity during system integration and beyond, simply because the system could be delivered with the changes. If a similar test is needed at system integration phase, “Negative Testing” is better suited.

It will be seen that some activities span the entire test cycle. Regressing and test automation go hand-in-hand in many projects. The degree of automation and regression vary from project to project based on how much of present resources can be spared or how often the product undergoes changes.

Considering the test teams, it is seen in Table 1 that either development team or integration team may perform integration. The former is true of small organizations and the latter for bigger organizations. In general, there is no separate team for performing system integration. This is generally done by the test team straight after system testing.

References

1. http://www.aptest.com/testtypes.html
2. http://www.softwaretestinghelp.com/types-of-software-testing/
3. John Watkins. Testing IT: An Off-the-Shelf Software Testing Process. Cambridge University Press. 2001.
4. Publications of the Software Testing Institute.