ACM Bangalore Chapter was started in 2006 and today it is said to be the most active chapters in India. They conduct a regular monthly TechTalk and I was invited to be the speaker at this month’s event. I was given the liberty to choose the topic. I decided to talk about various aspects of security in wireless cellular systems.
Although I had planned for a 90-minute talk, it stretched an hour more. The audience was more curious than I had expected. The questions were intelligent. The session was quite interactive and it suited well the size of the group. About 50 attended this talk.
I do not intend to write about what I spoke. Slides of my talk be seen on ACM Bangalore’s website. I would like to touch upon some of the interesting questions that the audience posed.
Question#1 – How can a 3G phone with a GSM SIM work on a 3G network?
We must remember that ultimately everything hinges on the security context, which can be either GSM or UMTS. In either case, the same security context should be enabled on the AuC. So if GSM SIM is used, the security context on the AuC ought to be GSM, say a R98- AuC. Triplets are generated and passed on to the VLR or SGSN. Since VLR/SGSN are R99+ and they use UTRAN RAN, VLR/SGSN will have standardized conversion functions (c4 and c5) to convert Kc to CK and IK. CK and IK are then used within UTRAN RAN for securing the air interface.
Question#2 – Does number portability mean that data within an AuC is compromised?
Not really. Number portability does not mean sensitive data from old AuC are transferred to the new AuC. The new operator will issue a new USIM which will have a new IMSI. Number portability only means that MSISDN is kept the same for others to call the mobile. The translation between MSISDN and IMSI is done at a national level register. Such a translation will identify the Home PLMN and the HLR that’s needs to be contacted for an incoming call.
That’s the theory and that’s how it should be done. It will be interesting to know how operators in India do this.
Question#3 – If I am roaming, is the AuC of the visited PLMN involved in AKA?
We know that algorithms in the SIM and AuC are proprietory and kept secret by the operator. So if I am roaming to another PLMN, will that be compromised? The answer is no. Even when roaming, the visited PLMN will contact the HLR of the Home PLMN. It is the HLR which then works with the AuC to perform AKA for the subscriber. Conclusion is that even in the case of roaming, AKA is performed only by the AuC of the Home PLMN. No other AuC is involved.
Question#4 – Why do we have Counter Check Procedure in RRC when we will anyway be unable to decrypt encrypted data if counters are not synchronized?
This procedure was introduced to prevent “man-in-the-middle” attacks. The procedure is invoked to check that all counters are synchronized. It is true that if the receiver is unable to decrypt an already encrypted message, we can probably say that the counters have gone out of synchronization. However, such a case may arise for radio bearers transmitting data. What about those bearers which are idle? Also, RLC-UM and RLC-AM will not know if data has been corrupted or bogus. Only the application can determine that. This procedure facilitates the check of counters on all radio bearers. This gives the network more information. It may close the RRC connection or it may decide to inform MM to start a new AKA.
Question#5 – When changing ciphering key in UMTS, how is the transition from old to new keys managed?
There are activation times within the Security Mode procedure at RRC. Security Mode Command contains RLC SN (RLC UM and AM) and CFN (RLC TM) when the change will be activated on the DL. For the UL, UE send back in the Security Mode Complete the RLC SN at which the change will be made. In addition to this, RLC transmission is suspended on all bearers with exception of the SRB on which the procedure is executed. This is a precaution that takes into account a slow response in receiving Security Mode Complete. Even when RLC entities are suspended they are commanded to suspend only after a certain number of PDUs.
Question#6 – What’s the use of FRESH as an input to f9 integrity algorithm in UMTS?
Changing FRESH gives additional protection without requiring a new AKA for key refreshment. This may happen for instance after SRNS Relocation. However, I have no insights into actual network implementations in this regard.
Question#7 – At which layer do ciphering and integrity happen?
GSM – ciphering happens at PHY in MS and BTS.
GPRS – ciphering happens at LLC in MS and SGSN.
UMTS – ciphering happens at RLC (for UM and AM) and MAC (RLC-TM) in UE and RNC. Integrity happens at RRC in UE and RNC.
Question#8 – When we enter a new location area and Location Updating Procedure is initiated, will it also involve AKA?
Not necessarily. If the CKSN/KSI sent in the Location Updating Request is a valid value and network decides that current keys can continue to be used, no new AKA will be started. For this to be possible, the new VLR must be able to contact the old VLR to retrieve the security context of the mobile.
Hi Arvind,
It was wonderful talk. I have posted my notes about your speech at my blog
http://layers7.blogspot.com/2009/05/securing-wireless-cellular-system.html
Comments are welcome
Manish Panchmatia
http://layers7.blogspot.com
Hi Arvind,
Its an interview question which is mostly asked.
Why ciphering for RLC TM mode is performed in MAC layer? Could you please let me know the answer.
Thanks in adv.
Rajesh.
For ciphering data, a keystream is required. This keystream is the output of the ciphering algorithm f8. For extra security, it is better if the input to f8 is varied for every generation of keystream. Varying the input makes the output less predictable.
For RLC UM and AM, PDU sequence number (SN) is used to form COUNT-C. COUNT-C is one of the inputs to f8. So, COUNT-C is different for every keystream generation. To decipher, the receiver has to first get the SN from RLC header and then call f8 using the assembled COUNT-C.
For RLC TM, there is no sequence number, there is no RLC header. So ciphering is done at MAC. In this case, CFN (which changes for every frame) is used to form COUNT-C.
Hi Arvind,
One of my colleague told me about ur session of Securing Wireless Cellular System’. I am new to this 3G world.
Can u please tell me how can USIM be authenticate in 2G network?
Actually, I want to authenticate a USIM with triplets(backward compatible) and want to configure those triplets in HLR simulator we use in one of our lab for testing purposes.
So if I have quintets in hand, how to convert these to triplets ?
Thanks in advance !1
BR,
Manuj Gupta
[…] an old colleague recently spoke in ACM, Bangalore on the topic of Security. Here is his presentation: Securing Wireless Cellular Systems […]
[…] an old colleague recently spoke in ACM, Bangalore on the topic of Security. Here is his presentation: Securing Wireless Cellular Systems […]