
Fundamentals of

Cellular and Wireless Networks


Lecture ID: ET- IDA-113/114

Lecture-9

Mobile Security Fundamentals-III


3rd Generation Security and Public Key Systems

20.07.2012 , v11
Prof. W. Adi

Technical University of Braunschweig

IDA: Institute of Computer and Network Engineering

Cellular & Wireless Networks


New Trends in Mobile Security


Lessons learned in security design:
Successful attacks on the secret GSM ciphers A5 and COMP128 (1999-2003)
led to standardizing publicly known and reviewed ciphers
in the 3rd generation mobile systems

AES is a new International Ciphering Standard


AES
Advanced Encryption Standard
Proposed for 3G Mobile Authentication Functions
International Standard competition managed by NIST
(US National Institute of Standards and Technology), 1998-2001

AES Winner Algorithm: The Rijndael Block Cipher, Decision Oct. 2000

AES Round-3 Finalist Algorithms (finalized in 2001)

MARS: IBM (USA)
RC6: R. Rivest (MIT), creator of the widely used RC4 (USA)
Twofish: Counterpane Internet Security, Inc. (USA)
Serpent: Ross Anderson, Eli Biham and Lars Knudsen (USA)
Rijndael: Designed by J. Daemen and V. Rijmen (Belgium)

Joan Daemen (of Proton World International)
Vincent Rijmen (of Katholieke Universiteit Leuven).

Rijndael: Basic concept


Key (key size 128 to 256 bits)
Key Expansion
Round Keys: K1, K2, ..., K9, K10
10 Encryption Rounds: R1 ... R10

[Diagram: the Key Expansion turns the Key into the Round Keys K1 ... K10, which feed the rounds R1 ... R10]

Rijndael AES: Basic Encryption Round Functions


Clear Text (16 bytes): a1, a2, a3, ..., a16

Byte sub (on each byte a1 ... a16, giving b1 ... b16): $b = [M]\,a^{-1} + C$
The only non-linear mapping !

Transposition

Mix column (on each of the four columns; A and B are 4 x 32 bits): $B = [C]\,A$
Linear mapping

Round-Key Ki (128 bits)

Cipher Text (16 bytes)

Security of AES/ Rijndael


- Published to the scientific community 1998
- Is still not broken !!
- No proof that Rijndael can not be broken !!


Important Lessons in Security Design


2nd Generation security lessons

Experts learned over the years that the only way to assure security is:
- follow an open design process
- encourage public scientific review
Nobody is better than the rest of the research community.


New 3G Security Features 1/2


Network Authentication
The user can provably identify the network

Network Security
Mechanisms to support security within and between networks

Switch Based Security


More switch based secrecy rather than only to base station

IMEI Integrity
Integrity mechanisms for IMEI provided from login

Secure Services
Protect against misuse of services provided by Service Network
and Home Environment


New 3G Security Features 2/2


Secure Applications
Provide security for applications resident on USIM

Fraud Detection
Mechanisms for combating fraud in roaming situations

Flexibility
Security features can be extended and enhanced as required by new
threats and services

Visibility and Configurability
Users are notified whether security is on and what level of security is available.
Users can configure security features for individual services

Lawful Interception
Mechanisms to provide authorized agencies with certain information about subscribers

In the following slides, the main 3G security functions are summarized.


3G User Confidentiality
User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be
determined by eavesdropping
Achieved by use of temporary identity (TMSI) which is assigned by VLR
(IMSI is sent in clear text when establishing TMSI)

[Message sequence between Mobile (USIM) and Network (VLR: Visiting Location Register)]
Network to Mobile: IMSI request
Mobile to Network: IMSI
Network to Mobile: TMSI allocation
Mobile to Network: TMSI acknowledgement

Mutual Authentication Mechanism 1/2


Mutual Authentication
During Authentication and Key Agreement (AKA) the user and network
authenticate each other, and also they agree on cipher and integrity key
(CK, IK). CK and IK are used until their time expires.
Assumption: trusted HE and SN, and trusted links between them.
After AKA, security mode must be negotiated to agree on encryption and
integrity algorithm.


3G Mutual Authentication Mechanism 2/2


Generation of authentication data at Home Network site
Generate SQN, Generate RAND
Inputs: K, SQN, RAND, AMF
f1 → MAC, f2 → XRES, f3 → CK, f4 → IK, f5 → AK

AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN

Generation of authentication data at Mobile site
Inputs: K, RAND and AUTN (SQN ⊕ AK, AMF, MAC)
f5 → AK, f1 → XMAC, f2 → RES, f3 → CK, f4 → IK
Verify MAC = XMAC
Verify that SQN is in the correct range

[The diagram labels the function block f1 ... f5 with AES]

AUTN: Authentication Token
K: subscriber secret key
SQN: Sequence Number
AK: Authentication Key
CK: Cipher Key
IK: Integrity Key
MAC: Message Authentication Code

3G Data Integrity Mechanism


Data Integrity
Integrity of data and source authentication of signaling data must be
provided. The user and network agree on integrity key IK and algorithm such as
f9 during AKA and security mode set-up. MAC (Message Authentication Code)
is a mapping of the digest of the message through KASUMI cipher using the
agreed integrity key IK. If MAC-I and XMAC-I are equal, the message is seen as
unmodified.

[Diagram]
Sender (UE or RNC): COUNT-I, MESSAGE, DIRECTION, FRESH, IK → f9 (KASUMI) → MAC-I
Receiver (RNC or UE): COUNT-I, MESSAGE, DIRECTION, FRESH, IK → f9 (KASUMI) → XMAC-I
Message authentic if equal

3G Data Encryption Mechanism


Data Confidentiality
Signaling and user data should be protected from eavesdropping.
The user and network agree on cipher key CK and algorithm such as f8 (KASUMI)
during AKA and security mode set-up. The generated keystream block is added
modulo-2 to the plaintext to encrypt and decrypt correspondingly.

[Diagram]
Sender (UE or RNC): COUNT-C, BEARER, DIRECTION, LENGTH, CK → f8 (KASUMI) → KEYSTREAM BLOCK
PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK → CIPHERTEXT BLOCK
Receiver (RNC or UE): COUNT-C, BEARER, DIRECTION, LENGTH, CK → f8 (KASUMI) → KEYSTREAM BLOCK
CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK → PLAINTEXT BLOCK

Problems with 3G Security


- IMSI is sent in clear text when allocating TMSI to the user
- The transmission of IMEI is not protected; Equipment identity is still not secured
- A user can be brought to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the network
- Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up

Modern Cryptography
Public-Key Cryptography
Published 1976 by Diffie & Hellman at Stanford University

- Breakthrough: Proved for the first time that it is possible to share secrets without secret agreement
- Many 3G mobile security applications in user layer are expected to employ public-key cryptography (Mobile Commerce, mobile IP applications ...)


Secret Key Systems
K-open = K-close (Symmetric System)
- Open and close with the same key which has to be agreed secretly !!

Public-Key Security Systems
K-public, K-secret
K-open ≠ K-close (Asymmetric System)
- Open and close with different keys !!
- No Secret Key Agreement required

Two major schemes in Public Key Cryptography:
- Diffie-Hellman key exchange scheme
- RSA public key secrecy system


Public-Key Cryptography Breakthrough 1976

(Diffie-Hellman)

Shared Secret without the exchange of secrets: Mechanical Scenario

[Diagram: users A and B with Secret key-A and Secret key-B, an Open Register, SHIELD and injection; both sides end with the same thing: the Shared Secret]

How to publicly hide (shield) a secret ?


One-Way function:
Secret → SHIELD → shielded secret
SHIELD = One Way Function

How:
$2^6 \bmod 11 = 9$
$\log_2 9 \pmod{11} = 6$
Discrete logarithm: no formula is known to compute $\log_2 9$ modulo 11 !

Example for Diffie-Hellman key exchange scheme 1976


Widely used in internet and banking ...
Open Agreement and Register
Shielding function is: $y = 5^x \bmod 7$

User A: Secret key-A = 3, K-open-A = $5^3 = 6$
User B: Secret key-B = 5, K-open-B = $5^5 = 3$

Shield:
A computes $(5^5)^3 = 5^{5 \cdot 3}$
B computes $(5^3)^5 = 5^{3 \cdot 5}$
! same thing ! $Z = 5^{15} = 6$
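
The shielding function and the exchange from the two slides above, as an added Python example that is not part of the original lecture. It goes beyond the slides with a generic discrete-logarithm search (baby-step giant-step), which shows that the shield hides the secret only when the modulus is large; all function names are this example's own.

```python
from math import isqrt

def shield(g, x, p):
    """The slides' one-way function: y = g^x mod p."""
    return pow(g, x, p)

def dh_exchange(g, p, secret_a, secret_b):
    """Return (K-open-A, K-open-B, Z computed by A, Z computed by B)."""
    open_a, open_b = shield(g, secret_a, p), shield(g, secret_b, p)
    return open_a, open_b, pow(open_b, secret_a, p), pow(open_a, secret_b, p)

def discrete_log(g, y, p):
    """Smallest x >= 0 with g^x = y (mod p), or None if there is none.
    Baby-step giant-step: about sqrt(p) multiplications and table entries,
    so it is feasible only while p is small."""
    m = isqrt(p - 1) + 1
    baby, e = {}, 1
    for j in range(m):                  # baby steps: g^j for j < m
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)                # g^(-m) mod p, needs gcd(g, p) = 1
    gamma = y % p
    for i in range(m):                  # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None
```

With the slide's modulus 7 the search returns Secret key-A = 3 from K-open-A = 6 at once; the work grows with the square root of p, which is why the prime has to be very large.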

Basic Public Key Secrecy System (RSA system)


(Mechanical simulation: user B wants secured message from A)

[Diagram: User A, Public register, User B]
User B: $K_o = K_c^{-1}$; Kc (close) is placed in the public register, Ko (open) stays with User B
User A: closes the message M with Kc: $(\;)^{K_c} \pmod m$, giving $M^{K_c}$
User B: opens with Ko: $(M^{K_c})^{K_o} = M^{K_c \cdot K_o} = M$

Mathematical Model of a
Public-Key Crypto-system
(using asymmetric keys)

[Diagram]
Sender: Message X → E(Zp, X) → Y = E(Zp, X)
Channel: Y
Receiver: D(Zs, Y) → Message
Receiver: Secret-Key Zs, Public-Key Zp
Public Directory (Z.., Zp, Z...): holds Public-Key Zp, which the sender uses

Is Exponentiation $y = a^x \bmod m$ a One-Way Function ?

- Theoretically not (no proof !!)
- Practically yes : under some conditions and assumptions
- Two well known functions to hide something:

Secret → $a^x$ → shielded secret
message → shielded message

To break, find : $x = \log_a y$ (Discrete Log. problem)

To break, find : M = y
(Invert... Factorization)


-1


Squaring and Square Roots modulo m (Rabin Lock)


$Y = X^2$ is a one-way function (mod m),
(where m = pq is a product of two large primes p and q)

[Diagram: X → $(\;)^2$; the reverse direction is marked "?"]

Computing the inverse function is not known (modulo m)


Famous One-Way Functions used for Public-Key Systems

Exponentiation: $Y = a^k \pmod p$ (Discrete Log. Problem)
Exponentiation: $Y = M^k \pmod m$, $m = p \cdot q$ (Factorizing Problem)
Squaring: $C = M^2 \pmod m$ (Factoring)
Knapsack Problem

$m = p \cdot q$; p, q = large primes

Public Key System Security


None of the claimed one-way functions in public key
systems is proved to be really one-way

Open question ?
Is modern security a sort of Magic
which could be disclosed at some time ?

Cryptographic Protocols
No key cryptography, Secret Sharing


No Key Cryptography : Shamir 3-Pass Protocol


[Diagram: three passes between User A and User B: Pass 1, Pass 2, Pass 3]

Omura-Massey Lock* for: Shamir's 3-Pass Protocol

Secrecy without Authenticity

p = large prime
All computations modulo p

User A: Ea = secret key, $D_a = E_a^{-1}$
User B: Eb = secret key, $D_b = E_b^{-1}$

[Diagram: the three passes between User A and User B]
Pass 1 (A to B): $M^{E_a}$
Pass 2 (B to A): $M^{E_a E_b}$
Pass 3 (A to B): $(M^{E_a E_b})^{D_a} = M^{E_b}$
User B: $(M^{E_b})^{D_b} = M$

* J.L. Massey & J. K. Omura, US Patent, 1986
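
The three passes of the Omura-Massey lock, as an added Python example that is not part of the original slides. It assumes the secret exponents are inverted modulo p - 1 (so that raising to E and then to D returns M modulo p); the function names and the small test prime are this example's own.

```python
from math import gcd
import secrets

def make_key(p, e=None):
    """Return (E, D) with D = E^-1 mod (p - 1); E is random unless given."""
    if e is None:
        e = secrets.randbelow(p - 3) + 2          # 2 .. p-2
        while gcd(e, p - 1) != 1:
            e = secrets.randbelow(p - 3) + 2
    elif gcd(e, p - 1) != 1:
        raise ValueError("E must be coprime to p - 1")
    return e, pow(e, -1, p - 1)

def three_pass(m, p, key_a, key_b):
    """Run the protocol; return ((pass1, pass2, pass3), message seen by B)."""
    if not 1 <= m < p:
        raise ValueError("message must be in 1 .. p-1")
    (ea, da), (eb, db) = key_a, key_b
    pass1 = pow(m, ea, p)          # A -> B: M^Ea
    pass2 = pow(pass1, eb, p)      # B -> A: M^(Ea Eb)
    pass3 = pow(pass2, da, p)      # A -> B: M^Eb  (A removes its lock)
    return (pass1, pass2, pass3), pow(pass3, db, p)

# Nothing in the three messages identifies who applied the second lock:
# the run completes in the same way for any responder key. This is the
# "secrecy without authenticity" caveat, so the passes have to travel
# over a channel that is authenticated by other means.
```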

Non-Perfect Secret Sharing


[Diagram]
Secret: 1001010100
Part A: 10010
Part B: 10100
Part A and Part B put together give the Secret 1001010100 again

Perfect Secret Sharing


Example: share the secret 10100 between users A and B

Random (BSS): 11101
Secret: 10100

Give User A: 11101
Give User B: 11101 + 10100 = 01001

Exchange to generate the Common Secret between A and B:
11101 + 01001 = 10100

(+ : bitwise addition modulo 2)

Appendix
Knapsack One Way Function


Knapsack One Way Function*

[Diagram: knapsack with weights labelled W1 W2 W3 W3 W4 W5; SUM = 449]

$\mathrm{SUM} = \sum_{i=1} w_i x_i$

Problem: Find X = [x1, x2, ...] where $x_i \in \{0,1\}$
Solution: X = [101010]

Easy if:
Superincreasing Knapsack: if Wi is more than the sum of all other smaller weights

* Ref. J. Massey

Merkle-Hellman Crypto System (1978)

(Broken by Shamir 1984) *

1. Multiplication with u = 113 in $Z_{199}$
easy knapsack: ... 17 35 71
hard knapsack: 27 167 108 130 174 63
secret key is Z = (m, u) = (199, 113)

2. Permute locations and publish
published knapsack: 174 27 167 63 108 130

Encrypt:
Plaintext: X = [1 0 1 0 1 0]
Cryptogram: Y = 174 + 167 + 108 = 449

Decrypt:
$Y' = u^{-1} \cdot Y = 118 \cdot 449$ in $Z_{199}$ = 48
from Y' find x = [0 1 1 0 1 0] in the easy knapsack
permute to get X = [1 0 1 0 1 0]

Conditions: gcd(u, m) = 1 and $m > \sum W_i$

* Ref. J. Massey
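
The slide's numbers carried through in code, as an added Python example that is not part of the original lecture. The easy knapsack is recomputed as u^-1 · w mod m from the hard knapsack and the secret key shown on the slide; function names are this example's own, and the scheme is shown for its arithmetic only, since the slide notes it was broken.

```python
from math import gcd

M, U = 199, 113                            # secret key Z = (m, u) from the slide
HARD = [27, 167, 108, 130, 174, 63]        # hard knapsack from the slide
PUBLISHED = [174, 27, 167, 63, 108, 130]   # permuted, published knapsack

def is_superincreasing(weights):
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True

def private_key(m, u, hard, published):
    """Derive u^-1, the easy knapsack and the permutation; check conditions."""
    if gcd(u, m) != 1:
        raise ValueError("gcd(u, m) must be 1")
    u_inv = pow(u, -1, m)
    easy = [u_inv * w % m for w in hard]
    if not is_superincreasing(easy) or m <= sum(easy):
        raise ValueError("easy knapsack must be superincreasing, m > sum")
    perm = [hard.index(w) for w in published]   # published[i] == hard[perm[i]]
    return u_inv, easy, perm

def encrypt(bits, published):
    return sum(w for b, w in zip(bits, published) if b)

def solve_easy(target, easy):
    """Greedy solution of a superincreasing knapsack, largest weight first."""
    x = [0] * len(easy)
    for i in reversed(range(len(easy))):
        if easy[i] <= target:
            x[i], target = 1, target - easy[i]
    if target:
        raise ValueError("not a valid cryptogram")
    return x

def decrypt(y, m, u, hard, published):
    u_inv, easy, perm = private_key(m, u, hard, published)
    x = solve_easy(u_inv * y % m, easy)
    return [x[perm[i]] for i in range(len(published))]
```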
