31-08-2012, 02:58 PM
Comparative Analysis of GSM and CDMA Technologies
Abstract
Mobile telephone systems have gained a very bad reputation worldwide on
issues of security and authentication. It is estimated that eavesdropping and
other mobile telephony frauds have accounted for more than US$ 750M of
lost revenue in the United States in the year 2001. There are no such
estimates presently available for India, owing to a lack of awareness.
Authentication, security, and privacy are important issues to be looked into.
There are ongoing efforts to enhance the security level of the system and new
technologies are reaching the market with added security features. This
paper attempts to compare the security features provided by GSM mobile
telephony standards and the CDMA standards promoted by 2.5G and 3G.
Introduction to GSM Architecture
Global System for Mobile communication (GSM) is a globally accepted
standard for digital cellular communication. GSM is the name of a
standardization group that was established in 1982 in an effort to create a
common European mobile telephone standard that would formulate
specifications for a pan-European mobile cellular radio system operating at
900 MHz. Today over 400 million people worldwide use GSM mobile phones
to communicate with each other, via voice and short-message-service (SMS)
text.
SS7 is a TDM-based network architecture for performing out-of-band signaling
in support of call establishment, billing, routing, and information exchange.
It is used in telephonic communications.
The security services provided by GSM
Anonymity: Anonymity is provided so that it is not easy to identify the user
of the system. It is provided by using temporary identifiers. When a user first
switches on his/her radio set, the real identity (IMSI number) is used, and a
temporary identifier (TMSI number) is then issued. For all future
communication, the temporary identifier is used until the end of the session.
Only by tracking the user is it possible to determine the temporary identity
being used.
Authentication: Authentication is provided so that the operator knows who
is using the mobile system for authorization and accounting purposes.
Authentication is performed by a challenge and response mechanism. A
random (RAND) challenge is issued to the Mobile Station (MS), the mobile
encrypts the challenge using the authentication algorithm (A3) and the key
assigned to the mobile (SIM card key [Ki]), and sends a response (Signed
Response [SRES]) back. The operator can check that, given the key of the
mobile, the response to the challenge is correct.
User Data Protection: Encryption is provided so that user data passing
over the radio path is protected. This is provided by the A5 algorithm, whose
inputs are a session key (Kc) and the frame number (Fn) and whose output is the
keystream, which is XOR’ed with the plain text to get the cipher text. The
session key is generated by the A8 algorithm, whose inputs are the SIM card key
and the random number (RAND) sent over by the Base Station (BTS).
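The challenge-response and ciphering steps described above, as an added Python example that is not part of the original paper. The real A3/A8 algorithms are operator-chosen and A5 is a dedicated stream cipher; here HMAC-SHA256 is an assumed stand-in for all three so that the inputs, outputs and message flow (128-bit RAND and Ki, 32-bit SRES, 64-bit Kc) can be followed, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for A3, A8 and A5. Only the inputs,
# outputs and message flow follow the GSM description in the text.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication algorithm: (Ki, RAND) -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation algorithm: (Ki, RAND) -> 64-bit session key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, fn: int, length: int) -> bytes:
    """Cipher algorithm: (Kc, frame number Fn) -> `length` keystream bytes."""
    out, counter = b"", 0
    while len(out) < length:
        block = fn.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(kc, b"A5" + block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_frame(kc: bytes, fn: int, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = a5_keystream(kc, fn, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

def authenticate(network_ki: bytes, sim_ki: bytes):
    """One challenge-response run: returns (ok, air_messages, network Kc)."""
    rand = secrets.token_bytes(16)            # network -> MS: RAND challenge
    sres = a3(sim_ki, rand)                   # computed in the SIM from Ki
    air = [("RAND", rand), ("SRES", sres)]    # all that crosses the radio path
    ok = hmac.compare_digest(sres, a3(network_ki, rand))
    kc = a8(network_ki, rand) if ok else None # Kc only after a valid SRES
    return ok, air, kc

def demo():
    ki = secrets.token_bytes(16)              # constructed sample SIM key
    ok, air, kc_net = authenticate(ki, ki)
    kc_ms = a8(ki, dict(air)["RAND"])         # MS derives the same Kc locally
    ct = xor_frame(kc_ms, 42, b"constructed speech frame")
    return ok, xor_frame(kc_net, 42, ct), ct

if __name__ == "__main__":
    print(demo())
```

Ki itself never appears in the exchanged messages; only RAND and SRES do, and both ends derive Kc independently from them.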
Attacks on nodes of SS7 networks
SSP
Being at the periphery of an SS7 network, it is most prone to hacks, because of
weak authentication. It is also a prime target for packet sniffing, because a
specific user's data always passes through the same SSP.
A Distributed Denial of Service (DDoS) attack overloads the STP-SSP connection
by sending a lot of IAMs to a single SSP. An attacker intercepting at that
compromised SP could modify IAMs to request connection with some
targeted user.
STP
It can be attacked by exploiting weaknesses in the routing protocols.
An attacker can eavesdrop on certain conversations by having a bogus STP, which
collects and filters the packets received by the hacked STP. SCCP packets may
be forwarded to any location by modifying the destination address.
Sensitive information like Point Codes of the network could be obtained by
accessing the corresponding SCPs. The GTT database could also be modified.
Multiple (compromised) STPs might be modified to re-route all the traffic via
specific STP, causing overloading, and rendering the connected SSP useless.
MTP layer 3 packets, if fabricated, would be unable to provide link
management features like notifying surrounding nodes of the failure of a
signaling point, which might cause congestion, data loss, and subsequent
crippling of the network.
SCP
It contains database information, so it is highly vulnerable. Attacks
associated with toll-free numbers involve modifying the number to
direct charges to some other, totally unrelated party, changing the
billing information, disrupting some business by forwarding all calls
addressed to it to some illicit telephone number, or more serious problems
like modifying the forwarding address to some emergency service. It also
leads to voice mail hacking, that is, full access to someone's voice mailbox,
by obtaining passwords using TCAP messages.