VLSI CDMA GSM TECHNOLOGY



ABSTRACT

Mobile telephone systems have gained a very bad reputation worldwide on issues of security and authentication. It is estimated that eavesdropping and other mobile telephony frauds accounted for more than US$ 750M of lost revenue in the United States in the year 2001. No such estimates are presently available for India because of a lack of awareness. Authentication, security, and privacy are important issues to be looked into. There are ongoing efforts to enhance the security level of the system, and new technologies are reaching the market with added security features. This paper attempts to compare the security features provided by the GSM mobile telephony standards and the CDMA standards promoted by 2.5G and 3G.
Mobile networks not only provide great benefits to their users but they also introduce inherent security issues. With respect to security, the emerging risks of denial of service (DoS) attacks will evolve into a critical danger as the availability of mobile networks becomes more and more important for the modern information society. This paper outlines a series of flaws in such networks, particularly DoS attacks and confidentiality threats in GSM networks.

Introduction to GSM Architecture

Global System for Mobile communication (GSM) is a globally accepted standard for digital cellular communication. GSM is the name of a standardization group that was established in 1982 in an effort to create a common European mobile telephone standard that would formulate specifications for a pan-European mobile cellular radio system operating at 900 MHz. Today over 400 million people worldwide use GSM mobile phones to communicate with each other, via voice and short-message-service (SMS) text. SS7 is a TDM-based network architecture for performing out-of-band signalling in support of call establishment, billing, routing and information exchange. It is used in telephonic communications.
The latest buzzword in computer science is ubiquitous networking. We not only connect individual computers and networks, we want to connect every electronic gadget around. Technology has evolved so much in the past years that it supports devices so small that they are at the usability margin. True mobile computing and internetworking is possible using wireless connections, which themselves further complicate the current state of security. There are several standards with respect to WAN, LAN and PAN networks, and their current penetration is insignificant compared to the vast potential of wireless networks. Wireless telephony exceeds land telephony in terms of number of subscriptions in most of the European and Asian countries, and the new generation of GPRS and 3G devices truly enables mobile Internet access. Widespread acceptance of 802.11 and Bluetooth enables seamless integration of laptop, PDA and cell phone platforms with support for powerful new mobile applications. The immense benefits of ubiquitous networking do come with a unique set of risks.
Wireless technology is extremely complex. Unfortunately, radio engineers are almost never security experts, and the general tendency is to consider that security will be added later, if required. This is a very unhealthy way of thinking, since security must be “blended” together with the radio technology. Another major mistake that is made more often than not is to consider that security procedures are sophisticated enough to deter attacks of any kind. This is wrong. An attacker may never attempt to attack a strong cryptographic system and will instead choose the weakest link in the communication chain. That link is the radio domain. This judgment has already resulted in some careless implementations, such as the IEEE 802.11b WEP and Bluetooth [1].

The security services provided by GSM

Anonymity: Anonymity is provided so that it is not easy to identify the user of the system. It is provided by using temporary identifiers. When a user first switches on his/her radio set, the real identity (IMSI number) is used, and a temporary identifier (TMSI number) is then issued. For all further communication, the temporary identifier is used till the end of the session. Only by tracking the user is it possible to determine the temporary identity being used.
Authentication: Authentication is provided so that the operator knows who is using the mobile system for authorization and accounting purposes. Authentication is performed by a challenge and response mechanism. A random (RAND) challenge is issued to the Mobile Station (MS); the mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (SIM card key [Ki]), and sends a response (Signed Response [SRES]) back. The operator can check that, given the key of the mobile, the response to the challenge is correct.
User Data Protection: Encryption is provided so that user data passing over the radio path is protected. This is provided by the A5 algorithm, whose inputs are a session key (Kc) and the frame number (Fn) and whose output is the keystream, which is XOR’ed with the plain text to get the cipher text. The session key is generated by the A8 algorithm, whose inputs are the SIM card key and a random number (RAND) sent over by the Base Station (BTS). COMP128 is a one-way (hash) function that is currently used in most GSM networks for A3 and A8.
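
The authentication and encryption flow described above, as an added example that is not part of the original report. HMAC-SHA-256 stands in for A3, A8 and A5 (it is not COMP128 or a real A5 cipher), and the Network class, the attach helper and the IMSI and Ki values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-ins only: HMAC-SHA-256 replaces A3/A8 (COMP128) and A5 so the flow
# runs; output sizes follow GSM (RAND 128 bits, SRES 32 bits, Kc 64 bits).
def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def a3_sres(ki, rand):            # authentication response
    return _prf(ki, b"A3", rand)[:4]

def a8_kc(ki, rand):              # session key
    return _prf(ki, b"A8", rand)[:8]

def a5_xor(kc, fn, data):
    """XOR data with a keystream derived from Kc and frame number Fn."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += _prf(kc, b"A5", fn.to_bytes(4, "big") + block.to_bytes(4, "big"))
        block += 1
    return bytes(d ^ k for d, k in zip(data, stream))

class Network:
    """Operator side: holds each subscriber's Ki, issues RAND, checks SRES."""
    def __init__(self, subscribers):
        self.subscribers = subscribers       # IMSI -> Ki
        self.pending = {}                    # IMSI -> outstanding RAND

    def challenge(self, imsi):
        self.pending[imsi] = os.urandom(16)  # RAND goes over the air
        return self.pending[imsi]

    def verify(self, imsi, sres):
        """Return Kc if SRES matches the expected value, else None."""
        rand = self.pending.pop(imsi)        # each RAND is used once
        ki = self.subscribers[imsi]
        if hmac.compare_digest(sres, a3_sres(ki, rand)):
            return a8_kc(ki, rand)
        return None

def attach(net, imsi, sim_ki):
    """Mobile side: the SIM computes SRES and Kc; Ki never leaves the card."""
    rand = net.challenge(imsi)
    network_kc = net.verify(imsi, a3_sres(sim_ki, rand))
    return network_kc, a8_kc(sim_ki, rand)

IMSI, KI = "001010000000001", bytes(range(16))   # constructed test values
NET = Network({IMSI: KI})
```

Calling attach(NET, IMSI, KI) returns the same Kc on both sides without Ki or Kc ever being transmitted; a SIM holding a different Ki gets None from the network side.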

Attacks on nodes of SS7 networks

1. SSP
Located at the periphery of an SS7 network, the SSP is the node most prone to hacks, because of weak authentication. It is also a prime target for packet sniffing, because a specific user's data always passes through the same SSP. A Distributed Denial of Service (DDoS) attack overloads the STP-SSP connection by sending a lot of IAMs to a single SSP. An attacker intercepting at that compromised SP could modify IAMs to request connection with some targeted user.
2. STP
An STP can be attacked by exploiting weaknesses in the routing protocols. An attacker can eavesdrop on certain conversations by means of a bogus STP, which collects and filters the packets received by the hacked STP. SCCP packets may be forwarded to any location by modifying the destination address. Sensitive information like the Point Codes of the network could be obtained by accessing the corresponding SCPs. The GTT database could also be modified. Multiple (compromised) STPs might be modified to re-route all the traffic via a specific STP, causing overloading and rendering the connected SSP useless. MTP layer 3 packets, if fabricated, would be unable to provide link management features like notifying surrounding nodes of the failure of a signaling point, which might cause congestion, data loss, and subsequent crippling of the network.
3. SCP
It contains database information, so it is highly vulnerable. Attacks associated with toll-free numbers involve modifying the number to direct charges to some other, totally unrelated party, changing the billing information, or disrupting a business by forwarding all calls addressed to it to some illicit telephone number; a more serious problem is modifying the forwarding address to that of some emergency service. It also leads to voice mail hacking, that is, full access to someone's voice mailbox by obtaining passwords using TCAP messages.

THE CDMA CONCEPT

CDMA is a modulation and multiple access scheme based on spread spectrum communication, a well-established technology that has been applied only recently to digital cellular radio communications and advanced wireless technologies. With CDMA, each signal consists of a different pseudorandom binary sequence that modulates the carrier, spreading the spectrum of the waveform. A large number of CDMA signals share the same frequency spectrum. If CDMA is viewed in either the frequency or time domain, the multiple access signals appear to be on top of each other. The signals are separated in the receiver by using a correlator which accepts only signal energy from the selected binary sequence and despreads its spectrum. The other users’ signals, whose codes do not match, do not despread in bandwidth and as a result contribute only to the noise and represent a self-interference generated by the system. The signal-to-interference ratio is determined by the ratio of desired signal power to the sum of the power of all the other signals, and is enhanced by the system processing gain, or the ratio of spread bandwidth to baseband data rate. The major parameters that determine the CDMA digital cellular system capacity are processing gain, required Eb/N0, voice duty cycle, frequency reuse efficiency, and the number of sectors in 1 cell. The CDMA cellular telephone system achieves a spectral efficiency of up to 10 times the analog FM system efficiency when serving the same area with the same antenna system. This is a capacity of up to one call per 10 kHz of spectrum.
In the cellular radio frequency reuse concept, interference is accepted but controlled with the goal of increasing system capacity. CDMA does this effectively because it is inherently an excellent anti-interference waveform. Since all calls use the same frequencies, CDMA frequency reuse efficiency is determined by a small reduction in the signal-to-noise ratio caused by system users in neighboring cells. CDMA frequency reuse efficiency is approximately 2/3 compared to 1/7 for narrowband FDMA systems. The CDMA system can also be a hybrid of FDMA and CDMA techniques where the total system bandwidth is divided into a set of wideband channels, each of which contains a large number of CDMA signals.
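
The spreading and correlator behaviour described in this section, as an added example that is not part of the original report. Python's seeded random generator stands in for a real pseudorandom code generator, and the spreading factor of 128 chips per bit, the four users and their bits are constructed for illustration.

```python
import math
import random

CHIPS_PER_BIT = 128   # spreading factor (assumed value for this example)

def pn_code(seed, length=CHIPS_PER_BIT):
    """Pseudorandom +/-1 chip sequence assigned to one user."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]

def spread(bits, code):
    """Each data bit (0/1 -> -1/+1) is multiplied by the user's whole code."""
    return [(1 if b else -1) * c for b in bits for c in code]

def share_channel(signals):
    """All users transmit on the same band at once: chips simply add up."""
    return [sum(chips) for chips in zip(*signals)]

def correlate(channel, code):
    """Correlator: multiply by the selected code and average over each bit."""
    n = len(code)
    return [sum(x * c for x, c in zip(channel[i:i + n], code)) / n
            for i in range(0, len(channel), n)]

def despread(channel, code):
    """Hard decision on the correlator output recovers the data bits."""
    return [1 if v > 0 else 0 for v in correlate(channel, code)]

def processing_gain_db(chips_per_bit=CHIPS_PER_BIT):
    """Ratio of spread bandwidth to baseband data rate, in dB."""
    return 10 * math.log10(chips_per_bit)

# Constructed traffic: four users, eight bits each, one shared channel.
USERS = {seed: [random.Random(100 + seed).randint(0, 1) for _ in range(8)]
         for seed in (1, 2, 3, 4)}
CHANNEL = share_channel(
    [spread(bits, pn_code(seed)) for seed, bits in USERS.items()])
```

Despreading CHANNEL with a user's own code returns that user's bits, while correlate(CHANNEL, pn_code(99)), a code nobody transmitted with, yields only small noise-like values.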

Conclusion

Clearly CDMA is the next generation technology in terms of voice and data transmissions over the air. Even though the cryptographic algorithms for CDMA have been broken, CDMA interception has a long way to go. This means that CDMA transmissions will remain secure at least for a few years from now.
The CDMA technologies have already been applied to convergent networks. Hence the problems currently faced by CDMA are more of the nature of computer attacks and exploits in the network management protocol (SNMP). Thus the future problem of CDMA may lie in the domain of computer networks rather than the telecommunication domain.
Security in wireless networks is a complex thing. Whereas in a wired network tapping is usually done by physically accessing the communication links and securing those may improve information security to some extent