|
The main security services provided by the GSM security architecture
are:
- Authentication
- Encryption
- User Confidentiality
6.1 Authentication
GSM utilizes the A3 authentication algorithm in order to authenticate mobile users and protect the
network from unauthorized service access. Figure gsm12 shows the stages of the authentication process between a mobile station (MS) and a GSM network represented by a base station
(BS):
- First, the AuC generates a random 128-bit token (RAND), which is sent to the Mobile Switching Centre
(MSC).
- The MSC sends RAND through BS to the MS as an authentication
challenge.
- The MS uses RAND and the secret subscriber key Ki, which is stored in the SIM card, as input arguments for the A3 algorithm in order to produce a 32-bit response
(SRES).
- The AuC retrieves the MS’s shared secret key from the key database, and uses the same algorithm to produce the SRES, which is sent to the
MSC.
- Finally, the MS sends SRES as an authentication response back to the MSC through
BS.
- The MSC verifies that the SRES received from MS is identical to the SRES generated in AuC and authenticates the MS.
|
|
Figure
gsm12. GSM authentication process
(Chatzinotas, 2006)
6.2 Encryption
GSM utilizes two algorithms in order to protect signalling and user data. The A8 algorithm generates the encryption key, whereas the A5 algorithm performs the actual data encryption. Figure gsm13 shows the encryption key generation. The BS represents a GSM network also in this figure. Both the MS and the AuC utilize the Ki and RAND, which are already known from the authentication process, as input arguments for the A8 algorithm. The output is the 64-bit encryption key Kc, which is sent from the AuC to MSC. MSC then sends Kc to the MS, to which the BS is connected.
|
|
Figure
gsm14. GSM encryption process
(Chatzinotas, 2006)
6.3 User Confidentiality
GSM prevents intruders from identifying a certain user by intercepting his IMSI. In this context, a temporary MSI (TMSI) instead of the IMSI is set up and utilized during the communication between base and mobile
station.
6.4 Security Services in a Visited GSM network
The subscriber authentication process, shown in Figure gsm15, is started by the MSC (Mobile Switching Centre) in the visited GSM network. This requests an authentication vector from the AuC of the home GSM network of the MS. The authentication vector, generated by the AuC in the home network, consists of a challenge/response pair (RAND, SRES) and an encryption key Kc. The MSC of the visited network sends the 128-bit RAND to the MS. Upon receiving the RAND, the MS computes within the SIM a 32-bit response (SRES) and an encryption key Kc using the received RAND and the Ki stored in the SIM. The MS sends the computed SRES back to the MSC.
Figure
gsm15. GSM Authentication and Key
Agreement.
The MSC verifies the identity of the MS by comparing the received SRES from the MS with the received SRES from the AuC. If they match, authentication is successful and the MSC sends the encryption key Kc to the BTS serving the MS. Then the MS is granted access to the GSM network service and the communication between the MS and the BTS is encrypted using
Kc.
6.5 Security Vulnerabilities
The GSM security architecture supports confidentiality and authentication, but it provides limited authorization mechanisms and it does not support non-repudiation. More specifically, the GSM security architecture has the following
vulnerabilities:
- Authentication
GSM authenticates the subscriber to the network using a shared secret. Nevertheless, GSM has no provision for authenticating the network namely the base station to the subscriber’s terminal. This can facilitate the execution of active attacks, such as impersonating network elements (e.g. rogue BS) and man-in-the-middle attacks. More specifically, an attacker impersonates a valid base station with respect to the mobile station and at the same time impersonates the victim mobile station to a real base station by simply forwarding the authentication traffic. As a consequence, the attacker can, for example, eavesdrop on all communication by fooling both sides into the use of no encryption on the radio interface.1 Moreover, the scenario allows for call theft and other active attacks
(Mitchell, 2001)
- Information Confidentiality - Encryption
Communication between the subscriber and the base station is encrypted, using temporary keys assigned with respect to the terminal’s identification code. However, authentication values (e.g. IMSI, RAND, and SRES) are transmitted in clear within and between networks. In addition, GSM makes no provision for integrity checking, which makes active attacks even more feasible. GSM uses a range of cryptographic algorithms for securing the wireless traffic. The A5/1 and A5/2 stream ciphers are utilized to encrypt the voice channels over the wireless link. A5/1 was developed first and it is a stronger than A5/2. However, both algorithms suffer from serious vulnerabilities (Biham & Dunkelman, 2000; Biryukov et al., 2000) and it has been proved that A5/2 can be broken in real-time by launching a ciphertext-only attack (Barkan et al., 2003). Fortunately, GSM does not specify a single algorithm and therefore the network operators may choose to deploy a stronger algorithm. Finally, encryption is terminated at the edge of wireless network i.e. at the BS and thus data and signalling in the wired network are not securely
transmitted.
|
