1.1 Target Applications
We envision that in the future mobile users may use their personal communication devices to invoke many different kind of services, which can be classified under several categories according to the functionality involved:
Mode: |
Examples |
Access |
|
Control |
|
Communication |
|
Reactive |
|
It should be noted that the user will have different levels of trust and desired security for different services, for example weather forecast vs. controlling actions in a house. One required system feature is user-selectable trust, security, and revokation.
Given this scenario, we assume the following:
- The underlying GSM authentication protocol (described in 2.1) is sufficient for secure access to services i.e. issues such as those presented in the references have somehow been resolved).
- GSM phones are not programmable, and only have the ability
to:
- Select and call phone numbers
- Send numeric data
- Send messages to other GSM phones using the same provider (limited text entry)
- Transmit voice
- Services can run for any amount of time - the user may stay connected, or may disconnect and reconnect again to get results, but that in the latter case the phone does not maintain any state.
- Participants considered in the service access are:
- Handsets and SIM cards
- Base station (BS)
- Authentication station / GSM Network (AS)
- Service gateway (SG)
- Individual service server
- Intermediate proxies
- Trust: What does "trust" mean? Specifically, what
does "A trusts B" mean?
- B has the power to do something detrimental to A (such as release/distribute a shared secret), but A feels that this is not likely to happen for some reason, or accepts that risk.
- A feels sure that B will not invoke a service in A's name without authorization, and that if B knows private things about A, it will not act except on A's request or with A's knowledge.
- Compromise of B would make it easy to compromise A (B is in A's trusted computing base).
- The number of required changes to the existing protocols (especially GSM) and/or participants' equipment
- Potential attacks (spoofing, eavesdropping, replay, DOS, ...)
- Trust extent/duration for participants
- Memory/functionality required
- Complexity
- The execution time/delay for service access and the number of control messages or hops involved
2.0 GSM Security & Service Access
Groupe Special Mobile(GSM) is the first mobile digital cellular
network architecture that provides security services, as detailed
in GSM 11.14 V5.1.0 (GSM references). Since GSM is originally designed with
voice applications in mind, it does not provide for facilities to
access services or transmit data securedly. A new packet
data service called GPRS (General Packet Radio Service) has been
standardized and implemented in the GSM system. However, the security
functionality for GPRS is equivalent to the existing GSM
security. An agent in the fixed network performs authentication and
cipher setting procedures based on the same algorithms, keys, and
criteria as in existing GSM. GPRS uses a ciphering algorithm
optimized for packet data transmission.
In this section, we will briefly describe the GSM security model
in and several possible solutions to integrate it with existing
network security modules.
In detail:
However, we there are numerous limitations that make this approach
less attractive, as listed below:
2.1 GSM Security Overview
The real identity of a GSM subscriber is a permanently attached
number (IMSI) stored in the SIM (Subscriber Identity Module)
card. There are four basic security services provided by GSM:
The establishment of communication between mobile users and fixed
phone networks is controlled by the authentication center (AS),
which is co-located with the local message switching center (MSC).
When the user turns on the handset and makes a phone call, the MS
sends a call set-up message to the MSC, and transmits its own
identity and IMSI. Upon every call the MSC/VLR allocates to the
IMSI a new TMSI and transmits it to the MS with the order to
substitute the TMSI for the IMSI in all future communications
within the GSM system. From then on, the IMSI is not sent
over the radio path again.
After the IMSI is known by the network, the AS generates a
"challenge" in the form of a triplet: (RAND, SRES,
Kc) and forwards it back to the base station,
BS. RAND is a 128-bit random value generated by the AS. The
SRES (Signed RESponse authentication result) and ciphering
key, Kc are computed with the A3 and
A8 algorithms, respectively, using RAND and the secret
key Ki:
RAND is forwarded by the BS to the MS, where it is used to
generate (SRES, Kc). Another input required is
Ki which is stored in the SIM card. The BS
compares the SRESs from the AS and the MS. If they agree, user
authentication is complete. All the subsequent traffic
between the MS and the fixed network (BS/MSC) is encrypted with
Kc using the A5 algorithm.
Note that the BS/MSC are trusted per session by the handset and
the AS, because they know the ciphering key, Kc.
One weakness in the GSM authentication approach is its reliance on
the security of the links in internal GSM networks (MSC-HLR,
VLR-HLR, HLR-AS, some of which may be air links). Another weakness
is the security of the SIM card itself. However, in this
project, we assume that GSM authentication and data encryption are
reliable for service access purposes.
2.2 Ideal GSM Service Access
Ideally, we would like to limit the trust we put in the phone
company (both the BS and the AS, as well as the links). In this
section, we develop a solution for service access authentication
that only assumes data confidentiality of the GSM air link.
Basic Protocol
This solution requires the SIM card to have two sets of keys,
Ki1 and Ki2. The service
gateway is fully trusted and has knowledge of all keys (although
it doesn't really need Ki1 - in this case, we
assume the SG is trusted completely by the MS). For instance,
another key is added to the SIM card at a later time. The phone
company (HLR) only knows Ki1. We assume the
traditional security model of GSM. Therefore the BS only knows the
authentication key, Kc (generated the same way
as described in the previous section) for authentication and
billing purposes.
On call connect, we assume the mobile user is authenicated with a
traditional GSM challenge-based authentication. The air link is
now encrypted using Kc. The BS then detects service
requests (i.e. when the user dials special phone number) and notifies
the service gateway (SG) for secondary authentication.
Trust models
Required Changes
Advantages & Limitations
One of the main advantages of this approach is the end-to-end
protection from the MS to the SG, and therefore limiting the trust
of the phone company. In addition there are no replay attacks
possible. The only possible attack is the denial of service
attack. The third advantage is that although this solution works
only for known SIM cards, users can use any GSM phones that
support the double encryption.
2.3 Realistic GSM Service Access
The inherent limitations of the GSM phones force some trust to be
put in the BS. We rely on the GSM user authentication mechanism
and some shared secret between the phone company and the service
gateway, SG. The remaining questions are
There are several solutions to the problem of authenticating users
for service access. One possibility is to somehow use the
rechallenge capability in GSM to get a second SRES or key
that could be uses for the service. It is crucial to be able to
distinguish a service request versus a voice call in progress in
the challenge. (Please refer to Section 3 for
further discussion of the design of service gateways and
interaction between the SG with the BS/AS).
2.3.1 Fully Trusted SG & AS (a la Rechallenge)
Basic Protocol
This approach is similar to the previous case, where a call still
goes through the AS for billing/authentication. The
encrypted channel is set up between the BS and the MS in the same
way as described in Section 2.1.
Upon the service request, a GSM re-challenge, i.e. a new triplet
(RAND2, SRES2, Kc2) is
sent by the SG to the BS, and the phone re-authenticates itself, this
time to the SG.
In details:
- After the usual GSM authentication,
- The BS contacts the SG.
- the SG sends (RAND2, SRES2, Kc2) to the BS.
- The BS forwards RAND2 to the SIM.
- The SIM computes (SRES2, Kc2) and sends (SRES2) to the BS.
- The BS compares SRES2 and authenticates the user for the SG. Kc2 is used to encrypt future packets over the air link.
Trust Model
- The MS trusts the AS and the SG (either can impersonate the user).
- The MS has to trust the BS more per session, since the BS handles both the GSM authentication and the service authentication. Both the AS and the SG trust the BS for authentication, and for everything after authentication, including data integrity, since the BS knows the ciphering keys in both cases, Kc1 and Kc2.
- The AS & the SG are trusted to authenticate user.
- The AS & the SG trust each other on a per-user bases, since both know the user's secret key, Ki.
- The following connections: MS-BS, AG-BS, SG-BS, SG-S are trusted. Note that additional encryption can be used to make most of these links safe (some of which are discusses in section 3).
Required Changes
- Additional intelligence is needed in the BS in
the optional case (if it is feasible):
- It needs to be able to retrieve and store the second key, Kc2 transmitted over the encrypted air channel.
- It must be able to use Kc2 to decrypt and re-encrypt (or decrypt, store, and re-packetize) the service request/data that it receives from the MS and forward it to the SG. Similarly, it has to be able to process the packets from the SG, decipher them and re-encrypt them with the proper key before sending them over the air to the MS. This will be more processing- and/or memory-intensive.
- The SIM card needs to store two Kcs and has to be able to distinguish between them.
- The MS must be able to send Kc2 as data to the BS.
Advantages & Limitations
One of the obvious advantages is that we do not need double encryption in this approach. However the trade off is that we have to trust the BS more. Other disadvantages include the following:- A lot more intelligence is needed in BS. The cost involved in upgrading the BS software is probably not insignificant. Also, if the BS hardware is insufficient it may be necessary to replace all the base stations, which would be VERY expensive.
- It is heavily dependent on what happens after a re-challenge... (Can you still use the old key?) There may still be some hardware, software, and protocol changes here. If so, this case could be used to invoke a service while in the middle of a call... (Question - so what happens with call waiting on GSM phones, or dialing a second call?).
2.3.2 Semi Trusted SG & Fully Trusted AS
Basic Idea
To work around the inherent limitation of the GSM network, we introduce some modifications to the previous cases. In this approach, the SG is no longer completely trusted by the user - now the phone company (AS) is trusted to negotiate with the SG, using some shared secret. Optionally, the AS could pass a temporary ticket of some sort to the BS/MSC/WCP, to improve performance. We make the same assumptions: a phone number indicates the service, and user authentication is as in the GSM spec.
Trust models
- The MS user trusts the AS completely for (a)authentication, and to (b)access the SG correctly. The MS trusts the BS per session.
- The AS trusts the SG (shared secret - we do not discuss how this is set up). The AS trusts the BS per session.
- The SG trusts the GSM provider. Perhaps we can limit the trust by requesting the user to punch in some keyswords on the handset - this would protect against attacks against the static phone company database, but not "sniffer" attacks.
- The connections: MS-BS, BS-AS, AS-SG, and SG-S are trusted.
Required Changes
- The AS/GSM Network has to be changed to be able to connect to the SG, or to grant keys/tickets in the optional case.
- No changes to the phone are required. We just need the user to know a special access phone number to call...
Advantages
- Don't have to trust the service gateway as much (similar to phone orders with credit cards...).
- Don't have to change the handset/SIM (Usual GSM authentication).
Limitations
- We need a way to ensure privacy & prevent replay attacks.
- The MS ends up trusting the AS and the BS. It is especially bad if the AS gets compromised. (Effects of BS compromise can be reduced by the use of time-based tickets.)
Possible Extensions
- Some kind of higher-layer authentication request can be forwarded to the phone through the GSM network, to provide separate stackable authentication for the SG . For instance, after connecting to the SG, the user can be required to use a special security device, such as a hardware random number generator...
2.3.3 Open Trust
This approach does not require any changes beyond the BS detection
and forwarding of the service request. It is simple! No
modifications to handset, SIM, or AS.
Of course, there are lots of limitations - it's totally unsafe.
(i.e. after authentication, the BS can invoke services...)
The second option was to have a separate set of base stations
for services, that would then do their own authentication and
bypass the phone company completely. The cost of infrastructure
for this would clearly be majorly prohibitive, but the
possibility of dual-band digital phones or perhaps having the
handset and base station determine whether something is a phone
call or service or types of services based on frequency seems
somewhat interesting.
The first two models are clearly more secure, since the length
of time during which the base station is trusted is limited.
The user must, of course, trust the service gateway with some
sort of shared secret. Eavesdroppers may be able to get a
general idea of which services users are accessing, and very
technology-equipped eavesdroppers may be able to figure out who
is accessing which service based on the setup times and
connections - an option would be to have some sort of noise
traffic as well. Finally, the phone network provider can cause
denial of service.
The third model can use several different methods to set up an
encrypted channel between base stations and services, but
requires greater (= complete) trust in the phone company to
handle access properly and not leak secrets or access patterns.
Something similar to SSL would work if there was a common
trusted agency that authorized services, but it is not clear at
this point that such an agency will ever exist. Public key
distribution is difficult, but if the number of phone companies
and service gateways (perhaps a "service gateway portal", and
some sort of hierarchical system?) is small, the exchange of key
lists might be feasible. Something like SSH might work, with a
per-SG key downloaded when used the first time, but then one
needs to deal with the issue of attackers intercepting the
initial and subsequent communications (up until they miss
one...). The same eavesdropping and DOS attacks as in models 1
and 2 apply.
In the ICEBERG setup, the base station is connected via an E1
(European standard ethernet) line to two machines, the UPSIM and
the IPPAD. The base station exchanges control packets with the
UPSIM, which can run programs written in a proprietary language
to control the base station. When a connection is made, the
base station forwards the actual (voice) data to the IPPAD,
which can then format it for other applications (for example,
the IPPAD can support the RTP format for realtime vat audio.
The ICEBERG group has implemented proxies that handle the timing
and convert the European ethernet packets coming into the IPPAD
from the base station into udp packets.). The current ICEBERG
prototype system does not provide any authentication, but that
is not a problem, since all of our prototyping occurs only
after the connection event itself, which the base station
simulates.
Given the limited means of indicating the desire to access a
service, we decided that the logical initial step would be to
use a special phone number (numeric data) to indicate a service
request, since using GSM messaging and voice recognition would add too
much complexity to the situation. However, getting even the
dialed phone number proved to be a significant challenge. After
spending some time trying to understand the proprietary language
used to control the base station, which is very verbose and
fairly low-level, we were fortunate to be able to gain access to
a piece of code just completed by another ICEBERG member that
allowed us to get three digits of the phone number punched into
the mobile handset. This code simplified the data streams by
gathering together both the control and data streams in an
intermediate java proxy, which we incorporated into our system
flow. We added another component, still considered part of the
base station in our model in section 2.3, that looked at the
phone number and determined the service type based on the
number. The base station service intelligence uses the service
type to determine whether it should connect to a kerberos server
(using the rest of the number as the password) and then connect
to the service using the ticket, or just connect to a service in
the open. The secure prototype code is based on and works with
kerberos 4, since that was the security set up on the cluster,
but we also confirmed that it can be easily extended to kerberos
5. The implementation, while simple, does work, and can be
demonstrated upon request.
It is not enough just to secure the wireless link itself, but
one also needs to integrate the security model of the wireless
applications seamlessly into existing wired networks. There are
two likely alternatives that the research community has looked
at: end-to-end security at the application layer and end-to-end
security at the transport layer. However, either approach would
require modifying the software base of either the fixed-node
network, or the wireless infrastructure.
The lack of satisfactory solutions and standard protocol stacks
across heterogencous networks has gradually drawn the attention of
researchers from both academia and industry, especially now that
PDAs such as the Pilot have become extremely popular, and have
begun to be integrated into cell phones. The following are some
of the related research efforts we came across:
Ericsson uses a concept known as virtual private dial-up
networking (VPDN) in its intranet solution, where it secures a
tunnel for carrying data protocols through the public
network. The tunneling techniques demonstrate that secure
virtual private networks may be created through the
Internet. The tunneled data can be encrypted to provide
privacy and data confidentiality to users. However no
additional security solutions are provided. It is up to the
corporate organizations to implement their own security
mechanisms to authenticate users.
We were not able to implement the ideal level of security that
we wished for because of protocol and device limitations, but we
were able to pinpoint some options that could be easily deployed
to improve the existing (open) trust model. Our implementation
requires only time-limited trust in the base station while
securing a channel between the base station and the services.
2.4 Other (Infeasible) Cases Considered
While brain-storming for GSM we came upon two other possibilities
that we thought had merit, but are currently not feasible. The
first would be to change the handling of Kc so that the
handset-AS link would be end-to-end encrypted. Unfortunately,
since all of the signaling data is encrypted using Kc,
and since the encrypted air link is the first thing set up, the
base station has to know Kc.
3.0 Accessing the Service Gateway
The role of the service gateway is slightly ambiguous. The
service gateway could be, among other things,
Clearly, there are multiple types of re-authentication and
security that one would want depending on the situation. In some
of the cases the user may not care whether anyone else sees the
requests and it doesn't matter who the user is, but in many this
is an important issue. Since, from section 2, we know that we
need to trust the base station a great deal, the danger of a
compromised base station is potentially very large - it would be
nice to have some way of allowing the user to generate a temporary
session key that would become obsolete soon after the service
access was complete. One notion that we had was to use a personal
hardware number generator such as those used for authenticating
logins in some companies (perhaps someday make that part of the
phone?) and have the service send a challenge to the phone.
Unfortunately, this is not an option with the current batch of
phones, but the capability really isn't that far out in the future.
3.1 Different Levels of Security (aka The Security
Access Slider)
(Slider notion borrowed from Dave Wagner :)
Model
Basic Idea / Features
1. Keys/tickets (a la Charon)
2. Keys/tickets (a la Kerberos)
3. Keys and Certificates
4. Open
4.0 Prototype Implementation
We began our project with grand dreams and visions of the
interesting services that we would soon be able to access via our
phones. While the benefit of simulating in software was suggested
instead of implementing using the actual hardware, we thought that
it would be much more interesting to have a working
proof-of-concept. Thus, our goal was to:
Our experience in building this infrastructure and dealing with
the complexity of the available GSM infrastructure was a bit
frustrating.
Prototype System Diagram:
5.0 Related Work/Analysis
The need for wireless access to fixed networks is evident, but
there are difficult issues in designing a secure communication
protocol that provides for both the confidentiality of wireless
data communications and authenticity of the communicating
parties. Besides the additional risks posed by the wireless
medium, the existing wireless devices usually have limited
capabilities and impose software/hardware constraints.
The Qualcomm QTM phone provides secured connection
with clear digital voice quality using CDMA technology. It
also works as an alphanumeric pager, and provides access to
stock quotes, online schedules, weather and email. It is
claimed to provide private and secure communications, but we
do not have any detailed information about the security
infrastructure that is used.
Charon is a Kerberos-based mechanism for indirect
authentication and secure communications with PDA-class mobile
devices, proposed by Armando Fox and Steve Gribble at
U.C. Berkeley.
Most of the computational resources needed for user
authentication (via Kerberos) and for the establishment of a
secured channel (key negotiation) are located in a proxy in
the wired infrastructure. Since the functionality has been
partitioned, the client module is extremely lightweight and
could be run on a PDA (the Sony Magiclink PDA is used). The
proxy is trusted with a temporary session ticket, but it does
not have access to the user password that is entered at the
client module. Charon's security is at least as strong as that
of Kerberos -- the user's password never leaves the mobile
device. For detailed information, please refer to [FG 96].
WISETM is a new program defined by Ericsson to help
connect GSM to the Internet and Intranet. The goal is to
extend mobile users' access beyond information and
applications in the GSM network. The first step in the program
is a more direct data link from the GSM network to the
Internet to improve data-communication capabilities.
As mentioned earlier in Section 2.0.
6.0 Conclusion
In conclusion, we believe that extending the capabilities of
wireless clients to be able to access the Internet securely will
enable a vast number of useful and beneficial services to mobile
users. However, our project, which ended up exploring the design
space more than the implementation space, indicated that both the
protocols as well as the basic (hardware and software)
capabilities in this area are still somewhat lacking (although
improving). Device advances that have brought cell phones to the level
of PDAs promise to make secure mobile service access much more
feasible. It is not clear that trying to adapt currently deployed
protocols and soon-to-be-outdated hardware is worthwhile when
technology is advancing so rapidly. Hopefully the next generation
of protocols will have built-in support for services and more
robust security.
Future Trends
We expect that, as the cost of handsets drops and capabilities and
usage increase, there will be phenomenal progress in this area.
It will be crucial to have a clear set of service APIs and
standard protocols for choosing and interacting with services.
One important future issue will be how to fit proxies into the
trust model for secure mobile services - proxies will certainly be
very useful for providing device- or user-specific service
enhancements, but fitting them into the security picture looks like
a daunting task.
Acknowledgements
We would like to thank Bhaskar Raman for his help and especially
for sharing his base station control code with us!!! It would
have taken us months to duplicate his work. Sreedhar Mukkamalla
was helpful in answering questions about the base station as well.
Finally, we would like to thank Dave Wagner and Randy Katz for
their input and feedback...
Links
References
Chen-Nee Chuah
Mark D. Spiller