GSM Presentation8

SIM and Security

 SIM
What i s a Su bscrib er Id ent ity Mod ul e ( SIM)?

The Su bs cr ib er I denti ty Mod ul e (SI M) is a small sma rt card which

contai ns both p rog ramm in g an d inf ormation .

The A3 an d A 8 alg ori th ms are imp lemented i n th e Su bsc rib er

Identi ty Mo dule (SI M).

Sub scri ber informati on, such as the IMS I (I nte rnation al Mob ile
Sub sc ri ber Id enti ty) , is stor ed in the Subscri ber Identity Mod ule
(SIM).

The Subscri ber Iden tity Mod ul e ( SIM) can be use d to store u ser-
def in ed inf ormatio n such as p hon ebook entr ies .

2
IMEI
 International Mobile Equipment Identity

 The IMEI (International Mobile Equipment

Identity) is a unique 15-digit code used to
identify an individual GSM mobile station to
a GSM network.

 The IMEI is stored in the Equipment

Identity Register (EIR).
3
IMEI Classifications
The EIR stores three IMEI classifications:

 White Valid GSM Mobile Stations

 Grey GSM Mobile Stations to be
tracked
 Black Barred Mobile Stations
4
IMEI Format
The format of an IMEI is
AA-BBBB-CC-DDDDDD-E.
 AA Country Code
 BBBB Final Assembly Code
 CC Manufacturer Code
 DDDDDD Serial Number
 E Unused
5
IMSI
 International Mobile Subscriber Identity
 The IMSI (International Mobile Subscriber
Identity) is a unique 15-digit code used to identify
an individual user on a GSM network.

 The IMSI consists of three components:

 Mobile Country Code (MCC)
 Mobile Network Code (MNC)
 Mobile Subscriber Identity Number (MSIN)

 The IMSI is stored in the Subscriber Identity

Module (SIM).
6
 The first three digits of the IMSI form the mobile
country code (MCC) and this is used to identify the
country of the particular subscriber’s home network,
i.e. the network with which the subscriber is
registered.
 The next two digits of the IMSI form the mobile
network code (MNC) and this identifies the
subscriber’s home PLMN within the country indicated
by the MCC.
 The remaining digits of the IMSI are the mobile
subscriber identification number (MSIN) which is
used to uniquely identify each subscriber within the
context of their home PLMN.

7
 MSISDN
 MSISDN refers to the 15-digit number that is
used to refer to a particular mobile station.
 The actual mobile no. starting from the country
code
 The MSISDN is the subscriber's mobile number
which is linked to the IMSI in the HLR.
 Once the Mobile Station's MSISDN has been
used to identify the IMSI, the HLR verifies the
subscription records to ensure that the call can
be delivered to the last known location of the
Mobile Station.
8
Security algorithms in GSM
 3 algorithms specified in GSM
 A3 for authentication (“secret”, open
interface)
 A5 for encryption (standardized)
 A8 for key generation for ciphering
(“secret”, open interface)

9
 Ki, Kc, RAND, and SRES

 Ki is the 128-bit Individual Subscriber Authentication Key

utilized as a secret key shared between the Mobile
Station and the Home Location Register of the
subscriber's home network.

 RAND is 128-bit random challenge generated by the

Home Location Register.

 SRES is the 32-bit Signed Response generated by the

Mobile Station and the Mobile Services Switching Center.

10
 Kc is the 64-bit ciphering key used as a
Session Key for encryption of the over-the-air
channel.
 Kc is generated by the Mobile Station from
the random challenge presented by the GSM
network and the Ki from the SIM utilizing the
A8 algorithm.

11
 How do Authentication and Key
generation work in a GSM
network?
Encryption in the GSM network utilizes a
Challenge/Response mechanism.
 The Mobile Station (MS) signs into the network.

 The Mobile Services Switching Center (MSC) requests 5

triples from the Home Location Register (HLR).

 The Home Location Register creates five triples utilizing

the A8 algorithm. These five triples each contain:

 A 128-bit random challenge (RAND)

 A 32-bit matching Signed Response (SRES)

 A 64-bit ciphering key used as a Session Key (Kc).

12
Authentication Procedure
 1. The MSC/VLR transmits the RAND to the MS.
 2. The MS computes the signature SRES using RAND
and the subscriber authentication key (Ki) through
the A3 algorithm.
 3. The signature SRES is sent back to MSC/VLR,
which performs authentication, by checking whether,
the SRES from the MS and the SRES from the AUC
match.
 If so, the subscriber is permitted to use the network.
If not, the subscriber is barred from network access.

13
14
 Authentication can by operator’s choice
be performed during:
 Each registration
 Each call setup attempt
 Location updating
 Before supplementary service activation
and deactivation

15
Ciphering
 The Mobile Station generates a Session Key
(Kc) utilizing the A8 algorithm, the Individual
Subscriber Authentication Key (Ki) assigned
to the Mobile Station, and the random
challenge received from the Base Transceiver
Station.
 The Mobile Station sends the Session Key
(Kc) to the Base Transceiver Station.

16
 The Mobile Services Switching Center sends
the Session Key (Kc) to the Base Transceiver
Station.
 The Base Transceiver Station receives the
Session Key (Kc) from the Mobile Services
Switching Center.
 The Base Transceiver Station receives the
Session Key (Kc) from the Mobile Station.
 The Base Transceiver Station verifies the
Session Keys from the Mobile Station and the
Mobile Services switching Center.
17
 Encryption
 The A5 algorithm is initialized with the
Session Key (Kc) and the number of the
frame to be encrypted.
 Over-the-air communication channel
between the Mobile Station and Base
Transceiver Station can now be encrypted
utilizing the A5 algorithm.
 This process authenticates the GSM Mobile
Station (MS) to the GSM network.
18
 GSM - authentication
mobile network SIM

RAND
Ki RAND RAND Ki

AC 128 bit 128 bit 128 bit 128 bit

A3 A3
SIM
SRES* 32 bit SRES 32 bit

SRES
MSC SRES* =? SRES SRES
32 bit

Ki: individual subscriber authentication key SRES: signed response

19
What algorithm is utilized for
authentication in GSM networks?
 The authentication algorithm used in
the GSM system is known as the A3
algorithm.

 Most GSM network operators utilize a

version of the COMP128 algorithm as
the implementation of the A3 algorithm.

20
 A3's task is to generate the 32-bit Signed
Response (SRES) utilizing the 128-bit random
challenge (RAND) generated by the Home
Location Register (HLR) and the 128-bit
Individual Subscriber Authentication Key (Ki)
from the Mobile Station's Subscriber Identity
Module (SIM) or the Home Location Register
(HLR).

 The A3 algorithm is implemented in the

Subscriber Identity Module (SIM). 21
 What algorithm is utilized for
encryption in GSM networks?
 The encryption algorithm used in the GSM
system is a stream cipher known as the A5
algorithm.
 Multiple versions of the A5 algorithm exist which
implement various levels of encryption.
 The stream cipher is initialized with the Session
Key (Kc) and the number of each frame.

22
 The same Session Key (Kc) is used as long as
the Mobile Services Switching Center (MSC) does
not authenticate the Mobile Station again. In
practice, the same Session Key (Kc) may be in
use for days.

 The A5 algorithm is implemented in the Mobile

Station (MS).

23
 What algorithm is utilized for key
generation in GSM networks?
 The key generation algorithm used in the GSM system is
known as the A8 algorithm.

 Most GSM network operators utilize the a version of the

COMP128 algorithm as the implementation of the A8
algorithm.

 A8's task is to generate the 64-bit Session Key (Kc),

from the 128-bit random challenge (RAND) received
from the Mobile Services Switching Center (MSC) and
from the 128-bit Individual Subscriber Authentication
Key (Ki) from the Mobile Station's Subscriber Identity
Module (SIM) or the Home Location Register (HLR).
24
 One Session Key (Kc) is used until the MSC
decides to authenticate the MS again. This
might take days.

 A8 actually generates 128 bits of output. The

last 54 bits of those 128 bits form the Session
Key (Kc). Ten zero-bits are appended to this
key before it is given as input to the A5
algorithm.

 The A8 algorithm is implemented in the

Subscriber Identity Module (SIM). 25
 TMSI / TIMSI
The TIMSI (Temporary IMSI) is a pseudo-random number
generated from the IMSI (International Mobile Subscriber Identity)
number.

 The TIMSI is utilized in order to remove the need to transmit the

IMSI over-the-air. This helps to keep the IMSI more secure.

 To track a GSM user via the IMSI/TIMSI, an eavesdropper must

intercept the GSM network communication where the TIMSI is
initially negotiated.

 In addition, because the TIMSI is periodically renegotiated, the

eavesdropper must intercept each additional TIMSI re-negotiation
session.

26
 The "Temporary Mobile Subscriber Identity"
(TMSI) is the identity that is most commonly
sent between the mobile and the network.
 TMSI is randomly assigned by the VLR to
every mobile in the area, the moment it is
switched on.
 The number is local to a location area, and so
it has to be updated, each time the mobile
moves to a new geographical area.
27
 The network can also change the TMSI of the
mobile at any time.
 And it normally does so, in order to avoid the
subscriber from being identified, and tracked
by eavesdroppers on the radio interface. This
makes it difficult to trace which mobile is
which
 A key use of the TMSI is in paging a mobile

28
Subscriber Identity Confidentiality
 Subscriber identity confidentiality means that
the IMSI is not disclosed to unauthorized
individuals, entities or processes.
 This function protects a subscriber’s identity
when the subscriber is using PLMN resources.
 It also prevents tracing the mobile
subscriber’s location by listening to the
signaling exchanges on the radio path.

29
Subscriber Identity Confidentiality contd..,
 Each time a mobile station requests a system
procedure (e.g. location updating, call
attempt), the MSC/VLR can allocate a new
TMSI to an IMSI.
 The MSC/VLR transmits the TMSI to MS that
stores it on the SIM card.
 Signaling between MSC/VLR and MS utilizes
only the TMSI from this point on.
 IMSI is only used in cases when location
updating fails or when the MS has no
allocated TMSI.
30
SIM Fe at ures

 Must be tamper-resistant
 Is removable from the terminal
 Contains all data specific to the end user which have to
reside in the Mobile Station:
 IMSI: International Mobile Subscriber Identity

(permanent user’s identity)

 PIN

 TMSI (Temporary Mobile Subscriber Identity)

 K : User’s secret key

i
 List of the last call attempts

 List of preferred operators

 Supplementary service data (abbreviated dialing, last

short messages received,...)

31