Thanks Thanks:  0
Showing results 1 to 1 of 1

Thread: UMTS Security: A Primer

  1. #1
    BannedUser Reputation: 24
    Join Date
    2008-09-24
    Location
    Orala
    Posts
    157


    Default UMTS Security: A Primer

    <h4>
    By Zahid Ghadialy
    </h4>

    Date: 11/06/2004


    <table><tbody><tr>
    </tr></tbody><colgroup valign="top" width="1500">
    </colgroup><tbody><tr><td>
    <!-- Begin Google Code -->
    <table align="left" border="0"><tbody><tr><td>
    <script type="text/javascript"><!--
    google_ad_client = "pub-4136234335250116";
    google_ad_width = 336;
    google_ad_height = 280;
    google_ad_format = "336x280_as";
    google_ad_type = "text_image";
    google_ad_channel ="";
    google_color_border = "FFFFFF";
    google_color_bg = "FFFFFF";
    google_color_link = "0066CC";
    google_color_url = "000000";
    google_color_text = "000000";
    //--></script>
    <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script><script> window.google_render_ad(); </script><iframe name="google_ads_frame" src="http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-4136234335250116&amp;dt=1222991976203&amp;lmt=1158352770&amp;prev_fmts=728x90_as&amp;format=336x280_as&amp;output=html&amp;correlator=1222991976169&amp;url=http%3A%2F%2Fwww.3g4g.co.uk%2FTutorial%2FZG%2Fzg_security.html&amp;color_bg=FFFFFF&amp;color_text=000000&amp;color_link=0066CC&amp;color_url=000000&amp;color_border=FFFFFF&amp;ad_type=text_image&amp;ea=off&amp;ref=http%3A%2F%2Fwww.3g4g.co.uk%2FTutorial%2F&amp;frm=0&amp;cc=100&amp;ga_vid=323665733.1222991976&amp;ga_sid=1222991976&amp;ga_hid=924694230&amp;flash=9.0.124&amp;u_h=768&amp;u_w=1024&amp;u_ah=738&amp;u_aw=1024&amp;u_cd=32&amp;u_tz=300&amp;u_his=1&amp;u_java=true&amp;u_nplug=30&amp;u_nmime=112" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" width="336" frameborder="0" height="280"></iframe>
    </td></tr></tbody></table>
    <!-- End Google Code -->
    <i>Introduction: </i>
    Security is one of the most important feature of
    the Third Generation Wireless System. At the same time it is one of the
    least understood topics. The aim of this primer is to provide some
    information about this feature. Interested reader can refer to the
    documents provided in the references for detailed understanding.
    The 3G security is built on the 2G (GSM)
    Security architecture. The 2G architecture has been proved to be robust
    and effective. It was hence decided that the 3G security architecture
    will be based on this. At the same time it was decided that the
    shortcomings present in the second generation systems will have to be
    removed. Also it was planned that new features will need to be added
    and the voice and data services will have to be treated the same way. [4] provides a long list of shortcomings in the second generation security architecture. The main among them are:
    <ul><li>active attacks using false BTS are possible
    </li><li>cipher keys and authentication data are transmitted in clear between and within networks
    </li></ul>

    [3] provides a list of objectives that need to be
    acheived with the security architecture. It also provides with list of
    Security threats, etc that makes an interesting reading for the
    theoretical minded people.
    Before we move onto the details, one last point
    to remember is that the security in 3G systems comprises of two things.
    One is the "Data Integrity" and other is "Ciphering". "Data Integrity"
    is the feature that makes sure that no rogue Network will be able to
    send unnecessary signalling messages with the intention or causing any
    undesired effect in an ongoing call. "Ciphering" is the feature that
    makes sure that all Signalling and Data messages are ciphered over the
    air interface so that no one can eavesdrop on them. In case of UMTS
    Integrity Protection is mandatory while Ciphering is optional.
    Integrity protection is done only on Signalling Radio Bearers whereas
    Ciphering is done on Signalling as well as Data Radio Bearers. They
    will be detailed in later sections.
    <i>Overview of Security Architecture:</i>
    There are five security feature groups that are
    defined. Each of these feature groups meets certain threats and
    accomplishes certain security objectives:
    <ul><li><i>Network access security</i>: The set of security features that
    provide users with secure access to 3G services, and which in
    particular protect against attacks on the (radio) access link </li><li><i>Network domain security</i>: The set of security features
    that enable nodes in the provider domain to securely exchange
    signalling data, and protect against attacks on the wireline network
    </li><li><i>User domain security</i>: The set of security features that secure access to mobile stations
    </li><li><i>Application domain security</i>: The set of security features that enable applications in the user and in the provider domain to securely exchange messages
    </li><li>Visibility and configurability of security: The set of
    features that enables the user to inform himself whether a security
    feature is in operation or not and whether the use and provision of
    services should depend on the security feature
    </li></ul>

    In this primer we will discuss only about Network Access Security. Readers interested in other features can refer [5].
    <br>
    <center>
    <img src="http://www.3g4g.co.uk/Tutorial/ZG/Security/image001.gif"><br>
    Figure 1: Overview of the ME registration and connection principles within UMTS for the separate CS and PS CN. (Taken from [7])</font>
    </center>
    Figure 1 gives an overview of the ME registration
    and connection principles within UMTS with a CS service domain and a PS
    service domain. As in GSM/GPRS, user (temporary) identification,
    authentication and key agreement will take place independently in each
    service domain. User plane traffic will be ciphered using the cipher
    key agreed for the corresponding service domain while control plane
    data will be ciphered and integrity protected using the cipher and
    integrity keys from either one of the service domains.
    <i>User Confidentiality </i>
    Every user provided with a USIM is also provided
    with a IMSI (International Mobile Subscriber Identity). It should be
    possible that not one should be able to eavesdrop what services is
    being used by which IMSI on the radio link (air interface). Along with
    User identity confidentiality, it should be possible that user location
    confidentiality is also maintained. Nobody should be able to trace the
    movements of a particular user and also which users are arriving or
    leaving a particular area. The user should also be untraceable. By this
    we mean that it should not be able for anybody to find out what
    services are being used by a particular user. To achieve these objectives, the following steps are taken:
    <ul><li>The user is allocated a temporary identity (TMSI or P-TMSI) and is identified by that.
    </li><li>After a small duration, this temporary identity is changed.
    </li><li>In addition to this, the user data that might reveal the user's identity is ciphered.
    </li></ul>

    The Temporary Mobile Subscriber Identity (TMSI) or
    Packet TMSI (P-TMSI) has local significance only in the location area
    or the routing area in which user is registered. Outside that area it
    should be accompanied by appropriate LAI (Location Area Identification)
    or RAI (Routing Area Identification). Whenever the TMSI/P-TMSI is
    available, it is used to identify the user for Paging Requests,
    Location Update Requests, Attach Requests, Service Requests, Connection
    Re-Establishment and Detach Requests.
    TMSI Reallocation procedure is performed to
    allocate new TMSI/LAI pair to a user by which he mnay subsequently be
    identified over the radio link. This procedure is performed after
    ciphering has been started (discussed in later sections). The
    allocation can be explained with the MSC below:
    UE RNC VLR/SGSN<br>------ --------- ----------<br> | | |<br> | | Direct Transfer |<br> | |&lt;------------------------------|<br> | Downlink Direct Transfer | (TMUI Allocation Command, |<br> |&lt;---------------------------------| TMUIn, LAIn ) |<br> | (TMUI Allocation Command) | |<br> | | |<br> | Uplink Direct Transfer | |<br> |---------------------------------&gt;| |<br> | (TMUI Allocation Complete) | Direct Transfer |<br> | |------------------------------&gt;|<br> | | (TMUI Allocation Complete) |<br> | | |<br></pre>

    Before VLR initiates this procedure, it generates
    new TMSI and stores the association between IMSI and TMSI in the
    database. It then sends the new TMSI using the <i>Temporary Mobile User Identification</i>
    (TMUI) Allocation Command. Once the mobile receives this message, it
    deletes the old TMSI and sends a response back to the VLR. Upon
    reception of TMUI Allocation Complete, VLR removes the associatino
    between the IMSI and the old TMSI
    </td></tr></tbody></table>

  2. # ADS
    Circuit advertisement
    Join Date
    Always
    Location
    Advertising world
    Posts
    Many
     

Bookmarks

Bookmarks

Posting Rules

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •