Chapter 2 - GSM

Question 1

What is GSM?

Answer 1

• 2G standard created by GSM group later 3GPP
• 900/1800/1900 MHz
• 9,6 KBit/s
  
  • Enhancement: 14,4 KBit/s uplink and 43,2 KBit/s downlink
• Cell size: 100-500m in cities, up to 35km countryside

Question 2

What services are offered by GSM?

Answer 2

• Bearer services
• Telemetric services
• Supplementary services

Question 3

What are the components of a GSM network?

Answer 3

• MS: Mobile Station
  
  • ME: Mobile Equipment (Phone)
  • SIM: Subscriber Identification Module (Smartcard)
• Serving Network:
  
  • BSS: Base Station System (All equipment belonging to one MSC)
    
    • BTS: Base Transceiver Station (Antennas/ Cell)
    • BSC: Base Station Controller - controls multiple BTS
  • MSC: Mobile Switching Center - controls multiple BSC
  • VLR: Visitor Location Register (Database)
• Home Network:
  
  • MSC
  • HLR: Home Location Register
  • AuC: Authentication Center

Question 4

Where is the long term subscriber key Ki stored?

Answer 4

On the SIM and in the AuC

Question 5

What are the tasks of the BSC and MSC?

Answer 5

BSC:
- Control multiple BTS
- Manage network resources
- Map radio channel to terrestrial channel
- Perform switching between BTS
MSC:
- Control multiple BSCs
- Route calls in the network
- Manage connections of mobile stations

Question 6

What is the difference between the VLR and HLR?

Answer 6

VLR:
- Data of all mobile stations currently registered in the network
- Phone number
- IMSI and TMSI
- Location area idenitifier
- Last MSC connected to
- HLR address
- Subscription profile
- Traffic information for billing
HLR:
- Data for each subscriber
- IMSI
- Phone number
- Pre-computed authentication vectors
- Current MSC and VLR

Question 7

How is the user identified in GSM?

Answer 7

1. MS sends cipher capabilities to BTS/BSC
2. MS sends TMSI to MSC
3. If MSC knows TMSI proceed, else: MSC requests IMSI from MS

Result: MSC knows IMSI of MS

Question 8

What is the IMSI and how is it structured?

Answer 8

International Mobile Subscriber Identifier

3 digit country code
2-3 digit mobile network code
9-10 digit mobile subscriber identification number

Question 9

What is an GSM authentication vector?

Answer 9

• RAND = 128 bit random challenge
• RES = A3 (K_i, RAND)
  
  • 32 bit expected response
  • A3 algorithm family
• Kc = A8 (K_i, RAND)
  
  • 64 bit secret encryption key

Requested by HLR from AuC, stored in HLR

Question 10

How is authentication and key agreement handled in GSM?

Answer 10

• MSC retrieves IMSI and identifies home network
• MSC requests authentication vectors from home MSC
• MSC chooses one authentication vector and and sends RAND to MS
• MS computes Kc = A8 (K_i, RAND) and RES* = A3 (K_i, RAND)
• MSC checks if RES* == RES

Question 11

How is traffic encrypted in GSM?

Answer 11

• Only on the air interface
• After AKA, Kc is known to MSC and MS
• MSC provides Kc to BTS
• A5 stream cipher family using 64 bit key (implemented on ME and BTS)
  
  • A5/0 - no encryption
  • A5/1
  • A5/2 weak version of A5/1
  • A5/3 and A5/4 based on 3G cipher KASUMI
• BTS selects A5 based on ME cipher capabilities
• BTS send cipher mode command
• MS sends cipher mode complete

Question 12

How is a handover done in GSM ?

Answer 12

• Measurement phase
  
  • MS measures signal strength
  • BSC initiates handover if another BTS is more suitable
• Initiation phase
  
  • Responsible MSC contacts new BTS
  • New channel selected
• Kc transferred to new BSC (MSC if BSC in other BSS)

Question 13

What are the main vulnerabilities of GSM?

Answer 13

• No protection of user identity privacy
• No network authentication
• A3 weak
• Some A5 weak (64 bit key insufficient)
• No integrity protection

Question 14

How does an IMSI catcher work in GSM?

Answer 14

The attacker pretends to be BTS of the home network and requests the IMSI from the MS

Question 15

How does network impersonation work in GSM?

Answer 15

The attacker impersonates a real BTS by selecting A5/0 encryption and choosing a random RAND. After the AKA the attacker can forward the traffic and eavesdrop, since no encryption is used.
This requires the attacker to have impersonate a real MSC to the GSM network

Question 16

What attacks against A5 algorithms are known?

Answer 16

• A5/2 totally broken (Kc known in couple milliseconds)
• A5/1 weak against known-plaintext attacks
• Several A5/2 ciphertext-only attacks with rainbow-tables
• A5/3 related-key attack potential

Question 17

How is network impersonation combined with broken encryption used in GSM?

Answer 17

• Attacker impersonates BTS and is connected to GSM network
• Forwards AKA to real BTS and doesnt check RES
  Method 1:
• Intercepts A5/x command from MSC
• Sends A5/2 cipher mode command to MS
• Break Kc
• Decrypt A5/2 traffic and forward A5/x traffic to MSC
  Method 2:
• Record and forward AKA and A5/x cipher mode command
• Record encrypted traffic
• Repeat AKA with MS using A5/2 to retrieve Kc
• Decrypt recorded traffic

Question 18

How is an bidding down attack done in GSM?

Answer 18

The attacker intercepts the initial cipher capabilities message and sends an A5/0 only message to the BTS. The MSC selects A5/0 after the AKA.

Question 19

How do handovers affect the security in GSM?

Answer 19

Since the same key Kc is passed on at handover, a single BTS with a broken A5/x algorithm is enough to break Kc