Overview of Cellular System

Overview of cellular system
[Figure: several base transceiver stations linked to the mobile telecommunication switching office, which connects to the public switching network]
Principles of cellular network
Cellular radio is a technique that was developed to increase the capacity available for mobile radio telephone service.
Each cell is allocated a band of frequencies and is served by a base station, consisting of a transmitter, a receiver and a control unit.
Each cell has a base transceiver. The transmission power is carefully controlled to allow communication within the cell using a given frequency while limiting the power at that frequency that escapes the cell into adjacent ones.
The objective is to reuse the same frequency in other nearby cells, thus allowing one frequency to carry multiple simultaneous conversations.
Handoff between base stations
Security Threats
Authentication - only valid users are allowed to use the network.
Privacy - ensure that a conversation cannot be listened to.
Data and Voice Integrity - ensure that voice and data traffic cannot be read or compromised while in transit.
Network and System Availability - networks must be capable of withstanding denial of service.
Physical Protection - the cell sites and equipment are deployed remotely in untrusted areas and must be protected by firewalls.
Spectrum Allocation
Frequency Division Multiple Access (FDMA) - the available spectrum is divided into channels, and each channel can be used for a single conversation.
Advanced Mobile Phone Service (AMPS) uses FDMA.
Limitations: low calling capacity, limited spectrum, poor data communications, privacy concerns, and vulnerability to fraud.
Time Division Multiple Access (TDMA) - TDMA is a digital transmission technology that allows a number of users to access a single radio frequency without interference by allocating unique time slots to each user within each channel.
Used by GSM (Europe), JDC (Japan), NADC (North America).
Code Division Multiple Access (CDMA) - CDMA is a "spread spectrum" technology, which means that it spreads the information contained in a particular signal over a much greater bandwidth than the original signal. CDMA adds a unique code onto each packet before transmission. Better security without a SIM card.
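The CDMA description above, as an added example that is not part of the original slides: a toy direct-sequence CDMA model in which each user spreads its bits with its own chip code, all users transmit on the same frequency at once, and a receiver recovers one user's bits by correlating the summed signal with that user's code. The 4-chip Walsh codes and the bit streams are constructed sample values; a real system uses far longer codes, but the mechanism is the same.

```python
"""Toy direct-sequence CDMA with orthogonal Walsh codes (added illustration)."""

# Constructed 4-chip Walsh (Hadamard) codes. They are mutually orthogonal:
# the dot product of two different codes is 0, and of a code with itself is 4.
WALSH_CODES = {
    "user_a": [1, 1, 1, 1],
    "user_b": [1, -1, 1, -1],
    "user_c": [1, 1, -1, -1],
    "user_d": [1, -1, -1, 1],
}


def spread(bits, code):
    """Map each bit to +1/-1 and multiply by the chip code.

    Every bit becomes len(code) chips, which is the bandwidth expansion
    the slide refers to.
    """
    chips = []
    for bit in bits:
        symbol = 1 if bit == 1 else -1
        chips.extend(symbol * c for c in code)
    return chips


def combine(*chip_streams):
    """Model the shared radio channel: all users transmit at once and the signals add."""
    return [sum(chips) for chips in zip(*chip_streams)]


def correlate(channel, code):
    """Correlate the received signal with one code, one bit period at a time."""
    n = len(code)
    return [
        sum(r * c for r, c in zip(channel[i:i + n], code))
        for i in range(0, len(channel), n)
    ]


def despread(channel, code):
    """Recover bits for the holder of `code`: positive correlation means a 1."""
    return [1 if corr > 0 else 0 for corr in correlate(channel, code)]


def cdma_demo():
    """Three users share one channel; each is recovered only with its own code."""
    messages = {"user_a": [1, 0, 1], "user_b": [0, 0, 1], "user_c": [1, 1, 0]}
    channel = combine(*(spread(b, WALSH_CODES[u]) for u, b in messages.items()))
    recovered = {u: despread(channel, WALSH_CODES[u]) for u in messages}
    # user_d never transmitted, so correlating with its code yields no energy at all.
    idle = correlate(channel, WALSH_CODES["user_d"])
    return {"channel": channel, "recovered": recovered, "idle_correlation": idle}


if __name__ == "__main__":
    print(cdma_demo())
```

The point a defender should take from the idle correlation of all zeros is that a receiver without the right code sees no recoverable signal, which is the basis for the slide's privacy claim; it is a separation property of the codes, not encryption, and a receiver that learns the code recovers the bits just as the intended one does.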
GSM Architecture
[Figure: mobile stations connect over the air to BTSs, which are managed by a BSC; the BSC connects to the mobile switching center, which consults the HLR, VLR, EIR and AuC]
BTS - Base transceiver station; AuC - Authentication center
BSC - Base station controller; EIR - Equipment identity register
HLR - Home location register; VLR - Visitor location register
GSM Security
A3 - an algorithm used to authenticate a handset to a GSM network.
A5/1 or A5/2 - a block cipher algorithm used to encrypt voice and data after a successful authentication.
A8 - a key generation algorithm used to generate symmetric encryption keys.
The SIM card contains:
IMSI - an electronic serial number
Individual subscriber's authentication key (Ki)
The A3 and A8 algorithms
User PIN (personal identification number) code
A3 authentication Algorithm
[Figure: A3 takes Ki (128 bit) and RAND (128 bit) as input and outputs SRES (32 bit)]
The A3 algorithm takes the RAND from the MSC and the secret key Ki from the SIM as input and generates the SRES (signed response).
A8, the voice privacy key algorithm
[Figure: A8 takes Ki (128 bit) and RAND (128 bit) as input and outputs Kc (64 bit)]
The A8 algorithm generates Kc. The BTS receives the same Kc from the MSC. The HLR was able to generate Kc because the HLR knows both the RAND and the secret key Ki.
GSM Authentication
The base station generates a 128-bit random value (RAND) and sends it to the mobile station (MS).
The MS computes the 32-bit signed response (SRES) by applying the authentication algorithm (A3) to the RAND using the individual subscriber authentication key (Ki).
Simultaneously the VLR calculates the SRES. This is easy because the VLR possesses Ki, RAND and A3.
The VLR compares the SRES value from the phone with the SRES value it calculated itself.
If both are the same, authentication is successful.
GSM Confidentiality
The SIM card contains the ciphering key generating algorithm (A8), which is used to produce the 64-bit ciphering key (Kc).
The ciphering key is computed by applying the random number RAND used in the authentication process to the ciphering key generating algorithm (A8) together with the individual subscriber authentication key (Ki).
The ciphering key is used to encrypt and decrypt the data between the mobile station and the base station.
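The A3/A8 descriptions, the authentication exchange and the Kc derivation above, as one added end-to-end simulation that is not code from the original slides. The real A3 and A8 are chosen by each operator and are not specified on these slides, so HMAC-SHA256 stand-ins are assumed here; only the interfaces follow the slides (Ki 128 bit, RAND 128 bit, SRES 32 bit, Kc 64 bit). The `Sim`, `HomeNetwork` and `vlr_authenticate` names, the IMSI and the Ki value are constructed for the example.

```python
"""GSM challenge-response authentication and Kc derivation, simulated end to end."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def a3(ki: bytes, rand: bytes) -> bytes:
    """Assumed A3 stand-in (HMAC-SHA256, truncated): (Ki, RAND) -> 32-bit SRES."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 128 bits")
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Assumed A8 stand-in (HMAC-SHA256, truncated): (Ki, RAND) -> 64-bit Kc."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 128 bits")
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """Subscriber side: holds IMSI and Ki, runs A3/A8, and never reveals Ki."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Answer a challenge: SRES goes back over the air, Kc stays on the handset."""
        return a3(self._ki, rand), a8(self._ki, rand)


class HomeNetwork:
    """AuC/HLR side: the only other holder of Ki, produces (RAND, SRES, Kc) triplets."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        """Compute the expected SRES and Kc for a fresh (or supplied) RAND."""
        ki = self._ki_by_imsi[imsi]
        rand = rand if rand is not None else secrets.token_bytes(16)
        return rand, a3(ki, rand), a8(ki, rand)


def vlr_authenticate(sim: Sim, triplet: Tuple[bytes, bytes, bytes]) -> Tuple[bool, Optional[bytes]]:
    """VLR/MSC side: send RAND, compare the handset's SRES with the expected one.

    The VLR never needs Ki itself; it only needs the triplet from the HLR.
    """
    rand, expected_sres, kc = triplet
    sres, _ = sim.respond(rand)
    if hmac.compare_digest(sres, expected_sres):
        return True, kc  # Kc is now handed to the BTS to cipher the radio link
    return False, None


def gsm_auth_demo(rand: Optional[bytes] = None) -> Dict[str, object]:
    """A genuine SIM passes and both sides agree on Kc; a SIM with another Ki fails."""
    ki = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed Ki
    imsi = "001010123456789"  # constructed test-range IMSI
    hlr = HomeNetwork()
    hlr.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    other = Sim(imsi, bytes(16))  # same IMSI but not the provisioned Ki: must fail

    t = hlr.triplet(imsi, rand)
    ok, kc_network = vlr_authenticate(genuine, t)
    _, kc_handset = genuine.respond(t[0])
    rejected, _ = vlr_authenticate(other, t)
    return {
        "genuine_ok": ok,
        "kc_match": kc_network == kc_handset,
        "other_ok": rejected,
        "sres_bits": len(t[1]) * 8,
        "kc_bits": len(t[2]) * 8,
    }


if __name__ == "__main__":
    print(gsm_auth_demo())
```

Two properties of the slides' design are visible in the code: Ki never leaves the SIM or the HLR (the VLR works only from the triplet), and Kc is never transmitted, since each side derives it independently from the same RAND. The simulation also shows the limitation of the scheme as drawn: only the handset is challenged, so the network is never authenticated to the subscriber.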