Post on 31-Dec-2016
transcript
Putting LTE Security Functions to the Test:
A Framework to Evaluate Implementation Correctness
Kai Jansen
Ruhr-University Bochum
David Rupprecht
Ruhr-University Bochum
Christina Pöpper
NYU Abu Dhabi
More than 8 billion mobile subscribers
estimated for 2019 [1]
Image source: http://www.mypostcard.com/blog/wp-content/uploads/2015/06/mypostcard_app_iphone_reise_travel.jpg
3Image source: http://www.blogcdn.com/slideshows/images/slides/279/787/9/S2797879/slug/l/vacation-1.jpg
4
Eavesdropping of
unencrypted data
5
LTE provides
mutual authentication
and encryption
6
Implementation flaw:
Undermine LTE security
7
Implementation flaws in LTE
devices
Eavesdroppingon private information
Testing securityfunctions of
devices
Putting LTE Security Functions to the Test
LTE Architecture
Communication Establishment and Security Algorithms
9
LTE Architecture
User Equipment
UE
10
LTE Architecture
eNodeB
Evolved Node B
UE
11
LTE Architecture
Mobility Management Entity
eNodeB
MME
UE
12
LTE Architecture
eNodeB
Home Subscriber Server
HSS
MME
UE
13
LTE Architecture
E-UTRAN EPC
MME
HSS
eNodeB
Internet
Access Stratum (AS)Non-Access Stratum (NAS)
UE
14
Security Procedures
eNodeBUE HSSMME
1a. Authentication and Key Agreement
2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode
Command (EEAX, EIAX)
1b. Authentication
Information Request
15
Security Algorithms
eNodeBUE HSSMME1a. Authentication and Key Agreement
2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode
Command (EEAX, EIAX)
1b. Authentication
Information Request
Security algorithms are
selected by the provider
16
Security Algorithms
eNodeBUE HSSMME1a. Authentication and Key Agreement
2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode
Command (EEAX, EIAX)
1b. Authentication
Information Request
Encoding Integrity Ciphering Algorithm
X000X000 EIA0 EEA0 NULL
X001X001 128-EIA1 128-EEA1 SNOW3G
X010X010 128-EIA2 128-EEA2 AES
X011X011 128-EIA3 128-EEA3 ZUC
Security algorithms are
selected by the provider
17
Security Algorithms
eNodeBUE HSSMME1a. Authentication and Key Agreement
2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode
Command (EEAX, EIAX)
1b. Authentication
Information Request
Encoding Integrity Ciphering Algorithm
X000X000 EIA0 EEA0 NULL
X001X001 128-EIA1 128-EEA1 SNOW3G
X010X010 128-EIA2 128-EEA2 AES
X011X011 128-EIA3 128-EEA3 ZUC
Null Algorithms:
No Security
Security algorithms are
selected by the provider
18
NULL Algorithms
Encoding Integrity Ciphering Algorithm
X000X000 EIA0 EEA0 NULL
Null Integrity:
Emergency calls even
when no key is available
Image source: https://www.percona.com/sites/default/files/icons/emergency.png
19
NULL Algorithms
Encoding Integrity Ciphering Algorithm
X000X000 EIA0 EEA0 NULL
Null Encryption:
1. Ciphering indicator
2. SIM card flag
3. User interface
Framework
Design and Tests
21
Baseband
• Processor for communication: Qualcomm, HiSilicon, Mediatek, Samsung
• (Proprietary) Baseband is always exposed
Security functions are
implemented on the Baseband
22
Approach
Reverse Engineering
CMP r0, r1ADDGE r2, r2, r3ADDLT r2, r2, r4
23
Approach
Test Cases Test Cases
Fuzzing of input Validation of output
Reverse Engineering
CMP r0, r1ADDGE r2, r2, r3ADDLT r2, r2, r4
24
Approach
Test Cases Test Cases
Fuzzing of input Validation of output
Design Criteria
• Low-cost
• Automated testing
• Portability
Reverse Engineering
CMP r0, r1ADDGE r2, r2, r3ADDLT r2, r2, r4
25
Approach
Test Cases Test Cases
Fuzzing of input Validation of output
Reverse Engineering
CMP r0, r1ADDGE r2, r2, r3ADDLT r2, r2, r4
Fuzzing (our choice)
Design Criteria
• Low-cost
• Automated testing
• Portability
26
Tests
Encoding Integrity Ciphering Algorithm
X000X000 EIA0 EEA0 NULL
X011X011 128-EIA3 128-EEA3 ZUC
X100X100 EIA4 EEA4 Not specified
… … … …
• Undefined Values
• Sequence of Messages
• Ciphering Indicator with Null Encryption
eNodeBUE
MME
1. Authentication and Key Agreement
2. NAS Security Mode Command (EEAX, EIAX)
3. AS Security Mode
Command (EEAX, EIAX)
27
Framework Architecture
28
Framework Architecture
29
Framework Architecture
30
Framework Architecture
Framework Architecture
Low-Cost Hardware
• Ettus B2X0
• BladeRF
• LimeSDR
Evaluation
Analysis Results
33
ResultsNone of the devices show the
Ciphering Indicator
34
ResultsNull Integrity Algorithm:
Normal data connections
35
Results
CommercialNetworkUE
1. Authentication and Key Agreement
2. NAS Security Mode Command (EEA0, EIA0)
3. AS Security Mode Command (EEA0, EIA0)
1. Authentication and Key Agreement
Attacker
Conclusion
37
Conclusion
Implementation Flaws can
Undermine the LTE Security
• No Ciphering Indicator
• Authentication procedure
Attacker
38
Conclusion
LTE Security Testing
Framework
• Low-cost
• Software Defined Radio
• Automated testing
• Logical implementation flaws
Implementation Flaws can
Undermine the LTE Security
• No Ciphering Indicator
• Authentication procedure
Attacker
39
Conclusion
Standard Test of Security
Functions
• Standard Radio Testing
• Standard Security Testing
LTE Security Testing
Framework
• Low-cost
• Software Defined Radio
• Automated testing
• Logical implementation flaws
Implementation Flaws can
Undermine the LTE Security
• No Ciphering Indicator
• Authentication procedure
Attacker
Test Cases Test Cases
40
Thank You! Questions?
Standard Test of Security
Functions
• Standard Radio Testing
• Standard Security Testing
LTE Security Testing
Framework
• Low-cost
• Software Defined Radio
• Automated testing
• Logical implementation flaws
Implementation Flaws can
Undermine the LTE Security
• No Ciphering Indicator
• Authentication procedure
Attacker
Test Cases Test Cases
UEK
MMEHSS
K
1. Authentication Information Request(IMSI)
2. Authentication Information Answer(RAND, XRES, AUTN, KAMSE)
a) Check AUTNb) Compute RESc) Compute K AMSE
Check RES == XRES
eNodeB
1. Authentication and Key Agreement
Attach Request(IMSI)
2. NAS Security Mode Command
3. RRC Security Mode Command
1. NAS Security Mode Command(EIA, EEA, MAC(EIA,EEA))
2. NAS Security Mode CompleteMAC()
3. Authentication Request(RAND, AUTN)
4.Authentication Response(RES)
1. Initial Context Setup(KeNodeB)2. RRC Security Mode Command
(EIA, EEA, MAC(EIA,EEA))
3. RRC Security Mode CompleteMAC()
Attach Accept
Attach Complete
Backup