cdma2000 Packet Data Security Assessment, Christopher Carroll, Verizon Wireless, April 11, 2001


1

cdma2000 Packet Data Security Assessment

Christopher Carroll
Verizon Wireless

April 11, 2001

2

Security Issues

• MN-AAAh Secret not defined
– Cryptographically strong MN-AAAh key defined
• Mobile IP Key Distribution not defined
– MN-HA key and MN-FA key key agreement defined
• Radio Access Layer security not supported
– Access Terminal (AT) key defined

3

Agenda

• Entity vs. Message Authentication
• Mobile IP Security
– Message authentication codes
• AAA Recommendations
– MN-AAA Key Bootstrapping
– MIP key distribution
– Radio Access Layer Security

4

Why Packet Data Security?

- 802.11 Flaws published!
- “The Security of data transmitted on a wireless data service was a critical adoption issue. It appears that many felt that wireless data could be more vulnerable to interception than if transmitted over a wired connection.”

Verizon Wireless Data Service Qualitative Research Report (In Focus Marketing, September 2000)

5

TR-45 Challenge-Response Entity Authentication

[Diagram labels: Cell Site; Subscriber Telephone; 32-bit Challenge (Question); 18-bit Response (Answer); SSD-A (twice)]

6

TR-45 Entity Authentication

[Diagram labels: CAVE Hash Function; SSD-A; ESN; Dialed Digits; Random Challenge; MIN; 18-bit Response]

7

Radius Entity Authentication

[Diagram labels: MD5 Hash Function; MN-AAAh key; NAI; Registration Request; Random Challenge; MN-HA Auth. Ext.; 128-bit Response]

8

Pseudo-random Number Generator

[Diagram labels: MD5; MN-AAAh Key 1, MN-AAAh Key 2, MN-AAAh Key 3, MN-AAAh Key n; bit strings 010110100 . . . , 001010001 . . . , 110010110 . . . , 101011000 . . .]

9

Radius Authentication

[Diagram labels: Library; Book; Page/word; MD5; MN-AAAh Key; Challenge; Secret Response]

10

Mobile IP Message Authentication

[Diagram labels: Hash Function (MD5); message “Send packets To IP address: 123.197.8.17”; Secret Key; 128-bit MAC]

11

Entity vs. Message Authentication

Entity:
• Verify identity of an entity
• Prove shared secret
• Vulnerable to Replay attack
• CHAP, MN-AAA Authentication Ext.

Message:
• Prevent manipulation of message
• Prove message sent from entity
• Vulnerable to Replay attack
• MIP Authenticator

12

Preventing Replay Attack (between MN and HA)

[Diagram labels: Hash Function (Keyed MD5); Registration Request Message; MN-HA Key; Freshness (Randomness and/or nonce); Identification Field; 128-bit MAC]

13

Challenge Extension

• Allows FA/PDSN or AAA server to authenticate the MN

• 32-bit (at least) Random Challenge issued by FA/PDSN in Agent Advertisement.

• MN includes Challenge before MN-AAA authentication Ext.

• Leverage randomness to generate MN-HA and MN-FA keys

14

Preventing Replay Attack (between MN and FA/PDSN)

[Diagram labels: Hash Function (Keyed MD5); Registration Request Message; MN-FA Key; Freshness (Randomness and/or nonce); Identification Field; Challenge Ext. 32-bit Randomness; 128-bit MAC (may be reduced in length)]
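
The Challenge Extension replay check described on the two slides above, as an added example that is not part of the original presentation. It assumes prefix+suffix keyed MD5 (key || data || key) and a simplified message layout rather than the Mobile IP wire format; the class, function names and sample request are hypothetical.

```python
import hashlib
import hmac
import secrets

def keyed_md5(key: bytes, data: bytes) -> bytes:
    # Assumed mode: prefix+suffix keyed MD5, giving a 128-bit MAC.
    return hashlib.md5(key + data + key).digest()

class ForeignAgent:
    """Issues 32-bit challenges and accepts each one at most once."""

    def __init__(self, mn_fa_key: bytes):
        self.key = mn_fa_key
        self.outstanding = set()          # challenges advertised, not yet used

    def advertise(self) -> bytes:
        challenge = secrets.token_bytes(4)    # 32-bit random challenge
        self.outstanding.add(challenge)
        return challenge

    def verify(self, request: bytes, challenge: bytes, mac: bytes) -> str:
        if challenge not in self.outstanding:
            return "reject: stale or unknown challenge"
        expected = keyed_md5(self.key, request + challenge)
        if not hmac.compare_digest(expected, mac):
            return "reject: bad authenticator"
        self.outstanding.discard(challenge)   # freshness: one use only
        return "accept"

def mobile_node_mac(key: bytes, request: bytes, challenge: bytes) -> bytes:
    # The MN binds the advertised challenge into the authenticator.
    return keyed_md5(key, request + challenge)

def demo():
    key = secrets.token_bytes(16)             # constructed 128-bit MN-FA key
    fa = ForeignAgent(key)
    request = b"REGISTRATION-REQUEST nai=user@example.net"   # constructed
    challenge = fa.advertise()
    mac = mobile_node_mac(key, request, challenge)
    first = fa.verify(request, challenge, mac)
    replayed = fa.verify(request, challenge, mac)   # same bytes sent again
    fresh = fa.advertise()
    altered = fa.verify(request + b"x", fresh,
                        mobile_node_mac(key, request, fresh))
    return first, replayed, altered, len(mac)
```
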

15

AAA Authentication Extension

[Diagram labels: MN; HA; FA; PDSN; AAAh; Registration Request; NAI Extension; Mobile-Home Authentication Extension; MN-FA Challenge Extension; MN-AAA Authentication Extension; Mobile-Home Authenticator; MN-AAA Authenticator]

16

Mobile IPv4 using Radius AAA

[Message sequence diagram. Entities: AAAH; MN; AAAL; HA; FA. Labels:]

Agent Advertisement: Challenge Extension
Verify MN-AAA Authenticator (CHAP)
Registration Request: NAI Extension, Mobile-Home Authentication Ext., Challenge Extension, MN-AAA Authentication Extension
Registration Request: NAI, Challenge Extension, MN-AAA Authentication Extension (CHAP Response)
Registration Request: NAI Extension, Mobile-Home Authentication Ext., Foreign-Home Authentication Ext. (optional)
Access Accept
Verify Mobile-Home and/or Foreign-Home Authenticator
MN-AAA Auth. Ext. (CHAP Response), Challenge Extension

17

Password Cracking Attack

[Diagram labels: Library; Book; Page/word; MD5; UNIX Password; Challenge; Secret Response]

Size of Library (Secret Space) significantly reduced by user-selected Books (secrets).

18

1xEV Password Cracking

[Diagram labels: MN; FA; Hacker; Agent Advertisement (Challenge Extension); Registration Request (MN-AAA Authenticator, MN-HA Authenticator)]

Intercepts Challenge, Authenticator, and Other Registration info.

Password Cracking Attack:
1) Dictionary
2) Brute Force Exhaustive Search

19

MN-AAAh Key

• Shared secret between MN and AAAh must be cryptographically strong.

• MN-AAAh key field must be 128 bits long.

• MN-AAAh key must be at least 90 bits long.

• MN-AAAh key shall not be shared with the HA or any FA.

20

Internet Password Cracking

[Diagram labels: FA; HA; IP Packet Sniffer; Registration Request (MN-HA Authenticator); Registration Response (MN-HA Authenticator)]

Intercepts Challenge, Authenticator, and Other Registration info.

Password Cracking Attack:
1) Dictionary
2) Brute Force Exhaustive Search

21

MN-HA Key

• Shared secret between MN and HA must be cryptographically strong.

• MN-HA key field must be 128 bits long.

• MN-HA key must be at least 90 bits long.

• MN-HA key may be derived from the MN-AAAh key using a one-way function.

• MN-HA must protect the Registration Request message.

22

MN-FA Key

• Currently optional in 1xEV.
• Use MN-FA key to establish Radio Access Layer SAs.
• Shared secret between MN and FA must be cryptographically strong.
• MN-FA key field must be 128 bits long.
• MN-FA key must be at least 90 bits long.
• MN-FA key may be derived from the MN-AAAh key using a one-way function.
• MN-FA key can be used to generate Access Terminal (AT) key.

23

Mobile IPv4 Security

• Message Authentication Only
– Provided by Security Associations (SA)
• Mobile-Home Authentication Extension
– Mobile-Home Secret Key
• Mobile-Foreign Authentication Extension
– Mobile-Foreign Secret Key
• Foreign-Home Authentication Extension
– Foreign-Home Secret Key
• Only Manual Key Distribution mandatory
• Optional – DH, RSA, Secret key distribution
• No Encryption / Privacy
• IS-835 supplemented with IPsec (no end-to-end privacy)

24

MIP Bootstrapping Problem

• IS-835 AAA doesn’t have defined scalable MN-AAAh / MN-HA key distribution process!

• Initial key distribution (Bootstrap) common problem for any security system.

• 3GPP2/TR-45 can’t let history repeat – CAVE A-key distribution problem.

• WWW download, manufacturer pre-load/EDI, smart cards, OTASP, Manual.

25

Multi-layer Encryption

[Diagram labels: BANK; AES 128-bit Stream Cipher; SSL 128-bit IDEA Encryption; IPsec 112-bit Triple DES Encryption; MN; AT; 1xEV DO BS; FA; PDSN; HA]

26

DIAMETER MN-FA Key Distribution

[Message sequence diagram. Entities: AAAh; MN; AAAL; HA; FA. Labels:]

Generate MN-FA key; Encrypt with AAAh-FA key; Encrypt with AAAh-MN key
(MN-FA key) AAAh-FA Encrypted, (MN-FA key) AAAh-MN Encrypted (shown twice)
(MN-FA key) AAAh-MN Encrypted

27

Diameter MIP Key Distribution Problems

• MIP key is transmitted over-the-air
– vulnerable to cryptanalysis
• Additional key management (AAAh-FA secret)
• Inefficient - AAAh encrypts MIP key twice
• Redundant – AAA to PDSN interface will be protected
• Slow – MN must register before MN-FA key delivered.

28

Diameter Problem #1 (Rogue FA)
(IETF-AAA Registration Keys for Mobile IP)

[Diagram labels: AAAh; PDSN; MN]

MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)

PDSN recovers MN Encryption Pad using the following technique:

MN Encryption Pad == MN-FA key XOR (MN-FA key XOR MN Encryption Pad)

Assuming that MN Home IP Address remains constant

PDSN can recover MN-FA key used with other FAs.

29

Diameter Problem #2 (Fixed Mask)

[Diagram labels: PDSN; MN]

MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)

PDSN sends MN-FA key XOR MN Encryption Pad

Attacker combines MN-FA Update #1 with #2:

Delta MN-FA key == ((MN-FA key #1 XOR MN Encryption Pad) XOR (MN-FA key #2 XOR MN Encryption Pad))

Assuming that MN Home IP Address remains constant

Password protects Mask - Possible cryptanalysis of MN-FA Authentication
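
The two Diameter problems above, worked through as an added example that is not part of the original presentation. It assumes the pad inputs are plainly concatenated; the secret, home address and keys are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import secrets

def encryption_pad(mn_aaah_secret: bytes, home_ip: bytes) -> bytes:
    # Pad as written on the slides: MD5(MN-AAAh secret, MN Home IP, MN-AAAh secret).
    # Every input is constant while the home address is constant.
    return hashlib.md5(mn_aaah_secret + home_ip + mn_aaah_secret).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(mn_fa_key: bytes, mn_aaah_secret: bytes, home_ip: bytes) -> bytes:
    # What is delivered toward the MN: MN-FA key XOR MN Encryption Pad.
    return xor(mn_fa_key, encryption_pad(mn_aaah_secret, home_ip))

def demo():
    secret = secrets.token_bytes(16)          # constructed MN-AAAh secret
    home_ip = bytes([10, 0, 0, 7])            # constructed, unchanging home IP
    key1 = secrets.token_bytes(16)            # MN-FA key #1
    key2 = secrets.token_bytes(16)            # MN-FA key #2
    update1 = wrap_key(key1, secret, home_ip)
    update2 = wrap_key(key2, secret, home_ip)

    # Problem #1: the first PDSN is given key1 in the clear and relays
    # update1, so the pad falls out, and with it any key sent under that pad.
    pad_at_pdsn = xor(key1, update1)
    key2_at_pdsn = xor(update2, pad_at_pdsn)

    # Problem #2: with no key at all, two updates XOR to key1 XOR key2,
    # because the fixed pad cancels.
    delta = xor(update1, update2)

    return {
        "pad_recovered": pad_at_pdsn == encryption_pad(secret, home_ip),
        "other_key_recovered": key2_at_pdsn == key2,
        "pad_cancels": delta == xor(key1, key2),
    }
```
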

30

AAA Registration Keys for Mobile IP Enhancement

MN-HA key == MD5 (MN-AAAh key, NAI, HA IP address, Randomness)

MN-FA key == MD5 (MN-AAAh key, NAI, FA IP address, Randomness)

Assuming that MIP Keys are derived from root MN-AAAh key

Deliver Randomness in Unsolicited MN-FA or MN-HA Key From AAA Subtype (instead of encrypted key)

Deliver keys to FA or HA in MIP Key Attribute.

[Attribute layout labels: Lifetime; AAA SPI; FA or HA SPI; MN-FA or MN-HA key Randomness]

31

Proposed 1xEV MIP Cryptographic Key Hierarchy

[Diagram labels: MN-AAAh Key (Root Secret key); MN-FA Key; MN-HA Key; FA-HA Key; 128-bits (shown three times)]

• Bootstrap MN-AAAh key
• MN-HA key = MD5 (MN-AAAh key || MN NAI || HA IP address || Challenge)
• MN-FA key = MD5 (MN-AAAh key || MN NAI || FA IP address || Challenge)

32

Simple, Efficient, and Secure MIP Key Agreement

• MN-HA or MN-FA key are not exposed to the Air Interface
• Over-the-Air cryptanalysis precluded
• Based on GSM, TR-45, 3GPP, and 3GPP2 key agreement techniques – proven key distribution method.
• No additional Air Interface Overhead
• MIP key generation within MN and AAAh independently
• Vendor Specific MIP Key Attribute enables network delivery to HA or FA

33

MN-FA Key Agreement

[Message sequence diagram. Entities: AAAh; MN; AAAL; HA; FA. Labels:]

Challenge Extension
MN-FA key generated based on Challenge and MN-AAAh key.
Generate MN-FA key based on Challenge and MN-AAAh key. Include in MIP Key Attribute
Access Accept: (MN-FA key) MIP Key Attribute (shown twice)

34

MN-HA Key Agreement

[Message sequence diagram. Entities: AAAh; MN; HA. Labels:]

Directed Agent Advertisement: Challenge Extension
MN-HA key generated based on Challenge and MN-AAAh key.
Generate MN-HA key based on Challenge and MN-AAAh key. Include in MIP Key Attribute
Access Accept: (MN-HA key) MIP Key Attribute
(MN-HA key) MIP Key Attribute

35

“Directed” Agent Advertisement

• Preference to assign Reserved bit in Agent Advertisement as “MN-HA Update” bit.
• IETF approval could take years.
• Alternative – use MN Home IP address as the Agent Advertisement Destination Address (or globally defined IP address).

• Agent Advertisement currently uses “all systems on this link” or “limited broadcast” as destination address.

• MN-HA key only updated when MN directed by HA.

36

1xEV Cryptographic Key Hierarchy

[Diagram labels: Packet Data Root Secret key; MN-AAAh Key; MN-HA Key; MN-FA Key; AT key; FTCAuthKey; RTCAuthKey; FTCEncKey; RTCEncKey; A-key / NIA Hash; 1xRTT OTASP or AAA Update; Manufacturer Preload; WWW Download; MIP Layer keys; 1xEV DO Access Layer Encryption And Integrity keys; 128-bits (shown three times)]

37

1xEV DO MIM Attack

[Diagram labels: MN; PDSN; MIM Device; FALSE PDSN; FALSE MN; D-H Key Exchange (shown twice); UATI; MIM UATI; Registration Request (NAI); Session Hijack - Packet Injection; Packet Injection and/or Information Extraction]

38

Access Terminal (AT) Key

• Protects the MN-HA or MN-FA key from disclosure to Rogue AT.

• Enables Access Layer Privacy and Message Authentication.

• Shared secret between AT and RAN must be cryptographically strong.

• AT key field must be 128 bits long.

• AT key = MD5 (MN-HA key || UATI).

• AT key = MD5 (MN-FA key || UATI).
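
The key hierarchy from the "Proposed 1xEV MIP Cryptographic Key Hierarchy" slide and the AT key formulas above, as an added example that is not part of the original presentation. It assumes "||" means plain byte concatenation; the NAI, addresses, UATI and function names are constructed for illustration.

```python
import hashlib
import secrets

def md5_concat(*parts: bytes) -> bytes:
    # Assumption: "a || b || c" on the slides is plain byte concatenation.
    return hashlib.md5(b"".join(parts)).digest()

def derive_mip_key(mn_aaah_key, nai, agent_ip, challenge):
    # MN-HA key when agent_ip is the HA address,
    # MN-FA key when agent_ip is the FA address.
    return md5_concat(mn_aaah_key, nai, agent_ip, challenge)

def derive_at_key(mip_key, uati):
    # AT key = MD5(MN-HA key || UATI) or MD5(MN-FA key || UATI)
    return md5_concat(mip_key, uati)

def demo():
    root = secrets.token_bytes(16)            # constructed 128-bit MN-AAAh key
    nai = b"user@example.net"                 # constructed NAI
    ha_ip = bytes([192, 0, 2, 1])             # constructed HA address
    fa_ip = bytes([198, 51, 100, 1])          # constructed FA address
    uati = bytes.fromhex("00a1b2c3")          # constructed UATI
    challenge = secrets.token_bytes(4)        # 32-bit Challenge Extension value
    next_challenge = bytes([challenge[0] ^ 1]) + challenge[1:]

    # MN and AAAh each derive the key locally; only the challenge crosses
    # the air interface, never the key or an encrypted copy of it.
    mn_side = derive_mip_key(root, nai, fa_ip, challenge)
    aaah_side = derive_mip_key(root, nai, fa_ip, challenge)
    mn_ha = derive_mip_key(root, nai, ha_ip, challenge)
    refreshed = derive_mip_key(root, nai, fa_ip, next_challenge)
    at_key = derive_at_key(mn_side, uati)
    other_at = derive_at_key(mn_side, bytes.fromhex("00a1b2c4"))

    return {
        "both_sides_agree": mn_side == aaah_side,
        "fa_and_ha_keys_differ": mn_side != mn_ha,
        "new_challenge_new_key": refreshed != mn_side,
        "at_key_bits": len(at_key) * 8,
        "at_key_bound_to_uati": at_key != other_at,
    }
```
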

39

AT Key Generation

[Diagram labels: MN; PDSN; Laptop PC; Relay Mode Mobile Station; AT; Foreign Agent; MN-FA Key; UATI; AT Key]

40

GSM SIM vs. cdma2000 MN

[Diagram labels: UIM; HLR/AC; MS; Smart Card (computer); BS; A5 Encryption Key; A5 Key; MN; Radius AAA; MS/AT; Laptop computer; 1xEV DO BS; AT Key; Authentication Algorithm; Key Generation; Air Interface]

41

AT Key Transfer

[Diagram labels: MN; BlueTooth AT; 802.11 AT; 1xEV DO AT; 1xEV DO UATI; 802.11 Radio Access Layer ID; Bluetooth Radio Access Layer ID; AT Key (shown three times)]

42

Preventing MIM in 1xEV DO

[Diagram labels: MN; PDSN; MIM Device; FALSE PDSN; FALSE MN; D-H Key Exchange (shown twice); UATI; MIM UATI; Registration Request (NAI); Session Hijack - Packet Injection; Packet Injection and/or Information Extraction; Improper MAC (shown twice); Packet MAC Fails check – discarded (shown twice)]

43

Redundant AAA Servers

[Diagram labels: MN; HA; AT; PDSN; RAN; RAN Radius AAA; Radius AAAh; Radius AAAL; IP Layer Radius Authentication Secret; Access Layer Radius Authentication Secret]

44

Simple IP

• Define MN-AAAh secret as a cryptographically strong secret (e.g., MN-AAAh key).

• MN-AAAh key must be at least 90 bits long.

• RFC 1750 guidelines.

45

1xEV Security Solutions

• MN-AAAh Secret defined
– Cryptographically strong MN-AAAh key defined
• Mobile IP Key Distribution defined
– MN-HA key and MN-FA key key agreement defined
• Radio Access Layer security supported
– Access Terminal (AT) key defined

