Mobile telephony has become an indivisible part of almost every second human being. The level of security offered for information exchanged through mobile systems, is not only a personal security issue but also a social security issue as a whole. This paper provides a brief review of the GSM and 3G security architectures. The flow of discussion starts with the analysis GSM security features. After the GSM security modules are looked into, the possible security threats to GSM are discussed. Since 3G standards were designed to overcome the flaws of GSM the focus is then shifted to the 3G security architecture. This paper then discusses the 3G security architecture keeping in mind that 3G is considered to be an enhancement over GSM.
Keywords:
IMSI, TMSI, GSM, 3G, KI, KC, MSC, BST, 3G, UMTS, AKC.
1. Introduction
Mobile communication has rapidly grown over years. Today mobile communication stands as a very substantial part of communication globe. In 1946 the first system for car-based phones was set-up in St Louis.[11].Since then mobile communication has never looked back. In 1960 IMTS (Improved Mobile telephone system) was installed. IMTS was followed by AMPS (Advanced Mobile Phone System) in 1982 and then D-AMPS (Digital voice).[11]. The exceptional growth in mobile communication has also brought along with it some serious security problems which might be at subscriber, network operator or service provider level.
In 1992 the first truly global mobile system GSM was born. GSM was designed with moderate level of service security.[12]. However close observations were made that GSM security features are incorporated keeping operator in mind .User privacy was left to the operators. In order to provide a much more secure environment to the mobile users so that they feel confident enough to place their commercial transactions and exchange sensitive information on cellular network, 3GPP (Third Generation partnership project) decided to make some subtle modifications to the GSM security standards. So came into existence 3G. As some of the security features of GSM were still pretty good, 3GPP decided to retain those features and add some new so have a complete secure system.
This paper gives a brief introduction to the GSM. After discussing the GSM security architecture, this paper highlights the possible threats and security flaws in GSM. The shortcomings in GSM security lead this paper to a introduction of 3G security architecture which is considered an enhancement of GSM.
2. GSM Architecture
Figure 2: GSM Architecture
The GSM network can be divided into three parts.
Mobile Station: MS consists of mobile equipment and the Subscriber Identity Module (SIM). The most common mobile equipment is the mobile phone. By inserting the SIM card into a cellular phone, the user is able to make calls, receive calls from that phone, and use other subscribed services like web browsing, SMS etc. The mobile equipment uniquely identifies the International Mobile Equipment Identity (IMEI). The SIM card stores the sensitive information such as the International Mobile Subscriber Identity (IMSI), KI (a secret key for authentication), and other user information. All this information may be protected by personal identity number (PIN). The SIM card itself is a smart card and is in accordance with the smart card standard. The GSM specifications sheets have the detailed information about the SIM card.
The Base Station Subsystem controls the radio transmission to the Mobile Station. The Base Station Subsystem consists of the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The Base Transceiver Station looks after the radio transceivers that define a cell and handles the over-air signaling with the Mobile Station. Larger the geographical, more are the number of BTS required. The Base Station Controller manages the radio resources for one or more BTS. It handles radio channel setup, frequency hopping, and handovers. The BSC is the connection between the mobile and the Mobile service Switching Center (MSC).
The Network Subsystem which comprises of the visitor location register (VLR), home location register (HLR), Mobile switching center and Authentication center. The Base Station Subsystem and the Network Subsystem are also called the fixed network. The MSC acts like a normal switching node of the PSTN or ISDN, and in addition serves all the functionality needed to handle a mobile subscriber, such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber. It provides the connection to the public fixed network (PSTN or ISDN). The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call routing and (possibly international) roaming capabilities of GSM. The HLR contains all the secure information of each subscriber registered in the corresponding GSM network, along with the current location of the mobile device. There is logically one HLR per GSM network, but it may be implemented as a distributed database. The Visitor Location Register contains selected administrative information from the HLR, necessary for call control and provision of the subscribed services, for each mobile currently located in the geographical area controlled by the VLR. The Equipment Identity Register (EIR) is a database that contains a list of all valid mobile equipment on the network, where each mobile station is identified by its International Mobile Equipment Identity (IMEI). In case IMEI is stolen then a note of it made in the EIR. The Authentication Center is a protected database that stores a copy of the KI stored in each subscriber's SIM card, which is used for later at the time of authentication.
3. Purpose of GSM Security:
The use of radio frequency makes GSM more prone to security attacks. The common attacks to which GSM network falls prey to are broadly classified as
Eavesdropping: The intruder eavesdrops signaling and data connections associated with other users. For doing this the intruder needs to have a modified mobile station.[4].
Impersonation of an user: In this case an unauthorized person sends signaling data on the network to misguide the network .The network has a misconception that the data is coming from the authorized user.
Impersonation of the network: This is an exactly opposite case where the intruder misguides the target user. Signaling or user data is sent to the target user, in such way that the target user believes that it has originated from a genuine network.
Man-in-the-middle attack: In this attack the intruder is intermediate between the target user and a genuine network and has the ability to eavesdrop, change, delete, re-order, replay, spoof signaling and user data messages exchanged between the network and the subscriber. [4].
To tackle these threats and prevent misuse of the resources by intruders, some security features are implemented in GSM.
4. GSM Security Model
4.1 GSM Security Features
GSM architecture has implemented the following security features
Authentication of only those subscribers that are registered.
Secure over-air data transfer through the use of encryption algorithms.
Individual subscriber authentication key KI [14].
Subscriber identity protection.
Subscriber Identity Module dependability.
Duplicate SIM are not allowed on the network.
4.2 Authentication of registered subscribers
GSM subscribers are uniquely identified on the network be means of International Mobile Subscriber identity number (IMSI). Once the user is authenticated a temporary identity number (TMSI) is assigned to the subscriber which is then used instead of the (IMSI). The purpose of this authentication security feature is to protect the network against unauthorized use. It also enables the protection of GSM subscribers by denying the possibility for intruders to impersonate authorized users.[14].
Figure 4.2: Authentication procedure
The authentication procedure shown in figure 4.2 works as follows:
The mobile station sends IMSI to the network.
The network receives the IMSI and finds the correspondent KI of that IMSI.
The network generates a 128 bit random number and sends it to the mobile station.
The mobile station calculates a signed response using the A3 algorithm, Challenge (RAND) and the KI residing in the SIM and sends it to the network.[14]
At the same time, the network has already calculated the signed response using the same algorithm and the same inputs.
The network now cross verifies the response and authenticates the subscriber.
When a new GSM subscriber turns on his phone for the first time, its IMSI (International mobile subscriber identity) is transmitted to the Authentication Center (AuC) on the network. After which, a Temporary Mobile Subscriber Identity (TMSI) is assigned to the subscriber. The IMSI is rarely transmitted after this point unless it is absolutely necessary. This prevents a potential eavesdropper from identifying a GSM user by the IMSI. The user continues to use the same TMSI, depending on the how often, location changes. Every time a location is updated, the network assigns a new temporary mobile subscriber identity (TMSI) to the mobile phone. The TMSI is stored along with the IMSI in the network. The mobile station uses the TMSI to report to the network or during call initiation. Similarly, the network uses the TMSI, to communicate with the mobile station. When switched off, the mobile station stores the TMSI on the SIM card to make sure it is available when it is switched on again.
4.3 Encryption of the data
Figure 4.3.a Cipher Key Generation
GSM makes use of a ciphering key (KC) to protect both user data and signal on the air interface. Once the user is authenticated by the network, the RAND (delivered from the network) together with the KI (from the SIM) is sent through the A8 ciphering key generating algorithm, to produce a ciphering key (KC). The A8 algorithm is stored on the SIM card. The ciphering key (KC) created by the A8 algorithm, is then used with the A5 ciphering algorithm to encipher or decipher the data. Figure 4.3.a is a black-box representation of the A8 algorithm.
Figure 4.3.b Ciphering of voice data
The pictorial representation of ciphering of voice data is shown in figure 4.3.b. The network sends a ciphering mode request command. The mobile station receives this command and starts the encryption and decryption of data. The data send is encrypted every time with a different key stream. The A5 algorithm takes the ciphering key as the input and the number of frames to be encrypted and generates a different key stream for every frame. The same KC is continuously used until and unless the mobile switching center wants to authenticate the mobile station again. If the MSC wants to do so then a new key is generated. The MS authentication is an optional procedure at the beginning of the call. It is usually skipped. So it is very likely that the KC will not change during calls. The A5 algorithm is implemented in the hardware of the mobile phone, for the encryption and decryption.[14]
4.4 Subscriber identity protection
The IMSI number is stored in the SIM card. To ensure subscriber identity confidentiality, a TMSI is assigned to the subscriber. The network sends a TMSI to the mobile station after the authentication is done. The mobile station sends a confirmation after receiving the TMSI. The TMSI is valid only in the area in which it was issued. For communications outside the location area, the Location Area Identification (LAI) is necessary in addition to the TMSI.
4.5 Smart card
A smartcard has the following fundamental components:
A random access memory (RAM)
A read-only memory part (ROM) containing the operating system.
A non volatile memory (EEPROM-electrically erasable programmable ROM)
A central processing unit (CPU).
Smartcard serves the following general-security functions
application of cryptographic functions (encipherment, decipherment and electronic signatures)
user authentication (personal identity number (PIN) or password)
device authentication with the aid of cryptographic protocols.
Figure 4.5: Smartcard chip with a 32bit-CPU [5]
The storage capacity and computing power of these mobile devices is still limited, but they provide higher security than ordinary PCs. By programming the ROM, it can store the sensitive data with very high security level. So it provides a good way to store the KI and IMSI and other sensitive user data. Figure 4.5 shows the block diagram of a smartcard chip with 32-bit CPU.[5]
4.6 GSM Security Algorithms
4.6.1 The mobile station Authentication Algorithm (A3 Algorithm)
A3 algorithm uses the 128-bit random number and 128-bit KI from SIM as inputs and generates 32-bit response. A3 algorithm is a one way hash function. A one way has hash function produces a fixed length output for a given arbitrary input. The hash functions are designed such that the input cannot decoded from the hash values. All the GSM operators in the world use an algorithm called COMP128 to do the job of A3. This COMP128 algorithm takes RAND and KI as the input 8 output and generates a 128-bit output instead of a 32-bit response. The higher 32 bits of the COMP128's output represent the signed response. Figure 4.6.1 shows the block representation of the comp-128 algorithm.
Figure 4.6.1 COMP128 Algorithm
4.6.2 The ciphering Key Generation Algorithm (A8 Algorithm)
A8 algorithm is a key generation algorithm in GSM security model. The A8 algorithm generates a 64 bit output from the two 128-bit inputs (RAND and KI). The 64 bit output of the A8 algorithm is called as the session key. As discussed above COMP128 is an algorithm that is widely used and does the job of the A8 and A3 algorithm together in one run. Out of the 128-bit output of the COMP128 algorithm lower 54 bits forms the cipher key. However COMP128 generates a 54 bit cipher key which is then appended with ten zeros to form a complete 64 bit KC. This process of converting 54 bit key to 64 bit KC is done by the A5 algorithm. This is how the A8 algorithm works. Both A3 and A8 algorithms reside in the SIM. Patched versions of COMP128 are now available (called COMP128-2 and COMP 128-3). [15].
4.6.3 The stream-ciphering algorithm (A5 Algorithm)
A5 algorithm encrypts the radio transmissions. There are three different options used in GSM, A5/0(unencrypted) or A5/1 or A5/2 to secure data. This classification was done due to the export regulations of Europe. A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions. A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. The present A5/1 algorithm can be used by countries which are members of European Conference of Post and Telecommunication Administrations (CEPT). The algorithm A5/2 is intended for any operators in countries that do not fall into the above category. The algorithms after A5/1 have been named as A5/x. Most of the A5/x algorithms are considerably weaker than the A5/1. The A5/3 Algorithm is a latest discovery. It ensures a high degree of security against eavesdropping. A5/3 is based on Kausi algorithm.
4.7 Problems with GSM Security
The algorithms used in GSM are not available publicly. Security analysts over the world believe that since these algorithms are not available to public indicate that these can be broken and are not secure. [14][15].
The GSM networks are prone to man in middle attack.
GSM encryption was heavily criticized all over the world as both A5/1 and A5/2 algorithms were developed in secret.[17]
In April 1998, the Smartcard Developer Association (SDA) and the ISAAC research group pointed out a critical glitch in the COMP128 algorithm. SDA claimed that it was possible extract KI with a few hours .Ultimately IBM researchers proposed an attack called partitioning attack. The intruder could now extract the KI if he could access the subscriber's SIM for not more than a minute [9].This lead to an emergence of a new threat called SIM cloning.[16]
On December 9, 1999 three cryptographers (Alex Biryukov, Adi Shamir and David Wagner) claimed to have cracked the strong A5/1 algorithm responsible for encrypting conversations. They proved that they can find the A5/1 key in less than a second on a single PC with 128 MB RAM and two 73 GB hard disks, by analyzing the output of the A5/1 algorithm in the first two minutes of the conversation.
Elad Barkhan, Eli Biham and Nathan Keller of Technion, the Israel Institute of Technology, showed a cipher text-only attack against A5/2 that requires only few dozen milliseconds of encrypted off-the-air traffic and finds the key in less than one second on a PC.
The ciphering is controlled by the base transceiver station. The user have no idea if the ciphering is been done or not. An intruder may set up a dummy (BTS) and can deactivate the ciphering. Now if the MS sends data in an unencrypted manner then it can be easily hacked. Figure 4.7 shows a fraud BTS setup.
Figure 4.7: Fraud BTS Setup
The encryption in GSM is only accomplished over the airway path between MS and BTS. There is not any protection over other parts of network and the information is clearly sent over the fixed parts.
In GSM, the attacker can misuse the previously exchanged messages between the subscriber and network in order to perform the replay attacks.
4.8 Possible improvement in GSM
GSM security could be improved with simple modifications in the existing structures.
One of the solutions could be using a more cryptographically secure algorithm instead of the A3 algorithm. But this solution comes with an overhead of issuing new SIM-cards to all the subscribers and updating the Home location register with the new information. This step will help to eradicate the SIM cloning attack.
Another possible improvement could be that the operators can reconstruct the A5 algorithm to serve strong encryption. However this will require a co-operation of the hardware and software manufactures as new versions of softwares and hardware will have to be released.[1]
Third solution would be to encrypt the traffic on the operator's backbone network between the network components. By doing this the attacker would be unable to wiretap the backbone network.
This solution could be implemented without the interference of the GSM consortium but will require the approbation of the hardware manufacturers.[1]
5. 3G Entry
5.1 Need for 3G?
To overcome the security drawbacks in GSM, 3GPP (Third generation Partnership project) in charge of developing standards for UMTS (Universal Mobile Telephony System ) decided to give transperancy more importance over obscurity and hence came into existance 3G.
Figure 5.1 Development of 3G security architecture
The entire focus was now on designing a much more secure system. And in order to achieve this a lot of time was spent in risk analysis. The results of the risk analyis are documented and published as a part of 3GPP specifications.[4]
5.2 Threat analysis
It was taken into consideration that mobile communication with time would go more and more commercial. New high-value services would naturally get added. This would entice the application layer attacks. Also analyst thought that, as effort we put into improving the network access security the probability of the core network being attacked will also increase.
Since the mobile radio test equipment was available in market, many attackers would make optimum use of it.
Also as this equipment was a software product it would be a cakewalk to modify this test equipment and impersonate parts of the network.
As terminal would become increasingly flexible and software-based, attacks on the terminal software and operation using rogue mobile code or viruses will become a real possibility.[8]
Based on the threat analysis, a comprehensive list of security requirements were captured and categorised. The security requirements help identify which security features need to be introduced in order to counteract the threats. The requirements capture lead to the identification of additional security features beyond those retained from GSM. Figure 5.1 shows the how the 3G security architecture was developed taking the risk factors into consideration.
Note that even though the security features were enchanced in 3G, some of the security elements of the second generation systems are retained. These include
Subscriber authetication for service access.
Radio interface encryption.However the strengh of encrytion is has been increased.
Suscriber identity is kept confidential on radio interface.
SIM has retained its significance in 3G
The operation of security features is still independent of the user.[4]
5.3 Objectives of 3G Security
The prime most objective of 3G is to ensure that user data is protected against any misuse or misappropriation
Ensure that the resources and services provided are adequately secure.
Make sure that the implementation of 3GPP security features can be modified or reworked to cope with newer threats.
Ensure that the security features are compatible with world-wide availablity and interoperability.
5.4 3G Security Features
3G incorporated changes defeat the false base station attack.
The security mechanisms include a sequence number that ensures that the mobile can identify the network. Also key lengths are increased to allow for the possibility of stronger algorithms for encryption and integrity.
Mechanisms are included to support security within and between networks.
Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch
The first version of 3GPP specifications did not contain mechanism for core network security. However, mechanisms are currently being developed within 3GPP to protect control plane communications within the core network and it is expected that these mechanisms will shortly be included in the 3GPP specifications. These mechanisms will be applicable to both IP-based communications and communications that are based on Signaling System Number 7 (SS7).
SIM toolkit security is documented in 3GPP specifications. It represents the most advanced practically realized telecommunications security.
3G systems allow services to be created using a rangeof standardized toolkits, as opposed to the situation in 2G where the services that could be offered were for the large part drawn from a fixed, standardized set.
5.5 Authentication, Encryption and Integrity Features (AKA Algorithm)
To achieve secure authentication of subscribers standardized Authentication and Key Agreement (AKA) algorithm is used in 3G.
The AKA algorithm uses universal SIM (USIM) and GSM's SIM for its working.
Figure 5.5.a: AKA Message Flow [6]
AKA algorithm operates in three stages: initiation, transfer of credentials, and challenge-response exchange. During the initiation stage of AKA, the mobile station sends International Mobile Subscriber Identity (IMSI) or Temporary Mobile Subscriber Identity of the subscriber to the VLR/MSC based on the data in the USIM. If the subscriber is authenticated by the network for the first time then IMSI has to be sent as the TMSI is not available. In the transfer of credential stage the VLR receives some authentication vectors from the home location register or the authetication center. Each authentication vector comprises of five values named RAND, XRES, CK, IK, and AUTN.RAND is the random challenge generated by AuC, XRES is the expected user response corresponding to RAND, CK is 128-bit session cipher key used for encryption, IK is 128-bit session integrity key, AUTN is the authentication token. Figure 5.5.a depicts the message flow in AKA . The values of the parameters in the authentication vector are generated using subscriber-specific 128-bit secret key K as follows:
RAND = f0(); RAND is 128-bit in Length
XRES = f2(K, RAND); XRES is 32-128 bits in Length
CK = f3(K, RAND); Cipher-key is 128 bits in Length
IK = f4(K, RAND); IK is 128 bits in Length
AUTN = SQN xor AK || AMF || MAC
MAC = f1(K, SQN || RAND || AMF)
AK = f5(K, RAND)
Where SQN is a sequence number of 48 bits;
AK is an anonymity key;
AMF is authentication management field;
MAC: Message Authetication code;
f0: random challenge generation function;
f1: network authentication function;
f2: user challenge-response authentication function;
f3: cipher key derivation function;
f4: integrity key derivation function;
f5: anonymity key derivation function;
Figure 5.5.b Authetication in USIM
In the final stage of AKA, mobile station and VLR authenticate each other. First, VLR sends one of the received <RAND, AV> combination to mobile station/ USIM. MS/USIM then calculates sequence number as follows to detect replay attacks: SQN = (SQN xor AK) xor f5(K,RAND). Then a message authentication code (MAC) is checked. After confirming, MS/USIM computes actual user response as f4(K, RAND).The visitor location register (VLR) the compares the expected used response against the actual user response. If it they are the same, MS/USIM and VLR are mutually authenticated and proceed to set up a secure channel via cipher key and integrity key. Two additional functions f8 and f9 are defined by UTMS for encryption and integrity protection.
Figure5.5.c: Function F8 [10]
UMTS standard defines two additional functions f8 and f9 respectively which are implemented using KASUMI a 128 bit block cipher. These set of cryptographic functions F0- F5, F1*, F5*, F8 and F9 are designated as Milenage.[12] The F8 function is known as the confidentality functions and F9 is the integrity function.
Figure 5.5.d : Function F9 [10]
In the 3G Security, user data and some signaling information elements are considered sensitive and may be
confidentiality protected. The need for a protected mode of transmission is fulfilled by a confidentiality function f8 as shown in Fig.5.5.c. The encryption function is applied on dedicated channels between the ME and the RNC [10].
Figure 5.5.d illustrates the use of integrity function f9 to authenticate the data integrity of an RRC signalingmessage. Input Parameters to the integrity function are COUNT, IK, FRESH and Message.[10]
5.6 Drawbacks of AKA
Although AKA was more secure than GSM as claimed by 3GPP, there still exists several weaknesses.
Sequence number: In UMTS AKA, one of the main drawbacks was the adoption of sequence numbers. Because of this the HLR had to be kept record and update a sequence number for every mobile user. The synchronization and re-synchronization involves complicated work (generation, allocation, verification, and management), especially with regard to the protection against an attack to force the sequence number wrap around and the compromise of user identity confidentiality. A thorough analysis of operational difficulty with sequence numbers is given in [3]. Several scenarios which could result in synchronization failures are discussed in [2, 3]. Once a synchronization fails, the re-synchronization procedure involves quite a few entities and network domains. Moreover, a possible crash in the database which stores the sequence numbers will cost a lot to re-establish the synchronization [2].
HE/HLR Bottleneck: In UMTS AKA, the HE/HLR is responsible for generating authentication vectors upon receipt of requests from all VLRs/SGSNs. While the number of subscribers is usually large, the HE/HLR experiences heavy authentication traffic and actually becomes the bottleneck of the entire AKA scheme. This is even worse if the mobile user roams to a far away foreign network. This issue has been studied in. Each work proposes an algorithm to investigate the traffic and determine the optimal number of authentication vectors.
Attacks in UMTS AKA: UMTS AKA is proved by BAN logic [7] in [2]. However, it has been suggested that the BAN logic is unable to deal with security flaws resulting from interleaving of protocol steps. Recently, there are two attacks found in [2]: redirection attacks, active attacks in corrupted networks. The redirection attack occurs when an adversary entices a legitimate mobile station to camp on the radio channels of the false base station. Since the authentication vectors can be used for any serving network, an adversary can intercept the vector and impersonate both the mobile user and the serving network. Consequently, the adversary can redirect user traffic to an unintended network. The active attack occurs while a network is corrupted and an adversary could forge an authentication data request from the corrupted network to obtain authentication vectors. In addition, the adversary could force the sequence number to be set in a very high value by flooding the authentication data to the home network. As a result, the adversary can start an active attack against legitimate users.
So overcome these weakesses in AKA an enhanced AKA based on vector combination (VCAKA) can be used . In UMTS AKA, each authentication vector is used only once. After that, it should be abandoned in order to defend replay attacks. In fact, we observe that a combination of two vectors can also be used for authentication in condition that this combination should also be used only once. For example, suppose (RANDi, XRESi) and (RAND2, XRES2) are two challenge-response pairs of two vectors in UMTS AKA, then (RAND xor RAND2, XRESi xor XRES2) can also be used for authentication since only the user who passes the single vector authentication can compute the correct response. Of course, extra works need to be done in order to defend replay and impersonation attacks.In this way, a size n authentication vectors can have up to (2^N - 1) combinations (including combinations with only one vector as in UMTS AKA). The HE/HLR can control the combinations allowed to be used or simply allow both the VLR/SGSN and the MS to use all combinations.
5.7 Is 3G Secure?
The 3G security definitely gives somewhat improvement over GSM. Activities like SIM cloning and eavesdropping are kept at a distance by using longer keys and more secure algorithms. Mutual authentication through the AKA algorithm prevents rogue base station attacks. However not all the security mechanisms are available in 3G. There is no support for non-repudiation and no clear access control model. The security of 3g can be evaluated on the basis of how well the key issues of availability integrity and confidentiality are served. 3G addresses the availability concerns by authenticating users and securing operators' networks. AKA is considered to be secure with the algorithms used by UMTS and CDMA2000. IP-based operator network, on the other hand, is not and IPsec use isn't mandatory. This can be a potential vulnerability and IP-based DDoS attacks on 3G operator networks may prove to be real threats. Confidentiality is perhaps the best tackled security issue by 3G. But one cannot say it has been completely dealt with. The information on 3G networks can be accessed by exploiting AKA's compatibility with GSM authentication. In 2003 Barkan, Biham, and Keller described an instant cipher-text only attack on A5/2 which exploited the fact that error-correcting codes employed in GSM reveal information about the plaintext. This attack, requiring several hours of pre-computation, needed only 8 GSM frames and recovered the key within seconds. This is also a potential threat 3G. Another possible threat is when a user is authenticated by the network for the first time TSMI is unavailable and so ISMI is transmitted. The attacker can retrieve IMSI is he has access to the operators network. In other words, despite the use of strong encryption provided by 128-bit keys and Rijndael, confidentiality objective isn't fully achieved on 3G networks.
Integrity option in 3G is only provided for signaling channels - this objective is perhaps the least achieved in availability-confidentiality-integrity framework. To sum up, from the point of view of availability-confidentiality-integrity framework, 3G systems aren't fully secure. Having said that, 3G systems are also very open and perhaps do not require high levels of security.
6. Conclusion:
The GSM networks were designed keeping in mind a
secure mobile system and they did provide a considerable level of subscriber authentication and over-the-air transmission encryption. However the GSM networks were vulnerable to some attacks targeted at different parts of the operator's network. This was because some of the algorithms and specifications leaked out and some critical glitches were found out. It was found that A5/x algorithms used for encrypting the over-the-air transmission channel are vulnerable against known-plain-text and divide-and-conquer attacks. The COMP128 algorithm used in most GSM networks as the A3/A8 algorithm does not seem to be convincing. Even if security algorithms were not broken, the GSM architecture would still be vulnerable to attacks from inside which means the attack targeting the operator's backbone network or home location register. Well aware of the shortcomings of the GSM network, 3GPP, incharge of the developing standards for Universal Mobile Telephony System introduced 3G standards. The 3G security could be considered as the enhanced version of GSM. To address risks, most security controls of GSM are retained with additional features in 3G technology. Malpractices like SIM cloning, eavesdropping are put a stop by using longer keys and secure algorithms. To achieve secure authentication of subscribers standardized Authentication and Key Agreement (AKA) algorithm is used. A set of cryptographic functions F0 t oF9 are added. Mechanisms to combating fraud in roaming situations are introduced. However all security mechanisms are not in place in 3G. 3G security deals with the issue of confidentiality in a better way as compared to GSM. But the security issues concerning availability and integrity are yet to be addressed on a satisfactory level
