GSM: the security of your information.
Customers can rest assured that the security mechanisms adopted in the GSM standard ensure the confidentiality of conversations and subscriber authentication and prevent unauthorized access to the network.
Radio communication is inherently more vulnerable to wiretapping and fraud than wire communication. For example, it is very easy to impersonate someone else (and thereby force them to pay the bills!) if special security measures are not provided.
Therefore, in order to guarantee a high level of protection of information transmitted via radiotelephone, it is necessary to solve two main problems.
Firstly, to ensure protection of the radiotelephone network from unauthorized access. This is achieved by authenticating the subscriber (or his mobile station).
Secondly, to guarantee the confidentiality of user conversations. There are several options for protecting information. For example, in order to prevent eavesdropping on messages on the air, the transmission can be encrypted. The transmitted signals are protected in a similar way, thereby preventing unauthorized persons from finding out, in particular, to whom the call is addressed. Finally, it is possible to replace the subscriber identifier with a temporary pseudonym.
Confidentiality mechanisms are implemented only for the air. Within the infrastructure, messages are transmitted in plain text, as they pass through the public telephone network.
Since the mobile telephone network has a number of undeniable advantages over other means of communication, the number of its subscribers is steadily growing, and according to forecasts about 100 million users are expected in Europe alone by the end of the century.
The first mobile phone network was created 50 years ago in St. Louis, USA. The cellular principle was first proposed by Bell Labs in the USA, and was tested in different parts of the world in the 70s. In 1979, the first cellular network with a frequency range of 800 MHz began operating in Chicago.
The modern development of mobile telephone communications required the adoption of a new international standard for digital mobile telephony. As a result, a «Memorandum of Understanding» was signed, which implied the creation of a completely new communications infrastructure. The novelty of the project was to provide international roaming (the ability to use your mobile phone without losing connection when crossing a national border) and adaptability to a large number of subscribers. Previously, many networks and standards within one country made international roaming very limited.
Due to its high capacity, efficiency and open international standards, GSM became known as the Global System for Mobile Communications and was chosen as the international standard for the new digital network.
GSM provides increased traffic (phone load), full automatic roaming throughout Europe (and beyond), «seamless handover», full integration of voice and data, and compatibility with the Integrated Services Digital Network (ISDN) and other public networks. Let's look at how GSM is «built» and what enables it to offer users such a high level of service.
In order to provide communication over huge distances, a network of adjacent radio cells was created. Each cell has a base transceiver station (BTS) operating on a set of radio channels allocated to it, which differ from the radio channels used in neighboring cells. The main function of the BTS is to provide radio transmission and reception. The station may contain one or more transceivers in order to guarantee the required throughput. In this case, the cell can be omnidirectional or divided into 3 directional cells (a typical option). All base stations are logically grouped and controlled by a base station controller (BSC) for call transfer when a subscriber moves from one cell to another (the so-called handover) and power control. During a call, the mobile station «listens» to all surrounding base stations and continuously reports the quality of reception of their signals to the base station controller BSC. This allows the BSC to make an accurate decision on when to transfer the call and to which cell. GSM controls the power of mobile and base stations — this reduces the level of interference for other users of the system, and also increases battery life.
The BSC group is served by the Mobile Services Switching Centre (MSC). It routes calls to the public switched telephone network (PSTN), the Integrated Services Digital Network (ISDN) and other networks — private or public, fixed or mobile. The MSC is the connecting element of the GSM network: it is responsible for routing or switching calls from the place of origin to their destination. We can say that the MSC «manages» the call: it is responsible for the establishment, routing, control and termination of the call and its transmission between MSCs, and also for additional services and the collection of data on charges and bills. The MSC acts as an interface between the GSM network and the telephone network and data networks. It can also be connected to other MSCs of the same network and to other GSM networks.
In turn, the necessary information about subscribers is stored in databases. Information that relates a subscriber to its network (subscription levels, additional services, current or last used network and location) is stored in the Home Location Register (HLR).
The Authentication Centre (AuC) works closely with the HLR to provide the information necessary to verify the identity of the subscriber using the network. This is a mandatory protection against possible fraud, use of stolen subscriber cards or unpaid bills.
The Visitor Location Register (VLR) stores information about all subscribers who use the service in the territory served by the VLR. It tracks the location of all subscribers and keeps a record of them, making it possible to correctly route incoming calls.
Information about the type of mobile station used is stored in the Equipment Identity Register (EIR). This data can be used to identify and ban or track a mobile station if it is stolen, not approved for use, or has a fault that could affect the network.
All GSM security mechanisms are under the exclusive control of operators: users have no way to influence the use or absence of authentication, encryption, etc. Moreover, users do not always know which security functions are used by the system. On the contrary, as a rule, security services are not advertised and are not included in the paid ones. Below we offer a more detailed look at the methods of information protection used in GSM mobile networks.
Security functions
Here we will talk about authentication and encryption as means of protecting user identity.
Using a password (or PIN code, a personal identification number) is one of the simple authentication methods. It provides a very low level of protection in radio communication conditions. It is enough to hear this personal code just once to bypass the security measures. In reality, GSM uses a PIN code in combination with the SIM (Subscriber Identity Module): this PIN code is checked on the spot by the SIM itself without being transmitted over the air. In addition to it, GSM uses a more complex method, which consists of using a random number (from 0 to 2^128-1), which can only be answered by the corresponding subscriber equipment (in this case, the SIM). The essence of this method is that there are a huge number of such numbers and therefore it is unlikely that the same number will be used twice.
Fig. 1. Authentication calculation
Authentication is performed by requiring the correct answer to the following puzzle: what answer SRES can the subscriber derive from the received RAND, using the A3 algorithm with the private (secret) key Ki?
The response, called SRES (Signed RESult), is obtained in the form of a calculation result, including a secret parameter belonging to the user, called Ki (Fig. 1). The secrecy of Ki is the cornerstone of all security mechanisms — even the subscriber cannot know his own Ki. The algorithm describing the order of calculation is called the A3 algorithm. As a rule, such an algorithm is kept secret (extra precautions never hurt!).
In order to achieve the required level of security, the A3 algorithm must be a one-way function, as cryptographic experts call it. This means that calculating SRES given Ki and RAND must be easy, and the reverse action — calculating Ki given RAND and SRES — must be as difficult as possible. Of course, this is what ultimately determines the level of security. The value calculated by the A3 algorithm must be 32 bits long. Ki can have any format and length.
Encryption
Cryptographic methods make it possible to achieve a high level of security using relatively simple means. GSM uses uniform methods to protect all data, be it user information, the transmission of user-related signals (e.g. messages containing the numbers of the telephones being called), or even the transmission of system signals (e.g. messages containing the results of radio measurements to prepare for transmission). It is necessary to distinguish only between two cases: either the communication is secure (then all information can be sent in encrypted form), or the communication is unsecured (then all information is sent as an unencrypted digital sequence).
Fig. 2. Encryption and decryption
Algorithm A5 outputs an encryption sequence of 114 bits for each packet separately, taking into account the frame number and the encryption key Kc.
Both encryption and decryption are performed by applying the exclusive or operation to the 114 «coded» bits of the radio packet and a 114-bit encryption sequence generated by a special algorithm called A5. In order to obtain the encryption sequence for each packet, the A5 algorithm performs a calculation using two inputs: one is the frame number and the other is a key (called Kc) known only to the mobile station and the network (Fig. 2). Two different sequences are used in both directions of the connection: in each packet, one sequence is used for encryption at the mobile station and for decryption at the BTS, while the other sequence is used for encryption at the BTS and decryption at the mobile station.
The frame number varies from packet to packet for all types of radio channels. The Kc key is controlled by the signaling means and usually changes with each message. This key is not made public, but since it changes frequently, it does not need such strong protection as the Ki key; for example, Kc can be freely read from the SIM.
The A5 algorithm needs to be established internationally, since it needs to be implemented in every base station (as well as in any mobile equipment) to support MS roaming. Currently, only one A5 algorithm is established for use in all countries. Currently, base stations can support three main variants of the A5 algorithm: A5/1 — the most secure algorithm used in most countries; A5/2 — a less secure algorithm implemented in countries where strong cryptography is undesirable; A5/3 — no encryption. The A5/1 algorithm is used in Russia. For security reasons, its description is not published. This algorithm is the property of the GSM MoU. However, its external specifications are made public, and it can be thought of as a “black box” that accepts a 22-bit parameter and a 64-bit parameter in order to create 114-bit sequences. As with the A3 authentication algorithm, the level of protection offered by the A5 algorithm is determined by the complexity of the inverse calculation, i.e. the calculation of Kc given two 114-bit encryption sequences and the frame number.
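The per-packet XOR scheme described above, as an added example that is not part of the original article. Because the A5 description is not published, SHAKE-128 stands in for the «black box» here; the function names and the sample key and bursts are constructed for illustration.

```python
import hashlib

BURST_BITS = 114   # «coded» bits carried by one radio packet
FRAME_BITS = 22    # width of the frame-number input
KC_BITS = 64       # width of the encryption key Kc
MASK = (1 << BURST_BITS) - 1


def keystream_pair(kc: int, frame_number: int) -> tuple:
    """Stand-in for A5 (NOT the real algorithm): two 114-bit sequences,
    one per direction, derived from Kc and the frame number."""
    if not 0 <= kc < (1 << KC_BITS):
        raise ValueError("Kc must fit in 64 bits")
    if not 0 <= frame_number < (1 << FRAME_BITS):
        raise ValueError("frame number must fit in 22 bits")
    seed = kc.to_bytes(8, "big") + frame_number.to_bytes(3, "big")
    # 2 x 114 = 228 bits are needed: take 29 bytes (232 bits), drop 4 bits.
    raw = int.from_bytes(hashlib.shake_128(seed).digest(29), "big") >> 4
    return raw >> BURST_BITS, raw & MASK   # (BTS -> MS, MS -> BTS)


def xor_burst(kc: int, frame_number: int, bits: int, direction: str) -> int:
    """Encrypt or decrypt one packet; with XOR both are the same operation."""
    if not 0 <= bits <= MASK:
        raise ValueError("a packet carries at most 114 coded bits")
    downlink, uplink = keystream_pair(kc, frame_number)
    if direction == "downlink":
        return bits ^ downlink
    if direction == "uplink":
        return bits ^ uplink
    raise ValueError("direction must be 'downlink' or 'uplink'")


def keystream_reuse_xor(kc: int, frame_number: int, a: int, b: int) -> int:
    """Design check: if two packets ever shared Kc, frame number and
    direction, the sequence would cancel and a XOR b would be exposed.
    This is why the frame number must change from packet to packet."""
    ca = xor_burst(kc, frame_number, a, "uplink")
    cb = xor_burst(kc, frame_number, b, "uplink")
    return ca ^ cb


if __name__ == "__main__":
    kc = 0x0123456789ABCDEF                 # constructed sample key
    burst = int("10" * 57, 2)               # constructed 114-bit payload
    sent = xor_burst(kc, 1000, burst, "uplink")       # mobile station
    received = xor_burst(kc, 1000, sent, "uplink")    # BTS, same frame
    print("round trip ok:", received == burst)
    print("wrong frame number recovers payload:",
          xor_burst(kc, 1001, sent, "uplink") == burst)
```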
Key Management
The Kc key must be agreed upon by the mobile station and the network before encryption begins. The peculiarity of the GSM standard is that the Kc key is calculated before encryption begins during the authentication process. Then Kc is entered into the non-volatile memory inside the SIM so that it is stored there even after the end of the communication session. This key is also stored in the network and is used for encryption.
Fig. 3. Calculating Kc
Whenever a mobile station goes through the authentication process, the mobile station and the network also compute the encryption key Kc using the A8 algorithm with the same inputs RAND and Ki that are used to compute SRES using the A3 algorithm.
The A8 algorithm is used to compute Kc from RAND and Ki (Figure 3). In fact, the A3 and A8 algorithms could be implemented as a single computation. For example, as a single algorithm whose output consists of 96 bits: 32 bits to generate SRES and 64 bits to generate Kc.
It should also be noted that the length of the significant part of the Kc key, as output by the A8 algorithm, is set by the GSM MoU signature group and may be less than 64 bits. In this case, the significant bits are padded with zeros to ensure that all 64 bits are always used in this format.
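The challenge-response authentication and the Kc derivation described above, combined into one 96-bit computation as the text suggests; this is an added example, not code from the original article. The operator's A3/A8 algorithms are secret, so HMAC-SHA-256 is used as a stand-in one-way function; the class names, the sample IMSI and Ki, and the choice to zero the low-order bits of Kc are assumptions.

```python
import hashlib
import hmac
import secrets


def a3a8_standin(ki: bytes, rand: bytes, significant_bits: int = 64):
    """Stand-in for A3+A8 (NOT the operator algorithm).
    Returns (SRES, Kc): a 32-bit response and a 64-bit key."""
    if len(rand) != 16:
        raise ValueError("RAND must be 128 bits")
    if not 1 <= significant_bits <= 64:
        raise ValueError("significant_bits must be between 1 and 64")
    out = hmac.new(ki, rand, hashlib.sha256).digest()[:12]   # 96 bits
    sres = out[:4]
    kc = int.from_bytes(out[4:], "big")
    # Keep only the significant bits; pad the rest with zeros (assumed
    # here to be the low-order bits) so Kc is always 64 bits long.
    kc &= ~((1 << (64 - significant_bits)) - 1) & 0xFFFFFFFFFFFFFFFF
    return sres, kc.to_bytes(8, "big")


class AuthCentre:
    """Network side: holds Ki per subscriber and never transmits it."""

    def __init__(self, subscribers: dict, significant_bits: int = 64):
        self.subscribers = dict(subscribers)
        self.significant_bits = significant_bits

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)       # fresh 128-bit challenge
        sres, kc = a3a8_standin(self.subscribers[imsi], rand,
                                self.significant_bits)
        return rand, sres, kc


class Sim:
    """Mobile side: Ki stays inside; only SRES leaves the card."""

    def __init__(self, ki: bytes, significant_bits: int = 64):
        self.ki = ki
        self.significant_bits = significant_bits
        self.kc = None                       # the stored «dormant» key

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_standin(self.ki, rand, self.significant_bits)
        return sres


def authenticate(auc: AuthCentre, imsi: str, sim: Sim):
    """Only RAND and SRES cross the radio link; Ki and Kc never do."""
    rand, expected, kc_network = auc.triplet(imsi)
    ok = hmac.compare_digest(sim.respond(rand), expected)
    return ok, (kc_network if ok else None)


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    imsi = "001010123456789"                                # constructed
    auc = AuthCentre({imsi: ki}, significant_bits=54)       # sample length
    genuine = Sim(ki, significant_bits=54)
    print("genuine SIM:", authenticate(auc, imsi, genuine)[0])
    print("keys agree:", genuine.kc is not None)
    print("wrong Ki:", authenticate(auc, imsi, Sim(bytes(16), 54))[0])
```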
User Identity Protection
Encryption is very effective in protecting privacy, but it cannot be used to protect each individual radio exchange. Encryption using Kc is used only when the network knows the identity of the subscriber being spoken to. It is clear that encryption cannot be used for common channels such as BCCH, which is received simultaneously by all mobile stations in a given cell and in neighboring cells (in other words, it could only be applied with a key known to all mobile stations, which completely defeats the purpose of the security mechanism). When a mobile station moves to a special channel, there is a «bootstrapping» period during which the network does not yet know the identity of the subscriber, say, Vladimir, and therefore encryption of his message is impossible. Therefore, all signaling messages carrying information about the identity of an unspecified subscriber must be unencrypted. At this stage, any third party may overhear information about this identity. This is considered to be an infringement on Vladimir's right to privacy, so GSM has a special feature to ensure this kind of privacy.
Security is also provided by the use of a pseudonym, or TMSI (Temporary Mobile Subscriber Identity), which is used instead of the IMSI (International Mobile Subscriber Identity) subscriber identifier where possible. This pseudonym must be agreed upon in advance between the mobile station and the network.
Architecture and Protocols
The actors and protocols involved in security are essentially the same as in the case of location management, and this justifies their inclusion in a similar functional area. However, in security management the leading roles are reversed and should be assigned to the SIM on the mobile side, and to the Authentication Centre (AuC), which can be considered as part of the HLR on the network side.
The SIM and the AuC store the subscriber's Ki key. They do not transmit these keys, but perform the A3 and A8 calculations themselves. When it comes to authentication and installing the Kc key, all other types of equipment play an intermediate role.
The AuC does not participate in other functions. It can be implemented as a separate device or as a module of the HLR. The main reason for distinguishing between the AuC and the HLR in the «Technical Conditions» is to draw the attention of operators and manufacturers to the security issue. The AuC is a means of creating an additional layer of protection around the Ki keys.
The SIM is responsible for most of the security functions on the mobile side. It stores Ki, computes the operator-dependent A3/A8 algorithms, and stores the «dormant» key Kc. The existence of the SIM as a physical unit separate from the mobile equipment is one element that allows flexibility in the choice of A3/A8. Mobile equipment manufacturers do not need to know the specifications of these algorithms intended for operators. On the other hand, SIM manufacturers are obliged to implement potentially different algorithms for each of their operator customers, but the problems of competition, mass production, and distribution are fundamentally different from those in the mobile equipment market.
The SIM protects the Ki completely from being read. The chip card technology, introduced some time before GSM began producing these miniature electronic safes, was ideal for this purpose. The only access to the Ki occurs during the initial personalization phase of the SIM.
Today, the periodical press often discusses the issue of the uncontrolled sale of radio interception equipment allowing anyone to listen in on other people's cell phone conversations and view paging messages. Therefore, it should be noted that digital GSM cellular networks protect their subscribers from such a scourge. It is impossible to listen in on a specific subscriber's entire conversation. His movement from the coverage area of one base station to the coverage area of another is unpredictable. In addition, even within one cell, the switch can switch the subscriber to another radio channel.
Using a panoramic receiver (which is very expensive and not widely available), you can catch the working frequency of a radiotelephone. However, recording even a short conversation of a specific subscriber is almost impossible in the conditions in which GSM mobile operators operate today. In addition, in this case there is a factor of economic feasibility: it is much cheaper to directly connect to unprotected telephone wires and record information.
In general, we have considered in sufficient detail the means used by GSM to protect transmitted information. It remains to add that additional complications have recently appeared in this area, related to the order «On the Organization of Work to Ensure Investigative Operations on Mobile Communications Networks», issued by the Ministry of Communications of the Russian Federation.
This document resulted in the development of the «Technical Requirements for the System of Technical Means for Ensuring Functions of Operational-Investigative Activities on Mobile Radiotelephone Networks» (SORM SPRS). The «Requirements» stipulate that the system of technical means for ensuring operational-investigative activities on mobile radiotelephone networks must ensure: organization of a database for storing information on monitored mobile communication users and operational data management with the control point (CP); interaction with the CP via data transmission channels, as well as output to the control point of conversation channels for connection control; interface with 2048 kbps linear path equipment, in some cases, with physical lines; protection against unauthorized access, including protection against access by technical personnel of switching centers to communication system information; access to the database and receipt of information on the ownership of radiotelephones, indicating the exact addresses of individuals or organizations (regardless of the form of ownership) — users of mobile radiotelephone networks.
In addition, this system is designed, firstly, to control outgoing and incoming calls of mobile subscribers and outgoing calls (local, intra-zone, long-distance and international) from all subscribers to certain subscribers; secondly, to provide data on the location of controlled subscribers, mobile stations when they move along the communication system; thirdly, to maintain control over the established connection during call control transfer procedures (handover) both between base stations within one switching center and between different centers; fourthly, to control calls when providing additional communication services to subscribers, in particular, changing the direction of the call (Call Forwarding).
It is implied that this order grants greater rights to those who suffered from unauthorized wiretapping and have facts to go to court. However, according to experts, it is almost impossible to detect a working radio interceptor and detain the intruder, since the scanner is a passive device that does not give itself away by radio emission or transmitting any messages over the air.
With the approval of this order, North-West GSM encountered «certain difficulties». The digital standard used by the company does not allow the possibility of including a «third party» in a conversation. And the development of equipment for monitoring conversations in the digital standard requires large financial costs. It can be said with confidence that GSM as a federal communication standard, including advanced protection mechanisms, will require long-term work to be able to carry out operational activities. According to experts, this will require two to three years and approximately 7-15 million dollars. The fact that the financing mechanisms for SORM are uncertain gives subscribers additional confidence in the confidentiality of their cellular conversations.