Authentication

Published on June 2016 | Categories: Documents | Downloads: 37 | Comments: 0 | Views: 260
of 12
Download PDF   Embed   Report

Comments

Content

Authentication, Encryption and Voice Privacy
Document by: Rahul Chauhan
Version 1 Date: 07-08-2001 INDEX 1. Glossary of Technical Terms 2. References 3. Introduction 4. Authentication 5. NAM Programming the A-Key 6. Encryption 7. When to do Encryption? 8. Voice Privacy 9. Something about Algorithms Index for Tables and Figures 1. Table 1: Auth_Signature Parameters 2. Table 2: CAVE Table 3. Figure 1 : Auth_Signature Input Parameters 4. Figure 2:SSD Update Message 5. Figure 3:Flow Diagram to generate CMEA Key and VPM 6. Figure 4:Specification of CMEA

1 Glossary of Technical Terms
The terms are arranged in the order of their occurrence in the document. DTMF tones: DTMF stands for Dual Tone Multiple Frequency. The key pressed digits are represented by two frequencies. ORYX: ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream cipher based on three 32-bit LFSRs. It is distinct from CMEA, which is a block cipher used to encrypt the cellular data control channel. CAVE: CAVE expands to Cellular Authentication Voice and Encryption Algorithm. CMEA: CMEA is the encryption algorithm developed by the Telecommunications Industry Association to encrypt digital cellular phone data. It uses a 64-bit key and features a variable block length. CMEA is used to encrypt the control channel of cellular phones. It is distinct from ORYX, an also insecure stream cipher that is used to encrypt data transmitted over digital cellular phones. A Key: A 64-bit cryptographic key variable stored in the semi-permanent memory of the mobile station and also known to the Authentication Center (AC or HLR/AC) of the wireless system. It is entered when the mobile station is first put into service with a particular subscriber, and usually will remain unchanged unless the operator determines that its value has been compromised. The A-key is used in the SSD generation procedure. SSD: SSD is an abbreviation for Shared Secret Data. It consists of two quantities, SSD_A and SSD_B.

1

SSD_A: The SSD_A is a 64-bit binary quantity in the semi-permanent memory of the mobile station and also known to the Authentication Center. It may be shared with the serving MSC.

SSD_B: The SSD_B is used in the computation of the authentication response. A 64-bit binary quantity in the semipermanent memory of the mobile station and also known to the authentication Center. It may be shared with the serving MSC. It is used in the computation of the CMEA key, VPM (Voice Privacy Mask) and DataKey(for data services). UCRP: UCRP expands to Unique Challenge Response Procedure. This procedure is carried out when Authentication fails. IMSI IMSI is International Mobile Subscriber Identity. It is a 34-bit quantity. The first 24 LSB“s form the IMSI_S1 and the first 10 MSB“s form IMSI_S2. ESN: The 32-bit electronic serial number of the mobile station. It is unique for a mobile station. VPM: Voice Privacy Mask. This name describes a 520-bit entity that may be used for voice privacy functions as specified in wireless system standards. NAM NAM stands for Number Assignment Module. Certain important values are entered through keypad. These values are NAM parameters. The procedure to enter them into the mobile is called NAM Programming. PACA: PACA stands for Priority Access and Channel Assignment. A priority mobile station originated call for which no traffic channel or voice channel was immediately available, and which has been queued for a priority access channel assignment. This is called a PACA Call.

2 References
Standards documents for TIA/EIA-95-A, TIA/EIA-95-B, Common Cryptographic Algorithms. .

2

3 Introduction
The Cellular communications industry is booming, so it is necessary to prevent unauthorized access to cellular network, to increase security to as to maintain privacy and prevent fraud attacks. Something, which today“s computer networks are susceptible to. Cellphones identify themselves by sending identification information over the air and anyone can misappropriate others identity information to make calls or get PIN numbers sent as DTMF tones. To fight the menace of phone cloning, Authentication is must. Cellular communications are sent over a radio link and anyone with a appropriate receiver can eavesdrop over the transmission. So to make the security robust we go in for cryptography methods. That explains the need for Encryption and Voice Privacy. Hence we go in for Authentication, Encryption and Voice Privacy. In the document we are going to see how these are achieved in the CDMA system.

4 Authentication
Now we are ready to define Authentication. Authentication is the process by which information is exchanged between a mobile station and base station for the purpose of confirming the identity of the mobile station. A successful outcome of the authentication process occurs only when it can be demonstrated that the mobile station and base station possess identical sets of shared secret data.

4.1

Standard Authentication Mode

For the mobile to go into the standard authentication mode the base station (BS) fills the following fields of the Access Parameters Message (it is a part of the Overhead Parameter Messages which gives the configurations to the mobile when it latches to a CDMA system) auth = 01H rand = Some 32 bit random value. So the understanding till now is that, for the mobile to perform Authentication procedures the BS should send the mobile into standard authentication mode.

4.2

When shall Authentication be performed

Authentication is performed when the mobile is performing any of the following procedures. 1. Registration: When the mobile does autonomous registration. 2. Unique Challenge :When the mobile performs a UCRP 3. Origination: When the mobile station originates a call. 4. Terminations: When the mobile station responds with a page message. 5. Mobile Station Data: When it sends a Data Burst Message. E.g. SMS 6. Base Station Challenge: During SSD Update. 7. TMSI Assignment: When a mobile responds to a TMSI Assignment. 8. PACA Cancellation: When a mobile cancels a PACA Call. Note: Authentication procedures 7 and 8 are not there in IS-95A, since these TMSI mode of addressing and PACA call are not supported by IS-95A.These procedures are supported in IS-95B and IS-2000.

4.3

Computation of a Signature for Authentication

We will be computing a signature variable Auth_Signature, which is unique for a given set of inputs. This Auth_Signature variable is the output of the CAVE (Refer chapter 7) when we given a set of inputs specific to a procedure. Lets us call the context use of the CAVE process here as the Auth_Signature procedure.

3

4.4

Auth_Signature Input Parameters
RAND_CHALLENGE 32bits ESN 32 bits AUTH_DATA 24 bits SSD_AUTH 64bits

Auth_Signature Procedure (CAVE Algorithm)

Auth_Signature 18 bits Figure 1: The Figure shows the input,s and outputs for computation of signature variable.

The table below gives the inputs to the Auth_Signature procedure for different Authentication procedures. The parameters used will also be explained shortly. Table 1: Auth_Signature Parameters Procedure Registration Unique Challenge RAND_CHALLENGE RAND RANDU and 8 LSB“s of IMSI_S2 RAND ESN ESN ESN AUTH_DATA IMSI_S1 IMSI_S1 SSD_AUTH SSD_A SSD_A

Origination

ESN

Terminations

RAND

ESN

Fill with IMSI_S1 and overwrite with Last 6 Dialed Digits IMSI_S1

SSD_A

SSD_A

Mobile Station Data Bursts

RAND

ESN

Fill with IMSI_S1and overwrite with Digits (according to BURST_TYPE in Data Burst Message ) IMSI_S1

SSD_A

Base Station Challenge TMSI Assignment PACA Cancellation

RANDBS

ESN

SSD_A_NEW

RAND RAND

ESN ESN

IMSI_S1 IMSI_S1

SSD_A SSD_A

4

4.5

Authentication Procedures

4.5.1 Registration
Authentication is performed when the mobile attempts to send a Registration Message on the access channel. The Auth_Signature procedure is filled with the parameters as shown in the Table 1 (RAND, ESN,IMSI_S1,SSD_A). The mobile station shall then execute the Auth_Signature procedure. The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the Registration Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT. If the comparison fails meaning authentication was not successful, the base station may start a Unique Challenge Response Procedure (UCRP) or carry out a SSD update.

4.5.2 Unique Challenge Response Procedure
UCRP expands to Unique Challenge Response Procedure. This procedure is carried out when Authentication fails. The base station always initiates the UCRP procedure. The base station generates the 24-bit quantity RANDU and sends it to the mobile station in the Authentication Challenge Message. Upon receipt of the Authentication Challenge Message, the mobile station shall set the input parameters of the Auth_Signature procedure (see Table1 RAND and 8 LSB“s of IMSI_S2, ESN,IMSI_S1,SSD_A). The 24 most significant bits of the RAND_CHALLENGE input parameter shall be filled with RANDU, and the 8 least significant bits of RAND_CHALLENGE shall be filled with the 8 least significant bits of IMSI_S2. The mobile shall than execute the Auth_Signature procedure and sends the output AUTHU to the base station in Authentication Challenge Response Message. The base station than executes the same procedure at its side but at with the internally stored value of SSD_A. If the procedure fails the base station may deny service to the mobile station.

4.5.3 Mobile Station Origination
Authentication is performed, when the mobile station attempts to place a call by sending the Origination Message. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with IMSI_S1 and overwrite with Last 6 Dialed Digits, SSD_A). The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the Origination Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

4.5.4 Mobile Station Termination
The mobile station responds to a page (by sending a Page Response Message on the Access Channel), the following authentication procedures shall be performed. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN,IMSI_S1,SSD_A). The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the Page Response Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the Page Response Message shall be filled with the current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

4.5.5 Mobile Station Data Bursts
The mobile station attempts to send a data burst message, the following authentication procedures shall be performed. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with IMSI_S1 and overwrite with Digits (according to BURST_TYPEin Data Burst Message, SSD_A). The 18bit output Auth_Signature shall be used to fill the AUTHR field of the Page Response Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the

5

current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

4.5.6 Base Station Challenge
The mobile station carries out the base station challenge procedure when the base station does a SSD update. The message flow diagram (Figure 2 ) on the next page shall illustrate the procedure.

4.5.7 TMSI Assignment
The mobile station responds to a TMSI Assignment with a TMSI Assignment Completion Message. The Auth_Signature is filled with parameters shown in the Table 1 (RAND, ESN, Fill with IMSI_S1,SSD_A). The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the TMSI Assignment Completion Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

4.5.8 PACA Cancellation
When the mobile cancels a PACA call it will send a PACA Cancel Message. The Auth_Signature is filled with parameters shown in the Table 1(RAND, ESN, Fill with IMSI_S1,SSD_A). The 18-bit output Auth_Signature shall be used to fill the AUTHR field of the PACA Cancel Message. The RANDC (eight most significant bits of RAND) and COUNT fields of the message shall be filled with the current values stored in the mobile station. The base station shall execute the same procedure and compare AUTHR, RANDC and COUNT.

6

Figure 2: SSD Update Procedure
MOBILE STATION BASE STATION Base Station initiates SSD Update SSD UPDATE MESSAGE Base (Has random value RANDSSD) Inputs to SSD_Generation Procedure: A-Key (64 bits), RANDSSD, ESN (32 bits) SSD_Genaration Procedure (CAVE Process) SSD_Genaration Procedure (CAVE Process)

SSD_A_NEW

SSD_B_NEW

SSD_A_NEW

SSD_B_NEW

Base Station Challenge Procedure starts here MS generates a random number RANDBS BASE STATION CHALLENGE ORDER (RANDBS) Inputs to Auth_Signature Procedure: RANDBS, ESN, IMSI_S1, SSD_A_NEW Auth_Signature Procedure (CAVE Process) Auth_Signature Procedure (CAVE Process)

AUTHR Base Station Challenge Confirmation Order (AUTHR the Auth_Signature generated) AUTHRmobilestation = AUTHRbasestation?

AUTHR

SSD Update Confirmation Order/ SSD Update Rejection Order The MS and BS will than update the values of SSD on receiving the confirmation order

7

5 NAM Programming the A Key
From the Authentication procedures it is clear that Authentication will be successful if same copies of SSD is maintained at both the mobile station and base station. For the generation of SSD one of the input parameters is the A key. This A key is maintained at the mobile associated Authentication Center (AuC). The same copy of the A Key is entered manually (via keypad called as NAM Programming). For security, algorithms we can keep the algorithm open source and algorithm“s input secret or keep the inputs known and the algorithm secret. The standards body has gone for the former method to maintain security. We understand from Figure 2 that the inputs for SSD Generation are A Key, ESN (this number is printed on the mobile case) and RANDSSD (which is a number). For the above reasons we maintain the Akey secret and see that the value of A Key is not compromised. The standards body also prevents the manufacturer of the mobile to give any interface to view A Key and SSD.

5.1

Generating the A Key Checksum

The generation of the A-key is the responsibility of the service provider. A-keys should be chosen and managed using procedures that minimize the likelihood of compromise. The 20 A-Key digits are converted into a 64-bit representation to serve as an input to CAVE, along with the mobile station's ESN and AAV (Authentication Algorithm Version) are inputs to the CAVE. CAVE is then run in the same manner as for the Auth_Signature procedure, and its 18-bit response is the A-Key checksum. The checksum provides a check for the accuracy of the A-Key when entered into a mobile station. The checksum is returned as 6 decimal digits for entry into the mobile station. Note: Generation of the A Key checksum is external to mobile, it is generated on a system.

5.2

Why generate a A Key Checksum

The A Key is never directly entered into the mobile, since anyone with the privilege to change the A Key can do so. Hence the A Key is entered into the mobile along with the A Key checksum. This checks that we don“t make any arbitrary string of digits the A Key.

5.3

Verification of A Key

While A-key digits are being entered from a keypad, the mobile station transmitter shall be disabled. When the A-key digits are entered from a keypad, the number of digits entered is to be at least 6, and may be any number of digits up to and including 26 digits (i.e. 20 digits of A Key and 6 digits of checksum). In a case where the number of digits entered is less than 26, the leading most significant digits will be set equal to zero, in order to produce a 26-digit quantity called the ” entry value„. The verification procedure checks the accuracy of the 26 decimal digit entry value. If the verification is successful, the 64-bit pattern determined by the first 20 digits of the entry value will be written to the subscriber's semi-permanent memory as the Akey. And, the SSD_A and the SSD_B will be set to zero. Note: When the A key is changed the SSD becomes zero. When the mobile is shipped the A key stored is a string of zeros.

6 Encryption
In an effort to enhance the authentication process and to protect sensitive information (example PIN“s sent as DTMF tones), certain fields which carry these sensitive information in Traffic Channel messages are encrypted. All type specific fields in traffic channel messages will be encrypted using the CMEA process. For encryption to be carried to the mobile should be in standard authentication mode.

8

6.1

When to do Encryption?

The encryption capacity supported by the mobile software of the mobile is known in the Origination Message (MO call) and Page Response Message (MT call). The ENCRYPTION_SUPPORTED in these messages tell the encryption capacity of the mobile. The base station by sending the Channel Assignment Message turns on the initial mode. The ENCRYPT_MODE field in this message tells the mode of encryption to be used on traffic channel. If the field value is 0H than no encryption of type specific fields is to be done. If the value is 1H or 2H than CMEA or Enhanced CMEA as the case maybe, is used for encrypting the type specific fields. Encryption can be turned ON (if not done in Channel Assignment Message) or OFF after this message when on a traffic channel. Sending the General Handoff Direction Message or Extended Handoff Direction Message does this by the setting the value of the field ENCRYPT_MODE in theses messages to 1H or 0H as the case may be. Take for example the Alert with Information Message (AWI) which is sent on the forward traffic channel. The use of this message during call setup is to give a ring back tone to the calling mobile and a CLI (Caller Line Identification) to the called mobile. So AWI has different uses as the case may be. The record fields that are for ring back tone, CLI are included as the case maybe, these fields are called type specific fields. Such fields are there in all traffic channel messages like Flash with Information, Data Burst Message, DTMF etc. These type specific fields may contain DTMF tones (which can be PIN numbers), or some SMS message sent in Data Burst Message. These fields are encrypted.

7 Voice Privacy
Users claim an interest in being able to communicate among them, using Cellphones, without routine monitoring of their communications by other persons or organizations. This is Voice privacy. Voice privacy is provided in the CDMA system by means of the private long code mask used for PN spreading. Transition to this private long code mask is done only when a mobile is in the standard authentication mode and is on a traffic channel. All calls are initiated using the public long code mask for PN spreading. The mobile station user may request voice privacy during call setup using the Origination Message or Page Response Message, and during Traffic Channel operation using the Long Code Transition Request Order. To initiate a transition to the private or public long code mask, either the base station or the mobile station sends a Long Code Transition Request Order on the Traffic Channel. The mobile station or the base station responds to this with a Long Code Transition Completion Order. The base station can also cause a transition to the private or public long code mask by sending the Extended Handoff Direction Message or the General Handoff Direction Message with the PRIVATE_LCM bit set appropriately.

8 Something on Algorithms
As I said earlier, we use cryptography methods to increase the robustness of the system. The TIA standard describes four cryptographic methods for use in digital cellular systems. 1. CAVE (Cellular Authentication Voice Privacy and Encryption) algorithm. It is intended for performing authentication and key generation. 2. XOR mask for voice privacy. CDMA uses SS technique for security. 3. ORYX a stream cipher for wireless data services. 4. CMEA (Cellular Message Encryption Algorithm), a block cipher used to encrypt type specific fields on traffic channel.

8.1
1. 2. 3. 4. 5.

Uses of CAVE
CAVE is used to generate a set of cryptovariables for the Cellular Message Encryption Algorithm (CMEA) message encryption process. CAVE is used in the generation of 520 bits for the duplex voice privacy masks. The generation of a subscriber's Shared Secret Data (SSD) from his unique A-key. A procedure to verify the manual entry of the A-key. CAVE is used for Authentication procedures.

9

We will be looking into these shortly.

8.2

The CAVE Process

Lets us not get into the technicalities of the CAVE and CMEA but get a working knowledge of the CAVE process. For the core details you can always refer to TR45 Appendix A of IS-54. CAVE is a software-compatible non-linear mixing function. Its primary components are a 32-bit linear-feedback shift register (LFSR), sixteen 8-bit mixing registers, and a 256-entry lookup table. We shall call it the CAVE Table. The table is organized as two (256 x 4 bit) tables. The low order four bits of the entries comprise table 0 and the high order four bits of the entries comprise table 1.

8.2.1 Steps in CAVE operation
The algorithm operation consists of three steps: 1. An initial loading, a repeated randomization consisting of four or eight ” rounds„, and processing of the output. Initial loading consists of filling the LFSR, register stages R00 through R15, and the pointer offsets with information that is specific to the application. 2. The randomization process. The output processing utilizes the final (randomized) contents of R00 through R15 in a simple function whose result is returned to the calling process.

8.3

The CMEA Message Encryption Process

8.3.1 Steps in CMEA Process
CMEA consists of three layers. 1. The first step performs one non-linear pass on the block; this effects left-to-right diffusion. 2. The second step is a purely linear, unkeyed operation intended to make changes propagate in the opposite direction. One can think of the second step as (roughly speaking) Xoring the right half of the block onto the left half. 3. The third step performs a final nonlinear pass on the block from left to right; in fact, it is the inverse of the first step. CMEA obtains the non-linearity in the first and third layer from a 8-bit keyed lookup table known as the Tbox. The T-box calculates its 8-bit output as T (x) = C (((C (((C (((C ((x ⊕ K0) + K1) + x)⊕ K2) + K3) + x) ⊕ K4) + K5)+x) ⊕K6) + K7) + x Given input byte x and 8-byte key K0:::7. In this equation C is an unkeyed 8-bit lookup table known as the CaveTable; all operations are performed using 8-bit arithmetic. The CaveTable is given in the figure on the next page.

8.4

Generation of CMEA Key and VPM (Voice Privacy Mask)

The generation of the 8 byte CMEA Key and VPM is taken together since VPM generation is the continuation of the CMEA Key. The generation of these keys is carried out only after a global challenge and not any unique challenge. The CAVE is reinitialized with the post authentication contents and SSD_B and not SSD_A as is the case for Authentication. The CMEA key is got by running first 8 iterations of CAVE and than two 4 iterations of CAVE. In the first four round we get k1, k2, k3, k4 and in the second iteration we get the remaining bytes of the key. There on the CAVE is run for eleven more iterations beyond that of the CMEA to get the VPM.

10

Figure 3: The Flow Diagram below shows the flow to generate the CMEA Key and VPM.

11

8.4.1 Specification of CMEA
The algorithm encrypts a n-byte message P0.._1 to a cipher text C0
_1 under

the key K0..7 as follows:

Figure 4 Specification of CMEA

Step 1 à

Step 2 à Step 3 à

Here all operations are byte-wide arithmetic: + and - are addition and subtraction modulo 256, ⊕ stands for a logical bitwise exclusive or, ∨ represents a logical bitwise or, and the keyed T function is as described previously. Table 2: CAVE Table

12

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close