Cur Suri

Network security
Introduction
Lecture 1
Security and Applied Logic Master
Adela Georgescu
Facultatea de Matematica – Informatica
Universitatea Bucuresti
Logistics
• People
Course
Adela Georgescu
[email protected]
[email protected]
Lab
Adela Georgescu
Logistics
1. Lectures
» 2h course weekly – Tuesday 8.10 - 10
» 2h lab/every 2 weeks – Tuesday 10-12
2. Grading
Ø 1,5 p lab
Ø 1,5 p lab project
Ø 2p course project
Ø 5p exam
Ø +1p bonus – for activity during lectures
3. Passing criteria
Ø ≥ 4.5p at the *inal exam
Ø ≥ 4.5p in total
• Moodle – all info and materials for course and lab

Security domains
• Computer Security - protects data and resources (usually

refers to computer systems)
• Security policies, access control, malware etc.
• Network Security - protects data during transmission and

communication
• Web Security - protection against a web attacker
• Software Security - protects the software used in a computer

system
What’s in this course?
• General security principles (today)
• Wi-Fi – security: WEP, WPA, WPA2 – protocols
• Mobile security: GSM, LTE, 5G
• Internet protocol security: TLS, IPSec

Security objectives
• C-I-A: confidentiality, integrity, availability
• Confidentiality – protected goods can only be seen by authorized persons
• Integrity - protected goods can only be modified by authorized persons
• Availability - protected goods can only be used by authorized persons

Security principles
• Criptographic
üKerkoff (open design): secret key, public algorithms
and design
üKey separation principle: use different keys for

different goals (confidentiality, integrity,
authentication)
üPrinciple of diversity: use different types of

cryptographic algorithms (avoid the same attack
against all)
Security principles
• Other principles
• Principle of simplicity: keep it simple
• Security by default: keep the default

configuration as secure as possible
Security principles
• Other principles
• Principle of minimal trust: minimize the number of
trusted entities
• Principle of the weakest link: the security of a

system is given by its weakest point
• Principiul of least privilege: grant the exact

privilege required to perform an activity
Security principles
• Principle of modularization: keep

everything modular – makes changes easier
• Defence in depth – security at different

layers
Network security
- Lecture 2.1 -
Introduction (Wireless Security)
Adela Georgescu*
Faculty of Mathematics and Computer Science
University of Bucharest
*slides belonging to Ruxandra Olimid

Contents
1. What do we learn about wireless security?
2. Why?
3. What is the difference between wireless and wired networks?
2/13
About
Wireless • Security technologies, methods, protocols

Networks
• Models, design principles
WiFi
(IEEE 802.11) • Vulnerabilities and attacks
Mobile
networks
Others
Ethical
aspects!
3/13
IEEE 802.11 Wireless LAN / Wi-Fi
Cryptography
Security
Requirements
Security
Principles
Security
Architecture
Vulnerabilities
Attacks
Security aspects only! No pure networking!
4/13
Mobile networks
Cryptography
Security
Requirements
Security
Principles
Security
Architecture
Vulnerabilities
Attacks
Security aspects only! No pure telecom!
5/13
Motivation ITU: Measuring the Information Society Report 2018
https://www.itu.int/en/ITU-D/Statistics/Pages/publications/misr2018.aspx
https://www.itu.int/en/ITU-D/Statistics/Documents/publications/misr2018/MISR-2018-Vol-1-E.pdf
7/13
Motivation
ITU: Measuring the Information Society Report 2018
https://www.itu.int/en/ITU-D/Statistics/Pages/publications/misr2018.aspx
https://www.itu.int/en/ITU-D/Statistics/Documents/publications/misr2018/MISR-2018-Vol-2-E.pdf
8/13
Motivation
HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
9/13
Motivation
10/13
Motivation
http://ruxandraolimid.weebly.com/uploads/2/0/1/0/20109229/final_lte.pdf
11/13
Motivation
https://www.krackattacks.com/
Video: https://youtu.be/Oh4WURZoR98
Paper: https://papers.mathyvanhoef.com/ccs2017.pdf
12/13
Why is wireless security different?
• In theory: not much different from the security of wired

networks
• In practice:
• Direct access to the transmission medium

• Hard to detect passive attacks
• Broadcast communication
• Dinamicity (roaming, mobility, etc.)
• Constraint devices (computing power, energy consumption,
etc.)
• Men-in-the-Middle (MitM), radio jamming
• …
13/13
Network Security
- Lecture 2.2 -
IEEE 802.11 Wireless LAN / Wi-Fi Intro
Adela Georgescu*

Contents
1. IEEE 802.11 / Wi-Fi, history, evolution
2. IEEE 802.11 Wireless LAN Architecture
2/11
About
• IEEE 802.11: technical standard (Physical layer and MAC sublayer)

for implementing Wireless LAN (WLAN) networks
• Wi-Fi: (products / equipment of) wireless network(s) implementing

the IEEE 802.11 standard; a technology based on IEEE 802.11;
trademark of the Wi-Fi Alliance
3/11
WiFi evolution
[Source: https://www.wi-fi.org/who-we-are/history ]
4/11
IEEE 802.11 Wireless LAN - Arhitecture
STA: Station Network types:

AP: Access Point • Ad-hoc
BSS: Basic Service Set
IBSS: Independent BSS
• infrastructure (with AP)
ESS: Extended Service Set
DS: Distribution System
5/11
IEEE 802.11 Wireless LAN - Arhitecture
• STA (Stations):
• Laptops, Tablets, Smartphones…
• AP (Access Point):
• A device that acts as a communication hub
• BSS (Basic Service Set):

• Identified by Service Set ID (SSID)
• Either several STAs directly connected to any other(ad-hoc - IBSS),
either several STAs connected by an AP
• ESS (Extended Service Set):

• Identified by Extended SSID (ESSID)
• Several APs connected to the same wired network
6/11
IEEE 802.11 Wireless LAN vs. OSI
[Source: https://technet.microsoft.com/pt-pt/library/cc757419(v=ws.10).aspx ]
Defines in OSI :
• Physical layer
• Media Access Control (MAC) sublayer of Data Link layer (data is
grouped in frames, error detection – FCS/CRC)
7/11
IEEE 802.11 MAC Frame Format
FCS: Frame Check Sequence

DS: Distribution System
WEP: Wired Equivalent Privacy
8/11
IEEE 802.11 MAC Frame Format
• Frame control: frame type (control - indicates start/stop/retransmit, management -
negotiation between AP and STA, or data), control information
• Duration/connection ID: channel allocation time
• Addresses: source, destination and AP MAC addresses
• Sequence control: numbering and reassembly
• Frame body: MAC Service Data Unit (MSDU) or fragment of MSDU, data
• Frame Check Sequence (FCS): 32-bit Cyclic Redundancy Check (CRC)
• Protocol version: 802.11 version

• Type: control, management, or data
• Subtype: identifies function of frame
• To DS: 1 if destined for DS
• From DS: 1 if leaving DS
• More fragments: 1 if fragments follow
• Retry: 1 if retransmission of previous frame
• Power management: 1 if transmitting station is in sleep mode
• More data: Indicates that station has more data to send
• WEP: 1 if Wired Equivalent Privacy is implemented
• Order: 1 if any data frame is sent using the strictly ordered service
9/11
IEEE 802.11 Wireless LAN / Wi-Fi
Cryptography
Security
Requirements
Security
Principles
Security
Architecture
Vulnerabilities
Attacks
Security aspects only! No pure networking!
10/11
IEEE 802.11 Security
• By default OFF
Improved security
• Authorization to AP based on MAC address
• IEEE 802.11: Wired Equivalent Privacy (WEP)

Bad designed
• IEEE 802.11i-draft: WPA (Wi-Fi Protected Access)

WEP + TKIP (Wi-Fi industry fix)
• IEEE 802.11i: Robust Security Network (RSN) /WPA2
11/11
Network Security
- Lecture 2.3 -
Wired Equivalent Privacy (WEP)
Adela Georgescu*

Contents
1. Protocol description
2. Vulnerabilities and attacks
3. Lessons to learn
2/19
• By default OFF

Improved security

Bad designed

3/19
Wired Equivalent Privacy (WEP)
• Original security mechanism IEEE 802.11 (1999)
• Deprecated since 2008, but still in use
• Interesting to study as a negative example J
[Source: https://wigle.net/stats ]
4/19
Security goals
• Data confidentiality:
• Ensures protection against eavesdropping (on the radio channel)
• Data integrity:
• Protects against message insertion and modification
• Network access control:

• Protects the use of WLAN resources
• Others:
• Exportable
• Hardware and software efficient
5/19
How WEP works?
6/19
Design idea
• Key management:
• A single key for all devices in a BSS
• Export: 40-bit keys
• Data confidentiality:
• Encryption of data frames transmitted over the wireless
communication medium using the cryptographic key
• Data integrity:
• Use of Cyclic Redundancy Check (CRC)
7/19
WEP authentication
STA AP
• Auth Challenge:
• AP sends a random challenge on 128 bits
• Auth Response:
• The STA encrypts the challenge with the secret key using
WEP and sends the encrypted text to the AP
• Auth Success:
• AP decrypts and compares the plaintext with the challenge; if
they are equal, authentication is successful
8/19
WEP Encryption (in theory)
M CRC(M)
IV || K RC4 keystream
=
IV C
• Uses RC4 IV: Initialization Vector

K: Cryptographic Key
• IV: 24 bits, K: 104 bits (40 bits) RC4: Rivest Code 4
• IV is used in counter mode (0, 1, 2, …) CRC: Cyclic Redundancy Check
9/19
WEP Encryption (in practice)
IV: Initialization Vector

PRNG: Pseudo-Random
Number
Generator
ICV: Integrity Check Value
10/19
Security issues?
11/19
Problem 1 - Authentication
Question: What can the adversary learn through a passive attack?
Answer: A passive adversary eavesdrops on the plaintext ( the

challenge) și ciphertext-ul and finds out the keystream for a given IV:
𝑐 ⨁𝑚 = 𝑚⨁𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚⨁𝑚 = 𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚
Question: Is authentication secure (it can be forged)?
Answer: No, it is not secure! The adversary knows the keystream

for a given IV. He reuses the IV, XORs the challenge with the
keystream found as before and returns a valid ciphertext to the AP.
12/19
Problem 1 - Authentication
Question: Is this mutual authentication?
Answer: No! The AP is not authenticated to STA.
Question: Why is this a a problem?
Answer: : In general, the absence of mutual authentication enables

the emergence of rogue APs (a false AP that sends challenges and
receives answers)
13/19
Problem 2 - Linearity
Question: If there is no CRC, can the adversary change certain bits in
the clear message as desired?
Answer: Yes!
• intercept c; change c to 𝑐′ = 𝑐⨁𝑚′ and send c’ instead of c
• at destination:
𝑐 ! ⨁𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚 = 𝑐⨁𝑚! ⨁𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚 = 𝑚⨁𝑘⨁𝑚′ ⨁𝑘 = 𝑚⨁𝑚′
CRC is linear: for any m1, m2, CRC(m1 ⨁ m2) = CRC(m1) ⨁ F(m2)
This allows an adversary to modify the ciphertext (by xor-ing with some
desired value) and, due to linearity, modify the CRC accordingly
CRC provides no integrity (against intended attacks), it is only

an error correction-mechanism (unintended attacks)! 14/19
Problem 3 – Re-use of the same IV
Question: What happens when using the same IV for a fixed key K?
Answer: we get the same keystream (since RC4 is deterministic!)
Question: Can we say that WEP is secure?

Answer: No!
𝑐1 = 𝑚1||𝐶𝑅𝐶(𝑚1) ⨁𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚
c2 = 𝑚2||𝐶𝑅𝐶 𝑚2 ⨁𝑘𝑒𝑦𝑠𝑡𝑟𝑒𝑎𝑚
⇒ c1⨁𝑐2 = 𝑚1||𝐶𝑅𝐶(𝑚1)⨁𝑚2||𝐶𝑅𝐶 𝑚2
This reveals information about m1 and m2
Question: How many possible values can IV take?
Answer: Only 224 !
(IV will repeat every few hours; moreover, IV is reset to 0 at every
power cycle) 15/19
Other problems…
• RC4 is not a secure PRG! Weak keys, attacks,…
• Replay attacks (there is no protection mechanism) …
• Message injection (if keystream is known for a given IV)
• Man-in-the-Middle (MitM): directly, by recovering the key, or by

using rogue AP (open auth. mode)
16/19
Recovering the key
• 5-10 seconds for finding

the key on 104 biți
• …
[Video: https://www.youtube.com/watch?v=JDG9ZAmfIBs ]
17/19
Design WEP…
• Clear design goals
• Open standard
• Use of well-known and studied cryptographic primitives
• Public review / analysis / competition
18/19
Lessons to learn…
• Difficult to design a secure protocol
• Use well-known and analisyed cryptographic primitives
• Make the protocol public (Kerckhoffs’s principle); public security

analysis is important
• Use clear definitions and security proofs
19/19
Network Security
- Lecture 3 -
Wi-Fi Protected Access (WPA)
Adela Georgescu*

Contents
1. Improvements on WEP
2. Description
2/15
• By default OFF

Improved security

Bad designed

• WPA3
3/15
Wi-Fi Protected Access (WPA)
• Wi-Fi industry fix of Wi-Fi Alliance (802.11i-draft) – easy to
adopt solution
• WEP + Temporal Key Integrity Protocol (TKIP)
• Deprecated since 2014, but still in use
4/15
Recall WEP
• No confidentiality:
• short IV ⇒ reuse of keystream RC4
• Key recovery (< 60 seconds)
• No integrity:
• CRC is not a MAC!
• No protection against replay attack

• No key management:
• Unique key (104 biți) for encrypting messages
• Unique key used by all WLAN users
5/15
Improvements on WEP
• Encryption:
• TKIP to improve WEP encryption (e.g., a new key for every
packet/frame)
• Posibility to use AES (optional, not all the devices could handle AES)
• Integrity:
• Michael, a new algorithm
• Authentication:
• 802.1X (initially defined for Ethernet networks, later adopted for
802.11 WLAN)
• 802.11 - optional 802.1X authentication, WPA – mandatory 802.1X
authentication
• Key generation and distribution:

• 802.1X
6/15
TKIP
(Temporary Key Integrity Protocol)
TKIP (Temporary Key Integrity Protocol)
Base key
Transmitter Key RC4 key
MAC Address Mixing
Packet seq.
/counter (48 bits) WEP ciphertext
MIC key
Transmitter MIC
MAC Address Michael ||
Receiver
MAC Address
plaintext
8/15
TKIP for transmission
[Source: Course book, Edney &Arbaugh, Chapter 11]
9/7
TKIP for reception
10/7
Michael MIC key
Transmitter
Michael MIC (8 bytes)
MAC Address
Receiver
MAC Address
plaintext
• MIC key: 64 bits
• Output: 64 bits (8 bytes)
• Problem: 20 bits security level;

Question: Why is this a problem?
Answer: Adversary can try random MIC with probability one in a
million to guess a valid one (220 = 1048576).
Solution? Limitation of MIC verification by the adversary (delay of 1
min. when detecting attacks). A new problem arises : DoS!
11/15
TKIP – Key Mixing
(per session)
(bytes)
(bytes)
[Source: IEEE 802.11i Overview http://ieee802.org/16/liaison/docs/80211-05_0123r1.pdf ]
12/15
TKIP (Temporary Key Integrity Protocol)
• Temporary keys:
• 2 mixing stages
• Equipment dependent, via transmitter MAC address
• Dependent on packet sequence (48 bits, not 24 as IV had in WEP)
• Goal:
• Avoid keystream reuse (keys become temporary) / collision attacks are
avoided
• Avoid packet retransmission on IV reuse (possible space now becomes 248) /
replay attacks
13/15
TKIP (Temporary Key Integrity Protocol) – key
mixing
14/7
generation
• Pairwise keys – communication between STA and AP
• Group keys – for broadcast messages
• Preshared keys – pre-installed on STA and AP

• Server-based keys – derived in upper-layer authentication
15/7
generation
• PMK (Pairwise Master Key) / 2 variants:

• pre-shared key, 256 bits
• 802.1X PMK is unique for every STA, sent by the authentication
server to the AP (upper layer authentication)
• Base key / PTK (Pairwise Transient Key) – computed by STA

and AP:
𝑃𝑇𝐾 = 𝑓(𝑃𝑀𝐾, 𝑁𝑜𝑛𝑐𝑒𝐴𝑃, 𝑁𝑜𝑛𝑐𝑒𝑆𝑇𝐴, 𝑀𝐴𝐶𝐴𝑃 , 𝑀𝐴𝐶𝑆𝑇𝐴)
16/15
TKIP (Temporary Key Integrity Protocol) – 4-way
handshake
• allows STA and AP to

exchange nonces for
computing temporal keys
[Source: https://www.wifi-professionals.com/2019/01/4-way-handshake]
17/7
TKIP Pairwise Key Hierarchy
Input (base) key in the

key mixing process
18/15
TKIP Key Hierarchy
𝑃𝑇𝐾 = 𝑓(𝑃𝑀𝐾, 𝑁𝑜𝑛𝑐𝑒𝐴𝑃, 𝑁𝑜𝑛𝑐𝑒𝑆𝑇𝐴, 𝑀𝐴𝐶𝐴𝑃 , 𝑀𝐴𝐶𝑆𝑇𝐴) 𝐺𝑇𝐾 = 𝑓(𝐺𝑀𝐾, 𝑁𝑜𝑛𝑐𝑒𝐴𝑃, 𝑀𝐴𝐶𝐴𝑃 )

Pairwise Key Hierarchy Group Key Hierarchy
19/15
*Group Key Hierarchy: folosit la broadcast communication
WPA design
• It tries to address all WEP issues
• Limited by device capabilities (software upgrade)
• Compatible with 802.11i (WPA as draft 802.11i)
20/15
Network Security
- Lecture 4.1 -
802.1X & EAPOL
Adela Georgescu*

Outline
1. 802.1X architecture
2. EAPOL authentication
2/8
802.1X
• Standard initially defined for Ethernet networks, later on adopted for
802.11 WLAN
• Defines access control in the network (port-based), but also offers

authenticated access in the network
• Extensible Authentication Protocol (EAP) over LAN (EAPOL) is an

authentication mechanism Point to Point Protocol (PPP) adopted
for LAN.
• 802.1X uses EAPOL for transmitting messages between entitites.
3/8
IEEE 802.1X architecture
• Supplicant:
• An entity who requests the services
(wants to join the network); e.g.: a laptop
• Authenticator:
• An entity who controls access before
granting access to services; e.g.: an AP
• Authentication Server:
• Makes authorization decisions e.g.:
sometimes inside AP but more often
through RADIUS (Remote
Authentication Dial-In User Service)
4/8
5/8

EAPOL Authentication Sequence
EAPOL Authentication
• Generic framework for authentication
• Encapsulates specific protocols (e.g., TLS, AKA)
• Goal: prove that both entities know the same secret
• 4 specific messages: Request, Response, Success, Failure
6/8
EAPOL Encapsulation
[Source: https://en.wikipedia.org/wiki/IEEE_802.1X ]
[Source: Course book, Edney &Arbaugh, Chapter 8] 7/8

RADIUS
• Remote Authentication Dial In User Service (RADIUS)
• Defines:
– A set of functionalities common across authentication servers
– A protocol that allows accesing these functionalities
• Specified by IETF
• EAP over RADIUS extension (RFC2869)
• Challenge-response mechanism
8/8
Network Security
- Lecture 4.2 -
IEEE 802.11i RSN / WPA2
Adela Georgescu*

Outline
• RNS
• CCMP
• Key Hierarchy
• Security / Attacks
3
• By default OFF

Improved security

Bad designed

• WPA3
4/15
Wi-Fi Protected Access II (WPA2)
• Introduced by the Wi-Fi Alliance in 2004 as a long-term solution
to replace WEP
• Known as 802.11i
• Used until the introduction of WPA3 (although key

reinstallation attacks were published in 2017)
5/15
Robust Security Network (RSN)
RSN: a protocol for establishing a secure communication over 802.11 wireless networks
RSN Information Element (IE): data structure for advertising and negotiating security
capabilities
Advertise WLAN
security policy
Select cipher, AKM

(Authentication and
Key Management)
[Source: He and Mitchell Security Analysis and Improvements for IEEE 802.11i
suite from advertised
https://theory.stanford.edu/~jcm/papers/NDSS05.pdf ]
6
Robust Security Network (RSN)
Backward
compatibility with
WEP!
If the cryptosystems
are broken, easily
change to new ones!
RSN IE
[Source: 802.11i Overview doc.: IEEE 802.11-04/0123r1]

7
Security Goals Tries to address all known WEP Problems
• Reply detection
Packet Number (PN), replay counter
• Key management protocols

Similar to WPA, discussed in more details
• Access control
Uses 802.1X architecture
8
Security Goals Tries to address all known WEP Problems
Authenticated encryption using CTR

mode and CBC-MAC assumes 128-
bit blocks and a single crypto key
• Confidentiality
Uses Advanced Encryption Standard (AES), instead of RC4
• Message integrity and authentication

Uses 128 bits Counter Mode with CBC-MAC Protocol (CCMP)
9
CCM Mode
• Authenticated encryption (with associated data) combining CTR
mode and CBC-MAC:
• appends a CBC-MAC on the header, length of the header and plaintext
• encrypts in CTR mode (plaintext blocks with 1,2,3… and MIC with counter
value 0)
• Uses a single crypto key (temporal key shared by STA and AP) and
assumes 128-bit blocks
10
CCM Mode
1) Unencrypted MPDU; MAC
header contains source and
destination addresses;
2) CCMP header (32 bits) is
constructed
3) MIC is computed to protect
fields from the MAC header,
the CCMP header and the
data
4) Data and MIC are encrypted;
CCMP header is pre-
appended
5) MAC header is pre-appended
11
CCMP MPDU Format
12
CCM Mode
constructed
data
CCMP header is pre-
appended
13
CCMP Header
Purposes:
• Provides the Packet Number (PN) that provides replay protection and gives to the receiver
the nonce required for decryption
• In case of multicast, it gives to the receiver the group key used for encryption
• Packet Number (PN): 48 bits (6

bytes)
• 1: indicates RSN
• KeyID: to select the group key
id (from max.4 provisioned) [Source: Course book, Edney &Arbaugh, Chapter 12]
14
CCM Mode
constructed
data
CCMP header is pre-
appended
15
MIC Computation
• Uses CBC-MAC, with a starting block – see CCMP Encapsulation slide
• 64-bit (8 bytes) MIC, so last 64 bits are discarded
Starting block (IV) is formed in a

special way:
• Flag: 01011001 (fixed)
• Nonce: contains both the PN and
the source address to assure
uniqueness (the PN could have
been already used by one of the
two communicating parties in
another conversation); priority
might refer to different streams
(audio, video, etc.);
• DLen: length of the data
16
CCM Mode
constructed
data
CCMP header is pre-
appended
17
Encryption
• Uses CTR-AES
Counter block (PL0,PL1…):

• Flag: 01011001 (fixed)
• Nonce: contains both the PN and the
source address to assure uniqueness
(the PN could have been already
used by one of the two
communicating parties in another
conversation); priority might refer to
different streams (audio, video, etc.);
• Ctr: starts at 1 and increases
18
CCMP Encapsulation
CBC-MAC
CTR-AES
More details in the course book – Edney & Arbaugh, Chapter 12

19
Key hierarchy (TKIP vs CCMP)

Pairwise
Group
TKIP CCMP 20
Pairwise CCMP Key Hierarchy
• Pairwise Master Key (PMK):

• 256 bits, symmetric key
• Preshared or server supplied by upper
layers (e.g.: authentication server sends
to AP)
• Pairwise Transient Key (PTK): [Source: Course book, Edney &Arbaugh, Chapter 10]
𝑃𝑇𝐾 = 𝑓(𝑃𝑀𝐾, 𝑁𝑜𝑛𝑐𝑒𝐴, 𝑁𝑜𝑛𝑐𝑒𝐵, 𝐴, 𝐵)

• Temporal Keys:
• Up to 3 keys (128 bits):
• EAPOL-keys: encryption key, integrity key
• Data encryption and data integrity key (a single key!)
21
Group CCMP Key Hierarchy
• Used for multi- and broadcast communication
• Group Master Key (GMK):

• 256 bits, symmetric key
• Generated by the AP
• Group Transient Keys (GTK):

𝐺𝑇𝐾 = 𝑓(𝐺𝑀𝐾, 𝑁𝑜𝑛𝑐𝑒, 𝐴𝑃)
• Temporal Key:
• Encryption and integrity key 128 bits
(a single key!)
22
802.11 Key Derivation Function (KDF)
PTK ← KDF(PMK, min 𝐴𝑑𝑑𝑟!" , 𝐴𝑑𝑑𝑟#$! || max 𝐴𝑑𝑑𝑟!" , 𝐴𝑑𝑑𝑟#$! , max{𝑁!" , 𝑁#$! }))
• KDF is based on HMAC-SHA-1
23
4-Way Handshake protocol
EAPOL MICKey
(KCK)
AA: Authenticator Address

SPA: Supplicant Address
ANonce: nonce generated by Encrypted data communication follows
the Authenticator (AP)
SNonce: nonce generated by
the Supplicant (STA) [Source: He and Mitchell Security Analysis and Improvements for IEEE 802.11i
sn: sequence number https://theory.stanford.edu/~jcm/papers/NDSS05.pdf ]
24
4WHS properties
• No forward secrecy
• PMK + MACs + Nonces enough to derive PTK
• Can decrypt old recorded communication sessions
• Vulnerable to dictionary attacks

• If PMK derived from weak password
• Capture MACs + Nonces → guess password → derive PMK
25
Group Key Generation and Distribution
EAPOL EncrKey (KEK)
EAPOL MICKey (KCK)

Encryption data communication follows
SA: Supplicant Address
ANonce: nonce generated by
the Supplicant (STA) [Source: He and Mitchell Security Analysis and Improvements for IEEE 802.11i
sn: sequence number https://theory.stanford.edu/~jcm/papers/NDSS05.pdf ]
26
RSN/WPA2
Association Overview
RSN IE: RSN Identification
Element (set of capabilities)
the Supplicant (STA)
27
RSN/WPA2
28
RSN/WPA2
Both parties
prove to know the
same MSK

SNonce: nonce generated by Remember 802.1x
the Supplicant (STA) [Source: Course book, Edney
&Arbaugh, Chapter 8]
29
RSN/WPA2
30
Security / Attacks
• CCM Mode: theoretical security proof
[Jonsson, J. (2003, January). On the security of CTR+ CBC-MAC. In SelectedAreas in Cryptography(pp. 76-93). Springer Berlin Heidelberg]
• In practice: does the security proof model applies to the protocol?
https://www.krackattacks.com/
Paper: https://papers.mathyvanhoef.com/ccs2017.pdf
Video: https://youtu.be/Oh4WURZoR98
31
WPA2
• We will look into WPA3 next time
32
Network Security
- Lecture 5 -
WPA3
Adela Georgescu*

Outline
• WPA2 security issues
• Introduce WPA3
• SAE
• Dragonfly Handshake
• Attacks / Vulnerabilities
2
WPA2-PSK: Problem 1 – Scalability, Dynamicity
• The same value PSK (=PMK) for all entities in WLAN
Hash 4096 Output

times length
• If PMK is derived from password, then
PMK ← PBKDF2(password, SSID, 4096, 256)

[Generate PMK from passphrase: http://jorisvr.nl/wpapsk.html ]
• Question: What are the problems here?
• Answer:
• PSK has to be manually installed on APs and STAs, so it is not

scalable
• When changing the password, all equipment must be updated
• If one piece of equipment is compromised, all are compromised
WPA2-PSK: Problem 2 - Insider Attack
• Question: Why WPA2-PSK is vulnerable to insider attack?
https://theory.stanford.edu/~jcm/papers/NDSS05.pdf
• Hint:
[Source: He and Mitchell Security Analysis and

Improvements for IEEE 802.11i
• Answer: An insider can eavesdrop on the nonce values and
determine the CCMP key, so both confidentiality and integrity are
compromised
]
WPA2-PSK: Problem 3 - Outsider Attack
• Question: Why is WPA2-PSK vulnerable (outsider attack) if PSK is a

weak password?
• Answer: It is vulnerable to dictionary attack

WPA2-Enterprise
password password
{pwd}
Client Access point Server
Authentication
Key transport
4WHS
[Slide ack: Håkon Jacobsen]

RSN/
WPA2
Authentication
Key transport

SA: Supplicant Address 4WHS
Upper-layer Authentication
Authentication
• Methods that can be used for authentication in RSN:

• Protected EAP (PEAP)
• Transport Layer Security (TLS) – default for WPA
• GSM-SIM
• … (many others)
WPA3 - Changes
• WPA3 Personal and WPA3 Enterprise

• Introduces Simultaneous Authentication of Equals (SAE) to replace
the pre-shared key exchange
• SAE is a variant of the Dragonfly Handshake
• Enterprise: must offer at least 192 bits of security (e.g., 384-bit EC)
• Enforces 802.11w – security of management frames (e.g., radio
management, QoS)
10
The Dragonfly Handshake
• Is a Password Authenticated Key Exchange (PAKE)
• Starts with a password and generates a higher entropy key
• Supports Elliptic Curve Cryptography (ECC)
• Has 2 phases:
• Commit
• Confirm
11
WPA3 – SAE
Handshake
[Source: Vanhoef, M. and Ronen, E., 2020,
May. Dragonblood: Analyzing the Dragonfly
Handshake of WPA3 and EAP-pwd. In 2020
IEEE Symposium on Security and Privacy
(SP) (pp. 517-533). IEEE.]
P: Password
k: the final / negotiated key
(k is further used in the 4WH, as
in WPA2; i.e. k is like the PMK)
12
WPA3 – Security
against a
dictionary attack
[Source: Vanhoef, M. and Ronen, E., 2020,
May. Dragonblood: Analyzing the Dragonfly
Handshake of WPA3 and EAP-pwd. In 2020
IEEE Symposium on Security and Privacy
(SP) (pp. 517-533). IEEE.]
P: Password
k: the final / negotiated key
Remember: WPA2 was vulnerable

to a dictionary attack by capturing
a handshake.
WPA3 offers protection, why?
13
Backward compatibility
• Scenario: both WPA2 and WPA3 are supported, and the same
password is used
• WPA3 has some detection of downgrade to WPA2 (at changing the AP
capabilities in the RSN IE), but this does not help (until detection, a
handshake capture already makes the password vulnerable to a
dictionary attack in WPA2).
[Source: Vanhoef, M. and Ronen, E., 2020, May. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In 2020 IEEE
Symposium on Security and Privacy (SP) (pp. 517-533). IEEE.]
14
Other problems
• DoS: spoof commit frames to the AP (the AP will have to do too many
verifications)
• Timing attacks, side-channels attacks (mostly caused by how the pre-
shared password is encoded into a group element in the Dragonfly
handshake)
[Source: Vanhoef, M. and Ronen, E., 2020, May. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In 2020 IEEE
Symposium on Security and Privacy (SP) (pp. 517-533). IEEE.]
15
16
https://wpa3.mathyvanhoef.com/
Dragonblood (2020)
WiFi Networks
• We have now finished studying WiFi security
17
Network Security
- Lecture 6 -
TLS
Adela Georgescu
Outline
1. Security levels
2. TLS
2/8
Security levels
TLS
Accepts / denies proofs of identity

Authentication Layer Delegates power to the Access Control Layer
once approved for an entity
Communicates to the Authentication Layer to
IEEE 802.1x know when to open security contexts
Access Control Layer Stops any data to/from entities without a
security context
Advertises capabilities
Deals with raw communication
Wireless LAN Layer Encrypts / decrypts data (if security context is
established)
IEEE 802.11
TLS
• First versions: SSL – Netscape (1995) – SSL 3.0 most well-known
• TLS 1.0 – 1999; TLS 1.1 – 2006; TLS 1.2 – 2008; TLS 1.3 - 2018
4/7
[Source: https://www.ssllabs.com/ssl-pulse/]
TLS
• Provides authentication, encryption and data compression
• 2 layers: handshake protocol and record protocol

5/7
TLS 1.3 handshake
[Source: https://www.thesslstore.com/blog/tls-1-3-handshake-tls-1-2/]
6/7
TLS 1.3 handshake
7/7
TLS 1.3 handshake
• Supported ciphersuites
• TLS_AES_128_GCM_SHA256
• TLS AES 256 GCM SHA384
• TLS CHACHA20 POLY1305 SHA256
• TLS AES 128 CCM SHA256
• TLS AES 128 CCM 8 SHA256
• Transcript – all messaged sent in the protocol until the current
moment
• keys 𝑘′! and 𝑘′" only used during handshake
8/7
EAP-TLS
[Source: RFC 9190] 9/7

Network Security
- Lecture 7 -
Mobile Security
Adela Georgescu

Outline
• Intro to Mobile Security
• GSM Architecture
• GSM Security Requirements / Principles
• Vulnerabilities and Attacks
2
Evolution
[Source: Qualcomm – The Evolution of Mobile Technologies, ’14] 3

Overview
• User device
• Access network
• Radio link
• Core network
[Source: ITU EMF Guide http://emfguide.itu.int/emfguide.html]
5
GSM - Architecture
MS: Mobile Station BSS: Base Station Subsystem NSS: Network Subsystem
ME: Mobile Equipment BTS: Base Transceiver Station MSC: Mobile Services Switching Center
SIM: Subscriber Identity Module BSC: Base Station Controller HLR: Home Location Register
VLR: Visitor Location Register
EIR: Equipment Identity Register
PSTN: Public Switched Telephone Network AuC: Authentication Center 6
GSM - Arhitecture
• MS (Mobile Station):
• Consists in a Mobile Equipment (ME) and the Subscriber’s Identity Module (SIM)
• BSS (Base Station Subsystem):
• Consists in several BTSs and BSCs
• The BSC is a central element that controls the radio network, maintaining radio
connectivity with several BTSs and providing connection to the NSS
• BTS is the element to which the MS connects to in the GSM network via radio link; its
functions include signal processing, signaling, ciphering
• NSS (Network SubSystem):
• MSC is the main element of the NSS with respect to call functions, being responsible for
call control, BSS control, and interconnecting to the external networks (PSTN)
7
GSM - Arhitecture
• VLR (Visitor Location Register):
• Stores information about subscribers that are served by the MSC (it maintains copies of
the data from HLR, increasing efficiency: decreases the number of messages that are
exchanged between the MSC and the HLR)
• Usually is not independent hardware, but a software component of the MSC
• HLR (Home Location Register):
• It is the main database in GSM
• Maintains information for each subscriber: IMSI, phone no. - MSISDN (Mobile Station
International Subscriber Directory Number), available services for the subscriber,
location, etc.
• AuC (Authentication Center):
• For each subscriber, stores the permanent key Ki that is also stored in the SIM
• Generates the authentication vectors (RAND, SRES, KC) in the authentication phase
8
GSM - Arhitecture
• EIR (Equipment Identity Register):
• Keeps inventory of the devices in the mobile network, which are identified by their IMEI
• Keeps up to date 3 lists:

• White list: contains the equipment that are compliant to the operator and can
access the mobile network without any restriction
• Black list: contains the equipment that have been reported as stolen or that have
been proved to affect the network functionality, and that are restricted to access
the mobile network
• Gray list: contains the equipment that are not fully compliant to the operator, and
are allowed to access the network but there are under surveillance
9
GSM – Security Principles
Goal: GSM should be as secure as the wired network (PSTN) …
…but, security mechanisms should not have a negative impact on the
usability of the system
• Security requirements in GSM:
• Access control to the MS: provide authenticated user access to the mobile station
• Anonymity of subscribers (privacy): keep the identity of the subscribers (and their location, possibility of
linking calls, etc.) hidden to external parties
• Authentication of subscribers: subscribers must prove their identity and their right to access mobile services
• Confidentiality: maintain the confidentiality on the radio link
10
GSM – Security Principles
Weaknesses in GSM security:
• No specification about the integrity of the data

• Breaking Kerckhoffs’ principle: cryptographic algorithms were kept confidential (e.g.:
A5/1, A5/2), and their strength was not publicly tested
• Limited encryption: data is encrypted on the radio link only
• Short keys; cryptosystems are vulnerable to exhaustive search attack
• Unilateral authentication: The mobile station does not authenticate the network (only
the network authenticates the mobile station)
• Active attacks are possible; e.g.: IMSI Catchers, when an adversary masquerades a
legitimate BTS
11
Mobile Equipment (ME)
• Identification:
• IMEI (International Mobile Equipment Identity), a number
used to identify the mobile phone; it is printed on the
device, and it can be displayed by dialing *#06#
• IMEISV (IMEI Software Version) discards the check digit
from the IMEI and adds 2 digits SVN (Software Version
Number)
• Access control:
• IMEI can be used to deny connectivity to the network for stolen phones based
on a blacklist stored by the operator
• Biometric authentication; e.g.: fingerprint recognition, voice recognition
• Screen unlock mechanisms; e.g.: codes, patterns
12
SIM Card
• Identification:
• IMSI (International Mobile Subscriber Identity), a global unique identifier for
the subscriber (≅15 digits)
• ICCID (Integrated Circuit Card ID) it is the identifier of the SIM itself and
printed on the SIM card
• Access control:
• PIN (Personal Identification Number), a sequence of numbers required to unlock the SIM card
• PUK (Personal Unlocking Key), a code required when the PIN has been introduced incorrectly
several times
IMSI (International Mobile Subscriber Identity)
MCC MNC MSIN
(Mobile Country Code) (Mobile Network Code) (Mobile Subscriber Identification Number)
- 3 digits - - 2 digits (EU) / 3 digits (US) -
242 (Norway) 01 (Telenor) / 02 (Telia) XXXXXXXXXX
226 (Romania) 01 (Vodafone) / 10 (Orange) XXXXXXXXXX
List of MCCs and MNCs: http://mcc-mnc.com/ 13

SIM Card
• Authentication and Confidentiality:
• IMSI (International Mobile Subscriber Identity)
• TMSI (Temporary Mobile Subscriber Identity), a temporary identity used
to restrict the sending of IMSI over the air and mitigate eavesdrop attacks
• Ki a 128-bits permanent key
• Cryptographic mechanisms: a challenge-response mechanism that uses
the permanent key for the authentication of the subscriber and a key
generation mechanism for confidentiality of communication
SIM cards must be tamper-resistant (i.e. an adversary should not be able to read / modify the
security information stored on the SIM card). Otherwise, SIM cards become vulnerable to cloning
attacks, for which the attacker creates copies of the SIM card to use in different purposes
(eavesdropping on the victim, making calls on the victim behalf, etc.)
*Terminology: Initially, the card itself was also called a SIM, later the card itself was called UICC
(Universal Integrated Circuit Card) and the SIM was considered the application running on the card
14
Anonymity of Subscribers
• Goal: Keep the identity (presence/absence in an area, location, etc.) of the subscriber private
to unauthorized parties
• A subscriber can identify itself by one of the following identifiers:

• IMSI - permanent identity
• TMSI - temporary identity
• Principles:
• Introduce the TMSI as a way to avoid IMSI exposure on the radio interface
• e.g.: IMSI uniquely identifies a subscriber, and if it intercepted it suffice to prove the
presence of the subscriber in a location
• TMSI is assigned to the MS when authenticates to the network, and it is local in the
visiting network (VLR keeps the IMSI – TMSI correspondence); the MS stores the TMSI
in the SIM to use it even after rebooting
• TMSI must be renewed at specific intervals (tradeoff with efficiency); a TMSI that is not
changed often enough can break privacy too
15
Authentication of Subscribers
• Goal: Prove the identity of the subscriber to the mobile network, and avoid unauthorized
parties to access the mobile services
• The authentication mechanism uses:

• The permanent key Ki , unique for each subscriber, that is stored:
• in the SIM card (subscriber’s side)
• in the AuC (network operator’s side)
• Cryptographic algorithms: A3 (subscriber authentication), A8 (key generation)
• Principles:
• Ki does never leave the 2 locations (SIM, AuC);
• Authentication consists in checking if the subscriber knows the correct key Ki by
using a challenge-response mechanism
• The serving network does not have access to the key Ki, so it cannot perform
authentication without help from the home network
• During authentication phase, is derived a key Kc that will be later used for encryption
16
Authentication of Subscribers
Kc = A8(Ki, RAND)
SRES / XRES = A3(Ki, RAND)
17
Authentication Triplets
• Goal: Allow the visiting network to authenticate the MS without knowing Ki and improve
efficiency by using batches of triplets
• A triplet used for authentication is
(RAND, XRES, Kc)
where XRES = A3(Ki, RAND) and Kc = A8(Ki, RAND)
• Operation:
• AuC produces batches of triplets for each MS, each with a different RAND and sends
them to the HLR
• For a single request, the VLR receives a batch of triplets from the HLR (to avoid often
communication between the VLR and the HLR)
• If the network runs out of triplets, it should request more from the HLR, but if not it is
allowed to reuse triples
18
Encryption
• Goal: Encrypt all communication between the mobile station and the BTS (both phone calls
and sensitive signaling information such as TMSI, MSISDN, etc.)
• The GSM encryption uses:

• The key Kc, derived in the authentication mechanism
• Encryption algorithm: A5 (radio encryption)
• Principles:
• Encryption is only performed on the radio link (!)
• The encryption algorithm uses as input the session ley Kc derived from the
authentication phase
• Operation:
• The key Kc is used as the encryption key for a stream cipher (LFSR-based):
Ciphertext = A5(Kc, Plaintext)
19
Encryption
• Both A5/1 and A5/2 were not public, breaking Kerckhoffs’ principle
• Encryption operates at the physical layer (Layer 1), which brings some advantages:
• Maximum amount of data is encrypted (both user and signaling data)
• The encryption algorithm can be implemented in hardware
• A5 algorithms are stream ciphers, so encryption is performed bit-by-bit
• A frame counter (22 bits) is used as an additional input together with the key Kc
• Vulnerability! The frame counter repeats every 222 frames (approx. every 3.5 hours), so the
key stream repeats if the Kc is not renewed meanwhile
• GSM is full duplex: for each frame, first 114-bit block (Block1) is used for encryption of data
that is being transmitted, and the second 114-bit block (Block2) is used for decryption of
data that is being received
20
Encryption
[Source: P.S.Pagliusi – A Contemporany Foreword on GSM Security, InfraSec '02]
21
Overview
22
Overview
23
Crypto
Key Length / Input + Output Info
Ki 128 bits Key shared between the subscriber and the network
operator, stored in the SIM and AuC
Kc 54/64 bits Secret session key, that will be used for encryption
Kc = A8(Ki, RAND)
RAND 128 bits Random challenge
SRES / XRES 32 bits Response to the challenge request / Expected
(Signed Response / Expected response to the challenge request
Response) SRES / XRES = A3(Ki, RAND)
A3, resp. A8 Input: Ki, RAND Generic algorithms for authentication, resp. key
Output: SRES, resp. Kc generation (no specific algorithms)
e.g.: COMP128 combines A3 and A5 and generates
XRES (32 bits) and Kc (54 random bits concatenated to
10 bits of 0)
Stored in the SIM
A5 Input: Kc, plaintext Class of standardized encryption algorithms:
Output: ciphertext A5/0 (no encryption), A5/1 (CEPT + USA), A5/2 (Asia),
A5/3 (Kasumi, UMTS)
Stored in the mobile equipment (not SIM!)
24
Network Security
- Lecture 8 -
Mobile Security
GSM II
Adela Georgescu

Security Principles
• Modularity:
• GSM is modular in the sense that the cryptographic algorithms can be replaced
with others, as long as maintain the same input-output structure
• A5 refers to a family of algorithms; e.g.: A5/1, A5/2, A5/3 (64 bits key Kc); A5/0
(no encryption), A5/4 (128 bits key Kc) – some used for UMTS (e.g.: A5/3)
• Standardization:
• A5 must be standardized (e.g.: MS must communicate to BTS in roaming)
• A3, A8 must not necessary be standardized, because both parties involved (the
SIM and the AuC) belong to the same network operator; however, 3GPP gave
an example algorithm set TS55.205
[ETSI TS 155 205 V9.0.0 (2010-02): link]

2
Security Principles
• Use the SIM as a security module:
• Authentication and confidentiality are performed based on a shared secret (Ki)
• The SIM stores secret information of the subscriber (Ki, IMSI) and cryptographic
algorithms (A3, A8)
• Should be tamper-resistant
• Security in the visiting network:

• The key Ki must not be shared to the visitor network
• Authentication triplets allow authentication in visitor networks
• Algorithms’ requirements:
• Statistically impossible to guess SRES
• Statistically impossible to find Ki, Kc from the eavesdropped data
• … (assumptions that exclude trivial attacks)
3
Vulnerabilities and Attacks
• Passive attacks:
• The adversary eavesdrops on the radio link and gets the IMSI
• The attack is possible because the IMSI is sent in clear over the radio link when the
MS posses no TMSI or it cannot be identified by using the TMSI
• Active attacks:
• The adversary requests the IMSI from the MS
• IMSI Catcher: the adversary masquerades a legitimate BTS and asks the MS for the
IMSI
• The attack is possible because the MS does not authenticate the network - and cell
reselection criteria is signal strength
• We will learn more on IMSI Catchers when we will study LTE
4
• Cryptanalysis:
• Key length
• the key length of Kc (54/64 bits) is too small to provide security
• Exhaustive search (brute force) can break the key in a few hours
• COMP128 was cracked in 1998 (by Wagner and Goldberg, but apparently known
before by some operators)
• Chosen plaintext attack: Ki is found when about 160 000 pairs RAND-SRES are
collected
• Possible ways to collect RAND-SRES pairs:
• Steal the SIM and connect to a phone emulator (2 to 10 hours, dependent on
the phone)
• Use a false BTS (longer in time, but does not require physical access to the
SIM)
5
• Cryptanalysis:
• A5/1 was broken in 1999 (by Biryukov, Shamir, later the attack was improved together
with Wagner)
• Time-memory trade-off:
• Pre-processing phase: Compute a large database of states and related keys
of the stream system
• Attack phase: search subsequences of the key stream in the database; if a
match is found, the state is the one in the database (with high probability)
• 2s of known plaintext (both uplink and downlink) to succeed
• A5/2 was cryptanalysed in 1999 (Goldberg, Wagner, Green), 2003 (Barkan, Biham,
Keller), etc.
6
• Radio links:
• BTS to BSC link is sometimes not wired, making it easily susceptible to
eavesdropping
• Possible because GSM security does NOT consider encryption beyond the BTS-
BSC link (but only on the MS – BTS radio link)
• Engineering attacks:
• Attacks against the chip card, side-channel attacks
• Software attacks
• Optionality:
• Encryption was introduced as an optional feature
• Very few terminals inform the user if encryption is taking place or not
7
Network Security
- Lecture 8 -
Universal Mobile Telecommunication System
(UMTS) – 3G
Adela Georgescu


Outline
1. UMTS architecture
2. Security principles and implementation
3. Man-in-the-Middle Attack
[Source: http://www.3gpp.org/]
2/8
UMTS architecture
UE: User Equipment

ME: Mobile Equipment CN CS : Core Network Circuit Switched
USIM: Universal SIM UTRAN: UMTS Terrestrial Radio GMSC: Gateway MSC
Access Network CN PS : Core Network Packet Switched
RNC: Radio Network Controller SGSN: Serving GPRS Support Node
ISDN: Integrated Services Digital Network GGSN: Gateway GPRS Support Node
PSTN: Public Switched Telephone Network
UMTS architecture (vs.GSM)
UMTS architecture
GSM architecture
4/7
• UE (User Equipment):
• Consists in a Mobile Equipment (ME) and a Universal Subscriber’s
Identity Module (USIM)
• Notice the name change: MS vs. UE, SIM vs USIM
• UTRAN (UMTS Terrestrial Radio Access Network):

• NodeB is the base station UMTS (corresponds to BTS in GSM)
• RNC (Radio Network Controller) is the controller in UMTS
(coresponds to BSC in GSM)
• Authentication:
• The same elements as in GSM: VLR, HLR, EIR, AuC
• The core part is now divided according to the technology used:
packet switched and circuit switched
• CN CS Domain (Core Network Circuit Switched Domain):

• Coresponds to NSS in GSM
• Realises connectivity with ISDN / PSTN
• CN PS Domain (Core Network Packet Switched Domain):

• It is new to UMTS, being responsible for switching and subscriber
control for packet switching technology
• Achieves internet connectivity
UMTS – Security principles
• Taken from GSM:
• Subscriber authentication, use of (U)SIM
• Radio interface encryption (for confidentiality)
• Use of temporary identities (for privacy of subscribers)
• Use of registers: HLR, VLR, AuC
• Designed to withstand GSM attacks

GSM – short recap
Weaknesses in GSM security:
• No specification about the integrity of the data
• Breaking Kerckhoffs’ principle: cryptographic algorithms were kept confidential (e.g.: A5/1,
A5/2), and their strength was not publicly tested
• Limited encryption: data is encrypted on the radio link only
• Short keys; cryptosystems are vulnerable to exhaustive search attack
• Unilateral authentication: The mobile station does not authenticate the network (only the
network authenticates the mobile station)
• Active attacks are possible; e.g.: IMSI Catchers, when an adversary masquerades a
legitimate BTS
Weaknesses in GSM security: Addressed in UMTS!
• Kerckhoffs’ principle: cryptographic algorithms were kept confidential

(e.g.,
• A5/1, A5/2)
Cryptographic algorithms are public
• Short cryptographic keys: brute force vulnerable

• Longer cryptographic keys (128 bits)
• Limited encryption: data in encrypted only from MS to BTS
• Data encryption up to RNC
• Unilateral authentication: MS does not authenticate the network, only the

network authenticates MS
• Mutual authentication (UE and network authenticate each other)
• No integrity of data
• Use of Message Authentication Code (MAC)
• New security principles, as an improvement over GSM :
• … (previous slide)
• KASUMI encryption algorithm is exported worldwide
• The UE and the network negotiate to agree on the encryption and

integrity algorithms used
• Enter SQN (SeQuence Number) in authentication triplets (in AUTN) to

avoid replay attacks and to ensure key freshness
Weaknesses in UMTS:
• Active attacks are possible; e.g.: IMSI Catchers, when an adversary

impersonates a NodeB
• Users are not (generally) aware of the security level
• End-to-end (UE-to-UE) security is not considerred
• Weaknesses in authentication process (no use of PKI)
We will meet them again in

LTE!
Man-in-the-Middle Attack
UMTS – Man-in-the-Middle Attack
• Goal: mount a MitM (Man-in-the-Middle) attack against UMTS - all traffic

initiated by the mobile station (UE) is transmitted through the adversary,
which has access to the information
• Main idea:
• The adversary obtains an authentication token from any real network,
and uses this token to impersonate a GSM base station to the UMTS
user
• The attack is possible due to:

• Inter-operability GSM / UMTS
• GSM does not support integrity protection, so the adversary can foofle
the UE not to use encryption
• The attack was introduces by Meyer and Wetzel in 2004
[U.Meyer, S.Wetzel - A Man-in-the-Middle Attack on UMTS, WiSe’04 ]

• MitM is known to be easy in GSM:
• Because there is no authentication of the serving network to the user,
so that an adversary can impersonate a BTS
• An adversary can impersonate the MS to BTS by simpli forwarding
authentication traffic
• The attacker can easvesdrop on the communication by fooling both

parties into not using encryption (i.e., use A5/0)
• If the attack is possible in GSM, then UMTS subscribers which use

GSM are vulnerables
• … but UMTS subscribers are vulnerable even though they roam in UMTS
and UMTS authentication is applied
• Roll-back attack: An attack which exploits weaknesses of old versions

defined to ensure bacdward compatibility
• 2 types of authentication are of interest for the attack:
• UE (UMTS) – NodeB (UMTS): UMTS subscriber connects to UMTS

network by means of NodeB
• UE (UMTS) - BTS (GSM): UMTS subscriber with UE that allows

connecting to GSM, connects to the serving network by means of
BTS
AKA: UE (UMTS) – NodeB (UMTS)
RRC: Radio Resource Control

GSN: GPRS Support Node
Authentication Data
RAND: random challenge
AUTN: authentication token
IK: integrity Key
CK: encryption key
XRES: authentication expected
response
MAC: Message Authentication
Code, used to
provide integrity of the [Source: U.Meyer, S.Wetzel - A Man-in-the-Middle Attack on UMTS, WiSe’04 ]
authentication data
AKA: UE (UMTS) – BTS (GSM)
[Source: U.Meyer, S.Wetzel - A Man-in-the-Middle Attack on UMTS, WiSe’04 ]
Message in step12 can be modified by the adversary because it is not

integrity protected (GSM does not support integrity protection)
• The attacks consists of 2 phases (+1):
• Phase 0: the adversary finds the IMSI of the victim (and its
cryptographic capabilities)
• It is feasible, by initiating an authentication procedure before the

attack (IMSI Catcher)
• Phase 1: The adversary acts on behalf of the victim to get a valid

authentication token AUTN (from the network)
• Phase 2: The adversary impersonates a BTS (GSM) to determine the

victim connect to this fake BTS
Phase 1
Phase 1: The adversary acts on behalf of the victim to get a valid

authentication token AUTN (from the network)
Faza 2
• Phase 2: The adversary impersonates a BTS (GSM) to

determine the victim connect to this fake BTS
• The adversary can decide to use A5/0 (no encryptiob), if this is accepted
byt the MS/UE (in phase 1, security capabilities)
• The attack does not work if there is another authentication between Phase
1 and Phase 2, otherwise out of range SQN
• The attack does not allow impersonating both MS/UE and BTS/NodeB in
the same time
Network Security
- Lecture 8 -
Long term evolution
(LTE) – 4G
Adela Georgescu


Outline
• LTE (Security) Architecture
• Security Requirements / Principles
• Vulnerabilities and Attacks
2
LTE - Architecture
UE: User Equipment EUTRAN: Evolved UTRAN EPC: Evolved Packet Core
ME: Mobile Equipment eNodeB: Evolved NodeB MME: Mobility Management Entity
USIM: Universal SIM S-GW: Serving Gateway
P-GW: PDN (Packet Data Network) Gateway
HSS: Home Subscriber Server
3
LTE - Arhitecture
• UE (User Equipment):
• Same as in UMTS: consists of the Mobile Equipment (ME) and the Universal Subscriber’s
Identity Module (USIM)
• EUTRAN (Evolved UTRAN):
• Consists in several eNodeBs
• A difference from UMTS is that the eNodeBs can communicate directly between
themselves
• EPC (Evolved Packet Core):
• UE is authenticated by the MME is responsible for selecting the SGSN at 2G/3G
handovers, authentication and resources allocation to UEs. It manages the mobility of
UEs in the network when eNodeBs cannot
• S-GW is an interconnection point between EUTRAN and EPC, is responsible for packet
routing and forwarding, buffering download packets, being a mobility anchor for inter-
3GPP mobility
• P-GW is a routing point to provide connectivity to the external PDN
4
Terminology
• LTE (Long Term Evolution):
• The new radio technology
• SAE/LTE (System Architecture Evolution / LTE):
• Stands for the entire system: LTE technology with access to previous technologies such
as GSM and 3G
• LTE includes the EUTRAN, while SAE includes the EPC
• EPS (Evolved Packet System):
• The technical term for SAE/LTE, but the brand name of the new system has been chosen
to be LTE
5
EPS Security Architecture
• GSM and UMTS security mechanisms are used as a basis, but adapted to the EPS
architecture
• Protection is performed in both planes:

• Signalling plane
• User plane
• There exists both confidentiality and integrity protection mechanisms:

• Confidentiality: both signalling and user planes
• Integrity: just signalling plane
6
[Source: D.Forsberg et al. – LTE Security, Wiley 2012]

NAS: Non-Access Stratum
AS: Access Stratum
UP: User Plane
7
• MME fetches authentication data from the HSS
• MME triggers the authentication and key agreement protocol with the UE, resulting a key
KASME
• 2 derived keys are used for confidentiality (KNASenc) and integrity (KNASint) protection of the
signalling data between the MME and the UE - NAS protection
• One key is transported to the eNodeB (KeNB), from which 3 other keys are derived:
• 2 derived keys are used for confidentiality (KRRCenc) and integrity (KRRCint) protection of
the signalling data between the eNodeB and the UE - AS protection
• 1 derived key (KUPenc) is used for confidentiality protection of the user plane data between
the eNodeB and the UE
8
Key Hierarchy

9
Key Hierarchy
Key Length Info
K 128 bits Key shared between the subscriber and the
network operator, stored in the USIM and
AuC; permanent key of the subscriber
CK, IK 128 bits Ciphering key CK and integrity key IK are for
UMTS interconnection
KASME 256 bits A local master key of the subscriber from
which all other keys will be derived; Shared
between the UE and the MME
KNASenc, KNASint 128 / 256 bits Ciphering key KNASenc and integrity key KNASint
for NAS protection
KeNB / NH 256 bits Intermediate key stored in the eNodeB
NH (Next Hop) is used in handover
KRRCenc, KRRCint 128 / 256 bits Ciphering key KRRCenc and integrity key KRRCint
for AS protection
KUPenc 128 / 256 bits Ciphering key KUPenc for user data
10
EPS Signalling Plane Protection
NAS: Non-Access Stratum

RRC: Radio Resource Control [Source: D.Forsberg et al. – LTE Security, Wiley 2012]
PDCP: Packet Data Convergence Protocol
IP: Internet Protocol
11
EPS Signalling Plane Protection
• NAS (Non-Access Stratum): network layer communication between the UE and the core
network
• RRC (Radio Resource Control): layer 3 protocol in the AS (Access Stratum) protocol stack
that provides communication between the UE and the eNodeB (the AS level signalling
protocol)
• PDCP (Packet Data Convergence Protocol): both RRC signalling and user data are carried by
the PDCP, and here is where security is implemented
• S1-AP: signalling service between the E-UTRAN and the EPC
12
EPS User Plane Protection
PDCP: Packet Data Convergence Protocol [Source: D.Forsberg et al. – LTE Security, Wiley 2012]
GTP: GPRS Tunneling Protocol
13
EPS User Plane Protection
• PDCP (Packet Data Convergence Protocol): if for signalling data both confidentiality and
integrity are supported, user plane protection does not consider integrity
• GTP-U: is used for carrying data from the access network to the core network
Confidentiality is optional for both signalling and user plane!
14
EPS Security Requirements
• High level and service-related security requirements:
• EPS should provide authenticity of information between the terminal and the network
• EPS shall ensure that unauthorized users cannot establish communication through the system
• EPS shall allow the network to hide its internal structure from the terminal
• Security policies should be under home operator control
• EPS shall provide support for lawful interception
• EPS shall support emergency calls
• Rel-99 or newer USIM is required for authentication
15
EPS Security Requirements
• Privacy related security requirements:
• EPS shall provide several appropriate levels of user privacy for communication, location
and identity
• Communication content, origin and destination shall be protected against disclosure to

unauthorized parties
• EPS shall be able to hide user identities from unauthorized parties
• EPS shall be able to hide user location from unauthorized parties
16
EPS Security Features
• Features that are carried over from GSM and UMTS:
• Subscriber authentication, usage of USIM (IMEI stored in the ME and IMSI stored in the UICC)
• Mutual authentication (from UMTS)
• Encryption on the radio interface (for confidentiality), which remains optional to the network
operator
• Usage of temporary identities (for privacy of subscribers)
• Visibility and configurability of security at the UE (e.g. ciphering indicator) is optional
• Lawful interception
17
EPS Security Features
• New features in EPS to overcome the shortcomings in GSM/UMTS:
• The endpoint for encryption in the network side remains the eNodeB, but physical
security requirements are introduced for eNodeB (in UMTS is the RNC, but in GSM is the
BTS)
• No integrity mechanism for the user data (reason: risk to tamper the user data is
considered too low to introduce significant overhead by integrity protection, especially for
voice)
• New key hierarchy, more elaborated
• Improvements on crypto algorithms and protocols
18
EPS Security Standards
• TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture / ETSI 133 401
• EPS security architecture
• EPS security features, procedures, mechanisms
• Main reference
• TS 33.402: Security aspects of non-3GPP accesses / ETSI 133.402

• TS 33.320: Security of Home evolved Node B (HeNB) / ETSI 133.320
• TS 36.331: Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control
(RRC); Protocol specification / ETSI 136 331
• TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS) / ETSI 124
301
3GPP: The 3rd Generation Partnership Project
• … ETSI: European Telecommunications Standards Institute
19
To remember!
1. LTE (security) architecture
2. Security mechanisms on both the signalling and the user plane
3. Security features (build on previous generations’ features)
20
Network Security
- Lecture 11 -
LTE (cont.)
Adela Georgescu


Outline
• UE Identification
• EPS AKA
• Key hierarchy (again)
• Cryptographical aspects
• AS / NAS Protection
2
UE Identification
• Similar to identification in GSM and UMTS
• IMSI
• IMEI , IMEI SV
• GUTI (Global Unique Temporary UE Identity), allocated to provide user identity

confidentiality
• Similar to TMSI in GSM
• C-RNTI (Cell Radio Network Temporary Identifier) with security role in

handover preparation
3
UE Identification
• MME assigns a GUTI to the UE in Attach Accept or Tracking Area Update Accept
messages
• MME can also assign GUTI in a separate GUTI Reallocation procedure
GUTI (Global Unique Temporary UE Identity)

GUMMEI (Globally Unique MME Identifier)
MCC MNC MMEI M-TMSI

(Mobile (Mobile (MME Identifier) (MME Temporary Subscriber
Country Network Identifier)
MMEGI MMEC
Code) Code)
(MME Group ID) (MME Code)
Identifies the MME that allocated the GUTI Identifies the UE within the MME
4
EPS AKA
SN id: Serving Network Identity

AV: Authentication Vector
AUTN: Authentication Token
RES: Response
XRES: Expencted Response
CK: Ciphering Key
IK: Integrity Key
ASME: Access Security
Management Entity
[Source: D.Forsberg et al. – LTE Security, Wiley 2012] 5

EPS AKA – Network side
• The recommendation is to send a single AV at a time (not more)…
… because the need to request fresh AV is reduced due to the existence of the KASME,
which is not exposed as the CK and IK were exposed in UMTS
• Precomputed AV are not longer used when the UE moves to another network...
... because the SN id is input to the KDF
• Each AV is used only once
• CK and IK do not leave the HSS
• Operator specific: if AK=0, then AK XOR SQN = SQN (if the operator decides no need for
concealment of SQN is required)
6
EPS AKA –
Network side
AuC
UMTS AV:
(RAND, XRES, CK, IK, AUTN)
EPS AV:
(RAND, XRES,KASME, AUTN)
HSS
AMF: Authentication
Management Field
AK: Anonymity Key

7
EPS AKA – Network side
• Both UMTS and EPS authentication vectors are generated
• The AuC generates the AVs in exactly the same way as for UMTS
• The HSS derives the KASME from CK and IK
• The AuC generates fresh SQN and unpredictable random RAND
• AMF (Authentication Management Field):

• Indicates the algorithm used to generate a particular auth vector when several exist
• Sets threshold values for key lifetimes
• First bit is set to 1 to mark that the AV is for EPS use (this should be checked in the MME)
8
EPS AKA – User side
9
• SQN verification has not been standardized (generation and verification takes place in the
home network, so it can be operator specific)
• Requirements for SQN:
• No SQN should be used twice: USIM should not accept 2 AUTN with the same SQN after
AUTN was verified
• Allow, in a given threshold, out of order SQN numbers

(might not accept a SQN if the jump from the last one is too big)
• Reject too old time-based SQN
• Verification is performed in the USIM

10
• If USIM supports GSM, then it converts (CK, IK) to a GSM key Kc and sends it the the ME
12
Handover and Roaming
• When the UE changes MME, it identifies itself by GUTI in the Attach Request and
Tracking Area Update Request
• The MME is unaware of the GUTI, so it has 2 possibilities:

• Request the IMSI – breaks confidentiality!
• Ask the old MME to translate the GUTI to IMSI
• Data exchanged between the old and the new MME in 2 scenarios:
• Old and new MME are in the same network (Handover)

• Transfer the EPS security context*
• The old MME transfers the remaining AVs (if any)
• Old and new MME are in networks of different operators (Roaming)
• The current security context* is allowed, depending on the security of the networks
(EPS to EPS only)
• The old MME does not transfer the remaining AVs (if any), because they are not
good in the new network
13
Security Context
• A security context is a set of parameters agreed by 2 parties when they engage in a secured
communication
• Contains: algorithm identifiers, cryptographic keys, etc.
14
Key hierarchy (remember!)
Key Length Info
K 128 bits Key shared between the subscriber and the
network operator, stored in the USIM and
AuC; permanent key of the subscriber
CK, IK 128 bits Ciphering key CK and integrity key IK are for
UMTS interconnection
KASME 256 bits A local master key of the subscriber from
which all other keys will be derived; Shared
between the UE and the MME
KNASenc, 128 / Ciphering key KNASenc and integrity key KNASint
KNASint 256 bits for NAS protection
KeNB /NH 256 bits Intermediate key stored in the eNodeB
NH (Next Hop) is used in handover
KRRCenc, 128 / Ciphering key KRRCenc and integrity key KRRCint
KRRCint 256 bits for AS protection
KUPenc 128 / Ciphering key KUPenc for user data
256 bits [Source: D.Forsberg et al. – LTE Security, Wiley 2012]
15
Key hierarchy
• KASME is derived in the ME (not the USIM!) and the HSS => its derivation must be
standardized; others not necessarily
• KDF used to derive keys in the hierarchy must be one-way; why?
• KDF based on HMAC-SHA-256
• Encryption and integrity keys (KNASenc, KNASint, KRRCint, KRRCenc, KUPenc) are on 256 bits and
truncated to 128 last significant bits (EPS accepts both 256 and 128 bits keys)
• Keys are derived in hierarchical manner, with additional parameters as input (e.g.: SN id,
SQN xor AK, etc.) – the params are all assumed to be known by a potential attacker
because they are sent in clear or easy computable from unencrypted communication
16
Key hierarchy
• A principle that brings advantages:
• Cryptographic key separation:

• Each key is used to one context only (e.g.: encryption of signalling traffic)
• Prevents expanding of leakage: leakage of keys in one context do not help finding
the key in another context
• Related key attacks: the attacker can ask the exchange of the key in a way that he
predetermines the relation between the old and new keys
• Key freshness:
• Keys can be renewed without affecting other keys (e.g.: renew of KeNB does not
require renewal of the KASME , X2 hadover)
• Renewal of keys takes place more often

• … and disadvantages: added complexity
17
Key hierarchy
Question: Can KNASenc, KNASint be refreshed without refreshing the KASME ? How?
Just by changing the other param, NAS-enc/int-alg Alg_ID 18
Cryptography
• Algorithm agility / flexibility: the cryptographic algorithms should be replaced without much
difficulty
• Allows removal of out-dated algorithms

• The number of algorithms should be keep small (for synchronization and management
reasons), but more than 1…
• … because if one algorithms fails (is broken), others will be used
• Algorithms diversity: the design of the algorithms should differ from each other as much as
possible
• Why? Where did you encounter this principle before (in crypto)?
• Emergency scenarios
19
Emergency
• Null algorithm: provides no cryptographic protection
• Must exist for emergency cases
• Problematic from security perspective because it can be triggered in cases where
protection should be enabled
• Turn-off principle: the cryptographic protection should be by default on, and only by
request (on special scenarios) should be turned off
• EEA0 (EPS Encryption Algorithm): the identity function (i.e. ciphertext equals the cleartext)
• EIA0 (EPS Integrity Algorithm) : a 32-bit string of 0’s is appended to the message
• Reason: keep the protected and non-protected scenarios as similar as possible

(e.g.: same length)
20
Confidentiality
• Same structure for NAS and AS protection
• Out-of-the shelf algorithms (easier than to invite submission and go through a selection
process) …
• … keeping in mind reusability from 3G (compatibility reasons)
• 128-EEA1: SNOW 3G adapted to the EPS security architecture

• 128 bits keys
• 128-EEA2: AES
• 128 bits keys
• Counter mode
21
Integrity
• Same principles as for confidentiality
• Usage of the same main cryptographic blocks (re-usability)
• 128-EIA1: UIA 2 (SNOW 3G) adapted to the EPS security architecture

• 128 bits keys
• 128-EIA2: Cipher- based MAC (AES)

• 128 bits keys
• The key length in the naming implies that other key lengths (e.g.:192, 256) can be used in
case of improved security
22
Key derivation
• One-way: an adversary cannot use one key to derive a key located upper in the hierarchy
• Independence: 2 keys derived from the same key should be independent
• SHA-256 used in the HMAC mode
23
Algorithm negotiation
• Algorithms are negotiated separately for AS (between UE and eNodeB) and NAS (between
UE and MME)
• Negotiation is based on the UE capabilities and a list of allowed cryptographic algorithms in the
eNodeB, respectively MME in priority order
• eNodeB and MME are responsible for selecting the AS level, respectively the NAS level
algorithms, after UE sends its capabilities in the attachment procedure
• Selection is indicated in AS Security Mode

Command, respectively NAS Security
Mode Commands
24
NAS signalling protection
Integrity protection
Integrity protection New enc.key

&
Encryption Old enc.key
(if any)
eKSI: key set identifier that identifies the key KASME

NONCEUE, NONCEMME: used for mobility
Question: Why is the NAS Security Mode Command not encrypted?

The UE does not know what algorithm and key to use for decryption
25
Integrity protection New enc.key

&
Encryption Old enc.key
(if any)
eKSI: key set identifier that identifies the key KASME

NONCEUE, NONCEMME: used for mobility
Question: Why is the NAS Security Mode Complete encrypted?

To not expose IMEI 26
• Integrity and replay protection are part of the NAS protocol itself
• Integrity algorithm’s input params:

• KNASint , 128 bits key
• COUNT, 32 bits
• DIRECTION, 1 bit indicating upstream or downstream signalling
• BEARER, constant value – used for similarity with AS
COUNT = 0x00 || NAS OVERFLOW || NAS SQN
• NAS OVERFLOW, 16 bits – incremented every time NAS SQN overflows
• Integrity algorithm’s output:

• NAS-MAC, 32 bits
• For efficiency reasons, NAS Service Request message uses 16 bits NAS-MAC (e.g.:
when UE responds to paging from the MME)
27
• General rule: messages that are not integrity protected are discarded in the UE and MME
once the NAS protection has been activated
• Exceptions: emergency calls, etc.
• Ciphering: same inputs, except KNASenc instead of KNASint and an additional parameter LENGTH
that specifies the length of the keystream to be generated
28
AS signalling protection
Uplink enc.
starts only after
AS Sec.Mode
Complete is
sent
Question: Why is the AS Security Mode Complete not encrypted?

No need, it contains no private information
29
AS signalling and User data protection
• Radio Resource Control (RRC): the AS level signalling protocol
• The security is implemented in the PDCP (Packet Data Convergence Protocol) layer,
which carries both RRC and user data
Same inputs as for NAS, but a
• Integrity algorithm’s input params:
different key and BEARER not
• KRRCint , 128 bits key constant
• COUNT, 32 bits, for each radio bearer (PDCP seg.no).
• DIRECTION, 1 bit, indicating upstream or downstream
• BEARER, 5 bits indicating the radio bearer identity, mapped from RRC bearer identity:
Signalling Radio SRB0 SRB1 SRB2

Bearers (SRB): RRC control messages RRC control messages NAS messages
not protected protected after sec. activation Always protected
Data Radio Bearers multiple
(DRB) ciphered, but not integrity-protected
• Integrity algorithm’s output:

30
• MAC-I, 32 bits
AS signalling and User data protection
• Ciphering: same inputs, except KRRCenc instead of KRRCint and an additional parameter LENGTH
that specifies the length of the keystream to be generated
31
NAS vs AS Security Mode Commands (SMC)
AS (Access Stratum) NAS (Non-Access Stratum)
• Signalling protection and user data • Signalling protection

protection
• Security is implemented in the PDCP • Security is implemented in the NAS
protocol protocol itself
• It is not possible to change algorithms using • It is possible to change algorithms using

AS Security Mode Command NAS Security Mode Command
• Encryption starts after the AS Security • Encryption starts with the NAS Security
Mode Complete Mode Complete
• Several bearers (there are several AS level • One bearer of constant value (there is only
connections between UE and eNodeB) one NAS level connection between UE and
MME)
32
To remember!
1. The principles of EPS AKA
2. The advantages of key hierarchy
3. Principles to select and use cryptographic algorithms
4. Implementation in LTE
36
Network Security
- Lecture 12 -
5G
Adela Georgescu


Outline
• Arhitecture
• EPS AKA
• Key hierarchy
• Cryptographical aspects
• New concepts
2
5G Security
https://www.3gpp.org/
https://www.ieee.org/ https://www.etsi.org/
https://www.itu.int https://www.ietf.org/
[ENISA – Security in 5G Specifications – Controls in 3GPP

Available at: https://www.enisa.europa.eu/publications/security-in-5g-specifications ] 3
3GPP Security Standards
[Source: https://www.3gpp.org/DynaReport/33-series.htm] 4
Security Architecture
[ENISA – Security in 5G Specifications – Controls in 3GPP

Available at: https://www.enisa.europa.eu/publications/security-in-5g-specifications ] 5
UE Privacy
SUCI: Subscription Concealed Identifier
SUPI: Subscription Permanent Identifier
GUTI: Globally Unique Temporary UE Identity
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]
6
Protection of SUPI by encryption
[Source: https://www.mpirical.com/blog/5g-anonymity-and-the-suci]
7
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]
8
Protection of SUPI – SUCI – encryption
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]
9
Protection of SUPI – SUCI - decryption
5G-AKA
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]

AUSF: AUthentication Server Function
ARPF: Authentication credential
Repository and Processing Function
SIDF: Subscription Identifier De-
concealing Function
SEAF: SEcurity Anchor Function
10
Key Hierarchy
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]

AUSF: AUthentication Server Function
ARPF: Authentication credential
Repository and Processing Function
SEAF: SEcurity Anchor Function
AMF Access and Mobility Management
Function
Non-3GPP
11
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]
Cryptographical Aspects
12
[Source: 3GPP TS 33.501 V17.1.0 (2021-03)]
Cryptographical Aspects
13

Cur Suri

Uploaded by

Copyright:

Available Formats

Cur Suri

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cur Suri

Uploaded by

Copyright:

Available Formats

Network security

• Moodle – all info and materials for course and lab

• Computer Security - protects data and resources (usually

• Network Security - protects data during transmission and

• Software Security - protects the software used in a computer

• General security principles (today)

• Wi-Fi – security: WEP, WPA, WPA2 – protocols

• Mobile security: GSM, LTE, 5G

• Internet protocol security: TLS, IPSec

• Confidentiality – protected goods can only be seen by authorized persons

• Integrity - protected goods can only be modified by authorized persons

• Availability - protected goods can only be used by authorized persons

üKey separation principle: use different keys for

üPrinciple of diversity: use different types of

• Security by default: keep the default

• Principle of the weakest link: the security of a

• Principiul of least privilege: grant the exact

• Principle of modularization: keep

• Defence in depth – security at different

*slides belonging to Ruxandra Olimid

1. What do we learn about wireless security?

3. What is the difference between wireless and wired networks?

Wireless • Security technologies, methods, protocols

Security aspects only! No pure networking!

Security aspects only! No pure telecom!

ITU: Measuring the Information Society Report 2018

• In theory: not much different from the security of wired

• Direct access to the transmission medium

*slides belonging to Ruxandra Olimid

1. IEEE 802.11 / Wi-Fi, history, evolution

2. IEEE 802.11 Wireless LAN Architecture

• IEEE 802.11: technical standard (Physical layer and MAC sublayer)

• Wi-Fi: (products / equipment of) wireless network(s) implementing

STA: Station Network types:

• BSS (Basic Service Set):

• ESS (Extended Service Set):

FCS: Frame Check Sequence

• Protocol version: 802.11 version

Security aspects only! No pure networking!

• Authorization to AP based on MAC address

• IEEE 802.11: Wired Equivalent Privacy (WEP)

• IEEE 802.11i-draft: WPA (Wi-Fi Protected Access)

• IEEE 802.11i: Robust Security Network (RSN) /WPA2

*slides belonging to Ruxandra Olimid

2. Vulnerabilities and attacks

• Authorization to AP based on MAC address

• IEEE 802.11: Wired Equivalent Privacy (WEP)

• IEEE 802.11i-draft: WPA (Wi-Fi Protected Access)

• IEEE 802.11i: Robust Security Network (RSN) /WPA2

• Original security mechanism IEEE 802.11 (1999)

• Deprecated since 2008, but still in use

• Interesting to study as a negative example J

• Network access control:

• Uses RC4 IV: Initialization Vector

IV: Initialization Vector

Answer: A passive adversary eavesdrops on the plaintext ( the

Question: Is authentication secure (it can be forged)?

Answer: No, it is not secure! The adversary knows the keystream

Answer: No! The AP is not authenticated to STA.

Question: Why is this a a problem?