Cell 2
Public
Switched
Telephone
Network
(PSTN)
Mobile
Telephone
Switching
Office
(MTSO)
HLR
Mobile User
Cordless connection
Wired connection
VLR
Cell 1
Cell 2
Mobile
Telephone
Switching
Center
(MTSC)
HLR VLR
Public
Switched
Telephone
Network
(PSTN)
Authentication center (AuC) stores the secret keys of all SIM cards.
Overview
Data Rates
2 Mbps
3G
(14.4Kbps to 2Mbps)
1 Mbps
100 Kbps
2.5G
(10-150Kbps)
10 Kbps
2G
(9.6Kbps)
1 Kbps
1G
(<1Kbps)
1980
1990
2000
Years
2010
3G Network Architecture
Wireless
Access Network
Mobile Access
Router
Core Network
Programmable
Softswitch
IP
Base Stations
Gateway
Application
Server
IP Intranet
Acces
s
Point
Telephone
Network
IP Intranet
(HLR)
User Profiles &
Authentication
802.11
3G Air
Interface
802.11
Acces
s
Point
Internet
Wired Access
Licensed
Many providers
Multiple Access
Many users
Wide area of coverage
Traffic management
Location management
Session1
Time
Frequency
Frequency Division
Multiple Access (FDMA)
1G Cellular (AMPS)
All sessions
based on a
code
Time
Time Division
Multiple Access (TDMA)
2G TDMA
3G TDMA
Time
2G CDMA (IS-95)
3G CDMA
Session4
Session3
Session2
Session2
Frequency
Frequency
Session3
Session1
Session4
Code Division
Multiple Access (CDMA)
Up to 160 characters
Sent over control channel
Unicast or broadcast
Authentication
Confidentiality
Anonymity
Mobile station
BSS
BSS consists of base station controller and one or more base transceiver stations
(BTS)
9
BTS
9
Terminating
MSC
10
10
10
4
VLR
2
Gateway
MTSC
5
HLR
10
3
Public
Switched
Telephone
Network
(PSTN)
10
5
1. Call made to mobile unit (cellular phone)
2. Telephone network recognizes number
and gives to gateway MSC
3. MSC cant route further, interrogates
users HLR
4. Interrogates VLR currently serving user
(roaming number request)
5. Routing number returned to HLR and
then to gateway MSC
Legend: MTSC= Mobile Telephone Service Center, BTS = Base Transceiver Station
HLR=Home Location Register, VLR=Visiting Location Register
Enabling Technologies
3G
2 Mbps
CDMA2000
3XRTT
(UMTS)
CDMA Migration
1G-2G Migration
TDMA Migration
500 kbps
2.5G
150 Kbps
GPRS
2G
50 Kbps
10 Kbps
EDGE
CDMA-2000
1XRTT
100 Kbps
1G
W-CDMA
(UMTS)
IS-95
GSM
1 Kbps
AMPS
1980
1999
2000
2001
2002
2003
In this study security of internet access over the Third Generation (3G) telecommunication
systems is considered and Universal Mobile Telecommunications System (UMTS) is
selected as the most popular system among 3G systems.
The study then focuses on network access security mechanism of UMTS, called
Authentication and Key Agreement (AKA).
In addition, twenty types of important attacks and threats in UMTS system are presented
and classified based on three major security factors; authentication, confidentiality, and
data integrity.
The evaluations finally show that the authentication factor is more interesting than other
factors for hackers.
Then, we describe four attacks named; man-in the-middle, denial of service, identity
catching, and redirection as the most significant attacks against authentication mechanism.
Furthermore, we provide some solutions and methods to improve AKA mechanism and
prevent these attacks in UMTS system.
Node B
C
u
Iu
b
Node B
Iu
r
RNC
Node B
UE
MSC/
VLR
UTRA
N
GMSC
External
Networks
U
u
HLR
SGSN
GGSN
CN
UMTS Authentication
USIM
MSC or SGSN
Authentication Data
Request
RAND,SQNAK
|| AMF||MAC
RAND
f2-f4
RES, CK, IK
RES
RES = XRES?
HLR/AuC
AMF
SQN
RAND
f1-f5
XRES, CK,
IK, AK, MAC
Table 8-3
cdmaOne (IS-95)
GSM, DCS-1900
IS-54/IS-136
PDC
Uplink Frequencies
(MHz)
824-849 (Cellular)
1850-1910 (US PCS)
Downlink Frequencies
935-960 (Europa)
1930-1990 (US PCS)
Deplexing
FDD
FDD
FDD
Multiple Access
CDMA
TDMA
TDMA
Modulation
DQPSK
Carrier Seperation
1.25 MHz
200 KHz
30 KHz (IS-136)
(25 KHz PDC)
1.2288 Mchips/sec
270.833 Kbps
64
Speech Coding
CELP at 13Kbps
EVRC at 8Kbps
RPE-LTP at 13 Kbps
Standard
Type
Year
Intro
Multiple
Access
Frequency
Band
(MHz)
Modulation
Channe
l
BW
(KHz)
AMPS
Cellular
1983
FDMA
824-894
FM
30
USDC
Cellular
1991
TDMA
824-894
DQPSK
30
CDPD
Cellular
1993
FH/Packet
824-894
GMSK
30
IS-95
Cellular/PCS
1993
CDMA
824-894
1800-2000
QPSK/BPSK
1250
FLEX
Paging
1993
Simplex
Several
4-FSK
15
DCS-1900 PCS
(GSM)
1994
TDMA
1850-1990
GMSK
200
PACS
1994
TDMA/FDMA
1850-1990
DQPSK
300
Cordless/PC
S
Standard
Type
Year
Intro
Multiple
Access
Frequency
Band
(MHz)
Modulation
Channe
l
BW
(KHz)
ETACS
Cellular
1985
FDMA
900
FM
25
NMT-900
Cellular
1986
FDMA
890-960
FM
12.5
GSM
Cellular/PCS
1990
TDMA
890-960
GMSK
200KHz
C-450
Cellular
1985
FDMA
450-465
FM
20-10
ERMES
Paging
1993
FDMA4
Several
4-FSK
25
CT2
Cordless
1989
FDMA
864-868
GFSK
100
DECT
Cordless
1993
TDMA
1880-1900
GFSK
1728
1993
TDMA
1710-1880
GMSK
200
DCS-1800 Cordless/PC
S
Motivation
MANETS recent popularity
Self-configuration
Self-maintenance
Challenges to security
Approaches
Proactive
Reactive
Considerations
Overhead versus performance
Forwarding attacks
Leave routing tables alone, but change delivery of packets (local
effect)
Non Repudiation
The origin of the message cannot deny having sent the message.
Availability
The normal service provision in face of all kind of attacks.
Security means the security mechanism for all protocols involved in this
(MANET) service to protect the basic function of MANET means security
during bit transfer from one node to another.
continuously keeps an eye on the network traffic thus in turn violating the
message confidentiality constraint. Since they do not initiate any malicious
activity to disrupt the normal functioning of the network, it becomes very difficult
to identify such attacks. Examples of such types of attacks are traffic analysis,
traffic monitoring and eavesdropping.
Challenges
Distribution
Involve multiple layers
Attack awareness
Completeness
Authentication Scenarios
1. Node joins a network
2. Node leaves a cluster
3. Inter cluster comm. by nodes
Thank You