17-03-2011, 02:36 PM
[attachment=10409]
GSM Security and Encryption
1.0 Introduction
The motivations for security in cellular telecommunications systems are to secure conversations and signaling data from interception as well as to prevent cellular telephone fraud. With the older analog-based cellular telephone systems such as the Advanced Mobile Phone System (AMPS) and the Total Access Communication System (TACS), it is a relatively simple matter for the radio hobbyist to intercept cellular telephone conversations with a police scanner. A well-publicized case involved a potentially embarrassing cellular telephone conversation with a member of the British royal family being recorded and released to the media. Another security consideration with cellular telecommunications systems involves identification credentials such as the Electronic Serial Number (ESN), which are transmitted "in the clear" in analog systems. With more complicated equipment, it is possible to receive the ESN and use it to commit cellular telephone fraud by "cloning" another cellular phone and placing calls with it. Estimates for cellular fraud in the U.S. in 1993 are as high as $500 million. The procedure wherein the Mobile Station (MS) registers its location with the system is also vulnerable to interception and permits the subscriber’s location to be monitored even when a call is not in progress, as evidenced by the recent highly-publicized police pursuit of a famous U.S. athlete.
The security and authentication mechanisms incorporated in GSM make it the most secure mobile communication standard currently available, particularly in comparison to the analog systems described above. Part of the enhanced security of GSM is due to the fact that it is a digital system utilizing a speech coding algorithm, Gaussian Minimum Shift Keying (GMSK) digital modulation, slow frequency hopping, and Time Division Multiple Access (TDMA) time slot architecture. To intercept and reconstruct this signal would require more highly specialized and expensive equipment than a police scanner to perform the reception, synchronization, and decoding of the signal. In addition, the authentication and encryption capabilities discussed in this paper ensure the security of GSM cellular telephone conversations and subscriber identification credentials against even the determined eavesdropper.
2.0 Overview of GSM
GSM (group special mobile or general system for mobile communications) is the Pan-European standard for digital cellular communications. The Group Special Mobile was established in 1982 within the European Conference of Post and Telecommunication Administrations (CEPT). A Further important step in the history of GSM as a standard for a digital mobile cellular communications was the signing of a GSM Memorandum of Understanding (MoU) in 1987 in which 18 nations committed themselves to implement cellular networks based on the GSM specifications. In 1991 the first GSM based networks commenced operations. GSM provides enhanced features over older analog-based systems, which are summarized below:
• Total Mobility:
The subscriber has the advantage of a Pan-European system allowing him to communicate from everywhere and to be called in any area served by a GSM cellular network using the same assigned telephone number, even outside his home location. The calling party does not need to be informed about the called person's location because the GSM networks are responsible for the location tasks. With his personal chipcard he can use a telephone in a rental car, for example, even outside his home location. This mobility feature is preferred by many business people who constantly need to be in touch with their headquarters.
• High Capacity and Optimal Spectrum Allocation:
The former analog-based cellular networks had to combat capacity problems, particularly in metropolitan areas. Through a more efficient utilization of the assigned frequency bandwidth and smaller cell sizes, the GSM System is capable of serving a greater number of subscribers. The optimal use of the available spectrum is achieved through the application Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), efficient half-rate and full-rate speech coding, and the Gaussian Minimum Shift Keying (GMSK) modulation scheme.
• Security:
The security methods standardized for the GSM System make it the most secure cellular telecommunications standard currently available. Although the confidentiality of a call and anonymity of the GSM subscriber is only guaranteed on the radio channel, this is a major step in achieving end-to- end security. The subscriber’s anonymity is ensured through the use of temporary identification numbers. The confidentiality of the communication itself on the radio page link is performed by the application of encryption algorithms and frequency hopping which could only be realized using digital systems and signaling.
• Services:
The list of services available to GSM subscribers typically includes the following: voice communication, facsimile, voice mail, short message transmission, data transmission and supplemental services such as call forwarding.
Digital 2G systems, such as GSM, PDC, IS-136 TDMA and IS-95 CDMA, use cryptographic methods for authentication and confidentiality. GSM standard implements security features which ensure physical security, confidentiality, user authentication, and user anonymity.
Slow frequency hopping and modulation techniques enhance the physical security. Information sent between a mobile station and the network is encrypted. GSM security is based on a shared secret key Ki and on a unique number, the International Mobile Subscriber Identity (IMSI). Both are saved on the user’s Subscriber Identity Module (SIM) and in the Authentication Centre (AuC) of the operator.
2.1 GSM Radio Channel
The GSM standard specifies the frequency bands of 890 to 915 MHz for the uplink band, and 935 to 960 MHz for the downlink band, with each band divided up into 200 kHz channels. Other features of the radio channel interface include adaptive time alignment, GMSK modulation, discontinuous transmission and reception, and slow frequency hopping. Adaptive time alignment enables the MS to correct its transmit timeslot for propagation delay. GMSK modulation provides the spectral efficiency and low out-of-band interference required in the GSM system. Discontinuous transmission and reception refers to the MS powering down during idle periods and serves the dual purpose of reducing co-channel interference and extending the portable unit's battery life. Slow frequency hopping is an additional feature of the GSM radio channel interface which helps to counter the effects of Rayleigh fading and co-channel interference.
2.2 TDMA Frame Structures, Channel Types, and Burst Types
The 200 kHz channels in each band are further subdivided into 577 ms timeslots, with 8 timeslots comprising a TDMA frame of 4.6 ms. Either 26 or 51 TDMA frames are grouped into multiframes (120 or 235 ms), depending on whether the channel is for traffic or control data. Either 51 or 26 of the multiframes (again depending on the channel type) make up one superframe (6.12 s). A hyperframe is composed of 2048 superframes, for a total duration of 3 hours, 28 minutes, 53 seconds, and 760 ms. The TDMA frame structure has an associated 22-bit sequence number which uniquely identifies a TDMA frame within a given hyperframe
GSM Security and Encryption
1.0 Introduction
The motivations for security in cellular telecommunications systems are to secure conversations and signaling data from interception as well as to prevent cellular telephone fraud. With the older analog-based cellular telephone systems such as the Advanced Mobile Phone System (AMPS) and the Total Access Communication System (TACS), it is a relatively simple matter for the radio hobbyist to intercept cellular telephone conversations with a police scanner. A well-publicized case involved a potentially embarrassing cellular telephone conversation with a member of the British royal family being recorded and released to the media. Another security consideration with cellular telecommunications systems involves identification credentials such as the Electronic Serial Number (ESN), which are transmitted "in the clear" in analog systems. With more complicated equipment, it is possible to receive the ESN and use it to commit cellular telephone fraud by "cloning" another cellular phone and placing calls with it. Estimates for cellular fraud in the U.S. in 1993 are as high as $500 million. The procedure wherein the Mobile Station (MS) registers its location with the system is also vulnerable to interception and permits the subscriber’s location to be monitored even when a call is not in progress, as evidenced by the recent highly-publicized police pursuit of a famous U.S. athlete.
The security and authentication mechanisms incorporated in GSM make it the most secure mobile communication standard currently available, particularly in comparison to the analog systems described above. Part of the enhanced security of GSM is due to the fact that it is a digital system utilizing a speech coding algorithm, Gaussian Minimum Shift Keying (GMSK) digital modulation, slow frequency hopping, and Time Division Multiple Access (TDMA) time slot architecture. To intercept and reconstruct this signal would require more highly specialized and expensive equipment than a police scanner to perform the reception, synchronization, and decoding of the signal. In addition, the authentication and encryption capabilities discussed in this paper ensure the security of GSM cellular telephone conversations and subscriber identification credentials against even the determined eavesdropper.
2.0 Overview of GSM
GSM (group special mobile or general system for mobile communications) is the Pan-European standard for digital cellular communications. The Group Special Mobile was established in 1982 within the European Conference of Post and Telecommunication Administrations (CEPT). A Further important step in the history of GSM as a standard for a digital mobile cellular communications was the signing of a GSM Memorandum of Understanding (MoU) in 1987 in which 18 nations committed themselves to implement cellular networks based on the GSM specifications. In 1991 the first GSM based networks commenced operations. GSM provides enhanced features over older analog-based systems, which are summarized below:
• Total Mobility:
The subscriber has the advantage of a Pan-European system allowing him to communicate from everywhere and to be called in any area served by a GSM cellular network using the same assigned telephone number, even outside his home location. The calling party does not need to be informed about the called person's location because the GSM networks are responsible for the location tasks. With his personal chipcard he can use a telephone in a rental car, for example, even outside his home location. This mobility feature is preferred by many business people who constantly need to be in touch with their headquarters.
• High Capacity and Optimal Spectrum Allocation:
The former analog-based cellular networks had to combat capacity problems, particularly in metropolitan areas. Through a more efficient utilization of the assigned frequency bandwidth and smaller cell sizes, the GSM System is capable of serving a greater number of subscribers. The optimal use of the available spectrum is achieved through the application Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), efficient half-rate and full-rate speech coding, and the Gaussian Minimum Shift Keying (GMSK) modulation scheme.
• Security:
The security methods standardized for the GSM System make it the most secure cellular telecommunications standard currently available. Although the confidentiality of a call and anonymity of the GSM subscriber is only guaranteed on the radio channel, this is a major step in achieving end-to- end security. The subscriber’s anonymity is ensured through the use of temporary identification numbers. The confidentiality of the communication itself on the radio page link is performed by the application of encryption algorithms and frequency hopping which could only be realized using digital systems and signaling.
• Services:
The list of services available to GSM subscribers typically includes the following: voice communication, facsimile, voice mail, short message transmission, data transmission and supplemental services such as call forwarding.
Digital 2G systems, such as GSM, PDC, IS-136 TDMA and IS-95 CDMA, use cryptographic methods for authentication and confidentiality. GSM standard implements security features which ensure physical security, confidentiality, user authentication, and user anonymity.
Slow frequency hopping and modulation techniques enhance the physical security. Information sent between a mobile station and the network is encrypted. GSM security is based on a shared secret key Ki and on a unique number, the International Mobile Subscriber Identity (IMSI). Both are saved on the user’s Subscriber Identity Module (SIM) and in the Authentication Centre (AuC) of the operator.
2.1 GSM Radio Channel
The GSM standard specifies the frequency bands of 890 to 915 MHz for the uplink band, and 935 to 960 MHz for the downlink band, with each band divided up into 200 kHz channels. Other features of the radio channel interface include adaptive time alignment, GMSK modulation, discontinuous transmission and reception, and slow frequency hopping. Adaptive time alignment enables the MS to correct its transmit timeslot for propagation delay. GMSK modulation provides the spectral efficiency and low out-of-band interference required in the GSM system. Discontinuous transmission and reception refers to the MS powering down during idle periods and serves the dual purpose of reducing co-channel interference and extending the portable unit's battery life. Slow frequency hopping is an additional feature of the GSM radio channel interface which helps to counter the effects of Rayleigh fading and co-channel interference.
2.2 TDMA Frame Structures, Channel Types, and Burst Types
The 200 kHz channels in each band are further subdivided into 577 ms timeslots, with 8 timeslots comprising a TDMA frame of 4.6 ms. Either 26 or 51 TDMA frames are grouped into multiframes (120 or 235 ms), depending on whether the channel is for traffic or control data. Either 51 or 26 of the multiframes (again depending on the channel type) make up one superframe (6.12 s). A hyperframe is composed of 2048 superframes, for a total duration of 3 hours, 28 minutes, 53 seconds, and 760 ms. The TDMA frame structure has an associated 22-bit sequence number which uniquely identifies a TDMA frame within a given hyperframe
