DEMONSTRATOR USER MANUAL
Contents
1. Figure 0 1 Default scenario USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 18 of 18 Authentication scenarios 3GPP authentication with real or simulated smart card The scenario 3GPP authentication with real smart card is stored in the configuration file 3gpp_realcard dsc The configuration file 3gpp_simcard describes the settings that are neces sary for the run of a 3GPP authentication process with a simulated smart card In both cases the SIM personalisation function is switched off See the following figure for a detailed description of the protocol flows USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 19 of 19 SELECT DF_UMTS SELECT EF_SPN READ BINARY EF_SPN EF SPID SELECT EF SSD READ BINARY EF SSD i EF_SSD jy InitAuthReq SPID SSD I l I SELECT DF_3GPP ig AuthMechAck 3GPP I MANAGE SECURITY ENVIRONMENT 3GPP SELECT EF_GMSI READ BINARY EF_GMSI EF_GMSI SELECT DF_UMTS SELECT BINARY EF_IMSI EMUI AuthID GMSI EMUI AuthReq RAND AUTN SELECT DF 3GPP x RES CK IK A AuthResp RES Figure 0 2 3GPP authentication detailed view USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 20 of 20 ASPeCT authentication with real or simulated smart card In order to visualise the ASPeCT authentication procedure one of the configuration files as pect realcard2. r Abstraction Level Fraud Simulation C Abstract Detailed IE EavesDrop Modify Man in the middle ls r Configuration A USIM Terminal Network Intruder Det Usim Det Tem Det Net Det Int Cancel COM Port Figure 0 2 Configure Demonstration Window Description of the Elements e Smart Card Mode The user can choose between a virtual and a physical card This action can also be carried out by Drag amp Drop from the Tree Window into the Main Window De fault Simulated e Abstraction Level The user can choose between a detailed and an abstract view of the pro tocol message flows Default Abstract e Authentication Protocol The user can choose between the 2 authentication protocols 3GPP and ASPeCT Default 3GPP e Fraud Simulation The user may choose between 2 types of fraud simulation Eaves drop Modify and Man in the middle Fraud mode default No Intruder selected e Eavesdrop modify 3GPP ASPeCT The intruder is able to eavesdrop store and mod ify messages that are exchanged between the terminal and the network The intruder only eavesdrops and stores the messages automatically He does not modify the messages automatically The user of the demonstrator has the possibility to modify the messages by modifying the data in the SEND MESS buffer of the intruder The intruder sends the modified messages to the target instance e Man in the middle In this fraud simulat
3. simulated smart card cation procedure middle dsc Network protocol ASPeCT protocol with man in the Velocity ls middle attack Abstraction Level detailed Fraud Simulation man in the middle Default scenario The default scenario is loaded automatically when the demonstrator application is started This scenario describes a 3GPP authentication process with a simulated smart card The messages that are transmitted between the instances are characterised by their names without parameters The instances Def Usim Def Term and Def Net are involved in the authentication process The SIM USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 17 of 17 personalisation function is switched off The following figure explains the protocol flow of the default scenario USIM Terminal Network SELECT s VERIFY CHV gt SELECT READ BINARY A SELECT es READ BINARY W_ OO InitAuthReq AuthMechAck SELECT gt MANAGE SECURITY ENVIRONMENT EI SELECT e Z 22 7 2 22 READ BINARY e SELECT _ s P SELECT ENCIPHER IMSI A gt AuthID AuthR SELECT oe REL AUTHENTICATE lt MMM Hc gt AuthResp
4. lt SELECT EF_SS e READ BINARY EF SSD I EF SSD gt lnitAuthReq SPID SSD InitAuthReq SPID SSD gt u _AuthMechAck ASPeCT lt AuthMechAck ASPeCT e SELECT DF ASPeCT OK 2 MANAGE SECURITY ENVIRONMENT ASPeCT OK gt lt GENERATE PUBLIC KEY PAIR PK U gt lt SELECT EF_CAID OK gt lt READ BINARY EF CAID EF_CAD AuthChall PK_U CAID I uthChall PK_U CAID gt AuthChallPK UIGAID AulhRea RND NIAUTH NICERTN lt AuihReq RND_NIAUTH_NICERTN VERIFY CERTIFICATE CERTN lt MUTUAL AUTHENTICATE END NAUTH N USIM AUTH FAILED USIM AUTH FAILED USIM AUTH FAILED Figure 0 7 Man in the middle attack ASPeCT protocol Presentation examples and comments Comments PIN USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 27 of 27 PIN CHV1 0000 Unblock PIN Unblock CHV 1 0000 0000 The user PIN 0000 is entered e either with the mouse via the keyboard of the terminal and confirmed with OK e or via the keyboard of the laptop PC and confirmed with the Return key The user has the possibility to change the PIN via the menu point Action gt Change CHV If a false PIN is entered more that 3 times the PIN is blocked The PIN can be unblocked with the menu point Action gt Unblock CHV The unblocking PIN 00000000 has to be entered Start of a demonstration run there are three possible modes
5. 20 SIM PERSONADISATION sihitee kenad feos varda ses eee eese deed aee cede eee teo Eee ee EE TSAS EiS ed 21 USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 3 of 3 FAILURE FRAUD SCENARIOS YES US S S D aap um aW Shu a St dee K 23 Synchronisation failure wimrreeeeeennnnneneeeeeoeeennnnennananeaeeeennnananeeeeeeeeenn een 23 Modification of protocol messages a sssssssssssssssssssssssa 25 ASPeCT authentication procedure with man in the middle attack 25 PRESENTATION EXAMPLES AND COMMENTS 26 COMMENTS 26 PRESENTATION EXAMPLES u S Seks SS SSS S aee de eed o ere e ee RE enda cu ls te sadas aaa kus 28 DOCUMENT MANAGEMENIT I 29 REFERENCES 30 DEFINITIONS 31 ABBREVIATIONS4 7 5 4059 a tre aea certe aada 31 General 31 Protocol Data Units Commands Variables esses hene hene nennen nennen 32 Introduction In the demonstrator the 3GPP authentication and key agreement protocol including the man agement of sequence numbers in case of synchronisation failures and the asymmetric ASPeCT protocol are implemented The flows of the authentication protocols as well as the contents of the protocol messages and the state variables of the system instances are visualised on the demonstra tor s
6. Realtime Mode Toolbar gt arrow or via the menu point Action gt Run gt Realtime Slow Mode Toolbar gt 2 arrows or via the menu point Action gt Run gt Slow Step by Step Toolbar gt arrow with line or via the menu point Action gt Run gt Step by Step Counter synchronisation in case of the 3GPP protocol with real smart card When the demonstrator application is started a loss of synchronisation between the counter in the real smart card and the network may occur In this case the smart card de livers the response data AUTS after the AUTHENTICATE command This is not a faulty behaviour and the synchronisation between the smart card and the network will be proceeded automatically Explanation the sequence counters in the network are loaded from the variable data file at each start of the demonstrator application The counter in the real smart card keeps its current value when the smart card is reset In order to ensure the synchronisation of the counters at a new start of the demonstrator application the variables of the network have to be stored before the demonstrator appli cation is exited e the network instance e g Net 3 that shall be used in further demonstration runs with a real smart card has to be selected in the Tree Window with the use of the left mouse button e via the menu point File gt Save the variables of the network are stored USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V
7. e OK A new temporary configuration is created and shown in the Main Window The dialog is left e Cancel The dialog is left without any changes e Com Port After pressing this button the dialog window Com Port opens up This dialog allows the user to select the interface for the chipcard terminal After changing the adjusted interface the demonstrator application checks automatically whether a chipcard terminal can be found at the new interface This action lasts up to a few seconds Default Com2 Action Menu Menu Point Run gt Real Time When the menu point Action Run gt Real Time is selected the demonstration is started in the Real Time mode This action can also be carried out with the toolbar Icon FF Menu Point Run gt Slow The menu point Action Run gt Slow starts the demonstration in Slow mode with the adjusted ve locity This action can also be carried out with the toolbar Icon USECA DOC GD 01 1 WP27 B U S E C A USECA Demonstrator V1 1 Page 13 of 13 Menu Point Run gt Step By Step After selection of the menu point Action Run gt Step By Step the demonstration is started in the Slow mode In this simulation mode the user has to press the Space key to proceed a single step This action can also be carried out via the toolbar Icon Menu Point Action gt Break This menu point is only active if a simulation is started in slow mode When selecting the menu point Action gt Bre
8. Authentication Request This protocol message contains the network s authentication data AuthResp Authentication Response AuthResp contains the authentication data computed by the USIM Auth Status 1 status of an authentication vector AUTN 15 Authentication Token for Network authentication AUTN SQN 8 AK I AMF I MAC Lengths SON 8 AK 6 byte AME 1 byte MAC 8 byte AUTS 13 Authentication Token used in the counter re Synchronisation procedure AUTS SEQ MSB f5x MACS IMACS Lengths SEQ_MS f5x MACS 5 byte MACS 8 byte CAID 16 Certification Authority Identity CERTI up to 147 Intruder Certificate CERTN up to 147 Network Certificate CERTU up to 147 User Certificate CHV 8 Card Holder Verification information CK 16 Cipher Key delta 5 accepted difference between old and new sequence number EMUI Encrypted Mobile User Identity Enc_Ki data Encryption of data with key Ki Ki is of symmetric secret key type GK 16 User Group Key GMSI up to 8 Group Identity hi data data are hashed with hash function hi ID_N 16 Network Identity IK 16 Integrity Key IMEI 7 International Mobile Equipment Identity IMSI up to 8 International Mobile Subscriber Identity InitAuthReq Initiate Authentication Request InitAuthReq is sent from the terminal to the network in order to initiate the authentication p
9. can be seen which includes all instances that are managed by the demonstrator Thus the instances of the present configuration visible in the Main Window i e at the start the default configuration are marked with blue coloured sym bols If the demonstrator application determines a physical card in the chipcard terminal an addi tional symbol of a Physical USIM card is inserted into the tree If data sets are changed manually or during a demonstration run the corresponding symbols in the tree are marked with red colour In the Info Window at the bottom screen frame one can look by means of the register alterna tively at the event protocol or the variables of the system instances The user of the demonstrator USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 7 of 7 has the possibility to modify each of these variables in order to intervene in a simulation run The variables that are changed during a step of the simulation run are marked with red colour The Status Line is positioned in the left lower corner of the screen If the user moves the mouse over a menu or a toolbar icon an explanation of the element below the actual mouse position is shown in this status line Additional during the demonstration run the current state of the authentication system is shown marked with green colour When running a simulation in Real Time mode and selecting the action Action gt Get Meas Time the time difference between two steps is
10. card mode simulated smart card tion with simulated c Network protocol 3GPP protocol smart card Velocity ls Abstraction Level detailed Fraud Simulation no fraud attempts ASPeCT authenti as Smart card mode simulated smart card cation with simu lated smart card pect_simcard dsc Network protocol Velocity Abstraction Level Fraud Simulation ASPeCT protocol ls detailed no fraud attempts SIM personalisa personalisa Smart card mode simulated smart card tion tion dsc Network protocol 3GPP protocol Velocity ls Abstraction Level detailed Fraud Simulation no fraud attempts synchronisation synch_fail dsc Smart card mode simulated smart card failure between the Network protocol 3GPP protocol USIM and the net Velocity ls work Abstraction Level detailed Fraud Simulation man in the middle intruder modifies protocol messages of the 3GPP au thentication proce dure 3gpp_modify dsc Smart card mode Network protocol Velocity Abstraction Level Fraud Simulation simulated smart card 3GPP protocol ls detailed eavesdrop modify intruder modifies protocol messages of the ASPeCT au thentication proce dure as pect_modify dsc Smart card mode Network protocol Velocity Abstraction Level Fraud Simulation simulated smart card ASPeCT protocol ls detailed eavesdrop modify ASPeCT authenti aspect_man i t Smart card mode
11. eavesdropped in the last authentication session instead of the fresh authentication request of the network see figure 3 6 The messages that are modified by the intruder are marked with red colour USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 24 of 24 SELECT DF_UMTS VERIFY CHV CHV1 SELECT EF_SPN READ BINARY EF SPN EF SPID SELECT EF SSD ill READ BINARY EF_SSD EF_SSD pou 1 InitAuthReq SPNI SS I InitAuthReq SPNI SD _ TD p l l SELECT DF_3GPP AuthMechAck 3GPP thMechAck 3GPP gg AAA OK ooo o I M PP NAGE SECURITY ENVIRONMENT 3G pe K SAACEN S SELECT EF GMSI K READ BINARY EF GMSI EF GMSI SELECT DF UMTS K SELECT BINARY EF IMSI O x ENCIPHER IMSI EMUI AuthID GMSI EMUDI AuthID GMSI I EMUT eee I A thReg RAND AUTN uthReg RAND AUTN P 3 SELECT DF 3GPP AUTHENTICATE RAND AUTN AUTS AuthResp AUTS T AuthResp AUTS Figure 0 6 Synchronisation failure USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 25 of 25 Modification of protocol messages If the user of the demonstrator wants to modify the protocol messages he may open the configura tion 3gpp_modify dsc With this configuration the intruder eavesdrops and stores the messages that are sent from the network to the terminal and vice versa The intruder stores t
12. on the PC or laptop this older version has to be de installed before the newer version 1 1 can be installed In order to de install the application please refer to section 2 1 3 The USECA demonstrator application V1 1 is delivered on 2 installation disks 1 Insert the first installation disk 2 Open the Control Panel Window choose Software and click on the Install icon 3 Follow the setup instructions that appear on the screen 4 The setup routine copies the necessary data and configuration files as well as the chipcard ter minal drivers to the hard disk 5 The Demonstrator icon will be added to the Start Programs menu De installation In order to de install the USECA demonstrator application the following tasks have to be per formed 1 Open the Control Panel Window and choose Software 2 Select Demonstrator and click on the Add Remove Programs icon 3 The USECA demonstrator software will be removed from the hard disk after confirming the security question 4 Select all chipcard drivers CHIPDRIVE and click on the Add Remove Programs icon The chipcard terminal drivers will be removed from the hard disk USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 5 of 5 6 A few files can not be removed automatically Install log Setuptwk exe WProtect exe as well as the configuration files and variable data files that are write protected In order to re move these files the user has to rem
13. scenarios These files that are stored in the directory Config Files that are write protected can be stored under a new name with the menu File gt Save As Menu point File gt Save As This menu point is only active if an entry is selected in the Tree Window After selection of the menu point File gt Save As a dialog is opened up and the user is reguested to enter a name for this entry The features for the selected entry are stored in a file with the corresponding extension Menu point File gt Open Configuration After selection of the menu point File gt Open Configuration a window opens up in which the user can choose between several predefined configuration files After closing the dialog the con figuration is shown in the Main Window With this function only the configuration file which contains the information concerning the con figuration settings is loaded while the variables of the instances of the configuration are not modi fied In order to reload the original variables of the instances the menu File gt Load has to be se lected USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 10 of 10 Menu point File gt Save Configuration The configuration is stored as a file file format Name dsc Menu point File gt Close Configuration The present configuration is closed and the default configuration is loaded Menu point File gt Import The configuration file and the corresponding variab
14. the network are not correct and an nounces an error Authentication failed gt The demonstrations run is stopped Cre T Document Management Author Monika Horak Giesecke amp Devrient Prinzregentenstr 159 D 81677 M nchen Germany USECA DOC GD 011 WP27 B USECA Reference Version References 3G21 111 3G31 101 3G31 102 3G33 102 ASP D20 1999 GSM02 16 GSM02 22 GSM11 11 HP98 1SO78 16 4 1SO78 16 8 1SO15946 2 USE D04 1999 USECA Demonstrator V1 1 Page 30 of 30 Phone 49 89 4119 1944 Fax 49 89 4119 2460 Email monika horak gdm de USECA DOC GD 011 WP27 B V1 1 15 August 2000 3G TS 21 111 3rd Generation Partnership Project Technical Specification Group Terminals USIM and IC Card Requirements Version 3 0 0 1999 3GPP 31 101 3rd Generation Partnership Project Technical Specification Group TSG Terminals UICC Physical and Logical Characteristics Version 0 5 0 1999 3G TS 31 102 3rd Generation Partnership Project Technical Specification Group Terminals USIM characteristics Version 0 5 0 1999 3G TS 33 102 3rd Generation Partnership Project Technical Specification Group Services and System Aspects 3G Security Security Architecture Ver sion 3 0 0 1999 ACTS ASPeCT AC095 deliverable 20 Project final report and results of trials GSM 02 16 Digital cellular telecommunications system Phase 2 International Mobile station Equ
15. the time of a real communication set up In StepByStep mode a single step of the dem USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 8 of 8 onstration run is carried out each time the user presses the Space key In this mode the user has the possibility to observe the changes of the variables within a single step The mode S ow exe cutes the simulation in a velocity which can be adjusted in the configuration menu Thus an in terruption of the demonstration session can be forced by means of the menu Action Break The run of the simulation will be continued by using the menu Action gt Continue Each message produces an entry with the exact indication of time 1 msec resolution into the log file in the Info Window lower screen frame Measured times are real times that means meas ured times include time to enter the PIN number respectively in StepByStep mode the distance between two steps and in Slow mode the adjustment of waiting time velocity For this reason an useful computation of the time distance menu Action gt Get Meas Time is only possible in the mode Real Time By clicking onto an instance or by using the cursor keys arrow left right the Info Window switches to this instance and the variables of this instance that are relevant for the current simula tion run are shown This means that the Info Window as well as the Tree Window show a special view of the system Only those variables and inst
16. will be carried out via the keyboard of the handy or via the keyboard of the PC At first the user has to enter the Unblock CHV number Afterwards he has to enter the new PIN number and confirm this input If the Unblock CHV Action is successful both the counter of the CHV and the counter of Un block CHV will be reset In a simulated card all these variables appear in the directory DF_UMTS EF_CHV Menu Point Action gt Get Meas Time Only active if a simulation Real Time has been started before After the menu point Action Get Meas Time is chosen the user is requested to press the Shift key and select entries in the Main Window with the mouse or in the Info Window Log Book with mouse and keyboard The time difference in milliseconds between first and last selected entry is shown in the status line This action can also be carried out via the toolbar Icon USECA DOC GD 011 WP27 B USECA Demonstrator V1 1 USECA Page 15 of 15 This process is stopped by selecting the Action gt Get Meas Time menu or pressing the icon once more Menu Point Help Menu Point Help Topics After selection of the menu point Help Topics the online help functions of the demonstrator ap plication opens up Via the card index Contents Index or Search an Online Help is at the user s disposal Menu Point About The version number of the application is shown together with the icon in a dialog field Predefined sce
17. 1 1 Page 28 of 28 Presentation examples 3GPP Authentication 1 Open the configuration with simulated smart card File gt Open Configuration 3gpp_simcard dsc with real smart card File gt Open Configuration 3gpp_realcard dsc 2 Start the demonstrations run Enter the PIN 0000 4 Proceed the demonstration until the authentication procedure is finished gt The demonstration run will be finished with the status Secure Operation Mode Replay Attack short version Open the configuration File gt Open Configuration synch_fail dsc Start the demonstrations run Enter the PIN 0000 Proceed the demonstration until the authentication procedure is finished gt the intruder eavesdrops the message AuthReq RANDIAUTN and stores the parameters gt The demonstration run will be finished with the status Secure Operation Mode since the intruder did not modify any messages 5 Enhance the configuration in order to simulate a replay attack Edit gt Configuration gt Fraud Simulation Man in the middle confirm with OK 6 Start a new demonstrations run gt The intruder modifies the message that he received from the network Instead of the original AuthReq AuthRes messages the intruder sends the parameters of the corre sponding messages that have been eavesdropped in the former protocol run gt The USIM checks the authentication parameters and detects the replay at
18. ECA demonstrator offers the possibility to simulate fraud attempts and to study the be haviour of the UMTS system in the case of failure or fraud The demonstrator includes two dif ferent fraud simulation modes e Eavesdrop modify e The intruder automatically eavesdrops and stores the messages that are exchanged be tween the terminal and the network He does not modify the messages automatically e The user of the demonstrator has the possibility to modify the messages by modifying the data in the SEND MESS buffer of the intruder The intruder sends the modified mes sages to the target instance e Man in the middle The intruder automatically performs attacks by modifying the AuthReq and AuthResp mes sages that are transmitted between the terminal and the network Synchronisation failure A synchronisation failure can be achieved by simulating a replay attack The user of the demonstrator has to open the configuration file synch_fail dsc and start a demon stration run During this demonstration run the intruder eavesdrops the messages that are trans mitted between the terminal and the network and stores the security relevant parameters RAND AUTN and RES In order to simulate a replay attack the user of the demonstrator has to enhance the configuration of the demonstrator and to select the fraud simulation mode man in the middle When a new demonstration run is started the intruder automatically replays the AuthReg message that he
19. USECA DEMONSTRATOR USER MANUAL Version 1 1 U S E C A USECA Demonstrator V1 1 Page 2 of 2 Table of contents TABLE OF CONTENTIS eese ees ee sens states sesso setate tenes esses to senes sse sese sees sa ease sepes sata 2 INTRODUCTION Ill 5 i aa sa ok rues 3 INSTRUCTIONS FOR USE OF THE DEMONSTRATOR 4 INSTALLATION 4 Installation Requirements eese eese eene mu EE EEE AECE ECEE EEEE E i 4 Installation of the Demonstrator Application asss 4 De installati nz s i oc DR e REED SS I OR I EE Tee 4 START OF THE DEMONSTRATOR SOFTWARE a nnn nene resin eni nnne nene 5 Overview 5 RUT Of a Demonstration enc RE E E eee terea een EYE eie 7 WHE ELEMENTS OF THE MENU sitt E E E E te eI NI 8 File menu 8 Edit menu 10 Action Menu 12 Menu Point Help canoe eee ettet E Ee e Ee eee RE 15 PREDEFINED SCENARIOS 4 eeeeee eee eese etes esten eo ro sse nano eenase ena nano eena ee 15 DEFAULT SCENARO 5552s E ROCnenenege nennen qn EN NEN OE ass aa sas 16 AUTHENTICATION SCENARIOS cccccccssssssseccceecceaseeeeeecceeeesaaseeeeeceeseeaaaaeseeeeeeeeessaaaaseeeeeeeeeeaa 18 3GPP authentication with real or simulated smart card 18 ASPeCT authentication with real or simulated smart card
20. ak the demonstration stops and the menu item changes in Continue By using the menu point Action gt Continue or pressing the toolbar item Slow the run of the demonstration will be continued This action can also be carried out via the toolbar Icon Menu Point Action gt Stop The menu Stop is only active if a simulation is started Via the menu point Action gt Stop the demonstration is stopped This action can also be carried out via the toolbar Icon QD Menu Point Action gt Personalise By using the SIM personalisation feature the user is able to lock one terminal to one or more up to 3 different USIMs After the personalisation the terminal works only with the personalised cards When the menu point Action gt Personalise is selected the picture of a terminal appears The user has to enter the personalisation key in order to activate the personalisation feature The input of the PIN number will be carried out via the keyboard of the handy or via the keyboard of the PC USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 14 of 14 In case of a new personalisation the user has to enter his 4 digit Personalisation Key and confirm this key The terminal uses the identity number of the USIM card as the personalisation code For any further personalisation the user has to enter the Personalisation Key Menu Point Action gt De Personalise This function allows the user to unlock the terminal When the menu po
21. ances are displayed which belong to the cur rently configured authentication protocol Le in a simulation of the 3GPP protocol the variables of the ASPeCT protocol can not be seen The image of the terminal simulates the visible surface of the terminal Via its display the termi nal user will be required to enter his PIN number Error messages will also occur on the display e g in case of a missing USIM card The input of the PIN number will be carried out via the key board of the terminal whereas the input will be followed up with as it is done with a physi cal device Note If the input length is lower than 8 digits the user has to confirm his input with the OK Button The elements of the menu File menu The standard loading and saving functions of the demonstrator application load the relevant files from the directory Config They also save the relevant files into this predefined directory The directory Config contains all the information concerning the configuration and variable data files Besides the standard possibilities of saving and loading configurations the demonstrator applica tion provides a mechanism to import and export configurations In contrary to normally saving both configuration files and variable data files can be exported to another directory or disk or im ported from another directory or disk In this way configurations can be used without additionally settings in every further version o
22. creen Therefore the demonstrator can be used as a visualisation tool in order to present the 3GPP or the ASPeCT authentication and key establishment mechanisms to an expert audience during conferences Since the demonstrator allows exact tracing of the implemented authentication protocols and the intervention of the user in order to manipulate the state variables of the system it also serves as an analysing tool for authentication in UMTS The authentication and key establishment mecha nisms as well as the behaviour of the protocols under failure conditions or fraud attempts can be analysed Due to the time measure functions and logging functions the demonstrator may also serve as tool for evaluating the authentication protocol as well as the performance of the implemented security mechanisms USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 4 of 4 Instructions for use of the Demonstrator Installation Installation Requirements The following software and hardware prerequisites are required for a proper run of the USECA demonstrator application e Operating system Windows 95 OSR2 Windows 98 or Windows NT Version 4 0 e Hardware requirements e Video resolution 1024 768 pixel e itis recommended to set the colour palette gt 256 colours e G amp D Personal Chipcard Terminal PCT200 Installation of the Demonstrator Application If version 1 0 of the USECA demonstrator application has already been installed
23. displayed in the Status Line In the Status Line the following types of status are shown e Terminal authentication e CHV verification e AKA preparation e AKA GPP or ASPeCT e Read keys from UICC e Secure operation mode etc The Info Window the Toolbar and the Status Line can be switched on or off via the menu View All windows are scrollable and the size of the windows can be changed The user has the possibility to load a predefined scenario as well as to load a new variable data file with the help of the File menu With the File gt OpenConfiguration menu a predefined sce nario can be loaded A variable data file is loaded via the File gt Load menu After selecting the menu Edit gt Configuration the dialog Configure Demonstration appears Within this dialog the settings of a configuration can be modified A simple method to change the instances of an existing configuration is to select an existing entry in the Tree Window and to draw it with left mouse button pressed into the Main Window Drag amp Drop The instance in the Main Window is exchanged by this process New instances can be created by changing an existing instance and storing it under a new name Run of a Demonstration The demonstration session can be started via the menu Action gt Run It can be started in 3 ways e Real Time e Step By Step e Slow In RealTime mode the events are illustrated in real time that means the measured times are iden tically to
24. dsc or aspect simcard dsc has to be opened USIM Terminal Network SELECT DF UMTS lt VERIFY CHV CHV1 S e S E I ELECT EF SPD I I lt T I gt I 5 READ BINARY EF_SPD I I I EF_SPID u f S gt l SELECT EF SSD l lt I K I I f z gt f 2 READ BINARY EF_SSD I I EF SSD I u gt InitAuthReq SPIDISSD gt Tem le AuthMechAck ASPeCT I lt I OK gt n MANAGE SECURITY ENVIRONMENT ASPeCT le GENERATE PUBLIC KEY PAIR I l PK u E I SELECT EF_CAID I lt OK gt P READ BINARY EF CAID I I EF_CAID gt AuthChall PK U CAID AuthReq RND_N AUTH_N CERTN T VERIFY CERTIFICATE CERTN lt l K i gt le MUTUAL AUTHENTICATE RND NJAUTH N f Enc Sig AUTH_U ne Sig _U gt SELECT EF_CERTU lt OK le SECURE READ BINARY EF_CERTU I Enc EF_CERTU E AuthResp Enc Sig AUTH U Enc CERTU SELECT DF UMTS I OK I I gt SELECT EF CK I K I 2 gt le READ BINARY EF_CK I EF CK gt I ELECT EF_IK I 2 SELECT EF_ Ok gt READ BINARY EF IK le I EF IK Figure 0 3 ASPeCT authentication USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 21 of 21 SIM Personalisation When the USIM Pe
25. ecurity mechanisms 1999 USE D07 ACTS USECA AC336 deliverable 7 The UMTS USIM Specification of a Demonstrator 1999 USE D09 ACTS USECA AC336 deliverable 9 Intermediate report on a PKI architecture for UMTS 1999 Definitions UICC A removable IC card containing a USIM USIM An application that represents and identifies a user in the UMTS network The USIM contains functions and data needed to identify and authenticate the user when UMTS services are accessed In particular the USIM contains the user s IMUI and any security parameters that need to be carried by the user for in stance keys The USIM is implemented in a smart card the UICC Abbreviations General 3GPP Third Generation Partnership Project API Application Programming Interface AKA Authentication and Key Agreement ATR Answer To Reset ASPeCT Advanced Security for Personal Communications Technologies CHV Card Holder Verification Information DES Data Encryption Standard ETSI European Telecommunications Standards Institute GSM Global System for Mobile Communications GUI Graphical User Interface HE Home Environment IMEI International Mobile Equipment Identity IMSI International Mobile Subscriber Identity IMUGI International Mobile User Group Identity IMUI International Mobile User Identity MAC Message Authentication Code USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 32 of 32 MDH Modified Diffie Hellman AKA protoco
26. f the demonstrator software USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 9 of 9 Menu point File gt Load After the selection of the menu point File gt Load a dialog opens up which enables the user to choose variable files If one entry in the Tree Window is selected the dialog opens up with the corresponding extension When the dialog is closed with OK the application checks whether this entry already exists In case that this file does not exist yet within the working store of the demonstrator a new entry is created in the tree of the Tree Window If the file already exists in the tree a security inquiry appears Overprint the old file with Yes No and Cancel If Yes is selected the variable data file of the old entry is overwritten within the working store of the demonstrator If No or Cancel is selected this process is cancelled This action can also be carried out via the toolbar Icon Menu point File gt Save This menu point is only active if an entry is selected in the Tree Window The features for the selected entry are stored in a variable data file name corresponding extension This action can also be carried out via the toolbar Icon Note In order to avoid unintentional modifications of the predefined scenarios the user is highly recommended to write protect the configuration files and variable data files that are correspond ing to the predefined
27. fies the message that he received from the network Instead of the original message of the network the intruder sends the parameters of the message that have been eavesdropped in the former protocol run to the terminal 10 Continue the demonstrations run gt The USIM detects the replay attack and delivers the response message AUTS gt A Authentication failure is announced gt the demonstrations run is stopped 11 In order to show that the 3GPP system functions correctly even after a replay attack the in truder can be switched off afterwards and a new demonstrations run without intruder can be started User of the demonstrator modifies messages Open configuration File gt Open Configuration 3gpp_modify dsc Start the demonstrations run Enter the PIN 0000 Break the demonstrations run when the intruder receives the message Au thReq RANDIAUTN that was sent by the network 5 Select the variables Intruder Def_Int Message_buffers in the Tree Window gt In the Info Window two buffers are displayed REC_MESS includes the message that was received by the intruder SEND_MESS includes the message that the intruder will send to the terminal 6 The user has the possibility to modify the message in the SEND_MESS buffer click in the value column of the line send mess overwrite any characters of the message confirm with OK 7 Continue the demonstrations run gt The USIM detects that the authentication data of
28. hat is stored in the terminal for the purpose of terminal authentication SIM personalisation UPI 1 USIM Personalisation Indicator USIM User Services Identity Module USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 35 of 35 XRES 4 eXpected RESponse 3GPP symmetric authentication and key agreement protocol defined by the 3GPP standardisation group USECA DOC GD 011 WP27 B
29. he messages that he receives from the sender of the message in the buffer REC_MESS This message is copied into the SEND_MESS buffer The user of the demonstrator has the possibility to modify the mes sage in the SEND_MESS buffer With the following simulation step the intruder sends the mes sage that is stored in the SEND_MESS buffer to the destination party ASPeCT authentication procedure with man in the middle attack The configuration file aspect man i t middle dsc may be used in order to simulate a man in the middle attack where the intruder automatically attacks the ASPeCT authentication procedure The intruder possesses a public key pair and a certificate and manipulates the communication between the terminal and the network When receiving an authentication message the intruder analyses the message and modifies it by the use of his own keys and certificate He sends the modified messages to the target party His goal is to impersonate the network in communications with the terminal and to impersonate the terminal in communications with the network see figure 3 7 USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 26 of 26 USIM Terminal Intruder Network SELECT DF UMTS 2 VERIFY CHV CHV1 j lt SELECT EF_SPID READ BINARY EF SPID EF SPID gt ELECT EF_SSD
30. includes 3 windows a menu a toolbar and a status line USECA DOC GD 011 WP27 B USECA USECA Demonstrator V1 1 Page 6 of 6 Tree Main window window E Dotaali LUSETA Desvoestiotor JEPP Pretecoll LO Dm Edt Mn Vm Hee eig le 2 55 d est Duss k m 1 LJ Physical Cond S ja coger Bel Usin et Ten bet mi Def net D mer uen x J B muc gt GLELT EF SPID E gue H zi J z fy OF Lr g eov Sg E i Bra i EF 50 Rr gt R Ex 4 ELEGT ey 55D x B Fs or e EF SED ARO iunt E SID gr asrezr MOM B rco LL 5 213 E E olu miht React AD E601 B Eg rr J Myth es SPD 550 B Fs B rr sw Area Fe COO PP ga cr acer Aabe ink RPF d Termini SELECT OF Jorr s aem C m Ch Metot pe X Ds ret AGE SECURITY EIROMEVT GOP Info window Figure 0 1 USECA demonstrator screen All actions can be directed via the Menu The Toolbar positioned below the menu includes the symbols for the most frequently used functions of the program The Main Window displays the instances that are involved in the current UMTS system simula tion In this window the protocol flows of the authentication procedure are visualised The Title Line contains the name of the application USECA Demonstrator the presently loaded configuration and the selected authentication protocol In the Tree Window on the left side of the screen a tree
31. int Action gt De Personalise is selected the picture of the terminal appears and the user is asked to enter the Per sonalisation Key The input of this PIN number will be carried out via the keyboard of the termi nal or via the keyboard of the PC In order to de personalise a terminal the user has to enter the Personalisation Key which has been entered during the personalisation procedure via the Action menu Action gt Personalise If the input of the key is correct the personalisation data as well as the Personalisation Key are deleted Menu Point Action gt Change CHV The card holder verification value PIN number of a physical or a simulated smart card can be changed via this function By selecting the menu point Action gt Change CHV the picture of a terminal appears and the user has to enter his PIN number The input of the PIN number will be carried out via the keyboard of the handy or via the keyboard of the PC At first the user has to enter the old PIN number Afterwards he has to enter the new PIN number and confirm this entry In a simulated card the new PIN number appears in the directory DF_UMTS EF_CHV Menu Point Action gt Unblock CHV In case of a wrong input of the PIN number more than 3 times the CHV number is blocked Now the user has to use the Unblock CHV functionality in order to annul this state When the menu point Action gt Unblock CHV is selected the picture of a terminal appears The input of the PIN number
32. ion mode the intruder automatically modifies messages that are transmitted between the network and the terminal He automatically USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 12 of 12 performs attacks When the 3GPP protocol is simulated the intruder replays authentication messages that have been eavesdropped in former authentication sessions Notice To run a simulation in this mode a session in Eavesdrop Modify mode has to be started first In this way the in truder is able to eavesdrop the necessary data When the ASPeCT protocol is simulated the intruder possesses a public key pair and a certificate and manipulates the communica tion between the terminal and the network When receiving an authentication message he analyses the message and modifies it by the use of his own keys and certificate He sends the modified messages to the target party His goal is to impersonate the network in communications with the terminal and to impersonate the terminal in communications with the network e Velocity Setting of the holding time for one step in Slow mode This field may include val ues between 1 100 s Default 15 e Configuration This field allows the user to compose a demonstrator configuration If a physical card is chosen the field USIM is inactive otherwise the user has to choose a card in this field This action can also be carried out by Drag amp Drop from the configuration win dow into the Main Window
33. ipment Identities MED Version 6 0 0 Release 1997 GSM 02 22 Digital cellular telecommunications system Phase 2 Personalisa tion of GSM Mobile Equipment ME Mobile functionality specification Ver sion 6 0 0 Release 1997 GSM 11 11 Digital cellular telecommunications system Phase 2 Specifica tion of the Subscriber Identity Module Mobile Equipment SIM ME inter face Version 7 2 0 Release 1998 G nther Horn Bart Preneel Authentication and Payment in Future Mobile Sys tems in Computer Security ESORICS 98 Louvain la Neuve Belgium 16 18 9 1998 Proceedings p 277 294 published as LNCS 1485 Springer 1998 ISO IEC 7816 4 Information technology Identification cards Integrated cir cuit s cards with contacts part 4 Interindustry commands for interchange 1995 ISO IEC 7816 8 Information technology Identification cards Integrated cir cuit s cards with contacts part 8 Security related interindustry commands 1998 ISO IEC WD 15946 2 Information technology Security techniques Crypto graphic techniques based on elliptic curves part 2 Digital signatures 1998 ACTS USECA AC336 deliverable 4 Intermediate report on the UMTS USIM USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 31 of 31 USE D05 ACTS USECA AC336 deliverable 5 Intermediate report on terminal security for UMTS 1999 USE D06 ACTS USECA AC336 deliverable 6 Intermediate report on UMTS s
34. l PSO Perform Security Operation SE Security Environment SEQ symmetric AKA protocol using SEQuence counters SIM Subscriber Identity Module TA Terminal Authentication UMTS Universal Mobile Telecommunications System UPI USIM Personalisation Indicator USIM Universal Subscriber Identity Module USECA UMTS SECurity Architecture UTI USIM Terminal Interface VLR Visited Location Register Protocol Data Units Commands Variables Parameter length in Explanation bytes AID len Application Identifier AK 4 8 Anonymity Key AMF Authentication Management Field ASI 1 Application Status Identifier ASPeCT asymmetric authentication and key agreement protocol defined in the ASPeCT project ATI 2 Application Type Identifier AuthChall Authentication Challenge AuthChall contains the user s challenge for the asymmetric authentica tion procedure AuthID Authentication Identity This message is sent from the terminal to the network in order to associ ate the protocol run with a certain USIM AuthMechAck Authentication Mechanism Acknowledge AuthMechAck is sent from the network to the terminal in order to deter mine the authentication protocol AUTH N 16 Network Authentication Token AUTH N h2 K SI RND NIID N USECA DOC GD 011 WP27 B USECA USECA Demonstrator V1 1 Page 33 of 33 AUTH U 16 USIM Authentication Token AUTH U h3 PK UI PK NIRND NIID N AuthReq
35. le data files are loaded from any data media or from any directories Menu point File gt Export The present configuration can be exported onto another data medium The demonstrator applica tion stores not only the configuration file but also the corresponding variable data files Menu point File gt Recent Files Up to four of the last loaded configurations are shown here and can be activated by selecting the application Menu point File gt Exit After a security request the state of the software i e the last visible windows and their dimen sions are recorded in the registration data base With a new start the software appears with these windows again The demonstrator software is closed Edit menu Menu point Edit gt Delete Entity Only active if an entry is selected in the Tree Window The selected entry is deleted after a double security request in the tree as well as in the directory Config This process is irrevocable after the statement of the security requests USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 11 of 11 Menu point Edit gt Configuration After the selection of the menu point Edit gt Configuration the dialog window Configure Dem onstration opens up When this dialog is opened the currently loaded configuration settings are shown Configure Demonstration Ed r Smart Card Mode Authentication Protocol Velocity Simulated C Physical E 3GPP C ASPeCT
36. narios The USECA demonstrator offers the possibility to run predefined scenarios The configuration settings as well as the values of the instance variables are described in a format that has been defined specifically for the demonstrator The configuration information is stored in demonstration scenario configuration files name dsc The instance variables are stored in entity variables files name uvf tvf nvf ivf With the use of these files it is possible to predefine sce narios that can be loaded and run easily The following table gives an overview of predefined sce narios scenario configuration comments default scenario default dsc Smart card mode Network protocol Velocity Abstraction Level Fraud Simulation simulated smart card 3GPP protocol ls abstract no fraud attempts 3GPP authentica tion with real smart card 3gpp_realcard ds c Smart card mode Network protocol Velocity Abstraction Level Fraud Simulation physical smart card 3GPP protocol ls detailed no fraud attempts ASPeCT authenti as Smart card mode physical smart card cation with real pect realcard dsc Network protocol ASPeCT protocol smart card Velocity ls USECA DOC GD 011 WP27 B USECA USECA Demonstrator V1 1 Page 16 of 16 Abstraction Level Fraud Simulation detailed no fraud attempts 3GPP authentica 3gpp_simcard ds Smart
37. ove the directory Programs Demonstrator Start of the Demonstrator Software Overview The USECA demonstrator application starts when the demonstrator icon in the Start Programs menu is selected when double clicking the icon or when the file Demonstrator exe is executed A demonstration session is described within two kinds of files a configuration file and up to 4 variable data files When started the software first of all searches for the default configuration and the variable data files of a UMTS system in the directory Config The default configuration and variables are loaded With these data sets the user is able to start a simulation session imme diately after the start of the demonstrator application A configuration file includes all the infor mation that describes a simulation session like the authentication protocol or the type of the simu lated attack Configuration files and variable data files are named name ext The extension of a configuration file is dsc Variable data files are stored with the extensions uvf ivf tvf nvf which characterise the variable data files of the instances USIM Intruder Terminal and Net work A variable data file includes all information concerning the variables of the instance the name of the variable an explanation of the variable and the current value After the start of the USECA demonstrator application the following screen is displayed The demonstrator screen
38. rocedure USECA DOC GD 011 WP27 B USECA USECA Demonstrator V1 1 Page 34 of 34 K 16 USIM Individual key K_PC 4 Personalisation Control Key K_S 16 Session Key MAC 8 Message Authentication Code MAC f1 x SQNIRANDIAMF MACS 8 Message Authentication Code used in the counter re Synchronisation procedure MACS fl SEQ MSIRANDIAMF PID 2 Profile Identifier PK CA Public Key of the Certification Authority PK N Network s Public Key PK_U user s temporary Diffie Hellman Public Key PKS_U User s Public Signature Key RAND 16 RANDom challenge RES 4 user authentication RESponse RND_U 8 random number that is used as the temporary Diffie Hellman secret key of the user RND_N 8 RaNDom number computed by the Network SE Security Environment Sig data Data is signed with key SKi SKi is of asymmetric secret key type SK_N Network s Secret Key SK_U User s Secret signature Key SPID 5 Service Provider IDentity SQN 6 SeQuence Number SEQ_HE 5 SeQuence counter which is stored in the Network and serves as a basis for the generation of sequence numbers for one USIM SEO LO USIM keeps track of an ordered list of the b highest batch number values SEQ MS it has accepted IND SEO SON SEO I IND Lengths within USECA SEO 5 byte IND 1 byte SSD Security Service Descriptor UICCID_x 10 List of UICC IDentifiers t
39. rsonalisation Indicator UPI of the terminal is set to on the terminal selects the EF_UICCID and reads the UICCID It compares this identifier with the reference values stored in the terminal In case of a match the USIM is accepted and the authentication and key establishment procedure is executed see figure 3 4 Otherwise the message Please insert correct USIM is announced and the terminal switches into the mode where only emergency calls are al lowed see figure 3 5 USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 22 of 22 SELECT EF_ICCID OK READ BINARY EF ICCID EF ICCID SELECT DF UMTS OK VERIFY CHV CHV1 OK SELECT EF SPN OK READ BINARY EF_SPN EF SPID SELECT EF SSD OK READ BINARY EF_SSD EF SSD InitAuthReg SPID SSD AuthMechAck 3GPP SELECT DF 3GPP OK NAGE SECURITY ENVIRONMENT 3G y OK SELECT EF GMSI OK READ BINARY EF GMSI EF GMSI SELECT DF UMTS OK SELECT BINARY EF IMSI OK ENCIPHER IMSI EMUI lul AuthID GMSI EMUI t AuthReg RAND AUTN SELECT DF 3GPP OK AUTHENTICATE RAND AUTN RES I CK IK AuthResp RES Figure 0 4 Correct SIM personalisation USECA DOC GD 01 1 WP27 B U S E C A USECA Demonstrator V1 1 Page 23 of 23 SELECT EF_ICCID OK gt READ BINARY EF_ICCID EF ICCID gt Figure 0 5 SIM personalisation failure Failure fraud scenarios The US
40. tack The smart card delivers the response parameters AUTS and a Authentication failure is an nounced by the network The demonstrations run is stopped pA Ne Replay Attack detailed version Open the configuration File gt Open Configuration synch_fail dsc Start the demonstrations run Enter the PIN 0000 Break the demonstrations run when the intruder receives the message Au thReg RANDIAUTN that was sent by the network gt The intruder eavesdrops the message and stores the parameters RAND and AUTN the variables are stored in Def_Int eavesdropped_auth_data see Tree Window 5 Continue the demonstrations run until the protocol run is finished Pe USECA DOC GD 011 WP27 B U S E C A USECA Demonstrator V1 1 Page 29 of 29 gt The demonstrations run will be finished with the status Secure Operation Mode since the intruder did not modify any messages 6 Enhance the configuration in order to simulate a replay attack Edit gt Configuration gt Fraud Simulation Man in the middle confirm with OK 7 Start a new demonstrations run 8 Break when the terminal received the message AuthReq RANDIAUTN that was sent by the intruder 9 Compare the message that was sent by the network with the message that was modified and sent by the intruder click on the corresponding messages with the left mouse button the mes sage contents are displayed in the Info Window gt The intruder modi
Download Pdf Manuals
Related Search