Received Date: December 19, 2016; Accepted Date: January 12, 2017; Published Date: January 20, 2017
Citation: Oyinloye OE, Alese BK, Thompson F, Adetunmbi AO (2017) A Proposed Lower Computational Complexity Secret Key Mirroring System on GSM. J Comput Sci Syst Biol 10:006-011.doi:10.4172/jcsb.1000239
Copyright: © 2017 Oyinloye OE, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Visit for more related articles at Journal of Computer Science & Systems Biology
Global system for mobile communication is a wireless radio technology used mostly on network communication. It is designed to overcome the challenges of analog communication. GSM evolved from generation 1G to 4G LTE and uses protocols to protect transmissions, which have shown to be susceptible to attacks. This fact has been proven based on several attacks ranging from narrow pipe attack, guess, and determine attacks, side channel attacks, time memory tradeoff attacks and correlation attacks which have high computational complexities. The proposed system called GSM Traffic Monitoring System (GTMS) attempts to proffer a lower computational complexity attack. It uses a key retrieval and passive attack module to handle the mirroring of the secret key authentication procedure given a chosen random challenge on a SIM card through the injection of a malware. This research aims at drawing the attention of network providers- SIM configuration; an area that requires protection from attackers.
GSM traffic monitoring system; Mirroring; 2-ary malware; Key retrieval; GSM; GTMSRAND; SIM; Authentication; Secret key
Mobile communication has become convenient than ever, due to openness of wireless network. One of the applications of mobile communication is in the use of the Global System for Mobile Communication (GSM). The GSM is a digital wireless network standard designed to replace the many existing incompatible cellular system; to overcome the limitations of analog communication network systems. Most users use the GSM network for communication and exchange of very sensitive and private information believing that the GSM System is reliable and secure .
The Global system for mobile communication has three sections namely; the mobile station, base station subsystem and network and switching subsystem as described in Figure 1.
The mobile station consists of the mobile equipment and a subscriber identity module card. It authenticates itself to the operator’s network and communicates to other users through the base station subsystem. The base station subsystem controls the radio link with the mobile station. It manages the base transceiver station, releases/allocates radio channels, coordinates frequency hopping, channel setup and connection of mobile station to network and switching subsystem .
The network and switching subsystem is responsible for the management of mobile services such as authentication, switching of calls profiling and mobility management, call routing between functional entities based on the standard signaling system number 7 (SS7), location update, roaming capabilities, call control, provision of subscribed services for each mobile currently located in a geographical region . The connections between these sections are mostly fiber, microwave, and satellite links .
In all, GSM has evolved through several generations; each generation is characterized by its own operational features. The generations include the 1G, 2G, 3G, 3.5/4G. 1G is the analog voice cellular telephony developed in 1980s; it supports one call per channel and hence was inefficient in using limited spectrum. It required large/ heavy and expensive analog devices and its power consumption was high. It required large frequency gap to handle interference .
In order to deliver mobile voice services to more people in more places, the 2G was designed in the 1990s and it supported more than one user per channel, enabling compression of voice signal. The digital components cost/weight were far less and it delivered more secure signals. It allows multiple users (8 users) per radio with each user talking one at a time via time division multiple access (TDMA) technique; offering a simple data service with General Packet Radio Service (GPRS). It required large frequency gap to reduce interference [3,4].
On top of the foregoing, the development of the Code Division Multiple Access (CDMA) GSM in year 2003 yielded 3G. It provided increased voice capacity by more efficient use of spectrum resources and better security. With 3G the high-speed internet access was introduced and it surpassed 2G connections in 2013 [3,4]. Since year 2010, the 4G Long Term Evolution (LTE) is evolving to provide more data capacity for faster and better mobile broadband. The multimode 3G/LTE is the foundation on which the 4G LTE thrives [3,4]. These GSM generations proffer several levels of security and excellent services; however, the security services are operated on cryptographic devices.
In recent years, several kinds of attacks on cryptographic devices have become public. The goal of these attacks is to reveal the secret key of cryptographic devices. Techniques used to achieve this goal are manifold; hence attacks on cryptographic devices differ significantly in terms of cost, time, equipment, and expertise needed. Consequently, there are also several ways of categorizing these attacks. Attacks may be classified as either passive or [5,6].
Passive attacks are attacks in which the cryptographic device is operated largely or even entirely within its specification. The secret key is revealed by observing physical properties of the device, for example; execution time, power consumption. With active attacks, the cryptographic device, its inputs, and /or its environment are manipulated (tampered with) in order to make the device behave abnormally. The secret key is revealed by exploiting this abnormal behavior of the device .
Receptivity is one of the characteristics of GSM network, thus anyone could use a receiver to passively monitor the radio waves. Therefore, it is important that reasonable security measures should be employed to ensure privacy of user’s data from unauthorized use of the service, avoid misuse of resources by impersonators and eavesdropping on information. Security measures have been put in place to safe guard a subscriber’s privacy ranging from personal identification numbers, pin unblocking key codes, several protocol algorithms for communication. Despite the availability of these security measures, a test of the provided security measure is regularly required to determine the strength of the security mechanism deployed by network operators. Researches show that these security measures may be susceptible to several attacks such as cryptographic attacks, power analysis attacks and correlation attacks as confirmed by the studies of [7-10]. Although these attacks and many more have successfully cracked the security algorithms they also have shown to have high computational complexity. As researches expose some of the weaknesses, designers of GSM have attempted to handle these weak points, more attacks have been proposed on the newer approaches.
The GSM is used by millions of users . These millions entrust their privacy at the mercy of the network provider’s security mechanism.
GSM deploys several security measures to protect the radio link and communication in general. They include:
(i) A3 algorithm
(ii) A8 algorithm
(iii) A5 algorithm
The use of these algorithms is seen in user authentication, protection of transmitted data over-the-air among others. The efficiency of these algorithms, hinge on the high degree of security on secret key privacy. A study by Brienco et al. showed that network vulnerability is possible by revealing the secret key, since the secret key is central to the security algorithm . This was proved by recovering the secret key from a SIM card through reverse engineering gathered data from the reference algorithm, based on 150,000 challenge queries. The study further showed that possession of the secret key leaves each of the algorithms used in GSM susceptible to an attacker’s manipulation . Brumley reported on a narrow pipe attack technique that exploited the weakness of the COMP-128 and which was said to have been used to recover the secret key . This left the card clone-able and allowed eavesdropping, but it requires at least eight hours completing the attack.
Side channel attacks ranging from differential power analysis attack, simple power analysis attack, partitioning attacks requiring queries ranging from eight to thousands, has also been used. These query requirement makes the approach have a high data complexity and furthermore not implementable in real-time. Studies show that these side channel attacks can be guarded against by using hiding and masking of power measurements [5,13].
Other attacks types were further proposed on the algorithms used for confidentiality. These attacks were based on the fact that the protocols used on GSM also called algorithms use the shared secret key as their security baseline. So, the attacks placed on these protocols were used to recover the secret key, session key and even establish connection. The algorithms include the A5/1, A5/2, A5/3 and a not in use but already proposed A5/4 .
Biryukov et al. proposed a time memory data tradeoff approach by reconstructing the linear feedback shift registers used in the A5/1 algorithm . This approach does not foster real time attack since a large amount of known key stream, a large data for pre-computation and storage is required for a successful attack. Although the study proposed a possible online phase of the attack, by analysis it can be said that a possible online phase of the attack would give a very low success rate due to the computational requirement and will require very expensive machines with very high speed.
More attacks were further proposed on the network signaling. Margave claims that access to the signaling network will reveal sensitive information for key recovery . This claim is based on the fact that the traffic within a network operator’s environment is sent as plaintext. This attack requires the presence of the attacker at the base station and very expensive equipment for implementation. On the part of the network operators, physical protection of base stations is always provided, so that access to the signaling equipment may be difficult and hence this attack can be guarded against. But, if it happens that an attacker gets access to the base station; then, this attack will be successfully carried out and used for a long time undetected.
Barkan et al. proposed an attack on A5/2 to exploit the GSM error/ correction scheme. GSM uses error/correction before encryption; this makes the data have linear dependencies and by observing cipher-text the study showed that the session key could be recovered . However, the pre-computational phase of the attack requires a huge amount of data more than is required for a time memory tradeoff attack. These practical obstacles make actual implementation of the attack difficult.
Dunkelman et al. proposed a related key attack on Kasumi used in A5/3 to recover the key from block cipher . The study obtained the 128-bit key using chosen and related messages that may not be applicable in the specific way in which Kasumi is used on the A5/3 encryption in the 3G GSM telephony. The break was not operated in real time meaning the conversation must be intercepted, recorded, and then run through a system to break the encryption to have a suitable .wav file output. A5/3 used in 3G calls is not generally known to be broken outside of the intelligence agency circles. However various known cell phone vulnerabilities can make it susceptible to passive attack. With downward compatibility issues attack possible on A5/1 and A5/2 can be mounted on A5/3.
Gendrullis et al. proposed and implemented also time memory tradeoff attack to generate the linear feedback shift registers content for reconstructing the 64-bit session key by using generated states and discarding only possible wrong states thereby reducing the level of unsuccessful result . This technique required many checking possibilities. The study revealed that the approach produced the same number of 64 bits output for more than one state. In the study, it is claimed that this occurrence is negligible but for real time implementation this may lead to a lack of confidence in this approach.
Session keys have also been recovered using brute force attack; although, with a high data complexity and almost not realizable in real time, as a large amount of input data is required to make it feasible. The required data is said to be time bound, so that if the data captured is not used to recover the key within the data validity period, then the approach must be repeated with a new captured data. Cases of this are seen in Golic, who proposed brute force attacks  and Kumar who investigated further . It was observed that these approaches resulted in exhaustive search, which generally is known to have a high time complexity [19,20].
The result of these attacks implies that the security of networks is highly vulnerable, but most of these attacks also require a large amount of data, time and some others, expensive equipment. Hence, this research focused on secret key recovery using a malware based approach by mounting an active attack on the SIM card, performing a passive attack for validation and evaluating the computation complexity, with the hope to reduce the computational complexity.
Furthermore, this research was carried out to help network operator determine a possible vulnerable point on the SIM card and also to act as a test tool for network operators determine the extent of vulnerability on the SIM card and network.
Establishing a connection between the phone and the network begins with the mobile station sending the International Mobile Subscriber’s Identity (IMSI) number to the network operator. This number is attached to a copy of the card’s secret key and a set of random challenges (RANDs) at the network provider’s authentication center. The network provider sends a Random Challenge (RAND) to the SIM. This random challenge is combined with the secret key on the SIM card using the COMP-128 algorithm to generate a signed response and a session key, Kc. The generated signed response is sent to the network provider, who compares the result of the signed response (SRES) from the SIM and the copy resident at its (Network Operator) authentication center. If it matches, the network provider allows the SIM card to connect on the network, otherwise authentication is rejected.
In some cases, a temporary mobile subscriber’s identity (TMSI) number can be sent to the network address in other to protect the IMSI from attackers. If the result of the SRES does not match using the IMSI in the event that the TMSI did not derive the correct signed response, the authentication process may be repeated or an authentication reject message is sent to the subscriber. Figure 2 shows the GSM authentication procedure.
The proposed system is tagged GSM traffic Monitoring System (GTMS). It is designed as a simple tool with less computational complexities, to reconstruct the secret key used by a SIM card. GTMS uses a malware injection approach to intercept SIM card authentication operation. This approach does not attempt to recover the secret key when the SIM card is not carrying out the SIM card authentication, contrary to the work of researchers who attempt to crack the triple DES algorithm, because the secret key is protected with triple DES when not in use. Rather the process of mirroring begins when the secret key carries out the authentication procedure in order to mirror the authentication process.
The injection process gives way to the required authentication and communication process with the mobile station. Figure 3 describes the GTMS authentication architecture on the mobile station.
The malware performs the responsibility of the network provider by providing the required random challenge called GTMSRAND. The designed system does not disregard the GSM standard. This standard ensures that certain regulations are followed before any authentication is performed.
Architecture of the proposed system
The GTMS is single tier architecture that uses the malware activities and the passive attack to mirror data. Figure 4 illustrates the connection structure of the GTMS system.
The malware: The malware is first injected into the mobile equipment (ME) and then the SIM card. When this is done, the malware attempts to inject itself into the required environments manipulating the activities of the SIM/ME functionalities. Figure 5 shows the malware injections on the SIM and the mobile equipment.
The GTMS mathematical model
It applies the standard practice of a SIM/ME. However, in order to suit the expected and desired attributes for the GTMS to achieve its purpose, attempts are made to manipulate the standard characteristics of each of these functions. The GTMS is attempting to recover the secret key stored on the SIM.
The process of recovering the secret key with the use of the GTMS is a 3-tuple system
these functions have a relationship that is a nonhomogeneous second order linear differential equation as described in Equation 1.
where is the malware function, is the emulator function, is the Reversing function. Each of these functions has several components that aid achieving their operations.
The GTMS operations are broken into two main modules, namely: The key retrieval and Passive attack. Each module holds a dependent relation with each other. This paper emphasizes the key retrieval process.
The key retrieval module: The GTMS begins by firstly recovering the key using the key retrieval module. The key retrieval module is built on a 2-ary malware with characteristics of definite finite automata. The 2-ary malware is based on the theorem of a k-ary malware.
Definition: A k-ary malware is a family of k-files (some of them may not be executable), whose union constitutes a computer malware and its code operation can be sequential (serial mode) or parallel, depending on how k-constituent parts are acting either one after the other or together respectively .
However, in this research a 2-ary non-monolithic binary entity malware is proposed with a set of binary and non-executable files, working in a serial mode to produce the desired capture of the 128-bit secret key property. The entities of the malware are given in the relation as described in equations 3 to 7 and their attributes are transparent and silent, so that their activities are not seen as foreign to the SIM. This attribute is built in through the use of through the use of the Libthor programme resident in mn
mg, mr, f, g, are the set of binary files used by the malware and mn is the non-executable files. Here mr indicates the mirroring system, whose member properties are given asf andg . Mg is the set of executable binary mv and non-executable file mn, and mn≠0.
The malware is defined such that all transparent and silent binaries and the main legal program is said to constitute the only parts of the malware. The set mv whose members are shown in Equation 7 is the set of binary that have distinct properties. mn, Non-executable further carries the attributes to ensure that mv are not detectable by an antivirus, the SIM card’s security system and the mobile equipment.
mv operation: The set mv whose members are its properties given in Equation 7 all work together to achieve the initiation of the Run GSM algorithm. This algorithm request is usually initiated by the mobile equipment after the card holder’s verification 1 (CHV1) procedure is successful. It further generates the required RAND; this RAND is the input parameter for the authentication procedure. The generated RAND by the malware is tagged GTMSRAND; it is known to the attacker.
Assuming all properties of elements of mv have a general property name, say P, then it can be said that the object b who is a member of mv has the property say: kernel-land code injection. This property forces the injection of code into the mobile phone. The injected code allows the mobile equipment to listen to the malware, assuming that the malware is the subscriber’s network’s base transceiver station (BTS). This assumption makes the malware a fake base station, without physical structure.
The mobile equipment receives the RAND from the malware; which poses as a network. The property information of b as P(b) as shown below: P(b) → accept_network_Receive_GTMS_RAND.
Another member of mv is c. Let c be a property say: the generation of the GTMSRAND and initiator of the next binary file. The GTMSRAND given to the mobile station through the mobile equipment is usually a randomly generated 128 bits value. This value is generated by the home location register (HLR) in a standard GSM setting without any integrity parameter for the SIM to validate the source of the RAND, hence the SIM card does not have any means of verifying the validity of the RAND sent. With this RAND characteristic the GTMS system uses the binary file c to generate the GTMSRAND. The RAND generated follows the EAPSIM authentication given by Arkko and Haverinen .
The value of the attribute contains two reserved bytes followed by one GTMSRAND that is 16 bytes long. The reserved bytes are set to zero upon sending and ignored upon reception and represents the number of GTMSRAND, which in the case of this research n=1. The GTMSRAND value was generated using the Lehmer multiplicative congruential algorithm, based on the standard minimum parameters as described in Equation 9 and 10 and the initial value called S0.
Where Z, G, N are integer parameters; Z=16807; G=1, N=128; S0 ≥ 1. So that Si is given to be the sunset of the natural numbers and S0 ≠ 0, then there is a natural number (t)
S0 being the least element of S. the generator performs this operation eight times to generate eight hexadecimal number, which is concatenated to produce the 128 bits GTMSRAND as described in Equation 10
The GTMSRAND is stored in mn as given
Here, only a copy is stored for attack verification purpose.
The binary file c initiates the next binary file tagged; a. It employs the system of virtual machine for malware, which was developed by Anthony Desnos. These virtual machines are said to offer a powerful protection for an algorithm or anything else that would require protection against reverse engineering. It takes a piece of assembly instructions and has a simple dynamic metamorphic virtual machine very quickly to interpret.
The GTMS embeds this machine into different parts of the malware to protect them. The virtual machine is totally independent from the program. It runs an algorithm into an encapsulated object, for protecting every binary file instructions. The virtual machine uses a malicious pseudo-random number generator to hide the GTMSRAND stored on the mobile equipment by XORing the sequence with a 128 bit sequence. The integer constants in the GTMSRAND generator are protected using LibThor internal junk package.
LibThor has been proven to be useful in hiding operation code values, register offsets or anything which represents an invariant in a program . The property of the binary file c is given as:
xh represents the GTMSRAND and a is the initiation of the next binary file attribute.
The property d who is a member of the set mv is said to have three attributes:
a) Force the SIM to perform CHV1 verification for a successful return
b) Change the SIM card’s directory to DFGSM, to allow initiation of the Run GSM algorithm.
c) Initiate the algorithm.
The particular binary property of P(d) is given as
and i represent the attributes of binary d.
The malware manipulates the standard operation in the following functionality:
Input: data string #content of data string “instruction to add malware functionality part of toolkit”
Output: The SIM data download is activated, meanwhile the SIM acknowledges with a 16 bytes of data.
The manipulated Envelope initiates a point-to-point download of properties c of mv , properties g of mr into the SIM card. It further enables changing of file directory as given in property di.
Terminal: The malware manipulates the function of the terminal used by the SIM card to transfer from the mobile equipment the SIM toolkit application g, b, c, d1 and d2.
Thus, the SIM card is expected to perform a CHV1 and present it to the mobile equipment, after this verification the mobile phone is meant to initiate the RUN GSM algorithm; if this does not begin the binary file d3 will force the process to begin. Before the RUN GSM algorithm is initiated the b must have provided the GTMSRAND to the mobile equipment to transfer to the SIM card. However, d2 should have changed the active directory to the dedicated file for GSM.
Upon initiation of the algorithm for authenticating a subscriber to the network given as:
Output: SRES, Kc, C
Where C is the mirrored content from the authentication process and is 128 bits based on the GTMSRAND; x and the secret key Ki tagged as y.
Authentication procedure:The manipulated fetch command is used to initiate the mirror operation whose result is C and other properties. This fetch command with its characteristics described in GSM Specification allows the mirrored data to be saved in mn and protected by LibThor internal junk packaging.
The components of mv can hence be written as described, using the set property system, shown below,
mr operation: The set as given in Equation 4 are the functions for manipulating the SIM security. The f function injects the necessary code into the SIM card to manipulate the SIM card security, for the purpose of allowing the mirroring capability of the malware, g to be active. The mirroring function
Here x and y represent the GTMSRAND and the secret key, A and B are real numbers; A, B=1, v denotes the vector of the result C being reflected, l represents any vector in the line being reflected in and v.l denotes the dot product of v with l. Using this function the malware mirrors the SIM card.
Some methods that have been used by authors include correlation attacks, side-channel attacks, guess-and-determine attacks, memory tradeoff attacks. These attack designs are dependent on solving complex mathematical equations with a number of assumptions. They recover materials essential to intercept communication, but these attacks are characterized by high computational complexities in terms of time or storage. This research worked on proffering a reduced computational complexities approach to recovering secret key required for authentication. It is a promising candidate of attack and an obvious point of concern for network operators in the security of secret key and SIM cards. This became evident as a simple point to point download of newer functionalities into a SIM card makes the SIM card vulnerable to cloning and traffic eavesdropping without having to attack the triple DES cryptographic system used to protect secret key.