Authentication and Ciphering in Gprs Network
Authentication and Ciphering in Gprs Network
The HLR is a database that contains packet domain • Ki: This is an 128-bit long individual identification
subscription data and routing information. It uses Gr key like a password for the subscriber.
interface for SGSN and Gc interface for GGSN • GPRS-Kc: This is a 64-bit ciphering key which is
communication to exchange of user subscription, service generated for every single connection to avoid
and location data. eavesdropping.
• A3/A8 Algorithms: SIM and AuC contain both
Mobile Switching Center/Visitor Location Register A3/A8 algorithms to generate the related keys for
(MSC/VLR) coordinates call setups to and from GSM authentication and ciphering respectively.
users and manages GSM mobility. Gs signalling interface
is used for communication between SGSN and MSC. It Two another identifiers defined as IMSI and P-TMSI are
forwards circuit-switched paging for the GPRS-attached stored in SIM card and SGSN separately:
MSs to SGSN; therefore, MSC is not directly involved in • IMSI (The International Mobile Subscriber Identity
the GPRS network. number) serves as a fixed subscriber number to
identify the subscriber towards the network. IMSI is
The BSS ensures the radio connection between mobile also stored in HLR and AuC.
station and network using Um and Gb interfaces. Interface • P-TMSI (The Packet Temporary Mobile Subscriber
between MS and BTS is called Um and interface between Identity) serves as a temporary subscriber number to
BSC and SGSN is called Gb. identify the subscriber in air interface towards the
network to protect IMSI number. P-TMSI prevents
The Base Station Controller (BSC) has switching recognition of GPRS subscriber by a potential
capabilities used for circuit-switched calls and also dropper. The subscriber uses P-TMSI during location
carrying GPRS traffic. update, GPRS attach or detach GPRS packet transfer.
P-TMSI is allocated by SGSN, which may also
The Equipment Identity Register (EIR) is a database that regularly reallocate a new P-TMSI to MS.
contains MS identities. SGSN uses Gf signalling
interface to communicate with EIR for an extra equipment The last algorithm GPRS-A5 implemented in MS and
check in GPRS. SGSN ciphers the data. The ciphering is a task performed
by the Logical Link Control (LLC) protocol which is
III. GPRS SECURITY MODEL transported transparently between MS and SGSN. LLC
The security mechanisms of GPRS are implemented in information is not deciphered in the base station. That
SIM card of MS and the authentication centre (AuC) of means ciphered data is carried to the SGSN node of the
network. Stored information in these systems, algorithms GPRS network [5].
and keys are given below;
IV. GPRS AUTHENTICATION
When MS initiates a connection to GPRS network, it has A3 and A8 security algorithms both use Ki and RAND as
to be authenticated before it is allowed to have access. input parameters. A3 and A8 algorithms are demonstrated
GPRS authentication is conducted at the start of: in Figure 2.
• a routing area update
• a GPRS attach or detach After getting triplets from AuC, SGSN sends RAND
• a GPRS packet transfer number to MS for authentication. SIM generates SRES
based on RAND and Ki by using A3 algorithm. The MS
Authentication refers to the necessity for checking the transmits its SRES value to the SGSN that compares it
identity of the MS before it is allowed to make use of with SRES from AuC. If both values agree, the
network resources. Initially this procedure was intended to authentication is successful .Figure2, 3.
protect the subscriber from attackers who would make
illegal use of the network by stealing and using their Each execution of the algorithm A3 is performed with a
identities [5]. new value of the RAND which cannot be predetermined;
in this way recording the channel transmission and
The GPRS operator wants to know who is trying to playing it back cannot be used to fake an identity. A
initiate a connection with the network. The aim of the common cause for concern is that all these messages over
authentication process is to identify that the user has a the radio interface are sent unencrypted because the
correct SIM card with a valid Ki key. This process must ciphering starts after the authentication. Security
be verified without sending Ki over the radio interface. conscious users worry that if someone manages to
intercept RAND and SRES as they are transmitted over
The authentication process is initiated and controlled by the radio interface, and if this person knows the algorithm
SGSN, supported by AuC and MS. During GPRS attach A3, it may be possible to reverse the calculation to derive
process, SGSN sends a message containing the IMSI of Ki.[6]
the subscriber to the AuC and requests triplets, shown in
Figure 1. A triplet is composed of three keys called In fact the algorithms used in GSM/GPRS are designed to
RAND, SRES and Kc, which are explained below: make extremely difficult to calculate the input Ki (128
bits) from the output SRES (32 bits). Such inverse
• RAND is randomly generated 128 bit number used problems require a lot of processing time on a computer to
for providing triples always different. find the solution [2]. Today’s faster computer technology
• SRES (signed response) is 32 bit long number brings a solution that inverse problem. In this study, Ki is
generated by A3 algorithm and used as digital obtained from SRES and RAND by using a PII 450MHz,
signature of MS. 256MB RAM computer and SimScan V2 [11] program in
• GPRS-Kc is 64 bit ciphering key generated by A8 one hour. By using Ki, it is possible to generate ciphering
algorithm and used for encrypting data between MS key GPRS-Kc which influences data confidentiality of the
and SGSN. subscriber.
V. GPRS CIPHERING performed between MS and SGSN and use a new version
When authentication process successfully completed, of A5 developed especially for packet transmission (A5-
SGSN sends a message “Authentication is successful”. At 3). That version of A5 is called GPRS-A5.
the time of receiving that message from MS, it sends a
response message to SGSN and starts ciphering shown in GPRS ciphering algorithm GPRS-A5 does not use only
Figure 3. GPRS-Kc key during ciphering, it also uses two
additional parameters defined as input and direction to
Ciphering process in GPRS needs a ciphering key and a protect subscriber data confidentiality. If GPRS Kc was
ciphering algorithm. On the fixed network side, SGSN has the only one input parameter, the ciphering bit sequence
GPRS-Kc key as ciphering key and GPRS-A5 as (Ciph-S) would be the same for every GPRS session. One
ciphering algorithm. The SGSN receives GPRS-Kc key as of input parameters named input depends on the LLC
part of the triplet from AuC, while the MS generates frame number; the other parameter direction depends on
GPRS-Kc in SIM after receiving RAND from network.[5] data transmission direction. As a result, each LLC frame
is ciphered with a different Ciph-S. It has the same length
Although GSM and GPRS systems use the same ciphering as the LLC frame being ciphered. The length of the LLC
key and similar algorithms, there are some differences frames is variable and may be up to 1523 octets long. It is
between ciphering in GSM and GPRS. In GSM, ciphering very clear that the SGSN must regularly send the LLC
is performed between MS and BTS and uses one of three frame number to MS for staying synchronous.
versions of A5 (A5-0, A5-1 or A5-2), depending on the
level of ciphering permitted. In GPRS, ciphering is
In this study, security over the whole General Packet 1. ETSI EN 300 920: Digital cellular
Radio Service is analysed. In the air interface, security telecommunications system (Phase 2+); Security
remains in encryption and authentication. SGSN is aspects (GSM 02.09 V7.1.1 Release 1998)
responsible for the authentication of the subscriber. A 2. ETSI TS 121 133: Universal Mobile
signed response (SRES) and a ciphering key (Kc) are Telecommunication System (UMTS); 3G Security;
derived from security algorithms (A3, A5), individual Security Threads and Requirements (V3.1.0 Release
identification key (Ki) and a Random Number (RAND). 1999)
These keys are used for authentication and encryption. If 3. ETSI TS 133 120: Universal Mobile
the authentication is successful, then the encryption of Telecommunication System (UMTS); 3G Security;
data and signalling is targeted. Unfortunately, the Security Principles and Objectives (V3.0.0 Release
distribution of the keys is less reliable. The keys are sent 1999)
through the fixed network in clear text format. On this 4. Emmanuel Seurre, Patrick Savelli and Jean-Pierre
point of view, GPRS network is quite insecure. The keys Pietri, GPRS for Mobile Internet, Artech House,2003
should be regularly changed over a session and short key 5. Geoff Sanders, Lionel Thorens, GPRS Networks,
life time should be used in order to get a secure data John Wiley & Sons Ltd,2003
communication. 6. GSM and GPRS Security, Chengyuan Peng, Helsinki
University of Technology
The strength of A3 algorithm is tested and individual 7. C. Bettstetter, GSM 2+ General Packet Radio Service
identification key (Ki) is obtained from SRES and RAND GPRS: Architecture, Protocols, and Air interface.
in one hour. it is possible to generate ciphering key IEEE Communications Surveys, 1999
GPRS-Kc by using obtained individual identification key 8. An open source implementation of GGSN,
(Ki) which influences directly data confidentiality of http://www.openggsn.org/index.html
subscriber. As a solution, GPRS operator or the 9. The 3rd Generation Partnership Project ,
standardization organisation can develop new algorithm to http://www.3gpp.org/
improve the security. Since the algorithm is stored in the 10. GPRS Security. Charles Brookson. December 2001,
SIM card of MS, GPRS operators can make the changes http://www.brookson.com/gsm/gprs.pdf
themselves without involving the hardware or software 11. SIM SCAN v2.00 (Mar 17 2003), GSM SmartCard
manufacturers. analyzer, written by Dejan Kaljevic,
http://users.net.yu/~dejan