MC Exp2&3

Mobile computing lab experiments

Uploaded by

sanjanabhosle27
Roll No/Div: -______

EXPERIMENT NO: - 2

Aim of the Experiment: - To Implement GSM security algorithms (A3/A5/A8)

Lab Outcome: -

Date of Performance: -

Date of Submission: -

Implementation (05) | Understanding (05) | Punctuality & Discipline (05) | Total Marks (15)

Practical In charge
EXPERIMENT NO.: 02

Title: To develop security algorithms for mobile communication network

Aim: To Implement GSM security algorithms (A3/A5/A8)

Theory:
GSM offers several security services using confidential information stored in the AuC
and in the individual SIM (which is plugged into an arbitrary MS). The SIM stores
personal, secret data and is protected with a PIN against unauthorized use. (For
example, the secret key Ki used for authentication and encryption procedures is stored
in the SIM.) The security services offered by GSM are explained below:

• Access control and authentication: The first step includes the authentication
  of a valid user for the SIM. The user needs a secret PIN to access the SIM. The
  next step is the subscriber authentication. This step is based on a
  challenge-response scheme.

• Confidentiality: All user-related data is encrypted. After authentication, BTS
  and MS apply encryption to voice, data, and signaling. This confidentiality
  exists only between MS and BTS, but it does not exist end-to-end or within the
  whole fixed GSM/telephone network.

• Anonymity: To provide user anonymity, all data is encrypted before
  transmission, and user identifiers (which would reveal an identity) are not used
  over the air. Instead, GSM transmits a temporary identifier (TMSI), which is
  newly assigned by the VLR after each location update. Additionally, the VLR
  can change the TMSI at any time.

Three algorithms have been specified to provide security services in GSM. Algorithm
A3 is used for authentication, A5 for encryption, and A8 for the generation of a
cipher key. In the GSM standard only algorithm A5 was publicly available, whereas
A3 and A8 were secret, but standardized with open interfaces. Both A3 and A8 are no
longer secret, but were published on the internet in 1998. This demonstrates that
security by obscurity does not really work. As it turned out, the algorithms are not very
strong. However, network providers can use stronger algorithms for authentication – or
users can apply stronger end-to-end encryption. Algorithms A3 and A8 (or their
replacements) are located on the SIM and in the AuC and can be proprietary. Only A5
which is implemented in the devices has to be identical for all providers.

Authentication:
Before a subscriber can use any service from the GSM network, he or she must be
authenticated. Authentication is based on the SIM, which stores the individual
authentication key Ki, the user identification IMSI, and the algorithm used for
authentication A3. Authentication uses a challenge-response method: the access control
AC generates a random number RAND as challenge, and the SIM within the MS
answers with SRES (signed response) as response. The AuC performs the basic
generation of random values RAND, signed responses SRES and cipher keys Kc for
each IMSI, and then forwards this information to the HLR. The current VLR requests
the appropriate values for RAND, SRES, and Kc from the HLR. For authentication, the
VLR sends the random value RAND to the SIM. Both sides, network and subscriber
module, perform the same operation with RAND and the key Ki, called A3. The MS
sends back the SRES generated by the SIM; the VLR can now compare both values. If
they are the same, the VLR accepts the subscriber, otherwise the subscriber is rejected.

Encryption:
To ensure privacy, all messages containing user-related information are encrypted in
GSM over the air interface. After authentication, MS and BSS can start using
encryption by applying the cipher key Kc (the precise location of security functions for
encryption, BTS and/or BSC are vendor dependent). Kc is generated using the
individual key Ki and a random value by applying the algorithm A8. Note that the SIM
in the MS and the network both calculate the same Kc based on the random value
RAND. The key Kc itself is not transmitted over the air interface.

Fig 1: Subscriber Authentication

MS and BTS can now encrypt and decrypt data using the algorithm A5 and the cipher
key Kc. As Figure 2 shows, Kc should be a 64 bit key – which is not very strong, but is
at least a good protection against simple eavesdropping. However, the publication of
A3 and A8 on the internet showed that in certain implementations 10 of the 64 bits are
always set to 0, so that the real length of the key is thus only 54 bits; consequently, the
encryption is much weaker.
Fig 2: Data Encryption

A5/1 Algorithm:

Input: 64-bit session key (secret key), 22-bit frame bits (plain text).

Output: Cipher text size 228 bits.


Process:
Step 1: Initialize the three registers to zero.
Step 2: Load the 64-bit session key (secret key) followed by the 22 bits of the
frame number (public key): the session key and frame number are XORed bit by bit
into the LSB (least significant bit) of the registers, and the registers are
clocked regularly.
Step 3: Cycle the registers 100 times, discarding any output (all registers are
clocked irregularly; the majority function identifies which registers are shifted).
Step 4: Cycle the registers 228 times (clocked irregularly; the majority
function identifies which registers are shifted) to generate the keystream.
Step 5: Add the randomly generated number by XORing it with the resulting
keystream to find the final keystream.
Step 6: Repeat all steps for the next frame.
Step 7: End.
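
Steps 1 to 4 above, written out as an added C example (it is not code from the original lab sheet); calling the function again with the next frame number is Step 6. Assumptions: the register lengths, feedback taps and clocking-bit positions are not on the page and are the publicly documented A5/1 parameters, and the sample key, frame number and expected output are the test values published with the pedagogical A5/1 implementation by Briceno, Goldberg and Wagner.

```c
#include <stdint.h>
#include <stdio.h>
/* Register lengths, feedback taps and clocking bits are not given on the
   page; these are the publicly documented A5/1 parameters. */
static uint32_t R1, R2, R3; /* 19-, 22- and 23-bit shift registers */

static uint32_t parity(uint32_t x) {
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1; return x & 1;
}

/* Shift a register left by one, feeding back the XOR of its tap bits. */
static uint32_t step(uint32_t r, uint32_t mask, uint32_t taps) { return ((r << 1) & mask) | parity(r & taps); }

/* all = 1: regular clocking. all = 0: irregular clocking, where a register
   shifts only if its clocking bit equals the majority of the three. */
static void clock_regs(int all) {
    uint32_t b1 = (R1 >> 8) & 1, b2 = (R2 >> 10) & 1, b3 = (R3 >> 10) & 1;
    uint32_t maj = (b1 + b2 + b3) >= 2;
    if (all || b1 == maj) R1 = step(R1, 0x07FFFF, 0x072000); /* taps 18,17,16,13 */
    if (all || b2 == maj) R2 = step(R2, 0x3FFFFF, 0x300000); /* taps 21,20 */
    if (all || b3 == maj) R3 = step(R3, 0x7FFFFF, 0x700080); /* taps 22,21,20,7 */
}

/* Steps 1-4 for one frame: 228 keystream bits as two 114-bit halves, each
   packed MSB-first into 15 bytes (the last 6 bits of each buffer stay 0). */
void a51_keystream(const uint8_t key[8], uint32_t frame, uint8_t down[15], uint8_t up[15]) {
    R1 = R2 = R3 = 0;                                   /* Step 1 */
    for (int i = 0; i < 64 + 22; i++) {                 /* Step 2: key, then frame */
        uint32_t bit = i < 64 ? (key[i / 8] >> (i & 7)) & 1 : (frame >> (i - 64)) & 1;
        clock_regs(1);
        R1 ^= bit; R2 ^= bit; R3 ^= bit;
    }
    for (int i = 0; i < 100; i++) clock_regs(0);        /* Step 3: output discarded */
    for (int i = 0; i < 228; i++) {                     /* Step 4 */
        int j = i % 114; uint8_t *dst = i < 114 ? down : up;
        if ((j & 7) == 0) dst[j / 8] = 0;               /* clear each byte before first use */
        clock_regs(0);
        uint32_t out = ((R1 >> 18) ^ (R2 >> 21) ^ (R3 >> 22)) & 1;
        dst[j / 8] |= (uint8_t)(out << (7 - (j & 7)));
    }
}

int main(void) { /* sample inputs: test key and frame number of the public reference code */
    const uint8_t key[8] = {0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF};
    uint8_t down[15], up[15];
    a51_keystream(key, 0x134, down, up);
    for (int i = 0; i < 15; i++) printf("%02X", down[i]);
    puts(""); /* 534EAA582FE8151AB6E1855A728C00 */
    return 0;
}
```

Encrypting or decrypting a 114-bit burst is then a bitwise XOR of the burst with the matching keystream half.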

Program:

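#include <stdio.h>
#include <stdlib.h>
#include <math.h>
#include <string.h>

/* Textbook RSA on one character at a time, with two small primes read from
   the user. The message must be lowercase letters (each is mapped to 1..26
   by subtracting 96), so n = p * q has to be larger than 26. */
long int p, q, n, t, flag, e[100], d[100], temp[100], j, m[100], en[100], i;
long int count; /* number of (e, d) pairs found by ce() */
char msg[100];

int prime(long int);
void ce(void);
long int cd(long int);
void encrypt(void);
void decrypt(void);

int main() {
    printf("\nENTER FIRST PRIME NUMBER\n");
    scanf("%ld", &p);
    flag = prime(p);
    if (flag == 0) {
        printf("\nWRONG INPUT\n");
        exit(1);
    }

    printf("\nENTER ANOTHER PRIME NUMBER\n");
    scanf("%ld", &q);
    flag = prime(q);
    if (flag == 0 || p == q) {
        printf("\nWRONG INPUT\n");
        exit(1);
    }

    printf("\nENTER MESSAGE\n");
    scanf("%99s", msg); /* bounded read: msg holds at most 99 characters */

    for (i = 0; msg[i] != '\0'; i++)
        m[i] = msg[i];

    n = p * q;               /* modulus */
    t = (p - 1) * (q - 1);   /* Euler's totient of n */
    ce();
    if (count == 0) {        /* e.g. p = 2, q = 3 leaves no usable exponent */
        printf("\nNO VALID e FOUND\n");
        exit(1);
    }

    printf("\nPOSSIBLE VALUES OF e AND d ARE\n");
    for (i = 0; i < count; i++)
        printf("\n%ld\t%ld", e[i], d[i]);

    encrypt();
    decrypt();

    return 0;
}

/* Trial division; returns 1 if pr is prime, 0 otherwise. */
int prime(long int pr) {
    long int i, limit;
    if (pr < 2)
        return 0;
    limit = (long int)sqrt((double)pr);
    for (i = 2; i <= limit; i++) {
        if (pr % i == 0)
            return 0;
    }
    return 1;
}

/* Collect up to 99 candidate public exponents e (prime, not dividing t,
   different from p and q) together with their private exponents d. */
void ce(void) {
    int k;
    k = 0;
    for (i = 2; i < t; i++) {
        if (t % i == 0)
            continue;
        flag = prime(i);
        if (flag == 1 && i != p && i != q) {
            e[k] = i;
            flag = cd(e[k]);
            if (flag > 0) {
                d[k] = flag;
                k++;
            }
            if (k == 99)
                break;
        }
    }
    count = k;
}

/* Find d with (d * x) mod t == 1 by testing 1 + t, 1 + 2t, ... */
long int cd(long int x) {
    long int k = 1;
    while (1) {
        k = k + t;
        if (k % x == 0)
            return (k / x);
    }
}

/* c = pt^e mod n for every character, using the first (e, d) pair. */
void encrypt(void) {
    long int pt, ct, key = e[0], k, len;
    i = 0;
    len = (long int)strlen(msg);
    while (i != len) {
        pt = m[i];
        pt = pt - 96;
        k = 1;
        for (j = 0; j < key; j++) {
            k = k * pt;
            k = k % n;
        }
        temp[i] = k;
        ct = k + 96;
        en[i] = ct;
        i++;
    }
    en[i] = -1; /* end marker */
    printf("\nTHE ENCRYPTED MESSAGE IS\n");
    for (i = 0; en[i] != -1; i++)
        printf("%c", (int)en[i]);
}

/* pt = c^d mod n for every stored ciphertext value. */
void decrypt(void) {
    long int pt, ct, key = d[0], k;
    i = 0;
    while (en[i] != -1) {
        ct = temp[i];
        k = 1;
        for (j = 0; j < key; j++) {
            k = k * ct;
            k = k % n;
        }
        pt = k + 96;
        m[i] = pt;
        i++;
    }
    m[i] = -1; /* end marker */
    printf("\nTHE DECRYPTED MESSAGE IS\n");
    for (i = 0; m[i] != -1; i++)
        printf("%c", (int)m[i]);
}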

Output:

Conclusion: Hence, we have implemented the RSA security Algorithm.


Roll No/Div: -______

EXPERIMENT NO: - 3

Aim of the Experiment: - Study of security tools (like Kismet, Netstumbler)

Lab Outcome: -

Date of Performance: -

Date of Submission: -

Implementation (05) | Understanding (05) | Punctuality & Discipline (05) | Total Marks (15)

Practical In charge
EXPERIMENT NO. 03

Title: To study the security tools.

Aim: Study of security tools (like Kismet, Netstumbler)

Theory:
Study of Kismet Security Tool.

Introduction-
• Kismet is a wireless network and device detector, sniffer, wardriving tool,
  and WIDS (wireless intrusion detection) framework.

• Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR
  (software defined radio) hardware like the RTLSDR, and other
  specialized capture hardware.

• Kismet works on Linux, OSX, and, to a degree, Windows 10 under the
  WSL framework. On Linux it works with most Wi-Fi cards, Bluetooth
  interfaces, and other hardware devices. On OSX it works with the built-in
  Wi-Fi interfaces, and on Windows 10 it will work with remote captures.

• Kismet is an open-source wireless network analyzer; Kismet works with a
  lot of wireless cards supporting "monitor" mode.

• The Kismet program is composed of a server called "kismet_server" and
  a client "kismet_client", which can connect to many servers.

• Kismet is able to generate several types of logs such as "dump", "csv"
  or "xml" files.

Kismet Interface-
Use of Kismet Tool-
• Kismet is a console (ncurses) based 802.11 layer-2 wireless network
  detector, sniffer, and intrusion detection system.

• It identifies networks by passively sniffing (as opposed to more active tools
  such as Netstumbler), and can even decloak hidden (non-beaconing)
  networks if they are in use.

• It can automatically detect network IP blocks by sniffing TCP, UDP, ARP,
  and DHCP packets, log traffic in Wireshark/TCPdump compatible format,
  and even plot detected networks and estimated ranges on downloaded maps.

• It collects data packets and identifies networks, including hidden ones.

Commands:
KISMET_CLIENT

  -f   Use an alternate config file
  -u   Use an alternate UI config file
  -q   Override sound option and run in quiet mode
  -s   Override server host:port
  -r   Attempt to automatically reestablish the connection if the server terminates
  -g   Override UI type (curses, panel)
  -c   Override list of columns to display (comma separated)
  -v   Print version
  -h   Help

KISMET_SERVER

  -I   Set the initial channel for a channel source (source:channel)
  -x   Forcibly enable the channel hopper
  -X   Forcibly disable the channel hopper
  -t   Set the title used for the %t field of the logfile template (Default: Kismet)
  -n   Disable all logging
  -f   Use an alternate config file
  -C   Comma-separated list to override what capture sources are enabled
  -l   Override logging types, comma separated (dump, cisco, weak, csv, xml, gps)
  -m   Override maximum packets logged per file
  -q   Override sound option and run in quiet mode
  -g   Override GPS host:port
  -p   Override port to listen on for clients
  -a   Override list of client IPs or network/mask blocks (comma separated)
       allowed to connect
  -s   Run in silent mode (no console status information)
  -N   Override server name for this instance of Kismet
  -v   Print version
  -h   Help

WIFI Data using Kismet tool Step by Step-


To use it, first put the wireless card into monitor mode: type "airmon-ng start
wlan0" in the terminal.

Step 1 :
To launch it, open terminal and type “kismet”.
Step 2 :
Click “Ok”.

Step 3 :
Click “Yes” when it asks to start Kismet Server. Otherwise it will stop functioning.

Step 4 :
Start-up Options, leave as default. Click “Start”

Step 5 :
Now it will display a table that asks you to define a wireless network card. In
this case, click “Yes”
Step 6 :
In this case, the wireless source is “wlan0”. It must be written in the “Intf” section
→ click the “Add” section.

Step 7 :
It will start sniffing the WiFi network, as shown in the screenshot below.

Step 8 :
When you click on the network, wireless details are generated, as shown in
the screenshot below.

Study of Wireshark Security Tool

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time
and displays them in human-readable format. Wireshark includes filters, color coding, and other
features that let you dig deep into network traffic and inspect individual packets.

Capturing Packets

After downloading and installing Wireshark, you can launch it and double-click the
name of a network interface under Capture to start capturing packets on that interface.
For example, if you want to capture traffic on your wireless network, click your wireless
interface. You can configure advanced features by clicking Capture > Options, but this
isn’t necessary for now.

As soon as you click the interface’s name, you’ll see the packets start to appear in real
time. Wireshark captures each packet sent to or from your system.
If you have promiscuous mode enabled—it’s enabled by default—you’ll also see all the
other packets on the network instead of only packets addressed to your network adapter.
To check if promiscuous mode is enabled, click Capture > Options and verify the
“Enable promiscuous mode on all interfaces” checkbox is activated at the bottom of this
window.

Filtering Packets

If you’re trying to inspect something specific, such as the traffic a program sends
when phoning home, it helps to close down all other applications using the network
so you can narrow down the traffic. Still, you’ll likely have a large amount of packets
to sift through. That’s where Wireshark’s filters come in.
The most basic way to apply a filter is by typing it into the filter box at the top of the
window and clicking Apply (or pressing Enter). For example, type “dns” and you’ll
see only DNS packets. When you start typing, Wireshark will help you autocomplete
your filter.

You can also click Analyze > Display Filters to choose a filter from among the default
filters included in Wireshark. From here, you can add your own custom filters and
save them to easily access them in the future.
For more information on Wireshark’s display filtering language, read the Building
display filter expressions page in the official Wireshark documentation.
Another interesting thing you can do is right-click a packet and select Follow > TCP
Stream.
You’ll see the full TCP conversation between the client and the server. You can also
click other protocols in the Follow menu to see the full conversations for other
protocols, if applicable.

Close the window and you’ll find a filter has been applied automatically. Wireshark is
showing you the packets that make up the conversation.

Inspecting Packets

Click a packet to select it and you can dig down to view its details.
You can also create filters from here — just right-click one of the details and use the
Apply as Filter submenu to create a filter based on it.

Wireshark is an extremely powerful tool, and this tutorial is just scratching the surface
of what you can do with it. Professionals use it to debug network
protocol implementations, examine security problems and inspect network protocol
internals.

Conclusion-

Hence, we have studied security tools: Kismet & Wireshark. Kismet is a wireless
network detector and intrusion detection system, specializing in monitoring and
analyzing wireless network activities. Wireshark is a versatile network protocol analyzer
that captures and examines data on a broader scale, aiding in troubleshooting and
security analysis across various network types.
