Back to index
Security Issues in a CDPD Wireless Network
Yair Frankel et al.
One-line summary: CDPD security weak point is unauthenticated,
unencrypted traffic from MSF to MHF (BS to HLR), and lack of authentication
in initial mobile/BS key exchange. Proposed solution is challenge-response
protocol ("breaking symmetry") with nonces, with extensions described
for dealing with faults, anonymity. C/R protocol embeds its messages within
existing CDPD messages, so no need to add more messages.
- CDPD MSF and MHF (think: BS and HLR) exchange unauthenticated, unencrypted
messages! Dangerous for CDPD, esp. since it's expicitly designed for interconnection
to other networks.
- CDPD network management messages suffer from same problem
- CDPD standard doesn't specify any minimum security on "I-interfaces"
(MSF to MHF). Firewalls are useless since each MD-IS is basically a router.
- Requirement: MES must store SHR and NEI in authenticated memory. MHF
must be trusted not to reveal MES NEI or SHR. MSF (BS) must be trusted
not to disclose session keys.
- Protocol goals: fraud prevention, availability (mis-synchronization
of SHR; see below), key agreement, anonymity, computation efficiency, prevention
- Diffie-Hellman key exchange to get session key between MES & MSF
(mobile to BS);
- mobile authenticates to its home by transmitting its encrypted NEI
(permanent identifier) and SHR (shared history record, like a call counter)
- BS forwards this stuff to MHF in the clear.
- MHF accepts by sending (SHR+1) in clear to BS, which passes it (encrypted)
- Threat: authentication/interception. D-H key exchange provides
no authentication, so anyone can masquerade as MSF and trick MES into revealing
its SHR, which can be used to obtain service fraudulently or cause denial
Proposed improved protocol:
- MH sends nonce and tuple (random number, SHR, NEI) "signed"
by MH. Signed can mean encrypted with shared session key in this case.
Insight: Since message contains the SHR, can think of this message
as a response to the challenge posed by MHF to mobile in step 3 of the previous
instantiation of the protocol.
- BS relays this message plus a new nonce to MHF, "signing"
the tuple with BS-to-MHF key. This message is also BS's challenge to MHF.
At this point MH and BS have authenticated themselves to MHF.
- MHF responds to challenge with new share state (SHR+1), and signed tuple
containing new nonce, SHR+1, and MES's NEI. This message will serve as
the "challenge" to the mobile in the next instnatiation
of the protocol, since it includes SHR+1.
- BS relays this to MH, encrypted in BS/MH session key.
At this point, BS and MHF have authenticated themselves to MH.
- To incorporate protocol in CDPD: must modify "protocol data units"
(state machines) for the ESH (End-station Hello) and RDR (redirect request
from BS to MHF) messages.
- Can add authenticated key exchange for confidentiality of data
- Can add anonymity (to BS anyway) by having MH encrypt its identity in
a secret key shared with MHF. CDPD existing anonymity mechanism won't work
since it requires encryptd channel from the beginning of the authentication
protocol (costly) and doesn't address interception attack. Proposal is
to have MH transmit to BS its ID encrypted with a key based on SHR and
shared secret with MHF, then BS forwards that to MHF once MHF has authenticated
How to do link-level security, given assumption that end-to-end will be
too intrusive to integrate seamlessly with existing networks. (My view:
end-to-end will ultimately be necessary anyway for other reasons, but these
techniques can be applied there as well.)
- Why not sign message digests instead of whole messages during the protocol?
- Decryptability of data packets in presence of packet losses: can include
cumulative byte count in each packet header. End-to-end would of course
- Astoundingly poorly written; badly organized, and the descriptions are
difficult to follow and understand.
Back to index