Physical Layer Security of Selected Communication Technologies

This section reviews the most commonly used protection mechanisms in wireless communication technologies today. The focus is on physical layer security structures and their shortcomings. The communication technologies presented are Near-Field Communication (NFC) and mobile networks.

Near-Field Communication (NFC)

NFC commonly refers to communication using wireless protocols between two small (portable) electronic devices. The NFC standard is widely used in contactless payment systems and mobile payment solutions in general. NFC-compatible devices can also exchange identity information, such as key cards for access control, and negotiate parameters to establish a subsequent high-bandwidth wireless connection using more capable protocols.

The figure shows common use cases for NFC connections, with arrows indicating the communication directions between the terminal devices.

NFC is designed to transmit and receive data only at a distance of a few centimeters. Even if higher-level cryptographic protocols are used, basic NFC protocols do not provide security and cannot guarantee that two devices are truly only a short distance apart. NFC implementations are vulnerable to eavesdropping, man-in-the-middle attacks, and relay attacks.

Even today, NFC-compliant devices are used in security-critical connections because it is assumed that the devices are close to each other during communication. However, research has shown that this assumption cannot be reliably verified using NFC protocols alone. The communication distance can be made almost arbitrarily large by relaying messages between NFC-enabled devices: The NFC devices are made to believe they are communicating directly with each other, but in reality, they exchange data via two smartphones controlled by the attacker for instance within a WiFi network. This type of attack is also called a wormhole attack, where the communicating parties are tricked into assuming they are closer to each other than they actually are. This is a problem that cannot be solved by using only logical or data layer techniques in the communication process.

Most targeted attacks and their effects can be mitigated by securing NFC devices or strengthening the protocol, for example, with two-phase authentication. Unfortunately, such mechanisms shift security-relevant decisions to the NFC system user. Countermeasures that do not burden users can be roughly classified into physical layer methods and the augmentation with context- or device-specific identifiers.

The NFC standards (ISO/IEC 18092, 21481, 14443) include protocol extensions that make NFC devices context-aware by using location information to help verify proximity. Location sensing can be implemented using various services, each with its own accuracy and granularity. Possible methods include GNSS/GPS-based proximity verification or using the base station cell-ID to infer proximity. In the latter case location of the base station nearest to the communicating NFC device must be determined reliably to ensure accurate proximity information.

Physical layer methods proposed in research literature impose timing constraints, thereby limiting the distance of the connection between communicating parties. Time limits on protocol messages define an upper bound on the physical distance between two communicating devices. Although such distance bounding is considered the most effective approach, it remains uncertain whether secure distance limitation can be practically implemented for small NFC-compatible devices.

Question 1

Select the true statement:

Wormhole is the term that refers to an NFC-specific variant of man-in-the-middle attacks.

NFC protocols only work between two devices that are within a few centimeters of each other.

By default NFC enforces timing constraints strict enough to thwart relaying attacks.

The idea of NFC operating only at a very short range has often led to neglecting eavesdropping.

Mobile Networks (Advanced)

Mobile communication technology enables voice, messaging, and data traffic within a network formed by base stations. Each base station covers one or more cells, which together form a cellular network. The security regulations for these networks are based on agreements among different stakeholders. Standards were initially managed by the GSM Association and later by 3GPP (3rd Generation Partnership Project). This approach allows different parties (telecom operators) to implement networks in which devices from various manufacturers can operate without service disruptions.

Second-generation networks (2G, i.e., GSM) were introduced in the 1990s and limited their services to voice and text messaging. 2G networks could carry data via the CSD service (Circuit-Switched Data Service), which worked similarly to telephone network modems but over mobile networks. The evolution of email and web services created a need for higher speeds and additional services.

3GPP improved the GSM standard with packet-switched data services, which led to the General Packet Radio Service (GPRS). Like GSM, GPRS used a home register called HLR (Home Location Register), responsible for managing subscriber keys and authentication. GPRS enhanced GSM by adding the SGSN (Serving GPRS Support Node) for routing data traffic and managing mobility to improve data transmission. Third-generation (3G) cellular networks, also known as UMTS (Universal Mobile Telecommunications System), introduced several improvements over 2G networks, including enhanced security, increased speed, and greater capacity. Fourth-generation (4G) mobile networks, known as LTE (Long Term Evolution), further increased transmission speeds and capacity.

The main security features that mobile networks aim to provide are confidentiality in communication between the mobile device and the base station, as well as accurate billing. Security has evolved across network generations, but the general implementation remains the same. Subscribers are identified using their Subscriber Identity Module (SIM—later USIM, Universal SIM—which is a physical device), the International Mobile Subscriber Identity (IMSI), and a secret key stored on the SIM. IMSI numbers and keys are used both for subscriber authentication and for generating session keys that protect communication. The phone number plays a role only in routing.

2G security focused on ensuring confidentiality of the wireless link between the mobile device and the base station. For this purpose, the AKA protocol (Authentication and Key Agreement) is executed each time the mobile device initiates a billable activity. 2G AKA authentication is based on a long-term key, Ki, stored both on the subscriber’s SIM and in the network. Before the challenge-response protocol of 2G AKA is executed, the SGSN receives from the HLR the session key Kc, a random value RAND, and the expected response XRES. Both Kc and XRES are generated in the HLR based on RAND and Ki. When the mobile device attempts to authenticate to the network, it is sent RAND. For authentication, the device combines its key Ki with the received RAND to generate the response RES and the session key Kc. The device sends RES to the SGSN, which compares it to XRES. If the values match, the device is authenticated to the network. The SGSN then sends Kc to the base station to which the device is connected, and that key is used to encrypt the wireless link between the mobile device and the base station.

2G AKA provided very limited protection. It used insufficient key sizes (56–64 bits) and weak algorithms for authentication and key generation (A3, A5, and A8). These were broken after publication, enabling eavesdropping and message forgery. Furthermore, AKA was designed to provide only one-way authentication of the mobile device to the network. Since the network did not authenticate itself to the mobile devices, this allowed attacks using fake base stations, compromising user location privacy and communication confidentiality.

To address these shortcomings, 3G networks introduced a new 3G AKA procedure. It replaced weak encryption algorithms and provided mutual authentication between the network and mobile devices. Since at this stage there are terminal devices other than mobile phones, the term UE (User Equipment) will be used from now on. The input to the 3G AKA protocol is a secret key K, shared between the HLR and the subscriber. The result is two keys: the confidentiality/encryption key CK and the integrity key IK. This allows the network and the UE to protect both the integrity and confidentiality of their communication using two separate keys, in accordance with common security practices. CK and IK are each 128 bits long, which is still considered sufficient.

Authentication and key derivation are performed as follows. The HLR first generates a random challenge RAND, the expected response XRES, the keys CK and IK, and the authentication token AUTN. It sends these to the SGSN, which forwards RAND and AUTN to the UE. The UE uses its long-term key K to generate the response RES and to verify whether the AUTN was created by the HLR. In addition to key K, AUTN depends on a counter maintained by both the HLR and the UE. After receiving RES, the SGSN compares it to XRES, and if they match, it forwards CK and IK to the base station. The base station and the UE can now use these keys to secure their communication.

However, 3G did not eliminate vulnerabilities in operator networks. CK and IK are transmitted between different devices and entities within the network. They are sent between the SGSN and its associated base station, as well as between different base stations during mobility. This allows network attackers to capture these keys and thus eavesdrop on wireless connections.

The 4G security architecture retained many core elements of 2G and 3G networks but aimed to address 3G’s shortcomings by securing network links and redistributing roles. For example, long-term key storage was moved from the HLR to the Home Subscriber Server (HSS). Mobility management was moved from the SGSN to the Mobility Management Engine (MME).

The 5G security architecture builds further on 4G but follows similar principles and structures in its implementation. In particular, 5G introduces new versions of the AKA protocol to address issues identified in 4G. Opinions differ on the success of these improvements.

The evolution of mobile networks is often described as follows:

• 0G is generally considered analog technology, such as ARP networks (car radio telephone)
• 1G = NMT
• 2G = GSM
• 3G = UMTS (GPRS served as a transitional phase between 2G and 3G, “2.5G”)
• 4G = LTE (Long Term Evolution)
• 5G = a significant increase in data transmission speeds

Posting submission...