Recent Security Issues for Mobile Phone Systems
Speaker: Prof. Kouichi SAKURAI, Kyushu Univ. & ISIT/Kyushu
Slide material by: Kazuhide FUKUSHIMA, KDDI R&D Laboratories, Inc.
18th Jul. 2008


Contents of this talk
Latest Trend in Japan
Mobile Malware
Customer's Data-Privacy Protection
  Remote Lock & Data Erase Service
DRM System on Mobile Phone
Overview of WiMax Security
Appendix
  Securing Banking service with mobile phone

Overview of Mobile Phone Market in Japan
NTT DoCoMo, with 50% market share: The Biggest Company, Stability
au (KDDI), with 30% market share: Hi-Spec Mobile Phones, New Service Plan
Softbank, with 20% market share: New Price Plan, iPhone 3G

Mobile Internet Service with Fixed Fee
KDDI started mobile internet service with fixed fee (Oct. 2003)
  Data communication using laptop PCs is excluded
NTT DoCoMo and Softbank Mobile also started the fixed fee service

The Price of Fixed Fee Service for Mobile Internet
DoCoMo provides a fully flat fee service
KDDI and Softbank provide a pay-as-you-go service with a cap
[Figure: monthly fee (NTD per month) against number of packets, for DoCoMo, KDDI and Softbank]

Voice Call Service with Fixed Fee
Softbank provides voice call service with fixed fee (Jan. 2007~)
  Free domestic voice calls between Softbank users
  Monthly fee is 980 JPY (280 NTD)
  This service is available from 1:00 ~ 21:00
  Additional fee is required between 21:00 ~ 1:00
NTT DoCoMo and KDDI provide the fixed fee service between family and enterprise users

Mobile Number Portability (MNP)
Service that enables customers to switch service providers while keeping their existing mobile telephone numbers
MNP was started on 24th Oct. 2006 in Japan
  The service fee is 2,100 JPY (about 600 NTD)
KDDI gained about 1,230,000 customers in the year
  NTT DoCoMo and Softbank Mobile did not announce their gains and losses
However, the usage rate of MNP stays within 3%
  Some customers hate changing their e-mail address and the complicated procedure
  Customers must go to two offices: that of the existing provider and that of the new provider

Mobile Music Distribution
MP3
  Rip from CD
  Download from web site
iTunes Music Store
  Among Asian countries, available only in Japan (May. 2005~)
  150 JPY ~ 200 JPY (43 NTD ~ 58 NTD) per content
Pay Music Distribution
  Chaku-Uta Service and Chaku-Uta Full Service (by KDDI/DoCoMo/Softbank in Japan, Dec. 12~)
  210 JPY ~ 420 JPY (60 NTD ~ 120 NTD) per content

MP3 on Mobile Phone
MP3 music content can be played on many mobile phones in other countries that have GSM systems.
A pay music distribution service for mobile phones will not have a great run
  Users will simply move MP3 files obtained from music CDs or web sites to their mobile phones free of charge.

Chaku-Uta Service in Japan
Only a restricted number of mobile phones can play MP3 music content in Japan, due to the intent of content providers
Japanese operators collaborated with content providers and developed mobile music distribution services.
These services distribute music content in distinct formats protected by some DRM systems.

iTunes Music Store
The iTunes Store is a software-based online digital media store operated by Apple Inc. (Apr, 2008)
As of June 2008, the store has sold 5 billion songs
The price of content is reasonable
  150 JPY ~ 200 JPY in Japan (43 NTD ~ 58 NTD)
  Lower than other Japanese domestic services
User friendly DRM system (FairUse)
  Content on a PC can be copied to iPod/iPhone without limit

iPhone 3G
iPhone 3G was released by Softbank Mobile on 11th July, 2008
The contract period is at least two years
  Lowest monthly fee: 8,240 JPY (2,400 NTD)
  The total fee for two years: 197,760 JPY (57,600 NTD)
iPhone 3G is not released in Korea
  In Korea, all devices with a mobile internet function must install the domestically produced OS, Wireless Internet Platform for Interoperability (WIPI)
  Apple must modify iPhone for sales in Korea

Mobile Malware

A Prediction in 2003
Threats will become more multifaceted as information assets will become
Mobile phones will be exposed to the threat of malware and illegal access
Mobile carriers in Japan had been researching techniques against these threats

Current Status
Mobile malware is not such a big problem
Because …
  There were few advantages to attacking mobile phones
    Only a little malware (such as Cabir in 2004) was developed
    Cabir does not attempt to analyze information in mobile phones
    It was only a "proof of concept" worm
  Operating systems and software development kits for mobile phones were hardly disclosed and differed for each mobile phone

Progress of PCs and Mobile Phones
Current mobile phones have the same capability as PCs of ten years ago
However, the development environment is much poorer because of non-public OS and SDK
[Figure: memory and CPU clock of PCs and mobile phones, 1998 to 2008; the gap between PCs and mobile phones is about 10 years]

Future Status
Mobile malware will be a serious problem
There is much important information in mobile phones
  Currently, full music content and the FeliCa chip for small payments are on mobile phones
  In the near future, mobile phones will have credit card numbers for large payments
Operating systems will move to a common architecture (Windows, Linux, Symbian OS, Android by Google or KCP+ by KDDI) and many SDKs will be available
  Attackers will be able to develop malware using these kits
The timing of the appearance of serious malware is hard to predict
  It depends not only on the progress of hardware but also on the trend of platforms

New Services that Attract Attackers
Chaku Uta Full Service
  Mobile music distribution service
EZ FeliCa Service
  Small payment service
Large payment service (in the near future)

Mobile Music Distribution Service: Chaku Uta Full Service
Mobile music distribution service by KDDI (Oct. 2004 ~)
  Full songs (3 min. ~ 5 min.) are distributed
  Songs are compressed at a 48 kbps bit rate by the HE-AAC (High Efficiency AAC) codec
  The size of songs is about 1.5MB
  The songs can be registered as a ringing tone and alarm as well as Chaku-Uta music
Existing music distribution service: Chaku Uta Service (Dec. 2002~)
  Only bridge parts of songs (5 sec. ~ 30 sec.) are distributed
  Songs are compressed by the AAC codec
  The size of songs is about 200KB

Small Payment Service: EZ FeliCa Service
EZ FeliCa Service (Sep. 2005~) makes contact-free card technology available on the mobile phone
  A FeliCa chip (a contact-free IC card) is embedded in the mobile phone
  Edy and Mobile Suica are also available on mobile phones by NTT DoCoMo and Softbank Mobile
Member's Card: available as members' cards or point cards
Shopping: available as e-money cards or credit cards (such as Edy)
Transportation: available as transportation tickets (such as Mobile Suica)

Large Payment Service
In the near future, large payments (50,000 JPY~ / 14,500 NTD~) will be available on mobile phones
  Mobile phones will be used for payments just as credit cards are
  Currently, payments are limited to 50,000 JPY (about 14,500 NTD) in Edy and 20,000 JPY (about 5800 NTD) in Suica
The large payment service will attract attackers as well as customers

Mobile Banking
3GPP tries to establish an international standard for mobile banking
  Korea is active in standardizing mobile banking based on GSM and Mifare
  Japan is isolated in this discussion

Anti-Malware for Mobile Phones
Existing anti-virus software for PCs is hard to apply to mobile phones because of memory shortage
  For example, Virus Buster™ 2007 by Trend Micro requires more than 60MB of memory
  Existing mobile phones have only 32MB~64MB of memory
We must develop specialized anti-malware for mobile phones
  Kaspersky Anti-Virus Mobile by Kaspersky Lab (Russian company)
    For Symbian OS and Windows Mobile
  Symantec Mobile AntiVirus for Windows Mobile
  Trend Micro Mobile Security
    For Windows Mobile

F-Secure Mobile Anti-Virus
F-Secure sells mobile anti-virus software
System requirements:
  Platform: Symbian 7.x/8.x/9.x, Windows Mobile 2003 (SE) for Pocket PC/Smartphone
  Memory: 1MB~ (S60 2nd Edition)
http://mobile.f-secure.com/

Remote Lock and Data Erase Service in Japan

Remote Lock and Data Erase
[Figure: repeated calls within the specific time from the registered phone number to the lost mobile phone; the mobile phone is locked and all data are removed]

Remote Lock and Data Erase
Remote Lock and Data Erase are triggered by making calls several times (3~10 times)
  The calls must come from the registered phone number
  The calls must be within the specified period of time (1~10 min.)
  The mobile phone must be turned on and inside the service area
Remote Lock is available on almost all KDDI mobile phones (from Feb. 2005)
Data Erase is available on mobile phones for business: au Business Mobile (from Mar. 2006)
  All data in the memory (such as address and schedule data) are removed
The basic monthly charge for au Business Mobile depends on the amount of free calls
  15,000 JPY (4,350 NTD) for 800 min.
  3,600 JPY (1,050 NTD) for 25 min.
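The repeated-call trigger from the slide above, as an added sketch (not KDDI's implementation): a sliding window counts calls from the registered number and locks once the configured count falls inside the configured time. The class name, the phone numbers and the call log are constructed for illustration; only the 3~10 call and 1~10 minute ranges come from the slide.

```python
from collections import deque


class RemoteLockTrigger:
    """Lock once `required_calls` calls from the registered number
    arrive within `window_s` seconds (hypothetical model of the slide)."""

    def __init__(self, registered_number, required_calls=5, window_s=180):
        if not 3 <= required_calls <= 10:
            raise ValueError("the slide gives a range of 3 to 10 calls")
        if not 60 <= window_s <= 600:
            raise ValueError("the slide gives a window of 1 to 10 minutes")
        self.registered_number = registered_number
        self.required_calls = required_calls
        self.window_s = window_s
        self._recent = deque()  # timestamps of qualifying calls
        self.locked = False

    def on_incoming_call(self, caller_number, timestamp_s):
        """Feed one incoming call; return True once the phone is locked."""
        if self.locked:
            return True  # the lock is sticky until an operator clears it
        if caller_number != self.registered_number:
            return False  # calls from other numbers never count
        self._recent.append(timestamp_s)
        # Drop calls that have slid out of the time window.
        while timestamp_s - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.required_calls:
            self.locked = True  # a Data Erase handler would hook in here
        return self.locked


def replay(calls, **settings):
    """Replay a list of (caller_number, timestamp_s) pairs; return lock state."""
    trigger = RemoteLockTrigger(**settings)
    for number, ts in calls:
        trigger.on_incoming_call(number, ts)
    return trigger.locked


# Constructed sample data (not real subscriber numbers).
REGISTERED = "+81-00-0000-0001"
OTHER = "+81-00-0000-0002"
SETTINGS = dict(registered_number=REGISTERED, required_calls=3, window_s=120)

if __name__ == "__main__":
    burst = [(REGISTERED, 0), (REGISTERED, 50), (REGISTERED, 100)]
    spread = [(REGISTERED, 0), (REGISTERED, 100), (REGISTERED, 200)]
    print("burst locks:", replay(burst, **SETTINGS))
    print("spread locks:", replay(spread, **SETTINGS))
```

The phone can only evaluate this rule while it is turned on and inside the service area, which is the third condition on the slide.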

Public Relations Support System based on BREW Application
[Figure: Public Relations Staff, Headquarters Office, Customer DB and GPS System, connected over the KDDI closed network]
The staff can securely download customer data by using a BREW Application
In case of loss:
• Remote lock and data erase are available at the server in the headquarters office
• Location of the mobile phone (determined by the GPS system) is notified to the server
Employed by Tokyo Tomin Bank, Limited

DRM System on Mobile Phones

Previous DRM System on Mobile Phones
Closed Platform
  Difficult to Analyze
    Much more secure than PCs
  Content cannot be moved to other mobile phones or PCs
Simple DRM System
  Mobile phones were assumed to be a secure device
  The content encryption key is stored in mobile phones
Secure

Current Issues
Standardization and Generalization of Platforms on Mobile Phones
  Platforms such as Symbian, Linux, KCP+
  Mobile phones face the threat of analysis just as PCs do
Diversification of Content Usage
  Fixed-Mobile Convergence (FMC) Service
    Mobile content can be played on PCs
  Backup of Mobile Content
    Content can be moved to other mobile phones via PCs or memory cards (such as mini/micro SD)
Mobile content may be analyzed on PCs

KCP+: Common Platform in KDDI Mobile Phones
[Figure labels: BREW (KCP), User Interface, Applications, Middleware / Wireless Control, Operating System, MSM7500 (Chipset by Qualcomm), Additional Drivers, Specific Devices, Common Devices. Legend: Fully Common Parts, Partially Common Parts, Specific Parts]
Most systems move to the common architecture
  In order to reduce the development cost

Android: Common Platform by Google
Android is a software platform and operating system for mobile devices based on the Linux operating system
From Nov. 2007
[Figure labels: BREW (KCP), Application Software, Application Framework, Standard Library (libc, Open GL, FreeType, SSL, Web Kit), Android Runtime, Kernel (Linux 2.6.23), Hardware. Legend: the parts whose source code is published]

au Listen Mobile Service (Lismo!): FMC Service in KDDI
The service started in Feb. 2006
  Lismo Music Store started Jun. 2006
The service is available on high-end mobile phones (CDMA 1X WIN)
  Mobile content can be played and backed up on PCs
  CD music and content from Lismo Music Store can be moved to mobile phones
KDDI runs Lismo Music Store and each content provider (such as avex) provides content
  Lismo Music Store sells about 30,000 pieces of music
  The price of music content for ringing tone (Chaku-Uta) is 210 ~ 420 JPY (about 60 ~ 120 NTD)
About 1,000,000 customers use the Lismo! service
[Figure labels: Mobile Content, CD music / PC Content]

Overview of LISMO!
① Content download from Lismo Music Store (like iTunes Music Store)
② Content ripping from CD
③ Content download from EZweb
④ Content (Chaku-Uta Full) from PC to phone (can be registered as a ringing tone)
⑤ Content (CD music) copy from PC to phone (cannot be registered as a ringing tone)
⑥ Content copy from phone to PC
[Figure: content flows between PC and Mobile Phone: music content (Chaku-Uta Full), CD music, and au Music Port (music player for PCs, like iTunes)]

Future DRM System
DRM System based on Hardware
User Identity Module (UIM) in 3G mobile phones
  IC card with computational capability
  The private key and public key certificate can be securely stored in UIM

Overview of OMA DRM 2.0
Digital Rights Management System defined by Open Mobile Alliance
(1) Encryption Mechanism using Symmetric and Public Key Cryptography
  Content encryption keys are encrypted with each public key of the devices
(2) Authentication using Digital Signature
  Each device must securely store the private key and public key certificate
(3) Without any Revocation Systems

Entities in OMA DRM 2.0
[Figure labels: Device, Content Distribution Server, License Management Server, OCSP responder, Private Key, Public Key Certificate, ID Device, ID Service, License; Separated Model, Combined Model]
① Download an encrypted content
② Right Object request
③ Right Object Response
  Content Key encrypted with the public key of the device
  Check the validity of the Certificate in the device
④ Decrypt the content

Comparison with the old specification: OMA DRM 1.0
OMA DRM has complete backward compatibility to OMA DRM 2.0
Support of access to multiple DRM
Support various kinds of content (such as music video clip, streaming content)

Overview of Mobile WiMAX
KDDI R&D Laboratories

Mobile WiMAX
Standard that provides higher-speed mobile communications than the 3G mobile phone system
High-speed, Low-cost, and Wireless Communication
[Figure: DSL, WLAN, 3G mobile phones and Mobile WiMAX placed on High-Speed and Mobility axes; the Mobile WiMAX Service combines High-Speed, Low cost and Mobility]

WiMAX Milestone in Japan
Jun. 2007
  Ministry of Internal Affairs and Communication of Japan released the license assignment policy
  The licenses for mobile WiMAX were going to be assigned to two of the four candidates (investing companies of NTT DoCoMo, KDDI, Softbank Mobile and WILLCOM)
Dec. 2007
  The licenses were assigned to KDDI and WILLCOM
2009
  Mobile WiMAX services will be available
Korea is 1~1.5 years ahead of the schedule

Mobile WiMAX Service
Personal Broadcasting
  High Quality in Urban Area
    Less Multi-path Interference in Urban Area
  More Channels
    Large Downlink Throughput
  Interactive Service
    Large Uplink Throughput
Personal Communication
  QoS Guaranteed Service
  More Concurrent Calls
Personal Broadband
  More Users
    Large Throughput
  High Quality P2P Service
    Large Uplink Throughput

Network Model in Mobile WiMAX
[Figure labels: Mobile Devices, Mobile Station (MS), Base Station (BS), Security Authentication (SA), Internet]

What is Mobile Security (V.S. Fixed Security)?
Low bandwidth
  We must minimize message sizes, number of messages
High risk of eavesdropping
  We must use link-level encryption
User/Device Mobility
  Security issues related to mobility
    Authentication
    Charging
    Privacy

IEEE 802.16 development
IEEE802.16-2001 (2001): fixed
IEEE802.16d (2004): nomadic, Fixed WiMAX
IEEE802.16e (2005): mobile, Mobile WiMAX
IEEE 802.16e introduces new features:
• Mobility (handoff support)
• Energy saving mechanisms (e.g. sleep mode)
• Multicast and Broadcast support
• Improved security functionality

Comparison with IEEE802.16-2004 (1/2)
Support Mobile Devices
  New entity: MS (Mobile Station)
  Handoff at layer 2 (MAC Layer)
    Handoff: the process of transferring an ongoing call or data session from one channel connected to the core network to another.
Support New Modulation Methods
  New method: Scalable OFDMA
  Enhanced methods: MIMO, AAS
Improve Security Functionalities
  New key-management protocol: PKMv2

Comparison with IEEE802.16-2004 (2/2)
Energy saving mechanisms
  Idle and Sleeping Mode
Support Quality of Service (QoS)
  QoS: algorithms that provide different levels of quality to different types of network traffic
Support Multicast and Broadcast Service

Scope of IEEE 802.16 standard
The WiMAX standard includes the definition of the MAC and PHY layers
MAC layer
  Service specific convergence sublayer
  MAC common part sublayer
  Security sublayer
    Key management (PKM)
    Cipher suite
Physical Layer
MAC: Medium Access Control, PKM: Privacy Key Management

Security Sublayer
Privacy Key Management (PKM)
  Authentication/reauthentication of SS
  Key update
Cipher suite including
  Encryption algorithms
  Authentication algorithms
  Definition of how algorithms are applied

Privacy Key Management (PKM) Version 2
PKMv2 Authentication
  Support Device, User and both Device/User Mutual Authentication
  X.509 certificates support via EAP authentication
  SIM, USIM, SmartCards interworking with 3G support using EAP-SIM, EAP-AKA, EAP-SmartCard methods
PKMv2 Privacy and Key Management
  Data & Management Authentication and Integrity, Traffic Encryption Keys
  Key contexts, Security Association (SA) per service flow (connections) for multiple hosts support and SA lifetime Management
  Common key management framework for Mobile Access and Mobile IP
PKMv1 is replaced with PKMv2 to support handoff, broadcast/multicast message and improve security (authentication, encryption)

PKMv1 V.S. PKMv2
Authentication
  PKMv1: One-way authentication based on RSA
  PKMv2: Mutual authentication based on EAP or RSA
Key Encryption
  PKMv1: 3-DES, RSA, AES
  PKMv2: AES with Key Wrap
Data Encryption
  PKMv1: DES, AES
  PKMv2: DES, AES
Etc.
  PKMv2:
  • Security control for Broadcast/Multicast message
  • Pre-authentication procedure for handoff

Cipher suite
Data encryption
  DES in CBC mode
  AES in CBC mode
  AES in CCM mode
  AES in CTR mode (Multicast)
Key encryption
  3DES in EDE mode
  Asymmetric with RSA
  AES in ECB mode
  AES Key Wrap (RFC 3394)
Message authentication
  HMAC with SHA-1
  CMAC with AES

Secret Key Cryptosystem
A cryptosystem in which the encryption key is the same as the decryption key
  The key must be shared between two or more users that want to communicate securely
Block Cipher
  A cryptosystem which operates on fixed-length groups of bits, termed blocks
Stream Cipher
  A cryptosystem which XORs a pseudorandom cipher bit stream with plaintext bits

Secret Key Cryptosystem
The sender and the receiver have the same key
[Figure: plaintext ``Hello'' -> Encryption (key) -> ciphertext ``x4J%m$S9g\'' -> Decryption (key) -> plaintext ``Hello'']

Message Authentication Code (MAC)
Used to detect data alteration and to verify the validity of a device
The generation key is the same as the verification key
Example:
  The sender transforms a plaintext into a MAC with a key using a MAC algorithm, and sends the pair of the plaintext and the MAC to the receiver
  The receiver generates a MAC using the same key and algorithm, and verifies whether the generated MAC coincides with the MAC received from the sender

CBC-MAC
MAC Algorithm Using Block Cipher
[Figure: CBC-MAC. Message 1, Message 2 and Message 3 are chained through the block cipher E; the final output is the MAC]

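HMAC-SHA-1
MAC Algorithm Using Hash Function
[Figure: HMAC-SHA-1. The inner SHA-1 hashes (key XOR 0x3636…36) followed by the Message; the outer SHA-1 hashes (key XOR 0x5c5c…5c) followed by the inner result; the output is the MAC]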
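The HMAC-SHA-1 construction and the sender/receiver check from the MAC slides, as an added example (not part of the original deck): the two pads 0x36 and 0x5c are applied by hand and the receiver recomputes the tag under the shared key. The key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 processes its input in 64-byte blocks


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-1 built from two SHA-1 calls and the two key pads."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()      # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to one block
    inner_pad = bytes(b ^ 0x36 for b in key)  # key XOR 0x3636...36
    outer_pad = bytes(b ^ 0x5C for b in key)  # key XOR 0x5c5c...5c
    inner = hashlib.sha1(inner_pad + message).digest()
    return hashlib.sha1(outer_pad + inner).digest()


def send(key: bytes, plaintext: bytes):
    """Sender side: return the (plaintext, MAC) pair put on the wire."""
    return plaintext, hmac_sha1(key, plaintext)


def receive(key: bytes, plaintext: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC with the same key and compare.

    compare_digest runs in constant time, so the comparison does not
    leak how many leading bytes of a forged tag were correct.
    """
    return hmac.compare_digest(hmac_sha1(key, plaintext), tag)


# Constructed sample values.
SHARED_KEY = b"constructed shared key"
MESSAGE = b"management message: key update"

if __name__ == "__main__":
    wire_plaintext, wire_tag = send(SHARED_KEY, MESSAGE)
    print("tag:", wire_tag.hex())
    print("untouched message accepted:",
          receive(SHARED_KEY, wire_plaintext, wire_tag))
    print("altered message accepted:",
          receive(SHARED_KEY, wire_plaintext + b"!", wire_tag))
    print("matches the standard library:",
          wire_tag == hmac.new(SHARED_KEY, MESSAGE, hashlib.sha1).digest())
```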

Block Cipher Mode of Operation
A block cipher operates on blocks of fixed length (often 64/128/192/256 bits)
Modes of operation are used to encrypt messages of large length

ECB Mode
ECB mode does NOT provide sufficient security:
  A repeated plaintext yields the repeated ciphertext
  An attacker can modify a ciphertext by changing the order of blocks
[Figure: ECB mode. Plaintext 1, 2 and 3 are each encrypted (E) independently under the same key to give Ciphertext 1, 2 and 3]

CBC Mode
[Figure: CBC mode. Each plaintext block is XORed with the previous ciphertext block (the Initial Vector for the first block) and then encrypted (E) under the key to give Ciphertext 1, 2 and 3]
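The two ECB weaknesses listed on the ECB slide, shown next to CBC, as an added example (not part of the original deck). Python's standard library has no AES, so a small Feistel cipher built on SHA-256 stands in for the block cipher E; it is a toy for illustrating the modes only, and the key, IV and records are constructed.

```python
import hashlib

BLOCK = 16  # bytes; same block length as AES (128 bits)


def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (stand-in for AES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def D(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(E(key, b) for b in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(D(key, b) for b in blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = E(key, _xor(b, prev))  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)


def swap_first_two(ct):
    b = blocks(ct)
    return b"".join([b[1], b[0]] + b[2:])


# Constructed sample input: the first and third records are identical.
KEY = b"example key 0001"
IV = bytes(range(16))
A, B = b"record=AAAAAAAA;", b"record=BBBBBBBB;"
PLAINTEXT = A + B + A

if __name__ == "__main__":
    ecb = blocks(ecb_encrypt(KEY, PLAINTEXT))
    cbc = blocks(cbc_encrypt(KEY, IV, PLAINTEXT))
    print("ECB ciphertext blocks 1 and 3 equal:", ecb[0] == ecb[2])
    print("CBC ciphertext blocks 1 and 3 equal:", cbc[0] == cbc[2])
    print("ECB decrypts reordered blocks cleanly:",
          ecb_decrypt(KEY, swap_first_two(b"".join(ecb))))
```

CBC hides the repetition and garbles reordered blocks on decryption, but it does not detect the change; detection needs a MAC, which is what CCM mode adds.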

CTR Mode
[Figure: CTR mode. Counter, Counter+1 and Counter+2 are each encrypted (E) under the key; each output is XORed with Plaintext 1, 2 and 3 to give Ciphertext 1, 2 and 3]

CCM Mode
CCM mode (Counter with CBC-MAC) is a mode of operation for cryptographic block ciphers
  An authenticated encryption algorithm that is designed to provide both authentication and privacy
  Ciphertext is made by CTR mode
  MAC is generated by CBC-MAC
CCM mode is only defined for block ciphers with a block length of 128 bits (e.g., AES)

AES Key Wrap
AES Key Wrap is a mode of operation of AES to encrypt cryptographic key material with another key (key encryption key, KEK)
The Key Wrap algorithms are intended for applications such as:
  protecting keys while in untrusted storage
  transmitting keys over untrusted communications networks
The detailed algorithm is defined in RFC 3394


Homework
General Problem
(1) Study the (security) reason why PKM v1 in Mobile WiMax is replaced with PKM v2.