Department of Computer Science and Engineering
Helsinki University of Technology
General Packet Radio Service (GPRS) is a new technique for mobile networks, e.g. GSM, which provides high-speed packet switched data service. In the future the most important application of GPRS is probably mobile access to private and public IP networks (e.g., the Internet). Since GPRS operates with different kinds of networks, security functions are vital for secure data transmission over GPRS. GPRS has a quite good user authentication mechanism, but confidential data transmission requires additional mechanisms.
Keywords: GPRS, GSM, authentication, security, IPSec
Wireless mobile communication has gained more and more popularity lately. Nowadays people move a lot and they want to have the same communication facilities with them as at home or in the office and mobile phones are very handy for this purpose. During the last decade mobile phones have been used mainly for speech communication and data communication has not gained much popularity. Mobile data has been used mainly by the white collar workers such as professionals, managerial staff, and sales people. In the private sector the only widely used mobile data application has been the GSM short message service (SMS).
According to a survey, users have a perceived need for mobile data. However, the technology used at the moment is not powerful enough to serve these needs. In the near future two new techniques will be introduced to the GSM network: High Speed Circuit Switched Data (HSCSD) and General Packet Radio Service (GPRS). HSCSD offers high data rate circuit switched connections (up to 115.2 kbit/s) while GPRS offers high data rate packet switched connections (up to 172.8 kbit/s). Neither technique by itself will be the killer application which makes mobile data communication popular. Rather, they provide transmission services for a killer application, with mobility as a value added service. The killer application may be secure, high-speed access to the Internet.
This paper considers security issues of the GPRS. GPRS operates with other networks, secure and insecure, public and private. Therefore, security of data transmission is very important. Additionally, GPRS users are not located at the same place all the time making user authentication even more important and difficult than in fixed networks.
Before security issues are considered, GPRS is introduced briefly in Chapter 2. Those parts of the GPRS network that are essential for understanding the rest of this paper are introduced in Section 2.1. A few applications that can be used over the GPRS network are presented in Section 2.2 to justify the security issues presented later in this paper. For more detailed technical, economical, and other GPRS issues refer to , , , and .
2. Short Introduction to GPRS
GPRS is developed by the European Telecommunications Standards Institute (ETSI). Standardization started in 1993 and the specifications for Phase 1 are complete, but a few minor modifications are still expected. One of the main goals in the GPRS design has been to support bursty data transfer and occasional transmission of large amounts of data in an economical way. Both of these properties are very common in current data transmission applications.
Although GPRS is considered as a GSM service, it has its own core network and the radio network is shared between the GPRS and GSM core networks. The GPRS core network is attached to the GSM radio network via an open interface. Additionally, GSM may utilize the GPRS core network to achieve more efficient performance and the GPRS user may use some of the GSM supplementary services. However, it is possible to build a GPRS network which is not attached to any GSM network. In that case the GPRS network needs its own radio network.
2.1. GPRS Network Architecture
Figure 2-1 illustrates the structure of a combined GPRS/GSM network. The network elements important for this paper are described briefly below and the rest of the elements are just mentioned.
MS - Mobile Station. There are three types of GPRS mobile stations: Class A, Class B, and Class C. The Class A mobiles are capable of using the GPRS packet switched and the GSM circuit switched bearer services at the same time. For example, Class A mobile can have a normal GSM voice call and GPRS data transfer going on at the same time. The Class B mobiles are capable of having an attachment to both the GSM and the GPRS networks at the same time. However, they can use only either circuit switched or packet switched service at the time. Among the Class C mobiles the selection between the GSM and the GPRS networks is done manually. Thus the Class C mobiles can be attached either to the GSM or to the GPRS network but not to both at the time.
SGSN - Serving GPRS Support Node. The SGSN is one of the main components of the GPRS network. The main functions of the SGSN are to handle MS registration and authentication into the GPRS network, to manage MS mobility, to relay traffic, and to collect statistics and charging information.
GGSN - Gateway GPRS Support Node. The GGSN is the interface between the GPRS backbone and external data networks. The functionality of the GGSN is similar to a router in data networks. It routes end user data from external data networks to the SGSN currently serving the destination MS and mobile originated data to the external destination data networks and to the SGSNs.
HLR - Home Location Register. The main function of the HLR is to store MS profiles. It holds information about allowed packet data protocols (PDP; refer to Glossary) per MS as well as allowed PDP addresses (refer to Glossary) per protocol. It also holds the same information as the HLR in the bare GSM network.
AuC - Authentication Center. The AuC includes information for identifying authorized users of the GPRS network and for preventing unauthorized use of the network. AuC is often a physical part of the HLR.
EIR - Equipment Identity Register. In the EIR each mobile is listed as in GSM: black list for stolen mobiles, gray list for mobiles under observation, and white list for other mobiles.
BG - Border Gateway. The main function of the BG is to ensure a secure connection between different GPRS networks over the inter-operator backbone network. The functionality of the BG is not defined in the GPRS specifications. It could consist of a firewall, security functions, and routing functions. BGs as well as their functionality are selected by the GPRS operators' mutual agreement to enable roaming.
LIN - Lawful Interception Node. The LIN (not in Figure 2-1) is used to collect information about some pre-defined subscriber or subscribers. The information could include, e.g., the data sent and received by the interception target, location information, and subscriber information. The lawful interception is an action based on the law which is performed by the GPRS network. The GPRS network has to be able to deliver required user data and other network related information to the Law Enforcement Agency (LEA) whenever wanted.
GPRS backbone networks. The GPRS backbone network can be either intra- or inter-operator network. The main function of the intra-operator backbone network is to connect the GSNs of a single operator. The inter-operator backbone network connects GPRS operators and provides international GPRS roaming. GPRS backbone networks are IP based.
The intra-operator GPRS backbone network is implemented as a set of local area networks (LAN) connected with routers. The transmission media can be Ethernet, FDDI, ATM, Frame Relay etc. In most cases, the intra-operator backbone is a private network to ensure the security and good performance. Private IP addresses can be used in the intra-operator backbone because addresses are not visible outside of the network.
The inter-operator GPRS backbone network can be based on either a public (e.g., the Internet) or a private (dedicated) IP network. It is implemented as a wide area network connecting intra-operator backbone networks using routers. The transmission media used with inter-operator backbones can be PTP links, ATM, Frame Relay etc. It is chosen by the GPRS operators' mutual agreement to enable roaming. All the interconnected GPRS backbone networks comprise one big network and therefore the IP address allocation must be co-ordinated.
Other GPRS network elements:
2.2. GPRS Applications
GPRS supports applications based on two standard data protocols: Internet Protocol (IP) and X.25. This means that the GPRS user can communicate with public or private data networks which support those protocols. GPRS also supports specific point-to-point (PTP) and point-to-multipoint (PTM) services as well as transfer of short messages (SM) over GPRS radio channels.
The PTP service allows a single user to communicate with another single GPRS user or a server (or user) which is located in an external network. The PTP service can be further divided into connectionless and connection oriented services. In the connectionless service each packet is independent of the preceding and succeeding packet. This service is of the datagram type and is intended to support bursty applications.
IP has a great significance in today's data networks and its significance will increase in the near future. IP is used in the Internet and most of the intranets. GPRS supports IP and it provides mobility as an additional feature when compared to access from fixed networks. For GPRS user the IP over GPRS communication seems to be similar to the IP over fixed network communication. There are two visible differences when compared to the fixed networks. The user has opportunity to change her location and continue communication all the time. Another difference is that the GPRS network service quality is worse than in the fixed network. When the user has an access to the Internet via a fixed network she has access to a number of services such as public data banks. However, if the access is provided via GPRS, the user has an access to the same services but her location can change during the access.
At the moment the most useful Internet applications for the GPRS user are probably email and access to the WWW. Those users who have access to the intranet of a company may basically take advantage of all services provided by the intranet, for example access to databases, the use of tool software, or even access to shared disks. If the company has group communication software the employees could arrange teleconferences. Companies may achieve remarkable savings by allowing their employees to utilize GPRS services worldwide. Employees can participate in the work much better even when they are on a business trip. They also have access to the newest information all the time. Based on these examples it can be said that the commercial success of GPRS depends to a large extent on the authentication and security mechanisms that can be used.
Connection oriented service provides a logical relation between the users. The duration of the connection may vary from a few seconds to several hours. This service is intended to support bursty transactive or interactive applications. GPRS is able to support applications based on the X.25 protocol. X.25 connections over GPRS are not studied further in this paper, because of their small significance compared to IP.
The PTM service allows the user to send data packets from one sender to many recipients. The PTM service won't be available in the GPRS Phase 1 and therefore it is not further studied in this paper.
The GPRS users may use the SMS offered by GSM. The maximum length of the short message is 160 characters. The service is able to handle PTP and PTM messages.
3. User Authentication and Security Inside GPRS Network
The user authentication procedures in GPRS are similar to the procedures used in GSM. The difference is that the procedures are executed from the SGSN instead of the MSC. Additionally, the authentication procedure performs the selection of the ciphering algorithm and the synchronization for the ciphering. The authentication mechanism uses "authentication triplets" which are received from the HLR and stored in the SGSN. Authentication triplets consist of
During the authentication procedure the SGSN informs the MS whether ciphering is used or not. If ciphering is to be used, the MS starts ciphering after sending the Authentication Response message and the SGSN after receiving a valid Authentication Response.
It is important to note that all security functions inside the GPRS network are based on the secrecy of the secret key Ki. It is stored in the SIM (Subscriber Identification Module) card and in the HLR at subscription time and it is not known by the subscriber.
The algorithm A3 used to compute SRES can be operator dependent while allowing full inter-PLMN (public land mobile network) roaming. Operators can therefore choose an A3 applicable to their own subscribers. However, ETSI has designed one algorithm and operators may use it if they want. ETSI's A3 algorithm is secret. Several reasons justify A3 being operator dependent. One of them is the administrative complexity linked to the specification and distribution of cryptographic algorithms when they are to cross borders. The management of a single A3 algorithm would have been even more complex, since authentication is more sensitive than communication ciphering. The consequences of a broken algorithm are more far-reaching in the case of authentication. Another reason is the existence of algorithms fit for authentication and already implemented on smart cards but possibly not open for sharing. Since smart card memory capacity is a limiting factor, the choice of an operator-dependent A3 algorithm enables communication operators to use a single algorithm for, e.g., SIM and pay-phone access.
GPRS user authentication is relatively good. A problem is the copying of a SIM, which has reportedly been done. With a copied SIM an unauthorized user can do many harmful things to the original user. However, copying is still quite difficult to perform and requires the SIM card to be in the wrong hands for several hours.
In GPRS, data and signaling are ciphered during data transfer. The ciphering functionality is placed on the Logical Link Control (LLC; refer to Glossary) layer. The ciphering method is the GPRS Encryption Algorithm (GEA), which is a secret algorithm. The scope of ciphering in GPRS is from the ciphering function at the SGSN to the ciphering function in the MS, in contrast to GSM ciphering, which covers a single logical channel between the BTS and MS, as illustrated in Figure 3-3.
Mutual key setting is the procedure that allows the MS and the network to agree on the key Kc to use in the ciphering and deciphering algorithms. The Kc is handled by the SGSN independently from the MSC. If the MS is able to use both GSM and SGSN services then it has two different keys, one in the MSC and one in the SGSN. Key setting is triggered by the authentication procedure, but the network may initiate key setting as often as the operator wishes. The key setting procedure is not encrypted and shall be performed as soon as the identity of the mobile subscriber is known by the network. The transmission of the Kc to the MS is indirect and uses the authentication RAND value. Kc is derived from RAND using algorithm A8 and Ki as illustrated in Figure 3-4. The maximum length of Kc is only 64 bits. After computation the key is stored by the MS until it is updated at the next key setting.
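The authentication and key-setting exchange described above, as an added example that is not part of the original paper: the AuC computes (RAND, SRES, Kc) triplets from Ki, the SGSN challenges the MS with RAND, and both sides end up with the same Kc without Ki or Kc crossing the radio path. A3 and A8 are operator-specific or secret, so HMAC-SHA256 stands in for both; the class and function names and the test IMSI are assumptions, and RAND, SRES and Ki use the GSM sizes of 128, 32 and 128 bits.

```python
# Added example (not from the paper): GPRS challenge-response with triplets.
# A3 and A8 are operator-specific or secret, so HMAC-SHA256 stands in for both.
import hashlib
import hmac
import secrets

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8  # 128-bit RAND, 32-bit SRES, 64-bit Kc


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: SRES from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


class AuC:
    """Home-network Authentication Center: the only network node holding Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        """Create Ki at subscription time; the returned copy goes into the SIM."""
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]

    def triplets(self, imsi: str, count: int = 3):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(RAND_LEN) for _ in range(count)]
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]


class SIM:
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes):
        """Return (SRES, Kc); Ki itself never leaves the card."""
        return a3(self._ki, rand), a8(self._ki, rand)


class SGSN:
    """Serving (possibly visited) node: stores triplets, never sees Ki."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self._store = {}    # imsi -> unused triplets
        self._pending = {}  # imsi -> (expected SRES, Kc)

    def challenge(self, imsi: str) -> bytes:
        if not self._store.get(imsi):
            self._store[imsi] = self._auc.triplets(imsi)
        rand, sres, kc = self._store[imsi].pop(0)  # each triplet is used once
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return Kc for ciphering if SRES matches, else None."""
        expected, kc = self._pending.pop(imsi)
        return kc if hmac.compare_digest(expected, sres) else None


def attach(sgsn: SGSN, imsi: str, sim: SIM):
    """One authentication run; returns (network Kc or None, MS Kc)."""
    rand = sgsn.challenge(imsi)       # Authentication Request carries RAND
    sres, kc_ms = sim.respond(rand)   # Authentication Response carries SRES
    return sgsn.verify(imsi, sres), kc_ms


def demo():
    imsi = "001010000000001"          # constructed test IMSI
    auc = AuC()
    ki = auc.provision(imsi)
    sgsn = SGSN(auc)
    kc_net, kc_ms = attach(sgsn, imsi, SIM(ki))
    wrong, _ = attach(sgsn, imsi, SIM(secrets.token_bytes(16)))
    clone, _ = attach(sgsn, imsi, SIM(bytes(ki)))  # copied SIM holds the same Ki
    return {
        "genuine_ok": kc_net is not None and kc_net == kc_ms,
        "wrong_ki_rejected": wrong is None,
        "copied_sim_accepted": clone is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The last result mirrors the copied-SIM problem noted earlier: the exchange proves possession of Ki, not possession of the original card.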
The MS and the SGSN must co-ordinate the instants at which the ciphering and deciphering processes start. The authentication procedure governs the start of ciphering as explained in Section 3.1. Once the encryption has been started neither the MS nor the SGSN shall go to an unciphered session. During a ciphered session only a few signaling messages may be transferred unciphered, and if any other messages are transferred unciphered they shall be deleted.
The enciphering stream at one end and the deciphering stream at the other end must be synchronized so that the enciphering and deciphering bit streams coincide. Synchronization is guaranteed by driving the GEA with the explicit variables INPUT and DIRECTION. INPUT is the sequence number of the LLC packet and its initial value is selected by the network. DIRECTION is either from the MS to the network or from the network to the MS, allowing INPUT to be identical in both directions. The output of the GEA is exclusive or'd with the clear text at the sending end and with the ciphered text at the receiving end. Figure 3-5 illustrates the GPRS ciphering process.
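How INPUT and DIRECTION keep the two keystreams synchronized, and why DIRECTION lets INPUT be identical in both directions, as an added example that is not from the paper. GEA is secret, so SHAKE-256 stands in as the keystream generator; the 32-bit INPUT encoding, the DIRECTION values, the Kc and the sample frames are assumptions constructed for the demonstration.

```python
# Added example (not from the paper): keystream ciphering driven by INPUT and
# DIRECTION. GEA is secret, so SHAKE-256 is a stand-in keystream generator.
import hashlib

UPLINK, DOWNLINK = 0, 1  # assumed encoding: MS->network, network->MS


def keystream(kc: bytes, input_: int, direction: int, length: int) -> bytes:
    """Stand-in for GEA: keystream from Kc, INPUT and DIRECTION."""
    seed = kc + input_.to_bytes(4, "big") + bytes([direction])
    return hashlib.shake_256(seed).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(kc: bytes, input_: int, direction: int, frame: bytes) -> bytes:
    """Encipher or decipher one LLC frame; XOR makes both the same operation."""
    return xor(frame, keystream(kc, input_, direction, len(frame)))


def demo():
    kc = bytes.fromhex("0123456789abcdef")  # constructed 64-bit Kc
    up = b"uplink LLC frame #7 "            # constructed clear text, MS side
    down = b"downlink LLC frame 7"          # constructed clear text, SGSN side
    n = 7                                   # same INPUT used in both directions

    ct_up = cipher(kc, n, UPLINK, up)
    ct_down = cipher(kc, n, DOWNLINK, down)

    # Hypothetical variant that ignores DIRECTION: both frames would be
    # ciphered with one and the same keystream.
    bad_up = cipher(kc, n, UPLINK, up)
    bad_down = cipher(kc, n, UPLINK, down)

    return {
        # Receiver with matching INPUT and DIRECTION recovers the clear text.
        "in_sync": cipher(kc, n, UPLINK, ct_up) == up,
        # Receiver whose INPUT is one frame off gets noise.
        "input_off_by_one": cipher(kc, n + 1, UPLINK, ct_up) == up,
        # Deciphering with the other DIRECTION also fails.
        "wrong_direction": cipher(kc, n, DOWNLINK, ct_up) == up,
        # With DIRECTION, XOR of the two ciphertexts reveals nothing directly.
        "leak_with_direction": xor(ct_up, ct_down) == xor(up, down),
        # Without it, the keystream cancels and the XOR of the clear texts leaks.
        "leak_without_direction": xor(bad_up, bad_down) == xor(up, down),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```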
3.3. Identity Protection
Encryption is efficient for confidentiality, but it cannot be used to protect every single message exchanged over the radio path. As stated earlier, ciphering with Kc applies only when the network knows the identity of the subscriber. Before ciphering is started the user identity is kept secret from outsiders using temporary user identification parameters. Without temporary identification parameters a third party could eavesdrop on the user's identity and learn where she is roaming at a particular moment. That is considered harmful for the user's privacy.
4. Secure GPRS Interworking with Packet Data Network
As stated earlier GPRS supports interworking with packet data networks (PDN) and more specifically with IP. These interworked IP networks may be either the Internet or intranets. GPRS is able to operate with IPv4 and in the future with IPv6. Figure 4-1 illustrates the Gi reference point and protocol stack needed for GPRS interworking with IP networks.
The Gi reference point is located between the GGSN and the external IP network. From the viewpoint of the external IP network, the GGSN is seen as a normal IP router. The Layer1 and Layer2 protocols are negotiated between the GPRS and external IP network operators.
Between the GGSN and the external IP network the following assumptions are valid in generic case:
4.1. Transparent Access to Internet
The MS receives an IP address which belongs to the operator's addressing space. This address is a public IP address given either at subscription time (static address) or at PDP context activation (dynamic address; refer to Glossary). The received address is used for packet transmission between the nodes of the Internet and the GGSN as well as to map packets to the correct internal GPRS addresses.
The MS need not send any authentication request at PDP context activation and the GGSN need not participate in the user authentication, authorization, or encryption processes. Thus, the GPRS facilities are not used to preserve privacy, and transferring confidential information is unsafe. However, special intranet protocols, such as IPSec, can be used, allowing the GPRS user to communicate securely over all insecure public networks. User authentication and encryption are left to the responsibility of the "intranet protocol" if they are needed at all. Figure 4-2 illustrates this. An "intranet protocol", IPSec, is introduced in Chapter 6.
4.2. Non-transparent Access to Intranet or ISP
The MS receives an IP address which belongs to the address space of the intranet or ISP. This address is a public IP address given either at subscription time (static address) or at PDP context activation (dynamic address). The received address is used for packet transmission between the intranet or ISP and the GGSN as well as to map packets to the correct internal GPRS addresses. This requires a link between the GGSN and an address allocation server of the intranet or ISP. This server may be based on, e.g., Radius (refer to Glossary) or DHCP.
When non-transparent access is used the MS transmits an authentication request at PDP context activation and the GGSN requests user authentication from the same server from which the IP address was acquired. Protocol configuration options are also retrieved from that server. The information necessary for authentication comes from the user in the PDP context activation messages.
The connection between the GPRS network and the ISP can be arranged over any network, even an insecure one such as the Internet. The connection can be a dedicated link or a special secured tunnel arranged using some security protocol (e.g., IPSec). The type of connection is selected by mutual agreement between the GPRS operator and the ISP administrator.
4.3. Threats from External Networks
If the GPRS network is attached to an insecure public network several threats may appear from that network. This section lists a few of them.
Inside the GPRS network all information, such as subscriber information and routing tables, is in clear text format and not protected in any way. Subscriber information is confidential. Incorrect routing tables may also cause huge economic losses for the GPRS operator. Therefore, it is very important to protect the GPRS network from crackers, which makes firewall (and GGSN) configuration very important. Another threat related to firewall configuration is denial of service attacks. If a cracker is able to deny the service of the GGSN (or any other network element), the financial losses for the operator are probably enormous. Also, inside the GPRS network a cracker would be able to send GPRS signaling messages and thus affect the behavior of the GPRS network and connections.
A cracker could also cause huge bills for a GPRS user. In GPRS the billing will be based on the amount of transferred data. Therefore, it may be possible to harm a GPRS user by sending large spam emails from the external network (the GPRS user also pays for received data) or by creating a virus (located in the user's laptop) which sends dummy packets from the MS without the user even knowing it.
5. Secure Interworking Between GPRS Networks
The interworking between GPRS operators enables roaming, i.e., the GPRS user is able to access the Home PLMN from other operators' GPRS networks (Visited PLMN). Figure 5-1 illustrates interworking between two GPRS operators. GPRS networks are connected to each other via the inter-operator backbone network as mentioned in Section 2.1. The inter-PLMN link may be any packet data network (1) (e.g., the Internet) or a dedicated link (2). A dedicated link may be chosen to fulfill QoS requirements and to improve security. All data and signaling between the GPRS operators are transmitted via BGs. GPRS operators may support IPSec and accompanying specifications for authentication and encryption as a basic set of security functionality in their BGs. However, other security protocols may be selected by a bilateral agreement between the GPRS operators.[3,4]
When the user is roaming in the VPLMN data can be routed to its destination (LAN in this case) in several ways. The actual routing depends on bilateral agreements between the GPRS operators and agreements between the HPLMN operator and the user.
If the user has a static IP address then data is always routed via the HPLMN because the IP address points to the GGSN of the HPLMN. If the user has a dynamic IP address (refer to Glossary) then data can be routed via the HPLMN or directly to the LAN via the Internet, depending on the agreements mentioned above. Administrators must be very careful when planning LAN protection. The employees should have access to the LAN, perhaps from varying IP addresses, but on the other hand unauthorized users should have no access.
In the case of roaming, RAND for the MS and both SRES and Kc for the network are acquired and calculated in the AuC of the HPLMN. This allows authentication to be successful even though the A3 algorithm is operator dependent. Also, in this way the key Ki is kept secret all the time.
As already stated in Chapter 4, IPSec can be used to create a secure connection from a user's MS to a LAN of a company. This chapter gives an overview of IPSec and is mainly based on references [5,6,7,8]. Other sources are mentioned separately.
IPSec consists of several open standards and its purpose is to ensure secure private communication over IP networks, e.g., the Internet. It is based on standards developed by the Internet Engineering Task Force (IETF). IPSec ensures confidentiality, integrity, and authenticity of data communications across an insecure, public IP network.
IPSec offers encryption and authentication on the network layer. It provides an end-to-end security solution in the network architecture itself. Thus the end systems and applications do not need to know how to handle security issues. Encrypted packets look like ordinary IP packets and thus they can be easily routed through any IP network, such as GPRS or the Internet, without the intermediate network nodes knowing about the encryption. The only devices that know about the encryption are the end points. This feature greatly reduces both implementation and management costs.
IPSec defines a new set of headers to be added to IP datagrams and they provide information for securing the payload of the IP packet as follows:
In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis; with tunnel mode an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
As defined by the IETF, IPSec transport mode can only be used when both the source and the destination systems understand IPSec. In most cases IPSec is used in tunnel mode allowing the implementation of the IPSec in the network architecture without modifying the operating system or any applications on PCs, servers, and hosts. This is also the situation with GPRS.
GPRS can be seen as an access network to other networks which offers mobility as a value added service. It makes it possible for traveling employees to communicate with the corporate LAN very easily, even from abroad. To be able to use GPRS for transmitting confidential or private data the system must offer authentication and security functions. GPRS offers a ciphering function over the radio network as well as authentication to the GPRS network.
The authentication inside the GPRS network is pretty good. If the algorithm used by a single operator is compromised the effect is not global. However, the operator must be very careful with its A3 algorithm, because if the authentication is not trustworthy a lot of damage may be caused. However, authentication does not work against the copying of a SIM. If it can be copied then an unauthorized user may use the identity of the authorized user until the subscription is invalidated.
The security of the transmitted data cannot be kept cryptographically excellent. Because the GEA is secret it cannot be well evaluated. Most probably, if the algorithm is compromised, the transferred data can be deciphered relatively easily. Also the key length, 64 bits, is too short nowadays. Another thing is that transmission is ciphered only between the SGSN and the MS. This makes lawful interception very easy which can be seen to hurt user's privacy.
GPRS does not offer ready security solutions for interworking between different GPRS networks nor for interworking between a GPRS network and an intranet. Rather, possibilities are created and suggestions are given, but the solutions are left to the responsibility of the GPRS operators and intranet administrators.
Because data between the MS and the corporate LAN is almost always transmitted over insecure networks, the GPRS security functions are not enough. To make transmission secure an external intranet protocol is needed. One solution is to use IPSec. It fits well into the IP world and can be seen as safe enough. Most probably it will become a de facto standard and corporations can take advantage of IPSec development. IPSec restricts lawful interception a little because the contents of the packets are relatively difficult to extract. However, the user's location can still be tracked easily.