Five main issues about GSM and UMTS security
1. The GSM cipher algorithms currently in use (which provide confidentiality) are not published along with the bulk of the GSM standards. Instead, the GSM Association controls the distribution of the algorithm specifications. The decision not to make the algorithms available for peer review has, with hindsight, received some criticism from the academic world. However, it must be recognised that GSM security was designed at a time when the controls on the export and use of cryptography were much tighter. The regulatory situation was considerably relaxed in the late 1990s, which led 3GPP to adopt a more open approach to the design of the UMTS algorithms and to publish the algorithm specifications together with the rest of the UMTS standards.
2. Unlike the cipher algorithm, the GSM and UMTS authentication algorithms do not need to be standardised, and operators are free to design or select their own. In GSM, no example algorithm was included in the standards. This resulted in some operators using an algorithm, known as COMP-128, that has since been shown to be vulnerable to cryptographic attack. After this attack was published on the Internet, the GSM Association made a replacement algorithm available. To help avoid inadequate algorithms being used in UMTS, an example algorithm called MILENAGE [10] has been included in the standards for use by operators who do not wish to design their own.
3. The strength of the cipher algorithm depends, in part, on the length of the cipher key. In GSM, the cipher key is transported as a 64-bit structure. However, in practice the top 10 bits of the cipher key are set to zero, reducing the effective key length to 54 bits. This was due to the regulatory controls that were in force when GSM was designed. As these controls have been relaxed, it is now possible for GSM to use full-length 64-bit keys. Using a key longer than this in GSM would be much harder, because it would require the ciphering algorithm to be replaced and the signalling protocols to be upgraded to carry the longer key. UMTS required a new ciphering mechanism anyway, so the opportunity was taken to increase the cipher key length to 128 bits, which should provide a good level of security for many years to come.
4. GSM was not explicitly designed to protect against active attacks on the radio path, because these would require an attacker to masquerade as a GSM network (so-called 'false base station attacks'). Such attacks were considered too expensive to mount compared with other attacks. However, as mobile cellular services have become more widespread, the falling cost and growing availability of equipment that can masquerade as a base station make such attacks more likely. Although GSM already provides some protection against certain types of false base station attack, a much more thorough threat analysis was performed during the UMTS design phase. This led to the development of new security features that are explicitly designed to counteract false base station attacks.
5. For GSM circuit-switched services, user traffic and sensitive signalling information are protected on the GSM radio path between the mobile and the base station using a ciphering algorithm. While this protects communications on the most vulnerable radio path, an opportunity was taken in UMTS to extend ciphering further back into the network. This allows more links within the radio access network to be protected, including potentially vulnerable microwave links that may be used to connect base stations to the fixed part of the network.
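Issues 2, 3 and 4 above can be seen together in one runnable model. The following Python is an added example, not code from the book or from 3GPP: it models GSM's one-way challenge-response (the SIM answers any RAND and receives a 64-bit Kc with its top 10 bits cleared) beside the UMTS AKA exchange, in which the network proves itself to the USIM with the AUTN token (SQN xor AK || AMF || MAC) and the USIM checks the MAC and sequence-number freshness before releasing the 128-bit CK and IK. The functions A3/A8 and f1..f5 are HMAC-SHA256 stand-ins, an assumption made so the block runs on the standard library alone; they are not MILENAGE or any operator's real algorithm. All keys and RAND values are constructed for the example.

```python
import hashlib
import hmac

SQN_LEN, AMF_LEN, MAC_LEN, RES_LEN, AK_LEN, KEY_LEN = 6, 2, 8, 8, 6, 16


def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for an operator-chosen authentication function.
    ASSUMPTION: HMAC-SHA256 with a domain-separation label replaces
    MILENAGE f1..f5 and GSM A3/A8 purely so the protocol logic can run."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- GSM: one-way authentication, 54 effective key bits --------------------

def gsm_sim_response(ki: bytes, rand: bytes):
    """GSM SIM: answers ANY RAND with SRES and Kc. Nothing in the message
    lets the SIM tell a genuine network from a false base station, so the
    same path runs whoever sent RAND. Kc is carried as 64 bits but its top
    10 bits are set to zero, as described in issue 3."""
    sres = _prf(ki, b"A3", rand, 4)
    kc = bytearray(_prf(ki, b"A8", rand, 8))
    kc[0] = 0x00        # clear the top 8 bits
    kc[1] &= 0x3F       # clear the next 2 bits -> 54 effective bits
    return sres, bytes(kc)


def gsm_kc_is_weakened(kc: bytes) -> bool:
    """True if the 64-bit Kc has its top 10 bits zeroed (54-bit effective key)."""
    return len(kc) == 8 and int.from_bytes(kc, "big") >> 54 == 0


# --- UMTS AKA: network authenticated by AUTN, 128-bit CK/IK ----------------

def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand + sqn + amf, MAC_LEN)
def f2(k, rand): return _prf(k, b"f2", rand, RES_LEN)
def f3(k, rand): return _prf(k, b"f3", rand, KEY_LEN)   # CK, 128 bits
def f4(k, rand): return _prf(k, b"f4", rand, KEY_LEN)   # IK, 128 bits
def f5(k, rand): return _prf(k, b"f5", rand, AK_LEN)    # anonymity key


def auc_generate_av(k: bytes, sqn: bytes, rand: bytes, amf: bytes = b"\x80\x00") -> dict:
    """Authentication centre: one authentication vector for this subscriber."""
    autn = _xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
    return {"rand": rand, "xres": f2(k, rand), "ck": f3(k, rand),
            "ik": f4(k, rand), "autn": autn}


def usim_authenticate(k: bytes, sqn_state: list, rand: bytes, autn: bytes):
    """USIM: verify AUTN before releasing RES/CK/IK. sqn_state is a one-element
    list holding the highest SQN accepted so far (toy freshness rule: strictly
    increasing; a real USIM keeps an array of counters and an acceptance window)."""
    if len(rand) != 16 or len(autn) != SQN_LEN + AMF_LEN + MAC_LEN:
        raise ValueError("malformed challenge")
    sqn = _xor(autn[:SQN_LEN], f5(k, rand))
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        raise ValueError("MAC failure: network not authenticated")
    sqn_int = int.from_bytes(sqn, "big")
    if sqn_int <= sqn_state[0]:
        raise ValueError("synchronisation failure: SQN not fresh")
    sqn_state[0] = sqn_int
    return f2(k, rand), f3(k, rand), f4(k, rand)


def run_scenarios() -> dict:
    """Constructed subscriber key and RAND values (not real data)."""
    k = bytes(range(16))
    out = {}
    # GSM: a false base station's RAND is answered like any other.
    sres, kc = gsm_sim_response(k, b"\xAA" * 16)
    out["gsm_answers_anyone"] = len(sres) == 4
    out["gsm_kc_bits"] = 54 if gsm_kc_is_weakened(kc) else 64
    # UMTS: genuine AV accepted; replayed AV and forged AUTN rejected.
    state = [0]
    av = auc_generate_av(k, (1).to_bytes(SQN_LEN, "big"), rand=b"\x01" * 16)
    res, ck, ik = usim_authenticate(k, state, av["rand"], av["autn"])
    out["umts_genuine"] = (res == av["xres"], len(ck) * 8)
    try:
        usim_authenticate(k, state, av["rand"], av["autn"])
        out["umts_replay"] = "accepted"
    except ValueError as e:
        out["umts_replay"] = str(e)
    try:  # false base station without K can only guess AUTN
        usim_authenticate(k, [0], b"\xBB" * 16, bytes(16))
        out["umts_forged"] = "accepted"
    except ValueError as e:
        out["umts_forged"] = str(e)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The contrast to notice is where the decision is made: the GSM SIM has no input on which to refuse, so `gsm_sim_response` cannot fail, whereas `usim_authenticate` refuses both a challenge built without K (MAC failure) and a captured genuine challenge played back later (SQN not fresh), and only then derives a 128-bit CK rather than the 54-bit-effective Kc.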
Security for Mobility Chris J. Mitchell 2004