"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896

---

SIM Based WLAN Authentication for Open Platforms

This paper discusses approaches to authenticating users with open platforms, such as notebook PCs, for WLAN access using SIM cards. Using SIM cards to authenticate WLAN access is desirable by wireless operators as this approach minimizes additional infrastructure investments since the existing authentication processes and equipment are re-used. This paper starts with an overview of the authentication methodology in today’s GSM networks. Applying the GSM authentication methodology in a WLAN environment is then discussed. Enabling use of open platforms in WLANs requires consideration of potential security threats to authentication data due to the presence of open pathways. These open pathways are illustrated and possible mitigation techniques are discussed. With the appropriate mitigation approaches, SIM based user authentication can be easily extended to the WLAN environment.

Worldwide, traditional cellular operators are investigating how to integrate WLANs (Wireless Local Area Network) in their service offerings and business models. Currently GSM (Global System for Mobile Communications) operators provide Subscriber Identity Module (SIM) for each subscriber on their network. Worldwide, GSM networks are the most widely deployed digital cellular mobile network standard. The role of SIM is to authenticate the user on the GSM network and to facilitate effective billing. Operators are now seeking to extend this SIM-authentication functionality to WLAN services, instead of the existing username/password or prepaid service WLAN authentication methods. This paper will provide a brief overview of the authentication process in a GSM network, and will then describe a method of WLAN authentication using SIM cards. Finally the paper will go through various SIM security issues, as well as describe an assortment of reader attachments and their advantages and disadvantages.

The role of SIM in GSM networks is to ensure that only authorized users can access the network. In order to properly authenticate a user, it must be able to store data, guard against unauthorized access to the stored data, and execute a cryptographic algorithm under secure conditions. The SIM and mobile device is authenticated with a background system. The data transferred between the mobile station and base station across the air interface is encrypted.

There are three major components in the GSM network:

• The mobile station (or mobile phone) has the Subscriber Identity Module (SIM) which provides the user’s unique identity.
  
  

• The Base Station Subsystem (BSS), which connects the user on a mobile station to other mobile/landline users.
  
  

• The Network Subsystem (NSS), which is capable of routing calls to and from the fixed network via the BSC (Base Station Controller) and BTS (Base Transceiver Station) to different mobile stations.

SIM based WLAN authentication requires the use of a SIM reader attached to the computing device, so that the authentication software can use the SIM credentials.

The EAP-SIM protocol, resident on the client, specifies the Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using GSM SIM. In EAP-SIM several RAND challenges are used for generating several 64-bit ciphering keys (Kc), which are combined to constitute a longer session key. EAP/SIM also enhances the basic GSM authentication mechanism by accompanying the RAND challenges with message authentication code in order to provide mutual authentication. The EAP-SIM client starts the authentication process by connecting to the AAA server. The AAA server issues a challenge over the 802.11b radio interface, which is then forwarded to the SIM reader by the EAP-SIM client. The EAP-SIM client communicates to the SIM through the SIM reader, the SIM calculates the response that contains the SRES and Kc, which is sent to the EAP-SIM client. The EAP- SIM client then forwards the response to the AAA server, which then checks the response and provides access appropriately. In this scenario it is assumed that the AAA server has a secure connection to GSM backbone network components like HLR.

3.2. Use of SIM cards on open platforms

An open platform, for the purposes of this paper, is defined as a general purpose computing device with an open operating system. A notebook PC is considered to be an open platform since users can download/write software for execution in a notebook PC without any restrictions.

There are various types of SIM readers available as an external attachment to personal computers as described below:

USB/PCMCIA SIM Access: This is currently the most common way for access a SIM card. In this usage model USB SIM reader and SIM reader driver software can be purchased or provides by an operator for using on notebook computer. The USB SIM reader is a PC/SC standard compliant reader so it I s accessible using the Microsoft smart card subsystem. The USB SIM Card reader is treated as a generic smart card reader. The smart card access is provided using a generic set of API from Microsoft Resource Manager. The application can use GSM 11.11 specification and Microsoft API for interacting with SIM cards. The USB readers are very easy to use and there are no additional regulatory requirements for using them to access SIM. However, the user has to physically remove the SIM out of the cell phone and insert it into the USB reader. In general, physical access to a SIM in a cell phone is not easy. Another issue with USB readers is that the data path to and from the SIM is over an open bus and is thus susceptible to SIM attacks.

SIM Access from GPRS PC Card: PCMCIA cards provide GPRS network access for notebook computers. PCMCIA GPRS cards and access software are provided by GPRS service providers. The GPRS card contains a GPRS radio, a slot for the SIM, and the firmware software. GPRS cards are installed as modems on the notebook computers. Accessing SIM from a GPRS card for use in WLAN authentication is a very flexible and easy usage model. The biggest advantage is that the user already has a subscription for GPRS service. Also, the SIM is always present in the GPRS card so there is no need for the user to physically take out the SIM card from another device, such as the cell phone, and place it in a GPRS card. As is the case with USB readers, there are no needs to satisfy any additional regulatory requirements. However, the data path used by the application/authentication software to access the SIM over AT modem interface is still not completely secure.

SIM Access from Mobile Handset over Bluetooth: In this usage scenario the notebook connects to the handset over a Bluetooth connection. The notebook has a SIM access client, which connects to the SIM access server on the handset. The SIM access server is preinstalled on the phone/handset. The request for SIM data is passed from the notebook to the SIM access server on the phone. The data between the links is encrypted using Bluetooth base band encryption. There are many steps involved in this and currently not all phones support the required SIM access subsystems. This approach re-uses the SIM on the cell phone SIM and the user does not have a SIM reader attached to the notebook. The phone acts as a remote SIM reader connected over a Bluetooth connection. This usage scenario doesn’t cover the potential hacking of the authentication software, and it has the open system issues similar to those associated with the USB or GPRS card reader.

SIM Access from Reader Hardwired to Notebook: This method modifies the current notebook architecture and provides the SIM reader with a secure access to the device, i.e. not over current open USB or PCI bus. This is not a very flexible approach, since the legacy systems will not be able to support these modifications. This method may also require Full Type Approval (FTA). At present, FTA is required for WWAN (Wireless Wide Area Network) modules with integrated SIM. This architecture will require modifications to the existing WWAN module, thus requiring new FTA. This is approach provides complete data path security.

4. Security Considerations in SIM Use for WLAN Authentication

4.1. SIM Security

SIM card are a subset of smart cards—actually, SIM is an application on a smart card. In general, smart card security is guaranteed by four components, which are: card body, chip hardware, operating system and application. The chip hardware, operating system and application protects the data and programs in smart card micro controller. Also, in the GSM system, SIM is manufactured, provisioned, distributed, and managed in trusted environments. This results in the SIM being a tamper resistant device in which the access credentials of a mobile network subscriber can be securely stored. However, even if the key data (Ki) inside the SIM cannot be directly obtained, its opacity depends on the algorithms used to hide it from the outside world. Using cryptanalysis, hackers can find a way to calculate the value of the secret data by analyzing a huge number of command-response pairs. The risks of such attacks in cellular systems are, however, relatively low since the cell phone is "closed" to the outside world and also depends on the weakness of the cryptographic algorithm (e.g. Comp 128-1) used. One possibility open to hackers is to eavesdrop on the data being transmitted between the cell phone and the base station. This approach requires having access to the cellular infrastructure, such as base station stations, for capturing the triplets (RAND, SRES, Kc) while they are transmitted over the air. Since the infrastructure equipment is quite expensive, this approach is not quite realistic. Another approach is for the hacker to have physical possession of a stolen or cloned SIM. For this reason, operators use software to detect cloned SIM usage and block their use, without impacting the customer service. Also GSM systems have fraud detection mechanism in place to deter usage of stolen or cloned SIM usage.

4.2. Open Platform Security

The use of SIM cards for authentication of users with open platforms in WLAN networks requires consideration of the openness of data paths used to access the SIM data. Possible open paths are Path A and Path B:

Path B issues are being addressed by the standards bodies with EAP-SIM and PEAP (Protected EAP) protocols to address data security. However, the data pathway security for Path A in open platforms has not yet been addressed in standard bodies.

External SIM card readers are attached over an open bus, providing potential exposure of SIM card data. Given access to a SIM card, it is possible to obtain any number of GSM triplets and hence attack GSM security. Possible types of types of SIM attacks could be:

Attack on the secret key Ki: The A3A8 algorithm, Comp128_1 is the first version of the GSM Association algorithm for Internal Authentication. In 1998, engineers connected with UC Berkeley were able to deduce Ki of a SIM by collecting a large number of triplets (Rand, SRES and Kc). This type of attack is not practical if the attackers do not possess the SIM and cannot execute repeated authentication. In response to this threat, the Comp128 was improved and will be replaced by Comp128-2, Comp-128-3, or other, proprietary algorithms. However, a large number of existing SIM still use the old version. Therefore, it is possible for an unauthorized process running in the authentication agent of a WLAN enabled laptop computer to perform GSM authentication commands an appropriate number of times to obtain the required triplets.

Denial of service: As a counter measure against SIM card theft and cloning, the operators have implemented an authorization counter in SIM cards. This counter is incremented at every execution of the RUN GSM ALGORITHM command. This counter has a limit, generally far below the number of authentication exchanges needed to crack the algorithm, but enough to guarantee an acceptable lifetime of the SIM. At reaching its upper limit the SIM inoperable and needs to be replaced. So, if a hacker obtains a cloned SIM card and tries to crack the cryptographic algorithm, it is possible that the authentication counter exceeds the limit and operator will automatically have to suspend service associated with the SIM card. The owner of the original card will thus face denial of his (her) service without being fully aware.

Spying on, or attack on the integrity of SIM data: The SIM standard states that the user pin-code (CHV1) needs to be presented before RUN GSM ALGORITHM command can be executed. Therefore, in order to authenticate to WLAN, using a standard SIM, the user will have to type in his CHV. This CHV gives access to most of the data in the SIM, abbreviated dialing numbers, short messages, network settings, IMSI and other. Therefore, a malicious program in the supplicant can read this data and either upload it to a cracker server or modify the contents for some criminal reasons.

Vulnerability due to these threats varies with the cryptographic algorithm used in SIM based authentication. Comp-128-1 cryptographic algorithm is weaker than the newly defined Comp-128-3. In the future, as more operators use Comp-128-3 algorithm, Path A security may become less of an issue.

Since the deployment of stronger forms of cryptographic algorithms is not widespread yet, PATH A security needs to be addressed. Possible ways to mitigate PATH A security issues are:

1. Trusted hardware and execution environment
   
   

2. Securing the data path by creating an encrypted tunnel between the SIM reader and the network client on the notebook.
   
   

3. End-to-end encrypted tunnel covering Path A and Path B.

5. Summary

Utilization of SIM for WLAN authentication could be very advantageous to operators. They can leverage existing business processes and network infrastructure. There are various ways described in this paper for attaching a SIM to a notebook PC. However, accessing the SIM from a notebook PC requires consideration of some security threats. With the appropriate mitigation approaches and in light of the advantages a SIM brings to WLAN, the industry should work on building the strength of the algorithms used in authentication and the definition of independent data structures, while enhancing the existing data that allows identification, authentication, control and service provisioning.

6. References

[1] GSM Association WLAN Task Force, "Security Objectives to be included in PRD AA.39: WLAN/GSM Roaming User Scenarios, V 2.0.0," WLAN Doc 122/02, 2002.

[2] Mike Hendry, Smart Card Security and Applications, Artech House Publishers, 2001.

[3] GSM Association Wireless LAN Task Force, "Advantages of using a SIM as an authentication token for Wireless LANs," SD Doc 407/02, 2002.

[4] Jane Dashevsky, Edward C. Epp, Jose Puthenkulam, and Mrudula Yalemanchi, "SIM Trust Parameter," Intel Developer Services, (http://developer.intel.com), 2003.

[5] Micehel Mouly and Marie-Bernadette Pautet, The GSM System for Mobile Communications, Self Published, 1992.

[6] W. Rankl and W. Effing, SmartCard Handbook, John Willey Publication, 1999.

[7] European Telecommunication Standards Institute, GSM 11.11, Version 5.0, 1995.