CIS 6930 - Cellular and Mobile Network Security: CDMA/UMTS Air Interface


  1. CIS 6930 - Cellular and Mobile Network Security: CDMA/UMTS Air Interface Professor Patrick Traynor 10/11/2018 Florida Institute for Cybersecurity (FICS) Research

  2. UMTS and CDMA
     • 3G technology - major change from GSM (TDMA)
     • Based on techniques originally employed by Verizon (IS-95)
     • Signal is encoded so that it can be recovered from “noise” (other signals)

  3. New Considerations
     • Technology differences
       • Power control
       • Frequency re-use & handoffs
       • Number of users
       • Modulation (Phase Shift Keying)
     • Traffic differences
     • What is the primary difference between 2G and 3G?

  4. Code Division Multiple Access
     • Used in several wireless broadcast channel standards (cellular, satellite, etc.)
     • Unique “code” assigned to each user; i.e., code set partitioning
     • All users share the same frequency, but each user has its own “chipping” sequence (i.e., code) to encode data
     • Encoded signal = (original data) × (chipping sequence)
     • Decoding: inner product of encoded signal and chipping sequence
     • Allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)
     • What does it mean for two vectors to be orthogonal?

  5. CDMA Encode/Decode
     • Sender: each data bit d_i (one bit per slot; here d_0 = 1 and d_1 = -1) is multiplied chip by chip with the M-chip code c_m, giving the channel output
         Z_{i,m} = d_i · c_m
     • Receiver: the received input is correlated with the same code to recover the bit
         D_i = (1/M) · Σ_{m=1}^{M} Z_{i,m} · c_m
     [Figure: sender side (data bits, channel code, channel output for slot 0 and slot 1) and receiver side (received input, channel code, receiver output for slot 0 and slot 1); the chip values are not recoverable from the extracted text]

  6. CDMA: two-sender interference
     [Figure: two senders with different codes transmitting at once; the receiver despreads the summed channel with each code]
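The encode/decode rule on slide 5 and the two-sender picture on slide 6, worked through in code. This is an added example, not part of the lecture slides: the two 8-chip codes CODE_A and CODE_B are constructed so that their inner product is zero, and CODE_BAD is constructed so that it is not orthogonal to CODE_A, to show what interference looks like when the orthogonality assumption fails.

```python
from typing import List

Chips = List[int]

# Constructed 8-chip codes (assumptions, not from the slides).
# CODE_A and CODE_B are orthogonal: their inner product is 0.
CODE_A: Chips = [1, 1, 1, -1, 1, -1, -1, -1]
CODE_B: Chips = [1, -1, 1, 1, 1, 1, -1, 1]
# CODE_BAD is not orthogonal to CODE_A (inner product 4), so it interferes.
CODE_BAD: Chips = [1, 1, -1, -1, 1, 1, -1, -1]


def inner(u: Chips, v: Chips) -> int:
    """Inner product of two chip vectors."""
    return sum(a * b for a, b in zip(u, v))


def is_orthogonal(u: Chips, v: Chips) -> bool:
    """Two codes are orthogonal when their inner product is zero."""
    return inner(u, v) == 0


def encode(bits: List[int], code: Chips) -> List[int]:
    """Spread each data bit d_i (+1 or -1, one per slot) over the M-chip code:
    Z_{i,m} = d_i * c_m. Returns a flat stream of M chips per slot."""
    return [d * c for d in bits for c in code]


def combine(*streams: List[int]) -> List[int]:
    """The air interface: every sender transmits at once on the same frequency
    and the channel adds their chips together."""
    return [sum(chips) for chips in zip(*streams)]


def decode(received: List[int], code: Chips) -> List[float]:
    """Despread each M-chip slot: D_i = (1/M) * sum_m Z_{i,m} * c_m.
    With orthogonal codes every other sender contributes 0 to the sum."""
    m = len(code)
    slots = [received[k:k + m] for k in range(0, len(received), m)]
    return [inner(slot, code) / m for slot in slots]


def decode_bits(received: List[int], code: Chips) -> List[int]:
    """Hard decision on each despread value."""
    return [1 if d > 0 else -1 for d in decode(received, code)]


def two_sender_demo() -> dict:
    """Sender A sends [1, -1] and sender B sends [1, 1] simultaneously;
    each receiver recovers exactly its own sender's bits."""
    channel = combine(encode([1, -1], CODE_A), encode([1, 1], CODE_B))
    return {"A": decode(channel, CODE_A), "B": decode(channel, CODE_B)}


def interference_demo() -> List[float]:
    """Second sender uses a code that is not orthogonal to CODE_A: receiver A
    still sees the right signs, but with an interference term of +/-0.5."""
    channel = combine(encode([1, -1], CODE_A), encode([-1, 1], CODE_BAD))
    return decode(channel, CODE_A)


if __name__ == "__main__":
    print("A,B orthogonal:", is_orthogonal(CODE_A, CODE_B))
    print("two senders:", two_sender_demo())
    print("non-orthogonal interference:", interference_demo())
```

The interference case answers the question on slide 4: with orthogonal codes the other sender drops out of the correlation entirely, while a non-orthogonal code leaves a residual proportional to the inner product of the two codes, which shrinks the decision margin and, with enough such senders, flips bits.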

  7. CDMA Benefits
     • Higher capacity
       • Interference limited = high efficiency
       • Uses voice activity detection to reduce transmission bandwidth
     • Improved quality
       • Soft handoff
       • CDMA has frequency, spatial, and time diversity to adapt to errors
     • Ease of deployment
       • No frequency planning; frequency reuse = 1
     • Increased talk time
       • Power control ensures that the UE transmits at optimum power, resulting in longer battery life

  8. CDMA Privacy
     • Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA offer?
     • Ideally, you should get a 2^N search space...
     • Zhang et al. show that the IS-95 long code of 42 bits can be cracked by capturing 42 frames and solving 42 linear equations
     • Break takes approximately 840 ms
     • What is the security implication?

  9. Universal Mobile Telecommunications System: UMTS
     • Specifications:
       • Frequencies: 700, 850, 900, 1700, 1900, 2100 MHz (5 MHz channels) worldwide; FDD
       • Chipping codes: up to 512 bits
       • Power control: up to 1500x per second
       • Time division: 10 ms frames, 1 frame = 15 time slots
     • Borrows extensively from GSM protocols
     • Major changes:
       • CDMA technology: channel structure/handoffs/power control
       • Security -- increased use of cryptographic constructions
       • Data infrastructure

  10. Entities: New names, old faces
     • UE = User Equipment
     • Node-B
     • RNC = Radio Network Controller
     [Figure: GSM and UMTS entities side by side - MS corresponds to UE, BTS to Node-B, BSC to RNC]

  11. Channels: Old & New
     GSM      UMTS
     BCCH     BCCH
     PCH      PCH
     AGCH     AICH
     SDCCH    DCCH
     TCH      DTCH
     RACH     RACH
     SCH      SCH
     CCCH     CCCH

  12. Channel Types
     • Logical: defines a logical task or use in the network
     • Transport: defines the way logical data is prepared
     • Physical: defines the actual channel (i.e., chipping code) used to transmit data

  13. Logical Channels
     • Broadcast Control Channel (BCCH): Provides common information about the cell to UEs.
     • Paging Control Channel (PCCH): Provides information about incoming calls and how to listen for them.
     • Dedicated Control Channel (DCCH): A two-way assigned channel that carries control information to and from a single UE.
     • Common Control Channel (CCCH): A two-way shared channel that carries control information.
     • Dedicated Traffic Channel (DTCH): A two-way assigned channel that carries traffic to and from a single UE.

  14. Transport Channels
     • Dedicated Transport Channel (DCH): Carries data to and from a specific UE.
     • Broadcast Channel (BCH): Broadcasts network and cell information.
     • Forward Access Channel (FACH): Carries control information to UEs for shared channels.
     • Random Access Channel (RACH): Carries channel requests to the network from the UE.
     • Paging Channel (PCH): Carries incoming call alerts.
     • Uplink Common Packet Channel (CPCH): Carries packet data to the network.
     • Downlink Shared Channel (DSCH): Carries packet data to the UE.

  15. Physical Channels: Signaling
     • Forward (to UE):
       • Primary Common Control Physical Channel (PCCPCH): Carries the BCH
       • Secondary Common Control Physical Channel (SCCPCH): Carries the FACH and the PCH
       • Synchronization Channel (SCH): Synchronizes time with the network
       • Common Pilot Channel (CPICH): Informs the user of the Primary Scrambling Code (PSC)
       • Acquisition Indicator Channel (AICH): Used to carry dedicated channel assignments to UEs
       • Paging Indication Channel (PICH): Provides the UE with information about how pages are sent. This informs the UE how often to wake up and listen for pages.
     • Reverse (to Node-B):
       • Physical Random Access Channel (PRACH): Carries the RACH

  16. Physical Channels: Traffic
     • Bi-directional:
       • Dedicated Physical Data Channel (DPDCH): Carries a DCH
       • Dedicated Physical Control Channel (DPCCH): Carries control information (e.g., identifiers, power control)
     • Forward (to UE):
       • Physical Downlink Shared Channel (PDSCH): Carries packet data to a UE
       • CPCH Status Indication Channel (CSICH): Indicates the status of the CPCH
       • Collision Detection/Channel Assignment Indication Channel (CD/CA-ICH): Indicates if data sent over the CPCH has been successfully received or if a collision occurred
     • Reverse (to Node-B):
       • Physical Common Packet Channel (PCPCH): Carries the CPCH

  17. How a connection is made
     • Channels used: SCH, CPICH, PCCPCH
     • Sequence between Node-B and UE:
       1. Synchronize time (SCH)
       2. Acquire PSC (CPICH)
       3. Acquire cell information (PCCPCH)

  18. How a call is sent/received
     • Channels used: DPDCH (DCCH & DTCH) + DPCCH
     • Sequence between Node-B and UE:
       1. Page sent over PCH (SCCPCH)
       2. Page response over RACH (PRACH)
       3. Chipping & scrambling code assigned (AICH)
       4. Authentication over DCCH (DPDCH + DPCCH)
       5. Call connect over DTCH (DPDCH + DPCCH)

  19. Mappings
     • Source: http://www.authorstream.com/Presentation/3627946-387767-wcdma-air-interface-fundamentals-science-technology-ppt-powerpoint/
     [Figure: mapping of logical channels onto transport channels and transport channels onto physical channels; not recoverable from the extracted text]

  20. Spreading Codes
     • Orthogonal Variable Spreading Factor (OVSF) vs. scrambling codes
       • OVSF codes are typical chipping/spreading codes
       • Scrambling codes can be multiplied into OVSF codes to provide more user channels
     • Long vs. short codes
       • Uplink: code lengths up to 256 (+ 16.8 M scrambling codes)
       • Downlink: code lengths up to 512
     • Why are these numbers different?
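How the OVSF tree on slide 20 is built, which codes may be handed out together, and what multiplying a scrambling sequence into an OVSF code buys. This is an added example, not code from the lecture or from any 3GPP specification: the tree construction is the standard recursive one (each code C spawns the children [C, C] and [C, -C]), while the two 8-chip scrambling sequences SCRAMBLE_1 and SCRAMBLE_2 are constructed stand-ins for the much longer pseudo-random sequences a real network uses.

```python
from itertools import combinations
from typing import List

Chips = List[int]


def ovsf(sf: int, index: int) -> Chips:
    """Code C_{sf,index} of the OVSF tree (sf a power of two, 0 <= index < sf).
    Each node spawns two children: [C, C] (even index) and [C, -C] (odd index)."""
    if sf < 1 or sf & (sf - 1):
        raise ValueError("spreading factor must be a power of two")
    if not 0 <= index < sf:
        raise ValueError("index out of range for this spreading factor")
    if sf == 1:
        return [1]
    parent = ovsf(sf // 2, index // 2)
    return parent + parent if index % 2 == 0 else parent + [-c for c in parent]


def inner(u: Chips, v: Chips) -> int:
    return sum(a * b for a, b in zip(u, v))


def all_orthogonal_at(sf: int) -> bool:
    """Every pair of distinct codes with the same spreading factor is orthogonal."""
    codes = [ovsf(sf, i) for i in range(sf)]
    return all(inner(a, b) == 0 for a, b in combinations(codes, 2))


def assignable(a: Chips, b: Chips) -> bool:
    """Can two codes of possibly different lengths be in use at the same time?
    Over one symbol of the longer code the shorter code repeats, so the pair
    works only if every piece of the longer code is orthogonal to the shorter
    one. This fails exactly when one code is an ancestor of (or equal to) the
    other in the tree, which is why assigning a code blocks its whole subtree."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    n = len(short)
    return all(inner(short, long_[k:k + n]) == 0 for k in range(0, len(long_), n))


def spread(bit: int, code: Chips, scrambling: Chips) -> Chips:
    """Channelisation with the OVSF code, then chip-wise scrambling."""
    return [bit * c * s for c, s in zip(code, scrambling)]


def despread(received: List[int], code: Chips, scrambling: Chips) -> float:
    """Descramble with the receiver's scrambling sequence, then correlate."""
    return inner([r * s for r, s in zip(received, scrambling)], code) / len(code)


# Constructed +/-1 scrambling sequences (assumptions, far shorter than real ones).
SCRAMBLE_1: Chips = [1, -1, -1, 1, 1, -1, 1, 1]
SCRAMBLE_2: Chips = [-1, 1, -1, 1, 1, 1, -1, -1]


def scrambling_reuse_demo() -> dict:
    """Two users send a '1' with the SAME OVSF code C_{8,0} under different
    scrambling sequences. Each receiver recovers the right sign (0.75 rather
    than the ideal 1.0): scrambling sequences are only approximately
    orthogonal, so the reuse costs some cross-interference."""
    code = ovsf(8, 0)
    tx1, tx2 = spread(1, code, SCRAMBLE_1), spread(1, code, SCRAMBLE_2)
    channel = [x + y for x, y in zip(tx1, tx2)]
    return {"user1": despread(channel, code, SCRAMBLE_1),
            "user2": despread(channel, code, SCRAMBLE_2)}


if __name__ == "__main__":
    for sf in (1, 2, 4, 8):
        print(f"SF {sf}:", [ovsf(sf, i) for i in range(sf)])
    print("C_{4,1} with its child C_{8,3}:", assignable(ovsf(4, 1), ovsf(8, 3)))
    print("C_{4,1} with C_{8,5} (other branch):", assignable(ovsf(4, 1), ovsf(8, 5)))
    print("same OVSF code, two scrambling codes:", scrambling_reuse_demo())
```

Two points the code makes concrete: a single OVSF tree yields at most sf mutually usable codes at spreading factor sf, and handing out a short (high-rate) code removes its entire subtree from the pool, which is why a cell runs out of channelisation codes long before it runs out of power. Scrambling codes lift that limit by letting the same OVSF code be reused under a different sequence, at the price of the residual interference the demo shows.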

  21. Power Control
     • CDMA provides optimal performance when all signals are received at approximately the same strength.
     • When a DTCH is assigned, the Node-B sends reports of the RSS (received signal strength) to the UE, alerting it at what power to transmit.
     • Power control commands are sent up to 1500 times per second.
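A simulation of the closed loop on slide 21: the Node-B measures each UE's received strength, compares it with a target, and sends an up/down command at the slide's rate of 1500 commands per second. This is an added example, not part of the lecture: the path losses (a near UE at 70 dB, a far UE at 100 dB), the 1 dB step per command and the -100 dBm target are constructed assumptions chosen to show the near-far problem and how quickly the loop removes it.

```python
from typing import Dict, List

COMMAND_RATE_HZ = 1500      # power control commands per second (from the slide)
STEP_DB = 1.0               # assumed: each command moves the UE's power by 1 dB
TARGET_RX_DBM = -100.0      # assumed: level the Node-B wants every UE to arrive at

# Constructed scenario: one UE close to the Node-B, one far away.
PATH_LOSS_DB: Dict[str, float] = {"near_ue": 70.0, "far_ue": 100.0}


def received_dbm(tx_dbm: float, path_loss_db: float) -> float:
    """Received signal strength at the Node-B for a given transmit power."""
    return tx_dbm - path_loss_db


def node_b_command(rx_dbm: float, target_dbm: float = TARGET_RX_DBM) -> str:
    """The Node-B compares RSS with the target and tells the UE which way to move."""
    return "down" if rx_dbm > target_dbm else "up"


def apply_command(tx_dbm: float, command: str, step_db: float = STEP_DB) -> float:
    """The UE obeys the command by one step."""
    return tx_dbm - step_db if command == "down" else tx_dbm + step_db


def simulate(path_losses: Dict[str, float], commands: int,
             start_tx_dbm: float = 0.0) -> List[Dict[str, float]]:
    """Run the closed loop. history[i] holds each UE's RSS after i commands;
    every UE starts at the same transmit power, so the near UE arrives 30 dB
    louder than the far one (the near-far problem) until the loop corrects it."""
    tx = {ue: start_tx_dbm for ue in path_losses}
    history: List[Dict[str, float]] = []
    for _ in range(commands):
        rx = {ue: received_dbm(tx[ue], loss) for ue, loss in path_losses.items()}
        history.append(rx)
        for ue in tx:
            tx[ue] = apply_command(tx[ue], node_b_command(rx[ue]))
    return history


def spread_db(rx: Dict[str, float]) -> float:
    """Difference between the strongest and weakest received UE; 0 is the CDMA ideal."""
    return max(rx.values()) - min(rx.values())


def commands_to_converge(history: List[Dict[str, float]],
                         tolerance_db: float = STEP_DB) -> int:
    """First sample at which every UE is within one step of the target, or -1."""
    for i, rx in enumerate(history):
        if all(abs(v - TARGET_RX_DBM) <= tolerance_db for v in rx.values()):
            return i
    return -1


if __name__ == "__main__":
    h = simulate(PATH_LOSS_DB, commands=100)
    n = commands_to_converge(h)
    print(f"RSS spread before control: {spread_db(h[0]):.0f} dB")
    print(f"converged after {n} commands = {1000 * n / COMMAND_RATE_HZ:.1f} ms")
    print(f"RSS spread after control: {spread_db(h[-1]):.0f} dB")
```

With these assumptions the 30 dB near-far gap closes after 29 commands, i.e. in about 19 ms at 1500 commands per second, after which each UE oscillates within one step of the target. That is the mechanism behind the "increased talk time" benefit on slide 7: the near UE ends up transmitting 30 dB less than it started with, and the far UE no longer has to shout over it.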

  22. Handoffs
     • 4 types: hard, soft, softer, network (2G ↔ 3G)
     • Soft handoff overview:
       • Frequency reuse = 1
       • UE will receive signal from multiple Node-Bs
       • Extract signals of old and new tower simultaneously using different chipping codes
       • Remain connected to old Node-B until re-registered with new Node-B
