
FORENSIC CONFERENCE ON RESEARCH AND DEVELOPMENTS

(.\fcord2016 – Chapter 18)

Cryptographic Embedded Devices
USIM & MILENAGE (Part 2)

Chapter 18; Smith, G; Lieb, L.D.



AUTHORS & REVIEWERS


Chapter 18 [1]; Greg Smith[2]; Laurence D. Lieb, CCPA [3]

[1]Institute for Digital Forensics IDF; Mobile Telephone Examination Board MTEB; London, England

[2]trewmte.blogspot.com; London, England. Email: trewmte@gmail.com

[3]HaystackId 205 W. Randolph, Suite 1125 Chicago, IL 60606; United States of America
Email: llieb@haystackid.com

For the last two years Chapter 18 (Smith et al) have been studying AKA
(authentication and key agreement). One candidate for AKA is
MILENAGE which, in 2014 (published 2015), was hacked using DPA (a
side-channel attack). Having spent 2016 researching through a huge
range of documents, presentations, test data, scripts etc., it was noted
that nothing had been written as to what to look for and how
practitioners could handle this information. It is hoped that, with the
discussion, the embedded links and a willingness to learn, this presentation
goes some way to help in that regard.

Copyright and IP
Please note images and other materials used
throughout this and other presentations may
hold copyright etc. held by their respective
owners.

Discussion Topics
• Welcome to FCORD2016 (Chapter 18)
• Training Course Part 1 – Cryptology for mobile telecommunications – extensive
research and materials
• Training Course Part 2 - Cryptographic Embedded Devices: USIM & MILENAGE

Discussion Topics
• Welcome to FCORD2016 (Chapter 18)
• What has happened since last Chapter event? Recap
• MILENAGE Recap – What, Where, Why
• MILENAGE Recap – Standards to read
• MILENAGE Recap – Simplified Development Tool
• USIM & MILENAGE
• USIM & MILENAGE: Attacks - Methodology for Power
Side Channels Attacks
• USIM & MILENAGE: CONCLUSION
• Welcome to FCORD2016 (Chapter 18)
• For new attendees, FCORD is a discussion and presentation channel for ‘person not
present’ training for MTEB/IDF members, and also for digital and cybercrime practitioners.
• MTEB and IDF are not-for-profit organisations. FCORD is our focus conference. There
are numerous Chapters within FCORD, e.g. Chapter 27 firearms and weapons,
Chapter 31 cloning mobile phones and so on. Statute Chapter numbers are used in
order to frame the importance of the subject and work, and do not provide legal
advice.
• The title Chapter 18 comes from the original Computer Misuse Act (CMA) 1990,
which makes wide provision for events associated with misuse of computer devices
and systems. The CMA has been subjected to amendments over the years: for example,
the Police and Justice Act 2006 Chapter 48 amends the Computer Misuse Act, see
Part 5 sections 35-38. The new amendments came into force on October 1, 2008.
• FCORD Chapter 18 deals with computer devices and systems.
• FCORD Chapter 18 remit covers computer and computing research, discovery and
developments.
• What has happened since last chapter event? – Recap
• Release 4 - 3GPP TR 35.909 V4.0.0 (2001-04) 6.1 General requirements for
3GPP cryptographic functions and algorithms “The functions should be
designed with a view to their continued use for a period of at least 20 years.”

• A huge body of standards, articles and reports discusses MILENAGE, along with
public algorithm and development tools. Together they combine to produce a
useful toolkit for those interested in cryptographic embedded devices.

• MILENAGE implementations embedded into certain USIM cards have been subjected to
successful Differential Power Analysis (DPA) attacks to reveal secrets.

• A DPA attack is not the same as the old-style brute-force RAND challenges
performed in 1998 by SDA and UC Berkeley researchers to reveal the hidden keys
(COMP128-1) http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html.
• What has happened since last chapter event? – Recap
The hacking community also produced a range of
tools reported in ‘SPECIAL ISSUE: B/2002
CLONING SIM CARDS’ that were shown to
successfully clone GSM SIM cards.
• What has happened since last chapter event? – Recap
• Security of devices (e.g. USIM) with cryptographic implementations can be
subjected to attacks by analysis of their Algorithms and Circuits
• A threat to the security of cryptographic implementations in smart cards that
remains today is SPA (Simple Power Analysis) and DPA (Differential Power
Analysis) originally proposed in 1999[*].
• The latest successful Differential Power Analysis attack, carried out in 2014 and
reported in 2015, worked by directly evaluating DPA leakage from logic information
emitted during power “switching activity” in circuits [**].
• As the authors Liu et al state in their report [**]: “In its standard form..., DPA is
based on a divide-and-conquer strategy, in which the different parts of a
secret key (usually denoted as “subkeys”) are recovered separately.”
• This training presentation does not propose an attack or countermeasure
on the scheme in the parent node, but highlights aspects not often discussed
that could help investigations and security policies, processes and procedures.
[*] P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Crypto’99, LNCS 1666, pp. 388-397, Springer-Verlag, 1999
[**]Junrong Liu, Yu Yu, Francois-Xavier Standaert, Zheng Guo, Dawu Gu, Wei Sun, Yijie Ge, and Xinjun Xie 'Small Tweaks do
Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards'
• MILENAGE Recap – Who, What, Why:
Of particular relevance for cybercrime investigation: framing the “tech” language of
any guidelines or reporting according to nationally and internationally approved and
regulated technology standards, which can be or have been adopted by institutions,
manufacturers, service providers and operators, assists continuity. Some examples
follow.
• MILENAGE Recap – Who, What, Why:
- Two important standards sub-groups under the umbrella of the International
Telecommunications Union (ITU) are ITU-T (Telecommunications) and ITU-R
(Radio). Their influence and the specifications they have woven into fixed and
wireless technology should not be underestimated.
- ITU-T http://www.itu.int/en/ITU-T/about/Pages/default.aspx
- http://www.itu.int/net/itu_search/index.aspx?cx=001276825495132238663%3Anqzm45z846q&cof=FORID%3A9&ie=UTF-8&q=ITU-T+Q.1741.4+
- Example of ITU-T work associated with MILENAGE: ITU-T Q.1741.4 (10/2005) SERIES Q:
SWITCHING AND SIGNALLING - Signalling requirements and protocols for IMT-2000 –
IMT-2000 references to release 6 of GSM evolved UMTS core network
- ITU-R http://www.itu.int/pub/R-REC
- http://www.itu.int/net/itu_search/index.aspx?cx=001276825495132238663%3Anqzm45z846q&cof=FORID%3A9&ie=UTF-8&q=ITU-R+M.1457-11
- Example of ITU-R work associated with MILENAGE: ITU-R M.1457-11 (02/2013) Detailed
specifications of the terrestrial radio interfaces of International Mobile
Telecommunications-2000 (IMT-2000)
• MILENAGE Recap – Who, What, Why:
- 3GPP A Global Initiative publishes a range of Confidentiality Algorithms specifications:
http://www.3gpp.org/specifications/60-confidentiality-algorithms
• MILENAGE Recap – Who, What, Why:
- For wireless standards reference to the specifications published by the 3GPP A Global
Initiative can be found at http://www.3gpp.org/specifications/79-specification-numbering

Image source - http://image.slidesharecdn.com/zte3g-12987232846962-phpapp02/95/zte-3g-16-728.jpg?cb=1298701834


• MILENAGE Recap – standards to read:
- For mobile standards specifications relevant to confidentiality: MILENAGE series is
available here: http://www.3gpp.org/DynaReport/33-series.htm

The requirements for the authentication and key generation functions were
specified by 3GPP TSG SA in: 3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects; 3G Security; Cryptographic
Algorithm Requirements 3G TS 33.105 version 3.4.0, the latest standard is V13.0.0:

NOTE: Regarding f0, the random generation function, it was agreed with 3GPP SA3
that an example for this function should not be proposed by the Task Force.

NOTE: For each of the algorithms f1 to f5* there is a general requirement that it
shall be computationally infeasible to derive K from knowledge of input(s) and
output.
• MILENAGE Recap – standards to read:
- For mobile standards specifications relevant to confidentiality: MILENAGE series is
available here: http://www.3gpp.org/DynaReport/35-series.htm

3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the
3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1:
General 3G TS 33.105 version 13.0.0 (2016-01). It repeats at Section 7.8 ‘Subsequent
requirements on the authentication and key generation functions’ (as in previous versions):
‘It is required that the algorithm lends itself to implementations which are resistant to Simple Power
Analysis, Differential Power Analysis and other 'side-channel' attacks as appropriate when
implemented on a USIM. It is acknowledged that SAGE may need to consult with smart card experts
in order to be able to address this requirement.’

Also 3GPP TS 35.205 V13.0.0 (2016-01) Section 9.4 Side channel attacks evaluation
In the design process it was concluded not to be feasible to design a general algorithm framework that by
itself would not be vulnerable to side channel attacks. Rijndael, as most other block ciphers, is potentially
vulnerable to simple and differential power analysis (SPA and DPA) aiming to recover the secret key. It was
also concluded that the use of operator constants, OPc, in the USIM cards can only play a limited role in
protecting against these kinds of attacks. Hardware protection measures and masking techniques, as
referenced in [6], need to be specifically implemented for protection. Also timing attacks (TA) may need
implementation specific countermeasures. Rijndael as an AES candidate has been shown to readily lend
itself to protection measures against side channel attacks.
• MILENAGE Recap – standards to read:
- For mobile standards specifications relevant to confidentiality: MILENAGE series is
available here: http://www.3gpp.org/DynaReport/35-series.htm
Example set of algorithms which may be used as the
authentication and key generation functions f1, f1*, f2, f3,
f4, f5 and f5*. (It is not mandatory that the particular
algorithms specified in this document are used — all seven
functions are operator-specifiable rather than being fully
standardised). This document is one of five, which between
them form the entire specification of the example
algorithms, entitled:
• 3GPP TS 35.205: "Document 1: General".
• 3GPP TS 35.206: "Document 2: Algorithm Specification".
• 3GPP TS 35.207: "Document 3: Implementors' Test Data".
• 3GPP TS 35.208: "Document 4: Design Conformance Test Data".
• 3GPP TR 35.909: "Document 5: Summary and results of design and evaluation".
NOTE: TS = Technical Specification TR = Technical Report
• MILENAGE Recap – standards to read:

Good place to stop and refresh on certain points:

• Adoption of MILENAGE specification is optional, but once adopted and intended for
use the stated outcomes should be followed, even where the seven functions are
operator-specifiable.
• When dealing with standards remember to corroborate what status is given to the
performance of a function (Mandatory-Mandatory; Mandatory-Optional; Optional-
Mandatory; and Optional-Optional).
• In use, MILENAGE must be compatible and operational between USIM, smart
devices and the relevant network entities. Also, check for backward/forward
communications: GSM<>WCDMA<>LTE.
• It is anticipated that MILENAGE provides confidence in the communications
confidentiality and a higher degree of 3G security to prevent cloning of its secrets.
• This is in addition to any electronic countermeasures used within the USIM to
prevent cloning etcetera.
• Known protection mechanisms against side-channel attacks (SCA) should be implemented.
• MILENAGE Recap – simplified development tool:

An example of a simplified tool designed to test the parameters for MILENAGE,
based upon 3G TS 35.206, brings to life the technicality involved but in an
easy-to-follow format.
http://fabricioapps.blogspot.co.uk/2011/05/umts-security-algorithm-MILENAGE.html
Download - http://bit.ly/H0idng
• MILENAGE Recap – simplified development tool:

http://1.bp.blogspot.com/-qqyhNtIf04I/TcF4b5m6NeI/AAAAAAAAADw/kYIu9Z0-dhw/s1600/umts_security_MILENAGE.JPG
• MILENAGE Recap – simplified development tool - input and output:
[Screenshots: tool input and output screens]
• MILENAGE Recap : TR 35.909 V13.0.0 (2016-01) Release 13 Page 13
Section 8 The 3GPP MILENAGE algorithm

OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants
EK: Rijndael block cipher with 128 bits input and 128 bits key
• MILENAGE Recap – simplified development tool - input and output:
[Screenshots: further tool input and output screens]
• MILENAGE Recap – simplified development tool - output:
Attention was drawn to the similar f1 and f5 output in the ‘AUTN’ field in the previous
screenshots. The question is why?
The keys combined are in fact known as the authentication token used by the
AuC (HLR) and in the USIM.
Upon implementation the make-up of the AUTN token has been expressed as
combining:
• MILENAGE Recap – simplified development tool – output vectors GSM Kc & SRES
• MILENAGE – some thoughts:
The simplified tool (produced back in 2004) shown in the previous slides provides a
snapshot of one development tool created to test MILENAGE functions. It is though
a useful training tool that brings to life the expression of the specifications as
defined in the standards.

There are, of course, many other up-to-date tools used that assist Cyber and
Security Investigations, Pen Testers and Forensics. That is why Training Course Part
1 contains extensive, historical and up-to-date research and materials as part of the
training course, which includes also identification of scripts etc.

So we can see there are standards for cryptographic algorithms for GSM/3G/LTE.
We understand that the MILENAGE algorithm’s specifications, as defined in the
standards, provide a useful understanding of the parameters and functions that cyber
management can consider when handling USIM/device investigations in the
workplace and for asset management.
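
Added example (not code from the presentation or from the tool shown in the slides): a standard-library Python implementation of the MILENAGE functions of 3GPP TS 35.206 with the example constants r1..r5 and c1..c5 recapped above, together with the AUTN construction of 3GPP TS 33.102, AUTN = (SQN xor AK) || AMF || MAC-A, which is why the f1 (MAC-A) and f5 (AK) outputs both appear in the AUTN field. Function names are this example's own, the demo inputs are test set 1 of TS 35.207, and the USIM-side check leaves out the SQN freshness test that a real card also performs.

```python
import hmac

def _xtime(a):  # multiply by x in GF(2^8), modulo the AES polynomial
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _build_sbox():  # field inverse followed by the AES affine transform
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    while True:
        p ^= _xtime(p)                      # p = p * 3
        q ^= q << 1
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09                       # q = q / 3, so q == inverse(p)
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt(key, block):
    """E_K: the Rijndael kernel (128-bit block, 128-bit key) MILENAGE uses."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                    # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
        if rnd < 10:                                                # MixColumns
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                m += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                     # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def compute_opc(k, op):
    """OPc = OP xor E_K(OP), the operator-derived constant."""
    return _xor(op, aes128_encrypt(k, op))

def milenage(k, opc, rand, sqn, amf):
    """f1, f1*, f2, f3, f4, f5, f5* with the example constants r1..r5, c1..c5."""
    rot = lambda x, bits: x[bits // 8:] + x[:bits // 8]   # cyclic left rotation
    def e_opc(x, c_low=0):                 # E_K(x xor c_i) xor OPc
        x = x[:15] + bytes([x[15] ^ c_low])
        return _xor(aes128_encrypt(k, x), opc)
    temp = aes128_encrypt(k, _xor(rand, opc))
    in1 = (sqn + amf) * 2                  # SQN || AMF || SQN || AMF
    out1 = e_opc(_xor(temp, rot(_xor(in1, opc), 64)))     # r1 = 64, c1 = 0
    t = _xor(temp, opc)
    out2 = e_opc(rot(t, 0), 1)             # r2 = 0,  c2 = 1
    out3 = e_opc(rot(t, 32), 2)            # r3 = 32, c3 = 2
    out4 = e_opc(rot(t, 64), 4)            # r4 = 64, c4 = 4
    out5 = e_opc(rot(t, 96), 8)            # r5 = 96, c5 = 8
    return {"mac_a": out1[:8], "mac_s": out1[8:], "res": out2[8:], "ck": out3,
            "ik": out4, "ak": out2[:6], "ak_star": out5[:6]}

def build_autn(k, opc, rand, sqn, amf):
    """AuC side: AUTN = (SQN xor AK) || AMF || MAC-A (3GPP TS 33.102)."""
    v = milenage(k, opc, rand, sqn, amf)
    return _xor(sqn, v["ak"]) + amf + v["mac_a"]

def usim_check_autn(k, opc, rand, autn):
    """USIM side: unmask SQN with f5, recompute f1, compare in constant time."""
    ak = milenage(k, opc, rand, bytes(6), bytes(2))["ak"]  # f5 ignores SQN/AMF
    sqn, amf = _xor(autn[:6], ak), autn[6:8]
    v = milenage(k, opc, rand, sqn, amf)
    return hmac.compare_digest(v["mac_a"], autn[8:16]), sqn, v["res"]

if __name__ == "__main__":
    # Inputs: test set 1 of 3GPP TS 35.207 (Implementors' Test Data)
    K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
    OP = bytes.fromhex("cdc202d5123e20f62b6d676ac72cb318")
    RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
    SQN, AMF = bytes.fromhex("ff9bb4d0b607"), bytes.fromhex("b9b9")
    OPC = compute_opc(K, OP)
    autn = build_autn(K, OPC, RAND, SQN, AMF)
    print("AUTN:", autn.hex())
    print("USIM accepts:", usim_check_autn(K, OPC, RAND, autn)[0])
```

The first six AUTN bytes differ from SQN because they are masked with AK (f5), while the last eight are the f1 output unchanged.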
• USIM & MILENAGE:
Back in 2002 GEMPLUS (now known as gemalto) was one of the first U/SIM card
producers to offer MILENAGE as an encryption algorithm. To do that developers
needed to know how GEMPLUS defined Authentication Configuration for 3G
Security.
• USIM & MILENAGE:
Does the current Standard (e.g. 31.102) stack up, thus back up a reason to investigate?
• USIM & MILENAGE:
Reading EFKEYS at USIM 6F08 with USIM Detective (Quantaq)

http://www.quantaq.com/products/usimdetective/
• USIM & MILENAGE:
The tools and software are out there to program USIMs embedded with
MILENAGE.
USIM & MILENAGE: ATTACKS


• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

The Goal (cybertechs/pen testing/forensic analysis):

The methodology of attack would be to prove/disprove the vulnerability of a USIM
card to a sustained differential power analysis attack, to find whether the USIM would
reveal its secret keys.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

The above report, published in 2015, confirmed the results of the authors' successful
tests, obtained the previous year, on certain USIM cards embedded with MILENAGE that
were susceptible to a DPA attack. The report did not claim, infer or imply that all USIM
cards were susceptible to DPA attacks, but highlighted those USIMs that were attacked and
how quickly the secret keys were obtained (next slide). The report does not identify a
particular manufacturer, network operator or country involved.
Download report: https://perso.uclouvain.be/fstandae/PUBLIS/161.pdf
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

How was the attack successful?

Summary and outcome of the attack reported at the Black Hat USA 2015 Conference:
https://www.blackhat.com/us-15/briefings.html#cloning-3g-4g-sim-cards-with-a-pc-and-an-oscilloscope-lessons-learned-in-physical-security

The presentation on how the hack was performed:
https://www.blackhat.com/docs/us-15/materials/us-15-Yu-Cloning-3G-4G-SIM-Cards-With-A-PC-And-An-Oscilloscope-Lessons-Learned-In-Physical-Security.pdf

• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

It is noted the attackers discovered that implementing MILENAGE, based on the block
cipher AES-128, as an algorithmic-level countermeasure cannot in itself prevent DPA.
This is shown by Professor Yu Yu (Black Hat presentation) in Step 1: recovered profile
of AES during power tracing.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
What causes power leakage enabling power tracing?
Professor Yu Yu mentions in the “Small Tweaks” report that CMOS typically suffers from
power leakage (enabling power traces to be obtained) during switching activity. A useful
presentation on CMOS leakage can be found here:
https://www.ece.cmu.edu/~ece322/LECTURES/Lecture13/Lecture13.03.pdf

• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

To generally summarise this DPA:

The successful DPA attack on the DUTs (devices under test, i.e. the chips) was possible
due to testing the encryption on the chips by observing the power levels of the chips
during switching activity. Professor Yu Yu and his team analysed the power levels to show
a correlation of the bit patterns.

The attack further involved observing differences in the encryption process, which is
then used to crack the keys. This is shown in the presentation by use of particular test
data, by presenting an arrangement of inputs to the chips, and observing the power
level variations. During each round of test attacks the power consumption levels
observed changed, depending upon the activity within the chips. This task-orientated
procedure led to the chips exposing their secrets, which enabled other chips to be
cloned from the revealed secrets.

• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

This successful attack affords cyber management, forensic investigators, pen
testers etc. a useful investigation and training opportunity to discover how these and
similar attacks might occur and what action may be necessary. To do that we need
not rehearse that which is already written in the report/presentation, but analyse the
components involved in the attack and other aspects identified by them to assist
investigations and security policies, practices and procedures.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Template - identities in side channel attacks - DPA

POWER TRACES
- The Measurement Setup
- The Signal Processing

POWER MODELS
- Single Bit
- Hamming Weight
- Hamming Distance
- Switching Distance
- Toggle Count
- Power Simulation
- Profiled Model

DIFFERENTIAL POWER ANALYSIS
- Difference of Means
- Correlation Coefficient

Advanced Power Analysis Attacks
- Higher-Order DPA
- Collision Attacks
- Profiled Attacks
- Algebraic Side-Channel Attacks
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
[Same template repeated with tick marks.] Tick method denotes items used in metrics or
discussed as tools of attack.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Question for security and forensic consideration. Does the reported attack note
countermeasure/s implemented in and on the USIM card designed to prevent attack
and revelation of secrets? If so, how was the attack successful, in other words, what
failed?
ALGORITHMIC level countermeasure
- Masked Data?
- Block Ciphers [~]?
- Random Delay?
- Shuffling?
- ?

CIRCUIT level countermeasure
- DDL (Dynamic Differential Logic)?
- SABL (Sense Amplifier Based Logic)?
- DCVSL (Differential Cascode Voltage Switch Logic)?
- SDDL (Simple Dynamic Differential Logic)?
- WDDL (Wave Dynamic Differential Logic)?
- Double Wave Dynamic Differential Logic (DWDDL)?
- ?

[~] Does MILENAGE use block ciphers? How would this prevent DPA?
Masked Data > Obfuscation (blinding, masking); Cache Lockdown (static, disallow altogether caching);
Random Delay > by dummy XOR (logic gate); Shuffling > Randomization (the address-to-cacheline mapping)
like Address Space Layout Randomization ASLR; Leakage reduction Noise (injecting an unpredictable
component).
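
Added example (not from the presentation or the cited report): a known-key leakage check an evaluator might run, showing what the "Masked Data" entry buys against the Hamming Weight model and Correlation Coefficient named in the template. The traces are simulated, the key byte and all function names are constructed for this sketch, and only first-order leakage of a single sample is modelled, so it says nothing about the higher-order analysis the template also lists.

```python
import random

def hw(v):
    """Hamming weight: number of set bits in a byte."""
    return bin(v).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def simulate(n_traces, masked, seed=1, noise_sigma=1.0):
    """Return (model, samples) for a simulated device.

    model   : HW of the sensitive byte, computed by the evaluator who knows the key
    samples : one simulated power sample per operation (HW leakage plus noise)
    """
    rng = random.Random(seed)
    key_byte = 0x3C                        # constructed evaluation key
    model, samples = [], []
    for _ in range(n_traces):
        data = rng.randrange(256)          # known input byte
        sensitive = data ^ key_byte        # value the countermeasure must hide
        mask = rng.randrange(256) if masked else 0   # fresh random mask per run
        handled = sensitive ^ mask         # what the circuit actually switches on
        samples.append(hw(handled) + rng.gauss(0.0, noise_sigma))
        model.append(hw(sensitive))
    return model, samples

def leakage_report(n_traces=2000):
    """First-order correlation between model and samples, with and without masking."""
    return {
        "unmasked": pearson(*simulate(n_traces, masked=False)),
        "masked": pearson(*simulate(n_traces, masked=True)),
    }

if __name__ == "__main__":
    for name, rho in leakage_report().items():
        print(f"{name:9s} correlation with HW model: {rho:+.3f}")
```

A high correlation in the unmasked case and a value near zero in the masked case is the evidence an assessor looks for before accepting that a first-order countermeasure is actually active on the device.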
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
Roman Korkikian submitted a doctoral paper (2016-10) with title: Side-Channel and
Fault Analysis in the Presence of Countermeasures: Tools, Theory and Practice
https://www.ens-paris.fr/images/RK.pdf See pages 45-46 for Side Channel Attack
Countermeasures definitions based upon the mind-map below.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
1. Attack Attributes vis-à-vis Methodology

POWER TRACES
The Measurement Setup
- Self-made card reader
- CryptoMobile-Master - Py script (free on internet)
- PC – Dell or Similar
- LeCroy W waverunner Mxi-A (photo updated Oscill.)
- Card-to-Terminal Adapter
- MP300 SC2

BOM (Bill of Materials)

Combined PoS (point of sale prices) 15K-20K (UK).
Less if items are rented or purchased second-hand,
and nothing if borrowed or obtained through theft.
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

Assessing skillsets and the actual or potential tools used to breach security invariably
requires understanding whether an attack could have been perpetrated by a major source
vis-à-vis a person in the backroom with a PC. This type of question is not new.

In the online news article about a cyber attack, at the BBC website
(http://www.bbc.co.uk/news/technology-18238326), Kaspersky's chief malware
expert Vitaly Kamluk said: "Currently there are three known classes of players who
develop malware and spyware: hacktivists, cybercriminals and nation states."

Sixteen years earlier a taxonomy of attackers (classes) was defined by Ross Anderson
and Markus Kuhn in 1996, referred to back in 1998 in a series of reports published in
FEN (Forensic Expert News) into Smart Card Hacking. This was prior to the successful
1998 attack on GSM SIM Cards.

Full details here:
http://trewmte.blogspot.co.uk/2012/05/new-malware-invokes-label-cyber-weapon.html
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks

In short, what Anderson and Kuhn proposed in their taxonomy of attackers:

"Class I (clever outsiders):
They are often very intelligent but may have insufficient knowledge of the system. They may
have access to only moderately sophisticated equipment. They often try to take advantage of an
existing weakness in the system, rather than try to create one.

"Class II (knowledgeable insiders):
They have substantial specialised technical education and experience. They have varying degrees
of understanding of parts of the system but potential access to most of it. They often have
highly sophisticated tools and instruments for analysis.

"Class III (funded organisations):
They are able to assemble teams of specialists with related and complementary skills backed by
great funding resources. They are capable of in-depth analysis of the system, designing
sophisticated attacks, and using the most advanced analysis tools. They may use Class II
adversaries as part of the attack team."
• USIM & MILENAGE: Methodology for Power Side-Channels Attacks
From an investigations point of view, and for creating either security policies,
practices or procedures both Anderson & Kuhn and Kamluk provide useful guidance
and identifiers as a starting point to create a ‘profile’ of potential attackers.
Hans Brinker - Harlingen. Dutch boy with finger in the dyke. ‘If they act quickly and in time, even
they with their limited strength and resources can avert disasters.’
Image: https://s-media-cache-ak0.pinimg.com/736x/c0/68/af/c068af80206f357e36ef617d2dbe9294.jpg

CONCLUSION
• USIM & MILENAGE: CONCLUSION

CONCLUSION – CRYPTOGRAPHIC ALGORITHMS:

In closing, this DPA is a direct attack on hardware (physical). This attack therefore requires
obtaining a victim’s USIM card or, in the alternative, acquiring genuine unused USIMs from
operators and cloning multiple USIMs. The algorithm MILENAGE was not at fault (even
with tweak OPc) as it relied upon the hardware. MILENAGE is not going away according to
GSMA 2016:

Solutions to Enhance IoT Authentication Using SIM Cards (UICC)
http://www.gsma.com/connectedliving/wp-content/uploads/2016/11/cl_iot_authenticate_report_web_11_16.pdf

Official Document CLP.14 - IoT Security Guidelines for Network Operators
http://www.gsma.com/connectedliving/wp-content/uploads/2016/02/CLP.14-v1.0.pdf
• USIM & MILENAGE: CONCLUSION
CONCLUSION – CRYPTOGRAPHIC ALGORITHMS:
Other cryptographic algorithms suggested for mobile communications to consider for
security purposes:

- SNOW
http://www.gsma.com/aboutus/wp-content/uploads/2014/12/Doc5-UEA2-UIA2-Spec-Design-Evaluation-Report.doc

- TUAK and Keccak
http://comsec.uwaterloo.ca/~y24tan/pdf/Report.pdf

Also, see ISG Smart Card Centre - Royal Holloway University of London, Re: Performance
Evaluation of the TUAK algorithm in support of the ETSI Sage standardisation group
31.10.2014
http://www.3gpp.org/ftp/Specs/archive/35_series/35.936/SAGE_report/Perfevaluationext.zip
• USIM & MILENAGE: CONCLUSION
CONCLUSION – HARDWARE COUNTERMEASURES:
In general, to avoid Power Side-Channel Attacks (SCA) the particular USIM providers in
industry should learn, if they haven’t already, from smart card solutions e.g. to snuff out
side-channel attacks at source; a dual CPU that works on inverted logic can help do this.

One solution, of many, is the Infineon SLE77 with a dual CPU, memory, Bus and Cache
encryption:

http://www.infineon.com/cms/en/product/security-and-smart-card-solutions/security-controllers/sle77/channel.html?channel=5546d462503812bb015066c2d8181744

http://www.infineon.com/dgdl/Infineon-Infineon+Chip+Card+&+Security+ICs+Portfolio_10.2014-SG-v01_00-EN.pdf?fileId=5546d4624933b875014999016c6e2bde
• USIM & MILENAGE: Methodology for Power Side Channels Attacks

CONCLUSION: SECURITY & FORENSICS

Cyber Management
Determining the possibility of attack and reducing or removing the risk could include:
- Asset management: company-issued devices vis-à-vis BYOD
- Selection and choice of algorithm and hardware
- BYOD: Cyber Classification
http://trewmte.blogspot.co.uk/2015/08/byod-cyber-classification.html

INVESTIGATORS
Hopefully this presentation might help; plus helpful info below:

BYOD - CJIS MOBILE APPENDIX - FBI
http://trewmte.blogspot.co.uk/2015/11/byod-cjis-mobile-appendix-fbi.html
• USIM & MILENAGE: CONCLUSION

CONCLUSION: SECURITY & FORENSICS

PEN TESTERS
- Can you run tests to evaluate any rogue USIMs?
- Do you have the equipment to evaluate USIMs vulnerable to side-channel attack?

FORENSIC EXAMINERS
- Is your SIM reader up-to-date and does it collect data from particular visible
elementary files (EF)?
- Particularly for law enforcement: obtain the various cryptographic algorithm
signatures identified in EFKEYS etc.?
- Link analysis to other EFs in USIM to create a profile of network activity.

Mobile Telephone Examination Board and Institute for Digital Forensics
can be found on LinkedIn

THANK YOU
END OF FCORD2016 CHAPTER 18
DISCUSSION CHANNEL
