3GPP TSG-SA WG3-LI Meeting #38 Tallinn, Estonia, 7-9 Septe !

e" #010 Title$ LI o% MI&E'-I(A&E, a )& pe"spe*ti+e ,o*- ent %o"$ ,is*-ssion ,ate$ So-"*e$

SA3LI10_099

(a*.g"o-n/
Various schemes have been discussed for inclusion in IMS Media Plane Security; MIKEY-IBAKE is currently bein considered! "here is some concern about the #a$ful Interce%tion solution %ro%osed for this scheme& $hich may %revent its de%loyment in some 'urisdictions! (ecent events have hi hli hted the difficulties that can arise $hen a%%ro%riate #I mechanisms are not en ineered into systems at an early sta e!

MI&E'-I(A&E an/ LI 0e1-i"e ents

"o %erform #a$ful Interce%tion on MIKEY-IBAKE communications& a #EM) $ould be re*uired to %erform a Man-in-the-Middle attac+ durin session establishment ,or re-+ey-& and continue to decry%t and re-encry%t communications for the duration of the session! "his a%%ears to %rohibit several of the re*uirements a reed in Section .!/ of 01PP "S 00!234! "he re*uirements are considered in turn here!
2! 5hen an encry%tion service is %rovided by the P#M6& la$ful interce%tion shall ta+e %lace as for a non encry%ted communications! a! In addition encry%ted communications shall be decry%ted& or the decry%tion +eys and any re*uired associated information ,e! ! roll over counters- shall be %rovided to the #EM)! b! )or the s%ecific case $here a +ey server based solution is used& it is a national o%tion for the o%erator to ma+e +eys and any associated information ,e! ! roll over counters- directly available to the #EM) for the decry%tion of communications!

It a%%ears that MIKEY-IBAKE satisfies this re*uirement!

7! Interce%tion shall be %erformed in such a manner as to avoid detectability by the "ar et or others! In %articular8 a! "here shall be no si nificant difference in latency durin call setu% or durin communications com%ared to a non interce%ted communications!

9ue to the timin and interaction re*uired to %erform the Man-in-the-Middle attac+ durin call setu%& there $ill be additional latency in call setu%! "his $ill be es%ecially %ronounced $hen lar e numbers of Surveillance Sub'ects are active in one re ion or one s$itch! :om%utationally intensive elli%tic curve calculations $ill need to be %erformed for every call setu% under surveillance& so a slot to %erform these

2 ,0-

3GPP TSG-SA WG3-LI Meeting #38 SA3LI10_099 Tallinn, Estonia, 7-9 Septe !e" #010 calculations is re*uired before the call can commence! It a%%ears that MIKEYIBAKE does not satisfy this re*uirement!
b! Interce%tion of a "ar et shall not %revent the use of +ey e;chan e a%%lications $hich %rovide a user +ey confirmation mechanism! 6<"E8 Key confirmation mechanisms such as an authentication strin to be e;chan ed verbally are commonly used to %rovide additional assurance of authentication!

"he Man-in-the-Middle attac+ re*uired for #I in MIKEY-IBAKE results in different +eys bein derived by each MS=>E $hen surveillance is ta+in %lace! "his %rohibits the use of such +ey confirmation mechanisms $hich some users may e;%ect& and may be included in im%lementations of the standard! It a%%ears that MIKEY-IBAKE does not satisfy this re*uirement!
c! Should interce%tion fail durin a call ,or durin call setu%-& the call shall be unaffected!

Should a MIKEY-IBAKE #I im%lementation fail& all calls sub'ect to interce%tion $ill immediately fail! "his is because the #I im%lementation needs to decry%t and reencry%t ,$ith a different +ey- all data it interce%ts! Such an event may raise a$areness of a Surveillance Sub'ect to interce%tion! It should be noted that multi%le Surveillance Sub'ects? calls $ould be simultaneously terminated ,and other users in the same location $ould not-; this may indicate $hich users are under surveillance! It a%%ears that MIKEY-IBAKE does not satisfy this re*uirement!
0! 5here the P#M6 o%erator %rovides decry%tion of the communication& it is the o%erator?s choice $here in the net$or+ this decry%tion is %erformed! @o$ever& follo$in decry%tion& all I(I and :: shall be %rovided to the #EM) usin handover mechanisms as %er a non encry%ted communication!

<%erators have little choice in the %ositionin of the decry%tion function $hen %erformin #I on MIKEY-IBAKE! "he communications must be decry%ted and reencry%ted en-route& in the core net$or+& as the communicatin %arties of a MIKEYIBAKE call under surveillance have different +eys! 6ote that this a%%roach also causes difficulties in %erformin #I $hen #ocal (outin is em%loyed! It a%%ears that MIKEY-IBAKE does not satisfy this re*uirement!
A! An encry%tion solution shall not %rohibit commencement of Interce%tion and decry%tion of an e;istin communication!

By allo$in for session re+eys& it may be %ossible for MIKEY-IBAKE to satisfy this re*uirement! @o$ever& if re+eyin of sessions is not commonly confi ured by users& the use of a session re+ey to facilitate #a$ful Interce%tion $ill be detectable by Surveillance Sub'ects! It is unclear $hether MIKEY-IBAKE can satisfy this re*uirement!
.! If +ey material and any associated information are available& it shall be %ossible to retros%ectively decry%t encry%ted communications!

A Man-in-the-Middle attac+ is an active attac+& $hich must be %erformed at the time of call setu%! "herefore in MIKEY-IBAKE& if this attac+ has not been %erformed& any surveillance is im%ossible& $hether durin or after the call! In order to retros%ectively

7 ,0-

3GPP TSG-SA WG3-LI Meeting #38 SA3LI10_099 Tallinn, Estonia, 7-9 Septe !e" #010 decry%t communications the Man-in-the-Middle attac+ must have been %erformed on all subscribers! It a%%ears that MIKEY-IBAKE does not satisfy this re*uirement! It is %ossible to em%loy Identity Based Encry%tion $hilst allo$in for the %ossibility of #a$ful Interce%tion! In li ht of these re*uirements& >K overnment has develo%ed a similar scheme& MIKEY-SAKKE& $hich su%%orts 01PP SA0 #I re*uirements and has additional benefits such as lo$ latency! )ull details of this scheme can be found in the MIKEY-SAKKE Internet 9raft! An additional concern in the >K is that %erformin an active attac+& such as the Man-inthe-Middle attac+ %ro%osed in the #a$ful Interce%tion solution for MIKEY-IBAKE may be ille al! "he >K :om%uter Misuse Act 2BB3 %rovides le islative %rotection a ainst unauthorised access to and modification of com%uter material! "he act ma+es s%ecific %rovisions for la$ enforcement a encies to access com%uter material under %o$ers of ins%ection& search or seiCure! @o$ever& the act ma+es no such %rovision for modification of com%uter material! A Man-in-the-Middle attac+ causes modification to com%uter data and $ill im%act the reliability of the data! As a result& it is li+ely that #EM)s and P#M6s $ould be unable to %erform #I on MIKEY-IBAKE $ithin the current le al constraints )urthermore& the fact that communications are modified en-route by an active attac+ $ould render any interce%ted data unacce%table for evidential use! )or these reasons there must be si nificant doubt re ardin de%loyment of MIKEYIBAKE in the >K or in other countries $ith similar le al frame$or+s or $here evidential #I is re*uired!

0e%e"en*es
"hese re*uirements relate to IMS Media Security and to #a$ful Interce%tion! 01PP "S 00!2348 D#a$ful interce%tion re*uirementsE 01PP "S 00!07F8 DIP Multimedia Subsystem ,IMS- media %lane securityE 01PP "( 00!F7F8 DIP Multimedia Subsystem ,IMS- media %lane securityE S%ecification for MIKEY-SAKKE8 IE") Internet 9raft draft- roves-mi+ey-sa++e-33& MIKEY-SAKKE8 Sa+ai-Kasahara Key E;chan e in Multimedia Internet KEYin ,$or+ in %ro ress-

0e*o

en/ation

SA0-#I members are re*uested to discuss the concerns herein re ardin #a$ful Interce%tion of MIKEY-IBAKE!

0 ,0-