Assignment 2 - 3G PCAP Analysis

This document describes an assignment analyzing a 3G network packet capture file to study authentication and identity privacy protection concepts. Students are instructed to open the attached pcap file and filter for RANAP packets to view messages between the RNC and SGSN. By examining fields in packets of interest, students answer questions about the mobile identity, IMEI, IMSI, and authentication.

Uploaded by Pramod Bhat

CS 9223 - Mobile Security

Assignment 2: 3G PCAP Analysis


Background

In this assignment, you will analyze a pcap file captured in a lab to understand the security
mechanisms of the 3G network that we covered in class. The following concepts will be studied:

1. Authentication, and
2. Identity Privacy Protection

The pcap file for the assignment is attached in this assignment folder: 3g_attach.pcap.

Also, since this pcap file comes from a lab that used a simulator in place of a real mobile, we
will point out the differences from what we studied in class.

1. Open the provided 3g_attach.pcap file in Wireshark.


2. Filter the packets using the display filter “ranap”. This leaves only the packets on the
following interface:
a. Between the RNC and SGSN: this interface is called the “Iu-ps” interface and its
application-layer protocol is RANAP (Radio Access Network Application Protocol).
You will see a set of packets for which Wireshark displays the protocol as “RANAP”.

You should see a screen approximately like the screenshot below (your Wireshark settings for the
display of fields may be slightly different).

NOTE: We are not interested here in understanding the details of these protocols, but in
looking inside the packets in Wireshark to review some of the security concepts we learnt in
class. The RANAP protocol is used on the interface between the RNC and SGSN (Iu-PS
interface) and between the RNC and MSC/VLR (Iu-CS interface). Though RANAP is only used in 3G
systems, it has “evolved” into S1AP (S1 Application Protocol) in 4G systems (you will
learn about this in Module 6), used between the eNB and MME (S1 interface), and into
NGAP (Next Generation Application Protocol) in 5G systems (Module 6), used between
the gNB and AMF (N2 interface). Hence, the concepts from RANAP have evolved and are
still used in today’s 4G/5G cellular systems. Again, this is for your information, in case
you are interested in finding out more about these protocols.

The interfaces and protocols relevant to the PCAP.

The packets of interest are shown in the figure below; each red number is the frame number
of that packet in the pcap. We will look at various fields in these packets to answer the
questions that follow.

PCAP Messages of interest (figure: message flow between UE, RNS/SGSN and HSS/AuC, with the AKA
computations drawn alongside; numbers are frame numbers in the pcap)

44. Attach request (UE -> SGSN)
45. Identity request (SGSN -> UE)
47. Identity Response (UE -> SGSN)
48. Identity request (SGSN -> UE)
50. Identity Response (UE -> SGSN)
    SGSN -> HSS/AuC: Authentication request (IMSI). The HSS/AuC generates the authentication
    vectors AV(1..n), each AV = (RAND, XRES, CK, IK, AUTN), from K, RAND and SQN_HE (function A),
    and returns them in the Authentication response (AVs). The SGSN stores the vectors and
    selects one AV. This SGSN-HSS exchange is not in the pcap.
51. Authentication request (RAND || AUTN) (SGSN -> UE). The UE recovers SQN from AUTN
    (function B, the inverse of the SQN concealment), verifies AUTN against SQN_UE, and
    computes RES, CK and IK (function A).
53. Authentication response (RES) (UE -> SGSN). The SGSN checks RES == XRES?
54. Security Mode Command (CK, IK, UE Security Capabilities) (SGSN -> RNC). The RNC then sends
    Security Mode Command (selected algorithms) to the UE, and the UE answers with Security
    Mode Complete; the RNC-UE leg is not in the pcap.
56. Security Mode Complete (RNC -> SGSN)
    HSS -> SGSN: Insert Subscriber Data (not in the pcap)
58. Attach Accept (P-TMSI) (SGSN -> UE)
60. Attach Complete (UE -> SGSN)

Abbreviations used in the figure:
AKA   Authentication and Key Agreement
AuC   Authentication Center
AV    Authentication Vector
AUTN  Authentication TokeN
CK    Ciphering Key
HE    Home Environment
IK    Integrity protection Key
RES   RESponse
XRES  eXpected RESponse
SQN   Sequence Number
UE    User Equipment
TMSI  Temporary Mobile Subscriber Identity
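The AKA exchange in the figure (messages 51/53, the SGSN-HSS vector fetch that is not in the pcap, and the RES == XRES check), worked through as an added example with both sides' computations. This is not code from the assignment or from any 3GPP implementation: a labelled HMAC-SHA256 stands in for the operator's f1..f5 (real USIMs use Milenage), the AMF value, K and IMSI are constructed, and the class and function names are this example's own. What the protocol structure shows is exactly what the questions probe: AUTN lets the UE authenticate the network and reject replayed vectors, RES is what crosses the Iu-PS interface, and CK/IK are derived on both ends and only reach the RNC through the SGSN's Security Mode Command.

```python
import hashlib
import hmac
import os

# Parameter lengths in bytes (TS 33.102 / TS 33.105)
RAND_LEN, SQN_LEN, AMF_LEN, MAC_LEN, AK_LEN, RES_LEN, KEY_LEN = 16, 6, 2, 8, 6, 8, 16
AMF = b"\x80\x00"  # constructed AMF (Authentication Management Field) value


class AuthError(Exception):
    pass


def _f(k, label, data, n):
    # ASSUMPTION: a labelled HMAC-SHA256 stands in for the operator's f1..f5
    # (Milenage on real USIMs). The protocol structure, not the primitive, is the point.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(k, b"f1", sqn + rand + amf, MAC_LEN)  # MAC / XMAC
def f2(k, rand): return _f(k, b"f2", rand, RES_LEN)                        # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand, KEY_LEN)                        # CK
def f4(k, rand): return _f(k, b"f4", rand, KEY_LEN)                        # IK
def f5(k, rand): return _f(k, b"f5", rand, AK_LEN)                         # AK, conceals SQN


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """HSS/AuC: keeps K and SQN_HE per IMSI and generates authentication vectors."""
    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)  # IMSI -> (K, SQN_HE)

    def generate_av(self, imsi, rand=None):
        k, sqn = self.subscribers[imsi]
        sqn += 1                                    # fresh SQN for every vector
        self.subscribers[imsi] = (k, sqn)
        rand = os.urandom(RAND_LEN) if rand is None else rand
        sqn_b = sqn.to_bytes(SQN_LEN, "big")
        mac = f1(k, sqn_b, rand, AMF)
        autn = xor(sqn_b, f5(k, rand)) + AMF + mac  # AUTN = (SQN xor AK) || AMF || MAC
        return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
                "IK": f4(k, rand), "AUTN": autn}


class USIM:
    """UE side: verifies AUTN (network authentication), tracks SQN_UE, derives RES/CK/IK."""
    def __init__(self, imsi, k, sqn_ue=0):
        self.imsi, self.k, self.sqn_ue = imsi, k, sqn_ue

    def authenticate(self, rand, autn):
        ak = f5(self.k, rand)
        sqn_b = xor(autn[:SQN_LEN], ak)             # recover SQN from SQN xor AK
        amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
        mac = autn[SQN_LEN + AMF_LEN:]
        xmac = f1(self.k, sqn_b, rand, amf)
        if not hmac.compare_digest(xmac, mac):
            raise AuthError("MAC failure")          # AUTN was not made with my K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ue:                      # replayed or stale vector
            raise AuthError("synchronisation failure")  # a real USIM would return AUTS
        self.sqn_ue = sqn
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class SGSN:
    """Authenticator: forwards RAND||AUTN, compares RES with XRES, passes CK/IK to the RNC."""
    def __init__(self, auc):
        self.auc = auc

    def authenticate(self, usim, rand=None):
        av = self.auc.generate_av(usim.imsi, rand)               # SGSN <-> HSS (not in the pcap)
        res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])  # messages 51 and 53
        if not hmac.compare_digest(res, av["XRES"]):
            raise AuthError("RES != XRES")
        # CK/IK never cross the air interface; the RNC receives them from the SGSN in the
        # Security Mode Command (message 54), which is why IK is visible in the pcap.
        return {"CK": ck, "IK": ik, "RAND": av["RAND"], "AUTN": av["AUTN"]}


# Constructed subscriber for the demo; K and IMSI are not from the assignment's pcap.
K_TEST = bytes(range(16))
IMSI_TEST = "001010123456789"


def demo():
    auc, usim = AuC({IMSI_TEST: (K_TEST, 0)}), USIM(IMSI_TEST, K_TEST)
    ok = SGSN(auc).authenticate(usim)                   # normal attach
    outcomes = {"IK": ok["IK"].hex()}
    for name, autn in (("replay", ok["AUTN"]),           # same vector presented twice
                       ("tampered", ok["AUTN"][:-1] + bytes([ok["AUTN"][-1] ^ 1]))):
        try:
            usim.authenticate(ok["RAND"], autn)
            outcomes[name] = "accepted"
        except AuthError as e:
            outcomes[name] = str(e)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running the file performs one successful attach and then shows the two failure modes the USIM must handle: presenting the same RAND/AUTN again is refused on the SQN freshness check, and a single flipped bit in the MAC part of AUTN is refused before the SQN is even looked at. Wireshark cannot show you XMAC or SQN_UE, because they live only inside the USIM; all it sees are RAND, AUTN and RES on the Iu-PS interface.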

Please answer the following questions from the pcap file:

1. Packet 44: “Attach request” is the message that the UE sends to the SGSN (a non-access
stratum (NAS) message). It is received by the RNC and forwarded by the RNC to the SGSN
as a “direct transfer (DTAP)” message. Direct transfer messages carry NAS messages
between the UE and the SGSN in both directions on the Iu-ps interface. The “direct” in
“Direct Transfer” signifies that the RNC passes the message through without processing
its contents. Look into the attach request message.
The Mobile Identity Type is (enter the most appropriate identity type among the identity
type options shown by Wireshark): ________________
The value of the Mobile Identity in hex is (write this value starting with 0x....):
_______________

2. Packets 45/47: The SGSN requests the mobile to provide the IMEI number of the mobile.
The IMEI identifies the device: its Type Allocation Code (the first 8 digits) identifies the
manufacturer and model, and the remaining digits the individual unit.

What are the last 4 digits of the IMEI value in message 47: ____________

NOTE: The IMEI value in the pcap is not a valid IMEI (the UE is a simulator in a lab). You can
press *#06# on your phone and then go to this site to get more details about your
phone: https://www.imei.info/. It is interesting to note the kind of information that can
be obtained just by knowing your phone’s IMEI.

3. (not related to any pcap packets): Press *#06# on your phone and then go to this site to
get more details about your phone: https://www.imei.info/.
Provide any one piece of information that you learnt about your phone based on the
IMEI that surprised you. Please do not write “none”, there must be something that you
did not know your phone supported that you learnt from the IMEI lookup, for example, I
was not aware that my phone is dual-SIM capable. You can write free-text:
_______________

4. Packets 48/50: In this case the SGSN does not have the permanent identity of the
mobile (the IMSI), so the SGSN requests the mobile for its permanent identity. Look at
message 50 and answer:
What is the MCC value of the IMSI (three digits): ______________
What is the MNC value of the IMSI (three digits): ______________

NOTE: The country corresponding to the MCC is the Republic of Korea (South Korea). The
MNC value does not correspond to any known operator in South Korea. You can learn about
the current operators in any country from Wikipedia:
https://en.wikipedia.org/wiki/Mobile_country_code

Based on Wikipedia, how many mobile operators are currently operating in South
Korea: _________

5. Packets 51/53: Here the SGSN (acting as the authenticator) sends to the UE the RAND and AUTN
that it received from the HSS. (Since the pcap does not include a capture of the
interface between the SGSN and HSS, we do not have the messages that correspond to
the exchange between the SGSN and HSS.) The UE verifies the AUTN and responds with
RES.
What is the value of RES in message 53 (this is a hex number, please write it starting with
0x....):____________

NOTE: Though wireshark labels this as “XRES” or eXpected RESponse, this parameter is
called RES (RESponse) in 3GPP standards.

6. Packets 54/56: Here the SGSN sends the security mode command to the RNC, so that the RNC
can set up integrity protection and/or encryption with the UE. The message exchange
between the RNC and the UE is not captured in the pcap.
Does message 54 include any encryption-related information (Yes or No): _______

What are the last four digits of the integrity protection key in message 54 (just enter the
last four digits without any leading 0x): ___________
What is the name of integrity protection algorithm that the RNC has selected to use
with the UE (see message 56) (look up into the class notes to see what algorithm UIA1
corresponds to): ___________

7. Packet 58 (attach accept): In this message, the SGSN provides a new temporary identity
(P-TMSI) to the UE, so that the permanent identity (IMSI) is not sent multiple times over
the radio interface.
What is the value of the Temporary identity provided to the UE (in hex, write starting
with 0x....): ___________
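Questions 1, 2, 4 and 7 all come down to reading one information element, the Mobile Identity IE of 3GPP TS 24.008 (10.5.1.4), which carries the IMSI, IMEI or (P-)TMSI as packed BCD digits or as four binary octets. The decoder below is an added example, not code from the assignment or from Wireshark; the sample IE bytes are constructed (the test PLMN 001/01, a commonly quoted example IMEI, and a made-up P-TMSI) and are not values from 3g_attach.pcap. The helper names are this example's own. It also generalises a little beyond the questions: it encodes as well as decodes, and it computes the Luhn check digit that a real IMEI must carry, which is how you can confirm the note above that the simulator's IMEI is not a valid one.

```python
"""Mobile Identity IE (3GPP TS 24.008, 10.5.1.4) decoder, plus the IMSI/IMEI field splits
the assignment asks for. Input is the IE *value* (octet 3 onward), i.e. what Wireshark
shows under "Mobile Identity" once the IEI and length octets are stripped."""

IDENTITY_TYPES = {0: "No Identity", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI/P-TMSI"}
FILLER = 0xF  # pad nibble for an even digit count, and octet-3 high nibble for TMSI


def decode_mobile_identity(ie: bytes) -> dict:
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    octet3 = ie[0]
    type_id = octet3 & 0x07          # bits 1-3: type of identity
    odd = bool(octet3 & 0x08)        # bit 4: odd/even number of digits
    name = IDENTITY_TYPES.get(type_id, f"reserved({type_id})")
    if type_id == 4:                 # TMSI/P-TMSI: 4 binary octets, not BCD
        if len(ie) != 5 or octet3 >> 4 != FILLER:
            raise ValueError("TMSI/P-TMSI must be 0xF filler + 4 octets")
        return {"type": name, "hex": "0x" + ie[1:].hex().upper()}
    if type_id not in (1, 2, 3):
        return {"type": name, "digits": ""}
    nibbles = [octet3 >> 4]          # digit 1 lives in the high nibble of octet 3
    for b in ie[1:]:
        nibbles += [b & 0x0F, b >> 4]  # BCD, low nibble first
    if not odd:
        if nibbles[-1] != FILLER:
            raise ValueError("even digit count but last nibble is not the 0xF filler")
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD nibble in identity digits")
    return {"type": name, "digits": "".join(map(str, nibbles))}


def encode_mobile_identity(type_id: int, value) -> bytes:
    """Inverse of decode: digit string for IMSI/IMEI/IMEISV, int for TMSI/P-TMSI."""
    if type_id == 4:
        return bytes([FILLER << 4 | 4]) + int(value).to_bytes(4, "big")
    nibbles = [int(c) for c in str(value)]
    odd = len(nibbles) % 2 == 1
    out = [nibbles[0] << 4 | (0x08 if odd else 0) | type_id]
    rest = nibbles[1:] + ([] if odd else [FILLER])
    out += [hi << 4 | lo for lo, hi in zip(rest[0::2], rest[1::2])]
    return bytes(out)


def split_imsi(imsi: str, mnc_digits: int = 3) -> dict:
    """MCC is always 3 digits. The MNC is 2 or 3 digits and the IMSI does not say which;
    operator tables (e.g. the Wikipedia MCC list) decide. Default 3, as the questions ask."""
    if not (6 <= len(imsi) <= 15 and imsi.isdigit()) or mnc_digits not in (2, 3):
        raise ValueError("bad IMSI or MNC length")
    return {"MCC": imsi[:3], "MNC": imsi[3:3 + mnc_digits], "MSIN": imsi[3 + mnc_digits:]}


def imei_check_digit(first14: str) -> str:
    """Luhn check digit over TAC+SNR (TS 23.003 Annex B)."""
    total = 0
    for i, ch in enumerate(first14):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def describe_imei(imei: str) -> dict:
    """TAC (8 digits) identifies manufacturer and model; SNR (6) the unit; CD is the Luhn digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {"TAC": imei[:8], "SNR": imei[8:14], "CD": imei[14],
            "luhn_valid": imei[14] == imei_check_digit(imei[:14])}


def analyse(ie: bytes) -> dict:
    """Decode an IE and add the per-type fields the assignment questions ask about."""
    mi = decode_mobile_identity(ie)
    if mi["type"] == "IMSI":
        mi.update(split_imsi(mi["digits"]))
    elif mi["type"] == "IMEI":
        mi.update(describe_imei(mi["digits"]))
    return mi


# Constructed sample IE values (test PLMN 001/01, a commonly quoted example IMEI, a made-up
# P-TMSI); none of them are taken from 3g_attach.pcap.
SAMPLES = {
    "identity_response_imsi": bytes.fromhex("09 10 10 10 32 54 76 98"),  # IMSI 001010123456789
    "identity_response_imei": bytes.fromhex("4A 09 51 24 30 32 57 81"),  # IMEI 490154203237518
    "attach_accept_ptmsi":    bytes.fromhex("F4 C1 A2 B3 C4"),           # P-TMSI 0xC1A2B3C4
}

if __name__ == "__main__":
    for label, ie in SAMPLES.items():
        print(label, analyse(ie))
```

To use it on the real capture, select the Mobile Identity field in Wireshark's packet details, copy the value as a hex stream, and pass those bytes to analyse(). Two caveats worth keeping in mind when you answer: the IE does not record whether the MNC is 2 or 3 digits, so the split is a convention you supply; and a P-TMSI is four binary octets, which is why its answer is written as hex while the IMSI and IMEI are decimal digit strings.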

Analyzing this lab pcap should give you a good overview of the concepts that we discussed in
class and an appreciation of how the 3G system works.

In the next assignment we will analyze a pcap from a 4G system, where you will start identifying
similarities and differences from what you see in this pcap.

In the meantime, you can continue to explore the current pcap by looking at the different fields
and messages; e.g. look at the Routing Area Identity in message 58 and see how this value is
globally unique, i.e. no two operators will have the same value of RAI, because it embeds the
operator's MCC and MNC. A lot of thought has gone into designing identities in cellular networks
so that they are globally unique. You can start a discussion and/or ask questions on the Slack
channel for the assignment.

Additional information for reference:


RANAP protocol specification (3GPP TS 25.413)
3G security specification (3GPP TS 33.102)

Instructions

In order to automate and simplify the grading of your assignment, please go to quiz
section of the course on Bright Space. In the “Assignment 2: 3G PCAP Analysis”, answer
the questions there. You have only one attempt to answer the questions correctly.
Please ensure that you are answering the questions correctly and following the
instructions in the question, because once you submit you cannot update the answer
and the quiz will be graded automatically.

If you submitted the answer following the instructions provided, but you think that the
grading is incorrect, please send a 1:1 email to your assigned TA stating the question
number and why you think the automatic grading is incorrect. The TA may be able to
change your grade on the question, based on your explanation. The TA’s decision is
final. Please be polite.

This is the first time we are using the automatic grading feature of the system for “fill in
the blank” responses. So there can be mistakes in the way we have setup the automatic
grading, which we will correct once we learn about that.

The total points for this assignment is 100. Questions 1-7 except question 3, are worth
15 points each. Question 3 is 10 points.

Hand In

There is no hand-in for the assignment.


1. Please go to quiz section of the course on Bright Space. In the “Assignment 2: 3G
PCAP Analysis”, answer the questions there.
2. For submission, a few notes:
a. Hex digits are not case sensitive, so 0xD4C6, 0xd4c6, 0xD4c6 and 0xd4C6
are all the same response.
b. If you are requested to enter digits, just enter the digits without any
leading 0x.
c. Text entry is also case-insensitive, so both P-TMSI and p-tmsi are the same
response
3. You are allowed only one attempt to submit the assignment. So please make sure
you read the question and the instructions correctly.
4. Once you submit the assignment, you will be able to see your grade in the
assignment immediately.
