Detect ciphered NAS over S1AP

Question

Hello,

We have seen cases were ciphered NAS header actually contains plain NAS. How is wireshark detects if the message is ciphered or plain NAS?

Thanks, Emi

Answer 1

Hi, recent Wireshark versions are using a basic heuristic: if the security header type is 2 or 4 and the MAC is not 0, then it checks the protocol discriminator to see whether it's in the allowed range.

    if ((security_header_type == 2)||(security_header_type == 4)) {
        /* Possible ciphered message */
        if (msg_auth_code != 0) {
            /* Sequence number  Sequence number 9.6 M   V   1 */
            proto_tree_add_item(nas_eps_tree, hf_nas_eps_seq_no, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            /* Integrity protected and ciphered = 2, Integrity protected and ciphered with new EPS security context = 4 */
            /* Read security_header_type / EPS bearer id AND pd */
            pd = tvb_get_guint8(tvb,offset);
            /* If pd is in plaintext this message probably isn't ciphered */
            if ((pd != 7) && (pd != 15) &&
                (((pd&0x0f) != 2) || (((pd&0x0f) == 2) && ((pd&0xf0) > 0) && ((pd&0xf0) < 0x50)))) {
                proto_tree_add_text(nas_eps_tree, tvb, offset, len-6,"Ciphered message");
                return;
            }

This heuristic might consider some ciphered messages as plain and try to decode it. But it should not detect a plain message as being ciphered. At least it allows to try to decode some messages in EEA0 but with integrity activated. Depending on the Wireshark version you use, you might have a slightly different heuristic (it was refined several times).