This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Detect ciphered NAS over S1AP


Hello,

We have seen cases where the ciphered NAS header actually contains plain NAS. How does Wireshark detect whether the message is ciphered or plain NAS?

Thanks, Emi

asked 01 Oct '14, 04:53


Dianalab9
accept rate: 0%


One Answer:


Hi, recent Wireshark versions use a basic heuristic: if the security header type is 2 or 4 and the MAC is not 0, then it checks the protocol discriminator to see whether it's in the allowed range.

    if ((security_header_type == 2)||(security_header_type == 4)) {
        /* Possible ciphered message */
        if (msg_auth_code != 0) {
            /* Sequence number  Sequence number 9.6 M   V   1 */
            proto_tree_add_item(nas_eps_tree, hf_nas_eps_seq_no, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            /* Integrity protected and ciphered = 2, Integrity protected and ciphered with new EPS security context = 4 */
            /* Read security_header_type / EPS bearer id AND pd */
            pd = tvb_get_guint8(tvb,offset);
            /* If pd is in plaintext this message probably isn't ciphered:
             * 0x07 = EMM with security header type 0, 0x0f = test procedures PD,
             * low nibble 2 = ESM, whose high nibble (EPS bearer id) must be 0 or 5..15 */
            if ((pd != 7) && (pd != 15) &&
                (((pd&0x0f) != 2) || (((pd&0x0f) == 2) && ((pd&0xf0) > 0) && ((pd&0xf0) < 0x50)))) {
                proto_tree_add_text(nas_eps_tree, tvb, offset, len-6,"Ciphered message");
                return;
            }
            /* Otherwise fall through and dissect the inner message as plain NAS */
        }
    }

This heuristic might consider some ciphered messages as plain and try to decode them. But it should not detect a plain message as being ciphered. At least it allows trying to decode some messages in EEA0 but with integrity activated. Depending on the Wireshark version you use, you might have a slightly different heuristic (it was refined several times).

answered 01 Oct '14, 07:21


Pascal Quantin
accept rate: 30%
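To make the heuristic concrete, here is a stand-alone C implementation of the same decision run over a few NAS EPS PDUs. This is an added illustration, not Wireshark's own code: the enum, function and sample names are invented for the example, and the PDU bytes are constructed by hand (not taken from a capture), with filler after the first inner octet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the Wireshark-style "is this NAS PDU ciphered?" heuristic. */
enum nas_class {
    NAS_TOO_SHORT,        /* buffer shorter than the security header needs */
    NAS_PLAIN,            /* security header type 0: plain NAS message */
    NAS_SERVICE_REQUEST,  /* security header type 12: SERVICE REQUEST, never ciphered */
    NAS_INTEGRITY_ONLY,   /* type 1 or 3: integrity protected, not ciphered */
    NAS_LIKELY_PLAIN,     /* type 2 or 4, but the inner octet looks like plaintext */
    NAS_CIPHERED,         /* type 2 or 4 and the inner octet does not look like plaintext */
    NAS_UNKNOWN_SHT       /* reserved security header type, not covered by the heuristic */
};

/*
 * First octet of the inner (unprotected) message: high nibble is the security
 * header type (EMM) or the EPS bearer identity (ESM), low nibble is the
 * protocol discriminator. Returns 1 when that octet is consistent with
 * plaintext, using the same condition as the dissector excerpt in the answer.
 */
static int inner_octet_looks_plain(uint8_t pd)
{
    uint8_t ebi = pd & 0xf0;

    if (pd == 0x07)               /* EMM (PD 7) with security header type 0 */
        return 1;
    if (pd == 0x0f)               /* test procedures PD, never ciphered */
        return 1;
    if ((pd & 0x0f) == 0x02)      /* ESM (PD 2): EBI 1..4 are reserved */
        return !(ebi > 0x00 && ebi < 0x50);
    return 0;                     /* any other PD is not valid plaintext */
}

/*
 * Classify a NAS EPS PDU. For security protected PDUs the layout is:
 *   octet 1      security header type (high nibble) | PD (low nibble)
 *   octets 2..5  message authentication code
 *   octet 6      sequence number
 *   octet 7..    inner NAS message (plain or ciphered)
 * When an inner message exists, *inner_off receives its offset so a caller
 * can go on to decode it (offset 0 for plain PDUs).
 */
enum nas_class classify_nas_eps(const uint8_t *buf, size_t len, size_t *inner_off)
{
    if (len < 1)
        return NAS_TOO_SHORT;

    uint8_t sht = buf[0] >> 4;
    if (inner_off) *inner_off = 0;

    if (sht == 0)
        return NAS_PLAIN;
    if (sht == 12)
        return NAS_SERVICE_REQUEST;
    if (len < 7)
        return NAS_TOO_SHORT;

    uint32_t mac = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                   ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    if (inner_off) *inner_off = 6;

    if (sht == 1 || sht == 3)
        return NAS_INTEGRITY_ONLY;
    if (sht != 2 && sht != 4)
        return NAS_UNKNOWN_SHT;

    /* Possible ciphered message. As in the excerpt, an all-zero MAC skips the
     * check and decoding of the inner message is attempted anyway. */
    if (mac == 0)
        return NAS_LIKELY_PLAIN;
    return inner_octet_looks_plain(buf[6]) ? NAS_LIKELY_PLAIN : NAS_CIPHERED;
}

/* Constructed sample PDUs (not captured traffic); bytes after the inner octet are filler. */
const uint8_t SAMPLE_PLAIN_ATTACH[]    = { 0x07, 0x41, 0x71, 0x08 };                               /* plain EMM Attach request */
const uint8_t SAMPLE_EEA0_INTEGRITY[]  = { 0x27, 0xa1, 0xb2, 0xc3, 0xd4, 0x05, 0x07, 0x42, 0x01 }; /* type 2, inner EMM in clear (EEA0) */
const uint8_t SAMPLE_CIPHERED[]        = { 0x27, 0xa1, 0xb2, 0xc3, 0xd4, 0x05, 0x9a, 0x3e, 0xc1 }; /* type 2, inner 0x9a: PD 0xa is not valid */
const uint8_t SAMPLE_ESM_EBI5[]        = { 0x27, 0xa1, 0xb2, 0xc3, 0xd4, 0x06, 0x52, 0x01, 0xc1 }; /* inner ESM with EBI 5: plaintext */
const uint8_t SAMPLE_ESM_EBI2[]        = { 0x27, 0xa1, 0xb2, 0xc3, 0xd4, 0x06, 0x22, 0x01, 0xc1 }; /* inner ESM with reserved EBI 2: ciphered */
const uint8_t SAMPLE_ZERO_MAC[]        = { 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9a, 0x3e, 0xc1 }; /* type 4 but MAC 0: decode attempted */
const uint8_t SAMPLE_INTEGRITY_ONLY[]  = { 0x17, 0xa1, 0xb2, 0xc3, 0xd4, 0x07, 0x07, 0x42, 0x01 }; /* type 1 */
const uint8_t SAMPLE_FALSE_PLAIN[]     = { 0x27, 0xa1, 0xb2, 0xc3, 0xd4, 0x08, 0x07, 0x9f, 0x33 }; /* ciphertext that happens to start with 0x07 */
const uint8_t SAMPLE_SERVICE_REQUEST[] = { 0xc7, 0x12, 0x34 };                                     /* type 12 */

const char *nas_class_name(enum nas_class c)
{
    static const char *names[] = { "too short", "plain", "service request", "integrity only",
                                   "likely plain", "ciphered", "unknown security header type" };
    return names[c];
}

int main(void)
{
    size_t off;
    enum nas_class c = classify_nas_eps(SAMPLE_EEA0_INTEGRITY, sizeof SAMPLE_EEA0_INTEGRITY, &off);
    printf("EEA0+integrity sample: %s, inner message at offset %zu\n", nas_class_name(c), off);
    c = classify_nas_eps(SAMPLE_CIPHERED, sizeof SAMPLE_CIPHERED, &off);
    printf("ciphered sample: %s\n", nas_class_name(c));
    c = classify_nas_eps(SAMPLE_FALSE_PLAIN, sizeof SAMPLE_FALSE_PLAIN, &off);
    printf("ciphertext starting with 0x07: %s (the false negative the answer warns about)\n", nas_class_name(c));
    return 0;
}
```

The last sample shows the limit the answer describes: 14 of the 256 possible inner octets (0x07, 0x0f, and 0x?2 with a high nibble of 0 or 5..15) pass the plaintext check, so roughly one ciphered message in eighteen is handed to the plain NAS decoder and produces garbage fields rather than a "Ciphered message" marker; the reverse error, a genuinely plain inner message flagged as ciphered, cannot happen with this condition.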

This helps us a lot! Thanks!

(01 Oct '14, 08:07) Dianalab9

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(01 Oct '14, 08:46) grahamb ♦