City Research Online. Permanent City Research Online URL:

Similar documents
ETSI TS V3.5.0 ( )

ETSI TS V3.4.0 ( )

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

Security functions in mobile communication systems

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

ETSI TS V3.1.0 ( )

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

USIM based Authentication Test-bed For UMTS-WLAN Handover 25 April, 2006

ETSI TR V ( )

Wireless Communications and Mobile Computing

Designing Authentication for Wireless Communication Security Protocol

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup

EP B1 (19) (11) EP B1 (12) EUROPEAN PATENT SPECIFICATION

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

Questioning the Feasibility of UMTS GSM Interworking Attacks

Key Management Protocol for Roaming in Wireless Interworking System

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Request for Comments: Cisco Systems January 2006

GPRS Security for Smart Meters

UMTS System Architecture and Protocol Architecture

Mobile Security Fall 2013

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Diminishing Signaling Traffic for Authentication in Mobile Communication System

Talk 4: WLAN-GPRS Integration for Next-Generation Mobile Data Networks

UMTS Authentication and Key Agreement - A comprehensive illustration of AKA procedures within the UMTS system

Basics of GSM in depth

A secure GSM-based electronic Murabaha transaction. 2. Background

3G TS V3.1.0 ( )

EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction

Security Management System of Cellular Communication: Case Study

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

Secure 3G user authentication in ad-hoc serving networks

EUROPEAN ETS TELECOMMUNICATION July 1998 STANDARD

Secure military communications on 3G, 4G and WiMAX

UNIVERSAL MOBILE TELECOMMUNICATIONS

Analysis and Modeling of False Synchronizations in 3G- WLAN Integrated Networks

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

City Research Online. Permanent City Research Online URL:

Cellular Communication

Implementation of Enhanced AKA in LTE Network

UMTS Addresses and Identities Mobility and Session Management

ETSI TS V5.3.0 ( )

ETSI TS V ( )

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

LTE Security How Good Is It?

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

Chapter 3 GSM and Similar Architectures

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

T325 Summary T305 T325 B BLOCK 2 4 PART III T325. Session 1 Block III Part 2 Section 2 - Continous Network Architecture. Dr. Saatchi, Seyed Mohsen

UMTS Security Features. Technical Brief

New Privacy Issues in Mobile Telephony: Fix and Verification

3GPP TS V ( )

Security of Cellular Networks: Man-in-the Middle Attacks

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

Modifying Authentication Techniques in Mobile Communication Systems

PORTABLE communication systems (PCSs) do not require

3GPP TS V4.0.0 ( )

Securing SMS of a GSM Network Message Center Using Asymmetric Encryption Technique Algorithm.

City, University of London Institutional Repository. This version of the publication may differ from the final published version.

3GPP TS V6.6.0 ( )

3G TS V1.0.0 ( )

3GPP TR V4.0.0 ( )

3GPP TS V9.4.0 ( )

The security of existing wireless networks

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems. Henri Gilbert Orange Labs.

Integration of voice and data in an m-commerce situation

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

JP-3GA (R99) Unstructured Supplementary Service Data (USSD); Stage 1

ETSI TS V4.0.0 ( )

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

Analysis of a Multiple Content Variant Extension of the Multimedia Broadcast/Multicast Service

Rab Nawaz Jadoon. Cellular Systems - II DCS. Assistant Professor. Department of Computer Science. COMSATS Institute of Information Technology

JP-3GA (R99) Super Charger ; Stage 2

3GPP TS V4.2.0 ( )

ETSI TS V6.4.0 ( )

Understanding Carrier Wireless Systems

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

ETSI TS V6.3.0 ( )

Federated access service authorization

GPRS and UMTS T

Insights Into the SMS Industry and Market Trends

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

Mobility and Security Management in the GSM System

E2-E3: CONSUMER MOBILITY. CHAPTER-5 CDMA x OVERVIEW (Date of Creation: )

Authentication Across Heterogeneous Networks

Chapter 13 Location Privacy

Please refer to the usage guidelines at or alternatively contact

TS-3GA (R99)v3.6.0 Serving GPRS Support Node SGSN - Visitors Location Register (VLR); Gs Interface Layer 3 Specification

OVERCOMING CHANNEL BANDWIDTH CONSTRAINTS IN SECURE SIM APPLICATIONS

System Architecture Evolution

ETSI TS V (201

Due to the many benefits provided by both the third-generation (3G) mobile networks and the IEEE wireless local area networks (WLANs), it is

A Design of Authentication Protocol for a Limited Mobile Network Environment

Radiator. EAP-SIM and EAP- AKA Support

Wireless Security Security problems in Wireless Networks

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

ETSI TS V1.1.1 ( )

ETSI TS V4.0.0 ( )

Transcription:

Komninos, N. & Dimitriou, T. (2006). Adaptive authentication and key agreement mechanism for future cellular systems. Paper presented at the 15th IST Mobile & Wireless Communications Summit, 04-08 June 2006, Mykonos, Greece. City Research Online Original citation: Komninos, N. & Dimitriou, T. (2006). Adaptive authentication and key agreement mechanism for future cellular systems. Paper presented at the 15th IST Mobile & Wireless Communications Summit, 04-08 June 2006, Mykonos, Greece. Permanent City Research Online URL: http://openaccess.city.ac.uk/2492/ Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of research The version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper. Enquiries If you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at publications@city.ac.uk.

1 Adaptive Authentication & Key Agreement Mechanism for Future Cellular Systems N. Komninos, Member, IEEE and T. Dimitriou, Member, IEEE Abstract Since the radio medium can be accessed by anyone, authentication of users is a very important element of a mobile network. Nowadays, in GSM/GPRS a challenge response protocol is used to authenticate the user to the mobile network. Similarly, in third generation mobile systems [3] a challenge response protocol was chosen in such a way as to achieve maximum compatibility with the current GSM security architecture. Both authentication mechanisms use symmetric key cryptography because of the limited processing power of the mobile devices. However, recent research [6] has shown that asymmetric, or public, key cryptography can be enabled successfully in future mobile terminals. In this paper, we propose a new adaptive authentication and key agreement protocol (AAKA) for future mobile communication systems. The novelty of AAKA and its main advantage over other challenge response protocols is that can be adaptive to the mobile environment and use symmetric and/or public key cryptography for user and network authentication. Index Terms Authentication, GSM, UMTS, Key Agreement T I. INTRODUCTION HE GSM network authenticates the identity of the subscriber through the use of a challenge response protocol [5]. Authentication involves two functional entities, the subscriber identity module (SIM) card in the mobile station (MS), and the authentication centre (AUC) in the network. Each subscriber is given a secret key, one copy of which is stored in the SIM card and the other in the AUC. An overview of the challenge response protocol is shown in Fig. 1. MS/SIM VLR HLR/AUC Fig. 1.Authentication and Key Agreement in GSM / TMSI S / TMSI, S, Kc N. Komninos is with the Athens Institute of Technology, 19002 Peania, Attiki, Greece (phone: 210-6682801; fax: 210-6682703; e-mail: nkom@ait.edu.gr). T. Dimitriou is with the Athens Institute of Technology, 19002 Peania Attiki, Greece (e-mail: tdim@ait.edu.gr). Upon receipt of an international mobile subscriber identity () from the visitor location register (VLR), the AUC searches in the database for the corresponding subscribers authentication key (Ki). During authentication, the AUC generates a 128-bit random number () that it sends to the mobile. Both the mobile and the AUC then use the random number, in conjunction with the subscriber's secret key and the authentication algorithm (A3), to generate a 32- bit signed response (S) that is sent back to the AUC. Note that Ki is never transmitted over the radio channel. It is present in the subscriber's SIM, as well as the AUC, home location register (HLR), and VLR databases. If the number sent by the mobile is the same as the one calculated by the AUC, the subscriber is authenticated. Otherwise, if the number does not agree with the calculated one the connection is terminated and an authentication failure indicated to the MS. Furthermore, the SIM contains the ciphering key generating mechanism algorithm (A8) which is used to produce 64 bit ciphering key (Kc). The ciphering key is computed by applying the same random number () used in the authentication process to the ciphering key generating algorithm (A8) with the individual subscriber authentication key (Ki). In addition, the Kc is used to encrypt and decrypt the data between the MS and VLR. On the other hand, in the authentication and key agreement mechanism described in 3G security specifications [3], the subscriber and network authenticate each other, and also they agree on cipher and integrity key. The authentication method was chosen by 3GPP in such a way as to achieve maximum compatibility with the current GSM security architecture and facilitate migration from GSM to UMTS. The method is composed of a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence number-based one-pass protocol for network authentication derived from [4]. The subscriber and the network share a secret key K that is available only to the universal SIM (USIM) and the AUC in the user's home environment (HE). In addition the USIM and the HE keep track of sequence numbers ( ME, HE) to support network authentication. The sequence number HE is an individual counter for each subscriber and the sequence number ME denotes the highest sequence

2 number the USIM has accepted. An overview of the mechanism is shown in Fig. 2. ME/USIM VLR/SGSN HE/HLR The established keys CK and IK will then be transferred by the USIM and the VLR/SGSN to the entities which perform ciphering and integrity functions. Note that USIM and VLR/SGSN use f1, and f2 message authentication functions and f3, f4, f5 key generating functions. User Identity Request User Identity Response Request (i) AUTN(i) Response (i) Reject - CAUSE Fig. 2.Authentication and Key Agreement in UMTS Request - Response AV(1..n) Compare (i) and X(i) When a user registers for the first time in a serving network, or when the serving network cannot retrieve the from the temporary MSI (TMSI) by which the user identifies itself on the radio path, the VLR/serving GPRS support node (SGSN) requests the user to send its permanent identity. The user s response contains the in cleartext. Then, VLR/SGSN requests authentication data from the HE by sending the to the requesting node. Upon receipt of a request from the VLR/SGSN, the HE/HLR sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the VLR/SGSN. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a 128-bit random number (), an expected response (X), a 128-bit cipher key (CK), a 128-bit integrity key (IK) and an authentication token (AUTN). Different authentication vectors are used for each authentication and key agreement between the VLR/SGSN and the USIM. ordered array and sends the parameters and AUTN to the user. Upon receipt of and AUTN the USIM first computes the 48-bit anonymity key (AK) and retrieves the sequence number (). Then it computes XMAC and compares with the MAC which is included in AUTN [3]. Next the USIM verifies that the received is in the correct range. Finally, the USIM checks whether AUTN can be accepted and, if so, produces a variable in size, 4 to 16 bytes, response () which is sent back to the VLR/SGSN. The USIM also computes 128-bit CK and IK [3]. The VLR/SGSN compares the received with X. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed. II.ADAPTIVE AUTHENTICATION AND KEY AGREEMENT MECHANISM The adaptive authentication and key agreement protocol (AAKA) is a challenge/response protocol that uses symmetric or public key cryptography to overcome security problems in 3G. These problems are related with, IMEI, and manin-the-middle attacks. In 3G security specifications, for example, the is transmitted in cleartext when allocating TMSI to the user. Furthermore, the transmission of IMEI, which is not considered as a security parameter, is not protected. In addition, man-in-the-middle attacks are possible in 3G networks with disabled encryption. In AAKA, users and network can be authenticated using public key encryption. Public key schemes can be enabled in future mobile terminals based on novel methods described in [6]. In particular, multiple crypto-processors can be used to perform public key complex computations [6]. The cryptoprocessor can be located either in a second cryptographic SIM card (CSIM) or in the mobile terminal itself. If we consider the network structure in Fig. 3, then authentication will involve three functional entities; the USIM, the CSIM and the AUC. 2G / 2.5G 3G / 4G 2G / 2.5G BS 3G / 4G Radio Access Control IP Radio Access Network Fig. 3.Public Key Infrastructure in Future Mobile Networks VLR HLR AUC EIR Circuit Switched Network Packet Switched Network The subscriber and the network share a secret key K, and two public key pairs (P ME and S ME, P HE and S HE). The mobile equipment (ME), MS in 2G-2.5G, contains K, P HE and S ME stored either in the CSIM or USIM. Likewise, VLR/SGSN

3 and HLR/AUC contain K, P ME, P HE and S HE in their databases. Similarly to 3G security specifications the CSIM/USIM and the HE keep track of sequence numbers to support network authentication. An overview of the AAKA mechanism is shown in Fig. 4. ME/USIM/CSIM VLR/SGSN HE/HLR User Identity Request AT User Identity Response E[] Request E[(i) (i)] Response E[(I)] Reject - CAUSE Request - E[] Response - E[AV(1..n)] Compare (i) and X(i) Fig. 4.Adaptive Authentication and Key Agreement Protocol Flow When a user registers for the first time in a serving network, he/she will be assigned an authentication type (AT) number. The AT defines which encryption algorithm will be used and whether symmetric or public key encryption will be used in AAKA. Then AT will be sent to ME when the serving network requests user s permanent identity. Upon request of the, the user will respond with an encrypted, based on AT,. When public key encryption are applied the is first signed with ME s secret key and then encrypted with its public key, P HE[S ME(H()), ], as shown in Fig. 5. AV f1 / f2 Compare H'( ) with H( ) H( ) H'( ) H( ) AV S ME / S HE f1/f3 P ME S ME / HE ( ) S ME / HE ( ) P HE / P ME P HE [S ME ()] Fig. 5. Encryption/Decryption in AAKA using Public Key Cryptography and Digital Signatures S HE Encryption Decryption Upon receipt of the encrypted, VLR/SGSN forwards it to HE. Then HE/AUC first decrypts the signature and then retrieves the. Next, the HE/AuC sends an authentication response back to the VLR/SGSN that contains an encrypted and signed (Fig. 5) array of n authentication vectors AV(1..n). Each authentication vector consists of the following components: a 152-bit, an X, a 128-bit CK, a 128-bit IK and a 48-bit. Note that contains 24 additional bits, which are used to identify AT in the specified /T. Similarly to UMTS each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM/CSIM. ordered array and sends the parameters and signed and encrypted to the user (Fig. 5). Upon receipt of and the USIM/CSIM first retrieves the and. Next the USIM/CSIM verifies that the received is in the correct range and if so, the USIM produces a variable in size, 4 to 16 bytes, that is sent encrypted, with P HE, back to the VLR/SGSN. VLR/SGSN decrypts and compares with X to authenticate ME. Upon authentication, the USIM/CSIM also computes 128-bit CK and IK to protect the air interface as presented in UMTS specifications [3]. The VLR/SGSN compares the received with X. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be used to perform ciphering and integrity functions. Similarly to UMTS, USIM/CSIM and VLR/SGSN use f1, and f2 message authentication functions and f3, f4, f5 key generating functions. On the other hand when symmetric key encryption is used, the is encrypted using the f8 stream cipher and the authentication key (AK), which is computed from P HE and K as shown in Fig. 6. As mentioned before, upon receipt of the, VLR/SGSN forwards it to HE/AUC which first computes the AK and then retrieves the. Next, the HE/AUC sends an encrypted authentication response back to the VLR/SGSN that contains a 152-bit, an X, a 128-bit CK, a 128-bit IK and a 48-bit. ordered array and sends the parameters and encrypted (Fig. 6) to the user. Next, the USIM/CSIM produces a variable in size, 4 to 16 bytes, which is sent encrypted back to the VLR/SGSN. Upon receipt of the encrypted, VLR/SGSN decrypts and compares the with X to authenticate the user. The air interface then is protected as presented in the UMTS specifications.

4 P HE K f3 / f4 / f5 P HE K f3 / f4 / f5 AK AK f8 f8 K ()] Encryption Decryption [2] 3GPP TS 33.120, "3rd Generation Partnership Project (3GPP); Technical Specification Group (TSG) SA; 3G Security; Security Principles and Objectives", 2004 [3] 3GPP TS 33.102, 3rd Generation Partnership Project (3GPP); Technical Specification Group (TSG) SA; 3G Security; Security Architecture", 2004 [4] ISO/IEC 9798-4, "Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function", 2004 [5] ETSI GSM 03.20, Digital cellular telecommunications systems (Phase 2+); Security related network functions, 2000 [6] N. Komninos and B. Honary, Novel Methods for Enabling Public Key Schemes in Future Mobile Systems, In 3rd International Conference on 3G Mobile Communication Technologies, IEE Conference Publication 489, ISBN 0 85296 749 7, UK, 2002, pp. 455-458. [7] H. Haverinen, N. Asokan, and T. Maattanen, Authentication and key generation for mobile IP using GSM authentication and roaming IEEE International Conference on Communications, 11-14 June 2001 Page(s):2453-2457 vol.8. [8] T. Yuh-Ren and C. Cheng-Ju, SIM-based subscriber authentication for wireless local area networks, 37th IEEE International Carnahan Conference on Security Technology, 14-16 Oct. 2003 Page(s):468 473. [9] L. Wei and W. Wenye, A lightweight authentication protocol with local security association control in mobile networks IEEE Military Communications Conference, 31 Oct.-3 Nov. 2004 Page(s):225 231, vol. 1. [10] J. Jong Min, L. Goo Yeon, and L. Yong, Mutual authentication protocols for the virtual home environment in 3G mobile network, IEEEGlobal Telecommunications Conference, 17-21 Nov. 2002 Page(s):1658 1662, vol.2. Fig. 6.Encryption/Decryption in AAKA using Symmetric Key Cryptography III. CONCLUSION In this paper an adaptive authentication and key distribution protocol (AAKA) was presented that can be applied in future mobile communication systems. AAKA is a challenge response protocol that uses symmetric and/or public key cryptography for user and network authentication. The novelty of AAKA and its main advantage over other challenge response protocols is that can be adaptive to the mobile environment. For example, when a customer registers for the first time in a serving network an authentication type (AT) can be assigned based on the level of security he/she requested. In AAKA we have defined two types of authentication; authentication using public key encryption and authentication using symmetric key encryption. Authentication using public key schemes requires several crypto-processors embedded to mobile devices for public key complex computations. However, when a subscriber has assigned authentication with public key encryption the VLR/SGSN still can use symmetric encryption if the network is overloaded at the time of AAKA. The additional information in informs VLR/SGSN whether symmetric or public key encryption will be used in AAKA. REFERENCES [1] 3GPP TS 21.133, "3rd Generation Partnership Project (3GPP); Technical Specification Group (TSG) SA; 3G Security; Security Threats and Requirements", 2004

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback