Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection
Authors: Jing-Lin Wu, Wen-Shenq Juang and Sian-Teng Chen
Department of Information Management, Shih Hsin University, Taipei, Taiwan.

Agenda
- Introduction
- Review related work
- Our proposed scheme
- Security and performance analysis
- Discussion
- Conclusion

Introduction
GSM system is widely used
Privacy issue
Some problems with GSM
- Attacks on GSM
- Billing controversy

Review work
GSM AKA
- Pointed out to have some security problems
Choi et al.'s AKA scheme
- Partially improves the privacy problem
- Scheme for MS receiving an identity request
- More efficient

Choi et al.'s GSM AKA
Depends on the A3, A5 and A8 algorithms
Security
- Mutual authentication
- Complete privacy protection against location privacy attacks?
- Withstands the redirection attack and the corrupted network attack?
Efficiency
- Uses the temporary key mechanism

Notations
HLR: The home location register.
VLR: The visitor location register.
TMSI: The temporary mobile subscriber identity.
IMSI: The international mobile subscriber identity.
LAI: The location area identity.
A3(): The authentication algorithm.
A5(): The encryption algorithm.
A8(): The cipher key generation algorithm.
K: The common shared key between HLR and MS.
VH: The symmetric encryption/decryption key between VLR and HLR.
SRES: The expected response.
w_i: The secret token.
The concatenation symbol.

Choi et al.'s AKA while MS receiving an identity request
Parties: MS, VLR, HLR
1. VLR -> MS: Identity request
2. MS -> VLR: AL, HLR_ID, SRES1, E_Ku(RAND)
3. VLR -> HLR: VLR_ID, E_VH(AL), E_Ku(RAND)
4. HLR -> VLR: SRES2, HLR_ID, E_VH(RAND TK IMSI)
5. VLR -> MS: E_TK(TMSI_new), RAND
Check: SRES1 ?= SRES2
K_u = f(IMSI HLR_ID K)

Some problems of Choi et al.'s AKA
Partial privacy protection
- Easy to trace through the alias
Vulnerable to some attacks
- The redirection attack
- The corrupted network attack
- The modification attack
- TMSI verifying

Our proposed schemes
Proposed scheme
- Proposed scheme while MS receiving an identity request
Improves on some problems of Choi et al.'s scheme
- Full privacy protection for MS
- Based on the A3, A5 and A8 algorithms
- Secret token for protecting IMSI

Proposed scheme while MS receiving an identity request
Parties: MS, VLR, HLR
1. VLR -> MS: Identity request, N_3
2. MS -> VLR: P_i, ID_HLR, SRES1, VAC, RAND, r_i
3. VLR -> HLR: ID_VLR, P_i, SRES1, VAC, RAND, r_i
4. HLR -> VLR: N_4, E_VH(IMSI TK SRES2 T_{i+1} MAC r_{i+1})
5. VLR -> MS: AUTH, T_{i+1}, r_{i+1}, MAC, N_4, E_TK(TMSI_new)
P_i = IMSI w_i = IMSI A3(x r_i)
T_{i+1} = w_{i+1} A3(K r_{i+1})

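The identity-hiding step of the proposed scheme, as an added sketch that is not the authors' code: the MS unmasks the secret token w_i from T_i and sends P_i in place of the IMSI, so the value seen on the air changes every session while the HLR can still recover the IMSI. Assumptions: the operators lost from the slide are XOR and concatenation, x is a secret held only by the HLR, HMAC-SHA256 stands in for A3, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

IMSI_LEN = 8  # constructed: 15-digit IMSI packed as BCD with an 'f' pad nibble

def a3(key: bytes, r: bytes) -> bytes:
    """Stand-in for A3(key, r); the real A3 is operator-specific (assumption)."""
    return hmac.new(key, r, hashlib.sha256).digest()[:IMSI_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def hlr_issue_token(x: bytes, K: bytes, r: bytes) -> bytes:
    """HLR: T = w XOR A3(K, r), where the secret token is w = A3(x, r)."""
    return xor(a3(x, r), a3(K, r))

def ms_masked_identity(imsi: bytes, K: bytes, T: bytes, r: bytes) -> bytes:
    """MS: recover w from T using K, then send P = IMSI XOR w (message 2)."""
    w = xor(T, a3(K, r))
    return xor(imsi, w)

def hlr_recover_imsi(x: bytes, P: bytes, r: bytes) -> bytes:
    """HLR: recompute w = A3(x, r) from the received r and unmask P."""
    return xor(P, a3(x, r))

def run_sessions(n: int = 3):
    """Return the IMSI and the P_i values an eavesdropper would observe."""
    x = secrets.token_bytes(16)                # HLR-only secret (assumed role)
    K = secrets.token_bytes(16)                # key shared by HLR and MS
    imsi = bytes.fromhex("001010123456789f")   # constructed test IMSI
    r = secrets.token_bytes(16)
    T = hlr_issue_token(x, K, r)               # token from the previous run
    observed = []
    for _ in range(n):
        P = ms_masked_identity(imsi, K, T, r)
        if hlr_recover_imsi(x, P, r) != imsi:
            raise ValueError("HLR failed to recover the IMSI")
        observed.append(P)
        r = secrets.token_bytes(16)            # r_{i+1}
        T = hlr_issue_token(x, K, r)           # T_{i+1}, carried in messages 4 and 5
    return imsi, observed

if __name__ == "__main__":
    imsi, observed = run_sessions()
    for i, P in enumerate(observed):
        print(f"session {i}: P_i = {P.hex()}")
```

A fixed alias, by contrast, would appear as the same value in every run, which is what makes it traceable.
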
Security analysis
Mutual authentication
Identity privacy protection
Secret token protection
Withstanding attacks
- Man-in-the-middle attack
- Dictionary attack
- Replay attack
- Modification attack

Security comparisons
Our scheme Chang et al. Choi et al. GSM Peinado
S1 Partial S2 S3 S4 S5 S6 N/A N/A S7
S1: Identity privacy
S2: Mutual authentication between MS and VLR
S3: Preventing the replay attack
S4: Preventing the redirection attack
S5: Preventing the corrupted network attack
S6: Preventing the modification attack while VLR assigns a new TMSI
S7: Time synchronization problem

Functionality comparisons
Our scheme Chang et al. Choi et al. GSM Peinado
C1 High C2 High High C3 C4 High C5 High
C1: The computation cost for MS
C2: The computation cost for HLR
C3: The computation cost for VLR
C4: The communication cost between HLR and VLR
C5: The space overhead for VLR

Performance considerations while MS receiving an identity request
E1 E2 E3 E4 E5 E6
Our scheme 352 bits 160 bits 320 bits 1 Sym + 1 H + 2 XOR 2 Sym + 1H
Chang et al. 128 bits 146 bits 128 bits 2 Sym + 2 H 2 Sym 2 H 1 Sym + 7 H + 2 XOR
Choi et al. 192 bits 160 bits 192 bits 2 Sym + 3 H 3 Sym 3 Sym + 3 H
GSM 192 bits (224 n) bits 128 bits 1 Sym + 2 H 1 Sym (2 n) H
Peinado 832 bits 146 bits 640 bits 1 Exp + 1 Sym + 3 H 1 Sym 1 Exp + 2 H
E1: Memory needed in MS
E2: Memory needed in VLR
E3: Memory needed in HLR
E4: Computation cost for MS
E5: Computation cost for VLR
E6: Computation cost for HLR
Exp: Exponential operation
Sym: Symmetric encryption/decryption operation
H: Hash operation
XOR: Exclusive-or operation
n: number of authentication vectors

Discussions
An alternative way to protect the secret token
- Symmetric cryptosystem
Specifying the lifetime of a temporary key
- Embedded in authenticator

Conclusions
Complete identity privacy protection for IMSI
Mutual authentication
Efficiency
Withstands attacks, i.e., the redirection attack and the corrupted network attack

The End