Symmetric key based 5G AKA authentication protocol satisfying anonymity and unlinkability

doi:10.1016/j.comnet.2020.107424

Computer Networks

Volume 181, 9 November 2020, 107424

https://doi.org/10.1016/j.comnet.2020.107424 Get rights and content

Abstract

The recently standardised 5G AKA protocol, to be used in the next generation of mobile communications, possesses some severe shortcomings. In particular, different types of attacks, leaking parts of the identity, activity pattern and localisation of the user, have been proposed in literature.

In this paper, we propose a new version of the 5G AKA protocol, capable of offering resistance to all the known attacks and providing the required security features like anonymity, unlinkability, mutual authentication and confidentiality. The proposed protocol is completely symmetric key based and relies on cryptographic primitives currently available in the hardware of the universal subscriber identity module (USIM). Compared to the original protocol or other recently proposed versions, our protocol does not require the usage of public key encryption for hiding the real identity. Also the number of communication phases in the protocol is optimised and limited to two. The security of the protocol has been demonstrated using RUBIN logic.

Introduction

There are currently over 9.32 Billion mobile connections and 5.16 Billion unique mobile subscribers worldwide according to GSMA real-time intelligence data. These numbers are enormous, given a world population of around 7.74 Billion [1]. Wireless technology has also significantly evolved since the late nineties. Starting from voice-only 2G technology, to internet supporting 3G networks, most of the wireless connections are now relying on 4G technology. Today, the fifth generation of wireless networks, also called 5G, is even rolled out in several major cities worldwide and is expected to cover up to 65 % of the global population by the end of 2025, handling 45 % of global mobile data traffic [2].

As a consequence, dealing with the security and privacy of the users is a tremendous important task. The standardisation group for 3G, 4G, and 5G technologies, also called the 3rd Generation Partnership Project (3GPP), has proposed an Authentication and Key Agreement (AKA) protocol in this perspective. This protocol has the goal to offer on the one hand mutual authentication between devices consisting of a universal subscriber identity module (USIM) and a network provider and on the other hand enable the construction of a common shared secret key for subsequent communications. All the current communications in 3G, 4G and cellular networks rely on the security of these protocols.

For the 5G network technology, these protocols have been revised and standardised as 5G AKA protocols, in order to explicitly include also user privacy and to avoid the different fake base station attacks compromising the subscriber privacy with respect to traceability and location privacy [3], [4], [5], [6], [7], [8], [9], [10]. These attacks mainly rely on the fact that the identity of the subscriber is not protected during transmission [3], [4], [5], [6], [7] (also called the International Mobile Subscriber Identity (IMSI) catcher attacks), on the exploitation of the type of failure message [8], [10] and on the usage of the exclusive or (xor) operation to conceal the sequence number [9]. An important change in 5G AKA is the inclusion of a randomised public key encryption to send the identity of the subscriber. The latest version containing the technical specifications, Release 15, dates from June 2018 [11].

Unfortunately, it is shown by Koutsos et al. in [12] and Basin et al. [13], that also for this new standard all known attacks [8], [10] to privacy can still be applied, accept for the IMSI catcher attacks. In addition, there is also the so called encrypted IMSI replay attack presented by Fougue et al. in [14] breaking the unlinkability, which is valid for the 5G AKA protocols and was originally constructed for an improved version defined in [8] by Arapinis et al. using encrypted identifiers.

The main contributions of this paper are as follows.

•
We propose a new 5G AKA protocol, which offers anonymity, unlinkability, mutual authentication and confidentiality. In addition, the protocol is resistant to all known attacks in literature.
•
Compared to related work, our protocol is highly efficient as it only relies on symmetric key based operations, which are already currently available in the hardware of the USIM.
•
The number of communication phases in the protocol is optimised to the minimum of 2.
•
The security of the protocol has been thoroughly analysed by means of RUBIN logic.

The paper is outlined as follows. In Section 2, we give an overview of relevant related work. Section 3 deals with preliminaries on the 5G AKA protocol. In Section 4, we present our protocol. Both a formal and informal security analysis has been given in Section 5. The comparison in performance between our proposed protocol and the current 5G AKA protocol together with some recently proposed new versions is discussed in Section 6. Finally, we end the paper with some conclusions in Section 7.

Section snippets

Related work

As a reaction on the multitude of attacks on AKA and in particular 5G AKA protocols, several new variants have been proposed in literature. Some of them only contain a small modification, while others drastically change the whole architecture.

In [8], as protection measure to the exploitation of message error, Arapinis et al. proposed to encrypt the different message types of the response of the subscriber to the serving network (SN) using the public key of the home network (HN) in order to make

5G AKA protocol

There are two authentication protocols proposed in the 5G standard, EAP AKA and 5G AKA. Their differences do not have any impact on the privacy and therefore we can limit the description to the 5G AKA protocol. In this protocol, three entities are involved.

•
The User Equipment (UE) consists of the user’s physical device, typically a smart phone or IoT device. The UE contains a cryptographic chip, USIM, which stores subscriber-related information and implements security functions required to run

Proposed protocol

In our protocol, we distinguish a registration and actual authentication phase.

Attack model

Since the HN and SN are modelled as one entity, the attack model is limited to the communication channel between UE and HN. On the messages exchanged over this channel, we assume the standard Dolev-Yao model [18] in which the adversary can eavesdrop, forge, replay, delay and rush, reorder and delete the exchanged messages. This corresponds with the profiles of a so-called active and passive attacker, in which the active attacker is in the possession of some 5G-specific hardware. Furthermore, we

Performance

We now compare our proposed protocol with the original 5G AKA protocol and the protocols proposed in [12], [15], both from the point of view of storage, computation and communication at the most constrained entity in the scheme, being the UE.

Conclusion

This paper proposes a new variant for the 5G AKA protocol. Our protocol is solely based on symmetric key based operations and does not require compute intensive public key encryptions. Therefore, it perfectly fits for very lightweight devices. The system does not require additional tamper resistant storage requirements compared to the standard 5G AKA. Moreover, it also needs only two communication rounds to successfully derive a common shared session key and to ensure mutual authentication. We

Author contribution

As there is only one author that did the work, an author statement is not relevant here.

Declaration of Competing Interest

The author declares no conflict of interest.

References (22)

D. Dolev et al.
On the security of public key protocols
IEEE Trans. Inf. Theory
(1983)
WorldoMeters U.N. data,GSMA Intelligence, [Online]. Available:...
P. Jonsson, S. Carson, G. J. Kyohun Shim, B. Arendse, A. Husseini, P. Lindberg, K. Ohman, Ericsson mobility report...
A.N. Bikos et al.
LTE/SAE Security issues on 4g wireless networks
IEEE Secur. Priv.
(2013)
M. Khan et al.
Vulnerabilities of UMTS access domain security architecture, software engineering, aritificial intelligence
Network. Parallel Distrib. Comput.
(2008)
A. Shaik et al.
Practical attacks against privacy and availability in 4g/LTE mobile communication systems
Proceedings of 23nd Annual Network and Distributed System Security Symposium
(2016)
F. van den Broeck, R. Verdult, J. de Ruiter, Defeating IMSI catchers, proceedings of the 2015 ACM conference on...
M. Zhang et al.
Security analysis and enhancements of 3GPP authentication and key agreement protocol
IEEE Trans. Wireless Commun.
(2005)
M. Arapinis et al.
New privacy issues in mobile telephony: fix and verficiation
Proceedings of the 2012 ACM Conference on Computer and Communications Security
(2012)
R. Borganokar et al.
New privacy threat on 3g, 4g, and upcoming 5g AKA protocols
Proc. Priv. Enhanc. Technol.
(2019)

C. Hahn et al.

A privacy threat in 4th generation mobile telephony and its countermeasure

Proceedings of 9th International Conference on Wireless Algorithms, Systems and Applications

(2014)

Cited by (32)

SRAKN: Secure Roaming Authentication and Key Negotiation protocol for Space Information Network
2023, Computer Communications
Nowadays, the Space Information Network (SIN) with global signal coverage, large capacity, bandwidth-on-demand flexibility, and multiple services has attracted more and more users to enjoy real-time services without geographical restrictions. However, due to the openness of the satellite-to-ground wireless link, users are vulnerable to various attacks when accessing SIN and obtaining subscription services, which may pose security threats to user privacy, message integrity and confidentiality. Although many authentication protocols have been proposed to protect the security of access and data transmission, most of them are only applicable to the authentication scenarios in the home domain, without considering the security threats of roaming authentication in foreign domains. Moreover, the existing roaming authentication protocols still have some defects such as security vulnerabilities, long authentication delay, and high communication overhead. Therefore, in this paper, we propose a new secure roaming authentication and key negotiation protocol based on elliptic curve cryptography (ECC) for SIN, namely the SRAKN protocol, which also supports conditional anonymity and batch verification. In the roaming authentication phase, not only fast and low-overhead mutual authentication between the roaming user, satellite node and the foreign terrestrial control station (FTCS) is realized, but also a secure session key is jointly negotiated by the roaming user and FTCS to protect the subscription service transmission. The results of security analysis and performance comparison show that the SRAKN protocol is not only secure and resistant to various known attacks, but also has shorter roaming authentication delay, lower batch authentication overhead and communication overhead, making it more suitable for roaming users to access SIN in foreign domains.
Intelligent drone-assisted robust lightweight multi-factor authentication for military zone surveillance in the 6G era
2023, Computer Networks
In the diverse range of surveillance applications, large-scale deployment of next-generation communication technologies and the fast-growing development of unmanned aerial vehicles (UAVs) are envisioned as key innovations in the adoption of beyond-fifth generation (B5G) and 6G communication. Due to its self-reliance and versatility, a complex communication network can be formulated strategically to improve the application features of drone technology, including search-and-rescue, mission-critical services, and military surveillance. In recent times, technological advancements in hardware and software infrastructure have gained momentum toward seamless information interaction in aerial communication. Unfortunately, the recurrent process of user authentication causes severe communication instability in an unmanned aerial ad hoc network (UAANET) leading to some serious cyber threats, such as buffer overflow, denial of service, and spoofing. Therefore, building secure and reliable authentication is inevitable in order to protect drone-aided healthcare service environments. To protect aerial zones and improve security efficiency, this paper designs robust lightweight secure multi-factor authentication (RL-SMFA). The proposed RL-SMFA utilizes an AI-enabled, secure analytics phase to verify the genuineness of drone swarms for the ground control station. While protecting communication with drone vehicles, we also observe that power consumption by drones is reduced to a large extent. Using formal verification under a random oracle model, we show that the proposed RL-SMFA can functionally resist system vulnerabilities and constructively decrease the computation and communication costs of the UAANET. Lastly, the simulation study using ns3 shows that the proposed RL-SMFA achieves better performance efficiencies in terms of throughput rate, packet delivery ratio, and end-to-end delay than other state-of-the-art approaches to discovering a proper link establishment.
An improved and provably secure symmetric-key based 5G-AKA Protocol
2022, Computer Networks
Citation Excerpt :
Monilla et al. [16] presented a security analysis of [15] which shows that it does not satisfy the perfect forward secrecy. In fact, the scheme of [15] never claimed to satisfy the perfect forward secrecy feature. Monilla et al. [16] proposed the use of hash chains to include these features.
One of the primary authentication mechanisms defined for the 5G system is the 5G-Authentication and Key Agreement (5G-AKA) protocol. It is set to be used in the next generation of mobile communications but has several serious flaws such as privacy issues, vulnerability to traceability attacks, and has de-synchronization problem. To deal with these issues, An Braeken presented a lightweight authentication mechanism that provides security features not present in 5G-AKA, but the scheme fails to provide perfect forward secrecy. Later Munilla et al. introduced an improved version of the Braeken authentication scheme that claims to provide perfect forward secrecy but is computationally expensive and prone to DoS attacks if the size of the server database is large. Taking this in view, we propose a cost-effective scheme that provides all the security features, including perfect forward secrecy. We do the informal (non-mathematical) and formal analysis (using the ROR, GNY, and Scyther tool) of the security properties of the proposed protocol and show that the proposed protocol provides all the security features. Furthermore, we measure the performance of the proposed protocol in terms of energy consumption and computational, communication and storage costs. The evaluation results show that the proposed protocol takes significantly less cost than most of its competitors. In addition to this, we also compute the performance of the proposed protocol under unknown attacks in terms of computational, communication, and energy consumption costs. The outcome of analysis shows that the proposed protocol takes very less overhead under unknown attacks compared to its competitors.
Remote Registration and Group Authentication of IoT Devices in 5G Cellular Network
2022, Computers and Security
Citation Excerpt :
The protocol also overcomes the problem of signaling congestion and high bandwidth consumption. Off late, several research works were carried out that are aimed at improving the security and privacy in IoT over 5G cellular network Choudhury (2020); Cao et al. (2020); Wang et al. (2017); Braeken (2020). Some of the techniques that are commonly used in these schemes are lightweight cryptography Wang et al. (2017); Wu et al. (2020); Jangirala et al. (2019), digital signature Cao et al. (2018); Cao et al. (2019b), Elliptic Curve Diffie Hellman Key Exchange (ECDHKE) Cao et al. (2018), group based authentication Cao et al. (2018); Cao et al. (2019b), blockchain technologyYang et al. (2017); Jangirala et al. (2019), etc.
The Fifth Generation (5G) of cellular mobile network, due its speed and flexibility, will be a preferred communication technology for future deployment of the Internet of Things (IoT). However, with the rapid growth in the number of connected devices, registration and authentication of the devices in 5G cellular network are set to become challenging tasks. Currently, the basis for registration and authentication of the devices in 5G mobile network is the Universal Subscriber Identity Module (USIM) that is provided to every device. But, with large scale deployments in IoT, providing a USIM and authenticating every device individually is going to be arduous. Recently, several group based authentication protocols have been proposed by researchers. Even so, none of these proposals can be easily adopted, since they are not based on the challenge response mechanism used in the 5G Authentication and Key Agreement Protocol (5G-AKA). In this paper, an efficient scheme for remote registration and group authentication of the IoT devices in 5G cellular network is proposed. The scheme is designed to work along with 5G-AKA protocol as its extension. It uses elliptic curve cryptography that is lightweight in nature and is suitable for resource constrained IoT environment. Security analysis and performance analysis shows that the proposed scheme is secured and efficient in comparison to similar recent proposals in the literature.
Device-to-device group authentication compatible with 5G AKA protocol
2021, Computer Networks
Device-to-device (D2D) communication in 5G can offload large amounts of data from the core network and offer smaller delays in communication, making advantage of the proximity between the devices. Specific attention should be given to a dedicated authentication process as there are significant challenges with respect to security and privacy. We propose the first anonymous group D2D authentication and key agreement protocol, which can be integrated into the existing 5G-AKA protocol with only a few adaptations. No additional initialization or new implementations of security algorithms are required for the user equipment. After a successful run of the protocol, the devices in the group can derive a secure group key and a secret key shared with each other member of the group. Both from a computational and a communication perspective, the scheme is comparable with state-of-the-art related solutions. Moreover, our proposed scheme satisfies several security features, which are not currently available in the existing schemes in literature.
An enhanced symmetric-key based 5G-AKA protocol
2021, Computer Networks
5G technology is called to support the next generation of wireless communications and realize the “Internet of Everything” through its mMTC (massive Machine-Type-Communications) service. The recently standardized 5G-AKA protocol is intended to deal with security and privacy issues detected in earlier generations. Nevertheless, several 5G-AKA shortcomings have been reported, including a possibly excessive computational complexity for many IoT devices. To address these, a promising lightweight 2-pass authentication and key agreement (AKA) protocol for 5G mobile communications has recently been proposed by Braeken. Compared to the 5G-AKA protocol, this does not require the use of public key encryption. This paper analyzes the security claims of Braeken’s protocol and shows that it does not provide full unlinkability, but only session unlinkability, and is (still) subject to Linkability of AKA Failure Messages (LFM) attacks. We propose solutions to such problems and prove that symmetric-key based protocols cannot offer higher privacy protection levels without compromising availability. We then describe an enhanced version of this protocol that addresses these vulnerabilities and supports forward secrecy, which is a desirable feature for low-cost IoT devices.

View all citing articles on Scopus

An Braeken obtained her MSc Degree in Mathematics from the University of Gent in 2002. In 2006, she received her PhD in engineering sciences from the KULeuven at the research group COSIC (Computer Security and Industrial Cryptography). She became professor in 2007 at the Erasmushogeschool Brussel (currently since 2013, Vrije Universiteit Brussel) in the Industrial Sciences Department. Prior to joining the Erasmushogeschool Brussel, she worked for almost 2 years at the management consulting company Boston Consulting Group (BCG). Her current interests include the development, analysis and implementation of security protocols for embedded systems, wireless sensor networks, IoT,... She is (co-) author of over 150 publications. She has been member of the program committee for numerous conferences and workshops and member of the editorial board for Security and Communications magazine. She has also been member of the organizing committee for the IEEE Cloudtech 2018 conference and the Blockchain in IoT workshop at Globecom 2018. In addition, she is since 2015 reviewer for several EU proposals and ongoing projects, submitted under the programs of H2020, Marie Curie and ITN. She has cooperated and coordinated more than 12 national and international projects. She has been STSM manager in the COST AAPELE project (2014–2017) and is currently in the management committee of the COST RECODIS project (2016–2019).

View full text

Symmetric key based 5G AKA authentication protocol satisfying anonymity and unlinkability

Abstract

Introduction

Section snippets

Related work

5G AKA protocol

Proposed protocol

Attack model

Performance

Conclusion

Author contribution

Declaration of Competing Interest

IEEE Trans. Inf. Theory

LTE/SAE Security issues on 4g wireless networks

IEEE Secur. Priv.

Vulnerabilities of UMTS access domain security architecture, software engineering, aritificial intelligence

Network. Parallel Distrib. Comput.

Practical attacks against privacy and availability in 4g/LTE mobile communication systems

Proceedings of 23nd Annual Network and Distributed System Security Symposium

Security analysis and enhancements of 3GPP authentication and key agreement protocol

IEEE Trans. Wireless Commun.

New privacy issues in mobile telephony: fix and verficiation

Proceedings of the 2012 ACM Conference on Computer and Communications Security

New privacy threat on 3g, 4g, and upcoming 5g AKA protocols

Proc. Priv. Enhanc. Technol.

A privacy threat in 4th generation mobile telephony and its countermeasure

Proceedings of 9th International Conference on Wireless Algorithms, Systems and Applications