An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science, Kyungpook National University, Korea

Kyungpook National University, Korea 2/18 Contents Introduction Acronyms GSM authentication protocol Proposed authentication protocol Location privacy in GSM Enhanced location privacy protocol Discussions Conclusion

Kyungpook National University, Korea 3/18 Introduction Two major security worries in Mobile communication Confidentiality (privacy) The guarantee that messages are not intercepted by an eavesdropper Authentication To ensure that any unauthorized user cannot fraudulently obtain services Security features provided by GSM Subscriber identity authentication Subscriber identity confidentiality User data and signaling information confidentiality on radio path

Kyungpook National University, Korea 4/18 Acronyms MS : Mobile Station HLR : Home Location Register AuC : Authentication Center VLR o/n : Visiting Location Register old/new MSC: Mobile Switching Center IMSI : International MS Identity TMSI o/n: Temporary Mobile Subscriber Identity old/new RAND : Random Number SRES : Signed response K c : a Ciphering Session Key K i : a user’s secret key shared with HLR A3, A8, A5 : unpublished one-way func. Standardized Enc/Dec alg.

Kyungpook National University, Korea 5/18 GSM authentication protocol Authentication and Confidentiality in GSM MSVLRHLR / AuC A3 A8 A3 A8 RAND Ki SRES [n] RAND [n] Kc [n] = RAND Ki Yes/No A5 Kc Data Ciphertext TMSIIMSI Authentication Confidentiality SRES

Kyungpook National University, Korea 6/18 GSM authentication protocol Drawbacks The space overhead can occur when the VLR stores sets of authentication parameters. VLR needs the assistance of HLR when it identifies the MS. If VLR consumes all sets of authentication parameters of MS, it requests additional parameters to the HLR. There is bandwidth consumption between the VLR and the HLR, when the VLR needs other sets of authentication parameters. The authentication of VLR/HLR is not instituted in the GSM protocol. There is no way to provide data/location confidentiality in wired network.

Kyungpook National University, Korea 7/18 Proposed authentication protocol The design goals of the proposed protocol To achieve mutual authentication between MS and VLR To improve the location privacy in wired network To simplify the authentication flows To reduce the storage in VLR To reduce bandwidth consumption between VLR and HLR Authentication of mobile users is to be done by the VLR instead of the HLR, even if the VLR does not know the subscriber's secret key Ki and A3 algorithm. Assumption HLR and VLR shares a symmetric key.

Kyungpook National University, Korea 8/18 Proposed authentication protocol MSVLRHLR SRES1,TMSI, LAI Eku(RAND) VLR_ID, E VH (IMSI) Eku(RAND) HLR_ID,SRES2 E VH (RAND, Tki) SRES1 = SRES2 ? E Tki (TMSInew) RAND K VH : a shared key, Ku = f (IMSI,HLR_ID,Ki) : 64bit-length Authentication (location updating) KiRAND A3 & A8 SRES1Tki KiRAND A3 & A8 SRES2Tki

Kyungpook National University, Korea 9/18 Location privacy in GSM Location update using TMSI IMSI : International MS Identity TMSI : Temporary Mobile Subscriber Identity LAI : Location Area Identity

Kyungpook National University, Korea 10/18 Location privacy in GSM Drawbacks IMSI is exposed and delivered in the wired network without any protection In some abnormal cases, MS sends its IMSI to VLR in the wireless network without any protection

Kyungpook National University, Korea 11/18 Location privacy problems Authentication at location updating in a new VLR, TMSI unknown in old VLR MSVLR n VLRo LAI, TMSIo TMSIo Unknown Identity Request IMSI

Kyungpook National University, Korea 12/18 Location privacy problems Authentication at location updating in a new VLR, old VLR not reachable MSVLR n VLRo LAI, TMSIo Identity Request IMSI VLR not reachable

Kyungpook National University, Korea 13/18 A possible attack MSAttacker LAI, TMSIo Identity Request IMSI VLR not reachable TMSI o unknown or Acquire IMSI of the MS

Kyungpook National University, Korea 14/18 Enhanced location privacy protocol MS VLR HLR TMSI, LAI, SRES1 Eku(RAND) VLR_ID, E VH (AL) Eku(RAND) SRES2, HLR_ID E VH (RAND, Tki, IMSI) SRES1 = SRES2 ? E Tki (TMSInew) RAND, LAIn Identity Request AL, HLR_ID, SRES1 Eku(RAND) AL : Alias of the MS.15 bit-length Abnormal Authentication (location updating)

Kyungpook National University, Korea 15/18 Discussions Features Mutual authentication between MS and VLR RAND Enhanced Location privacy in wired network Shared symmetric keys (K VH ), Alias Reduced the data flows during the authentication. 5 flows -> 4flows Reduced storage space in the VLR (Only Tki is stored) Reduced bandwidth consumption between the VLR and HLR VLR Authenticates MS without assistance of HLR The security of the protocol is based on the existing architecture of the GSM authentication, e.g. A3,A5,A8

Kyungpook National University, Korea 16/18 Discussions Comparison

Kyungpook National University, Korea 17/18 Conclusion Drawbacks of the original GSM authentication Drawbacks of the location privacy protocol The proposed authentication protocol Mutual authentication between MS and VLR Enhanced Location privacy Reduced the data flows during the authentication.(5 flows -> 4flows) Reduced storage space in the VLR Reduced bandwidth consumption between the VLR and HLR VLR Authenticates MS without assistance of HLR The security of the protocol is based on the existing architecture of the GSM authentication, e.g. A3,A5,A8

Kyungpook National University, Korea 18/18 Thank you