Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards 5G AKE: The security and privacy of 3G/4G AKA

Published byGary Chapman Modified over 6 years ago

Similar presentations

Presentation on theme: "Towards 5G AKE: The security and privacy of 3G/4G AKA"— Presentation transcript:

1 Towards 5G AKE: The security and privacy of 3G/4G AKA
With P.-A. Fouque (UR1), B. Richard, G. Macario-Rat (Orange) S. Alt (DGA)

2 Authenticated Key Exchange

3 Secure communication over insecure channels
Goal: Insecure channels: The Internet ( Mobile networks (2G, 3G, 4G…) Bluetooth Radio Frequency Channels “Secure” channels: Messages exchanged over this channel could be intercepted, but not read by active 3rd parties (Man-in-the-Middle attackers) Secure communication over insecure channels

4 Typical 2-Party AKE Authentication & KE Secure Channel

5 Security of AKE Meet the adversary: AKE + SC
A Man-in the Middle, aims to break channel security Can interact in multiple sessions of many parties Can corrupt parties to learn long-term keys Can reveal computed session keys Forward-secrecy: if the adversary corrupts a user, it cannot break the security of past sessions AKE + SC

6 Is the resulting protocol still secure?
Real-world AKE In practice, ensures: Secure Internet browsing (TLS/SSL) Mobile services (AKA) Payments Personal identification (ID cards/passports) Security of protocol only proved for 2-party use Yet sometimes, handshakes are proxied, by semi-trusted third parties Is the resulting protocol still secure?

7 The case of AKA

8 AKA and 3G/4G networks Communication as a service for mobile users
Users (clients) subscribe to an operator… … and expect service anywhere, everywhere Service provided by servers: Local service: usually affiliated with client’s operator Roaming: server affiliated with partnering operator Requirement: secure Client-Server channel, with server only semi-trusted Operator Server Client Radio link Secure channel

9 The AKA protocol Standardized in the 1990s by 3GPP
Designed to be a 3-party protocol, in which the server acts as a proxy between the client and operator Symmetric-key and stateful protocol 3-tiered trust: Operator is trusted with all data: client key 𝑠 𝑘 𝐶 , operator key 𝑠𝑘 𝑜𝑝 , and client-specific state 𝑆𝑞𝑛 𝑂𝑝, 𝐶 Client trusted with almost everything: client key 𝑠 𝑘 𝐶 , a function of the operator key 𝑠𝑘 𝑜𝑝 , client state 𝑆𝑞𝑛 𝐶 Server trusted with nothing: only manages identity management Additional concern: client privacy

10 The basic 2-party Protocol
sk C , sk op , Sqn Op,C UID sk C , sk op , Sqn C UID 𝑈𝐼𝐷 Update 𝑆𝑞𝑛 𝑂𝑝,𝐶 , generate fresh 𝑅, do: 𝑀𝐴𝐶 𝑂𝑃 = 𝐹 1 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅, 𝑆𝑞𝑛, 𝐴𝑀𝐹 𝑀𝐴𝐶 𝐶 = 𝐹 2 ( 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅) 𝐴𝐾= 𝐹 5 ( 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅) 𝐴𝑢𝑡𝑛= 𝑆𝑞𝑛 XOR 𝐴𝐾 | 𝐴𝑀𝐹 | 𝑀𝐴𝐶 𝑂𝑃 𝐶𝐾= 𝐹 3 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅 𝐼𝐾= 𝐹 4 ( 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅) 𝑅 | 𝐴𝑢𝑡𝑛 Compute 𝐴𝐾, get 𝑆𝑞𝑛 𝑂𝑝,𝐶 check 𝑀𝐴𝐶 𝑂𝑃 If 𝑆𝑞𝑛 ∈ { 𝑠𝑡 𝐶 , …, 𝑠𝑡 𝐶 +𝛿} compute: 𝐶𝐾, 𝐼𝐾, 𝑅𝑠𝑝= 𝐹 2 ( 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅) 𝑅𝑠𝑝 Else: 𝑅𝑒𝑠𝑦𝑛𝑐ℎ Check: 𝑅𝑠𝑝== 𝑀𝐴𝐶 𝐶

11 Resynch Procedure If 𝑀𝐴𝐶 𝑂𝑃 verifies, but 𝑆𝑞𝑛 out of range Compute:
sk C , sk op , Sqn Op,C IMSI sk C , sk op , Sqn C IMSI If 𝑀𝐴𝐶 𝑂𝑃 verifies, but 𝑆𝑞𝑛 out of range Compute: 𝐴𝐾 ∗ = 𝐹 5 ∗ 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑅 𝑀𝐴𝐶 𝐶 ∗ = 𝐹 1 ∗ 𝑠𝑘 𝐶 , 𝑠𝑘 𝑂𝑃 , 𝑠𝑡 𝐶 , 𝐴𝑀𝐹, 𝑅 𝑠𝑡 𝐶 XOR 𝐴𝐾 ∗ || 𝑀𝐴𝐶 𝐶 ∗ Compute: 𝐴𝐾 ∗ , get 𝑠𝑡 𝐶 Check: out of range Check: 𝑀𝐴𝐶 𝐶 ∗ Set 𝑠𝑡 𝑂𝑃 𝐶 := 𝑠𝑡 𝐶 Start from there.

12 Introducing the third party
The server is not trusted to know 𝑠𝑘 𝐶 , 𝑠𝑘 𝑜𝑝 , 𝑆𝑞𝑛 𝐶 , 𝑆𝑞𝑛 𝑂𝑝,𝐶 However, it is the server that provides service to the client Only legitimate clients may receive the service Client will only receive service from legitimate servers Server used as proxy, does only identity management Client identifiers: IMSI/TMSI also stored by client and server Area identifier: LAI, unique per server/area IMSI known by all, (TMSI, LAI) tuple handled by server In 4G, TMSI and LAI replaced by GUTI How can authentication work without client secrets?

13 AKA protocol structure
Client Server Operator sk C , sk op , Sqn C sk C , sk op , Sqn Op,C (TMSI, LAI) or IMSI Get IMSI Batch Auth.vectors Challenge-Response TMSI reallocation

14 Security Weaknesses of AKA
Server impersonation by offline relays Main causes: No authentication of UID No nonce on client side UID Request UID Request IMSI/TMSI, LAI IMSI/TMSI, LAI Auth. challenge Auth.challenge

15 Security Weaknesses of AKA (cont’d)
Impersonation/key-distinguishing attack [ZF03]: Corrupted Server S Send Unsused auth. vectors 𝐴𝑉 {𝑞+1} ,…, 𝐴𝑉 {𝑛} Client C Server S* Operator Op User identifier Challenge-Response based on AV {q+1}

16 Security of AKA Where AKA security fails: What AKA guarantees:
C-imp. security: even for server corruptions & offline relays S-imp. security: no server corruptions, no offline relays Key-indistinguishability: no server corruptions State confidentiality Soundness Where AKA security fails: Server corruption attacks reveal session keys Thus even sessions in “safe” areas are vulnerable IMSI/TMSI insecurity leads to offline relays

17 Privacy of AKA 3GPP requirements: “IMSI catcher” [S07] attackers
ID-Hiding: nobody can trace the client’s IMSI Location-hiding: nobody can trace the client’s LAI Untraceable: nobody can link services to clients “IMSI catcher” [S07] attackers break the first two: First get the LAI Then force IMSI revelation [BVR15]: encrypt TMSI with PKE But this still allows traceability UID Request TMSI/LAI R/LAI IMSI Request IMSI

18 Traceability Attacks Distinguishing between two clients allows traceability UID Request UID Request (Encrypted) UID (Encrypted) UID Auth. challenge Auth.challenge Adv. does not know which client this is But he can trace it

19 Traceability by resynchronization
UID Request UID Request IMSI/TMSI IMSI/TMSI Auth. challenge Update Sq n Op,C Auth.challenge No update Resynchronization Failure (wrong key) Attack repeated a number of times

20 Traceability by TMSI-Reallocation
UID Request UID Request IMSI/TMSI IMSI/TMSI Auth.challenge Response Enc(TMSI) random

21 Our counter-proposals
Easy fix: security even with server corruptions Add server identifier to all cryptographic functions Even if a server is corrupted, the adversary cannot use its identity in a different area Harder fix: better privacy Encrypt TMSI in smarter way: Use symmetric encryption inside PKE scheme Use Operator as soon as an attack is detected Remove need for resynchronization Add authentication at TMSI reallocation Optimality: impossibility result for better privacy

22 Towards 5G

23 Need for new primitives
3G/4G AKA provides some limited security And we can fix it to get better privacy Some AKA problems: Currently all computation done at the operator’s end Legal interceptions: operators reveal long-term keys … thus giving away more data than necessary Strong deviation in practical implementations For instance TMSI, LAI not always used in practice since “you have no privacy, get over it!” Application-layer primitives problematic No concept of “end-to-end”, everything goes through Op But should we use it for 5G networks?

24 Challenges for 5G A fundamental leap (akin to TLS 1.3 vs 1.2)
What we need: Protocol that allows for unfederated E2E security … including Peer-to-Peer types of connections Usability: must answer to Legal Interceptions But we should allow operators to give away less data Different handshakes for different situations: Roaming and domestic Client-server vs. P2P Better application-layer primitives Including lightweight primitives for data-stream transfer Efficiency, compliance to legal standards, ease of use!

Download ppt "Towards 5G AKE: The security and privacy of 3G/4G AKA"

Similar presentations

Secure Mobile IP Communication

Secure Mobile IP Communication
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Lecture 11: Strong Passwords

Lecture 11: Strong Passwords
Shambhu Upadhyaya 1 802.11 Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)

Similar presentations

Ads by Google