secure-aka: an efficient aka protocol for umts networks

Wireless Pers CommunDOI 10.1007/s11277-014-1821-0

Secure-AKA: An Efficient AKA Protocol for UMTSNetworks

Neetesh Saxena · Narendra S. Chaudhari

© Springer Science+Business Media New York 2014

Abstract In this paper, we propose an improved and efficient authentication and key agree-ment (AKA) protocol named “Secure-AKA” to prevent Universal Mobile Telecommunica-tion System (UMTS) network from various attacks like man-in-the-middle attack, redirec-tion attack, replay attack, active attacks in the corrupted UMTS networks, and especiallydenial of service attack. This protocol completely eliminates the need of counter synchro-nization between a mobile station and its home network, and protects the actual identity ofeach user over the network by generating a temporary identity during the authentication.The Secure-AKA protocol generates minimum communication and computation overheadsas compared to UMTS-AKA, S-AKA, AP-AKA, EURASIP-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocols. On an average, Secure-AKA protocol reduces 65 % of thebandwidth consumption during the authentication process in comparison to UMTS-AKA,which is the maximum reduction of bandwidth by any AKA protocol referred in the paper.

Keywords UMTS · Authentication · Identity · Attacks · Overheads

1 Introduction

With the latest and advanced innovations in mobile applications, the third-generation (3G)technology has been widely used in modern mobile devices. It has been a great advancement tovarious service capabilities, numerous operations, and performance as compare to the second-generation (2G) technology. UMTS is one of the 3G technologies which is an extension ofGlobal System for Mobile Communications (GSM). In fact, there were many security issues

N. Saxena (B) · N. S. ChaudhariDiscipline of Computer Science and Engineering, Indian Institute of Technology, Indore, Indiae-mail: [email protected]

N. S. ChaudhariDepartment of Computer Science and Engineering, Visvesvarya National Institute of Technology,Nagpur, Indiae-mail: [email protected]

123

N. Saxena, N. S. Chaudhari

presented in the original 2G GSM network. The 3G UMTS technology has overcome theseissues including mutual authentication. To improve the security weaknesses exist in GSM[1], the UMTS authentication and key agreement AKA was proposed at network level [2] forauthenticating 3G mobile subscribers. Although, the UMTS-AKA has successfully defeatedmost of the vulnerabilities found in the GSM network, but, it is still vulnerable to redirectionattack [3], man-in-the-middle (MITM) attack [4] and denial of service (DoS) attack [5].

1.1 Research Problem

The original UMTS-AKA protocol is vulnerable to some security attacks such as redirec-tion attack [6], man-in-the-middle attack [7], impersonation attack, and DoS attack. Thereare several other issues with UMTS-AKA protocol including the huge bandwidth usagebetween the Home Location Register (HLR) and the Visitor Location Register (VLR), largestorage space overhead at VLR, and counter synchronization problem between the mobilestation (MS) and the HLR/VLR. This protocol also generates huge communication and com-putation overheads in order to provide the mutual authentication between the MS and theVLR/HLR. To solve these issues in the UMTS network, many researchers have proposedtheir protocols; however, they are still not able to reduce the overheads effectively. In fact,some of these protocols are still vulnerable to attacks. All these existing issues are consid-ered in our work in order to develop an efficient and secure AKA protocol for 3G UMTSnetwork.

1.2 Our Contribution

In this paper, we present an improved and efficient AKA protocol namely “Secure-AKA” for3G UMTS network. Our protocol has the following main attributes:

1. The proposed Secure-AKA protocol provides mutual authentication between the MS andthe HLR and between the MS and the VLR, similar to all AKA protocols discussed inthe paper.

2. The Secure-AKA protocol prevents the UMTS network from redirection attack (asby AP-AKA, S-AKA, COCKTAIL-AKA), man-in-the-middle attack (as by S-AKA,COCKTAIL-AKA), replay attack (as by all AKA), active attacks in the corrupted network(as by all AKA), and denial of service attack (by Secure-AKA only while S-AKA providepartial prevention).

3. The Secure-AKA is able to reduce the bandwidth consumption between the VLR and theHLR, and reduce the VLR storage.

4. It completely overcomes the counter synchronization problem exists in UMTS-AKAas the mobile user and the roaming network node do not maintain any counter. This ispossible with message authentication code (MAC3) and DK key in the proposed protocol.

5. This protocol hides the actual identity of each MS, i.e., International Mobile SubscriberIdentity (IMSI), and computes a temporary identity, i.e., Temporary Mobile SubscriberIdentity (TMSI) during the authentication process. The other existing protocols discussedin the paper do not provide identity protection over the network.

6. The Secure-AKA produces minimum communication and computation overheads as com-pare to all existing and recent AKA protocols from the literature.

7. On an average, the Secure-AKA protocol uses lesser bandwidth and provides minimummessage exchanged ratio during authentication as compared to all existing AKA protocolsfor UMTS network.

123

An Efficient AKA Protocol for UMTS Networks

1.3 Organization

The entire paper is organized in seven sections which are as follows: Sect. 2 introducesthe literature review of existing UMTS-AKA protocols in the UMTS network. Section 3illustrates the communication, trust, and attack models for UMTS network. Section 4 explainsa solution against DoS attack in the UMTS network. In Sect. 5, we focus on the security goalsto be achieved and explain the proposed Secure-AKA protocol in detail. The security andperformance analysis with simulation results of proposed protocol are given in Sect. 6. Finally,Sect. 7 summarizes the conclusion of the work.

2 Review: Existing AKA Protocols

In the UMTS-AKA protocol, each MS shares a secret key SK and certain cryptographicfunctions with the home network. The HLR and the MS, each maintains a counter to preventreplay attack [8,9]. The cryptographic functions shared between the HLR and the MS includetwo message authentication codes f1 and f2, and three key generation functions f3, f4, and f5[10]. AK/XAK is the anonymity key which is used to hide the sequence number in originalUMTS-AKA protocol. Lot of research is going on 3G UMTS network including regulationof 3G uplink and downlink buffer and flow control [11], 3G traffic offloading [12], vehicularnetwork access through WiFi [13] and UMTS-AKA protocol for intelligent transportationsystems [14]. Thus, the security of 3G UMTS network is a major concern.

Various AKA protocols [15–19] were proposed to provide the authentication among com-munication parties in mobile communications at various levels. Many symmetric key basedAKA protocols [20–23] were proposed for UMTS network to improve the security of UMTS-AKA and effective utilization of bandwidth during the authentication. The NS-AKA protocolin [20] reduces the overheads, and is free from redirection and MITM attacks, but does not pro-vide resistance against denial of service attack. Zhang and Fang [21,24] proposed a new pro-tocol namely AP-AKA, to defeat the redirection attack and intensely inferior the effect of cor-rupted network. Al-Saraireh and Yousef’s protocol [22] primary emphasis on the bandwidthreduction for transmitted authentication vectors and therefore, the authentication vectors areonly produced by the MS, not by the VLR. Another S-AKA protocol [25] reduces bandwidthconsumption up to 38 % (with number of authentication requests n = 2, 5, 10, 20, 50, 100),and also decreases the number of messages required in authenticating mobile subscribers;however, our analysis states that S-AKA can reduce bandwidth consumption up to 29 % only(when n = 50, 100, 200, 500, 1,000). The UMTS-AKA and EURASIP-AKA protocols do notprevent MITM and redirection attacks. However, the S-AKA protocol is able to stop MITMand redirection attacks while the AP-AKA protocol does not resist the MITM attack butis free from redirection attack. Al-Saraireh and Yousef’s protocol (EURASIP-AKA) doesnot clear the security issues with redirection as well as man-in-the-middle attacks. X-AKAprotocol [26] was proposed to prune off the transmission of authentication vectors (AV) inUMTS-AKA protocol and improves its bandwidth utilization; however it does not preventman-in-the-middle and redirection attacks. Al-Saraireh and Yousef’s EXT-AKA protocol[27] focused on the bandwidth reduction for transmitting authentication vectors. However,this protocol also does not clear the security issues against various attacks. Ou, Hwang, andJan proposed a new protocol COCKTAIL-AKA, to vanquish the imperfection of UMTS-AKA protocol [28], but it is penetrable to DoS attack and impersonation attack [29]. It alsodoes not solve the synchronization problem between MS and HLR.

Tables 1 and 2 list the definitions of various symbols, abbreviations and cryptographicfunctions used in various AKA protocols discussed in the paper.

123


Table 1 Symbols andabbreviations

Symbol Definition Bits

IMSI International mobile subscriber identity 128

TID Temporary identity 128

LAI Location area identifier 40

SK Secret key shared b/w MS and HLR 128

ReqNo Request number 128

PID Proxy identity 128

Puz Puzzle 128

α/H Hash code 64

AMF Authentication management field 48

RAND Random number 128

AUTN Authentication token Variable

AV Authentication vector Variable

Y/N Yes/no flag 1

DK Delegation key 128

CK Cipher key 128

IK/IIK Integrity key 128

MAC/XMAC Message authentication code 64

RES/XRES Response/expected response 64

T Time stamp 64

ACK Acknowledgement 16

Solul Solutionl of puzzle 128

Solu2 Complete solution 128

Table 2 Definition of functions Functions Definition

f Function to generate TID

f′′ Function to generate IIK Key

fl Message authentication function for MAC/XMAC

f2 Key generation function for DK

f3 Message authentication function for RES/XRES

f4 Key generation function for CK

f5 Key generation function for IK

f6 Key generation function for EK

g() Hash generation function for α

H Hash function

Solul Function to compute solutionl

Solu2 Function to compute solution2

EK{}, DK{} Functions to cipher/decipher message

|| Concatenation

123


3 Communication, Trust and Attack Models

We present the system model in terms of communication and trust scenario and then discuss anattack model. First, we discuss the communication and trust model. When a user is in his/herhome network then the mutual authentication takes place between the MS and the HLR.The HLR generates the authentication vectors as per the authentication requests receivedfrom various MS(s). A trust model comes into the picture when a user moves to a roamingarea. The MS requests to one of the roaming operators for providing the service and the MSsends an authentication request to the nearest VLR of that service provider. The transmissionof authentication vectors take place between the VLR and the HLR, and then rest of themutual authentication process is executed between the MS and the VLR. In this trust model,it is assumed that a secret key SK is shared between the MS and the HLR. The authenticinformation is generated by HLR (based on SK key) and then HLR sends it to the VLR.

An attack model describes various scenarios where a malicious MS or VLR can accessthe authentic information, misguide the legitimate MS, or corrupt the network. A maliciousVLR can redirect the legitimate MS and can receive the valid tokens, i.e., AV. This attackannoys a victim MS with billing problem and forces the legitimate MS on its HLR to becharged for roaming by a malicious VLR. Another possibility of attack is to delay or reusethe authentication messages. This may lead to replay attack, if the transmitted messages donot contain any nonce or timestamp value. An attacker or adversary can also corrupt andimpersonate the network. An adversary can forge the authentication data request to obtainauthentication vectors and use it to impersonate the network independent of the actual locationof the user. An attacker can hide itself between the MS and the VLR, and may be able tocrack the UMTS security. The adversary can eavesdrop the session initiated by legitimate MSwhich leads to the man-in-the-middle attack. For such an attack, the attacker must be able tointercept and inject some data. Apart from these attacks, various forms of denial of service(DoS) attack such as primary DoS, and distributed DoS (DDoS) are quite possible. Theexisting DoS and DDoS defense mechanisms anticipates a flood of authentication requestsas attack and exploit the vulnerabilities of the system. The low rate DoS (LDoS) attacks aredifficult to detect as compared to other forms of DoS attacks as it exploits many factors andvulnerabilities that vary from iterative hops to fixed minimum retransmission timeout (RTO).Our primary focus is to prevent the network from authentication requests based DoS attack.

More on denial of service (DoS) attack There are some other reasons for the possibilitiesof DoS attack such as black-hole attack, dropping acknowledgement (ACK) signal, andmanipulating unprotected radio resource control (RRC) messages.

Black-hole attack An intruder with false Base Transceiver Station (BTS) equipment followsto its target victim. In the presence of this attack, all the active mobile terminals in that cellulararea are diddled towards the false BTS for the connection, if the signal from the maliciousBTS is stronger than the legitimate BTS. When the victim is connected to the fake BTSequipment, the intruder drops all transmitted packets towards the victim MS.

Dropping ACK signal The protection of IMSI is considered as a very important issue inUMTS network. Instead, temporary identities i.e., TMSIs are transmitted to the mobile usersjust after the activation of cipher mode and then TMSIs are used for the signal communicationin the network. A new TMSI is allotted each time a mobile user moves to a roaming areaobserved by other Serving GPRS Support Node (SGSN). When a TMSI is encrypted andtransmitted to the MS, it does not link to the corresponding IMSI by the SGSN until AllocationComplete message is reached to the SGSN from the MS. If it is not the case then both

123


sets {IMSI, TMSIold} and {IMSI, TMSInew} are believed correct by the SGSN. These TMSIAllocation Command messages are examined by the attacker who immediately drops thosemessages. This process creates a cause where a new TMSI is generated repeatedly, whichis expressed as dropping ACK signal based DoS attack to all users entering in a particularrouting area.

Unprotected RRC The adversary can modify the RRC messages during the communicationover the UMTS network before the protocol cipher mode is on.

4 A Solution: A Tour Puzzle for Dos Attack

Our proposed protocol (discussed later) prevents UMTS network from various attacks. Thisentire section focuses on DoS attack which may exist in the UMTS network whereas the pre-vention from other attacks has been discussed in the later section. We propose a tour puzzlescheme which prevents the UMTS network from DoS attack. Various cryptographic puzzleschemes have been introduced as a defense mechanism to prevent DoS attack, but they havesome drawbacks. Our proposed scheme overcomes the various limitations of existing tourpuzzle schemes.

4.1 Security Requirements for a Puzzle Scheme

A cryptographic puzzle scheme should satisfy certain requirements in order to qualify asa better defense mechanism [30]. The primary attribute of a client puzzle is that it shouldbe neither impossible nor too easy to solve. Several cryptographic puzzles are based on theinversion of hash function [31,32]. It is important to note that the puzzle generation and itssolution verification must produce minimal computation and memory overhead at the server.Otherwise, there may be a chance that the puzzle mechanism itself becomes a reason forDoS attack when an attacker transmits bulky fake requests for puzzle generation or a hugenumber of puzzle solutions. Additionally, a protocol with a strong client puzzle scheme maynot be secure enough against DoS attack if the required security is not provided to the puzzle.Another important point is that before a server wishes to perform some high computationoperations, it must ensure that the client has committed some of its own resources for solvinga puzzle. The initial model for client puzzles was described by Jakobsson and Juels [32].Then after Rivest et al. [33] proposed a concrete modular exponentiation puzzle based onRSA modulus factorization problem, however, these puzzles require a demanding server toexecute computationally intensive exponentiation to verify their solutions. More recently,Stebila and Ustaoglu [34] proposed a security model for DoS resistance of key exchangeprotocols. Recently, some other client puzzle based schemes have been proposed to overcomeDoS attack [35,36]. The following are the requirements for a puzzle scheme:

(1) Computation Assurance The cryptographic puzzle gives computation assurance whichmeans a lower and upper bound on the number of cryptographic operations carried out atclient end to solve the puzzle. The puzzle should be hard enough for malicious user to solvein reasonable time [37].

(2) Efficiency The performance efficiency of the server in terms of speed, storage capacity,bandwidth etc., must be high for puzzle generation, distribution, and client verification. Allthe operations carried out must add minimal server overhead and good enough to tackledenial of service attack [38].

123


(3) Puzzle Granularity Puzzle granularity ensures that the degree of difficulty can beincreased or decreased based on the assessment to observe the behavior of a user.

(4) Correlation-free Applying inference knowledge from other puzzle solutions should notstrong enough to easily solve the new puzzle.

(5) Tamper-resistance The puzzle scheme should be able to resist the replay attack overtime. One time puzzle generation can be used to avoid reusability of the answer of a puzzleat multiple clients.

(6) Non-parallelizability A strong coupling between puzzle modules limits its parallel imple-mentation. It prevents parallel computation by malicious client for puzzle solution.

(7) Puzzle fairness An approximate time must be spent to solve a puzzle by authentic clientirrespective of the resources used. This property helps in preventing the network from DoSattack to an acceptable level.

We stress on tour based puzzle scheme because these puzzles require a minimum amount oftime to solve. We consider the size of puzzle and its solution of 128 bits each. The generationof our tour based puzzle scheme requires the readers to follow subsequent subsections.

4.2 Drawbacks in Existing Tour Puzzle Schemes

The existing tour puzzle schemes are efficient against both, resource consumption DoS attackand protocol related DoS attacks, but still they have vulnerabilities that can be exploited toincrease the load on server even more. These types of abnormal requests generated by theclients can cause the computation in the puzzle itself to be done repeatedly and cause stresson server. Some of the major drawbacks or vulnerabilities found in the existing tour puzzlescheme are as follows:

(1) Multiple requests for puzzle by a client In the tour puzzle scheme [30], the server repliesto all clients with a Service Restricted message, indicating that a puzzle needs to be solvedin order to receive service, whenever the server suspects it is under attack or its load is abovecertain threshold. The server also allows a single client to experience different tours (nx ) byproviding the server with different nx without performing any check before giving a tour.However, it may cause congestion or heavy load on the server if multiple clients send theirrequests for resource allocation to the server (DDoS attack). Thus, we see that an exhaustedserver’s condition can be forced with sending fake requests by malicious clients.

(2) No communication between server and nodes In the tour puzzle scheme [30], after receiv-ing a puzzle from the server, the client traverses each node and reaches the last node where itsends the puzzle answer to the server. A legitimate client follows the correct path of execu-tion; however, a malicious client can request a puzzle and sends an answer after visiting onlyfew nodes or even after visiting the first node in the guided tour. Then the server validatesfirst outcome sent by the client that should be correct in order to proceed further to calculatemore outcomes and can find one of them to be false. But by the time server realizes that theanswer was false and sufficient resources are spent by it during this process. The problem canbe more severe, if a client uses different nonce to take new puzzle and sends fake answers tothe server only after visiting the first node.

(3) Excessive computation at the server In [30], a lot of computation is involved in calculatingthe answer sent by the client. A major part of calculation and computation performed by the

123


server increases load on it. The client does not have to do any major calculation but onlywaits for the nodes to get the next address and traverse it in order to complete the puzzlesolution.

4.3 Improvements in Tour Puzzle

In this subsection, we propose some improvements in the existing tour puzzle scheme andincorporate them while developing our new tour puzzle scheme which works with our pro-posed AKA protocol (explained later). The key point in our tour puzzle scheme is that theVLR maintains {Ax , Cx , tx , Px , ix } for each MS. In our scheme, a tour puzzle contains onlytwo fixed nodes, one is VLR and other is proxy connected to respective VLR. The followingare the proposed improvements in tour puzzle scheme:

(1) Pre-puzzle allocation check Our first proposition is to place an algorithm before the VLR(server) starts allocating the puzzle and in turn resources to the MS (client). The VLR keepstrack of unique individual MS’s Ax i.e., address of each MS, and number of times it hasrequested within a fixed time T by a counter Cx . It also stores the last time access of eachAx called tx to check whether the MS is requesting within predefined time interval T bycomparing it with the current time. This tx is updated each time Ax requests service, sendsanswer or its puzzle timeout. If an MS fails to solve puzzle in time or sends incorrect answer,value of Cx is incremented and thereby complexity of puzzle given to that MS is increasedexponentially. In case the MS is already given a puzzle and requests service interim, thecurrent tour is terminated and the MS’s Cx is incremented.

The VLR periodically decreases the counter value after fixed time tr for each MS, hence,the MS that does not send request rapidly lowers value of Cx , thereby receiving less difficultpuzzles. The frequent requests by an MS increases the value of Cx faster and the MS has towait more to get easier puzzle. The (tr *Cx ) is the amount of time it takes for Cx value to dropto 0. Once the value of Cx is dropped to zero, the entry in database is deleted and memory isfreed. However, the VLR must check if a puzzle has been assigned to the MS then it shouldwait for the answer or timeout of puzzle before deleting the entries from database. If the MSsuccessfully completes the puzzle within given time, the database entry is deleted.

(2) Randomized answer A random number Px is associated with every tour puzzle (aftersolving the first part of puzzle) assigned to an MS. The VLR stores and sends a random valuePx to the proxy which is used as a parameter to compute the final answer of the puzzle. TheMS follows the trail of tour guide and reaches the proxy. The proxy sends Px to the MS andthe MS sends Solu2’ as final answer of the given puzzle to the VLR.

(3) Completion of tour The proxy sends yes/no flag notification, which indicates that theclient has sent the correct solution for phase-1. If the final solution Solu2’ ?= Solu2 holdsthen the VLR changes the value of corresponding MS’s ix from 0 to 1. The VLR accepts theanswer from the MS only if the value of ix is 1. Once MS sends the answer (whether corrector incorrect), the value of ix is changed to zero. Same is the case with timeout of puzzle. Bydoing so, the VLR ensures that the MS is legitimate. This would ensure that no MS sends theanswer in the middle or halfway through a tour or sends answer multiple times after visitingthe proxy. It also prevents a malicious MS from sending the answer to the VLR who hadnever made a request to the VLR for resource allocation.

123


4.4 Proposed Tour Puzzle Scheme

This subsection presents a new tour puzzle scheme based on the improvements discussed inthe previous subsection. Here, ts is the start time at which the MS request is generated whiletx is the last time access of each MS. The proposed tour puzzle scheme is as follows:

Proposed Tour Puzzle Scheme if MS requests for service without answer if xA entry does not exists in database

create database entry ( xA , xC = 0 , xt = st , xP =Random number, xi =0);

send a puzzle to MS; else if xA entry exists in database

if MS is running a tour, i.e., H exists

xC = xC +1;

terminate current connection of xA ;

else if MS is not running a tour

if st - xt T

xC = xC +1;

Send a new puzzle; else if st - xt >T

sends a new puzzle; else if MS requests service with answer

if xA entry does not exists in database

xA entry exists in database

xi == 0

xi == 1

) for the MS at Proxy;

xP to the MS;

xi = 0;

xC = xC +1;

xi = 0;

ignore;

else if

if

ignore;

else if

verify the answer (H, if answer is correct

Send a random number

if Solu2’ is correct (Solu2’ ?= Solu2) at VLRallow access to resources;

tour of MS is completed;else if answer is invalid

terminate tour of MS;

α

123


Ax entry exists in

database?

Yes

Yes

No

st - xt ≤ T

Yes

No

Create database entry;

Sends a puzzle to MS;

Cx ++;

Terminate connection of Ax;

Cx ++; Send a new puzzle;

Send a new puzzle;

Is MS running a

tour?

MS request for service;

Start

Is requested without answer?

No

Yes

No

Verify the answer (H, α) for the MS at Proxy;

Answer is correct?

Yes

No

Proxy sends a random number Px to the MS;

Solu2’ ?= Solu2 at

VLR

Allow Access to Resources;

xi = 0; tour of MS is completed;

Yes

Cx ++;

xi = 0;

Terminate tour of MS;

End

MS solves Puz and sends answer;

No

Ax entry does not exist in

database?

No

Yes

Ignore;

ix ==0?

No

Yes

Ignore;

5 Focus on Proposed Protocol

In this section, we focus on the development of Secure-AKA protocol for UMTS network.First, we set the security goals for our proposed protocol and then explain our protocol indetails.

5.1 Goals for Our Protocol

In order to maintain proper security in the UMTS network, we need to define the goals forthe proposed protocol that must be achieved during the design of the protocol. We define thesecurity and performance goals for our protocol as follows:

1. The protocol must be able to provide mutual authentication between the MS and the VLR,and between the MS and the HLR.

2. The protocol should reduce the storage overhead at VLR, as in UMTS-AKA all therequested authentication vectors from the HLR to the VLR are stored in storage space ofVLR when user is in roaming area.

3. The actual identity of each MS i.e., IMSI, should be protected from being eavesdropped.4. The exchange of messages during the authentication process should be reduced in terms

of its size.

123


Fig. 1 Proposed tour puzzle based protocol

5. The protocol should effectively utilize the bandwidth in order to complete the authenti-cation process successfully.

6. The protocol should generate communication and computation overhead as less as pos-sible.

7. The protocol must be able to resist various possible attacks in the UMTS network.

5.2 Proposed Secure-AKA Protocol

In this section, we propose and present an efficient and secure authentication and key agree-ment protocol called Secure-AKA, which prevents redirection attack, man-in-the-middleattack, DoS attack, impersonation attack, and reduces the impact of network corruption. Thisprotocol follows the framework of original 3GPP UMTS-AKA protocol and overcomes theproblem of counter synchronization between the MS and the HLR. In the Secure-AKA pro-tocol, each MS and its HLR share a secret key SK, which is stored in the AuthenticationCenter (AuC) of HLR and onto the Subscriber Identity Module (SIM) card of the MS atthe time of manufacturing. Cryptographic functions f′, f′′, f1, f2, f3, f4, f5, f6, g, H, Solu1,Solu2, Ek{}, and DK{} are used in this protocol and Table 2 represents the description ofeach function. The protocol for puzzle based scheme is shown in Fig. 1 which consists of 7steps. These 7 steps are incorporated in the proposed protocol named ‘Secure-AKA’ whichprevents the UMTS network from various attacks including DoS attack. The Secure-AKAprotocol, as shown in Fig. 2, has divided into two phases and can be understood as follows:

Phase-1 Initially, the MS who wishes to make a request to the VLR to create a connectionfor the authentication, generates a temporary identity (TID) using f′ function with originalIMSI and a timestamp T1, where TID = f′(IMSI, T1). The MS sends (ReqNo, TID, T1,MAC1) to the VLR [message (1)] where ReqNo is the request number and MAC1 = f1SK(T1,LAI). Additionally, an integrity key IIK is generated which prevents the modification ofRRC messages during the communication before the protocol cipher mode is set, whereIIK = f′′SK(T1). Steps 2–7 shown in Fig. 2 only execute when protocol analyzes that theremight be DoS attack in the network. The analysis includes the network behavior, number ofrequests per time, reliability, number of connection failures etc. If it is the case, then the VLRsends a message back to the MS with ReqNo, T2, a puzzle Puz, and the proxy node identityPID [message (2)]. Simultaneously, the VLR sends ReqNo, a random number Rand, and

123


Fig. 2 Proposed Secure-AKA protocol a Phase-1, b Phase-2. MAC1 = XMAC1 = f1SK(T1,LAI),MAC2 = f1SK(T6,AMF), DK = f2SK(T1), MAC3 = f1DK(MAC2,T6,T7), AUTH = (MAC3,T6,T7,AMF),MAC3 = f1DK(f1SK(T6,AMF),T6,T7), RES = XRES=f3DK(T7), CK = f4DK(T6), IK = f5DK(T6),EK = f6DK(T6), MAC3’ = XMAC3’ = f1DK(MAC2,T6,Ti), RES’ = XRES’ = f3DK(Ti)

the puzzle Puz to the proxy server/node which is directly connected to the VLR [message(3)]. Then the proxy waits for the answer from any MS until a threshold time is reachedafter receiving the message from the VLR. On receiving a message from an MS with (T3,ReqNo, H) [message (4)], the proxy compares ReqNo. If the message is not received withinthe threshold time then the request from that MS will be dropped and the proxy sends thisnotification to the VLR, which then terminates the connection. Here, H is the hash code ofthe solution generated for the puzzle, i.e. Solu1’. The proxy generates the answer of puzzle,i.e., Solu1, and computes α which is the hash code of Solu1. Then the proxy compares α

with the received H, if both do not match then proxy sends a notification message to the VLRwith flag value ‘no’ and the connection is released, otherwise proxy sends ‘yes’ flag with theSolu1 [message (5)].

The proxy node can wait for a random amount of time before sending the notificationto the VLR, if it finds the duration between the messages received from VLR and the

123


MS is less than the expected or threshold time. Please note that the proxy sends Solu1’to the VLR only if the flag value is ‘yes’ (which means that connection is alive). If theVLR finds the mode of flag ‘yes’ then it sends a message with (T4, ReqNo, Rand) tothe MS [message (6)]. After receiving the message from the VLR, the MS computes thefinal solution Solu2’ as Solu2’=f(Solu1’, Rand). Then MS sends (T5, ReqNo, Solu2’) tothe VLR [message (7)]. On getting this message, the VLR computes Solu2 and com-pares it with the received Solu2’. If it does not hold then connection is simply termi-nated, otherwise, the VLR sends (TID, T1, MAC1) to the HLR along with the knownlocation area identity (LAI) of MS [message (8)]. After receiving such information, theHLR derives XMAC1 (XMAC1 = f1SK(T1, LAI) and compares it with the received MAC1.If both are equal then the MS is a legitimate user. The HLR generates IMSI by passingthe TID and T1 to the f′ function [IMSI = f′(TID, T1)]. The working of f′ is in such away if we pass TID to it then we receive the output as IMSI and if we pass IMSI asinput then we get TID as an output of it. The function can be understood like an XORoperation, however, we recommend to use a complex function. Then the HLR generates(T6, DK, MAC2, AMF), and passes to the VLR [message (9)] where MAC2 = f1SK(T6,AMF).

On receiving, the VLR generates T7 and computes MAC3 where MAC3 = f1DK (MAC2,T6, T7). The VLR transmits AUTH to the MS which includes MAC3, T6, T7, and AMF[message (10)]. On receiving AUTH, the MS generates DK key [DK = f2SK(T1)], com-putes XMAC3 and compares it with the received MAC3 (MAC3 ?= XMAC3). If it holdsthen the MS computes RES, CK, IK, and EK where RES = f3DK(T7), CK = f4DK(T6),IK = f5DK(T6), EK = f6DK(T6). Then the MS sends RES to the VLR [message (11)]. Onreceiving, the VLR computes XRES as XRES = f3DK(T7) and compares it with the receivedRES (RES ?= XRES). If both are equal then the VLR generates CK, IK, and EK key. After thesuccessful mutual authentication, the VLR assigns a new TMSI to the TID and sends to theMS in cipher mode using EK key [message (12)]. After receiving the message (12) from theVLR, MS decrypts the TMSI and acknowledges the receipt of TMSI to the VLR [message(13)]. Here, the size of the acknowledgement (ACK) is considered of 16 bits. Finally, theMS, VLR, and HLR store the pairs (IMSI, TMSI), (TMSI, TID), and (TID, IMSI) in theirstorage space respectively. The function Solu1() and Solu2() are used to generate the solu-tion1 (Solu1) and solution2 (Solu2) respectively for the given puzzle. At the completion ofauthentication process, TID will be recognized between the VLR and the HLR, while TMSIwill be recognized between the MS and the VLR.

Phase-2 It is devoted to the subsequent authentications between the MS and the VLR withina time limit (Expiry time of session secret key DK). The MS sends an authentication requestto the VLR including the TMSI and current timestamp Ti [message (1)]. On receiving, theVLR verifies the TMSI by checking whether it is stored in the storage space or not. If it isthere, that means the MS is not requesting for the first time, but, is requesting for the subse-quent authentications. The VLR then checks whether Ti ≤ ExpTime, where ExpTime is themaximum expiry time after which any request for the subsequent authentication is discarded.If both are valid then the VLR computes the MAC3’ [MAC3’ = f1DK(MAC2, T6, Ti)] andsends to the MS [message (2)]. Then the MS computes XMAC3’ (XMAC3’ = f1DK(MAC2,T6, Ti) and checks whether MAC3’ ?= XMAC3’. If it holds then the MS computes RES’[RES’ = f3DK(Ti)] and sends to the VLR [message (3)]. On receiving, the VLR computesXRES’ [XRES’ = f3DK(Ti)] and compares it with the received RES’. If both are equal thenthe authentication is successful. Now, both the MS and the VLR can use CK, IK, and EKkeys for the purpose of confidentiality, integrity, and encryption.

123


6 Analysis of Secure-AKA Protocol

In this section, we discuss the security and performance analysis of Secure-AKA protocolin terms of resistance to various attacks, communication and computation overheads, andbandwidth utilization.

6.1 Resistance to Attacks

This subsection discusses about the resistance to various possible attacks over the UMTSnetwork.

6.1.1 Redirection Attack and Black-hole Attack

The LAI is not protected in the UMTS network and can be altered or changed by an adversarywith some devices such as IMSI catcher, which leads to the redirection attack. In Secure-AKA, the message authentication code is used to maintain the integrity of LAI and therebyprevents the UMTS networks from the redirection attack. This attack fails if the malicioususer is unable to obtain the information from the MS of legitimate user. In the proposedprotocol, the MS involves the LAI of BTS in MAC1 and sends this MAC1 to the VLR inmessage (1). The authentication request is denied if the HLR fails to match the LAI sentby the VLR in message (8) with the LAI embedded in MAC1. Such a technique solves theproblem of mischarged billing in the UMTS network. Thus, this scheme also prevents theUMTS network from the black-hole attack.

6.1.2 Replay Attack

The Secure-AKA protocol is free from this attack by sending timestamp T1, T2, T3, T4, T5,T6, T7, and Ti with the messages during the transmission of information over the network.This prevents the misuse of valid information as an adversary can delay the message over thenetwork and can send it later for some malicious purpose if no random number or timestampis involve in the transmitted message.

6.1.3 Man-in-the-Middle Attack

A man-in-the-middle attack occurs when an adversary eavesdrops the communicated infor-mation between the MS and the BTS. In Secure-AKA, the EK key is used between the MSand the VLR. This key prohibits the communication from being eavesdropped. In originalUMTS-AKA, no such key exists; however, this EK key is introduced in Secure-AKA protocolto defeat the man-in-the-middle attack.

6.1.4 Impersonate Networks

Over UMTS network, the corruption of a VLR/HLR affects the security of whole network.Following are some scenarios in which an attacker or adversary can try to impersonate theUMTS network:

Case-1 Let us consider that an impaired VLR is present in the network and it is assumed thatthe adversary can eavesdrop all its messages. The adversary must reply with a valid responseRES to the VLR in order to impersonate MS, but the adversary can not obtain correct RESsince RES was transferred between the MS and the uncorrupted VLR only.

123


Case-2 When the adversary tries to impersonate uncorrupted VLR, the adversary begins theprotocol by sending MAC1 and LAI to the HLR in message (8) where MAC1 was previouslysent by the MS to the VLR. Now, the adversary requests for the authentication vectors (inplace of the actual user) through the impaired network VLR. But after verifying MAC1, theHLR concludes that the MS is not present in the VLR and rejects the request.

Case-3 If the adversary tries to impersonate uncorrupted network, the attempt to impersonateit gets fail as the MS can verify that previously there was no request for authentication vector.

6.1.5 Denial of Service (DoS) Attack

The DoS attack and its variants are discussed in the following scenarios: The attackerMS’ floods the victim VLR with the authentication request by spoofing the IMSI/TMSI,a timestamp T1, a request number ReqNo, and MAC1. Then, T2, ReqNo, Puz, PID arereturned back from the VLR to the spoofed source MS.Case-1: The attacker MS’ floods the victim VLR by self IMSI

(1) If the malicious MS does not respond within the threshold time duration to the proxythen the connection is simply terminated. Then VLR resets the authentication requestand makes free the resources that are used to maintain the authentication request status.

(2) Additionally, if it is a malicious user then the proxy will not get the hash of Solu1’ orwill receive invalid hash. There is a timeout period for each MS to maintain the state ofhalf-opened authentication requests. If the attacker MS’ causes overflow at the victimVLR with the half-open authentication requests, then the VLR cannot accept any newincoming authentication requests. However, even if the attacker’s hash matches with α,he/she cannot compute the same Solu2’ which requires the knowledge of a secret functionf′ along with a random number Rand.

Case-2: The attacker MS’ floods the victim VLR by spoofing IMSIThere are two different scenarios for such a case as:

Scenario-1 In the first scenario, if the actual MS that receives a puzzle Puz message is notactive then the proxy will not receive any information from the MS. In this scenario, theprocess is similar to case-1. The proxy waits for a threshold time to hear from the MS. Afterthe timeout period, the VLR resets the authentication request and does free the resources thatare used to maintain the authentication request status.

Scenario-2 In the second scenario, if the MS is active, it will send a signal for reset to theVLR since it didn’t initiate any authentication request. If the victim VLR receives the resetsignal, it can free the resources that are used to maintain the authentication request status.The low rate DoS attack exploits the fact that most systems have a retransmission timeout(RTO) for one second. It would be difficult for the attacker to predict the next RTO valueif the RTO is set to any random values and this ultimately would help in controlling therate of attack [37]. Thus, we also propose the timeout to be in random nature. During theinitial authentication, a malicious MS’ may launch a DoS attack either to the HLR or to thevisited VLR. If the MS’ forges message (1), the forged message can be detected by the HLRon receipt of message (8) and that can also be immediately detected by the VLR with DKauthorized by the HLR for phase-2 message exchanges.

Thus, Secure-AKA protocol resists such DoS attacks (DDoS and LDoS), since the forgedmessages can be detected by the HLR and the VLR. In fact, in this protocol the HLR is

123


supposed to receive a TID from the MS which is neither an actual IMSI of the MS nor aTMSI for the network. Thus, an actual IMSI or a fake TMSI with f′ function will not be ableto extract correct IMSI of MS; hence the connection will be terminated. Thus, there is nochance that the attacker will be able to generate same TID from a victim MS’s IMSI. Weclaim that Secure-AKA protocol prevents the network from DoS attack while S-AKA cansolve the problem of DoS attack partially.

Dropping ACK Signal Since, the proposed protocol uses TID during the initial phase insteadof IMSI or TMSI, thus it is able to overcome the dropping ACK signal issue. There is noconfusion in the form of the transmitted identity of the MS. The reception of new TID by theVLR/HLR indicates the generation of new TMSI in the future.

6.2 Communication Overhead

In this subsection, we calculate total transmitted bits in order to evaluate communicationoverhead with respect to UMTS-AKA, Secure-AKA and other AKA protocols. This overheadcan be calculated with the help of values specified in Table 1. Total number of transmittedbits used by each protocol is as follows:

(1) UMTS-AKA protocolPhase-1: (1) + (2)+(3) = 256 + 608*n bitsPhase-2: ((4) + (5))*n = *n bitsTotal bits = 256 + 960*n(2) EURASIP-AKA (J. Al-Saraireh and S. Yousef’s AKA) protocolTotal transmitted bits = ((1) + (2) + (3))*n = 992*n bits(3) AP-AKA protocol It is assumed that the maximum idx = 32,000 = 228[1].Phase-1: (1) + (2) + (3) + ((4)*n) = 768+604*nPhase-2: ((5) + (6))*n = 348*nTotal transmitted bits = 768 + 952*n(4) S-AKA protocolPhase-1: (1) + (2) + (3) + (4) + (5) = 1,312 bitsPhase-2: ((1) + (2) + (3))*n = 680*n bitsTotal transmitted bits = 1,312 + 680*n(5) COCKTAIL-AKA protocolPhase-1: (1) + (2) + (3) = 1,200Phase-2: ((4) + (5))*n = 432*nTotal transmitted bits = 1,200 + 432*n(6) X-AKA protocolPhase-1: (1)+(2)+(3) = 880Phase-2: ((4)+(5))*n = 432*nTotal bits = 880 + 432*n(7) EXT-AKA (IJTACS) protocolPhase-1: (1)+(2)+(3) = 1,008Phase-2: ((4)+(5))*n = 432*nTotal transmitted bits = 1,008 + 432*n(8) Secure-AKA protocolPhase-1: ((1) +(2) +(3) +(4) + (5) + (6) + (7) +(8) +(9) + (10) + (11) + (12) + (13)) = 3,289 bitsPhase-2: ((1) + (2) + (3))*n = 320*nTotal transmitted bits = 3,289+320*n

123


Fig. 3 Communication overhead

Figure 3 represents the communication overhead generated by various existing AKAprotocols by varying the number of mobile stations for authentication requests. We canclearly observe that Secure-AKA protocol generates minimum communication overhead ascompared to existing AKA protocols AP-AKA, S-AKA, EURASIP-AKA, UMTS-AKA,COCKTAIL-AKA, X-AKA, and EXT-AKA.

6.3 Computation Overhead

A unit value is considered in order to measure the computational overhead for all the securityfunctions used, however practically these functions may be differ and are operator specific[28,39]. The reason for choosing unit value is that it considers all the functions of variousAKA protocols as global and provides equal weight without knowing their structures. Toevaluate the computation overhead, we need to calculate total number of functions used ineach AKA protocol.

(1) UMTS-AKA protocolPhase-1: {f1(), f2(), f3(), f4(), f5()}*n = 5*n,Phase-2: {f1(), f2(), f3(), f4(), f5()}*n = 5*nTotal functions used = 10*n(2) EURASIP-AKA (J. Al-Saraireh and S. Yousef) protocolTotal functions used = {f5(), f1(), f1(), f2(), f2(), f3(), f4(), f3(), f4()}*n = 9*n(3) AP-AKA protocolPhase-1: {Hk(), Fk(), Fk(), (Fk(), Gk(), Hk(), Fk())*n} = 3 + 4*n,Phase-2: {Hk(), Fk(), Fk(), Fk()}*n = 4*nTotal functions used = 3 + 8*n(4) S-AKA protocolPhase-1: {f1(), f6(), f1(), f1(), f6(), f1(), f1(), f1(), f3(), f4(), f2(), f7(), f2(), f3(), f4(),

f7()} = 16Phase-2: {f1(), f6(), f1(), f1(), f1(), f1(), f1(), f2(), f2()}*n = 9*n

123


Fig. 4 Computation overhead

Total functions used = 16 + 9*n(5) COCKTAIL-AKA protocolPhase-1: {f1, f5, f3, f4, f2, f2, f2, f3, f4, f3, f4, f2, f5} = 13,Phase-2: {f1, f1, f1, f2, f3, f4, f2, f3, f4}*n = 9*nTotal functions used = 13 + 9*n(6) X-AKA protocolPhase-1: {f1, f1, fx, f1, f1} = 5Phase-2: {f1, f1, f2, f2, f3, f4, f3, f4}*n = 8*nTotal functions used = 5 + 8*n(7) EXT-AKA protocol (J. Al-Saraireh and S. Yousef, IJTACS)Phase-1: {f1, f99, f1, f1} = 4,Phase-2: {f1, f99, f1, f1, f2, f2, f3, f4, f3, f4}*n = 10*nTotal functions used = 4 + 10*n(8) Secure-AKA protocolPhase-1: {f′(), f1SK(), g(), H, Solu1, Solu1, Solu2, Solu2, f′(), f1SK(), f1SK(), f2(),

f1SK(), f1SK(), f1DK(), f2(), f4(), f5(), f3(), f6(), f4(), f5(), f3(), f6(), {}EK, {}DK} = 26,Phase-2: {f1DK(), f1DK(), f3(), f3()}*n = 4*nTotal functions used = 26 + 4*n

Figure 4 illustrates the computation overhead generated by each AKA protocol in termsof bits with varying the number of MS. The figure shows that Secure-AKA protocol gen-erates minimum computation overhead than UMTS-AKA, AP-AKA, EURASIP-AKA, S-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocol. An individual 1:1 comparisonfor Secure-AKA protocol is carried out in Figs. 5 and 6 for communication and computa-tion overheads respectively with respect to already existing AKA protocols, when numberof authentication requests n = 50, 100, 200, 500, and 1,000 (our assumption). The utmostefficiency of Secure-AKA protocol is observed in terms of maximum reduction of commu-nication and computation overheads against EURASIP-AKA, UMTS-AKA, and EXT-AKAprotocols respectively.

123


Fig. 5 Communication overhead (Secure-AKA/other protocols)

Fig. 6 Computation overhead (Secure-AKA/other protocols)

6.4 Bandwidth Consumption

The bandwidth consumption in each AKA protocol varies with the number of AVs transmittedfrom the VLR/HLR to the MS. Let there be ‘n’ authentication vectors which are transmitted.Table 3 shows the bandwidth consumption of each AKA protocol, when the number ofauthentication requests within same VLR varies as n = 50, 100, 200, 500, and 1,000 (ourassumption).

123


Table 3 Bandwidth consumption analysis

No. ofAVs

AP-AKA/UMTS-AKA

EURASIP-AKA/UMTS-AKA

S-AKA/UMTS-AKA

COCKTAIL-AKA/ UMTS-AKA

X-AKA/UMTS-AKA

EXT-AKA/UMTS-AKA

Secure-AKA/UMTS-AKA

50 1 1.02 0.73 0.47 0.46 0.46 0.4

100 0.99 1.03 0.72 0.46 0.45 0.45 0.36

200 0.99 1.03 0.71 0.45 0.45 0.45 0.35

500 0.99 1.03 0.71 0.45 0.45 0.45 0.34

1,000 0.99 1.03 0.7 0.45 0.45 0.45 0.33

Avg 0.99 1.02 0.71 0.45 0.45 0.45 0.35

Table 4 Message exchanged analysis

No. ofAVs

AP-AKA/UMTS-AKA

EURASIP-AKA/UMTS-AKA

S-AKA/UMTS-AKA

COCKTAIL-AKA/ UMTS-AKA

X-AKA/UMTS-AKA

EXT-AKA/UMTS-AKA

Secure-AKA/UMTS-AKA

50 0.8 0.9 0.93 0.92 0.81 1 0.45

100 0.8 0.9 0.91 0.91 0.8 1 0.42

200 0.8 0.9 0.9 0.9 0.8 1 0.41

500 0.8 0.9 0.9 0.9 0.8 1 0.4

1,000 0.8 0.9 0.9 0.9 0.8 1 0.4

Avg 0.8 0.9 0.9 0.9 0.8 1 0.41

One can clearly observe that on an average, Secure-AKA protocol is able to reduce 65 %of the bandwidth consumption which is the maximum reduction of bandwidth by any AKAprotocol as compared to UMTS-AKA protocol. Similarly, Table 4 represents that Secure-AKA protocol reduces 59 % of the messages exchanged ratio in terms of computations forthe authentication, when the number of authentication requests n = 50, 100, 200, 500, and1,000.

Table 5 represents the average bandwidth consumption and average message exchangedratio for Secure-AKA protocol with respect to existing AKA protocols. Table concludes thaton an average, Secure-AKA reduces 65, 64, 66, 51, 22, 22, and 22 % of the bandwidth con-sumption as compared to UMTS-AKA, AP-AKA, EURASIP-AKA, S-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocols respectively. Similarly, on an average, Secure-AKAprotocol is able to lower the 59, 48, 54, 55, 54, 48, and 59 % of the messages exchanged ratioduring the authentication process in comparison to UMTS-AKA, AP-AKA, EURASIP-AKAS-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocols respectively.

6.5 Summary of Attack Resistance

Table 6 summarizes resistance to various attacks by different existing AKA protocols inthe UMTS network. All existing protocols mentioned in Table 6 are free from replay andactive attacks in corrupt network. The AP-AKA prevents network from redirection attackbut penetrable to man-in-the-middle attack. The X-AKA, EXT-AKA, and EURASIP-AKA

123


Table 5 Average overhead analysis

Protocols/parameters

Secure-AKA/UMTS-AKA

Secure-AKA/AP-AKA

Secure-AKA/EURASIP-AKA

Secure-AKA/S-AKA

Secure-AKA/COCKTAIL-AKA

Secure-AKA/X-AKA

Secure-AKA/EXT-AKA

Avg. bandwidthconsumption

0.35 0.36 0.34 0.49 0.78 0.78 0.78

Avg. messageexchange

0.41 0.52 0.46 0.45 0.46 0.52 0.41

Table 6 Protocols versus different attacks

Protocol versusattacks

UMTS-AKA

AP-AKA

X-AKA EXT-AKA

EURASIP-AKA

COCKTAIL-AKA

S-AKA Secure-AKA

Prevention to replayattack

Yes Yes Yes Yes Yes Yes Yes Yes

Prevent active attack incorrupt network

Yes Yes Yes Yes Yes Yes Yes Yes

Prevent MITM attack No No No No No Yes Yes Yes

Prevent redirectionattack

No Yes No No No Yes Yes Yes

Prevent DoS attack No No No No No No Partially Yes

are not able to prevent UMTS network from redirection and man-in-the-middle attacks;however, COCKTAIL-AKA and S-AKA are able to overcome the problem of such attacks.Our Secure-AKA protocol prevents the UMTS network from all such attacks including DoSattack while only S-AKA protocol is able to resist DoS attack partially.

6.6 Secure-AKA Protocol Simulation

The Secure-AKA protocol has simulated in Java environment. The protocol has consideredas client server paradigm where MS is the client and, VLR and HLR are servers. We haveimplemented function f1() as HMACSHA1 function. Further, functions f2(), f3(), f4(), f5(),and f6() are considered as HMACSHA256 function. However, all these functions are networkoperator specific. The output of function f1() is truncated to 64 bits as the output of thisfunctions is MCA1/ MAC2/ MAC3/ MAC3’ of 64 bits in size. Similarly, the output offunctions f2()/f4()/f5()/f6() and function f3() are truncated to 128 and 64 bits, respectively.All the results presented in the paper have been obtained on Core i3 processor, 2GB RAM, 320GB hard disk and Windows7 operating system, and J2ME WTK with JDK1.6 environment.In all tables, the unit of time is milliseconds and memory/space is measured in bytes. Sincethe simulation time of Secure-AKA is measured on a PC thus, we may obtain the differenttime estimation as perform in real 3G UMTS networks. In order to minimize this difference,we have considered the message transmission time according to the data speed of UMTSnetwork which is normally considered from 384 kbps to 2 Mbps. Thus, we simulated Secure-AKA and calculated the transmission time for each message with a speed of 384 kbps aswell as with 2 Mbps.Secure-AKA protocol (384 kbps)

Total Secure-AKA messages transmission time = (1) ReqNo, TID, T1, MAC1 + (2)ReqNo, T2, Puz, PID + (3) ReqNo, Rand, Puz + (4) ReqNo, T3, H + (5) Y/N, Solu1

123


Table 7 Computation for each function used in secure-AKA

Function f′() = fun of XOR g()/H = [SHA256]

ExT PCPUT TUM ExT PCPUT TUM

0.84 93.60 12,968,288 78.0 109.20 12,990,648

Ext execution Time (ms), PCPUT process CPU time (ms), TUM total used memory (bytes)

Table 8 Computation for each function used in Secure-AKA

f1() = [HMACSHA1] f2()/f3()/f4()/f5()/f6() = [HMACSHA256]

ExT PCPUT TUM ExT PCPUT TUM

221.60 296.40 15,211,840 273.41 296.40 15,204,024

+ (6) T4, ReqNo, Rand + (7) T5, ReqNo, Solu2’ + (8) TID, T1, MAC1, LAI + (9) T6,MAC2, DK, AMF + (10) MAC3, T6, T7, AMF + (11) RES + (12) {TMSI}EK + (13)ACK = 3,289*2,543/1,000*1,000 = 8.3 ms.Secure-AKA protocol (2 Mbps)

Total Secure-AKA messages transmission time = (1) ReqNo, TID, T1, MAC1 + (2)ReqNo, T2, Puz, PID + (3) ReqNo, Rand, Puz + (4) ReqNo, T3, H + (5) Y/N, Solu1+ (6) T4, ReqNo, Rand + (7) T5, ReqNo, Solu2’ + (8) TID, T1, MAC1, LAI + (9) T6,MAC2, DK, AMF + (10) MAC3, T6, T7, AMF + (11) RES + (12) {TMSI}EK + (13)ACK = 3,289 * 476/1,000 * 1,000 = 1.6 ms.

The execution time, process CPU time, and total memory usage for f′(), g()/H, f1(), andf2()/f3()/f4()/f6() can be observed from Tables 7 and 8. For function f′(), we implementeda simple XOR based function however we recommend to use a complex function. For theencryption and decryption of TMSI in step-12 of Secure-AKA protocol, we prefer to use AESalgorithms which is considered one of the best algorithm. It has been found that AES takes40 ms to encrypt ({}EK) and 18 ms to decrypt ({}DK) a single message [40]. Further, weborrowed the puzzle solution time from [41] which takes on an average 44.88 s (44,880 ms)to generate and solve a puzzle. The security level for the puzzle is considered as 240 whichis very difficult level. The solution to puzzle is generated using Smart Dust simulator whichis a Java Simulator. However, the puzzle generation and solution time differs from puzzle topuzzle and their complexity levels. Since we know the transmission time for all the messagessent along with the computation time for each function used in Secure-AKA protocol, thuswe can easily calculate the total time required for the execution of Secure-AKA protocol.

Total execution time for Secure-AKA = Total messages transmission time + 2*f′() forIMSI/TMSI + 2*g()/H for hash + 2*f1() for MAC1 + 2*f1() for MAC2 + 2*f1() for MAC3 +2*f3() for RES + 2*f4() for CK + 2*f6() for EK +2*f5() for IK + 2*f2() for DK + {}EK + {}DK+ Puzzle solution time [Puzzle generation + 2*Solu1() for Puzzle + 2*Solu2() for Puzzle].

Total execution time for Secure-AKA protocol (384 kbps) = 8.3 + 2*0.84 + 2*78.0 +2*221.60 + 2*221.60 + 2*221.60 + 2* 273.41 + 2* 273.41 + 2* 273.41 + 2* 273.41 + 2*273.41 + 40 + 18 + Puzzle solution time = 8.5 + 1.68 + 156 + 443.20 + 443.20 + 443.20 +546.82 + 546.82 + 546.82 + 546.82 + 546.82 + 40 + 18 + Puzzle solution time = 4287.68 +Puzzle solution time (in ms).

Total execution time for Secure-AKA protocol (2 Mbps) = 1.6 + 2*0.84 + 2*78.0 +2*221.60 +2*221.60 + 2*221.60 + 2* 273.41 + 2* 273.41 + 2* 273.41 + 2* 273.41 +

123


2* 273.41 + 40 + 18 + Puzzle solution time = 8.5 + 1.68 + 156 + 443.20 + 443.20 + 443.20+ 546.82 + 546.82 + 546.82 + 546.82 + 546.82 + 40 + 18 + Puzzle solution time = 4,281.18+ Puzzle solution time (in ms).

Since, from [41] example of puzzle, the puzzle solution time is 44,880 ms, thusTotal execution time for Secure-AKA with 384 kbps speed = 4,287.68 + 44,880 = 49,

167.68 ms.Total execution time for Secure-AKA with 2 Mbps speed = 4,281.18 + 44,880 = 49,

161.18 ms.Similarly, we can calculate the estimate time for each subsequent authentication (phase-2)

during the session (within the expiry time) as:Total execution time for Secure-AKA Phase-2 protocol = Total messages transmission

time (Phase-2) + f1() for MAC3’ + 2*f3() for RES’Total execution time for Secure-AKA Phase-2 protocol (384 kbps) = (320*2,543/1,000*

1,000) + 2*221.60+ 2* 273.41 = 990.83 ms.Total execution time for Secure-AKA Phase-2 protocol (2 Mbps) = (320*476/1,000*1,000)

+ 2*221.60+ 2* 273.41 = 990.17 ms.

6.7 Formal Proof of Secure-AKA Protocol

In order to clear statement of our analysis, we use the BAN-Logic symbols to formal proofthe authentication process of Secure-AKA protocol.

1. A|≡ X : A believes X, or A would be entitled to believe X.2. A� X : A sees X. Someone has sent a message containing X to A, who can read and repeat

X.3. A|∼ X : A once said X. A at some time sent a message including the statement X.4. A|⇒ X : A has jurisdiction over X. A is an authority on X and should be trusted on this

matter.5. #(X): The formula X is fresh, that is, X has not been sent in a message at any time before

the current run of the protocol.

6. AK↔ B: A and B may use the shared key K to communicate.

7. AX⇔ B: The formula X is a secret known only to A and B.

8. (X)y : This represents X combined with the formula Y that Y be a secret.

(1) The formal messages in the Secure-AKA protocolPhase-1: Message (1): M S → V L R : T a, Req No, f ′(I M SI, T a), f 1(T a, L AI )SK ;

M SSK↔ H L R

Message (2): V L R → M S : T b, Req No, Puz, P I DMessage (3): V L R → Pr oxy : Req No, Rand, PuzMessage (4): M S → Pr oxy : T c, , Req No, HMessage (5): Pr oxy → V L R : Flag, Solution1Message (6): Pr oxy → M S : T d, Req No, RandMessage (7): M S → V L R : T e, Req No, Solution2Message (8): V L R → H L R : T I D, T a, L AI, f 1(T a, L AI )SK

Message (9): H L R → V L R : T f, f 2(T a)SK , AM F, f 1(T f, AM F)SK ;

V L RDK↔ H L R, f 2(T a)SK

Message (10): V L R → M S : T f, T g, AM F , f 1( f 1(T f, AM F)SK , T f, T g)DK

123


Message (11): M S → V L R : f 3(T g)DK ; f 4(T f )DK , f 5(T f )DK , f 6(T f )DK ,

M SC K↔ V L R, M S

I K↔ V L R, M SE K↔ V L R

Message (12): V L R → M S : {T M SI }E K

Message (13): M S → V L R : AC K {T M SI }Phase-2: Message (1): M S → V L R : T i, T M SIMessage (2): V L R → M S : f 1( f 1(T f, AM F)SK , T f, T i)DK

Message (3): M S → V L R : f 3(T i)DK

(2) Security assumptions

a. It is assumed that SK is a secure key which is shared between the MS and its HLR.

(1) MS has the secure key SK and M S|≡ M SSK↔ H L R

(2) HLR has the secure key SK and H L R|≡ M SSK↔ H L R

b. It is assumed that VLR trusts the HLR.

(1) V L R| ≡ H L R| ⇒ M SSK↔ H L R

(2) V L R|∼A,H L R�AH L R|≡V L R|≡A

(3) H L R|∼A,V L R�AV L R|≡H L R|≡A

c. It is assumed that communication between the HLR and the VLR is secure.

(1) V L R|≡ V L RA⇔ H L R, A is conveyance message between the VLR and the HLR.

(2) H L R|≡ V L RA⇔ H L R, A is conveyance message between the VLR and the HLR.

(3) Security analysisPhase-1: (1) M S → V L R : M S| ≡ #(T a), V L R � T a, Req No, f ′(I M SI, T a),

f 1(T a, L AI )SK

Message (2): V L R → M S : V L R|≡ #(T b), M S � T b, Req No, Puz, P I DMessage (3): V L R → Pr oxy : Pr oxy � Req No, Rand, PuzMessage (4): M S → Pr oxy : M S| ≡ #(T c), Pr oxy � T c, , Req No, H , on receiving,

the proxy compares the Alpha with the received H. If it doesn’t hold, then connection isterminated.

Message (5): Pr oxy → V L R : V L R � Flag, Solution1Message (6): Pr oxy → M S : Pr oxy| ≡ #(T d), M S � T d, Req No, Rand , The MS

computes Solu2’Message (7): M S → V L R : M S| ≡ (T e), V L R � T e, Req No, Solution2, on receiving

the VLR computes Solu2 (from Solu1 and Rand using a function f) and compares with thereceived Solu2’.

Message (8): V L R → H L R : H L R � T a, L AI, f 1(T a, L AI )SK , f ′(I M SI, T a),on receiving, the HLR derives IMSI as f ′(T I D, L AI ); computes f 1(T a, L AI )SK andcompares with the received f 1(T a, L AI )SK ;

Message (9): H L R → V L R : H L R| ≡ #(T f ), V L R � T f, f 2(T a)SK , AM F ,

f 1(T f, AM F)SK ; H L R| ≡ ∀(V L RDK↔ M S)

Message (10): V L R → M S : M S � T f, T g, AM F , f 1( f 1(T f, AM F)SK , T f, T g)DK ;MS computes f 1( f 1(T f, AM F)SK , T f, T g)DK and compares with the received f 1( f 1(T f,AM F)SK , T f, T g)DK ; MS generates f 2(T a)SK , f 3(T g)DK , f 4(T f )DK , f 5(T f )DK andf 6(T f )DK ;

Message (11): M S → V L R : V L R � f 3(T g)DK ; on receiving, the VLR derivesf 3(T g)DK and compares with the received f 3(T g)DK ; the VLR generates f 4(T f )DK ,

123


f 5(T f )DK , f 6(T f )DK , H L R| ≡ ∀(M SC K↔ V L R), H L R| ≡ ∀(M S

I K↔ V L R), H L R| ≡∀(M S

E K↔ V L R)

Message (12): V L R → M S : E{T M SI }E K

Message (13): On receiving, the MS computes D{T M SI }E K , then M S → V L R :V L R � AC K {T M SI }

Phase-2: (1):M S → V L R : M S| ≡ #(T i), V L R � T i, T M SI(2): On receiving, the VLR checks TMSI and T i ≤ ExpT ,V L R → M S :

f 1( f 1(T f, AM F)SK , T f, T i)DK ,(3): On receiving, the MS computes f 1( f 1(T f, AM F)SK , T f, T i)DK and compares

with the received f 1( f 1(T f, AM F)SK , T f, T i)DK ; then M S → V L R : f 3(T i)DK ; If theVLR finds that the calculated f 3(T i)DK and the received f 3(T i)DK are equal then only theauthentication is successful.

(4) Message meaning rule

(1) M S|≡(M S

,SK↔ H L R)∧(V L R

DK↔ M S) M S� f 1(T a,L AI )SKM S|≡H L R|∼ f 1(T a,L AI )SK

(2) V L R|≡ f 1(T f,AM F)SK ∧(V L R

)

DK↔ M S,V L R� f 1( f 1(T f,AM F)SK ,T f,T g)DKV L R|≡H L R|∼ f 1( f 1(T f,AM F)SK ,T f,T g)DK

(5) Nonce/timestamp verification rule

(1) M S|≡#(T a),M S|≡H L R|∼ f 1(T a,L AI )SKM S|≡H L R|≡ f 1(T a,L AI )SK

(2) H L R|≡#(T b)∧V L R|≡#(T c),V L R|≡H L R|∼ f 1( f 1(T f,AM F)SK ,T f,T g)DKM S|≡H L R|≡ f 1( f 1(T f,AM F)SK ,T f,T g)DK

(6) Jurisdiction rule

(1) M S|≡H L R⇒ f 1(T a,L AI )SK ,M S�V L R|∼ f 1(T a,L AI )SKM S|≡H L R|≡V L R

(2) V L R|≡H L R⇒ f 1( f 1(T f,AM F)SK ,T f,T g)DK ,V L R�V L R|∼ f 1( f 1(T f,AM F)SK ,T f,T g)DKV L R|≡H L R|≡M S

(7) Confidentiality between the MS and the VLR

M S| ≡ (M SE K↔ V L R), M S � {Msg}E K

M S| ≡ V L R| ∼ Msg∧ V L R| ≡ (V L R

E K↔ M S), V L R � {Msg}E K

V L R| ≡ M S| ∼ Msg

(8) Protocol Goalsa) Mutual authenticationM S| ≡ H L R| ≡ V L R ∧ V L R| ≡ H L R| ≡ M S → M S| ≡ V L R ∧ V L R| ≡ M S;

Thus, mutual authentication holds.b) Key agreement There is one DK key between the VLR and the MS to provide the

agreement. M S| ≡ DK ∧ #(T a), since DK = f 2(T a)SK ; V L R| ≡ DK ∧ #(T f ), sinceH L R → V L R| ∼ DK

c) Resistance replay attack between the MS and the VLR If the attacker gets #Ta, #Tb #Tc,#Td, #Te, and #Tf from messages (1–9) in phase-1 or #Ti from message (1) in phase-2, he/shecannot forge messages because he/she does not know how to derive these values. Since #Ta,#Tb, #Tc, #Td, #Te, #Tf and #Ti will be changed at the next time, hence, goal of resistancereplay attack between the MS and the VLR holds.

d) Resistance man-in-the-middle attack between the MS and the VLR Since attacker knowsneither EK key nor encryption algorithm/function, thus it prevents the communication frombeing eavesdropped.

e) Resistance redirection attack between the MS and the VLR Since f 1(T a, L AI )SK isused to maintain the integrity of LAI, thus it prevents from the redirection attack.

123


f) Resistance impersonation attack between the MS and the VLR(1) Adversary tries to impersonate MS Since f 1(T a, L AI )SK is computed at the MS and

compared at the HLR, this prevents from the impersonation attack. Additionally, adversarymust reply with a valid f 3(T g)DK but he/she neither has DK nor EK key where DK =f 2(T a)SK and E K = f 6(T f )DK .

(2) Adversary tries to impersonate VLR The integrity value f 1(T a, L AI )SK at the MS andthe HLR will be violated. Additionally, if the MS receives f 1( f 1(T f, AM F)SK , T f, T g)DK

at any time, then the connection will be terminated because the MS has not sent any requestto VLR.

g) Resistance DoS attack between the MS and the VLREach MS has to solve a puzzle Puz in two phases by computing Solu1 and Solu2, and

allows access to the resources only after the successful verification of Solu2 where Solu1 (128bits) = Solu1(Puz, T2) and Solu2 (128 bits) = Solu2(Solu1, Rand). Additionally, each MS hasto wait for a threshold time before computing the Solu2. This all prevents the network fromDoS attack.

7 Conclusion

In this the paper, we analyzed original UMTS-AKA protocol along with the existing andrecent AKA protocols such as AP-AKA, S-AKA, EURASIP-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocols. We evaluated the security weaknesses of UMTS-AKA andproposed an improved and efficient “Secure-AKA” protocol 3G UMTS network. The Secure-AKA protocol provides a better secure and efficient service when a user moves to a roamingarea and remains protect the actual identity of the MS, i.e., IMSI, during the authenticationprocess. The proposed protocol is able to prevent various security attacks and generatesminimum communication as well computation overheads as compared to all existing AKAprotocols discussed in this paper. We can clearly observe that on an average, Secure-AKAprotocol is able to reduce 65 % of the bandwidth consumption during the authenticationin comparison to original UMTS-AKA which is the maximum reduction of bandwidth byany AKA protocol in the UMTS network. Further, on an average, Secure-AKA protocolreduces 64, 66, 51, 22, 22, and 22 % of the bandwidth consumption in comparison to AP-AKA, EURASIP-AKA, S-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA, respectively.We have also analyzed the message exchanged ratio in terms of computations during theauthentication process and found that on an average, Secure-AKA protocol reduces theratio of messages exchanged by 59, 48, 54, 55, 54, 48, and 59 % with respect to UMTS-AKA, AP-AKA, EURASIP-AKA, S-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA,respectively. The limitation of Secure-AKA protocol can be considered in terms of storageoverhead since MS, VLR, and HLR need to store identity pair as: M S → (I M SI, T M SI ),V L R → (T M SI, T I D), and H L R → (T I D, I M SI ), respectively. But in fact, theseidentity pairs take very less memory space to store them onto the MS, VLR, and HLR. Finally,we conclude that Secure-AKA protocol fulfills all security and performance goals discussed inthe paper; hence, it is suitable to replace original UMTS-AKA for UMTS network. Further, weneed to alter source code of existing UMTS protocol in order to implement proposed protocolin real UMTS network environment. Unfortunately, there is no open source software availablefor UMTS protocol stack which could provide the platform for developers/researchers toenable quick prototyping/testing by modifying existing code. However, we provided theprotocol simulation with some assumption (message transmission time was calculated basedon the speed of UMTS network). Since, the simulation in real UMTS network requires

123


infrastructure (telecommunication laboratory), thus it is considered as future scope of thiswork.

Acknowledgments This work was supported by Tata Consultancy Services Limited (TCS), India.

References

1. Peinado, A. (2004). Privacy and authentication protocol providing anonymous channels in GSM. Com-puter Communication, 27(17), 1709–1715.

2. Babu, B. S., & Venkataram, P. (2009). A dynamic authentication scheme for mobile transactions. Inter-national Journal of Network and Security, 8(1), 59–74.

3. Zhang, M. (2003). Provably-secure enhancement on 3GPP authentication and key agreement protocol.Verizon Communication, Cryptology, ePrint Rep. 2003/092.

4. Meyer, U., & Wetzel, S. (2004). A man-in-the-middle attack on UMTS. In Proceedings of 3rd ACM WiSe,New York (pp. 90–97).

5. Georgios, K., Constantinos, K., Stefanos, G., & Jong, H. P. (2009). Signaling-oriented DoS Attacks inUMTS Networks. Advances in Information Security and Assurance (ISA), LNCS, 5576, 280–289.

6. Hamano, T., Suzuki, R., Ikegawa, T., & Ichikawa, H. (2004). A Redirection-based defense mechanismagainst flood-type attacks in large-scale ISP networks. In: 10th Asia-Pacific conference on communicationsand 5th international symposium on multi-dimensional mobile, communications (pp. 543–547).

7. Guha, R. K., Furqan, Z., & Muhammad, S. (2007). Discovering man-in-the-middle attacks in authenti-cation protocols. In IEEE Military Communications Conference (MILCOM-2007) (pp. 1–7).

8. Lin, Y. B., Chang, M. F., Hsu, M. T., & Wu, L. Y. (2005). One-pass GPRS and IMS authenticationprocedure for UMTS. IEEE Journal of Selected Areas of Communications, 23(6), 1233–1239.

9. Mobarhan, M. A., & Shahbahrami, A. (2012). Evaluation of security attacks on UMTS authenticationmechanism. International Journal of Network Security and its Applications, 4(4), 37–52.

10. 3rd Generation Partnership Project; Technical Specification Group SA; 3G Security. (1999). Report on theevaluation of 3GPP standard confidentiality and integrity algorithms, version 1.0.0, 2000–2012, 3GPP,TR 33.909.

11. Yin, X., Wai, K. L., Ben, L., & Razeen, A. (2012). Dynamic regulation of mobile 3G/HSPA uplink bufferwith receiver-side flow control. In 20th IEEE international conference on network protocols (ICNP)(pp. 1–10).

12. Xuejun, Z., Wei, G., Guohong, C., & Yiqi, D. (2011). Win-coupon: An incentive framework for 3G trafficoffloading. In 19th IEEE international conference on network protocols (ICNP) (pp. 206–215).

13. Xiaoxiao, H., Deshpande, P., & Das S. R. (2011). Moving bits from 3G to metro-scale WiFi for vehicularnetwork access: An integrated transport layer solution. In 19th IEEE international conference on networkprotocols (ICNP-2011) (pp. 353–362).

14. Ou, H. H., Hwang, M. S., & Jan, J. K. (2009). The UMTS-AKA protocols for intelligent transportationsystems. EURASIP Journal on Wireless Communications and Networking, 2009, 1–12.

15. Cheng, K. M., Chang, T. Y., & Lo, J. W. (2010). Cryptanalysis of security enhancement for a modifiedauthentication key agreement protocol. International Journal of Network Security, 11(1), 55–57.

16. Seo, D., & Sweeney, P. (1999). Simple authenticated key agreement algorithm. Electronics Letters, 35(13),1073–1074.

17. Godor, G. (2006). Novel authentication algorithm public key based cryptography in mobile phone systems.International Journal of Computer Science and Network Security, 6(2B), 126–134.

18. Tang, C., & Wu, D. O. (2008). An efficient mobile authentication scheme for wireless networks. IEEETransactions on Wireless Communications, 7(4), 1408–1416.

19. Murtaza, N. A. J. A., & Minhas, A. A. (2010). A novel security algorithm for universal mobile telecom-munication system. International Journal of Multimedia and Ubiquitous Engineering, 5(1), 1–18.

20. Saxena, N., & Chaudhari, N. S. (2014). NS-AKA: An improved and efficient AKA protocol for 3G(UMTS) networks. In International conference on advances in computer science and electronics engi-neering (CSEE’14), Kuala Lampur, Malaysia (pp. 220–224).

21. Lee, C. C., Chen, C. L., Ou, H. H., & Chen, L. A. (2013). Extension of an efficient 3GPP authenticationand key agreement protocol. Wireless Personal Communication, 68(3), 861–872.

22. Al-Saraireh, J., & Yousef, S. (2). A new authentication protocol for UMTS mobile networks. EURASIPJournal of Wireless Communication Network, 2006, 19–30.

23. Chun, I. E., Ho, P. H., & Chen, H. Y. (2007). Nested one-time secret mechanisms for fast mutual authenti-cation in mobile communications. In IEEE wireless communication and networking conference (WCNC)(pp. 2714–2719).

123


24. Zhang, M., & Fang, Y. (2005). Security analysis and enhancements of 3GPP authentication and keyagreement protocol. IEEE Transactions on Wireless Communication, 4(2), 734–742.

25. Huang, Y. L., Shen, C. Y., & Shieh, S. W. (2011). S-AKA: A provable and secure authentication keyagreement protocol for UMTS networks. IEEE Transactions on Vehicular Technology, 60(9), 4509–4519.

26. Huang, C. M., & Li, J. W. (2005). Authentication and key agreement protocol for UMTS with lowbandwidth consumption. In 19th international conference AINA (pp. 392–397).

27. Al-Saraireh, J., & Yousef, S. (2006). Extension of authentication and key agreement protocol (AKA) foruniversal mobile telecommunication system (UMTS). International Journal of Theoretical and AppliedComputer Sciences, 1(1), 109–118.

28. Ou, H. H., Hwang, M. S., & Jan, J. K. (2010). A cocktail protocol with the authentication and keyagreement on the UMTS. Journal of Systems and Software, 83(2), 316–325.

29. Wu, S., Zhu, Y., & Pu, Q. (2010). Security analysis of a cocktail protocol with the authentication and keyagreement on the UMTS. Communication Letters, 14(4), 366–368.

30. Abliz, M., & Znati, T. (2009). A guided tour puzzle for denial of service prevention. In Annual computersecurity applications conference (ACSAC), Hawaii, USA (pp. 279–288).

31. Feng, W., Kaiser, E., & Luu, A. (2005). Design and implementation of network puzzles. In INFO-COM 2005 and 24th annual joint conference of IEEE computer and communications societies (vol. 4,pp. 2372–2382).

32. Juels, A., & Brainard, J. (1999). Client puzzles: A cryptographic countermeasure against connectiondepletion attacks. In Network and distributed system security symposium (NDSS) (pp. 151–165).

33. Rivest, R. L., Shamir, A., & Wagner, D. A. (March 1996). Time-lock puzzles and timed-release crypto.Technical Report TR-684, MIT Laboratory for Computer Science.

34. Stebila, D., & Berkant, U. (2009). Towards denial-of-service-resilient key agreement protocols. In 14thAustralasian conference on information security and privacy, LNCS 5594 (pp. 389–406).

35. Stebila, D., Kuppusamy, L., Rangasamy, J., Boyd, C., & Nieto, J. G. (Feb 2013). Stronger difficultynotions for client puzzles and denial-of-service-resistant protocols. Cryptology 649, 1–28.

36. Rangasamy, J., Stebila, D., Kuppusary, L., Boyd, C., & Nieto, J. G. (2012). Efficient modularexponentiation-based puzzles for denial-of-service protection. Information Security and Cryptology(ICISC), LNCS, 7259, 319–331.

37. Feng, W., Kaiser, E., & Luu, A. (2005). The design and implementation of network puzzles. In IEEEinternational conference on computer communication (INFOCOM), Miami (vol. 4, pp. 2372–2382).

38. Tritilanunt, S., Boyd, C., Foo, E., & Gonz’alez, J. M. (2007). Toward non-parallelizable client puzzles.In 6th international conference on cryptology and network security, Singapore (vol. 4856, pp. 247–264).

39. Saxena, N., & Chaudhari, N. S. (2014). SecureSMS: A secure SMS protocol for VAS and other applica-tions. Journal of Systems and Software, 90, 138–150.

40. Saxena, N., & Chaudhari, N. S. (2012). A secure approach for SMS in GSM network. In InternationalIT conference and exhibition ACM CUBE-2012, Pune, India (pp. 59–64).

41. Michalas, A., Komninos, N., & Prasad, N. R. (2011). Mitigate DoS and DDoS attack in mobile ad hocnetworks. International Journal of Digital Crime and Forensics (IJDCF), 3(1), 1–38.

Neetesh Saxena has done his undergraduation from Uttar PradeshTechnical University (UPTU) Lucknow, India and graduation fromGuru Gobind Singh Indraprastha University (GGSIPU) Delhi, India.He is currently a Ph.D. student in the Discipline of Computer science& Engineering at Indian Institute of Technology (IIT) Indore, India.His current research interests include Cryptography, Network Security,Mobile Computing and applications. He is a reviewer of various Inter-national Conferences and Journals including European Journal of Oper-ation Research (EJOR), and International Journal of Network Security(IJNS). He is a member of several professional bodies including IEEE,ACM, and Computer Society of India (CSI).

123


Narendra S. Chaudhari has completed his undergraduate, gradu-ate, and doctoral studies at Indian Institute of Technology (IIT), Mum-bai, India, in 1981, 1983, and 1988 respectively. Dr. Narendra hasdone significant research work on game AI, novel neural networkmodels like binary neural nets and bidirectional nets, context freegrammar parsing, and graph isomorphism problem. He has super-vised more than 20 doctoral students and more than 80 Master’s stu-dents. He has delivered invited talks and presented his research resultsin several countries like America, Australia, Canada, Germany, Hun-gary, Japan, United Kingdom, etc. He has delivered prestigious M.S.Ramanujam memorial lecture organized by The Institution of Engi-neers, India in the area of Computer Engineering. He has more than250 publications in top quality international conferences and journals.Dr. Narendra has shouldered many senior level administrative posi-tions in Universities in India as well as abroad. A few notable assign-ments include: Dean—Faculty of Engineering Sciences, Devi AhilyaUniversity, Indore, Member—Executive Council, Devi Ahilya Univer-

sity, Indore, Coordinator—International Exchange Program, Nanyang Technological University, Singapore,Deputy Director - GameLAB, Nanyang Technological University, Singapore. He was Dean - Research andDevelopment, Indian Institute of Technology (IIT) Indore, and member, Board of Governors, IIT Indoresince September 2010 to June 2013. Currently, he is Director of Visvesvarya National Institute of Technol-ogy, Nagpur, Maharashtra State, India. He has been referee and reviewer for a number of premier conferencesand journals including IEEE Transactions, Neurocomputing, etc. Dr. Narendra is Fellow and recipient ofEminent Engineer award (Computer Engineering) of The Institution of Engineers, India (IE- India), as wellas Fellow of the Institution of Electronics and Telecommunication Engineers (IETE) (India), senior mem-ber of Computer Society of India, Senior Member of IEEE, USA, Member of Indian Mathematical Society(IMS), Member of Cryptology Research Society of India (CRSI), and many other professional societies.

123

secure-aka: an efficient aka protocol for umts networks

Documents