Secure-AKA: An Efficient AKA Protocol for UMTS Networks


Post on 25-Dec-2016






<ul><li><p>Wireless Pers Commun</p>
<p>DOI 10.1007/s11277-014-1821-0</p>
<p>Secure-AKA: An Efficient AKA Protocol for UMTS Networks</p>
<p>Neetesh Saxena · Narendra S. Chaudhari</p>
<p>© Springer Science+Business Media New York 2014</p>
<p>N. Saxena (B) · N. S. Chaudhari, Discipline of Computer Science and Engineering, Indian Institute of Technology, Indore, India, e-mail:</p>
<p>N. S. Chaudhari, Department of Computer Science and Engineering, Visvesvaraya National Institute of Technology, Nagpur, India, e-mail:</p>
<p>Abstract In this paper, we propose an improved and efficient authentication and key agreement (AKA) protocol named Secure-AKA to protect the Universal Mobile Telecommunication System (UMTS) network from various attacks such as the man-in-the-middle attack, redirection attack, replay attack, active attacks in corrupted UMTS networks, and especially the denial of service attack. This protocol completely eliminates the need for counter synchronization between a mobile station and its home network, and protects the actual identity of each user over the network by generating a temporary identity during the authentication. The Secure-AKA protocol generates minimum communication and computation overheads as compared to the UMTS-AKA, S-AKA, AP-AKA, EURASIP-AKA, COCKTAIL-AKA, X-AKA, and EXT-AKA protocols. On an average, the Secure-AKA protocol reduces 65 % of the bandwidth consumption during the authentication process in comparison to UMTS-AKA, which is the maximum reduction of bandwidth by any AKA protocol referred to in the paper.</p>
<p>Keywords UMTS · Authentication · Identity · Attacks · Overheads</p>
<p>1 Introduction</p>
<p>With the latest and advanced innovations in mobile applications, the third-generation (3G) technology has been widely used in modern mobile devices. It has been a great advancement to various service capabilities, numerous operations, and performance as compared to the second-generation (2G) technology. UMTS is one of the 3G technologies and is an extension of the Global System for Mobile Communications (GSM). In fact, there were many security issues present in the original 2G GSM network. The 3G UMTS technology has overcome these issues including mutual authentication. To address the security weaknesses that exist in GSM [1], the UMTS authentication and key agreement (AKA) protocol was proposed at the network level [2] for authenticating 3G mobile subscribers. Although UMTS-AKA has successfully defeated most of the vulnerabilities found in the GSM network, it is still vulnerable to the redirection attack [3], man-in-the-middle (MITM) attack [4] and denial of service (DoS) attack [5].</p>
<p>1.1 Research Problem</p>
<p>The original UMTS-AKA protocol is vulnerable to some security attacks such as the redirection attack [6], man-in-the-middle attack [7], impersonation attack, and DoS attack. There are several other issues with the UMTS-AKA protocol, including the huge bandwidth usage between the Home Location Register (HLR) and the Visitor Location Register (VLR), the large storage space overhead at the VLR, and the counter synchronization problem between the mobile station (MS) and the HLR/VLR. This protocol also generates huge communication and computation overheads in order to provide mutual authentication between the MS and the VLR/HLR. To solve these issues in the UMTS network, many researchers have proposed their protocols; however, they are still not able to reduce the overheads effectively. In fact, some of these protocols are still vulnerable to attacks. All these existing issues are considered in our work in order to develop an efficient and secure AKA protocol for the 3G UMTS network.</p>
<p>1.2 Our Contribution</p>
<p>In this paper, we present an improved and efficient AKA protocol, namely Secure-AKA, for the 3G UMTS network. Our protocol has the following main attributes:</p>
<p>1. 
The proposed Secure-AKA protocol provides mutual authentication between the MS and the HLR and between the MS and the VLR, similar to all AKA protocols discussed in the paper.</p>
<p>2. The Secure-AKA protocol protects the UMTS network from the redirection attack (as do AP-AKA, S-AKA, COCKTAIL-AKA), the man-in-the-middle attack (as do S-AKA, COCKTAIL-AKA), the replay attack (as do all AKA protocols), active attacks in the corrupted network (as do all AKA protocols), and the denial of service attack (Secure-AKA only, while S-AKA provides partial prevention).</p>
<p>3. Secure-AKA is able to reduce the bandwidth consumption between the VLR and the HLR, and to reduce the VLR storage.</p>
<p>4. It completely overcomes the counter synchronization problem that exists in UMTS-AKA, as the mobile user and the roaming network node do not maintain any counter. This is possible with the message authentication code (MAC3) and the DK key in the proposed protocol.</p>
<p>5. This protocol hides the actual identity of each MS, i.e., the International Mobile Subscriber Identity (IMSI), and computes a temporary identity, i.e., the Temporary Mobile Subscriber Identity (TMSI), during the authentication process. The other existing protocols discussed in the paper do not provide identity protection over the network.</p>
<p>6. Secure-AKA produces minimum communication and computation overheads as compared to all existing and recent AKA protocols from the literature.</p>
<p>7. On an average, the Secure-AKA protocol uses less bandwidth and provides the minimum message exchange ratio during authentication as compared to all existing AKA protocols for the UMTS network.</p></li><li>
<p>1.3 Organization</p>
<p>The entire paper is organized in seven sections, which are as follows: Sect. 2 introduces the literature review of existing UMTS-AKA protocols in the UMTS network. Section 3 illustrates the communication, trust, and attack models for the UMTS network. 
Section 4 explains a solution against the DoS attack in the UMTS network. In Sect. 5, we focus on the security goals to be achieved and explain the proposed Secure-AKA protocol in detail. The security and performance analysis of the proposed protocol, with simulation results, is given in Sect. 6. Finally, Sect. 7 summarizes the conclusion of the work.</p>
<p>2 Review: Existing AKA Protocols</p>
<p>In the UMTS-AKA protocol, each MS shares a secret key SK and certain cryptographic functions with the home network. The HLR and the MS each maintain a counter to prevent replay attacks [8,9]. The cryptographic functions shared between the HLR and the MS include two message authentication codes f1 and f2, and three key generation functions f3, f4, and f5 [10]. AK/XAK is the anonymity key, which is used to hide the sequence number in the original UMTS-AKA protocol. A lot of research is going on in 3G UMTS networks, including regulation of 3G uplink and downlink buffer and flow control [11], 3G traffic offloading [12], vehicular network access through WiFi [13] and the UMTS-AKA protocol for intelligent transportation systems [14]. Thus, the security of the 3G UMTS network is a major concern.</p>
<p>Various AKA protocols [15–19] were proposed to provide authentication among communicating parties in mobile communications at various levels. Many symmetric key based AKA protocols [20–23] were proposed for the UMTS network to improve the security of UMTS-AKA and the effective utilization of bandwidth during the authentication. The NS-AKA protocol in [20] reduces the overheads, and is free from redirection and MITM attacks, but does not provide resistance against the denial of service attack. Zhang and Fang [21,24] proposed a new protocol, namely AP-AKA, to defeat the redirection attack and drastically lessen the effect of a corrupted network. 
Al-Saraireh and Yousef's protocol [22] places its primary emphasis on bandwidth reduction for transmitted authentication vectors, and therefore the authentication vectors are only produced by the MS, not by the VLR. Another protocol, S-AKA [25], reduces bandwidth consumption up to 38 % (with number of authentication requests n = 2, 5, 10, 20, 50, 100), and also decreases the number of messages required in authenticating mobile subscribers; however, our analysis states that S-AKA can reduce bandwidth consumption up to 29 % only (when n = 50, 100, 200, 500, 1,000). The UMTS-AKA and EURASIP-AKA protocols do not prevent MITM and redirection attacks. However, the S-AKA protocol is able to stop MITM and redirection attacks, while the AP-AKA protocol does not resist the MITM attack but is free from the redirection attack. Al-Saraireh and Yousef's protocol (EURASIP-AKA) does not resolve the security issues with redirection or man-in-the-middle attacks. The X-AKA protocol [26] was proposed to prune off the transmission of authentication vectors (AV) in the UMTS-AKA protocol and improves its bandwidth utilization; however, it does not prevent man-in-the-middle and redirection attacks. Al-Saraireh and Yousef's EXT-AKA protocol [27] focused on bandwidth reduction for transmitting authentication vectors. However, this protocol also does not resolve the security issues against various attacks. Ou, Hwang, and Jan proposed a new protocol, COCKTAIL-AKA, to overcome the shortcomings of the UMTS-AKA protocol [28], but it is vulnerable to the DoS attack and the impersonation attack [29]. It also does not solve the synchronization problem between the MS and the HLR.</p>
<p>Tables 1 and 2 list the definitions of various symbols, abbreviations and cryptographic functions used in the various AKA protocols discussed in the paper.</p></li><li>
<p>Table 1 Symbols and abbreviations</p>
<table>
<tr><th>Symbol</th><th>Definition</th><th>Bits</th></tr>
<tr><td>IMSI</td><td>International mobile subscriber identity</td><td>128</td></tr>
<tr><td>TID</td><td>Temporary identity</td><td>128</td></tr>
<tr><td>LAI</td><td>Location area identifier</td><td>40</td></tr>
<tr><td>SK</td><td>Secret key shared b/w MS and HLR</td><td>128</td></tr>
<tr><td>ReqNo</td><td>Request number</td><td>128</td></tr>
<tr><td>PID</td><td>Proxy identity</td><td>128</td></tr>
<tr><td>Puz</td><td>Puzzle</td><td>128</td></tr>
<tr><td>/H</td><td>Hash code</td><td>64</td></tr>
<tr><td>AMF</td><td>Authentication management field</td><td>48</td></tr>
<tr><td>RAND</td><td>Random number</td><td>128</td></tr>
<tr><td>AUTN</td><td>Authentication token</td><td>Variable</td></tr>
<tr><td>AV</td><td>Authentication vector</td><td>Variable</td></tr>
<tr><td>Y/N</td><td>Yes/no flag</td><td>1</td></tr>
<tr><td>DK</td><td>Delegation key</td><td>128</td></tr>
<tr><td>CK</td><td>Cipher key</td><td>128</td></tr>
<tr><td>IK/IIK</td><td>Integrity key</td><td>128</td></tr>
<tr><td>MAC/XMAC</td><td>Message authentication code</td><td>64</td></tr>
<tr><td>RES/XRES</td><td>Response/expected response</td><td>64</td></tr>
<tr><td>T</td><td>Time stamp</td><td>64</td></tr>
<tr><td>ACK</td><td>Acknowledgement</td><td>16</td></tr>
<tr><td>Solu1</td><td>Solution1 of puzzle</td><td>128</td></tr>
<tr><td>Solu2</td><td>Complete solution</td><td>128</td></tr>
</table>
<p>Table 2 Definition of functions</p>
<table>
<tr><th>Functions</th><th>Definition</th></tr>
<tr><td>f</td><td>Function to generate TID</td></tr>
<tr><td>f</td><td>Function to generate IIK Key</td></tr>
<tr><td>f1</td><td>Message authentication function for MAC/XMAC</td></tr>
<tr><td>f2</td><td>Key generation function for DK</td></tr>
<tr><td>f3</td><td>Message authentication function for RES/XRES</td></tr>
<tr><td>f4</td><td>Key generation function for CK</td></tr>
<tr><td>f5</td><td>Key generation function for IK</td></tr>
<tr><td>f6</td><td>Key generation function for EK</td></tr>
<tr><td>g()</td><td>Hash generation function for </td></tr>
<tr><td>H</td><td>Hash function</td></tr>
<tr><td>Solu1</td><td>Function to compute solution1</td></tr>
<tr><td>Solu2</td><td>Function to compute solution2</td></tr>
<tr><td>EK{}, DK{}</td><td>Functions to cipher/decipher message</td></tr>
<tr><td>||</td><td>Concatenation</td></tr>
</table></li><li>
<p>3 Communication, Trust and Attack Models</p>
<p>We present the system model in terms of the communication and trust scenario and then discuss an attack model. First, we discuss the communication and trust model. When a user is in his/her home network, the mutual authentication takes place between the MS and the HLR. The HLR generates the authentication vectors as per the authentication requests received from various MS(s). 
A trust model comes into the picture when a user moves to a roaming area. The MS asks one of the roaming operators to provide the service, and the MS sends an authentication request to the nearest VLR of that service provider. The transmission of authentication vectors takes place between the VLR and the HLR, and then the rest of the mutual authentication process is executed between the MS and the VLR. In this trust model, it is assumed that a secret key SK is shared between the MS and the HLR. The authentic information is generated by the HLR (based on the SK key) and then the HLR sends it to the VLR.</p>
<p>An attack model describes various scenarios where a malicious MS or VLR can access the authentic information, misguide the legitimate MS, or corrupt the network. A malicious VLR can redirect the legitimate MS and can receive the valid tokens, i.e., AV. This attack burdens a victim MS with a billing problem and forces the legitimate MS on its HLR to be charged for roaming by a malicious VLR. Another possibility of attack is to delay or reuse the authentication messages. This may lead to a replay attack if the transmitted messages do not contain any nonce or timestamp value. An attacker or adversary can also corrupt and impersonate the network. An adversary can forge the authentication data request to obtain authentication vectors and use them to impersonate the network independent of the actual location of the user. An attacker can hide itself between the MS and the VLR, and may be able to crack the UMTS security. The adversary can eavesdrop on the session initiated by a legitimate MS, which leads to the man-in-the-middle attack. For such an attack, the attacker must be able to intercept and inject some data. Apart from these attacks, various forms of denial of service (DoS) attack, such as primary DoS and distributed DoS (DDoS), are quite possible. The existing DoS and DDoS defense mechanisms anticipate a flood of authentication requests as an attack and exploit the vulnerabilities of the system. 
The low rate DoS (LDoS) attacks are difficult to detect as compared to other forms of DoS attacks, as they exploit many factors and vulnerabilities that vary from iterative hops to a fixed minimum retransmission timeout (RTO). Our primary focus is to protect the network from authentication request based DoS attacks.</p>
<p>More on denial of service (DoS) attack. There are some other causes of a possible DoS attack, such as the black-hole attack, dropping the acknowledgement (ACK) signal, and manipulating unprotected radio resource control (RRC) messages.</p>
<p>Black-hole attack. An intruder with false Base Transceiver Station (BTS) equipment follows its target victim. In the presence of this attack, all the active mobile terminals in that cellular area are lured towards the false BTS for the connection if the signal from the malicious BTS is stronger than that of the legitimate BTS. When the victim is connected to the fake BTS equipment, the intruder drops all transmitted packets towards the victim MS.</p>
<p>Dropping ACK signal. The protection of the IMSI is considered a very important issue in the UMTS network. Instead, temporary identities, i.e., TMSIs, are transmitted to the mobile users just after the activation of cipher mode, and then the TMSIs are used for the signal communication in the network. A new TMSI is allotted each time a mobile user moves to a roaming area observed by another Serving GPRS Support Node (SGSN). When a TMSI is encrypted and transmitted to the MS, it is not linked to the corresponding IMSI by the SGSN until the Allocation Complete message reaches the SGSN from the MS. If that is not the case, then both sets {IMSI, TMSI<sub>old</sub>} and {IMSI, TMSI<sub>new</sub>} are believed correct by the SGSN. These TMSI Allocation Command messages are examined by the attacker who immediately drops those messages. 
This creates a situation in which a new TMSI is generated repeatedly, which amounts to a dropping ACK signal based DoS attack on all users entering a particular routing area.</p>
<p>Unprotected RRC. The adversary can modify the RRC messages during the communication over the UMTS network before the protocol cipher mode is on.</p>
<p>4...</p></li></ul>
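
The counter-based replay protection that Sect. 2 attributes to UMTS-AKA, and the counter synchronization problem the paper says Secure-AKA removes, shown as an added example (not code from the paper). HMAC-SHA256 stands in for f1, f2 and f5 as named in the Sect. 2 description of UMTS-AKA (not Table 2); the field widths, the acceptance window and all key material are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for the shared functions f1/f2/f5 (assumption: HMAC-SHA256, truncated).
def f(tag: bytes, sk: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(sk, tag + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_make_av(sk: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """Home network side: build (RAND, AUTN, XRES) for one counter value."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(b"f1", sk, sqn_b + rand + amf, 8)   # MAC over SQN || RAND || AMF
    ak = f(b"f5", sk, rand, 6)                  # anonymity key hides the counter
    return rand, xor(sqn_b, ak) + amf + mac, f(b"f2", sk, rand, 8)

class MobileStation:
    def __init__(self, sk: bytes, window: int = 32):
        self.sk, self.sqn_ms, self.window = sk, 0, window

    def authenticate(self, rand: bytes, autn: bytes):
        """Return ('ok', RES), ('mac_failure', None) or ('sync_failure', None)."""
        conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(conc, f(b"f5", self.sk, rand, 6))
        xmac = f(b"f1", self.sk, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            return "mac_failure", None          # forged or corrupted token
        sqn = int.from_bytes(sqn_b, "big")
        # Freshness: the counter must advance, but not jump past the window.
        if not (self.sqn_ms < sqn <= self.sqn_ms + self.window):
            return "sync_failure", None         # replayed token or drifted counter
        self.sqn_ms = sqn
        return "ok", f(b"f2", self.sk, rand, 8)

def demo():
    sk = bytes(range(16))                       # constructed 128-bit SK
    ms = MobileStation(sk)
    rand, autn, xres = hlr_make_av(sk, sqn=1)
    first = ms.authenticate(rand, autn)
    replay = ms.authenticate(rand, autn)        # same token presented again
    tampered = ms.authenticate(rand, autn[:-1] + bytes([autn[-1] ^ 1]))
    r2, a2, _ = hlr_make_av(sk, sqn=1000)       # HLR counter far ahead of the MS
    drifted = ms.authenticate(r2, a2)
    return first[0], first[1] == xres, replay[0], tampered[0], drifted[0]

if __name__ == "__main__":
    print(demo())
```

The last case is the operational cost of the counter: a genuine token from the home network is rejected until both sides resynchronize, which is the overhead a counter-free design avoids.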

