the 5g-aka authentication protocol privacybetween a game stating the protocol security and...
TRANSCRIPT
The 5G-AKA Authentication Protocol PrivacyAdrien Koutsos
LSV CNRS ENS Paris-Saclay Universiteacute Paris-SaclayCachan France
adrienkoutsoslsvfr
AbstractmdashWe study the 5G-AKA authentication protocol de-scribed in the 5G mobile communication standards This versionof AKA tries to achieve a better privacy than the 3G and 4Gversions through the use of asymmetric randomized encryptionNonetheless we show that except for the IMSI-catcher attackall known attacks against 5G-AKA privacy still apply
Next we modify the 5G-AKA protocol to prevent theseattacks while satisfying 5G-AKA efficiency constraints as muchas possible We then formally prove that our protocol is σ-unlinkable This is a new security notion which allows for afine-grained quantification of a protocol privacy Our securityproof is carried out in the Bana-Comon indistinguishability logicWe also prove mutual authentication as a secondary result
Index TermsmdashAKA Unlinkability Privacy Formal Methods
I INTRODUCTION
Mobile communication technologies are widely used forvoice text and Internet access These technologies allow asubscriberrsquos device typically a mobile phone to connectwirelessly to an antenna and from there to its service providerThe two most recent generations of mobile communicationstandards the 3G and 4G standards have been designed bythe 3GPP consortium The fifth generation (5G) of mobilecommunication standards is being finalized and drafts arenow available [1] These standards describe protocols thataim at providing security guarantees to the subscribers andservice providers One of the most important such protocolis the Authentication and Key Agreement (AKA) protocolwhich allows a subscriber and its service provider to establisha shared secret key in an authenticated fashion There aredifferent variants of the AKA protocol one for each generation
In the 3G and 4G-AKA protocols the subscriber and itsservice provider share a long term secret key The subscriberstores this key in a cryptographic chip the Universal Sub-scriber Identity Module (USIM) which also performs all thecryptographic computations Because of the USIM limitedcomputational power the protocols only use symmetric keycryptography without any pseudo-random number generationon the subscriber side Therefore the subscriber does not use arandom challenge to prevent replay attacks but instead relieson a sequence number SQN Since the sequence number hasto be tracked by the subscriber and its service provider theAKA protocols are stateful
Because a user could be easily tracked through its mobilephone it is important that the AKA protocols provide privacyguarantees The 3G and 4G-AKA protocols try to do that usingtemporary identities While this provides some privacy againsta passive adversary this is not enough against an active
adversary Indeed these protocols allow an antenna to ask fora user permanent identity when it does not know its temporaryidentity (this naturally happens in roaming situations) Thismechanism is abused by IMSI-catchers [2] to collect thepermanent identities of all mobile devices in range
The IMSI-catcher attack is not the only known attack againstthe privacy of the AKA protocols In [3] the authors show howan attacker can obtain the least significant bits of a subscriberrsquossequence number which allows the attacker to monitor theuserrsquos activity The authors of [4] describe a linkability attackagainst the 3G-AKA protocol This attack is similar to theattack on the French e-passport [5] and relies on the factthat 3G-AKA protocol uses different error messages if theauthentication failed because of a bad Mac or because a de-synchronization occurred
The 5G standards include changes to the AKA protocol toimprove its privacy guarantees In 5G-AKA a user never sendsits permanent identity in plain-text Instead it encrypts it usinga randomized asymmetric encryption with its service providerpublic key While this prevents the IMSI-catcher attack this isnot sufficient to get unlinkability Indeed the attacks from [3][4] against the 3G and 4G-AKA protocols still apply Moreoverthe authors of [6] proposed an attack against a variant of theAKA protocol introduced in [4] which uses the fact that anencrypted identity can be replayed It turns out that their attackalso applies to 5G-AKA
a) Objectives Our goal is to improve the privacy of5G-AKA while satisfying its design and efficiency constraintsIn particular our protocol should be as efficient as the 5G-AKAprotocol have a similar communication complexity and relyon the same cryptographic primitives Moreover we wantformal guarantees on the privacy provided by our protocol
b) Formal Methods Formal methods are the best way toget a strong confidence in the security provided by a protocolThey have been successfully applied to prove the security ofcrucial protocols such as Signal [7] and TLS [8] [9] Thereexist several approaches to formally prove a protocol security
In the symbolic or Dolev-Yao (DY) model protocols aremodeled as members of a formal process algebra [10] Inthis model the attacker controls the network he reads allmessages and he can forge new messages using capabilitiesgranted to him through a fixed set of rules While security inthis model can be automated (eg [11]ndash[14]) it offers limitedguarantees we only prove security against an attacker that hasthe designated capabilities
The computational model is more realistic The attacker
also controls the network but is not limited by a fixed setof rules Instead the attacker is any Probabilistic Polynomial-time Turing Machine (PPTM for short) Security proofs in thismodel are typically sequences of game transformations [15]between a game stating the protocol security and crypto-graphic hypotheses This model offers strong security guar-antees but proof automation is much harder For instanceCRYPTOVERIF [16] cannot prove the security of statefulcryptographic protocols (such as the AKA protocols)
There is a third model the Bana-Comon (BC) model [17][18] In this model messages are terms and the security prop-erty is a first-order formula Instead of granting the attackercapabilities through rules as in the symbolic approach westate what the adversary cannot do This model has severaladvantages First since security in the BC model entailscomputational security it offers strong security guaranteesThen there is no ambiguity the adversary can do anythingwhich is not explicitly forbidden Finally this approach iswell-suited to model stateful protocols
c) Related Work There are several formal analysis ofAKA protocols in the symbolic models In [12] the authorsuse the DEEPSEC tool to prove unlinkability of the protocolfor three sessions In [4] and [19] the authors use PROVERIFto prove unlinkability of AKA variants for respectively threesessions and an unbounded number of sessions In these threeworks the authors abstracted away several key features of theprotocol Because DEEPSEC and PROVERIF do not support thexor operator they replaced it with a symmetric encryptionMoreover sequence numbers are modeled by nonces in [4]and [12] While [19] models the sequence number update theyassume it is always incremented by one which is incorrectFinally none of these works modeled the re-synchronizationor the temporary identity mechanisms Because of these inac-curacies in their models they all miss attacks
In [20] the authors use the TAMARIN prover to analysemultiple properties of 5G-AKA For each property they eitherfind a proof or exhibit an attack To our knowledge this is themost precise symbolic analysis of an AKA protocol For exam-ple they correctly model the xor and the re-synchronizationmechanisms and they represent sequence numbers as integers(which makes their model stateful) Still they decided not toinclude the temporary identity mechanism Using this modelthey successfully rediscover the linkability attack from [4]
We are aware of two analysis of AKA protocols in thecomputational model In [6] the authors present a significantlymodified version of AKA called PRIV-AKA and claim it isunlinkable However we discovered a linkability attack againstthe protocol which falsifies the authors claim In [21] theauthors study the 4G-AKA protocol without its first messageThey show that this reduced protocol satisfies a form ofanonymity (which is weaker than unlinkability) Because theyconsider a weak privacy property for a reduced protocol theyfail to capture the linkability attacks from the literature
To summarize there is currently no computational securityproof of a complete version of an AKA protocol
d) Contributions Our contributions are
bull We study the privacy of the 5G-AKA protocol describedin the 3GPP draft [1] Thanks to the introduction ofasymmetric encryption the 5G version of AKA is notvulnerable to the IMSI-catcher attack However we showthat the linkability attacks from [3] [4] [6] against olderversions of AKA still apply to 5G-AKA
bull We present a new linkability attack against PRIV-AKAa significantly modified version of the AKA protocolintroduced and claimed unlinkable in [6] This attackexploits the fact that in PRIV-AKA a message can bedelayed to yield a state update later in the execution ofthe protocol where it can be detected
bull We propose the AKA+ protocol which is a modifiedversion of 5G-AKA with better privacy guarantees andsatisfying the same design and efficiency constraints
bull We introduce a new privacy property called σ-unlinkability inspired from [22] and Vaudenayrsquos Pri-vacy [23] Our property is parametric and allows us tohave a fine-grained quantification of a protocol privacy
bull We formally prove that AKA+ satisfies the σ-unlinkabilityproperty in the computational model Our proof is carriedout in the BC model and holds for any number of agentsand sessions that are not related to the security parameterWe also show that AKA+ provides mutual authenticatione) Outline In Section II and III we describe the 5G-AKA
protocol and the known linkability attacks against it Wepresent the AKA+ protocol in Section IV and we definethe σ-unlinkability property in Section V Finally we showhow we model the AKA+ protocol using the BC logic inSection VI and we state and sketch the proofs of the mutualauthentication and σ-unlinkability of AKA+ in Section VIIThis is an extended abstract without the full proofs whichcan be found in the technical report [24]
II THE 5G-AKA PROTOCOL
We present the 5G-AKA protocol described in the 3GPPstandards [1] This is a three-party authentication protocolbetweenbull The User Equipment (UE) This is the subscriberrsquos physi-
cal device using the mobile communication network (ega mobile phone) Each UE contains a cryptographic chipthe Universal Subscriber Identity Module (USIM) whichstores the user confidential material (such as secret keys)
bull The Home Network (HN) which is the subscriberrsquos ser-vice provider It maintains a database with the necessarydata to authenticate its subscribers
bull The Serving Network (SN) It controls the base station(the antenna) the UE is communicating with through awireless channel
If the HN has a base station nearby the UE then the HN andthe SN are the same entity But this is not always the case (egin roaming situations) When no base station from the userrsquosHN are in range the UE uses another networkrsquos base station
The UE and its corresponding HN share some confidentialkey material and the Subscription Permanent Identifier (SUPI)
which uniquely identifies the UE The SN does not have accessto the secret key material It follows that all cryptographiccomputations are performed by the HN and sent to theSN through a secure channel The SN also forwards all theinformation it gets from the UE to the HN But the UEpermanent identity is not kept hidden from the SN after asuccessful authentication the HN sends the SUPI to the SNThis is not technically needed but is done for legal reasonsIndeed the SN needs to know whom it is serving to be ableto answer to Lawful Interception requests
Therefore privacy requires to trust both the HN and theSN Since in addition they communicate through a securechannel we decided to model them as a single entity and weinclude the SN inside the HN A description of the protocolwith three distinct parties can be found in [20]
A Description of the Protocol
The 5G standard proposes two authentication protocolsEAP-AKAprime and 5G-AKA Since their differences are not rel-evant for privacy we only describe the 5G-AKA protocol
a) Cryptographic Primitives As in the 3G and 4G vari-ants the 5G-AKA protocol uses several keyed cryptographicone-way functions f1 f2 f5 f1lowast and f5lowast These functions areused both for integrity and confidentiality and take as input along term secret key k (which is different for each subscriber)
A major novelty in 5G-AKA is the introduction of an asym-metric randomized encryption middotne
pk Here pk is the publickey and ne is the encryption randomness Previous versionsof AKA did not use asymmetric encryption because the USIMwhich is a cryptographic micro-processor had no randomnessgeneration capabilities The asymmetric encryption is used toconceal the identity of the UE by sending SUPIne
pk insteadof transmitting the SUPI in clear (as in 3G and 4G-AKA)
b) Temporary Identities After a successful run of theprotocol the HN may issue a temporary identity a GloballyUnique Temporary Identity (GUTI) to the UE Each GUTI canbe used in at most one session to replace the encrypted identitySUPIne
pk It is renewed after each use Using a GUTI allowsto avoid one asymmetric encryption This saves a pseudo-random number generation and the expensive computation ofan asymmetric encryption
c) Sequence Numbers The 5G-AKA protocol preventsreplay attacks using a sequence number SQN instead of arandom challenge This sequence number is included in themessages incremented after each successful run of the pro-tocol and must be tracked and updated by the UE and theHN As it may get de-synchronized (eg because a messageis lost) there are two versions of it the UE sequence numberSQNU and the HN sequence number SQNN
d) State The UE and HN share the UE identity SUPI along-term symmetric secret key k a sequence number SQNU
and the HN public key pkN The UE also stores in GUTI thevalue of the last temporary identity assigned to it (if there isone) Finally the HN stores the secret key skN correspondingto pkN its version SQNN of every UErsquos sequence number anda mapping between the GUTIs and the SUPIs
UE
SUPI GUTI k pkN SQNU
HN
SUPI GUTI k skN SQNN
GUTI or SUPInepkN
if GUTI was used GUTI larr UnSetlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangInput xnR SQNR larr π1(x) π2(x)oplus f5k (nR)bmac larr f1k (〈SQNR nR〉) = π3(x)bSQN larr range(SQNU SQNR)
SQNN larr SQNN + 1
SQNU larr SQNRf2k (nR)
bmac and bSQN
ldquoAuth-Failurerdquonotbmac
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangInput ySQNlowastR larr π1(y)oplus f5lowastk (n)if f1lowastk (〈SQNlowastR n〉) = π2(y) then SQNN larr SQNlowastR + 1
bmac and notbSQN
Conventions larr is used for assignments and has a lowerpriority than the equality comparison operator =
Fig 1 The 5G-AKA Protocol
e) Authentication Protocol The 5G-AKA protocol isrepresented in Fig 1 We now describe an honest executionof the protocol The UE initiates the protocol by identifyingitself to the HN which it can do in two different ways
bull It can send a temporary identity GUTI if one was assignedto it After sending the GUTI the UE sets it to UnSet toensure that it will not be used more than once Otherwiseit would allow an adversary to link sessions together
bull It can send its concealed permanent identity SUPInepkN
using the HN public key pkN and a fresh randomness ne
Upon reception of an identifying message the HN retrieves thepermanent identity SUPI if it received a temporary identityGUTI this is done through a database look-up and if aconcealed permanent identity was used it uses skN to decryptit It can then recover SQNN and the key k associated tothe identity SUPI from its memory The HN then generatesa fresh nonce n It masks the sequence number SQNN byxoring it with f5k(n) and mac the message by computingf1k(〈SQNN n〉) (we use 〈 〉 for tuples) It then sends themessage 〈n SQNN oplus f5k(n) f1k(〈SQNN n〉)〉
When receiving this message the UE computes f5k(n)With it it unmasks SQNN and checks the authenticity of the
message by re-computing f1k(〈SQNN n〉) and verifying thatit is equal to the third component of the message It alsochecks whether SQNN and SQNU are in range1 If both checkssucceed the UE sets SQNU to SQNN which prevents thismessage from being accepted again It then sends f2k(n) toprove to HN the knowledge of k If the authenticity check failsan ldquoAuth-Failurerdquo message is sent Finally if the authenticitycheck succeeds but the range check fails UE starts the re-synchronization sub-protocol which we describe below
f) Re-synchronization The re-synchronization protocolallows the HN to obtain the current value of SQNU Firstthe UE masks SQNU by xoring it with f5lowastk (n) mac themessage using f1lowastk (〈SQNU n〉) and sends the pair 〈SQNU oplusf5lowastk (n) f1lowastk (〈SQNU n〉)〉 When receiving this message theHN unmasks SQNU and checks the mac If the authenticationtest is successful HN sets the value of SQNN to SQNU + 1This ensures that HN first message in the next session of theprotocol is in the correct range
g) GUTI Assignment There is a final component of theprotocol which is not described in Fig 1 (as it is not used inthe privacy attacks we present later) After a successful run ofthe protocol the HN generates a new temporary identity GUTIand links it to the UErsquos permanent identity in its databaseThen it sends the masked fresh GUTI to the UE
III UNLINKABILITY ATTACKS AGAINST 5G-AKA
We present in this section several attacks against AKA thatappeared in the literature All these attacks but one (the IMSI-catcher attack) carry over to 5G-AKA Moreover several fixesof the 3G and 4G versions of AKA have been proposed Wediscuss the two most relevant fixes the first by Arapinis etal [4] and the second by Fouque et al [6]
None of these fixes are satisfactory The modified AKAprotocol given in [4] has been shown flawed in [6] The authorsof [6] then propose their own protocol called PRIV-AKA andclaim it is unlinkable (they only provide a proof sketch)While analyzing the PRIV-AKA protocol we discovered anattack allowing to permanently de-synchronize the UE and theHN Since a de-synchronized UE can be easily tracked (afterbeing de-synchronized the UE rejects all further messages)our attack is also an unlinkability attack This is in directcontradiction with the security property claimed in [6] Thisis a novel attack that never appeared in the literature
A IMSI-Catcher Attack
All the older versions of AKA (4G and earlier) are vulnerableto the IMSI-catcher attack [2] This attack simply relies onthe fact that in these versions of AKA the permanent identity(called the International Mobile Subscriber Identity or IMSI inthe 4G specifications) is not encrypted but sent in plain-textMoreover even if a temporary identity is used (a TemporaryMobile Subscriber Identity or TMSI) an attacker can simplysend a Permanent-ID-Request message to obtain the UErsquospermanent identity The attack is depicted in Fig 2
1The specification is loose here it only requires that SQNU lt SQNN leSQNU + C where C is some constant chosen by the HN
UE AttackerTMSI or IMSI
ldquoPermanent-ID-RequestrdquoIf TMSI received
IMSI
Fig 2 An IMSI-Catcher Attack
UEIMSIt HNtauth equiv
langn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangf2k (n)
UEIMSIprime Attackertauth
ldquoAuth-FailurerdquoIf IMSIprime 6= IMSIt
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangIf IMSIprime = IMSIt
Fig 3 The Failure Message Attack by [4]
This necessitates an active attacker with its own base stationAt the time this required specialized hardware and wasbelieved to be too expensive This is no longer the case andcan be done for a few hundreds dollars (see [25])
B The Failure Message Attack
In [4] Arapinis et al propose to use an asymmetric encryp-tion to protect against the IMSI-catcher attack each UE carriesthe public-key of its corresponding HN and uses it to encryptits permanent identity This is basically the solution that wasadopted by 3GPP for the 5G version of AKA Interestinglythey show that this is not enough to ensure privacy and givea linkability attack that does not rely on the identificationmessage sent by UE While their attack is against the 3G-AKAprotocol it is applicable to the 5G-AKA protocol
a) The Attack The attack is depicted in Fig 3 and worksin two phases First the adversary eavesdrops a successful runof the protocol between the HN and the target UE with identityIMSIt and stores the authentication message tauth sent by HNIn a second phase the attacker A tries to determine whether aUE with identity IMSIprime is the initial UE (ie whether IMSIprime =IMSIt) To do this A initiates a new session of the protocol andreplays the message tauth If IMSIprime 6= IMSIt then the mac testfails and UEIMSIprime answers ldquoAuth-Failurerdquo If IMSIprime = IMSItthen the mac test succeeds but the range test fails and UEIMSIprime
sends a re-synchronization messageThe adversary can distinguish between the two messages
and therefore knows if it is interacting with the original or adifferent UE Moreover the second phase of the attack can
UEIMSIt HNIMSItnepkN
UEIMSIprime HNIMSIprimenprimeepkN
IMSItne
pkN
tauth equivlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangFailure Message
If IMSIprime 6= IMSIt
f2k (nR)If IMSIprime = IMSIt
Fig 4 The Encrypted IMSI Replay Attack by [6]
be repeated every time the adversary wants to check for thepresence of the tracked user IMSIt in its vicinity
b) Proposed Fix To protect against the failure messageattack the authors of [4] propose that the UE encrypts both er-ror messages using the public key pkN of the HN making themindistinguishable To the adversary there is no distinctionsbetween an authentication and a de-synchronization failureThe fixed AKA protocol without the identifying messageIMSIne
pkN was formally checked in the symbolic model using
the PROVERIF tool Because this message was omitted in themodel an attack was missed We present this attack next
C The Encrypted IMSI Replay Attack
In [6] Fouque et al give an attack against the fixed AKAproposed by Arapinis et al in [4] Their attack described inFig 4 uses the fact the identifying message IMSItne
pkNin the
proposed AKA protocol by Arapinis et al can be replayedIn a first phase the attacker A eavesdrops and stores the
identifying message IMSItnepkN
of an honest session betweenthe user UEIMSIt it wants to track and the HN Then everytime A wants to determine whether some user UEIMSIprime isthe tracked user UEIMSIt it intercepts the identifying messageIMSIprimenprimee
pkNsent by UEIMSIprime and replaces it with the stored
message IMSItnepkN
Finally A lets the protocol continuewithout further tampering We have two possible outcomesbull If IMSIprime 6= IMSIt then the message tauth sent by HN is
mac-ed using the wrong key and the UE rejects themessage Hence the attacker observes a failure message
bull If IMSIprime = IMSIt then tauth is accepted by UEIMSIprime andthe attacker observes a success message
Therefore the attacker can deduce whether it is interacting withUEIMSIt or not which breaks unlinkability
D Attack Against The PRIV-AKA Protocol
The authors of [6] then propose the PRIV-AKA protocolwhich is a significantly modified version of AKA The authorsclaim that their protocol achieves authentication and clientunlinkability But we discovered a de-synchronization attackit is possible to permanently de-synchronize the UE and the
HN Our attack uses the fact that in PRIV-AKA the HNsequence number is incremented only upon reception of theconfirmation message from the UE Therefore by interceptingthe last message from the UE we can prevent the HN fromincrementing its sequence number We now describe the attack
We run a session of the protocol but we intercept thelast message and store it for later use Note that the HNrsquossession is not closed At that point the UE and the HN arede-synchronized by one We re-synchronize them by runninga full session of the protocol We then re-iterate the stepsdescribed above we run a session of the protocol preventthe last message from arriving at the HN and then run afull session of the protocol to re-synchronize the HN and theUE Now the UE and the HN are synchronized and we havetwo stored messages one for each uncompleted session Wethen send the two messages to the corresponding HN sessionswhich accept them and increment the sequence number In theend it is incremented by two
The problem is that the UE and the HN cannot recoverfrom a de-synchronization by two We believe that this wasmissed by the authors of [6]2 Remark that this attack is alsoan unlinkability attack To attack some user UEIMSIrsquos privacywe permanently de-synchronize it Then each time UEIMSI triesto run the PRIV-AKA protocol it will abort which allows theadversary to track it
Remark 1 Our attack requires that the HN does not close thefirst session when we execute the second session At the endof the attack before sending the two stored messages thereare two HN sessions simultaneously opened for the same UEIf the HN closes any un-finished sessions when starting a newsession with the same UE our attack does not work
But this make another unlinkability attack possible Indeedclosing a session because of some later session between theHN and the same UE reveals a link between the two sessionsWe describe the attack First we start a session i betweena user UEA and the HN but we intercept and store the lastmessage tA from the user Then we let the HN run a fullsession with some user UEX Finally we complete the initialsession i by sending the stored message tA to the HN Herewe have two cases If X = A then the HN closed the firstsession when it completed the second Hence it rejects tA IfX 6= A then the first session is still opened and it accepts tA
Closing a session may leak information to the adversaryProtocols which aim at providing unlinkability must explicitwhen sessions can safely be closed By default we assume asession stays open In a real implementation a timeout tied tothe session (and not the user identity) could be used to avoidkeeping sessions opened forever
E Sequence Numbers and Unlinkability
We conjecture that it is not possible to achieve functionality(ie honest sessions eventually succeed) authentication andunlinkability at the same time when using a sequence number
2ldquothe two sequence numbers may become desynchronized by one step []Further desynchronization is prevented []rdquo (p 266 [6])
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
also controls the network but is not limited by a fixed setof rules Instead the attacker is any Probabilistic Polynomial-time Turing Machine (PPTM for short) Security proofs in thismodel are typically sequences of game transformations [15]between a game stating the protocol security and crypto-graphic hypotheses This model offers strong security guar-antees but proof automation is much harder For instanceCRYPTOVERIF [16] cannot prove the security of statefulcryptographic protocols (such as the AKA protocols)
There is a third model the Bana-Comon (BC) model [17][18] In this model messages are terms and the security prop-erty is a first-order formula Instead of granting the attackercapabilities through rules as in the symbolic approach westate what the adversary cannot do This model has severaladvantages First since security in the BC model entailscomputational security it offers strong security guaranteesThen there is no ambiguity the adversary can do anythingwhich is not explicitly forbidden Finally this approach iswell-suited to model stateful protocols
c) Related Work There are several formal analysis ofAKA protocols in the symbolic models In [12] the authorsuse the DEEPSEC tool to prove unlinkability of the protocolfor three sessions In [4] and [19] the authors use PROVERIFto prove unlinkability of AKA variants for respectively threesessions and an unbounded number of sessions In these threeworks the authors abstracted away several key features of theprotocol Because DEEPSEC and PROVERIF do not support thexor operator they replaced it with a symmetric encryptionMoreover sequence numbers are modeled by nonces in [4]and [12] While [19] models the sequence number update theyassume it is always incremented by one which is incorrectFinally none of these works modeled the re-synchronizationor the temporary identity mechanisms Because of these inac-curacies in their models they all miss attacks
In [20] the authors use the TAMARIN prover to analysemultiple properties of 5G-AKA For each property they eitherfind a proof or exhibit an attack To our knowledge this is themost precise symbolic analysis of an AKA protocol For exam-ple they correctly model the xor and the re-synchronizationmechanisms and they represent sequence numbers as integers(which makes their model stateful) Still they decided not toinclude the temporary identity mechanism Using this modelthey successfully rediscover the linkability attack from [4]
We are aware of two analysis of AKA protocols in thecomputational model In [6] the authors present a significantlymodified version of AKA called PRIV-AKA and claim it isunlinkable However we discovered a linkability attack againstthe protocol which falsifies the authors claim In [21] theauthors study the 4G-AKA protocol without its first messageThey show that this reduced protocol satisfies a form ofanonymity (which is weaker than unlinkability) Because theyconsider a weak privacy property for a reduced protocol theyfail to capture the linkability attacks from the literature
To summarize there is currently no computational securityproof of a complete version of an AKA protocol
d) Contributions Our contributions are
bull We study the privacy of the 5G-AKA protocol describedin the 3GPP draft [1] Thanks to the introduction ofasymmetric encryption the 5G version of AKA is notvulnerable to the IMSI-catcher attack However we showthat the linkability attacks from [3] [4] [6] against olderversions of AKA still apply to 5G-AKA
bull We present a new linkability attack against PRIV-AKAa significantly modified version of the AKA protocolintroduced and claimed unlinkable in [6] This attackexploits the fact that in PRIV-AKA a message can bedelayed to yield a state update later in the execution ofthe protocol where it can be detected
bull We propose the AKA+ protocol which is a modifiedversion of 5G-AKA with better privacy guarantees andsatisfying the same design and efficiency constraints
bull We introduce a new privacy property called σ-unlinkability inspired from [22] and Vaudenayrsquos Pri-vacy [23] Our property is parametric and allows us tohave a fine-grained quantification of a protocol privacy
bull We formally prove that AKA+ satisfies the σ-unlinkabilityproperty in the computational model Our proof is carriedout in the BC model and holds for any number of agentsand sessions that are not related to the security parameterWe also show that AKA+ provides mutual authenticatione) Outline In Section II and III we describe the 5G-AKA
protocol and the known linkability attacks against it Wepresent the AKA+ protocol in Section IV and we definethe σ-unlinkability property in Section V Finally we showhow we model the AKA+ protocol using the BC logic inSection VI and we state and sketch the proofs of the mutualauthentication and σ-unlinkability of AKA+ in Section VIIThis is an extended abstract without the full proofs whichcan be found in the technical report [24]
II THE 5G-AKA PROTOCOL
We present the 5G-AKA protocol described in the 3GPPstandards [1] This is a three-party authentication protocolbetweenbull The User Equipment (UE) This is the subscriberrsquos physi-
cal device using the mobile communication network (ega mobile phone) Each UE contains a cryptographic chipthe Universal Subscriber Identity Module (USIM) whichstores the user confidential material (such as secret keys)
bull The Home Network (HN) which is the subscriberrsquos ser-vice provider It maintains a database with the necessarydata to authenticate its subscribers
bull The Serving Network (SN) It controls the base station(the antenna) the UE is communicating with through awireless channel
If the HN has a base station nearby the UE then the HN andthe SN are the same entity But this is not always the case (egin roaming situations) When no base station from the userrsquosHN are in range the UE uses another networkrsquos base station
The UE and its corresponding HN share some confidentialkey material and the Subscription Permanent Identifier (SUPI)
which uniquely identifies the UE The SN does not have accessto the secret key material It follows that all cryptographiccomputations are performed by the HN and sent to theSN through a secure channel The SN also forwards all theinformation it gets from the UE to the HN But the UEpermanent identity is not kept hidden from the SN after asuccessful authentication the HN sends the SUPI to the SNThis is not technically needed but is done for legal reasonsIndeed the SN needs to know whom it is serving to be ableto answer to Lawful Interception requests
Therefore privacy requires to trust both the HN and theSN Since in addition they communicate through a securechannel we decided to model them as a single entity and weinclude the SN inside the HN A description of the protocolwith three distinct parties can be found in [20]
A Description of the Protocol
The 5G standard proposes two authentication protocolsEAP-AKAprime and 5G-AKA Since their differences are not rel-evant for privacy we only describe the 5G-AKA protocol
a) Cryptographic Primitives As in the 3G and 4G vari-ants the 5G-AKA protocol uses several keyed cryptographicone-way functions f1 f2 f5 f1lowast and f5lowast These functions areused both for integrity and confidentiality and take as input along term secret key k (which is different for each subscriber)
A major novelty in 5G-AKA is the introduction of an asym-metric randomized encryption middotne
pk Here pk is the publickey and ne is the encryption randomness Previous versionsof AKA did not use asymmetric encryption because the USIMwhich is a cryptographic micro-processor had no randomnessgeneration capabilities The asymmetric encryption is used toconceal the identity of the UE by sending SUPIne
pk insteadof transmitting the SUPI in clear (as in 3G and 4G-AKA)
b) Temporary Identities After a successful run of theprotocol the HN may issue a temporary identity a GloballyUnique Temporary Identity (GUTI) to the UE Each GUTI canbe used in at most one session to replace the encrypted identitySUPIne
pk It is renewed after each use Using a GUTI allowsto avoid one asymmetric encryption This saves a pseudo-random number generation and the expensive computation ofan asymmetric encryption
c) Sequence Numbers The 5G-AKA protocol preventsreplay attacks using a sequence number SQN instead of arandom challenge This sequence number is included in themessages incremented after each successful run of the pro-tocol and must be tracked and updated by the UE and theHN As it may get de-synchronized (eg because a messageis lost) there are two versions of it the UE sequence numberSQNU and the HN sequence number SQNN
d) State The UE and HN share the UE identity SUPI along-term symmetric secret key k a sequence number SQNU
and the HN public key pkN The UE also stores in GUTI thevalue of the last temporary identity assigned to it (if there isone) Finally the HN stores the secret key skN correspondingto pkN its version SQNN of every UErsquos sequence number anda mapping between the GUTIs and the SUPIs
UE
SUPI GUTI k pkN SQNU
HN
SUPI GUTI k skN SQNN
GUTI or SUPInepkN
if GUTI was used GUTI larr UnSetlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangInput xnR SQNR larr π1(x) π2(x)oplus f5k (nR)bmac larr f1k (〈SQNR nR〉) = π3(x)bSQN larr range(SQNU SQNR)
SQNN larr SQNN + 1
SQNU larr SQNRf2k (nR)
bmac and bSQN
ldquoAuth-Failurerdquonotbmac
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangInput ySQNlowastR larr π1(y)oplus f5lowastk (n)if f1lowastk (〈SQNlowastR n〉) = π2(y) then SQNN larr SQNlowastR + 1
bmac and notbSQN
Conventions larr is used for assignments and has a lowerpriority than the equality comparison operator =
Fig 1 The 5G-AKA Protocol
e) Authentication Protocol The 5G-AKA protocol isrepresented in Fig 1 We now describe an honest executionof the protocol The UE initiates the protocol by identifyingitself to the HN which it can do in two different ways
bull It can send a temporary identity GUTI if one was assignedto it After sending the GUTI the UE sets it to UnSet toensure that it will not be used more than once Otherwiseit would allow an adversary to link sessions together
bull It can send its concealed permanent identity SUPInepkN
using the HN public key pkN and a fresh randomness ne
Upon reception of an identifying message the HN retrieves thepermanent identity SUPI if it received a temporary identityGUTI this is done through a database look-up and if aconcealed permanent identity was used it uses skN to decryptit It can then recover SQNN and the key k associated tothe identity SUPI from its memory The HN then generatesa fresh nonce n It masks the sequence number SQNN byxoring it with f5k(n) and mac the message by computingf1k(〈SQNN n〉) (we use 〈 〉 for tuples) It then sends themessage 〈n SQNN oplus f5k(n) f1k(〈SQNN n〉)〉
When receiving this message the UE computes f5k(n)With it it unmasks SQNN and checks the authenticity of the
message by re-computing f1k(〈SQNN n〉) and verifying thatit is equal to the third component of the message It alsochecks whether SQNN and SQNU are in range1 If both checkssucceed the UE sets SQNU to SQNN which prevents thismessage from being accepted again It then sends f2k(n) toprove to HN the knowledge of k If the authenticity check failsan ldquoAuth-Failurerdquo message is sent Finally if the authenticitycheck succeeds but the range check fails UE starts the re-synchronization sub-protocol which we describe below
f) Re-synchronization The re-synchronization protocolallows the HN to obtain the current value of SQNU Firstthe UE masks SQNU by xoring it with f5lowastk (n) mac themessage using f1lowastk (〈SQNU n〉) and sends the pair 〈SQNU oplusf5lowastk (n) f1lowastk (〈SQNU n〉)〉 When receiving this message theHN unmasks SQNU and checks the mac If the authenticationtest is successful HN sets the value of SQNN to SQNU + 1This ensures that HN first message in the next session of theprotocol is in the correct range
g) GUTI Assignment There is a final component of theprotocol which is not described in Fig 1 (as it is not used inthe privacy attacks we present later) After a successful run ofthe protocol the HN generates a new temporary identity GUTIand links it to the UErsquos permanent identity in its databaseThen it sends the masked fresh GUTI to the UE
III UNLINKABILITY ATTACKS AGAINST 5G-AKA
We present in this section several attacks against AKA thatappeared in the literature All these attacks but one (the IMSI-catcher attack) carry over to 5G-AKA Moreover several fixesof the 3G and 4G versions of AKA have been proposed Wediscuss the two most relevant fixes the first by Arapinis etal [4] and the second by Fouque et al [6]
None of these fixes are satisfactory The modified AKAprotocol given in [4] has been shown flawed in [6] The authorsof [6] then propose their own protocol called PRIV-AKA andclaim it is unlinkable (they only provide a proof sketch)While analyzing the PRIV-AKA protocol we discovered anattack allowing to permanently de-synchronize the UE and theHN Since a de-synchronized UE can be easily tracked (afterbeing de-synchronized the UE rejects all further messages)our attack is also an unlinkability attack This is in directcontradiction with the security property claimed in [6] Thisis a novel attack that never appeared in the literature
A IMSI-Catcher Attack
All the older versions of AKA (4G and earlier) are vulnerableto the IMSI-catcher attack [2] This attack simply relies onthe fact that in these versions of AKA the permanent identity(called the International Mobile Subscriber Identity or IMSI inthe 4G specifications) is not encrypted but sent in plain-textMoreover even if a temporary identity is used (a TemporaryMobile Subscriber Identity or TMSI) an attacker can simplysend a Permanent-ID-Request message to obtain the UErsquospermanent identity The attack is depicted in Fig 2
1The specification is loose here it only requires that SQNU lt SQNN leSQNU + C where C is some constant chosen by the HN
UE AttackerTMSI or IMSI
ldquoPermanent-ID-RequestrdquoIf TMSI received
IMSI
Fig 2 An IMSI-Catcher Attack
UEIMSIt HNtauth equiv
langn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangf2k (n)
UEIMSIprime Attackertauth
ldquoAuth-FailurerdquoIf IMSIprime 6= IMSIt
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangIf IMSIprime = IMSIt
Fig 3 The Failure Message Attack by [4]
This necessitates an active attacker with its own base stationAt the time this required specialized hardware and wasbelieved to be too expensive This is no longer the case andcan be done for a few hundreds dollars (see [25])
B The Failure Message Attack
In [4] Arapinis et al propose to use an asymmetric encryp-tion to protect against the IMSI-catcher attack each UE carriesthe public-key of its corresponding HN and uses it to encryptits permanent identity This is basically the solution that wasadopted by 3GPP for the 5G version of AKA Interestinglythey show that this is not enough to ensure privacy and givea linkability attack that does not rely on the identificationmessage sent by UE While their attack is against the 3G-AKAprotocol it is applicable to the 5G-AKA protocol
a) The Attack The attack is depicted in Fig 3 and worksin two phases First the adversary eavesdrops a successful runof the protocol between the HN and the target UE with identityIMSIt and stores the authentication message tauth sent by HNIn a second phase the attacker A tries to determine whether aUE with identity IMSIprime is the initial UE (ie whether IMSIprime =IMSIt) To do this A initiates a new session of the protocol andreplays the message tauth If IMSIprime 6= IMSIt then the mac testfails and UEIMSIprime answers ldquoAuth-Failurerdquo If IMSIprime = IMSItthen the mac test succeeds but the range test fails and UEIMSIprime
sends a re-synchronization messageThe adversary can distinguish between the two messages
and therefore knows if it is interacting with the original or adifferent UE Moreover the second phase of the attack can
UEIMSIt HNIMSItnepkN
UEIMSIprime HNIMSIprimenprimeepkN
IMSItne
pkN
tauth equivlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangFailure Message
If IMSIprime 6= IMSIt
f2k (nR)If IMSIprime = IMSIt
Fig 4 The Encrypted IMSI Replay Attack by [6]
be repeated every time the adversary wants to check for thepresence of the tracked user IMSIt in its vicinity
b) Proposed Fix To protect against the failure messageattack the authors of [4] propose that the UE encrypts both er-ror messages using the public key pkN of the HN making themindistinguishable To the adversary there is no distinctionsbetween an authentication and a de-synchronization failureThe fixed AKA protocol without the identifying messageIMSIne
pkN was formally checked in the symbolic model using
the PROVERIF tool Because this message was omitted in themodel an attack was missed We present this attack next
C The Encrypted IMSI Replay Attack
In [6] Fouque et al give an attack against the fixed AKAproposed by Arapinis et al in [4] Their attack described inFig 4 uses the fact the identifying message IMSItne
pkNin the
proposed AKA protocol by Arapinis et al can be replayedIn a first phase the attacker A eavesdrops and stores the
identifying message IMSItnepkN
of an honest session betweenthe user UEIMSIt it wants to track and the HN Then everytime A wants to determine whether some user UEIMSIprime isthe tracked user UEIMSIt it intercepts the identifying messageIMSIprimenprimee
pkNsent by UEIMSIprime and replaces it with the stored
message IMSItnepkN
Finally A lets the protocol continuewithout further tampering We have two possible outcomesbull If IMSIprime 6= IMSIt then the message tauth sent by HN is
mac-ed using the wrong key and the UE rejects themessage Hence the attacker observes a failure message
bull If IMSIprime = IMSIt then tauth is accepted by UEIMSIprime andthe attacker observes a success message
Therefore the attacker can deduce whether it is interacting withUEIMSIt or not which breaks unlinkability
D Attack Against The PRIV-AKA Protocol
The authors of [6] then propose the PRIV-AKA protocolwhich is a significantly modified version of AKA The authorsclaim that their protocol achieves authentication and clientunlinkability But we discovered a de-synchronization attackit is possible to permanently de-synchronize the UE and the
HN Our attack uses the fact that in PRIV-AKA the HNsequence number is incremented only upon reception of theconfirmation message from the UE Therefore by interceptingthe last message from the UE we can prevent the HN fromincrementing its sequence number We now describe the attack
We run a session of the protocol but we intercept thelast message and store it for later use Note that the HNrsquossession is not closed At that point the UE and the HN arede-synchronized by one We re-synchronize them by runninga full session of the protocol We then re-iterate the stepsdescribed above we run a session of the protocol preventthe last message from arriving at the HN and then run afull session of the protocol to re-synchronize the HN and theUE Now the UE and the HN are synchronized and we havetwo stored messages one for each uncompleted session Wethen send the two messages to the corresponding HN sessionswhich accept them and increment the sequence number In theend it is incremented by two
The problem is that the UE and the HN cannot recoverfrom a de-synchronization by two We believe that this wasmissed by the authors of [6]2 Remark that this attack is alsoan unlinkability attack To attack some user UEIMSIrsquos privacywe permanently de-synchronize it Then each time UEIMSI triesto run the PRIV-AKA protocol it will abort which allows theadversary to track it
Remark 1 Our attack requires that the HN does not close thefirst session when we execute the second session At the endof the attack before sending the two stored messages thereare two HN sessions simultaneously opened for the same UEIf the HN closes any un-finished sessions when starting a newsession with the same UE our attack does not work
But this make another unlinkability attack possible Indeedclosing a session because of some later session between theHN and the same UE reveals a link between the two sessionsWe describe the attack First we start a session i betweena user UEA and the HN but we intercept and store the lastmessage tA from the user Then we let the HN run a fullsession with some user UEX Finally we complete the initialsession i by sending the stored message tA to the HN Herewe have two cases If X = A then the HN closed the firstsession when it completed the second Hence it rejects tA IfX 6= A then the first session is still opened and it accepts tA
Closing a session may leak information to the adversaryProtocols which aim at providing unlinkability must explicitwhen sessions can safely be closed By default we assume asession stays open In a real implementation a timeout tied tothe session (and not the user identity) could be used to avoidkeeping sessions opened forever
E Sequence Numbers and Unlinkability
We conjecture that it is not possible to achieve functionality(ie honest sessions eventually succeed) authentication andunlinkability at the same time when using a sequence number
2ldquothe two sequence numbers may become desynchronized by one step []Further desynchronization is prevented []rdquo (p 266 [6])
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
which uniquely identifies the UE The SN does not have accessto the secret key material It follows that all cryptographiccomputations are performed by the HN and sent to theSN through a secure channel The SN also forwards all theinformation it gets from the UE to the HN But the UEpermanent identity is not kept hidden from the SN after asuccessful authentication the HN sends the SUPI to the SNThis is not technically needed but is done for legal reasonsIndeed the SN needs to know whom it is serving to be ableto answer to Lawful Interception requests
Therefore privacy requires to trust both the HN and theSN Since in addition they communicate through a securechannel we decided to model them as a single entity and weinclude the SN inside the HN A description of the protocolwith three distinct parties can be found in [20]
A Description of the Protocol
The 5G standard proposes two authentication protocolsEAP-AKAprime and 5G-AKA Since their differences are not rel-evant for privacy we only describe the 5G-AKA protocol
a) Cryptographic Primitives As in the 3G and 4G vari-ants the 5G-AKA protocol uses several keyed cryptographicone-way functions f1 f2 f5 f1lowast and f5lowast These functions areused both for integrity and confidentiality and take as input along term secret key k (which is different for each subscriber)
A major novelty in 5G-AKA is the introduction of an asym-metric randomized encryption middotne
pk Here pk is the publickey and ne is the encryption randomness Previous versionsof AKA did not use asymmetric encryption because the USIMwhich is a cryptographic micro-processor had no randomnessgeneration capabilities The asymmetric encryption is used toconceal the identity of the UE by sending SUPIne
pk insteadof transmitting the SUPI in clear (as in 3G and 4G-AKA)
b) Temporary Identities After a successful run of theprotocol the HN may issue a temporary identity a GloballyUnique Temporary Identity (GUTI) to the UE Each GUTI canbe used in at most one session to replace the encrypted identitySUPIne
pk It is renewed after each use Using a GUTI allowsto avoid one asymmetric encryption This saves a pseudo-random number generation and the expensive computation ofan asymmetric encryption
c) Sequence Numbers The 5G-AKA protocol preventsreplay attacks using a sequence number SQN instead of arandom challenge This sequence number is included in themessages incremented after each successful run of the pro-tocol and must be tracked and updated by the UE and theHN As it may get de-synchronized (eg because a messageis lost) there are two versions of it the UE sequence numberSQNU and the HN sequence number SQNN
d) State The UE and HN share the UE identity SUPI along-term symmetric secret key k a sequence number SQNU
and the HN public key pkN The UE also stores in GUTI thevalue of the last temporary identity assigned to it (if there isone) Finally the HN stores the secret key skN correspondingto pkN its version SQNN of every UErsquos sequence number anda mapping between the GUTIs and the SUPIs
UE
SUPI GUTI k pkN SQNU
HN
SUPI GUTI k skN SQNN
GUTI or SUPInepkN
if GUTI was used GUTI larr UnSetlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangInput xnR SQNR larr π1(x) π2(x)oplus f5k (nR)bmac larr f1k (〈SQNR nR〉) = π3(x)bSQN larr range(SQNU SQNR)
SQNN larr SQNN + 1
SQNU larr SQNRf2k (nR)
bmac and bSQN
ldquoAuth-Failurerdquonotbmac
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangInput ySQNlowastR larr π1(y)oplus f5lowastk (n)if f1lowastk (〈SQNlowastR n〉) = π2(y) then SQNN larr SQNlowastR + 1
bmac and notbSQN
Conventions larr is used for assignments and has a lowerpriority than the equality comparison operator =
Fig 1 The 5G-AKA Protocol
e) Authentication Protocol The 5G-AKA protocol isrepresented in Fig 1 We now describe an honest executionof the protocol The UE initiates the protocol by identifyingitself to the HN which it can do in two different ways
bull It can send a temporary identity GUTI if one was assignedto it After sending the GUTI the UE sets it to UnSet toensure that it will not be used more than once Otherwiseit would allow an adversary to link sessions together
bull It can send its concealed permanent identity SUPInepkN
using the HN public key pkN and a fresh randomness ne
Upon reception of an identifying message the HN retrieves thepermanent identity SUPI if it received a temporary identityGUTI this is done through a database look-up and if aconcealed permanent identity was used it uses skN to decryptit It can then recover SQNN and the key k associated tothe identity SUPI from its memory The HN then generatesa fresh nonce n It masks the sequence number SQNN byxoring it with f5k(n) and mac the message by computingf1k(〈SQNN n〉) (we use 〈 〉 for tuples) It then sends themessage 〈n SQNN oplus f5k(n) f1k(〈SQNN n〉)〉
When receiving this message the UE computes f5k(n)With it it unmasks SQNN and checks the authenticity of the
message by re-computing f1k(〈SQNN n〉) and verifying thatit is equal to the third component of the message It alsochecks whether SQNN and SQNU are in range1 If both checkssucceed the UE sets SQNU to SQNN which prevents thismessage from being accepted again It then sends f2k(n) toprove to HN the knowledge of k If the authenticity check failsan ldquoAuth-Failurerdquo message is sent Finally if the authenticitycheck succeeds but the range check fails UE starts the re-synchronization sub-protocol which we describe below
f) Re-synchronization The re-synchronization protocolallows the HN to obtain the current value of SQNU Firstthe UE masks SQNU by xoring it with f5lowastk (n) mac themessage using f1lowastk (〈SQNU n〉) and sends the pair 〈SQNU oplusf5lowastk (n) f1lowastk (〈SQNU n〉)〉 When receiving this message theHN unmasks SQNU and checks the mac If the authenticationtest is successful HN sets the value of SQNN to SQNU + 1This ensures that HN first message in the next session of theprotocol is in the correct range
g) GUTI Assignment There is a final component of theprotocol which is not described in Fig 1 (as it is not used inthe privacy attacks we present later) After a successful run ofthe protocol the HN generates a new temporary identity GUTIand links it to the UErsquos permanent identity in its databaseThen it sends the masked fresh GUTI to the UE
III UNLINKABILITY ATTACKS AGAINST 5G-AKA
We present in this section several attacks against AKA thatappeared in the literature All these attacks but one (the IMSI-catcher attack) carry over to 5G-AKA Moreover several fixesof the 3G and 4G versions of AKA have been proposed Wediscuss the two most relevant fixes the first by Arapinis etal [4] and the second by Fouque et al [6]
None of these fixes are satisfactory The modified AKAprotocol given in [4] has been shown flawed in [6] The authorsof [6] then propose their own protocol called PRIV-AKA andclaim it is unlinkable (they only provide a proof sketch)While analyzing the PRIV-AKA protocol we discovered anattack allowing to permanently de-synchronize the UE and theHN Since a de-synchronized UE can be easily tracked (afterbeing de-synchronized the UE rejects all further messages)our attack is also an unlinkability attack This is in directcontradiction with the security property claimed in [6] Thisis a novel attack that never appeared in the literature
A IMSI-Catcher Attack
All the older versions of AKA (4G and earlier) are vulnerableto the IMSI-catcher attack [2] This attack simply relies onthe fact that in these versions of AKA the permanent identity(called the International Mobile Subscriber Identity or IMSI inthe 4G specifications) is not encrypted but sent in plain-textMoreover even if a temporary identity is used (a TemporaryMobile Subscriber Identity or TMSI) an attacker can simplysend a Permanent-ID-Request message to obtain the UErsquospermanent identity The attack is depicted in Fig 2
1The specification is loose here it only requires that SQNU lt SQNN leSQNU + C where C is some constant chosen by the HN
UE AttackerTMSI or IMSI
ldquoPermanent-ID-RequestrdquoIf TMSI received
IMSI
Fig 2 An IMSI-Catcher Attack
UEIMSIt HNtauth equiv
langn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangf2k (n)
UEIMSIprime Attackertauth
ldquoAuth-FailurerdquoIf IMSIprime 6= IMSIt
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangIf IMSIprime = IMSIt
Fig 3 The Failure Message Attack by [4]
This necessitates an active attacker with its own base stationAt the time this required specialized hardware and wasbelieved to be too expensive This is no longer the case andcan be done for a few hundreds dollars (see [25])
B The Failure Message Attack
In [4] Arapinis et al propose to use an asymmetric encryp-tion to protect against the IMSI-catcher attack each UE carriesthe public-key of its corresponding HN and uses it to encryptits permanent identity This is basically the solution that wasadopted by 3GPP for the 5G version of AKA Interestinglythey show that this is not enough to ensure privacy and givea linkability attack that does not rely on the identificationmessage sent by UE While their attack is against the 3G-AKAprotocol it is applicable to the 5G-AKA protocol
a) The Attack The attack is depicted in Fig 3 and worksin two phases First the adversary eavesdrops a successful runof the protocol between the HN and the target UE with identityIMSIt and stores the authentication message tauth sent by HNIn a second phase the attacker A tries to determine whether aUE with identity IMSIprime is the initial UE (ie whether IMSIprime =IMSIt) To do this A initiates a new session of the protocol andreplays the message tauth If IMSIprime 6= IMSIt then the mac testfails and UEIMSIprime answers ldquoAuth-Failurerdquo If IMSIprime = IMSItthen the mac test succeeds but the range test fails and UEIMSIprime
sends a re-synchronization messageThe adversary can distinguish between the two messages
and therefore knows if it is interacting with the original or adifferent UE Moreover the second phase of the attack can
UEIMSIt HNIMSItnepkN
UEIMSIprime HNIMSIprimenprimeepkN
IMSItne
pkN
tauth equivlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangFailure Message
If IMSIprime 6= IMSIt
f2k (nR)If IMSIprime = IMSIt
Fig 4 The Encrypted IMSI Replay Attack by [6]
be repeated every time the adversary wants to check for thepresence of the tracked user IMSIt in its vicinity
b) Proposed Fix To protect against the failure messageattack the authors of [4] propose that the UE encrypts both er-ror messages using the public key pkN of the HN making themindistinguishable To the adversary there is no distinctionsbetween an authentication and a de-synchronization failureThe fixed AKA protocol without the identifying messageIMSIne
pkN was formally checked in the symbolic model using
the PROVERIF tool Because this message was omitted in themodel an attack was missed We present this attack next
C The Encrypted IMSI Replay Attack
In [6] Fouque et al give an attack against the fixed AKAproposed by Arapinis et al in [4] Their attack described inFig 4 uses the fact the identifying message IMSItne
pkNin the
proposed AKA protocol by Arapinis et al can be replayedIn a first phase the attacker A eavesdrops and stores the
identifying message IMSItnepkN
of an honest session betweenthe user UEIMSIt it wants to track and the HN Then everytime A wants to determine whether some user UEIMSIprime isthe tracked user UEIMSIt it intercepts the identifying messageIMSIprimenprimee
pkNsent by UEIMSIprime and replaces it with the stored
message IMSItnepkN
Finally A lets the protocol continuewithout further tampering We have two possible outcomesbull If IMSIprime 6= IMSIt then the message tauth sent by HN is
mac-ed using the wrong key and the UE rejects themessage Hence the attacker observes a failure message
bull If IMSIprime = IMSIt then tauth is accepted by UEIMSIprime andthe attacker observes a success message
Therefore the attacker can deduce whether it is interacting withUEIMSIt or not which breaks unlinkability
D Attack Against The PRIV-AKA Protocol
The authors of [6] then propose the PRIV-AKA protocolwhich is a significantly modified version of AKA The authorsclaim that their protocol achieves authentication and clientunlinkability But we discovered a de-synchronization attackit is possible to permanently de-synchronize the UE and the
HN Our attack uses the fact that in PRIV-AKA the HNsequence number is incremented only upon reception of theconfirmation message from the UE Therefore by interceptingthe last message from the UE we can prevent the HN fromincrementing its sequence number We now describe the attack
We run a session of the protocol but we intercept thelast message and store it for later use Note that the HNrsquossession is not closed At that point the UE and the HN arede-synchronized by one We re-synchronize them by runninga full session of the protocol We then re-iterate the stepsdescribed above we run a session of the protocol preventthe last message from arriving at the HN and then run afull session of the protocol to re-synchronize the HN and theUE Now the UE and the HN are synchronized and we havetwo stored messages one for each uncompleted session Wethen send the two messages to the corresponding HN sessionswhich accept them and increment the sequence number In theend it is incremented by two
The problem is that the UE and the HN cannot recoverfrom a de-synchronization by two We believe that this wasmissed by the authors of [6]2 Remark that this attack is alsoan unlinkability attack To attack some user UEIMSIrsquos privacywe permanently de-synchronize it Then each time UEIMSI triesto run the PRIV-AKA protocol it will abort which allows theadversary to track it
Remark 1 Our attack requires that the HN does not close thefirst session when we execute the second session At the endof the attack before sending the two stored messages thereare two HN sessions simultaneously opened for the same UEIf the HN closes any un-finished sessions when starting a newsession with the same UE our attack does not work
But this make another unlinkability attack possible Indeedclosing a session because of some later session between theHN and the same UE reveals a link between the two sessionsWe describe the attack First we start a session i betweena user UEA and the HN but we intercept and store the lastmessage tA from the user Then we let the HN run a fullsession with some user UEX Finally we complete the initialsession i by sending the stored message tA to the HN Herewe have two cases If X = A then the HN closed the firstsession when it completed the second Hence it rejects tA IfX 6= A then the first session is still opened and it accepts tA
Closing a session may leak information to the adversaryProtocols which aim at providing unlinkability must explicitwhen sessions can safely be closed By default we assume asession stays open In a real implementation a timeout tied tothe session (and not the user identity) could be used to avoidkeeping sessions opened forever
E Sequence Numbers and Unlinkability
We conjecture that it is not possible to achieve functionality(ie honest sessions eventually succeed) authentication andunlinkability at the same time when using a sequence number
2ldquothe two sequence numbers may become desynchronized by one step []Further desynchronization is prevented []rdquo (p 266 [6])
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
message by re-computing f1k(〈SQNN n〉) and verifying thatit is equal to the third component of the message It alsochecks whether SQNN and SQNU are in range1 If both checkssucceed the UE sets SQNU to SQNN which prevents thismessage from being accepted again It then sends f2k(n) toprove to HN the knowledge of k If the authenticity check failsan ldquoAuth-Failurerdquo message is sent Finally if the authenticitycheck succeeds but the range check fails UE starts the re-synchronization sub-protocol which we describe below
f) Re-synchronization The re-synchronization protocolallows the HN to obtain the current value of SQNU Firstthe UE masks SQNU by xoring it with f5lowastk (n) mac themessage using f1lowastk (〈SQNU n〉) and sends the pair 〈SQNU oplusf5lowastk (n) f1lowastk (〈SQNU n〉)〉 When receiving this message theHN unmasks SQNU and checks the mac If the authenticationtest is successful HN sets the value of SQNN to SQNU + 1This ensures that HN first message in the next session of theprotocol is in the correct range
g) GUTI Assignment There is a final component of theprotocol which is not described in Fig 1 (as it is not used inthe privacy attacks we present later) After a successful run ofthe protocol the HN generates a new temporary identity GUTIand links it to the UErsquos permanent identity in its databaseThen it sends the masked fresh GUTI to the UE
III UNLINKABILITY ATTACKS AGAINST 5G-AKA
We present in this section several attacks against AKA thatappeared in the literature All these attacks but one (the IMSI-catcher attack) carry over to 5G-AKA Moreover several fixesof the 3G and 4G versions of AKA have been proposed Wediscuss the two most relevant fixes the first by Arapinis etal [4] and the second by Fouque et al [6]
None of these fixes are satisfactory The modified AKAprotocol given in [4] has been shown flawed in [6] The authorsof [6] then propose their own protocol called PRIV-AKA andclaim it is unlinkable (they only provide a proof sketch)While analyzing the PRIV-AKA protocol we discovered anattack allowing to permanently de-synchronize the UE and theHN Since a de-synchronized UE can be easily tracked (afterbeing de-synchronized the UE rejects all further messages)our attack is also an unlinkability attack This is in directcontradiction with the security property claimed in [6] Thisis a novel attack that never appeared in the literature
A IMSI-Catcher Attack
All the older versions of AKA (4G and earlier) are vulnerableto the IMSI-catcher attack [2] This attack simply relies onthe fact that in these versions of AKA the permanent identity(called the International Mobile Subscriber Identity or IMSI inthe 4G specifications) is not encrypted but sent in plain-textMoreover even if a temporary identity is used (a TemporaryMobile Subscriber Identity or TMSI) an attacker can simplysend a Permanent-ID-Request message to obtain the UErsquospermanent identity The attack is depicted in Fig 2
1The specification is loose here it only requires that SQNU lt SQNN leSQNU + C where C is some constant chosen by the HN
UE AttackerTMSI or IMSI
ldquoPermanent-ID-RequestrdquoIf TMSI received
IMSI
Fig 2 An IMSI-Catcher Attack
UEIMSIt HNtauth equiv
langn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangf2k (n)
UEIMSIprime Attackertauth
ldquoAuth-FailurerdquoIf IMSIprime 6= IMSIt
langSQNU oplus f5lowastk (nR) f1lowastk (〈SQNU nR〉)
rangIf IMSIprime = IMSIt
Fig 3 The Failure Message Attack by [4]
This necessitates an active attacker with its own base stationAt the time this required specialized hardware and wasbelieved to be too expensive This is no longer the case andcan be done for a few hundreds dollars (see [25])
B The Failure Message Attack
In [4] Arapinis et al propose to use an asymmetric encryp-tion to protect against the IMSI-catcher attack each UE carriesthe public-key of its corresponding HN and uses it to encryptits permanent identity This is basically the solution that wasadopted by 3GPP for the 5G version of AKA Interestinglythey show that this is not enough to ensure privacy and givea linkability attack that does not rely on the identificationmessage sent by UE While their attack is against the 3G-AKAprotocol it is applicable to the 5G-AKA protocol
a) The Attack The attack is depicted in Fig 3 and worksin two phases First the adversary eavesdrops a successful runof the protocol between the HN and the target UE with identityIMSIt and stores the authentication message tauth sent by HNIn a second phase the attacker A tries to determine whether aUE with identity IMSIprime is the initial UE (ie whether IMSIprime =IMSIt) To do this A initiates a new session of the protocol andreplays the message tauth If IMSIprime 6= IMSIt then the mac testfails and UEIMSIprime answers ldquoAuth-Failurerdquo If IMSIprime = IMSItthen the mac test succeeds but the range test fails and UEIMSIprime
sends a re-synchronization messageThe adversary can distinguish between the two messages
and therefore knows if it is interacting with the original or adifferent UE Moreover the second phase of the attack can
UEIMSIt HNIMSItnepkN
UEIMSIprime HNIMSIprimenprimeepkN
IMSItne
pkN
tauth equivlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangFailure Message
If IMSIprime 6= IMSIt
f2k (nR)If IMSIprime = IMSIt
Fig 4 The Encrypted IMSI Replay Attack by [6]
be repeated every time the adversary wants to check for thepresence of the tracked user IMSIt in its vicinity
b) Proposed Fix To protect against the failure messageattack the authors of [4] propose that the UE encrypts both er-ror messages using the public key pkN of the HN making themindistinguishable To the adversary there is no distinctionsbetween an authentication and a de-synchronization failureThe fixed AKA protocol without the identifying messageIMSIne
pkN was formally checked in the symbolic model using
the PROVERIF tool Because this message was omitted in themodel an attack was missed We present this attack next
C The Encrypted IMSI Replay Attack
In [6] Fouque et al give an attack against the fixed AKAproposed by Arapinis et al in [4] Their attack described inFig 4 uses the fact the identifying message IMSItne
pkNin the
proposed AKA protocol by Arapinis et al can be replayedIn a first phase the attacker A eavesdrops and stores the
identifying message IMSItnepkN
of an honest session betweenthe user UEIMSIt it wants to track and the HN Then everytime A wants to determine whether some user UEIMSIprime isthe tracked user UEIMSIt it intercepts the identifying messageIMSIprimenprimee
pkNsent by UEIMSIprime and replaces it with the stored
message IMSItnepkN
Finally A lets the protocol continuewithout further tampering We have two possible outcomesbull If IMSIprime 6= IMSIt then the message tauth sent by HN is
mac-ed using the wrong key and the UE rejects themessage Hence the attacker observes a failure message
bull If IMSIprime = IMSIt then tauth is accepted by UEIMSIprime andthe attacker observes a success message
Therefore the attacker can deduce whether it is interacting withUEIMSIt or not which breaks unlinkability
D Attack Against The PRIV-AKA Protocol
The authors of [6] then propose the PRIV-AKA protocolwhich is a significantly modified version of AKA The authorsclaim that their protocol achieves authentication and clientunlinkability But we discovered a de-synchronization attackit is possible to permanently de-synchronize the UE and the
HN Our attack uses the fact that in PRIV-AKA the HNsequence number is incremented only upon reception of theconfirmation message from the UE Therefore by interceptingthe last message from the UE we can prevent the HN fromincrementing its sequence number We now describe the attack
We run a session of the protocol but we intercept thelast message and store it for later use Note that the HNrsquossession is not closed At that point the UE and the HN arede-synchronized by one We re-synchronize them by runninga full session of the protocol We then re-iterate the stepsdescribed above we run a session of the protocol preventthe last message from arriving at the HN and then run afull session of the protocol to re-synchronize the HN and theUE Now the UE and the HN are synchronized and we havetwo stored messages one for each uncompleted session Wethen send the two messages to the corresponding HN sessionswhich accept them and increment the sequence number In theend it is incremented by two
The problem is that the UE and the HN cannot recoverfrom a de-synchronization by two We believe that this wasmissed by the authors of [6]2 Remark that this attack is alsoan unlinkability attack To attack some user UEIMSIrsquos privacywe permanently de-synchronize it Then each time UEIMSI triesto run the PRIV-AKA protocol it will abort which allows theadversary to track it
Remark 1 Our attack requires that the HN does not close thefirst session when we execute the second session At the endof the attack before sending the two stored messages thereare two HN sessions simultaneously opened for the same UEIf the HN closes any un-finished sessions when starting a newsession with the same UE our attack does not work
But this make another unlinkability attack possible Indeedclosing a session because of some later session between theHN and the same UE reveals a link between the two sessionsWe describe the attack First we start a session i betweena user UEA and the HN but we intercept and store the lastmessage tA from the user Then we let the HN run a fullsession with some user UEX Finally we complete the initialsession i by sending the stored message tA to the HN Herewe have two cases If X = A then the HN closed the firstsession when it completed the second Hence it rejects tA IfX 6= A then the first session is still opened and it accepts tA
Closing a session may leak information to the adversaryProtocols which aim at providing unlinkability must explicitwhen sessions can safely be closed By default we assume asession stays open In a real implementation a timeout tied tothe session (and not the user identity) could be used to avoidkeeping sessions opened forever
E Sequence Numbers and Unlinkability
We conjecture that it is not possible to achieve functionality(ie honest sessions eventually succeed) authentication andunlinkability at the same time when using a sequence number
2ldquothe two sequence numbers may become desynchronized by one step []Further desynchronization is prevented []rdquo (p 266 [6])
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
UEIMSIt HNIMSItnepkN
UEIMSIprime HNIMSIprimenprimeepkN
IMSItne
pkN
tauth equivlangn SQNN oplus f5k (n) f1k (〈SQNN n〉)
rangFailure Message
If IMSIprime 6= IMSIt
f2k (nR)If IMSIprime = IMSIt
Fig 4 The Encrypted IMSI Replay Attack by [6]
be repeated every time the adversary wants to check for thepresence of the tracked user IMSIt in its vicinity
b) Proposed Fix To protect against the failure messageattack the authors of [4] propose that the UE encrypts both er-ror messages using the public key pkN of the HN making themindistinguishable To the adversary there is no distinctionsbetween an authentication and a de-synchronization failureThe fixed AKA protocol without the identifying messageIMSIne
pkN was formally checked in the symbolic model using
the PROVERIF tool Because this message was omitted in themodel an attack was missed We present this attack next
C The Encrypted IMSI Replay Attack
In [6] Fouque et al give an attack against the fixed AKAproposed by Arapinis et al in [4] Their attack described inFig 4 uses the fact the identifying message IMSItne
pkNin the
proposed AKA protocol by Arapinis et al can be replayedIn a first phase the attacker A eavesdrops and stores the
identifying message IMSItnepkN
of an honest session betweenthe user UEIMSIt it wants to track and the HN Then everytime A wants to determine whether some user UEIMSIprime isthe tracked user UEIMSIt it intercepts the identifying messageIMSIprimenprimee
pkNsent by UEIMSIprime and replaces it with the stored
message IMSItnepkN
Finally A lets the protocol continuewithout further tampering We have two possible outcomesbull If IMSIprime 6= IMSIt then the message tauth sent by HN is
mac-ed using the wrong key and the UE rejects themessage Hence the attacker observes a failure message
bull If IMSIprime = IMSIt then tauth is accepted by UEIMSIprime andthe attacker observes a success message
Therefore the attacker can deduce whether it is interacting withUEIMSIt or not which breaks unlinkability
D Attack Against The PRIV-AKA Protocol
The authors of [6] then propose the PRIV-AKA protocolwhich is a significantly modified version of AKA The authorsclaim that their protocol achieves authentication and clientunlinkability But we discovered a de-synchronization attackit is possible to permanently de-synchronize the UE and the
HN Our attack uses the fact that in PRIV-AKA the HNsequence number is incremented only upon reception of theconfirmation message from the UE Therefore by interceptingthe last message from the UE we can prevent the HN fromincrementing its sequence number We now describe the attack
We run a session of the protocol but we intercept thelast message and store it for later use Note that the HNrsquossession is not closed At that point the UE and the HN arede-synchronized by one We re-synchronize them by runninga full session of the protocol We then re-iterate the stepsdescribed above we run a session of the protocol preventthe last message from arriving at the HN and then run afull session of the protocol to re-synchronize the HN and theUE Now the UE and the HN are synchronized and we havetwo stored messages one for each uncompleted session Wethen send the two messages to the corresponding HN sessionswhich accept them and increment the sequence number In theend it is incremented by two
The problem is that the UE and the HN cannot recoverfrom a de-synchronization by two We believe that this wasmissed by the authors of [6]2 Remark that this attack is alsoan unlinkability attack To attack some user UEIMSIrsquos privacywe permanently de-synchronize it Then each time UEIMSI triesto run the PRIV-AKA protocol it will abort which allows theadversary to track it
Remark 1 Our attack requires that the HN does not close thefirst session when we execute the second session At the endof the attack before sending the two stored messages thereare two HN sessions simultaneously opened for the same UEIf the HN closes any un-finished sessions when starting a newsession with the same UE our attack does not work
But this make another unlinkability attack possible Indeedclosing a session because of some later session between theHN and the same UE reveals a link between the two sessionsWe describe the attack First we start a session i betweena user UEA and the HN but we intercept and store the lastmessage tA from the user Then we let the HN run a fullsession with some user UEX Finally we complete the initialsession i by sending the stored message tA to the HN Herewe have two cases If X = A then the HN closed the firstsession when it completed the second Hence it rejects tA IfX 6= A then the first session is still opened and it accepts tA
Closing a session may leak information to the adversaryProtocols which aim at providing unlinkability must explicitwhen sessions can safely be closed By default we assume asession stays open In a real implementation a timeout tied tothe session (and not the user identity) could be used to avoidkeeping sessions opened forever
E Sequence Numbers and Unlinkability
We conjecture that it is not possible to achieve functionality(ie honest sessions eventually succeed) authentication andunlinkability at the same time when using a sequence number
2ldquothe two sequence numbers may become desynchronized by one step []Further desynchronization is prevented []rdquo (p 266 [6])
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
based protocol with no random number generation capabilitiesin the UE side We briefly explain our intuition
In any sequence number based protocol the agents maybecome de-synchronized because they cannot know if theirlast message has been received Furthermore the attacker cancause de-synchronization by blocking messages The problemis that we have contradictory requirements On the one hand toensure authentication an agent must reject a replayed messageOn the other hand in order to guarantee unlinkability anhonest agent has to behave the same way when receiving amessage from a synchronized agent or from a de-synchronizedagent Since functionality requires that a message from asynchronized agent is accepted it follows that a messagefrom a de-synchronized agent must be accepted Intuitivelyit seems to us that an honest agent cannot distinguish betweena protocol message which is being replayed and an honestprotocol message from a de-synchronized agent It followsthat a replayed message should be both rejected and acceptedwhich is a contradiction
This is only a conjecture We do not have a formal state-ment or a proof Actually it is unclear how to formallydefine the set of protocols that rely on sequence numbers toachieve authentication Note however that all requirements canbe satisfied simultaneously if we allow both parties to generaterandom challenges in each session (in AKA only HN uses arandom challenge) Examples of challenge based unlinkableauthentication protocols can be found in [26]
IV THE AKA+ PROTOCOL
We now describe our principal contribution which is thedesign of the AKA+ protocol This is a fixed version of the5G-AKA protocol offering some form of privacy against anactive attacker First we explicit the efficiency and designconstraints We then describe the AKA+ protocol and explainhow we designed this protocol from 5G-AKA by fixing allthe previously described attacks As we mentioned before wethink unlinkability cannot be achieved under these constraintsNonetheless our protocol satisfies some weaker notion of un-linkability that we call σ-unlinkability This is a new securityproperty that we introduce Finally we will show a subtleattack and explain how we fine-tuned AKA+ to prevent it
A Efficiency and Design Constraints
We now explicit the protocol design constraints Theseconstraints are necessary for an efficient in-expensive toimplement and backward compatible protocol Observe thatin a mobile setting it is very important to avoid expensivecomputations as they quickly drain the UErsquos battery
a) Communication Complexity In 5G-AKA authentica-tion is achieved using only three messages two messages aresent by the UE and one by the HN We want our protocolto have a similar communication complexity While we didnot manage to use only three messages in all scenarios ourprotocol achieves authentication in less than four messages
b) Cryptographic primitives We recall that all crypto-graphic primitives are computed in the USIM where theyare implemented in hardware It follows that using moreprimitives in the UE would make the USIM more voluminousand expensive Hence we restrict AKA+ to the cryptographicprimitives used in 5G-AKA we use only symmetric keyedone-way functions and asymmetric encryption Notice thatthe USIM cannot do asymmetric decryption As in 5G-AKAwe use some in-expensive functions eg xor pairs by-oneincrements and boolean tests We believe that relying onthe same cryptographic primitives helps ensuring backwardcompatibility and would simplify the protocol deployment
c) Random Number Generation In 5G-AKA the UEgenerates at most one nonce per session which is used torandomize the asymmetric encryption Moreover if the UEwas assigned a GUTI in the previous session then there is norandom number generation Remark that when the UE and theHN are de-synchronized the authentication fails and the UEsends a re-synchronization message Since the session fails nofresh GUTI is assigned to the UE Hence the next session ofthe protocol has to conceal the SUPI using SUPIne
pkN which
requires a random number generation Therefore we constrainour protocol to use at most one random number generation bythe UE per session and only if no GUTI has been assigned orif the UE and the HN have been de-synchronized
d) Summary We summarize the constraints for AKA+bull It must use at most four messages per sessionsbull The UE may use only keyed one-way functions and
asymmetric encryption The HN may use these functionsplus asymmetric decryption
bull The UE may generate at most one random number persession and only if no GUTI is available or if re-synchronization with the HN is necessary
B Key Ideas
In this section we present the two key ideas used in thedesign of the AKA+ protocol
a) Postponed Re-Synchronization Message We recallthat whenever the UE and the HN are de-synchronized the au-thentication fails and the UE sends a re-synchronization mes-sage The problem is that this message can be distinguishedfrom a mac failure message which allows the attack presentedin Section III-B Since the session fails no GUTI is assignedto the UE and the next session will use the asymmetricencryption to conceal the SUPI The first key idea is to piggy-back on the randomized encryption of the next session to senda concealed re-synchronization message More precisely wereplace the message SUPIne
pkNby 〈SUPI SQNU〉ne
pkN This
has several advantagesbull We can remove the re-synchronization message that lead
to the unlinkability attack presented in Section III-B InAKA+ whenever the mac check or the range check failsthe same failure message is sent
bull This does not require more random number generationby the UE since a random number is already beinggenerated to conceal the SUPI in the next session
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
SUPI Sub-Protocol GUTI Sub-Protocol
ASSIGN-GUTI Sub-Protocol
Fig 5 General Architecture of the AKA+ Protocol
The 3GPP technical specification (see [1] Annex C) requiresthat the asymmetric encryption used in the 5G-AKA protocolis the ECIES encryption scheme which is an hybrid encryp-tion scheme Hybrid encryption schemes use a randomizedasymmetric encryption to conceal a temporary key Thiskey is then used to encrypt the message using a symmetricencryption which is in-expensive Hence encrypting the pair〈SUPI SQNU〉 is almost as fast as encrypting only SUPI andrequires the UE to generate the same amount of randomness
b) HN Challenge Before Identification To prevent theEncrypted IMSI Replay Attack of Section III-C we add arandom challenge n from the HN The UE initiates the protocolby requesting a challenge without identifying itself Whenrequested the HN generates and sends a fresh challenge n tothe UE which includes it in its response by mac-ing it withthe SUPI using a symmetric one-way function Mac1 with keykID
m The UE response is nowlang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN n〉)
rangThis challenge is only needed when the encrypted permanentidentity is used If the UE uses a temporary identity GUTI thenwe do not need to use a random challenge Indeed temporaryidentities can only be used once before being discarded andare therefore not subject to replay attacks By consequence wesplit the protocol in two sub-protocolsbull The SUPI sub-protocol uses a random challenge from the
HN encrypts the permanent identity and allows to re-synchronize the UE and the HN
bull The GUTI sub-protocol is initiated by the UE using atemporary identity
In the SUPI sub-protocol the UErsquos answer includes the chal-lenge We use this to save one message the last confirmationstep from the UE is not needed and is removed The resultingsub-protocol has four messages Observe that the GUTI sub-protocol is faster since it uses only three messages
C Architecture and States
Instead of a monolithic protocol we have three sub-protocols the SUPI and GUTI sub-protocols which handleauthentication and the ASSIGN-GUTI sub-protocol which isrun after authentication has been achieved and assigns afresh temporary identity to the UE A full session of theAKA+ protocol comprises a session of the SUPI or GUTI sub-protocols followed by a session of the ASSIGN-GUTI sub-protocol This is graphically depicted in Fig 5
Since the GUTI sub-protocol uses only three messages anddoes not require the UE to generate a random number or
compute an asymmetric encryption it is faster than the SUPIsub-protocol By consequence the UE should always use theGUTI sub-protocol if it has a temporary identity available
The HN runs concurrently an arbitrary number of sessionsbut a subscriber cannot run more than one session at thesame time Of course sessions from different subscribers maybe concurrently running We associate a unique integer thesession number to every session and we use HN(j) andUEID(j) to refer to the j-th session of respectively the HNand the UE with identity ID
a) One-Way Functions We separate functions that areused only for confidentiality from functions that are also usedfor integrity We have two confidentiality functions f and f rwhich use the key k and five integrity functions Mac1ndash Mac5which use the key km We require that f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This is a new assumption which requires that these func-tions are simultaneously computationally indistinguishablefrom random functions
Definition 1 (Jointly PRF Functions) Let H1(middot middot) Hn(middot middot)be a finite family of keyed hash functions from 0 1lowasttimes0 1ηto 0 1η The functions H1 Hn are Jointly PseudoRandom Functions if for any PPTM adversary A with accessto oracles Of1 Ofn
|Pr(k AOH1(middotk)OHn(middotk)(1η) = 1)minusPr(g1 gn AOg1(middot)Ogn(middot)(1η) = 1)|
is negligible wherebull k is drawn uniformly in 0 1η bull g1 gn are drawn uniformly in the set of all functions
from 0 1lowast to 0 1η
Observe that if H1 Hn are jointly PRF then in partic-ular every individual Hi is a PRFRemark 2 While this is a non-usual assumption it is simpleto build a set of functions H1 Hn which are jointly PRFfrom a single PRF H For example let tag1 tagn be non-ambiguous tags and let Hi(m k) = H(tagi(m) k) ThenH1 Hn are jointly PRF whenever H is a PRF (see [24])
b) UE Persistent State Each UEID with identity ID hasa state stateID
U persistent across sessions It contains the fol-lowing immutable values the permanent identity SUPI = IDthe confidentiality key kID the integrity key kID
m and the HNrsquospublic key pkN The states also contain mutable values thesequence number SQNU the temporary identity GUTIU and theboolean valid-gutiU We have valid-gutiU = false whenever novalid temporary identity is assigned to the UE Finally thereare mutable values that are not persistent across sessions Egb-authU stores HNrsquos random challenge and e-authU storesHNrsquos random challenge when the authentication is successful
c) HN Persistent State The HN state stateN contains thesecret key skN corresponding to the public key pkN Also forevery subscriber with identity ID it stores the keys kID andkID
m the permanent identity SUPI = ID the HN version of thesequence number SQNID
N and the temporary identity GUTIIDN It
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
UE
stateIDU
HN(j)
stateN
Request_Challenge
nj
Input nR b-authU larr nRlang〈SUPI SQNU〉
nepkN
Mac1kIDm(〈〈SUPI SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1 Input y〈IDR SQNR〉 larr dec(π1(y) skN)
bIDMac larr π2(y) = Mac1kID
m(〈π1(y) nj〉)
and IDR = ID
bIDInc larr bID
Mac and SQNR ge SQNIDN
if bIDMac then b-authjN e-authjN larr ID
if bIDInc then SQNID
N larr SQNR + 1
sessionIDN larr nj
GUTIIDN larr GUTIj
Mac2kIDm(〈nj SQNR + 1〉)
bMac
Input zbok larr z = Mac2kID
m(〈b-authU SQNU〉)
e-authU larr if bok then b-authU else fail
Fig 6 The SUPI Sub-Protocol of the AKA+ Protocol
stores in sessionIDN the random challenge of the last session
that was either a successful SUPI session which modifiedthe sequence number or a GUTI session which authenticatedID This is used to detect and prevent some subtle attackswhich we present later Finally every session HN(j) stores inb-authjN the identity claimed by the UE and in e-authjN theidentity of the UE it authenticated
D The SUPI GUTI and ASSIGN-GUTI Sub-Protocols
We describe honest executions of the three sub-protocolsof the AKA+ protocol An honest execution is an executionwhere the adversary dutifully forwards the messages withouttampering Each execution is between a UE and HN(j)
a) The SUPI Sub-Protocol This protocol uses the UErsquospermanent identity re-synchronizes the UE and the HN and isexpensive to run The protocol is sketched in Fig 6
The UE initiates the protocol by requesting a challengefrom the network When asked HN(j) sends a fresh randomchallenge nj After receiving nj the UE stores it in b-authUand answers with the encryption of its permanent identitytogether with the current value of its sequence number usingthe HN public key pkN It also includes the mac of thisencryption and of the challenge which yields the messagelang〈SUPI SQNU〉ne
pkN Mac1kID
m(〈〈SUPI SQNU〉ne
pkN nj〉)
rang
Then the UE increments its sequence number by one Whenit gets this message the HN retrieves the pair 〈SUPI SQNU〉by decrypting the encryption using its secret key skN Forevery identity ID it checks if SUPI = ID and if the mac iscorrect If this is the case HN authenticated ID and it storesID in b-authjN and e-authjN After having authenticated IDHN checks whether the sequence number SQNU it received isgreater than or equal to SQNID
N If this holds it sets SQNIDN to
SQNU +1 stores nj in sessionIDN generates a fresh temporary
identity GUTIj and stores it into GUTIIDN This additional check
ensures that the HN sequence number is always increasingwhich is a crucial property of the protocol
If the HN authenticated ID it sends a confirmation messageMac2kID
m(〈nj SQNU +1〉) to the UE This message is sent even
if the received sequence number SQNU is smaller than SQNIDN
When receiving the confirmation message if the mac is validthen the UE authenticated the HN and it stores in e-authU
the initial random challenge (which it keeps in b-authU) Ifthe mac test fails it stores in e-authU the special value fail
b) The GUTI Sub-Protocol This protocol uses the UErsquostemporary identity requires synchronization to succeed and isinexpensive The protocol is sketched in Fig 7
When valid-gutiU is true the UE can initiate the protocolby sending its temporary identity GUTIU The UE then setsvalid-gutiU to false to guarantee that this temporary identityis not used again When receiving a temporary identity x HNlooks if there is an ID such that GUTIID
N is equal to x and isnot UnSet If the temporary identity belongs to ID it setsGUTIID
N to UnSet and stores ID in b-authjN Then it generatesa random challenge nj stores it in sessionID
N and sends it tothe UE together with the xor of the sequence number SQNID
N
with fkID(nj) and a maclangnj SQNID
N oplus fkID(nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang
When it receives this message the UE retrieves the challengenj at the beginning of the message computes fkID(nj) and usesthis value to unconceal the sequence number SQNID
N It thencomputes Mac3kID
m(〈nj SQNID
N GUTIU〉) and compares it to themac received from the network If the macs are not equal orif the range check range(SQNU SQNID
N ) fails it puts fail intob-authU and e-authU to record that the authentication wasnot successful If both tests succeed it stores in b-authU ande-authU the random challenge increments SQNU by one andsends the confirmation message Mac4kID
m(nj) When receiving
this message the HN verifies that the mac is correct If this isthe case then the HN authenticated the UE and stores ID intoe-authID
N Then HN checks whether sessionIDN is still equal
to the challenge nj stored in it at the beginning of the sessionIf this is true the HN increments SQNID
N by one generates afresh temporary identity GUTIj and stores it into GUTIID
N c) The ASSIGN-GUTI Sub-Protocol The ASSIGN-GUTI
sub-protocol is run after a successful authentication regardlessof the authentication sub-protocol used It assigns a freshtemporary identity to the UE to allow the next AKA+ sessionto run the faster GUTI sub-protocol It is depicted in Fig 8
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
UE
stateIDU
HN(j)
stateN
GUTIU
valid-gutiU
valid-gutiU larr false Input xbID larr GUTIID
N = x and GUTIIDN 6= UnSet
if bID then GUTIIDN larr UnSet
b-authjN larr ID
sessionIDN larr nj
langnj SQNID
N oplus fkID (nj) Mac3kIDm(〈nj SQNID
N GUTIIDN 〉)rang bID
Input ynR SQNR larr π1(y) π2(y)oplus fkID (nR)
bacc larr π3(y) = Mac3kIDm(〈nR SQNR GUTIU〉))
and range(SQNU SQNR)
if bacc then b-authU e-authU larr nRSQNU larr SQNU + 1
if notbacc then b-authU e-authU larr fail
Mac4kIDm(nR)
bacc
Input z
bIDMac larr (b-authjN = ID) and (z = Mac4kID
m(nj))
bIDInc larr bID
Mac and sessionIDN = nj
if bIDMac then e-authjN larr ID
if bIDInc then SQNID
N larr SQNIDN + 1
GUTIIDN larr GUTIj
Fig 7 The GUTI Sub-Protocol of the AKA+ Protocol
The HN conceals the temporary identity GUTIj generatedby the authentication sub-protocol by xoring it with f r
kID(nj)and macs it When receiving this message UE unconceals thetemporary identity GUTIID
N by xoring its first component withf rkID
m(e-authU) (since e-authU contains the HNrsquos challenge after
authentication) Then UE checks that the mac is correct andthat the authentication was successful If it is the case it storesGUTIID
N in GUTIU and sets valid-gutiU to true
V UNLINKABILITY
We now define the unlinkability property we use which isinspired from [22] and Vaudenayrsquos privacy [23]
a) Definition The property is defined by a game inwhich an adversary tries to link together some subscriberrsquos ses-sions The adversary is a PPTM which interacts through ora-cles with N different subscribers with identities ID1 IDN and with the HN The adversary cannot use a subscriberrsquospermanent identity to refer to it as it may not know it Insteadwe associate a virtual handler vh to any subscriber currently
UE
stateIDU
HN(j)
stateN
〈GUTIj oplus f rkID (nj) Mac5kID
m(lang
GUTIj njrang)〉
e-authIDN = ID
Input xGUTIR larr π1(x)oplus f r
kIDm(e-authU)
bacc larr(π2(x) = Mac5kID
m(〈GUTIR e-authU〉)
)and (e-authU 6= fail)
GUTIU larr if bacc then GUTIR else UnSetvalid-gutiU larr bacc
Fig 8 The ASSIGN-GUTI Sub-Protocol of the AKA+ Protocol
running a session of the protocol We maintain a list lfree of allsubscribers that are ready to start a session We now describethe oracles Obbull StartSession() starts a new HN session and returns
its session number jbull SendHN(m j) (resp SendUE(m vh)) sends the mes-
sage m to HN(j) (resp the UE associated with vh) andreturns HN(j) (resp vh) answer
bull ResultHN(j) (resp ResultUE(vh)) returns true ifHN(j) (resp the UE associated with vh) has made asuccessful authentication
bull DrawUE(IDi0 IDi1) checks that IDi0 and IDi1 are bothin lfree If that is the case returns a new virtual handlerpointing to IDib depending on an internal secret bit bThen it removes IDi0 and IDi1 from lfree
bull FreeUE(vh) makes the virtual handler vh no longervalid and adds back to lfree the two identities that wereremoved when the virtual handler was created
We recall that a function is negligible if and only if it isasymptotically smaller than the inverse of any polynomial Anadversary A interacting with Ob is winning the q-unlinkabilitygame if A makes less than q calls to the oracles and itcan guess the value of the internal bit b with a probabilitybetter than 12 by a non-negligible margin ie if the followingquantity is non negligible in η∣∣2timesPr
(b AOb(1η) = b
)minus 1∣∣
Finally a protocol is q-unlinkable if and only if there are nowinning adversaries against the q-unlinkability game
b) Corruption In [22] [23] the adversary is allowed tocorrupt some tags using a Corrupt oracle Several classes ofadversary are defined by restricting its access to the corruptionoracle A strong adversary has unrestricted access a destruc-tive adversary can no longer use a tag after corrupting it (it isdestroyed) a forward adversary can only follow a Corruptcall by further Corrupt calls and finally a weak adversarycannot use Corrupt at all A protocol is C unlinkable if no
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
UEIDA HNGUTIA
UEIDX where IDX = IDA or IDB HN
NoGutiIDX = IDA
GUTIB
IDX = IDB
Fig 9 Consecutive GUTI Sessions of AKA+ Are Not Unlinkable
adversary in C can win the unlinkability game Clearly wehave the following relations
strong rArr destructive rArr forward rArr weak
The 5G-AKA protocol does not provide forward secrecyindeed obtaining the long-term secret of a UE allows todecrypt all its past messages By consequence the best we canhope for is weak unlinkability Since such adversaries cannotcall Corrupt we removed the oracle from our definition
c) Wide Adversary Note that the adversary knows ifthe protocol was successful or not using the ResultUEand ResultHN oracles (such an adversary is called wide inVaudenayrsquos terminology [23]) Indeed in an authenticated keyagreement protocol this information is always available to theadversary if the key exchange succeeds then it is followed byanother protocol using the newly established key while if itfails then either a new key-exchange session is initiated orno message is sent Hence the adversary knows if the keyexchange was successful by passive monitoring
A σ-Unlinkability
In accord with our conjecture in Section III-E the AKA+
protocol is not unlinkable Indeed an adversary A caneasily win the linkability game First A ensures that IDAand IDB have a valid temporary identity assigned A callsDrawUE(IDA IDA) to obtain a virtual handler for IDA andruns a SUPI and ASSIGN-GUTI sessions between IDA and theHN with no interruptions This assigns a temporary identity toIDA We use the same procedure for IDB
Then A executes the attack described in Fig 9 It startsa GUTI session with IDA and intercepts the last message Atthat point IDA no longer has a temporary identity while IDBstill does Then it calls DrawUE(IDA IDB) which returns avirtual handler vh to IDA or IDB The attacker then start anew GUTI session with vh If vh is a handler for IDA theUE returns NoGuti If vh aliases IDB the UE returns thetemporary identity GUTIA The adversary A can distinguishbetween these two cases and therefore wins the game
A
A
B
B
A
A
B
C
B
C
B
C
sim
Fig 10 Two indistinguishable executions Square (resp round) nodes areexecutions of the SUPI (resp GUTI) sub-protocol Each time the SUPI sub-protocol is used we can change the subscriberrsquos identity
a) σ-unlinkability To prevent this we want to forbidDrawUE to be called on de-synchronized subscribers We dothis by modifying the state of the user chosen by DrawUEWe let σ be an update on the state of the subscribers Wethen define the oracle DrawUEσ(IDi0 IDi1) it checks thatIDA and IDB are both free then applies the update σ toIDib rsquos state and returns a new virtual handler pointing toIDib The (q σ)-unlinkability game is the q-unlinkability gamein which we replace DrawUE with DrawUEσ A protocol is(q σ)-unlinkable if and only if there is no winning adversaryagainst the (q σ)-unlinkability game Finally a protocol is σ-unlinkable if it is (q σ)-unlinkable for any q
b) Application to AKA+ The privacy guarantees givenby the σ-unlinkability depend on the choice of σ The idea isto choose a σ that allows to establish privacy in some scenariosof the standard unlinkability game3
We illustrate this on the AKA+ protocol Let σul =valid-gutiU 7rarr false be the function that makes the UErsquostemporary identity not valid This simulates the fact that theGUTI has been used and is no longer available If the UErsquostemporary identity is not valid then it can only run the SUPIsub-protocol Hence if the AKA+ protocol is σul-unlinkablethen no adversary can distinguish between a normal executionand an execution where we change the identity of a subscribereach time it runs the SUPI sub-protocol We give in Fig 10 anexample of such a scenario We now state our main result
Theorem 1 The AKA+ protocol is σul-unlinkable for anarbitrary number of agents and sessions when the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
This result is shown later in the paper Still the intuitionis that no adversary can distinguish between two sessionsof the SUPI protocol Moreover the SUPI protocol has twoimportant properties First it re-synchronizes the user withthe HN which prevents the attacker from using any prior de-synchronization Second the AKA+ protocol is designed insuch a way that no message sent by the UE before a successfulSUPI session can modify the HNrsquos state after the SUPI sessionTherefore any time the SUPI protocol is run we get a ldquocleanslaterdquo and we can change the subscriberrsquos identity Note thatwe have a trade-off between efficiency and privacy the SUPIprotocol is more expensive to run but provides more privacy
3Remark that when σ is the empty state update the σ-unlinkability andunlinkability properties coincide
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
UEIDA HNGUTI
tauth
UEIDA or UEIDBHN
SUPI Session
tauth
GUTI Session
Fig 11 A Subtle Attack Against The AKA+no-inc Protocol
B A Subtle Attack
We now explain what is the role of sessionIDN and how it
prevents a subtle attack against the σul-unlinkability of AKA+We let AKA+
no-inc be the AKA+ protocol where we modify theGUTI sub-protocol we described in Fig 7 in the state updateof the HNrsquos last input we remove the check sessionID
N = nj
(ie bIDInc = bID
Mac) The attack is described in Fig 11First we run a session of the GUTI sub-protocol between
UEIDA and the HN but we do not forward the last message tauthto the HN We then call DrawUEσul(IDA IDB) which returnsa virtual handler vh to IDA or IDB We run a full session usingthe SUPI sub-protocol with vh and then send the messagetauth to the HN We can check that because we removed thecondition sessionID
N = nj from bIDInc this message causes the
HN to increment SQNIDAN by one At that point UEIDA is de-
synchronized but UEIDB is synchronized Finally we run asession of the GUTI sub-protocol The session has two possibleoutcomes if vh aliases to A then it fails while if vh aliasesto B it succeeds This leads to an attack
When we removed the condition sessionIDN = nj we broke
the ldquoclean slaterdquo property of the SUPI sub-protocol we canuse a message from a session that started before the SUPIsession to modify the state after the SUPI session sessionID
N
allows to detect whether another session has been executedsince the current session started and to prevent the update ofthe sequence number when this is the case
VI MODELING IN THE BANA-COMON LOGIC
We prove Theorem 1 using the Bana-Comon model intro-duced in [18] This is a first order logic in which protocolmessages are represented by terms using special functionsymbols for the adversaryrsquos inputs It has only one predicatesim which represents computational indistinguishability To usethis model we first build a set of axioms Ax specifyingwhat the adversary cannot do This set of axiom comprisescomputationally valid properties cryptographic hypothesesand implementation assumptions Then given a protocol anda security property we compute a formula φ expressing theprotocol security Finally we show that the security property
φ can be deduced from the axioms Ax If this is the case thisentails computational security
A Syntax and Semantics
We quickly recall the syntax and semantics of the logica) Terms Terms are built using function symbols in F
names in N (representing random samplings) and variablesin X The set F of function symbols contains a countableset of adversarial function symbols G which represent theadversary inputs and protocol function symbols The protocolfunction symbols are the functions used in the protocol egthe pair 〈_ _〉 the i-th projection πi encryption __
_ decryp-tion dec(_ _) if_then_else_ true false equality eq(_ _)integer greater or equal geq(_ _) and length len(_)
b) Formulas For every integer n we have one predicatesymbol simn of arity 2n which represents equivalence betweentwo vectors of terms of length n We use an infix notation forsimn and omit n when not relevant Formulas are built usingthe usual Boolean connectives and first-order quantifiers
c) Semantics We use the classical semantics of first-order logic Given an interpretation domain we interpretterms function symbols and predicates as respectively ele-ments functions and relations of this domain
We focus on a particular class of models called the compu-tational models (see [18] for a formal definition) In a compu-tational modelMc terms are interpreted in the set of PPTMsequipped with a working tape and two random tapes ρ1 ρ2The tape ρ1 is used for the protocol random values while ρ2is for the adversaryrsquos random samplings The adversary cannotaccess directly the random tape ρ1 although it may obtain partof ρ1 through the protocol messages A key feature is to let theinterpretation of an adversarial function g be any PPTM whichsoundly models an attacker arbitrary probabilistic polynomialtime computation Moreover the predicates simn are interpretedusing computational indistinguishability asymp Two families ofdistributions of bit-string sequences (mη)η and (mprimeη)η in-dexed by η are indistinguishable iff for every PPTM A withrandom tape ρ2 the following quantity is negligible in η
∣∣Pr(ρ1 ρ2 A(mη(ρ1 ρ2) ρ2) = 1) minusPr(ρ1 ρ2 A(mprimeη(ρ1 ρ2) ρ2) = 1)
∣∣B Modeling of the AKA+ Protocol States and Messages
We now use the Bana-Comon logic to model the σul-unlinkability of the AKA+ protocol We consider a setting withN identities ID1 IDN and we let Sid be the set of allidentities To improve readability protocol descriptions oftenomit some details For example in Section IV we sometimesomitted the description of the error messages The failuremessage attack of [4] demonstrates that such details may becrucial for security An advantage of the Bana-Comon modelis that it requires us to fully formalize the protocol and tomake all assumptions explicit
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
a) Symbolic State For every identity ID isin Sid weuse several variables to represent UEIDrsquos state Eg SQNID
U
and GUTIIDU store respectively UEIDrsquos sequence number and
temporary identity Similarly we have variables for HNrsquos stateeg SQNID
N We let Svar be the set of variables used in AKA+⋃jisinNAisinUN
IDisinSid
SQNID
A GUTIIDA e-authID
U b-authIDU e-authjN
b-authjN s-valid-gutiIDU valid-gutiID
U sessionIDN
A symbolic state σ is a mapping from Svar to terms Intuitivelyσ(x) is a term representing (the distribution of) the value of xExample 1 To avoid confusion with the semantic equality =we use equiv to denote syntactic equality Then we can expressthe fact that GUTIID
U is unset in a symbolic state σ by havingσ(GUTIID
U ) equiv UnSet Also given a state σ we can state that σprime
is the state σ in which we incremented SQNIDU by having σprime(x)
be the term σ(SQNIDU ) + 1 if x is SQNID
U and σ(x) otherwiseb) Symbolic Traces We explain how to express (q σul)-
unlinkability in the BC model In the (q σul)-unlinkabilitygame the adversary chooses dynamically which oracle itwants to call This is not convenient to use in proofs as we donot know statically the i-th action of the adversary We preferan alternative point-of-view in which the trace of oracle callsis fixed (wlog as shown later in Proposition 1) Then thereare no winning adversaries against the σul-unlinkability gamewith a fixed trace of oracle calls if the adversaryrsquos interactionswith the oracles when b = 0 are indistinguishable from theinteractions with the oracles when b = 1
We use the following action identifiers to represent symboliccalls to the oracle of the (q σul)-unlinkability gamebull NSID(j) represents a call to DrawUEσul(ID _) when b = 0
or DrawUEσul(_ ID) when b = 1bull PUID(j i) (resp TUID(j i)) is the i-th user message in the
session UEID(j) of the SUPI (resp GUTI) sub-protocolbull FUID(j) is the only user message in the session UEID(j)
of the ASSIGN-GUTI sub-protocolbull PN(j i) (resp TN(j i)) is the i-th network message in
the session HN(j) of the SUPI (resp GUTI) sub-protocolbull FN(j) is the only network message in the session HN(j)
of the ASSIGN-GUTI sub-protocolThe remaining oracle calls either have no outputs and do notmodify the state (eg StartSession) or can be simulatedusing the oracles above Eg since the HN sends an errormessage whenever the protocol is not successful the outputof ResultHN can be deduced from the protocol messages
A symbolic trace τ is a finite sequence of action identifiersWe associate to any execution of the (q σul)-unlinkabilitygame with a fixed trace of oracle calls a pair of symbolictraces (τl τr) which corresponds to the adversaryrsquos interac-tions with the oracles when b is respectively 0 and 1 We letRul be the set of such pairs of tracesExample 2 We give the symbolic traces corresponding to thehonest execution of AKA+ between UEID(i) and HN(j) If theSUPI protocol is used we have the trace τ ijSUPI(ID)
PUID(i 0) PN(j 0) PUID(i 1) PN(j 1) PUID(i 2) FN(j) FUID(i)
And if the GUTI sub-protocol is used the trace τ ijGUTI(ID)
TUID(i 0) TN(j 0) TUID(i 1) TN(j 1) FN(j) FUID(i)
Which such notations the left trace τl of the attack describedin Fig 11 in which the adversary only interacts with A is
TUA(0 0) TN(0 0) TUA(0 1) τ11SUPI(A) TN(0 1) τ22GUTI(A)
Similarly we can give the right trace τr in which the adversaryinteracts with A and B
TUA(0 0) TN(0 0) TUA(0 1) τ01SUPI(B) TN(0 1) τ12GUTI(B)
c) Symbolic Messages We define for every action iden-tifier ai the term representing the output observed by theadversary when ai is executed Since the protocol is statefulthis term is a function of the prefix trace of actions executedsince the beginning We define by mutual induction for anysymbolic trace τ = τ0ai whose last action is aibull The term tτ representing the last message observed
during the execution of τ bull The symbolic state στ representing the state after the
execution of τ bull The frame φτ representing the sequence of all messages
observed during the execution of τ Some syntactic sugar we let σin
τ = στ0 be the symbolic statebefore the execution of the last action and φin
τ = φτ0 be thesequence of all messages observed during the execution of τ except for the last message
The frame φτ is simply the frame φinτ extended with tτ ie
φτ equiv φinτ tτ Moreover the initial frame contains only pkN
ie φε equiv pkN When executing an action ai only a subset ofthe symbolic state is modified For example if the adversaryinteracts with UEID then the state of the HN and of all theother users is unchanged Therefore instead of defining στ we define the symbolic state update σup
τ which is a partialfunction from Svar to terms Then στ is the function
στ (x) equiv
σinτ (x) if x 6isin dom(σup
τ )
σupτ (x) if x isin dom(σup
τ )
where dom gives the domain of a function Now for everyaction ai we define tτ and σup
τ using φinτ and σin
τ As anexample we describe the second message and state updateof the session UEID(j) for the SUPI sub-protocol whichcorresponds to the action PUID(j 1) We recall the relevantpart of Fig 6
UE
Input nR b-authU larr nRlang〈ID SQNU〉
nepkN
Mac1km(〈〈ID SQNU〉
nepkN
nR〉)rang
SQNU larr SQNU + 1
First we need a term representing the value inputted by UEID
from the network As we have an active adversary this valuecan be anything that the adversary can compute using the
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
knowledge it accumulated since the beginning of the protocolThe knowledge of the adversary or the frame is the sequenceof all messages observed during the execution of τ except forthe last message This is exactly φin
τ Finally we use a specialfunction symbol g isin G to represent the arbitrary polynomialtime computation done by the adversary This yields the termg(φin
τ ) which symbolically represents the inputWe now need to build a term representing the asymmetric
encryption of the pair containing the UErsquos permanent identityID and its sequence number The permanent identity ID issimply represented using a constant function symbol ID (weomit the parenthesis ()) UEIDrsquos sequence number is stored inthe variable SQNID
U To retrieve its value we just do a look-upin the symbolic state σin
τ which yields σinτ (SQNID
U ) Finally weuse the asymmetric encryption function symbol to build theterm tenc
τ equiv 〈ID σinτ (SQNID
U )〉nje
pkN Notice that the encryption
is randomized using a nonce nje and that the freshness ofthe randomness is guaranteed by indexing the nonce with thesession number j Finally we can give tτ and σup
τ
tτ equivlangtencτ Mac1
kIDm(〈tenc
τ g(φinτ )〉)
rangσupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Remark that we omitted some state updates in the descriptionof the protocol in Fig 6 For example UEID temporary identityGUTIID
U is reset when starting the SUPI sub-protocol In the BCmodel these details are made explicit
The description of tτ and σupτ for the other actions can
be found in Fig 12 and Fig 13 Observe that we describeone more message for the SUPI and GUTI protocols than inSection IV This is because we add one message (PUID(j 2)for SUPI and TN(j 1) for GUTI) for proof purposes to simulatethe ResultUE and ResultHN oracles Also notice thatin the GUTI protocol when HN receives a GUTI that is notassigned to anybody it sends a decoy message to a specialdummy identity IDdum
The following soundness theorem states that security in theBC model implies computationally security
Proposition 1 The AKA+ protocol is σul-unlinkable in anycomputational model satisfying the axioms Ax if for every(τl τr) isin Rul we can derive φτl sim φτr using Ax
The proof of this result is basically the proof that FixedTrace Privacy implies Bounded Session Privacy in [27] Weomit the details
C Axioms
Using Proposition 1 we know that to prove Theorem 1 weneed to derive φτl sim φτr for every (τl τr) isin Rul using aset of inference rules Ax Moreover we need the axioms Axto be valid in any computational model where the asymmetricencryption __
_ is IND-CCA1 secure and f and f r (resp Mac1ndashMac5) satisfy jointly the PRF assumption
Remark that the AKA+ protocol described in Section IVis under-specified Eg we never specified how the 〈_ _〉function should be implemented Instead of giving a complex
Case ai = PUID(j 0) tτ equiv Request_Challenge
Case ai = PN(j 0) tτ equiv nj
Case ai = PUID(j 1) Let tencτ equiv 〈ID σin
τ (SQNIDU )〉nje
pkN then
tτ equivlangtencτ Mac1kID
m(〈tencτ g(φin
τ )〉)rang
σupτ equiv
SQNIDU 7rarr suc(σin
τ (SQNIDU )) e-authID
U 7rarr failb-authID
U 7rarr g(φinτ ) GUTIID
U 7rarr UnSetvalid-gutiID
U 7rarr false
Case ai = PN(j 1) Let tdec equiv dec(π1(g(φinτ )) skN) and let
acceptIDiτ equiv eq(π2(g(φin
τ ))Mac1kIDi
m(〈π1(g(φin
τ )) nj〉))
and eq(π1(tdec) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and geq(π2(tdec) σinτ (SQN
IDiN ))
tτ equiv if acceptID1τ then Mac2
kID1m
(〈nj suc(π2(tdec))〉)
else if acceptID2τ then Mac2
kID2m
(〈nj suc(π2(tdec))〉)middot middot middot
else UnknownId
σupτ equiv
sessionIDiN 7rarr if inc-acceptIDi
τ then nj else σinτ (sessionIDi
N )
GUTIIDiN 7rarr if inc-acceptID
τ then GUTIj else σinτ (GUTI
IDiN )
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(π2(tdec)) else σinτ (SQN
IDiN )
b-authjN e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = PUID(j 2)
acceptIDτ equiv eq(g(φin
τ )Mac2kIDm(〈σin
τ (b-authIDU ) σin
τ (SQNIDU )〉))
tτ equiv if acceptIDτ then ok else error
σupτ equiv e-authID
U 7rarr if acceptIDτ then σin
τ (b-authIDU ) else fail
Fig 12 The Symbolic Terms and State Updates for the SUPI Sub-Protocol
specification of the protocol we are going to put requirementson AKA+ implementations through the set of axioms Ax Thenif we can derive φτl sim φτr using Ax for every (τl τr) isinRul we know that any implementation of AKA+ satisfyingthe axioms Ax is secure
Our axioms are of two kinds First we have structural ax-ioms which are properties that are valid in any computationalmodel For example we have axioms stating that sim is anequivalence relation Second we have implementation axiomswhich reflect implementation assumptions on the protocolfunctions For example we can declare that different identitysymbols are never equal by having an axiom eq(ID1 ID2) simfalse for every ID1 6equiv ID2 For space reasons we only describea few of them here (the full set of axioms Ax is given in [24])
a) Equality Axioms If eq(s t) sim true holds in anycomputational model then we know that the interpretationsof s and t are always equal except for a negligible numberof samplings Let s
= t be a shorthand for eq(s t) sim trueWe use
= to specify functional correctness properties of theprotocol function symbols For example the following rulesstate that the i-th projection of a pair is the i-th element ofthe pair and that the decryption with the correct key of a
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
Case ai = NSID(j) σupτ equiv valid-gutiID
U 7rarr falseCase ai = TUID(j 0)
tτ equiv if σinτ (valid-gutiID
U ) then σinτ (GUTIID
U ) else NoGuti
σupτ equiv
valid-gutiID
U 7rarr false e-authIDU 7rarr fail
s-valid-gutiIDU 7rarr σin
τ (valid-gutiIDU ) b-authID
U 7rarr fail
Case ai = TN(j 0) Let tIDioplus equiv σin
τ (SQNIDiN )oplus fkIDi (nj) then
msgIDiτ equiv 〈nj tIDi
oplus Mac3kIDi
m(〈nj σin
τ (SQNIDiN ) σin
τ (GUTIIDiN )〉)〉
acceptIDiτ equiv eq(σin
τ (GUTIIDiN ) g(φin
τ )) and noteq(σinτ (GUTI
IDiN )UnSet)
tτ equiv if acceptID1τ then msgID1
τ
else if acceptID2τ then msgID2
τmiddot middot middot
else msgIDdumτ
σupτ equiv
GUTIIDiN 7rarr if acceptIDi
τ then UnSet else σinτ (GUTI
IDiN )
sessionIDiN 7rarr if acceptIDi
τ then nj else σinτ (sessionIDi
N )
b-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = TUID(j 1) Let tSQN equiv π2(g(φinτ ))oplus fkID (π1(g(φin
τ ))) then
acceptIDτ equiv eq(π3(g(φin
τ ))Mac3kIDm(〈π1(g(φin
τ )) tSQN σinτ (GUTIID
U )〉))
and σinτ (s-valid-gutiID
U ) and range(σinτ (SQNID
U ) tSQN)
tτ equiv if acceptIDτ then Mac4kID
m(π1(g(φ
inτ ))) else error
σupτ equiv
b-authID
U e-authIDU 7rarr if acceptID
τ then π1(g(φinτ )) else fail
SQNIDU 7rarr if acceptID
τ then suc(σinτ (SQNID
U )) else σinτ (SQNID
U )
Case ai = TN(j 1)
acceptIDiτ equiv eq(g(φin
τ )Mac4kIDi
m(nj)) and eq(σin
τ (b-authjN) IDi)
inc-acceptIDiτ equiv acceptIDi
τ and eq(σinτ (sessionIDi
N ) nj)
tτ equiv ifori acceptIDi
τ then ok else error
σupτ equiv
SQNIDiN 7rarr if inc-acceptIDi
τ then suc(σinτ (SQN
IDiN ))
else σinτ (SQN
IDiN )
GUTIIDiN 7rarr if inc-acceptIDi
τ then GUTIj else σinτ (GUTI
IDiN )
e-authjN 7rarr if acceptID1τ then ID1
else if acceptID2τ then ID2
middot middot middotelse UnknownId
Case ai = FN(j)
msgIDiτ equiv 〈GUTIj oplus f r
kIDi (nj) Mac5
kIDim
(〈GUTIj nj〉)〉
tτ equiv if eq(σinτ (e-authjN) ID1) then msgID1
τ
else if eq(σinτ (e-authjN) ID2) then msgID2
τmiddot middot middot
else UnknownId
Case ai = FUID(j) Let tGUTI equiv π1(g(φinτ ))oplus f r
kID (σinτ (e-authID
U )) then
acceptIDτ equiv eq(π2(g(φin
τ ))Mac5kIDm(〈tGUTI σ
inτ (e-authID
U )〉))
and noteq(σinτ (e-authID
U ) fail) and noteq(σinτ (e-authID
U )perp)tτ equiv if acceptID
τ then ok else error
σupτ equiv
valid-gutiID
U 7rarr acceptIDτ
GUTIIDU 7rarr if acceptID
τ then tGUTI else UnSet
Fig 13 The Symbolic Terms and State Updates for NSID(j) and the GUTIand ASSIGN-GUTI Sub-Protocols
cipher-text is equal to the message in plain-text
πi(〈x1 x2〉)= xi for i isin 1 2 dec(xzpk(y) sk(y)) = x
b) Structural Axioms Structural axioms are axiomswhich are valid in any computational model eg
~u1 ~v1 sim ~u2 ~v2f(~u1) ~v1 sim f(~u2) ~v2
FA~u t sim ~v s
= t
~u s sim ~v R
The axiom FA states that to show that two function applica-tions are indistinguishable it is sufficient to show that theirarguments are indistinguishable The axiom R states that ifs= t holds then we can safely replace s by t
c) Cryptographic Assumptions We now explain howcryptographic assumptions are translated into axioms Weillustrate this on the unforgeability property of the functionsMac1ndash Mac5 Recall that UEID uses the same secret key kID
mfor these five functions Therefore instead of the standardPRF assumption we assume that these functions are jointlyPRF ie Mac1ndash Mac5 are simultaneously computationallyindistinguishable from random functions
It is well-known that if H is a PRF then H is unforgeableagainst an adversary with oracle access to H(middot km) Similarlywe can show that if HH1 Hl are jointly PRF then noadversary can forge a mac of H(middot km) even if it has oracleaccess to H(middot km) H1(middot km) Hl(middot km) We translate thisproperty as follows let sm be ground terms where km appearsonly in subterms of the form Mac _
km(_) then for every 1 le
j le 5 if S is the set of subterms of sm of the form Macjkm(_)
then we have an instance of EUF-MACj
s = Macjkm(m)rarr
oruisinS s = Macjkm
(u) (EUF-MACj)
where u = v denotes the term eq(u v) Basically if sis a valid Mac then s must have been honestly generatedSimilarly we can build a set of axioms reflecting the factthat some functions are jointly collision-resistant Indeed ifHH1 Hl are jointly PRF then no adversary can builda collision for H(middot km) even if it has oracle access toH(middot km) H1(middot km) Hl(middot km) This translates as followslet m1m2 be ground terms if km appears only in subtermsof the form Mac _
km(_) then we have an instance of CRj
Macjkm(m1) = Macjkm
(m2)rarr m1 = m2(CRj)
These axioms are sound (the proof is given in [24])
Proposition 2 For every 1 le j le 5 the EUF-MACj andCRj axioms are valid in any computational model where the(Maci)i functions are interpreted as jointly PRF functions
VII SECURITY PROOFS
We now state the authentication and σul-unlinkability lem-mas For space reasons we only sketch the proofs (the fullproofs are given in the technical report [24])
A Mutual Authentication of the AKA+ ProtocolAuthentication is modeled by a correspondence prop-
erty [28] of the form ldquoin any execution if event A occurs thenevent B occurredrdquo This can be translated in the BC logic
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
a) Authentication of the User by the Network AKA+
guarantees authentication of the user by the network if in anyexecution if HN(j) believes it authenticated UEID then UEID
stated earlier that it had initiated the protocol with HN(j)We recall that e-authjN stores the identity of the UE authen-
ticated by HN(j) and that UEID stores in b-authIDU the random
challenge it received Moreover the session HN(j) is uniquelyidentified by its random challenge nj Therefore authentica-tion of the user by the network is modeled by stating that forany symbolic trace τ isin dom(Rul) if σin
τ (e-authjN) = ID thenthere exists some prefix τ prime of τ such that σin
τ prime(b-authIDU ) = nj
Let be the prefix ordering on symbolic traces then
Lemma 1 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authjN) = ID rarr
orτ primeτ σ
inτ prime(b-authID
U ) = nj
The key ingredients to show this lemma are necessaryconditions for a message to be accepted by the networkBasically a message can be accepted only if it was honestlygenerated by a subscriber These necessary conditions rely onthe unforgeability and collision-resistance of (Macj)1lejle5
b) Necessary Acceptance Conditions Using theEUF-MACj and CRj axioms we can find necessary conditionsfor a message to be accepted by a user We illustrate this onthe HNrsquos second message in the SUPI sub-protocol We depicta part of the execution between session UEID(i) and sessionHN(j) below
UEID(i) HN(j)
PN(j 0)nj
PUID(i 1)
lang〈ID SQNU〉
niepkN
Mac1km(〈〈ID SQNU〉
niepkN
nj〉)rang
PN(j 1)
We then prove that if a message is accepted by HN(j) ascoming from UEID then the first component of this messagemust have been honestly generated by a session of UEIDMoreover we know that this session received the challenge nj
Lemma 2 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ rarr
orτ1=_PUID(_1)τ
(π1(g(φ
inτ )) = tenc
τ1 and g(φinτ1) = nj
)Proof sktech Let tdec be the term dec(π1(g(φin
τ )) skN) ThenHN(j) accepts the last message iff the following test succeeds
π2(g(φinτ )) = Mac1kID
m(〈π1(g(φin
τ )) nj〉) and π1(tdec) = ID
By applying EUF-MAC1 to the underlined part above we knowthat if the test holds then π2(g(φ
inτ )) is equal to one of the
honest Mac1kIDm
subterms of π2(g(φin(τ))) which are the terms(Mac1kID
m(〈tenc
τ1 g(φinτ1)〉)
)τ1=_PUID(_1)≺τ
(1)(Mac1kID
m(〈π1(g(φin
τ1)) nj1〉))τ1=_PN(j11)≺τ
(2)
Where ≺ is the strict version of We know that PN(j 1)cannot appear twice in τ Hence for every τ1 = _ PN(j1 1) ≺τ we know that j1 6= j Using the fact that two distinct noncesare never equal except for a negligible number of samplingswe can derive that eq(nj1 nj) = false Using an axiom statingthat the pair is injective and the CR1 axiom we can show thatπ2(g(φ
inτ )) cannot by equal to one of the terms in (2)
Finally for every τ1 = _ PUID(_ 1) ≺ τ using the CR1 andthe pair injectivity axioms we can derive that
Mac1kIDm(〈π1(g(φin
τ )) nj〉) = Mac1kIDm(〈tenc
τ1 g(φinτ1)〉)
rarr π1(g(φinτ )) = tenc
τ1 and nj = g(φinτ1)
We prove a similar lemma for TN(j 1) The proof ofLemma 1 is straightforward using these two properties
c) Authentication of the Network by the User The AKA+
protocol also provides authentication of the network by theuser That is in any execution if UEID believes it authenticatedsession HN(j) then HN(j) stated that it had initiated theprotocol with UEID Formally
Lemma 3 For every τ isin dom(Rul) ID isin Sid and j isin Nthere is derivation using Ax of
σinτ (e-authID
U ) = nj rarrorτ primeτ σ
inτ prime(b-authjN) = ID
This is shown using the same techniques than for Lemma 1
B σ-Unlinkability of the AKA+ Protocol
Lemma 2 gives a necessary condition for a message to beaccepted by PN(j 1) as coming from ID We can actually gofurther and show that a message is accepted by PN(j 1) ascoming from ID if and only if it was honestly generated by asession of UEID which received the challenge nj
Lemma 4 Let ID isin Sid and τ isin dom(Rul) be a trace endingwith PN(j 1) There is a derivation using Ax of
acceptIDτ harr
orτ1=_PUID(_1)τ
(g(φin
τ ) = tτ1 and g(φinτ1) = nj
)We prove similar lemmas for most actions of the AKA+
protocol Basically these lemmas state that a message isaccepted if and only if it is part of an honest execution ofthe protocol between UEID and HN This allow us to replaceeach acceptance conditional acceptID
τ by a disjunction over allpossible honest partial transcripts of the protocol
We now state the σul-unlinkability lemma
Lemma 5 For every (τl τr) isin Rul there is a derivation usingAx of the formula φτl sim φτr
The full proof is long and technical It is shown by inductionover τ Let (τl τr) isin Rul we assume by induction that thereis a derivation of φin
τlsim φin
τr We want to build a derivation ofφinτl tτl sim φin
τr tτr using the inference rules in AxFirst we rewrite tτl using the acceptance characterization
lemmas such as Lemma 4 This replaces each acceptIDτl
by acase disjunction over all honest executions on the left sideSimilarly we rewrite tτr as a case disjunction over honest
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-
executions on the right side Our goal is then to find amatching between left and right transcripts such that matchedtranscripts are indistinguishable If a left and right transcriptcorrespond to the same trace of oracle calls this is easyBut since the left and right traces of oracle calls may differthis is not always possible Eg some left transcript maynot have a corresponding right transcript When this happenswe have two possibilities instead of a one-to-one match webuild a many-to-one match eg matching a left transcriptto several right transcripts or we show that some transcriptsalways result in a failure of the protocol Showing the latteris complicated as it requires to precisely track the possiblevalues of SQNID
U and SQNIDN across multiple sessions of the
protocol to prove that some transcripts always yield a de-synchronization between UEID and HN
VIII CONCLUSION
We studied the privacy provided by the 5G-AKA authenti-cation protocol While this protocol is not vulnerable to IMSIcatchers we showed that several privacy attacks from the liter-ature apply to it We also discovered a novel desynchronizationattack against PRIV-AKA a modified version of AKA eventhough it had been claimed secure
We then proposed the AKA+ protocol This is a fixed versionof 5G-AKA which is both efficient and has improved privacyguarantees To study AKA+rsquos privacy we defined the σ-unlinkability property This is a new parametric privacy prop-erty which requires the prover to establish privacy only fora subset of the standard unlinkability game scenarios Finallywe formally proved that AKA+ provides mutual authenticationand σul-unlinkability for any number of agents and sessionsOur proof is carried out in the Bana-Comon model which iswell-suited to the formal analysis of stateful protocols
ACKNOWLEDGMENT
This research has been partially funded by the FrenchNational Research Agency (ANR) under the project TECAP(ANR-17-CE39-0004-01)
REFERENCES
[1] TS 33501 Security architecture and procedures for 5G system 3GPPTechnical Specification Rev 1520 September 2018
[2] D Strobel ldquoIMSI catcherrdquo Ruhr-Universitaumlt Bochum Seminar Work2007
[3] R Borgaonkar L Hirshi S Park A Shaik A Martin andJ-P Seifert ldquoNew adventures in spying 3G amp 4G usersLocate track monitorrdquo 2017 briefing at BlackHat USA 2017[Online] Available httpswwwblackhatcomus-17briefingshtmlnew-adventures-in-spying-3g-and-4g-users-locate-track-and-monitor
[4] M Arapinis L I Mancini E Ritter M Ryan N Golde K Redonand R Borgaonkar ldquoNew privacy issues in mobile telephony fix andverificationrdquo in the ACM Conference on Computer and CommunicationsSecurity CCSrsquo12 ACM 2012 pp 205ndash216
[5] M Arapinis T Chothia E Ritter and M Ryan ldquoAnalysing unlinka-bility and anonymity using the applied pi calculusrdquo in Proceedings ofthe 23rd IEEE Computer Security Foundations Symposium CSF 2010IEEE Computer Society 2010 pp 107ndash121
[6] P Fouque C Onete and B Richard ldquoAchieving better privacy for the3gpp AKA protocolrdquo PoPETs vol 2016 no 4 pp 255ndash275 2016
[7] N Kobeissi K Bhargavan and B Blanchet ldquoAutomated verificationfor secure messaging protocols and their implementations A symbolicand computational approachrdquo in 2017 IEEE European Symposium onSecurity and Privacy EuroSampP IEEE 2017 pp 435ndash450
[8] K Bhargavan C Fournet and M Kohlweiss ldquomitls Verifying protocolimplementations against real-world attacksrdquo IEEE Security amp Privacyvol 14 no 6 pp 18ndash25 2016
[9] C Cremers M Horvat J Hoyland S Scott and T van der MerweldquoA comprehensive symbolic analysis of TLS 13rdquo in ACM Conferenceon Computer and Communications Security CCSrsquo17 ACM 2017 pp1773ndash1788
[10] M Abadi B Blanchet and C Fournet ldquoThe applied pi calculus Mobilevalues new names and secure communicationrdquo J ACM vol 65 no 1pp 11ndash141 2018
[11] B Blanchet PROVERIF Cryptographic protocols verifier in the formalmodel available at httpprosecccogforgeinriafrpersonalbblanchetproverif
[12] V Cheval S Kremer and I Rakotonirina ldquoDEEPSEC deciding equiv-alence properties in security protocols theory and practicerdquo in 2018IEEE Symposium on Security and Privacy SP 2018 IEEE 2018 pp529ndash546
[13] S Meier B Schmidt C Cremers and D Basin ldquoThe tamarin proverfor the symbolic analysis of security protocolsrdquo in 25th InternationalConference on Computer Aided Verification CAVrsquo13 Springer-Verlag2013 pp 696ndash701
[14] V Cortier N Grimm J Lallemand and M Maffei ldquoA type system forprivacy propertiesrdquo in ACM Conference on Computer and Communica-tions Security CCSrsquo17 ACM 2017 pp 409ndash423
[15] V Shoup ldquoSequences of games a tool for taming complexity in securityproofsrdquo IACR Cryptology ePrint Archive vol 2004 p 332 2004
[16] B Blanchet ldquoA computationally sound mechanized prover for securityprotocolsrdquo IEEE Trans Dependable Sec Comput vol 5 no 4 pp193ndash207 2008
[17] G Bana and H Comon-Lundh ldquoTowards unconditional soundnessComputationally complete symbolic attackerrdquo in Principles of Securityand Trust 2012 ser LNCS vol 7215 Springer 2012 pp 189ndash208
[18] G Bana and H Comon-Lundh ldquoA computationally complete symbolicattacker for equivalence propertiesrdquo in 2014 ACM Conference onComputer and Communications Security CCS rsquo14 ACM 2014 pp609ndash620
[19] F van den Broek R Verdult and J de Ruiter ldquoDefeating IMSI catch-ersrdquo in ACM Conference on Computer and Communications SecurityCCSrsquo15 ACM 2015 pp 340ndash351
[20] D A Basin J Dreier L Hirschi S Radomirovirsquoc R Sasse andV Stettler ldquoA formal analysis of 5G authenticationrdquo in the ACMConference on Computer and Communications Security CCSrsquo18 ACM2018
[21] M Lee N P Smart B Warinschi and G J Watson ldquoAnonymityguarantees of the UMTSLTE authentication and connection protocolrdquoInt J Inf Sec vol 13 no 6 pp 513ndash527 2014
[22] J Hermans A Pashalidis F Vercauteren and B Preneel ldquoA new RFIDprivacy modelrdquo in ESORICS ser Lecture Notes in Computer Sciencevol 6879 Springer 2011 pp 568ndash587
[23] S Vaudenay ldquoOn privacy models for RFIDrdquo in ASIACRYPT 2007 13thInternational Conference on the Theory and Application of Cryptologyand Information Security ser LNCS Springer 2007 pp 68ndash87
[24] A Koutsos ldquoThe 5G-AKA authentication protocol privacyrdquo CoRR volabs181106922 2018
[25] A Shaik J Seifert R Borgaonkar N Asokan and V Niemi ldquoPracticalattacks against privacy and availability in 4glte mobile communicationsystemsrdquo in 23rd Annual Network and Distributed System SecuritySymposium NDSS The Internet Society 2016
[26] L Hirschi D Baelde and S Delaune ldquoA method for verifying privacy-type properties The unbounded caserdquo in IEEE Symposium on Securityand Privacy SP 2016 IEEE Computer Society 2016 pp 564ndash581
[27] H Comon and A Koutsos ldquoFormal computational unlinkability proofsof RFID protocolsrdquo in 30th Computer Security Foundations Symposium2017 IEEE Computer Society 2017 pp 100ndash114
[28] T Y C Woo and S S Lam ldquoA semantic model for authenticationprotocolsrdquo in Proceedings 1993 IEEE Computer Society Symposium onResearch in Security and Privacy May 1993 pp 178ndash194
- Introduction
- The 5g-aka Protocol
-
- Description of the Protocol
-
- Unlinkability Attacks Against 5g-aka
-
- imsi-Catcher Attack
- The Failure Message Attack
- The Encrypted imsi Replay Attack
- Attack Against The priv-aka Protocol
- Sequence Numbers and Unlinkability
-
- The aka+ Protocol
-
- Efficiency and Design Constraints
- Key Ideas
- Architecture and States
- The supi guti and assign-guti Sub-Protocols
-
- Unlinkability
-
- sigma-Unlinkability
- A Subtle Attack
-
- Modeling in The Bana-Comon Logic
-
- Syntax and Semantics
- Modeling of the aka+ Protocol States and Messages
- Axioms
-
- Security Proofs
-
- Mutual Authentication of the aka+ Protocol
- Sigma-Unlinkability of the aka+ Protocol
-
- Conclusion
- References
-