Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Networks

Enhancement of the Authentication and Key Agreement
Protocol in 4G Mobile Network
Presented by:
Ahmad Kabbara ( CNE)
Student id:201110061
Ahmad.Kabbara@outlook.com
Mobile : 71418179
FACULTY OF ENGINEERING AND INFORMATION TECHNOLOGY AND MARITIME
STUDIES
C O M M U N I C AT I O N A N D N E T W O R K E N G I N E E R I N G D E PA R T M E N T
FINAL YEAR PROJECT FYP596: 2013 - 2014
Project Supervisor: Dr. Bacem Bakhache Bakhache@hotmail.com 03172319
Project Reviewer 1: Dr. Kassem Ahmad Kassem.ahmad@liu.edu.lb 03012333
Project Reviewer 2: Eng. Hikmat Adhami Hikmat.adhami@gmail.com 03205239
Faculty Dean: Dr. Walid Kamali Walid.kamali@gmail.com 70139077
Rev5 27/6/2014

This project intends to give an in-depth insight into the issue of security in 4th
generation mobile network specifically in the authentication and key agreement
(AKA) protocol. The aim is to analyze the 4G AKAs and their Enhancements
and propose a new solution to overcome the attacks made on the 4G network
and to oppose to the vulnerabilities found in the 4G AKA Enhancements. This
Solution will be tested based on some QOS parameters and by the AVISPA
tool (Safe/Unsafe results).
Abstract
11/07/2014FYP596 Enhancement of the Authentication and Key Agreement Protocol for 4G Mobile Network - Ahmad Kabbara 2 /44

 Introduction
 Security in 4G Mobile Networks
 EPS-AKA Vulnerabilities & Existing Solution Analysis
 Our Proposed Solution
 Proposed Solution Analysis & Testing
 Project Management
 Difficulties, Assessments & Acquired Skills
Outline

Even though the new network generation represents the most important
evolution in the mobile network, many security issues and breaches have been
identified, and multiple non successful enhancements have been proposed. So
in order to overcome these vulnerabilities we propose an enhancement that will
be inspired from some of the successful enhancements in order to provide a
better and more powerful protocol.
Introduction 1/2
Overview

 All time integrity and confidentiality
protection of control plane.
 User identity confidentiality (IMSI).
 Mutual authentication between all
entities.
Introduction 2/2
Objectives
• Search for
vulnerable
areas.
Analyze
• Write AKAs
in HLPSL
Code.
Program
• Implement
AKAs &
Solutions on
AVISPA.
• Compare the
protocols
based on QOS
parameters
Test
Project Methodology

Security in 4G Mobile Networks

Mobile security has become increasingly important in mobile computing. It
is of particular concern as it relates to the security of personal and business
information.
A smartphone user is exposed to various threats when he uses his phone.
These threats can disrupt the operation of the smartphone, and transmit or
modify the user data. For these reasons, The protocols deployed there
must guarantee the privacy/confidentiality and integrity of the information
the terminal handles.
Security in 4G Mobile Networks
Introduction

4G Mobile Network Security Credentials 1/3
Integrity and Confidentiality Protection

Symmetric Key Cyphering

Asymmetric Key Cyphering

Security in 4G Mobile Networks 1/6
EPS AKA Keys derivation Overview

Security in 4G Mobile Network 2/6
EPS AKA Procedure
UE eNB MME HSS/AuC
NAS attach request (IMSI)
AUTH data request
(IMSI, SNid)
AUTH data response
AV ( 1… n )Authentication Request (AUTN, RAND,
KSIasme)
Authentication Response
(RES)
NAS SMC (confidentiality and integrity
algorithm)
NAS Security Mode Complete
S1AP Initial Context Setup
Compute CK &
IK, & Kasme
Compare RES
& XRES
AUTN = (XSQN || AMF || MAC
Generation of authentication vectors
At AUC/HSS Side
AVUMTS = (RAND || XRES || CK || IK || AUTN
Verify that SQN is
in the correct range
Verify MAC=XMAC
Security Context
AS Security Mode
Complete
AS security Mode
Command

f1 f2 f3 f5f4
Generate RAND
Generate SQN
K
AMF
MAC XRES CK IK AK
AUTN = (XSQN || AMF || MAC
Generation of authentication
vectors At AUC Side
f1
f2
XMAC
RES
CK IK
AK
Verify that SQN is
in the correct range
Verify MAX=XMAC
K
f5
SQN
⊕
RAND
AMF MAC
AUTN
f4f3
Network
Authentication
CK IK
KDF
XSQN
KASME
SNID
XSQN
XSQN = xor (SQN,AK)
At HSS/UE Side
AVEPS = (RAND || XRES || KASME || AUTN
AVUMTS = (RAND || XRES || CK || IK || AUTN
Generation of Encryption and
integrity Keys
EPS AKA Keys Derivation Methods

K
KASME
KNASenc KNASint
KeNB
KRRCintKUPencKUPint KRRCenc
CK , IK
USIM/AuC
UE/HSS
UE/MME
UE/eNB
EPS Key Hierarchy

Encryption and integrity of NAS signaling Integrity and Encryption of RRC/AS signaling
User Plane Encryption
EPS Key Derivation Purpose

Derived Key= KDF (Kin, S),
or KDF=HMAC-SHA-256
S= FC|| P0| |L0|| P1|| L1||….|| Pn|| Ln
Saize of
derived key
(bits)
Output
derived key
Input secret
key
Kin
FC
(1 octet)
P0, P1, …., Pn L0,
L1,..,Ln
(2 octets)
KASME CK||IK 0x10 SNid, SQN⊕AK 0x0003,
0x0006
256
KeNB KASME 0x11 La valeur Count
de la liaison
montante NAS
0x0004 256
KeNB* KeNB 0x13 PCI, EARFCN-
DL
0x0002,
0x0002
256
KNASenc,
KNASint,
KRRCenc,
KRRCint,
KUPenc,
KUPint
KASME ou
KeNB
0x15 Algorithm
Distinguisher &
Algo-ID
0x0001,
0x0001
128
KDF
KASME
S=0x15||0x 02||0x 0001||0x 01|| 0x 0001
HMAC
SHA-256
Integrity Algorithm ID Integrity Algorithm
‘0001’: EIA1 SNOW 3G
‘0010’: EIA2 AES
‘0011’: EIA3 ZUC
KNASint
Encryption Algorithm ID Encryption
Algorithm
‘0001’: EEA1 SNOW 3G
‘0010’: EEA2 AES
‘0011’: EEA3 Not defined
Key Derivation Function

EPS-AKA Vulnerabilities & Existing
Solution Analysis

K
EPS-AKA Vulnerabilities
UE eNB MME HSS/AuC
NAS attach request (IMSI , UESecCap)
AUTH data request
(IMSI, SNid)
AUTH data response
AV ( 1… n )
Authentication Request (AUTN, RAND,
KSIasme)
Authentication Response
(RES)
NAS SMC (confidentiality and integrity
algorithm)
S1AP Initial Context Setup
Compute CK &
IK, & Kasme
Compare RES
& XRES
AUTN = (XSQN || AMF || MAC)
Generation of authentication
vectors At AUC/HSS Side
AVUMTS = (RAND || XRES || CK || IK || AUTN)AS Security Mode
Complete
AS security Mode
Command
Passive Attacks(eavesdropping) & Active
Attacks
Bidding Down Attack
AVEPS = (RAND || XRES || KASME || AUTN)
Replay Attack
f1 f3 f5f4
Generate RAND
Generate SQN
AMF
MAC XRES CK IK AK
Attack against
the permanent
Key K by
1-Cypher-text
only attack on f1
2-Known
Plaintext Attack
on f2
Attack to recover KASME & K
f2
MITM attack against AVs
Attack to recover KASME & K

 Security Enhanced Authentication & Key Agreement – SE AKA
 IMSI is cyphered and all transmission links between the entities are protected.
 New key generation method.
 Ensured Confidentiality Authentication & Key Agreement – EC AKA
 Asymmetric encryption of some messages using HSS and MME public keys.
 Symmetric encryption of some messages using new encryption key generated
in HSS and UE.
Existing Solutions

Advantages:
 All transmission connections between the nodes of the EPS all secured
by asymmetric cyphering.
Inconvenients:
 Vulnerable against Reject attack
 Vulnerable against Service Blocking(MITM)
 Vulnerable against Brute Force or Intelligent Brute Force attack against
IMSI
Existing Solutions – SE AKA

Advantages:
 Oppose the dictionary attack against IMSI
Inconvenients:
 Vulnerable against Reject Attack
 Vulnerable against Denial of Service Attack against HSS/AuC
 Vulnerable against MITM Attack:
Existing Solutions – EC AKA

 Inspired from the tested protocols (SE & EC AKA)
 Need to oppose to most vulnerabilities.
 based on both Public key and Symmetric key Cyphering.
 New Key Derivation functions.
 New keys generated.
 The Solution will be tested by AVISPA to ensure its success.
Proposed Solution
Introduction

Proposed Solution
The Revolutionary EPS AKA–upon 1st registration
NAS attach request (IDHSS, B= ({IMSI, SQNUE , RandEK,
RandTHK, RandTIK, UEsecCap, MACTIK1}_PKH))
AUTH data request (A=({SNid, Network-Type,
RandTEK1}_PKH) || B)
AUTH data response (C1=({UEsecCap, RandTEK2,
MACTIK3}_PKM ) || C2=({EK, RandTHK, SQNHSS, AVEPSi (1…
n), MACTIK2}_TEK))
Authentication Request (D1=({AUTN(i), RAND(i), KSIASME,
SQNHSS,MACRIK}_REK),D2=({ChosenUEsecCap, THK}_EK))
Authentication Response (RESEK , MACRIK)
({ReplayedUEsecCap,[IMEISV-request], NAS-MAC}_REK)
NAS SMC ([IMEISV-request], NAS-MAC)
Initial Context Setup
(UEsecCap, KeNB)
AS Security Mode
Complete (AS-MAC)
AS security Mode
Command (Int Algo, Enc
Algo, AS-MAC)
Generation of
Authentication
vectorsHSS
authentication
Generation of
Cyphering
and Integrity
Keys
UE authentication &
Generation of Cyphering and
Integrity Keys
UE eNB MME HSS/AuC

The Revolutionary EPS AKA
Av’s Generation & Authentication Process
f1 f2 f3 f5f4
Generate RAND
Generate SQN
K
AMF
MAC XRES CK IK AK
S-MAC
⊕
S-XRES
⊕
SQNHSS EK
f1
f2
XMAC
RES
CK IK
AK
Verify that SQNUE & SQNHE and
SQN in the correct range
Verify MAC=XMAC
K
f5
RAND
AMF S-MAC
AUTN
f4f3
Network
Authentication
⊕
SQNHSS
MAC
AUTN = (SQNAK|| AMF || S-MAC)
At AUC Side
AVUMTS= (RAND || XRES || CK || IK || AUTN)
Generation of Encryption and
integrity Keys at UE Side
AVEPS = (RAND || S-XRES || KASME || AUTN)

Keys Derivation Functions
Derived Key= KDF (Kin, S), or
KDF=HMAC-SHA-256
S= FC|| P0| |L0|| P1|| L1||….|| Pn|| Ln
Size of
derived key
(bits)
Output
derived key
Input secret
key Kin
FC
(1 octet)
P0, P1, …., Pn L0, L1,..,Ln
KASME CK||IK 0x10 SNid, SQNAK 0x0003,
0x0008
512
TIK1 K 0x15 RandTIK 0x0010 128
TEK RandTEK1||Ran
dTEK2
0x1D IDHSS 0x0004 256
TIK2 Trunc (TEK) 0x15 SNid 0x0003 128
EK K 0x1E RandEK 0x0010 128
THK Trunc (KASME) 0x1F RandTHK 0x0010 256
REK Trunc(THK) 0x15 Distinguisher
Algo & Algo ID
0x0001,
0x0001
128
RIK Trunc(THK) 0x15 Distinguisher
Algo & Algo ID
0x0001,
0x0001
128
HMAC
SHA-3-256/512
CK IK
KDF
512
KASME
SNID
SQNAK
IDHSS
KDF
256
TEK
RandTEK1
RandTEK2
Input Kin & S and output parameters of KDF for R-AKA
Trunc (TEK) SNid
KDF
256
TIK2
K RandTIK
KDF
256
TIK1
Distinguisher
Algo
Algo ID
KDF
256
REK
Trunc(THK)
Kin
S=0x15||0x 08||0x 0001||0x 01|| 0x 0001HMAC
SHA-3-256
KDF
HMAC
SHA-3-256

Proposed Solution
NAS attach request (IDHSS, B= ({IMSI, SQNUE , RandEK,
RandTHK, RandTIK, UEsecCap, MACTIK1}_PKH))
AUTH data request (A=({SNid, Network-Type,
MACTIK2}_TEK) || B)
AUTH data response (C=({UEsecCap, EK, RandTHK,
SQNHSS, AVEPSi (1… n),MACTIK2}_TEK))Authentication Request (D1=({AUTN(i), RAND(i), KSIASME,
SQNHSS,MACRIK}_REK),D2=({ChosenUEsecCap, THK}_EK))
Authentication Response (RESEK , MACRIK)
({ReplayedUEsecCap,[IMEISV-request], NAS-MAC}_REK)
NAS SMC ([IMEISV-request], NAS-MAC)
Initial Context Setup
(UEsecCap, KeNB)
AS Security Mode
Complete (AS-MAC)
AS security Mode
Command (Int Algo, Enc
Algo, AS-MAC)
Generation of
Authentication
vectorsHSS
authentication
Generation of
Cyphering
and Integrity
Keys
UE authentication &
Generation of Cyphering and
Integrity Keys
UE eNB MME HSS/AuC

Proposed Solution Analysis & Testing

 Used for the analysis of large-scale Internet security protocols and applications.
 Based on High-Level Protocol Specification Language (HLPSL).
 Can be downloaded on desktop or accessed directly from the browser
 Compatible only with Macintosh and Linux environments.
AVISPA Overview

Protocol
name
Protocols are defined role
by role (UE,MME,HSS)
the knowledge that each role in the protocol is
supposed to have at the beginning of a
protocol session
the sequence of messages of the protocol
( transitions)
the description of the knowledge of the principals
the intruder's knowledge and capabilities and goals
Environment Role containing all constants declaration
HLPSL
Protocol Specification
Role
Goals to be
satisfied
Own
knowledge
Transitions

Protocols Testing with AVISPA
AVISPA
Result
AKA protocols
Safe TR-AKA
Safe EC-AKA
Unsafe SE-AKA
Unsafe EPS- AKA
AVISPA Results for the
tested Protocols

Additional cost of each protocol compared to the cost of the standard EPS-
AKA protocol
 TR-AKA and EC-AKA protocols do not require additional expenditure, compared with
EPS-AKA. A software update will do the job.
 SE-AKA protocol relies on digital certificates to users so The MME must have UE public
key (certificate). SE-AKA requires additional investment compared to EPS-AKA ($ 50 /
certificate).
QOS Parameters – Cost Analysis
1 TR-AKA, EC-AKA, EPS-AKA
2 SE-AKA
Protocols are arranged in
ascending order of cost:

QOS Parameters – Security/Risk Analysis
Security Level
AKA
protocols
1 TR-AKA
2 EC-AKA
3 SE-AKA
4 EPS- AKA
Potocols are listed in
desceandant order
based on the security
of each one
Risk=Active Value*Perceived Threat*Vulnerability
Vulnerability EPS-AKA SE-AKA EC-AKA TR-AKA
1- IMSI Confidentiality Protection No No Yes Yes
2- Resistance against Rejet Attack No No No Yes
3- Resistance against DOS Attack over UE No No Yes Yes
4- Resistance against services blockage by MITM Attack No No Yes Yes
5- Confidentiality of the interface MME-HSS No Yes Yes Yes
6- Confidentiality of the interface UE-MME No No Yes Yes
7- Resistance against DOS Attack over HSS No No No Yes
8- Resistance against MME identity theft No No No Yes
TR-AKA is the most secured protocol compared to the three tested protocols.
EC-AKA also is somehow secured and at the same time vulnerable against
some attacks.
SE-AKA and EPS-AKA are totally unsecured and vulnerable against all the
identified attacks in the above table

QOS Parameters – Signaling Traffic & Overhead Analysis
0
2000
4000
6000
8000
10000
12000
14000
16000
Uplink
(Radio and Backhaul
Interfaces)
Downlink
(Radio and Backhaul)
Core Traffic
204 260
4562
1180 1024
14780
1180
394
7951
1212
586
7709
EPS-AKA
SE-AKA
EC-AKA
TR-AKA
Additional Traffic Percentage 3GPP EPS-AKA SE-AKA EC-AKA
Overhead over the radio (%) +289% -18% +14%
Overhead over the Core interface (%) +62% -38% 5%
Total Overhead % +76% -35% -7%
TR-AKA has more traffic than 3GPP EPS-AKA and less
Traffic than SE-AKA and EC-AKA
TR-AKA has more traffic than 3GPP EPS-AKA and less
Traffic than SE-AKA and EC-AKA

Results Summary
Studied Protocols TR-AKA EC-AKA SE-AKA EPS-AKA
Safety 1 1 4 4
Security 1 2 3 4
Cost 1 1 3 1
Overhead 2 3 4 1
The TR-AKA has the best results in the first three parameters and achieved very good results in the
remaining parameter.
The excellent performance of TR-AKA
places it as the best AKA protocol
proposed to date.

Actual vs. Preliminary Budget
Item Prelimanry Cost Actual Cost Sub Total Description
Articles $25/ Article/40
Articles
$25/ Article $1,750 70Articles
Internet Usage $44/ Month $44/ Month $440 10Months
Transportation $6/ day $6/ day $756 126Months / 6 Months
Printing Report $25/ Copy $25/ Copy $125 5 Copies
Printing Book $70/ Copy $70/ Copy $420 6 Books
Designing &
Printing Poster
$60/ Poster $60/ Poster $60 1Poster
Labour ---- $7/ Hour $10,500 1500Average working hours
5h/day over 10 months
Grand Total $2,081 $14,051

Time Schedule

Pert Chart

Difficulties, Assessments & Acquired Skills

Difficulties & Assessments
Acquired Skills
- Faced many problems in the programing language.
- Tried to solve the Protocol Simulation & intruder simulation issue on
SPAN with no success.
- Faced too many problems configuring and installing AVISPA on
different OS platforms.
- Learned a new programing language.
- Improved my knowledge in Mobile Security.
- Improved my project management abilities
Difficulties, Assessments & Acquired Skills

Future Work
Conclusion
• Testing of TR-AKA against internal and external attacks.
• Investigation of power consumption & how the battery life is
affected by the use of the proposed protocol.
• Comparison of processing & transmission delays for TR-AKA &
studied protocols
The TR-AKA succeeded to perform very well on all the studied
parameters(Safety, Security, Cost & Signaling Overhead) and
outperformed SE-AKA & EC-AKA
Future Work

Thank You
I welcome any comments
or suggestions for
improvements

Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Networks

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Networks

Semelhante a Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Networks (20)

Último

Último (20)

Enhancement of the Authentication and Key Agreement Protocol in 4G Mobile Networks

Notas do Editor