[IEEE 2013 2nd International Conference on Advanced Computing, Networking and Security (ADCONS) -...

Seamless interoperation of LTE-UMTS-GSM requires flawless UMTS and GSM

Kavitha AmmayappanSamsung Research IndiaBangalore, India 560037

Email: [email protected]

Abstract—Though the mobile communication technologykeep facilitating new generations such as LTE,UMTS,etc thereplacement of the past generation technologies may taketime and it may not be replaced in its entirety. Hence,interoperability among these technologies are coming intothe picture. This interoperation may introduce unexpectedsecurity vulnerabilities which are inherited from the pastgeneration technologies such as GSM. Moreover, most phonesare programmed to gracefully fail over to GSM when a3G/4G connection seems unavailable [13]. Hence, irrespectiveof the presence of advanced technologies, the interoperabilitydemands to update the identified flaws of the past technolo-gies. This will pave way for seamless secure communicationthrough interoperation. Hence, in this paper, a HMAC basedmutual authentication and key agreement protocol for GSM isproposed to avoid false base station attack. The correctness ofthe protocol is verified by using Proverif.

Keywords-Authentication; Key Agreement; GSM; Proverif;

I. INTRODUCTION

Mobile communication technology is evolving continu-ously as mobile phones are closely associated with our dailylives. Global System for Mobile Communication (GSM) hasa very wide installed base irrespective of the recent technolo-gies such as UMTS and LTE. It is very difficult and timeconsuming to replace the basic technologies(GSM, UMTS)with the advanced ones(LTE). Hence, interoperability amongthese technologies have originated to provide quality serviceto customers through seam-less transition of technologieswithout interruption. There are lot of possibilities for secu-rity loopholes during seam-less integration of different gen-eration of communication technologies. Therefore, securityon such interoperation becomes a question and the samehave been analysed in [15], [16] and [17]. The possibilityof occurrence of man-in-the-middle attack in UMTS-GSMinteroperation is discussed in [15], [17], [18]. The authors of[15] identified and discussed two specific LTE interoperationscenarios that inherits an attack from GSM and interopera-tion between UMTS and GSM. The attack is due to falsebase station attack which can eavesdrop and modify thetraffic. Though integration exists among different generationtechnologies, most phones are programmed to fail over toGSM when a 3G/4G connection seems unavailable[13]. Thisreveals that the security of the individual technology ismore important for the success of the interoperation amongdifferent generation technologies. Hence, it is mandatory

to update the basic GSM authentication protocol to havea flawless interoperation for quality mobile communication.Therefore, to enhance the GSM security, we propose a newHMAC based Mutual Authentication and Key AgreementProtocol in this paper.Here, the main concern is the efficiency of the secure

mutual authentication and key agreement protocol whilepreventing man-in-the middle and replay attacks. The newprotocol comprises two different phases based on the attach-ment of the MS with the VLR. The protocol is reviewedagainst [1] and [2] which are similar in conceptualization.The rest of the paper is organized as follows: Chun I Fanet al.[1] and Ali Fanian et al.[2] schemes are briefed inSection II. Core security issues of GSM are discussed inSection III. Proposed protocol is explained in Section IV.Security Analysis of the proposed protocol is discussed inSection V. Performance Analysis of the proposed protocol iscompared with [1] and [2] in Section VI. Correctness of theprotocol using Proverif is given in Section VII. This paperis concluded in Section VIII.

II. RELATED WORK

Though several approaches exist in the literature, propos-als [1] and [2] are almost based on the similar hypothesisnamely hashing. Therefore, we briefly review them in orderto compare our new protocol with [1] and [2] and to findout efficiency in terms of computational cost.

A. Review of Chun-I Fan et al. Protocol

This is based on the concept of nested one-time secretmechanism to achieve efficiency and security. In their lit-erature work, they have highlighted the pros and cons oftimestamp, one time secret and nonce based GSM AKAmechanisms. They have assumed static symmetric keysbetween MS and other network elements such as VLRand HLR. There is a nonce based outer approach betweenMS and VLR and timestamp based inner approach betweenVLR and HLR to overcome the difficulties in maintainingclock synchronization and stable transmission time betweeneach MS, VLR and HLR. Integrity protection to signalingdata has not been addressed in their approach. Symmetricencryption and decryption operations are major causes forcomputational efficiency of their protocol.

2013 Second International Conference on Advanced Computing, Networking and Security

978-0-7695-5127-2/13 $31.00 © 2013 IEEE

DOI 10.1109/ADCONS.2013.53

169

B. Review of Ali Fanian et al. ProtocolThis is based on the TESLA broadcast authentication

protocol which is designed to overcome the inadequacyof the one-way authentication of GSM specification. Theprotocol assumes the clocks of each MS and BSC aresynchronized when MS joins with the new service area.However, the assumption is difficult to realize in realtime.

III. ISSUES RELEVANT TO GSM AUTHENTICATION ANDKEY AGREEMENT MECHANISM

Authentication protocol in GSM has been executed eitherat the time of a location update or at the time of a servicerequest from an end user. Existing authentication and keyagreement protocols for GSM have been discussed in [1],[2], [3], [4], [5], [6], [7], [8], [9] and have focused mostlyto prevent man in the middle kind of attack scenario.The prevalent issues related to GSM authentication and keyagreement protocol are summarized below:1) Due to the lack of network authentication process, falsebase station(IMSI catcher) pretends to be a genuineBTS and requests for IMSI.

2) Lack of integrity protection to signaling data may forcethe mobile/network to engage in a plain data (voice ortext) transmission by removing or modifying the cryptooptions.

3) Storage of authentication triplets at VLR, may pose athreat in exposing the symmetric key of a targeted MS.

To overcome the above mentioned design short comings,several cryptographic protocols have been proposed. Someof them are based on symmetric cryptography whereas theproposals cited in [8] and [9] are based on asymmetriccryptographic concepts. Protocol cited in [1] is based onhash key chain concepts. Protocol cited in [2] employssymmetric encryption and decryption and equated theircomputational cost to HMAC calculation. Among othercryptographic techniques, the hash based proposals are morepromising as they attribute towards computational efficiency.In this paper, we propose a new mutual authenticationand key agreement protocol based on hash function forhaving computational efficiency and to overcome the issueshighlighted from points 1 to 3.

IV. PROPOSED PROTOCOLA. Initial Authentication in a new VLR locationThis protocol is executed at the time the SIM initially

registers with the HLR.• MS −→ BTS:

H(MS‖LAI‖T,Ki), T, IMSI

• BTS −→ BSC:

H(LAI‖T,Ki), T, CI,LAI, IMSI

• BSC −→ MSC:

H(LAI‖T,Ki), T, CI,LAI, IMSI

• MSC −→ VLR:

H(LAI‖T,Ki), T, CI,LAI,MSC ISDN, IMSI

VLR checks the validity of MSC ISDN . If MSC ISDNis valid, it includes its own identity VLR ISDN in the au-thentication message and forwards it to HLR. If MSC ISDNis not valid, it discards the authentication message.

• VLR −→ HLR:

LAI,H(LAI‖T,Ki), T, CI, V LR ISDN, IMSI

HLR checks the data origin authenticity of the receivedauthentication request message based on the parameterspresent in the message. First HLR verifies VLR ISDN. If itis valid, it retrieves Ki from its database, based on the validIMSI of the SIM. Then it computes H(Ki‖MS‖LAI‖T )and compares with the received HMAC. If both matches,then HLR ensures that the authentication message has comefrom the registered SIM through valid network entities suchas BTS, BSC, MSC and VLR.

Further, it computes the session key Kc = H(Ki‖T )which will be used for this particular session to provide con-fidentiality and integrity. It also calculates the HMACV LR

as H(Ki, V LR ISDN‖CI‖LAI) which is intended forthe MS to implicitly authenticate the network elementsnamely BTS, BSC and VLR.

• HLR −→ VLR:Kc, HMACVLR

VLR stores the session key KC for this particular MS. Itassigns TMSI to MS and it is included in the authenticationresponse message as shown below.

• VLR −→ MSC:

HMACVLR, TMSI

• MSC −→ BSC:

HMACVLR, TMSI

• BSC −→ BTS:

HMACVLR, TMSI

• BTS −→ MS:HMACVLR, TMSI

After receiving the authentication response message,MS computes the session key Kc to check thevalidity of the received HMACV LR. It calculatesH(Ki, V LR ISDN,CI, LAI) and compares with the re-ceived HMACV LR. If both matches, MS authenticates thenetwork elements namely BTS, BSC and VLR . It implic-itly ensures that the authentication response has traversedthrough valid network elements.HLR sends the session key, Kc, to VLR through a secure

channel. The Kc can be used to establish a secure channelbetween MS and BTS for the particular session. Networkelements such as BSC, MSC and HLR can identify the

170

Table INOTATION

Notation DefinitionAKA Authentication and Key AgreementIMSI International Mobile Subscriber IdentityLAI Location Area IdentityHLR Home Location RegisterVLR Visiting Location RegisterBTS Base Transceiver SystemBSC Base Station ControllerGSM Global System for MobileLTE Long Term EvolutionMS Mobile StationMSC Mobile Switching CenterMSC ISDN MSC IdentityVLR ISDN VLR IdentityKi and Knew Session KeysCI Cell IdentityCGI Cell Global IdentityTMSI Temporary Mobile Subscriber IdentityH(Message,Ki) HMAC functionCount Integer, which indicates the number of times

of execution of the Authentication protocol with the same VLRUMTS Universal Mobile Telecommunication System

information about the BTS through which the authenticationrequest has come from the MS, using CI, LAI information ofthe BTS. Once the authentication is completed, MSC passesthe key,Kc to the BSS (to the BTS to be specific) and ordersthe BTS and MS to switch to cipher mode. The MSC canidentify the BSC and BTS based on their valid identifierslike CI and LAI. Thus it can pass the encryption key througha secure channel to the right BSS and in turn it selects thecorrect BTS.

B. Subsequent Authentication with the same VLR locationThis phase will be executed when there is a service

request from the MS. The MS is attached with the sameVLR after its initial registration with the HLR. Count isthe integer value which needs to be maintained at MS,VLR and AUc/HLR. It is not transmitted along with theauthentication messages. It starts with the value of zero andincremented at both ends whenever the MS authenticateswith the network. The ‘count ’value will be cleared at VLRand HLR/AUc, when the MS moves to some other servicearea and initialized again to zero at the new VLR. The‘count ’value can be fixed to a maximum threshold to caterto all user base including rural communities where mobilitywill be very rare.

Protocol flow from MS to VLR in subsequentauthentication phase:

• MS −→ BTS:

TMSI,CI, T,H(TMSI‖CI‖LAI‖Count‖T,Kc)

• BTS −→ BSC:

TMSI,LAI,CI, T,H(TMSI‖CI‖LAI‖Count‖T,Kc)

• BSC −→ MSC:


• MSC −→ VLR:


VLR checks TMSI in its database and retrievesthe corresponding Kc. Subsequently it validatesH(TMSI‖CI‖LAI‖Count‖T,Kc), based on theimplicit count value which is maintained at both MSand VLR/HLR. Further, it computes the new session key,Knew = H(count‖CGI,Kc),where CGI=CI+LAI. It willbe used to establish a secure communication for thisparticular session. VLR sends an authentication response toMS as shown below.

Protocol flow from VLR to MS in subsequentauthentication phase:

• VLR −→ MSC:

TMSI,H(V LR ISDN‖Count‖CGI‖T, Knew)

• MSC −→ BSC:


• BSC −→ BTS:


• BTS −→ MS:


As soon as MS receives the authentication response, itcomputes the session key, Knew. To authenticate the VLR,it calculates H(V LR ISDN‖Count‖CGI‖T,Knew) and

171

compares with the received HMAC. If the comparisonmatches, then MS ensures that it is connected with the validBTS through valid BSC, MSC and VLR.Thus the proposed protocol design achieves bilateral

authentication between MS and network. VLR generatesthe session key based on demand and therefore it is faulttolerant. HLR in the proposed protocol is responsible for val-idating the MS for the first time during SIM initialization andsession key generation. Thus it is not required to generateauthentication triplets. Therefore its computational overheadis reduced. Bandwidth consumption is minimized since thereis no concept of authentication triplets transmission betweenHLR and VLR.

V. SECURITY ANALYSIS

We have performed security analysis of the proposedprotocol mainly with respect to Man in the Middle andReplay Attacks. We have also performed an analysis againsttype attack which is cited in [2].

• Type Attack(Man in the Middle Attack) A BTSneeds to be connected to the network (BSC) for nor-mal GSM operation. An adversary BTS will not beconnected to the BSC. Otherwise it can be identifiedby the BSC. A stand alone adversary BTS can ma-nipulate information transmitted from the Mobile Sta-tion. Though, the adversary captures the authenticationrequest message shown in equation 1, the adversarycannot manipulate the HMAC, generated by HLR,which is used to validate the VLR.

TMSI, LAI, CI, T,H(TMSI‖CI‖LAI‖Count‖T,Kc)(1)

Adversary cannot generate/manipulate the session keyKc, since the hardcoded key Ki is involved in derivingthe session keyKc. The access to the hardcoded keyKi

is limited to user SIM and HLR/AuC. If the adversaryBTS wants to connect to the BSC then it has to occurthrough a known process. In that case, it cannot act as aman-in-the middle attacker. For instance, the adversaryBTS connects to the BSC to proceed the authenticationin forward direction, by broadcasting the CI and LAIinformation of the valid BTS with the strongest signal.In that case, the connected adversary BTS can be iden-tified by the network. Therefore adversary BTS will notbe connected to the network elements. In the proposedprotocol, even if the adversary BTS impersonates asa valid BTS to MS, by generating an arbitrary sessionkeyKa which will be different from the original sessionkey Kc. MS cannot generate the arbitrary session keyKa since, at MS, the session key generation involvesthe knowledge of the hardcoded key Ki. Therefore,the arbitrary session key Ka cannot be generated atMS for a successful authentication and key agreementprocess. So the proposed protocol design prevents ’type

attack’ cited in [2] which is similar to Man-inthe-Middle attack.

• Replay Attack The inclusion of timestamp in the com-putation of digest (i.e.,) keyed hash messages preventsthe replay of the same messages at mobile station,VLR and HLR. Therefore, timestamp in the keyed hashcomputation prevents replay attack in both case 1 andcase 2 which are described in subsections IV-A andIV-B.

• Integrity Protection to Signaling data As per theGSM standard, soon after the successful authentication,MSC transmits the session key Kc, to the respectiveBTS. After successful authentication, MSC instructsboth BTS and MS to switch over to cipher mode. Thesession key Kc, is known to both MS and BTS priorswitching over to cipher mode. Thus the signalling data,exchanged while switching over to cipher mode canbe added with integrity check values using session keyKc. Therefore, the signalling data cannot be modifiedby a fake BTS. Otherwise, MS’s capabilities can beintercepted by a fake BS and modified to no cipheroption. Therefore by establishing a non encrypted voicetransmission, it can control all traffic between the MSand Network [14]. The session key is unique for everyauthentication. Hence, the resulting digest for perform-ing integrity check over cipher mode commands keepchanging. Thus adversary BTS cannot replay the digestamong MS and BTS so as to make the ‘no cipher’setting at the MS. Each session is initiated with thenew session key. Therefore the derived unique sessionkey at MS and VLR for providing integrity check tosignaling data and data confidentiality increases theoverall security of the GSM voice communication. Thusthe proposed protocol avoids false base station andreply attacks through HMAC based AKA mechanism.

VI. PERFORMANCE ANALYSIS

The performance of the proposed protocol is measured interms of the number of cryptographic operations performedby MS, VLR and HLR in each phase of the protocol.Number of cryptographic operations involved in the protocoldesign is directly estimates its computational requirement.Tables II, III and IV, show the number of various cryptooperations required at MS, HLR and VLR respectively in theproposed protocol which is compared with [1] and [2]. Wehave considered here only the first two phases out of the fourof [1] based on the relevance with the proposed protocol. Theproposed scheme requires three rounds of HMAC operationin both initial and subsequent authentication phases. Pro-posal [1] requires four rounds of encryption and decryptionduring the initial authentication phase and it is reducedto three for the subsequent authentication phase. HMACis generally considered as a less computationally intensive

172

operation than symmetric encryption and decryption oper-ations [19]. Proposed protocol design prevents type attack(which is similar to man-in-the middle) and replay attacks.Moreover it provides tower authentication and integrityprotection to signalling data. This prevents eavesdroppingand protects data traffic from false base station. Proposal[2] requires modification at the BSC and BTS level forbroadcasting the key chain values. Moreover, it requires atime synchronization between BSC and MS when MS joinsa new service area. Otherwise, MS can verify the latestdisclosed key as authentic by running the protocol whichis an additional constraint.

VII. ANALYSIS USING PROVERIF

The proposed protocol has been verified using Proverif.It is widely used to verify security properties particularlysecrecy and authentication in the security protocol design.The security protocol needs to be modelled through aspecification language which is based on an extension ofpure Pi-calculus. In ProVerif, the protocol is converted into aset of Horn clauses, and the security properties are translatedthrough queries on these clauses [10], [11] and [12].The verification is applied on the secrecy and mutual

authentication between HLR and MS. Here, the validation isbased on the secrecy of the symmetric key generated at HLRand MS. This is the base for mutual authenticity between MSand HLR/VLR through the value of HMAC calculated usingthe symmetric key. This has been verified for unboundednumber of sessions in Proverif. The outcome of the protocolvalidation is shown in Figure 1. Table V presents the resultsof all the test queries regarding authentication.

Figure 1. Output of the Proverif for the Proposed Protocol

VIII. CONCLUSION

In this paper, we have proposed a mutual authenticationand key agreement protocol for secure communication inGSM based on HMAC function. The proposed protocol canwithstand Man in the Middle and Replay Attacks. Moreoverit facilitates integrity protection to signaling data. Comparedto [1] and [2] schemes, the proposed protocol reduces

the computational cost. The correctness of the protocol isverified using Proverif. In brief, it enhances the security ofthe GSM voice communication with minimal computationalrequirements.

REFERENCES[1] ChunI Fan, Pei-Hsiu Ho and Ruei-Hau Hsu, Provably Secure

Nested One-Time Secret Mechanisms for Fast Mutual Authen-tication and Key Exchange in Mobile Communications, IEEEACM Transactions on Networking, Vol.18, No.3, 2010.

[2] Ali Fanian, Mehdi Berenjkoub, T. Aaron Gulliver, A TESLA-Based Mutual Authentication Protocol for GSM Networks,Vol.1, No.1, pp. 3-15, 2009.

[3] Ming-Feng Chang and Yi-Bing Lin, Improving the Fault Tol-erance of GSM Networks, IEEE Network, 1998.

[4] C. C. Chang, J. S. Lee and Y. F. Chang,Efficient authenticationprotocols of GSM, Computer Communications,Vol. 28, No. 8,pp. 921-928, 2005.

[5] O. Aydemir and A. A. Selcuk, A strong user authenticationprotocol for GSM, Proceedings of 14th IEEE International-Workshops on Enabling Technologies: Infrastructure for Col-laborative Enterprise (WETICE05)

[6] M. S. Hwang, Y. L. Tang and C. C. Lee, An efficient authentica-tion protocol for GSM networks, Proceedings of AFCEA/IEEEEUROCOMM 2000, pp. 326-330 2000

[7] C.C. Lee, I.E. Liao, and M.S. Hwang, An efficient authentica-tion protocol for mobile communications, TelecommunicationSystems, 2010.

[8] K.P.Kumar, G. Shailaja, A.Kavitha and A. Saxena, MutualAuthentication and Key Agreement for GSM, Proceedings ofICMB’06, pp. 25-28, 2006.

[9] Kavitha Ammayappan, A. Saxena and Atul Negi, MutualAuthenication and Key Agreement based on Elliptic curveCryptography for GSM, Proceedings of ADCOM’06, pp.183-186, 2006.

[10] http://prosecco.gforge.inria.fr/personal/bblanche/proverif/manual.pdf

[11] H. M. N. Al Hamadi, C. Y. Yeun, M. J. Zemerly, M. A. Al-Qutayri and A. Gawanmeh, Verifying Mutual Authenticationfor the DLK Protocol using ProVerif tool, International Journalfor Information Security Research, Vol.2, Issue.1/2, pp.256-265, 2012.

[12] Riccardo Bresciani and Andrew Butterfield, ProVerif Analysisof the ZRTP Protocol, International Journal for Infonomics,Vol.3, Issue.3, 2010.

[13] http://blog.cryptographyengineering.com/2013/05/a-few-thoughts-on-cellular-encryption.html

[14] D. Fox. Der, IMSI catcher, In DuD Datenschutz und Daten-sicherheit, 2002.

[15] Chunyu Tang, David A. Naumann and Susanne WetzelAnalysis of authentication and key establishment in inter-generational mobile telephony,Cryptology eprint archive 2013.

173

Table IICOMPUTATIONAL COMPLEXITY AT MS

No.of Encryption No.of Decryption No.of Hash A3 A5 A8Our Scheme - - 3|3 - - -[1] 1E |1F+1E 1D|0 - - - -[2] - - - 1|1 1 1

Table IIICOMPUTATIONAL COMPLEXITY AT HLR

No.of Encryption No.of Decryption No.of Hash A3 A5 A8Our Scheme - - 3|0 - - -[1] 2E |1E 2D|2D - - - -[2] - - - 1 1 1

Table IVCOMPUTATIONAL COMPLEXITY AT VLR

No.of Encryption No.of Decryption No.of Hash A3 A5 A8Our Scheme - - 0|3 - - -[1] 1E |1E 1D|1D - - - -[2] - - - 0|1 - 1| separates, initial and subsequent authentication phasesE-Encryption; D-Decryption; F-Function{A3, A5, A8}Crypto Algorithms used in GSM

Table VRESULTS OF AUTHENTICATION AND SECRECY OF THE PROPOSED

PROTOCOL

The Query Proverif Resultinjevent(msacceptshlr(p)) =⇒ injevent(hlracceptsms(p)) truequery not attacker(kcd[]) truequery not attacker(ki[]) true

[16] U. Meyer. Secure Roaming and Handover Procedures inWireless Access Networks. PhD thesis, Darmstadt Universityof Technology, Germany, 2005

[17] U. Meyer and S. Wetzel. A man-in-the-middle attack onUMTS In ACM WiSec , pages 9097, 2004

[18] U. Meyer and S. Wetzel. On the impact of GSM encryptionand man-in-the-middle attacks on the security of interoperat-ing GSM/UMTS networks, In IEEE Symposium on Personal,Indoor and Mobile Radio Communications, 2004.

[19] Nachiketh R. Potlapally, Srivaths Ravi, Anand Raghunathanand Niraj K. Jha A Study of the Energy Consumption Charac-teristics of Cryptographic Algorithms and Security ProtocolsIEEE Transactions on Mobile Computing, Vol. 5, No. 2, pp.128-143, 2006.

174

[IEEE 2013 2nd International Conference on Advanced Computing, Networking and Security (ADCONS) -...

Documents

Transcript of [IEEE 2013 2nd International Conference on Advanced Computing, Networking and Security (ADCONS) -...