Since the radio medium can be accessed by anyone, authentication of users is a very important element of a mobile network. Nowadays, in GSM/GPRS a challenge response protocol is used to authenticate the user to the mobile network. Similarly, in third generation mobile systems [3] a challenge response protocol was chosen in such a way as to achieve maximum compatibility with the current GSM security architecture. Both authentication mechanisms use symmetric key cryptography because of the limited processing power of the mobile devices. However, recent research [6] has shown that asymmetric, or public, key cryptography can be enabled successfully in future mobile terminals. In this paper, we propose a new adaptive authentication and key agreement protocol (AAKA) for future mobile communication systems. The novelty of AAKA and its main advantage over other challenge response protocols is that can be adaptive to the mobile environment and use symmetric and/or public key cryptography for user and network authentication

Dimitriou, T.

Komninos, N.

English

City Research Online

Komninos, N. & Dimitriou, T. (2006). Adaptive authentication and key agreement mechanism for future cellular systems. Paper presented at the 15th IST Mobile & Wireless Communications Summit, 04 - 08 June 2006, Mykonos, Greece.City Research OnlineOriginal citation: Komninos, N. & Dimitriou, T. (2006). Adaptive authentication and key agreement mechanism for future cellular systems. Paper presented at the 15th IST Mobile & Wireless Communications Summit, 04 - 08 June 2006, Mykonos, Greece.Permanent City Research Online URL: http://openaccess.city.ac.uk/2492/ Copyright & reuseCity  University  London has developed City  Research Online  so that  its  users  may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders.  All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of researchThe version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper.EnquiriesIf you have any enquiries about any aspect of City Research Online, or if you wish to make contact  with the author(s) of this paper, please email the team at publications@city.ac.uk.Abstract— Since the radio medium can be accessed byanyone, authentication of users is a very important element of amobile network. Nowadays, in GSM/GPRS a challengeresponse protocol is used to authenticate the user to the mobilenetwork. Similarly, in third generation mobile systems [3] achallenge response protocol was chosen in such a way as toachieve maximum compatibility with the current GSM securityarchitecture. Both authentication mechanisms use symmetrickey cryptography because of the limited processing power of themobile devices. However, recent research [6] has shown thatasymmetric, or public, key cryptography can be enabledsuccessfully in future mobile terminals. In this paper, wepropose a new adaptive authentication and key agreementprotocol (AAKA) for future mobile communication systems.The novelty of AAKA and its main advantage over otherchallenge response protocols is that can be adaptive to themobile environment and use symmetric and/or public keycryptography for user and network authentication.Index Terms —Authentication, GSM, UMTS, Key Agreement I. INTRODUCTIONHE GSM network authenticates the identity of thesubscriber through the use of a challenge responseprotocol [5]. Authentication involves two functional entities,the subscriber identity module (SIM) card in the mobilestation (MS), and the authentication centre (AUC) in thenetwork. Each subscriber is given a secret key, one copy ofwhich is stored in the SIM card and the other in the AUC.An overview of the challenge response protocol is shown inFig. 1.T Fig. 1.Authentication and Key Agreement in GSM N. Komninos is with the Athens Institute of Technology, 19002 Peania,Attiki, Greece (phone: 210-6682801; fax: 210-6682703; e-mail:nkom@ait.edu.gr). T. Dimitriou is with the Athens Institute of Technology, 19002 Peania Attiki,Greece (e-mail: tdim@ait.edu.gr).Upon receipt of an international mobile subscriber identity(IMSI) from the visitor location register (VLR), the AUCsearches in the database for the corresponding subscribersauthentication key (Ki). During authentication, the AUCgenerates a 128-bit random number (RAND) that it sends tothe mobile. Both the mobile and the AUC then use therandom number, in conjunction with the subscriber's secretkey and the authentication algorithm (A3), to generate a 32-bit signed response (SRES) that is sent back to the AUC.Note that Ki is never transmitted over the radio channel. It ispresent in the subscriber's SIM, as well as the AUC, homelocation register (HLR), and VLR databases. If the numbersent by the mobile is the same as the one calculated by theAUC, the subscriber is authenticated. Otherwise, if thenumber does not agree with the calculated one the connectionis terminated and an authentication failure indicated to theMS.  Furthermore, the SIM contains the ciphering keygenerating mechanism algorithm (A8) which is used toproduce 64 bit ciphering key (Kc). The ciphering key iscomputed by applying the same random number (RAND)used in the authentication process to the ciphering keygenerating algorithm (A8) with the individual subscriberauthentication key (Ki). In addition, the Kc is used to encryptand decrypt the data between the MS and VLR.On the other hand, in the authentication and keyagreement mechanism described in 3G security specifications[3], the subscriber and network authenticate each other, andalso they agree on cipher and integrity key.  The authentication method was chosen by 3GPP in such away as to achieve maximum compatibility with the currentGSM security architecture and facilitate migration from GSMto UMTS. The method is composed of a challenge/responseprotocol identical to the GSM subscriber authentication andkey establishment protocol combined with a sequencenumber-based one-pass protocol for network authenticationderived from [4].The subscriber and the network share a secret key K that isavailable only to the universal SIM (USIM) and the AUC inthe user's home environment (HE). In addition the USIM andthe HE keep track of sequence numbers (SQNME, SQNHE) tosupport network authentication. The sequence numberSQNHE is an individual counter for each subscriber and thesequence number SQNME denotes the highest sequenceAdaptive Authentication & Key Agreement Mechanism for Future Cellular SystemsN. Komninos, Member, IEEE and T. Dimitriou, Member, IEEE1MS/SIM                            VLR                               HLR/AUC      IMSI / TMSI                            IMSI / TMSI       RAND                                RAND, SRES, Kc      SRESnumber the USIM has accepted.An overview of the mechanism is shown in Fig. 2.Fig. 2.Authentication and Key Agreement in UMTSWhen a user registers for the first time in a servingnetwork, or when the serving network cannot retrieve theIMSI from the temporary MSI (TMSI) by which the useridentifies itself on the radio path, the VLR/serving GPRSsupport node (SGSN) requests the user to send its permanentidentity. The user’s response contains the IMSI in cleartext.Then, VLR/SGSN requests authentication data from the HEby sending the IMSI to the requesting node. Upon receipt ofa request from the VLR/SGSN, the HE/HLR sends an orderedarray of n authentication vectors (the equivalent of a GSM"triplet") to the VLR/SGSN. The authentication vectors areordered based on sequence number. Each authenticationvector consists of the following components: a 128-bitrandom number (RAND), an expected response (XRES), a128-bit cipher key (CK), a 128-bit integrity key (IK) and anauthentication token (AUTN). Different authenticationvectors are used for each authentication and key agreementbetween the VLR/SGSN and the USIM.When the VLR/SGSN initiates an authentication and keyagreement, it selects the next authentication vector from theordered array and sends the parameters RAND and AUTN tothe user. Upon receipt of RAND and AUTN the USIM firstcomputes the 48-bit anonymity key (AK) and retrieves thesequence number (SQN). Then it computes XMAC andcompares with the MAC which is included in AUTN [3].Next the USIM verifies that the received SQN is in thecorrect range. Finally, the USIM checks whether AUTN canbe accepted and, if so, produces a variable in size, 4 to 16bytes, response (RES) which is sent back to the VLR/SGSN.The USIM also computes 128-bit CK and IK [3].  The VLR/SGSN compares the received RES with XRES.If they match the VLR/SGSN considers the authenticationand key agreement exchange to be successfully completed.The established keys CK and IK will then be transferred bythe USIM and the VLR/SGSN to the entities which performciphering and integrity functions. Note that USIM andVLR/SGSN use f1, and f2 message authentication functionsand f3, f4, f5 key generating functions.   II.ADAPTIVE AUTHENTICATION AND KEY AGREEMENT MECHANISMThe adaptive authentication and key agreement protocol(AAKA) is a challenge/response protocol that uses symmetricor public key cryptography to overcome security problems in3G. These problems are related with IMSI, IMEI, and man-in-the-middle attacks. In 3G security specifications, forexample, the IMSI is transmitted in cleartext when allocatingTMSI to the user. Furthermore, the transmission of IMEI,which is not considered as a security parameter, is notprotected. In addition, man-in-the-middle attacks arepossible in 3G networks with disabled encryption.  In AAKA, users and network can be authenticated usingpublic key encryption. Public key schemes can be enabled infuture mobile terminals based on novel methods described in[6]. In particular, multiple crypto-processors can be used toperform public key complex computations [6]. The crypto-processor can be located either in a second cryptographic SIMcard (CSIM) or in the mobile terminal itself. If we considerthe network structure in Fig. 3, then authentication willinvolve three functional entities; the USIM, the CSIM and theAUC.Fig. 3.Public Key Infrastructure in Future Mobile NetworksThe subscriber and the network share a secret key K, andtwo public key pairs (PME and SME, PHE and SHE). The mobileequipment (ME), MS in 2G-2.5G, contains K, P HE and SMEstored either in the CSIM or USIM. Likewise, VLR/SGSN2CircuitSwitchedNetworkEIRAUCHLRVLRRadio AccessControlBS2G / 2.5GIPRadio Access Network PacketSwitchedNetwork3G / 4G2G / 2.5G3G / 4GME/USIM VLR/SGSN HE/HLRAuthentication Data Request - IMSIAuthentication Data Response AV(1..n) User Authentication RequestRAND(i) || AUTN(i) User Authentication Response RES(i) Compare RES(i) and XRES(i)User Authentication Reject - CAUSEUser Identity RequestUser Identity ResponseIMSIand HLR/AUC contain K, PME, PHE and SHE in their databases.Similarly to 3G security specifications the CSIM/USIM andthe HE keep track of sequence numbers to support networkauthentication. An overview of the AAKA mechanism isshown in Fig. 4.Fig. 4.Adaptive Authentication and Key Agreement Protocol Flow When a user registers for the first time in a servingnetwork, he/she will be assigned an authentication type (AT)number. The AT defines which encryption algorithm will beused and whether symmetric or public key encryption will beused in AAKA. Then AT will be sent to ME when theserving network requests user’s permanent identity. Uponrequest of the IMSI, the user will respond with an encrypted,based on AT, IMSI. When public key encryption are appliedthe IMSI is first signed with ME’s secret key and thenencrypted with its public key, PHE[SME(H(IMSI)), IMSI], asshown in Fig. 5.Fig. 5. Encryption/Decryption in AAKA using Public Key Cryptography andDigital SignaturesUpon receipt of the encrypted IMSI, VLR/SGSN forwardsit to HE. Then HE/AUC first decrypts the signature and thenretrieves the IMSI. Next, the HE/AuC sends anauthentication response back to the VLR/SGSN that containsan encrypted and signed (Fig. 5) array of n authenticationvectors AV(1..n). Each authentication vector consists of thefollowing components: a 152-bit RAND, an XRES, a 128-bitCK, a 128-bit IK and a 48-bit SQN. Note that RANDcontains 24 additional bits, which are used to identify AT inthe specified IMSI/TIMSI. Similarly to UMTS eachauthentication vector is good for one authentication and keyagreement between the VLR/SGSN and the USIM/CSIM.When the VLR/SGSN initiates an authentication and keyagreement, it selects the next authentication vector from theordered array and sends the parameters RAND and SQNsigned and encrypted to the user (Fig. 5). Upon receipt ofRAND and SQN the USIM/CSIM first retrieves the SQN andRAND. Next the USIM/CSIM verifies that the received SQNis in the correct range and if so, the USIM produces avariable in size, 4 to 16 bytes, RES that is sent encrypted,with PHE, back to the VLR/SGSN. VLR/SGSN decrypts andcompares RES with XRES to authenticate ME. Uponauthentication, the USIM/CSIM also computes 128-bit CKand IK to protect the air interface as presented in UMTSspecifications [3].  The VLR/SGSN compares the received RES with XRES.If they match the VLR/SGSN considers the authenticationand key agreement exchange to be successfully completed.The established keys CK and IK will then be used to performciphering and integrity functions. Similarly to UMTS,USIM/CSIM and VLR/SGSN use f1, and f2 messageauthentication functions and f3, f4, f5 key generatingfunctions.   On the other hand when symmetric key encryption is used,the IMSI is encrypted using the f8 stream cipher and theauthentication key (AK), which is computed from P HE and Kas shown in Fig. 6. As mentioned before, upon receipt of theIMSI, VLR/SGSN forwards it to HE/AUC which firstcomputes the AK and then retrieves the IMSI. Next, theHE/AUC sends an encrypted authentication response back tothe VLR/SGSN that contains a 152-bit RAND, an XRES, a128-bit CK, a 128-bit IK and a 48-bit SQN.  When the VLR/SGSN initiates an authentication and keyagreement, it selects the next authentication vector from theordered array and sends the parameters RAND and SQNencrypted (Fig. 6) to the user. Next, the USIM/CSIMproduces a variable in size, 4 to 16 bytes, RES which is sentencrypted back to the VLR/SGSN. Upon receipt of theencrypted RES, VLR/SGSN decrypts and compares the RESwith XRES to authenticate the user. The air interface then isprotected as presented in the UMTS specifications.  3ME/USIM/CSIM VLR/SGSN HE/HLRAuthentication Data Request - E[IMSI]Authentication Data Response - E[AV(1..n)]User Authentication Request E[RAND(i) || SQN(i)]User Authentication Response E[RES(I)] Compare RES(i) and XRES(i)User Authentication Reject - CAUSEUser Identity RequestATUser Identity ResponseE[IMSI]PKAH(    )SME / SHESME / HE(     ) PKAPHE / PMEPHE[SME(IMSI)]PKASHEPKAPMEH(    )IMSIRANDSQNRESAVIMSIRANDSQNRESAVSME / HE(     )f1/f3H'(    )CompareH'(   ) with H(    )EncryptionDecryptionf1 / f2Fig. 6.Encryption/Decryption in AAKA using Symmetric Key CryptographyIII. CONCLUSIONIn this paper an adaptive authentication and keydistribution protocol (AAKA) was presented that can beapplied in future mobile communication systems. AAKA is achallenge response protocol that uses symmetric and/or publickey cryptography for user and network authentication. Thenovelty of AAKA and its main advantage over otherchallenge response protocols is that can be adaptive to themobile environment. For example, when a customer registersfor the first time in a serving network an authentication type(AT) can be assigned based on the level of security he/sherequested. In AAKA we have defined two types ofauthentication; authentication using public key encryptionand authentication using symmetric key encryption.Authentication using public key schemes requires severalcrypto-processors embedded to mobile devices for public keycomplex computations. However, when a subscriber hasassigned authentication with public key encryption theVLR/SGSN still can use symmetric encryption if the networkis overloaded at the time of AAKA. The additionalinformation in RAND informs VLR/SGSN whethersymmetric or public key encryption will be used in AAKA. REFERENCES[1] 3GPP TS 21.133, "3rd Generation Partnership Project (3GPP); TechnicalSpecification Group (TSG) SA; 3G Security; Security Threats andRequirements", 2004[2] 3GPP TS 33.120, "3rd Generation Partnership Project (3GPP); TechnicalSpecification Group (TSG) SA; 3G Security; Security Principles andObjectives", 2004[3] 3GPP TS 33.102, “3rd Generation Partnership Project (3GPP); TechnicalSpecification Group (TSG) SA; 3G Security; Security Architecture", 2004[4] ISO/IEC 9798-4, "Information technology - Security techniques - Entityauthentication - Part 4: Mechanisms using a cryptographic check function",2004[5] ETSI GSM 03.20, “Digital cellular telecommunications systems (Phase2+); Security related network functions”, 2000[6] N. Komninos and B. Honary, “Novel Methods for Enabling Public KeySchemes in Future Mobile Systems”, In 3rd International Conference on3G Mobile Communication Technologies, IEE Conference Publication489, ISBN 0 85296 749 7, UK, 2002, pp. 455-458.[7] H. Haverinen, N. Asokan, and T. Maattanen,“Authentication and keygeneration for mobile IP using GSM authentication and roaming”IEEEInternational Conference on Communications, 11-14 June 2001Page(s):2453 - 2457 vol.8.[8] T. Yuh-Ren and C. Cheng-Ju, “SIM-based subscriber authentication forwireless local area networks”, 37th IEEE International CarnahanConference on Security Technology , 14-16 Oct. 2003 Page(s):468 – 473.[9] L. Wei and W. Wenye,“A lightweight authentication protocol with localsecurity association control in mobile networks”IEEE Military Communications Conference, 31 Oct.-3 Nov. 2004Page(s):225 – 231, vol. 1.[10] J. Jong Min, L. Goo Yeon, and L. Yong,“Mutual authentication protocolsfor the virtual home environment in 3G mobile network”, IEEEGlobalTelecommunications Conference, 17-21 Nov. 2002 Page(s):1658 – 1662,vol.2.4f8KIMSI(IMSI)]f8IMSIRANDSQNRESf3 / f4 / f5PHE KAKIMSIRANDSQNRESf3 / f4 / f5PHE KAKEncryptionDecryption

Adaptive authentication and key agreement mechanism for future cellular systems

Abstract

Similar works

Full text

Available Versions

City Research Online