Beruflich Dokumente
Kultur Dokumente
net/publication/326155249
CITATIONS READS
0 115
3 authors:
Noel Crespi
Institut Mines-Télécom
381 PUBLICATIONS 2,406 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Shanay Behrad on 27 February 2019.
Abstract— The upcoming fifth generation of mobile networks In this paper, we review the challenges of EPS-AKA
is expected to support a set of many requirements and use cases. procedure for 4G systems and discuss the new needs coming
However, it should be able to provide a high level of security by from the new 5G use cases, as well as the way, standards are
considering the different aspects such as authentication currently evolving. The remainder of this paper is organized as
mechanisms. The current 4G AKA protocols designed to address follows. In section II, we explain the main nodes of the 4G
the AAA needs present some weaknesses and will also be architecture that participate in EPS-AKA procedures. In
impacted by the new requirements of 5G systems. In this paper, section III we study the vulnerabilities of EPS-AKA and
we survey the vulnerabilities of 4G AKA protocol, as well as the summarize them in a survey table. In section IV, we finally
current 5G architectural answers brought by the 3GPP.
discuss the AAA impact of new 5G use-cases and introduce
Keywords— 5G, mobile network; Authentication, AAA
the current architectural answers from 5G standardization
mechanisms; AKA protocol process.
The forthcoming generation of mobile systems is now 5G eNodeB (evolved Node B) is the main component of the E-
that should fulfill the increasing demand for higher throughput, UTRAN (Evolved Universal Terrestrial Radio Access
low latency and better quality of service. Some additional Network). UEs connected to the core network via eNodeBs.
requirements have also been raised in the scope of the 5G, such They are directly linked together and this flat architecture
as handling the connectivity for the IoT (Internet of things), cause lower latency and better performance gains in
providing network slices to specific customers or vertical connection [3, 4].
sectors, or managing heterogeneous network accesses (e.g., MME (Mobility Management Entity) is the main control
addressing Wi-Fi and cellular access networks from a node of the network. MME performs authentication and is
converged network). All of these requirements and concepts mainly responsible for the attachment process, bearer
affect the whole network and the associated security needs. handling (in collaboration with the S-GW and the P-GW),
AAA mechanisms for 5G should thus consider the issues and tracking UE’s location and selecting the gateways (deciding
weaknesses of current AKA protocols, as well as these new the route of data packets).
requirements.
HSS (Home Subscriber Server) is a database that stores the
subscriber’s data (including subscription profile) and the
secret keys. HSS is basically an integration of the HLR the network. In the current 5G specifications, this protocol is
(Home Location Register) and the AuC (Authentication reused, with few differences [5].
Center) that holds and generates all the needed
cryptographic material. It provides authentication data to EPS-AKA provides mutual authentication (the network
the MME. authenticates the UE and the UE authenticates the serving
network), based on symmetric key cryptography. In this
P-GW (Packet Data Network Gateway) connects the core protocol, at first, the parties authenticate each other and set the
network to the external networks such as internet and secret key, then, some other keys are derived from this secret
provides IP addresses to the UEs. It is also responsible for key to provide data integrity and confidentiality. All the
policy enforcement, billing, and charging. All packets messages in EPS-AKA are NAS messages2.
destined for mobile subscribers are navigated to P-GW.
Figure 2 depicts the EPS-AKA procedure and the attacks it
S-GW (Serving Gateway) anchors the data bearer and may encounter. As shown in figure 2, the EPS-AKA procedure
routes data packets to the UE, eventually by triggering the starts by sending the Attach request message from the UE to
MME. S-GW is responsible for a given geographical zone the MME. This message contains the UE’s IMSI or GUTI
and it serves as an intermediate equipment to avoid (Globally Unique Temporary Identifier) if it exists. GUTI is a
frequent rerouting at the P-GW level in the case of temporary identifier that the MME allocates to the UE, after the
movements of UEs. initial attach procedure, to protect the IMSI from
eavesdropping (i.e., to avoid the frequent transmission of IMSI
4G architecture supports multiple access technologies that causes the availability of tracking the movements of a UE
(trusted and untrusted access networks). The operator decides by an attacker)3. If the MME cannot recognize the GUTI, it
which non-3GPP access network is trusted and which one is sends the Identity request message to the UE, which then sends
untrusted. The handling of non-3GPP accesses involves other its IMSI in the Identity response message. The rest of the EPS-
entities: AKA procedure is as follow [2, 6]:
AAA Server is responsible for authentication and The MME sends Authentication information request to the
authorization of the UE in the case of non-3GPP access1. HSS which contains the UE’s IMSI and the SNid (Serving
EPDG (Evolved Packet Data Gateway) is responsible for Network Identifier). The UE trusts the home network about
the establishment of an IPsec tunnel between the operator the verification of the serving network identity (The home
network and the UE in the case of untrusted non-3GPP network uses the SNid to compute the serving network
access. specific K ASME key that we will describe below).
The HSS generates a random challenge RAND, finds the
However, we mainly focus on the 3GPP access in the scope of UE’s secret key K (according to UE’s IMSI) and then
this paper. inputs these two items to cryptographic functions to
generate AVs (Authentication Vectors). AVs consist of the
RAND, a XRES (the MME checks if this amount is equal
to the RES from the UE to authenticate the UE), a local
master key K ASME (computed by a key derivation function
with the SNid as one of its inputs) and an AUTN
(Authentication Token). The other input of cryptographic
functions is a counter, SQN. The HSS keeps a counter for
each UE and this counter is used to avoid the MME to re-
use an AV (It helps UE to check the freshness of AVs and
avoid replay attacks).
The HSS sends the AV to the MME that stores K ASME and
XRES parts of the AV, and sends RAND and AUTN to the
UE.
The USIM inside the UE retrieves the SQN from AUTN by
Fig. 1. LTE network architecture. The MME and the HSS are in the control using the secret key K, and RAND; next, it computes
plane and the S-GW and the P-GW are in the user plane. The solid lines
show the control plane links and the dashed lines show the user plane links.
XMAC by using SQN, RAND and the AMF part of the
AUTN and compares XMAC with the MAC part of the
AUTN. Then, it checks if SQN is in the right range (USIM
B. EPS-AKA overview
2
Concerning 3GPP access networks, the 4G authentication There are two sets of protocols in mobile systems that concern the UE, Non-
process is supported by the EPS-AKA protocol, which is an Access Stratum (NAS) and Access Stratum (AS). NAS protocols are for
connections between the UE and the core network, while AS concerns the link
authentication and key agreement protocol between the UE and with the radio access network.
3 Temporary Mobile Subscriber Identity (TMSI) is another kind of identifier,
1
AAA is a widely used term. Whereas we focus in this article on AAA allocated to the UE by its current MME. As two different MMEs could use the
mechanisms between the mobile networks and the subscribers, the term of same TMSI for two different UEs, the GUTI with a larger structure and global
AAA is also used as entity name for non-3GPP access,. significance is used as a temporary identity. It contains TMSI.
Fig. 2. EPS-AKA procedure and the attacks against it
has its own SQN and it checks if the SQN from the HSS is acquire the IMSI [7, 8]. In handover cases between MMEs, if
not too far apart from its own SQN, to ensure a synchronization failure happens, the new MME or the
synchronization between HSS and UE). In this part, the UE previous one request the UE’s IMSI, which is then transmitted
authenticates the network. Then, it computes K ASME , thus in clear text again [4, 9-11]. In these cases, an attacker can
now, both UE and MME have the same key to establish eavesdrop the connection to catch IMSIs.
secure connections. The USIM also computes a RES and
One of the problems of IMSI disclosure is theft of services
sends it to the MME. If the SQN is not in the expected
with session mix-up attacks. It can be an inside attack where
range, UE sends a synchronization failure message and if
the attacker is a subscriber of the network but impersonates
XMAC is not the same as MAC, UE sends a MAC failure
itself as another subscriber and use the services that victim
message.
should get from the network [9, 12, 13]. It could also be an
The MME checks if XRES and RES are equal and outside attack, in which the attacker is not a subscriber of the
completes the authentication and key agreement process. network and swaps the services between subscribers of the
network [13]. Theft of services attacks can also happen
We may here underline that the above described between UE and the IMS part of the network (IP multimedia
authentication process is also implicitly an access control or subsystem which provides multimedia services such as voice
authorization process. The authentication of the UE is indeed calls) and affect the revenue of the operator [14]. It is also
necessary and sufficient to provide it access to the network possible for the attacker to force a UE to send IMSI constantly
resources. Let us now survey the identified vulnerabilities of and wastes the computational power of the HSS and the
this key process. memory of the MME [15, 16].
III. EPS-AKA VULNERABILITIES To solve IMSI disclosure problem, some solutions based
on public key cryptography were proposed [17-24]. Some of
There are numbers of security issues about LTE security. them encrypt all the messages between the UE and the
In the scope of this paper we only focus on AAA; therefore we network and some of them only encrypt IMSIs. Most of the
mainly consider EPS-AKA protocol vulnerabilities as this public key based solutions increase computational and
protocol plays the main role in securing network access and communication costs for UEs (with limited capabilities and
ensuring the privacy of UEs. Table 1 summarizes these energy) and for the network elements. Pseudonyms based
vulnerabilities and their effects on the security of the LTE solutions to IMSI disclosure problem were also proposed [11,
system. 25] but were needing additional capabilities in UEs or
The first vulnerability is IMSI disclosure (IMSI catching), additional entities in the network [4, 18, 23, 25].
which affects user confidentiality. As we mentioned in As we mentioned in the previous section, GUTI is a
previous sections, UE sends the IMSI to MME in clear text temporary identifier and should be fresh. However, in reality,
during the first attachment procedure. Furthermore, IMSI is it is not changed frequently and disclosure of it may cause the
transmitted in paging messages that are sent from MME to same problems as IMSI disclosure [7, 23, 26]. An attacker can
eNodeBs and from eNodeBs to UEs, to find a specific UE (for also change GUTIs. In this scenario, the server can not
example, when UE has an incoming call). An attacker can recognize GUTIs and ask UEs to send their IMSIs [22].
trigger paging procedure without awareness of the user, e.g.
by using social network applications, and then sniff paging One of the most important attacks is rogue eNodeB that
messages between eNodeB and UE to decode them and pretends to be a legitimate eNodeB and, by operating with
high power, makes the UEs connect to it [7, 14, 15, 27, 29]. A the MME and between the MME and the UE [19]. If an
rogue eNodeB can redirect UEs to another network that attacker gets these AVs (User Authentication request) by
provides weak data encryption instead of UE’s home network eavesdropping the connection between the MME and the UE
[9]. It can also cause man in the middle attacks (MitM, the or by corrupting the serving network, it can replay them. Then,
attacker impersonate itself to the network as a legitimate UE) the attacker sends these AVs to the UEs in a specific area. The
[9], the disclosure of UE’s location and compromises sessions UE which the AVs are belong to, will send synchronization
keys during handover processes (de-synchronization attacks) failure message and the other UEs will send MAC failure
[4, 10]. Leakage of SNid, because of transmission in clear messages, therefore the attacker determines the presence of the
from the MME to the UE and the HSS, may also cause rogue UE in that location [8, 14, 22, 23, 30, 31, 32].
eNodeB attacks [10, 19]. SNid disclosure may cause traffic on
the MME too; because an attacker can force UEs to attach to Finally, EPS-AKA is based on symmetric key
the MME [23]. Furthermore, LTE system supports femtocells cryptography and all the keys that are used to prevent data
and HeNodeBs and operators do not control them, so, an integrity are derived from the secret key (in the key hierarchy),
attacker can use them as rogue eNodeBs and collects IMSIs therefore, the leakage of this key would cause serious problem
[18, 24]. to the whole network [9, 19].
In addition to the aforementioned vulnerabilities, some
The next vulnerability is relevant to the TAU (Tracking
Area Update) procedure. Mobile operators divide their service security issues are due to the interworking with non-3GPP
area to tracking areas and each tracking area consists of a access networks. The UE uses EAP-AKA and EAP-AKA’ as
number of cells. UEs, inform the MME about their locations the authentication and key agreement protocol when trying to
by sending TAU messages. Some network services are not access the LTE core network via a non-3GPP access network,
accessible in some tracking areas, or some UEs are not as well as during handover procedures between 3GPP access
authorized to access them, as a result, the network sends TAU networks and non-3GPP access networks [6]. These protocols
reject message to UEs in an unprotected manner. In this case, are similar to EPS-AKA protocol (instead of MME, they are
an attacker can cause DoS (Deny of Service) attacks against working with AAA server, the needed keys are driven from
UE by getting TAU request message from UE via rogue the AVs that AAA server gets from the HSS) so they have
eNodeB and sending TAU reject message to UE with “LTE similar vulnerabilities as EPA-AKA, such as attacks against
services not allowed” or “LTE and non-LTE services not UE privacy and location, Dos attacks, UE impersonating and
allowed” content [7, 16, 29]. It is also possible for an attacker billing mechanisms attacks [33, 34, 35].
to use the location information of the UE and find a link
between its IMSI and GUTI and then, traces the UE across the IV. NEW 5G NEEDS
network [18]. The fifth generation of mobile communications has a
DOS attacks against UEs can also happen during number of goals, such as achieving low latency, high data
attachment procedure when the UE sends its network and rates, increased convergence, accessibility and dense
security capabilities to the network. An attacker can change connectivity. 5G will also support IoT (Internet of Things)
this message; therefore the MME may reject some of the UE’s services and address the needs of different vertical markets,
requests [7, 9]. such as healthcare, automotive and transport. 5G-PPP (Fifth
Generation Public Private Partnership) has defined several
Unprotected AVs vulnerability is used to determine if a different use cases for 5G including enhanced mobile
specific UE is in a specific area or not, and track its broadband and critical communications [37].
movements. AVs are sent in clear text between the HSS and
TABLE I. SUMMARY OF EPS-AKA VULNERABILITIES AND ATTACKS, THE GOAL OF THESE ATTACKS AND THE CURRENT SOLUTIONS