
150 (IJCNS) International Journal of Computer and Network Security,

Vol. 2, No. 10, 2010

Security Architecture Objectives for Beyond 3G Mobile Networks: A Survey and Critical Evaluation

Mana Yazdani (1) and Majid Naderi (2)

(1) Faculty of Electrical Engineering, Iran University of Science & Technology, Tehran, Iran, manayazdani@gmail.com
(2) Faculty of Electrical Engineering, Iran University of Science & Technology, Tehran, Iran, m_naderi@iust.ac.ir

Abstract: This paper provides a review of the different authentication and key agreement candidate protocols, EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, and PEAP, for the interworking of the WLAN with 3GPP networks. Each protocol's message flow is also presented. A critical evaluation and comparison between the protocols is provided in order to reveal the deficiency and vulnerability of each procedure. The identity protection, the Man-in-the-Middle attack, possibility of replay attack, latency, energy consumption and the total size of these protocols are evaluated.

Keywords: Security, WLAN, 3G, EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, PEAP.

1. Introduction

Wireless communications are being integrated to comply with the recent increasing demand and rapid development. The integration of different wireless networks raises new security issues. It should be taken into consideration that the act of integrating two secure networks must not negatively impact the overall security, bit rate, and mobility of each network.

The Universal Mobile Telecommunication System (UMTS) as a 3rd Generation (3G) mobile network and Wireless Local Area Networks (WLAN) are among the most practical technologies providing wireless services. 3G networks benefit from wide area coverage, roaming, and mobility, while WLAN systems offer very high bit rates. On the other hand, 3G and WLAN systems suffer from limited capacity and less area coverage respectively. Practically, the 3G-WLAN interworking keeps the advantages of both 3G and WLAN networks intact, providing the users with ubiquitous services. Numerous studies have been conducted to improve various security aspects of such a heterogeneous network [13]-[16].

Although the 3rd Generation Partnership Project (3GPP) has accepted two access scenarios for the 3G-WLAN interworking, Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol and Key Agreement (EAP-AKA) [1]-[4], they have shown security flaws and deficiencies [11]. Besides, some other authentication protocols have also been evaluated to fulfill the interworking requirements. These protocols were essentially proposed by the Internet Engineering Task Force (IETF) and are widely used for internet applications. EAP-TLS (Transport Layer Security) [5], EAP-TTLS (Tunnel TLS) [6], and PEAP (Protected EAP) [7] are among the most applicable Internet protocols. A brief introduction to these protocols with a critical security assessment is provided in this paper.

2. Interworking Authentication Protocols

EAP is a wrapper for authentication protocols that encapsulates the protocols and provides end to end security between the Authentication, Authorization, and Accounting (AAA) server and the User Equipment (UE) [8].

In this section the authentication protocols which have been evaluated as candidates for the integration of 3G-WLAN are briefly presented. As mentioned earlier, two protocols, EAP-SIM and EAP-AKA, have been accepted and are currently employed by 3GPP as the authentication protocols used for the interworking of 3G-WLAN [1], [2]. The other authentication protocols have been assessed in articles as alternative candidates.

2.1. EAP-SIM

EAP-SIM is a protocol used in the interworking of 3G and WLAN when the SIM-card of the GSM/GPRS is being applied in the UE side. Although the security credentials used in the GSM are also engaged in the authentication process of EAP-SIM, some enhancements have been implemented to eliminate the known security weaknesses of GSM.

The main vulnerability of the GSM networks emerged mainly from the opinion that owning a base station is not affordable for a potential attacker. Consequently, mutual authentication is not supported in the GSM/GPRS and only the user is authenticated to the network. Another security flaw unveiled is the weak ciphering systems used in the authentication process. Many attacks have been published on A5/1 and especially A5/2, the main cryptographic primitives of the GSM/GPRS [9], [10]. EAP-SIM is enhanced in comparison to the GSM/GPRS authentication to have mutual authentication and use a longer security key. Practically, the security key for the GSM/GPRS is 64 bit, which is enhanced up to 128 bit for the EAP-SIM [3].

The EAP-SIM authentication and key agreement procedure is presented in Fig. 1. The steps of the authentication procedure are shown by numbers 1 through 10 in Fig. 1. The first and second steps are the initialization of the authentication procedure in which the user communicates with the wireless AP via EAP Over LAN (EAPOL). The user sends his identity in the format of the Network Access Identifier (NAI). This identity can be the International Mobile Subscriber Identity (IMSI) or his temporary identity (TMSI). The IMSI must be sent in plain text in the first connection setup and the TMSI is used in the other setups.

Figure 1. EAP-SIM authentication protocol

The AAA server recognizes the user's identity through steps 3 and 4 and the authentication procedure is started at this point. Then, the NONCE sent in the fifth step is the user's challenge to the network. In steps 6 and 7, the AAA server obtains n (n=2 or n=3) authentication triplets (RAND, SRES, and Kc) for a specific user. The generation of these triplets is based on a permanent secret key shared between the user and the network. Step 8 is to send the n RANDs and the MACserver. The MACserver is calculated using the NONCE and the n RANDs in a MAC algorithm. The user can authenticate the network by verifying the received MACserver. The ninth step includes the MACuser and n XRES values which are calculated by the UE. The AAA server verifies the MACuser and checks if the received XRES is equal to the SRES upon receiving this message. If the check is accomplished successfully, the user is authenticated to the AAA server and an EAP success message is sent to the user indicating the completion of the authentication procedure. At the end of this procedure, the session key is sent to the access point via the AAA server by an AAA protocol (Radius or DIAMETER). This session key is used for encryption purposes between the UE and the AP. Further details on the EAP-SIM authentication procedure can be accessed in references [3] and [11].

2.2. EAP-AKA

EAP-AKA is another authentication protocol which is used in the interworking of 3G-WLAN when the user owns a USIM card [4], [11]. A USIM card is the application utilized on the smart card (UICC) of the 3G user equipment. EAP-AKA implements the UMTS authentication and key agreement procedure and applies the same protocols for communication between the network components as EAPOL, Radius, DIAMETER, etc.

The vulnerabilities mentioned for the GSM/GPRS authentication were addressed in the structure of the UMTS-AKA protocol; this authentication protocol benefits from mutual authentication and new cryptography with a higher degree of security. Because EAP-AKA is an encapsulation of the AKA procedure in EAP, it certainly does not suffer from the GSM/GPRS vulnerabilities.

Figure 2. EAP-AKA authentication protocol

Fig. 2 depicts the authentication procedure and the key agreement in the EAP-AKA protocol through steps 1 to 10. The first two steps are the initialization process. Similar to the EAP-SIM protocol, the identities transmitted in an NAI format (in the third step) may be either permanent (IMSI) or temporary (TMSI). If the AAA server does not possess a 3G Authentication Vector (AV) gained from a previous authentication, it will request AVs from the HSS/HLR (Home Subscriber Server / Home Location Register). The HSS generates n AVs for the specific user by the permanent secret key shared between the UE and the HSS/HLR. The AVs transmitted in the fourth and fifth step include a random challenge (RAND), the authentication token (AUTN), the calculated response (SRES), the encryption key (CK), and the integrity key (IK). The AAA server chooses one of the AVs for the current session and stores the rest for other sessions. The CK and IK with the identity of the user are calculated in a MAC algorithm to generate the master key in the EAP-AKA process. The produced master key is eventually used to generate the master session key. The MACserver calculated in the AAA server from the master key is sent with the RAND and AUTN in the sixth step. The verification of the MACserver and AUTN will be used to authenticate the network to the user. The AAA server verifies the calculated MACuser and XRES sent in the seventh step to authenticate the user. If XRES is equal to the SRES received in the fifth step and the MACserver value is acceptable, then the user is authorized. An EAP success message terminates the EAP-AKA procedure while the session key is transmitted via the AAA server to the AP to be applied for the security purposes between the user and the AP.
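
The EAP-SIM exchange of Section 2.1 with both sides' messages, as an added example that is not part of the paper: it shows the UE checking MACserver before it answers, the AAA server checking MACuser and the responses, and that reusing the same triplets with a new NONCE still passes (the freshness gap the paper lists for EAP-SIM). Assumptions: HMAC-SHA256 stands in for the SIM's A3/A8, the key derivation is simplified, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os

def a3a8(ki, rand):
    """Stand-in for the SIM's A3/A8 algorithms (HMAC-SHA256, NOT COMP128).
    Returns (SRES, Kc): a 32-bit response and a 64-bit GSM cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def auth_key(identity, kcs, nonce):
    """Simplified derivation of a 128-bit MAC key from the identity, the n Kc
    values and the UE's NONCE (the real PRF and version fields are omitted)."""
    master = hashlib.sha1(identity + b"".join(kcs) + nonce).digest()
    return hmac.new(master, b"K_aut", hashlib.sha1).digest()[:16]

def mac(key, *fields):
    return hmac.new(key, b"".join(fields), hashlib.sha1).digest()[:16]

class HLR:
    """Home network: holds the permanent key Ki and issues triplets (steps 6-7)."""
    def __init__(self, subscribers):
        self.subscribers = subscribers              # identity -> Ki

    def triplets(self, identity, n=2):
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3a8(self.subscribers[identity], rand)
            out.append((rand, sres, kc))
        return out

def server_challenge(identity, nonce, triplets):
    """Step 8, AAA server -> UE: the n RANDs and MACserver."""
    rands = [t[0] for t in triplets]
    key = auth_key(identity, [t[2] for t in triplets], nonce)
    return rands, mac(key, *rands, nonce)

def server_verify(identity, nonce, triplets, reply):
    """AAA server checks MACuser and the returned responses against SRES."""
    if reply is None:
        return False
    responses, mac_user = reply
    sres = [t[1] for t in triplets]
    key = auth_key(identity, [t[2] for t in triplets], nonce)
    return responses == sres and hmac.compare_digest(mac_user, mac(key, *sres))

class UE:
    def __init__(self, identity, ki):
        self.identity, self.ki, self.nonce = identity, ki, None

    def start(self):
        """Steps 3-5: send the NAI identity and a fresh NONCE (the UE's challenge)."""
        self.nonce = os.urandom(16)
        return self.identity, self.nonce

    def respond(self, rands, mac_server):
        """Step 9: authenticate the network first, then answer. None means abort."""
        pairs = [a3a8(self.ki, r) for r in rands]
        key = auth_key(self.identity, [kc for _, kc in pairs], self.nonce)
        if not hmac.compare_digest(mac_server, mac(key, *rands, self.nonce)):
            return None
        responses = [sres for sres, _ in pairs]
        return responses, mac(key, *responses)

def authenticate(ue, triplets):
    """One full run; True only when both sides accept."""
    identity, nonce = ue.start()
    rands, mac_server = server_challenge(identity, nonce, triplets)
    return server_verify(identity, nonce, triplets, ue.respond(rands, mac_server))

# Constructed sample values (not from the paper).
NAI = b"1001010123456789@wlan.example"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    hlr = HLR({NAI: KI})
    fresh = hlr.triplets(NAI)
    print("genuine network, genuine SIM:", authenticate(UE(NAI, KI), fresh))
    forged = [(os.urandom(16), os.urandom(4), os.urandom(8)) for _ in range(2)]
    print("network without Ki-derived triplets:", authenticate(UE(NAI, KI), forged))
    print("same triplets, new NONCE:", authenticate(UE(NAI, KI), fresh))
```

With n=2 the two 64-bit Kc values feed 128 bits of key material into the derivation, which is the key-length enhancement the section describes.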

2.3. EAP-TLS

Secure Socket Layer (SSL) is the most widely used security protocol on the wired internet which employs a public key infrastructure [12]. As a result, many works have focused on applying the SSL based authentication protocols to the wireless networks to make a compatible integration between wireless and wired networks [13]-[16]. Performance considerations have discouraged the use of SSL based protocols in resource-constrained environments such as the wireless environment. On the other hand, the relatively small sizes of wireless data transactions imply that the public key encryption dominates the security processing requirements in wireless networks.

Figure 3. EAP-TLS authentication protocol
[Message sequence chart between UE, AP, AAA Server and HSS/HLR over the interfaces Ww (EAPOL), Wa (AAA: Radius or Diameter) and Wx (SS7). Step labels: 1. Connection Establishment; 2. EAP Request / Identity; 3. EAP Response / Identity (NAI); 4. Access Request with UserID; 5. EAP-TLS Start; 6. EAP Response; 7. EAP Request; 8. EAP Response; 9. EAP Request; 10. EAP Response; 11. EAP Success. EAP-TLS payloads shown, in order: start bit set, no data; TLS Client-Hello; TLS Server-Hello, TLS Certificate, TLS-Key-Exchange, TLS Certificate-Request, TLS Server-Hello-Done; TLS Certificate, TLS Client-Key-Exchange, TLS Certificate-Verify, TLS Change-Cipher-Spec, TLS Finished; TLS Change-Cipher-Spec, TLS Finished, New Encrypted Pseudonym (RADIUS Access Success). Annotations: public key operation to verify AAA server's certificate; decrypt new pseudonym (P-TMSI); the session key is sent using the AAA protocol.]

EAP-TLS is an authentication and key agreement protocol which is mainly based on SSL v.3. Similar to the SSL protocol, EAP-TLS engages public key cryptography to securely communicate with the AAA server. EAP-TLS is known as one of the most secure EAP standards on wireless LANs. The requirement for a client to possess a certificate is part of the authentication procedure that cast doubt on the feasibility of implementing EAP-TLS on the wireless networks. The papers in the references [13], [14] present some practical aspects of the implementation of the EAP-TLS on the wireless networks.

Fig. 3 illustrates the structure of the EAP-TLS authentication protocol proposed in the references [13], [14]. The message flow in the figure includes the essential adaptations to the EAP-TLS to make it "mobile-enabled" [14]. The initialization procedure is NAI based and similar to the protocols mentioned in the previous sections. The user sends his identity (IMSI or TMSI) along with the certificate in an EAP response message and the EAP server verifies the user identity by this certificate. On the other side, the client checks the validity of the server certificate, which is signed by a trusted Certification Authority (CA).

In the EAP-TLS architecture proposed in the reference [14], the use of PKI is mandatory; so, a CA must be connected to the 3G core network to issue the certificates. Different structures are proposed in the reference [14] to support the PKI in the UMTS architecture. A procedure for the session resumption is also presented that improves the efficiency of the repeated connection attempts. In this structure, the need for the generation of the AVs by the HSS/HLR is eliminated. Finally, EAP-TLS provides an end to end authentication procedure.

2.4. EAP-TTLS

EAP-TTLS is the revision of the EAP-TLS in which the need for the PKI in the structure was a deficiency in the wireless networks [6]. EAP-TTLS utilizes the secure connection established by the TLS protocol. The TLS handshake used in the TTLS may be either mutual or one way (only the server is authenticated to the client). The client may be authenticated using an AAA protocol such as RADIUS. The authentication of the client may be EAP or another protocol such as CHAP (Challenge Handshake Authentication Protocol) [15], [16].

Figure 4. EAP-TTLS authentication protocol
[Message sequence chart between UE, AP, AAA Server and HSS/HLR over the interfaces Ww (EAPOL), Wa (AAA: Radius or Diameter) and Wx (SS7). Steps: 1. Connection Establishment; 2. EAP Request / Identity; 3. EAP Response / Identity (NAI); 4. EAP-TLS Start; 5. Client Hello; 6. Server Hello, Server Certificate, Server Hello Done; 7. Client Key Exchange, Change Spec (In SSL), Finished (Encrypted); 8. Change Spec, Finish (Encrypted); 9. Username, CHAP Challenge, CHAP Response; 10. RADIUS Authentication Request (Includes CHAP message); 11. RADIUS Access Accept; 12. Success, Data Cipher Suite, Session Key; 13. EAP Success.]

EAP-TTLS has the advantage of easy deployment on an existing structure in a wireless network. This protocol is in fact a combination of two protocols: an outer and an inner protocol. The inner is the legacy authentication protocol and the outer protects the inner protocol messages. Moreover, the outer protocol provides a tunnel that enables the network to perform functions such as the client authentication and the key distribution. On the other hand, the inner protocol includes a TLS handshake which is used to authenticate the server to the client based on a public or a private key certificate.

Fig. 4 shows the EAP-TTLS authentication procedure. In this figure, the TLS protocol is used to authenticate the server and the CHAP protocol performs the client authentication. The server must verify the value of the CHAP challenge to authenticate the user. Steps 1 through 3 in Fig. 4 are the initialization procedure similar to the other protocols, and steps 4 through 8 demonstrate the creation of a TLS tunnel in which the server is authenticated. The rest of the steps authenticate the client in the established tunnel. In EAP-TTLS, if the client uses a certificate for the authentication, the protocol will have the same procedure as the EAP-TLS [15], [16].

2.5. PEAP

PEAP provides a wrapping of the EAP protocol within TLS [7]. PEAP, similar to the EAP-TTLS, implements a tunnel to transfer the protocol authentication messages. One of the protocols encapsulated in the PEAP tunnel is the EAP-AKA authentication. As mentioned earlier, the tunnel derives the session keys.

The message flow in PEAP with the EAP-AKA authentication is illustrated in Fig. 5. The UE and the HSS own a common secret key which is used during the authentication. In the initialization phase, the UE sends an Identity (IMSI/TMSI) as part of the EAP-AKA. An AAA protocol like MAP or DIAMETER or RADIUS sends the IMSI from the AAA server to the HSS/HLR. Then, the HSS/HLR calculates and sends the AVs (RAND, AUTN, XRES, IK, and CK) to the AAA server. The chosen AV is sent to the UE for verification so that the network is authenticated to the user. The RES is sent back to the AAA server and if RES=XRES, the UE is authenticated. After the AKA procedure is completed, the session keys are derived and shared between the UE and the AP. These session keys are not the same as those derived in the 3G-AKA but are derived from the TLS master secret.

Figure 5. PEAP authentication protocol

3. Deficiencies and Vulnerabilities

The five authentication protocol candidates for the integration of wireless networks were explained earlier. In this section, a critical evaluation is made introducing the deficiencies and vulnerabilities of each protocol separately. Some of these vulnerabilities are revealed by the proposed attacks in the literature, which are also addressed in this section. Additionally, the deficiencies are unveiled by making critical comparisons between different protocols.

3.1 Vulnerabilities of the protocols

Generally, the authentication protocols presented in the previous section set up connections between the cellular networks and the WLAN. The security protocols included in the WLANs are mainly based on the different versions of 802.11. The basic version of the 802.11 is considered as one of the most vulnerable security protocols. Currently, new versions of this security protocol are implemented in the wireless networks. One of the new security architectures for the 802.11 security protocol is called WiFi Protected Access (WPA). The WPA2 version, which is widely used in the wireless networks, suffers from a number of vulnerabilities such as denial of service attacks, session hijacking in the absence of encryption, and the lack of trust relationship within the WPA architecture. On the other hand, the user equipment may initiate a bottleneck. This happens when, for instance, a Trojan in the terminal originates a challenge response with the UICC and forwards the results to an active attacker. The attacker then analyzes the messages and sets up an attack. Another example is malicious software residing in a different host which can launch Distributed Denial of Service (DDOS). When a user intends to access a WLAN service via a cellular authentication procedure, the SIM/USIM must be used remotely from the WLAN client through a serial, Infrared, or Bluetooth connection. Sending credentials on these connections can endanger the user confidentiality.

3.3.1 EAP-SIM

The EAP-SIM protocol establishes a secure connection between the GSM and WLAN [1]-[3]. The GSM network suffers from many security weaknesses such as the unidirectional authentication and the key agreement protocol, the possibility of replay attacks, and the weak cryptographic primitives that resulted in many successful attacks on this architecture [9], [17]. EAP-SIM claims that it has solved many of the security flaws in the GSM though.

Some of the vulnerabilities of the EAP-SIM could be summarized as follows.
• The mobile user is obliged to send his permanent identity (IMSI) in plain text during the first authentication attempt. Correspondingly, a passive eavesdropper may steal this identity and use it in a later active attack.
• The messages transmitted between the UE and the Radio Network Controller (RNC) are the only messages provided with an integrity protection; hence, the protocol may be vulnerable to replay attacks.
• Many EAP-SIM messages (EAP-Request/Notification, EAP Success, or EAP Failure) are exchanged unprotected, enabling an attacker to send false notification and mount denial of service attacks.
• Although EAP-SIM mandates the use of fresh authentication triplets, there is no mechanism that enables the user to check whether the authentication triplets received from the AAA server are fresh. Therefore, if an attacker has access to authentication triplets, he may use the compromised triplets as long as the master secret key remains unchanged for the target user.
• A possible way of implementing a Man-in-the-Middle (MitM) attack on the EAP-SIM is when the same authentication triplets are used in both GSM and WLAN access. If the HSS is not used specifically for the interworking of the GSM and WLAN, then the HLR will be used as the database that stores the authentication credentials. Accordingly, the authentication triplets stolen from a GSM connection can be misused to mount a false WLAN connection by an adversary in EAP-SIM.

3.3.2 EAP-AKA

EAP-AKA is the authentication protocol used in the interworking of the WLAN and the UMTS cellular networks [1], [2], [4]. In this protocol, EAP encapsulates the AKA procedure, which is known for providing enough security. Moreover, the authentication token (AUTN) and the sequence number in the message flow of the authentication procedure are engaged in order to defeat the possibility of replay and impersonation attacks. In spite of all the attempts to make a secure protocol, it is said to have the following vulnerabilities.
• EAP-AKA does not support cipher suite or protocol version negotiation, and the key sizes and the algorithm are fixed, making it a less secure and inflexible protocol.
• The integrity protection is only guaranteed when communicating between the radio network controller and the user equipment; hence, the protocol may be vulnerable to replay attacks.
• The IMSI is sent in plain text on the first authentication attempt; so, an adversary pretending to be a valid server may force the user to send his IMSI and gain his permanent identity.
• Many EAP-AKA messages (EAP-Request/Notification, EAP-Success, and EAP-Failure) are exchanged unprotected, enabling an attacker to mount a denial of service attack.
• Although the AKA procedure is strong enough to defeat the MitM attack, the integration of the UMTS with the GSM has resulted in the interception of all the UE initiated calls [18], an eavesdropping attack, and an impersonation attack [19]. If the HSS is not used specifically for the interworking of the UMTS and the WLAN, a MitM attack is likely to happen. The authentication credentials gained from mounting the previously mentioned attacks on the HLR assist the attacker to initiate a MitM attack in the EAP-AKA.

3.3.3 EAP-TLS

EAP-TLS appeared to provide the acceptable level of security in the wired networks. It has not yet even shown vulnerability to the MitM attacks. Nevertheless, similar to the other interworking authentication protocols, the Network Access Identifier (NAI) can divulge the permanent user identity under certain circumstances, thus compromising the user privacy.

3.3.4 EAP-TTLS

EAP-TTLS was proposed to eliminate the need for a PKI in the EAP-TLS and provide more security by tunneling, which itself augmented the possibility of a MitM attack [20]. The attack suggested in the reference [20] is due to the fact that the legacy client authentication protocol is not aware if it is run in a protected or unprotected mode. The main cause of the MitM attack in EAP-TTLS is the ability of an authentication to proceed without tunneling. The message flow of the MitM attack in the EAP-TTLS is depicted in Fig. 6.

Figure 6. MitM in the EAP-TTLS

As shown in Fig. 6, the MitM captures the initialization procedure of a legitimate user and sets up a tunneled authentication protocol with the AAA server using the UE identity. Afterwards, the MitM forwards the legitimate client authentication protocol messages through the tunnel. The MitM unwraps the messages received from the AAA server and forwards them to the legitimate user. After the successful completion of the procedure, the MitM derives the session keys and starts an active or passive attack.

3.3.5 PEAP

PEAP is a tunneling protocol similar to the EAP-TTLS which provides a wrapping for the legacy protocols such as the EAP-AKA. The most significant vulnerability of this protocol arises from the nature of including a tunneling procedure. The MitM attack in PEAP with EAP-AKA is displayed in Fig. 7.

Figure 7. MitM in the PEAP with EAP-AKA

According to Fig. 7, the MitM initiates a tunneled authentication protocol with the network while masquerading as the legitimate AP to the user. The MitM unwraps the tunneled messages received from the AAA server and forwards them to the victim. At the end of the procedure, the MitM owns the session keys.
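
Why the tunnel endpoint ends up with the session keys in Sections 3.3.4 and 3.3.5, and what a binding of tunnel and inner-method keys changes, as an added example that is not part of the paper: it models only which party holds which secret. The binding countermeasure is not described in the paper; `prf`, `session_key`, `binding_mac` and `run_session` are hypothetical names, HMAC-SHA256 stands in for the real key derivations, and all values are constructed.

```python
import hashlib
import hmac
import os

def prf(key, label):
    """Stand-in key derivation (HMAC-SHA256), not the TLS or EAP-AKA PRF."""
    return hmac.new(key, label, hashlib.sha256).digest()

def session_key(tunnel, inner=None):
    """Unbound: key from the TLS master secret only (as described for PEAP).
    Bound: key from the TLS master secret AND the inner method's key."""
    material = tunnel if inner is None else tunnel + inner
    return prf(material, b"session key")

def binding_mac(tunnel, inner, nonce):
    """Proof, sent inside the tunnel, that one party holds both secrets."""
    return prf(prf(tunnel + inner, b"binding key"), nonce)

def run_session(binding, relayed):
    """Model one tunneled authentication.
    binding: the server demands binding_mac and derives a bound session key.
    relayed: a relay terminates the tunnel and forwards the inner method to a
             UE that runs it outside the tunnel (the situation of Fig. 6 / 7)."""
    k = os.urandom(16)        # long-term key shared by the USIM and the HSS
    rand = os.urandom(16)     # inner-method challenge
    tunnel = os.urandom(48)   # TLS master secret: server and tunnel client
    nonce = os.urandom(16)    # server nonce for the binding check

    # Inner method (e.g. EAP-AKA): only holders of k can compute the response
    # and the inner key. A relay can forward the response but not derive the key.
    xres, inner_server = prf(k, b"res" + rand), prf(k, b"key" + rand)
    res, inner_ue = prf(k, b"res" + rand), prf(k, b"key" + rand)

    # Inner key available to whoever terminates the tunnel on the client side:
    # the UE itself when honest, a relay with no knowledge of k otherwise.
    client_inner = os.urandom(32) if relayed else inner_ue

    accepted = hmac.compare_digest(res, xres)
    if binding:
        offered = binding_mac(tunnel, client_inner, nonce)
        expected = binding_mac(tunnel, inner_server, nonce)
        accepted = accepted and hmac.compare_digest(offered, expected)

    server_key = session_key(tunnel, inner_server if binding else None)
    client_key = session_key(tunnel, client_inner if binding else None)
    return {
        "accepted": accepted,
        "relay_holds_session_key": relayed and accepted and client_key == server_key,
    }

if __name__ == "__main__":
    for binding in (False, True):
        for relayed in (False, True):
            print(f"binding={binding!s:5} relayed={relayed!s:5}",
                  run_session(binding, relayed))
```

Binding only helps when the inner method derives a key, as EAP-AKA does from CK and IK; an inner method such as CHAP yields no key to bind.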

3.2 Deficiencies of the protocols

Each candidate protocol has its advantages and disadvantages to be employed in the interworking of the WLAN with the cellular networks. The most notable drawback in the EAP-SIM and EAP-AKA is their dependency on the network structure, and thus they cannot be dynamic. However, the advantage of the EAP-TLS/TTLS or PEAP is that the user can be authenticated locally and does not need to first connect to the cellular access gateway. Another deficiency of the two protocols is the latency of the authentication procedure, which is exacerbated due to the frequent roaming of the users among different WLANs; this frequency is caused by the comparatively small range of each WLAN AP. Another advantage of the EAP-TLS/TTLS or PEAP in comparison with the EAP-SIM/AKA is their applicability in the beyond 3G heterogeneous networks, since they have been successfully implemented as protocols in the Internet, which is the backend of the beyond 3G networks.

Many studies have focused on comparing the energy consumption, latency, and the total size of these authentication protocols in an interworking scenario [13]-[16]. All of these studies demonstrate that EAP-SIM and EAP-AKA suffer from considerable latency but benefit from the small total size on the UE.

The most significant problem in the implementation of the legacy wired internet protocols in the interworking of the WLAN with the cellular networks is the infrastructure required for using the public key and the PKI. EAP-TLS/TTLS or PEAP use a public key infrastructure and certificate authority which are not introduced in the existing 2G and 3G cellular networks. Another problem of using the certificate authority is that the USIM, which is a constrained resource, must be preloaded with all the CA public keys. Furthermore, most of the UEs are not equipped with the digital certificate.

Table 1 summarizes the main vulnerabilities and deficiencies mentioned earlier.

Table 1: Vulnerabilities and deficiencies comparison

                                EAP-SIM  EAP-AKA  EAP-TLS  EAP-TTLS  PEAP
User identity protection           ✗        ✗        ✗        ✓       ✓
Secure against the MitM            ✗        ✗        ✓        ✗       ✗
Secure against replay attack       ✗        ✗        ✗        ✗       ✗
Interworking with Internet         ✗        ✗        ✓        ✓       ✓
Short latency                      ✗        ✗        ✓        ✓       ✓
Low energy consumption             ✓        ✓        ✗        ✗       ✗
Small total size                   ✓        ✓        ✗        ✗       ✗

4. Conclusion

The authentication and the key agreement procedure of the interworking architecture between the WLAN and the cellular networks for different candidate protocols were discussed. The two accepted protocols by the 3GPP were EAP-SIM and EAP-AKA because of their easy compatibility with the existing cellular network infrastructures. On the other hand, the EAP-TLS/TTLS and PEAP, which were used in the Internet, showed promising advantages to be employed in the interworking structure. The security vulnerability and the deficiency of each authentication protocol were addressed and compared.

Although 3GPP has accepted the interworking protocols for the WLAN-Cellular network, more studies on the efficiency of the security protocols for the beyond 3G networks are required.

References

[1] 3GPP, “3GPP system to Wireless Local Area Network (WLAN) interworking; System description,” 3GPP TS 23.234 V9.0.0, Jan. 2010.
[2] 3GPP, “Wireless Local Area Network (WLAN) interworking security,” 3GPP TS 23.234 V9.2.0, June 2010.
[3] H. Haverinen, J. Saloway, “EAP-SIM authentication,” RFC 4186, Jan. 2006.
[4] J. Arkko, H. Haverinen, “EAP-AKA authentication,” RFC 4187, Jan. 2006.
[5] B. Aboba, D. Simon, “PPP EAP TLS Authentication Protocol,” IETF RFC 2716, Oct. 1999.
[6] P. Funk, S. Blake-Wilson, “EAP Tunneled TLS Authentication Protocol version0,” IETF RFC 5281, Feb. 2005.
[7] H. Anderson, S. Josefsson, “Protected Extensible Authentication Protocol (PEAP),” IETF RFC 2026, Aug. 2001.
[8] L. Blunk, J. Vollbrecht, “Extensible Authentication Protocol (EAP),” IETF RFC 3748, March 1998.
[9] E. Barkan, E. Biham, N. Keller, “Instant ciphertext-only cryptanalysis of GSM encrypted communication,” Journal of Cryptology, Vol. 21, Issue 3, 2008.
[10] A. Bogdanov, T. Eisenbath, A. Rupp, “A hardware-assisted real time attack on A5/2 without precomputations,” in Cryptographic Hardware and Embedded Systems, vol. 4727, pp. 394-412, 2007.
[11] Ch. Xenakis, Ch. Ntantogin, “Security architectures for B3G mobile networks,” Journal of Telecommunication Systems, vol. 35, pp. 123-139, Sept. 2007.
[12] V. Gupta, S. Gupta, “Experiments in wireless internet security,” Proc. IEEE Wireless Communication and Networking Conf., Vol. 1, pp. 859-863, March 2002.
[13] G. Kambourakis, A. Rouskas, S. Gritzalis, “Using SSL in authentication and key agreement procedures of future mobile networks,” Proc. 4th IEEE Int. Conf. on Mobile and Wireless Communication Networks 2002, pp. 152-156, Sept. 2002.
[14] G. Kambourakis, A. Rouskas, G. Kormentzas, S. Gritzalis, “Advanced SSL/TLS-based authentication for secure WLAN-3G interworking,” IEEE Communications Proceedings, Vol. 151, pp. 501-506, Oct. 2004.
[15] P. Prasithsangaree, P. Krishnamurthy, “A new authentication mechanism for loosely coupled 3G-WLAN integrated networks,” In Proceeding of the Vehicular Technology Conference 2004, IEEE, Vol. 5, pp. 2284-3003, May 2004.
[16] Y. Zhaho, Ch. Lin, H. Yin, “Security authentication of 3G-WLAN interworking,” 20th International Conference on Advanced Information Networking and Applications, Vol. 2, pp. 429-436, 2006.
[17] C.J. Mitchell, “The security of the GSM air interface protocol,” Technical Report, Royal Holloway University of London, RHUL-MA-2001-3, 2001.
[18] U. Meyer, S. Wetzel, “A Man-in-the-Middle attack on UMTS,” in ACM workshop on wireless security 2004, pp. 90-97, 2004.
[19] Z. Ahmadian, S. Salimi, A. Salahi, “New attacks on UMTS network access,” Wireless Telecommunications Symposium 2009, Prague, pp. 1-6, April 2009.
[20] N. Asokan, N. Valteri, K. Nyberg, “Man-in-the-Middle in tunneled authentication,” Internet Drafts, Nokia Research Center, Oct. 2003.
