Analysis of authentication and key establishment in

inter-generational mobile telephony
(with appendix July 31, 2013)

Chunyu Tang, David A. Naumann, and Susanne Wetzel
Stevens Institute of Technology
Abstract—Second (GSM), third (UMTS), and fourthgeneration (LTE) mobile telephony protocols are all in active use,
giving rise to a number of interoperation situations. Although the
standards address roaming by specifying switching and mapping
of established security context, there is not a comprehensive
specification of which are the possible interoperation cases.
Nor is there comprehensive specification of the procedures to
establish security context (authentication and short-term keys) in
the various interoperation scenarios. This paper systematically
enumerates the cases, classifying them as allowed, disallowed,
or uncertain with rationale based on detailed analysis of the
specifications. We identify the authentication and key agreement
procedure for each of the possible cases. We formally model these
scenarios and analyze their security, in the symbolic model, using
the tool ProVerif. We find two scenarios that inherit a known false
base station attack. We find an attack on the CMC message of
another scenario.

I.

I NTRODUCTION

Mobile telephony has become an integral part of our daily
activities, in part due to the tremendous success and market
penetration of smartphones and tablets. In many locations
around the world, mobile communication is already facilitated
through the fourth generation (4G) technology called Long
Term Evolution (LTE)—which evolved from the third generation (3G) technology, Universal Mobile Telecommunications
System (UMTS). Along with the opportunities created by
technology evolution there are challenges. One challenge is
the interoperation of different generations of technologies, i.e.,
communication involving mixed network components. Past
experience has shown that such interoperation may introduce
unexpected security vulnerabilities [1], [2].
The specifications promulgated by the 3GPP organization
for UMTS [3] and LTE [4] do address interoperation between
the different generations of technologies. The specification
for UMTS systematically studies all possible combinations
of interoperation between UMTS and second generation (2G)
GSM. The LTE specification details the mechanisms for security context switching and mapping to facilitate interoperation
between LTE, UMTS, and GSM. However, this applies to
maintaining context during handover and idle mode mobility.
To the best of our knowledge, the specification for LTE does
not explicitly address establishing of an initial security context
for interoperation. In particular, to date there is no comprehensive enumeration of all interoperation cases and their respective
procedures for authentication and key agreement (AKA). In
this paper we close this gap.
The first contribution of this paper is to systematically
enumerate of all possible interoperation cases between LTE,
UMTS, and GSM. We classify these cases as allowed, disallowed, or uncertain, with explicit rationale making detailed

reference to the specifications. Of the 243 cases identified,
19 cases involve GSM and UMTS technologies only, and as
such are fully treated by the UMTS specification [3]. For
cases involving LTE components, 138 cases are clearly ruled
out somewhere in the specification and 38 cases are clearly
allowed. For the remaining 48 cases the specifications and
documentation based on the specifications do not provide a
clear indication whether these cases are allowed.
As a second contribution of this paper, we provide details
on what we call the AKA scenarios,1 i.e., the specific protocol
steps for authentication and key agreement, in each allowed or
uncertain case. For each uncertain case we identify conditions
under which the case could occur. For all of the 19+38+48
cases we identify the corresponding AKA scenario. It turns
out that there are only 10 distinct AKA scenarios, including
the pure GSM, pure UMTS, and pure LTE scenarios which
apply in some interoperation cases. Although the GSM/UMTS
scenarios are described in the specifications, that is not the
case for 86 roaming cases involving LTE. For three of those
scenarios we identify two variations which are both consistent
with the specifications and which have different authenticity
properties.
As a third contribution, we provide formal models for all
10 of the AKA scenarios, including variations, in the symbolic
(Dolev-Yao) model of cryptography and using the ProVerif tool
[5]. We provide a security analysis based on these models.
The models are composed in a modular fashion from the
basic protocol models for GSM, UMTS, and LTE. This will
facilitate adding or modifying scenarios, in case of changes to
the specifications or the conditions for the uncertain cases to
occur.
Our security analysis addresses authentication properties
and secrecy. We show that two of the LTE interoperation
scenarios inherit an attack, known from GSM and the interoperation between UMTS and GSM [6], in which a false base
station can eavesdrop and modify data traffic. We show how
the attack can be prevented in one scenario. We also show that
one scenario is prone to an attack against the Cipher Mode
Command (CMC) message.
Outline: Sect. II surveys related work and Sect. III is
an overview of the GSM, UMTS, and LTE AKA protocols.
Sect. IV presents the first of our main contributions, the
systematic enumeration of possible cases and classification
of what is (dis)allowed or uncertain according to the 3GPP.
Sect. V presents our second contribution, the AKA scenarios
for each allowed or uncertain case, justified with reference to
1 In some standards, AKA has more specific meaning and varying terminology is used, e.g., depending on whether authentication is mutual.

the specifications. Sect. VI describes our ProVerif models for
GSM, UMTS, and LTE, and the specifications of desired security properties. Sect. VII presents our third contribution, the
ProVerif models for AKA scenarios involving interoperation
between technologies, and analysis results for those models.

categorizing them in terms of secrecy, integrity, or authenticity
properties. Possible security improvements are also discussed.

For reasons of space, we cannot present the complete
classification of cases, scenarios, and analysis results; instead
we present excerpts and highlights. A long version online
includes full details [7].

In GSM, UMTS, and LTE, the network architecture includes three main elements: the Mobile Station (MS), the
Serving Network (SN), and the Home Network (HN).

II.

III.

OVERVIEW OF GSM, UMTS, AND LTE SECURITY
MECHANISMS

The MS is the combination of the Mobile Equipment (ME)
and an identity module. The ME is the user device that
contains the radio functionality and the encryption/integrity
mechanisms used to protect the traffic between the MS and the
network. A 4G ME also includes the functionality to derive an
LTE master secret key KASME . In GSM, the identity module of
the Subscriber Identity Module (SIM) contains the unique International Mobile Subscriber Identity (IMSI), the subscriber’s
permanent secret key Ki, as well as the mechanisms used
for GSM AKA and GSM session key derivation. The UMTS
identity module (USIM) includes the IMSI, Ki, and the UMTS
AKA and session key derivation functionality. It furthermore
may contain the SIM functionality, i.e., the GSM AKA and
key derivation functionality. In contrast to a 3G USIM, an
LTE USIM (also refered to as enhanced USIM) provides for
additional functionality including enhanced capability for the
storing of a security context.

R ELATED WORK

Several attacks have been found against the GSM encryption algorithms [8], [9], [10], [11], [12]. Ahmadian et al. [13]
show attacks which exploit weakness of one GSM cipher
to eavesdrop or impersonate a UMTS subscriber in a mixed
network. In this paper we focus on protocol flaws rather than
cryptographic weaknesses.
Fox [14] finds the false base station attack on the GSM
AKA due to the lack of authentication of the network. Meyer
and Wetzel [1], [2], [15] show that a man-in-the-middle attack
can be performed on one of the cases of interoperation between
GSM and UMTS. In prior work [16], we use the ProVerif (PV)
tool to analyze GSM, UMTS, and roaming cases between GSM
and UMTS. The false base station attack [14] and the man-inthe-middle attack [1] were confirmed by the PV models.

The SN typically consists of the Base Station (BS) and either the Visitor Location Register/Serving GPRS Support Node
(VLR/SGSN) in GSM and UMTS, or the Mobile Management
Entity (MME) in LTE. The BS is the network access point
which manages the radio resources and establishes the connection to the MS. In GSM, the BS includes the Base Transceiver
Station (BTS) which connects to the Base Station Controller
(BSC). In GSM, encryption terminates at the BTS or at the
SGSN in GPRS. In UMTS, the BS includes the NodeB which
connects to the Radio Network Controller (RNC). Encryption
and integrity protection in UMTS terminates in the RNC. In
LTE, BS is the evolved NodeB (eNodeB). LTE distinguishes
the protection of the connection between the MS and the
eNodeB—the so-called Access Stratum (AS) and the connection between the MS and MME—the so-called Non-Access
Stratum (NAS). In LTE, the MME is the end-point for the
NAS and the respective protection mechanisms.

PV is an automatic protocol verifier that can verify authentication, secrecy, and other properties, in the symbolic (DolevYao) model, considering an unbounded number of sessions
and unbounded message space. Quite a few protocols have
been analyzed using PV. For example, Chang and Shmatikov
[17] use PV to analyze the Bluetooth device pairing protocols;
they rediscover an offline guessing attack [18] as well as a
new attack. Blanchet and Chaudhuri [19] find an integrity
attack against a file sharing protocol. Chen and Ryan analyze
TPM authorization [20]. Kremer and Ryan use PV to verify
an electronic voting protocol [21]. Arapinis et al. [22] find two
attacks against anonymity in UMTS, using PV.
Han and Choi [23] demonstrate a threat against the LTE
handover key management, involving a compromised base
station. This is concerned with maintaining security context,
whereas our work addresses establishing such context. Tsay
and Mjølsnes [24] find an attack on the UMTS and LTE AKA
protocols using CryptoVerif, an automated protocol analyzer
based on a computational model. In fact the attack lives at
the symbolic level. It depends on insecurity of the connection
between the serving network and the home network. In our
work we assume the connection between serving network and
home network is secure. (Although the standard specifies the
protocols, their implementations are operator-specific.)

The HN includes the Home Location Register (HLR) and
the Authentication Center (AuC) in GSM and UMTS, respectively the Home Subscriber Server (HSS) in LTE. The HN
stores all subscriber data including the IMSI and permanent
shared secret key Ki. It furthermore, holds its (own) algorithms
for deriving session keys as well as generating authentication
vectors. A 4G HN also includes the functionality for deriving
an LTE master secret key KASME .

Lee et al. [25] analyze the anonymity property of the
UMTS and LTE AKA and connection establishment protocols
using formal security (computational) models. The assumption
in this work is that the attacker is not capable of impersonating any network devices and the underlying cryptographic
system is perfect. They manually prove the protocols meet the
anonymity requirement, under these assumptions.

Overview of GSM Security Mechanisms. Fig. 1 shows
the GSM AKA procedure. The goal of the GSM AKA is to
authenticate the MS and to establish an encryption key that
can then be used to protect the user data exchange between
the MS and BS. The GSM AKA procedure can be triggered
by the initial network attach request [27], the Routing Area
Update (RAU) request [28], or the service request [29]. The
service request happens after a dedicated channel has been
established between the MS and the SN [29], which means

Mobarhan et al. [26] evaluate the publically known attacks
on GSM and UMTS (and the related technology GPRS),
2

BS

MS

HN

VLR/SGSN

MS

1. CAP

MME

BS

HN

GSM I

1. CAP
2. GUTI

LTE I

2. TMSI
3. User ID Request
4. IMSI

3. Identity Request
4. IMSI
5. IMSI, SNid,
Network Type

5. IMSI

GSM II

6. RAND, XRES, KC
.

GSM III

Generate RAND & SQN
MAC = f1(Ki, AMF, SQN, RAND)
XRES = f2(Ki, RAND), CK = f3(Ki, RAND)
IK = f4(Ki, RAND), AK = f5(Ki, RAND)
AUTN=SQNAK || AMF || MAC
KASME= KDF(CK, IK, SNid, SQNAK)
6. RAND, AUTN,
XRES, KASME

LTE II

Generate RAND
XRES = A3(Ki, RAND)
KC = A8(Ki, RAND)

7. RAND
RES = A3(Ki, RAND)
KC = A8(Ki, RAND)

7. RAND, AUTN

8. RES
Verify RES = XRES

GSM IV

LTE III

9. KC
Decide algorithms
9. Selected algorithms
10. CMComplete

AK = f5(Ki, RAND), SQN = 1st(AUTN)AK
Verify SQN in correct range
XMAC = f1(Ki, 2nd(AUTN), SQN, RAND)
Verify 3rd(AUTN) = XMAC,
RES = f2(Ki, RAND)
CK = f3(Ki, RAND), IK = f4(Ki, RAND)
KASME = KDF(CK, IK, SNid, 1st(AUTN))
8. RES
Verify RES = XRES

Fig. 1.

KNASenc = KDF (KASME, NAS-enc-alg, Alg-ID)
KNASint = KDF(KASME, NAS-int-alg, Alg-ID)
Decide NAS-Algs,
NAS-MAC = EIA(KNASint, (CAP, Algs))
9. CAP, NAS-Algs, [Nonces], NAS-MAC

GSM message sequence diagram [29], [15]
VLR/SGSN

BS

LTE IV

MS

HN

1. CAP

UMTS I

2. TMSI
3. User ID Request
4. IMSI
5. IMSI

UMTS II

Generate RAND & SQN
MAC = f1(Ki, AMF, SQN, RAND)
XRES = f2(Ki, RAND), CK = f3(Ki, RAND)
IK = f4(Ki, RAND), AK = f5(Ki, RAND)
AUTN = SQNAK || AMF || MAC

KNASenc = KDF (KASME, NAS-enc-alg, Alg-ID)
KNASint = KDF(KASME, NAS-int-alg, Alg-ID)
XNAS-MAC = EIA(KNASint, (CAP, Algs))
Verify XNAS-MAC = NAS-MAC
Start ciphering/deciphering
and integrity protection
10. NAS SMComplete
ciphered , integrity protected
KeNB = KDF(KASME)
11. CAP, KeNB

6. RAND, XRES,
CK, IK, AUTN

UMTS III

LTE V

7. RAND, AUTN
RES = f2(Ki, RAND), CK = f3(Ki, RAND)
IK = f4(Ki, RAND), AK = f5(Ki, RAND)
SQN = 1st(AUTN) AK
XMAC = f1(Ki, 2nd(AUTN), SQN, RAND)
Verify 3rd(AUTN) = XMAC
Verify SQN is in correct range

8. RES
Verify RES = XRES
10. CK, IK

UMTS IV

Decide algorithms ALG, Generate FRESH
MAC-I = f9((ALG, CAP FRESH), IK)

KeNB = KDF (KASME)
KRRCenc = KDF (KeNB, RRC-enc-alg, Alg-ID)
KRRCint = KDF(KeNB, RRC-int-alg, Alg-ID)
KUPenc = KDF (KeNB, UP-enc-alg, Alg-ID)
Decide AS-Algs, AS-MAC = EIA(KRRCint, Algs)
12. AS-Algs,
AS-MAC
KeNB = KDF (KASME)
KRRCenc = KDF (KeNB, RRC-enc-alg, Alg-ID)
KRRCint = KDF(KeNB, RRC-int-alg, Alg-ID)
KUPenc = KDF (KeNB, UP-enc-alg, Alg-ID)
XAS-MAC = EIA(KRRCint, Algs)
Verify XAS-MAC = AS-MAC
13. AS SMComplete
Integrity protected

Fig. 3.

LTE message sequence diagram [4]

9. ALG, CAP,
FRESH, MAC-I
XMAC-I = f9((ALG, CAP FRESH), IK)
Verify MAC-I = XMAC-I, Verify CAP

messages are transmitted as in GSM I. In comparison to
GSM, UMTS includes mechanisms for integrity protection.
Specifically, as part of block UMTS II (see Fig. 2), the HN
derives session keys for both encryption and integrity protection based on MS’s long-term secret key Ki. Like in GSM, MS
authenticates to the VLR/SGSN through a challenge-response
protocol using the authentication vector that the VLR/SGSN
obtained from HN. The authentication of the network to MS
is achieved indirectly, as the BS integrity protects the sending
of CAP which it can only do if it has received key IK from
HN via VLR/SGSN. This prevents a false base station attack.

10. SMComplete

Fig. 2.

UMTS message sequence diagram [3], [15]

that the attach request must have been executed previously.
The identity and CAPabilities (CAP) in the attach request or
the RAU request are used in the AKA procedure. Therefore,
in GSM I, the MS sends the identity and the CAP to the SN.
In GSM block II, the SN obtains authentication vectors from
the HN. In GSM III a typical challenge-response procedure is
carried out to authenticate the MS to SN. Then, in GSM IV,
the VLR/SGSN provides the BS with the session key Kc. BS
selects the encryption algorithm based on MS’s capabilities
and informs MS.

Overview of LTE Security Mechanisms. The LTE AKA
(Fig. 3) is built on the UMTS AKA. In contrast to UMTS
security, LTE introduces an enhanced key derivation hierarchy
that allows the distinguishing of protection mechanisms on
NAS and AS. Furthermore, inclusion of the id of SN as part of
the key derivation enables the MS to indirectly authenticate the
MME (through the successful use of derived keys). In addition,
LTE defines a comprehensive security context framework,
including native vs. mapped security contexts, full vs. partial
security contexts, and current vs. non-current contexts [4].
A security context typically consists of a set of security
parameters including cryptography keys and identifiers for
respective cryptographic mechanisms.

GSM is prone to a false base station attack [14] as the
GSM AKA only authenticates the MS to the SN. Since a false
BS can intercept and modify the sending of MS’s capabilities,
a false BS may force the use of no encryption thus enabling the
false BS to control all traffic between the MS and the network.
Overview of UMTS Security Mechanisms. Similar to
GSM, the UMTS AKA procedure can be triggered by the
attach request or the RAU request. In UMTS I, the same
3

the first block of the LTE AKA can contain an attach request or a TAU request. E XCERPT OF CLASSIFYING THE 243 INTEROPERATION CASES ( THE FULL TABLE IS IN [7]) Components VLR/SGSN ME BS /MME 4G 4G 4G 3G 4G 4G 2G 3G 4G .. we systematically enumerate all possible interoperation cases and classify them as allowed. while in LTE V the BS derives the keys to protect AS as well as user data. in the first block (LTE I’). a 2G VLR/SGSN can only control a 2G BS and only supports 2G AKA [6].g. The nonce in the TAU request is only used when mapping an UMTS to an EPS security context. a 3G BS requires the UMTS cipher key CK and the UMTS integrity key IK [6]— supporting only the 3G security mode set-up and operation [3]. Enumeration of Interoperation Cases. we have adopted a color/font scheme: Rows in normal font with no color indicate cases which are explicitly allowed based on the 3GPP specifications (e. the derived key is bound to a specific MME. the network can initiate an authentication procedure at any time [28]. if the network components are from different generations of technologies. since the MS does not know when the mapping will happen. UTRAN. In the following. Grey color and italic font indicates cases which are ruled out by the specifications (e. Green color and bold font indicates uncertain cases (e. and 4G AKA [30]. or uncertain based on various information in the 3GPP specifications for GSM. IV. Identity Module 4G . the combination of a 4G ME with a USIM supports 4G AKA.. and LTE. Furthermore. . LTE introduces a comprehensive framework for handling security contexts [4].. and a 4G ME supports GERAN. Given that LTE distinguishes between the protection of NAS and AS. LTE I’ will be used in one interoperation scenario (S8).g. Table I shows the details for five cases. A 3G VLR/SGSN can control both a 2G BS and a 3G BS and can support both 2G and 3G AKA [6]. and GSM.. III. UMTS. For the ME.. A 3G ME supports GERAN and UTRAN [6].... A 2G ME only supports GERAN [6]. Similarly.. However. which means a 2G BS only supports a 2G ciphering mode setting [29]... An MME can control a 4G BS and can support the 4G AKA [4].. . In LTE.. However. cases 2 and 3). it is also possible to use a 4G USIM with a 3G ME. A 3G HN can maintain 2G and 3G subscriptions [6]. we have identified 38 cases which are explicitly allowed by the 3GPP specifications. ID 1 2 3 4 . There are 19 such cases which are not further detailed in this paper as they have been analyzed previously [6]. the specification to date does not include details on what this AKA is to entail in case of interoperation of LTE.e. the ME. HN 4G 4G 4G 4G . A 4G ME can be used with a SIM [30] or USIM [4] and certainly with a 4G USIM. or 4G—thus resulting in 35 = 243 possible combinations. For the identity module. Similarly. the first block (LTE I) contains the transmission of the identity and the security capabilities of the MS. the VLR/SGSN/MME and the HN. Each one of those components can be 2G. the nonce is always included in the TAU request message 2 [30]... the id of the SN is an input to the key derivation. a 2G HN can maintain 2G and 3G subscriptions [6]. the case with ID 1). Condition to support Occurrence Reasons for Disallowance A1 A1 R5 the table. 4 .. an additional nonce NONCEMS is sent to the MME. the attach request must have already been executed [28]. disallowed. Before the service request or the NAS signalling connection establishing. The cases involving only 2G/3G components are marked with blue color and in bold italic font (e.. MME derives the keys which are used to protect NAS. If the AKA starts with a TAU request. For cases involving a mix of 4G..TABLE I. As discussed in Sect. i. 3G . A USIM supports both 2G and 3G AKA [6].. [16]. this implies that it is possible to also use a 4G USIM with a 2G ME. the master key KASME is derived and provided to MME together with the respective authentication vector. In order to improve readability of For the VLR/SGSN/MME.. it is possible to use a SIM or a USIM with a 2G ME [6]. 2 In LTE AKA. the SIM supports 2G AKA only [6]. this includes the mapping of security contexts in the case of interoperation of LTE with GSM or UMTS. Similarly. 3G. 3G. 122 . the proper use of keys derived from KASME indirectly authenticates the MME to MS.. Unlike in GSM and UMTS. a 4G USIM supports 2G. .. The MS does the corresponding key derivations in LTE IV and LTE V. 3G 3G 3G . Since a large number of USIMs is in current use. BS announces its choice of algorithms in LTE V as part of the AS SMC.g.. A 4G BS requires KeNB and only supports the 4G AS security mode command procedure and operation [4]. to the best of our knowledge. E STABLISHING A NATIVE SECURITY CONTEXT IN INTEROPERATION As mentioned previously. since a SIM or USIM can be used with a 3G ME.. case 122). UMTS. a 2G BS is only capable of handling a GSM session key Kc [6]. The LTE AKA can be triggered by the initial network attach request. Similarly.. the nonce is never used. [6]. For the BS.. For the HN. case 4).. A 4G HN can maintain 3G and 4G subscriptions [4]. If the AKA starts with an attach request. Since the 4G ME is capable of deriving LTE keys and storing security contexts [31]. 3G. Therefore.e. When a NAS signalling connection exists. . The specification defines the use of existing native or mapped security contexts and recommends the performing of an AKA procedure once a mapped security context is used.. In block LTE IV. Allowed Interoperation Cases. i. MME selects the respective algorithms to protect NAS (based on MS’s capabilities) and announces the choice to MS in LTE IV as part of the NAS Security Mode Command (SMC)..g.. and 2G network components. 3G . V we then focus on the allowed and uncertain cases only determining the specific AKA scenarios for each one of these cases. In Sect. For the disallowed and uncertain cases the table includes the details for the reasoning to determine the respective classification. the Tracking Area Update (TAU) request or the service request [28]. there are five main system components: the identity module. In particular. and E-UTRAN [30]. a 4G ME with the USIM is allowed to access the 4G network. So the first block is always LTE I. Since the 4G USIM is an enhanced version of the USIM. the BS.

Table I refers to these conditions under which they could occur: A1 A2 A3 A4 Components ID S1 S2 S3 S4 S5 S6 S7 GSM I–IV. the VLR/SGSN/MME might have to convert the encryption/integrity keys. V.. and the type of the identity module. While the first six (A. [16]. To the best of our knowledge. 3G . UMTS. R4 A 2G VLR/SGSN cannot control a 3G or 4G BS [6]. conv(Kc → CK IK. In particular. Scenarios S7..... LTE I k UMTS II–III k [optionally. Furthermore... VLR/ SGSN/ MME 4G 4G 4G . and S10 have blocks marked in brackets as optional. AKA SCENARIOS Focusing on the allowable and uncertain interoperation cases determined in the previous section. conv(CK IK → KASME . we now detail the respective AKA for each of these cases. 1. GSM I–IV. R2 A 2G ME cannot interoperate with a 3G or 4G BS [6]. In order to determine a suitable AKA for a specific interoperation case. Second. conv(CK IK nonces → KASME . UMTS I–III k GSM IV. A 4G HN can maintain 2G subscriptions. R3 A 3G ME does not support the 4G radio access interface [6].. or LTE III. An MME can support the 2G or 3G AKA. Table II provides the details for the eleven distinct instances for obtaining an authentication vector. In the following we focus on detailing Scenarios S7–S10. the latter ones are interpretations derived from specified methods. MME). S7. The blocks are as introduced in Figs. 2.. VLR/SGSN). and LTE we have determined which of the building blocks GSM I–IV. MME). UMTS I– IV. F) are based on methods described in the 3GPP specifications (mostly w.. the respective AKA was already specified by 3GPP in the context of enabling interoperation between GSM and UMTS (including the two native 2G and 3G scenarios as outlined in Sect. conv(CK IK → Kc. ME 4G 4G . Reason Stated in spec Interpretation AGKW BHV BINV . 4G ... VLR/SGSN). so we analyze versions with and without the block. E. LTE IV] k GSM IV.... as the 2G HN can only support 2G AKA.. C)” denotes that network component C converts key K1 into K2. C. this approach allowed us to categorize all allowable and uncertain interoperation cases into 10 distinct scenarios. we categorize the 105 allowable and uncertain interoperation cases into 10 distinct scenarios: An MME can control a 3G BS or a 2G BS. the authentication vector determines what kind of challengeresponse procedure is carried out. R7 A 3G ME with USIM attaching to a 3G BS shall only participate in 3G AKA and shall not participate in 2G AKA [3]. The notation “conv(K1 → K2.. For each case we provide the rationale based on which the building blocks are combined... MME). LTE IV] k UMTS IV..r. the type of VLR/SGSN/MME requesting/receiving the authentication vector. we consider the authentication vector that is generated in the HN and subsequently provided to the VLR/SGSN/MME. 4G .. For five of the scenarios... GKWX . first we consider which message might trigger the AKA to determine the messages transmitted in the first block. R6 An MME refuses to convert a GSM security context to 4G security context. HN .. LTE I–V. UMTS I–IV. Using this approach. Scenarios S1–S3 are discussed in Sect.S8 . S9. It is consistent with the specifications to either include or omit these blocks. Consequently. We found that the 3GPP specifications rule out 138 cases which include some 4G components. 4G . How and what kind of authentication Table III shows an excerpt of determining and categorizing the AKA for all of the 105 allowed and uncertain cases— including the respective reasoning to obtain the categorization (with reference to Table II). and 3. This is due to the fact that the specifications do not provide clear indication as to whether or not these cases are allowable. D. This rules out the case in which a USIM subscribed to a 2G HN is used in a 3G ME that connects to a 3G BS. R5 A 3G VLR/SGSN cannot control a 4G BS [6].. security context switching and mapping in LTE)... With notation “a k b” we indicate that block b follows after block a. III). Determining the Scenarios.. “AV = 4G AV + CK + IK” indicates that the 4G HN provides not only the 4G authentication vector to the MME but also includes the UMTS encryption key CK and integrity key IK... and LTE I–V need to be combined in what fashion to comprise a suitable AKA for the respective interoperation case. 5 . Uncertain Interoperation Cases. [15]. . B. Then.TABLE III. S10 UMTS I k LTE II–III k [optionally. For those cases. this rules out all interoperation cases which would require the deriving of the master key KASME from the GSM cipher key Kc [4]. The remaining 48 cases involving 4G components are classified as uncertain. S8 LTE I’ k UMTS II–III k LTE IV–V.. depending on the type of BS it controls.e.t.. Third. 91 .. AV = 4G AV + CK + IK. III). Scenario HN 4G 4G 4G . 1 2 3 . Table I refers to the following reasons for disallowing various cases: R1 Use of SIMs to access the 4G network is not allowed [4]. which determines the type of the security mode setup procedure... Specifically. BS 4G 3G 2G . LTE IV] k LTE V. T T . i. conv(CK IK → Kc. A 3G HN or 2G HN can maintain 4G subscriptions. Overall. Identity Module vector is generated by the HN depends on HN’s capabilities. based on the 3GPP specifications for GSM. whether GSM III. GSM I–III k UMTS IV. S3 S10 S9 . S9 GSM I k LTE II–III k [optionally. we consider the type of the BS. the type of BS. III and Scenarios S4– S6 coincide with scenarios described in the 3GPP specifications as well as prior work [1]. conv(3G AV → 2G AV). QU . [2].. UMTS III. the other four are new and are specified for the first time in this paper. E XCERPT OF DETERMINING AKA SCENARIOS AND RESPECTIVE REASONING ( FULL TABLE IN [7]) Disallowed Interoperation Cases. AV = 4G AV + CK + IK. One of the remaining five scenarios is the native 4G AKA (see Sect..

the 4G HN always generates and delivers the 2G AVs [Derived from F]. the 4G HN generates 3G AVs [4] [or derived from D]. 4. Two of the allowable/uncertain cases fall into this category. the 3G HN always generates and delivers the 2G AVs [6]. 3G BS only supports 3G SMC [6]. In this interoperation scenario. Upon request by the MME. The MME sends the integrity protected SMC message containing the nonce NONCEMS received from the MS and the nonce NONCEMME . This scenario is characterized by the same cases as in S7. LTE V is executed. which is derived from the KASME . IK. So the transmitting of the identity and the capabilities is as in GSM I (Fig. The first variation sticks to the LTE AKA as long as possible (i. the 2G cipher mode setting procedure GSM IV (Fig. [31] XG ME supports XG SMC [4]. Because the 4G BS requires KeNB . plus CK and IK (separation bit = 0) [4]. the 4G HN generates and delivers the 4G AVs (separation bit = 1) [4]. 3) is executed which includes the deriving of KeNB . S8. This scenario is characterized by a 4G ME. the first block is GSM I or UMTS I [27]. 3) is executed between the MS and the MME. Upon receiving the SMC message. we analyze both variations and show that the AKA without LTE IV is prone to an attack in which a false base station can both eavesdrop and modify the messages between the MS and the SN. 2G BS only supports 2G SMC [6]. Four of the allowable/uncertain cases fall into this category. but cannot generate 4G authentication vectors. The 4G ME supports to derive KASME and store the security contexts. 4G BS and 4G MME) and a USIM or 4G USIM identity module subscribed to a 3G HN. Upon request by a 3G VLR/SGSN.. 2G BS is not capable of handling of cipher and integrity keys. Subsequently. 2G HN only supports to generate 2G AVs [6]. the LTE challenge-response procedure LTE III (Fig. the 4G HN generates and delivers the 4G AVs. Executing both LTE IV and V prevents this attack. the 3G HN generates 2G AVs from 3G AVs [Derived from D]. Upon request by a 2G VLR/SGSN with a 4G IMSI. Including LTE IV is optional in this scenario. Triggered by TAU request and the nonce is used in latter blocks.e. the VLR/SGSN/MME generates them from Kc by applying conversion function c3 [6]. the MS uses the same key derivation function as in the MME to derive the KASME and sends out the SMC complete message. 4G ME supports 2G/3G SMC [Derived from L] The 3G BS requires CK and IK. a 4G SN (i. Upon request by a VLR/SGSN/MME with a 2G IMSI. 4 shows this AKA scenario without LTE IV. Because the 2G BS requires the GSM session key Kc. IK and sends it to the BS [Derived from M or [4]]. Triggered by attach request or RAU request. LTE V (Fig. When the MME requests the authentication vector from the HN by sending the IMSI and the network type. IK) KASME = KDF(CK. LTE IV added before LTE V S9. The retrieving and generating of the authentication vector and the challenge-response procedure are the same as in S7. The 3G HN can generate 2G or 3G authentication vectors.e. Upon request by an MME with network type equals UTRAN or GERAN. we consider the two variations with and without LTE IV (Fig. the MME derives the encryption key Kc from the UMTS cipher key CK and integrity key IK. Because the NAS signaling is transparent to the BS.e. until executing LTE IV before setting up the cipher between the MS and the BS). the first block is LTE I [4]. 3). the first block is LTE I’ [28]. Upon request by an MME. the 4G HN generates 2G AVs from UMTS AVs [Derived from D]. Because the 2G BS covers routing areas. 1) is executed between the 2G BS and the MS—which S7. the 3G HN generates and sends out 3G AVs [3]. AKA scenario S7. 1). the MME generates a nonce NONCEMME and 6 . Later we show that the AKA without LTE IV is prone to a false base station attack and the AKA with LTE IV is prone to an attack against the CMC message between the 2G BS and the MS. A B Type of AV Type of BS Type of ME Conversion First Block C D E F O P Q R S G H I J K L T M N U V W X 4G ME with USIM R EASONS USED FOR DETERMINING AKA SCENARIOS Upon request by an MME with network type equals E-UTRAN. UMTS I UMTS II UMTS III KASME = KDF(CK. the initial message can be the attach request or the RAU request. Upon receiving the authentication vector. because the network type is GERAN (because of the 2G BS). the MME applies a key derivation function to generate the local master key KASME from the UMTS encryption key CK and integrity key IK. If the check successes. the MME communicates with the MS as in UMTS III. Fig. which are derived from the intermediate key KeNB . 4G BS only supports 4G SMC [4]. [30]. Upon request by a 2G VLR/SGSN with 3G/4G IMSI. 4G BS MME 3G HN uses it with the CK. IK) LTE V Fig. 3). The other one goes to set the cipher between MS and the BS as soon as finishing the challenge-response procedure (without executing LTE IV). the VLR/SGSN/MME generates KASME from the CK. The identity request and response procedure is the same as in LTE I (Fig. In LTE IV. Upon request by a 2G VLR/SGSN with a 3G IMSI. the MS supports 4G AKA. the 3G HN therefore generates and delivers a 3G authentication vector which thus is identical to UMTS II. the 4G HN generates and delivers the 4G authentication vector with the UMTS cipher key CK and integrity key IK. The AKA is triggered by the attach request.. This scenario is characterized by a mixed SN including a 2G BS and a 4G MME as well as an MS that is subscribed to a 4G HN where either the identity module is a 4G USIM or it is a 4G ME. The VLR/SGSN/MME converts the CK and IK into Kc [6]. the MS checks whether the NONCEMS and the capabilities match what it originally sent in LTE I’. Later. The 4G BS requires 4G AS keys. [3] 3G ME supports 2G SMC [6]. and NONCEMS as input parameters to derive the KASME .TABLE II. The difference to S7 is that this scenario is triggered by the TAU request and the NONCEMS in the TAU request is used in LTE IV. Upon request by a 3G VLR/SGSN. the 3G HN generates 3G AVs [Derived from E and [6]]. Since only the 2G cipher mode setting is supported by the 2G BS.. [28] Triggered by LTE attach request or TAU request in which the nonce is never used. i. in alternate version. the 3G HN generates 2G AVs from 3G AVs [6]. Upon request by a VLR/SGSN/MME with a 2G IMSI. Because the intermediate key KeNB is derived from the local master key KASME .

or having found a possible or definite attack. 5. x3 ) ) . the 4G HN generates and delivers the 4G authentication vector as well as the UMTS encryption key CK and integrity key IK. query x1 : i d e n t . our analysis considers all cases. Ki). The roaming models are discussed in Sect. x2 . pre-sharing of each long-term credential pair (IMSI. . x3 : asmeKey . enableEnc)) Verify XNAS-MAC = NAS-MAC event begSN(imsi_ms. SNid S10. x3 : asmeKey . and absent in 2G. 2). 3. VI. There are four main processes in our PV model. so the initial message can be the attach request or a RAU request. with argument value M. kasme_ms. (Integrity protection is mandatory in 3G/4G. Here are some design decisions that apply to all of our models. x3 ) ) event ( begSN ( x1 . is modeled using PV’s table construct. snid_sn. The 3G BS obtains the UMTS encryption key CK. model Part of the 4G AKA scenario (Fig. The process awaits a message on the public channel. It also shows the name of the variables which are used in our model. query x1 : i d e n t .) Decide enableEnc?. a mixed SN consisting of a 3G BS and a 4G MME. our models simply do not re-use AVs. (CAP. The MS then sends out the SMC complete message which is ciphered if the encryption is enabled and integrity protected (lines 43–51). event ( endSN ( x1 . The registration process of the MS device is in lines 22–24. x2 : i d e n t . Sequence numbers aid in preventing re-use of authentication vectors. Because the access network is UTRAN. kasme_ms) 10. as well as the capabilities as part of UMTS IV (Fig. which facilitates checking that the models accurately reflect the protocol diagrams. RES = f2(Ki. together with our analysis results. query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . KNASint = KDF(KASME. the eNB. Lines 28–29 model that the MS receives and checks the authentication challenge message. x4 : bool . (CAP.e. Lines 46 and 52 call a parameterized process which specifies the AS SMC procedure in lines 3–11 and receives the data message in lines 18–19. 2)—which also includes the UMTS security mode set-up procedure between the 3G BS and the MS. RES Verify RES = XRES KNASenc = KDF (KASME. x2 : i d e n t . Fig. NAS SMComplete If enableEnb then ciphered . the LTE challengeresponse procedure LTE III (Fig. enableEnc. kasme_sn. Properties are specified as correspondence assertions [32] that refer to events. Details of the GSM and UMTS models can be found in [16]. CAP. the MME and the HN respectively. 5. the transmitting of identity and capabilities is as in UMTS I (Fig. In the LTE protocol. snid_sn.) Because the value is nondeterministically chosen. This scenario is characterized by a 4G HN. then event e2 must have happened previously with the same argument M. the MME sends the authentication data request with the IMSI and the network type to the 4G HN. which is also specified using this message. Three of the allowable/uncertain cases fall into this category. KNASint = KDF(KASME) XNAS-MAC = EIA(KNASint. In checking an assertion. For example. snid_ms. which suffices to specify the secrecy of data traffic. the MS receives the NAS SMC message and verifies the integrity and the received capabilities. the LTE IV is optional.LTE III XMAC = f1(Ki.. specifically Blocks III and IV from Fig. In addition. Subsequently. The 4G model in ProVerif. Later we show that the authentication properties hold in both variations. Following authentication. The 3G BS covers routing areas. representing the behavior of the MS. nonce. the MS supports 4G AKA. In lines 38–39. 3) is executed between the MS and the MME.). and we use standard idioms in our modeling. Fig. Each message has a header to indicate the type of the message content. i. x2 . RAND) MAC = XMAC. so they do not appear in Fig. NAS-MAC event endMS(imsi_ms. We give here a brief overview of our design decisions followed by a few details concerning the LTE model. the UMTS integrity key IK.e. IK. Thus. RAND). a single data message is included.) 8. In our model. query a t t a c k e r ( s e c r e t ) . RAND) CK = f3(Ki. The capability is a nondeterministically chosen boolean value interpreted to mean whether the MS has encryption capability. the MME. VII. with respect to unbounded message space and number of sessions. SNid. RAND) KASME = KDF(CK. integrity protected otherwise integrity protected event endSN(imsi_sn. Registration of the MS. Instead of modeling sequence numbers. rand ms). protocols are defined using process algebra. BS MS also includes the MME sending the GSM session key to the 2G BS. PV may terminate having successfully proved the property. The secrecy and authentication properties are specified as follows. 5 shows the details of part of the model. the MS already has the SN id before starting the AKA shown in Fig. RAND. cap_ms) LTE IV KNASenc = KDF (KASME). Fig. cap_sn) 9. As in scenarios S7 and S9. and the HN are similar to this (see [7]). M ODELING AND ANALYZING THE PURE PROTOCOLS IN P ROV ERIF The ProVerif (PV) tool has been described well elsewhere. enableEnc)) event begMS(imsi_sn. 3) annotated in accord with our long version of the paper we consider integrity of data traffic. as well as an MS that is subscribed to a 4G HN where either the identity module is a 4G USIM or it is a 4G ME with a 3G USIM. i. In the MME 7. 6 shows the code of the MS process. In order to obtain an authentication vector. kasme_sn) Fig. snid_ms. In PV. AUTN. We do not model details of algorithm capabilities/selection. we add the SN id to the authentication challenge (message 7). 1 2 3 4 5 6 7 query a t t a c k e r ( payload ) . IK = f4(Ki.our model omits sequence numbering and the key AK.. 3. Events are instrumentation that mark important points reached by the principals and have no effect on protocol behavior. with designated format and particular values: the format must be (msgHdr. The other three processes representing the BS. 5 shows the events for correspondence assertions. The secure communications between SN and HN are modeled as private channels. mac. the correspondence assertion event(e1(M)) event(e2(M)) says that if event e1 occurs. NAS-MAC = EIA(KNASint. The complete models are available with the long version of the paper [7]. ident) where msgHdr is the literal CHALLENGE and the mac must equal f1( ki .

cap ms : bool ) = l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n i n ( pubChannel . knasint ms ) ) ) . In this section. s e n c i n t a s ( s e c r e t . MME). x2 : enbKey . kasint ms ) ) ) . query line 2. x2 . l e t knasenc ms = kdf nas enc ( kasme ms ) i n l e t knasint ms = k d f n a s i n t ( kasme ms ) i n i n ( pubChannel . x3 ) ) event ( begMS ( x1 . 4 with details of the PV model and shows the locations of the events which are used to specify authentication and conditional payload secrecy. s e n c i n t n a s ( s e c r e t . cap ms ) . One of them is the pure 4G AKA. knasint ms ) ) ) . MS process for LTE event ( endMS ( x1 . knasenc ms ) . These authentication properties are proved successfully. event endMS ENB( imsi ms . 5 of them are the same scenarios as in the roaming cases of GSM and UMTS. it includes authenticity of the security capabilities. x2 . x2 : cipherKey . not shown in Fig. To test the secrecy of the keys. Where it is convenient. k i ) . l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . i n ( pubChannel . senc up ( s e c r e t . This refers to event endSN placed following message 10 (Fig. event ( endMS ( x1 . = f i n t e g n a s ( ( enableEnc nas ms . x2 : enbKey . for which the models and analysis appears in [16]. kasenc ms ) ) . query line 10 says that if eNB believes that it has established the KeNB associated with an MS using the particular IMSI. pMSAS( kasme ms . PV proves conditional secrecy and key secrecy. i f enableEnc nas ms = f a l s e then out ( pubChannel . cap ms ) . rand ms : nonce . x3 ) ) event (begMS ENB( x1 . event begENB ( imsi ms . = f i n t e g a s ( datamsg . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . kasme ms . out ( pubChannel . enableEnc nas ms : bool . kasint ms ) ) ) . If the assumptions that underly our scenarios for uncertain cases turn out to be wrong. (=NASSMC. cap ms ) . imsi ms ) ) . ( NASSMComplete . it is authentication of MS to MME implies authentication to eNB as well. V. x3 : bool . 7 elaborates the scenario in Fig. cap ms ) ) . l e t res ms : resp = f 2 ( k i . then indeed there is an MS that reached that stage of its protocol role. out ( pubChannel . i n ( pubChannel . M ODELING AND ANALYZING INTEROPERATION IN P ROV ERIF Scenario S7: LTE I k UMTS II–III k [LTE IV] k LTE V. cap ms ) else out ( pubChannel . x3 . The secrecy and authentication properties are specified similar to the ones in the 4G model: 1 2 3 4 5 6 query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . pMSAS( kasme ms . Conditional secrecy (query Authentication of the MS to the MME is specified in query lines 4–5. x3 ) ) . ( ASSMComplete . x3 : bool . knasint ms ) ) ) . imsi ms : i d e n t . imsi ms . for the MS in LTE we factor out a process that models the first four blocks of LTE. we use sub-processes in our PV models to express this structure. kenb ms . and then summarize results for all 10 scenarios. As in pure 4G. plain secrecy of the message payload does not hold because the attacker can always learn the payload if the MS is not capable of encryption. ( NASSMComplete . conv(CK IK → KASME . (=CHALLENGE. for that IMSI and KeNB . datamsg : b i t s t r i n g . knasint ms ) ) . says that if the attacker obtains the secret payload then the event disableEnc must have previously taken place —this is proved by PV. f i n t e g n a s ( nas smcomplete msg . kupenc ms ) ) . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . (CAP. kasint ms ) ) . knasenc ms ) ) . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . knasenc ms ) . sencrypt nas ( s e c r e t . x2 ) ) . which are composed to form the interoperation scenarios in Sect. 6. out ( pubChannel . The authentication of the eNB to the MS is specified in query lines 8–9. query x1 : i d e n t . query x1 : i d e n t . out ( pubChannel . snid ms . new k i : key . Conditional secrecy. res ms ) ) . For example. 6) under each of the keys and sends the ciphertexts on the public channel (lines 43–44 and 17–19). Because communication between eNB and MME is assumed secure. VI. which is modeled and analyzed in Sect. with minor modifications (adding conversion functions that enable a BS to perform a particular SMC procedure.1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 challenge and successful use of the keys derived from KASME . event ( endSN ( x1 . ( ID . (=MSG. x3 . i n s e r t keys ( imsi ms . kenb ms ) . Fig. Authentication of the MME to MS is specified in query lines 6–7. The encryption capability is included in the parameters of the events to specify that the events should agree on the encryption option. snid ms ) i n event begSN ( imsi ms . x2 . l e t pMSAS( kasme ms : asmeKey . out ( pubChannel . out ( pubChannel . 5) so that it follows both verification of the 8 . x4 ) ) . out ( pubChannel . processMS Of the 10 AKA scenarios. we can easily combine these sub-processes and other code fragments that correspond to blocks. nas smcomplete msg . x4 ) ) event ( begMS ( x1 . III we annotate the protocol diagrams to mark “blocks” of message exchanges. rand ms ) . f i n t e g a s ( as smcomplete msg . x3 ) ) . sencrypt nas ( nas smcomplete msg . 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 l e t processMS = new imsi ms : i d e n t . kasint ms ) ) ) . To make the PV model for an interoperation scenario. However. The payload can be learned by the attacker when the MS is not capable of encryption. enableEnc as ms : bool . as smcomplete msg . cap ms ) . Most of the code in this model is inherited from the 4G model and the UMTS model. Fig. x2 : enbKey . we expect to be able to easily model the corrected scenarios as well. event (endMS ENB( x1 . snid ms : i d e n t ) ) . x2 . out ( pubChannel . x2 . x3 : i n t e g K e y . snid ms . x2 . the blocks already include events and the queries are easily adapted from queries for the pure protocols. = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . In Sect. we discuss the models of the 4 new scenarios. as a sanity check on the model. event ( endENB ( x1 . = f 1 ( k i . (RES. event endMS ( imsi ms . x2 ) ) event ( begENB ( x1 . the MS encrypts a fresh secret (a private free name in the code. and adding keys to the AV in S9 and S10). =cap ms . s e n c r y p t a s ( s e c r e t . x3 ) ) . This process is reused in the models for scenarios S9 and S10. and indeed PV finds violations of the secrecy property in query line 1. (=ASSMC. query a t t a c k e r ( s e c r e t ) . query x1 : i d e n t . x2 . query x1 : i d e n t . kasme ms ) . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . kasenc ms ) i n 0 . 7 8 9 10 VII. x3 ) ) event ( begSN ( x1 . ik ms . imsi ms . and query line 3 tests the secrecy. f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . For security specifications. x2 .

cap_sn) S7 w/ LTE IV S8 S9 w/ LTE IV 8. AS-MAC KeNB = KDF (KASME). RAND) XRES = f2(Ki. there is no integrity protection on the user plane traffic. Because the SMC message does not contain the received MS’s capabilities. Scenario S8: LTE I’ k UMTS II–III k LTE IV–V. The attacker intercepts and modifies the capabilities of MS to no-encryption to force the 4G BS to choose not to use encryption. IMSI. This attack would be detected once the MS sends unencrypted messages to the BS. C ONCLUSION In this paper we study authentication and key agreement (AKA) for interoperation among GSM. conv(CK IK → Kc. KRRCenc = KDF (KeNB) KRRCint = KDF(KeNB). IK) KASME = KDF(CK. KUPenc = KDF (KeNB) XAS-MAC = EIA(enableEnc. annotated in accord with our model Scenario S10: UMTS I k LTE II–III k [LTE IV] k UMTS IV. cap_ms) 9. if no encryption {payload}_KRRCenc. A NALYSIS RESULTS XRES. RAND) event begSN(imsi_ms. Authentication of the SN to the MS is specified in lines 5–6. AUTN=MAC 4. The attack found in scenario S7 without LTE IV is similar. Analysis Results. of BS to MS known false base station attack Proved Proved known false base station attack Proved known false base station attack false base station attack Proved Decrypt message if enableEnc_ms is true violated because the BS could choose to disable encryption when communicating with the MS.MME 4G BS 4G ME with USIM TABLE IV. ik_ms) 6. RAND). RAND. we consider all combinations of the five relevant system 9 . i. although there was a begMS event. This attack will be detected by the BS once the MS sends messages to the BS. ck_ms. PV finds an attack that violates the property. the attacker can both eavesdrop and modify the messages. In the models (with or without LTE IV) of this scenario. CAP. the attacker modifies the CMC message (which is not integrity protected) to tell the MS to use no encryption. the BS has to choose not to enable encryption. version without LTE IV. When the BS decides which algorithm to use. The attacker intercepts the capability message sent by the MS and replaces the capabilities with different ones. ik_sn) KASME = KDF(CK. ck_sn. 7. of MS to VLR/ SGSN/MME Auth. in S1 and S4. AUTN. RAND) CK = f3(Ki. In the model of scenario S9 without LTE IV. KeNB KeNB = KDF(KASME) LTE V KeNB = KDF (KASME). the false base station attack on the AKA without LTE IV is found when checking the authentication of the BS to the MS. the attacker intercepts the CAP message and modifies the capabilities of the MS as no-encryption. it has a different value for capabilities. so the attack can both eavesdrop and modify the data traffic. AS-MAC = EIA(enableEnc. CK = f3(Ki.. CK. RES Verify RES = XRES event endSN(imsi_sn. the MME uses the key conversion function fun c3(cipherKey. In the attack. RAND) MAC = XMAC. In this attack. the property is proved. enableEnc. the MS has no way to confirm whether the SN receives the correct capabilities. As in other scenarios. we find the known false base station attack [1] which has the same attack scenario as in the native GSM AKA. Because the subsequent traffic between the MS and the 2G BS is not encrypted nor integrity protected. UMTS and LTE. 3G HN LTE I 1. To determine the AKA procedures in each interoperation case. AUTN UMTS III XMAC = f1(Ki. Authentication of the MS to the SN is specified in lines 3–4 and is proved. MME). Scenario S9: GSM I k LTE II–III k [LTE IV] k GSM IV. RAND). Table IV gives results for all the 10 scenarios. RAND. integKey): gsmKey to derive the GSM session key from the UMTS cipher and integrity keys. Secrecy of keys (line 2) is also proved. conv(CK IK nonces → KASME . Although integrity protection is mandatory for the signaling traffic of 4G BS. RAND) IK = f4(Ki. Authentication scenario S7. ProVerif proves all the properties except the payload secrecy. RES = f2(Ki. kenb_ms. AV = 4G AV + CK + IK. ProVerif proves all the properties except the payload secrecy. IK) 7. In the model with LTE IV. IMSI 3.MAC = f1(Ki.e. KRRCint) Verify XAS-MAC = AS-MAC S9 w/o LTE IV S10 w/ LTE IV S10 w/o LTE IV event endMS(imsi_ms. we find an attack in which the attacker simply modifies the CMC message to tell the MS to use no encryption. For the version without LTE IV. MME). of VLR/ SGSN/MME to MS Scenario Conditional secrecy Key secrecy S1 Proved Proved Proved N/A S2 S3 Proved Proved Proved Proved Proved Proved N/A Proved S4 Proved Proved Proved N/A S5 Proved Proved Proved N/A S6 Proved Proved Proved N/A S7 w/o LTE IV Proved Proved Proved N/A Proved Proved Proved Proved Proved Proved Proved Proved Proved Proved Proved Proved Proved CMC attack Proved Proved Proved N/A known false base station attack Proved Proved Proved Proved Proved Proved Proved Proved N/A Proved Generate RAND . The event endMS is executed after the MS receives the SMC message. the payload secrecy could be In the model of scenario S9 with LTE IV. Fig. IK = f4(Ki. PV detects the violation because. For the version with LTE IV. payload. kenb_sn. RAND). otherwise Auth. AS SMComplete Integrity protected 10. KRRCenc = KDF (KeNB) KRRCint = KDF(KeNB). Because the BS is the GSM BS. IK 5.CAP 2. VIII. KRRCint) event begMS(imsi_sn. IMSI UMTS II Auth. line 1) does hold. an attack is found when checking the authentication of the BS to the MS. AV = 4G AV + CK + IK. KUPenc = KDF (KeNB) Decide enableENC.

” in Cryptographer’s Track at the RSA Conference (CT-RSA). 3gpp. Warinschi. Universal Mobile Telecommunications System (UMTS). Mobarhan.” in ESOP. focusing in this paper on authentication and secrecy properties. the desired authentication and secrecy properties are proved (in the symbolic model of perfect crypto. “Authenticity by typing for security protocols.D.” Journal of Computer Security. P. “The real-time cryptanalysis of A5/2. 1–6. 4. and LTE protocols. “Security weaknesses in Bluetooth. 2010. Security architecture. Darmstadt University of Technology. Salahi.8.” IACR Cryptology ePrint Archive. E. and G. we identify and justify a particular AKA scenario built from elements (“blocks”) of the pure GSM. 90–97. “Automated formal analysis of a protocol for secure file sharing on untrusted storage. “Analysis of authentication and key establishment in inter-generational mobile telephony (long version). D. “3GPP TS 33. SIM/USIM internal and external interworking aspects. 4. Redon. pp. The attack is prevented by including block LTE IV. A. Another attack. Shahbahrami. no. M. Digital cellular telecommunications system (Phase 2+). Wetzel. B.” in FCS-ARSPA.401 version 11. 176– 191.-K. dissertation. “Anonymity guarantees of the UMTS/LTE authentication and connection protocol. “Instant ciphertext-only cryptanalysis of GSM encrypted communication. on one version of scenario S7. and N. N.” in DuD Datenschutz und Datensicherheit. 2009. A. 2000. pp. Mjølsnes. Wetzel. “A man-in-the-middle attack on UMTS.htm. N.. “Symbolic analysis for security of roaming protocols in mobile networks. 2009.cs. Cryptol. LTE.102 version 11.4.301 version 11. “Attack. March 2008. Z. M. Naumann.” http: //www. [25] [26] [27] [28] [29] [30] [31] [32] 10 S.” J.. 2009. 2009. “Evaluation of security attacks on UMTS authentication mechanism. “Security analysis of handover key management in 4G LTE/SAE network. pp. no. Mobile radio interface layer 3 specification (GSM 04.htm.iacr. W. Chang and V.0 Release 11. A.-D. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS). D. Arapinis. Barkan. Keller. pp. Kremer and M. B. M. 2010. with unbounded sessions) for all other cases. E. D. G. [10] [11] [12] [13] It turns out that 10 scenarios are needed to cover all the 105 possible interoperation cases. as well as across the technologies. 3gpp System Architecture Evolution (SAE). For the scenarios involving LTE. pp. Universal Mobile Telecommunications System (UMTS). We also are interested in exploring the interworking between 4G and non-3GPP networks. 2004.” in IEEE Symp. LTE. LTE. Chaudhuri. J. Indoor and Mobile Radio Communications. Report 2000/052. Naumann. Goldberg. Salimi.0. 2013. Universal Mobile Telecommunications System (UMTS). M. C. A. J. solution and verification for shared authorisation data in TCG TPM.” http://www. pp. “Secure roaming and handover procedures in wireless access networks. 2012.3gpp.org/ftp/Specs/html-info/33102. Choi.401 v10. Blanchet and A. 4.4. org/. WTS 2009. M.” in Wireless Telecommunications Symposium. [14] [15] [16] We model and analyze pure LTE and the 4 new AKA scenarios involving LTE components. 205–216. Mobarhan. Forsberg.” Ph. Shmatikov.0 Release 11. Blanchet. UMTS. However. we find three attacks. One is the false base station attack which is inherited from the GSM system and is also found in GSM-UMTS interoperation.htm. “Analysis of an electronic voting protocol in the applied pi calculus.” in ACM WiSec.org/ftp/ Specs/html-info/23401. Ltd. Shamir.org/ftp/Specs/html-info/33401. Fox. based on information about component compatibility gleaned from the standards documents. and LTE. B. “3GPP TR 31.org/ftp/Specs/html-info/31900.” in ACM CCS. 17. Stage 2. [17] [18] [19] [20] [21] For further work. C. O. vol. and S. Chen and M. S. Some cases are classified as uncertain. C. Jakobsson and S.org/ftp/Specs/html-info/24301. “3GPP TS 23. 2004.0 Release 1998). “A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. pp.” http://www. D. is a similar false base station attack but with a 4G BS. and A.0 Release 11. “Cryptanalysis of alleged a5 stream cipher.0. for lack of definite information in the standards. “Automatic verification of correspondences for security protocols. “Cryptanalysis of the A5/2 algorithm.08 version 7. Tang. Jul. In most cases. Biham.” Rumpsession of CRYPTO. . “Formal analysis of authentication in Bluetooth device pairing. Fster-Sabater.5. a few cases have two feasible versions of the scenarios which differ by whether block LTE IV is included or whether the nonce in TAU request is used.4. I. “TS 23. General Packet Radio Service (GPRS). Gordon and A. ——. and A. 363–434. 5 involve just GSM and UMTS and were identified previously (see Sect. 65–76. L. “New attacks on UMTS network access.” International Journal of Network Security & Its Applications.htm. Universal Mobile Telecommunications System (UMTS). 201–216. 21. Ahmadian. 451–520. Stage 3. D.” in SecureComm 2011 : Seventh International ICST Conference on Security and Privacy in Communication Networks.” 1998. and A. 1999. Wagner. N. 2003. Springer. “New privacy issues in mobile telephony: fix and verification. on Sec. Han and H. Meyer and S. pp. K. “Der IMSI catcher. Jeffrey.htm.” in Formal Aspects in Security and Trust. and S. U.stevens. M. 2002.” http://www.0 Release 11. one is the pure LTE. Petrovic and A. F. [22] [23] [24] R EFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] U. Of these scenarios. L. the AKA scenario is completely determined by the components involved.pdf. “On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. ACM. J. 2007. IEEE. Security architecture . Germany. Smart. Horn. vol.-F. “A vulnerability in the UMTS and LTE authentication and key agreement protocols. “3GPP TS 24.org/ftp/Specs/html-info/23060. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. L. E.3gpp. S. 2012. For each possible (allowed or uncertain) interoperation case.components. http://www.” 2013. Golic. pp.0 Release 11 Digital cellular telecommunications system (Phase 2+).” http://www. vol. Moeller. Universal Mobile Telecommunications System (UMTS). “3GPP TS 33. 2008. A. Ryan. II). LTE. Tang.3gpp. In the third attack on the AKA of scenario S9 with LTE IV.” in CRYPTO. and V. 392–429. Keller. Golde. Dunkelman. and Priv. 2011. G.” Cryptology ePrint Archive. 2005.” in EUROCRYPT. p.edu/∼naumann/pub/ TangNaumannWetzel2013. and R.htm. the CMC message is modified. http://eprint. 3G security. Ritter. vol. we would like to analyze the handover in GSM. UMTS. Watson. Wetzel. pp. Service description. We classify some cases as allowed or disallowed. Aside from these attacks.” 2012. D.3gpp. Niemi.” Journal of Computer Security. 186–200. Wetzel. 1997. LTE. Lee. 27. Ryan.3gpp. Meyer. 2012. the remaining 4 are new. John Wiley and Sons. Borgaonkar. Tsay and S.0. 2001. Mancini.” in Computer Network Security.” http://www. R. LTE Security.” in IEEE Symposium on Personal. Ryan. D.060 version 11. 2005. using ProVerif. “Digital cellular telecommunications system (Phase 2+).900 v11. Digital cellular telecommunications system (Phase 2+).

R4 R2. IV. A3 R2 R2 A1. A3. R3. D gives the complete code. C presents the models of the scenarios and Sect. A4 R2. R4 R2. R4 R4 A2 R3 A1. R5 A2. part 1 of 7 11 Table of cases. Green color and bold font indicates the uncertain cases. A3 R3 A1. part 2 Condition to support Occurrence Reasons for Disallowance A2 A2 R3. A4 R5 A2 A2 R4 R4 A2 R6 A1. R4 . ME 4G 3G BS VLR/SG SN/ MME HN 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G Condition to support Occurrence Identity Module 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 4G 68 USIM 69 70 71 72 73 74 75 76 77 78 79 80 Reasons for Disallowance A1. rows in normal font with no color indicate the allowed cases. A2. Components ID Identity Module 1 2 3 4 5 6 7 8 9 10 11 12 13 14 4G USIM 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 4G 34 USIM 35 36 37 38 39 40 Fig. A2. A gives the complete table of cases and Sect. A3 R3. 9. A4 A1. A4 R5 R4 R4 A2. A2. A4 R5 A2. A4 A1. A4 A1. A3 R4 R4 A2. IV and the list of conditions A1–A4 at the end of Sect. A4 R2. A3. A4 A1. A2. R5 R2 A2 R2. R5 Fig. A4 A1. Blue color and bold italic font indicates the cases involving only 2G/3G components. R4 R2. A2. A2. A3. A2. A2. A3 A2. A2. R5 R2 R2. B gives the complete table of scenarios. Sect. A3 A2. A2. A4 R3. Grey color and italic font indicates the disallowed cases. A4 R3. R4 R2 R2 A1. A3 R2. A4 A1. A PPENDIX A TABLE OF CASES Figures 8 – 14 show the classification the 243 interoperation cases. R4 R4 R3 A1.A PPENDICES Sect. A4 ME 3G 2G BS VLR/SG SN/ MME HN 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G R3. R5 R2 A2. A3. R4 A2 R2 R2 A1. A4 R2. The table makes reference to the list of reasons R1–R7 in Sect. R5 Table of cases. R4 R4 A2. 8. A3. A4 A1. Components ID As stated in the main body of the paper.

A4 R2. A4 A1. A4 R3. A4 R3. A4 R2. 11.Components ID Identity Module 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 USIM 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 USIM 115 116 117 118 119 120 Fig. R4 R2 R2 A1. 10. R5 R2 R2. R5 R3. ME BS VLR/SG SN/ MME 2G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 4G 3G HN 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G Condition to support Occurrence Components Reasons for Disallowance ID Identity Module 121 122 123 124 125 126 127 128 USIM 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 USIM 149 150 151 152 153 154 155 156 157 158 159 160 A2. A4 R5 A2 A2 R4 R4 A2 R3 A1. A4 Table of cases. 12 ME 3G 2G BS VLR/SG SN/ MME HN 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G Table of cases. R4 R2 R2 A1. A4 A1. A4 A1. R4 R2. R4 R2. A4 R5 A2 A2 R4 R4 A2 R6 A1. A4 A1. A4 R5 R4 R4 A1. R4 R4 R2 R2 A1. A4 A1. A3 A1. R4 . R5 R2 R2. R5 R2 R2. R4 R4 R3 A1. A4 R2. R5 R3. A4 A1. A4 A1. part 4 Condition to support Occurrence Reasons for Disallowance R3. R4 R4 R3 A1. part 3 Fig. R5 R7 R3.

R5 R1. 12. R4 R1. R2. R2 R1 R1. R4 R4 R1. R2. R2. R4 R1 R1 R1 R1. R4 R1. R4 R4 R1. R5 R1. R2. R2 R1. R2 R1. R5 R1. ME 2G 4G 3G BS VLR/SG SN/ MME HN 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G Condition to support Occurrence Identity Module 201 202 203 204 205 206 207 208 SIM 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 SIM 229 230 231 232 233 234 235 236 237 238 239 240 Reasons for Disallowance R2. part 6 R1. R4 R4 R1. part 5 ID Identity Module 241 242 SIM 243 Fig. R2 R1 R1. R5 Fig. R3 R1 R1 R1. R3 R1 Components Table of cases. ME 3G 2G BS VLR/SG SN/ MME HN 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 2G Condition to support Occurrence Reasons for Disallowance R1 R1. R3. 14. R4 R1. 13 ME BS VLR/SG SN/ MME 2G 4G 3G 2G 2G 2G 2G Table of cases. R3 R1 R1 R1. R4 R2. R4 R2. R4 R1. R5 R2 R1. R5 R1. part 7 HN 2G 2G 2G Condition to support Occurrence Reasons for Disallowance R1. R5 R1. R5 R1. R2. R3. R3. R5 R1. R2 R1. R2 Table of cases. R4 R1. R3. R4 R4 R1 R1 R1 R1. R2 R1. R2 R1 R1. R3. R4 R1 R1 R1 R1. R4 R1. R3.Components ID Components ID Identity Module 161 USIM 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 SIM 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 SIM 196 197 198 199 200 Fig. 13. R4 . R2.

V I. V C. N. I. L. T Q. N. V C. K. V I. V E. V I. I. K. K. I. V C. M. K. V E. W B. N. V C. I. V I. V I. M. H. V C. V I. I. I. H. L. K. K. I. V F. T P. V I. N. I. M. T Q. V E. V E. V H. V E. K. V E. M. V Identity Module Interpretation T T O. H. V E. I. H. V H. H. V I. V I. V H. K. V I. I. V F. V E. M. T O. L. G. I. 17. V E. I. V I. V E. V H. K. I. X H. V C. V B. V G. W. V C. I. I. V E. N. V E. L. V E. I. L. K. L. L. V H. N. L. L. V C. V I. V G. H. L. I. M. L. N. N. V F. M. K. N. L. J. I. I. H. V A. K. V E. I. V B. V E. V I. K. V D. V I. I. K. L. part 1 of 3 162 167 168 171 176 177 180 185 186 189 194 195 198 203 204 207 212 213 216 222 225 231 234 240 243 Fig. V E. N. V C. H. I. M. L. T O. V D. V F. N. V C. I. M. V I. V B. H. V B. H. V E. K. K. V B. H. V E. N. Components ID Identity Module 1 2 3 5 6 9 10 11 4G 12 USIM 14 15 18 20 21 23 24 27 29 30 32 33 36 38 39 41 42 45 47 48 50 51 54 57 60 63 66 69 72 75 78 ME 4G 3G 2G 81 82 83 84 86 87 90 91 92 93 USIM 95 96 99 101 102 104 105 108 110 111 113 114 117 119 120 USIM 122 123 126 128 129 132 135 138 141 144 147 USIM 150 153 156 159 Reason Scenarios BS VLR/SG SN/ MME HN 4G 3G 2G 3G 2G 2G 4G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 3G 3G 2G 4G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G S3 S10 S9 S2 S6 S4 S7/S8 S2 S6 S2 S6 S4 S5 S1 S5 S1 S1 S10 S9 S2 S6 S4 S2 S6 S2 S6 S4 S5 S1 S5 S1 S1 S9 S6 S4 S6 S6 S4 S1 S1 Stated in Spec A. M. U Q. M. L. N. V D. H. I. I. I. I. K. H. V H. V F. T Q. V I. with reference to the list A–X in Table II. I. N. T T T R. part 2 R Components ID Fig. I. X H. T T T T T T T T T O O P Q Q O P Q Table of scenarios. U Q. Interpretation Table of scenarios. V I. V E. K. W. I. V E. M. V E. N. H. K. I. T S. K. L. V I. K. H. M. I. V I. I. T Q. V E. K. L. N. H. N. V B. I. L. K. 16. V I. K. K. K. K. V F. I. K. V I. V B. W B. V I. L. V T T O. K. V E. V F. I. T T T T T T O O P Q Q R O P Q Fig. V I. I. V I. V B. K. K. V E. ME BS VLR/SG SN/ MME 2G 2G 4G 3G 2G 3G 2G 2G 4G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 3G 2G 2G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 2G 2G 2G 4G 4G 4G 3G 3G 2G 4G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 3G 2G 4G 4G 3G 2G 4G 3G 2G 4G 3G 2G 4G 3G 4G 3G 2G Reason Scenarios HN 2G 4G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 3G 2G 2G 2G 2G 2G 4G 4G 4G 4G 4G 3G 3G 3G 3G 3G 2G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G S1 S3 S10 S9 S2 S6 S4 S7/S8 S2 S6 S2 S6 S4 S5 S1 S5 S1 S1 S2 S6 S2 S6 S4 S2 S6 S2 S6 S4 S5 S1 S1 S1 S6 S6 S4 S6 S6 S4 S1 S1 Stated in Spec E. L. part 3 S1 S5 S1 S1 S5 S1 S1 S5 S1 S1 S5 S1 S1 S5 S1 S1 S5 S1 S1 S1 S1 S1 S1 S1 S1 Stated in Spec E. N. V Interpretation S. N. G. V I. T S. T T T T T T T S S S S S . K. N. I. K. H. K. K. I. H. I. V E. T P. N. V E. L. L. N. I. V H. L. V F. V E. N. I. K. H. V I. K. I. K. 14 Identity Module ME USIM 2G SIM 4G SIM 3G SIM 2G Reason Scenarios BS VLR/SG SN/ MME HN 2G 3G 2G 2G 3G 2G 2G 3G 2G 2G 3G 2G 2G 3G 2G 2G 3G 2G 2G 2G 2G 2G 2G 2G 2G 2G 3G 3G 2G 3G 3G 2G 3G 3G 2G 3G 3G 2G 3G 3G 2G 3G 3G 2G 3G 2G 3G 2G 3G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 4G 3G 3G 3G 2G 2G 2G 4G 4G 3G 3G 2G 2G Table of scenarios. K. V H. K. V E. K. V E. V I. I. L. K.A PPENDIX B TABLE OF SCENARIOS Components ID Figure 15 – 17 show the determination of the AKA scenarios and respective reasoning. I. V E. 15. N. V E.

(RES. ck hn . xres sn : resp . = f i n t e g a s ( as smcomplete msg . (CAP. The key derivation function used by the MME and the MS to generate the local master key KASME is declared as: fun kdf asme ( cipherKey . kasenc sn ) . x3 ) ) . out ( pubChannel . query x1 : i d e n t . x2 : enbKey . x2 : cipherKey . (=CHALLENGE. x3 : bool . (=RES. . (=AV REQ. (=AV. event endMS ( imsi ms . (MSG. rand ms : nonce . (=MSG. out ( pubChannel . That means if the encryption is enabled. (∗ I n p u t c h a l l e n g e message from SN ∗) i n ( pubChannel . datamsg : b i t s t r i n g . 58 59 60 61 62 63 64 65 66 67 68 S7. cap ms ) ) . i n ( pubChannel . The authentication of the SN to the MS is specified in lines 6–7. 1 2 3 4 5 6 7 8 9 15 new imsi ms c r e a t i n g imsi ms 5870 a t {2} i n copy a new k i c r e a t i n g ki 5871 a t {3} i n copy a i n s e r t keys ( imsi ms 5870 . i n t e g K e y ) . rand ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . The secrecy and authentication properties are specified as: 1 2 3 4 5 6 7 query a t t a c k e r ( payload ) . query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . The pure 4G model is discussed in Sect. (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) out ( secureChannel . (∗ Receive a u t h e n t i c a t i o n v e c t o r ∗) i n ( secureChannel . The HN process is the same as the one in the UMTS model. (=CAP. conv(CK IK → KASME . x3 ) ) . i n ( pubChannel . rand sn : nonce . ( ID . k a s i n t s n ) ) ) . kasenc ms ) i n 0 . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi sn . t r u e ) ) a t {6} i n copy a out ( pubChannel . l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) i n ( secureChannel . ki 5871 ) a t {4} i n copy a out ( pubChannel . (∗ Receive permanent ID ∗) i n ( pubChannel . (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS ∗) out ( pubChannel . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . ProVerif proves the key secrecy. mac ms : mac ) ) . rand ms ) = mac ms then (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = f 2 ( k i . The authentication of the MS to the SN is specified in lines 4–5. cipherKey . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . (= ASSMComplete . (∗ Check whether r e c e i v e d response equal t o XRES∗) i f res sn = xres sn then (∗ At t h i s p o i n t . i n t e g K e y ) : asmeKey . the attacker can never learn the message payload. (ASSMC. s e n c r y p t ( s e c r e t . cap sn ) . out ( pubChannel . ck ms ) ) . i k s n ) i n l e t kenb sn : enbKey = kdf enb ( kasme sn ) i n l e t kasenc sn : asEncKey = kdf as enc ( kenb sn ) i n l e t k a s i n t s n : a s I n t K e y = k d f a s i n t ( kenb sn ) i n l e t kupenc sn : upEncKey = kdf up enc ( kenb sn ) i n event begMS ( imsi sn . x2 . ck sn : cipherKey . ik ms ) ) . The other pure models and scenarios are presented in [16]. event ( endSN ( x1 . imsi ms 5870 ) ) a t {32} i n copy a 5861 i n ( pubChannel . kenb sn . S9+ (with LTE IV) and S10+ (with LTE IV) with some explanation. xres hn . cap ms ) . i k s n ) . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . (CAP. Security Property Specifications and Findings The events used in the correspondence assertions to specify the authentication properties are declared as: 1 2 3 4 event event event event begSN ( i d e n t endSN ( i d e n t begMS ( i d e n t endMS ( i d e n t . cap sn . . = f i n t e g a s ( datamsg . a 5860 ) ) a t {31} i n copy a 5861 i n ( pubChannel . x3 ) ) event ( begMS ( x1 . ( ID . cap sn : bool ) ) . k a s i n t s n ) ) ) . (=ASSMC. res ms ) ) . =as smcomplete msg . S8. i f cap sn = f a l s e then event d i s a b l e E n c . event ( endMS ( x1 . ( ID . 86 87 88 89 90 39 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 l e t processSN = (∗ Receive MS’ s c a p a b i l i t y ∗) i n ( pubChannel . imsi ms 5870 ) ) a t {7} i n copy a i n ( pubChannel . (CAP. k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . bool ) . the MS and the SN derive the local master key KASME from the cipher key and the integrity key. (CHALLENGE. f i n t e g a s ( s e n c r y p t as ( payload . s e n c r y p t a s ( payload . ik hn . VI. i n t e g K e y ) . =imsi sn . imsi ms ) ) . ProVerif proves this authentication property. The secrecy property of the message payload does not hold. . (CAP. out ( pubChannel . i k s n : integKey . imsi hn . l e t kasme ms = kdf asme ( ck ms . (AV REQ. Proverif finds a attack trace that violates the property: 38 40 l e t kasme sn = kdf asme ( ck sn . kasint ms ) ) ) . s e n c r y p t I n t e g ( s e c r e t . cipherKey . payload . (MSG. enbKey . f i n t e g a s ( payload . f i n t e g a s ( as smcomplete msg . The conditional secrecy (line 2) holds. ik ms ) . kasint ms ) ) ) . x3 : i n t e g K e y . ik ms ) i n l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n (∗ Receive GSM c i p h e r mode command ∗) i n ( pubChannel . Appendix D gives the complete code files for all models. as smcomplete msg ) ) a t {31} i n copy a 5862 i n ( pubChannel . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . bool ) . (∗ Receive response ∗) i n ( pubChannel . LTE I k UMTS II–III k LTE V. ck sn . because the attacker can always learn the payload if the MS is not capable of encryption. rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . ck ms . query x1 : i d e n t . imsi hn : i d e n t ) ) . mac sn : mac ) ) . i m s i s n ) ) . x2 . rand sn . x2 . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . ( ASSMComplete . i m s i s n : i d e n t ) ) . kenb ms . (∗ Send o u t response t o SN ∗) out ( pubChannel . (∗ Send o u t permanent ID ∗) out ( pubChannel . k a s i n t s n ) ) ) . x3 ) ) event ( begSN ( x1 . mac hn ) ) . enbKey . The property specified in line 3 is used to test the secrecy of the keys. rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r ∗) out ( secureChannel . query a t t a c k e r ( s e c r e t ) . 82 83 84 85 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN ∗) out ( pubChannel . mac sn ) ) . x2 .A PPENDIX C MODELS OF THE SCENARIOS This section presents scenarios S7 (without LTE IV). enableEnc as ms : bool . k a s i n t s n ) ) ) else out ( pubChannel . (= ID . 73 74 75 76 77 78 79 80 81 There are three main processes in our model representing the behavior of the MS. the SN and the HN respectively. out ( pubChannel . kasenc sn ) . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . MME) 69 70 71 72 Most of the code in this model is inherited from the 4G model and the UMTS model. ( AV. as smcomplete msg . rand hn . In line 19 and line 58. res sn : resp ) ) . i f f 1 ( k i . kasint ms ) ) ) . ( ID . imsi ms 5870 ) ) a t {32} i n copy a 5862 . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap sn ) . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg .

rand hn 5872 ) . 45 rand hn 5872 ) . rand hn 5872 ) . rand hn 5872 . 1 rand hn 5872 ) ) ) a t {8} i n copy a 2 event ( begSN ( imsi ms 5870 . rand hn 5872 ) ) ) 5 a t {14} i n copy a 6 i n ( pubChannel . rand hn 5872 ) ) ) . kdf enb ( kdf asme ( f 3 ( ki 5871 . rand hn 5872 ) ) ) ) ) . ( ASSMComplete . t r u e ) 46 i s executed . which are the replaced ones. l e t kasme ms : asmeKey = kdf asme ( ck ms . i n ( pubChannel . rand hn 5872 ) ) ) ) ) ) ) 16 a t {46} i n copy a 5865 17 i n ( pubChannel . (CAP. ( ID . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . f i n t e g a s ( as smcomplete msg . (ASSMC. the SN and the HN respectively. 33 f 4 ( ki 5871 . knasint ms ) ) ) . the BS. as smcomplete msg ) ) a t {31} i n copy a 5865 i n ( pubChannel . f 4 ( ki 5871 . Most of the code in this model is inherited from the 4G model and the UMTS model. (=MSG. 3 f 4 ( ki 5871 . a 5866 ) ) a t {31} i n copy a 5867 i n ( pubChannel . 11 rand hn 5872 ) . (ASSMC. the 59 MS has no way to confirm whether the SN receives the correct 60 61 capabilities. 12 as smcomplete msg ) ) a t {44} i n copy a 5865 13 out ( pubChannel . cap ms ) . imsi ms 5870 . (CHALLENGE. 66 16 S8. ik ms ) . 42 rand hn 5872 ) . f 2 ( ki 5871 . 9 f 4 ( ki 5871 . rand hn 5872 ) . kupenc ms ) ) . 25 f 4 ( ki 5871 . f i n t e g a s ( s e n c r y p t a s ( payload . (AV REQ. ( NASSMComplete . imsi ms 5870 ) ) a t {32} i n copy a 5867 i n ( pubChannel . (RES. l e t res ms : resp = f 2 ( k i . a 5863 ) ) a t {31} i n copy a 5864 i n ( pubChannel . ( ID . f 4 ( ki 5871 . rand hn 5872 ) . the attacker intercepts the capability message 51 sent by the MS and replaces the capabilities with different 52 ones. 38 f i n t e g a s ( as smcomplete msg . a 5868 ) ) a t {31} i n copy a 5869 i n ( pubChannel . rand ms ) ) ) . k d f a s i n t ( kdf enb ( kdf asme ( 18 19 f 3 ( ki 5871 . cap ms ) . rand hn 5872 ) . ( ASSMComplete . kasenc ms ) i n 0 . knasenc ms ) ) . LTE I’ k UMTS II–III k LTE IV–V. f i n t e g a s ( as smcomplete msg . rand hn 5872 ) . cap ms : bool ) = l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n i n ( pubChannel . =cap ms . out ( pubChannel . knasint ms ) ) then event endMS ( imsi ms . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . s e n c i n t a s ( s e c r e t . rand ms ) i n event begSN ( imsi ms . i n ( pubChannel . (CAP. (RES. k i ) . enableEnc as ms : bool . out ( pubChannel . res ms ) ) . knasenc ms ) . enableEnc nas ms : bool . ck ms . as smcomplete msg . cap ms ) ) . f 4 ( ki 5871 . out ( pubChannel . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . as smcomplete msg . pMSAS( kasme ms . (CAP. 26 k d f a s i n t ( kdf enb ( kdf asme ( f 3 ( ki 5871 . nonce ms ) ) . cap ms ) else out ( pubChannel . ( ID . kdf enb ( kdf asme ( f 3 ( ki 5871 . which violates the 6564 correspondence assertion. 35 f 4 ( ki 5871 . 27 f 4 ( ki 5871 . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . 31 32 kdf as enc ( kdf enb ( kdf asme ( f 3 ( ki 5871 . sencrypt nas ( nas smcomplete msg . 23 24 kdf as enc ( kdf enb ( kdf asme ( f 3 ( ki 5871 . rand hn 5872 ) ) ) ) ) . rand hn 5872 ) ) ) ) ) ) ) 28 a t {53} i n copy a 5865 29 i n ( pubChannel . nonce mme ms ) i n l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i f ( nas mac = f i n t e g n a s ( ( enableEnc nas ms . (CAP. f i n t e g a s ( s e n c r y p t a s ( payload . s e n c r y p t a s ( s e c r e t . (∗ Pre−shared key ∗) new k i : key . The two events do not 63 agree the third parameter (the capabilities). f 1 ( ki 5871 . new nonce ms : nonce . nonce mme ms : nonce . kasint ms ) ) ) . f 3 ( ki 5871 . (∗NAS key secrecy ∗) out ( pubChannel . MME) Figure 18 shows details of the ProVerif model and the locations of the events which are used to specify the conditional payload secrecy and the authentication properties. out ( pubChannel . rand hn 5872 ) ) ) a t {35} i n copy a 5865 i n ( pubChannel . nonce mme ms ) . (∗NAS SMC procedure ∗) i n ( pubChannel . event endMS ENB( imsi ms . ck ms . nonce ms . k d f a s i n t ( kdf enb ( kdf asme ( 14 15 f 3 ( ki 5871 . ( ID . ( NASSMComplete . imsi ms 5870 ) ) a t {32} i n copy a 5869 out ( secureChannel . ( ASSMComplete . (CAP. kasint ms ) ) ) . f 2 ( ki 5871 . ik ms . (=CHALLENGE. Because the security mode command 58 message does not contain the received MS’s capabilities. f 1 ( ki 5871 . (MSG. out ( pubChannel . kasint ms ) ) . = f i n t e g a s ( datamsg . cap ms ) . (=NASSMC. nonce ms . 47 48 49 50 In this trace. f 3 ( ki 5871 . rand hn 5872 . knasint ms ) ) . The key derivation function used to derive the KASME is defined as: fun kdf asme ( cipherKey . f 4 ( ki 5871 . imsi ms 5870 ) ) a t {33} i n copy a 5865 r e c e i v e d a t {55} i n copy a 5859 new rand hn c r e a t i n g rand hn 5872 a t {56} i n copy a 5859 get keys ( imsi ms 5870 . out ( pubChannel . imsi ms . rand hn 5872 ) ) ) a t {62} i n copy a 5859 r e c e i v e d a t {34} i n copy a 5865 out ( pubChannel . s e n c r y p t a s ( payload . out ( pubChannel . (∗AS SMC procedure i n process MS∗) l e t pMSAS( kasme ms : asmeKey . t r u e ) ) 43 a t {23} i n copy a 44 The event endMS ( imsi ms 5870 . f i n t e g a s ( as smcomplete msg . (CHALLENGE. rand hn 5872 ) ) ) 7 a t {36} i n copy a 5865 8 event ( endSN ( imsi ms 5870 . kenb ms . rand hn 5872 ) ) ) ) ) ) ) 20 a t {47} i n copy a 5865 21 out ( pubChannel . The event endMS is executed with recording 62 the original capabilities of the MS. as smcomplete msg . There are four main processes in our model representing the behavior of the MS. (∗ process r e p r e s e n t i n g e−nodeB ∗) . nonce ) : asmeKey . sencrypt nas ( s e c r e t . nonce . imsi ms 5870 ) ) a t {32} i n copy a 5864 i n ( pubChannel . 40 f 4 ( ki 5871 . nas mac : msgMac ) ) . = f 1 ( k i . rand hn 5872 ) ) ) a t {13} i n copy a 4 out ( pubChannel . knasint ms ) ) ) . cap ms . kdf enb ( kdf asme ( f 3 ( ki 5871 . rand hn 5872 ) . pMSAS( kasme ms . ( AV. f 4 ( ki 5871 . rand hn 5872 ) ) ) a t {38} i n copy a 5865 10 event ( begMS ( imsi ms 5870 . rand ms : nonce . 55 The event endMS is executed after the MS receives the security 5756 mode command message. rand hn 5872 ) ) ) ) ) . i f enableEnc nas ms = f a l s e then out ( pubChannel . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . (NONCE TAU. rand hn 5872 ) ) ) . 22 kdf as enc ( kdf enb ( kdf asme ( f 3 ( ki 5871 . rand hn 5872 ) ) ) ) ) ) ) a t {22} i n copy a 41 event ( endMS ( imsi ms 5870 . k d f a s i n t ( 39 kdf enb ( kdf asme ( f 3 ( ki 5871 . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . f 1 ( ki 5871 . f 4 ( ki 5871 . knasenc ms ) . rand hn 5872 ) . f i n t e g n a s ( nas smcomplete msg . ik ms . rand hn 5872 ) ) ) ) ) ) ) 36 a t {20} i n copy a 37 out ( pubChannel . senc up ( s e c r e t . ( ID . f 4 ( ki 5871 . f 2 ( ki 5871 . imsi ms ) ) . rand hn 5872 ) . f 4 ( ki 5871 . imsi ms . as smcomplete msg . conv(CK IK nonces → KASME . rand hn 5872 ) . s e n c i n t n a s ( s e c r e t . s e n c r y p t a s ( payload . out ( pubChannel . =nonce ms . rand hn 5872 . kasenc ms ) ) . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . (RES. 30 kdf as enc ( kdf enb ( kdf asme ( f 3 ( ki 5871 . rand hn 5872 ) . datamsg : b i t s t r i n g . Since the event beginMS in process SN records the 5453 capabilities received by the SN. 34 k d f a s i n t ( kdf enb ( kdf asme ( f 3 ( ki 5871 . imsi ms : i d e n t . rand hn 5872 ) . rand hn 5872 ) ) ) . rand hn 5872 ) ) ) ) ) . ki 5871 ) a t {57} i n copy a 5859 out ( secureChannel . nas smcomplete msg . (=ASSMC. f 3 ( ki 5871 . kasint ms ) ) ) . rand hn 5872 ) .10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 i n ( pubChannel . rand hn 5872 ) . integKey . imsi ms 5870 ) ) a t {32} i n copy a 5865 i n ( pubChannel .

kenb enb . NONCEMS. AUTN=MAC 5. IMSI 3. ( kasme enb : asmeKey . out ( secureChannel . RAND). enableEnc. (MSG. k a s i n t e n b ) ) ) . nonce ms sn : nonce ) ) . AUTN UMTS III XMAC = f1(Ki. NONCEMME) KNASenc = KDF (KASME). i m s i s n : i d e n t ) ) . CAP. RES Verify RES = XRES event endSN(imsi_sn. KNASint = KDF(KASME) XNAS-MAC = EIA((enableEnc. CAP. KNASint) event begMS(imsi_sn. kasme_sn. kenb_ms. = f i n t e g a s ( as smcomplete msg . cap enb . IK. if no encryption {payload}_KRRCenc. i n ( pubChannel . NAS-MAC = EIA((enableEnc. NAS Security Mode Complete ifenableEnbciphered . NONCEMS KASME = KDF(CK. IK 6. IMSI UMTS II Generate RAND . RAND). (= ASSMComplete . NONCEMME. NONCEMS. (= ID . =imsi sn . 67 68 69 70 71 72 73 74 75 76 77 78 79 80 Scenario S8 annotated in accord with our model l e t processENB = i n ( sChannelSnBts .MAC = f1(Ki. RES = f2(Ki. ck_sn. NONCEMS. payload. (ASSMC. KNASint) Verify XNAS-MAC = NAS-MAC 9. 18. ck_ms. ik_sn) KASME = KDF(CK. i n ( pubChannel . NONCEMME). NONCEMS. enableEnc. rand sn : nonce . NONCEMS. KNASint = KDF(KASME) Decide enableEnc?. RAND. out ( pubChannel . AS SMC Complete Integrity protected 13. cap sn : bool ) ) . IK = f4(Ki. KRRCint) Verify XAS-MAC = AS-MAC event endMS_ENB(imsi_ms. CK = f3(Ki.CAP 2. =as smcomplete msg . 87 88 89 90 91 92 93 94 17 (∗ process r e p r e s e n t i n g MME∗) l e t processMME = i n ( pubChannel . integrity protected otherwise integrity protected KeNB = KDF(KASME) 10. CK. ik_ms) 7. AUTN. KRRCenc = KDF (KeNB) KRRCint = KDF(KeNB). i m s i s n ) ) . otherwise Decrypt message ifenableEnc_ms is true Fig. kasint enb ) ) ) . (=NONCE TAU. (=CAP. RAND) IK = f4(Ki. cap enb : bool ) ) . IMSI. kasenc enb ) . f i n t e g a s ( s e n c r y p t a s ( payload . CAP. (AV REQ. AS-MAC = EIA(enableEnc. . XRES. i n ( pubChannel . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap enb ) . CAP. NONCEMME) KNASenc = KDF (KASME). (MSG. i f cap enb = f a l s e then event d i sa b l e E n c . NONCEMS 4. RAND) event begSN(imsi_ms. i n ( secureChannel . kasenc enb ) . imsi enb : i d e n t . l e t kenb enb : enbKey = kdf enb ( kasme enb ) i n l e t kasenc enb : asEncKey = kdf as enc ( kenb enb ) i n l e t k a s i n t e n b : a s I n t K e y = k d f a s i n t ( kenb enb ) i n l e t kupenc enb : upEncKey = kdf up enc ( kenb enb ) i n event begMS ENB( imsi enb . payload . IK. cap_ms) Verify CAP. KUPenc = KDF (KeNB) XAS-MAC = EIA(enableEnc. KeNB LTE V KeNB = KDF (KASME). k a s i n t e n b ) ) ) . k a s i n t e n b ) ) ) 81 82 83 84 85 86 else out ( pubChannel . RAND) CK = f3(Ki. out ( pubChannel . cap enb ) . RAND) MAC = XMAC. RAND. kasme_ms. cap_sn) LTE IV’ 8. cap_sn) 11. RAND). kenb_sn. AS-MAC KeNB = KDF (KASME). KRRCint) Start integrity protection event begMS_ENB(imsi_sn. f i n t e g a s ( payload . NAS-MAC event endMS(imsi_ms.MME BS MS 4G HN LTE I’ 1. RAND) XRES = f2(Ki. NONCEMME). KRRCenc = KDF (KeNB) KRRCint = KDF(KeNB). (=AV. cap_ms) 12. KUPenc = KDF (KeNB) Decide enableEnc?. s e n c r y p t a s ( payload .

i k s n ) . ik hn . 15 16 17 18 19 20 21 22 23 24 25 26 27 We specify the security properties as following: • Key Secrecy 28 29 30 31 18 There are four main processes in our model representing the behavior of the MS. i n ( pubChannel . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then out ( sChannelSnBts . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . x2 : enbKey . 14 Security Property Specifications and Findings The events used to specify the authentication properties are specified as: 1 2 3 4 5 6 event event event event event event begSN ( i d e n t . event (endMS ENB( x1 . endMS ENB( i d e n t . • Authentication of the BS to the MS 1 2 3 query x1 : i d e n t . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) i n ( secureChannel . imsi hn . ik ms . x2 . CMComplete ) . cipherKey . the MS derives the KASME using the nonces 8 and cipher and integrity keys as in MME (lines 45–46). x3 . (∗ Pre−shared key ∗) new k i : key . imsi sn . rand hn . x4 : bool . cap ms : bool ) = i n ( pubChannel . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . ik sn . i n t e g K e y ) : gsmKey . i k s n : integKey . enableEnc as ms : bool ) ) . S9+. cap ms ) ) . x4 ) ) event ( begMS ( x1 . x3 : bool . AV = 4G AV + CK + IK Figure 19 shows details of the ProVerif model and the locations of the events which are used to specify the conditional payload secrecy and the authentication properties. cipherKey . i n t e g K e y ) . =xres sn ) ) . ck sn . x4 ) ) . imsi ms : i d e n t . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms .95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 xres sn : resp . mac sn : mac ) ) . imsi hn : i d e n t ) ) . snid ms ) i n event begSN ( imsi ms . cipherKey . nonce mme ) i n l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n event begMS ( imsi sn . x3 : i n t e g K e y . (CHALLENGE. imsi ms ) ) . imsi sn . integKey . cap sn . ( kasme sn . k n a s i n t s n ) ) ) . the BS. kasme ms ) . x2 . The 109 MS then verifies the MAC of the messages and sends out the 11 NAS Complete messages to the MME. ( kasme sn . cap sn ) ) else 0 else 0 . x2 . The MME generates a nonce (line 100) and derives 1 2 the KASME using the nonces and cipher and integrity keys 3 (lines 102–103). knasenc sn ) = nas smcomplete msg then out ( sChannelSnBts . the SN and the HN respectively. The analysis results are the same as the ones in 4G authentication (Section VI). begMS ENB( i d e n t . integKey . The MME uses the conversion function c3 to derive the GSM session key from the UMTS cipher and integrity keys: fun c3 ( cipherKey . cap sn . kc ms . l e t res ms : resp = f 2 ( k i . Upon receiving the NAS 7 SMC messages. snid ms : i d e n t ) ) . event ( endSN ( x1 . Most of the code in this model is inherited from the 4G model and the GSM model. The MME then sends the integrity protected 4 NAS SMC messages which includes the received capabilities 56 and both nonces in lines 107–109. The AS SMC procedure 12 13 is the same as in 4G model. x3 : integKey . kc ms ) in 0. out ( pubChannel . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . cap ms ) . nonce ms sn . (=AV REQ. x2 . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . x2 . the MS generates a nonce and sends it to the MME (lines 34–35). (∗AS SMC procedure i n process MS∗) l e t pMSAS( kc ms : gsmKey . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . k n a s i n t s n ) ) ) . bool ) . endSN ( i d e n t . kc ms ) ) . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . new nonce mme : nonce . cipherKey . x3 ) ) event (begMS ENB( x1 . x3 . k i ) . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . ck hn . ck sn : cipherKey . rand ms : nonce . out ( pubChannel . x3 ) ) . (=MSG. bool ) . mac sn ) ) . = f 1 ( k i . nonce mme . x3 ) ) . xres hn . x3 ) ) event ( begSN ( x1 . (CAP. cap sn . (=CHALLENGE. s e n c r y p t a s ( s e c r e t . cap sn ) . enbKey . rand sn . i f cap sn = t r u e then i f sdecrypt nas ( msg nas . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . because the BS could choose not to enable encryption when communicating with the MS. GSM I k LTE II–IV k GSM IV. rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . i n t e g K e y ) . x2 . endMS ( i d e n t . i n ( pubChannel . MME). f i n t e g n a s ( ( cap sn . 125 127 not a t t a c k e r (new k i ) . • Payload Secrecy query a t t a c k e r ( payload ) . The authentication vector request and response procedure is modeled in lines 93–96 and lines 129– 140. query x1 : i d e n t . nonce mme ) . . bool ) . out ( pubChannel . i n ( pubChannel . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . ProVerif proves all the properties except the payload secrecy. • Mutual Authentication between the MS and the MME 1 2 3 4 5 6 query x1 : i d e n t . mac hn ) ) . x2 : cipherKey . i n ( pubChannel . query a t t a c k e r ( s e c r e t ) . event ( endMS ( x1 . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . out ( pubChannel . event endSN ( imsi sn . msg nas : b i t s t r i n g . bool ) . = f i n t e g n a s ( msg nas . datamsg : b i t s t r i n g ) ) . in addition to the IMSI and capabilities. ck sn . (=ASSMC. nonce ms sn . rand ms ) . rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r ∗) out ( secureChannel . conv(CK IK → Kc. out ( pubChannel . nonce ms sn . (∗NAS SMC procedure ∗) l e t kasme sn : asmeKey = kdf asme ( ck sn . ( ID . snid ms . 1 2 • Conditional Payload Secrecy query a t t a c k e r ( payload ) 126 128 129 130 131 132 133 134 135 136 137 138 139 140 event ( d i s a b l e E n c ) . This scenario is triggered by the TAU request. (=RES. event endMS AS ( imsi ms . x2 : cipherKey . enbKey . (NASSMC. (=NASSMComplete . begMS ( i d e n t . ik sn . ( AV.

kc bs . (MSG. i m s i b s : i d e n t . =cap ms . kc_sn. NAS Security Mode Complete if enableEnb ciphered . 66 sencrypt nas ( nas smcomplete msg . snid ms . (MSG. SNid. NAS-MAC event endMS(imsi_ms. CK. IK = f4(Ki. IMSI. CMComplete 11. IK. RAND). snid_ms. cap ms ) . payload ) ) else out ( pubChannel . snid_sn. kasme ms . knasenc ms ) ) . knasint ms ) ) . NAS-MAC = EIA((enableEnc. kasme_sn. RAND) XRES = f2(Ki. IK. SNid. imsi ms . SNid. imsi ms . Network Type Generate RAND .CAP 2. (RES. knasint ms ) ) ) 55 . enableEnc nas ms : bool . ( kc bs : gsmKey . 54 = f i n t e g n a s ( ( enableEnc nas ms . 50 (∗NAS SMC procedure ∗) 51 l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n 52 l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n 53 i n ( pubChannel . CAP. RAND. MAC = f1(Ki. knasint ms ) ) ) . AUTN. cap_sn) 10. 58 out ( pubChannel . nas smcomplete msg . cap bs ) ) . i n ( pubChannel . RES Verify RES = XRES KNASenc = KDF (KASME. cap bs : bool ) ) . (=NASSMC.) 6. 19. snid_sn. sencrypt nas ( s e c r e t . =CMComplete ) . RAND) KASME = KDF(CK. RES = f2(Ki. payload. knasint ms ) ) ) . IK RAND. event endMS ( imsi ms . knasenc ms ) . i f cap bs = f a l s e then event d i s a b l e E n c . ( NASSMComplete . KNASint) KNASenc = KDF (KASME) KNASint = KDF(KASME) event begMS(imsi_sn. ik ms ) i n 60 i f enableEnc nas ms = f a l s e then 61 out ( pubChannel . enableEnc event endMS_AS(imsi_ms. ( NASSMComplete . cap ms ) 64 else 65 out ( pubChannel . kc_ms. RAND) MAC = XMAC. kasme_sn) KC = c3(CK. SNid LTE III XMAC = f1(Ki. if no encryption {payload}_KC. RAND). cap_ms) 11. 67 19 f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . IK) KC = c3(CK. (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processBS = i n ( sChannelSnBts .) Decide enableEnc?. kasme_ms. KC Decide enableEnc? GSM IV event begMS_AS(imsi_sn. 56 (∗NAS key secrecy ∗) 57 out ( pubChannel . otherwise Decrypt message if enableEnc_ms is true Fig. cap bs ) . enableEnc. AUTN. 59 l e t kc ms : gsmKey = c3 ( ck ms . IK) 9. integrity protected otherwise integrity protected event endSN(imsi_sn. SNid) 4. knasenc ms ) . IMSI LTE II 3. CAP). CAP). s e n c r y p t a s ( payload . 62 f i n t e g n a s ( nas smcomplete msg . RAND). s e n c i n t n a s ( s e c r e t . KNASint) Verify XNAS-MAC = NAS-MAC event begSN(imsi_ms. pMSAS( kc ms . cap ms ) .MME 2G BS 4G MS 4G HN GSM I 1. kc bs ) ) ) . snid_ms. event begMS AS ( imsi bs . out ( pubChannel . (ASSMC. res ms ) ) . CK = f3(Ki.). (∗ process r e p r e s e n t i n g MME∗) . CAP. RAND) IK = f4(Ki. out ( pubChannel . cap_sn) LTE IV 7. RAND) CK = f3(Ki. KASME 5. cap ms ) . kasme_ms) 8. 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 Scenario S9+ annotated in accord with our model out ( pubChannel . XRES. 63 pMSAS( kc ms . AUTN=MAC KASME= KDF(CK. cap_ms) XNAS-MAC = EIA((enableEnc. IMSI. KNASint = KDF(KASME.

f i n t e g n a s ( ( cap sn . bool ) . mac hn . BS in line 92 or 98 through the private channel between the 8 event endMS AS ( imsi ms . cap sn ) . rand hn . i n ( pubChannel . the GSM session key in line 87 and sends the key to the GSM 76 f 9 ( as smcomplete msg . ik ms ) ) . kasme sn . out ( pubChannel . the content of the encrypted data messages cannot be learned by the attacker. s e n c r y p t a s ( s e c r e t . The MME derives 5 out ( pubChannel . The mutual authentication properties between the MS and the MME are proved. snid ms : i d e n t ) ) . event endMS AS ( i d e n t . • Mutual Authentication between the MS and the MME 36 37 38 20 (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . i m s i s n : i d e n t ) ) . i n ( pubChannel . ik ms : integKey . x2 . ik ms . ( ID . MME and the GSM BS. cap sn : bool ) ) . ck hn . imsi hn sn . the BS. = f 1 ( k i . the payload secrecy could be violated because the BS could choose to disable encryption when communicating with the MS. x3 : asmeKey . i n ( pubChannel . 1 (∗AS SMC procedure i n process MS∗) 2 l e t pMSAS( ck ms : cipherKey . ik ms ) ) ) . imsi hn sn : i d e n t .l e t processSN = i n ( pubChannel . as smcomplete msg . rand sn : nonce . snid hn . All the keys are proved to be remained secret. =cap ms . x4 : bool . As in other models. cap sn ) . gsmKey . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . GSM BS uses the GSM session key Kc . i k s n : i n t e g K e y ) ) . i k h n ) ) . enableEnc as ms : bool . (=ASSMC. (RES. ik ms ) ) ) . x2 : gsmKey . • Payload Secrecy query a t t a c k e r ( payload ) . cap ms ) ) . 3 imsi ms : i d e n t . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . i n ( pubChannel . cap sn . i k s n ) i n i f cap sn = t r u e then i f sdecrypt nas ( msg nas . event ( endMS ( x1 . the events used to 16 specify the authentication of the BS to the MS use this key as 17 18 one of the parameters: 19 event begMS AS ( i d e n t . However. snid ms ) i n event begSN ( imsi ms . ik ms . mac sn . imsi hn : i d e n t . x2 . (=AV. The conditional payload secrecy also holds. x2 . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . (=MSG. The code of the GSM SMC procedure 11 out ( pubChannel . cap ms ) . x3 ) ) event ( begMS AS ( x1 . session key in line 42. There are four main processes in our model l e t ck hn : cipherKey = f 3 ( ki hn . ik ms ) ) ) . ck ms . (=RES. (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n out ( pubChannel . ik hn . l e t kc sn : gsmKey = c3 ( ck sn . modeled in lines 72–76 and lines 104-114. x2 . snid sn ) ) . knasenc sn ) = nas smcomplete msg then event endSN ( imsi hn sn . event ( endMS AS ( x1 . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . Figure 20 shows details of the ProVerif model and the (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) locations of the events which are used to specify the condinew rand hn : nonce . ( ASSMComplete . authentication properties. imsi hn sn . (CAP. xres sn : resp . rand ms : nonce . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . 31 32 • Conditional Payload Secrecy 33 34 35 query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . msg nas : b i t s t r i n g . out ( pubChannel . res ms ) ) . (NASSMC. gsmKey . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then event endSN ( imsi hn sn . rand sn . kasme hn . (∗ Pre−shared key ∗) new k i : key . =xres sn ) ) . (=CHALLENGE. x2 : i d e n t . (=NASSMComplete . (∗NAS SMC procedure ∗) . query x1 : i d e n t . 12 13 i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = Security Property Specifications and Findings Since the 14 15 s d e c r y p t a s ( datamsg . (= ID . x3 : bool . kasme ms ) . k n a s i n t s n ) ) ) . x3 : asmeKey . x2 . • Authentication of the BS to the MS 1 2 query x1 : i d e n t . rand hn ) i n code in this model is inherited from the 4G model and the l e t xres hn : resp = f 2 ( ki hn . x3 ) ) . the CMC attack is found when checking the authentication of the BS to the MS. snid hn sn : i d e n t . xres hn . i n ( pubChannel . 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 1 2 3 4 query x1 : i d e n t . 1 2 20 21 22 23 The authentication properties between the MME and the MS are specified the same as the ones in the 4G model. l e t res ms : resp = f 2 ( k i . out ( pubChannel . out ( secureChannel . (AV REQ. x4 ) ) event ( begMS ( x1 . ( kc sn . kasme sn ) . snid hn ) i n HN respectively. event ( endSN ( x1 . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . the SN and the l e t kasme hn : asmeKey = kdf asme ( ck hn . query a t t a c k e r ( s e c r e t ) . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . x4 ) ) . cap sn ) ) else 0 else 0 . snid ms . (lines 3–5 and lines 59–60) is inherited from the GSM model. enableEnc as ms ) . We specify the security properties as following: 24 25 26 27 28 • Key Secrecy 1 2 29 30 not a t t a c k e r (new k i ) . cap ms : bool ) = The authentication vector request and response procedure is 4 i n ( pubChannel . new snid sn : i d e n t . AV = 4G AV + CK + IK (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . x3 ) ) event ( begSN ( x1 . bool ) . k i ) . UMTS I k LTE II–IV k UMTS IV. cap sn . ck sn : cipherKey . kasme sn ) . snid sn ) ) . (CHALLENGE. snid hn sn . mac sn : mac . ( kc sn . datamsg : b i t s t r i n g . k n a s i n t s n ) ) ) . snid hn : i d e n t ) ) . event begMS ( imsi hn sn . ck ms ) ) . rand ms ) . ( AV. x3 . i n ( secureChannel . that means. x2 : i d e n t . out ( secureChannel . (=CAP. = f 9 ( ( cap ms . out ( pubChannel . kasme sn : asmeKey . tional payload secrecy. ck ms ) i n 0 . because the BS is the GSM BS. Most of the get keys (= imsi hn . out ( sChannelSnBts . rand hn ) i n UMTS model. S10+. imsi ms ) ) . rand hn ) i n representing the behavior of the MS. snid hn sn . x3 ) ) . The MS also computes the GSM 9 10 = f 9 ( datamsg . if the encryption is enabled. = f i n t e g n a s ( msg nas . (=AV REQ. x3 . x2 . s e n c i n t a s ( s e c r e t . imsi hn . out ( sChannelSnBts . imsi sn . snid hn sn .

KNASint = KDF(KASME) XNAS-MAC = EIA((enableEnc. RES Verify RES = XRES KNASenc = KDF (KASME. IMSI. 20. ( NASSMComplete . MAC = f1(Ki. cap bs . RAND. IK RAND. 68 sencrypt nas ( nas smcomplete msg . RES = f2(Ki. AS-MAC = f9((enableEnc. CAP). 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 Scenario S10+ annotated in accord with our model l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n 55 l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n 56 i n ( pubChannel . (∗NAS key secrecy ∗) 60 out ( pubChannel . CAP. 59 event endMS ( imsi ms . enableEnc nas ms : bool . kasme ms . RAND). knasint ms ) ) ) . IK Decide enableEnc?. RAND) MAC = XMAC. i m s i b s : i d e n t . ck bs . XRES. imsi ms . ik ms . NAS Security Mode Complete ifenableEnb ciphered . = f 9 ( as smcomplete msg . 62 i f enableEnc nas ms = f a l s e then 63 out ( pubChannel . knasint ms ) ) ) 58 . AUTN. i k b s ) ) ) else . 65 pMSAS( ck ms . knasint ms ) ) ) . RAND) KASME = KDF(CK. cap ms ) 66 else 67 out ( pubChannel .). sencrypt nas ( s e c r e t . CAP). IK = f4(Ki. snid_sn. IK) Verify XAS-MAC = AS-MAC event endMS_AS(imsi_ms. 70 21 knasenc ms ) . Network Type Generate RAND . SNid LTE III XMAC = f1(Ki. cap ms ) . (ASSMC. cap_ms) 11. (= ASSMComplete . RAND) XRES = f2(Ki. KNASint) event begMS(imsi_sn. snid_sn. imsi ms . integrity protected otherwise integrity protected event endSN(imsi_sn. AUTN=MAC KASME=KDF(CK. out ( pubChannel . knasenc ms ) . ik bs . payload. KNASint) Verify XNAS-MAC = NAS-MAC event begSN(imsi_ms. CAP. NAS-MAC = EIA((enableEnc. 64 f i n t e g n a s ( nas smcomplete msg . ck_sn. payload . otherwise Decrypt message if enableEnc_ms is true Fig. (=NASSMC. (MSG. event begMS AS ( imsi bs . NAS-MAC LTE IV event endMS(imsi_ms. (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processBS = i n ( sChannelSnBts . knasenc ms ) ) . cap bs . knasint ms ) ) . nas smcomplete msg . i k b s ) ) ) . ik ms . snid ms . AUTN. IMSI LTE II 3. kasme_sn) 9. ( ck bs : cipherKey . SNid. cap_ms) KNASenc = KDF (KASME). out ( pubChannel . i k b s ) ) ) . ck_ms. kasme_ms) 8. =as smcomplete msg .) Decide enableEnc?. RAND). cap ms ) .MME 3G BS 4G MS 4G HN UMTS I 1. RAND) CK = f3(Ki. CAP. kasme_ms. cap_sn) 7. IK. cap bs ) . f 9 ( payload . 61 out ( pubChannel . i f cap bs = f a l s e then event d i s a b l e E n c . CK = f3(Ki. KASME 5. CK. =cap ms . RAND) IK = f4(Ki. CK. ik_sn. snid_ms. cap bs : bool ) ) . snid_ms. IK. SNid) 6. s e n c i n t n a s ( s e c r e t . SNid) 4. enableEnc. CAP). SNid. f 9 ( ( cap bs . ik_ms. 57 = f i n t e g n a s ( ( enableEnc nas ms . cap ms ) . if no encryption {payload}_CK. AS-MAC XAS-MAC = f9((enableEnc. cap bs ) . RAND).CAP 2. (∗ [ Msg 8 ] ∗) pMSAS( ck ms . KNASint = KDF(KASME. IK) event begMS_AS(imsi_sn. i n ( pubChannel . i k b s : integKey . AS SMC Complete Integrity protected 12. 69 f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . cap_sn) UMTS IV 10. enableEnc. CAP). kasme_sn. ( NASSMComplete . IMSI.

x2 . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . =imsi sn . kasme sn : asmeKey . cap sn . In line 97 and line 103–104 . 22 event ( d i s a b l e E n c ) . ProVerif proves all the properties except the payload secrecy. cap sn . x2 : i d e n t . 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 • Mutual Authentication between the MS and the SN query x1 : i d e n t . event begMS ( imsi sn . x3 ) ) . f 9 ( s en c r y p t a s ( payload . query x1 : i d e n t . x4 : bool . i n ( secureChannel . ( ck sn . The NAS authentication procedure (lines 39–55 and lines 87–92) is the same as in the 4G model. x3 . ik sn . 108 109 110 111 112 113 114 115 116 117 118 119 120 The MME sends out the authentication vector request in line 79. (MSG. k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . cap sn : bool ) ) . ik sn . cipherKey . x3 : asmeKey . (=CAP. 1 2 We specify the security properties as following: • Key Secrecy 1 2 not a t t a c k e r (new k i ) . event ( endSN ( x1 . x2 : i d e n t . imsi hn . msg nas : b i t s t r i n g . = f i n t e g n a s ( msg nas . snid hn : i d e n t ) ) . out ( sChannelSnBts . Security Property Specifications and Findings Since the UMTS BS uses the CK and the IK instead of the keys derived from KeNB . rand sn : nonce . snid hn sn . f i n t e g n a s ( ( cap sn . xres hn . i k s n : i n t e g K e y ) ) . rand sn . get keys (= imsi hn . out ( pubChannel . x4 ) ) event ( begMS ( x1 . imsi sn . the HN generates the 4G authentication vector based on the UMTS authentication vector. Upon receiving the authentication request (line 110). rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . bool ) . ck sn : cipherKey . i k b s ) ) ) . k n a s i n t s n ) ) ) . integKey . imsi sn . xres sn : resp . snid hn sn . x4 ) ) . out ( sChannelSnBts . i m s i s n : i d e n t ) ) . (=RES. mac sn : mac . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then event endSN ( imsi sn . new snid sn : i d e n t . 71 72 query a t t a c k e r ( payload ) 73 (∗ process r e p r e s e n t i n g MME∗) l e t processSN = i n ( pubChannel . The code of the UMTS SMC procedure (lines 4–7 and lines 63–66) is inherited from the UMTS model. ck bs ) . 107 (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . (=AV. s e n c r y p t a s ( payload . x3 . bool ) . integKey .• Conditional Payload Secrecy out ( pubChannel . i f cap sn = t r u e then i f sdecrypt nas ( msg nas . x4 : bool . snid hn sn : i d e n t . the MME sends the CK and the IK to the UMTS BS on the private channel. event ( endMS ( x1 . (AV REQ. imsi hn : i d e n t . ck bs ) . (CHALLENGE. (=AV REQ. The HN then sends the 4G authentication vectors plus the CK and the IK to the MME (line 119–120). ck hn . And the MME receives the authentication vectors in line 80–82. cipherKey . (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n out ( pubChannel . because the BS could choose not to enable encryption when communicating with the MS. rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . x2 . cap sn ) . (=NASSMComplete . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . cap sn ) ) else 0 else 0 . 1 2 • Payload Secrecy query a t t a c k e r ( payload ) . snid hn ) i n out ( secureChannel . x3 : integKey . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . (= ID . x2 : cipherKey . event endMS AS ( i d e n t . ( ck sn . mac hn . i n ( pubChannel . kasme sn ) . the events used to specify the authentication of the BS to the MS use the CK and the IK as their parameters: event begMS AS ( i d e n t . event ( endMS AS ( x1 . kasme hn . ik hn . knasenc sn ) = nas smcomplete msg then event endSN ( imsi sn . x4 ) ) . x2 . rand hn . snid hn sn . The analysis results are the same as the ones in 4G authentication (Section VI). x3 : asmeKey . x3 ) ) event ( begSN ( x1 . x3 . ( AV. cap sn ) . x3 . i k h n ) ) . . snid sn ) ) . mac sn . x2 . i n ( pubChannel . 1 2 3 4 • Authentication of the BS to the MS query x1 : i d e n t . k n a s i n t s n ) ) ) . snid hn . kasme sn . query a t t a c k e r ( s e c r e t ) . kasme sn ) . (NASSMC. imsi sn . out ( secureChannel . x4 ) ) event ( begMS AS ( x1 . i n ( pubChannel . x2 . =xres sn ) ) . x2 . snid sn ) ) .

x2 ) ) . query x1 : i d e n t . cap ms ) ) . (= ID . not a t t a c k e r (new k i ) . (CAP. sessKey ) . type nonce . const MSG: msgHdr . k ) = m. k i ) . ( ID . enableEnc sn ) ) . kc sn ) . (CMC. process ( ( ! processMS ) | processSN | processHN ) event d i sa b l e E nc . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi hn sn . i m s i s n : i d e n t ) ) . rand ms : nonce ) ) . rand sn ) ) . (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS [ Msg 5 ] ∗) out ( pubChannel . kc hn ) ) . cap sn : bool ) ) . kc ms ) . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . msg : b i t s t r i n g ) ) . event endMS ( imsi ms . const CHALLENGE: msgHdr .A PPENDIX D COMPLETE CODE LISTINGS FOR ALL SCENARIOS out ( pubChannel . kc sn : sessKey ) ) . (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) (∗ s e c r e t K c i s s e c r e t i f and o n l y i f a l l kcs are s e c r e t ∗) free secretKc : b i t s t r i n g [ private ] . x2 ) ) event ( begSN ( x1 . key ) shared between t h e MS and t h e HN. res sn : resp ) ) . x2 : sessKey . fun s e n c r y p t ( b i t s t r i n g . s e n c r y p t ( s . free s : bitstring [ private ] . (=MSG. (∗ Send o u t permanent ID [ Msg 2 ] ∗) out ( pubChannel . (∗SN decide whether t o e n c r y p t messages . i m s i s n ) ) . rand hn . i f enableEnc ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t ( msg . ( AV. (=AV. cap sn ) ) . (∗ Receive GSM c i p h e r mode command [ Msg 7 ] ∗) i n ( pubChannel . k i h n ) i n l e t xres hn : resp = a3 ( rand hn . GSM I – IV (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . query x1 : i d e n t . fun a8 ( nonce . k i h n ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) out ( secureChannel . s d e c r y p t ( s e n c r y p t (m. (∗ t y p e s ∗) type key . (=AV REQ. s e n c r y p t ( secretKc . (MSG. (∗ F u n c t i o n s ∗) fun a3 ( nonce . (∗When t h e a t t a c k e r knows s . const RES: msgHdr . (AV REQ. s e n c r y p t ( secretKc . S1. imsi ms ) ) . kc ms ) ) . rand sn : nonce . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . type i d e n t . (∗ i f enableEnc sn = f a l s e then ∗) i f cap sn = f a l s e then event d i s a b l e E n c . event ( endMS ( x1 . enableEnc ms : bool ) ) . (∗ Secure channel between t h e SN and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . new k i : key . const ID : msgHdr . ∗) query a t t a c k e r ( s ) event ( d i s a b l e E n c ) . imsi hn . type nonce . out ( pubChannel . key ) : sessKey . (=CMC. (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) out ( secureChannel . kc sn ) .86pl4. k ) . (∗ I n p u t c h a l l e n g e message from SN [ Msg 5 ] ∗) i n ( pubChannel . kc hn ) ) . (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = a3 ( rand ms . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN[ Msg 1 ] ∗) (∗ t y p e s ∗) type key . (CMC. key ) . out ( pubChannel . (∗ The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . (CHALLENGE. (∗ Send o u t c i p h e r mode command [ Msg 7 ] ∗) (∗ o u t ( pubChannel . reduc e n c C a p a b i l i t y ( ) = t r u e . s e n c r y p t ( secretKc . type i d e n t . t h e event d i s a b l e E n c has been executed . k i h n ) i n l e t kc hn : sessKey = a8 ( rand hn . xres hn . key ) : resp . (∗ Send o u t response t o SN [ Msg 6 ] ∗) out ( pubChannel . event begMS ( i d e n t . imsi hn sn : i d e n t . l e t processSN = (∗ Receive MS’ s c a p a b i l i t y [ Msg 1 ] ∗) i n ( pubChannel . event endMS ( i d e n t . x2 : sessKey . type sessKey . type msgHdr . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . UMTS I – IV (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . (=RES. imsi hn : i d e n t ) ) . sessKey ) . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) i n ( secureChannel . k : sessKey . (∗ Check whether r e c e i v e d response equal t o expected response ∗) i f res sn = xres sn then (∗ At t h i s p o i n t . sessKey ) : b i t s t r i n g . (∗ Receive a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) i n ( secureChannel . (MSG. event ( endSN ( x1 . (=CAP. based on r e c e i v e d c a p a b i l i t i e s o f MS∗) (∗ l e t enableEnc sn : b o o l = cap sn i n ∗) event begMS ( imsi hn sn . S2. kc sn ) ) ) . (∗ Secure channel between t h e SN and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . xres sn : resp . reduc f o r a l l m: b i t s t r i n g . sessKey ) . 23 . type resp . const AV : msgHdr . (∗ Receive response [ Msg 6 ] ∗) i n ( pubChannel . event endSN ( i d e n t . out ( pubChannel . k i ) i n l e t kc ms : sessKey = a8 ( rand ms . encCapability ( ) = false . kc ms ) . l e t processMS = (∗ The i d e n t and pre−shared key o f t h e MS ∗) new imsi ms : i d e n t . kc sn ) ) . All models are checked by ProVerif version 1. ∗) out ( pubChannel . out ( pubChannel . res ms ) ) . i n s e r t keys ( imsi ms . const AV REQ: msgHdr . k i ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . sessKey ) . kc ms ) i n 0. (=CHALLENGE. const CMC: msgHdr . x2 ) ) . query a t t a c k e r ( s ) . (RES. Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . (∗ Receive permanent ID [ Msg 2 ] ∗) i n ( pubChannel . s ) ) else out ( pubChannel . x2 ) ) event ( begMS ( x1 . query a t t a c k e r ( s e c r e t K c ) . (∗ Receive message from SN [ Msg 8 ] ∗) i n ( pubChannel .

bool ) . ∗) (∗ use them as s e s s i o n keys t o e n c r y p t a f r e e p r i v a t e name ∗) fun s e n c r y p t I n t e g ( b i t s t r i n g . (∗ Check whether r e c e i v e d response equal t o expected response ∗) i f res sn = xres sn then (∗ At t h i s p o i n t . cipherKey . key ) . fresh sn . event begMS ( i d e n t . nonce ) : i n t e g K e y . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN[ Msg 1 ] ∗) 24 . const AV : msgHdr . i f enableEnc ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t ( msg . (∗ To t e s t secrecy o f t h e i n t e g r i t y key . resp . ck ms ) ) . query a t t a c k e r ( s ) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) i n ( secureChannel . (∗ Send o u t c i p h e r mode command [ Msg 7 ] ∗) out ( pubChannel . (MSG. query a t t a c k e r ( s e c r e t I k ) . l e t processMS = (∗ The i d e n t and pre−shared key o f t h e MS ∗) new imsi ms : i d e n t . fun s e n c r y p t ( b i t s t r i n g . (∗ s e c r e t I k i s s e c r e t i f and o n l y i f free secretIk : bitstring [ private ] . (∗ Receive response [ Msg 6 ] ∗) i n ( pubChannel . ck sn ) ) . event ( d i s a b l e E n c ) . (=AV REQ. out ( pubChannel . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . new f r e s h s n : nonce . out ( pubChannel . (∗ Receive a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) i n ( secureChannel . out ( pubChannel . i n t e g K e y ) : msgMac . s e n c r y p t I n t e g ( s e c r e t I k . query x1 : i d e n t . fresh msg sn . (∗SN decide whether t o e n c r y p t messages ∗) (∗ base on t h e r e c e i v e d c a p a b i l i t i e s o f MS∗) (∗ l e t enableEnc sn : b o o l = cap sn i n ∗) event begMS ( imsi hn sn . enableEnc ms : bool . event ( endSN ( x1 . ck ms . cipherKey ) : b i t s t r i n g . x3 : integKey . x4 : bool . (CHALLENGE. rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . event endMS ( imsi ms . ( ID . rand hn . fresh ms ) . cipherKey . k ) . i f f 1 ( k i . query a t t a c k e r ( s ) . integKey . (∗ F u n c t i o n s ∗) fun f 1 ( key . fresh msg ms ) . fresh msg ms : nonce . fun f 4 ( key . s e n c r y p t ( s . nonce ) : cipherKey . const RES: msgHdr . (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) (∗ secretCk i s s e c r e t i f and o n l y i f a l l cks are s e c r e t ∗) f r e e secretCk : b i t s t r i n g [ p r i v a t e ] . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi hn sn . msgMac . (= ID . = f 9 ( ( msg . event endSN ( i d e n t . xres hn . ck ms . (∗ Receive permanent ID [ Msg 2 ] ∗) i n ( pubChannel . f 9 ( ( s e n c r y p t ( s . i m s i s n : i d e n t ) ) . ck sn : cipherKey . i k s n : integKey . mac . x2 : cipherKey . (AV REQ. imsi hn : i d e n t ) ) . query a t t a c k e r ( secretCk ) . event endMS ( i d e n t . (=CHALLENGE. mac hn ) ) . query x1 : i d e n t . = f 9 ( ( enableEnc ms . fresh msg sn ) . ik ms ) ) ) . i k s n ) ) ) else out ( pubChannel . (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) out ( secureChannel . ( AV. new fresh msg sn : nonce . (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS [ Msg 5 ] ∗) out ( pubChannel . new k i : key . reduc f o r a l l m: b i t s t r i n g . x3 . x3 . const AV REQ: msgHdr . (∗ Send o u t one message [ Msg 8 ] ∗) (∗ i f enableEnc sn = f a l s e then ∗) i f cap sn = f a l s e then event d i s a b l e E n c . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . integKey . fresh msg sn ) . out ( pubChannel . const SMC: msgHdr . (∗ I n p u t c h a l l e n g e message from SN [ Msg 5 ] ∗) i n ( pubChannel . l e t processSN = (∗ Receive MS’ s c a p a b i l i t y [ Msg 1 ] ∗) i n ( pubChannel . reduc encCapability ( ) = true . s . event d i s ab l e E n c . k ) = m. encCapability ( ) = false . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . f 9 ( ( cap sn . rand ms : nonce . x4 ) ) . (∗ Receive message from SN [ Msg 8 ] ∗) i n ( pubChannel . (=SMC. integKey ) . k ) = m. (∗ Generate a f r e s h random number ∗) new rand hn : nonce . ik ms ) ) ) . xres sn : resp . cipherKey . x2 . x3 ) ) event ( begSN ( x1 . cap sn . s e n c r y p t ( secretCk . (=CAP. nonce ) : resp . f r e s h s n ) . const CHALLENGE: msgHdr . integKey . const ID : msgHdr . imsi hn sn : i d e n t . bool ) . out ( pubChannel . msg : b i t s t r i n g . (=RES. x2 : cipherKey . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . s e n c r y p t ( secretCk . ck ms ) i n 0. cipherKey . ck hn ) ) . cap ms ) . k ) . i k s n ) ) . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . nonce ) : mac . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . i k s n ) ) ) .type type type type type type out ( pubChannel . rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) out ( secureChannel . msgHdr . ck hn . x2 . const MSG: msgHdr . s e n c r y p t ( secretCk . cap sn : bool ) ) . rand ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . free s : bitstring [ private ] . fresh msg sn . res sn : resp ) ) . x3 : i n t e g K e y . (∗ Send o u t permanent ID [ Msg 2 ] ∗) out ( pubChannel . (∗ Send o u t response t o SN [ Msg 6 ] ∗) out ( pubChannel . s d e c r y p t I n t e g ( s e n c r y p t I n t e g (m. (=MSG. k : cipherKey . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . ck sn ) . s d e c r y p t ( s e n c r y p t (m. (SMC. event ( endMS ( x1 . (RES. ck sn ) . mac sn : mac ) ) . x2 . mac ms : mac ) ) . ik ms . rand sn : nonce . rand sn . x4 ) ) event ( begMS ( x1 . k i ) . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . ik sn . cap sn . i k s n ) ) ) . integKey ) . (∗ Receive GSM c i p h e r mode command [ Msg 7 ] ∗) i n ( pubChannel . (MSG. ck sn . cipherKey . rand ms ) = mac ms then (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = f 2 ( k i . ik ms ) . out ( pubChannel . i n t e g K e y ) : b i t s t r i n g . i k s n ) . fun f 2 ( key . cap sn ) . fun f 9 ( b i t s t r i n g . ik ms ) ) . k : i n t e g K e y . cap sn . i n s e r t keys ( imsi ms . ck sn . imsi ms ) ) . (=AV. x3 ) ) . i m s i s n ) ) . ik hn . f 9 ( ( s . mac sn ) ) . x2 . res ms ) ) . s e n c r y p t I n t e g ( s e c r e t I k . imsi hn . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . fun f 3 ( key . reduc f o r a l l m: b i t s t r i n g . (CAP. a l l i k s are s e c r e t ∗) not a t t a c k e r (new k i ) . cap ms . fresh ms : nonce . =cap ms . cap ms ) ) .

fun f 4 ( key . nonce ) : mac . senc up ( s e c r e t . k ) . encCapability ( ) = false . type i n t e g K e y . i d e n t . type cipherKey . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . (∗ [ Msg 1 1 ] ∗) event endMS ENB( imsi ms . reduc f o r a l l m: b i t s t r i n g . kasenc ms ) ) . bool ) . type nasEncKey . x3 ) ) event ( begSN ( x1 . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . i n ( pubChannel . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . const AV : msgHdr . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . query x1 : i d e n t . kenb ms ) . event d i s a b l e E n c . type upEncKey . kenb ms . query a t t a c k e r ( s e c r e t ) . a s I n t K e y ) : b i t s t r i n g . query x1 : i d e n t . k : nasIntKey . i d e n t ) : asmeKey . fun kdf up enc ( enbKey ) : upEncKey . reduc f o r a l l m: b i t s t r i n g . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . x2 . asmeKey . type mac . (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . imsi ms : i d e n t . f r e e payload : b i t s t r i n g [ p r i v a t e ] . type a s I n t K e y . x2 ) ) . fun kdf enb ( asmeKey ) : enbKey . const NASSMC: msgHdr . bool ) . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . reduc f o r a l l m: b i t s t r i n g . reduc f o r a l l m: b i t s t r i n g . k : asEncKey . k ) . x2 : enbKey . kasint ms ) ) ) . out ( pubChannel . kupenc ms ) ) . (∗ Pre−shared key ∗) new k i : key . sdec in nas ( s e n c i n t n a s (m. const AV REQ: msgHdr . enbKey ) . k ) . fun senc up ( b i t s t r i n g . s e n c r y p t I n t e g ( s e c r e t I k . type nonce . kasint ms ) ) . asEncKey ) : b i t s t r i n g . key ) . asmeKey ) . query x1 : i d e n t . fun kdf nas enc ( asmeKey ) : nasEncKey . type nasIntKey . (∗ F u n c t i o n s ∗) fun f 1 ( key . = f i n t e g a s ( datamsg . x2 . integKey . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . x4 ) ) event ( begMS ( x1 . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . type asmeKey . fun kdf asme ( cipherKey . datamsg : b i t s t r i n g . x3 . upEncKey ) : b i t s t r i n g . const ID : msgHdr . l e t res ms : resp = f 2 ( k i . bool ) . const MSG: msgHdr . kasint ms ) ) ) . 25 . k i ) . out ( pubChannel . cap ms ) . i n ( pubChannel . const NASSMComplete : msgHdr . x2 : i d e n t . fun k d f n a s i n t ( asmeKey ) : nasIntKey . (=CHALLENGE. event ( endMS ( x1 . t y p e C o n v e r t e r ] . f r e e as smcomplete msg : b i t s t r i n g . x3 ) ) . fun s e n c i n t n a s ( b i t s t r i n g . const RES: msgHdr . event ( endSN ( x1 . (=ASSMC. x3 : asmeKey . k ) . asmeKey . enbKey ) . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . (∗ t y p e s ∗) type key . type msgMac . k : a s I n t K e y . const ASSMC: msgHdr . i k h n ) ) . fun f 2 ( key . event begMS ENB( i d e n t . reduc encCapability ( ) = true . cap ms ) ) . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . k ) . type resp . type enbKey . event endSN ( i d e n t . type i d e n t . x3 : asmeKey . rand ms ) . nonce ) : cipherKey . (=MSG. process ( ( ! processMS ) | processSN | processHN ) S3. f i n t e g a s ( as smcomplete msg . x2 . x2 . event begENB ( imsi ms . x3 ) ) event (begMS ENB( x1 . ( ID . as smcomplete msg . fun k d f a s i n t ( enbKey ) : a s I n t K e y . nasEncKey ) : b i t s t r i n g . k : nasEncKey . reduc f o r a l l m: b i t s t r i n g . event (endMS ENB( x1 . nonce ) : i n t e g K e y . fun se nc ry pt as ( b i t s t r i n g . rand ms ) i n (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . sdec up ( senc up (m. event begENB ( i d e n t . i d e n t . (∗AS SMC procedure i n process MS∗) l e t pMSAS( kasme ms : asmeKey . cap ms : bool ) = l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n i n ( pubChannel . nasIntKey ) : b i t s t r i n g . nasIntKey ) : msgMac . k : upEncKey . event endMS ( i d e n t . not a t t a c k e r (new k i ) . out ( pubChannel . x2 : i d e n t . x4 ) ) . fun f 3 ( key . x3 ) ) . k ) = m. x2 ) ) event ( begENB ( x1 . sd ec ry pt as ( s en c r y p t a s (m. event endMS ENB( i d e n t . fun kdf as enc ( enbKey ) : asEncKey . kasint ms ) ) ) . x4 : bool . s e n c i n t a s ( s e c r e t . a s I n t K e y ) : msgMac . query x1 : i d e n t . fun sencrypt nas ( b i t s t r i n g . (CAP. rand ms : nonce . x2 : enbKey . snid ms : i d e n t ) ) . query a t t a c k e r ( payload ) . kasenc ms ) in 0. k ) = m. s e n c r y p t a s ( s e c r e t . fun f i n t e g n a s ( b i t s t r i n g . event ( endENB ( x1 . k ) = m. t h e event d i s a b l e E n c has been executed . x3 . ( ASSMComplete . bool ) . (∗When t h e a t t a c k e r knows s . k ) = m. enableEnc as ms : bool . sdecrypt nas ( sencrypt nas (m. event endENB ( i d e n t . sdec in as ( s e n c i n t a s (m. x2 . (∗ Secure channel between MME and BS∗) f r e e sChannelSnBts : channel [ p r i v a t e ] . = f 1 ( k i .out ( pubChannel . fun f i n t e g a s ( b i t s t r i n g . nonce ) : resp . i d e n t . event begMS ( i d e n t . i d e n t . const ASSMComplete : msgHdr . k ) = m. type asEncKey . x3 : bool . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . x2 . type msgHdr . enbKey . LTE I – V free secret : bitstring [ private ] . const CHALLENGE: msgHdr . out ( pubChannel . enbKey . (∗ [ Msg 1 2 ] ∗) out ( pubChannel . fun s e n c i n t a s ( b i t s t r i n g . asmeKey ) . imsi ms ) ) .

(∗ Secure channel between t h e SN and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . cap sn ) . GSM I – IV. cap enb : bool ) ) . enableEnc nas ms : bool . f i n t e g a s ( s e n c r y p t a s ( payload . out ( pubChannel . cap enb . nonce ) : i n t e g K e y . (MSG. (∗ process r e p r e s e n t i n g MME∗) l e t processMME = i n ( pubChannel . pMSAS( kasme ms . fun c3 ( cipherKey . key ) shared between t h e MS and t h e HN. cap sn : bool ) ) . kasenc enb ) . snid sn ) ) . kenb enb ) . i n ( secureChannel . out ( pubChannel . (CHALLENGE. cap ms ) . kasenc enb ) . kasme sn : asmeKey ) ) . k a s i n t e n b ) ) ) . imsi hn : i d e n t . mac sn : mac . const AV : msgHdr . const RES: msgHdr . l e t kenb enb : enbKey = kdf enb ( kasme enb ) i n l e t kasenc enb : asEncKey = kdf as enc ( kenb enb ) i n l e t k a s i n t e n b : a s I n t K e y = k d f a s i n t ( kenb enb ) i n l e t kupenc enb : upEncKey = kdf up enc ( kenb enb ) i n event begMS ENB( imsi enb . out ( pubChannel . i m s i s n : i d e n t ) ) . = f i n t e g n a s ( ( enableEnc nas ms . mac hn . = f i n t e g a s ( as smcomplete msg . xres hn . kasme ms ) . sencrypt nas ( s e c r e t . out ( sChannelSnBts . (=RES.l e t ik ms : i n t e g K e y = f 4 ( k i . knasint ms ) ) ) . nonce ) : cipherKey . cap sn . cap ms ) . i n ( pubChannel . type sessKey . knasint ms ) ) ) . knasenc ms ) ) . snid hn : i d e n t ) ) . reduc f o r a l l m: b i t s t r i n g . fun f 9 ( b i t s t r i n g . event begMS ( imsi sn . s d e c r y p t ( s e n c r y p t (m. type i d e n t . k a s i n t e n b ) ) ) . new snid sn : i d e n t . s e n c i n t n a s ( s e c r e t . imsi enb : i d e n t . snid sn ) ) . imsi hn . (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n out ( pubChannel . knasenc ms ) . fun c2 ( resp ) : resp . const CMC: msgHdr . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . i n t e g K e y ) : sessKey . snid hn . query a t t a c k e r ( s ) . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . snid sn . i f enableEnc nas ms = f a l s e then out ( pubChannel . ( kasme enb : asmeKey . snid ms . (ASSMC. out ( sChannelSnBts . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then event endSN ( imsi sn . event endMS ( imsi ms . k a s i n t e n b ) ) ) else out ( pubChannel . cipherKey ) : b i t s t r i n g . (NASSMC. k n a s i n t s n ) ) ) . k : sessKey . out ( secureChannel . cap ms ) . kasme ms . const MSG: msgHdr . snid sn . (= ID . xres sn : resp . rand sn . (∗ t y p e s ∗) type key . ∗) (∗ use them as s e s s i o n keys t o e n c r y p t a f r e e p r i v a t e name ∗) fun s e n c r y p t C i p h e r ( b i t s t r i n g . cap ms ) else out ( pubChannel . (=AV REQ. s d e c r y p t C i p h e r ( s e n c r y p t C i p h e r (m. (=CAP. reduc encCapability ( ) = true . ik ms . i n ( pubChannel . event endENB ( imsi enb . s e n c r y p t a s ( payload . (∗NAS SMC procedure ∗) l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i n ( pubChannel . free s : bitstring [ private ] . ik hn . =as smcomplete msg . i f cap enb = f a l s e then event d i sa b l e E n c . =cap ms . kasme sn ) . nonce ) : mac . pMSAS( kasme ms . Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . kasint enb ) ) ) . (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processENB = i n ( sChannelSnBts . knasenc sn ) = nas smcomplete msg then event endSN ( imsi sn . key ) . cap sn . i n ( pubChannel . imsi ms . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . res ms ) ) . rand sn : nonce . i n t e g K e y ) : msgMac . type mac . (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) (∗ s e c r e t K c i s s e c r e t i f and o n l y i f a l l kcs i s s e c r e t ∗) free secretKc : b i t s t r i n g [ private ] . 26 . kenb enb . (AV REQ. ( NASSMComplete . (=NASSMC. f i n t e g n a s ( nas smcomplete msg . type i n t e g K e y . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . fun s e n c r y p t ( b i t s t r i n g . k ) . type resp . event begSN ( imsi ms . convert(3G AV → 2G AV) (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . k ) . cap sn ) ) else 0 else 0 . mac sn . i n ( pubChannel . snid sn . kasme hn ) ) . snid hn ) i n out ( secureChannel . =imsi sn . process ( ( ! processMS ) | processMME | processENB | processHN ) S4. nonce ) : resp . (∗ F u n c t i o n s ∗) fun f 1 ( key . ( NASSMComplete . rand hn . f i n t e g a s ( payload . k n a s i n t s n ) ) ) . const CHALLENGE: msgHdr . get keys (= imsi hn . msg nas : b i t s t r i n g . ( AV. ( kasme sn . k ) = m. fun f 4 ( key . const AV REQ: msgHdr . (=AV. nas smcomplete msg . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . k ) = m. snid ms . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . snid ms ) i n out ( pubChannel . f i n t e g n a s ( ( cap sn . imsi sn . sencrypt nas ( nas smcomplete msg . (= ASSMComplete . type msgHdr . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . cap enb ) . knasenc ms ) . out ( pubChannel . = f i n t e g n a s ( msg nas . i f cap sn = t r u e then i f sdecrypt nas ( msg nas . (RES. type msgMac . reduc f o r a l l m: b i t s t r i n g . =xres sn ) ) . (∗NAS key secrecy ∗) out ( pubChannel . query a t t a c k e r ( s e c r e t K c ) . (MSG. payload . type nonce . k : cipherKey . encCapability ( ) = false . knasint ms ) ) . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . const ID : msgHdr . imsi sn . imsi ms . ( kasme sn . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap enb ) . kasme sn ) . type cipherKey . =snid sn . imsi sn . (∗ To t e s t secrecy o f t h e c i p h e r key . sessKey ) : b i t s t r i n g . cap sn ) . fun f 2 ( key . (=NASSMComplete . fun f 3 ( key . knasint ms ) ) ) . kasme sn . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn .

const RES: msgHdr . . res sn : resp ) ) . new k i : key . s e n c r y p t ( secretKc . (∗ Check whether r e c e i v e d response matches expected response ∗) i f res sn = xres sn then (∗ At t h i s p o i n t . (∗When t h e a t t a c k e r knows s . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . s e n c r y p t ( secretKc . (∗ Send o u t permanent ID [ Message 2 ] ∗) out ( pubChannel . (∗ t y p e s ∗) type key . kc sn ) . kc ms ) . . (= ID . xres sn : resp . key ) : sessKey . ck ms ) ) . enableEnc ms : bool ) ) . (MSG. kc ms ) ) . sessKey ) . (∗ Secure channel between t h e SN and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . s e n c r y p t ( secretKc . type nonce . cap sn : bool ) ) . conv(Kc → CK IK. enableEnc sn ) ) . k ) = m.(∗ secretCk i s s e c r e t i f and o n l y i f f r e e secretCk : b i t s t r i n g [ p r i v a t e ] . (∗ Send o u t response t o SN [ Message 6 ] ∗) out ( pubChannel . encCapability ( ) = false . GSM I–III k UMTS IV. process ( ( ! processMS ) | processSN | processHN ) S5. type i d e n t . key ) : resp . VLR/SGSN) (∗ param verboseClauses = e x p l a i n e d . xres hn g . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . msg : b i t s t r i n g ) ) . cap sn ) ) . (AV REQ. fun c5 ( sessKey ) : i n t e g K e y . query a t t a c k e r ( secretCk ) . (∗ Process r e s p r e s e n t i n g SN∗) l e t processSN = (∗ Receive MS’ s c a p a b i l i t y [ Message 1 ] ∗) i n ( pubChannel . (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS [ Message 5 ] ∗) out ( pubChannel . (∗ i f enableEnc sn = f a l s e then ∗) i f cap sn = f a l s e then event d i s a b l e E n c . ik ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . kc sn : sessKey ) ) . out ( pubChannel . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . cipherKey ) : b i t s t r i n g . i n s e r t keys ( imsi ms . reduc f o r a l l m: b i t s t r i n g . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . type sessKey . event endMS ( imsi ms . (∗ I n p u t c h a l l e n g e message from SN [ Message 5 ] ∗) i n ( pubChannel . (∗ Process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t and pre−shared key o f t h e MS ∗) new imsi ms : i d e n t . sessKey ) . rand sn : nonce . (CMC. (=RES. rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . (MSG. (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms u : resp = f 2 ( k i . k ) . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi hn sn . event endMS ( i d e n t . kc sn ) ) . kc ms ) . (CHALLENGE. imsi hn sn : i d e n t . (∗ To t e s t secrecy o f t h e i n t e g r i t y key . fun f 9 ( b i t s t r i n g . i m s i s n ) ) . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . ∗) (∗ use them as s e s s i o n keys t o e n c r y p t a f r e e p r i v a t e name ∗) fun s e n c r y p t I n t e g ( b i t s t r i n g . const AV REQ: msgHdr . kc hn ) ) . s e n c r y p t C i p h e r ( secretCk . (∗ Receive permanent ID [ Message 2 ] ∗) i n ( pubChannel . event begMS ( imsi hn sn . a l l cks are s e c r e t ∗) (∗ I f KC and CK are s e c r e t . (=AV. s e n c r y p t C i p h e r ( secretCk . (∗ Receive GSM c i p h e r mode command [ Message 7 ] ∗) i n ( pubChannel . type msgHdr . (∗ Receive message from SN [ Message 8 ] ∗) i n ( pubChannel . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . sessKey ) . fun c4 ( sessKey ) : cipherKey . i m s i s n : i d e n t ) ) . fun a8 ( nonce . ck hn ) ) . event begMS ( i d e n t . rand hn ) i n l e t xres hn g : resp = c2 ( xres hn u ) i n l e t kc hn : sessKey = c3 ( ck hn . kc ms ) i n 0. out ( pubChannel . type mac . (RES. rand ms : nonce ) ) . t h e event d i sa b l e E nc has been executed . const SMC: msgHdr . out ( pubChannel . (=CMC. ∗) query a t t a c k e r ( s ) event ( d i s a b l e E n c ) . imsi hn . fun s e n c r y p t ( b i t s t r i n g . s e n c r y p t ( s . out ( pubChannel . (CMC. x2 ) ) x2 ) ) . x2 : sessKey . event ( endMS ( x1 . type resp . ( AV. res ms g ) ) . kc sn ) . query x1 : i d e n t event ( begMS ( x1 . const AV : msgHdr . const ID : msgHdr . s ) ) else out ( pubChannel . . reduc encCapability ( ) = true . event ( endSN ( x1 . rand ms ) i n l e t res ms g : resp = c2 ( res ms u ) i n l e t kc ms : sessKey = c3 ( ck ms . const MSG: msgHdr . event d i sa b l e E nc . type cipherKey . x2 ) ) x2 ) ) . i n t e g K e y ) : msgMac . ∗) out ( pubChannel . (∗ Send o u t c i p h e r mode command [ Message 7 ] ∗) (∗ o u t ( pubChannel . out ( pubChannel . i n t e g K e y ) : b i t s t r i n g . out ( pubChannel . ( ID . const CHALLENGE: msgHdr . (=MSG. then IK i s s e c r e t ∗) not a t t a c k e r (new k i ) . query x1 : i d e n t event ( begSN ( x1 . (∗ Process r e p r e s e n t i n g HN∗) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Message 3 ] ∗) i n ( secureChannel . x2 : sessKey . (∗ Receive response [ Message 6 ] ∗) i n ( pubChannel . (CAP. event endSN ( i d e n t . (=CAP. i f enableEnc ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t ( msg . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN[ Message 1 ] ∗) out ( pubChannel . kc sn ) ) ) . imsi hn : i d e n t ) ) . rand hn ) i n l e t xres hn u : resp = f 2 ( ki hn . k : cipherKey . cap ms ) ) . k i ) . sessKey ) . s d e c r y p t ( s e n c r y p t (m. (=AV REQ. i k h n ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r [ Message 4 ] ∗) out ( secureChannel . rand hn . (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Message 3 ] ∗) out ( secureChannel . imsi ms ) ) . (∗ Receive a u t h e n t i c a t i o n v e c t o r [ Message 4 ] ∗) i n ( secureChannel . type i n t e g K e y . type msgMac . (∗ SN decide whether t o e n c r y p t messages ∗) (∗ base on t h e r e c e i v e d c a p a b i l i t i e s o f MS∗) (∗ l e t enableEnc sn : b o o l = cap sn i n ∗) 27 (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . (∗ F u n c t i o n s ∗) fun a3 ( nonce . ∗) (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . rand sn ) ) . kc hn ) ) . (=CHALLENGE.

cipherKey . l e t i k s n : i n t e g K e y = c5 ( kc sn ) i n query a t t a c k e r ( s e c r e t I k ) . reduc f o r a l l m: b i t s t r i n g . cap sn : bool ) ) . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) f 9 ( ( enableEnc sn . x4 ) ) . (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = a3 ( rand ms . else (∗When t h e a t t a c k e r knows s . f r e s h s n ) . (∗ Send o u t permanent ID [ Msg 2 ] ∗) out ( pubChannel . out ( pubChannel . cap sn . s d e c r y p t I n t e g ( s e n c r y p t I n t e g (m. k ) . (CHALLENGE. out ( pubChannel . (MSG. rand sn ) ) . enableEnc ms : bool . (=CAP. k i h n ) i n l e t kc hn : sessKey = a8 ( rand hn . s e n c r y p t ( secretCk . enableEnc sn . rand hn . xres sn : resp . x3 . i f enableEnc ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t ( msg . conv(CK IK → Kc. (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS [ Msg 5 ] ∗) query a t t a c k e r ( s ) . (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) (∗ Check whether r e c e i v e d response equal t o expected response ∗) (∗ secretCk i s s e c r e t i f and o n l y i f a l l cks are s e c r e t ∗) i f res sn = xres sn then f r e e secretCk : b i t s t r i n g [ p r i v a t e ] . integKey . i f cap sn = f a l s e then event ( endMS ( x1 . k i ) i n l e t kc ms : sessKey = a8 ( rand ms . (∗SN decide whether t o e n c r y p t messages ∗) (∗ base on t h e r e c e i v e d c a p a b i l i t i e s o f MS∗) (∗ I f IK and CK are s e c r e t . fresh msg sn . ck ms . event endSN ( i d e n t . (∗ i f enableEnc sn = f a l s e then ∗) query x1 : i d e n t . s e n c r y p t I n t e g ( s e c r e t I k . k i h n ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) out ( secureChannel . ( AV. ik ms . x2 . then KC i s s e c r e t . x3 : integKey . event endMS ( i d e n t . new k i : key . s e n c r y p t ( s . = f 9 ( ( msg . bool ) . ck sn ) ) . event endMS ( imsi ms . fresh msg sn ) . ck ms ) ) . out ( pubChannel . cap ms ) . i k s n ) ) ) . k ) = m. (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . ∗) (∗ l e t enableEnc sn : b o o l = cap sn i n ∗) (∗ Because CK and IK are computed from KC by p u b l i c f u n c t i o n s ∗) new f r e s h s n : nonce . i n s e r t keys ( imsi ms . query a t t a c k e r ( s ) event ( d i s a b l e E n c ) . i k s n ) ) ) event d i s ab l e E n c . fresh msg sn . (∗ Convert Kc i n t o UMTS keys ∗) (∗ s e c r e t I k i s s e c r e t i f and o n l y i f a l l i k s are s e c r e t ∗) l e t ck sn : cipherKey = c4 ( kc sn ) i n free secretIk : bitstring [ private ] . imsi hn . cap ms . (SMC. x2 : cipherKey . rand sn : nonce . i k s n ) ) . event begMS ( imsi hn sn . cap ms ) ) . event ( begMS ( x1 . x4 : bool . x3 . msg : b i t s t r i n g . kc sn : sessKey ) ) . not a t t a c k e r (new k i ) . out ( pubChannel . process ( ( ! processMS ) | processSN | processHN ) S6. k i h n ) i n l e t xres hn : resp = a3 ( rand hn . key ) . i m s i s n : i d e n t ) ) . fresh msg ms ) . fresh ms : nonce . SN a u t h e n t i c a t e d MS∗) query a t t a c k e r ( secretCk ) . s . sessKey ) . (= ID . out ( pubChannel . type nonce . imsi hn sn : i d e n t . (∗ At t h i s p o i n t .l e t processSN = (∗ Receive MS’ s c a p a b i l i t y [ Msg 1 ] ∗) i n ( pubChannel . k : i n t e g K e y . i k s n ) ) ) . new fresh msg sn : nonce . k i ) . =cap ms . out ( pubChannel . s e n c r y p t ( secretCk . cipherKey . free s : bitstring [ private ] . imsi ms ) ) . i n ( secureChannel . ( ID . (CAP. ik ms ) ) ) . fresh msg sn ) . kc sn ) . type sessKey . (∗ I n p u t c h a l l e n g e message from SN [ Msg 5 ] ∗) i n ( pubChannel . k i ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . s e n c r y p t I n t e g ( s e c r e t I k . ck sn ) . fresh sn . ck sn . (SMC. ∗) event begSN ( i d e n t . ik ms ) ) ) . i m s i s n ) ) . The key t a b l e c o n s i s t s o f p a i r s (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) ( i d e n t . type i d e n t . res sn : resp ) ) . event begMS ( i d e n t . (=AV. type msgMac . x4 ) ) event d i s a b l e E n c . UMTS I–III k GSM IV. cap sn . cap sn . out ( pubChannel . type msgHdr . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN[ Msg 1 ] ∗) out ( pubChannel . (∗ Secure channel between t h e MS and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . event endSN ( imsi hn sn . ck sn ) . (=RES. (=AV REQ. (∗ Send o u t response t o SN [ Msg 6 ] ∗) out ( pubChannel . fresh ms ) . type mac . (MSG. (∗ Receive message from SN [ Msg 8 ] ∗) i n ( pubChannel . (∗ Send o u t c i p h e r mode command [ Msg 7 ] ∗) (∗ o u t ( pubChannel . type i n t e g K e y . fresh sn . (∗ t y p e s ∗) type key . = f 9 ( ( enableEnc ms . ck ms ) i n 0. out ( secureChannel . (∗ Process r e s p r e s e n t i n g SN∗) 28 . i k s n ) ) ) . res ms ) ) . (=SMC. rand ms : nonce ) ) . f r e s h s n ) . (RES. imsi hn : i d e n t ) ) . cap sn ) . kc ms ) . (∗ Send o u t one message [ Msg 8 ] ∗) event ( endSN ( x1 . (AV REQ. kc hn ) ) . (∗ Process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t and pre−shared key o f t h e MS ∗) new imsi ms : i d e n t . x2 . fresh msg ms : nonce . sessKey ) . t h e event out ( pubChannel . type cipherKey . f 9 ( ( s . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . x2 : sessKey . cap sn . xres hn . key ) shared between t h e MS and t h e HN. ik ms ) ) . (∗ Receive response [ Msg 6 ] ∗) (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) i n ( pubChannel . cap sn . ik sn . integKey . x2 ) ) . f 9 ( ( cap sn . (=MSG. bool ) . x2 ) ) event ( begSN ( x1 . (=CHALLENGE. d i sa b l e E nc has been executed . query x1 : i d e n t . type resp . (∗ Process r e p r e s e n t i n g HN∗) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) i n ( secureChannel . Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) (∗ Receive a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) t a b l e keys ( i d e n t . VLR/SGSN) (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . ∗) f 9 ( ( s e n c r y p t ( s . (∗ Receive permanent ID [ Msg 2 ] ∗) (∗ t h e t a b l e i d e n t / keys i n ( pubChannel . (∗ Convert Kc i n t o UMTS keys ∗) l e t ck ms : cipherKey = c4 ( kc ms ) i n l e t ik ms : i n t e g K e y = c5 ( kc ms ) i n (∗ Receive GSM c i p h e r mode command [ Msg 7 ] ∗) i n ( pubChannel .

ID : msgHdr . event endSN ( i d e n t . enableEnc sn ) ) . event ( endSN ( x1 . imsi hn : i d e n t ) ) . reduc f o r a l l m: b i t s t r i n g . (∗ To t e s t secrecy o f t h e c i p h e r key . (CMC. ∗) out ( pubChannel . sessKey ) : b i t s t r i n g . nonce ) : mac . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN[ Msg 1 ] ∗) out ( pubChannel . MSG: msgHdr . x2 : cipherKey . i f f 1 ( k i . conv(CK IK → KASME . res ms ) ) . (=CHALLENGE. CMC: msgHdr . imsi hn . s e n c r y p t ( s . cap sn : bool ) ) . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . (MSG. out ( pubChannel . new k i : key . enableEnc ms : bool ) ) . rand sn : nonce . k i ) . k : cipherKey . (=MSG. rand sn . ck ms . (∗ Process r e p r e s e n t i n g HN∗) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) i n ( secureChannel . cipherKey . i k s n ) i n (∗SN decide whether t o e n c r y p t messages ∗) (∗ base on t h e r e c e i v e d c a p a b i l i t i e s o f MS∗) (∗ l e t enableEnc sn : b o o l = cap sn i n ∗) event begMS ( imsi hn sn . res sn : resp ) ) . imsi hn sn : i d e n t . ik hn . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . i k s n ) . x2 . i n t e g K e y ) . (∗ Receive response [ Msg 6 ] ∗) i n ( pubChannel .const const const const const const const (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = f 2 ( k i . k ) = m. RES: msgHdr . s d e c r y p t C i p h e r ( s e n c r y p t C i p h e r (m. k ) = m. AV REQ: msgHdr . key ) shared between t h e MS and t h e HN. cap ms ) ) . (=CAP. out ( pubChannel . rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) out ( secureChannel . CHALLENGE: msgHdr . encCapability ( ) = false . kc ms ) ) . kc sn ) ) ) . ck hn . i n t e g K e y ) : msgMac . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . (MSG. imsi ms ) ) . (∗ Receive message from SN [ Msg 8 ] ∗) i n ( pubChannel . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi hn sn . ck sn : cipherKey . x3 ) ) event ( begSN ( x1 . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) (∗ s e c r e t K c i s s e c r e t i f and o n l y i f a l l kcs i s s e c r e t ∗) free secretKc : b i t s t r i n g [ private ] . mac sn : mac ) ) . query x1 : i d e n t . event endMS ( i d e n t . i m s i s n : i d e n t ) ) . nonce ) : i n t e g K e y . i n t e g K e y ) . kc sn ) ) . (= ID . s e n c r y p t C i p h e r ( secretCk . (∗ Process r e s p r e s e n t i n g SN∗) l e t processSN = (∗ Receive MS’ s c a p a b i l i t y [ Msg 1 ] ∗) i n ( pubChannel . xres hn . (=RES. x2 : sessKey . mac ms : mac ) ) . nonce ) : resp . x3 ) ) . cipherKey . cipherKey ) : b i t s t r i n g . then IK i s s e c r e t ∗) not a t t a c k e r (new k i ) . kc ms ) . ck sn . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . (∗ Send o u t permanent ID [ Msg 2 ] ∗) out ( pubChannel . 29 . AV : msgHdr . s ) ) (∗ [ Msg 8 ] ∗) else out ( pubChannel . (∗ F u n c t i o n s ∗) fun f 1 ( key . mac hn ) ) . fun c3 ( cipherKey . x3 : i n t e g K e y . kc ms ) i n 0. event ( endMS ( x1 . rand hn . (∗ Check whether r e c e i v e d response equal t o expected response ∗) i f res sn = xres sn then (∗ At t h i s p o i n t . (=AV REQ. fun s e n c r y p t ( b i t s t r i n g . query a t t a c k e r ( s e c r e t K c ) . query x1 : i d e n t . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . rand ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . out ( pubChannel . cap sn ) ) . (∗ Receive permanent ID [ Msg 2 ] ∗) i n ( pubChannel . x2 ) ) . kc sn ) . (∗When t h e a t t a c k e r knows s . event begMS ( i d e n t . out ( pubChannel . nonce ) : cipherKey . fun f 3 ( key . (∗ i f enableEnc sn = f a l s e then ∗) i f cap sn = f a l s e then event d i s a b l e E n c . a l l cks are s e c r e t ∗) (∗ I f KC and CK are s e c r e t . event d i s ab l e E n c . ck ms ) ) . ( AV. i k s n : integKey . (CAP. LTE I k UMTS II–III k LTE V. event endMS ( imsi ms . i m s i s n ) ) . query a t t a c k e r ( secretCk ) . s e n c r y p t ( secretKc . i n t e g K e y ) : sessKey . (∗ Process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t and pre−shared key o f t h e mobile s t a t i o n ∗) new imsi ms : i d e n t . s e n c r y p t ( secretKc . rand ms : nonce . MME) (∗ P u b l i c channel between t h e MS and t h e SN ∗) f r e e pubChannel : channel . msg : b i t s t r i n g ) ) . ck hn ) ) . s d e c r y p t ( s e n c r y p t (m. (∗ Send o u t c i p h e r mode command [ Msg 7 ] ∗) (∗ o u t ( pubChannel . fun f 9 ( b i t s t r i n g . x2 ) ) event ( begMS ( x1 . k ) . out ( pubChannel . query a t t a c k e r ( s ) . x2 . ck sn ) ) . free s : bitstring [ private ] . (=CMC. l e t kc ms : sessKey = c3 ( ck ms . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . s e n c r y p t C i p h e r ( secretCk . (CHALLENGE. rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . fun f 2 ( key . ik ms ) i n (∗ Receive GSM c i p h e r mode command [ Msg 7 ] ∗) i n ( pubChannel . ∗) (∗ use them as s e s s i o n keys t o e n c r y p t a f r e e p r i v a t e name ∗) fun s e n c r y p t C i p h e r ( b i t s t r i n g . l e t kc sn : sessKey = c3 ( ck sn . ∗) query a t t a c k e r ( s ) event ( d i s a b l e E n c ) . out ( pubChannel . t h e event d i sa b l e E nc has been executed . (CMC. key ) . (AV REQ. Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . (∗ secretCk i s s e c r e t i f and o n l y i f f r e e secretCk : b i t s t r i n g [ p r i v a t e ] . s e n c r y p t C i p h e r ( secretCk . (∗ Receive a u t h e n t i c a t i o n v e c t o r [ Msg 4 ] ∗) i n ( secureChannel . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t [ Msg 3 ] ∗) out ( secureChannel . k ) . (∗ I n p u t c h a l l e n g e message from SN [ Msg 5 ] ∗) i n ( pubChannel . mac sn ) ) . i n s e r t keys ( imsi ms . (=AV. fun f 4 ( key . i f enableEnc ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t ( msg . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . (∗ [ Msg 8 ] ∗) reduc encCapability ( ) = true . (∗ Send o u t response t o SN [ Msg 6 ] ∗) out ( pubChannel . ( ID . reduc f o r a l l m: b i t s t r i n g . rand ms ) = mac ms then process ( ( ! processMS ) | processSN | processHN ) S7. sessKey ) . ik ms ) . (RES. (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS [ Msg 5 ] ∗) out ( pubChannel . sessKey ) . xres sn : resp . k : sessKey .

cipherKey . (∗ Send a u t h e n t i c a t i o n c h a l l e n g e t o MS ∗) out ( pubChannel . datamsg : b i t s t r i n g . x2 . rand ms : nonce . reduc f o r a l l m: b i t s t r i n g . event endMS ( i d e n t . x3 ) ) event ( begSN ( x1 . type resp . x2 : cipherKey . cap sn ) . (∗ Check whether r e c e i v e d response equal t o XRES∗) i f res sn = xres sn then (∗ At t h i s p o i n t . k : i n t e g K e y . k ) = m. (= ID . rand sn . k i ) . (∗ Receive response ∗) i n ( pubChannel . (∗ F u n c t i o n s ∗) fun f 1 ( key . const ASSMC: msgHdr . type a s I n t K e y . k ) = m. nonce ) : resp . res ms ) ) . (CHALLENGE. new k i : key . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . (∗ Receive a u t h e n t i c a t i o n v e c t o r ∗) i n ( secureChannel . mac sn ) ) . query x1 : i d e n t . const AV REQ: msgHdr . out ( pubChannel . type i n t e g K e y . = f i n t e g a s ( as smcomplete msg . k : cipherKey . kasint ms ) ) ) . =imsi sn . l e t processSN = (∗ Receive MS’ s c a p a b i l i t y ∗) i n ( pubChannel . type msgHdr . x2 . 30 . i k s n ) . type enbKey . type mac . fun kdf as enc ( enbKey ) : asEncKey . nonce ) : cipherKey . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap sn ) . (= ASSMComplete . a s I n t K e y ) : msgMac . ck ms . not a t t a c k e r (new k i ) . t y p e C o n v e r t e r ] . nonce ) : mac . (∗ To t e s t secrecy o f t h e i n t e g r i t y key . k ) = m. rand ms ) = mac ms then (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = f 2 ( k i . cap sn : bool ) ) . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n (∗ Send o u t cap ms t o SN ∗) out ( pubChannel . fun f i n t e g a s ( b i t s t r i n g . enbKey . (ASSMC. i n ( pubChannel . fun kdf asme ( cipherKey . (AV REQ. out ( pubChannel . i n t e g K e y ) : asmeKey . fun kdf up enc ( enbKey ) : upEncKey . fun f 4 ( key . ik ms ) ) . encCapability ( ) = false . asEncKey ) : b i t s t r i n g . i n t e g K e y ) : b i t s t r i n g . x3 ) ) . as smcomplete msg . f r e e payload : b i t s t r i n g [ p r i v a t e ] . i f cap sn = f a l s e then (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . x3 ) ) . i n s e r t keys ( imsi ms . kenb sn . ik ms ) . f i n t e g a s ( as smcomplete msg . x3 ) ) event ( begMS ( x1 . bool ) . nonce ) : i n t e g K e y . x2 . sd ec ry pt as ( s en c r y p t a s (m. i f f 1 ( k i . reduc f o r a l l m: b i t s t r i n g . query a t t a c k e r ( payload ) . mac ms : mac ) ) . i k s n : integKey . out ( pubChannel . t h e event d i sa b l e E nc has been executed . SN a u t h e n t i c a t e d MS∗) event endSN ( imsi sn . fun f 2 ( key . (=RES. enableEnc as ms : bool . cipherKey . f r e e as smcomplete msg : b i t s t r i n g . const RES: msgHdr . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . fun k d f a s i n t ( enbKey ) : a s I n t K e y . ck sn . i m s i s n : i d e n t ) ) . rand sn : nonce . cap ms ) . (∗ Send o u t permanent ID ∗) out ( pubChannel . s e n c r y p t ( s e c r e t . const MSG: msgHdr . l e t kasme ms = kdf asme ( ck ms . l e t processMS = (∗ The i d e n t and pre−shared key o f t h e mobile s t a t i o n ∗) new imsi ms : i d e n t . kenb ms . kasenc ms ) i n 0 . = f i n t e g a s ( datamsg . x2 : enbKey . ∗) (∗ use them as s e s s i o n keys t o e n c r y p t a f r e e p r i v a t e name ∗) fun s e n c r y p t I n t e g ( b i t s t r i n g . (=MSG. type asEncKey . imsi ms ) ) . (=ASSMC. bool ) . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . l e t kasme sn = kdf asme ( ck sn . event ( endMS ( x1 . type i d e n t . s d e c r y p t I n t e g ( s e n c r y p t I n t e g (m. xres sn : resp . enbKey . i n t e g K e y ) . (∗ I n p u t c h a l l e n g e message from SN ∗) i n ( pubChannel . ik ms ) i n l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n (∗ Receive GSM c i p h e r mode command ∗) i n ( pubChannel . type msgMac . k a s i n t s n ) ) ) . ( ASSMComplete . query a t t a c k e r ( s e c r e t ) . kasint ms ) ) ) . k ) . mac sn : mac ) ) . i k s n ) i n l e t kenb sn : enbKey = kdf enb ( kasme sn ) i n l e t kasenc sn : asEncKey = kdf as enc ( kenb sn ) i n l e t k a s i n t s n : a s I n t K e y = k d f a s i n t ( kenb sn ) i n l e t kupenc sn : upEncKey = kdf up enc ( kenb sn ) i n event begMS ( imsi sn . (CAP. k ) . (∗ Send o u t a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) out ( secureChannel .(∗ Secure channel between t h e SN and t h e HN ∗) f r e e secureChannel : channel [ p r i v a t e ] . query x1 : i d e n t . const ID : msgHdr . rand ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . reduc encCapability ( ) = true . i n ( pubChannel . kasint ms ) ) ) . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . event d i sa b l e E nc . x2 . cap ms ) ) . cap sn . key ) . fun s e n c r y p t ( b i t s t r i n g . ( ID . event endMS ( imsi ms . event ( endSN ( x1 . type asmeKey . k ) . const ASSMComplete : msgHdr . x3 : bool . s d e c r y p t ( s e n c r y p t (m. const AV : msgHdr . fun f 3 ( key . ck ms ) ) . type upEncKey . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . k : asEncKey . cipherKey ) : b i t s t r i n g . type cipherKey . ck sn : cipherKey . out ( pubChannel . event begMS ( i d e n t . (=CHALLENGE. (=AV. (RES. (=CAP. (∗ t y p e s ∗) type key . type nonce . fun se nc ry pt as ( b i t s t r i n g . k a s i n t s n ) ) ) . (∗ Send o u t response t o SN ∗) out ( pubChannel . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . s e n c r y p t I n t e g ( s e c r e t . (∗ The s t a n d a r d secrecy q u e r i e s o f P r o V e r i f o n l y ∗) (∗ d e a l w i t h t h e secrecy o f p r i v a t e f r e e names∗) free secret : bitstring [ private ] . i m s i s n ) ) . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . i n t e g K e y ) . fun kdf enb ( asmeKey ) : enbKey . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . res sn : resp ) ) . x3 : i n t e g K e y . (∗ Receive permanent ID ∗) i n ( pubChannel . (∗When t h e a t t a c k e r knows s . event endSN ( i d e n t . =as smcomplete msg . reduc f o r a l l m: b i t s t r i n g . const CHALLENGE: msgHdr .

event ( endMS ( x1 . fun senc up ( b i t s t r i n g . event ( endSN ( x1 . fun kdf as enc ( enbKey ) : asEncKey . else out ( pubChannel . nonce ) : mac . (MSG. k a s i n t s n ) ) ) . 31 . out ( pubChannel . type asEncKey . const AV : msgHdr . a s I n t K e y ) : msgMac . nasIntKey ) : msgMac . type nonce . k ) = m. a s I n t K e y ) : b i t s t r i n g . MME) (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . event d i s a b l e E n c . f r e e as smcomplete msg : b i t s t r i n g . ( AV. bool ) . kasint ms ) ) . fun se nc ry pt as ( b i t s t r i n g . cap ms ) . encCapability ( ) = false . fun sencrypt nas ( b i t s t r i n g . ( ASSMComplete . not a t t a c k e r (new k i ) . x2 . x3 ) ) . fun kdf asme ( cipherKey . x2 . query x1 : i d e n t . t h e event d i s a b l e E n c has been executed . fun s e n c i n t a s ( b i t s t r i n g . query a t t a c k e r ( s e c r e t ) . type nasIntKey . out ( pubChannel . s d e c r y p t a s ( s e n c r y p t a s (m. type i d e n t . i n t e g K e y ) . (∗AS SMC procedure i n process MS∗) l e t pMSAS( kasme ms : asmeKey . const RES: msgHdr . x3 : bool . cipherKey . kasint ms ) ) ) . out ( pubChannel . kasint ms ) ) ) . sdec up ( senc up (m. const ID : msgHdr . i n t e g K e y ) . kasenc ms ) ) . fun k d f n a s i n t ( asmeKey ) : nasIntKey . fun f i n t e g n a s ( b i t s t r i n g . kasenc ms ) i n 0 . nasIntKey ) : b i t s t r i n g . x3 : i n t e g K e y . x2 . x2 : enbKey . k : upEncKey . kenb ms . k : asEncKey . k : nasIntKey . type msgHdr . f r e e payload : b i t s t r i n g [ p r i v a t e ] . key ) . query x1 : i d e n t . xres hn . x3 ) ) . k ) = m. event endSN ( i d e n t . i n t e g K e y ) : asmeKey . event endMS ENB( i d e n t . s e n c i n t a s ( s e c r e t . k ) = m. fun kdf up enc ( enbKey ) : upEncKey . s e n c r y p t a s ( s e c r e t . bool ) . nonce ) : i n t e g K e y . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . type asmeKey . imsi hn : i d e n t ) ) . process ( ( ! processMS ) | processSN | processHN ) free secret : bitstring [ private ] . x3 ) ) event ( begSN ( x1 . k a s i n t s n ) ) ) (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . as smcomplete msg . const MSG: msgHdr . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . s e n c r y p t a s ( payload . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . reduc f o r a l l m: b i t s t r i n g . kasenc sn ) . out ( pubChannel . reduc f o r a l l m: b i t s t r i n g . enbKey . imsi hn . type a s I n t K e y . const AV REQ: msgHdr . nasEncKey ) : b i t s t r i n g . k ) = m. fun kdf enb ( asmeKey ) : enbKey . fun f i n t e g a s ( b i t s t r i n g . ck hn . = f i n t e g a s ( datamsg . enbKey . type mac . cipherKey . cap ms : bool ) = l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n i n ( pubChannel . bool ) . bool ) . k ) . fun f 2 ( key . encCapability ( ) = true . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . LTE I k UMTS II–III k LTE IV–V. const CHALLENGE: msgHdr . ik hn . query x1 : i d e n t . type i n t e g K e y . enableEnc as ms : bool . x2 : cipherKey . S7+. asEncKey ) : b i t s t r i n g . event endMS ENB( imsi ms . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . x2 . senc up ( s e c r e t . x2 . (=ASSMC. kasenc sn ) . k ) . f i n t e g a s ( payload . x2 . k ) . k : a s I n t K e y . kasint ms ) ) ) . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . k ) . x3 ) ) . t y p e C o n v e r t e r ] . query a t t a c k e r ( payload ) . imsi ms : i d e n t . kupenc ms ) ) . type upEncKey . asmeKey . type cipherKey . (MSG. f i n t e g a s ( as smcomplete msg . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . type resp . sdec in nas ( s e n c i n t n a s (m. type msgMac . x3 ) ) event (begMS ENB( x1 . sdecrypt nas ( sencrypt nas (m. type enbKey . mac hn ) ) . datamsg : b i t s t r i n g . (=AV REQ. reduc f o r a l l m: b i t s t r i n g . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . k ) = m. (∗When t h e a t t a c k e r knows s . reduc l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) i n ( secureChannel . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . payload . const NASSMC: msgHdr . const ASSMC: msgHdr . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . k ) . x3 ) ) event ( begMS ( x1 . nonce ) : cipherKey . const ASSMComplete : msgHdr . type nasEncKey . event begMS ( i d e n t . x2 : asmeKey . event (endMS ENB( x1 . fun f 4 ( key . fun kdf nas enc ( asmeKey ) : nasEncKey . fun s e n c i n t n a s ( b i t s t r i n g . upEncKey ) : b i t s t r i n g . (=MSG. reduc f o r a l l m: b i t s t r i n g . event d i s a b l e E n c . fun f 3 ( key . out ( pubChannel . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . event begMS ENB( i d e n t . x3 : bool . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . conv(CK IK → KASME . nonce ) : resp . rand hn . i n ( pubChannel .reduc f o r a l l m: b i t s t r i n g . f i n t e g a s ( s e n c r y p t a s ( payload . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . event endMS ( i d e n t . asmeKey . sdec in as ( s e n c i n t a s (m. fun k d f a s i n t ( enbKey ) : a s I n t K e y . k : nasEncKey . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . (∗ t y p e s ∗) type key . const NASSMComplete : msgHdr . rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r ∗) out ( secureChannel . (∗ F u n c t i o n s ∗) fun f 1 ( key .

(RES. ( ID . nonce ) : mac . (=CAP. out ( pubChannel . const NONCE TAU: msgHdr . cap enb . (CHALLENGE. fun kdf as enc ( enbKey ) : asEncKey . const ID : msgHdr . cap sn . =xres sn ) ) . (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . rand ms : nonce . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . cap ms ) ) . k ) . out ( pubChannel . rand sn . cap sn . k a s i n t e n b ) ) ) . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap enb ) . conv(CK IK nonces → KASME . fun f 4 ( key . nonce ) : i n t e g K e y . enableEnc nas ms : bool . const RES: msgHdr . const AV REQ: msgHdr . knasenc ms ) ) . k ) . type enbKey . type i n t e g K e y . nonce ) : cipherKey . nas smcomplete msg . new rand sn : nonce . (∗ Compute response and e n c r y p t i o n key ∗) l e t res ms : resp = f 2 ( k i . integKey . asEncKey ) : b i t s t r i n g . fun kdf up enc ( enbKey ) : upEncKey . cap sn ) else 0 . s e n c i n t n a s ( s e c r e t . type resp . kasme sn . out ( pubChannel . (=NASSMComplete . rand sn ) i n l e t i k s n : i n t e g K e y = f 4 ( ki sn . rand ms ) ) ) . cap sn : bool ) ) . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . k ) = m. nonce ) : asmeKey . mac sn ) ) . rand sn ) i n l e t xres sn : resp = f 2 ( ki sn . kasenc enb ) . f i n t e g n a s ( ( cap sn . (=RES. const ASSMC: msgHdr .(∗ Pre−shared key ∗) new k i : key . i k s n ) i n (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n fun s e n c r y p t a s ( b i t s t r i n g . k i ) . f i n t e g a s ( s e n c r y p t a s ( payload . i k s n ) . s e n c r y p t a s ( payload . type asEncKey . k n a s i n t s n ) ) ) . fun kdf enb ( asmeKey ) : enbKey . =as smcomplete msg . k a s i n t e n b ) ) ) . ( NASSMComplete . nonce . const NASSMC: msgHdr . (ASSMC. i m s i s n : i d e n t ) ) . cap ms ) else out ( pubChannel . (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t pENB( kasme enb : asmeKey . reduc f o r a l l m: b i t s t r i n g . type a s I n t K e y . knasint ms ) ) ) . nasIntKey ) : msgMac . event begMS ( imsi sn . rand sn ) i n (∗ t y p e s ∗) type key . (∗ Receive response ∗) i n ( pubChannel . imsi sn . = f 1 ( k i . i n ( pubChannel . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . fun k d f a s i n t ( enbKey ) : a s I n t K e y . k a s i n t e n b ) ) ) . fun f i n t e g a s ( b i t s t r i n g . l e t kasme ms : asmeKey = kdf asme ( ck ms . type asmeKey . knasint ms ) ) ) . i f enableEnc nas ms = f a l s e then out ( pubChannel . const NASSMComplete : msgHdr . (= ID . =cap ms . i f cap enb = f a l s e then event d i sa b l e E n c . event endMS ( imsi ms . fun f i n t e g n a s ( b i t s t r i n g . rand ms ) i n (∗MS i s a u t h e n t i c a t i n g i t s e l f t o SN∗) event begSN ( imsi ms . LTE I’ k UMTS II–III k LTE IV–V. imsi sn . fun kdf asme ( cipherKey . ik ms ) i n (∗NAS SMC procedure ∗) l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i n ( pubChannel . k i s n ) i n l e t mac sn : mac = f 1 ( ki sn . nonce ) : resp . cap enb : bool ) = l e t kenb enb : enbKey = kdf enb ( kasme enb ) i n l e t kasenc enb : asEncKey = kdf as enc ( kenb enb ) i n l e t k a s i n t e n b : a s I n t K e y = k d f a s i n t ( kenb enb ) i n l e t kupenc enb : upEncKey = kdf up enc ( kenb enb ) i n event begMS ENB( imsi enb . cap ms ) . type upEncKey . const AV : msgHdr . pMSAS( kasme ms . k : nasEncKey . payload . knasint ms ) ) ) . out ( pubChannel . out ( pubChannel . = f i n t e g a s ( as smcomplete msg . ck ms . (∗ Send o u t response t o SN ∗) out ( pubChannel . = f i n t e g n a s ( msg nas . fun sencrypt nas ( b i t s t r i n g . nasEncKey ) : b i t s t r i n g . kasme ms . knasenc ms ) . type nasEncKey . imsi enb : i d e n t . k a s i n t e n b ) ) ) else out ( pubChannel . i f cap sn = t r u e then i f sdecrypt nas ( msg nas . res ms ) ) . (MSG. rand sn ) i n l e t ck sn : cipherKey = f 3 ( ki sn . imsi ms . sencrypt nas ( nas smcomplete msg . process ( ( ! processMS ) | processMME ) S8. (=NASSMC. (∗NAS key secrecy ∗) out ( pubChannel . i n ( pubChannel . fun f 2 ( key . k n a s i n t s n ) ) ) . a s I n t K e y ) : msgMac . pMSAS( kasme ms . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . ( NASSMComplete . (= ASSMComplete . knasenc ms ) . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . cap enb ) . fun f 3 ( key . (∗ Type C o n v e r t e r ∗) 32 . const ASSMComplete : msgHdr . type cipherKey . k : asEncKey . kenb enb . (CAP. imsi ms ) ) . f i n t e g a s ( payload . cap sn ) . = f i n t e g n a s ( ( enableEnc nas ms . i n ( pubChannel . fun kdf nas enc ( asmeKey ) : nasEncKey . ik ms ) . msg nas : b i t s t r i n g . k ) = m. knasenc sn ) = nas smcomplete msg then pENB( kasme sn . type msgMac . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . (MSG. fun k d f n a s i n t ( asmeKey ) : nasIntKey . imsi ms . sdecrypt nas ( sencrypt nas (m. event endSN ( imsi sn . reduc f o r a l l m: b i t s t r i n g . type mac . f i n t e g n a s ( nas smcomplete msg . s d e c r y p t a s ( s e n c r y p t a s (m. (=CHALLENGE. l e t kasme sn : asmeKey = kdf asme ( ck sn . (NASSMC. (∗ process r e p r e s e n t i n g MME∗) l e t processMME = i n ( pubChannel . cap sn ) else 0 else i f msg nas = nas smcomplete msg then pENB( kasme sn . const CHALLENGE: msgHdr . knasint ms ) ) . sencrypt nas ( s e c r e t . f r e e sChannelSnBts : channel [ p r i v a t e ] . (∗ F u n c t i o n s ∗) fun f 1 ( key . i n ( pubChannel . ck sn . cap ms ) . const MSG: msgHdr . type i d e n t . MME) (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . type nasIntKey . out ( pubChannel . (∗ Computes expected response and Kc ∗) get keys (= imsi sn . kasenc enb ) . cap sn ) . cap ms ) . type msgHdr . type nonce .

cap ms ) else out ( pubChannel . knasint ms ) ) ) . l e t res ms : resp = f 2 ( k i . (=NONCE TAU. enableEnc as ms : bool . x2 : cipherKey . out ( pubChannel . k n a s i n t s n ) ) ) . rand sn : nonce . x2 . k ) . nonce mme ms ) i n l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i f ( nas mac = f i n t e g n a s ( ( enableEnc nas ms . cap enb . x2 . knasenc ms ) . imsi enb : i d e n t . ck ms . kasint enb ) ) ) . (NONCE TAU. imsi ms ) ) . query a t t a c k e r ( payload ) . x2 . encCapability ( ) = false . bool ) . event ( endSN ( x1 . = f i n t e g a s ( as smcomplete msg . query x1 : i d e n t . x3 ) ) event ( begSN ( x1 . k a s i n t e n b ) ) ) . cap ms ) ) . cipherKey . (=NASSMComplete . i n ( pubChannel . (=RES. cap ms ) . x3 : bool . ( ASSMComplete . query x1 : i d e n t . out ( pubChannel . integKey . (RES. ik ms . k a s i n t e n b ) ) ) else out ( pubChannel . sdec in nas ( sen c i n t n a s (m. (=NASSMC. out ( pubChannel . ( NASSMComplete . reduc out ( pubChannel . s e n c r y p t a s ( s e c r e t . i n ( pubChannel . nonce mme ) i n l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n (∗ process r e s p r e s e n t i n g MS∗) event begMS ( imsi sn . x3 ) ) . x3 . bool ) . (AV REQ. i n ( secureChannel . cap sn : bool ) ) . event (endMS ENB( x1 . k ) = m. cap sn . ik sn . kenb enb . (∗NAS key secrecy ∗) out ( pubChannel . nonce ms . x4 ) ) event ( begMS ( x1 . s e n c i n t a s ( s e c r e t . free secret : bitstring [ private ] . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . f i n t e g a s ( b o o l 2 b i t s t r i n g ( cap enb ) . l e t kasme ms : asmeKey = kdf asme ( ck ms . out ( secureChannel . new k i : key . datamsg : b i t s t r i n g . out ( pubChannel . k a s i n t e n b ) ) ) . event begMS ( i d e n t . out ( pubChannel . k i ) . ik sn . query x1 : i d e n t . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . rand ms ) i n event begSN ( imsi ms . ( ID . i f enableEnc nas ms = f a l s e then out ( pubChannel . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . sencrypt nas ( s e c r e t . l e t kenb enb : enbKey = kdf enb ( kasme enb ) i n l e t kasenc enb : asEncKey = kdf as enc ( kenb enb ) i n l e t k a s i n t e n b : a s I n t K e y = k d f a s i n t ( kenb enb ) i n l e t kupenc enb : upEncKey = kdf up enc ( kenb enb ) i n event begMS ENB( imsi enb . i n ( pubChannel . x3 ) ) . cipherKey . f i n t e g n a s ( ( cap sn . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i f cap sn = t r u e then i n s e r t keys ( imsi ms . s e n c i n t n a s ( s e c r e t . k n a s i n t s n ) ) ) . x4 ) ) . = f 1 ( k i . t y p e C o n v e r t e r ] . out ( pubChannel . event endMS ENB( imsi ms . f r e e payload : b i t s t r i n g [ p r i v a t e ] . f i n t e g n a s ( nas smcomplete msg . =xres sn ) ) . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . event ( endMS ( x1 . f i n t e g a s ( as smcomplete msg . =nonce ms . k : upEncKey . pMSAS( kasme ms . (MSG. x3 : integKey . kasenc ms ) i n 0 . i m s i s n : i d e n t ) ) . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . rand ms : nonce . key ) . x3 . cap sn . out ( pubChannel . i n ( pubChannel . i f sdecrypt nas ( msg nas . (= ASSMComplete . k : a s I n t K e y . payload . (=CAP. k ) . x4 : bool . nasIntKey ) : b i t s t r i n g . kasenc ms ) ) . ( kasme enb : asmeKey . i k s n ) . (=AV. fun s e n c i n t a s ( b i t s t r i n g . ck sn : cipherKey . event endSN ( i d e n t . not a t t a c k e r (new k i ) . knasenc ms ) . knasenc sn ) (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) = nas smcomplete msg then l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( sChannelSnBts . i k s n : integKey . res ms ) ) . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . event d i sa b l e E nc . x2 : enbKey . ( NASSMComplete . pMSAS( kasme ms . a s I n t K e y ) : b i t s t r i n g . =cap ms . (NASSMC. cap sn . nonce ms sn . cap ms ) . (∗NAS SMC procedure ∗) i n ( pubChannel . kasenc enb ) . k : nasIntKey . (∗When t h e a t t a c k e r knows s . i m s i s n ) ) . i n t e g K e y ) . i n t e g K e y ) . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . i n ( pubChannel . rand ms ) ) ) . (CAP. kasint ms ) ) . ik ms . cipherKey . event endMS ENB( i d e n t . kasenc enb ) . enbKey . imsi ms . out ( pubChannel . nonce ms sn . cap enb : bool ) ) . fun senc up ( b i t s t r i n g . event endMS ( i d e n t . t h e event d i sa b l e E nc has been executed . kasint ms ) ) ) . x3 : i n t e g K e y . enbKey . ik ms ) . kenb ms . knasenc ms ) ) . mac sn ) ) . (=ASSMC. (CHALLENGE. new imsi ms : i d e n t . k ) = m. nonce mme ms ) . senc up ( s e c r e t . reduc f o r a l l m: b i t s t r i n g . (= ID . x3 ) ) event (begMS ENB( x1 . l e t processMS = out ( pubChannel . nonce mme ) . sdec up ( senc up (m. knasint ms ) ) ) . nonce ms . upEncKey ) : b i t s t r i n g . cap sn ) . (=MSG. = f i n t e g n a s ( msg nas . encCapability ( ) = true .fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . k ) = m. k ) . bool ) . = f i n t e g a s ( datamsg . out ( pubChannel . msg nas : b i t s t r i n g . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . nonce ms sn . integKey . cap ms . f i n t e g a s ( s e n c r y p t a s ( payload . =as smcomplete msg . rand sn . sencrypt nas ( nas smcomplete msg . (∗ process r e p r e s e n t i n g MME∗) l e t processMME = i n ( pubChannel . 33 . cap ms ) . i n ( pubChannel . kupenc ms ) ) . (∗AS SMC procedure i n process MS∗) l e t pMSAS( kasme ms : asmeKey . ck ms . nonce ms ) ) . fun senc int nas ( b i t s t r i n g . ck sn . out ( pubChannel . bool ) . f r e e as smcomplete msg : b i t s t r i n g . nas smcomplete msg . knasint ms ) ) . (∗NAS SMC procedure ∗) l e t kasme sn : asmeKey = kdf asme ( ck sn . reduc f o r a l l m: b i t s t r i n g . cap ms : bool ) = l e t kenb ms : enbKey = kdf enb ( kasme ms ) i n l e t kasenc ms : asEncKey = kdf as enc ( kenb ms ) i n l e t kasint ms : a s I n t K e y = k d f a s i n t ( kenb ms ) i n l e t kupenc ms : upEncKey = kdf up enc ( kenb ms ) i n i n ( pubChannel . reduc f o r a l l m: b i t s t r i n g . kasint ms ) ) ) . new nonce ms : nonce . ( kasme sn . sdec in as ( s e n c i n t a s (m. out ( pubChannel . ck sn . nas mac : msgMac ) ) . (=CHALLENGE. event begMS ENB( i d e n t . (ASSMC. new nonce mme : nonce . query a t t a c k e r ( s e c r e t ) . s e n c r y p t a s ( payload . xres sn : resp . cap enb ) . (∗ Pre−shared key ∗) i n ( pubChannel . as smcomplete msg . =imsi sn . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = sd ec ry p t a s ( datamsg . x2 . knasint ms ) ) then event endMS ( imsi ms . x2 : cipherKey . (∗ The i d e n t i t y o f t h e MS∗) nonce mme . (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processENB = i n ( sChannelSnBts . (MSG. x2 . enableEnc nas ms : bool . nonce mme ms : nonce . nonce ms sn : nonce ) ) . x2 . event endSN ( imsi sn . mac sn : mac ) ) . i f cap enb = f a l s e then event d i s a b l e E n c . cipherKey . imsi ms . imsi ms : i d e n t . = f i n t e g a s ( b o o l 2 b i t s t r i n g ( enableEnc as ms ) . f i n t e g a s ( payload . kasint ms ) ) ) .

query x1 : i d e n t . rand ms : nonce . x2 . (CAP. fun k d f n a s i n t ( asmeKey ) : nasIntKey . out ( pubChannel . CMComplete ) . nonce ) : mac . l e t res ms : resp = f 2 ( k i . gsmKey . ck ms . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . mac hn ) ) . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . encCapability ( ) = false . x2 : cipherKey . i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then out ( sChannelSnBts . key ) . (∗ Generate a f r e s h random number ∗) new rand hn : nonce . cap sn ) ) else 0 else 0 . k ) = m. snid ms : i d e n t ) ) . i n t e g K e y ) : gsmKey . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . const CHALLENGE: msgHdr . rand hn ) i n (∗ Send o u t a u t h e n t i c a t i o n v e c t o r ∗) out ( secureChannel . sdecrypt nas ( sencrypt nas (m. rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . nonce ) : i n t e g K e y . k ) . bool ) . type mac . AV = 4G AV + CK + IK (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . k : nasIntKey . x3 : bool . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . ik ms ) i n i n ( pubChannel . reduc f o r a l l m: b i t s t r i n g . gsmKey ) : b i t s t r i n g . event d i s a b l e E n c . x2 : gsmKey . i n t e g K e y ) : b i t s t r i n g . f r e e payload : b i t s t r i n g [ p r i v a t e ] . const MSG: msgHdr . k ) = m. (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . type asmeKey . gsmKey . free secret : bitstring [ private ] . k ) . k ) = m. event ( endMS AS ( x1 . (∗ F u n c t i o n s ∗) fun f 1 ( key . fun f 4 ( key . query x1 : i d e n t . reduc f o r a l l m: b i t s t r i n g . i n ( pubChannel . const NASSMC: msgHdr . reduc encCapability ( ) = true . MME). (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . type resp . kc ms ) ) . (∗When t h e a t t a c k e r knows s . res ms ) ) . cipherKey . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . fun se nc ry pt as ( b i t s t r i n g . type i d e n t . type gsmKey . t y p e C o n v e r t e r ] . nonce ) : cipherKey . type i n t e g K e y . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . l e t kc ms : gsmKey = c3 ( ck ms . GSM I k LTE II–III k GSM IV. const ASSMComplete : msgHdr . imsi hn . k : i n t e g K e y . (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . fun f i n t e g n a s ( b i t s t r i n g . type msgHdr . rand hn . fun kdf nas enc ( asmeKey ) : nasEncKey . t h e event d i s a b l e E n c has been executed . type cipherKey . k ) . event begMS AS ( i d e n t . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . integKey . snid ms ) i n event begSN ( imsi ms . i n t e g K e y ) : b i t s t r i n g . imsi sn . x2 . const AV REQ: msgHdr . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . query a t t a c k e r ( payload ) . nasIntKey ) : msgMac . (=ASSMC. reduc f o r a l l m: b i t s t r i n g . imsi sn . type nonce . bool ) . kc ms ) i n 0 . (∗ Pre−shared key ∗) new k i : key . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . fun f 2 ( key . sdec in nas ( s e n c i n t n a s (m. k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . (RES. x3 ) ) event ( begMS AS ( x1 . ik hn . fun f 3 ( key . kc ms . xres hn . (=MSG. x3 ) ) . (=AV REQ. rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . ik ms . ik ms ) . cipherKey . type nasIntKey . type nasEncKey . datamsg : b i t s t r i n g ) ) . type msgMac . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . ck hn . s d e c r y p t a s ( s e n c r y p t a s (m. cap ms ) . k i ) . s e n c r y p t a s ( s e c r e t . f r e e as smcomplete msg : b i t s t r i n g . fun s e n c i n t a s ( b i t s t r i n g . ( AV. conv(CK IK → Kc. x3 : i n t e g K e y . out ( pubChannel . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . x2 . event endMS AS ( imsi ms . fun s e n c i n t n a s ( b i t s t r i n g . = f 1 ( k i . const CMComplete : msgHdr . ( kasme sn . integKey ) . nasIntKey ) : b i t s t r i n g . not a t t a c k e r (new k i ) . nasEncKey ) : b i t s t r i n g .reduc f o r a l l m: b i t s t r i n g . event endSN ( i d e n t . integKey ) . const ID : msgHdr . x2 . k ) = m. out ( pubChannel . fun c3 ( cipherKey . k ) . out ( pubChannel . ( ID . fun sencrypt nas ( b i t s t r i n g . (=CHALLENGE. enableEnc as ms : bool ) ) . process ( ( ! processMS ) | ( processMME ) | ( processENB ) | ( processHN ) ) S9. cap sn ) ) else 0 else (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . const NASSMComplete : msgHdr . imsi ms ) ) . imsi hn : i d e n t ) ) . fun f 9 ( b i t s t r i n g . k : nasEncKey . nonce ) : resp . sdec in as ( s e n c i n t a s (m. cap ms ) ) . const AV : msgHdr . i n ( pubChannel . const RES: msgHdr . x3 ) ) event ( begSN ( x1 . event endMS AS ( i d e n t . k : gsmKey . (∗ Computes expected response and Kc ∗) get keys (= imsi hn . rand ms ) . 34 . (∗ t y p e s ∗) type key . i d e n t ) : asmeKey . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = (∗ Receive a u t h e n t i c a t i o n v e c t o r r e q u e s t ∗) i n ( secureChannel . x3 ) ) . query a t t a c k e r ( s e c r e t ) . fun kdf asme ( cipherKey . event ( endSN ( x1 . const ASSMC: msgHdr .

rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . event ( endMS AS ( x1 . event begMS AS ( i d e n t . reduc f o r a l l m: b i t s t r i n g . enableEnc as ms : bool ) ) . query a t t a c k e r ( payload ) . const ID : msgHdr . k : gsmKey . encCapability ( ) = false . f r e e sChannelSnBts : channel [ p r i v a t e ] . get keys (= imsi hn . (MSG. k ) = m. i n t e g K e y ) : b i t s t r i n g . i n ( pubChannel . query x1 : i d e n t . integKey ) : b i t s t r i n g . i d e n t ) : asmeKey . fun s e n c i n t n a s ( b i t s t r i n g . i k s n ) . x2 . i n ( secureChannel . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . (∗When t h e a t t a c k e r knows s . xres sn : resp . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . ( AV. x3 ) ) . fun sencrypt nas ( b i t s t r i n g . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . (=CAP. mac sn : mac . S9+. snid sn ) ) . (ASSMC. cap sn ) . MME). key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . x4 ) ) event ( begMS ( x1 . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . kc sn . payload ) ) else out ( pubChannel . k d f n a s i n t ( asmeKey ) : nasIntKey . f9 ( bitstring . type nasEncKey . f 3 ( key . event endSN ( imsi sn . =xres sn ) ) . kasme hn . reduc f o r a l l m: b i t s t r i n g . type resp . snid hn . k ) = m. x2 . kc sn ) ) ) . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . k ) . imsi ms : i d e n t . AV = 4G AV + CK + IK (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . x3 . (=AV. s e n c r y p t a s ( payload . t h e event d i s a b l e E n c has been executed . (MSG. x3 ) ) event ( begSN ( x1 . i d e n t . GSM I k LTE II–IV k GSM IV. x2 : i d e n t . kdf nas enc ( asmeKey ) : nasEncKey . x2 . type i d e n t . k ) . f 2 ( key . kc ms . sdecrypt nas ( sencrypt nas (m. nonce ) : i n t e g K e y . reduc f o r a l l m: b i t s t r i n g . x3 : bool . k ) = m. bool ) . query x1 : i d e n t . process ( ( ! processMS ) | processSN | processHN ) encCapability ( ) = true . c3 ( cipherKey . 35 . asmeKey ) . datamsg : b i t s t r i n g ) ) . query a t t a c k e r ( s e c r e t ) . out ( pubChannel . k : nasIntKey . event ( endMS ( x1 . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . =CMComplete ) . (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . x4 : bool . (∗ t y p e s ∗) type key . event d i s a b l e E n c . gsmKey ) : b i t s t r i n g . f i n t e g n a s ( b i t s t r i n g . kc ms ) ) . t y p e C o n v e r t e r ] . kdf asme ( cipherKey . snid sn ) ) . x2 . out ( pubChannel . kc ms ) in 0. (=RES. ik hn . xres hn . (= ID . snid hn : i d e n t ) ) . free secret : bitstring [ private ] . rand sn . l e t kc sn : gsmKey = c3 ( ck sn . sdec in nas ( s e n c i n t n a s (m. fun s e n c r y p t a s ( b i t s t r i n g . const ASSMC: msgHdr . (CHALLENGE. key ) . type nonce . type nasIntKey .fun fun fun fun fun fun fun fun fun (∗ process r e p r e s e n t i n g MME∗) l e t processSN = i n ( pubChannel . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . x2 : gsmKey . const CMComplete : msgHdr . imsi sn . cap ms ) . nasIntKey ) : msgMac . i k s n ) i n event begMS AS ( imsi sn . query x1 : i d e n t . type asmeKey . s e n c r y p t a s ( s e c r e t . nasEncKey ) : b i t s t r i n g . f r e e payload : b i t s t r i n g [ p r i v a t e ] . x2 : i d e n t . =imsi sn . x3 ) ) . ck sn . (AV REQ. (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . event endMS ( i d e n t . k ) . ck sn : cipherKey . mac hn . (=MSG. rand hn . x2 . (=AV REQ. nonce ) : resp . i d e n t . i k h n ) ) . bool ) . sdec in as ( s e n c i n t a s (m. new snid sn : i d e n t . gsmKey . nasIntKey ) : b i t s t r i n g . fun s e n c i n t a s ( b i t s t r i n g . bool ) . cap ms : bool ) = i n ( pubChannel . k ) = m. imsi hn . integKey . bool ) . (=ASSMC. x3 : asmeKey . i m s i s n : i d e n t ) ) . const AV : msgHdr . type mac . nonce ) : mac . event begMS ( i d e n t . type i n t e g K e y . i n ( pubChannel . const NASSMC: msgHdr . x3 . const CHALLENGE: msgHdr . i n ( pubChannel . out ( secureChannel . const AV REQ: msgHdr . reduc f o r a l l m: b i t s t r i n g . asmeKey . imsi hn : i d e n t . kasme sn : asmeKey . cap sn ) ) . k : i n t e g K e y . snid hn ) i n out ( secureChannel . f 4 ( key . CMComplete ) . cap sn : bool ) ) . ck hn . x3 ) ) event ( begMS AS ( x1 . event endMS AS ( imsi ms . snid hn sn : i d e n t . x3 : asmeKey . asmeKey ) . event ( endSN ( x1 . const ASSMComplete : msgHdr . type msgHdr . const RES: msgHdr . i f cap sn = f a l s e then event d i sa b l e E n c . (∗AS SMC procedure i n process MS∗) l e t pMSAS( kc ms : gsmKey . out ( pubChannel . i d e n t . event endMS AS ( i d e n t . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . conv(CK IK → Kc. i d e n t . s d e c r y p t a s ( s e n c r y p t a s (m. type cipherKey . const MSG: msgHdr . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . const NASSMComplete : msgHdr . rand sn : nonce . x2 . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ F u n c t i o n s ∗) fun f 1 ( key . i n t e g K e y ) : gsmKey . event endSN ( i d e n t . x4 ) ) . out ( pubChannel . k : nasEncKey . i n ( pubChannel . i k s n : i n t e g K e y ) ) . type msgMac . reduc (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . out ( pubChannel . asmeKey . f r e e as smcomplete msg : b i t s t r i n g . mac sn . not a t t a c k e r (new k i ) . nonce ) : cipherKey . gsmKey . type gsmKey . k ) .

k n a s i n t s n ) ) ) . i n t e g K e y ) : b i t s t r i n g . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . = f 1 ( k i . payload ) ) else out ( pubChannel . (∗NAS key secrecy ∗) out ( pubChannel . rand sn . out ( pubChannel . type i d e n t . i n ( pubChannel . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . event endMS ( imsi ms . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . msg nas : b i t s t r i n g . f i n t e g n a s ( ( cap sn . const ID : msgHdr . snid hn . i n ( pubChannel . snid hn sn : i d e n t . cap ms ) .(∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . i k s n : i n t e g K e y ) ) . cap sn : bool ) ) . event d i s a b l e E n c . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . cap sn . type msgMac . reduc f o r a l l m: b i t s t r i n g . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then event endSN ( imsi hn sn . pMSAS( kc ms . kasme sn . knasint ms ) ) ) . k n a s i n t s n ) ) ) . i k h n ) ) . imsi sn . out ( secureChannel . knasenc ms ) . xres hn . snid ms : i d e n t ) ) . cap ms ) . ( NASSMComplete . kc bs ) ) ) . (=CHALLENGE. ( ID . nonce ) : resp . cap sn ) ) else 0 else 0 . k ) . (ASSMC. l e t kc sn : gsmKey = c3 ( ck sn . const MSG: msgHdr . = f i n t e g n a s ( msg nas . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . (∗ process r e p r e s e n t i n g MME∗) l e t processSN = i n ( pubChannel . kasme ms . sencrypt nas ( nas smcomplete msg . imsi hn sn . out ( sChannelSnBts . kasme ms ) . knasenc sn ) = nas smcomplete msg then event endSN ( imsi hn sn . get keys (= imsi hn . fun kdf asme ( cipherKey . const AV : msgHdr . out ( pubChannel . imsi hn . (RES. nonce ) : mac . mac sn . cap bs ) . rand ms : nonce . imsi ms . type nonce . 36 out ( sChannelSnBts . type asmeKey . knasenc ms ) . snid hn : i d e n t ) ) . const AV REQ: msgHdr . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . s d e c r y p t a s ( s e n c r y p t a s (m. ( kc sn . new snid sn : i d e n t . l e t kc ms : gsmKey = c3 ( ck ms . cipherKey ) : b i t s t r i n g . (= ID . fun f 2 ( key . nas smcomplete msg . i n ( pubChannel . cap ms ) ) . snid sn ) ) . rand ms ) . i n ( pubChannel . f i n t e g n a s ( nas smcomplete msg . i n ( pubChannel . fun f 4 ( key . (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . key ) . kasme hn . (∗NAS SMC procedure ∗) l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i n ( pubChannel . xres sn : resp . i f cap bs = f a l s e then event d i sa b l e E n c . t y p e C o n v e r t e r ] . out ( pubChannel . kasme sn : asmeKey . (NASSMC. type msgHdr . const RES: msgHdr . reduc encCapability ( ) = true . out ( pubChannel . imsi hn sn : i d e n t . = f i n t e g n a s ( ( enableEnc nas ms . s e n c r y p t a s ( payload . type i n t e g K e y . ck hn . snid ms . (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n out ( pubChannel . (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . (MSG. cap ms ) else out ( pubChannel . (MSG. (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . imsi ms ) ) . event begMS AS ( imsi bs . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . (∗ F u n c t i o n s ∗) fun f 1 ( key . ck sn : cipherKey . UMTS I k LTE II–III k UMTS IV. (=CAP. res ms ) ) . cap sn ) . rand hn . (∗ Pre−shared key ∗) new k i : key . cap bs ) ) . imsi ms . snid hn ) i n out ( secureChannel . knasint ms ) ) . (=AV. cap sn ) . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . const CHALLENGE: msgHdr . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . (CHALLENGE. rand sn : nonce . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . i m s i s n : i d e n t ) ) . f r e e payload : b i t s t r i n g [ p r i v a t e ] . const ASSMComplete : msgHdr . snid ms ) i n event begSN ( imsi ms . i n ( secureChannel . snid hn sn . k ) = m. imsi hn sn . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . kc bs . snid sn ) ) . ik ms . ∗) . ik hn . knasenc ms ) ) . (∗When t h e a t t a c k e r knows s . event begMS ( imsi hn sn . out ( pubChannel . =xres sn ) ) . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . AV = 4G AV + CK + IK (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . integKey . i d e n t ) : asmeKey . fun f 3 ( key . (CAP. cap bs : bool ) ) . =cap ms . cap ms ) . sencrypt nas ( s e c r e t . ik ms ) i n i f enableEnc nas ms = f a l s e then out ( pubChannel . pMSAS( kc ms . s e n c i n t n a s ( s e c r e t . mac hn . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . ( NASSMComplete . const ASSMC: msgHdr . knasint ms ) ) ) . snid hn sn . snid hn sn . out ( pubChannel . enableEnc nas ms : bool . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . (∗SMC command msg∗) f r e e as smcomplete msg : b i t s t r i n g . nonce ) : cipherKey . type mac . i k s n ) i n i f cap sn = t r u e then i f sdecrypt nas ( msg nas . i m s i b s : i d e n t . =CMComplete ) . (AV REQ. (∗ t y p e s ∗) type key . fun s e n c r y p t a s ( b i t s t r i n g . mac sn : mac . kasme sn ) . l e t res ms : resp = f 2 ( k i . k i ) . (=NASSMComplete . snid ms . k : cipherKey . imsi hn : i d e n t . nonce ) : i n t e g K e y . ( kc sn . (=AV REQ. (=NASSMC. rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . process ( ( ! processMS ) | processSN | processBS | processHN ) S10. ( AV. encCapability ( ) = false . knasint ms ) ) ) . (=RES. type cipherKey . type resp . fun f 9 ( b i t s t r i n g . kasme sn ) . ( kc bs : gsmKey . (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processBS = i n ( sChannelSnBts . cap sn .

reduc f o r a l l m: b i t s t r i n g . reduc f o r a l l m: b i t s t r i n g . . (=MSG. nonce ) : resp . event endMS ( imsi ms . event ( endSN ( x1 . reduc 37 encCapability ( ) = true . const AV REQ: msgHdr . = f 1 ( k i . cap sn : bool ) ) . mac hn . s e n c r y p t a s ( s e c r e t . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . sdec in as ( s e n c i n t a s (m. f 9 ( s e n c r y p t a s ( payload . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . out ( pubChannel . i k s n : i n t e g K e y ) ) . reduc f o r a l l m: b i t s t r i n g . mac sn . i n t e g K e y ) : b i t s t r i n g . cap sn ) . kasme sn : asmeKey . out ( pubChannel . fun f 2 ( key . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . snid hn . i d e n t ) : asmeKey . S10+. x3 . out ( pubChannel . AV = 4G AV + CK + IK (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . const CHALLENGE: msgHdr . fun k d f n a s i n t ( asmeKey ) : nasIntKey . type nasIntKey . out ( secureChannel . f r e s h s n ) . rand sn . (= ASSMComplete . ck sn . =as smcomplete msg . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . ck sn ) . get keys (= imsi hn . i n ( pubChannel . i k s n ) . k ) = m. k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . (∗ c o n s t a n t message headers ∗) const CAP: msgHdr . integKey . snid hn : i d e n t ) ) . x3 : integKey . (∗ process r e p r e s e n t i n g MME∗) l e t processSN = i n ( pubChannel . integKey ) . ck ms . ck ms . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . x3 : i n t e g K e y . ik ms . fun s e n c i n t a s ( b i t s t r i n g . process ( ( ! processMS ) | processSN | processHN ) query x1 : i d e n t . x3 ) ) event ( begSN ( x1 . cipherKey . (=ASSMC. const ASSMComplete : msgHdr . imsi sn . k : i n t e g K e y . const MSG: msgHdr . not a t t a c k e r (new k i ) . const RES: msgHdr . k ) . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . i n ( secureChannel . = f 9 ( as smcomplete msg . x2 . fun f i n t e g n a s ( b i t s t r i n g . (= ID . ik hn . . event ( endMS ( x1 . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . fresh sn . s e n c i n t a s ( s e c r e t . ik sn . k i ) . (=AV REQ. i n ( pubChannel . xres sn : resp . snid ms ) i n event begSN ( imsi ms . (∗ A u t h e n t i c a t i o n event begSN ( i d e n t event endSN ( i d e n t event begMS ( i d e n t event endMS ( i d e n t q u e r i e s ∗) . ik ms . . (∗ Type C o n v e r t e r ∗) fun b o o l 2 b i t s t r i n g ( bool ) : b i t s t r i n g [ data . fun kdf asme ( cipherKey . x2 . out ( pubChannel . =snid sn . const ID : msgHdr . l e t res ms : resp = f 2 ( k i . ( ID . = f 9 ( ( cap ms . const NASSMC: msgHdr . k ) . k : cipherKey . i k s n ) ) ) else out ( pubChannel . type asmeKey . cap ms ) . fun kdf nas enc ( asmeKey ) : nasEncKey . (=RES. x2 . type cipherKey . rand hn . sdecrypt nas ( sencrypt nas (m. ck hn . s d e c r y p t a s ( s e n c r y p t a s (m. rand ms ) . (RES. i k s n ) ) ) . f 9 ( ( cap sn . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . kasme hn . bool ) . ck sn . fun s e n c r y p t a s ( b i t s t r i n g . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = s d e c r y p t a s ( datamsg . type msgHdr . type nasEncKey . mac sn : mac . fun f 3 ( key . i k s n ) ) ) . cipherKey . snid hn ) i n out ( secureChannel . (∗ Secure channel between t h e SN and t h e HN∗) f r e e secureChannel : channel [ p r i v a t e ] . (=CAP. fun f 9 ( b i t s t r i n g . nonce ) : cipherKey . out ( pubChannel . ik ms ) ) ) . ( ASSMComplete . as smcomplete msg . ck ms ) in 0. x4 : bool . k : nasEncKey . =xres sn ) ) . const ASSMC: msgHdr . xres hn . nonce ) : mac . fun f 4 ( key . ck sn ) . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . i n ( pubChannel . imsi hn : i d e n t . i k h n ) ) . query a t t a c k e r ( s e c r e t ) . i n ( pubChannel . i f cap sn = f a l s e then event d i s a b l e E n c . (CHALLENGE. (MSG. cipherKey ) : b i t s t r i n g . i n ( pubChannel . free secret : bitstring [ private ] . x3 ) ) . i k s n ) ) ) . type resp . enableEnc as ms : bool . query a t t a c k e r ( payload ) . ik ms ) . ck ms ) ) . ik ms ) ) ) . const NASSMComplete : msgHdr . cap sn . type i d e n t . =cap ms . out ( pubChannel . = f 9 ( datamsg . rand ms : nonce . type i n t e g K e y . snid ms : i d e n t ) ) . k ) = m. ik ms ) ) ) . fresh ms ) . x2 : cipherKey . UMTS I k LTE II–IV k UMTS IV. res ms ) ) . i m s i s n : i d e n t ) ) . f 9 ( as smcomplete msg . type nonce . x3 . f r e e sChannelSnBts : channel [ p r i v a t e ] . snid sn ) ) . x2 : cipherKey . imsi ms ) ) . payload . integKey ) . event endSN ( imsi sn . i n ( pubChannel . cipherKey . new snid sn : i d e n t . type msgMac . fresh ms : nonce . ( AV. snid sn ) ) . x4 ) ) event ( begMS ( x1 . (∗ Pre−shared key ∗) new k i : key . k ) . cap sn . =imsi sn . type mac . x2 . bool ) . (AV REQ. f 9 ( payload . const AV : msgHdr . i n t e g K e y ) : b i t s t r i n g . event begMS ( imsi sn . (MSG. out ( pubChannel . ck sn : cipherKey . (∗ t y p e s ∗) type key . x4 ) ) . imsi hn . (∗ P u b l i c channel between t h e MS and t h e SN∗) f r e e pubChannel : channel . out ( pubChannel . integKey . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . cap ms ) ) . integKey . s e n c r y p t a s ( payload . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . (=CHALLENGE. nonce ) : i n t e g K e y .(∗ t h e event d i s a b le E n c has been executed . query x1 : i d e n t . (CAP. t y p e C o n v e r t e r ] . cipherKey . cap sn . nasEncKey ) : b i t s t r i n g . ik ms ) ) . fun sencrypt nas ( b i t s t r i n g . enableEnc as ms . datamsg : b i t s t r i n g . (ASSMC. nasIntKey ) : msgMac . k ) = m. (=AV. rand sn : nonce . (∗ F u n c t i o n s ∗) fun f 1 ( key . new f r e s h s n : nonce . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . .

bool ) . mac sn . cap ms ) . sencrypt nas ( nas smcomplete msg . snid hn . x3 . = f i n t e g n a s ( msg nas . (∗ t h e t a b l e i d e n t / keys The key t a b l e c o n s i s t s o f p a i r s ( i d e n t . query a t t a c k e r ( payload ) . rand ms ) i n l e t ik ms : i n t e g K e y = f 4 ( k i . snid ms .(∗NAS SMC procedure ∗) l e t knasenc ms : nasEncKey = kdf nas enc ( kasme ms ) i n l e t knasint ms : nasIntKey = k d f n a s i n t ( kasme ms ) i n i n ( pubChannel . out ( secureChannel . kasme sn ) . (=AV. ( ck sn . cap sn ) . (=MSG. knasint ms ) ) . x2 : cipherKey . knasint ms ) ) ) . = f 9 ( ( cap ms . enableEnc as ms : bool . (=CHALLENGE. x2 : i d e n t . reduc f o r a l l m: b i t s t r i n g . cap sn . ck bs ) . i k b s : integKey . (=NASSMComplete . ∗) query a t t a c k e r ( payload ) event ( d i s a b l e E n c ) . (RES. asmeKey . ( NASSMComplete . (AV REQ. k n a s i n t s n ) ) ) . as smcomplete msg . bool ) . i n t e g K e y ) : b i t s t r i n g . snid ms . key ) shared between MS and HN Table i s n o t a c c e s s i b l e by t h e a t t a c k e r ∗) t a b l e keys ( i d e n t . ik sn . x2 . ik ms ) ) ) . cap ms : bool ) = i n ( pubChannel . ( ID . out ( pubChannel . cap ms ) . knasenc ms ) ) . (∗MS non−d e t e r m i n i s t i c a l l y choose t h e c a p a b i l i t y o f e n c r y p t i o n ∗) l e t cap ms : bool = e n c C a p a b i l i t y ( ) i n out ( pubChannel . event ( endMS ( x1 . (CHALLENGE. knasenc sn ) = nas smcomplete msg then event endSN ( imsi sn . get keys (= imsi hn . event ( endMS AS ( x1 . i n ( pubChannel . ck bs ) . i k h n ) ) . (=ASSMC. out ( pubChannel . bool ) . fun senc int nas ( b i t s t r i n g . =cap ms . i k b s ) ) ) . rand hn ) i n l e t ck hn : cipherKey = f 3 ( ki hn . query a t t a c k e r ( s e c r e t ) . kasme sn . kasme ms ) . rand sn : nonce . =imsi sn . f r e e as smcomplete msg : b i t s t r i n g . (= ID . ik sn . payload . kasme sn : asmeKey . out ( pubChannel . query x1 : i d e n t . f 9 ( payload . k ) = m. event endMS AS ( i d e n t . query x1 : i d e n t . nas smcomplete msg . ck hn . i d e n t . integKey . x4 : bool . imsi ms . out ( pubChannel . (∗ process r e s p r e s e n t i n g MS∗) l e t processMS = (∗ The i d e n t i t y o f t h e MS∗) new imsi ms : i d e n t . out ( pubChannel . s e n c i n t a s ( s e c r e t . x2 . event begMS AS ( imsi bs . i k b s ) ) ) else out ( pubChannel . snid hn : i d e n t ) ) . snid hn sn : i d e n t . i n ( pubChannel . . x3 . kasme hn . out ( pubChannel . =as smcomplete msg . x4 ) ) . cap bs . ck bs . free secret : bitstring [ private ] . (∗ A u t h e n t i c a t i o n q u e r i e s ∗) event begSN ( i d e n t . res ms ) ) . encCapability ( ) = false . x4 : bool . imsi sn . enableEnc nas ms : bool . imsi sn . ik ms : integKey . cap bs ) . datamsg : b i t s t r i n g . asmeKey ) . out ( sChannelSnBts . ik ms . ik ms ) ) . fun s e n c i n t a s ( b i t s t r i n g . x2 . f i n t e g n a s ( ( cap sn . out ( sChannelSnBts . x2 : i d e n t . imsi hn : i d e n t . i d e n t . (=RES. k ) = m. x4 ) ) event ( begMS ( x1 . imsi sn . out ( pubChannel . = f 9 ( as smcomplete msg . rand ms ) i n l e t kasme ms : asmeKey = kdf asme ( ck ms . s e n c r y p t a s ( payload . x3 : asmeKey . imsi hn . ik hn . i k b s ) ) ) . i n ( pubChannel . snid hn sn . (∗ I n s e r t i d / pre−shared key p a i r i n t o t h e p r i v a t e t a b l e ∗) i n s e r t keys ( imsi ms . = f 9 ( datamsg . s e n c r y p t a s ( s e c r e t . x3 ) ) . key ) . x4 ) ) event ( begMS AS ( x1 . i m s i b s : i d e n t . i f cap sn = t r u e then i f sdecrypt nas ( msg nas . cap sn ) ) else 0 else 0 . (MSG. ( ck bs : cipherKey . ck ms ) i n 0 . cap bs . event endMS ( i d e n t . cipherKey . i n ( pubChannel . not a t t a c k e r (new k i ) . ik ms . ck ms . event ( endSN ( x1 . cipherKey . sencrypt nas ( s e c r e t . snid hn sn . (∗NAS SMC procedure ∗) l e t knasenc sn : nasEncKey = kdf nas enc ( kasme sn ) i n l e t k n a s i n t s n : nasIntKey = k d f n a s i n t ( kasme sn ) i n out ( pubChannel . imsi ms ) ) . x2 . snid ms ) i n event begSN ( imsi ms . i k b s ) ) ) . x3 . x3 . (∗ Pre−shared key ∗) new k i : key . snid sn ) ) . event begMS ( i d e n t . (∗When t h e a t t a c k e r knows s . cap ms ) else out ( pubChannel . xres hn . (MSG. bool ) . k : i n t e g K e y . 38 (∗ process r e p r e s e n t i n g MME∗) l e t processSN = i n ( pubChannel . snid sn ) ) . enableEnc as ms ) . i d e n t . i k s n : i n t e g K e y ) ) . k : nasIntKey . rand hn ) i n l e t xres hn : resp = f 2 ( ki hn . rand hn . (NASSMC. pMSAS( ck ms . cap ms ) . = f i n t e g n a s ( ( enableEnc nas ms . x2 . (=NASSMC. mac sn : mac . i n ( secureChannel . (∗ Generate a t h e n i c a t i o n v e c t o r s ∗) new rand hn : nonce . cap sn ) ) else 0 else i f cap sn = f a l s e then i f msg nas = nas smcomplete msg then event endSN ( imsi sn . i d e n t . ik ms ) ) ) . x3 : asmeKey . k ) . i m s i s n : i d e n t ) ) . ck ms ) ) . knasenc ms ) . i n ( pubChannel . ck sn : cipherKey . cap sn ) . k n a s i n t s n ) ) ) . reduc f o r a l l m: b i t s t r i n g . event endMS AS ( imsi ms . (∗ process r e p r e s e n t i n g HN∗) l e t processHN = i n ( secureChannel . rand hn ) i n l e t kasme hn : asmeKey = kdf asme ( ck hn . cap sn . (= ASSMComplete . query x1 : i d e n t . k ) . f 9 ( as smcomplete msg . (ASSMC. = f 1 ( k i . f 9 ( s e n c r y p t a s ( payload . ik ms ) ) ) . rand sn . (∗ [ Msg 8 ] ∗) pMSAS( ck ms . x4 ) ) . out ( pubChannel . (CAP. i f cap bs = f a l s e then event d i s a b l e E n c . sdec in as ( s e n c i n t a s (m. (∗AS SMC procedure i n process MS∗) l e t pMSAS( ck ms : cipherKey . cap bs : bool ) ) . ( ck sn . f r e e payload : b i t s t r i n g [ p r i v a t e ] . rand ms : nonce . k i h n ) i n l e t mac hn : mac = f 1 ( ki hn . (∗ process r e p r e s e n t i n g e−nodeB ∗) l e t processBS = i n ( sChannelSnBts . ( AV. i f enableEnc nas ms = f a l s e then out ( pubChannel . ik ms . imsi ms . cap ms ) . f i n t e g n a s ( nas smcomplete msg . ( NASSMComplete . mac hn . msg nas : b i t s t r i n g . sdec in nas ( senc in t n a s (m. =cap ms . f 9 ( ( cap bs . s e n c i n t n a s ( s e c r e t . event begMS AS ( i d e n t . kasme ms . rand ms ) . x2 . event d i sa b l e E nc . new snid sn : i d e n t . snid ms : i d e n t ) ) . cap bs ) . event begMS ( imsi sn . snid hn ) i n out ( secureChannel . f i n t e g n a s ( sencrypt nas ( nas smcomplete msg . event endSN ( i d e n t . knasenc ms ) . (∗SMC command msg∗) f r e e nas smcomplete msg : b i t s t r i n g . (∗NAS key secrecy ∗) out ( pubChannel . imsi ms : i d e n t . =xres sn ) ) . i f enableEnc as ms = t r u e then l e t msgcontent : b i t s t r i n g = sd ec ry p t a s ( datamsg . l e t res ms : resp = f 2 ( k i . ik bs . snid hn sn . integKey . cap sn : bool ) ) . ik ms . asmeKey . x3 ) ) event ( begSN ( x1 . x3 : integKey . rand ms ) i n l e t ck ms : cipherKey = f 3 ( k i . k i ) . knasint ms ) ) ) . knasint ms ) ) ) . kasme sn ) . rand hn ) i n l e t i k h n : i n t e g K e y = f 4 ( ki hn . nasIntKey ) : b i t s t r i n g . ∗) (∗ t h e event d i s a b le E n c has been executed . out ( pubChannel . cap ms ) ) . event endMS ( imsi ms . xres sn : resp . (=AV REQ. i n ( pubChannel . (=CAP. ( ASSMComplete . asmeKey ) .

process ( ( ! processMS ) | processSN | processBS | processHN ) 39 .