LTE Authentication Protocol (EPS-AKA) Weaknesses Solution
the Evolved Packet System (EPS). It was decided to separate the user data (UP) and the signaling (CP) so that operators can operate their networks easily and independently, as shown in Fig 1 [1]. The RAN in LTE is called E-UTRAN and the CN is called EPC, as shown in Fig 2; it consists of several different types of nodes, as follows [2]:
1) Mobility Management Entity (MME): Control-plane
node of the EPC, handles the signaling related to UE
2015 IEEE Seventh International Conference on Intelligent Computing and Information Systems (ICICIS'15)
Fig 3 Overview of the security architecture
because it does not encrypt some of the messages between UE, MME and HSS. MEPS-AKA provides data confidentiality during the authentication process to prevent the attacker from sniffing the entire message during the authentication process, by encrypting all the messages using symmetric

[Scyther results table, garbled in extraction: four claim rows; the first (Secret res) is reported Ok, "No attacks within bounds"; the other three (including Secret res and Secret xres) are reported Fail, Falsified, "At least 1 attack".]

Scyther is a tool for the formal analysis of security protocols under the perfect cryptography assumption, in which it is assumed that all cryptographic functions are perfect: the adversary learns nothing from an encrypted message unless he knows the decryption key. The tool can be used to find problems that arise from the way the protocol is constructed.

Fig 9 shows an overview of the protocol verification flow chart using the Scyther tool. The Scyther tool is used to check security properties for EPS-AKA and MEPS-AKA, to verify that the proposed protocol is more secure than the standard protocol [13, 14].

The description of the proposed protocol is accomplished in two steps. The first step is the exchange of five messages between (UE, MME) as specified in section V, where the messages (1, 2, 3, 6 and 7) are exchanged in the first step, as shown in Fig 8. The second step is the exchange of two messages between (MME, HSS) as specified in section V, where the messages (4 and 5) are exchanged in the second step, as shown in Fig 8. The following claims (Secrecy, SKR, Alive, Weakagree, Niagree, and Nisynch) are checked for the elements in the exchanged messages. The output results of the first and second steps are shown in Fig 11 and Fig 12.
Fig 9 Protocol Verification Flow Chart (flow-chart boxes: Protocol Design, Protocol Description, Claims, Protocol verification, with Pass and Failed outcomes)

Step 1: the description of the messages between (UE) and (MME) is as follows:

1) From the UE point of view, as follows:
send_1 (ue, mme, {Ru1, exp (hash (psw), u)} kum, Ru1);
recv_2 (mme, ue, {Rm1, Ru1, z} kum, Rm1);
send_3 (ue, mme, {IMSI, Ts, Ru2, Rm1} k (ue, mme), Ru2);
recv_4 (mme, ue, {authhss, authmme} k (ue, mme), Rm3, Rh);
send_5 (ue, mme, {res, Rm3, Ru3} k (ue, mme), Ru3);

And the claims are written as follows:
claim_ue (ue, SKR, exp (z, u));
claim_ue (ue, Secret, IMSI);
claim_ue (ue, Secret, res);
claim_ue (ue, Alive);
claim_ue (ue, Weakagree);
claim_ue (ue, Niagree);
claim_ue (ue, Nisynch);

2) From the MME point of view, as follows:
recv_1 (ue, mme, {Ru1, z} kum, Ru1);
send_2 (mme, ue, {Rm1, Ru1, exp (hash (psw), m)} kum, Rm1);
recv_3 (ue, mme, {IMSI, Ts, Ru2, Rm1} k (ue, mme), Ru2);
send_4 (mme, ue, {authhss, authmme} k (ue, mme), Rm3, Rh);
recv_5 (ue, mme, {res, Rm3, Ru3} k (ue, mme), Ru3);

And the claims are written as follows:
claim_mme (mme, SKR, exp (z, m));
claim_mme (mme, Secret, IMSI);

Step 2: description of the messages between (MME) and (HSS)

Scyther results: verify
Claim                         Status   Comments
MEPS_AKA,mme    Secret IMSI   Ok       No attacks within bounds.
MEPS_AKA,mme1   Secret xres   Ok       No attacks within bounds.
MEPS_AKA,mme2   Alive         Ok       No attacks within bounds.
MEPS_AKA,hss1   Secret xres   Ok       No attacks within bounds.
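The Secret claims on IMSI and res can be illustrated with a small symbolic check, added here as an example that is not code from the paper or from Scyther. It models only a passive eavesdropper under the perfect cryptography assumption, using messages 3 and 5 as listed above plus a constructed cleartext variant of message 3 for contrast; the term encoding and the names closure, secret_holds and run_checks are assumptions of this example.

```python
# Added example (not from the paper): passive Dolev-Yao eavesdropper under the
# perfect cryptography assumption. Atoms are strings; ("enc", key, payload) is
# symmetric encryption and ("pair", a, b, ...) is concatenation.

def closure(observed, initial=()):
    """Return every term a passive eavesdropper can derive."""
    known = set(initial) | set(observed)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue                      # atoms cannot be opened
            if term[0] == "pair":
                parts = term[1:]              # concatenation splits freely
            elif term[0] == "enc" and term[1] in known:
                parts = (term[2],)            # key known: payload revealed
            else:
                parts = ()                    # key unknown: ciphertext is opaque
            for part in parts:
                if part not in known:
                    known.add(part)
                    changed = True
    return known

def secret_holds(secret, observed, initial=()):
    """Scyther-style Secret claim, restricted to a passive adversary."""
    return secret not in closure(observed, initial)

K = "k(ue,mme)"
# Messages 3 and 5 as listed on the page.
MSG3 = ("pair", ("enc", K, ("pair", "IMSI", "Ts", "Ru2", "Rm1")), "Ru2")
MSG5 = ("pair", ("enc", K, ("pair", "res", "Rm3", "Ru3")), "Ru3")
# Constructed contrast case: the same fields sent with no encryption.
MSG3_CLEAR = ("pair", "IMSI", "Ts", "Ru2", "Rm1")

def run_checks():
    """Map each scenario to True (secret holds) or False (falsified)."""
    return {
        "IMSI, encrypted trace": secret_holds("IMSI", [MSG3, MSG5]),
        "res, encrypted trace": secret_holds("res", [MSG3, MSG5]),
        "Ru2, encrypted trace": secret_holds("Ru2", [MSG3, MSG5]),
        "IMSI, cleartext variant": secret_holds("IMSI", [MSG3_CLEAR, MSG5]),
        "IMSI, key leaked": secret_holds("IMSI", [MSG3, MSG5], initial=[K]),
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'holds' if ok else 'falsified'}")
```

Scyther additionally explores active attacks (injection, replay, role mixing), which this passive closure does not cover.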
the value (Ru1||A) using the static key Kum, then sends this message ({Ru1, A} kum, Ru1, related number to the IMSI of the user) to the MME side through the socket, and all the other messages are implemented using the same sequence as message 1, as specified in section V. Visual Studio was used for the implementation, as shown in Fig 13.