S40-20050516-008 - LU Comments On Generic Key Exchange Protocol - SP SM
TSG-S WG4

Title: Comments on Generic Key Exchange Protocol

Source:
Sarvar Patel, Lucent Technologies
Simon Mizikovsky, Lucent Technologies

Abstract: This contribution contains comments on Generic Key Exchange Protocol
described in Qualcomm contributions C25-20050314-050-R1 and
C25-20050418-025R1.

Recommendation: For discussion.

Lucent Technologies grants a free, irrevocable license to 3GPP2 and its Organizational Partners to
incorporate text or other copyrightable material contained in the contribution and any modifications
thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name
any Organizational Partner's standards publication even though it may include all or portions of this
contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in
whole or in part such contribution or the resulting Organizational Partner's standards publication.
Lucent Technologies is also willing to grant licenses under such contributor copyrights to third
parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an
Organizational Partner’s standard which incorporates this contribution.
This document has been prepared by Lucent Technologies to assist the development of specifications
by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a
binding proposal on Lucent Technologies. Lucent Technologies specifically reserves the right to
amend or modify the material contained herein and to any intellectual property of Lucent
Technologies other than provided in the copyright statement above.

1 INTRODUCTION
In contribution C25-20050514-050R1 Qualcomm proposed a mutually authenticated
key exchange mechanism between the 1xEV-DO access terminal and access network
based on the symmetric key PMK. We analyzed the proposal and came up with several
recommendations to improve the security while maintaining the efficiency of the protocol.

a. Assume that the current values are ATNonce=100 and ANNonce=900. The
   attacker queries the AT by sending a key request message with ANNonce
   set to 950, a future value. The AT, not being any wiser, creates its own
   ATNonce=101 and sends a key response message including the message
   integrity code. The attacker remembers the key response message,
   including the ATNonce, the message integrity code, etc.
b. The attacker lets the AT and the AN perform many session key
   agreements, and lets the ANNonce be incremented until ANNonce=949 has
   been used up by the network.
c. At this point, when the network will be using ANNonce=950, the attacker
   pretends to be the AT and responds to the key request message sent by the
   AN, which includes ANNonce=950. The key response sent by the attacker
   is just a repeat of the key response stored in step (a) above. The AN will
   receive the response, successfully verify the message integrity code,
   and accept the protocol as successfully completed.

Thus the attacker has successfully fooled the AN by simply replaying some very old
query made to the AT. Thus freshness is not guaranteed by this protocol.

Requiring only that the ANNonce always be a random number solves the above
problem, because the attacker does not know what ANNonce to use in the pre-querying
step of the attack. The ATNonce can continue to be incremented as described in
the protocol.

To summarize, the ANNonce should always be a random value and not be
incremented, while the ATNonce can be a counter.

than that received in the last valid ANKeyResponse message…”, thus implicitly requiring
the Access Network to maintain the synchronicity of the TransactionID field with that
expected by the Access Terminal.

The replay protection property expected from this mechanism will already be achieved if
the ANNonce is a random number while the ATNonce is either a random number or a
counter. Hence maintaining the TransactionID synchronicity becomes unnecessary.

We recommend clarifying that TransactionID should be unique throughout the
Generic Key Exchange transaction until its successful completion. The Access
Network should avoid selecting a value of TransactionID which conflicts with
another currently active Generic Key Exchange transaction.

3 CONCLUSION
In general, we agree that a mutually authenticated session key agreement protocol based on
symmetric keys is beneficial for the evolution of 1xEV-DO. We also agree that the protocol
proposed by Qualcomm is a good one, subject to the modifications proposed by this
contribution.