Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

全文

(1)Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection Jing-Lin Wu, Wen-Shenq Juang and Sian-Teng Chen Department of Information Management Shih Hsin University No. 1, Lane 17, Sec. 1, Muja Rd., Wenshan Chiu, Taipei, Taiwan, 116, R.O.C [email protected] Abstract Nowadays, GSM is used widely by people around the world. However, there are also some problems of GSM authentication to be found. In 2004, Choi et al. proposed an authentication scheme with user privacy protection in GSM. They claimed that their scheme can improve some drawbacks of GSM authentication and achieve an ability of user privacy protection. But we point out that Choi et al.’ s scheme is not able to achieve privacy and is not able to resist some well-known attacks completely. Hence, we propose a more efficient GSM authentication protocol with robust identity privacy protection. Our scheme also can remedy all drawbacks of GSM authentication mentioned by Choi et al. and resist to well-known attacks. Keywords: Identity privacy, Mutual authentication, Network security, Mobile security. 1. Introduction Recently, the wireless networking becomes more popular and convenient to us. No matter where people travel to, he can use services provided by service providers. Radio interface and wireless network access are two territories, where the same level of protection as wired networks must be provided, in wireless communications. When an illegal user enters the territory of the radio interface of a network provider, he is easy to intercept the transferred messages over this radio interface and the sensitive information of the legal user could be exposed to the adversary. Besides, the adversary can pretend a legal user to access wireless network services. These problems may cause bill controversy among a mobile user, network providers and service providers. In order to avoid these problems, a secure authentication protocol must be established before users use services. Since the Global System for Mobile communications (GSM), known as second-generation digital cellular system (2G), was proposed in several years ago, it has been widely utilized around the world so far [5]. GSM authentication key agreement (GSM AKA) is based on a challenge-response mechanism, but this mechanism can not achieve mutual authentication. VLR can easily authenticate MS by the assistance of. HLR, but MS can not authenticate VLR since the random challenge is only generated by HLR. In addition to mutual authentication, some drawbacks of GSM AKA were pointed out and many improved schemes [3][4][9][10] have been proposed to overcome weaknesses of GSM AKA. Choi et al. proposed GSM AKA scheme to overcome some problems of GSM AKA in 2004 [4], but we point out that some security problems are still not solved in Choi et al.’ s scheme. In this paper, we propose efficient and robust identity privacy GSM AKA schemes to improve Choi et al.’ s scheme. The remainder of this paper is organized as follows. In section 2, we review Choi et al.’ s GSM AKA protocol. In section 3, we describe some problems of Choi et al.’ s AKA scheme. In section 4, we show our proposed GSM AKA scheme with robust identity privacy protection. In section 5, we make a comparison of the efficiency and security among our scheme and the other related schemes. In section 6, we make a discussion. Finally, we make a conclusion.. 2. Related works Before illustrating Choi et al.’ s authentication protocol [5], the notations must be demonstrated. HLR and VLR represent the home location register and the visitor location register, respectively. IMSI and TMSI represent the international mobile subscriber identity and the temporary mobile subscriber identity. LAI represents location area identifier. A3(), A5() and A8() are three main cryptographic algorithms [5], where A3() indicates an authentication algorithm, A5() indicates an encryption/decryption algorithm and A8() indicates a cipher key generation algorithm. Ek() denotes the encryption function with the symmetric key k via the A5 algorithm. Dk() denotes the decryption function with the symmetric key k via the A5 algorithm. IDHLR denotes a unique identification of HLR, IDVLR denotes a unique identification of VLR, and f() denotes a one-way hash function. K represents the common shared key between HLR and MS and Kc denotes the cipher key. “ ||” represents the string concatenation symbol and “ ⊕” denotes the bitwise exclusive-or operation. Choi et al.’ s proposed the GSM AKA scheme with privacy is based on the Alias (AL), where AL is a unique identity of MS for traveling and assigned to the IMSI of MS one-by-one. HLR assigns this AL to a user when. - 540 -.

(2) MS registration. The relationship between the alias and the real identity should be kept secretly by HLR. This scheme occurs while MS receiving an identity request at location updating. We demonstrate this scheme as follows. Step 1: When MS receiving an identity request from VLR, MS will extract AL from its database instead of IMSI, chooses a random number RAND, computes a response SRES1=A3(RAND||K), another encryption key Ku=f(IMSI||IDHLR||K) and an encrypted message E K u (RAND) via the A5 as the encryption algorithm. Then, MS sends AL, IDHLR, SRES1 and EK (RAND) to u VLR. Step 2: After receiving AL, IDHLR, SRES1 and E K u (RAND), VLR identifies the identity of HLR, derives the corresponding shared key VH and generates another encrypted message EVH(AL). Then, VLR sends IDVLR, EVH(AL) and E K (RAND) to HLR. u. Step 3: While receiving IDVLR, EVH(AL) and E K (RAND), HLR identifies the identity of VLR and u. knows the shared key VH. HLR decrypts EVH(AL) and gets the alias AL of MS. HLR can use the alias AL to find the corresponding IMSI in its key table and obtain shared key K. Then, HLR calculates the symmetric decryption key Ku=f(IMSI||IDHLR||K) and decrypts E K u (RAND) by using the A5 as the decryption algorithm. HLR computes another response SRES2= A3(RAND||K) and an encrypted message EVH(RAND|| TK||IMSI). Next, HLR sends SRES2, IDHLR and EVH(RAND|| TK||IMSI) back to VLR. Step 4: Upon receiving SRES2, IDHLR and EVH(RAND||TK||IMSI), VLR first verifies if SRES1=SRES2. If the equation is satisfied, VLR decrypts EVH(RAND||TK||IMSI) using the shared key VH and stores the temporary key TK in its database. Subsequently, VLR sends the random number RAND and encrypted message ETK(TMSInew) to MS, where ETK() is the encryption algorithm by using the A5 algorithm with the temporary key TK. Step 5: Once MS receives RAND and ETK(TMSInew), MS will verify the random number RAND is chosen by itself. If yes, MS computes the temporary key TK=A8(RAND||K) and decrypts ETK(TMSInew) by using the A5 algorithm and the temporary key TK. The process of authentication is accomplished.. 3. Some problems of Choi et al.’ sGSM AKA protocol In this section, we point out that some drawbacks of Choi et al.’ s GSM authentication protocol as follows. (i) The redi r e c t i ona t t a c ki st or e di r e c tMS’ st r a f f i ct o another domain or base station. Assume that an attacker is manipulating a device having the capability of a base station, called the false base s t a t i on ,a n dt h i sa t t a c k e r ’ sde v i c ec a nalso imitate the capability of a mobile station. In order to carry. out functionality of two different devices, the special device can be used, i.e., IMSI catcher [12]. The attacker can imitate a base station and allure a legal mobile station to camp on the radio channels of the false base station impersonated by the attacker. On the other hand, the attacker can also imitate a mobile station and creates the connection with a pure base station. We point also out that Choi et al.’ s GSM AKA protocol is easily attacked by the redirection attack problem [15] since the HLR can not check whether any information is sent from visited VLR by MS actually or sent from a false VLR. Besides, if one of networks is corrupted, the security of all networks will be jeopardized. The adversary can implement this attack, called the corrupted network attack, leading to a large damage for networks. According to [15], the redirection attack and the corrupted network attack can be solved by checking the validity of the authenticator and checking if the identity of VLR truly visited by MS is embedded in that authenticator. (ii) Even though Choi et al.’ s scheme uses alias AL to conceal the MS’ s identity, the adversary can still know which location a MS travels to since the adversary can send an identity request to many MS in different times or various locations. If the adversary wants to know MS’ s location and what he does, the adversary can easily know that by recoding the AL of MS even if the identity IMSI of MS is not exposed. So Choi et al.’ s scheme is achieving weak identity privacy for MS. (iii) The modification attack is to disturb the normal communications between both ends. Choi et al. ’ s scheme is vulnerable to the modification attack while VLR sends an encrypted message ETK(IMSInew) and a random number RAND to MS. If the correctness of RAND is checked by MS, MS will compute the temporary key TK and decrypt the encrypted message ETK(IMSInew). In this way, MS only checks the correctness of the random number RAND and MS then accepts the new temporary identity TMSInew. The attacker can easily replay the same random number RAND and forge an encrypted message ETK’(TMSInew’ ) . Th e n ,t h e adversary can send the random number RAND and ETK’(TMSInew’ )t oMSa n dMSwi l lbe l i e v e st h a t TMSInew’i s pr odu c e d by a genuine VLR for communications.. 4. Our proposed scheme with robust user privacy protection The system architecture of our scheme is the same with that of the original GSM authentication and key agreement protocol and also based on three cryptographic algorithms A3(), A5() and A8(), where A3() is an authentication algorithm, A5() is an encryption algorithm and A8() is an cipher key. - 541 -.

(3) generation algorithm [5]. Let x be a master secret key kept secretly by the HLR. There are two situations for authentication when a MS wants to use the service including the normal case and the case while a MS receiving an identity request. Due to space consideration, we only describe our modified scheme for the case while a MS receiving an identity request in Figure 1. The normal case will be appeared in the full version of this paper. Now, we will describe our scheme as follows. Step 1. VLR sends identity request including a random number N3 to MS through the downlink channel. Step 2. While MS receives the identity request and N3, it firstly extracts the secret token wi=A3(x||ri) and the random number ri. Then, MS selects a random number RAND, and computes the authentication tag VAC= f(K||IDVLR||RAND||N3||wi) and an expected response SRES1=A3(K||RAND). Then MS generates an encrypted IMSI by computing Pi=IMSI⊕wi. Next, MS sends Pi, IDHLR, SRES1, VAC, RAND and ri to VLR through the uplink channel. Step 3. Upon receiving Pi, IDHLR, SRES1, VAC, RAND and ri, VLR stores SRES1 in its database and sends IDVLR, Pi, VAC, RAND, N3 and ri to HLR via a secure channel. Step 4. When receiving IDVLR, Pi, VAC, RAND, N3 and ri, HLR firstly checks if the nonces RAND and N3 are fresh. HLR can keep a recently used nonces table for checking freshness. If they are fresh, HLR calculates the secret token wi=A3(x||ri) and gets IMSI by computing Pi⊕wi =(IMSI⊕wi)⊕wi =IMSI. Then, HLR can derive the shared key K and verifies if VAC=f(K||IDVLR|| RAND||N3||wi). If they are not identical, HLR halts this connection. Otherwise, HLR computes a temporary key TK=A8(K||RAND) and an expected response SRES2=A3(K||RAND). HLR then selects a random number N4 and another random number ri+1 for being used next time, and generates a secret token wi+1=A3(x||ri+1) to be used next time and a message of concealed secret token Ti+1=wi+1⊕A3(K||ri+1). Next, HLR generates an authenticator MAC=f(K||N4||VAC||wi+1) and an encrypted message EVH(IMSI||TK||SRES2|| Ti+1||MAC||ri+1), where VH is shared key with VLR. HLR sends N4, EVH(IMSI||TK||SRES2||Ti+1||MAC||N4||ri+1) to VLR. Step 5. While receiving N4, EVH(IMSI||TK|| SRES2||Ti+1||MAC||N4||ri+1), VLR decrypts the message by using the shared key VH. Then, it verifies if SRES1=SRES2. If they are not match, VLR aborts this connection. Otherwise, VLR keeps the temporary key TK in its database and computes another authenticator AUTH =f(TK||TMSInew||MAC), where TMSInew is a new assigned temporary identity by VLR. Then, VLR sends AUTH, Ti+1, ri+1, MAC, N4 and an encrypted message ETK(TMSInew), where ETK() is using the A5 as the encryption algorithm with the temporary key TK. Step 6. After receiving AUTH, Ti+1, ri+1, MAC, N4, and ETK(TMSInew), MS computes the secret token wi+1 = Ti+1 ⊕ A3(K||ri+1) =wi+1⊕A3(K||ri+1))⊕A3(K||. ri+1) to be used next time and verifies if MAC= f(K||N4||VAC||wi+1). If they are not match, MS halts this connection. Otherwise, MS stores the secret token wi+1 and the random number ri+1 for being used next time. If it is valid, MS computes the temporary key TK=A8(K||RAND) and decrypts ETK(TMSInew) and gets TMSInew. Next, MS verifies authenticators MAC=f(K|| N4||VAC||wi+1) and AUTH=f(TK||TMSI||MAC). If they are identical, HLR and VLR are authenticated by MS and the process of authentication is accomplished. MS. VLR. HLR. Identity request 1. N3 2. Pi, IDHLR, SRES1, VAC, RAND, ri 3. IDVLR , Pi, SRES1,VAC, RAND, ri 4. N4, E VH (IMSI||TK||SRES2||Ti+1||MAC||ri+1) 5. AUTH, Ti+1, ri+1, MAC, N4, ETK(TMSInew). Figure 1. Our proposed GSM AKA authentication while MS receiving an identity request. 5. Security analysis consideration. and. performance. 5.1 Identity privacy In [4], Choi et al claimed that their proposed GSM AKA scheme can achieve identity privacy. But the adversary can still know wherever location the same MS is while sending an identity request to the same MS via the alias AL during various times. Hence, we propose a more strong GSM AKA scheme with identity privacy protection by using the secret token wi=A3(x||ri) and the random number ri to protect IMSI. We generates the concealed message Pi=IMSI⊕wi for achieving location privacy. Nobody, except HLR, can generate the secret token wi=A3(x||ri). If the adversary eavesdrops the concealed message Pi and the random number ri, the adversary is also impossible to obtain IMSI without the master key x kept secretly by HLR. Thus, compared with [4], our schemes provide more robust location privacy by using the secret token wi=A3(x||ri).. 5.2 Mutual authentication The goal of mutual authentication is that MS and VLR establish an agreed temporary key TK and MS and VLR can authenticate each other with the assistance of HLR. In our scheme, we assume that the temporary key TK is a kind of session keys to be used for a valid period. TK Let A  B denote that A and B share a common session key TK. The mutual authentication is accomplished between A and B if there exists an TK TK such that A believes A  B and B believes TK A  B for the transaction [1][6][7][8]. A strong mutual authentication should include the following. - 542 -.

(4) TK statement [1][6][7][8]: A believes B believes A  B TK and B believes A believes A B. We can illustrate that our scheme can achieve strong mutual authentication between VLR and MS as follows. After Step 4 of our proposed GSM AKA scheme in section 4.1, VLR receives the message N4 and EVH(IMSI||TK||SRES2||Ti+1||MAC||N4||ri+1) from HLR, VLR can decrypt this message and verify if TK SRES1=SRES2. If yes, VLR believes VLR  MS. Since the random number N3 is chosen by VLR, and confirms the freshness of N3 embedded in VAC, also embedded in MAC, with HLR’ s assistance, VLR TK believes MS believes VLR  MS. After of Step 5 of our proposed scheme in section 4.1, MS receives AUTH, N4 and ETK(TMSInew), MS computes the temporary key TK=A8(K||RAND), decrypts ETK(TMSInew) and checks if AUTH=f(TK|| TMSI||MAC) is valid. If yes, MS will believes TK VLR  MS since the random number RAND selected by MS is embedded in VAC, also embedded in MAC. Since MS can also confirm if the random number RAND is fresh, and AUTH=f(TK||TMSI||MAC) can only be calculated by HLR and sent to VLR, MS believes TK VLR believes VLR  MS.. 5.3 Secret token protection For achieving identity privacy, our scheme uses the secret token wi=A3(x||ri) to conceal IMSI as a message Pi =IMSI⊕wi and MS sends this concealed message to HLR for anonymous authentication. If an adversary wants to know IMSI of MS, it must firstly get the secret token wi=A3(x||ri). Even though the random number ri and the concealed message Pi=IMSI⊕wi are known by the attacker, the secret token wi=A3(x||ri) is impossible to derive since the master secret key x is only kept secretly by HLR, and only HLR can generate the secret token wi=A3(x||ri). The secret token wi is computed as wi=A3(x||ri), where ri is ith random number selected by HLR. After HLR accepts the request of the anonymous authentication by using the secret token mechanism, HLR will generate a new secret token wi+1=A3(x||ri+1) to be used next time and the random number ri+1 to be used next time. Later, the new secret token wi+1 will be sent secretly to MS by using another concealed message Ti+1=wi+1⊕A3(K||ri+1), where K is shared key between HLR and MS. As soon as MS receives the conceal message Ti+1 and the random number ri+1, MS can derive the new secret token wi+1=Ti+1⊕A3(K||ri+1) to be used next time, and store this new secret token wi+1 and the random number ri+1 for next time use. Except HLR, nobody can calculate the new secret token wi+1=Ti+1⊕A3(K||ri+1). Even if the adversary taps the concealed message Pi+1 and the random number ri+1 while location updating phase happens again, it is still difficult to compute the new secret token wi+1 since the adversary does not has the shared key K.. 5.4 Withstanding attacks. (i). Man-in-middle attack [11] The man-in-middle attack means that the attacker tries to modify the content of communications and is not to be observed by both ends of communications. The adversary tries to get the transmitting messages between both ends, and replaces a modified message with the transmitting message. This attack can be resisted in our scheme since both ends can verify whether a message is modified or not by checking the authenticator. If the message is modified, the receiver will reject it immediately. (ii) Dictionary attack [2] For calculating the temporary key TK, the adversary must know the random number RAND and the shared key K. Even if the random number RAND is transmitted on plain text, and it is got by the adversary. It is impossible to calculate the temporary key TK since the shared key K is kept secretly by HLR and MS. Only MS and HLR have the shared key K. The adversary can not compute the temporary key TK since the high entropy of the shared key K. (iii) Replay attack [13] For prevent this attack, our scheme uses nonces N3, N4 and RAND to resist to the replay attack. HLR can check if the nonce is used in its recently used nonce table. If the message is replayed by the adversary, the receiver can observe the replayed message and reject it. (iv) Modification attack [14] The modification attack is to disturb normal communication between both ends. Our scheme can resist this pixilated attack since our schemes use authenticators to verify if the message is modified by the attack. Even if the message is altered by the attacker, the receiver will check the correctness of the authenticator. If it not correct, the receiver will reject it.. 5.5 Efficiency comparisons In this section, we make efficiency comparison with related schemes. According to [5], there are three cryptographic algorithms, A3(), A5() and A8() used in GSM authentication. A3() is the authentication algorithm to generate message authentication code and the output parameters of A3() is 32 bits. A8() is the cipher key generation algorithm and the out parameters of A8() is 64 bits. A5() is the encryption algorithm. We also assume that the master secret key x and random number RAND is 128 bits, the shared key VH is 64 bits, secret token wi =A3(x||ri+1) is 32 bits and the temporary key TK=A8(K||RAND) is 64 bits. Beside, we also assume that A3() algorithm and A8() algorithm are similar to hash operation and A5() algorithm resemble a symmetric encryption/decryption operation. Also, we assume that the new assigned TMSI is encrypted by VLR and sent to HLR. The computation cost of encryption and decryption for the new assigned TMSI is also considered. Efficiency comparison of our scheme and related schemes [3][4][5][10] while MS receiving an identity. - 543 -.

(5) request is shown in Table 1. In our scheme, the memory needed for MS is 352 bits. In [3] and [10], the memory needed for MS is 128 bits and 832 bits, respectively. The memory needed for MS in [4] and [5] is 192 bits. The memory needed for VLR is 160 bits in our scheme and [4]. In [3] and [10], the memory needed for VLR is 146 bits. The memory required for VLR is (224n) bits in [5]. In our scheme, the memory needed for HLR is 320 bits. In [3] and [5], the memory needed for HLR is 128 bits. In [4], the memory needed for HLR is 192 bits. The memory needed for HLR is 640 bits in [10]. The computation cost for MS is one decryption operation, six hash operations and two exclusive-or operations in our scheme. The computation cost of MS is two encryption operations and two hash operations in [3]. In [4], the computation cost of MS is one encryption operation, one decryption operation and three hash operations. The computation cost for MS in [10] is one exponential operation, one encryption and three hash operations. The computation cost for MS in [5] is one decryption operation and two hash operations. In our scheme, the computation cost of VLR is one encryption operation, one decryption operation and one hash operation. Two encryption operations and one decryption operation is required for VLR in [4]. In [3] and [10], the computation cost for VLR is two encryptions and one encryption operation, respectively. Only one encryption operation is needed for VLR in [5]. The computation cost on HLR in our scheme is one encryption operation, seven hash operations and two exclusive-or operations. The computation cost of HLR in [3] is two hash operations. However, in [4], the computation cost for HLR is one encryption operation, two decryption operations and three hash operations. In [10], one exponential operation and two hash operations are needed for HLR. However, (2n) hash operations are required for HLR in [5].. and not able to withstand the redirection attack and the corrupted network attack. Besides, the modification attack on Chang et al.’ s scheme is not available (N/A) since their scheme assumes that the new TMSI is already assigned to MS before the authentication phase. Compared with Choi et al.’ ss c h e me[4], Choi et al.’ s scheme is not able to prevent the redirection attack, the corrupted network attack, the replay attack and the modification attack. In addition, Choi et al.’ ss c h e me only achieves weak identity privacy. Compared with [10], even though their scheme provides identity privacy but their scheme has not great performance since using public key cryptography. Beside ,Pe i n a do’ ss c h e me[10] can not resist to the redirection attack and the corrupted network attack, and have time synchronization problem. Note that the modification attack on encrypted TMSI is not available (N/A) since Peinado’ s scheme uses an encrypted ticket from HLR to replace with a new assigned TMSI by the visited VLR. Regarding to computation or communication cost, since using the temporary key mechanism, our scheme and other related schemes [3][4] are more lower than the schemes [5][10]. Our scheme satisfies all property of the listed and has relatively great performance. Table 2. Functionality comparison among our GSM AKA and the other related GSM AKA schemes C1 C2 C3 C4 C5 S1 S2 S3 S4 S5 S6 S7. C1: The computation cost for MS; C2: The computation cost for HL R; C3: The computation cost for VLR; C4: The communication cost between HLR and VLR; C5: The space overhead for VLR; S1: Identity priva cy; S2: Mutual authentication between MS and VLR; S3: Preventing the rep lay attack S4: Preventing the redirection attack; S5: Preventing the corrupted network attack; S6: Preventing the modification attack while VLR assigns a new TMSI; S7: No time synchronization problem.. Table 1. Efficiency comparison among our 3GPP AKA scheme and the other related schemes while MS receiving an identity req uest E1 Our scheme. E2. E3. E4. E5. E6. 352 bits. 160 bits. 320 bits. 1Sym+6H+2 2Sym+1H XOR. Chang et al. [3] 128 bits. 146 bits. 128 bits. 2Sym+2H. 2Sym. 2H. Choi et al. [4]. 192 bits. 160 bits. 192 bits. 2Sym+3H. 3Sym. 3Sym+3H. Peinado [10]. 832 bits. 146 bits. 640 bits. 1Sym. 1Exp+2H. GSM [5]. 192 bits (224 n) bits. 1Exp+1Sym +3H 1 Sym + 2 H. 1Sym. (2 n)H. 128 bits. Our scheme Chang et al. [3] Choi et al. [4] Peinado [10] GSM [5] Low Low Low High Low Low Low Low High High Low Low Low Low Low Low Low Low Low High Low Low Low Low High Yes No Partial Yes No Yes Yes Yes Yes No Yes Yes No Yes No Yes No No No No Yes No No No No Yes N/A No N/A No Yes Yes Yes No Yes. 1Sym+7H +2XOR. 6. Discussion. E1: Memory needed in MS; E2: Memory needed in VLR; E3: Memory ne eded in HLR; E4: Computation cost for MS; E5: Computation cost for VLR; E6: Compu tation cost for HLR; Exp: Exponential operation; Sym: Symmetric encryption/decryption operation; H: Hash operation; XOR: Exclusive-or operation; n: numbers of authentication vectors.. Note that the encryption of TMSI using the encryption key Kci through the A5 algorithm on the VLR’ ss i de a n dt h e de c r y pt i on ofTMSIu s i ng t h e decryption key Kci through the A5 algorithm on the MS’ ss i dea r eincluded in the computation cost in the related GSM AKA protocols for the comparison. We summarize the functionality of our scheme and the related schemes in Table 2. In compared to Chang et al.’ s scheme [3], it is not able to provide identity privacy,. In this section, we discuss our proposed schemes for more detailed considerations in advance. Instead of using the exclusive-or operation, we also provide more robust identity privacy of MS in GSM AKA protocols. Besides, we focus on the lifetime of the temporary key and make more detailed demonstrations. In our proposed GSM AKA protocol, we use the secret token wi =A3(x||ri) to protect IMSI of MS by computing the message Pi=IMSI⊕wi. First of all, for convenience to demonstrate, we assume that the approach of checking the authenticator is ignored. Instead of using Pi=IMSI⊕wi, MS generates an secret token wi=A3(x||ri) as a symmetric encryption key and an encrypted message Pi = Ew (IMSI), where Ey() is a i. - 544 -.

(6) symmetric decryption function and y is a symmetric encryption key as an input. Then, MS sends Pi and ri to HLR, Once HLR receives Pi and ri, HLR generates the symmetric decryption key wi and decrypts the identity IMSI= Dw (Pi), where Dy() is a symmetric decryption i. function and y is the symmetric decryption key. For protecting the new transferred secret token wi+1=A3(x||ri+1), HLR will generates another symmetric encryption key Kst=A3(K||ri+1) and encrypts Ti+1= EK (wi+1), where K is shared key of MS and HLR.. the Taiwan Information Security Center (TWISC), National Science Council under the Grants NSC 95-3114-P-001-001-Y02 and NSC 94-3114-P-011-001.. References [1]. [2]. st. Then, HLR sends the random number ri+1 to be used the next time and the secret token Ti+1 to be used the next time to MS. After receiving ri+1 and Ti+1, MS can obtain wi+1 by decrypting DK (Ti 1 ) = DA3( K || r ) (Ti+1). Since st i 1 only HLR can generate the correct secret token wi+1=A3(x||ri+1) for the next time use and MS will believes the new received secret token wi+1 is valid. MS will store ri+1 and wi+1 in its memory, and use them while MS receiving an identity request next time. Either using the exclusive-or operation or a symmetric cryptosystem to be applied in our proposed scheme, the identity privacy can be implemented in our proposed scheme. Note that using symmetric cryptosystems have higher overheads than exclusive-or operations in MS and HLR. For the performance consideration, our proposed scheme adopts the exclusive-or operation to enforce identity privacy. For achieving more robust identity privacy, TMSI can also apply the above mentioned approaches to be concealed but space overhead and computation cost will be increasing in MS and VLR. In our proposed GSM scheme, the lifetime of the generated temporary key TK is not considered. For specifying the lifetime of each generated TK, HLR can send the lifetime LifeTimeTK of TK to VLR. Also, VLR will forward the LifeTimeTK of TK to MS. For simply illustration, we only specify the time life of the temporary key used in our GSM AKA protocol at normal case. The authenticator MAC=f(K||N2||VAC||wi+1) be replaced with MAC=f(K||N2||VAC||wi+1||TimeLifeTK) in Step 4 of Section 4.1.. [3]. [4]. [5]. [6]. [7]. [8]. [9]. [10]. [11]. [12]. 7. Conclusion. [13]. In this paper, we have proposed a GSM authentication scheme with robust identity privacy protection. In order to achieve the user’ s identity privacy, only using alias, used in Choi et al.’ s scheme, is not enough since the MS’ s location is still easy to be exposed by the location privacy attack. Hence, we use the exclusive-or operation to produce dynamically a secret token for achieving robust identity privacy protection. Besides, we also use the temporary key mechanism for reducing bandwidth consumption. Our proposed scheme can also resist well-known attacks.. [14]. [15]. Acknowledgment. This work was supported in part by the National Science Council of the Republic of China under the Grant NSC 95-2221-E-128-004-MY2, and by. - 545 -. M.Bur r ow,M.Aba dia n dR.Ne e dha m,“ A Log i cof Aut he nt i c a t i on, ”ACM Trans. Comput. Syst., Vol. 8, pp. 18-36, 1990. S.Be l l ov i na n dM.Me r r i t t ,“ En c r y pt e dKe yExc ha ng e : Password-Based Protocol Secure Against Dictionary At t a c k s , ”Re s e a r c hi nSe c ur i t ya ndPr i v a c y ,Pr oc e e di ng s IEEE Computer Society Symposium, pp. 72-84, 1992. C. Chang, J. Lee and Y. Cha ng ,“ Ef f i c i e nt Aut he nt i c a t i on Pr ot oc ol s of GSM, ” Computer Communications, Vol. 28, pp. 921-928, 2005. Y.Choia ndS.Ki m,“ AnI mpr ov e me ntonPr i v a c ya nd Aut he nt i c a t i oni nGSM, ”Pr oc e e di ng sofWor k s hopo n I nf or ma t i on Se c ur i t y Appl i c a t i ons ( WI SA’ 200 4) ,pp. 14-26, 2004. Digital Cellular Telecommunications System (Phase 2+), Security Related Network Functions (GSM 03.20 version 8.1.0 Release 1999), ESTI TS 100 929 V8.1.0, 2001. W. J ua ng , “ Ef f i c i e nt Mul t i -server Password Authenticated Key Agreement Using Sma r tCa r ds , ” IEEE Trans. on Consumer Electronics, Vol. 50, No. 1, pp. 251-255, 2004. W.J ua ng ,“ Ef f i c i e nt Pa s s wor d Aut he nt i c a t i o n Ke y Ag r e e me ntUs i ngSma r tCa r ds , ”Computer and Security, Vol. 23, pp. 167-173, 2004. W.J ua ng ,“ Ef f i c i e ntUs e r Aut he n t i c a t i on and Key Ag r e e me nti nUbi qui t o usCompu t i ng , ”I nPr oc e e di ngof the 2006 International Conference Computational Science and is Applications, Lecture Notes in Computer Science 3983, pp. 396-405, Springer-Verlag Press, German, 2006. C. Lee, M. Hwang and W. Yang, “ Extension of Authentication Protocol for GSM,”IEE Proceedings of Communications, Vol. 150, pp. 91-95, 2003. A. Pe i na d o, “ Pr i v a c ya nd Aut he n t i c a t i on Pr o t oc ol Pr ov i di ng Anony mousCha nne l si n GSM, ”Computer Communications, Vol. 27, pp. 1709-1715, 2004. D. Se oa nd P.Swe e ne y ,“ Si mpl eAut he nt i c a t e d Ke y Ag r e e me ntAl g or i t hm, ”Electronics Letters, Vol. 35, pp. 1073-1074, 1999. J .Qur i k e ,“ Se c ur i t yi nt heGSM Sy s t e m, ”Aus Mobi l e , http://www.ausmobile.com. P. Sy ve r s on, “ A Ta x onomy of Re pl a y At t a c k s , ” Computer Security Foundations Workshop VII, CSFW 7. Proceedings 14-16, pp. 187-191, 1994. C.Ya ng ,T.Cha nga n dM.Hwa ng ,“ Cr y pt a na l y s i sof Si mpl eAut he nt i c a t e dKe yAg r e e me ntPr ot oc ol s , ”IEICE Trans. Fundamentals, Vol. E87-A, No. 8, pp. 2174-2176, 2004. M. Zhang and Y. Fa ng ,“ Se c ur i t y Ana l y s i sa nd Enhanced of 3GPP Authentication and Key Agreement Pr ot oc ol , ”IEEE Trans. on Wireless Commun., Vol. 4, No. 2, pp. 734-742, 2005..

(7)