S-AKA: A Provable and Secure Authentication Key Agreement Protocol for UMTS Networks

S-AKA: A Provable and Secure Authentication Key

Agreement Protocol for UMTS Networks

Yu-Lun Huang, Member, IEEE, Chih-Ya Shen, and Shiuhpyng Winston Shieh, Senior Member, IEEE

Abstract—The authentication and key agreement (AKA)

pro-tocol of Universal Mobile Telecommunication System (UMTS), which is proposed to solve the vulnerabilities found in Global Sys-tem for Mobile Communications (GSM) sysSys-tems, is still vulnerable to redirection and man-in-the-middle attacks. An adversary can mount these attacks to eavesdrop or mischarge the subscribers in the system. In this paper, we propose a secure AKA (S-AKA) pro-tocol to cope with these problems. The S-AKA propro-tocol can reduce bandwidth consumption and the number of messages required in authenticating mobile subscribers. We also give the formal proof of the S-AKA protocol to guarantee its robustness.

Index Terms—Authentication protocol, key agreement protocol,

Universal Mobile Telecommunication System (UMTS) networks. I. INTRODUCTION

W

ITH THE boost of mobile applications, third-generation (3G) technology has been widely deployed to mod-ern mobile devices as an improvement to service capabilities, worldwide operations, and performance. As one of the 3G technologies, the Universal Mobile Telecommunication System (UMTS), which is an evolution of the Global System for Mobile Communications (GSM), uses the same core network standard as GSM. Meanwhile, UMTS has been also developed into a fourth-generation (4G) technology. For backward compatibil-ity, these mobile devices also support second-generation (GSM) technology.

To improve the security weaknesses in GSM [1], UMTS authentication and key agreement (AKA) was proposed at the network level [2] for authenticating 3G mobile subscribers. UMTS AKA negotiates security keys between a subscriber and the serving network and then achieves mutual authentication between the two parties. UMTS AKA can successfully defeat Manuscript received November 17, 2010; revised April 22, 2011 and June 2, 2011; accepted August 7, 2011. Date of publication September 22, 2011; date of current version December 9, 2011. This work was supported in part by the Industrial Technology Research Institute; by the Institute for Information Industry; by Chunghwa Telecom; by the Chung-Shan Institute of Science and Technology; by the Networked Communications Program Office; by the International Collaboration for Advancing Security Technology Program, National Science Conncil of Taiwan, under Grant NSC97-2745-P-001-001; and by the Taiwan Information Security Center, National Science Council of Taiwan, under Grant NSC99-2218-E-009-017 and Grant NSC100-2219-E-009-005. The review of this paper was coordinated by Dr. L. Chen.

Y.-L. Huang is with the Department of Electrical Engineering, National Chiao Tung University, Hsinchu 300, Taiwan.

C.-Y. Shen was with the Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu 300, Taiwan. He is now with the Department of Electrical Engineering, National Taiwan University, Taipei 106, Taiwan.

S. W. Shieh is with the Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu 300, Taiwan.

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2011.2168247

most of the vulnerabilities found in GSM systems and provide a more secure telecommunication system. Nevertheless, it is still vulnerable to some attacks, such as redirection [3] and man-in-the-middle attacks [4]. Mobile subscribers may be mischarged or eavesdropped under these attacks.

In this paper, we propose a new AKA protocol that eliminates vulnerabilities and enhances bandwidth efficiency. We also give the formal proof of our protocol to show its security strength. This paper is organized as follows. In Section II, we introduce UMTS AKA and analyze its security and bandwidth bottle-necks. Section III gives the related work and our motivation. In Section IV, we present the secure AKA (S-AKA) protocol. The security analysis and formal proof are given in Sections V and VI, respectively. Section VII concludes this paper.

II. UNIVERSALMOBILETELECOMMUNICATIONSYSTEM AUTHENTICATION ANDKEYAGREEMENT

The three major entities involved in UMTS AKA [5] are the mobile station (MS), the Serving GPRS Support Node (SGSN), and the Home Location Register/Authentication Cen-ter (HLR/AuC). The MS acts on behalf of a mobile subscriber to communicate with the SGSN and HLR/AuC for mutual authentication. The SGSN represents the visited serving net-work, and the HLR/AuC in the home domain is in charge of subscriber authentication. In UMTS AKA, the MS and HLR/AuC share a secret key K and maintain sequence numbers SQN_MS and SQN_HNfor resisting replay attacks. The MS and HLR/AuC also execute some cryptographic functions for key generations and integrity checks. Tables I and II define the abbreviations and cryptographic functions used in this paper, respectively.

Five messages are exchanged during authentication in UMTS AKA [5].

UM1: The MS sends a registration request containing its IMSI

to the SGSN via a base station subsystem (BSS). The BSS then handles traffic and signaling between the MS and the GSM core network.

UM2: The SGSN forwards the request to the HLR/AuC.

UM3: After authenticating the MS, the HLR/AuC sends an

ordered array of m AVs to the SGSN. Each AV consists of RAND, XRES, CK, IK, and AUTN.

UM4: The SGSN selects an unused AV, retrieves RAND and

AUTN, and sends them to the MS.

UM5: After successfully checking the freshness and

correct-ness of SQN and MAC in AUTN, the MS authenticates the networks and generates RES, CK, and IK for mutual authentication and session protection.

TABLE I

SYMBOLS ANDABBREVIATIONS

TABLE II CRYPTOGRAPHICFUNCTIONS

A. Security Vulnerabilities

Recently, UMTS AKA has been found vulnerable to redi-rection and man-in-the-middle attacks [6]. When a mobile subscriber is under attack, an adversary can eavesdrop the communication between the MS and the SGSN or even annoy the MS with billing problems.

1) Redirection Attack: Redirection attack is one of the pos-sible attacks on multihomed mobile networks. In this attack, an adversary owns a device that can simultaneously impersonate both the BSS and the MS [3] at the same time. To deceive the victim MS, the adversary masquerades as a legitimate BSS by broadcasting a bogus BSS ID. It also disguises as the victim MS to trick the BSS (see Fig. 1). The adversary connects to another legitimate foreign network on behalf of the legitimate MS and builds up a transparent tunnel to relay messages between the legitimate foreign network and the victim MS. Since AUTN, RAND, and secret keys are successfully negotiated, the victim MS will then be authenticated by the foreign network.

The redirection attack persecutes a victim MS with billing problems, forcing the victim MS on his home network to be charged for roaming into a foreign domain operated by another service provider. In this case, neither the home network nor the victim MS can detect the redirection attack. It is also possible that the adversary can redirect the victim MS to an insecure network with weak or none encryption. Hence, the adversary can eavesdrop the communication sessions [6].

2) Man-in-the-Middle Attack: In this attack, the adversary lures the victim MS to use a serving network with weak or none encryption. Upon attacking the network, an attacker, which is hiding between the MS and the SGSN, tries to bypass the UMTS security, forces a UMTS/GSM dual-mode mobile device to use the less secure GSM authentication, and obtains AUTN. The attacker can then eavesdrop the session initiated by the victim MS [4]. This makes the attacker easily alter and eavesdrop the unprotected messages and sessions.

B. Bandwidth Consumption

In UMTS AKA, the HLR/AuC sends m AVs to the SGSN after authenticating the MS. The SGSN needs to request for another authentication when these AVs are exhausted. Trans-mitting authentication requests and AVs, however, requires a high bandwidth and incurs a high communication cost, partic-ularly when the SGSN and HLR/AuC are located in different administrative domains. Obviously, the number of AVs m sent by the HLR/AuC has a great impact on bandwidth consump-tion. Smaller m not only means less bandwidth consumption for each registration but implies more frequent authentication requests and vector transmission as well. The tradeoff exists due to the difficulties in choosing an optimal m value for the entire network. Fig. 2 shows the bandwidth consumption of UMTS AKA with different values of m.

Taking “50 authentication requests initiated by one MS” as an example, if m = 2, it needs 57 472 bits for authentication, but it needs additional 22 976 bits if m = 100. For 200 authenti-cation requests, it needs 231 472 bits for each MS (if m = 2) but only 214 224 bits if m = 100. If millions of MSs are requesting authentications at the same time, the mobile network must offer adequate bandwidth to accommodate these requests.

III. RELATEDWORK

Many AKA protocols [7]–[11] were proposed to ensure the authenticity of communication parties and protect mobile communications at different levels, namely, application, device, and network levels. Some of them [12] and TBAS [2] protect transactions at the application level, some schemes [13] discuss device-based authentication that works by registering a device before it can access any service, whereas some others [5] intend to authorize the MS to use a UMTS network resource at the network level. However, when trying to adapt these protocols to UMTS networks, they either do not address the characteristics of UMTS networks or inefficiently perform on authenticating a mobile user in the registration procedure.

Since asymmetric key cryptography requires higher costs in installation and deployment, many symmetric key-based protocols [6], [14]–[17] were proposed to enhance the security of UMTS AKA and to reduce the bandwidth consumption of authentication. In the aforementioned protocols, a secret key is generally shared between the MS and the HLR/AuC. In 2005, X-AKA [14], which is a symmetric key-based authentication protocol, was proposed to prune off the transmission of AVs in UMTS AKA and improves its bandwidth consumption. However, it does not resist redirection and man-in-the-middle

Fig. 1. Redirection attack in UMTS AKA.

Fig. 2. Bandwidth consumption of UMTS AKA for different numbers of AVs (m = 2 100).

attacks. Zhang and Fang [6] presented the AP-AKA protocol to defeat the redirection attack and drastically lower the im-pact of network corruption, but an extra message is initiated by the SGSN for authenticating the roaming MSs. Such a design helps AP-AKA defeat the redirection attack. The pro-tocol, however, is still susceptible to the man-in-the-middle attack.

Al-Saraireh and Yousef [15] proposed a symmetric key-based authentication protocol for UMTS networks. Al-Saraireh and Yousef’s protocol mainly focuses on reducing the band-width required for transmitting AVs. Hence, the AVs are gen-erated by MSs instead of by serving networks. Al-Saraireh and

Yousef’s protocol eliminates the cost of delivering AVs during authentication. The protocol, however, does not resolve the security issues in defeating redirection and man-in-the-middle attacks.

In 2010, Ou et al. [17] proposed Cocktail-AKA to overcome the congenital defects of UMTS AKA. Cocktail-AKA uses two varieties of AVs (called MAV and PAV) to produce several effective AVs. In the protocol, each service network produces its own AVs (MAVs) in advance. These MAVs are produced only once but can be reused later. While authenticating the MS, the HLR/AuC calculates a private authentication vector (PAV) for MS. The PAV is transferred to the SGSN. Then, the SGSN uses the PAV and MAV to generate several effective AVs for subsequent authentications. However, Cocktail-AKA is vulnerable to denial-of-service (DoS) attacks [18].

IV. PROPOSEDPROTOCOL: SECURE–AUTHENTICATION ANDKEYAGREEMENT(S-AKA)

We propose an S-AKA, trying to

• defeat redirection and man-in-the-middle attacks;

• mutually authenticate the MS and HLR/AuC, as well as the MS and SGSN;

• negotiate a cipher key CK and an integrity key IK; • assure the freshness of user keys;

• reduce the bandwidth required for authentication.

S-AKA retains the framework of UMTS AKA with three assumptions.

1) The SGSN can handle user authentication securely. 2) The communication link between the SGSN and the

Fig. 3. S-AKA-I. The SGSN obtains the authentication vectors from the HLR/AuC.

Fig. 4. S-AKA-II. The SGSN mutually authenticates the MS without the involvement of the HLR/AuC.

3) Each MS and its HLR/AuC share a secret key SK and cryptographic functions.

There are two phases defined in S-AKA, namely, S-AKA-I and S-AKA-II. In S-AKA-I, the SGSN intends to obtain AVs from the HLR/AuC, so that the SGSN and MS can authenticate each other without the HLR/AuC in S-AKA-II, as shown in Figs. 3 and 4, respectively.

A. Phase I: S-AKA-I MI

1 MS→ SGSN : {IMSI, Service Request, ACCm, MACm}.

In MI

1, IMSI is the identity of a subscriber. ACCmpresents

the number of successful MS authentications and is used to guarantee the freshness of the authentication request. ACCm, which is initially set to 0, increases on each

area of the BSS, and it indicates the physical connec-tion between the MS and the BSS. MACm is the keyed

message authentication code of ACCm and LAI,

protect-ing the message integrity. It is represented as MACm=

f 1DK(ACCmLAI), where DK = f6SK(ACCm).

MI₂SGSN→ HLR/AuC : {IMSI, ACCm, MACm, LAI}. Upon

receipt of MI₁, the SGSN records ACCm. Since the SGSN

knows the LAI of the BSS forwarding MI₁, it forwards MI₁ to the HLR/AuC together with the BSS’s LAI. By checking MACm, the HLR/AuC can verify whether the LAI reported

by the SGSN is the same as that recognized by the MS. If not, it rejects the request.

MI

3 HLR/AuC→ SGSN : {AUTN, DK}. The HLR/AuC

checks MACm for the integrity of ACCm and LAI. It

compares ACCm and ACCh counted by the HLR/AuC.

The HLR/AuC considers it a replay if ACCm< ACCh.

Otherwise, the HLR/AuC randomly generates RAND and derives MACh= f 1SK(RANDAMF), where AMF is an

indication of algorithms and keys that generate AVs. Then, the HLR/AuC concatenates the aforementioned tokens to

derive AUTN = (MAChRANDAMF). The HLR/AuC

also computes DK and sends it to the SGSN together with AUTN. After that, the SGSN successfully obtains the authorization to authenticate the MS for the subsequent connections.

MI4 SGSN→ MS : {AUTNs}. Upon receipt of MI3, the

SGSN increments its ACCs by 1 and randomly

gen-erates RNs, derives MACs, and constructs AUTNs,

where MACs= f 1DK(MAChRNsRANDACCs), and

AUTNs= MACsRNsRANDAMFACCs.

MI

5 MS→ SGSN : {XRES}. First, the SGSN checks if

ACCs> ACCm and sets ACCm to ACCs when the

in-equality holds. Second, the MS authenticates the SGSN by deriving and verifying XMACh and XMACs. Third, the

MS computes IK = f 3DK(RNs), CK = f 4DK(RNs), and

XRES = f 2DK(RNs) and sends XRES to the SGSN for

mutual authentication. If the MS is successfully authenti-cated, the SGSN uses f 3 and f 4, taking DK and RNsas

parameters, to derive CK and IK, respectively. These keys can be used to protect the communication between the MS and the SGSN. As aforementioned, security weaknesses of GSM expose the entire mobile system to man-in-the-middle attacks. If a GSM BSS is involved in a conversation, an extra key PLK = f 7DK(RNs) is negotiated between the

MS and the SGSN to protect the confidentiality of the data passing through the GSM BSS.

B. Phase II: S-AKA-II

In this phase, no HLR/AuC is involved. Only three messages are required upon reconnecting to the same SGSN. The SGSN can authenticate the MS according to the AVs obtained in S-AKA-I. The message flow of S-AKA-II is described here. MII1 MS→ SGSN : {IMSI, Service Request, ACCm, MACm}.

Similar to MI1, the MS increments its ACCm by 1 and

sends MACm= f 1DK(ACCmLAI) to the SGSN. ACCm

continues from the ACCmin the previous MI1. In addition,

SK in MI₁ is replaced with DK for there is no preshared keys between the MS and the SGSN.

MII2 SGSN→ MS : {AUTNs}. The SGSN checks the LAI

of the BSS. If the BSS is not physically connected, the SGSN rejects the request immediately. Otherwise, the SGSN accumulates the ACCs by 1 and compares it

with the ACCm of MII1 to check if it is a replay. The

SGSN then verifies MACm on behalf of the HLR/AuC.

If MACm is legitimate, the SGSN generates RNs and

computes MACs= f 1DK(MAChRNsRANDACCs),

where MACh, RAND, and DK are sent by the HLR/AuC.

The SGSN then constructs and sends AUTNs to the MS,

where AUTNs= MACsRNsRANDAMFACCs.

MII₃ MS→ SGSN : {XRES}. Upon receipt of AUTNs, the MS

authenticates the SGSN and HLR/AuC by verifying MACs

and MACh, respectively. Then, the MS sends XRES =

f 2DK(RNs) to the SGSN. The SGSN authenticates the MS

by verifying the freshness and correctness of XRES. For each successful authentication, the SGSN increments ACCs and forwards the new ACCs to the MS (see MI4).

Meanwhile, the MS sets the new ACCsto its ACCm(see MI5)

for synchronizing ACCmand ACCs. The synchronized ACCm

and ACCscan be used to detect potential DoS attacks initiated

by forging MII

1 in S-AKA-II.

The major enhancements of S-AKA include three factors. 1) Resistance to the redirection attacks: In UMTS AKA,

LAI, which identifies the location area of the BSS, is not protected and can be altered by an adversary with some redirection attack. S-AKA uses message authentication code to protect the integrity of LAI, thereby preventing the network from redirection attacks.

2) Resistance to the the-middle attacks: A man-in-the-middle attack can occur while connecting to a GSM BSS. In S-AKA, a new key PLK is negotiated to encrypt payloads between the MS and the SGSN. PLK prevents the communication from being eavesdropped or modi-fied. Since no key generation function for PLK is defined in UMTS AKA, a new function f 7 is introduced in S-AKA to generate PLK for both the MS and the SGSN. 3) Reduced bandwidth consumption: With a ticket-based design, the proposed protocol hence allows the HLR/AuC to authorize the SGSN for subsequent and mutual authen-tications of the MS. Once the HLR/AuC authenticates the MS successfully, it sends the visited SGSN a delegation key DK for subsequent authentications. Such a design benefits from the traffic reduction between the HLR/AuC and the SGSN and thus greatly reduces bandwidth consumption.

V. ANALYSIS

Since S-AKA retains the framework of UMTS AKA, basic security features, such as data integrity and confidentiality, are inherited. Retaining UMTS AKA also helps S-AKA resist var-ious attacks, such as replay and guessing attacks. This section explains how S-AKA can resist redirection, man-in-the-middle, and DoS attacks and compares UMTS AKA and S-AKA in

terms of the bandwidth consumed during the authentication procedures.

A. Security Analysis

• Mutual authentication between the MS and the HLR/AuC: In S-AKA-I, the HLR/AuC authenticates the MS by verifying ACCm and MACm on receipt of MI2. To

au-thenticate the HLR/AuC, the MS checks AUTNs

re-ceived in MI

4. With MACs, RNs, RAND, AMF, and

ACCs contained in AUTNs, the MS can derive the

fol-lowing expected authentication codes of the HLR/AuC

and SGSN: XMACh and XMACs, where XMACs=

f 1DK(XMAChRNsRANDAMFACCs).

If XMACs is equal to MACs, both the HLR/AuC

and the SGSN are authenticated. This guarantees mutual authentication between the MS and the HLR/AuC. For subsequent authentications, even when the HLR/AuC is not involved, the MS can still authenticate the HLR/AuC with MII

2 in S-AKA-II.

• Mutual authentication between the MS and the SGSN: In S-AKA-I, the SGSN authenticates the MS by verifying XRES in MI

5. Upon receipt of MI5, the SGSN checks

XRES = f 2DK(RNs). The MS is considered

authenti-cated if the equality holds. The same procedure takes place in authenticating the MS when the SGSN receives MII₅ in S-AKA-II. Similar to authenticating the HLR/AuC, on receiving AUTNs, the MS computes XMACh and

XMACsto authenticate the SGSN if XMACh= XMACs

holds. This ensures mutual authentication between the MS and the SGSN.

• Freshness of security keys: In S-AKA-I, CK and IK are negotiated in MI4and MI5, whereas in S-AKA-II, they are

negotiated in MII2 and MII3. Since CK and IK are derived

from RNs, the freshness of these keys can be guaranteed

by RNs. ACCs in MI4 or MII2 is accumulated on each

successful authentication and can be used to guarantee the freshness of MI

4 and MII2. The freshness of RNs, RAND,

and AMF in MI

4and MII2 can thus be guaranteed as well.

This ensures the freshness of CK and IK.

B. Resistance to Attacks

• Redirection attack: An adversary initiates a redirection attack by simulating a BSS to obtain user information and by impersonating an MS to forward user messages to his destination. The redirection attack fails if the adversary fails to obtain user information by impersonating a BSS. Without the user information, the adversary cannot im-personate any MS and connect to a legitimate BSS. To impersonate a BSS, the adversary either transmits signals with stronger power or jams the spectrum and tries to entrap the MS to establish the connection with the faked BSS. In S-AKA, the MS embeds the LAI of the BSS in MACm and sends MACm to the SGSN in MI1. The

authentication request is rejected if the HLR/AuC fails to match the LAI reported by the SGSN in MI

2 and the

LAI embedded in MACm. Such a design not only solves

TABLE III

ROBUSTNESSAGAINSTDIFFERENTATTACKS

the mischarged billing problems but prevents a user from being tricked into a network with none or weak encryption keys as well.

• Man-in-the-middle attack: To defeat the man-in-the-middle attack, an encrypt key PLK is introduced to protect payloads. The key is negotiated by the MS and SGSN after exchanging MI₄, MI₅ and MII₂, MII₃ in S-AKA-I and S-AKA-II, respectively. PLK is used to encrypt and de-crypt data only when connecting to a GSM BSS. With PLK, the MS encrypts the payload prior to transmission, even if none encryption command is specified by the GSM BSS. Hence, data confidentiality of the communication channel between the MS and the SGSN can be guaranteed. Considering the performance issue, bitwise operations can be used to implement the payload encryption. In general, bitwise encryptions do not consume significant computing power, and data confidentiality can be guaran-teed without sacrificing performance.

• DoS attack: During the initial authentication, a malicious MS may launch a DoS attack either to its HLR/AuC (using MI₁) or to the visited SGSN (using MII₁).

– If the MS forges MI1, the forged message can be

detected by the HLR/AuC on receipt of MI2.

– If the MS forges MII1, the forged message can

be immediately detected by the SGSN with DK authorized by the HLR/AuC.

We claim that S-AKA can partially resist DoS attacks since the forged MII

1 can be immediately detected by the

SGSN but the forged MI

1 can only be detected by the

HLR/AuC.

Table III lists a summary of robustness against known attacks to the AKA protocols proposed for UMTS net-works. Most of the AKA protocols (marked N) fail to detect forged messages at the SGSN side during the initial authentication, but some of them (marked P) can detect the forged messages during subsequent authentications. C. Bandwidth Consumption

In analyzing the bandwidth consumption, we assume that m AVs are transmitted every time the HLR/AuC successfully authenticates the MS. We also assume that the MS averagely issues p authentication requests to the same SGSN.

1) Bandwidth Analysis of UMTS AKA: The sizes of UM1to

UM5are calculated as follows.

• The length of the first message, which is denoted by |UM1|, is the sum of the length of its parameters: IMSI,

Service Request, and LAI. Thus

|UM1| = |IMSI| + |Service Request| + |LAI|

= 176 bits.

• Since UM2is a forwarding message of UM1, its length is

the same as UM1.

• UM3 contains a sequence of AV, which is composed of

RAND, XRES, CK, IK, and AUTN. Its length can be represented as

|AV| = |RAND| + |XRES| + |CK| + |IK| + |AUTN| = 608 bits.

Since m AVs are assumed to be transmitted by the HLR/AuC after the initial authentication, the length of UM3is m∗ |AV| = 608m bits.

• UM4 consists of RAND and AUTN = (SQN⊕

AKAMFMAC). Its length can be obtained by summing up|RAND| + |AUTN| (288 bits).

• UM5only contains a 64-bit long RES.

In UMTS AKA, the bandwidth consumption varies depend-ing on whether the HLR/AuC is involved or not. The HLR/AuC is required to authenticate the MS if there is no available AV in the SGSN. No HLR/AuC is required if there is any unused AV in the SGSN. The bandwidth consumption for these two cases is discussed as follows.

• No available AV in the SGSN: Since five messages are exchanged, the bandwidth consumption is obtained by summing up the lengths of the five messages, i.e.,

bwinit= 5

i=1

|UMi| = 704 + 608m bits.

• Available AVs in the SGSN: In this case, only UM1, UM4,

and UM5are exchanged between the MS and the SGSN.

The bandwidth consumption is thus

bwsub=|UM1| + |UM4| + |UM5| = 528 bits.

The overall bandwidth consumption for p times of authenti-cations in UMTS AKA is summarized as

_p m  ∗ bwinit+  p− _p m  ∗ bwsub.

Furthermore, the total number of message exchange is _p m  ∗ 5 +p− _p m  ∗ 3, where p
1 and m
1. 2) Bandwidth Analysis of S-AKA: The lengths of S-AKA messages are calculated as follows.

• MI₁ is composed of IMSI, Service Request, ACCm, and

MACm.|MI1| is 264 bits.

• MI2appends LAI to MI1, and its length is|M1I| + |LAI| =

264 bits.

• MI3contains AUTN and DK, and its length is |AUTN| + |DK| = 368 bits.

• In MI

4, the SGSN sends AUTNsto the MS. Thus, its length

should be|AUTNs| = 392 bits.

Fig. 5. Bandwidth consumption of UMTS AKA, AP-AKA, X-AKA, Cocktail-AKA, and S-AKA. (a) m = 2. (b) m = 100. p ranges from 1 to 1200.

• MI5is an expected response XRES.

• In S-AKA-II, MII1, MII2, and MII3 are identical to MI1, MI4,

and MI5, respectively. Hence, we obtain

_MII

1 =M1I, M2II=M4I, M3II=M5I.

Similar to UMTS AKA, the bandwidth consumption varies on S-AKA-I and S-AKA-II.

• For an initial authentication (S-AKA-I) bwinit= 5
i=1 _MI i= 1312 bits.

• For a subsequent authentication (S-AKA-II) bwsub=

3

i=1

M_iII= 680 bits.

Therefore, we derive the overall bandwidth consumption for p times of authentications, i.e.,

bwinit+ (p− 1) ∗ bw‘sub, for p
1.

In addition, the number of messages exchanged for p times of authentications is

5 + (p− 1) ∗ 3, for p
1.

3) Comparisons: The bandwidth consumption varies by the number of AVs transmitted from the HLR/AuC to the SGSN and the total number of authentication requests. In Fig. 5, we compare UMTS AKA, AP-AKA, X-AKA, Cocktail-AKA, and S-AKA in terms of the number of AVs (m = 2 and 100) and the number of authentication requests p. The x-axis stands for the number of authentications within the same SGSN territory, and the y-axis represents the bandwidth consumption (in bits).

Table IV(a) and (b) shows the average ratios of bandwidth consumption and the number of messages exchanged for user

TABLE IV

RATIOS OFBANDWIDTHCONSUMPTION ANDMESSAGE EXCHANGE FORAUTHENTICATION

authentications. In Table IV(a), the average of bandwidth ratios (for m = 2, 5, 10, 20, 50, and 100) for S-AKA/UMTS AKA is 0.62, which means S-AKA has reduced 38% of the bandwidth. Similarly, the average of message ratios (S-AKA/UMTS AKA) in Table IV(b) shows that S-AKA has reduced 8% of the messages exchanged for authentication. Despite that S-AKA is not the protocol that saves the most bandwidth, it can resist more attacks, as described in Table III.

VI. FORMALANALYSIS

Traditional formal logics were developed to find protocol flaws, but they do not appear to provide security guarantees used in analyzing higher level protocols using session keys. In 1999, Shoup [19] proposed a new formal security model specifying security guarantees that a session key exchange protocol should provide. Taking Shoup’s model as a basis, Zhang [20] proposed a security model consisting of an ideal and a real system to analyze simulatability of adversaries in the two systems and examine the security for key exchange protocols.

In this paper, we utilize Shoup’s and Zhang’s [20] formal models to analyze AKA protocols in the mobile settings. We identify the following two types of communication channels of mobile networks: 1) channels within and between networks and 2) channels between users and networks. In practice, channels of the former type are protected through dedicated communi-cation circuits or high-layer security schemes. Channels of the latter type are usually implemented using wireless media and, thus, are vulnerable to attacks.

We assume that an adversary is capable of fully controlling channels between users and networks, including eavesdrop-ping, modifying, and replaying intercepted messages. In the following, we specify the actions of adversaries for both ideal and real systems defined in Shoup’s security model. The ideal system describes the authentication between user entities and network entities. It can be treated in the same way as in the two-party setting defined in Shoup’s formal model of security.

The real system models the operations executed by a real-world adversary who controls the communication channels between a user and a network. It thus follows the definition of the three-party setting in Shoup’s security model. The security of an AKA protocol can be proved based on the simulatability in the two different systems.

A. Preliminaries

We summarize the definitions of advantages presented in Zhang’s model [3], [20] as follows.

• The distinguishing advantage of a probabilistic polynomial-time algorithm D that outputs 0 or 1 is defined as Advdist_xk,yk(D) =|P (D(xk) = 1)− P (D(yk) = 1)|,

where x ={xk}k
0 and y ={yk}k
0 are sequences of

random variables; xkand ykare in a finite set.

• The prf advantage of a probabilistic polynomial-time oracle machine A is defined as Advprf_G (A) =|P (g←R G : Ag= 1)− P (g← U(d, s) : AR g= 1)|, where g← GR denotes the operation of randomly selecting a function g from the family G :{0, 1}k_{× {0, 1}}d_{→ {0, 1}}s_{, and}

U (d, s) denotes the family of all functions from{0, 1}d_to

{0, 1}s_{. G can be also associated with an insecurity}

func-tion Advprf_G (t, q) =

MAX

A∈ A(t, q) Advprf_G (A), where A(t, q) denotes the set of adversaries that make at most q oracle queries and have running time at most t.

• The mac advantage of an adversary A, i.e., Advmac_F (A), is defined as the probability that AF (K) _{outputs a pair}

(σ, M ), where we have the following.

– F :{0, 1}k× Dom(F ) → {0, 1}l is a family of functions generating MAC, where Dom(F ) = {0, 1}L_.

– K∈ {0, 1}k_{is a randomly chosen key.}

– M was not a query of A to its Oracle.

– σ = F (K, M ) is referred to as the MAC of M . F can be associated with an insecurity function Advmac_F (t, q) =

MAX

A∈ A(t, q) Advmac_F (A), where A(t, q) denotes the set of adversaries that make at most q oracle queries and have running time at most t. If Advmac_F (A) is negligible in k for every polynomially bounded adversary A, we say that F is a secure MAC.

B. Security Proofs

By [20, Definitions 1 and 2], we assume that each entity in S-AKA has a random number generator producing random numbers, such as RAND and RNs, for the network entity and

its instances. In addition, we assume these random numbers are randomly selected in the game of A, and|RAND| and |RNs| are

polynomials in k. Let CAdenote the event that the transcript of

A (TA) is collision free, and let CAbe the complement of event

CA. Then, we derive the probability of CA, i.e.,

P (CA) n2 i  2−|RAND|+ 2−|RNs| 2 (1)

where ni denotes the number of instances initialized by A.

Since |RAND| and |RNs| are assumed polynomials in k, we

consider that P (CA) is negligible.

Lemma 1: Let A be a real-world adversary, and let TAbe the

transcript of A, which is assumed collision free. Assuming f 1 and f 2 are independent function families and collision resistant in TA, let MAdenote the event that TAis authentic. Then, we

obtain the probability of its complement event, i.e.,

P (MA)  ni(2∗ AdvmacF (t, q)) . (2)

Proof: If TAwere not authentic, there must have existed

at least one instance which has been accepted, but the stimulus on this instance was not output by a compatible instance. We claim that the probability of such an event is upper bounded by (2). The proof considers three cases.

1) Let Ii
j
be the network instance that has received and

accepted (IMSI, ACCm, MACm, LAI). Since IMSIi
j
is

used in the computation of MACm, the stimulus on Ii
j

could not be output by any user instance that is not compatible with Ii
j
. We can then construct an adversary

AF for message authentication code F . AF has oracle

access to f 1Kand f 2K, where K was randomly chosen.

Assume that IMSIi
j
is assigned to a user U , which may

or may not be initialized by A. AF begins its experiment

by selecting the authentication keys for all users but U . AFruns A just as in the real system.

In the game of A, if an entity or entity instance needs to evaluate f 1 and f 2 under the key of U , AF provides the

evaluation by appealing to oracles f 1K and f 2K. If an

entity or entity instance needs to evaluate f 3, f 4, f 6, and f 7 under the key of U , AF supplies a random number or

even a constant for the evaluation. If at any point Ii
j

accepts, AF stops and outputs (MACm, ACCmLAI);

otherwise, AF stops at the end of the game of A and

outputs an empty string.

Let Succ(AF, F ) denote the event that AF outputs a

MACmand a message, and the message was not queried

to oracle f 1K. Let ASi
j
denote the event that Ii
j

has been accepted, but the stimulus on Ii
j
was not

output by a user instance. If ASi
j
= 1, then AF has

successfully forged MACmfor message ACCmLAI, and

this message was not queried to oracle f 1k. This

im-plies P (ASi
j
= 1) P (Succ(AF, F )) = 1. Thus, we

can obtain

P (ASi
j
= 1)  AdvmacF (t, q) (3)

where t = O(T ), and q = O(ni).

2) Let Iij be a user instance that has received and accepted

AUTNs. Let ASij denote the event that the stimulus on

Iij was not output by any network instance. Let ISij

denote the event that the stimulus on Iij was output

by any network instance Ip
q
but not compatible with

Iij. If ISij is true, then instance Ip
q
received message

(IMSI, ACC, MACm, LAI) before sending out AUTNs.

Since TA is collision free, RNs and RAND cannot be

generated by any other user instances except Iij. This

implies that A has successfully concocted MACm. By (3),

we have

P (ISij = 1)  AdvmacF (t, q) (4)

where t = O(T ), and q = O(ni).

Now, suppose ASij is true, then adversary A

has successfully concocted MACh and MACs. By

running A, we can construct an adversary A_F for f 1. A_F works in the same way as f 1 ex-cept that, when Iij accepts, AF stops and outputs

the following two pairs: (MACh, RANDAMF) and

(MACs, MAChRNsACCsRAND). Using the

nota-tion Succ(A_F, F ) described earlier, we have

P (ASij = 1)  P (Succ(AF, F ) = 1) . (5)

Therefore, by (4) and (5), the probability of the stimu-lus on a user instance Iij that was not output by a

com-patible network instance is upper bounded by P (ASij=

1) + P (ISij=1) 2 ∗ AdvmacF (t, q).

3) Let Ii

j

be a network instance that has received and

accepted XRES, where RNsin AUTNswas sent by Ii

j

.

If the stimulus on Ii

j

was not output by any user

instance, then adversary A has successfully concocted XRES. Similar to (3), it is proved that the probability of such an event is upper bounded by Advmac_F (t, q).

Next, if the stimulus on Ii

j

was output by a user

instance Ipq that is not compatible with Ii

j

, then Ipq

received AUTNsbefore it outputs the stimulus. Since TA

is collision free, AUTNscannot be output by any network

instance other than Ii

j

. This means that the adversary

concocted MACs for (MAChRNsACCsRAND). By

(5), the probability of such an event is upper bounded by 2∗ Advmac_F (t, q).

We then conclude that the probability that TA is not an

authentic transcript is at most ni(2∗ AdvmacF (t, q)), where ni

is the number of instances. 

Lemma 2: Let A be a real-world adversary and TA be the

transcript of A. Assume that TAis authentic and collision free

and G is a pseudorandom function family, independent of f 1, where f 1 is collision resistant in TA. Then, there exists an

ideal-world adversary A∗ such that, for every distinguisher D with running time T , Advdist_TA,T∗

A(D) neAdv

prf

G (t, q), where neand

ni are the numbers of user entities and instances initialized by

A, respectively, t = O(T ), and q = O(ni).

Proof: We construct a simulator that takes a real-world adversary A as the input and creates an ideal-world adversary A∗. The simulator basically has A∗ acting as adversary A just as in the real system. For any implementation record in the real-world transcript, A∗copies this record into the ideal-world transcript by issuing an implementation operation.

• For each record (start session, i, j) that A’s action cause is in the real-world transcript, A∗ computes a connection assignment, and the ringmaster in the ideal system sub-stitutes session key Ks

ij with an idealized random session

• For each record (abort session, i, j) that A’s action cause is in the real-world transcript, A∗ executes the operation (abort session, i, j).

For an application operation, the ringmaster in the ideal system makes the evaluation using the idealized session keys. Thus, we have an ideal-world adversary whose transcript is almost identical to the transcript of real-world adversary A. The differences exist in the application records. In the following three cases, we show that the connection assignments made by A∗are legal and the differences between the two transcripts are computationally indistinguishable.

• Case 1: Assume that a user instance Ii1j1 has received

and accepted message AUTNs. Since TA is authentic,

this message must be output by a network instance Ii
₁j
₁

compatible with Ii1j1. In this case, we let adversary A∗

make the connection assignment (create, i₁, j₁). We have to argue that this connection assignment was never made before. The truth holds because AUTNs could not be a

stimulus on other user instances. Otherwise, MACswould

not be acceptable by Ii1j1. Therefore, it is legal for A∗ to

make the connection assignment. Consequently, it is also legal to substitute session key Ks

i1j1with a random number

Ki1j1.

• Case 2: Assume that a network instance Ii
₂j
₂has received

and accepted message (IMSI, ACCm, MACm, LAI) from

a user instance Ii2j2. We let A∗ make the connection

as-signment (create, i2, j2) and let the ringmaster substitute

session key K_is

2j
2 with a random number Ki

2j2
. Since

f 1 is collision resistant in TA, MACm could not be a

stimulus on any instances other than Ii
₂j₂
. Therefore, the

connection assignment (create, i2, j2) cannot be made

before.

• Case 3: Assume that a network instance Ii
₃j
₃has received

and accepted message XRES. Under the assumption that TA is collision free and f 2 is collision resistant in TA,

it can be concluded that Ii3j3 has been accepted and the

stimulus on Ii3j3output by Ii
₃j₃
. By Case 1, Ii3j3has been

isolated by Ii
3j3
. It is legal for A

∗_{to make the connection}

assignment (connect, i3, j3). Accordingly, the ringmaster

replaces session key Ki
3j
3with Ki3j3.

The aforementioned analyses show that there exists a con-nection assignment for each start session record in T_A∗. Next, we show that the two transcripts TAand TA∗are computationally

in-distinguishable. Note that if we remove the application records in both TA and TA∗, then the remaining transcripts are exactly

the same. Therefore, we only need to consider the application records in both transcripts.

First, we assume that there is only one user entity ini-tialized by A. Let D be a distinguisher for TA and TA∗.

By running D on TA and TA∗, we have an adversary

D for G(including f 3, f 4, f 7) such that Advdist_TA,T∗ A(D) =

Advprf_G (D). Thus, Advdist_TA,T∗

A(D) Adv

prf

G (t, q), where t =

O(T ), q = O(2ni), and niis the number of instances initialized

by A. Now, assume the number of user entities initialized by A in ne. Let K1, K2, . . ., and Kne denote the keys of the user

entities. Then, D and D have access to the input-and-output

pairs of GK1, GK2, . . . , GKe. As a result, it can be concluded

that

AdvdistTA,TA∗(D)  neAdv

prf G (t, q)

which proves the lemma. 

Theorem VI.1: If G is a pseudorandom function family, f 1 is a secure message authentication code, and G and f 1 are independent, then S-AKA is an S-AKA protocol.

Proof: Let A be a real world adversary and TA be the

transcript of A. Since f 1 is a secure message authentication code, the probability that f 1 is not collision resistant is negligi-ble. Without loss of generality, we assume that f 1 is collision resistant in TA. By Lemma 2, there exists an ideal world

adversary A∗such that for every distinguisher D with running time T

|P (D(TA) = 1|MA∩ CA)− P (D(TA∗) = 1|MA∩ CA)|

 neAdvprfG (t, q).

Thus, it follows that AdvdistTA,TA∗(D) =|P (D(TA) = 1)− P (D(TA∗) = 1)| =|(P (D(TA) = 1|MA∩ CA) − P (D(TA∗) = 1|MA∩ CA)) P (MA∩ CA)| +PD(TA) = 1|MA∪ CA  − PD(TA∗) = 1|MA∪ CA  PMA∪ CA  |P (D(TA) = 1|MA∩ CA) − P (D(TA∗) = 1|MA∩ CA)| + P (MA) + P  CA   neAdvprf_G (t, q) + P (MA) + P (CA) and we obtain P (MA) = P (MA|CA)P (CA) + P (MA|CA)P (CA)  P (MA|CA) + P (CA).

Now, we conclude that Advdist_TA,T∗

A(D)  neAdv

prf

G (t, q) + P (MA|CA) + 2P (CA).

By (1), P (CA) is negligible in k. In addition, by Lemma 1,

P (MA|CA) is also negligible. Hence, AdvdistTA,T_A∗(D) can be

considered negligible. This has proved that S-AKA is an

S-AKA protocol. 

VII. CONCLUSION

To resolve the vulnerabilities found in GSM systems, UMTS AKA was designed to defeat many known security issues and has been adopted in 3G/4G networks for securely authenti-cating mobile subscribers. Despite the security enhancement,

UMTS AKA is still vulnerable to some attacks, such as redi-rection and man-in-the-middle attacks. In this paper, we have analyzed the security weakness of UMTS AKA and proposed a new authentication key agreement protocol, namely, S-AKA, for UMTS networks.

The proposed protocol is more efficient and can defeat both redirection and man-in-the-middle attacks. We have also analyzed the message exchange and bandwidth consumption of S-AKA and compared it with UMTS AKA. The result shows that, in terms of bandwidth consumption, our protocol can save up to 38% of the bandwidth required during authentication. In addition, we have formally proved the security strength and robustness of our protocol using Shoup’s and Zhang’s formal models.

REFERENCES

[1] A. Peinado, “Privacy and authentication protocol providing anonymous channels in GSM,” Comput. Commun., vol. 27, no. 17, pp. 1709–1715, Nov. 2004.

[2] B. S. Babu and P. Venkataram, “A dynamic authentication scheme for mobile transactions,” Int. J. Netw. Secur., vol. 8, no. 1, pp. 59–74, Jan. 2009.

[3] M. Zhang, “Provably-secure enhancement on 3GPP authentication and key agreement protocol,” Verizon Commun., Cryptology ePrint Archive Rep. 2003/092, 2003.

[4] U. Meyer and S. Wetzel, “A man-in-the-middle attack on UMTS,” in Proc.

3rd ACM WiSe, New York, 2004, pp. 90–97.

[5] Technical Specification Group Services and System Aspects; 3G Security; Security Architecture, Third Generation Partnership Project, Tech. Rep. Tech. Spec. 3G TS 33.102 V3.7.0, 2000.

[6] M. Zhang and Y. Fang, “Security analysis and enhancements of 3GPP authentication and key agreement protocol,” IEEE Trans. Wireless

Com-mun., vol. 4, no. 2, pp. 734–742, Mar. 2005.

[7] K.-M. Cheng, T.-Y. Chang, and J.-W. Lo, “Cryptanalysis of security en-hancement for a modified authentication key agreement protocol,” Int. J.

Netw. Secur., vol. 11, no. 1, pp. 55–57, Jul. 2010.

[8] C. C. Chang, K. F. Hwang, and I. C. Lin, “Security enhancement for a modified authenticated key agreement protocol,” Int. J. Comput. Numer.

Anal. Appl., vol. 3, no. 1, pp. 1–7, 2003.

[9] D. Seo and P. Sweeney, “Simple authenticated key agreement algorithm,”

Electron. Lett., vol. 35, no. 13, pp. 1073–1074, Jun.1999.

[10] S. I. Gy. Gdor, “Novel authentication algorithm public key based cryptog-raphy in mobile phone systems,” Int. J. Comput. Sci. Netw. Secur., vol. 6, no. 2B, pp. 126–134, Feb. 2006.

[11] J. A. Murtaza Naveed Akhtar and A. Ali Minhas, “A novel security algo-rithm for universal mobile telecommunication system,” Int. J. Multimedia

Ubiquitous Eng., vol. 5, no. 1, pp. 1–18, Jan. 2010.

[12] Y.-B. Lin, M.-F. Chang, M.-T. Hsu, and L.-Y. Wu, “One-pass GPRS and IMS authentication procedure for UMTS,” IEEE J. Sel. Areas Commun., vol. 23, no. 6, pp. 1233–1239, Jun. 2005.

[13] A. I. Gardezi, “Security in wireless cellular networks,” Washington University in St. Louis, St. Louis, MO, 2006.

[14] C.-M. Huang and J.-W. Li, “Authentication and key agreement protocol for UMTS with low bandwidth consumption,” in Proc. 19th Int. Conf.

AINA, 2005, pp. 392–397.

[15] J. Al-Saraireh and S. Yousef, “A new authentication protocol for UMTS mobile networks,” EURASIP J. Wireless Commun. Netw., vol. 2006, no. 2, p. 19, Apr. 2006.

[16] E. Chun-I, P.-H. Ho, and H.-Y. Chen, “Nested one-time secret mechanisms for fast mutual authentication in mobile communications,” in Proc. IEEE

Wireless Commun. Netw. Conf., 2007, pp. 2714–2719.

[17] H.-H. Ou, M.-S. Hwang, and J.-K. Jan, “A cocktail protocol with the authentication and key agreement on the UMTS,” J. Syst. Softw., vol. 83, no. 2, pp. 316–325, Feb. 2010.

[18] S. Wu, Y. Zhu, and Q. Pu, “Security analysis of a cocktail protocol with the authentication and key agreement on the UMTS,” Commun. Lett., vol. 14, no. 4, pp. 366–368, Apr. 2010.

[19] V. Shoup, “On formal models for secure key exchange,” IBM Zurich Research Lab, Rüschlikon, Switzerland, Tech. Rep. RZ 3120 (#93166), 1999.

[20] M. Zhang, “Adaptive protocol for entity authentication and key agreement in mobile networks,” in Proc. ICISC, 2003, pp. 166–183.

Yu-Lun Huang (M’04) received the B.S. and Ph.D.

degrees in computer science and information en-gineering from National Chiao Tung University, Hsinchu, Taiwan, in 1995 and 2001, respectively.

She is currently an Assistant Professor with the Department of Electrical Engineering, National Chiao Tung University. Her research interests in-clude wireless security, secure testbed design, em-bedded software, emem-bedded operating systems, risk assessment, secure payment systems, voice over In-ternet Protocol, and quality of service.

Dr. Huang is a member of the Phi Tau Phi Society.

Chih-Ya Shen received the B.S. and M.S. degrees

from National Chiao Tung University, Hsinchu, Taiwan, in 2005 and 2007, respectively. He is cur-rently working toward the Ph.D. degree with the De-partment of Electrical Engineering, National Taiwan University, Taipei, Taiwan.

His research interests include mobile computing and network security.

Shiuhpyng Winston Shieh (SM’98) received the

M.S. and Ph.D. degrees in electrical and com-puter engineering from the University of Maryland, College Park.

He is currently a Professor and past Chair of the Department of Computer Science, National Chiao Tung University (NCTU), Hsinchu, Taiwan, and the Director of Taiwan Information Security Center, NCTU. He was a Visiting Professor with the Uni-versity of California, Berkeley, during 2003–2004 and 2005–2006. He has served as Advisor to the National Security Council of Taiwan Presidential Office, Chair of Malware Forum of National Information and Communication Security Techonology, Director of Government Service Network–Computer Emergency Response Team/Coordination Center, Advisor to the National Information and Commu-nication Security Task Force, and Advisor to the National Security Bureau. He was the former President of the Chinese Cryptology and Information Security Association: one of the leading security organizations in Asia. He is an experimentalist. He (along with V. Gligor of Carnegie Mellon University, Pittsburgh, PA) received the first U.S. patent in the intrusion detection field. He has published more than 150 technical papers, patents, and books. His research interests include reliability and security hybrid mechanisms, network and system security, and software program behavior analysis.

Dr. Shieh has been actively involved with the IEEE Reliability Society, where he serves as the Editor-in-Chief of the IEEE RELIABILITYSOCIETY NEWSLETTER; an Administrative Committee Member and Associate Editor of the IEEE TRANSACTIONS ONRELIABILITY; the Program Chair for the 2012 IEEE Software Security and Reliability; and the Chair of the IEEE Reliability Society Taipei/Tainan Chapter. During his term as the Chapter Chair, the chap-ter received the Best Chapchap-ter Award from both the Reliability Society and the IEEE Taipei Section (among the 41 chapters in the Taipei Section), respectively. In addition, he is an Association for Computing Machinery (ACM) Special Interest Group on Security, Audit and Control Awards Committee Member and the Associate Editor of the IEEE TRANSACTIONS ONDEPENDABLE AND SECURECOMPUTING; a past Associate Editor of the ACM Transactions on

Information and System Security, Journal of Computer Security, Journal of Information Science and Engineering, and Journal of Computers; and a Guest

Editor of IEEE INTERNET COMPUTING. He was one of the 41 recipients worldwide of the ACM Distinguished Scientist Award in 2010. He was also a recipient of the ACM Service Award for his contribution to ACM and the Distinguished Information Award (presented by Taiwan’s Vice President) for his contribution to computer security research, which is the highest honor awarded to computer scientists in Taiwan.