Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

Slide Note
Embed
Share

This content discusses the AKA protocol in 3G/4G/5G networks, detailing the research background, academic journey, and ongoing projects related to security and privacy in network communications. It covers topics such as distance-bounding protocols, privacy-preserving databases, authenticated key exchange, and more. The talk focuses on authenticated key exchange, unilateral/mutual authentication, desired properties, privacy in authentication, and the implementation of the AKA protocol.

muey769
muey769 Follow

Uploaded on Sep 06, 2024 | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. SECURITY & PRIVACY IN 3G/4G/5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD

  2. ME, MYSELF, AND EMSEC BSc. & MSc. Mathematics, TU Eindhoven Master thesis on multiparty pairing-based key exchange (supervisors: Tanja Lange, Bernhard Esslinger) Ph.D. at CASED (Darmstadt) Thesis: Security aspects of Distance-Bounding Protocols (supervisor: Marc Fischlin) Post-doc at IRISA (Rennes) 13- 14: Privacy & Distance Bounding (CIDRE) 14- 15: Privacy in geolocation (CIDRE/CAPPRIS) 15- 16: TLS/SSL (EMSEC)

  3. EMSEC IRISA research team Founded 2014 Led by: Pierre-Alain Fouque (UR1) & Gildas Avoine (INSA) As of Sept. 2015: 5 permanents: 2 UR1, 2 INSA, 1 CNRS Topics: Embedded Security and Cryptography Design & Attacks Building blocks Models & Proofs Attacks on Implementation s Cryptanalysis Real-World ES

  4. WHAT I DO Distance-Bounding Protocols Security framework [DFKO11, FO12, FO13b], Protocol assessment/comparison [FO13a, MOV14] Privacy-preserving DB [HPO13,GOR14, MOV14] Protocol with Secret Sharing [GKL+14] Implementations [GLO15] Authenticated Key-Exchange OPACITY [DFG+13] TLS 1.3 [KMO+15], TLS 1.2&1.3 ePrint version AKA [AFM+15, FMO+15] (submissions)

  5. WHAT I DO (II) Other primitives Signatures of knowledge [FO11] Redactable signatures for tree data [BBD+10] Anonymous PKE [KMO+13] Private asymmetric fingerprinting [FGLO14] Projects ANR LYRICS [finished mid 14] CAPPRIS (Inria) [ongoing]

  6. THIS TALK Authenticated Key Exchange Unilateral/Mutual Authentication Desired Properties Privacy in Authentication Elegant The AKA Protocol Description Security (intuition) AKA and Privacy The case of the Hopeless Task Ugly

  7. PART II AUTHENTICATED KEY EXCHANGE

  8. AUTHENTICATED KEY-EXCHANGE Allows two parties to communicate securely Peer-to-Peer or Server-Client Examples: TLS/SSL (https://) Two steps: Compute session-specific keys (handshake) Use keys for secure communication (symmetric AE)

  9. AKE WITH UNILATERAL AUTHENTICATION Usually the case for Server-Client AKE Anybody can talk to the server Most common TLS mode Secure channel server/client or adv/server

  10. AKE WITH MUTUAL AUTHENTICATION Sometimes server-client, mostly peer-to-peer Can also be achieved by unilateral authentication + password-based authentication in secure channel [KMO+15] Client and server confirm partner s identities

  11. AKE SECURITY PROPERTIES (UNILATERAL) Key Secrecy [BR93], [BPR00], [CK01] : Adversary s goal: distinguishing the keys of an honest, fresh session from random keys of same length Rules of game: adaptive party corruptions, key- reveal, concurrent sessions and interactions Symmetric Key Restriction: no terminal corruptions! Client-impersonation resistance Adversary s goal: impersonate client in fresh authentication session Rules of game: adaptive party corruptions, key- reveal, concurrent sessions and interactions, no relays!

  12. TERMINAL IMPERSONATION Terminal-impersonation resistance Adversary s goal: impersonate terminal in fresh authentication session Rules of game: adaptive party corruptions, key- reveal, concurrent sessions and interactions, no relays! The eternal debate: first or second Should terminal authenticate first or second? VANET, MANET, RFID authentication: terminal first When optional, usually terminal second

  13. PRIVACY IN AUTHENTICATION DrawClient Corrupt Key Secrecy [JW00], [Vau07], [HPV+12] : Adversary s goal: find input bit to DrawProver Rules of game: DrawClient always takes same input bit, can corrupt*, interact, etc.

  14. PRIVACY NOTIONS DrawClient Corrupt Weak : no corruptions Forward : once A corrupts, only corruptions (find past LoR connection) Strong : no restrictions Narrow/wide: know result of honest sessions

  15. IMPOSSIBILITY RESULTS [Vau07]: Strong Privacy requires Key- Agreement [PV08]: Wide-Forward privacy with symmetric keys is impossible if all state is revealed*

  16. PART III THE AKA PROTOCOL

  17. PART III. 1 IDENTIFIERS & SECRETS

  18. ELEGANT SYMMETRIC (A)KE [BR93] Usual case for AKE: 2 parties, e.g. client/server Share symmetric secret key ?? Sometimes public identifier ??? Elegant KE: use PRF keyed with ?? AKE? No problem, use another PRF and switch! ?? ???,?? ??? ??? ???? ?????(??,??)

  19. THE CASE OF 3G/4G/5G Usual case for AKE: 2 parties, e.g. client/server In 3G/4G/5G networks, 3 parties: Client: registering with (only one) operator client key and operator key stored* in SIM Operator: has list of clients, whose data he knows Local terminal: not always operator (think of roaming) can authenticate/communicate with client must not know keys

  20. THE CASE OF 3G/4G/5G (CONTD.) Some more restrictions: Connection Terminal Operator is expensive! Assumed to take place on secure channel Whenever PKI is used, in practice this means storing PKs and certificates in the phone No PKI for Terminals (too many of them)

  21. 1001 IDENTIFIERS Client associated with secret keys: ???,????,??? All clients of the same operator share same ???? Other identifiers: Operator associates ? with unique ??? (permanent) Each terminal ??associates ? with 4B ??? (temporary), unique per terminal, updated per session ??? ??? ??? ???? ??? ??? ???? ??? ??? ???? ???

  22. 1001 IDENTIFIERS (CONTD.) Each terminal has non- colliding list of ???s Inter-terminal collisions possible No centralized DB of all ???s Each terminal is associa-ted with unique ??? Like ZIP code (???, ???) unique

  23. 1001 IDENTIFIERS (SUMMARY) Multiple clients of same Operator ??? ??? ??? ??? ???

  24. 1001 IDENTIFIERS (SUMMARY) Multiple clients of same Operator ??? ??? ??? ??? ??? ???

  25. 1001 IDENTIFIERS (SUMMARY) ??? and ??? in protocol run, same ??? ??? ???, ??? ??? ???, ??? ??? Find ??? ??? ??? ?????? ??? ????, ??? ???? ???

  26. 1001 IDENTIFIERS (SUMMARY) ??? and ??? in protocol run, different ??? ???, ??? ??? ??? ??? ??? ???, ??? ??? ??? ???, ??? ??? ?????? ??? ????, ??? ???? Possible (not likely) ???? = ???

  27. SECRET KEYS, SECRET STATE Client associated with secret keys: ???,????,??? All clients of the same operator share same ???? State ???is a sequence number Terminal also has a state ???? ?w.r.t. that client Used as shared randomness for authentication Initially randomly chosen for each client Then updated by update function (3 possibilities) Unlike ????,???, Terminals may know ???

  28. PART III. 2 UNDERLYING CRYPTOGRAPHY

  29. CRYPTOGRAPHIC FUNCTIONS The seven dwarfs: ?1 : used by terminal, for terminal authentication input (???,????,?,????? ?1 : used by client in special procedure input (???,????,?,????? ?,???) ?,???) ?2 : used by client, for client authentication input (???,????,?) ?3,?4 : used by both for session-key generation input (???,????,?) ?5 : used by terminal for blinding key input (???,????,?) ?5 input (???,????,?) : used by client for blinding key, special procedure

  30. MILENAGE ?1 ?1 ?5 ?5 ?2 ?3 ?4

  31. TUAK ?5,?5 ?2 ?3 ?4

  32. WHAT WE PROVED FOR TUAK Single function ? generalizing the seven functions TUAK: ?????is PRF assuming that the internal permutation of Keccak is PRF Stronger than each function is PRF ! Intuition of ????? : use handy truncation of output

  33. WHAT WE PROVED FOR MILENAGE Single function ? generalizing the seven functions Becomes 2 functions never used together in same call MILENAGE: ????,? ???are PRF assuming that the AES permutation is PRF Intuition of ????????? : use handy XOR-ing in all the right places

  34. PART III. 3 THE PROTOCOL

  35. AKA STRUCTURE (BASIC) ??? Initial Identificatio n ? ??? ???? Get ??? Handshak e ??????,???? Terminal Authenticatio n Check TAuth ? Client Check: d(???,???? Authenticatio n Resynch Procedure ?) ? Process Notify OK Update ??? Update ???? ?

  36. AKA STRUCTURE (REAL) ??? Initial Identificatio n ? ???? Get ??? Handshakes ??????,???? ??????, ??????[???? ? ?] ??????, ???????[???? ?] ??????,???? ? Update ??? ??????, ??????[???? ?] OK ??????[???? ?] Update ??? Update ???? ?

  37. INITIAL IDENTIFICATION ??? ID Request (???,??? ) Get ??? ??? Request ??? Fundamental privacy flaw: ??? easily obtainable! Security: even if ??? replaced, still OK (authen- tication automatically fails)

  38. HANDSHAKE PREPARATION (1 BATCH) ??? ??? Set ??? = ??????[???? Generate R at random. ?] Compute: ?????= ?1???,????,?,???,??? ????= ?2(???,????,?) ?? = ?5(???,????,?) ???? = ??? XOR ?? || ??? || ????? ?? = ?3 ???,????,? ?? = ?4(???,????,?) Reveals Sqn ? and everything

  39. TERMINAL/CLIENT AKE ??? ? || ??? XOR ?? || ??? || ????? Compute: ?? = ?5(???,????,?) Retrieve ??? and check ????? If ??? {???, ,???+ ?} Compute: ??? = ?2(???,????,?) ?? = ?3 ???,????,? ?? = ?4(???,????,?) ??? Check ??? = ???? Else Resynch!

  40. RESYNCH PROCEDURE ??? If ????? verifies, but ??? out of range Compute: ?? = ?5 ???? ???,????,? = ?1 ???,????,???,???,? ???XOR ?? || ???? Compute:?? , get ??? Check: out of range Check: ???? Set ???? ?= ??? Start from there.

  41. PART IV SECURITY OF AKA

  42. CLEANER ABSTRACTION

  43. SECURITY PROPERTIES Key Secrecy: Attained under assumption of pseudorandomness of ? Advantage is linear in number of clients! Client Impersonation: Attained under assumption of pseudorandomness of ? ?? ?? Advantage is linear in 2|????| and 2|???|

  44. OFFLINE RELAYS ??? Initial Identificatio n Get ??? ? || ??? XOR ?? || ??? || ????? Initial Identificatio n ? || ??? XOR ?? || ??? || ?????

  45. TERMINAL-IMPERSONATION RESISTANCE Attained as long as there are no offline relays Thus weaker than Client Impersonation guarantee Terminal Impersonation: Attained under assump-tion of pseudorandomness of ? ?? ?? Advantage is linear in 2|????| and 2|???|

  46. PART V LACK OF PRIVACY & IMPOSSIBILITIES

  47. TRUTH OR DARE 3 GPP claim AKA is: ID-Hiding nobody can identify client Location-hiding nobody can trace client location Untraceable nobody can link client sessions Their arguments: Nobody knows ??? and normally it is not used Sequence number and keys are hidden in transcripts We PROVE AKA is: NOT ID-Hiding very easy to recover ??? Location-hiding not really NOT Untraceable see some attacks next slide

  48. DISTINGUISHING BY TERMINAL IMPERSONATION ??? Initial Identificatio n ??? Get ??? ? || ??? XOR ?? || ??? || ????? Initial Identificatio n ? || ??? XOR ?? || ??? || ????? DrawClient

  49. DISTINGUISHING BY RESYNCHRONIZATION ??? Initial Identificatio n Repeat ? times Get ??? Update ??? ??? ? || ??? XOR ?? || ??? || ????? ??? Resynch! Initial Identificatio n ? || ??? XOR ?? || ??? || ????? DrawClient Get ??? Update ??? Clien t Auth

  50. THE BIG IMPOSSIBILITY Goal: make this protocol forward-private Trivial solution: just build a new protocol How do we do it without changing it too much? The past kills your future In the AKA protocol the client is always one step behind the terminal/operator in state. Client corruption at time ? is enough to identify client in (? 1)st transcript Generalizable attack: problem is that 3GPP do not want the client to choose anything But we can fix the protocol to get weak privacy

Related


Understanding the Privacy Paradox: Attitudes vs. Behaviors

Understanding the Privacy Paradox: Attitudes vs. Behaviors

clai_evi
Data Privacy Best Practices Training for Libraries

Data Privacy Best Practices Training for Libraries

teo_nah
Understanding Network Analysis: Whole Networks vs. Ego Networks

Understanding Network Analysis: Whole Networks vs. Ego Networks

kayliee
Privacy-Preserving Analysis of Graph Structures

Privacy-Preserving Analysis of Graph Structures

bilal
Understanding Privacy in Information Security Training

Understanding Privacy in Information Security Training

lillia
NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

haley
Social Networks, Privacy, and Freedom of Association in the Digital Age

Social Networks, Privacy, and Freedom of Association in the Digital Age

aman
Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

gwendolyn
Understanding Privacy Rights in Europe: A Comprehensive Overview

Understanding Privacy Rights in Europe: A Comprehensive Overview

jesu_26
Town Hall Q&A Session on Privacy and Research Protocols

Town Hall Q&A Session on Privacy and Research Protocols

hsta
Understanding Mobile Computing and TCP/IP Protocol Suite

Understanding Mobile Computing and TCP/IP Protocol Suite

ambrosia
Understanding BGP Basics and Routing Security

Understanding BGP Basics and Routing Security

cobe_53
Student Privacy Laws and Best Practices in Education Sector

Student Privacy Laws and Best Practices in Education Sector

nam_e
Enhancing Online Patron Privacy in Library Websites

Enhancing Online Patron Privacy in Library Websites

weld852
Efficient and Scalable Protocol for Private Set Intersection in Big Data Security

Efficient and Scalable Protocol for Private Set Intersection in Big Data Security

lea_ste
Adaptive Tree-based Convergecast Protocol

Adaptive Tree-based Convergecast Protocol

zofia
Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

arkady
Privacy Challenges in Online Social Networks

Privacy Challenges in Online Social Networks

shr_not
Enhancing Privacy with Randomized MAC Addresses in 802.11 Networks

Enhancing Privacy with Randomized MAC Addresses in 802.11 Networks

kgorr
Privacy Address Requirements for Wireless Personal Area Networks

Privacy Address Requirements for Wireless Personal Area Networks

vkob
Privacy Issues in IEEE 802.11 Networks: Tracking and MAC Randomization

Privacy Issues in IEEE 802.11 Networks: Tracking and MAC Randomization

kard154
Enhancing Receiver-Initiated Packet Train Protocol for Underwater Acoustic Networks

Enhancing Receiver-Initiated Packet Train Protocol for Underwater Acoustic Networks

kailen
Understanding Breach of Confidence and Privacy Rights in Legal Context

Understanding Breach of Confidence and Privacy Rights in Legal Context

harmo
Understanding EIGRP: A Comprehensive Overview

Understanding EIGRP: A Comprehensive Overview

rebeca

More Related Content