A Formal Analysis of 5G Authentication

Basin, David; Dreier, Jannik; Hirschi, Lucca; Radomirović, Saša; Sasse, Ralf; Stettler, Vincent

doi:10.1145/3243734.3243846

Cited by 281 publications

(235 citation statements)

References 29 publications

Supporting

Mentioning

207

Contrasting

Unclassified

Order By: Relevance

“…Our notion of protocols only covers 2-party protocols. This obviously excludes important protocols with more than 2 parties such as secure group communication protocols [45], e-voting protocols [37], make mobile communication protocols [14], the combination of DAA join and DAA sign [37] that features 3 parties, etc. This also excludes scenarios where privacy is considered between group of entities.…”

Section: Class Of Protocolsmentioning

confidence: 99%

See 1 more Smart Citation

A method for unbounded verification of privacy-type properties

Hirschi

Baelde

Delaune

2019

JCS

Self Cite

View full text Add to dashboard Cite

In this paper, we consider the problem of verifying anonymity and unlinkability in the symbolic model, where protocols are represented as processes in a variant of the applied pi calculus, notably used in the ProVerif tool. Existing tools and techniques do not allow to verify directly these properties, expressed as behavioral equivalences. We propose a different approach: we design two conditions on protocols which are sufficient to ensure anonymity and unlinkability, and which can then be effectively checked automatically using ProVerif. Our two conditions correspond to two broad classes of attacks on unlinkability, i.e. data and control-flow leaks. This theoretical result is general enough that it applies to a wide class of protocols based on a variety of cryptographic primitives. In particular, using our tool, UKano, we provide the first formal security proofs of protocols such as BAC and PACE (e-passport), Hash-Lock (RFID authentication), etc. Our work has also lead to the discovery of new attacks, including one on the LAK protocol (RFID authentication) which was previously claimed to be unlinkable (in a weak sense).

show abstract

Section: Class Of Protocolsmentioning

confidence: 99%

“…no mutable states persistent across sessions). This immediately excludes numerous real-world protocols such as secure messaging protocols [31], mobile communication protocols [14], etc.…”

mentioning

confidence: 99%

A method for unbounded verification of privacy-type properties

Hirschi

Baelde

Delaune

2019

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…Despite the evolutions to the AKA protocol made in each generation, the nutshell of the AAC mechanism stays the same and is based on symmetric cryptography and a secret key shared between the UE and the HN [36]. In 3G and 4G, the identity of the UE (IMSI) is sent in a clear text in the identity request part of the AKA protocol, which allows privacy attacks against the UE [37][38][39][40][41][42][43][44][45][46][47][48]. To address this problem, in 5G, the UE sends its identity protected by asymmetric encryption using the HN's public key.…”

Section: Aka-based Aac Flawsmentioning

confidence: 99%

“…The security flaws of the AKA-based AAC mechanism used in cellular networks, the different attacks against them and their formal security analysis were studied in several pieces of research [38][39][40][41][42][43]. If we focus on 5G-AKA as the main AAC mechanism in 5G, we can see that although it is not in the operational stage yet, some security flaws have already been recognized.…”

Section: Aka-based Aac Flawsmentioning

confidence: 99%

A new scalable authentication and access control mechanism for 5G-based IoT

Behrad

Bertin

Tuffin

et al. 2020

Future Generation Computer Systems

View full text Add to dashboard Cite

The fifth generation of mobile networks, 5G, is expected to support a set of many requirements and use cases such as handling connectivity for a massive number of IoT (Internet of Things) devices. Authenticating IoT devices and controlling their access to the network plays a vital role in the security of these devices and of the whole cellular system. In current cellular networks, as well as in 3GPP specifications release 16 on 5G, the AAC (Authentication and Access Control) of IoT devices is done in the same manner as the AAC of MBB (Mobile Broadband) UE (User Equipment). Considering the expected growth of IoT devices, this will likely induce a very high load on the connectivity provider's CN (Core Network) and cause network failures.To manage the AAC of this massive number of devices, we propose an SSAAC (Slice Specific Authentication and Access Control) mechanism that makes use of the flexibility provided by virtualization technologies. This mechanism allows the authentication and access control of IoT devices to be delegated to the 3rd parties providing these devices, thereby decreasing the load of the connectivity provider's CN, while increasing the flexibility and modularity of the whole 5G network. We evaluate the feasibility of our proposal with the OAI (Open Air Interface) open-source platform. Next, we provide a security analysis of the proposal and highlight the security requirements to use with this proposal. We also evaluate the impact of this delegation approach on the network load considering the anticipated number of AAC signaling messages compared to the existing AAC mechanisms in cellular networks. According to these evaluations, our approach is feasible and it would provide cellular networks the opportunity to overcome the security shortcomings in their AAC mechanisms. It also considerably reduces the AAC signaling load on the connectivity provider's CN. IntroductionAlong with mobility, security is one of the most important aspects of cellular systems. AAC (Authentication and access control) plays a vital role in ensuring the expected security level. In 3G and 4G, authentication and access control of subscribers are done through AKA (authentication and key agreement) protocols. These protocols (UMTS-AKA protocol in 3G and EPS-AKA in 4G) are based on the unique identities of subscribers and symmetric cryptographic algorithms [1,2] The system subscribers' identities and the secret keys (that are used in symmetric cryptographic algorithms) are provisioned in secured elements (e.g., SIM cards or embedded SIM) and stored in cellular system's database as well. Executing these AKA protocols to establish a secure connection with the cellular system is mandatory for each UE (composed of a mobile device and a secured element) to obtain its cellular connectivity [1,2]. However, these well-established principles may prevent cellular systems from supporting the connectivity of a massive number of devices [3], in particular when considering the context of the IoT-where a high growth rate of connected devices...

show abstract

“…Therefore, such protocols need to guarantee strong security requirements in an active adversarial setting, i.e., when considering an adversary that has complete control over the communication network. Formal, symbolic methods, rooted in the seminal work of Dolev and Yao [26], have been successful in analysing complex protocols, including for instance the recent TLS 1.3 proposal [11,25] and the upcoming 5G standard [8].…”

mentioning

confidence: 99%

Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

Cheval

Kremer

Rakotonirina

2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Verification of privacy-type properties for cryptographic protocols in an active adversarial environment, modelled as a behavioural equivalence in concurrent-process calculi, exhibits a high computational complexity. While undecidable in general, for some classes of common cryptographic primitives the problem is coNEXP-complete when the number of honest participants is bounded.In this paper we develop optimisation techniques for verifying equivalences, exploiting symmetries between the two processes under study. We demonstrate that they provide a significant (several orders of magnitude) speed-up in practice, thus increasing the size of the protocols that can be analysed fully automatically. CCS CONCEPTS• Security and privacy → Formal security models; Logic and verification.Security protocols are distributed programs transmitting data between several parties. The underlying messages may be sensitivefor economical, political, or privacy reasons-and communications are usually performed through an untrusted network such as the Internet. Therefore, such protocols need to guarantee strong security requirements in an active adversarial setting, i.e., when considering an adversary that has complete control over the communication network. Formal, symbolic methods, rooted in the seminal work of Dolev and Yao [26], have been successful in analysing complex protocols, including for instance the recent TLS 1.3 proposal [11,25] and the upcoming 5G standard [8].

show abstract

A Formal Analysis of 5G Authentication

Cited by 281 publications

References 29 publications

A method for unbounded verification of privacy-type properties

A method for unbounded verification of privacy-type properties

A new scalable authentication and access control mechanism for 5G-based IoT

Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

Contact Info

Product

Resources

About