Achieving Better Privacy for the 3GPP AKA Protocol

Fouque, Pierre-Alain; Onete, Cristina; Richard, Benjamin

doi:10.1515/popets-2016-0039

Cited by 32 publications

(25 citation statements)

References 20 publications

(51 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…fixes) have been shown (resp. proposed) in the literature [7], [20], [24], [13]. We study here a simplified version of the AKA protocol, inspired from the different fixes proposed in the literature.…”

Section: Simplified 5g-akamentioning

confidence: 99%

“…We study here a simplified version of the AKA protocol, inspired from the different fixes proposed in the literature. More specifically, we add a challenge-response mechanism at the beginning of the protocol to avoid the encrypted IMSI replay attack [20]. With this modification, we add the generation of fresh nonces for the network and the mobile station, thus the resynchronisation mechanism using the sequence number becomes useless and we remove this sequence number, which takes away the main difficulty of the original protocol.…”

Section: Simplified 5g-akamentioning

confidence: 99%

See 1 more Smart Citation

A Method for Proving Unlinkability of Stateful Protocols

Baelde

Delaune

Moreau

2020

2020 IEEE 33rd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

The rise of contactless and wireless devices such as mobile phones and RFID chips justifies significant concerns over privacy, and calls for communication protocols that ensure some form of unlinkability. Formally specifying this property is difficult and context-dependent, and analysing it is very complex; as is common with security protocols, several incorrect unlinkability claims can be found in the literature. Formal verification is therefore desirable, but current techniques are not sufficient to directly analyse unlinkability. In [21], two conditions have been identified that imply unlinkability and can be automatically verified. That work, however, only considers a restricted class of protocols. We adapt their formal definition as well as their proof method to the common setting of RFID authentication protocols, where readers access a central database of authorised users. Moreover, we also consider protocols where readers may update their database, and tags may also carry a mutable state. We propose sufficient conditions to ensure unlinkability, find new attacks, and obtain new proofs of unlinkability using Tamarin to establish our sufficient conditions.

show abstract

Section: Simplified 5g-akamentioning

confidence: 99%

Section: Simplified 5g-akamentioning

confidence: 99%

A Method for Proving Unlinkability of Stateful Protocols

Baelde

Delaune

Moreau

2020

2020 IEEE 33rd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…For this protocol, some of the older identified attacks still hold. For instance, there are the attacks of [19]- [21] that exploit the usage of the different types of failures, MAC based or synchronization based, to track a specific subscriber. In the attack, an old authentication challenge already received by the subscriber needs to be replayed and identification of the same subscriber is obtained in case a synchronization failure is replied.…”

Section: Related Workmentioning

confidence: 99%

Novel 5G Authentication Protocol to Improve the Resistance Against Active Attacks and Malicious Serving Networks

Braeken¹,

Liyanage²,

Kumar³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

The security of mobile communication largely depends on the strength of the authentication key exchange protocol. The 3rd Generation Partnership Project (3GPP) Group has standardized the 5G AKA (Authentication and Key Agreement) protocol for the next generation of mobile communications. It has been recently shown that the current version of this protocol still contains several weaknesses regarding user localization, leakage of activity, active attackers, and in the presence of malicious serving networks, leading to potentially major security leaks. We propose a new version of the 5G AKA protocol to overcome all the currently identified weaknesses in the protocol. In the new protocol, we replace the sequence numbers with random numbers, making it possible to drastically reduce the number of required communication phases and steps in the protocol. The usage of random numbers for the 5G AKA protocol is possible since the current Universal Subscriber Identity Modules (USIMs) are now capable of performing randomized asymmetric encryption operations. Moreover, the proposed protocol provides two additional security features, i.e., postcompromise security and forward security, not present in the current 5G AKA protocol. Finally, we evaluate the performance, both computation and communication efficiency, of the proposed AKA protocol and show its improvements compared to the current 5G AKA protocol.

show abstract

“…RELATED WORK Two-party authenticated key-exchange protocols are an old and well-studied primitive [2] and various notions of channel security have been formalized and applied to TLS 1.2 [20], [25], [8], [22], [31], [36], [27] and 1.3 [13], [14], [19], [16], [3], [28], [23], [26], [21]. However, as Bhargavan et al [4] showed in the context of TLS, and as Alt et al [1] and Fouque et al [17] -in the context of mobile networks, expanding two-party handshakes to include even a single, dedicated middlebox can expose the obtained channel to serious attacks. Our work reuses some parts of [4]'s security model, specifically the elegant way in which multiparty protocols can be viewed as compositions of 2-party AKE schemes; however, the scope of our paper is fundamentally different.…”

Section: Prototype Implementationmentioning

confidence: 99%

A Formal Treatment of Accountable Proxying Over TLS

Bhargavan

Boureanu

Delignat-Lavaud

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Much of Internet traffic nowadays passes through active proxies, whose role is to inspect, filter, cache, or transform data exchanged between two endpoints. To perform their tasks, such proxies modify channel-securing protocols, like TLS, resulting in serious vulnerabilities. Such problems are exacerbated by the fact that middleboxes are often invisible to one or both endpoints, leading to a lack of accountability. A recent protocol, called mcTLS, pioneered accountability for proxies, which are authorized by the endpoints and given limited read/write permissions to application traffic.Unfortunately, we show that mcTLS is insecure: the protocol modifies the TLS protocol, exposing it to a new class of middlebox-confusion attacks. Such attacks went unnoticed mainly because mcTLS lacked a formal analysis and security proofs. Hence, our second contribution is to formalize the goal of accountable proxying over secure channels. Third, we propose a provably-secure alternative to soon-to-be-standardized mcTLS: a generic and modular protocol-design that carefully composes generic secure channel-establishment protocols, which we prove secure. Finally, we present a proof-of-concept implementation of our design, instantiated with unmodified TLS 1.3 draft 23, and evaluate its overheads.

show abstract

Achieving Better Privacy for the 3GPP AKA Protocol

Cited by 32 publications

References 20 publications

A Method for Proving Unlinkability of Stateful Protocols

A Method for Proving Unlinkability of Stateful Protocols

Novel 5G Authentication Protocol to Improve the Resistance Against Active Attacks and Malicious Serving Networks

A Formal Treatment of Accountable Proxying Over TLS

Contact Info

Product

Resources

About