Security and Privacy in 3G/4G/5G-Network authentication: the AKA protocol.
Authentication in mobile networks is usually a process between three participants: a client, an operator, and an intermediary, local authority (which can be a roaming agent, or an agent of the client's operator).
The result of positive authentication is that the client may use services via the intermediary authority. A rejected client will not be able to use the network coverage offered by the intermediary authority, nor any other service. However, a central security and privacy demand requires that the intermediary agent does not know client-specific information, which is stored by the client and the operator.
In this talk we explore the process of authentication with the specific focus on the AKA protocol, which is a main contender for use in 5G networks. This protocol is symmetric key, features mutual authentication, and its design does not follow typical cryptographic paradigms. Its basic building blocks are a set of seven algorithms, which can be implemented either by using AES (this algorithm set is called Milenage), or by using the internal permutation of Keccak (the set is called TUAK). We show that despite being unorthodox, the design of the AKA protocol is mostly sound, both when instantiated with TUAK and when instantiated with Milenage. However, this same design does not allow for an analysis in traditional authenticated key-exchange security models (e.g. Canetti/Krawczyk, Bellare/Rogaway, Bellare/Pointcheval/Rogaway); instead, we have to modify the framework to capture one particular weakness in the mutual authentication, which allows a strange type of relay attack.
Finally, we address some privacy issues of this protocol, in particular with respect to the (un)traceability requirement mentioned in the specifications.
Thème(s) : Conférences Recherche