the 5g aka authentication protocol privacy
play

The 5G-AKA Authentication Protocol Privacy Adrien Koutsos LVS, ENS - PowerPoint PPT Presentation

The 5G-AKA Authentication Protocol Privacy Adrien Koutsos LVS, ENS Paris-Saclay January 18, 2019 Adrien Koutsos 5G-AKA Privacy January 18, 2019 1 / 43 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g


  1. Privacy in 4g - aka Confidentiality of the user identity Once a temporary identity is set up, the id is protected if: The protocol does not fail. The adversary is a passive adversary. Adrien Koutsos 5G-AKA Privacy January 18, 2019 12 / 43

  2. Privacy in 4g - aka Confidentiality of the user identity Once a temporary identity is set up, the id is protected if: The protocol does not fail. The adversary is a passive adversary. = ⇒ This is not realistic! Adrien Koutsos 5G-AKA Privacy January 18, 2019 12 / 43

  3. The imsi Catcher Attack [Strobel, 2007] UE Attacker tmp - id or id If tmp - id received “Permanent-ID-Request” id Adrien Koutsos 5G-AKA Privacy January 18, 2019 13 / 43

  4. The imsi Catcher Attack [Strobel, 2007] UE Attacker tmp - id or id If tmp - id received “Permanent-ID-Request” id Why this is a major attack Reliable: the attack always works. Easy to deploy: only need an antenna. Large scale: not targeted. Adrien Koutsos 5G-AKA Privacy January 18, 2019 13 / 43

  5. Privacy in 5g - aka The 5g - aka protocol 5g - aka is the next version of aka (drafts are available [3GPP, 2018]). Adrien Koutsos 5G-AKA Privacy January 18, 2019 14 / 43

  6. Privacy in 5g - aka The 5g - aka protocol 5g - aka is the next version of aka (drafts are available [3GPP, 2018]). 3GPP fix for 5G-AKA Simply encrypt the permanent identity by sending { id } pk n Adrien Koutsos 5G-AKA Privacy January 18, 2019 14 / 43

  7. UE HN 5g - aka id , tmp - id , k , pk n , sqn u id , tmp - id , k , sk n , sqn n tmp - id or { id } pk n n , sqn n ⊕ H 5 k ( n ) , H 1 � � k ( � sqn n , n � ) b mac ← check mac sqn n ← sqn n + 1 b sqn ← check range ( sqn u , sqn n ) b mac ∧ b sqn sqn u ← sqn n H 2 k ( n ) ¬ b mac “Auth-Failure” b mac ∧ ¬ b sqn sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � � k ( � sqn u , n � ) If the mac is valid: sqn n ← sqn u + 1 assign-tmp-id Adrien Koutsos 5G-AKA Privacy January 18, 2019 15 / 43

  8. Privacy in 5g - aka Is it enough? Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  9. Privacy in 5g - aka Is it enough? For confidentiality of the id , yes. Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  10. Privacy in 5g - aka Is it enough? For confidentiality of the id , yes. For unlinkability, no. Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  11. Unlinkability Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  12. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  13. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  14. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  15. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  16. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  17. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  18. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  19. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Unlinkability attack The adversary knows if it interacted with id t or id ′ . Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  20. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  21. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  22. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  23. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Unlinkability attack The adversary knows if it interacted with id t or id ′ . Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  24. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  25. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  26. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  27. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  28. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Send both t 1 and t 2 , which increments sqn n by two . Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  29. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Send both t 1 and t 2 , which increments sqn n by two . The user is permanently de-synchronized = ⇒ unlinkability attack. Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  30. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  31. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Satisfies the design and efficiency constraints of 5g - aka . Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  32. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Satisfies the design and efficiency constraints of 5g - aka . Is proved secure. Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  33. 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g - aka Protocol Unlinkability Attacks Against 5g - aka 2 The aka + Protocol Design Constraints Key Ideas The aka + Protocol 3 Security Proofs σ -Unlinkability Modeling in the Bana-Comon Model Theorem 4 Conclusion Adrien Koutsos 5G-AKA Privacy January 18, 2019 22 / 43

  34. Random Number Generation in 5g - aka Random Number Generation by the User In 5g - aka , the user generates a random number only: If no tmp - id is assigned. In the session following a de-synchronization. Adrien Koutsos 5G-AKA Privacy January 18, 2019 23 / 43

  35. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  36. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. The user can use only one-way functions and asymmetric encryption . Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  37. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. The user can use only one-way functions and asymmetric encryption . Network complexity: only three messages per session. Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  38. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  39. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  40. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  41. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  42. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / Add a challenge n from the HN when using the permanent identity. UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth UE HN n If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message � {� id , sqn u �} pk n , Mac 1 � k m ( �{� id , sqn u �} pk n , n � ) If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  43. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  44. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. tmp - id sub-protocol: is initiated by the UE. uses a temporary identity. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  45. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. tmp - id sub-protocol: is initiated by the UE. uses a temporary identity. assign-tmp-id sub-protocol: assigns a fresh temporary identity to the UE. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  46. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  47. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  48. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  49. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  50. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  51. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  52. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  53. The assign-tmp-id Sub-Protocol UE id HN state n state id u � tmp - id ⊕ H r k id ( n ) , Mac 5 m ( � tmp - id , n � ) � k id b acc ← check-mac tmp - id u ← if b acc then tmp - id else UnSet valid-tmp u ← b acc Adrien Koutsos 5G-AKA Privacy January 18, 2019 29 / 43

  54. 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g - aka Protocol Unlinkability Attacks Against 5g - aka 2 The aka + Protocol Design Constraints Key Ideas The aka + Protocol 3 Security Proofs σ -Unlinkability Modeling in the Bana-Comon Model Theorem 4 Conclusion Adrien Koutsos 5G-AKA Privacy January 18, 2019 30 / 43

  55. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  56. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  57. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability = ⇒ σ - unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  58. The σ -Unlinkability Property σ -Unlinkability High level idea: show privacy only for a subset of the standard unlinkability game scenarios. Adrien Koutsos 5G-AKA Privacy January 18, 2019 32 / 43

  59. The σ -Unlinkability Property σ -Unlinkability High level idea: show privacy only for a subset of the standard unlinkability game scenarios. Game-based definition (like standard unlinkability). Parametric property ( σ ). In general, weaker than unlinkability. Allow to precisely quantify privacy guarantees. Adrien Koutsos 5G-AKA Privacy January 18, 2019 32 / 43

  60. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  61. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  62. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  63. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  64. σ -Unlinkability Efficiency vs Privacy There is a trade-off between: Efficiency: the tmp - id sub-protocol is faster. Privacy: the id sub-protocol provides some privacy. Adrien Koutsos 5G-AKA Privacy January 18, 2019 34 / 43

  65. σ -Unlinkability Efficiency vs Privacy There is a trade-off between: Efficiency: the tmp - id sub-protocol is faster. Privacy: the id sub-protocol provides some privacy. Remark If we use only the id sub-protocol, we get standard unlinkability. All previous attacks are also σ -unlinkability attacks. Adrien Koutsos 5G-AKA Privacy January 18, 2019 34 / 43

  66. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  67. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  68. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Implementation assumptions and cryptographic hypothesis are modeled by axioms Ax. Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  69. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Implementation assumptions and cryptographic hypothesis are modeled by axioms Ax. We have to show that Ax | = � u P ∼ � u Q . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  70. Modeling: the Protocol Messages and State Symbolic trace of actions τ . Example: τ = UE A , HN , UE B , UE A . Adrien Koutsos 5G-AKA Privacy January 18, 2019 36 / 43

  71. Modeling: the Protocol Messages and State Symbolic trace of actions τ . Example: τ = UE A , HN , UE B , UE A . Symbolic frame φ τ : sequences of messages observed by the attacker. Symbolic state σ τ : current state of the users and the network. Adrien Koutsos 5G-AKA Privacy January 18, 2019 36 / 43

  72. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

  73. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

  74. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) � σ up ≡ τ b-auth u �→ g ( φ in τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

Recommend


More recommend