the 5g aka authentication protocol privacy
play

The 5G-AKA Authentication Protocol Privacy Adrien Koutsos LVS, ENS - PowerPoint PPT Presentation

Nov 09, 2023 •135 likes •1.45k views

The 5G-AKA Authentication Protocol Privacy Adrien Koutsos LVS, ENS Paris-Saclay January 18, 2019 Adrien Koutsos 5G-AKA Privacy January 18, 2019 1 / 43 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g

  1. Privacy in 4g - aka Confidentiality of the user identity Once a temporary identity is set up, the id is protected if: The protocol does not fail. The adversary is a passive adversary. Adrien Koutsos 5G-AKA Privacy January 18, 2019 12 / 43

  2. Privacy in 4g - aka Confidentiality of the user identity Once a temporary identity is set up, the id is protected if: The protocol does not fail. The adversary is a passive adversary. = ⇒ This is not realistic! Adrien Koutsos 5G-AKA Privacy January 18, 2019 12 / 43

  3. The imsi Catcher Attack [Strobel, 2007] UE Attacker tmp - id or id If tmp - id received “Permanent-ID-Request” id Adrien Koutsos 5G-AKA Privacy January 18, 2019 13 / 43

  4. The imsi Catcher Attack [Strobel, 2007] UE Attacker tmp - id or id If tmp - id received “Permanent-ID-Request” id Why this is a major attack Reliable: the attack always works. Easy to deploy: only need an antenna. Large scale: not targeted. Adrien Koutsos 5G-AKA Privacy January 18, 2019 13 / 43

  5. Privacy in 5g - aka The 5g - aka protocol 5g - aka is the next version of aka (drafts are available [3GPP, 2018]). Adrien Koutsos 5G-AKA Privacy January 18, 2019 14 / 43

  6. Privacy in 5g - aka The 5g - aka protocol 5g - aka is the next version of aka (drafts are available [3GPP, 2018]). 3GPP fix for 5G-AKA Simply encrypt the permanent identity by sending { id } pk n Adrien Koutsos 5G-AKA Privacy January 18, 2019 14 / 43

  7. UE HN 5g - aka id , tmp - id , k , pk n , sqn u id , tmp - id , k , sk n , sqn n tmp - id or { id } pk n n , sqn n ⊕ H 5 k ( n ) , H 1 � � k ( � sqn n , n � ) b mac ← check mac sqn n ← sqn n + 1 b sqn ← check range ( sqn u , sqn n ) b mac ∧ b sqn sqn u ← sqn n H 2 k ( n ) ¬ b mac “Auth-Failure” b mac ∧ ¬ b sqn sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � � k ( � sqn u , n � ) If the mac is valid: sqn n ← sqn u + 1 assign-tmp-id Adrien Koutsos 5G-AKA Privacy January 18, 2019 15 / 43

  8. Privacy in 5g - aka Is it enough? Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  9. Privacy in 5g - aka Is it enough? For confidentiality of the id , yes. Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  10. Privacy in 5g - aka Is it enough? For confidentiality of the id , yes. For unlinkability, no. Adrien Koutsos 5G-AKA Privacy January 18, 2019 16 / 43

  11. Unlinkability Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  12. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  13. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  14. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  15. Unlinkability Example A B A B B B ∼ A B C D E F F Linkability Attack Even if the id is hidden, an attacker may link sessions of the same user. Adrien Koutsos 5G-AKA Privacy January 18, 2019 17 / 43

  16. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  17. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  18. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  19. The Failure Message Attack [Arapinis et al., 2012] UE ( id t ) HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 k ( n ) UE ( id ′ ) Attacker t auth If id ′ � = id t “Auth-Failure” If id ′ = id t sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � k ( � sqn u , n � ) � Unlinkability attack The adversary knows if it interacted with id t or id ′ . Adrien Koutsos 5G-AKA Privacy January 18, 2019 18 / 43

  20. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  21. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  22. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  23. The Encrypted id Replay Attack [Fouque et al., 2016] UE ( id t ) HN { id t } pk n UE ( id ′ ) HN { id ′ } pk n { id t } pk n / n , sqn n ⊕ H 5 k ( n ) , H 1 � � t auth ≡ k ( � sqn n , n � ) If id ′ � = id t Failure Message If id ′ = id t H 2 k ( n ) Unlinkability attack The adversary knows if it interacted with id t or id ′ . Adrien Koutsos 5G-AKA Privacy January 18, 2019 19 / 43

  24. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  25. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  26. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  27. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  28. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Send both t 1 and t 2 , which increments sqn n by two . Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  29. New Attack on the priv-aka Protocol The priv-aka Protocol The authors of [Fouque et al., 2016] propose a new protocol, priv-aka (claimed unlinkable). Unlinkability Attack (four sessions) We found an attack to permanently de-synchronize the user: Run a session but keep the last message t 1 . Re-synchronize the user and the network. Re-iterate the last two steps to get a second message t 2 . Send both t 1 and t 2 , which increments sqn n by two . The user is permanently de-synchronized = ⇒ unlinkability attack. Adrien Koutsos 5G-AKA Privacy January 18, 2019 20 / 43

  30. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  31. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Satisfies the design and efficiency constraints of 5g - aka . Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  32. Objective Objective Design a modified version of aka , called aka + , such that: Provides some form of unlinkability. Satisfies the design and efficiency constraints of 5g - aka . Is proved secure. Adrien Koutsos 5G-AKA Privacy January 18, 2019 21 / 43

  33. 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g - aka Protocol Unlinkability Attacks Against 5g - aka 2 The aka + Protocol Design Constraints Key Ideas The aka + Protocol 3 Security Proofs σ -Unlinkability Modeling in the Bana-Comon Model Theorem 4 Conclusion Adrien Koutsos 5G-AKA Privacy January 18, 2019 22 / 43

  34. Random Number Generation in 5g - aka Random Number Generation by the User In 5g - aka , the user generates a random number only: If no tmp - id is assigned. In the session following a de-synchronization. Adrien Koutsos 5G-AKA Privacy January 18, 2019 23 / 43

  35. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  36. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. The user can use only one-way functions and asymmetric encryption . Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  37. The aka + Protocol Design Constraints aka + should be as efficient as the 5g - aka : Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp - id is assigned. The user can use only one-way functions and asymmetric encryption . Network complexity: only three messages per session. Adrien Koutsos 5G-AKA Privacy January 18, 2019 24 / 43

  38. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  39. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  40. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  41. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  42. Key Ideas Key Ideas Behind aka + The Encrypted id Replay Attack The Failure Message Attack Postpone re-synchronization to the next session: {� id , sqn u �} pk n . UE ( id t ) HN UE ( id t ) { id t } pk n HN � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) No re-synchronization message = ⇒ no failure message attack. No extra randomness for the user. H 2 UE ( id ′ ) k ( n ) HN { id ′ } pk n { id t } pk n / Add a challenge n from the HN when using the permanent identity. UE ( id ′ ) Attacker � n , sqn n ⊕ H 5 k ( n ) , H 1 � t auth ≡ k ( � sqn n , n � ) t auth UE HN n If id ′ � = id t If id ′ � = id t “Auth-Failure” Failure Message � {� id , sqn u �} pk n , Mac 1 � k m ( �{� id , sqn u �} pk n , n � ) If id ′ = id t If id ′ = id t � sqn u ⊕ H 5 , ∗ k ( n ) , H 1 , ∗ � H 2 k ( � sqn u , n � ) k ( n ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 25 / 43

  43. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  44. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. tmp - id sub-protocol: is initiated by the UE. uses a temporary identity. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  45. Architecture of aka + aka + Sub-Protocols id sub-protocol: is initiated by the HN with a challenge n. uses the encrypted permanent identity. allows to re-synchronize the UE and the HN. tmp - id sub-protocol: is initiated by the UE. uses a temporary identity. assign-tmp-id sub-protocol: assigns a fresh temporary identity to the UE. id Sub-Protocol tmp - id Sub-Protocol assign-tmp-id Sub-Protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 26 / 43

  46. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  47. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  48. id Sub-Protocol UE id HN state n state id u n {� id , sqn u �} n e pk n , Mac 1 m ( �{� id , sqn u �} n e � pk n , n � ) � k id sqn u ← sqn u + 1 b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ sqn u ≥ sqn id n if b Inc then sqn id ← sqn u + 1 n session id ← n n tmp - id id n ← tmp - id b Mac Mac 2 m ( � n , sqn u + 1 � ) k id if check-mac then authenticated HN Adrien Koutsos 5G-AKA Privacy January 18, 2019 27 / 43

  49. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  50. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  51. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  52. tmp - id UE id HN Sub-Protocol state n state id u valid-tmp u tmp - id u valid-tmp u ← false b id ← tmp - id id n = tmp - id u � = UnSet if b id then tmp - id id n ← UnSet session id ← n n b id � � n ⊕ H k id ( n ) , Mac 3 n , sqn id m ( � n , sqn id n , tmp - id u � ) k id b acc ← check-mac ∧ range ( sqn u , sqn id n ) if b acc then sqn u ← sqn u + 1 b acc Mac 4 m ( n ) k id b Mac ← check-mac if b Mac then authenticated id b Inc ← b Mac ∧ session id n = n if b Inc then sqn id ← sqn id n + 1 n tmp - id id n ← tmp - id Adrien Koutsos 5G-AKA Privacy January 18, 2019 28 / 43

  53. The assign-tmp-id Sub-Protocol UE id HN state n state id u � tmp - id ⊕ H r k id ( n ) , Mac 5 m ( � tmp - id , n � ) � k id b acc ← check-mac tmp - id u ← if b acc then tmp - id else UnSet valid-tmp u ← b acc Adrien Koutsos 5G-AKA Privacy January 18, 2019 29 / 43

  54. 1 The 4g - aka and 5g - aka Protocols The 4g - aka Protocol The imsi Catcher Attack The 5g - aka Protocol Unlinkability Attacks Against 5g - aka 2 The aka + Protocol Design Constraints Key Ideas The aka + Protocol 3 Security Proofs σ -Unlinkability Modeling in the Bana-Comon Model Theorem 4 Conclusion Adrien Koutsos 5G-AKA Privacy January 18, 2019 30 / 43

  55. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  56. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  57. Security Proofs Objective A B A A Formally prove that aka + satisfies: �∼ mutual authentication . A B A B unlinkability = ⇒ σ - unlinkability . id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 31 / 43

  58. The σ -Unlinkability Property σ -Unlinkability High level idea: show privacy only for a subset of the standard unlinkability game scenarios. Adrien Koutsos 5G-AKA Privacy January 18, 2019 32 / 43

  59. The σ -Unlinkability Property σ -Unlinkability High level idea: show privacy only for a subset of the standard unlinkability game scenarios. Game-based definition (like standard unlinkability). Parametric property ( σ ). In general, weaker than unlinkability. Allow to precisely quantify privacy guarantees. Adrien Koutsos 5G-AKA Privacy January 18, 2019 32 / 43

  60. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  61. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  62. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  63. The σ -Unlinkability Property Two Indistinguishable Executions Each time the id sub-protocol is used, we can change the user’s identity. A B A B B B ∼ A B A C C C id sub-protocol tmp - id sub-protocol Adrien Koutsos 5G-AKA Privacy January 18, 2019 33 / 43

  64. σ -Unlinkability Efficiency vs Privacy There is a trade-off between: Efficiency: the tmp - id sub-protocol is faster. Privacy: the id sub-protocol provides some privacy. Adrien Koutsos 5G-AKA Privacy January 18, 2019 34 / 43

  65. σ -Unlinkability Efficiency vs Privacy There is a trade-off between: Efficiency: the tmp - id sub-protocol is faster. Privacy: the id sub-protocol provides some privacy. Remark If we use only the id sub-protocol, we get standard unlinkability. All previous attacks are also σ -unlinkability attacks. Adrien Koutsos 5G-AKA Privacy January 18, 2019 34 / 43

  66. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  67. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  68. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Implementation assumptions and cryptographic hypothesis are modeled by axioms Ax. Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  69. Modeling The Bana-Comon Model [Bana and Comon-Lundh, 2014] The proof is in the Bana-Comon unlinkability model: Messages are modeled by (first-order) terms . A security property P ∼ Q is modeled by a formula � u P ∼ � u Q . Implementation assumptions and cryptographic hypothesis are modeled by axioms Ax. We have to show that Ax | = � u P ∼ � u Q . Adrien Koutsos 5G-AKA Privacy January 18, 2019 35 / 43

  70. Modeling: the Protocol Messages and State Symbolic trace of actions τ . Example: τ = UE A , HN , UE B , UE A . Adrien Koutsos 5G-AKA Privacy January 18, 2019 36 / 43

  71. Modeling: the Protocol Messages and State Symbolic trace of actions τ . Example: τ = UE A , HN , UE B , UE A . Symbolic frame φ τ : sequences of messages observed by the attacker. Symbolic state σ τ : current state of the users and the network. Adrien Koutsos 5G-AKA Privacy January 18, 2019 36 / 43

  72. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

  73. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

  74. Modeling: the Protocol UE n Input n: b-auth u ← n � {� id , sqn u �} pk n , Mac 1 � k m ( � {� id , sqn u �} pk n , n � ) sqn u ← sqn u + 1 Adversary knowledge: φ in τ Adversary computations: g ⇒ Symbolic input: g ( φ in = τ ) � σ up ≡ τ b-auth u �→ g ( φ in τ ) Adrien Koutsos 5G-AKA Privacy January 18, 2019 37 / 43

Recommend

End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia

End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia

End-to-end Design of a PUF based Privacy Preserving Authentication Protocol Aydin Aysu (Virginia Tech) Ege Gulcan (Virginia Tech) Daisuke Moriyama (NICT) Patrick Schaumont (Virginia Tech) Moti Yung (Google/Columbia University) 1 Motivation

595 views • 31 slides
Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit

Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit

Privacy-Preserv rving Im Implicit Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit Authentication Usage patterns, authentication decision making Cost: privacy! Our Basic Protocol

547 views • 17 slides
Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and

Identity Management Hannes Tschofenig Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication protocol. Works with any user authentication protocol (e.g., OATH, FIDO, W3C

613 views • 10 slides
Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer

Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer

Recursive Authentication Protocol 1 L. C. Paulson Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer Laboratory University of Cambridge Recursive Authentication Protocol 2 L. C. Paulson Overview of the

363 views • 20 slides
Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols

563 views • 22 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
Cryptanalysis of a Novel Authentication Protocol Conforming to EPC-C1G2 Standard Pedro

Cryptanalysis of a Novel Authentication Protocol Conforming to EPC-C1G2 Standard Pedro

Cryptanalysis of a Novel Authentication Protocol Conforming to EPC-C1G2 Standard Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda Computer Science Department, Carlos III University of Madrid {

451 views • 12 slides
How to get a trustworthy DNS Privacy enabling recursive resolver an analysis of authentication

How to get a trustworthy DNS Privacy enabling recursive resolver an analysis of authentication

How to get a trustworthy DNS Privacy enabling recursive resolver an analysis of authentication mechanisms for DNS Privacy enabling recursive resolvers Benno Overeinder Melinda Shore Willem Toorop Fastly NLnet Labs NLnet Labs (presenter)

321 views • 21 slides
Migration towards a more secure authentication in the Session Initiation Protocol Lars Strand

Migration towards a more secure authentication in the Session Initiation Protocol Lars Strand

Migration towards a more secure authentication in the Session Initiation Protocol Lars Strand Wolfgang Leister Alan Duric The Fifth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2011) 21-27

805 views • 21 slides
Overview of HTTP Mutual Overview of HTTP Mutual authentication protocol authentication protocol

Overview of HTTP Mutual Overview of HTTP Mutual authentication protocol authentication protocol

Overview of HTTP Mutual Overview of HTTP Mutual authentication protocol authentication protocol proposal proposal Yutaka OIWA Yutaka OIWA RCIS, AIST RCIS, AIST July 26, 2010 July 26, 2010 Motivation Motivation Current HTTP

445 views • 11 slides
1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure

1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure

Chapter 18 1 2 Security Authentication Principles 3 4 Hypertext Transfer Cryptography Protocol Secure (HTTPS) 5 6 Security Best Common Practices Threat Vectors 7 Summary Fundamentals of Web Development - 2 nd Ed. Randy Connolly

603 views • 14 slides
DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah

DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah

Security requirements The proposed protocol Security analysis DECAP-Distributed Extensible Cloud Authentication Protocol Andrea Huszti and Norbert Ol ah University of Debrecen Nijmegen, Netherlands Andrea Huszti and Norbert Ol ah

402 views • 22 slides
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Chair of Network Architectures and Services TUM Department of Informatics Technical University of Munich (TUM) Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication Matthias Wachs, Quirin Scheitle, and

462 views • 14 slides
Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart

Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart

Privacy concerns of implicit secondary factors for web authentication Joseph Bonneau Stuart Schechter Edward Felten Microsoft Research Prateek Mittal Arvind Narayanan Princeton University WAY Workshop 2014 Passwords +... Behavioral/soft

524 views • 14 slides
Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt)

Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt)

Protocol for Carrying Authentication for Network Access (PANA) (draft-ietf-pana-pana-00.txt) Authors: Dan Forsberg Yoshihiro Ohba Basavaraj Patil Hannes Tschofenig Alper Yegin IETF56 Contents Introduction PAA Discovery

612 views • 34 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin Universit e catholique de Louvain Belgium April 16, 2012 [WiSec12, Tucson, AZ, USA] Goal of our Paper Authentication protocol that

1.08k views • 43 slides
Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version 4 Khanh Hoang Huynh Jason Kerssens Supervisors: Alex Stavroulakis (KPMG) Aristide Bouix (KPMG) Introduction AWS As of 2018, AWS has a

636 views • 26 slides
Security Protocols Part 9 SSL Protocol Recap Digital Certificate Authentication

Security Protocols Part 9 SSL Protocol Recap Digital Certificate Authentication

Security Protocols Part 9 SSL Protocol Recap Digital Certificate Authentication Integrity Non-repudiation CA (Certification Authority) Issue digital certificates (via digital signature) Publish/Distribute digital

491 views • 13 slides
Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and Iwen COISEL Orange Labs R&D - Caen - France RFIDSec 08 - 10 th July 2008 Outline 1 General Context 2 A synchronization problem 3 A

714 views • 33 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and

An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement Gildas Avoine 1 and Aslan Tchamkerten 2 1 Universit e catholique de Louvain, Louvain-la-Neuve, Belgium 2 Telecom ParisTech,

335 views • 31 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides

More recommend