Achieving Better Privacy for the 3GPP AKA Protocol

Pierre-Alain Fouque 1 , Cristina Onete 2  and Benjamin Richard 3
  • 1 Université de Rennes 1/ IRISA
  • 2 INSA Rennes/IRISA
  • 3 Orange Labs


Proposed by the 3rd Generation Partnership Project (3GPP) as a standard for 3G and 4G mobile-network communications, the AKA protocol is meant to provide a mutually-authenticated key-exchange between clients and associated network servers. As a result AKA must guarantee the indistinguishability from random of the session keys (key-indistinguishability), as well as client- and server-impersonation resistance. A paramount requirement is also that of client privacy, which 3GPP defines in terms of: user identity confidentiality, service untraceability, and location untraceability. Moreover, since servers are sometimes untrusted (in the case of roaming), the AKA protocol must also protect clients with respect to these third parties. Following the description of client-tracking attacks e.g. by using error messages or IMSI catchers, van den Broek et al. and respectively Arapinis et al. each proposed a new variant of AKA, addressing such problems. In this paper we use the approach of provable security to show that these variants still fail to guarantee the privacy of mobile clients. We propose an improvement of AKA, which retains most of its structure and respects practical necessities such as key-management, but which provably attains security with respect to servers and Man-in-the- Middle (MiM) adversaries. Moreover, it is impossible to link client sessions in the absence of client-corruptions. Finally, we prove that any variant of AKA retaining its mutual authentication specificities cannot achieve client-unlinkability in the presence of corruptions. In this sense, our proposed variant is optimal.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] 3GPP. 3G Security; Technical Specification Group (TSG) SA; 3G Security; Security Architecture. TS 33.102, 3rd Generation Partnership Project (3GPP), June 2013.

  • [2] 3GPP. 3rd Generation Partnership Project; Technical Specification Group Services ans System Aspects; Security related network functions (Release 12). TS 43.020, 3rd Generation Partnership Project (3GPP), June 2014.

  • [3] J. Alwen, M. Hirt, U. Maurer, A. Patra, and P. Raykov. Anonymous authentication with shared secrets. In Proceedings of LatinCrypt, volume 8895 of LNCS, pages 219-236. Springer- Verlag, 1999.

  • [4] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. Untraceable mobility or how to travel incognito. In Elsevier Computer Networks, volume 31, pages 871-884. Elsevier, 1999.

  • [5] BSI. A Proposal for: Functionality classes for random number generators. AIS 20 / AIS 31. Version 2.0 , Bundesamt fur Sichercheit in der Informationstechnik (BSI), 2011.

  • [6] R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attacks. In Advances in Cryptology - CRYPTO 1998, volume 1462 of LNCS, pages 13-25. Springer, 1998.

  • [7] David A. McGrew and John Viega. The Security and Performance of the Galois/Counter Mode of Operation (Full Version). IACR Cryptology ePrint Archive, 2004:193, 2004.

  • [8] D.Strobel. IMSI Catcher. In 2007, Seminar Work, Ruhr- Universitat Bochum, 2007.

  • [9] Fabian van den Broek and Roel Verdult and Joeri de Ruiter. Defeating IMSI Catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, USA, October 12-6, 2015, pages 340-351, 2015.

  • [10] P. A. Fouque, C. Onete, and B. Richard. Achieving Better Privacy for the 3GPP AKA Protocol. Cryptology ePrint Archive, Report 2001/112, 2016.

  • [11] Jens Hermans and Andreas Pashalidis and Frederik Vercauteren and Bart Preneel. A New RFID Privacy Model. In Computer Security - ESORICS 2011 - 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14, 2011. Proceedings, pages 568-587, 2011.

  • [12] Jens Hermans and Andreas Pashalidis and Frederik Vercauteren and Bart Preneel. A New RFID Privacy Model. In V. Atluri and C. Diaz, editors, Esorics, volume 6879, pages 568-587, 2011.

  • [13] M. S. A. Khan and C. J. Mitchell. Another look at privacy threats in 3G mobile telephony. In Proceedings of ACISP, volume 8544 of Lecture Notes in Computer Science, pages 386-396. Springer, 2014.

  • [14] Michael Burrows and Martín Abadi and Roger M. Needham. A Logic of Authentication. ACM Trans. Comput. Syst., 8(1):18-36, 1990.

  • [15] Mihir Bellare and David Pointcheval and Phillip Rogaway. Authenticated Key Exchange Secure against Dictionary Attacks. In Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, pages 139-155, 2000.

  • [16] Mihir Bellare and Phillip Rogaway. Entity Authentication and Key Distribution. In D. R. Stinson, editor, Advances in Cryptology - CRYPTO ’93, volume 773 of LNCS, pages 232-249. Springer, 1993.

  • [17] Mihir Bellare and Ran Canetti and Hugo Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In Proceedings of the ACM Symposium on the Theory of Computing, pages 419-428, 1998.

  • [18] Ming-Feng Lee and Nigel P. Smart and Bogdan Warinschi and Gaven J. Watson. Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Int. J. Inf. Sec., 13(6):513-527, 2014.

  • [19] Muxiang Zhang. Provably-Secure Enhancement on 3GPP Authentication and Key Agreement Protocol. IACR Cryptology ePrint Archive, 2003:92, 2003.

  • [20] Muxiang Zhang and Yuguang Fang. Security analysis and enhancements of 3gpp authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2):734-742, 2005.

  • [21] Myrto Arapinis and Loretta Ilaria Mancini and Eike Ritter and Mark Ryan. Privacy through Pseudonymity in Mobile Telephony Systems. In 21st Annual Network and Distributed System Security Symposium, NDSS, 2014.

  • [22] Myrto Arapinis and Loretta Ilaria Mancini and Eike Ritter and Mark Ryan and Nico Golde and Kevin Redon and Ravishankar Borgaonkar. New privacy issues in mobile telephony: fix and verification. In the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, pages 205-216, 2012.

  • [23] S. provider. Personal communication with one of europe’s largest service providers, 2015.

  • [24] Radu-Ioan Paise and Serge Vaudenay. Mutual Authentication in RFID: Security and Privacy. In Proc. on the 3rd ACM Symposium on Information, Computer and Communications Security (ASIACCS), pages 292-299. ACM, 2008.

  • [25] Ran Canetti and Hugo Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels. In Advances in Cryptology - EUROCRYPT 2002, volume 2332 of LNCS, pages 337-351, 2002.

  • [26] Serge Vaudenay. On Privacy Models for RFID. In ASIACRYPT ’07, volume 4883, pages 68-87, 2007.

  • [27] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert. Practical attacks against privacy and availability in 4g/lte mobile communication systems. In Proceedings of NDSS. Internet Society, 2016.

  • [28] Ulrike Meyer and Susanne Wetzel. A man-in-the-middle attack on UMTS. In Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, October 1, 2004, pages 90-97, 2004.

  • [29] Zahra Ahmadian and Somayeh Salimi and Ahmad Salahi. New attacks on UMTS network access. In 2009 Wireless Telecommunications Symposium, WTS 2009, Prague, Czech Republic, April 22-24, 2009, pages 1-6, 2009.


Journal + Issues