
The 5G-AKA Authentication Protocol Privacy (Adrien Koutsos, LVS, ENS)

The 5G-AKA Authentication Protocol Privacy. Adrien Koutsos, LVS, ENS Paris-Saclay, January 18, 2019. Adrien Koutsos 5G-AKA Privacy January 18, 2019 1 / 43. 1 The 4G-AKA and 5G-AKA Protocols: The 4G-AKA Protocol; The IMSI Catcher Attack; The 5g


  2. Privacy in 4G-AKA: confidentiality of the user identity. Once a temporary identity is set up, the id is protected if:
     - The protocol does not fail.
     - The adversary is a passive adversary.
     ⟹ This is not realistic!

  4. The IMSI Catcher Attack [Strobel, 2007]
     UE → Attacker: tmp-id or id
     If tmp-id received, Attacker → UE: “Permanent-ID-Request”
     UE → Attacker: id
     Why this is a major attack:
     - Reliable: the attack always works.
     - Easy to deploy: only need an antenna.
     - Large scale: not targeted.

  6. Privacy in 5G-AKA. The 5G-AKA protocol: 5G-AKA is the next version of AKA (drafts are available [3GPP, 2018]). 3GPP fix for 5G-AKA: simply encrypt the permanent identity by sending $\{\mathrm{id}\}_{pk_n}$.

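  7. 5G-AKA (message flow between UE and HN)
     UE state: $\mathrm{id}$, $\text{tmp-id}$, $k$, $pk_n$, $\mathrm{sqn}_u$. HN state: $\mathrm{id}$, $\text{tmp-id}$, $k$, $sk_n$, $\mathrm{sqn}_n$.
     UE → HN: $\text{tmp-id}$ or $\{\mathrm{id}\}_{pk_n}$
     HN → UE: $\langle n,\ \mathrm{sqn}_n \oplus H^5_k(n),\ H^1_k(\langle \mathrm{sqn}_n, n\rangle)\rangle$; HN: $\mathrm{sqn}_n \leftarrow \mathrm{sqn}_n + 1$
     UE: $b_{mac} \leftarrow$ check mac; $b_{sqn} \leftarrow$ check range$(\mathrm{sqn}_u, \mathrm{sqn}_n)$
     If $b_{mac} \wedge b_{sqn}$: $\mathrm{sqn}_u \leftarrow \mathrm{sqn}_n$; UE → HN: $H^2_k(n)$
     If $\neg b_{mac}$: UE → HN: “Auth-Failure”
     If $b_{mac} \wedge \neg b_{sqn}$: UE → HN: $\langle \mathrm{sqn}_u \oplus H^{5,*}_k(n),\ H^{1,*}_k(\langle \mathrm{sqn}_u, n\rangle)\rangle$; if the mac is valid, HN: $\mathrm{sqn}_n \leftarrow \mathrm{sqn}_u + 1$
     assign-tmp-id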

  10. Privacy in 5G-AKA. Is it enough?
     - For confidentiality of the id, yes.
     - For unlinkability, no.

  15. Unlinkability. Linkability attack: even if the id is hidden, an attacker may link sessions of the same user.
     Example (figure): A B A B B B ∼ A B C D E F F

  19. The Failure Message Attack [Arapinis et al., 2012]
     Observed session between UE($\mathrm{id}_t$) and HN:
     HN → UE($\mathrm{id}_t$): $t_{auth} \equiv \langle n,\ \mathrm{sqn}_n \oplus H^5_k(n),\ H^1_k(\langle \mathrm{sqn}_n, n\rangle)\rangle$
     UE($\mathrm{id}_t$) → HN: $H^2_k(n)$
     Later session between the Attacker and UE($\mathrm{id}'$):
     Attacker → UE($\mathrm{id}'$): $t_{auth}$
     If $\mathrm{id}' \neq \mathrm{id}_t$, UE($\mathrm{id}'$) → Attacker: “Auth-Failure”
     If $\mathrm{id}' = \mathrm{id}_t$, UE($\mathrm{id}'$) → Attacker: $\langle \mathrm{sqn}_u \oplus H^{5,*}_k(n),\ H^{1,*}_k(\langle \mathrm{sqn}_u, n\rangle)\rangle$
     Unlinkability attack: the adversary knows if it interacted with $\mathrm{id}_t$ or $\mathrm{id}'$.

  23. The Encrypted id Replay Attack [Fouque et al., 2016]
     Observed session between UE($\mathrm{id}_t$) and HN:
     UE($\mathrm{id}_t$) → HN: $\{\mathrm{id}_t\}_{pk_n}$
     Later session between UE($\mathrm{id}'$) and HN:
     UE($\mathrm{id}'$) sends $\{\mathrm{id}'\}_{pk_n}$, which is replaced on the way to the HN by $\{\mathrm{id}_t\}_{pk_n}$
     HN → UE($\mathrm{id}'$): $t_{auth} \equiv \langle n,\ \mathrm{sqn}_n \oplus H^5_k(n),\ H^1_k(\langle \mathrm{sqn}_n, n\rangle)\rangle$
     If $\mathrm{id}' \neq \mathrm{id}_t$, UE($\mathrm{id}'$) answers: Failure Message
     If $\mathrm{id}' = \mathrm{id}_t$, UE($\mathrm{id}'$) answers: $H^2_k(n)$
     Unlinkability attack: the adversary knows if it interacted with $\mathrm{id}_t$ or $\mathrm{id}'$.

  29. New Attack on the PRIV-AKA Protocol. The PRIV-AKA protocol: the authors of [Fouque et al., 2016] propose a new protocol, PRIV-AKA (claimed unlinkable).
     Unlinkability attack (four sessions). We found an attack to permanently de-synchronize the user:
     - Run a session but keep the last message $t_1$.
     - Re-synchronize the user and the network.
     - Re-iterate the last two steps to get a second message $t_2$.
     - Send both $t_1$ and $t_2$, which increments $\mathrm{sqn}_n$ by two.
     The user is permanently de-synchronized ⟹ unlinkability attack.

  32. Objective. Design a modified version of AKA, called AKA+, that:
     - Provides some form of unlinkability.
     - Satisfies the design and efficiency constraints of 5G-AKA.
     - Is proved secure.

  33. Outline
     1. The 4G-AKA and 5G-AKA Protocols: The 4G-AKA Protocol; The IMSI Catcher Attack; The 5G-AKA Protocol; Unlinkability Attacks Against 5G-AKA
     2. The AKA+ Protocol: Design Constraints; Key Ideas; The AKA+ Protocol
     3. Security Proofs: σ-Unlinkability; Modeling in the Bana-Comon Model; Theorem
     4. Conclusion

  34. Random Number Generation in 5G-AKA. Random number generation by the user: in 5G-AKA, the user generates a random number only:
     - If no tmp-id is assigned.
     - In the session following a de-synchronization.

  37. The AKA+ Protocol: design constraints. AKA+ should be as efficient as 5G-AKA:
     - Random number generation (user): at most one nonce per session, and only for re-synchronization or if no tmp-id is assigned.
     - The user can use only one-way functions and asymmetric encryption.
     - Network complexity: only three messages per session.

  42. Key Ideas Behind AKA+ (the slide repeats the diagrams of the Encrypted id Replay Attack and the Failure Message Attack)
     - Postpone re-synchronization to the next session: $\{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}_{pk_n}$. No re-synchronization message ⟹ no failure message attack. No extra randomness for the user.
     - Add a challenge $n$ from the HN when using the permanent identity:
       HN → UE: $n$
       UE → HN: $\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}_{pk_n},\ \mathrm{Mac}^1_{k_m}(\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}_{pk_n}, n\rangle)\rangle$

  45. Architecture of AKA+: the AKA+ sub-protocols
     - id sub-protocol: is initiated by the HN with a challenge $n$; uses the encrypted permanent identity; allows re-synchronizing the UE and the HN.
     - tmp-id sub-protocol: is initiated by the UE; uses a temporary identity.
     - assign-tmp-id sub-protocol: assigns a fresh temporary identity to the UE.

  48. id Sub-Protocol, between UE$_{\mathrm{id}}$ (state$^{\mathrm{id}}_u$) and HN (state$_n$)
     HN → UE: $n$
     UE → HN: $\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}^{n_e}_{pk_n},\ \mathrm{Mac}^1_{k^{\mathrm{id}}_m}(\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}^{n_e}_{pk_n}, n\rangle)\rangle$; UE: $\mathrm{sqn}_u \leftarrow \mathrm{sqn}_u + 1$
     HN: $b_{Mac} \leftarrow$ check-mac; if $b_{Mac}$ then authenticated $\mathrm{id}$
     HN: $b_{Inc} \leftarrow b_{Mac} \wedge \mathrm{sqn}_u \geq \mathrm{sqn}^{\mathrm{id}}_n$; if $b_{Inc}$ then $\mathrm{sqn}^{\mathrm{id}}_n \leftarrow \mathrm{sqn}_u + 1$; $\mathrm{session}^{\mathrm{id}}_n \leftarrow n$; $\text{tmp-id}^{\mathrm{id}}_n \leftarrow \text{tmp-id}$
     HN → UE, if $b_{Mac}$: $\mathrm{Mac}^2_{k^{\mathrm{id}}_m}(\langle n, \mathrm{sqn}_u + 1\rangle)$
     UE: if check-mac then authenticated HN
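
The id sub-protocol as a toy model, added here as an example that is not part of the original slides: it shows the HN re-synchronizing on the UE's $\mathrm{sqn}_u$ and rejecting a recorded identity message presented under a fresh challenge. Assumptions: HMAC-SHA256 stands in for Mac 1 and Mac 2, the public-key encryption is modelled as an opaque handle only the HN can open, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the aka+ id sub-protocol. Assumptions (not from the
# slides): HMAC-SHA256 stands in for Mac^1 / Mac^2, and the randomized
# public-key encryption {<id, sqn_u>}_{pk_n} is modelled as an opaque random
# handle that only the HN can open.

def mac(k_m, label, *parts):
    """MAC over length-prefixed fields so the tuple encoding is unambiguous."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(k_m, data, hashlib.sha256).digest()

def sqn_bytes(sqn):
    return sqn.to_bytes(8, "big")

class HN:
    def __init__(self):
        self.k_m = {}      # id -> MAC key k_m^id
        self.sqn = {}      # id -> sqn_n^id
        self._vault = {}   # ciphertext handle -> (id, sqn_u), HN-only

    def register(self, ident, k_m):
        self.k_m[ident], self.sqn[ident] = k_m, 0

    def encrypt(self, ident, sqn_u):
        """Stand-in for encryption under pk_n: a fresh handle per call."""
        handle = secrets.token_bytes(16)
        self._vault[handle] = (ident, sqn_u)
        return handle

    def challenge(self):
        return secrets.token_bytes(16)          # fresh n for every session

    def verify(self, n, ct, tag):
        """Return (Mac^2 reply or None, b_Inc) for the session with challenge n."""
        if ct not in self._vault:
            return None, False
        ident, sqn_u = self._vault[ct]
        k_m = self.k_m[ident]
        b_mac = hmac.compare_digest(tag, mac(k_m, b"1", ct, n))
        b_inc = b_mac and sqn_u >= self.sqn[ident]
        if b_inc:                                # re-synchronize on the UE value
            self.sqn[ident] = sqn_u + 1
        reply = mac(k_m, b"2", n, sqn_bytes(sqn_u + 1)) if b_mac else None
        return reply, b_inc

class UE:
    def __init__(self, ident, k_m, hn, sqn_u=0):
        self.ident, self.k_m, self.hn, self.sqn_u = ident, k_m, hn, sqn_u

    def respond(self, n):
        ct = self.hn.encrypt(self.ident, self.sqn_u)   # models use of pk_n
        tag = mac(self.k_m, b"1", ct, n)               # Mac^1 binds ct to n
        self.sqn_u += 1
        return ct, tag

    def check_hn(self, n, reply):
        expected = mac(self.k_m, b"2", n, sqn_bytes(self.sqn_u))
        return reply is not None and hmac.compare_digest(reply, expected)

def demo():
    hn, k = HN(), secrets.token_bytes(32)
    hn.register("id_t", k)
    ue = UE("id_t", k, hn, sqn_u=5)     # UE counter ahead of the HN's (0)
    n1 = hn.challenge()
    ct, tag = ue.respond(n1)
    reply, b_inc = hn.verify(n1, ct, tag)
    honest = (b_inc, hn.sqn["id_t"], ue.check_hn(n1, reply))
    # The same (ct, tag) pair presented in a later session with a fresh n2:
    replayed = hn.verify(hn.challenge(), ct, tag)
    return honest, replayed

if __name__ == "__main__":
    print(demo())
```

Because Mac 1 covers the HN's own challenge, the recorded pair verifies only in the session it was produced for; the honest run also moves the HN counter from 0 to 6 without any separate re-synchronization message.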

  52. tmp-id Sub-Protocol, between UE$_{\mathrm{id}}$ (state$^{\mathrm{id}}_u$) and HN (state$_n$)
     UE → HN, if $\text{valid-tmp}_u$: $\text{tmp-id}_u$; UE: $\text{valid-tmp}_u \leftarrow$ false
     HN: $b_{\mathrm{id}} \leftarrow \text{tmp-id}^{\mathrm{id}}_n = \text{tmp-id}_u \neq$ UnSet; if $b_{\mathrm{id}}$ then $\text{tmp-id}^{\mathrm{id}}_n \leftarrow$ UnSet; $\mathrm{session}^{\mathrm{id}}_n \leftarrow n$
     HN → UE, if $b_{\mathrm{id}}$: $\langle n,\ \mathrm{sqn}^{\mathrm{id}}_n \oplus H_{k^{\mathrm{id}}}(n),\ \mathrm{Mac}^3_{k^{\mathrm{id}}_m}(\langle n, \mathrm{sqn}^{\mathrm{id}}_n, \text{tmp-id}_u\rangle)\rangle$
     UE: $b_{acc} \leftarrow$ check-mac $\wedge$ range$(\mathrm{sqn}_u, \mathrm{sqn}^{\mathrm{id}}_n)$; if $b_{acc}$ then $\mathrm{sqn}_u \leftarrow \mathrm{sqn}_u + 1$
     UE → HN, if $b_{acc}$: $\mathrm{Mac}^4_{k^{\mathrm{id}}_m}(n)$
     HN: $b_{Mac} \leftarrow$ check-mac; if $b_{Mac}$ then authenticated $\mathrm{id}$
     HN: $b_{Inc} \leftarrow b_{Mac} \wedge \mathrm{session}^{\mathrm{id}}_n = n$; if $b_{Inc}$ then $\mathrm{sqn}^{\mathrm{id}}_n \leftarrow \mathrm{sqn}^{\mathrm{id}}_n + 1$; $\text{tmp-id}^{\mathrm{id}}_n \leftarrow \text{tmp-id}$

  53. The assign-tmp-id Sub-Protocol, between UE$_{\mathrm{id}}$ (state$^{\mathrm{id}}_u$) and HN (state$_n$)
     HN → UE: $\langle \text{tmp-id} \oplus H^r_{k^{\mathrm{id}}}(n),\ \mathrm{Mac}^5_{k^{\mathrm{id}}_m}(\langle \text{tmp-id}, n\rangle)\rangle$
     UE: $b_{acc} \leftarrow$ check-mac; $\text{tmp-id}_u \leftarrow$ if $b_{acc}$ then $\text{tmp-id}$ else UnSet; $\text{valid-tmp}_u \leftarrow b_{acc}$


  57. Security Proofs: objective. Formally prove that AKA+ satisfies:
     - mutual authentication.
     - unlinkability ⟹ σ-unlinkability.
     Figure: A B A A ≁ A B A B (legend: id sub-protocol, tmp-id sub-protocol)

  59. The σ-Unlinkability Property. High-level idea: show privacy only for a subset of the standard unlinkability game scenarios.
     - Game-based definition (like standard unlinkability).
     - Parametric property (σ).
     - In general, weaker than unlinkability.
     - Allows privacy guarantees to be quantified precisely.

  63. The σ-Unlinkability Property: two indistinguishable executions. Each time the id sub-protocol is used, we can change the user’s identity.
     Figure: A B A B B B ∼ A B A C C C (legend: id sub-protocol, tmp-id sub-protocol)

  65. σ-Unlinkability: efficiency vs privacy. There is a trade-off between:
     - Efficiency: the tmp-id sub-protocol is faster.
     - Privacy: the id sub-protocol provides some privacy.
     Remark: if we use only the id sub-protocol, we get standard unlinkability. All previous attacks are also σ-unlinkability attacks.

  69. Modeling: the Bana-Comon Model [Bana and Comon-Lundh, 2014]. The proof is in the Bana-Comon unlinkability model:
     - Messages are modeled by (first-order) terms.
     - A security property $P \sim Q$ is modeled by a formula $\vec{u}_P \sim \vec{u}_Q$.
     - Implementation assumptions and cryptographic hypotheses are modeled by axioms $Ax$.
     - We have to show that $Ax \models \vec{u}_P \sim \vec{u}_Q$.

  71. Modeling: the protocol, messages and state
     - Symbolic trace of actions $\tau$. Example: $\tau = \mathrm{UE}_A, \mathrm{HN}, \mathrm{UE}_B, \mathrm{UE}_A$.
     - Symbolic frame $\phi_\tau$: sequences of messages observed by the attacker.
     - Symbolic state $\sigma_\tau$: current state of the users and the network.

  74. Modeling: the protocol
     UE, on input $n$: $\text{b-auth}_u \leftarrow n$; message $\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}_{pk_n},\ \mathrm{Mac}^1_{k_m}(\langle \{\langle \mathrm{id}, \mathrm{sqn}_u\rangle\}_{pk_n}, n\rangle)\rangle$; $\mathrm{sqn}_u \leftarrow \mathrm{sqn}_u + 1$
     Adversary knowledge: $\phi^{in}_\tau$. Adversary computations: $g$. ⟹ Symbolic input: $g(\phi^{in}_\tau)$
     $\sigma^{up}_\tau \equiv \text{b-auth}_u \mapsto g(\phi^{in}_\tau)$
