
Conference Paper · February 2018


DOI: 10.1109/ICIN.2018.8401619


All content following this page was uploaded by Shanay Behrad on 27 February 2019.



Securing Authentication for Mobile Networks, A Survey on 4G issues and 5G answers

Shanay Behrad, Emmanuel Bertin
Orange Labs, France
{shanay.behrad,emmanuel.bertin}@orange.com

Noel Crespi
Institut Telecom, Telecom SudParis, CNRS 5157, France
noel.crespi@it-sudparis.eu

Abstract— The upcoming fifth generation of mobile networks is expected to support a set of many requirements and use cases. However, it should be able to provide a high level of security by considering the different aspects such as authentication mechanisms. The current 4G AKA protocols designed to address the AAA needs present some weaknesses and will also be impacted by the new requirements of 5G systems. In this paper, we survey the vulnerabilities of 4G AKA protocol, as well as the current 5G architectural answers brought by the 3GPP.

Keywords— 5G, mobile network; Authentication, AAA mechanisms; AKA protocol

I. INTRODUCTION

From 2G to 5G, one of the most important requirements of mobile systems is security. Authenticating users for network access and ensuring a bidirectional trust between users and network are key items to build such secured systems. Both are related to the AAA mechanisms (Authentication, Authorization and Accounting) that provide secure network services and billing for network subscribers.

In 2G, the authentication of the users is based on the SIM (Subscriber Identity Module), the well-known secure element that stores the subscriber’s IMSI (International Mobile Subscriber Identity) and a permanent key. However, the lack of mutual authentication caused active attacks against the subscribers (e.g., an attacker can appear as a valid base station to the subscriber). Since 3G, the 3GPP (3rd Generation Partnership Project) is making use of AKA (Authentication and Key-agreement) protocols [1] with mutual authentication feature to address this issue. The AKA mechanism in 4G systems (EPS-AKA) has few differences compared with the 3G systems (UMTS-AKA), detailed in [2].

The forthcoming generation of mobile systems is now 5G, which should fulfill the increasing demand for higher throughput, low latency and better quality of service. Some additional requirements have also been raised in the scope of the 5G, such as handling the connectivity for the IoT (Internet of things), providing network slices to specific customers or vertical sectors, or managing heterogeneous network accesses (e.g., addressing Wi-Fi and cellular access networks from a converged network). All of these requirements and concepts affect the whole network and the associated security needs. AAA mechanisms for 5G should thus consider the issues and weaknesses of current AKA protocols, as well as these new requirements.

In this paper, we review the challenges of EPS-AKA procedure for 4G systems and discuss the new needs coming from the new 5G use cases, as well as the way standards are currently evolving. The remainder of this paper is organized as follows. In section II, we explain the main nodes of the 4G architecture that participate in EPS-AKA procedures. In section III we study the vulnerabilities of EPS-AKA and summarize them in a survey table. In section IV, we finally discuss the AAA impact of new 5G use-cases and introduce the current architectural answers from 5G standardization process.

II. SUMMARY OF CURRENT (4G) AAA

A. 4G Architecture

4G architecture involves many functional entities to ensure Authentication and Access Control. The main entities are described below and summarized in Figure 1:

• UE (User Equipment) is the mobile device, that includes a UICC (Universal Integrated Circuit Card) and an application, USIM (Universal Subscriber Identity Module) running on it. The USIM stores user-related information such as the IMSI (International Mobile Subscriber Identity) and the subscriber’s Secret key (which is pre-shared with the AuC in the Home Network and never leaves these two elements). The IMSI uniquely identifies a subscriber and consists of three parts: MCC (Mobile Country Code), MNC (Mobile Network Code) that specifies the subscriber’s carrier network and MSIN (Mobile Subscriber Identification Number) that identifies the subscriber in the mobile network. The USIM participates in subscriber authentication process.

• eNodeB (evolved Node B) is the main component of the E-UTRAN (Evolved Universal Terrestrial Radio Access Network). UEs connect to the core network via eNodeBs. They are directly linked together and this flat architecture causes lower latency and better performance gains in connection [3, 4].

• MME (Mobility Management Entity) is the main control node of the network. MME performs authentication and is mainly responsible for the attachment process, bearer handling (in collaboration with the S-GW and the P-GW), tracking UE’s location and selecting the gateways (deciding the route of data packets).
• HSS (Home Subscriber Server) is a database that stores the subscriber’s data (including subscription profile) and the secret keys. HSS is basically an integration of the HLR (Home Location Register) and the AuC (Authentication Center) that holds and generates all the needed cryptographic material. It provides authentication data to the MME.

• P-GW (Packet Data Network Gateway) connects the core network to the external networks such as internet and provides IP addresses to the UEs. It is also responsible for policy enforcement, billing, and charging. All packets destined for mobile subscribers are routed to the P-GW.

• S-GW (Serving Gateway) anchors the data bearer and routes data packets to the UE, eventually by triggering the MME. S-GW is responsible for a given geographical zone and it serves as an intermediate equipment to avoid frequent rerouting at the P-GW level in the case of movements of UEs.

4G architecture supports multiple access technologies (trusted and untrusted access networks). The operator decides which non-3GPP access network is trusted and which one is untrusted. The handling of non-3GPP accesses involves other entities:

• AAA Server is responsible for authentication and authorization of the UE in the case of non-3GPP access¹.

• EPDG (Evolved Packet Data Gateway) is responsible for the establishment of an IPsec tunnel between the operator network and the UE in the case of untrusted non-3GPP access.

However, we mainly focus on the 3GPP access in the scope of this paper.

Fig. 1. LTE network architecture. The MME and the HSS are in the control plane and the S-GW and the P-GW are in the user plane. The solid lines show the control plane links and the dashed lines show the user plane links.

B. EPS-AKA overview

Concerning 3GPP access networks, the 4G authentication process is supported by the EPS-AKA protocol, which is an authentication and key agreement protocol between the UE and the network. In the current 5G specifications, this protocol is reused, with few differences [5].

EPS-AKA provides mutual authentication (the network authenticates the UE and the UE authenticates the serving network), based on symmetric key cryptography. In this protocol, at first, the parties authenticate each other and set the secret key, then, some other keys are derived from this secret key to provide data integrity and confidentiality. All the messages in EPS-AKA are NAS messages².

Figure 2 depicts the EPS-AKA procedure and the attacks it may encounter. As shown in Figure 2, the EPS-AKA procedure starts by sending the Attach request message from the UE to the MME. This message contains the UE’s IMSI or GUTI (Globally Unique Temporary Identifier) if it exists. GUTI is a temporary identifier that the MME allocates to the UE, after the initial attach procedure, to protect the IMSI from eavesdropping (i.e., to avoid the frequent transmission of the IMSI, which would allow an attacker to track the movements of a UE)³. If the MME cannot recognize the GUTI, it sends the Identity request message to the UE, which then sends its IMSI in the Identity response message. The rest of the EPS-AKA procedure is as follows [2, 6]:

• The MME sends Authentication information request to the HSS which contains the UE’s IMSI and the SNid (Serving Network Identifier). The UE trusts the home network about the verification of the serving network identity (the home network uses the SNid to compute the serving network specific K_ASME key that we will describe below).

• The HSS generates a random challenge RAND, finds the UE’s secret key K (according to UE’s IMSI) and then inputs these two items to cryptographic functions to generate AVs (Authentication Vectors). AVs consist of the RAND, a XRES (the MME checks if this amount is equal to the RES from the UE to authenticate the UE), a local master key K_ASME (computed by a key derivation function with the SNid as one of its inputs) and an AUTN (Authentication Token). The other input of cryptographic functions is a counter, SQN. The HSS keeps a counter for each UE and this counter is used to prevent the MME from re-using an AV (it helps the UE to check the freshness of AVs and avoid replay attacks).

• The HSS sends the AV to the MME that stores K_ASME and XRES parts of the AV, and sends RAND and AUTN to the UE.

• The USIM inside the UE retrieves the SQN from AUTN by using the secret key K, and RAND; next, it computes XMAC by using SQN, RAND and the AMF part of the AUTN and compares XMAC with the MAC part of the AUTN. Then, it checks if SQN is in the right range (USIM has its own SQN and it checks if the SQN from the HSS is not too far apart from its own SQN, to ensure synchronization between HSS and UE). In this part, the UE authenticates the network. Then, it computes K_ASME, thus now, both UE and MME have the same key to establish secure connections. The USIM also computes a RES and sends it to the MME. If the SQN is not in the expected range, UE sends a synchronization failure message and if XMAC is not the same as MAC, UE sends a MAC failure message.

• The MME checks if XRES and RES are equal and completes the authentication and key agreement process.

Fig. 2. EPS-AKA procedure and the attacks against it

We may here underline that the above described authentication process is also implicitly an access control or authorization process. The authentication of the UE is indeed necessary and sufficient to provide it access to the network resources. Let us now survey the identified vulnerabilities of this key process.

¹ AAA is a widely used term. Whereas we focus in this article on AAA mechanisms between the mobile networks and the subscribers, the term of AAA is also used as entity name for non-3GPP access.

² There are two sets of protocols in mobile systems that concern the UE, Non-Access Stratum (NAS) and Access Stratum (AS). NAS protocols are for connections between the UE and the core network, while AS concerns the link with the radio access network.

³ Temporary Mobile Subscriber Identity (TMSI) is another kind of identifier, allocated to the UE by its current MME. As two different MMEs could use the same TMSI for two different UEs, the GUTI with a larger structure and global significance is used as a temporary identity. It contains TMSI.

III. EPS-AKA VULNERABILITIES

There are a number of security issues concerning LTE security. In the scope of this paper we only focus on AAA; therefore we mainly consider EPS-AKA protocol vulnerabilities as this protocol plays the main role in securing network access and ensuring the privacy of UEs. Table 1 summarizes these vulnerabilities and their effects on the security of the LTE system.

The first vulnerability is IMSI disclosure (IMSI catching), which affects user confidentiality. As we mentioned in previous sections, UE sends the IMSI to MME in clear text during the first attachment procedure. Furthermore, IMSI is transmitted in paging messages that are sent from MME to eNodeBs and from eNodeBs to UEs, to find a specific UE (for example, when UE has an incoming call). An attacker can trigger paging procedure without awareness of the user, e.g. by using social network applications, and then sniff paging messages between eNodeB and UE to decode them and acquire the IMSI [7, 8]. In handover cases between MMEs, if a synchronization failure happens, the new MME or the previous one requests the UE’s IMSI, which is then transmitted in clear text again [4, 9-11]. In these cases, an attacker can eavesdrop the connection to catch IMSIs.

One of the problems of IMSI disclosure is theft of services with session mix-up attacks. It can be an inside attack where the attacker is a subscriber of the network but impersonates another subscriber and uses the services that the victim should get from the network [9, 12, 13]. It could also be an outside attack, in which the attacker is not a subscriber of the network and swaps the services between subscribers of the network [13]. Theft of services attacks can also happen between UE and the IMS part of the network (IP multimedia subsystem which provides multimedia services such as voice calls) and affect the revenue of the operator [14]. It is also possible for the attacker to force a UE to send IMSI constantly and waste the computational power of the HSS and the memory of the MME [15, 16].

To solve IMSI disclosure problem, some solutions based on public key cryptography were proposed [17-24]. Some of them encrypt all the messages between the UE and the network and some of them only encrypt IMSIs. Most of the public key based solutions increase computational and communication costs for UEs (with limited capabilities and energy) and for the network elements. Pseudonyms based solutions to IMSI disclosure problem were also proposed [11, 25] but were needing additional capabilities in UEs or additional entities in the network [4, 18, 23, 25].

As we mentioned in the previous section, GUTI is a temporary identifier and should be fresh. However, in reality, it is not changed frequently and disclosure of it may cause the same problems as IMSI disclosure [7, 23, 26]. An attacker can also change GUTIs. In this scenario, the server cannot recognize GUTIs and asks UEs to send their IMSIs [22].

One of the most important attacks is rogue eNodeB that pretends to be a legitimate eNodeB and, by operating with high power, makes the UEs connect to it [7, 14, 15, 27, 29]. A rogue eNodeB can redirect UEs to another network that provides weak data encryption instead of UE’s home network [9]. It can also cause man in the middle attacks (MitM, the attacker impersonates a legitimate UE to the network) [9], the disclosure of UE’s location and compromise of session keys during handover processes (de-synchronization attacks) [4, 10]. Leakage of SNid, because of transmission in clear from the MME to the UE and the HSS, may also cause rogue eNodeB attacks [10, 19]. SNid disclosure may cause traffic on the MME too, because an attacker can force UEs to attach to the MME [23]. Furthermore, LTE system supports femtocells and HeNodeBs and operators do not control them, so an attacker can use them as rogue eNodeBs and collect IMSIs [18, 24].

The next vulnerability is relevant to the TAU (Tracking Area Update) procedure. Mobile operators divide their service area to tracking areas and each tracking area consists of a number of cells. UEs inform the MME about their locations by sending TAU messages. Some network services are not accessible in some tracking areas, or some UEs are not authorized to access them; as a result, the network sends TAU reject message to UEs in an unprotected manner. In this case, an attacker can cause DoS (Denial of Service) attacks against UE by getting TAU request message from UE via rogue eNodeB and sending TAU reject message to UE with “LTE services not allowed” or “LTE and non-LTE services not allowed” content [7, 16, 29]. It is also possible for an attacker to use the location information of the UE and find a link between its IMSI and GUTI and then trace the UE across the network [18].

DoS attacks against UEs can also happen during attachment procedure when the UE sends its network and security capabilities to the network. An attacker can change this message; therefore the MME may reject some of the UE’s requests [7, 9].

Unprotected AVs vulnerability is used to determine if a specific UE is in a specific area or not, and track its movements. AVs are sent in clear text between the HSS and the MME and between the MME and the UE [19]. If an attacker gets these AVs (User Authentication request) by eavesdropping the connection between the MME and the UE or by corrupting the serving network, it can replay them. Then, the attacker sends these AVs to the UEs in a specific area. The UE to which the AVs belong will send synchronization failure message and the other UEs will send MAC failure messages, therefore the attacker determines the presence of the UE in that location [8, 14, 22, 23, 30, 31, 32].

Finally, EPS-AKA is based on symmetric key cryptography and all the keys that are used to protect data integrity are derived from the secret key (in the key hierarchy), therefore, the leakage of this key would cause serious problem to the whole network [9, 19].

In addition to the aforementioned vulnerabilities, some security issues are due to the interworking with non-3GPP access networks. The UE uses EAP-AKA and EAP-AKA’ as the authentication and key agreement protocol when trying to access the LTE core network via a non-3GPP access network, as well as during handover procedures between 3GPP access networks and non-3GPP access networks [6]. These protocols are similar to EPS-AKA protocol (instead of MME, they are working with AAA server, the needed keys are derived from the AVs that AAA server gets from the HSS) so they have similar vulnerabilities as EPS-AKA, such as attacks against UE privacy and location, DoS attacks, UE impersonating and billing mechanisms attacks [33, 34, 35].

IV. NEW 5G NEEDS

The fifth generation of mobile communications has a number of goals, such as achieving low latency, high data rates, increased convergence, accessibility and dense connectivity. 5G will also support IoT (Internet of Things) services and address the needs of different vertical markets, such as healthcare, automotive and transport. 5G-PPP (Fifth Generation Public Private Partnership) has defined several different use cases for 5G including enhanced mobile broadband and critical communications [37].

TABLE I. SUMMARY OF EPS-AKA VULNERABILITIES AND ATTACKS, THE GOAL OF THESE ATTACKS AND THE CURRENT SOLUTIONS

| Vulnerability | Attacks | Attack Goals | Proposed Solutions |
|---|---|---|---|
| IMSI disclosure; GUTI persistence | Impersonating UEs [4, 12, 15, 36]; MitM | Weaken subscriber confidentiality; DoS attacks against the HSS and the MME; Theft of service; Disclosure of the subscriber location | Public key based solutions [17-22] |
| SNid disclosure | Rogue eNodeB [7, 14, 15, 27] | Weaken UE’s data security; Intercepting connections between the UE and the network; DoS against the MME | Public key based solutions [19, 23] |
| Acceptance of TAU reject, Service reject, Attach reject messages without integrity protection | DoS attack | DoS against UE [7] | Public key + digital signature [7] |
| UE’s network and security capabilities disclosure | Bidding down attack | DoS against UE | Public key + digital signature [7] |
| Synchronization failure | Replay attack | Disclosure of the subscriber location | |
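
The EPS-AKA exchange of section II.B and the "Synchronization failure" row of Table I, as an added example (not code from the paper or from 3GPP): a minimal Python model of the HSS, MME and USIM roles. HMAC-SHA256 stands in for the operator functions and the K_ASME derivation, and the AMF value, SQN window, IMSIs and keys are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 with a label stands in for the operator functions
# (f1, f2, f5) and the K_ASME key derivation; real USIMs use e.g. MILENAGE.
def prf(key, label, *parts, n=8):
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"    # constructed value for the AMF field of AUTN
SQN_WINDOW = 32      # hypothetical size of the "right range" for SQN

class HSS:
    """Home network: holds K and a per-subscriber SQN counter, builds AVs."""
    def __init__(self):
        self.subscribers = {}                      # IMSI -> [K, SQN]

    def provision(self, imsi, k):
        self.subscribers[imsi] = [k, 0]

    def auth_vector(self, imsi, snid):
        record = self.subscribers[imsi]
        record[1] += 1                             # fresh SQN for every AV
        k, sqn = record[0], record[1].to_bytes(6, "big")
        rand = os.urandom(16)
        ak = prf(k, b"f5", rand, n=6)              # anonymity key hides SQN
        mac = prf(k, b"f1", sqn, rand, AMF)
        autn = xor(sqn, ak) + AMF + mac            # AUTN = SQN^AK || AMF || MAC
        return {
            "RAND": rand,
            "AUTN": autn,
            "XRES": prf(k, b"f2", rand),
            "K_ASME": prf(k, b"kasme", rand, snid, n=32),  # bound to SNid
        }

class USIM:
    """Subscriber side: verifies AUTN before answering the challenge."""
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn = imsi, k, 0

    def authenticate(self, rand, autn, snid):
        hidden_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(hidden_sqn, prf(self.k, b"f5", rand, n=6))
        xmac = prf(self.k, b"f1", sqn, rand, amf)
        if not hmac.compare_digest(xmac, mac):     # network not authenticated
            return "MAC_FAILURE", None, None
        value = int.from_bytes(sqn, "big")
        if not self.sqn < value <= self.sqn + SQN_WINDOW:
            return "SYNC_FAILURE", None, None      # stale or replayed AV
        self.sqn = value
        res = prf(self.k, b"f2", rand)
        return "RES", res, prf(self.k, b"kasme", rand, snid, n=32)

class MME:
    """Serving network: fetches an AV, challenges the UE, compares RES/XRES."""
    def __init__(self, hss, snid):
        self.hss, self.snid = hss, snid

    def attach(self, usim):
        av = self.hss.auth_vector(usim.imsi, self.snid)
        status, res, k_ue = usim.authenticate(av["RAND"], av["AUTN"], self.snid)
        ue_ok = status == "RES" and hmac.compare_digest(res, av["XRES"])
        return ue_ok, k_ue == av["K_ASME"], av

def demo():
    # Constructed subscribers and serving network identifier.
    k1, k2 = bytes(range(16)), bytes(range(16, 32))
    hss = HSS()
    hss.provision("001010000000001", k1)
    hss.provision("001010000000002", k2)
    target, other = USIM("001010000000001", k1), USIM("001010000000002", k2)
    mme = MME(hss, b"00101")

    ue_ok, keys_match, av = mme.attach(target)
    # The same (RAND, AUTN) presented again: the two USIMs answer differently,
    # which is the location leak listed as "Synchronization failure" in Table I.
    replay_target = target.authenticate(av["RAND"], av["AUTN"], mme.snid)[0]
    replay_other = other.authenticate(av["RAND"], av["AUTN"], mme.snid)[0]
    # A UE that believes it is attached to another serving network derives a
    # different K_ASME, so the session keys do not match.
    av2 = hss.auth_vector(target.imsi, b"00101")
    k_other_sn = target.authenticate(av2["RAND"], av2["AUTN"], b"99999")[2]
    return {
        "attach_ok": ue_ok,
        "keys_match": keys_match,
        "replay_to_target": replay_target,
        "replay_to_other": replay_other,
        "snid_binding": k_other_sn != av2["K_ASME"],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the two failure causes are sent without protection and differ per subscriber, a monitoring rule that counts MAC failure and synchronization failure responses per cell is one place to look for replayed authentication requests.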
These different goals and use cases have important impacts on security aspects of the system and service specific security requirements should be considered for designing appropriate AAA mechanisms for 5G networks, e.g., fast communications need fast AKA procedures [38]. As another example, in IoT, numerous devices may access the network at the same time, so the network should have the ability to control this large amount of signaling traffic and authenticate the devices correctly to avoid DDoS (Distributed Denial of Service) attacks. IoT devices have low power capacity and cannot support strong authentication procedures. In addition, they are usually able to connect to the network via non-3GPP access options (some of them will not have 5G radio access and will use Wi-Fi or Bluetooth) [39]. According to these limitations, some solutions based on group-based authentications with an IoT gateway are proposed to decrease the number of full executions of the AKA procedure [40, 41]. But these group-based AKA solutions have some weaknesses too. Some of the weaknesses are traditional AKA weaknesses we have mentioned in the previous section, while some of them are specific to the group-based nature of these approaches. For example, an attacker can pretend to be a member of a group and get access to the network [42].

The aforementioned requirements of 5G have also produced new concepts we have to mention:

• Network slicing, which is a solution to meet heterogeneous requirements from different vertical markets [43]. Network slices are logical networks relying on a single physical network [44]. Each network slice is composed of various network functions to provide specific capabilities and to satisfy a specific type of usage [45]. For example, in some IoT case (e.g., smart factory), mobility will not be very high, so it may not need mobility handling functions [44]. There can be different approaches in providing network slicing (for example we can have a slice per service or a slice per vertical market). Different technologies like SDN (Software-defined Network) and NFV (Network Functions Virtualizations) will be used to deploy slicing. [46], [47] and [48] present some proposals for network slicing architecture and implementations. Concerning security, network slicing also adds some issues out of the scope of this paper, such as slice isolation to prevent threat propagation through slices, authentication and integrity protection of input data and access control between slices [39].

• Heterogeneous network access, as different radio technologies might be used to access 5G networks. As we mentioned before, one of the 5G goals is to provide a better accessibility to users, therefore when users do not have 5G connectivity, they may connect to 5G network through other types of accesses, e.g., satellite access. In IoT case, devices may also use different radio access technologies. In these situations, the enterprises or satellite providers may have their own AAA servers and the management of the connection between different AAA servers, especially in roaming scenarios, is very important [39, 49]. It is also important to protect the network against unauthorized access in this heterogeneous infrastructure [50].

V. FIRST STANDARDIZED SOLUTIONS: 5G PHASE 1 ARCHITECTURE

5G phase 1 should be published in December 2017 for first deployments in 2019. It will be later followed by a phase 2 for which many options are still open. Concerning the 5G phase 1, 3GPP has provided a technical specification to define the first architecture of 5G systems and to specify the main nodes and their responsibilities [45]. In this architecture control plane and user plane are as much as possible separated to achieve more flexible and scalable deployment. Instead of Network Entities grouping many functions, 3GPP attempted to define NFs (Networks Functions) with more atomic roles (i.e., one specific responsibility per function). However, most of these NFs are somehow a mapping of existing 4G entities. Two representations are possible for NFs interactions, one of them is based on the service-oriented architecture (SOA) viewpoint and the other one is based on traditional reference points. In service-based representation, an NF exposes a set of services it offers to other NFs, and it uses the services provided by them. All interactions are carried by the same protocol for API invocations. Each time a new NF needs to be plugged only its new API should be declared to other components. In reference point representation, specific protocol links are kept between pairs of network functions. Figure 3 shows the current 5G architecture and its network functions.

Fig. 3. 5G architecture and its main network functions. All of the NFs can connect to UDSF, NEF and NRF, therefore they are not shown in the figure. RAN stands for Radio Access Network.

The two first defined NFs can be seen as an evolution of the HSS:

• AUSF (Authentication Server Function) provides a unified framework for authentication issues (for 3GPP access as well as non-3GPP access).

• UDM (Unified Data Management) contains data that was related to HSS (i.e., user data). UDM stores only some part of data (such as subscription data of users) and not all of it. It also supports authentication credential processing, user identification handling and access authorization.

Indeed, we should notice that the concept of the data in 5G is a little bit different, with the differentiation between structured data and unstructured data. Structured data is exchanged between NFs in a standardized way, to enable communication between equipment from different vendors. Unstructured data are vendor specific data that can be hidden to other network functions. Three new functions are defined in this context:

• SDSF (Structured Data Storage network function)

• UDSF (Unstructured Data Storage network function)
• UDR (Unified Data Repository), which is responsible for storing or retrieving subscription and policy data.

Two other NFs can be seen as a division of the 4G MME:

• AMF (Core Access and Mobility Management Function) has different functionalities such as access authentication and authorization, registration management and mobility management. As different access technologies will be used, 5G needs a common framework for access management, as well as for handling mobility between different accesses. Therefore, AMF will support both 3GPP access networks and non-3GPP access networks. Unlike 4G (where MME is used for 3GPP access and ePDG for non-3GPP ones), the structure of the core network will be common for 3GPP access and non-3GPP access in 5G system.

• SMF (Session Management Function) is responsible for session management and some other functionalities, such as allocation of IP addresses, and controlling the policy enforcement and QoS (establishment of a session is totally separated from mobility management).

A function is also dedicated to policy management, as the PCRF (Policy and charging rules function) was:

• PCF (Policy Control Function) is related to policy framework and provides policy rules to NFs in the control plane.

Then, new functions are introduced to manage the instantiation of network functions and the interactions between them, in an NFV (Network Function Virtualization) approach:

• NEF (Network Exposure Function) handles all the information and services that can be exposed by NFs to for example 3rd parties and the circulation of information between different NFs in the control plane.

• NRF (NF Repository Function) stores available NFs in the system and informs other NFs about new NFs. In the service based representation, each time a new NF is added to the system, it indeed needs to be discovered by all other NFs.

A new function is also dedicated to network slicing:

• NSSF (Network Slice Selection Function) determines the serving AMF for the UE and selects network slice instances for it (in addition to network slicing concept, network slice instances provide specific services to different enterprises).

Finally, generic functions represent application plane, transfer plane and external data network:

• AF (Application Function) provides services to 3rd parties.

• UPF (User plane Function) is responsible for everything related to user data.

• DN (Data Network) is internet access or services from operators and 3rd parties.

VI. AAA CHOICES DONE FOR 5G PHASE 1

This new 5G architecture comes along with some new design choices for AAA, but also with much continuity. The most important continuity concerns the symmetric key based authentication through a secure element. In the phase one of 5G standards, it was decided to keep a secure element in UE (like UICC in the previous generations) to process the subscription credentials [5], which could also be an ESIM (Embedded SIM) provided by device makers and where operators can provision their profile over-the-air at the subscription time.

Concerning differences, 5G introduces a new type of identifier, SUPI (Subscriber Permanent Identifier) that is somehow equivalent to IMSI but with a more global footprint, as it can be used not only for cellular services subscribers but for different environments like IoT. The SUPI can have different formats: IMSI and NAI (Network Access Identifier). NAI is more flexible and can include different identifiers within (including IMSI). To protect user privacy, the MSIN part of the identifier will be encrypted with the public key of the subscriber’s home network⁴, addressing this way the IMSI disclosure vulnerability. SUCI (Subscription Concealed Identifier) contains the concealed SUPI. The public key of the home network should be stored in the secure element of the UE. We will also have 5G-GUTI as the temporary identifier like GUTI in 4G system.

Figure 4 depicts the detailed message flow in 5G-AKA procedures. As we mentioned in the previous section, the authentication mechanisms in 5G systems will be done in the same principle as 4G systems (AKA mechanism, 5G-AKA and EAP-AKA’) with some little differences. These differences in AKA mechanisms will be from the network perspective only but not from the UE perspective. AKA mechanisms in 5G systems, like in 4G systems, use “serving network name” (like SNid in 4G) in deriving the anchor key (K_SEAF), therefore the anchor key will belong to the specific serving network and this serving network cannot pretend to be another serving network. Moreover, there is a secondary protection in AKA mechanisms for 5G systems; the visited network will provide Authentication Confirmation message to the home network and confirms that the UE’s authentication is successful. Another difference in AKA mechanisms for 5G systems is that the anchor key (K_SEAF) that is derived in a 3GPP access can also be used in a non-3GPP access without a new authentication process. As we mentioned in the previous section, 4G systems use EPS-AKA for 3GPP access and EAP-AKA for non-3GPP access, but in 5G systems both of 5G-AKA and EAP-AKA’ can be used in both 3GPP access and non-3GPP access (we should notice that for 5G-AKA, NAS context is needed which is not present for non-3GPP access, so, at the beginning of the non-3GPP access, only EAP-AKA’ is foreseen).

⁴ This choice can be justified as follows: if all parts of the identifier were encrypted, the decryption should be done in the serving network, to route the messages to the right home network. This would impose to put in place a global mechanism to distribute and manage certificates.
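
The SUPI concealment described above and the routing argument of footnote 4, as an added example that is not part of the paper: only the MSIN is encrypted under the home network public key, so the serving network can still route on MCC/MNC while two SUCIs of the same subscriber do not match. The hybrid scheme here (a toy finite-field Diffie-Hellman group with an HMAC-based stream cipher) is an assumption chosen to stay within the Python standard library, and the function names, SUCI field layout and sample IMSI are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a toy finite-field Diffie-Hellman group (Mersenne prime 2^521-1)
# with an HMAC-based stream cipher stands in for the home network's public-key
# scheme. It keeps the example inside the standard library; it is not a
# parameter choice for real use.
P = 2**521 - 1
G = 3

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_keys(shared):
    digest = hashlib.sha512(shared.to_bytes(66, "big")).digest()
    return digest[:32], digest[32:]                # (encryption key, MAC key)

def stream_xor(key, data):
    pad = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(d ^ p for d, p in zip(data, pad)) # MSIN is at most 10 digits

def split_imsi(imsi, mnc_len=2):
    """IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

def conceal(supi, hn_public, mnc_len=2):
    """UE side: build a SUCI. Only the MSIN is encrypted."""
    mcc, mnc, msin = split_imsi(supi, mnc_len)
    eph_priv, eph_pub = keygen()                   # fresh for every SUCI
    enc_key, mac_key = derive_keys(pow(hn_public, eph_priv, P))
    ciphertext = stream_xor(enc_key, msin.encode())
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:8]
    return {"mcc": mcc, "mnc": mnc, "eph_pub": eph_pub,
            "ciphertext": ciphertext, "tag": tag}

def route(suci, home_networks):
    """Serving network: selects the home network from the clear MCC/MNC only."""
    return home_networks[(suci["mcc"], suci["mnc"])]

def deconceal(suci, hn_private):
    """Home network: recover the SUPI, rejecting modified SUCIs."""
    enc_key, mac_key = derive_keys(pow(suci["eph_pub"], hn_private, P))
    expected = hmac.new(mac_key, suci["ciphertext"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    msin = stream_xor(enc_key, suci["ciphertext"]).decode()
    return suci["mcc"] + suci["mnc"] + msin

def demo():
    supi = "001010123456789"                       # constructed test IMSI
    hn_private, hn_public = keygen()               # public half sits in the USIM
    first, second = conceal(supi, hn_public), conceal(supi, hn_public)
    flipped = bytes([first["ciphertext"][0] ^ 1]) + first["ciphertext"][1:]
    tampered = dict(first, ciphertext=flipped)
    try:
        deconceal(tampered, hn_private)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "routed_to": route(first, {("001", "01"): "home-network-A"}),
        "recovered": deconceal(first, hn_private),
        "msin_in_clear": first["ciphertext"] == supi[5:].encode(),
        "linkable": first["ciphertext"] == second["ciphertext"],
        "tamper_rejected": tamper_rejected,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```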
Fig. 4. 5G-AKA and EAP-AKA’. The main focus is on the 5G-AKA. The computation of RES* in the ME (Mobile Equipment) is in the same way as the
computation of XRES* in the ARPF and The computation of HRES* in the SEAF is in the same way as the computation of HXRES* in the AUSF

In the authentication process, the UE, the SEAF (Security Anchor Function), the AUSF and the UDM/ARPF (Authentication Repository and Processing Function) will be involved [51]. The SEAF will be included in the AMF and interacts with the AUSF to get authentication data from the UDM. It accomplishes UE authentication for different access networks. The ARPF stores subscribers’ profiles and the information that is related to security. At the beginning of the authentication process, the UE will send its SUPI to the SEAF. Then, the SEAF will send the 5G-AIR (Authentication Initiation Request) to the AUSF. The 5G-AIR contains the SUCI or SUPI of the UE and the name of the serving network. This message also indicates whether the UE has a 3GPP access or a non-3GPP access. After receiving the authentication information request from the AUSF, the UDM/ARPF generates AVs just as in the 4G system, then transforms them into new AVs that are specific to 5G systems (this transformation will be different in EAP-AKA’ and 5G-AKA). In the case of the UE’s successful authentication, the SEAF will send the 5G-AC (Authentication Confirmation) message in the 5G-AKA process. These messages are useful but not enough to protect the system against some frauds, like a fraudulent Update Location request for subscribers (a link is needed between the authentication result and the location update procedure) [5].

It is important to notice that the authentication process should be done outside the slice. It means that the UE should authenticate with the network, not with the slice. The UE can access a specific slice instance through the NSSF only when its authentication with the home network is completed [5, 45].

VII. CONCLUSION

As reviewed in this paper, current authentication mechanisms for 4G networks have some weaknesses that make them vulnerable to various attacks. While the new AKA procedures for 5G are solving the IMSI disclosure problem and mitigating the consequences of SNid disclosure, other 4G vulnerabilities will remain in 5G (GUTI potential persistence, acceptance of reject messages, capabilities disclosure and synchronization failure). In addition, new vulnerabilities appear with new 5G use-cases (e.g., group-based authentication).

While 3GPP has provided the AKA protocols for the first phase of 5G networks, more research is still needed to design innovative AAA mechanisms to better support new 5G needs (e.g., the huge number of objects in IoT connectivity, heterogeneous network access, D2D connections, as well as issues related to network slicing and openness to 3rd parties through a wholesale-oriented model), in order to ensure both network operators’ and customers’ security.

REFERENCES

[1] 3GPP, “Security Architecture,” TS 33.102, Tech. Spec. 14.1.0, 2017.
[2] 3GPP, “Security Architecture,” TS 33.401, Tech. Spec. 15.1.0, 2017.
[3] 3GPP, “Network Architecture,” TS 23.002, Tech. Spec. 14.1.0, 2017.
[4] J. Cao, M. Ma, H. Li, Y. Zhang, and Z. Luo, “A survey on security aspects for LTE and LTE-A networks,” IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 283–302, 2014.
[5] 3GPP, “Security Architecture and Procedures for 5G System,” TS 33.501, Tech. Spec. 0.3.0, 2017.
[6] D. Forsberg, G. Horn, W.-D. Moeller, and V. Niemi, LTE security. John Wiley & Sons, 2012.
[7] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J.-P. Seifert, “Practical attacks against privacy and availability in 4G/LTE mobile communication systems,” arXiv preprint arXiv:1510.07563, 2015.
[8] M. S. A. Khan and C. J. Mitchell, “Another look at privacy threats in 3G mobile telephony,” in Australasian Conference on Information Security and Privacy, 2014, pp. 386–396.
[9] F. B. Degefa, D. Lee, J. Kim, Y. Choi, and D. Won, “Performance and security enhanced authentication and key agreement protocol for SAE/LTE network,” Computer Networks, vol. 94, pp. 145–163, 2016.
[10] S. Mavoungou, G. Kaddoum, M. Taha, and G. Matar, “Survey on threats and attacks on mobile networks,” IEEE Access, vol. 4, pp. 4543–4572, 2016.
[11] H. Choudhury, B. Roychoudhury, and D. K. Saikia, “Enhancing user identity privacy in LTE,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on, 2012, pp. 949–957.
[12] J.-K. Tsay and S. F. Mjølsnes, “A vulnerability in the umts and lte authentication and key agreement protocols,” in International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, 2012, pp. 65–76.
[13] S. Mjølsnes and J.-K. Tsay, “Computational security analysis of the UMTS and LTE authentication and key agreement protocols,” 2012.
[14] D. Bhasker, “4G LTE security for mobile network operators,” Cyber Secur. Inf. Sys. Inf. Anal. Cent.(CSIAC), vol. 1, no. 4, pp. 20–29, 2013.
[15] M. A. Abdrabou, A. D. E. Elbayoumy, and E. A. El-Wanis, “LTE Authentication Protocol (EPS-AKA) Weaknesses Solution,” in Intelligent Computing and Information Systems (ICICIS), 2015 IEEE Seventh International Conference on, 2015, pp. 434–441.
[16] L. Qiang, W. Zhou, B. Cui, and L. Na, “Security analysis of TAU procedure in LTE network,” in P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on, 2014, pp. 372–376.
[17] J. B. Abdo, J. Demerjian, K. Ahmad, H. Chaouchi, and G. Pujolle, “EPS mutual authentication and crypt-analyzing SPAKA,” in Computing, Management and Telecommunications (ComManTel), 2013 International Conference on, 2013, pp. 303–308.
[18] Z. J. Haddad, S. Taha, and I. A. Saroit, “Anonymous authentication and location privacy preserving schemes for LTE-A networks,” Egyptian Informatics Journal, 2017.
[19] X. Li and Y. Wang, “Security enhanced authentication and key agreement protocol for LTE/SAE network,” in Wireless Communications, Networking and Mobile Computing (WiCOM), 2011 7th International Conference on, 2011, pp. 1–4.
[20] J. V. Franklin and K. Paramasivam, “Enhanced Authentication Protocol for Improving Security in 3GPP LTE Networks,” in Proc. International Conference on Information and Network Technology (ICINT 2011), 2011.
[21] J. B. B. Abdo, H. Chaouchi, and M. Aoude, “Ensured confidentiality authentication and key agreement protocol for EPS,” in Broadband Networks and Fast Internet (RELABIRA), 2012 Symposium on, 2012, pp. 73–77.
[22] P.-A. Fouque, C. Onete, and B. Richard, “Achieving Better Privacy for the 3GPP AKA Protocol,” IACR Cryptology ePrint Archive, vol. 2016, p. 480, 2016.
[23] K. Hamandi, I. Sarji, A. Chehab, I. H. Elhajj, and A. Kayssi, “Privacy enhanced and computationally efficient HSK-AKA LTE scheme,” in Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on, 2013, pp. 929–934.
[24] G. Escudero-Andreu, C. P. Raphael, and D. J. Parish, “Analysis and design of security for next generation 4G cellular networks,” in The 13th annual post graduate symposium on the convergence of telecommunications, networking and broadcasting (PGNET), 2012.
[25] 3GPP, “Rationale and Track of Security Decisions in Long Term Evolved (LTE) RAN / 3GPP System Architecture Evolution,” TR 33.821, Tech. Report. 9.0.0, 2009.
[26] K. Hamandi, I. Sarji, I. H. Elhajj, A. Chehab, and A. Kayssi, “W-AKA: Privacy-enhanced LTE-AKA using secured channel over Wi-Fi,” in Wireless Telecommunications Symposium (WTS), 2013, 2013, pp. 1–6.
[27] J. Cichonski, J. M. Franklin, and M. Bartock, “LTE Architecture Overview and Security Analysis,” NIST Draft NISTIR, vol. 8071, 2016.
[28] C.-K. Han and H.-K. Choi, “Security analysis of handover key management in 4G LTE/SAE networks,” IEEE Transactions on Mobile Computing, vol. 13, no. 2, pp. 457–468, 2014.
[29] A. N. Bikos and N. Sklavos, “LTE/SAE security issues on 4G wireless networks,” IEEE Security & Privacy, vol. 11, no. 2, pp. 55–62, 2013.
[30] S. Alt, P.-A. Fouque, G. Macario-Rat, C. Onete, and B. Richard, “A Cryptographic Analysis of UMTS/LTE AKA,” in International Conference on Applied Cryptography and Network Security, 2016, pp. 18–35.
[31] M. Arapinis et al., “New privacy issues in mobile telephony: fix and verification,” in Proceedings of the 2012 ACM conference on Computer and communications security, 2012, pp. 205–216.
[32] M.-F. Lee, N. P. Smart, B. Warinschi, and G. J. Watson, “Anonymity guarantees of the UMTS/LTE authentication and connection protocol,” International journal of information security, vol. 13, no. 6, pp. 513–527, 2014.
[33] S. Othmen, F. Zarai, M. S. Obaidat, and A. Belghith, “Re-authentication protocol from WLAN to LTE (ReP WLAN-LTE),” in Global Communications Conference (GLOBECOM), 2013 IEEE, 2013, pp. 1446–1451.
[34] Y. E. H. El Idrissi, N. Zahid, and M. Jedra, “Security analysis of 3GPP (LTE)—WLAN interworking and a new local authentication method based on EAP-AKA,” in Future Generation Communication Technology (FGCT), 2012 International Conference on, 2012, pp. 137–142.
[35] H. Mun, K. Han, and K. Kim, “3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA,” in Wireless Telecommunications Symposium, 2009. WTS 2009, 2009, pp. 1–8.
[36] Y. Park and T. Park, “A survey of security threats on 4G networks,” in Globecom Workshops, 2007 IEEE, 2007, pp. 1–6.
[37] N. Alliance, “5G white paper,” Next generation mobile networks, white paper, 2015.
[38] P. Schneider and G. Horn, “Towards 5G security,” in Trustcom/BigDataSE/ISPA, 2015 IEEE, 2015, vol. 1, pp. 1165–1170.
[39] 5G Ensure Project, “Deliverable D2.4 Security Architecture (draft),” 2016.
[40] J. Li, M. Wen, and T. Zhang, “Group-based authentication and key agreement with dynamic policy updating for MTC in LTE-A Networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 408–417, 2016.
[41] W.-T. Su, W.-M. Wong, and W.-C. Chen, “A survey of performance improvement by group-based authentication in iot,” in Applied System Innovation (ICASI), 2016 International Conference on, 2016, pp. 1–4.
[42] R. Giustolisi and C. Gerhmann, “Threats to 5G group-based authentication,” in 13th International Conference on Security and Cryptography (SECRYPT 2016), 26-28 July 2016, Madrid, Spain, 2016.
[43] X. Foukas, G. Patounas, A. Elmokashfi, and M. K. Marina, “Network Slicing in 5G: Survey and Challenges,” IEEE Communications Magazine, vol. 55, no. 5, pp. 94–100, 2017.
[44] B. Chatras, U. S. T. Kwong, and N. Bihannic, “NFV enabling network slicing for 5G,” in Innovations in Clouds, Internet and Networks (ICIN), 2017 20th Conference on, 2017, pp. 219–225.
[45] 3GPP, “System Architecture for the 5G System,” TS 23.501, Tech. Spec. 1.4.0, 2017.
[46] J. Ordonez-Lucena, P. Ameigeiras, D. Lopez, J. J. Ramos-Munoz, J. Lorca, and J. Folgueira, “Network Slicing for 5G with SDN/NFV: Concepts, Architectures, and Challenges,” IEEE Communications Magazine, vol. 55, no. 5, pp. 80–87, 2017.
[47] K. Katsalis, N. Nikaein, E. Schiller, A. Ksentini, and T. Braun, “Network Slices toward 5G Communications: Slicing the LTE Network,” IEEE Communications Magazine, vol. 55, no. 8, pp. 146–154, 2017.
[48] P. Rost et al., “Network Slicing to Enable Scalability and Flexibility in 5G Mobile Networks,” IEEE Communications Magazine, vol. 55, no. 5, pp. 72–79, 2017.
[49] 5G Ensure Project, “Deliverable D2.1 Use Cases,” 2016.
[50] 5GPP, “5G PPP Phase1 Security Landscape”, white paper, 2017.
[51] 3GPP, “Study of Security Aspects of the Next Generation System,” TR 33.899, Tech. Report. 1.3.0, 2017.
