A Cryptographic Analysis of UMTS/LTE AKA

  • Stephanie Alt
  • Pierre-Alain Fouque
  • Gilles Macario-rat
  • Cristina Onete
  • Benjamin Richard
Conference paper

DOI: 10.1007/978-3-319-39555-5_2

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9696)
Cite this paper as:
Alt S., Fouque PA., Macario-rat G., Onete C., Richard B. (2016) A Cryptographic Analysis of UMTS/LTE AKA. In: Manulis M., Sadeghi AR., Schneider S. (eds) Applied Cryptography and Network Security. ACNS 2016. Lecture Notes in Computer Science, vol 9696. Springer, Cham

Abstract

Secure communications between mobile subscribers and their associated operator networks require mutual authentication and key deri-vation protocols. The \(\mathsf {3GPP}\) standard provides the \(\mathsf {AKA}\) protocol for just this purpose. Its structure is generic, to be instantiated with a set of seven cryptographic algorithms. The currently-used proposal instantiates these by means of a set of \(\mathsf {AES}\)-based algorithms called \(\mathsf {MILENAGE}\); as an alternative, the ETSI SAGE committee submitted the \(\mathsf {TUAK}\) algorithms, which rely on a truncation of the internal permutation of \(\mathsf {Keccak}\).

In this paper, we provide a formal security analysis of the \(\mathsf {AKA}\) protocol in its complete three-party setting. We formulate requirements with respect to both Man-in-the-Middle (MiM) adversaries, i.e. key-indistinguishability and impersonation security, and to local untrusted serving networks, denoted “servers”, namely state-confidentiality and soundness. We prove that the unmodified \(\mathsf {AKA}\) protocol attains these properties as long as servers cannot be corrupted. Furthermore, adding a unique server identifier suffices to guarantee all the security statements even in in the presence of corrupted servers. We use a modular proof approach: the first step is to prove the security of (modified and unmodified) \(\mathsf {AKA}\) with generic cryptographic algorithms that can be represented as a unitary pseudorandom function –PRF– keyed either with the client’s secret key or with the operator key. A second step proceeds to show that \(\mathsf {TUAK}\) and \(\mathsf {MILENAGE}\) guarantee this type of pseudorandomness, though the guarantee for \(\mathsf {MILENAGE}\) requires a stronger assumption. Our paper provides (to our knowledge) the first complete, rigorous analysis of the original \(\mathsf {AKA}\) protocol and these two instantiations. We stress that such an analysis is important for any protocol deployed in real-life scenarios.

Keywords

Security proof \(\mathsf {AKA}\) protocol \(\mathsf {TUAK}\) \(\mathsf {MILENAGE}\) 

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Stephanie Alt
    • 1
  • Pierre-Alain Fouque
    • 2
  • Gilles Macario-rat
    • 4
  • Cristina Onete
    • 3
  • Benjamin Richard
    • 4
  1. 1.DGA BruzBruzFrance
  2. 2.IRISAUniversity of Rennes 1RennesFrance
  3. 3.INSA/IRISA RennesRennesFrance
  4. 4.Orange LabsChatillonFrance

Personalised recommendations