Skip to main content
SpringerLink
Log in

Defeating the Downgrade Attack on Identity Privacy in 5G

  • Conference paper
  • First Online:
Security Standardisation Research (SSR 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11322))

Included in the following conference series:

Abstract

3GPP Release 15, the first 5G standard, includes protection of user identity privacy against IMSI catchers. These protection mechanisms are based on public key encryption. Despite this protection, IMSI catching is still possible in LTE networks which opens the possibility of a downgrade attack on user identity privacy, where a fake LTE base station obtains the identity of a 5G user equipment. We propose (i) to use an existing pseudonym-based solution to protect user identity privacy of 5G user equipment against IMSI catchers in LTE and (ii) to include a mechanism for updating LTE pseudonyms in the public key encryption based 5G identity privacy procedure. The latter helps to recover from a loss of synchronization of LTE pseudonyms. Using this mechanism, pseudonyms in the user equipment and home network are automatically synchronized when the user equipment connects to 5G. Our mechanisms utilize existing LTE and 3GPP Release 15 messages and require modifications only in the user equipment and home network in order to provide identity privacy. Additionally, lawful interception requires minor patching in the serving network.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The notation used in this paper is summarized in Appendix A.

  2. 2.

    The first five to six digits of the IMSI identify the country and the home network of the mobile user. Even though these digits allow linkability in certain cases, (e.g., if in a visited network there is only one roaming UE from a specific country), these digits are not randomized, because they are needed to route initial requests for authentication data for roaming UE to the correct home network.

  3. 3.

    The standard [6] does not require the HN to provision \( pk \) into every UE. If HN has not provisioned its \( pk \) into a UE, then that UE will not conceal its long-term identity with this mechanism.

References

  1. Soltani, A., Timberg, C.: Tech firm tries to pull back curtain on surveillance efforts in Washington, September 2014. https://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html?utm_term=.96e31aa4440b. Accessed 14 July 2017

  2. PKI Electronic Intelligence: 3G UMTS IMSI Catcher. http://www.pki-electronic.com/products/interception-and-monitoring-systems/3g-umts-imsi-catcher/. Accessed 6 July 2018

  3. Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., Weippl, E.: IMSI-catch me if you can: IMSI-catcher-catchers. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 246–255. ACM, New York (2014)

    Google Scholar 

  4. Ney, P., Smith, J., Gabriel, C., Tadayoshi, K.: SeaGlass: enabling city-wide IMSI-catcher detection. In: Proceedings on Privacy Enhancing Technologies. PoPETs (2017)

    Google Scholar 

  5. 3GPP: TS 22.261 Service requirements for next generation new services and markets (2018). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3107

  6. 3GPP: TS 33.501 Security architecture and procedures for 5G System, March 2018. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169

  7. Van den Broek, F., Verdult, R., de Ruiter, J.: Defeating IMSI catchers. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM (2015)

    Google Scholar 

  8. Khan, M.S.A., Mitchell, C.J.: Improving air interface user privacy in mobile telephony. In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 165–184. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27152-1_9

    Chapter  Google Scholar 

  9. Norrman, K., Näslund, M., Dubrova, E.: Protecting IMSI and user privacy in 5G networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016. ICST (2016)

    Google Scholar 

  10. Ginzboorg, P., Niemi, V.: Privacy of the long-term identities in cellular networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016. ICST (2016)

    Google Scholar 

  11. Khan, M., Mitchell, C.: Trashing IMSI catchers in mobile networks. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017), Boston, USA, 18–20 July 2017. Association for Computing Machinery (ACM), United States, May 2017

    Google Scholar 

  12. Khan, M., Järvinen, K., Ginzboorg, P., Niemi, V.: On de-synchronization of user pseudonyms in mobile networks. In: Shyamasundar, R.K., Singh, V., Vaidya, J. (eds.) ICISS 2017. LNCS, vol. 10717, pp. 347–366. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72598-7_22

    Chapter  Google Scholar 

  13. 3GPP: TS 23.003, 15.4.0 Numbering, addressing and identification, June 2018. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729

  14. 3GPP: TS 23.501 System Architecture for the 5G System (2018). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144

  15. Khan, M., Ginzboorg, P., Niemi, V.: IMSI-based routing and identity privacy in 5G. In: Proceedings of the 22nd Conference of Open Innovations Association FRUCT, Jyvaskyla, Finland, May 2018

    Google Scholar 

  16. 3GPP: TS 33.401 V15.0.0 Security architecture (Release 15), June 2017. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2296

  17. 3GPP: TS 23.012 V14.0.0 Location management procedures (Release 14), March 2017. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=735

  18. Herzberg, A., Krawczyk, H., Tsudik, G.: On travelling incognito. In: 1994 First Workshop on Mobile Computing Systems and Applications. IEEE Xplore (1994)

    Google Scholar 

  19. Asokan, N.: Anonymity in a mobile computing environment. In: First Workshop on Mobile Computing Systems and Applications. IEEE, Santa Cruz (1994)

    Google Scholar 

  20. Køien, G.M.: Privacy enhanced mutual authentication in LTE. In: 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 614–621, October 2013

    Google Scholar 

  21. Khan, M., Niemi, V.: Concealing IMSI in 5G network using identity based encryption. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 544–554. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64701-2_41

    Chapter  Google Scholar 

  22. Certicom Research: SEC 1: Elliptic Curve Cryptography. Standards for Efficient Cryptography, Ver. 2.0, May 2009. http://www.secg.org/sec1-v2.pdf

  23. Certicom Research: SEC 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography, Ver. 2.0, January 2010. http://www.secg.org/sec2-v2.pdf

  24. NIST: Advanced Encryption Standard (AES). FIPS PUB 197 (2001)

    Google Scholar 

  25. NIST: Recommendation for Block Cipher Modes of Operation: Methods and Techniques. SP 800–38A (2001)

    Google Scholar 

  26. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997

    Google Scholar 

  27. NIST: Secure hash standard (SHS). FIPS PUB 180-4 (2012)

    Google Scholar 

  28. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

    Chapter  Google Scholar 

  29. Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748, January 2016

    Google Scholar 

  30. Interactive digital media GmbH: Mobile Country Codes (MCC) and Mobile Network Codes (MNC). http://www.mcc-mnc.com/

  31. Wikipedia: List of mobile network operators. https://en.wikipedia.org/wiki/List_of_mobile_network_operators

  32. 3GPP: TS 33.106: 3G security; Lawful interception requirements (2018). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2265

  33. 3GPP: TS 33.126 V15.0.0 Lawful Interception requirements, June 2018. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3181

Download references

Author information

Authors and Affiliations

  1. University of Helsinki, Helsinki, Finland

    Mohsin Khan, Kimmo Järvinen & Valtteri Niemi

  2. Helsinki Institute for Information Technology, Helsinki, Finland

    Mohsin Khan, Kimmo Järvinen & Valtteri Niemi

  3. Huawei Technologies, Helsinki, Finland

    Philip Ginzboorg

  4. Aalto University, Espoo, Finland

    Philip Ginzboorg

Authors
  1. Mohsin Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Philip Ginzboorg
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kimmo Järvinen
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Valtteri Niemi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohsin Khan .

Editor information

Editors and Affiliations

  1. CISPA-Helmholtz-Zentrum (i.G.), Saarbrücken, Germany

    Cas Cremers

  2. IBM Research Zurich, Rüschlikon, Switzerland

    Anja Lehmann

Appendices

Appendix A Summary of Notation

figure a

Appendix B Algorithms

figure b
figure c
figure d
figure e
figure f
figure g

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Khan, M., Ginzboorg, P., Järvinen, K., Niemi, V. (2018). Defeating the Downgrade Attack on Identity Privacy in 5G. In: Cremers, C., Lehmann, A. (eds) Security Standardisation Research. SSR 2018. Lecture Notes in Computer Science(), vol 11322. Springer, Cham. https://doi.org/10.1007/978-3-030-04762-7_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-04762-7_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04761-0

  • Online ISBN: 978-3-030-04762-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation