A Cryptographic Analysis of UMTS/LTE AKA

  • Stephanie Alt
  • Pierre-Alain Fouque
  • Gilles Macario-rat
  • Cristina Onete
  • Benjamin RichardEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9696)


Secure communications between mobile subscribers and their associated operator networks require mutual authentication and key deri-vation protocols. The \(\mathsf {3GPP}\) standard provides the \(\mathsf {AKA}\) protocol for just this purpose. Its structure is generic, to be instantiated with a set of seven cryptographic algorithms. The currently-used proposal instantiates these by means of a set of \(\mathsf {AES}\)-based algorithms called \(\mathsf {MILENAGE}\); as an alternative, the ETSI SAGE committee submitted the \(\mathsf {TUAK}\) algorithms, which rely on a truncation of the internal permutation of \(\mathsf {Keccak}\).

In this paper, we provide a formal security analysis of the \(\mathsf {AKA}\) protocol in its complete three-party setting. We formulate requirements with respect to both Man-in-the-Middle (MiM) adversaries, i.e. key-indistinguishability and impersonation security, and to local untrusted serving networks, denoted “servers”, namely state-confidentiality and soundness. We prove that the unmodified \(\mathsf {AKA}\) protocol attains these properties as long as servers cannot be corrupted. Furthermore, adding a unique server identifier suffices to guarantee all the security statements even in in the presence of corrupted servers. We use a modular proof approach: the first step is to prove the security of (modified and unmodified) \(\mathsf {AKA}\) with generic cryptographic algorithms that can be represented as a unitary pseudorandom function –PRF– keyed either with the client’s secret key or with the operator key. A second step proceeds to show that \(\mathsf {TUAK}\) and \(\mathsf {MILENAGE}\) guarantee this type of pseudorandomness, though the guarantee for \(\mathsf {MILENAGE}\) requires a stronger assumption. Our paper provides (to our knowledge) the first complete, rigorous analysis of the original \(\mathsf {AKA}\) protocol and these two instantiations. We stress that such an analysis is important for any protocol deployed in real-life scenarios.


Security proof \(\mathsf {AKA}\) protocol \(\mathsf {TUAK}\) \(\mathsf {MILENAGE}\) 


  1. 1.
    3GPP: 3G Security, Specification of the MILENAGE algorithm set: an example algorithm set for the 3Gpp. Authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: algorithm specification. TS 35.206, 3rd Generation Partnership Project (3GPP), June 2007Google Scholar
  2. 2.
    3GPP: 3G Security, Specification of the TUAK algorithm set: a 2nd example for the 3Gpp. Authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5* \(-\) Document 1: algorithm specification. TS 35.231, 3rd Generation Partnership Project (3GPP), June 2013Google Scholar
  3. 3.
    Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., Seifert, J.-P.: Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In: Accepted to NDSS 2016 (2016)Google Scholar
  4. 4.
    Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied Pi calculus. In: Proceedings of the CSF 2010, pp. 107–121 (2010)Google Scholar
  5. 5.
    Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: Proceedings of ACM CCSGoogle Scholar
  6. 6.
    Arapinis, M., Ritter, E., Ryan, M.D.: StatVerif: verification of stateful processes. In: Proceedings of CSF 2011, pp. 33–47 (2011)Google Scholar
  7. 7.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Blanchet, B.: Automatic verification of security protocols in the symbolic model: the verifier ProVerif. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD VII. LNCS, vol. 8604, pp. 54–87. Springer, Heidelberg (2014)Google Scholar
  11. 11.
    Gilbert, H.: The security of “One-Block-to-Many” modes of operation. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 376–395. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPsGoogle Scholar
  13. 13.
    Lee, M., Smart, N., Warinschi, B., Watson, G.: Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Int. J. Inf. Sec. 13(6), 513–527 (2014)CrossRefGoogle Scholar
  14. 14.
    Strobel, D.: IMSI catcher. In: Seminar Work, Ruhr-Universitat Bochum (2007)Google Scholar
  15. 15.
    Zhang, M.: Provably-Secure Enhancement on 3Gpp. Authentication and Key Agreement Protocol. In: IACR Cryptology ePrint Archive 2003, p. 92 (2003).
  16. 16.
    Zhang, M., Fang, Y.: Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Trans. Wirel. Commun. 4(2), 734–742 (2005)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Stephanie Alt
    • 1
  • Pierre-Alain Fouque
    • 2
  • Gilles Macario-rat
    • 4
  • Cristina Onete
    • 3
  • Benjamin Richard
    • 4
    Email author
  1. 1.DGA BruzBruzFrance
  2. 2.IRISAUniversity of Rennes 1RennesFrance
  3. 3.INSA/IRISA RennesRennesFrance
  4. 4.Orange LabsChatillonFrance

Personalised recommendations