Authentication and Authorization Applications in 4G Networks

Libor Dostálek
dostalek@prf.jcu.cz
Faculty of Science, University of South Bohemia
Ceske Budejovice, Czech Republic

Abstract

The principle of 4G mobile networks implies that users are constantly connected to the network. Voice calls will also be carried over this network (VoLTE). This contribution discusses the possibility of strong authentication for applications running on mobile devices. It deals with the possibility of combining the AKA algorithm with other authentication algorithms. Combining the two algorithms creates strong multifactor authentication, which is suitable for applications demanding highly secure authentication, such as Internet banking or Internet access to Government applications.

Keywords: Authentication, Smart Card, Security, Strong Password Authentication, Mobile Application Authentication.

1 Introduction

Currently, there is a mass deployment of LTE in mobile networks. The next step is to deploy VoLTE (Voice over LTE), which uses technology similar to VoIP (i.e. the TCP/IP family of application protocols such as SIP, SDP, RTP etc.). For authentication in the application protocols that implement VoLTE, USIM/ISIM smart cards will be used. This USIM/ISIM-based authentication uses the so-called AKA mechanism, which relies on a secret shared between the USIM/ISIM and the users' Authentication Center. Current mobile applications typically use password authentication. Since the SIP protocol uses the same authentication mechanisms as HTTP, it clearly opens the possibility of using USIM/ISIM authentication for mobile web applications.
The authentication method based on the AKA mechanism, however, has its drawbacks. For example, AKA authenticates the user for the whole time from the user's login to the network until the user logs off. If the network needs to re-authenticate the mobile device, it may authenticate the user silently (e.g. on transition to roaming), i.e. perform authentication without user intervention (without entering a PIN). Another disadvantage is that the shared secret for the AKA authentication mechanism is administered by the mobile operator. For many applications it would be advantageous to implement a second authentication factor administered by the owner of the server, so that authentication is not completely under the control of the mobile operator.

Mobile equipment is a computer with smart card authentication/authorization (unlike the PC). In the future it will be possible to develop entirely new types of applications, such as the secure sale of public transport tickets (SMS tickets are the cause of many frauds).

At present, many Internet applications are accessed from smart phones. If Internet applications require authentication, a number of authentication methods are available, e.g.:

1. Native authentication methods in 3G/4G networks based on the AKA mechanism, which is described below. This authentication is undoubtedly cryptographically strong. Its disadvantage is that in practice it is used for authenticating the mobile device to the network. To understand the problem, consider a practical example. The user turns on the mobile device and enters a PIN, which opens access to the secret on the USIM/ISIM. Next, network services silently authenticate the user, without requiring user intervention. An attacker could steal mobile equipment with a logged-in user and subsequently easily exploit the mobile device. Therefore, this kind of authentication is often called equipment authentication.

2. Password authentication is typical user authentication.
Generally, this authentication method is unfortunately considered weak, so applications such as home banking or e-government seek other mechanisms.

3. Strong password authentication covers more sophisticated password authentication methods which are resistant against known attacks (sniffing or elicitation of password, password-file compromise attack, guessing
attack, forgery attack, impersonation attack, stolen-verifier attack, replay attack etc.).

4. Authentication based on public key certificates (PKI). The problem is where the mobile device can securely store the private keys.

5. External devices such as authentication calculators generating one-time passwords. The main disadvantage of this solution is that the user must take care of an additional device, which he may find disagreeable.

Using multiple authentication methods independently does not increase security. Our idea is to combine (to breed) methods 1 and 3 into a common multifactor authentication. The first factor is equipment authentication based on the AKA mechanism and the second factor is strong password authentication.

2 Ease of Use

The envisaged solution imposes no additional requirements on the functionality of the mobile device, on the contents of the USIM/ISIM card, or on the mobile infrastructure. The envisaged solution could be implemented as a software application.

3 AKA mechanism

Parties: A (Mobile), holding K; B (Network); Authentication center, holding K.

AKA1: I want to access
AKA2: Please generate AV for A
    Authentication center:
    1. Generate:
       o RAND
       o SQN
    2. Run authentication function (Fig. 2)
AKA3: AV=(RAND, RES, SQN AK, AMF, MAC-A)
AKA4: RAND, SQN AK, AMF, MAC-A
    A (Mobile):
    1. Compute SQN using f5 (SQN AK AK=SQN)
    2. Run authentication function (Fig. 2)
    3. If MAC-A computed by A equals MAC-A from AV, then B is authenticated.
AKA5: RES
    B (Network):
    If RES obtained from A equals RES from AV, then A is authenticated.

Figure 1: AKA mechanism.
AKA (Authentication and Key Agreement) is a security protocol used in 3G/4G mobile networks for mutual authentication and agreement on cryptographic material (Figure 1). AKA is specified in [2]. In AKA (Figure 1) there are three communicating parties:

- A (mobile), usually mobile equipment. A is equipped with a USIM/ISIM containing the shared secret K.
- B (network), e.g. the P-CSCF in IMS.
- Authentication center, e.g. part of the Home Subscriber Server in IMS.

[Diagram: inputs K, SQN, RAND, AMF; functions f1, f2, f3, f4, f5; outputs MAC-A, XRES, CK, IK, AK; an XOR block with output SQN AK.]

K - shared secret
AMF - known string
SQN - sequence number
RAND - random number
MAC-A - one-time password for network authentication
RES - one-time password for user equipment authentication
CK - ciphering key
IK - integrity key
AK - anonymization key for SEQ
f1-f5 - one-way functions
XOR - binary operation

Figure 2: Functions f1-f5.

Parties A (mobile) and Authentication center:

- share the secret key K (shared secret), different for each USIM/ISIM,
- maintain the sequence number SEQ of authentication.

AKA uses the one-way functions f1, f2, f3, f4 and f5 defined in [3]. In addition there is the well-known string AMF. The AKA mechanism (Figure 1) is as follows:

AKA-1: A (mobile) wants to be granted access (it wants to authenticate itself and also to authenticate the network).
AKA-2: B (network) sends the identification of A to the Authentication center.
AKA-3: The Authentication center, on behalf of B:
  - Generates a random number RAND.
  - Generates the next sequence number SEQ of authentication.
  - Runs the authentication functions (Figure 2) and generates the authentication vector AV = (RAND, RES, SQN AK, AMF, MAC-A), where RES is a one-time password for authentication of A and MAC-A is a one-time password for authentication of B.
  - Sends AV to B.
AKA-4: B stores RES from the authentication vector AV and sends RAND, SQN AK, AMF and MAC-A to A.
AKA-5: A computes SQN using function f5. A runs the rest of the authentication functions (Figure 2) and:
  - If MAC-A computed by A equals MAC-A from AV, then B (network) is authenticated.
  - Generates RES and sends it to B.
B compares the RES obtained from A with the saved RES from AV. If they are equal, then A is authenticated.

AKA is intended for mutual silent authentication. The word silent means that the user signs on once (after switching on the mobile equipment the user enters a PIN to open access to the shared secret K) and applications in the mobile equipment then silently run, in the background, the particular authentication to specific required network services without user intervention.

4 Secure Hash-Based Password Authentication Protocol

It is necessary to choose a suitable algorithm for password authentication. Security demands on the selected algorithm:

- Resistance to sniffing or elicitation of password.
- Resistance to Password-File Compromise Attack.
- Resistance to Denial-of-Service Attack.
- Resistance to Guessing Attack. Guessing Attack stands for an adversary's attempting to guess the user's private information.
- Resistance to Forgery Attack, whereby unauthorized commands are transmitted from a user to a server.
- Resistance to Impersonation Attack. Impersonation attack stands for an adversary masquerading as a legitimate user by stealing or changing the message in a protocol.
- Resistance to Replay Attack. Replay Attack stands for an adversary storing a message in a previous session, then the adversary sends the message in the current session to masquerade as a legitimate user.
- Resistance to Stolen-Verifier Attack. Stolen-Verifier Attack means that an adversary has a user's verifier, stolen from a server, and then impersonates the user with the stolen verifier. Stolen-Verifier Attack stands for an adversary who has stolen a user's verifier from a server. He/she can masquerade as the user, using the stolen verifier without any other attack, such as Guessing Attack.

Symbol        Meaning
U             denotes the user
S             denotes the server
U_id or ID    denote the identification of the user
X_S           denotes secret key of S
P             denotes the password of U
K_u           is a randomly generated key selected by U and shared with the server and stored in secure storage in a smartcard
r_n           denotes a random nonce generated by U or S
T_s           denotes timestamp
E_Kpu         denotes encryption with public key of S with cryptographically secure public key algorithm
D_Kpr         denotes decryption with the private key of S
E_Spu(M)      denotes encryption of M with the public key of S when U sends M to S
D_Spr(M)      denotes decryption of M with the private key of S when U's E_Spu(M) decrypts
              denotes the bitwise XOR operation
              denotes concatenation
Auth_Q        denote the authentication question for the registration, forget password, and password/verifier change Phases
Auth_A        denote the authentication answer for the registration, forget password, and password/verifier change Phases
h()           denotes a cryptographic hash function
The Secure Hash-Based Password Authentication Protocol described in [1] was selected. The selected authentication algorithm [1] consists of the following phases:

- Simple user registration: during registration, client and server may exchange cryptographic material over a secure channel.
- User authentication (login to the application).
- Forget-Password Phase.
- Password Change Phase.

Below we describe the registration phase and the authentication phase of this algorithm.

4.1 Registration Phase

User U:
    Input ID, P and generate K_u
    PV=h(K_u P) K_u
R1: { ID, PV }
Server S:
    Store: IDX=E_Kpu(h(ID X_S)) X_S
R2: { Auth_Q }
R3: E_Spu(K_u, P, Auth_Q Auth_A)
Server S:
    Decrypt R by S's secret key
    Compute PV' using K_u, P in R3.
    Verify if PV = PV'
    Store: XPV=E_Kpu(h(PV K_u)) X_S
           UKP=E_Kpu(ID, K_u, P)
           QAK=E_Kpu(Auth_Q Auth_A)
R4: { h(ID X_S) }
User U:
    Compute and store on smart card:
    KP= K_u P
    XP=h(ID X_S) P

Figure 3: Registration Phase.

We have two parties: user U and server S (Figure 3). In the registration phase U and S exchange four messages R1, R2, R3 and R4. Furthermore, we assume that the user
U has a public key certificate of S. This session assumes the use of a secure channel. Figure 3 shows the registration phase and the detailed steps are as follows:

Step R1: U S: {ID, PV}
U inputs his ID and password P, generates K_u, and computes the password verifier PV=h(K_u P) K_u. U sends ID and PV to S as a registration request.

Step R2: S U: {Auth_Q}
S computes IDX=E_Kpu(h(ID X_S)) X_S and stores it in S's password file. Now S generates a random Auth_Q and sends it to U.

Step R3: U S: {R = E_Spu(K_u, P, Auth_Q Auth_A)}
U inputs Auth_A as an answer to the authentication question Auth_Q and computes Auth_Q Auth_A. Next, U encrypts (K_u, P, Auth_Q Auth_A) with Spu and sends it to S.

Step R4: S U: {h(ID X_S)}
When S receives R3, S decrypts it and computes PV' using K_u and P from R. S then compares PV' with the PV received in R1. If they are equal, S stores XPV=E_Kpu(h(PV K_u)) X_S, UKP=E_Kpu(ID, K_u, P) and QAK=E_Kpu(Auth_Q Auth_A). Now S sends h(ID X_S) to U. U stores in the smartcard: KP= K_u P and XP=h(ID X_S) P.

4.2 Login Phase

This phase uses the challenge-response method as protection from replay attacks. Figure 4 shows the login phase and the detailed steps are as follows:

Step L1: U S: E_Spu(XP, ID, r_1)
U inserts his/her smartcard into the card reader and inputs ID and P. Next, U generates a nonce r_1 and encrypts XP, r_1 and ID with Spu. U then sends the result to S as a login request.

Step L2: S U: CA_1, r_2
When S receives L1, S decrypts it and computes G_1=h(ID X_S) and G_2=D_Kpr(IDX X_S)=h(ID X_S) by decrypting IDX X_S with S's private key Kpr. S then compares G_1 with G_2. If they are equal, S computes P=XP G_2 and CA_1=h(ID P) r_1, generates a nonce r_2, and sends them to U.

Step L3: U S: L = h(h(PV K_u) r_2) h(PV K_u) r_2
U computes CA_2=h(ID P) r_1 and compares CA_2 with the received CA_1. If they are equal, U computes L=h(h(PV K_u) r_2) h(PV K_u) r_2, and sends L to S. When S receives L, S computes CB_1=L r_2 and computes CB_2=D_Kpr(XPV X_S)= h(PV K_u) and CB_3=h(CB_2 r_2) CB_2 and compares CB_3 with CB_1. If they are equal, U authenticates S.

User U holds: KP= K_u PW, XP=h(ID X_S) PW
Server S holds: IDX=E_Kpu(h(ID X_S)) X_S

User U:
    Generate random nonce r_1
L1: { E_Spu(XP, ID, r_1) }
Server S:
    D_Spr(E_Spu(XP, ID, r_1))=(XP, ID, r_1)
    Compute: G_1=h(ID X_S)
             G_2=D_Kpr(IDX X_S)=h(ID X_S)
    Verify: G_1=G_2
    Generate random nonce r_2
    Compute: PW=XP G_2
             CA_1=h(ID PW) r_1
L2: { CA_1, r_2 }
User U:
    Compute: CA_2=h(ID PW) r_1
    If: CA_1=CA_2, network authenticated
    Compute: L=h(h(PV K_u) r_2) h(PV K_u) r_2
L3: { L }
Server S:
    CB_1=L r_2
    CB_2=D_Kpu(XPV X_S)
    CB_3=h(CB_2 r_2) CB_2
    Verify CB_1=CB_3: user authenticated

Figure 4: Login Phase.

5 Strong authentication for mobile application

As the method of strong password authentication I chose the Secure Hash-Based Password Authentication Protocol [1]. This method meets the requirements set out in the section Introduction. The proposed solution creates multifactor authentication by merging AKA and [1]. Assume that the user is registered:
- In terms of [1]: mobile user U and Application function S (server) have exchanged the four messages R1, R2, R3 and R4.
- In terms of the AKA mechanism: the user is equipped with a USIM/ISIM smart card which shares the secret K with the Authentication Center AuC.

Mobile user U holds: KP, XP, K
Application function S holds: XPV, UKP, IDX, QAK
Authentication center AuC holds: K

Mobile user U:
    In smartcard: KP= K_u P, XP=h(ID X_S) P
    Generate random nonce r_1
X1: { E_Spu(XP, ID, r_1) }
Application function S:
    D_Spr(E_Spu(XP, ID, r_1))
    Compute: G_1=h(ID X_S)
             G_2=D_Kpr(IDX X_S)=h(ID X_S)
    Verify if G_1 = G_2
    Compute: P = XP G_2
             CA_1= h(ID P) r_1
AKA2: Please generate AV for A
Authentication center AuC:
    1. Generate: RAND, SQN
    2. Run authentication function (Fig. 2)
AKA3: AV=(RAND, RES, SQN AK, AMF, MAC-A)
X2: { CA_1, RAND, SQN AK, AMF, MAC-A }
Mobile user U:
    1. Compute SQN using f5 (SQN AK AK=SQN)
    2. Run authentication function (Fig. 2)
    3. If MAC-A computed by A equals MAC-A from AV, then B is authenticated.
    4. Compute CA_2= h(ID P) r_1
    5. Verify if CA_1 = CA_2
    6. Compute: L=h(h(PV K_u) RES) h(PV K_u) RES
X3: { L }
Application function S:
    CB_1=L RES
    CB_2= D_Kpu(XPV X_S)
    CB_3=h(CB_2 RES) CB_2
    Verify if CB_1 = CB_3: user is approved

Figure 5: Strong authentication for mobile application.

In the proposed authentication, mobile user U and Application function S exchange three messages X1, X2 and X3 (Figure 5):

Step X1: U S: {E_Spu(XP, ID, r_1)}
This step is similar to step L1 in [1]. In addition, this step covers step AKA1 (Figure 1). Subsequently Application function S asks the Authentication center AuC for
generating an authentication vector AV for mobile user U (step AKA2). The Authentication center returns AV (step AKA3).

Step X2: S U: {CA_1, RAND, SQN AK, AMF, MAC-A}
When S receives X1, S decrypts it and computes G_1=h(ID X_S) and G_2=D_Kpr(IDX X_S)=h(ID X_S). S then compares G_1 with G_2. If they are equal, S computes P=XP G_2 and CA_1=h(ID P) r_1. S does not generate the nonce r_2 of [1]; RES is used instead. S cuts RES from the AV obtained in step AKA3 and saves it. The rest, CA_1, RAND, SQN AK, AMF and MAC-A, is sent to U.

Step X3: U S: {L}
U computes the sequence number SQN using function f5, runs the authentication functions (Figure 2) and:
- If MAC-A computed by U equals MAC-A from X2, then the Application function (server) is authenticated.
- Generates RES and uses it for the subsequent computation of L.
U computes CA_2=h(ID P) r_1 and compares CA_2 with the received CA_1. If they are equal, U computes L=h(h(PV K_u) RES) h(PV K_u) RES, and sends L to S. When S receives L, S computes CB_1=L RES and computes CB_2=D_Kpu(XPV X_S) =h(PV K_u) and CB_3=h(CB_2 RES) CB_2 and compares CB_3 with CB_1. If they are equal, mobile user U is authenticated to the Application function.

6 Conclusion

While the AKA mechanism of 3G/4G mobile networks is used for device authentication, password authentication is the typical user authentication into an application. Breeding both authentication methods forms strong multifactor authentication. The result is strong two-factor authentication:

- Equipment authentication: this is itself two-factor authentication (USIM/ISIM + PIN). This authentication is controlled by the operator, but can be used by an Application Service Provider [4].
- Secure Hash-Based Password Authentication Protocol. This authentication is fully under the control of the Application Service Provider.
In practice, it can be used e.g. in the sale of tickets for public transport. We assume that the user is constantly connected to the network, which follows from the principle of VoLTE (Figure 6):

[Diagram: User U, Server S and Revision of ticket. Labels: AKA & Secure Password Authentication; Ticket order; Ticket; Ticket with public subscriber's identity generation; Ticket; Public subscriber's identity verification (sending random image); Ticket verification.]

Figure 6: Sales and revision of tickets.

1. Perform the strong authentication as described in the previous chapter, i.e. the user and the server mutually authenticate.
2. The user U orders a ticket.
3. S generates a ticket containing the saved public identity of U and sends the ticket to U.
4. During the revision of the ticket the following are verified:
   - Validity of the ticket (it depends on the kind of ticket).
   - Validity of the ticket holder, i.e. whether the ticket was purchased by the user U on his mobile equipment. The public identity of the holder is extracted from the ticket, and a random image is sent to this public identity.
5. If U receives the image, then he has a valid ticket.
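
The AKA exchange of Section 3 and the use of RES in place of the nonce r_2 in steps X2 and X3 of Section 5, as an added Python example that is not code from the paper or from [1]. Assumptions: f1, f2 and f5 are HMAC-SHA-256 stand-ins rather than the functions of [3], every field is 32 bytes, SQN is masked with AK by XOR, the operators in L (concatenation inside h, XOR outside) are chosen so that the CB_1 = CB_3 check holds, and all function names are illustrative.

```python
import hashlib, hmac, os

AMF = b"\x80\x00"  # constructed value for the well-known string AMF

def f(i, k, *parts):
    # Stand-in for one-way functions f1..f5 (assumption: HMAC-SHA-256, not [3])
    return hmac.new(k, bytes([i]) + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_generate_av(k, sqn):
    """AKA3: the Authentication center builds AV from K, a fresh RAND and SQN."""
    rand, sqn_b = os.urandom(16), sqn.to_bytes(32, "big")
    return {"RAND": rand, "RES": f(2, k, rand),
            "SQN_AK": xor(sqn_b, f(5, k, rand)), "AMF": AMF,
            "MAC_A": f(1, k, sqn_b, rand, AMF)}

def mobile_respond(k, last_sqn, x2):
    """Mobile side: authenticate the network, then produce RES."""
    sqn_b = xor(x2["SQN_AK"], f(5, k, x2["RAND"]))  # unmask SQN with AK from f5
    mac_a = f(1, k, sqn_b, x2["RAND"], x2["AMF"])
    if not hmac.compare_digest(mac_a, x2["MAC_A"]):
        raise ValueError("MAC-A mismatch: network not authenticated")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:  # sequence number must advance, else it is a replay
        raise ValueError("stale SQN: replayed challenge")
    return f(2, k, x2["RAND"]), sqn

def login_response(h_pv_ku, res):
    """X3 on U: L computed with RES where the login phase of [1] uses r_2."""
    return xor(xor(hashlib.sha256(h_pv_ku + res).digest(), h_pv_ku), res)

def server_verify(cb2, saved_res, l_msg):
    """X3 on S: CB_1 from L and the saved RES, CB_3 from CB_2; accept if equal."""
    cb1 = xor(l_msg, saved_res)
    cb3 = xor(hashlib.sha256(cb2 + saved_res).digest(), cb2)
    return hmac.compare_digest(cb1, cb3)

def run_exchange():
    k = os.urandom(16)  # shared secret K: on the USIM/ISIM and in the AuC
    cb2 = hashlib.sha256(b"constructed PV and K_u").digest()  # stands for h(PV K_u)
    av = auc_generate_av(k, sqn=42)
    saved_res = av.pop("RES")  # S keeps RES; the rest of AV goes to U in X2
    res, _ = mobile_respond(k, last_sqn=41, x2=av)
    return server_verify(cb2, saved_res, login_response(cb2, res))

if __name__ == "__main__":
    print("user approved:", run_exchange())
```

A wrong K fails at the MAC-A check on the mobile, and a wrong password verifier fails at the CB_1 = CB_3 comparison on the server, so the response L is accepted only when both factors are present.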
References

[1] Jung, Hyunhee; Kim, Hyun Sung: Secure Hash-Based Password Authentication Protocol Using Smartcards. In: Murgante, B.; Gervasi, O.; Iglesias, A.; et al. (eds.), 11th International Conference on Computational Science and Its Applications (ICCSA), Part V, Lecture Notes in Computer Science, Volume 6786, Pages 593-606, 2011.
[2] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; 3G Security; Security architecture (Release 11), 3GPP TS 33.102, version 12.2., 2014.
[3] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General (Release 11), 3GPP TS 35.205, 2014.
[4] 3rd Generation Partnership Project: Technical Specification Group Services and System Aspects; Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) (Release 12), 3GPP TS 33.220 V12.3.0, 2014.