Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion

  title={Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion},
  author={Cas J. F. Cremers and Martin Dehnel-Wild},
  journal={Proceedings 2019 Network and Distributed System Security Symposium},
The 5G mobile telephony standards are nearing completion; upon adoption these will be used by billions across the globe. Ensuring the security of 5G communication is of the utmost importance, building trust in a critical component of everyday life and national infrastructure. We perform fine-grained formal analysis of 5G’s main authentication and key agreement protocol (AKA), and provide the first models to explicitly consider all parties defined by the protocol specification. Our analysis… 

Figures from this paper

Privacy-Preserving and Standard-Compatible AKA Protocol for 5G
This paper proposes a privacy-preserving solution for the AKA protocol of 5G system denoted by 5G-AKA, which is resistant to linkability attacks performed by active attackers, and is compatible with the SIM cards and currently deployed Serving Networks (SNs).
Formalizing and Verifying Generations of AKA Protocols Master Thesis
The analysis shows that newer AKA protocol variants improve security guarantees compared to older variants, however, the newest standard is still unable to satisfy certain security properties without extra assumptions that are not part of the actual protocol specification.
Formal Analysis of 5G EAP-TLS Authentication Protocol Using Proverif
This work builds the first formal model of the 5G EAP-TLS authentication protocol in the applied pi calculus, and performs an automated security analysis of the formal protocol model by using the ProVerif model checker.
On the Efficacy of New Privacy Attacks against 5G AKA
The analysis reveal that the activity monitoring attack is not as effective against 5G as it is against the previous generations (3G/4G) and the location confidentiality attack is a direct extension of an existing privacy vulnerability that affects all generations of mobile telephony in a much severe manner.
Dependability Analysis of 5G-AKA Authentication Service From Server and User Perspectives
The continuous-time Markov chain (CTMC) models are developed to capture the operational details of the 5G-AKA authentication services when facing the service failure and derive formulas for calculating metrics of interest, including Defects Per Million (DPM), authentication service’s first restoration time from failure and total cost of ownership (TCO).
A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security
An improved PKI mechanism based on the existing asymmetric encryption of 5G is proposed, which introduces a new pair of asymmetric keys in the gNodeB to encrypt and sign the signalling message sent to UE.
5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol
5GReasoner, a framework for property-guided formal verification of control-plane protocols spanning across multiple layers of the 5G protocol stack, is proposed and identified 11 design weaknesses resulting in attacks having both security and privacy implications.
A Spectral Analysis of Noise: A Comprehensive, Automated, Formal Analysis of Diffie-Hellman Protocols
This work starts from first principles and compute the strongest threat model under which a protocol is secure, thus enabling formal comparison between protocols, and provides a fine-grained separation of Noise protocols that were previously described as offering similar security properties.
Formal Analysis of QUIC Handshake Protocol Using Symbolic Model Checking
A formal model of the QUIC handshake protocol is developed and a comprehensive formal security analysis is performed by using two state-of-the-art model checking tools for cryptographic protocols, i.e., ProVeirf and Verifpal, showing that ProVerif is generally more powerful than VerifPal in terms of verifying authentication properties.
IMP4GT: IMPersonation Attacks in 4G NeTworks
A novel cross-layer attack is introduced that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three and implies that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution.


A Formal Analysis of 5G Authentication
This work provides the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and finds that some critical security goals are not met, except under additional assumptions missing from the standard.
A Modular Security Analysis of EAP and IEEE 802.11
A reduction-based security analysis of the Extensible Authentication Protocol EAP is conducted, showing that the main EAP construction, considered as a 3P-AKE protocol, achieves a security notion which is called AKE$$^w$$ under the assumption that the EAP method employs channel binding.
A Comprehensive Symbolic Analysis of TLS 1.3
The most comprehensive, faithful, and modular symbolic model of the TLS~1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol.
A Vulnerability in the UMTS and LTE Authentication and Key Agreement Protocols
A flaw in the specifications of the Authentication and Key Agreement (AKA) protocols of the Universal Mobile Telecommunications System and Long-Term Evolution (LTE) as well as the specification of the GSM Subscriber Identity Authentication protocol is reported.
3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA
This paper analyzes threats and attacks in 3G-WLAN interworking and proposes a new authentication and key agreement protocol based on EAPAKA that combines Elliptic Curve Diffie-Hellman(ECDH) with symmetric key cryptosystem to overcome these vulnerabilities.
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
A modelbased testing approach LTEInspector is proposed which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model for exposing vulnerabilities in the 4G LTE protocol.
Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')
This specification defines a new EAP method, EAP-AKA', a small revision of the EAP-AKA method. The change is a new key derivation function that binds the name of the access network to the keys
Mutual entity authentication for LTE
  • Geir M. Køien
  • Computer Science
    2011 7th International Wireless Communications and Mobile Computing Conference
  • 2011
This paper proposes an amendment to the EPS-AKA protocol to make it a full mutual (online) entity authentication protocol, and analyze the proposal, highlighting both the improvements and the drawbacks of the new AKA protocol.
New privacy issues in mobile telephony: fix and verification
This work exposes two novel threats to the user privacy in 3G telephony systems, which make it possible to trace and identify mobile telephony subscribers, and proposes fixes to these privacy issues which also take into account and solve other privacy attacks known from the literature.
The Transport Layer Security (TLS) Protocol Version 1.3
This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent