FFormal Analysis of UMTS Privacy
M. Arapinis, L. I. Mancini, E. Ritter, M. D. RyanUniversity of Birmingham
Abstract
The ubiquitous presence of mobile communication devices and the continuous development of mo-bile data applications, which results in high level of mobile devices’ activity and exchanged data, oftentransparent to the user, makes privacy preservation an important feature of mobile telephony systems. Wepresent a formal analysis of the UMTS Authentication and Key Agreement protocol, using the appliedpi-calculus and the
ProVerif tool. We formally verify the model with respect to privacy properties. Weshow a linkability attack which makes it possible, for individuals with low-cost equipment, to trace UMTSsubscribers. The attack exploits information leaked by poorly designed error messages.
While most mobile phone users accept that the network operator can track their physical movements,few would be happy if an arbitrary third party could do so. Such a possibility would enable all kindsof undesirable behaviour, ranging from criminal stalking and harassment to more mundane monitoringof spouse or employee movements. For this reason, UMTS mobile phone protocols have been designedto prevent third parties from identifying wireless messages as coming from a particular mobile phone.The protocols include cryptography and the use of temporary identifiers (such as the
Temporary MobileSubscriber Identity (TMSI)) in an e ff ort to achieve the aim of untrackability by third parties.Unfortunately, it is known that “IMSI catchers” can be used to force a mobile phone to reveal its per-manent International Mobile Subscriber Identity (IMSI) [1, 2]. The possibility of such a breach of IMSIconfidentiality is acknowledged in the UMTS protocol specifications [3]. Until fairly recently, implement-ing an IMSI catcher required the specialised equipment found only in network base stations. However, thecost of such devices is becoming more and more a ff ordable thanks to software emulation.In this paper, we identify a further problem with the key establishment protocols used in modern net-works. We show that if an adversary can capture a message to a phone that authenticates the phone byits TMSI, then the adversary can from then on distinguish its interactions with that phone from any other.To achieve this, the adversary replays the captured message. Our attack exploits the fact that the victim’sphone will reply with subtly di ff erent error messages, depending on whether the replayed request is asso-ciated with it or with a di ff erent phone. In contrast with the IMSI catcher, our attack is not known to theprotocol designers.It is straightforward to modify the protocol to avoid the IMSI catcher attack, by using public key encryp-tion. Avoiding the error message attack is more subtle, because the attack itself is more subtle. We proposea modification of the protocol. We model the key establishment protocol in ProVerif , and we demonstratethat
ProVerif can find the attack based on the di ff ering error messages. Then, we propose a simple fix,which prevents the attacker from distinguishing between the reply to a replayed message for the victim’sphone from the reply to a replayed message from some other phone. We demonstrate that ProVerif doesnot find the attack in the revised version, and actually can prove that there are no distinguishing attacks.Unfortunately, our model is an approximation of the underlying protocol, in a precise way. The under-lying protocol uses exclusive-or as a means to perform a symmetric-key encryption. We do not model thisencryption; indeed, we allow an adversary to see both the key and the plaintext.
ProVerif ’s exhibitionof the attack and its absence in the fixed protocol are both relative to this approximation. The approxima-tion is plainly incorrect for secrecy properties; however, the privacy property at hand is expressed as theattacker’s inability to distinguish two situations, and intuitively, the approximation is a correct abstractionfor that property. In the approximate model, the attacker has strictly more information with which to makethe distinction. Formally proving that the approximation is an abstraction is left as further work.1 a r X i v : . [ c s . CR ] S e p .1 Related Work Known Attacks on UMTS
Previous work analysing UMTS security exploits the vulnerabilities which are propagated from GSMto UMTS when providing inter-operability between the two systems. Most of the reported attacks takeadvantage of well-known weaknesses of the GSM authentication and key agreement protocol, such as lackof mutual authentication and use of weak encryption . These attacks allow an active attacker to violatethe user identity confidentiality, to eavesdrop outbound communications and to masquerade as a legitimatesubscriber obtaining services which will be billed on the victim’s account. For example, Meyer and Wetzel[4] present an attack which allows the attacker to impersonate a base station and eavesdrop a victim’s mo-bile station communications. An even more disrupting attack allowing impersonation of a victim’s mobilestation and service theft is explained by Ahmadian et al. in [5].To the best of our knowledge, the only attack that does not rely on GSM / UMTS interoperability hasbeen presented by Zhang and Fang in [6]. The attack is a variant of the false base station attack and takesadvantage of the fact that the mobile station does not authenticate the serving network . It allows theredirection of the victim’s outgoing tra ffi c to a di ff erent network, let’s say a network which uses a weakerencryption algorithm or one which charges higher rates than the victim’s one. AKA Protocol Security: Formal Proofs and New Proposals
The UMTS authentication and key agreement protocol in its pure form (i.e. with no GSM support) hasbeen formally proved to meet some of the specified security requirements [7], such as authentication andconfidentiality. However, the framework used for the formal analysis does not capture Zhang and Fang’sattack. Moreover, unlinkability and anonymity properties, which are the focus of our work, have not beenanalysed.A new framework for authentication has been proposed to take into account subscribers’ privacy withrespect to both the serving and the home network [8]. Other recently published papers also propose new au-thentication protocols to enhance UMTS security and privacy [8, 6]. However, the adoption of the enhancedauthentication protocols would require considerable changes to the current security architecture. Unlike ourwork, these works, do not rely on a formal study of the AKA protocol or present a formal verification of theproposed protocols.
Universal Mobile Telecommunications System (UMTS) is a mobile telephony standard specified andmaintained by the Third Generation Partnership Project (3GPP). UMTS was introduced in 1999 to o ff er abetter support for mobile data applications increasing the data rate and lowering the costs of mobile datacommunications. Furthermore, UMTS o ff ers an improved security architecture with respect to previousmobile communication systems such as GSM (Global System for Mobile Communication). In the followingsections, we will introduce the UMTS network architecture and we will describe in more detail its securityfeatures and the Authentication and Key Agreement (AKA) protocol, which is the main building block ofUMTS security. We will then present a linkability attack which enables tracing UMTS subscribers thanksto the exploitation of the AKA protocol error messages. The network architecture of the UMTS system, depicted in figure 1, is built on the pre-existing voice anddata mobile networks, by namely GSM and GPRS (General Packet Radio Service) networks, respectively.The user side of the network consists of Mobile Stations (MS). Each mobile station comprises a MobileEquipment (ME) such as a mobile phone, together with a Universal Subscriber Identity Module (USIM),which identifies the user as a legitimate subscriber within a mobile telephony operator network. To accessthe services o ff ered by a mobile operator, a MS connects through radio communication technology to theUTRAN (UMTS Terrestrial Radio Access Network) or GERAN (GSM / EDGE Radio Access Network).The latter one is a GSM / GPRS access network.A mobile station directly communicates with a Base Transceiver Station or Node B which covers thearea the MS is located in. One or more Node B are connected with a Radio Network Controller (RNC),2igure 1: UMTS Architecturedefining a cell. A group of cells forms a Location Area. RNCs manage the radio resources and inter-cell handover and are the interface between the mobile station and the core network. The core networko ff ers circuit-switch and packet-switch services. The Mobile Switching Centre (MSC) and Gateway MobileSwitching Centre (GMSC) o ff er, respectively, inter and intra-network circuit-switching domain servicesand interface the UMTS with the traditional fixed telephony network. The Serving GPRS Support Node(SGSN) and the Gateway Serving GPRS Support Node (GGSN) o ff er, respectively, inter and intra-networkpacket-switching domain services as well as connecting the UMTS network with the internet.Within the core network, the Home Location Register (HLR) stores permanent sensitive information ofUMTS subscribers such as identity, service profile, and activity status. These informations are linked to theUSIM and recorded when stipulating a contract with the mobile operator. UMTS o ff ers roaming capabilitiesbetween di ff erent network operators, meaning that a mobile station can be connected to a visited network,called the Serving Network (SN), which might be di ff erent from the subscriber’s Home Network (HN).Each subscriber has a long term identifier IMSI (International Mobile Subscriber Identity) that is storedin the USIM, and a temporary identifier TMSI (Temporary Mobile Subscriber Identity), allocated by theserving network. The purpose of the TMSI is to protect the subscriber identity privacy. To limit the use ofthe IMSI a subscriber identifies himself using the TMSI whenever it is possible. To avoid user traceability,the TMSI is periodically changed through the TMSI reallocation procedure.The Visitor Location Register (VLR) stores temporary information about subscribers visiting a givenlocation area of the serving network and maintains TMSI / IMSI associations. The network operator and thesubscriber share a long term secret key used for authentication purposes. This key is stored in the USIM.The Authentication Centre (AuC) is a protected database storing association between subscriber identities(IMSI) and long-term keys.
We will consider a simplified network architecture so to be able to abstract from the network complex-ity and concentrate on the communication protocols taking place between a Mobile Station (MS) and theServing Network (SN).When referring to a Serving Network we mean both the UTRAN / GERAN Base Station that the MSis directly communicating with, and the complex structure of databases and servers connected with it andforming the UMTS core network.When a mobile station connects to a network, a temporary identity, TMSI (Temporary Mobile Sub-scriber Identity) is assigned to it and is used, instead of the IMSI, to identify the MS. To avoid mobile3 , S QN MS , CK K , S QN HN , CK SN / HNMS
LOCATION UPDATE(oldTMSI)AKA PROTOCOLTMSI REALL CMD( { newT MS I } CK )TMSI REALL COMPLETE Figure 2: TMSI Reallocation procedurestation traceability by third parties, the UMTS standard requires periodic updates of the temporary identityto be performed.UMTS communication system aims to provide authentication, confidentiality, and user identity confi-dentiality [3]. In particular, the UMTS standard defines the following two properties concerning the sub-scribers privacy: • User identity confidentiality: the property that the permanent user identity (IMSI) of a user to whoma services is delivered cannot be eavesdropped on the radio access link; • User untraceability: the property that an intruder cannot deduce whether di ff erent services are deliv-ered to the same user by eavesdropping on the radio access link.To achieve the above mentioned security properties, UMTS relies mainly on the Authentication and KeyAgreement (AKA) protocol, on ciphering and integrity checking of the confidential data transmitted on theradio channel, and on the use of temporary identities. The AKA protocol allows MS and SN to establisha pair of shared session keys: a ciphering key and an integrity key, to be used to ensure the secrecy andintegrity of the subsequent communications.As previously mentioned, mobile stations are identified using temporary identities. New temporaryidentities are assigned by the network using the TMSI reallocation procedure, which consists of a messagecontaining the new TMSI, followed by an acknowledgement message. To avoid the linkability of consecu-tively used temporary identities, the new TMSI is encrypted using the session key CK established during theexecution of the AKA protocol. The standard requires a new TMSI to be allocated at least at each changeof location area [9]. The TMSI reallocation is usually performed in conjunction with other procedures asfor example location updating. This scenario is depicted in figure 2. The Authentication and Key Agreement (AKA) protocol aims to achieve the mutual authentication ofMS and SN, and to establish shared session keys to be used to secure the subsequent communications. Thesession keys are not exchanged during the protocol but computed locally by the MS and the SN. Accordingto [3], the authentication procedure is always initiated by the SN for the purpose of: • Checking whether the identity provided by the MS is acceptable or not. • Providing parameters enabling the MS to calculate a new UMTS ciphering key. • Providing parameters enabling the MS to calculate a new UMTS integrity key. • Allowing the MS to authenticate the network. 4 , S QN MS K , S QN HN SN / HNMS
AUTH REQ(
RAND , AUT N )new
RANDAK ← f K ( RAND ) MAC ← f K ( S QN HN || RAND ) AUT N ← S QN HN ⊕ AK || MACAK ← f K ( RAND ) XMS G || XMAC ← AUT NS QN HN ← XMS G ⊕ AKMAC ← f K ( S QN HN || RAND )Check:
MAC = XMAC
Check:
S QN HN > S QN MS RES ← f K ( RAND ) AUTH RES(
RES ) CK ← f K ( RAND ) IK ← f K ( RAND ) Check:
RES = f K ( RAND ) CK ← f K ( RAND ) IK ← f K ( RAND ) Figure 3: Authentication and Key Agreement protocolThe MS and the Home Network (HN) share a secret cryptographic key K , assigned to the subscriber by thenetwork operator and loaded on the USIM card. The secret key allows MS and HN to compute, o ff -line,shared ciphering and integrity keys to be used for encryption and integrity check of the communication.The AKA protocol consists in the exchange of two messages: the authentication request and the authen-tication response. In figure 3, a successful execution of the AKA protocol is shown. The SN initiates theauthentication and key agreement procedure as follows: • Before sending an authentication request to the MS, the serving network requests authentication datafrom the mobile station’s home network (HN). The home network returns an authentication vectorcontaining a random challenge
RAND , the authentication token
AUT N computed from it, the ex-pected authentication response f K ( RAND ), the integrity key IK and the encryption key CK . Thefunctions, f , f , f , f , and f
5, used to compute the authentication parameters are cryptographicfunctions computed using the shared key K and are defined in the UMTS standard. The authentica-tion function f f RES ; the key generating functions, f , f , and f CK , the integrity, IK , and the anonymity key, AK , respectively. • The SN sends the authentication challenge RAND and the authentication token
AUT N to the MS.The authentication token contains a MAC which is computed applying the function f S QN HN , generated by the HN / AuC usingan individual counter for each user. A new sequence number is generated either by increment of thecounter or through time based algorithms as defined in [3]. The sequence number
S QN HN identifiesthe authentication vector and allows the MS to verify the freshness of the authentication request (seefigure 3). • When the MS receives the (
RAND , AUT N ) message it first retrieves the sequence number (
S QN HN ),verifies the MAC ( MAC = XMAC ). This step ensure the MAC was generated by the network usingthe shared key K . The mobile station stores the greatest sequence number used for authentication, S QN MS . This value is used to check the freshness of the authentication request ( S QN MS < S QN HN ).5 , S QN MS K , S QN HN SN / HNMS
AUTH REQ(
RAND , AUT N )AUTH RESPONSE(
RES )if
MAC (cid:44)
XMAC then
RES ← MAC FAIL else if
S QN HN < = S QN MS then RES ← S YNCH FAIL ( AUTS )else
RES ← f K ( RAND ) if
RES = SYNCH FAIL thenResynchelse if
RES (cid:44) f K ( RAND ) thenReject Authentication
Figure 4: AKA Failure Messages • The MS computes the ciphering key, the integrity key and the authentication response
RES messageand sends
RES to the network. • The SN authenticates the MS verifying whether the received response is equal to the expected one(
RES = f K ( RAND )).After successful authentication, the SN sends a security mode command message to the MS, indicatingwhich one of the allowed algorithms to use for ciphering and integrity checking of the subsequent commu-nications.The authentication procedure can fail on the MS side either because the MAC verification failed, orbecause the received sequence number is not in the correct range with respect to the sequence number storedin the MS (
S QN MS ). In the former case, the MS sends an authentication failure message indicating MacFailure as the failure cause. In the latter case, the MS sends an authentication failure message containingthe
AUT S parameter and indicating
Synchronization Failure as the failure cause. The AUTS parametercontains the sequence number
S QN MS , to allow the SN to perform a re-synchronization and a MAC forauthenticity and integrity purposes.The authentication procedure can fail on the SN side because the RES verification failed, in this casethe SN sends an authentication reject message.For simplicity, we are not considering here failure situations in which the network initiates other pro-cedures to recover from an authentication failure. Figure 4 depicts the error messages possibly occurringduring the authentication procedure.
Despite the use of temporary identities to avoid the linkability of UMTS subscribers, the execution ofthe AKA protocol enables an active attacker to trace UMTS subscribers. An active attacker could interceptan authentication request message containing the pair (
RAND , AUT N ) sent by the SN to a victim mobilestation MS v . The captured authentication request can be replayed by the adversary to check the presenceof MS v . In fact, thanks to the error messages, the adversary can distinguish any mobile station from theone the authentication request was originally sent to. On reception of the replayed ( RAND , AUT N ), thevictim mobile station, MS v , successfully verifies the MAC and sends a synchronization failure message.While, the MAC verification fails when executed by any other mobile station and as a result a MAC failure6 , S QN MS v RAND , AUT N K , S QN HN SN / HNAttackerMS
AUTH REQ(
RAND , AUT N )AUTH RES(
RES ) K , S QN (cid:48) MS v AUTH REQ(
RAND , AUT N )AUTH RES(
S YNCH FAIL ) This is MS v ! Figure 5: Linkability attackmessage is sent. The implementation of few false base stations would then allow an attacker to trace themovements of a victim mobile station, resulting in a breach of the subscriber untraceability. The proposedattack is shown in figure 5.Intuitively, the UMTS AKA protocol linkability problem can easily be solved by simply sending thesame error message for any kind of failure occurring. In the following sections, we introduce the theoreticalframework we used to automatically verify the unlinkability and anonymity of this simple fix. In addition,we illustrate the UMTS AKA protocol model and discuss the verification results.
In the following sections we present the
ProVerif process language. We introduce the model of UMTSAKA protocol and the formalization of the privacy properties under analysis. Further, we discuss the resultof the verification with the
ProVerif tool of both the original protocol and the fixed version.
The
ProVerif process language is similar to the applied pi-calculus, which is a formal language, in-troduced by Abadi and Fournet [10], for modelling concurrent processes and ease the modelling of cryp-tographic protocols. The
ProVerif process language makes it possible to automatically verify protocolmodels written in the language, using the
ProVerif tool [11].Cryptographic primitives are modelled as functions and messages are represented by terms of the
ProVerif process language built over an infinite set of names, an infinite set of variables and the set ofconsidered cryptographic primitives. A function symbol with arity 0 is a constant symbol. Functions aredistinguished in two categories: constructors and destructors. We write f for constructors and g for destruc-tors. Terms are variables, names and application of constructors and are defined by the following grammar: L , M , N , T :: = Terms a , b , c , . . . Name x , y , z , . . . Variable f ( M , . . . , M l ) Function applicationwhere f ∈ Σ and l matches the arity of f Destructors are defined by a set of reduction rules of the form g ( M , . . . , M l ) → M which can be applied byprocesses to manipulate terms. Example 1.
Using functions and reduction rules we can define cryptographic functions, for example, let = { senc / , pub / , aenc / , xor / , / , } , and consider the reductions sdec ( k , senc ( k , m )) → m adec ( k , aenc ( pub ( k ) , m , r )) → m xor ( xor ( x , y ) , z ) → xor ( x , ( xor ( y , z )) xor ( x , y ) → xor ( y , x ) xor ( x , ) → x xor ( x , x ) → In this example, senc and aenc model, respectively, symmetric and non deterministic asymmetric encryp-tion. The first reduction rule allows to decrypt an encrypted message, m, given the knowledge of the en-cryption key k, hence it defines symmetric encryption. While, the second rules allows to decrypt a message,m, encrypted using a public key, pub ( k ) , and a random value, r, given the knowledge of the correspondingprivate key k. Therefore, it defines non deterministic public key encryption.The function xor is described by a set of reductions modelling its algebraic properties and a constant representing the value 0. The grammar for processes of the
ProVerif process language is the following: P , Q , R :: = plain processes0 null process P | Q parallel composition! P replication new n ; P name restriction if M = N then P else Q conditional let x = g ( M , . . . , M n ) in P destructor application else Q in ( M , x ); P message input out ( M , N ); P message outputThe null process does nothing. The parallel composition of P and Q represents the parallel execution of P and Q . The replication of a process P acts like the parallel execution of unboundedly many copies of P .The name restriction ν n . P creates a new name n whose scope is restricted to the process P and then runs P . Note that we check for equality modulo the equational theory rather than syntactic equality of terms.The message input in ( M , x ); P represents a process ready to input from the channel M , the actual messagereceived will be substituted to x in P , the syntactic substitution of a term T for the variable x in the process P is denoted by P { T / x } . The message output out ( M , N ); P describes a process ready to send a term N on thechannel M and then to run P . The let construct defines a process that evaluates g ( M , . . . , M n ) and behavesas P , where x is substituted with the evaluation of g ( M , . . . , M n ) in P , if the evaluation of g ( M , . . . , M n )is successful, and behaves as Q otherwise. The conditional checks the equality of two terms M and N andthen behaves as P or Q accordingly.The conditional is actually defined in terms of let . A destructor equals is defined, with the reduction equals ( x , x ) → x . The if construct stands for let x = equals ( M , N ) in P else Q . We also use somesyntactic sugar to allow the let construct to introduce abbreviations such as let x = M in P . Moreover,we assume implicit definitions of constructors and destructors of tuples. In particular, we allow implicit ap-plication of tuple destructors using pattern matching, as for example let ( x , ..., x n ) = M in P else Q ,that if M is an n -tuple, executes P where x , . . . , x n are substituted with f st ( M ) , snd ( M ) , . . . , n − th ( M ), andexecutes Q otherwise.The definition of a process in the ProVerif language consists of a set of declarations which allow todefine: free a. free names; fun f/arity. functions and their arity; reduc f(x,y,..)=f(w,z,..). the functions’ reduction rules;8 et A = P. a subprocess A, where P is defined by the grammar given above; Process P the main process, where P is defined by the grammar given above.
Example 2.
We can model a system S where mobile stations, MS , with identity, imsi, run along with aserving network, S N, with which they share a private key k as the process: let S = !new k; new imsi; !new sqn;(SN | MS)
The serving network process SN executing the AKA protocol can be modelled by the following
ProVerif process:
The SN creates a fresh random number and calculates the parameters needed during the authenticationprocess. It sends the random and the authentication token on a public channel c . Finally, the SN waits forthe authentication response.A mobile station can be represented by the following process: The MS waits for an authentication request, from which it retrieves the mac and the sequence number(respectively xmac and xsqn ), checks if they are equal to the locally computed ones ( mac, sqn ) and sendseither the authentication response res or a failure message, indicating the failure cause. The evaluation of terms ( ⇓ ) of the ProVerif process language is defined by the following rules: M ⇓ Mg ( D , . . . , D n ) ⇓ σ N if g ( N , . . . , N n ) → N ∈ Σ and σ is such that ∀ i , D i ⇓ M i and M i = σ N i The structural equivalence relation ( ≡ ) defines when syntactically di ff erent processes represent the sameprocess, allowing to rule out uninteresting syntactic di ff erences between processes: P ≡ P | P | Q ≡ Q | PP | ( Q | R ) ≡ ( P | Q ) | R new a ; new b ; P ≡ new b ; new a ; PP | new a ; Q ≡ new a ; ( P | Q ) if a (cid:60) f n ( P ) P ≡ P ≡ QQ ≡ P P ≡ Q , Q ≡ RP ≡ R P ≡ Q new a ; P ≡ new a ; Q The reduction relation ( → ) describes how processes evolve. According to the first reduction rule, inputand output actions on a channel N can synchronize, resulting in the message M to be communicated, i.e.substituted for x in Q . The let construct tries to evaluate the term D , if the evaluation is successful, i.e. D ⇓ M then M is substituted for x in P otherwise the process Q is executed. The replication of P can evolveto the parallel execution of an unfolded copy of P running in parallel with its replication. Moreover, wehave that if a process P can evolve to Q , when in isolation, then it can perform the same step when runningin parallel with another process R . The reduction relation is closed by name restriction and structuralequivalence. out ( N , M ); P | in ( N , x ); Q → P | Q { M / x } let x = D in P else Q → P { M / x } i f D ⇓ M let x = D in P else Q → Q if there is no M such that D ⇓ M ! P → P | ! PP → QP | R → Q | R P → Q new a ; P → new a ; QP (cid:48) ≡ P , P → Q , Q ≡ Q (cid:48) P (cid:48) → Q (cid:48) We write → ∗ for the reflexive and transitive closure of → . A context is a process with a hole, C [ ]. An evaluation context is a context whose hole is not undera replication, a conditional, an input or an output. An evaluation context represents an attacker, i.e. anyprocess which may follow or not the protocol rules and interact with our “well behaving” processes. Wesay that a context closes A when C [ P ] is closed, where C [ P ] is the process obtained by filling C ’s hole with P . We write P ↓ M if P can send a message on the channel M , that is, if P → ∗ C [ out ( M , N ); P (cid:48) ] for someterm N and some evaluation context C [ ] that does not bind the free names in M Definition 1.
Observational equivalence ( ≈ ) is the largest symmetric relation R between closed processeswith the same domain such that P R Q implies:1. if P ↓ M then Q ↓ M
2. if P → ∗ P (cid:48) then Q → ∗ Q (cid:48) and P (cid:48) R Q (cid:48) for some Q (cid:48) C [ P ] R C [ Q ] for all closing evaluation context C [ ]Intuitively, observational equivalence captures the idea that two processes are indistinguishable if theirobservable behaviour is the same. The observable behaviour of a process is what an attacker (evaluationcontext) can observe and deduce using the equivalence relations on terms when the process interacts withthe environment i.e. outputs on free channels.The ProVerif process language can represent pairs of processes having the same structure and di ff eringonly by some terms and term evaluations, such a pair of processes is called biprocess. Biprocesses arerepresented by extending the language grammar with the choice [ M , M (cid:48) ] term and the choice [ D , D (cid:48) ] termevaluation. A biprocess P defines two processes: f st ( P ) which is obtained by replacing all occurrences of choice [ M , M (cid:48) ] with M and choice [ D , D (cid:48) ] with D in P , and, snd ( P ) obtained by replacing choice [ M , M (cid:48) ]with M (cid:48) and choice [ D , D (cid:48) ] with D (cid:48) in P .The ProVerif tool can prove the observational equivalence of biprocesses, which is defined as follows:
Definition 2.
Let P be a closed biprocess. We say that P satisfies observational equivalence when f st ( P ) ≈ snd ( P ). 10 et SN =new rand;let mac = f1(k, (rand, sqn)) inlet ak = f5(k, rand) inlet autn = ((sqn, ak), mac) inout(c, (rand, autn));in(c, xres).let MS =in(c, x);let (xrand, xautn) = x inlet (y, xmac) = xautn inlet ak = f5(k, xrand) inlet y = (xsqn, xak) inlet mac = f1(k, (xrand, xsqn)) inif xmac = mac thenif xsqn = sqn thenlet res = f2(k, xrand) inout(c, res)elseout(c, Fail)elseout(c, Fail). Figure 6: SN and MS process, sending the same error message for both MAC verification and synchroniza-tion failures and without the use of the xor function
In this section, we present the verification of the unlinkability and anonymity properties of the UMTSAKA protocol when sending the same error message for both MAC verification and synchronization fail-ures. We use the formalization of privacy related properties as given by Arapinis et al. in [12], namelystrong unlinkability and strong anonymity. The definitions we present here are tailored to our case study,we refer the reader to [12] for the general ones.Though the theory allows to write a set of reduction rules to model the xor function, the
ProVerif toolcannot deal with its algebraic properties. Hence, in the models used for the verification of unlinkability andanonymity the xor is replaced in the SN and MS models presented in example 2, in the following way: • The xor in the calculation of autn by the SN process at line 5 is substituted by a pair: let autn = ((sqn, ak), mac) in • The xor at line 6 of the MS process is replaced by a pattern matching on the received pair: let (xsqn, xak) = y in
The fixed version of the SN and MS process, sending the same error message for both MAC verificationand synchronization failures and without the use of the xor function, is shown in figure 6.
Informally, the strong unlinkability property holds when a system in which agents access a servicemultiple times looks the same as a system in which agents access the service at most once. We use thisdefinition since it captures well the concept of user untraceability stated in the 3GPP standard. Let
S N and MS be a serving network process and a mobile station process as defined in example 2 and consider thesystem S UNLINK defined as follows: S UNLINK = ! new k ; new imsi ; new sqn ; ( S N | MS )11here k is the long term shared key. Each instance of MS in S UNLINK represents a di ff erent mobile station,with key k and identity imsi which can execute the protocol at most once. The system S UNLINK is an idealsystem with respect to the unlinkability of a mobile station, which by definition cannot be linked because itexecutes only once.Let S be a system where mobile stations can execute more than once, as defined in example 2. Followingthe definition given in [12], the unlikability property is satisfied if the system S is observationally equivalentto a system S UNLINK : S ≈ S UNLINK
To make the defined observational equivalence suitable for the verification with
ProVerif , we definedthe two systems S and S UNLINK as the following biprocess S : S = ! new sk new imsi new sk new imsi new sqn ; let ( k , imsi ) = choice [( sk , imsi , ( sk , imsi in ( S N | MS )where sk , sk imsi , imsi f st ( P ) represents asystem where a mobile station (with key sk
1) may execute the protocol many times, while snd ( P ) representsa system where mobile stations execute the protocol at most once (the key sk ff erent). Thismakes the definition of strong unlikability suitable for the automatic verification using ProVerif , becauseit reduces the problem of testing strong unlinkability to the observational equivalence of a biprocess ( f st ( P )and snd ( P ) di ff er only in the choice of the identity and related key, i.e. choice [( sk , imsi , ( sk , imsi ProVerif tool shows that theunlinkability property holds. The verification of the original protocol results, as expected, in the breachof the unlinkability property. The
ProVerif code used to verify the unlinkability property of the originalprotocol and of the fixed version is shown respectively in figure 10 and figure 11.
Informally, strong anonymity requires a system where the user imsi w with publicly known identityexecutes the role R i to be undistinguishable from a system where the user imsi w is not present at all, which isthe ideal system from imsi w ’s anonymity preservation point of view. This notion captures well the definitionof user identity confidentiality stated in the 3GPP standard.Let S N and MS be a serving network and a mobile station process as defined in example 2 and let MS W be mobile station processes such that. MS W has known, public identity imsi w . MS W is defined as follows: MS W = ! MS { imsi w / imsi } where imsi w is the publicly known identity of MS W . The strong anonymity holds when the followingobservational equivalence is satisfied:! MS | ! S N ≈ ! MS | MS W | ! S N
The mobile stations’ permanent identities are modelled as secret names, to verify the strong anonymityproperty we give the adversary the knowledge of one identity, modelled as a free (public) name. We define asystem S W where the mobile station with publicly known identity imsi w free imsi w . S W = new sk w new sk ms ; new imsi ms ; new sqn ms ; new sqn w ; let ( imsi , k ) = ( imsi ms , sk ms ) inlet sqn = sqn ms in ( S N | MS ) | let ( imsi , k ) = ( imsi w , sk w inlet sqn = sqn w in ( S N | MS )12here sk sk ms are permanent shared keys, imsi w , imsi ms are permanent mobile stations identities.The given model represent a system where a mobile station with public identity imsi w ProVerif is described by the following biprocess: free imsi w . S = new sk w new imsi w new sk w new sk ms ; new imsi ms ; new sqn ms ; new sqn w ; let ( imsi , k ) = ( imsi ms , sk ms ) inlet sqn = sqn ms in ( S N | MS ) | let ( imsi , k ) = choice [( imsi w , sk w , ( imsi w , sk w inlet sqn = sqn w in ( S N | MS )where f st ( S ) is a system where only mobile stations with secret identities execute the protocol and snd ( S ) = S W is a system where the mobile station with publicly known identity imsi w ProVerif code used to verify the anonymity property are shown in figure 12.
ProVerif proved that the anonymity property is achieved by both the fixed version and the originalversion of the UMTS AKA protocol.
The xor function is used in the UMTS AKA protocol to combine the sequence number
S QN with the AK parameter. Instead of modelling a simplified version of the xor function, we chose to send the SQNand AK parameter in clear, i.e. as components of a tuple. We believe this abstraction is sound, in this case,because it gives more discretional power to the attacker. However, a formal proof of the soundness of thisabstraction is not given in this paper.Besides the xor abstraction, the verification of the fixed version of the AKA protocol shows that oursimple fix thwarts the information leakage problem which causes the linkability of UMTS subscribers.The proposed simple solution does not diversify the type of errors, hence it would invalidate errorrecovery features of the protocol. Instead, we suggest the adoption of a public key infrastructure whereeach home network has a public key known by the mobile stations (it could be stored in the USIM). Whenan error occurs, during the authentication procedure, the mobile station can encrypt the error messageusing the HN public key and then send the error message on the radio channel (see figure 7). Notice thatthe introduction of random padding values will be required to obtain a non-deterministic encryption ofthe error messages and avoid known cypher text attacks being performed by the attacker. Furthermore,meaningful error messages allowing re-synchronization and sender authentication should be used in a realimplementation. The work presented in this document is still in progress. We discuss in this session the issues currentlyunder examination. In modelling the AKA protocol, we made some abstractions to ease the modellingprocess and to overcome
ProVerif ’s limitations. In particular, we send the sequence numbers in clear,instead of XOR-ing them with the AK parameter. Moreover, in our model the HN and MS view of sequencenumbers is perfectly synchronized.Intuitively, the XOR abstraction is sound, since we give the attacker more information, with respectto the original protocol, hence we leave more room for attacks. With this abstraction, the unlinkabilityof the AKA can be proved when our simple fix is applied to it. The perfect synchronization of sequencenumbers, intuitively, does not a ff ect the unlinkability property, in fact in both the original AKA protocol andthe fixed one, they are sent in clear. Moreover, the linkability attack relies on the possibility of replayingold authentication requests, i.e. old sequence numbers, hence the currently valid sequence numbers areirrelevant from the attacker’s point of view. We are currently working on the soundness of our abstractions.13 , S QN MS , PK HN K , S QN HN , S K HN SN / HNMS
AUTH REQ(
RAND , AUT N )if
MAC (cid:44)
XMAC then
RES ← {
MAC FAILURE } PK HN elseif S QN HN < = S QN MS then RES ← {
S YNCH FAILURE } PK HN else RES ← f K ( RAND ) AUTH RES(
RES ) Figure 7: AKA protocol with public key encryption of error messages
ProVerif cannot prove the unlinkability of the public key based fix of the AKA protocol a manual proofwill be given instead.While modelling the AKA protocol and studying its privacy properties, we started questioning the fea-sibility of the linkability attack in real settings. Hence we investigated the available open source projectsrelated to mobile telephony technologies and we are currently working on the actual implementation of theproposed linkability attack.
We showed that despite the use of temporary identities UMTS subscribers can be traced thanks to theinformation leaked by the authentication and key agreement protocol. We proposed a public-key-basedcountermeasure to ensure both unlinkability and anonymity of UMTS subscribers while keeping the UMTSsecurity architecture mostly unchanged. Furthermore, we successfully use the definition given in [12] toautomatically verify privacy related properties. Though our approach is not applicable to more generalsettings, it can be used to automatically verify unlinkability and anonymity of protocols which do not usethe user identity during the initialization phase.
References [1] Dirk Fox. IMSI-Catcher.
Datenschutz und Datensicherheit (DuD) , 21:539–539, 1997.[2] Daehyun Strobel. IMSI Catcher, 2007. Seminar Work, Ruhr-Universitat Bochum.[3] 3GPP. Technical specification group services and system aspects; 3G security; security architecture(release 9). Technical report, 3rd Generation Partnership Project, 2010. 3GPP TS 33.102 V9.3.0.[4] Ulrike Meyer and Susanne Wetzel. A man-in-the-middle attack on UMTS. In
Proceedings of the 3rdACM workshop on Wireless security , WiSe ’04, pages 90–97, New York, NY, USA, 2004. ACM.[5] Zahra Ahmadian, Somayeh Salimi, and Ahmad Salahi. New attacks on UMTS network access. In
Proceedings of the 2009 conference on Wireless Telecommunications Symposium , WTS’09, pages291–296, Piscataway, NJ, USA, 2009. IEEE Press.[6] Muxiang Zhang and Yuguang Fang. Security analysis and enhancements of 3GPP authentication andkey agreement protocol.
IEEE Transactions on Wireless Communications , 4(2):734–742, 2005.[7] 3GPP. Formal analysis of the 3G authentication protocol, version 3.1.0. Technical report, 3rd Gener-ation Partnership Project, 1999. 3GPP, TR 33.902.14 * public communication channel *)free c.(* constant values *)fun macFail/0. fun synchFail/0. fun Fail/0.(* UMTS AKA protocol specific mac and key generation functions *)fun f1/2. fun f2/2. fun f3/2. fun f4/2. fun f5/2.(* generic symmetric encryption function *)fun senc/2.reduc sdec(k, senc(k, m)) = m.
Figure 8: The public channel, the cryptographic primitives and the constant values[8] Geir Køien and Vladimir Oleshchuk. Location privacy for cellular systems; analysis and solution. InGeorge Danezis and David Martin, editors,
Privacy Enhancing Technologies , volume 3856 of
LectureNotes in Computer Science , pages 40–58. Springer Berlin / Heidelberg, 2006. 10.1007 / SIGPLANNot. , 36(3):104–115, 2001.[11] Bruno Blanchet, Mart´ın Abadi, and C´edric Fournet. Automated Verification of Selected Equivalencesfor Security Protocols. In , pages331–340, Chicago, IL, June 2005. IEEE Computer Society.[12] Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark Ryan. Analysing unlinkability and anonymityusing the applied pi calculus. In
CSF , pages 107–121. IEEE Computer Society, 2010.
In this section, we present the code used for the verification with
ProVerif an clarify some technicaldetails. In the rest of this section we will use the notation: (* section heading *)... to avoid code repetition and ease the reading.In the following figure, we introduce the functions and reductions we used to model the cryptographicprimitives involved in the UMTS authentication and key agreement protocol. The function senc modelsymmetric encryption, while f1,f2, f3, f4 and f5 are protocol specific one way cryptographic func-tions. Moreover, in this part of the code we declare a public channel c and three constant values macFail , synchFail and Fail . The public channel and function declaration is reported in figure 8. The servingnetwork process did not present any technical challenge in the modelling process and is the same for all theverified properties, hence is briefly reported in figure 9, without further remarks.The code in figure 10 was used to verify the unlinkability of the UMTS AKA protocol. Though, theevaluation of an if statement condition is part of the internal behaviour of a process, Proverif considersprocesses, which execute di ff erent branches of an if statement, not observationally equivalent. Hence itmight exhibit false attacks. In fact, the ProVerif tool is proved to be sound but not complete. This meansthat if
ProVerif does not find an attack, this is a proof that there are no attacks, and the security propertyholds in the verified model. Though, the contrary it is not true, i.e. if
ProVerif does find an attack, it isnot a proof that the property does not hold, because the attack may or may not match a real attack, and the15 * Serving Network process *)let SN = new rand;let mac = f1(xk, (rand, xsqn)) inlet ak = f5(xk, rand) inlet autn = (xsqn, ak, mac) inout(c, (rand, autn));in(c, xres).
Figure 9: Serving Network Processproperty could still be proved to be satisfied using, for example, manual techniques. To avoid this problem,when verifying the unlikability property, we introduced a function err and a destructor geterr , whichallow to check the validity of MAC and sequence number, and at the same time retrieve the error message.The use of the err function avoids the introduction of extra if statements that would lead to false attacks.As explained in section 3, the UMTS AKA protocol does not satisfy the linkability property and in fact ProVerif cannot prove the observational equivalence and finds that an attacker can distinguish the twoprocesses because di ff erent error messages can be sent as answer for the same authentication request.The code in figure 11 shows the AKA protocol fixed so that the same error message is sent, indepen-dently from the kind of failure occurred. This is obtained by simply changing the definition of the errfunction. This solution is proved to satisfy unlinkability. In figure 12, we show the code we used to verifythe AKA anonymity property. In this case, the if statements were not source of false attack, hence we didnot use the err function. As expected the anonymity property holds because the private identities of themobile stations are never revealed (i.e. sent on the public channel).16 * public channel and cryptographic primitives *)...fun err/4.reducgeterr( err(x, z, y, y)) = macFail;geterr( err(x, x, y, z)) = synchFail.(* Serving Network process *)...(* Mobile Station process *)let MS = in(c, x);let (xrand, xautn) = x inlet (xsqn, xak, xmac) = xautn inlet mac = f1(k, (xrand, xsqn)) inif (xmac, xsqn) = (mac, sqn) thenlet res = f2(k, xrand) inout(c, res)elselet errmsg = geterr(err(mac, xmac, sqn, xsqn)) inout(c, errmsg)).process !new sk1; new imsi1;!new sk2; new imsi2; new sqn;let (k, imsi) = choice[(sk1, imsi1), (sk2, imsi2)] in(SN | MS) Figure 10:
AKA protocol Unlinkability (* public channel and cryptographic primitives *)...fun err/4.reducgeterr( err(x, z, y, y)) = Fail;(* Serving Network process *)...(* Mobile Station process *)...process !new sk1; new imsi1;!new sk2; new imsi2; new sqn;let (k, imsi) = choice[(sk1, imsi1), (sk2, imsi2)] in(SN | MS)
Figure 11:
AKA protocol Unlinkability: simple fix * public channel and cryptographic primitives *)...(* Serving Network process *)...(* public identity *)free imsi_w2.(* Mobile Station processes *)let MS =in(c, x);let (xrand, xautn) = x inlet (xsqn, xak, xmac) = xautn inlet mac = f1(k, (xrand, xsqn)) inif (xmac, xsqn) = (mac, sqn) thenif xsqn = sqn thenlet res = f2(k, xrand) inout(c, res)else out(c, synchFail)else out(c, macFail).process new sk_w1;new sk_w2;new imsi_w1;!new sk_ms;new imsi_ms;!new sqn_w;new sqn_ms;let (imsi,k) = (imsi_ms, sk_ms) inlet sqn = sqn_ms in (SN |MS)|let (imsi,k) =choice[(imsi_w1, sk_w1),(imsi_w2, sk_w2)] inlet sqn = sqn_w in (SN|MS) Figure 12: