In mobile communication, e.g. according to the GSM (more generally referred to as 2G) or UMTS (more generally referred to as 3G) standard, security has become of utmost importance. This is very much related to the increased use of mobile communication in business and for private communication. Accordingly, requirements on security encompass authentication of network as well as of mobile user, integrity of information transmitted over a mobile link, encryption of information and protection against replay attacks. It is for example known that GSM suffers from security problems and, e.g., it is possible to retrieve the encryption key by breaking the A5/2-cryptographic algorithm. A technical description of a fraudulent proceeding is described in reference [1]. The GSM authentication and key agreement procedure AKA is only dependent on a random number RAND and the key is thus the same independent of the actual crypto algorithm used. There are three algorithm choices for circuit switched data, A5/1, A5/2, A5/3 and three algorithms for packet data, GEA1, GEA2 and GE A3. The terminal signals its capabilities, in particular the set of crypto algorithms it supports, to the network. The network then selects which crypto algorithm to use. Note that this signalling is unprotected. Thus the terminal has no chance to detect if and when an attacker is signalling that it should use A5/2 and that this information originates from a legitimate operator.
Generally, there are three types of attacks. The first type comprises an attacker intercepting and decrypting traffic when the system is using A5/2 that has been broken as described in reference [1].
The second type comprises interception of traffic associated with the AKA procedure to record traffic data and the RAND-value that is used. Later, a false base station can make the mobile terminal execute an AKA procedure using the previously recorded RAND and to encrypt the traffic using the A5/2-algorithm, which enables the attacker to retrieve the crypto key KC. Due to the simple dependence on RAND this key, KC, will be the same key as was used to protect the recorded traffic.
The third type of attack involves an active man-in-the-middle forcing the terminal to use the A5/2 algorithm, thereby enabling calculation of the crypto key.
The UMTS standard advises methods that overcome most of these problems. However, a scenario is foreseen in which GSM terminals will be used during a considerable period of time until UMTS terminals have become property of the great majority of users. In fact, many advanced services will be available on GSM phones and users may be reluctant to exchange their phones until at a later time. Some solutions to these problems are currently being proposed in 3GPP, e.g. as described in references [2, 3]. Reference [2] discloses a solution to enhance the security provided by GSM AKA by deriving transform dependent keys, also referred to as key-separation. While this solution solves some of the GSM problems there are still disadvantages. For instance, this solution does not provide a signalling interface that is appropriate for UMTS AKA, which would be preferred in order to get replay protection, network authentication, and secure algorithm selection. This solution also, in some cases, becomes complex. The solution disclosed in reference [3] suffers from the same disadvantages and, in addition, has some other security problems in that the effective key-space size is potentially reduced due to reduced randomness. Still other disadvantages relate to a reduced randomness of the RAND and there is, furthermore, no provision for mutual authentication
Still another method to improve the GSM AKA security is described in reference [4] and referred to as EAP-SIM (Extensible Authentication Protocol). The main part of EAP-SIM comprises a mutual authentication and session key agreement protocol. According to this method, up to three GSM AKA triplets are generated and included in security operations to achieve a longer session key, e.g. 128 bits. The improved security requires certain conditions to be fulfilled regarding the choice of RAND-values. A disadvantage of this method is that sessions are not independent. If the session key from one of the sessions is compromised then an adversary can use it to carry fraudulent conversations with the client. Another disadvantage is that a mobile terminal, provided with EAP SIM functionality, does not behave as an ordinary GSM terminal towards the network but requires a special communication protocol. EAP SIM could therefore not be made transparent to GSM/UMTS access networks.
Reference [6] describes a tamper-resistant security device such as a SIM card, which in addition to the AKA module has a software application that cooperates with the AKA module to provide security and/or privacy enhancements such as those proposed by EAP-SIM.