In a mobile communication system signalling and user plane protocols need to be secured so as to avoid eavesdropping and unauthorised modification of messages. In the following, it is primarily focused on protocols which originate or terminate at the user equipment. Protocols between network nodes are not considered in detail.
The security of protocols is typically achieved by using cryptographic mechanisms such as encryption and integrity protection. These mechanisms rely in turn on cryptographic keys and, in some cases, on counters or sequence numbers which, together with the cryptographic keys and the clear text messages, are put into a function which computes the protected messages sent over the communication link.
In such a known system, the following problem may arise:
Once the same cryptographic key and the same counter is used with different messages, then an attacker could exploit this fact to break security, at least in one of the following two ways.
1. For integrity protection, typically a message authentication code (MAC) is computed from a counter, a cryptographic key and a clear text message. The MAC is then appended to the clear text message and sent together with it over the communication link. The counter may serve to detect attempts by an attacker to replay a previous message, which may lead to undesirable or dangerous effects. When the counter and the cryptographic key are the same for two different messages, an attacker could replace one message with the other and the receiver would not be able to notice it.
2. For confidentiality protection, often a so-called cipher is used. Stream ciphers may be advantageous for radio links as they allow for easy error recovery. A stream cipher produces a pseudorandom bit stream (the key stream) which is XORed with a clear text message, thereby concealing the message from an eavesdropper. The receiver is able to generate the same key stream, subtracted from the received message and recover the clear text message. The generation of the key stream depends on a counter and a cryptographic key. When the counter and the cryptographic key are the same, only the key stream will be the same. But when two different clear text messages are XORed with the same key stream, then the attacker has a strong advantage in finding out the clear text messages.