In constrained environments where computation power, storage space, and bandwidth are severely limited, as is the case for mobile phones, public-key cryptography was considered inefficient and therefore not a viable option. However, with the advent of faster processors and more efficient public-key cryptographic techniques, such as use of elliptic curve mathematics, traditional obstacles that prohibited use of public-key cryptography have essentially been overcome. Indeed, public-key cryptography has already been incorporated into mobile phones for applications as well as over the air service provisioning. These events allow the wireless industry to exploit the advantages of public-key cryptography in third generation systems.
Mobile phones that communicate over RF networks represent a classic example of the problems facing data security. RF networks are easy to eavesdrop on, so data sent by a phone can easily be monitored by an adversary, and the medium itself prevents data from being placed in physically opaque envelopes to ensure secrecy. In fact, data sent over RF networks by mobile phones is subject not just to eavesdropping: it is also possible for an adversary to intercept messages and replace, delete, or subvert them. Mobile phone users therefore need diverse security services, such as the assurance that the data they receive is genuine as well as the assurance that the data they send will remain secret. Data security services needed between a mobile phone and a service provider communicating over an RF network include:
Data Confidentiality: Both the mobile phone user and the service provider may want messages they exchange to remain secret. For example, the mobile phone user may want adversaries to be unable to eavesdrop on sensitive calls.
Data Integrity: Both the mobile phone user and the service provider may want messages they exchange to remain unaltered. For example, the service provider may want the assurance that the call request it receives specifies the same number that the user dialed so that the call can be completed as dialed.
Data Authentication: Both the mobile phone user and the service provider may want to know the origin of data they receive. For example, the service provider may want to know the origin of a call request so that it can decide whether to complete the call.
Non-repudiation: The mobile phone user may wish to send data that is non-repudiable, meaning that the user cannot later deny sending the data. For example, the user may wish to complete a financial transaction such as buying stock over the phone.
Device or entity authentication: Both the mobile phone user and the service provider may want to know who they are communicating with. For example, the service provider may want to check that it is communicating with a paid-up mobile phone user before allowing the user to place calls. Device authentication should prohibit in particular an adversary from replaying the authorization sent by a valid user in order to gain access to the network.
Cryptography is capable of providing all these services. Encryption schemes can be used to provide data confidentiality, message authentication codes (MACs) or signature schemes can be used to provide data integrity and data authentication, and signature schemes can be used to provide non-repudiation. Entity authentication can be provided using more complicated protocols built out of encryption schemes, message authentication codes, and signature schemes.
Currently, security in cellular networks is limited primarily to device authentication. Before allowing a mobile phone network access, the network or service provider authenticates the phone using a protocol based on a message authentication code. The need for additional security services like those listed above has motivated the cellular industry to provide more comprehensive security in future third generation systems.
Authentication in current RF systems consists of device authentication based on symmetric cryptography. The mobile station is provisioned with an Authentication Key, referred to as the A-key, prior to any communication with the cellular network. The A-key is also provisioned in the Authentication Center (AC) of the service provider or home network. The process of provisioning the A-key in the mobile station is part of “service provisioning”, during which other mobile station specific information is also provisioned. While there are several ways to provision the A-key, Over-The-Air Service Provisioning (OTASP) is recommended. OTASP uses the Diffie-Hellman protocol to create the A-key concurrently in the AC and the mobile station.
The A-key is then used to create session keys known as SSDs (Shared Secret Data), which are stored in the mobile station and the home network and are used to authenticate the mobile station. The SSDs are derived by hashing the A-key and other information, such as the mobile station's identity. When a user is roaming in another part of the network the home network, at the discretion of the service provider, may decide to share the SSD with the serving network to enable the serving network to authenticate the mobile device itself using SSD. Alternatively, the service provider may require the serving network to authenticate the mobile station by checking with the home network each time. Sharing SSDs with the serving network saves signaling traffic between the two networks when the user is roaming but it also requires a degree of trust in the serving network, since knowledge of SSD enables the serving network to impersonate the mobile station.
When a mobile station powers on, it “registers” with the network. During registration, the mobile station sends its identity to the serving network (assume that the mobile station is roaming) along with an authentication string or MAC (for simplicity, the term MAC is used throughout the rest of the document for authentication string) that is created by hashing SSD, identity information, a random challenge (a 32-bit number broadcast by the base station), and other information. The serving network queries the user's home network to register the mobile station. The home network, at this point, determines whether the SSD is to be shared with the serving network. If so, the SSD is passed to the serving network. The serving network computes the MAC using the same inputs as the mobile station. If the computed MAC matches the one sent by the mobile station, the mobile station is considered authenticated.
The serving network keeps the SSD associated with the mobile station for the duration of the time that the user is registered in that network. During that time, if the user originates a call (referred to as call origination), the mobile station is again authenticated in the same way as it was for registration, except that dialed digits may be used as additional input to the hash. Once again, the serving network computes the MAC and verifies that the two MACs match, thereby authenticating the mobile station. In addition, if a call is received for the user (referred to as call termination), the same procedure is repeated. In short, authentication is based on calculation of a MAC, which is a hash of SSD, a random challenge from the serving network or base station, and other input, such as the mobile station's identity and/or dialed digits.
The Authentication Center in the home network may decide to update the SSD in the mobile station, referred to as SSD update. This is accomplished by sending a request to the mobile station to generate a new SSD. In this scenario, mutual authentication of the mobile station to the home network and of the home network to the mobile station is performed prior to storage of the newly generated SSD in the mobile station. The authentication of the home network consists of the following: the mobile station sends a random challenge to the AC; the AC computes a MAC using a component of SSD, the random challenge, and other information, and sends it to the mobile station; the mobile station verifies the received MAC with its own computed value.
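The registration, call-origination and SSD-update exchanges described above, as an added example that is not from the original text: HMAC-SHA256 stands in for the unpublished CAVE algorithm (an assumption), the 8-byte MAC truncation and the "first half of SSD" component are assumptions, and the identity, A-key and dialed digits are constructed sample values. The replay and dialed-digit checks show why the broadcast RAND and the digits are bound into the MAC.

```python
import hashlib
import hmac
import secrets

def keyed_hash(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash standing in for CAVE (an assumption; CAVE itself is unpublished)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def derive_ssd(a_key: bytes, identity: bytes) -> bytes:
    """SSD is derived by hashing the A-key together with the mobile station's identity."""
    return keyed_hash(a_key, b"SSD", identity)

def mobile_mac(ssd: bytes, identity: bytes, rand: int, digits: bytes = b"") -> bytes:
    """MAC the mobile sends: hash of SSD, identity, the 32-bit broadcast challenge
    and, on call origination, the dialed digits (truncated to 8 bytes here)."""
    return keyed_hash(ssd, identity, rand.to_bytes(4, "big"), digits)[:8]

def ac_mac(ssd: bytes, mobile_rand: int) -> bytes:
    """SSD update: the AC answers the mobile's own challenge with a MAC over a
    component of SSD (assumed here to be its first half) to prove it is genuine."""
    return keyed_hash(ssd[:16], b"AC", mobile_rand.to_bytes(4, "big"))[:8]

class ServingNetwork:
    def __init__(self, shared_ssd: dict) -> None:
        self.ssd = shared_ssd                  # identity -> SSD shared by the home network
    def challenge(self) -> int:
        return secrets.randbits(32)            # RAND broadcast by the base station
    def verify(self, identity: bytes, rand: int, mac: bytes, digits: bytes = b"") -> bool:
        expected = mobile_mac(self.ssd[identity], identity, rand, digits)
        return hmac.compare_digest(expected, mac)

def run_flows() -> dict:
    identity = b"MIN:5551234567"                       # constructed sample identity
    ssd = derive_ssd(bytes.fromhex("0123456789abcdef"), identity)  # constructed A-key
    net = ServingNetwork({identity: ssd})
    rand1 = net.challenge()                            # registration
    mac1 = mobile_mac(ssd, identity, rand1)
    rand2 = rand1 ^ 1                                  # a later access, different RAND
    call_mac = mobile_mac(ssd, identity, rand2, b"18005551212")  # call origination
    mobile_rand = secrets.randbits(32)                 # SSD update: mobile challenges AC
    ac_response = ac_mac(ssd, mobile_rand)             # computed by the home AC
    impostor_ssd = derive_ssd(b"\x00" * 8, identity)   # a network that never got SSD
    return {
        "registration": net.verify(identity, rand1, mac1),
        "replay_rejected": not net.verify(identity, rand2, mac1),
        "digit_tamper_rejected": not net.verify(identity, rand2, call_mac, b"19005551212"),
        "network_authenticated": hmac.compare_digest(ac_mac(ssd, mobile_rand), ac_response),
        "impostor_rejected": not hmac.compare_digest(ac_mac(ssd, mobile_rand), ac_mac(impostor_ssd, mobile_rand)),
    }
```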
There are a number of weaknesses with the current authentication system.
It requires the backbone network connecting the home network and the serving network to be very secure. Messages exchanged on this network must be exchanged confidentially; otherwise, an eavesdropper monitoring this channel can impersonate any active mobile station.
It imposes high security requirements on the Authentication Center of each service provider. Maintaining the confidentiality of the A-key database at the Authentication Center is essential; otherwise, anyone who learns the contents of the database can impersonate any mobile station at any time. This problem is exacerbated by the fact that there is no effective disaster recovery mechanism in the event of Authentication Center compromise.
There are security concerns over SSD sharing. If the home network decides to share SSDs with serving networks, this enables the serving network to impersonate mobile stations.
The CAVE algorithm, which is used to provide authentication, itself has security concerns. CAVE has not been published and has not received widespread scrutiny by the cryptographic community. Compromise of CAVE could cause embarrassment for the cellular community, which has already been hurt by the use of unpublished algorithms, such as CMEA.
There are efficiency concerns. A large amount of communication is required on the backbone network linking the home network and the serving network. This communication is substantially increased if the home network is not sharing SSDs with the serving network since now the serving network must communicate with the home network each time it wants to authenticate the mobile station.
Most importantly, the current system does not provide sufficient security services. Device authentication provides limited security to the network since there remains the possibility that an adversary can hijack service after device authentication has been performed. Furthermore, the limited deployment of data privacy services presents a major problem since it means users are wary of placing sensitive calls over the cellular network. This issue will become particularly important in the future if the cellular industry wants to support advanced features like internet browsing and over the air financial transactions.
Global roaming, one of the most promising features of third generation systems, will heighten many of these concerns.
The deployment of a third generation system affords the cellular industry an opportunity to address the deficiencies of the current authentication system. The third generation authentication system therefore needs to meet the following requirements:
Minimization of computation time required by mobile stations for generation of appropriate keys on each access. Since authentication is used for every call, performance is an important consideration. Security should not negatively affect the service offered to the end user.
Ability to provide non-repudiation. This is extremely useful in services that are expected to drive deployment of third generation systems.
Minimization of extra network infrastructure. Since third generation is a migration from second generation systems, it is important to take advantage of the current infrastructure in place, where possible.
Scalability. As more and more cellular systems are brought into service each year and with many carriers aiming to provide worldwide roaming, third generation ESA and ESP should provide for the ability to scale without imposing additional costs on carriers.