On the (In)Security of 4G - Part X: Authentication and Key Agreement Procedure

4G Security “Onion” Layers

In the 4G Security Architecture TS 33.401, we find different layers of security:

  1. 4G Security Authentication Procedure - “Is a user an authorized subscriber to use the network? Is the network the one it claims to be?” - Performs mutual authentication of UE and Network and as a secondary purpose agrees on a mutually shared secret key.
  2. NAS (Non Access Stratum) Security - Establishes a secure connection between user and network and securely delivers (integrity protection and ciphering) the control data that travels over LTE radio links at NAS level (User Equipment (UE) <-> Mobility Management Entity (MME)).
  3. AS (Access Stratum) Security - Secures RRC signalling/control data (integrity protection and ciphering) and user data (ciphering) between the user and the 4G base station (UE <-> evolved Node B (eNB)).

Now that we have seen which keys exist, learnt the details of the key hierarchy in Part VIII and looked at the Initial Attachment Procedure UE <-> Network in Part VII, we go deeper into step 5a of that procedure: the UE authentication.

4G Authentication and Key Agreement (AKA)

What do we want with the AKA procedure? TS 33.401 defines the purpose of the AKA procedure as follows:

  1. EPS AKA shall produce keying material forming a basis for User Plane (UP), Radio Resource Control (RRC) (aka Access Stratum (AS) security), and Non Access Stratum (NAS) ciphering keys as well as RRC and NAS integrity protection keys.
  2. UE and MME are mutually authenticated to each other after the procedure.

4G AKA Prerequisites

  1. A Mobile Equipment (ME) that has Evolved Universal Terrestrial Radio Access Network (E-UTRAN) radio capability shall support the Universal Subscriber Identity Module (USIM)-ME interface as specified in TS 31.102. In other words: a Subscriber Identity Module (SIM) card without USIM-ME interface (prior to 3G) will not gain access to the E-UTRAN.
  2. Several keys are shared between UE and Home Subscriber Service (HSS): (1) The permanent key K is stored in the USIM on the Universal Integrated Circuit Card (UICC) and in the Authentication Center (AuC). (2) During the AKA run, the Cipher Key (CK) and the Integrity Key (IK) are derived within the AuC and the USIM.
  3. The HSS and the USIM keep track of Sequence Numbers (SQN) of messages exchanged between UE and HE: $SQN_{UE}$, $SQN_{HE}$

4G - A First Look at the AKA Run

Here we show a simplified example of the exchanged authentication and key agreement material. In later sub-chapters we will go deeper into each step and message exchange. Please note that 4G defines an Access Security Management Entity (ASME), an entity that receives the top-level key(s), which is usually the MME on the network side and the UE on the user side. This is also the reasoning behind the name of the top-level key, KASME.

A simplified view on the AKA procedure between UE and the network with the goal to achieve mutual entity authentication and derive the mutually shared key KASME.

  1. The UE provides a UE Identifier, which can be (1) permanent, as the International Mobile Subscriber Identity (IMSI); in most cases, however, (2) a temporary identifier such as the Temporary Mobile Subscriber Identity (TMSI) or the Globally Unique Temporary UE Identity (GUTI) is transmitted. The eNB receives this UE identifier and forwards it to the Evolved Packet Core (EPC), namely to the MME.
  2. The UE Identifier is passed on, together with the Serving Node (SN) ID, from the MME to the HSS (and the HSS inquires at the AuC about this UE Identifier and SN ID). Thus the backend now knows (1) who wants to gain access and (2) in which cell the UE is.
  3. The HSS/AuC generates a Random Nonce (RAND), takes the latest Sequence Number (SQN) shared between that particular UE and the network, increments the SQN by one, and uses these together with the pre-shared master key to compute two cryptographic outputs: (1) the Expected Response (XRES) and (2) the Authentication Token (AUTN). The AUTN consists of a Sequence Number (SQN), an Authentication Management Field (AMF) and a Message Authentication Code (MAC), with the MAC computed over RAND, SQN and AMF (TS 31.102 - Chapter 6.1). It generates a bunch of authentication vectors, chooses one and finally sends XRES, AUTN, RAND and KASME to the MME.
  4. The MME saves the XRES and AUTN fields, and generates the KSIASME - a key identifier for KASME and the further keys derived from KASME (see Part IX for a detailed view on 4G key hierarchy and derivation). It finally sends AUTN, RAND and KSIASME to the UE. The eNB forwards these fields to the UE.
  5. The USIM on the UE feeds AUTN, RAND, the secret key K, and its SQN into the same cryptographic function used by the HSS/AuC. This results in a Response (RES) value that is sent via the eNB to the MME. The MME checks whether RES and XRES match. If they do, the UE has been successfully authenticated to the network and vice versa, as both parties have proven knowledge of the previously shared permanent key K. At that stage, the USIM can generate IK, CK and from there KASME and pass that information to the ME, where further key derivation takes place (see Part IX) until encrypted traffic can commence.

4G AKA - Let’s go deeper…

Now that we have seen how the procedure works in general, we want to provide a more detailed view.

Detailed run of the 4G AKA Procedure. Details from TS 31.102, TS 33.401

Now let’s break this down.

  1. In Part IX, we discussed the initial attach procedure. The first message of the UE carries (1) a UE identifier (temporary: TMSI, GUTI, …, permanent: IMSI), (2) the UE NW - CAP (UE Network Capabilities), i.e. which security algorithms are supported (e.g. EEA0=on, EEA1=on, EEA2=off, EEA3=off, EIA0=on, EIA1=on, EIA2=off, EIA3=off; (EEA0, EIA0) tells the E-UTRAN that no ciphering/integrity algorithms can be used by the UE, for more details refer to Part IX) and (3) KSIASME=7, indicating that the UE has no authentication key as of yet. KSIASME is 3 bits long and identifies shared keys between UE and MME.

  2. The MME initiates the 4G authentication procedure (as it recognizes that the UE has no KASME available) by sending an Authentication Data Request to the HSS. This message carries (1) a UE Identifier, (2) the Serving Network (SN) ID, referring to the network accessed by the user (it consists of the Public Land Mobile Network (PLMN) ID (Mobile Country Code (MCC) + Mobile Network Code (MNC))), (3) n, the number of Authentication Vectors (AV) that the MME requests and (4) NW Type (Network Type), the type of the network that the UE tries to access (for 4G: E-UTRAN). The NW Type also carries the Separation Bit in the Authentication Management Field (AMF), telling the HSS how to proceed and what to do next. The HSS generates the requested number of AVs by first generating n Random Nonces (RAND) and n Sequence Numbers (SQN) (by simply incrementing the last known SQN shared with that UE up to n times). The Authentication Vector (AV) generation at the HSS then follows as specified in TS 31.102 subclause 6.3.2:

    HSS Authentication Vector generation.
    Functions f1, f1*, f2, f3, f4, f5 and f5* are detailed in TS 35.206. The result of this process is (1) $AUTN := SQN \oplus AK || AMF || MAC$ and (2) $AV_i := RAND_i || XRES_i || CK_i || IK_i || AUTN_i$ with $i \in \{0,\dots,n-1\}$.

  3. Now if the separation bit is set to zero (SeparationBit=0), the generated CK and IK may leave the HSS. 1) Then the HSS sends the n generated AVs to the MME in n Authentication Data Responses. The MME then chooses an AV and calculates a KASME key as described in Part IX. With $S = 0x10 || SN\ ID || len(SN\ ID) || SQN \oplus AK || len(SQN \oplus AK)$ the MME can derive $K_{ASME} = \text{HMAC-SHA-256}_{(CK||IK)}(S)$. 2) If the separation bit was set to one (SeparationBit=1), the generated CK and IK may never leave the HSS. Thus the HSS computes $K_{ASME} = \text{HMAC-SHA-256}_{(CK||IK)}(S)$ and $AV_i := RAND_i || XRES_i || K_{ASME,i} || AUTN_i$. The Authentication Data Responses now carry the different AVs containing KASME instead of IK, CK. No matter how the MME obtained KASME, it saves that specific KASME as the possible shared key with the UE for further key derivation, and the corresponding Expected Response (XRES) for later comparison with the UE’s Response (RES).

  4. The MME sends the User Authentication Request message, containing (1) the chosen random number $RAND_i$, (2) the authentication token $AUTN_i$ and (3) the key identifier $KSI_{ASME,i}$ for the key $K_{ASME,i}$ that was already derived by the MME from the AV it chose. The UE now has to perform a series of steps. Especially the Authentication Token (AUTN) generation at the UE as specified in TS 31.102 subclause 6.3.3 is important:

    UE Authentication Token generation.
    Functions f1, f1*, f2, f3, f4, f5 and f5* are again detailed in TS 35.206. With the UE Identifier (IMSI) and key $K$ provided by the USIM and $RAND_i$, $SQN_i$ provided by the HSS, via the $AUTN_i := SQN_i \oplus AK_i || AMF_i || MAC_i$ delivered in the User Authentication Request message, the UE starts by computing the Anonymity Key (AK). From there the UE can calculate the $SQN$ and the Expected MAC (XMAC) (here $XMAC_{UE,i}$, as the UE has computed that XMAC for the i-th AUTN as sent by the HSS). The UE then compares $MAC_i == XMAC_{UE,i}$.

  5. If $MAC_i$ and $XMAC_{UE,i}$ DO NOT match, something went wrong. 3) Either the data was maliciously manipulated on the data link, or some bit flip occurred on the way from the HSS to the UE. With this, the authentication UE <- MME fails and the UE replies with a User Authentication Failure message. This message details (1) the UE identity (e.g. IMSI), (2) the cause of the authentication failure (CAUSE), (3) the Access Type, (4) Authentication Retry Attempt and (5) the random number $RAND_i$ for which the failure happened. What the MME does with this information, whether it tries again with another AV, which entities it informs etc., is all described in TS 24.301 and TS 31.102. If $MAC_i$ and $XMAC_{UE,i}$ match, the UE proceeds to verify whether $SQN_{UE,i}$ is in the correct range (again $SQN_{UE,i}$, because the UE computed it for the i-th AV). The correct range can be determined because the UE and HSS keep a record of previously used Sequence Numbers (SQN); if the HSS used one far ahead of (or behind) the UE, or someone tried to manipulate the SQN, the UE now knows something is off. If $SQN_{UE,i}$ is NOT in the correct range, something went wrong. 4) The UE then proceeds to calculate the AUTS parameter, which basically tells the 4G network for which $SQN$ the authentication procedure failed and protects it with its own Message Authentication Code (MAC). The AUTS generation is detailed in TS 31.102 subclause 6.3.3:

    UE AUTS generation.
    The $AUTS_i$ parameter and the $RAND_i$ parameter are sent back to the MME within a Synchronization Failure message. How the MME proceeds from here is specified in TS 31.102. 5) If $MAC_i$ and $XMAC_{UE,i}$ match and $SQN_{UE,i}$ is in the right SQN range, the HSS is authenticated to the UE. Then the UE Response (RES) is calculated with $f2_K(RAND_i) = RES_{UE,i}$. This value is sent back within the User Authentication Response message. The MME checks whether $XRES_i == RES_{UE,i}$. If they DO NOT match, the MME applies the measures specified in TS 24.301 and TS 31.102. If $XRES_i$ and $RES_{UE,i}$ match, the UE is authenticated to the HSS. Thus UE <-> HSS are mutually authenticated now! Then the UE derives its $K_{ASME,UE}$: $f3_K(RAND_i) = CK_{UE,i}$, $f4_K(RAND_i) = IK_{UE,i}$, $S_{UE} = 0x10 || SN\ ID || len(SN\ ID) || SQN_{UE,i} \oplus AK || len(SQN_{UE,i} \oplus AK)$ and finally $K_{ASME,UE} = \text{HMAC-SHA-256}_{(CK_{UE,i}||IK_{UE,i})}(S_{UE})$. Now UE and MME have mutually authenticated to each other and share a key $K_{ASME,UE} == K_{ASME,i}$, from which further keys can be derived to secure the communication.
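
The UE-side checks and the $K_{ASME}$ derivation from steps 3 to 5, as an added example that is not part of the original post. f1 to f5 are replaced by a truncated HMAC-SHA-256 stand-in (not the MILENAGE functions of TS 35.206); the key, RAND, SQN values, AMF, SN ID, the 2-octet length encoding inside S and the SQN window of 32 are assumptions made for this sketch.

```python
import hashlib
import hmac

def prf(k, label, rand, n):
    # Stand-in for f1..f5: HMAC-SHA-256 truncated to n bytes. NOT MILENAGE (TS 35.206).
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f1(k, rand, sqn, amf):
    return prf(k, b"f1" + sqn + amf, rand, 8)           # MAC over RAND, SQN, AMF

def kasme(ck, ik, sn_id, sqn_xor_ak):
    # S = 0x10 || SN ID || len(SN ID) || SQN xor AK || len(SQN xor AK)
    s = (b"\x10" + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()

def hss_make_av(k, rand, sqn, amf, sn_id):
    ak = prf(k, b"f5", rand, 6)
    autn = xor(sqn, ak) + amf + f1(k, rand, sqn, amf)   # SQN xor AK || AMF || MAC
    ck, ik = prf(k, b"f3", rand, 16), prf(k, b"f4", rand, 16)
    # SeparationBit=1 case: CK and IK stay in the HSS, the AV carries K_ASME
    return rand, prf(k, b"f2", rand, 8), kasme(ck, ik, sn_id, autn[:6]), autn

def ue_check(k, rand, autn, sqn_ue, sn_id, window=32):
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(sqn_xor_ak, prf(k, b"f5", rand, 6))       # remove AK to recover SQN
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return "MAC failure", None, None                # case 3): XMAC != MAC
    ahead = int.from_bytes(sqn, "big") - int.from_bytes(sqn_ue, "big")
    if not 0 < ahead <= window:                         # window size is an assumption
        return "Synch failure", None, None              # case 4): SQN out of range
    ck, ik = prf(k, b"f3", rand, 16), prf(k, b"f4", rand, 16)
    return "OK", prf(k, b"f2", rand, 8), kasme(ck, ik, sn_id, sqn_xor_ak)

# Constructed sample values, not taken from any real subscriber or network.
K = bytes(range(16))
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
SQN_UE, SQN_HE = (41).to_bytes(6, "big"), (42).to_bytes(6, "big")
AMF, SN_ID = b"\x80\x00", bytes.fromhex("00f110")

if __name__ == "__main__":
    rand, xres, k_hss, autn = hss_make_av(K, RAND, SQN_HE, AMF, SN_ID)
    status, res, k_ue = ue_check(K, rand, autn, SQN_UE, SN_ID)
    print(status, hmac.compare_digest(res, xres), k_ue == k_hss)
    print(ue_check(K, rand, autn, SQN_HE, SN_ID)[0])    # same SQN again: replayed AV
```

Because the SN ID is an input to S, a UE that evaluates the same AUTN under a different SN ID ends up with a different $K_{ASME}$ than the HSS, even though the MAC and SQN checks pass.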

Summary

In this post, we looked at the authentication of UE and HSS to each other and at how both communication parties, the “smartphone” or any mobile device and the network, agree on a commonly shared key, from which subsequent keys can be derived. Essentially we covered the first and most important layer of 4G security. In the next post we look at NAS and AS security.

See you soon. :)

Here you can read Part IX and Part XI.

Abbreviations

  • Access Security Management Entity (ASME)
  • Access Stratum (AS)
  • Anonymity Key (AK)
  • Authentication Center (AuC)
  • Authentication Management Field (AMF)
  • Authentication Token (AUTN)
  • Authentication Vector (AV)
  • Authentication and Key Agreement Procedure (AKA)
  • Cipher Key (CK)
  • Evolved Packet Core (EPC)
  • Expected MAC (XMAC)
  • Expected Response (XRES)
  • Evolved Universal Terrestrial Radio Access Network (E-UTRAN)
  • Globally Unique Temporary UE Identity (GUTI)
  • Home Environment (HE)
  • Home Subscriber Service (HSS)
  • Integrity Key (IK)
  • International Mobile Subscriber Identity (IMSI)
  • Message Authentication Code (MAC)
  • Mobile Country Code (MCC)
  • Mobile Equipment (ME)
  • Mobile Network Code (MNC)
  • Mobility Management Entity (MME)
  • Non Access Stratum (NAS)
  • Public Land Mobile Network (PLMN)
  • Radio Resource Control (RRC)
  • Random Nonce (RAND)
  • Response (RES)
  • Sequence Number (SQN)
  • Serving Node (SN)
  • Subscriber Identity Module (SIM)
  • Temporary Mobile Subscriber Identity (TMSI)
  • User Equipment (UE)
  • Universal Integrated Circuit Card (UICC)
  • Universal Subscriber Identity Module (USIM)
  • User Plane (UP)
Nils Mäurer
Group Head - Cybersecurity Architectures

My research interests include security of wireless communications systems, digital aeronautical communications systems, digital avionics and cybersecurity.