hit.skku.edu/~hkchoi/pubs/aka_modeling_lcn_slide.pdf · Chan-Kyu Han, Hyoung-Kee Choi, Jung Woo Baek, Ho Woo Lee

Page 1:

Chan-Kyu Han, Hyoung-Kee Choi, Jung Woo Baek, Ho Woo Lee

Sungkyunkwan University

hkchoi@ece.skku.ac.kr

IEEE LCN 2009, Zürich, Switzerland, 20-23 October, 2009

Page 2:

Introducing the revised security architecture in 3GPP LTE/SAE

Relaxing the Poisson assumption in authentication request process

Renewal process and renewal reward theorem

Exploring new authentication triggers

e.g. horizontal and vertical handover, multimedia requests

Observing signaling cost of each authentication event

Analyzing the effect of arrival rate, exceptional cases and various random processes on the signaling load in mobile networks

Page 3:

Multiple-access network

Revised UMTS-AKA

Long Term Evolution

(Evolved-UTRAN)

System architecture evolution (Evolved Packet System)

All IP-based multimedia service

Heterogeneous mobility

Page 4:

[Figure: EPC-AKA message flow among UE, MME and HSS. Labels on the figure: MME, HSS, UE, Handover, MME GUTI, IMSI, [RAND, KASME, AUTN, RES]i..K]

UAR: User authentication req./res.
ADR: Authentication data req./res.
CTR: Context transfer req./res.

One set of authentication vector for performance reason

Backward compatibility for vector-based UMTS-AKA

Including network identity to prevent redirection attack

Key hierarchy: (CK, IK) for HSS/AuC and KASME for MME

Page 5:

Criteria        | UMTS-AKA                                                  | EPC-AKA
----------------|-----------------------------------------------------------|----------------------------------------------------------------------------
Vulnerability   | Redirection, false BS attack [ZHANG05-IEEE Trans. Wcomm.] | Has not been reported
Authentication  | Vector-based                                              | Vector- or key reuse-based
ID protection   | TMSI (limited)                                            | GUTI (limited)
Key material    | CK, IK (VLR, HLR/AuC)                                     | KeNB (eNodeB), KASME (MME), CK and IK (HSS)
Confidentiality | Only at the AS                                            | AS and NAS (signaling only)
Integrity       | Only at the AS                                            | AS and NAS
Support         | (1) Call origin./termin. (2) Location update              | (1) Call origin./termin. (2) Multimedia service (3) Various location update

Page 6:

Various authentication request types

i.e., call origination/termination, multimedia service, X2/S1 handover and Inter RAT handover

Various random processes rather than the Poisson assumption

Repeated ADR request every K UAR/CTR requests

Signaling cost for every repeated authentication cycle

Page 7:

R(t): total reward earned by t

N(t): the counting process of renewal process X

E[R]: expected reward (cost)

E[X]: expected length of renewal process X

$$R(t)=\sum_{n=1}^{N(t)} R_n,\qquad \lim_{t\to\infty}\frac{R(t)}{t}=\lim_{t\to\infty}\frac{R(t)}{N(t)}\cdot\frac{N(t)}{t}=\frac{E[R]}{E[X]}$$

Page 8:

tx,y: x-th ADR within y-th UAR

Yi: duration of each authentication event

[tn,K,tn+1,K]: The expected value of the renewal interval

• Recursive and reproductive process
• Renewal epoch: [tn,K]

Renewal process

Page 9:

f(Y): probability density function of renewal length Y

Bernoulli distribution with pi for each authentication trigger Xi

Xi: i-th authentication trigger

• call origination/termination, multimedia service, X2/S1 handover and Inter RAT handover

• M: number of authentication triggers (= 5)

Ci: the total signaling cost of completion of Xi

K: the number of authentication vectors

$$f(Y)=\sum_{i=1}^{M} p_i\, f(X_i),\qquad \text{where } \sum_{i=1}^{M} p_i = 1$$

$$E[R]=C_0+(K-1)\sum_{i=1}^{M} p_i\, C_i,\qquad E[Y]=\sum_{i=1}^{M} p_i\, E[X_i]$$

Page 10:

C(K): normalized expected signaling cost

pε: exceptional authentication trigger

pε,k = pε·(1−pε)^k

i.e., power-off, S1 handover to different domain, and Non-3GPP access

D: SIP signaling load and processing time for generating authentication vector

$$C(K)=\frac{E[R]}{E[N]}$$

$$E[R]=\sum_{k=0}^{K-1} p_{\varepsilon,k}\Big(C_0 + k\sum_{i=1}^{M} p_i\, C_i\Big),\qquad E[N]=K\int_{0}^{\infty} Y\, f(Y)\,dY + E[D]$$

Page 11:

Without multiple authentication vectors

Key revocation: KASME is either compromised or reaches the end of its period T

T(xi) / t(xi): the CDF / PDF of the lifetime T of KASME

C-1: rekeying cost for all EPS network entities when KASME is compromised

$$E[N]=\int_{0}^{T} E[Y\mid X=x]\,dT(x)=\int_{0}^{T} x\, t(x)\,dx + T\int_{T}^{\infty} t(x)\,dx$$

$$E[R]=(C_{-1}+C_i)\int_{0}^{T} t(x)\,dx + C_i\int_{T}^{\infty} t(x)\,dx$$

$$C(t)=\sum_{i=1}^{M} p_i\,\frac{E[R]}{E[N]}$$

Page 12:

Cost | Authentication event          | Asymptotic signaling cost
-----|-------------------------------|---------------------------
C0   | Authentication vector fetch to HSS | 2α+2β+4γ+K·CSHA-1
C1   | Call origination              | 4α+9β
     | Call termination              | 2α+5β
C2   | Multimedia request            | 4α+4β+4γ
C3   | X2 handover                   | 4α+10β+3γ
C4   | S1 handover                   | 6α+14β+21γ
C4   | Inter RAT handover            | 2α+7β+13γ
CTAU | Tracking area update (TAU)    | 4α+6β+3γ
C-1  | Revocation / Rekeying         | C0+2α+2β+2γ

α: RTT between UE and eNodeB
β: RTT within the EPC core
γ: RTT across the serving domain
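Added worked example (my code, not from the slides): it evaluates the long-run signaling cost rate E[R]/E[N] given by the renewal-reward theorem for a range of K, using the slide-12 cost expressions with assumed numeric values for α, β, γ and CSHA-1, assumed trigger probabilities pi and mean inter-arrival times E[Xi], and a simplified cycle model in which an exceptional trigger (probability pε after each authentication) discards the remaining vectors and forces a new ADR.

```python
# Worked example, not the slides' own formula: cost rate vs. K under a
# renewal-reward model built from the slide-12 cost table.
ALPHA, BETA, GAMMA = 1.0, 2.0, 5.0   # assumed RTTs; the slides keep them symbolic
C_SHA1 = 0.5                         # assumed per-vector generation cost

def c0(K):
    """C0 from the slide-12 table: AV fetch to HSS = 2α+2β+4γ+K·CSHA-1."""
    return 2 * ALPHA + 2 * BETA + 4 * GAMMA + K * C_SHA1

# (completion cost C_i from slide 12, assumed p_i, assumed E[X_i] in time units)
TRIGGERS = {
    "call origination": (4 * ALPHA + 9 * BETA,               0.4, 10.0),
    "multimedia":       (4 * ALPHA + 4 * BETA + 4 * GAMMA,   0.3, 15.0),
    "X2 handover":      (4 * ALPHA + 10 * BETA + 3 * GAMMA,  0.2, 20.0),
    "S1 handover":      (6 * ALPHA + 14 * BETA + 21 * GAMMA, 0.1, 60.0),
}

def cycle_stats(K, p_eps):
    """Return (E[R], E[N]) for one renewal cycle that starts with K vectors."""
    c_bar = sum(c * p for c, p, _ in TRIGGERS.values())  # mean cost per authentication
    y_bar = sum(x * p for _, p, x in TRIGGERS.values())  # E[Y] of the mixture f(Y)
    # Authentications per cycle = min(K, 1 + Geometric(p_eps)); the slide's
    # p_eps,k = p_eps*(1-p_eps)^k is the chance the cycle is cut after k+1 of
    # them, so the expected count is sum_{k<K} (1-p_eps)^k.
    n_auth = sum((1.0 - p_eps) ** k for k in range(K))
    return c0(K) + n_auth * c_bar, n_auth * y_bar

def cost_rate(K, p_eps):
    """Renewal-reward theorem: long-run cost per unit time = E[R] / E[N]."""
    r, n = cycle_stats(K, p_eps)
    return r / n

def optimal_k(p_eps, k_max=40):
    """K in 1..k_max that minimises the long-run signaling cost rate."""
    return min(range(1, k_max + 1), key=lambda k: cost_rate(k, p_eps))

if __name__ == "__main__":
    for p in (0.1, 0.01, 0.001):   # the p_eps values used on slide 15
        k = optimal_k(p)
        print(f"p_eps={p:<6} optimal K={k:>2}  cost rate={cost_rate(k, p):.3f}")
```

A larger pε pushes the optimal K down, reproducing the trend on slide 15; with pε = 0 the fetch cost is amortized ever further and the optimum sits at k_max.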

Page 13:

λi: inter-arrival process for Xi (exponential distribution for all authentication triggers)

C4: 6α+14β, C4: 4α+14β+21γ

[Figure: Total signaling cost C(K) versus number of authentication vectors K. Legend: Case 1: =2, =2; Case 2: =5, =5; Case 3: =5, =10; Case 4: =5, ,1=10; Case 5: =5, ,4=10]

• Arrival rate (λi): a higher rate increases the cost (Cases 1 and 2)

• Setup delay: insignificant effect (Cases 2 and 3)

• Signaling cost of X4: greater effect on the total signaling cost (Cases 4 and 5)

Page 14:

pi: the probability of each authentication trigger Xi

v: the distribution pattern of pi (variance)

[Figure: Total signaling cost C(K) versus number of authentication vectors K. Legend: v=0 (K=2.81); v=0.22 (K=3.95); v=0.13 (K=3.61)]

• Lower variation: decreases the optimal K and minimizes C(K)

• A propensity toward a certain event (e.g., teenagers, business users) agitates the system less

Page 15:

pε: exceptional authentication trigger

i.e., power-off, S1 handover to a different domain, and non-3GPP access

[Figure: Total signaling cost C(K) versus number of authentication vectors K. Legend: pε=0.1 (K=0.79); pε=0.01 (K=2.81); pε=0.001 (K=10.20)]

• Higher pε: increases the total signaling cost and decreases the optimal K value

• Optimal K value < 1 (pε = 0.1): vector-based EPC-AKA is meaningless

Page 16:

[Figure: Total signaling cost Cost(K) versus number of authentication vectors K; optima at K=3.75, K=7.17, K=3.67. Legend: (1) X2: exponential, X3: Rayleigh, X4: Cumulative Rayleigh, X5: exponential; (2) X2: exponential, X3: exponential, X4: hypoexponential, X5: 3-stage Erlang; (3) X2: Pareto, X3: exponential, X4: hypoexponential, X5: 3-stage Erlang]

• Rayleigh distribution: a two-dimensional vector, suitable for handover (the subscriber's velocity and the cell coverage of the eNodeB)

[Figure: Total signaling cost Cost(K) versus number of authentication vectors K. Legend: Baseline (K=10.20); Pareto (multimedia) (K=9.35); Erlang (initialization) (K=7.96)]

• Pareto distribution: suitable for multimedia services

• The baseline without Pareto suffers from underestimation

Page 17:

An introduction of security in 3GPP LTE/SAE

Authentication procedures

Type of handovers

Mathematical framework for analyzing authentication signaling load

Numerical results: the effects of various random processes, the arrival rate, exceptional cases, etc.

Our result establishes the necessity of studying mobility management, security policy, and various random arrival processes

Page 18:

For more information:

http://hit.skku.edu/~hedwig/