Cryptology ePrint Archive: Report 2016/364

Cryptographic Analysis of the 3GPP AKA Protocol

Stéphanie Alt and Pierre-Alain Fouque and Gilles Macario-rat and Cristina Onete and Benjamin Richard

Abstract: Secure communications between mobile subscribers and their associated operator networks require mutual authentication and key derivation protocols. The 3GPP standard provides the \aka\ protocol for just this purpose. Its structure is generic, to be instantiated with a set of seven cryptographic algorithms. The currently-used proposal instantiates these by means of a set of AES-based algorithms called Milenage; as an alternative, the ETSI SAGE committee submitted the TUAK algorithms, which rely on a truncation of the internal permutation of Keccak.

In this paper, we provide a formal security analysis of the \aka\ protocol in its complete three-party setting. We formulate requirements with respect to both Man-in-the-Middle (MiM) adversaries, i.e. key-indistinguishability and impersonation security, and to local untrusted serving networks, denoted "servers", namely state-confidentiality and soundness. We prove that the unmodified AKA protocol attains these properties as long as servers cannot be corrupted. Furthermore, adding a unique server identifier suffices to guarantee all the security statements even in in the presence of corrupted servers. We use a modular proof approach: the first step is to prove the security of (modified and unmodified) AKA with generic cryptographic algorithms that can be represented as a unitary pseudorandom function --PRF-- keyed either with the client's secret key or with the operator key. A second step proceeds to show that TUAK and Milenage guarantee this type of pseudorandomness, though the guarantee for Milenage requires a stronger assumption. Our paper provides (to our knowledge) the first complete, rigorous analysis of the original AKA protocol and these two instantiations. We stress that such an analysis is important for any protocol deployed in real-life scenarios.

Category / Keywords: cryptographic protocols / AKA protocol, AKE protocols, provable security, real-world cryptography

Original Publication (with major differences): Proceedings of ACNS 2016

Date: received 8 Apr 2016, withdrawn 13 May 2016

Contact author: cristina,onete at gmail com

Available format(s): (-- withdrawn --)

Note: This is a duplicate of paper 2016/317

Version: 20160513:172929 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]