Cryptology ePrint Archive: Report 2016/480

Achieving Better Privacy for the 3GPP AKA Protocol

Pierre-Alain Fouque and Cristina Onete and Benjamin Richard

Abstract: Proposed by the 3rd Generation Partnership Project (3GPP) as a standard for 3G and 4G mobile-network communications, the AKA protocol is meant to provide a mutually-authenticated key-exchange between clients and associated network servers. As a result, AKA must guarantee the indistinguishability from random of the session keys (key-indistinguishability), as well as client- and server-impersonation resistance. A paramount requirement is also that of client privacy, which 3GPP defines in terms of: user identity confidentiality, service untraceability, and location untraceability. Moreover, since servers are sometimes untrusted (in the case of roaming), the AKA protocol must also protect clients with respect to these third parties. Following the description of client-tracking attacks (e.g., by using error messages or IMSI catchers), van den Broek et al. and Arapinis et al. each proposed a new variant of AKA addressing such problems. In this paper we use the approach of provable security to show that these variants still fail to guarantee the privacy of mobile clients. We propose an improvement of AKA, which retains most of its structure and respects practical necessities such as key management, but which provably attains security with respect to servers and Man-in-the-Middle (MiM) adversaries. Moreover, it is impossible to link client sessions in the absence of client-corruptions. Finally, we prove that any variant of AKA retaining its mutual authentication specificities cannot achieve client-unlinkability in the presence of corruptions. In this sense, our proposed variant is optimal.

Category / Keywords: cryptographic protocols /

Original Publication (with major differences): PoPETS 2016.4

Date: received 19 May 2016, last revised 5 Aug 2016

Contact author: benjaminrichard913 at gmail com

Version: 20160805:141454

Short URL: ia.cr/2016/480
