Paper 2016/364

Cryptographic Analysis of the 3GPP AKA Protocol

Stéphanie Alt, Pierre-Alain Fouque, Gilles Macario-rat, Cristina Onete, and Benjamin Richard

Abstract

Secure communications between mobile subscribers and their associated operator networks require mutual authentication and key derivation protocols. The 3GPP standard provides the \aka\ protocol for just this purpose. Its structure is generic, to be instantiated with a set of seven cryptographic algorithms. The currently-used proposal instantiates these by means of a set of AES-based algorithms called Milenage; as an alternative, the ETSI SAGE committee submitted the TUAK algorithms, which rely on a truncation of the internal permutation of Keccak. In this paper, we provide a formal security analysis of the \aka\ protocol in its complete three-party setting. We formulate requirements with respect to both Man-in-the-Middle (MiM) adversaries, i.e. key-indistinguishability and impersonation security, and to local untrusted serving networks, denoted "servers", namely state-confidentiality and soundness. We prove that the unmodified AKA protocol attains these properties as long as servers cannot be corrupted. Furthermore, adding a unique server identifier suffices to guarantee all the security statements even in in the presence of corrupted servers. We use a modular proof approach: the first step is to prove the security of (modified and unmodified) AKA with generic cryptographic algorithms that can be represented as a unitary pseudorandom function --PRF-- keyed either with the client's secret key or with the operator key. A second step proceeds to show that TUAK and Milenage guarantee this type of pseudorandomness, though the guarantee for Milenage requires a stronger assumption. Our paper provides (to our knowledge) the first complete, rigorous analysis of the original AKA protocol and these two instantiations. We stress that such an analysis is important for any protocol deployed in real-life scenarios.

Note: This is a duplicate of paper 2016/317

Metadata
Available format(s)
-- withdrawn --
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. Proceedings of ACNS 2016
Keywords
AKA protocolAKE protocolsprovable securityreal-world cryptography
Contact author(s)
onete @ gmail com
History
2016-05-13: withdrawn
2016-04-11: received
See all versions
Short URL
https://ia.cr/2016/364
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.