A Security Enhancement and Proof for AKA (Authentication and Key Agreement)

A Security Enhancement and Prooffor AKA(Authentication and Key Agreement)Vladimir KolesnikovBell LabsSCN 2010

All Rights Reserved Alcatel-Lucent 2007,2008

ProgramAKA backgroundAKA Single-UIM propertyOur extension to regular KE

All Rights Reserved Alcatel-Lucent 2007,2008

The AKA SettingAVMS(Mobile Set)SN(Serving Network)HE(Home Environment)

All Rights Reserved Alcatel-Lucent 2007,2008

AKA Message FlowCredential:Shared key K

One-time Auth vector AVRAND, SQNAUTN = SQN, FK(0,SQN,RAND)XRES = FK(1,RAND)SK = FK(2,RAND)

Obvious problem:MS does not contribute randomnessAKA Resolution:K stored on single UIMUIM keeps state (SQN)sksk

All Rights Reserved Alcatel-Lucent 2007,2008

Crypto-traditional Multi-UIM secuirity Users have several devices UIMs keyed with the same key improves AV management Simplified state management (SQN) More robust (simplified credential management, UIM cloning) Strict AKA deployment requirements Flow is preserved. No extra messages No extra overhead

All Rights Reserved Alcatel-Lucent 2007,2008

Our Multi-UIM-secure AKAIdea: do not use AKA-derived SK directly.use SK = FSK (RANDC)

All Rights Reserved Alcatel-Lucent 2007,2008

Multi-AKAskskRANDCFsk(RANDC)Fsk(RANDC)

All Rights Reserved Alcatel-Lucent 2007,2008

SecurityGive the usual game-style KE security definitionTheorem: Essential message exchange of the above Multi-AKA protocol is a secure KE protocol.