An Optimal Mutual Authentication Scheme in GSM Networks

Abdul Haleem Qureshi and Muhammad Usman

Faculty of Information Technology University of Central Punjab Lahore, Pakistan abdul.haleem@ucp.edu.pk, manilasani@yahoo.com

Abstract GSM is one of the most dominating networks for wireless mobile communication. With the passage of time, financial institutions have started using this network for providing their services. Beginning from basic services like balance enquiry, the trend is increasing to provide financial transactions on mobile. This trend establishes the need of strengthening user authentication and requirement of network authentication as well. In this paper, we have proposed a mutual authentication approach using asymmetric cryptography. In the proposed technique, user and network are authenticated with minimal computation and signaling overhead. Keywords: Asymmetric Cryptography, AuC, Authentication, GSM, HLR, MS, MSC, VLR

with MSC/VLR for authentication which in turn asks AuC/HLR to authenticate the user [3]. SIM card contains International Mobile Subscriber Identity (IMSI) and an Authentication key (Ki). This information is also available at HLR, which uniquely identifies a subscriber using these two values [2]. Using these two values, authentication schemes discuss different methods for validating user and network. Setting up a session key is also discussed in these schemes. Traditional authentication technique elaborated in [3] authenticates a user using algorithm A3. A common session key is generated individually at MS and HLR and communicated to VLR. Approach presented in [2] tries to minimize signaling overhead in the authentication process by merging multiple signals in one. It uses asymmetric cryptography for securing sensitive information over the network. Use of identity based cryptography is proposed in [5] along with applying special hash functions for further security. Authentication process presented in [3] lacks network authentication. MS does not validate whether it is communicating with a legitimate VLR or not. Further, confidentiality is not maintained in session key communication. Other authentication techniques described in [2, 5] add computations on MS which cause rapid battery consumption. Excessive public/ private key pairs are maintained and signaling overhead is not considered as well. In this paper, a new technique of authentication is proposed with focus on minimizing computation at MS, and data load on communication channel. It covers possibility of vulnerability attacks and need of mutual or mutual authentication. Our proposed scheme uses asymmetric cryptography with reduced public/private key pairs to cut down maintenance cost. Rest of the paper is organized as follows: Section two gives overview of GSM network infrastructure and discusses entities involved in authentication process. In section three some related work is discussed. Section four presents a new scheme of authentication and its advantages are discussed in section five. At the end conclusion is drawn in section six followed by references. II. GSM NETWORK ARCHITECTURE

I.

INTRODUCTION

Mobile communication systems are very famous, widely and commonly used among people all over the world. They facilitate users with wireless communication accessible virtually everywhere. Global System for Mobile communication (GSM) is the most commonly used second generation (2G) technology among mobile users. More than 80% of whole mobile subscribers worldwide are using GSM. It was introduced in early 1990s to replace numerous incompatible cellular networks operating in Europe [1]. Secure communication is always desirable in mobile communications, but its use in financial transactions has made security a necessity rather than a desire. Before initiating the communication, an authentication process is required, in which both user and network should verify each other [2]. Mainly three entities are focused while considering authentication and secure communication in GSM network. On one end is the Mobile Station (MS), which comprises of mobile phone and a Subscriber Identity Module (SIM) card [2]. On the other end, an Authentication server (AuC) is placed. AuC works in coordination of Home Location Register (HLR) database. This is a central database containing user profiles and other important data. Subscribers are assigned to different HLRs based on their phone numbers [7]. The third entity is Mobile Switching Center (MSC) which works in coordination with Visitor Location Register (VLR) database [7]. This database contains information of subscribers currently in the zone controlled by the MSC. A mobile station communicates

In this section we have briefly discussed architecture of GSM networks. GSM network can be divided in three parts:

Mobile station (MS), Base station subsystem (BSS) and Network subsystem (NS) as shown in Fig. 1 [6]. MS consists of Mobile equipment (ME) (i.e. mobile phone), and a Subscriber identity module (SIM). The SIM contains International mobile subscriber identity (IMSI) which uniquely identifies a SIM, an Authentication key (Ki) and other related information. MS consists of Mobile equipment (ME) (i.e. mobile phone), and a Subscriber identity module (SIM). The SIM contains International mobile subscriber identity (IMSI) which uniquely identifies a SIM, an Authentication key (Ki) and other related information. Base station subsystem (BSS) consists of Base transceiver system (BTS) and Base station controller system (BSC). A BTS transmits and receive signals from Mobile stations in its range. Multiple Base transceiver systems (BTS) are connected with a single BSC. The job of BSC is to manage the activities of BTS [1]. The third part of GSM network architecture is Network subsystem (NS) which consists of Mobile Switching center (MSC) and a Gateway Mobile switching center (GMSC). Multiple Base station controllers (BSC) are connected with a single MSC. Task of GMSC is to connect mobile network with Public switched telephone network (PSTN). In addition to MSC and GMSC, NS contains various databases like Home location register (HLR) and Visitor location register (VLR). HLR contains cell phone number, IMSI, Ki, and user profile information of each subscriber of a cellular service provider. It works in coordination of Authentication Center (AuC) to authenticate a user. VLR contains information of users currently in the portion of network served by it. MSC communicates with VLR and HLR for user authentication [1].

III.

RELATED WORK

In this section, we have briefly discussed some of the latest GSM authentication schemes with their weaknesses from existing literature. Main entities involved in authentication process are MS, MSC/VLR and AuC/HLR as represented in Fig. 2. MS communicates with MSC which coordinates with VLR and contacts AuC and HLR for authentication [1, 2, 3, 6]. In traditional authentication process, MS sends Temporary mobile subscriber identity (TMSI) to MSC/VLR [3]. MS sends its real identity IMSI only once when it is switched on. After that a temporary identity TMSI is assigned to it for further use. MSC/VLR extracts its real identity IMSI and sends it to AuC/HLR. The AuC/HLR finds Ki against the received IMSI. Ki is then used in Authentication algorithm (A3) and Ciphering key generation algorithm (A8) to generate a Signed result (SRES) and Ciphering key (Kc). Input of both algorithms is Ki and a randomly generated number (RAND). This process is shown in Fig. 3. AuC/HLR sends RAND, Kc, and SRES to MSC/VLR. The MSC/VLR keeps Kc and SRES and sends RAND to MS. The MS uses same A8 and A3 algorithms to generate Kc and SRES using received RAND and Stored Ki in SIM. MS sends the SRES back to MSC/VLR which compares it with the SRES received from AuC/HLR. If it matches, authentication is successful, else failed. This process is shown in Fig. 4 [3]. The scheme discussed above has some serious drawbacks. First, authentication of VLR/HLR is not considered. Secondly, all information is sent un-encrypted from HLR to VLR, which can be eavesdropped. A similar scheme is proposed in [8]. It is an enhancement of scheme presented in [3]. It proposes the use of time stamps for prevention from replay attacks. This scheme adds an overhead of preserving TMSI at HLR as well.

Figure 2. Entities involved in authentication

Figure 1. GSM Network Architecture Figure 3. Generating Kc and SRES

Figure 4. GSM Authentication Process Figure. 6. GSM Authentication Process in Authentication and Secure Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography [2]

Use of asymmetric cryptography is an answer to the security vulnerabilities in traditional authentication process. However, it is computationally extensive. Hence it is only used for authentication and transferring secret keys like Kc. The asymmetric approach discussed in [2] has focused on reducing signaling overhead and simplifies the authentication process. In this scheme four public/private key pairs are used as shown in Fig. 5. V_H_pri is shared between VLR and HLR. It is used to encrypt and decrypt data between VLR and HLR. M_V_pri is shared between MS and VLR. It is used to encrypt and decrypt data between MS and VLR. To start the authentication process as shown in Fig. 6, MS sends an identity message to VLR. This message includes Kc and RAND concatenated and then encrypted in M_V_pub. This message also includes IMSI and Ki concatenated and then encrypted in H_pub. Kc is computed by generating a Random number (RAND) and using it with Ki in A3 algorithm. VLR decrypts the part of message to get RAND and Kc. rest of the message is sent to HLR unchanged. HLR decrypts the message received from VLR using H_pri and extracts IMSI and Ki. If the received Ki matches with the stored Ki, user is authenticated. HLR sends M_pub to VLR as authentication acknowledgement. VLR uses M_pub to encrypt the RAND received from MS and sends the message to it. MS decrypts the received message and compares the generated RAND and the received one and authenticates the VLR upon match.

Considering three communicating entities, this approach works with minimal number of messages. MS is authenticated by HLR using Ki and IMSI and it authenticates VLR by sending RAND to it. If VLR send back same RAND, it is authenticated. In this solution, MS generates RAND and computes Kc at the very start of the process. This activity is an extra load on MS which is to be performed every time authentication is required. Managing shared public/private key pair for MS-VLR is another issue. This pair has to be dynamically generated once MS is in the range of VLR. An identity based cryptography scheme proposed in [5] works in three phases called Setup phase, Registration phase and Authenticated key exchange phase. In Setup phase, HLR prepares a public/private key pair (HLR_pri and HLR_pub) using a Special hash function (H) and a Master secret key (K). HLR_pub and H are made public. Registration phase begins when MS wants to register with NS. The HLR of that NS creates another Secret key K_ms using K, and H on IMSI. K_ms is then stored in HLR and MS for later use. The authentication phase shown in Fig. 7 works as follows: MS sends TMSI to VLR. On receiving TMSI, VLR sends back a randomly generated number (RAND) to MS. On receiving RAND, MS generates another random number RAND_1 and computes RAND_2 using RAND and RAND_1. Then MS applies H on RAND_2 (H(RAND_2)) and computes a key K_ms1 using K_ms and H(RAND_2). Finally MS applies H on K_ms1 and sends RAND_2, TMSI and H(K_ms1) to VLR. VLR extracts IMSI against TMSI and sends its own ID (VLR_id), RAND, H(K_ms1), and IMSI to HLR after encrypting this whole data in HLR_pub. HLR decrypts the data and generates K_ms1 using stored K_ms and applies H on it to get H(K_ms1). It

Figure 5. Public/private key pairs

compares the computed value of H(K_ms1) with the received one and authenticates the MS on match. It also authenticates the VLR by checking received VLR_id. HLR concatenates IMSI, K_ms1, and VLR_id and applies Special hash function H on the result to get H(IMSI||K_ms1||VLR_id). It signs the hashed value by encrypting it in its private key (HLR_pri) and sends the hashed value and signed value to VLR. Now it is turn of VLR to verify HLR. It is done by decrypting the signed data with HLR_pub and comparing it with received hashed value. This process is called signature verification. Now VLR appends VLR_id to the hashed value to get H(IMSI||K_ms1||VLR_id)||VLR_id and sends it to MS. MS generates hash value using IMSI, VLR_id, and K_ms1 and compares it with received value. If it is match, authentication of NS is successful, else session is terminated.

In conclusion, traditional authentication schemes suffer from man-in-middle attacks due to un-encrypted exchange of information. Symmetric authentication schemes suffer from secret key management and storage space issues. Asymmetric authentication schemes have addressed security vulnerabilities of traditional schemes but increased message complexity. They have not considered computational and storage overhead of MS, VLR and HLR. Excessive signals and load on communication channel are other issues in these schemes. IV. OPTIMAL MUTUAL AUTHENTICATION IN GSM

We have proposed a new optimal mutual authentication and ciphering key generation scheme in GSM. In this scheme, we have focused on eliminating above discussed problems of existing schemes, minimizing computation overhead of MS, reducing public private key pairs, and strengthening network authentication. Same three entities MS, MSC/VLR and AuC/HLR are used with three public/private key pairs for secure communication as shown in Fig. 8. Although M_H_pub is a public key, it is still kept secret. It enhances message security helps in validating the VLR. MS initiates the authentication process by encrypting Ki in M_H_pub, concatenating it with TMSI and encrypting the resultant value using V_pub. This encrypted message is then sent to VLR. On receiving the message, VLR decrypts it using V_pri to get TMSI and extracts IMSI against it. IMSI is concatenated with encrypted Ki and resultant value is encrypted using V_H_pub. Then it is sent to HLR. In the next step HLR extracts IMSI and Ki by decrypting the message using V_H_pri and M_H_pri. IMSI and Ki are then compared with stored IMSI and Ki. MS is authenticated if both values are same. HLR generates RAND and uses A3 algorithm to compute Kc. the Kc is then encrypted using M_H_pub. Encrypted Kc is concatenated with plain Kc and resultant is against encrypted in V_H_pub. This value is then sent back to VLR. Upon receiving the message, VLR decrypts it using V_H_pri to get Kc. VLR then signs the encrypted Kc in H_M_pub using V_pri. After this activity, the signed message sent to MS. Upon receiving the message, MS authenticates the VLR by verifying the VLR signature. Encrypted Kc is then decrypted using M_H_pri and authentication completes. This process is shown in Fig. 9.

In this approach each entity authenticates the other two. MS authenticates VLR and HLR, VLR authenticates MS and HLR, and HLR authenticates MS and VLR. It fulfills authentication requirements but uses extensive computations like applying the Hash function repeatedly. In total, six messages are exchanged with bulk of data load on communication channel.

Figure 7. GSM authentication process in GSM Security Using Identity-based Cryptography [5]

Figure 8. Public/private key pairs

communication, it is now supporting m-commerce and other financial services. Before initiating communication, a mutual authentication is necessary. Multiple authentication techniques are presented with different design goals including security, mutual authentication, and reduction in signaling overhead. In this paper, we have proposed a new mutual authentication mechanism using asymmetric cryptography with focus on minimizing computation overhead and strengthening the authentication along with eliminating problems of existing schemes. REFERENCES
[1] Figure 9. Optimal mutual authentication in GSM [2] James F. Kurose and Keith W. Ross, Computer Networking - A TopDown Approach, 5th ed., Pearson, 2010, pp. 558-563. Wilayat Khan and Habib Ullah, "Authentication and Secure Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography", IJCSI International Journal of Computer Science Issues, Vol. 7, Issue 3, No 9, May 2010. Man Young Rhee, Mobile Communication Systems and Security, Wiley-IEEE Press, April 2009, pp. 10-11. Majithia Sachin, and Dinesh Kumar, "Implementation and Analysis of AES, DES and Triple DES on GSM Network", IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.1, January 2010. Animesh Agarwal, Vaibhav Shrimali, and Manik Lal Das, "GSM Security Using Identity-based Cryptography", Dhirubahi Ambani Institute of Information and Communication Technology Gandhinagar 38, India, 2007. Young Jae Choi and Soon Ja Kim, "An Improvement on Privacy and Authentication in GSM", C.H. Lim and M. Yung (Eds.): WISA 2004, LNCS 3325, pp. 14-26, 2004. Springer-Verlag Berlin Heidelberg 2004. Patrick Traynor, Michael Lin, Machigar Ongtang,Vikhyath Rao, Trent Jaeger, Patrick McDaniel, and Thomas La Porta, "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core", CCS 2009 Proceedings of the 16th ACM conference on Computer and communications security, 2009. Mi-Og Park and Dea-Woo Park, "SUALPPA Scheme: Enhanced Solution for User Authentication in GSM System", in Computation Science and Its Applications - ICCSA 2006, LNCS 3938, pp. 884-896.

V.

ADVANTAGES OF PROPOSED SCHEME

[3] [4]

In this proposed mechanism, computation overhead of MS is reduced by shifting the responsibility of Kc generation to HLR. By using this approach, there is no need of storing authentication algorithm A3 in SIM. Public and private key pairs are reduced to three by omitting MS-VLR link keys. By doing this, key management is also made simpler and storage requirements at VLR remain at minimum. VLR is not trusted until it is not authenticated by HLR. Use of public private key pairs eliminates the possibility of man-in-middle attacks. MS authenticates HLR using shared MS-HLR private key and VLR by verifying its signature. VLR and HLR authenticate each other by using shared VLR-HLR private key. HLR performs double authentication of MS by checking its Ki and IMSI and by using shared MS-HLR private key. VI. CONCLUSION

[5]

[6]

[7]

[8]

Wireless communication has provided great features in terms of mobility and ease of use. Starting from voice