
DEGREE PROJECT IN ELECTRICAL ENGINEERING, SECOND CYCLE, 30 CREDITS

STOCKHOLM, SWEDEN 2017

Encrypting IMSI to improve privacy in 5G Networks

Double Degree Program KTH-UPM

ENRIQUE COBO JIMÉNEZ

KTH ROYAL INSTITUTE OF TECHNOLOGY

SCHOOL OF INFORMATION AND COMMUNICATION TECHNOLOGY


Master Thesis Report

Title: Encrypting IMSI to improve privacy in 5G networks

Author: Enrique Cobo Jiménez

Supervisors: Christian Schaefer, Prof. Mats Näslund

Affiliation 1: School of Information and Communication Technology, School of Electrical Engineering, KTH Royal Institute of Technology

Affiliation 2: ETS de Ingenieros de Telecomunicación, UPM Technical University of Madrid

TRITA: ICT-EX-2017:19

Thesis Committee

President: Prof. Elena Dubrova

Member: Prof. Mark T. Smith

Academic Advisor: Sha Tao

Opponent: Vicent Molés Cases

SCORE:

Stockholm, 23rd of March, 2017


Abstract

Nowadays, the long-term identifier of a user in a mobile network, namely International Mobile Subscriber Identity or IMSI, is transmitted in clear text over the radio interface. Given that this interface is used as a shared medium, anyone with a radio transceiver and processing software can thus read such an identifier.

This fact constitutes a threat to user privacy, considering that the user is traceable by following the presence of the identifier in the network. Moreover, the menace has been known in the literature for the last 25 years, but no countermeasures have been deployed because the severity was judged not to be sufficiently high.

However, the current situation is different. On the one hand, the user is made more vulnerable: the needed equipment for catching IMSIs over the radio interface is becoming cheaper, while user-related connected devices are arising in the form of the Internet of Things. On the other hand, mobile devices are now computationally more powerful, and the upcoming standardization of 5G represents an opportunity to address such issues.

This dissertation presents a proposal to encrypt the IMSI based on the Elliptic Curve Integrated Encryption Scheme, a public-key approach in which the long-term subscription identifier is concealed over the radio interface. By doing so, the IMSI is never publicly disclosed, and thus privacy is enhanced.

Besides, research was conducted to show the technical feasibility of the proposal.

First, the impact of the encrypted identifier on the network was studied. Secondly, the execution time needed for Android devices to perform encryption operations was measured. In both cases, the results were favorable, drawing the conclusion that there are no impediments to the adoption of the presented solution.

The Thesis was developed in cooperation with Ericsson AB, Security Research.

KEY WORDS: 5G; Privacy; IMSI; Security; ECIES; Android.


Sammanfattning (Swedish summary)

The long-term identifier of a user in a mobile network, the IMSI (International Mobile Subscriber Identity), is transmitted in clear text over the radio interface. With this interface used as a shared medium, anyone with a radio receiver and software can read such identifiers.

This constitutes a threat to users' personal privacy, given that the user can be traced by following the occurrence of the identifier in the network. Moreover, the threat has been known for the past 25 years, but no measures have been taken because the risk was judged not to be high enough.

However, the current situation is different. On the one hand, the user is more vulnerable: the equipment needed to capture IMSIs over the radio interface is becoming cheaper, while the number of user-related connected devices is growing. On the other hand, modern mobile devices can perform far more computation, and the upcoming standardization of 5G represents an opportunity to solve such problems.

The report presents a proposal to encrypt the IMSI based on ECIES (Elliptic Curve Integrated Encryption Scheme), an asymmetric-cryptography algorithm in which the long-term identifier is concealed over the radio interface. By doing so, the IMSI is never disclosed, and personal privacy is thereby improved.

In addition, research was carried out to show the technical feasibility of the proposal. First, the effect of the encrypted identifier on the network was studied. Then the execution time required for Android devices to perform encryption operations was measured. In both cases the results were favorable, and it is therefore concluded that there are no obstacles to adopting the presented solution.

This report was produced in cooperation with Ericsson AB, Security Research.

KEY WORDS: 5G; Privacy; IMSI; Security; ECIES; Android.


Resumen (Spanish summary)

At present, the fixed identifier of a user in a mobile network, called the IMSI (International Mobile Subscriber Identifier), is sent in plain text over the radio interface. Since that interface is a shared medium, anyone with sufficient radio equipment and processing software can therefore obtain the identifier.

This fact reduces the privacy of users in the mobile network, since any user can thus be located by following the trail of their identifier. Moreover, this vulnerability has been well known for 25 years, but no countermeasures were adopted because the threat was not considered sufficiently severe.

However, the situation is changing. On one side, the user is increasingly attackable: the equipment needed to obtain IMSIs from the radio interface is ever cheaper, while new terminals are emerging in the so-called Internet of Things that also expose the user carrying them. On the other side, current mobile terminals are ever more computationally powerful, and the imminent standardization of 5G represents an opportunity to resolve these vulnerabilities.

This Master's Thesis presents a proposal to encrypt the IMSI identifier based on ECIES (Elliptic Curve Integrated Encryption Scheme), an asymmetric cryptography system in which the IMSI is concealed on the radio interface. In this way, the identifier would never be revealed on a public channel, thereby improving user privacy in 5G networks.

In addition, studies were carried out to demonstrate the technical feasibility of the proposal. Along these lines, the impact that using the encrypted identifier would have on the network was evaluated, as well as the time required to complete the encryption on Android devices. The results in both cases were favorable, concluding therefore that there are no technical impediments to its implementation.

This work was developed in collaboration with Ericsson AB, Security Research.

KEY WORDS: 5G; Privacy; IMSI; Security; ECIES; Android.


Acknowledgements

After Jaén, Madrid, and now Stockholm; after a Bachelor's Degree, a Master's Degree and a Double Degree; in short, after 24 years, 5 months and some days, it is time to move. Now we say goodbye to the student stage to put into practice the knowledge and the skills acquired with effort and dedication during these years, and to face new challenges and problems in the real world.

But, of course, I have never been alone in this journey. I would like to dedicate some words to all these people that have walked with me during all this time.

First, I would like to thank all the people at Ericsson, Security Research. It was very nice to do the thesis with them; I have learned a lot from this experience. To be honest, I must say that I always found a helping hand whenever I needed it. I would especially acknowledge Christian and Mats, my supervisors, for their involvement in the work and for their valuable advice; and Prajwol, who really acted as an advisor in the shade, for all the dedication and support he put into the Thesis.

What to say about all the people I met during this experience in Stockholm and Lappis: Alfonso, Viktor, Mathilde, Pablo, Clara, Hamza, Giorgos, Rasines, Diego, Carlos, Vicent, Atsushi, Marie, Irene, Mikael, Masuma,... (sorry, but I had to stop at some point): you made it special. I wish I gave you at least half of what I received from you.

Infinite thanks.

I cannot fail to acknowledge my people from Spain: my whole-life friends la manada de Jaén NP, my colleagues in suffering los pencos de la ETSIT, and my dorm-mates mendelianos. I am aware that I have been a bit absent during this year and a half, but precisely here is where the secret of friendship lies: True friends are like stars, you can't always see them, but you know they're always there.

Last but not least. To my family: my parents, sister, grandparents, cousins, uncles, and aunts. First, the kid decided to go to the University in Madrid, and five years later he decided to move to Sweden (with how cold it is there!). And yes, I am using the correct verb, because you never put any obstacle throughout this journey, although I suppose this has been difficult for you. At least I hope that the Telecommunications, to whose development I would like to contribute in the future, worked well and you felt me close, despite the distance. Today, I am who I am thanks to you.

And, finally, to you...

Enrique Cobo Jiménez


Table of Contents

Abstract; Sammanfattning; Resumen v

Acknowledgements xi

1. Introduction 1
1.1. Problem statement 1
1.2. Objectives 4
1.3. Report Organization 5

2. Background 7
2.1. 4G Architecture model 7
2.1.1. Network elements 7
2.1.2. Network architecture 8
2.2. Identification of Mobile Subscribers 9
2.2.1. IMSI 9
2.2.2. GUTI 10
2.2.3. Others: MSISDN and IMEI 10
2.3. Control signaling 11
2.3.1. General overview 11
2.3.2. The Attach procedure 13
2.3.3. Lawful Interception 15
2.4. Fundamentals on cryptography 16
2.4.1. Asymmetric cryptography 16
2.4.2. Elliptic Curve Cryptography 18
2.4.3. Other cryptographic tools 19

3. Review Study 25
3.1. Traditional public-key schemes 25
3.2. Attribute-based encryption 26
3.2.1. Key-Policy Attribute-Based Encryption 27
3.2.2. IBE 29
3.3. Pseudonyms 30
3.4. Conclusions 31

4. Enhancing Long-Term Identifier Privacy 33
4.1. Introduction 33
4.2. KP-ABE implementation 34
4.2.1. Length analysis 34
4.2.2. Local-AuS implementation 37
4.3. Traditional public-key scheme (RSA) 38
4.4. Elliptic Curve Integrated Encryption Scheme 40
4.5. Conclusions 43

5. Encrypted IMSI based on ECIES 45
5.1. Usage 45
5.1.1. Features 45
5.1.2. Suggested Elliptic Curves and Software implementation 48
5.2. Implications 50
5.2.1. Modifications on equipment 50
5.2.2. Protocol modifications 50

6. Evaluation and Analysis 53
6.1. Performance 53
6.1.1. Size analysis 53
6.1.2. Delay introduced by ECIES 54
6.2. Remaining vulnerabilities 58
6.3. Ethical, societal and sustainability aspects 59

7. Conclusions 61
7.1. Conclusion 61
7.2. Future lines 62

Appendices 65
A. ECIES implementations 67
A.1. NIST P-256 67
A.2. Curve25519 69
B. Test results 71

References 75

List of Acronyms 81


List of Figures

1.1. Evolution and forecast of number of worldwide mobile subscriptions 2
1.2. Eavesdropping on a shared medium 3
2.1. Simplified 4G network architecture 8
2.2. Structure of IMSI 9
2.3. 4G control plane protocol stack and interfaces 11
2.4. Attach procedure 13
2.5. Different elliptic curves 19
2.6. Elliptic Curve addition and scalar multiplication 20
2.7. Evaluated AES mode of operation 22
3.1. Attribute-based encryption architecture 27
4.1. RSA with Optimal Asymmetric Encryption Padding 39
4.2. ECIES encryption functional diagram 41
4.3. ECIES decryption functional diagram 42
5.1. Using ECIES to encrypt the IMSI 46
5.2. Using ECIES to decrypt the IMSI 47
5.3. NIST P-256 and Curve25519 representation 49
5.4. Attach procedure with E-IMSI 51
6.1. Total execution time (KG + KA) in the tested devices 58


List of Tables

4.1. Comparison between analyzed solutions 43
6.1. Cipher text size, in bits, as a function of the solution 54
6.2. Android devices 55
6.3. Execution time, in ms, for NIST P-256 (KG and KA) 57
6.4. Execution time, in ms, for Curve25519 (KG and KA) 57
6.5. Execution time, in µs, for the Common Operations (KD, AES and XOR) 57


Chapter 1

Introduction

From every question, from every answer;

from every person, from every planet;

from every memory, from every comet;

from every wish, from every star.

Mariposa, La Oreja de Van Gogh

Abstract: In this chapter, the motivations for the Thesis are presented. Privacy is even more important nowadays, and breaches of it must be fixed. This thesis focuses on one issue in mobile networks: the disclosure of the long-term identifier IMSI over the radio interface, and how to solve it in the framework of the future 5G network. Moreover, this chapter details the objectives of the Thesis and the organization of this report.

1.1. Problem statement

In the so-called information society, where almost everything is just a click away from wherever one is, people are increasingly concerned about the value of privacy.

Therefore, those failure points that represent a privacy threat are of vital importance, and efforts are made to solve them as soon as possible.

Mobile devices are a particular focus. We must not forget that, according to [1], there are around 7.5 billion subscriptions worldwide, following a positive trend that may end with 8.9 billion subscriptions in 2022, as depicted in Figure 1.1.

Moreover, the introduction of IoT (Internet of Things) devices may also impact the system by incorporating new elements into the mobile network. In this sense, we see that the paradigm is moving, so that, in the future, if something benefits from a connection, it will be connected.

Therefore, security and privacy pitfalls in mobile networks have a particular importance, due to the potential number of attackable subjects. One of these points of failure is the disclosure of the subscriber's long-term identifier, the so-called IMSI (International Mobile Subscriber Identity), sent unencrypted over the Radio Interface. Thus, an eavesdropping attack can be deployed, as depicted in Figure 1.2: anyone with access to some radio equipment can listen to the channel and catch the users' identifier [2].

Such radio devices receive the name of IMSI Catchers [3].


Figure 1.1: Evolution and forecast of worldwide mobile subscriptions, obtained from [1].

Nowadays, the 3GPP (Third Generation Partnership Project) [4] represents the main standardization body for mobile networks, since it brings together several telecommunications standards organizations formed by network operators and equipment manufacturers. The standardization activity is split into different working groups within three Technical Specification Groups. The reference group for Security is called Services and Systems Aspects 3 (SA3).

The standardization process at 3GPP is as follows. First, its members submit their proposals, namely contributions, to the relevant working group. The contribution is then analyzed and discussed in the working group meeting. If it passes this filter, the proposal is finally addressed in the Technical Specification Group Plenary, which is responsible for drafting the standards.

The IMSI-Catching attack is not a new issue for these bodies. Already 25 years ago, when the second generation of the mobile network, 2G, was standardized, it was decided to assign a short-term identifier, TMSI (Temporary Mobile Subscriber Identity), after successful authentication, to minimize the times that the IMSI was sent in clear text.

Nevertheless, the IMSI was still transmitted in some cases. In [5] some enhancements were already proposed.

Several ideas arose to overcome this problem in 3GPP when moving to the third generation, 3G. One solution [6] proposed to implement one-time pseudonyms, in which the IMSI was anonymized by replacing it with a derived pseudonym. In [7], it was suggested to use pre-shared group keys for encrypting the IMSI. However, none of these solutions was accepted [8], mainly because the threat was judged not to be so severe. Besides, it was unclear that the proposed solutions were compatible with the actual system. Some privacy issues related to IMSI disclosure for 3G networks were also summarized in [9].

Figure 1.2: Eavesdropping on a shared medium. If anything is sent unprotected over a shared medium, such as the radio interface, it might be intercepted (eavesdropped) by non-authorized third parties.

Again, when the 4G standardization process started, the problem was revisited in the TR (Technical Report) 33.821 [10]. This time, the solutions included group key encryption of the IMSI, public-key cryptography, and the digital signature of IMSI-based requests. Once more, the proposals were rejected for several reasons. For the first one, a group key approach does not ensure perfect privacy, since all members of the group can decrypt. For the second one, the cost of implementing a public-key system between the user and the serving network was judged to be too high. Finally, the digitally signed IMSI-based requests were not able to solve the fact that the IMSI was still sent in clear text, and therefore the passive IMSI-Catcher attack was not solved.

The situation nowadays has changed in different ways. First, mobile devices are now more powerful regarding computation capabilities, which makes some of the solutions easier to implement. Second, the equipment needed for performing IMSI catching is becoming cheaper due to the development of software-defined radio [11].

Finally, and as we stated in the beginning, the rise of personal IoT devices would imply that a user would have more IMSIs associated with them, which makes the user more exposed to this privacy threat.

This is the scenario in which 5G comes into play [12]. However, first, the fifth generation of the mobile network has to deal with the new paradigm of lots of elements connected to the network and faster connections: it is expected that the speed would increase up to 5 Gbps.

The deployment calendar for 5G states that it has to be launched by 2020, but there should already be some pilots by 2018. To this end, the privacy issues introduced in this section have to be addressed before that, so some proposals are now being discussed in 3GPP, in TR 33.899 [13], which will be the object of analysis of this Thesis work.

In this Thesis, we are going to focus on the privacy issues related to the disclosure of the IMSI in the Radio Interface. However, there are other issues worth considering for the development of 5G. In this sense, the European project 5G-ENSURE [14] was born to address and propose solutions for enhancing future 5G systems. The project results from a joint effort between mobile network operators, vendors and academic institutions. The work is also done in the framework of this project.

Note that 5G is not standardized yet; this process is about to start. Due to this, during this dissertation we will refer to the 4G standard, more specifically to its Release 14. Nevertheless, this does not represent a major issue since the equipment and procedures relevant for the work will technically be migrated from 4G to 5G.

1.2. Objectives

The main goal of this Thesis work is to efficiently conceal the subscriber long-term identifier IMSI in the Radio Interface, while transmitting it to those network nodes that need it for their operation. Such a goal can be divided into sub-objectives, listed below:

Literature review: As stated before, IMSI disclosure has been a problem for the last 25 years. Therefore, an intensive effort has to be made to analyze present and past solutions to the problem:

• First, the proposals for legacy mobile generations (2G-4G) will serve as a basis for understanding the problem and as a context for real solutions.

• In this sense, academic papers will also be reviewed.

• We will deeply analyze the proposals from 3GPP discussed in [13] and in the 5G-ENSURE project.

Deployment of a proposal for concealing the IMSI: As a result of the literature review, some objective indicators can be used for choosing a technically feasible solution.

• As a first step, a high-level solution will be proposed, in which the key features are highlighted.

• Then, we will move from a general perspective to a more detailed proposal. In this process, important factors to take into account will be the new identifier size, computation overhead, and required changes in real networks and equipment.

Evaluation of the proposed scheme: The proposal has to be analyzed to ensure that the constraints are fulfilled. Some of the aspects to be discussed are:

• Computation effort: the time that the suggested proposal takes for completing the task.

• Network performance: a study to see how the new system would impact the network, concerning bandwidth or protocol modifications.


• Remaining vulnerabilities: we must not forget what the main goal of the Thesis is. Therefore, an analysis of the situation after the proposed scheme is adopted has to be carried out, to see that the goal is fulfilled.

Documentation generation: Writing the dissertation and other related documents, such as papers and contributions; and presentation of the results. The report will be elaborated using LaTeX [15].

The work will be focused on the transmission of the IMSI from the user when attaching to a network, which represents the main vulnerability of the system and is what is intercepted by IMSI-Catchers.

1.3. Report Organization

The report is organized as follows:

Chapter 2 offers a review of the main concepts to be known for the correct understanding of the work, from a description of 4G networks to an introduction to cryptography.

Chapter 3 discusses the solutions proposed for IMSI concealment in 5G in both 3GPP and 5G-ENSURE.

Chapter 4 presents the high-level solution from this work. Some preliminary ideas are analyzed and compared.

Chapter 5 details our proposal for encrypting the IMSI.

Chapter 6 analyzes the solution we propose regarding performance and remaining vulnerabilities.

Chapter 7 concludes the work and presents some future lines.


Chapter 2

Background

Happiness, why refuse it? By accepting it, one does not worsen the misfortune of others, and it even helps in fighting for them. I find regrettable this shame one feels at being happy.

Albert Camus

Abstract: This chapter presents the key concepts for the understanding of the Thesis work. First, we present our reference architecture model, and we define the subscriber identifiers. We then continue by introducing some basics on control signaling for 4G, with a particular interest in the Attach procedure. Finally, the cryptographic basis for the work is introduced. A reader with knowledge about 4G Systems and Cryptography may decide to skip the chapter.

2.1. 4G Architecture model

In this Section, the network architecture is presented, in the reference framework of 4G. First, the nodes are separately presented, and afterward, it is shown how they are connected.

2.1.1. Network elements

The most important nodes that make up the 4G network are introduced. The TS (Technical Specification) 23.401 [16] was used as the main reference for this section.

The USIM (Universal Subscriber Identity Module) is a mobile application that stores user-related information, such as identifiers or keys, and includes computation capabilities that are used for cryptographic purposes, as defined in TS 31.102 [17]. It is usually embedded on a chip card called UICC (Universal Integrated Circuit Card).

The UICC is inserted into the ME (Mobile Equipment), which provides radio capabilities. The ME is what is commonly known as the mobile phone, but in a broad sense, it is every mobile device that connects to the 3GPP networks.

Note that, for a user to communicate, he would need both a valid subscription (i.e., USIM) and device (i.e., ME). This union is what defines the UE (User Equipment).

The eNB (Evolved Node B) is the radio element to which a UE is wirelessly connected. It thus represents the entity that moves the communication from the radio channel to the back end of the network. Usually, this element is also denoted as Base Station.

The MME (Mobility Management Entity) is the network equipment responsible for managing users within a network; hence it constitutes the main control device in the network. It manages authentication and mobile services from the network to the UE and vice versa, and it is reachable from a user through the eNB.

The HSS (Home Subscriber Server) represents a database in which the corresponding keys and identifiers of the USIM are stored. It is necessary, for instance, for authenticating a user within a network, and thus it has to be in touch with the MME to which the user is attached.

The gateway, presented for completeness, is the interface between the 3GPP network and the Internet. It is the network element in which the data traffic is routed, separating the control flow from the data plane. A UE reaches it from an eNB.

2.1.2. Network architecture

From a network perspective, like the one presented in Fig. 2.1, we can divide it according to two factors:

Figure 2.1: Simplified 4G network architecture. The figure shows a Serving Network (V-PLMN) and a Home Network (H-PLMN), each split into a Radio Access Network (RAN) and a Core Network (CN), with the elements ME, eNB, MME and HSS.

Depending on the nature of the devices on it, the RAN (Radio Access Network) and the CN (Core Network) emerge: the RAN is made up of those devices with radio capabilities, such as UE and eNB. On the other hand, the CN consists of the central nodes: MME and HSS.


According to the home operator for a given user, the network is divided into PLMNs (Public Land Mobile Network): the home network (or H-PLMN), the one to which a user belongs; and the serving (or visited) network, so-called V-PLMN, the one to which the user is attached, if different from its H-PLMN. A user always authenticates using its home HSS, but the other network elements would vary according to which V-PLMN it is attached.

Figure 2.1 depicts a simplified 4G network, in which the user on the left is connected to a network which does not belong to its home operator. This situation receives the name of roaming. Meanwhile, for the user on the right, the serving and home network are the same (non-roaming situation).

2.2. Identication of Mobile Subscribers

In this section, the most important user identifiers are introduced, as presented in the TS 23.003 [18].

2.2.1. IMSI

The IMSI is the identifier that uniquely defines a subscriber within all networks. It is stored in the USIM and in the HSS to which it belongs. It is formed by the following elements, as shown in Figure 2.2:

Figure 2.2: Structure of IMSI, adapted from TS 23.003 [18]. IMSI = MCC (3 digits) | MNC (2 or 3 digits) | MSIN (9 or 10 digits), not more than 15 digits in total; MCC and MNC together identify the PLMN.

The MCC (Mobile Country Code) is a 3-digit number that identifies the country to which the user belongs, and is defined by the ITU (International Telecommunication Union).

The MNC (Mobile Network Code) is a 2-or-3-digit number which refers to a specific operator within a country and is allocated by a country-dependent authority.

The MSIN (Mobile Subscriber Identity Number) is a 10-digit-maximum number which uniquely identifies a user on its home network.

Note that MNC and MSIN are defined by their maximum length since the whole IMSI cannot be more than 15 digits. The consequence is that, for a country that uses a 2-digit MNC (typically the European case), the maximum MSIN would be 10 digits; and the other way around: for a country that uses a 3-digit MNC (usually in North America), the maximum MSIN would be 9 digits.

It is also worth mentioning that a user's H-PLMN can be identified by the concatenation of MCC and MNC.

The IMSI is encoded using BCD (Binary-Coded Decimal), which implies that every digit needs 4 bits. Therefore, the MCC is always 12 bits long, the MNC between 8 and 12 bits long, and the MSIN requires 40 bits at maximum. It is important to recall that the whole IMSI cannot be larger than 60 bits.

2.2.2. GUTI

Since the IMSI represents the long-term identier of the user, a temporal identity TMSI was introduced to anonymize the user. Such identier is called GUTI (Global Unique Temporary Identity) in 4G, and it is used whenever available in place of IMSI, either entirely or just a part of it. Although it has global signicance, it is allocated by the V-PLMN's MME. The GUTI consists of:

GUMMEI (Global Unique MME Identity): It uniquely denes the MME to which a user is attached. In turn, the GUMMEI is dened by:

• The MCC and MNC (i.e., the PLMN) where the MME is located. Its length is the same as introduced before.

• MME Group id, of 16 bits length; and MME code, of 8 bits length. All this identies a particular MME within a network.

M-TMSI, of 32 bits, is freely allocated by the MME and uniquely identifies a UE attached to a V-PLMN's network. As its name indicates, it has temporary significance.

2.2.3. Others

In this section, some other identifiers in use are presented for completeness.

2.2.3.1. MSISDN

The MSISDN (Mobile Station Integrated Services Digital Network) is nothing else than the phone number of a given subscriber, i.e., the number one needs to dial to set up a call, for instance.

It is noteworthy that this identifier is not used in the Core Network: only the IMSI and the GUTI are used internally. Furthermore, a USIM (and thus an IMSI) can theoretically be linked with more than one MSISDN. There are mechanisms in the network, which are out of the scope of this Thesis, whose task is to translate from one identifier to the other.

2.2.3.2. IMEI

The IMEI (International Mobile Equipment Identity) is a number that identifies the ME. It is used, for instance, for emergency services where no IMSI is available, or to block a device in case it was stolen.


2.3. Control signaling

This section analyzes how the network elements communicate among themselves to share the information needed for correct operation. First, a general overview of the protocols most relevant to the Thesis is introduced. Then, the Attach procedure, which represents our battlefield, is detailed. Finally, the Lawful Interception requirements are presented, since they constitute a constraint on the solutions.

2.3.1. General overview

The Control plane is the set of protocols that allows the exchange of control signals between elements in the system. Fig. 2.3 shows the control plane stack for the most relevant nodes in the 4G system, together with the formal names of the interfaces.

[Figure: protocol stacks of the UE, eNB, MME, SGW and HSS, with the interfaces between them. LTE-Uu (UE to eNB): NAS, RRC, PDCP, RLC, MAC, PHY. S1-MME (eNB to MME): NAS, S1AP, SCTP, IP, L2, L1. S10 (MME to MME) and S11 (MME to SGW): GTP, SCTP, IP, L2, L1. S6a (MME to HSS): DIAMETER, SCTP, IP, L2, L1.]

Figure 2.3: 4G control plane protocol stack and interfaces.

The specific protocols, highlighted in the Figure, are briefly summarized. General protocols, such as IP or SCTP, are therefore skipped in this Thesis.

RRC (Radio Resource Control): Protocol that connects the UE with the eNB on the radio interface. Its main function is to allocate radio resources to the UE and to adjust them on demand. For 4G it is described in TS 36.331 [19].

PDCP (Packet Data Convergence Protocol): Responsible for the transfer of both user and control plane data, ciphering and integrity protection. Standardized in TS 36.323 [20] for 4G.

RLC (Radio Link Control): It is a data link layer protocol, and thus responsible for error-free transfer and the management of data units. The 4G version is in TS 36.322 [21].

S1AP (S1 Application Protocol): As shown in Fig. 2.3, S1 represents the interface between the MME and the eNB. So, this protocol is responsible for carrying messages between these two entities. Defined in TS 36.413 [22].

GTP (GPRS Tunnelling Protocol): Based on IP, it carries GPRS (General Packet Radio Services) between the network elements, both control (GTP-C, TS 29.274 [23]) and user data (GTP-U, TS 29.281 [24]).

Two of them were left unaddressed on purpose, because they require extra attention in the Thesis: NAS (Non-Access Stratum) and DIAMETER.

2.3.1.1. NAS

NAS, as shown in the figure, allows the direct communication between UE and MME, with its messages encapsulated into the RRC protocol in the path UE-eNB, and in S1AP between eNB and MME. Here, the eNB acts as a simple relay. NAS is defined in TS 24.301 [25].

Formally, it consists of two protocols: the EMM (EPS Mobility Management) and the ESM (EPS Session Management). We are more interested in the first one, which defines access, authentication, and security procedures. ESM handles user data between the UE and the packet data domain using bearers.

Going deeper into the EMM protocol, it defines the following procedures:

GUTI allocation and management.

Attach and detach procedures.

Paging: a mechanism to inform the UE that it has pending network services (e.g., a terminating call or an SMS).

As mentioned, authentication and security procedures.

2.3.1.2. DIAMETER

DIAMETER is a network protocol that provides Authentication, Authorization and Accounting services, typically used in applications that involve network accesses.

Standardized in RFC (Request For Comments) 6733 [26], it was conceived as an improvement over the successful RADIUS protocol (RFC 2865 [27]) regarding more secure communications and better scalability.

For its use in 3GPP networks, some particularities need to be considered. The TS 29.272 [28] details the procedures that use DIAMETER between network nodes. In particular, in this Thesis we are interested in the communications between MME and HSS, with the following services:

Location Management Procedures: to inform the HSS about the network currently serving a given UE.

Subscriber Data Handling Procedures: to update the serving network with information about the user.

Authentication Procedures: to request authentication support to the HSS.

Fault Recovery Procedures: in the case of synchronization failure.

Notification Procedures: to exchange updates between the MME and the HSS.

2.3.2. The Attach procedure

The following figure shows the Attach procedure, i.e., a UE connecting to the network. Several reasons can trigger such a procedure, e.g., the very first attach of a user within a specific network, or a recovery mechanism.

Fig. 2.4 shows the complete attach procedure. It is split into three main sub-procedures or stages: identification, authentication and update location.

[Figure: message sequence between the UE, the MME of the Serving Network (V-PLMN) and the HSS of the Home Network (H-PLMN), grouped into the Identification, Authentication and Update Location stages. Identification: [NAS] Attach Request (IMSI or GUTI); [NAS] Identity Request; [NAS] Identity Response (IMSI). Authentication: [DIAMETER] Authentication Info. Request (IMSI); [DIAMETER] Authentication Info. Answer (KASME, AUTN, RAND, XRES); [NAS] Authentication Request (AUTN, RAND); [NAS] Authentication Response (RES). Update Location: [DIAMETER] Update Location Request (IMSI); [DIAMETER] Update Location Answer (MSISDN, ...).]

Figure 2.4: Attach procedure.

2.3.2.1. Identification stage

It represents the first stage, in which the UE would need to send its long-term identifier IMSI over the radio interface without any protection. If the UE had a GUTI, it would be transmitted in the (NAS) Attach Request message. Otherwise, this message would include the clear-text IMSI.

There is a failure recovery mechanism in case the GUTI is no longer recognizable by the network. The MME would forward a (NAS) Identity Request, in which the UE is requested to reply with its clear-text IMSI. The UE does so in the (NAS) Identity Response.

In the sequel, and for simplicity, we are going to refer to the case in which the UE is attaching as if it were its first time, i.e., the UE sends the IMSI in the (NAS) Attach Request. There is no loss of generality in this simplification.

As we introduced in Section 1.1, since the IMSI is sent in clear text, it is possible for a passive attacker, namely a passive IMSI catcher, to just listen to the radio channel and wait until an IMSI appears. Besides, note that there is still no security context available, so the UE cannot check whether it is attaching to an actual MME or to an active attacker impersonating a legitimate network. This kind of attack, since it requires specific actions from the attacker's side, is called an active IMSI catcher.

We must also introduce, for completeness, the scenario in which an ME is attaching to a network following an emergency procedure. In this case, it should be possible for the user to connect to the network even without a subscription (USIM). Therefore, the ME can also be identified using its IMEI when attaching to the network in an emergency.

2.3.2.2. Authentication stage

After the UE has identified itself with its IMSI, the network has to authenticate that it is who it claims to be. Note that this step is crucial, since otherwise anyone could impersonate anyone else by just sending their IMSI to the network. Moreover, as we saw in the previous paragraph, it is relatively easy to get someone's IMSI.

Such a procedure also receives the name of AKA (Authentication and Key Agreement), because it lets the parties involved in it generate a shared session secret key as a consequence of the parties being authenticated. Specific details on the cryptographic functions needed are out of the scope of the Thesis, but they are standardized in TS 33.401 [29].

The sub-procedure starts with the MME sending a (DIAMETER) Authentication Info. Request to the HSS. This query nowadays includes the IMSI in clear text. Nevertheless, the S6a interface runs over a secure channel (typically IPsec), so it should not be possible for an attacker to sniff the IMSI from this communication.

The HSS, from the IMSI and its associated long-term key K, generates a so-called AV (Authentication Vector), which includes the following fields:

KASME (Key Access Security Management Entity): The secret session key that UE and MME will share after successful authentication. The UE can derive it using other fields of the AV.

AUTN (Authentication Token): It serves several purposes: acting as a freshness check (the UE may decide to reject the AKA procedure if some field on the AUTN is not within a given range) and allowing network authentication from the UE side.

RAND (Random Challenge): Needed for the UE to compute the KASME and RES (Response), the latter used to authenticate the user to the serving network.

XRES (Expected Response): The MME authenticates the UE by checking the XRES from the HSS against the RES from the UE.

The AV is sent from the HSS to the MME in the (DIAMETER) Authentication Info. Answer. Then, the MME keeps the KASME and XRES parts of it, and forwards AUTN and RAND to the UE in the (NAS) Authentication Request.

Afterward, the UE is capable of computing KASME and RES from the received parameters and the long-term key K, provided that the security checks are passed. At this point, the network has been authenticated to the UE.

Then, the UE forwards in the (NAS) Authentication Response message its RES. As already mentioned, the MME checks the expected response with the received version of it, and if both match the UE is authenticated.
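The Authentication stage of Figure 2.4 can be followed end to end with the following added example, which is a toy model written for this text and not code from the Thesis or from 3GPP. The standardized functions of TS 33.401 (MILENAGE) are replaced by HMAC-SHA256 with distinct tags, AUTN is simplified to SQN||MAC (the anonymity key is omitted), the accepted SQN window is an assumed value, and the subscriber key K and IMSI are constructed. What it shows is the division of labour described above: the HSS builds the AV, the MME keeps KASME and XRES and forwards AUTN and RAND, the UE authenticates the network from AUTN before answering with RES, and a replayed or tampered AUTN is rejected.

```python
# Added example (not from the thesis or the 3GPP specifications): a toy model of
# the EPS AKA message flow.  HMAC-SHA256 stands in for the MILENAGE f-functions,
# AUTN = SQN || MAC, and the SQN acceptance window is an assumed value.
import hashlib
import hmac
import os


def f(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the AKA f-functions: keyed PRF over tag||parts (assumption)."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


class HSS:
    """Home network: long-term key K and sequence number SQN per IMSI."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # imsi -> {"K": bytes, "SQN": int}

    def authentication_info_answer(self, imsi: str, snid: bytes) -> dict:
        """Build the AV (KASME, AUTN, RAND, XRES) carried in the (DIAMETER) AIA."""
        sub = self.subscribers[imsi]
        sub["SQN"] += 1                              # fresh SQN for every AV
        sqn = sub["SQN"].to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f(sub["K"], b"MAC", sqn, rand)[:8]     # lets the UE authenticate the network
        return {
            "KASME": f(sub["K"], b"KASME", rand, snid),  # bound to the serving network id
            "AUTN": sqn + mac,
            "RAND": rand,
            "XRES": f(sub["K"], b"RES", rand)[:8],
        }


class UE:
    WINDOW = 32  # accepted SQN advance; assumed value for the toy model

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k
        self.sqn_seen = 0
        self.kasme = None

    def authentication_response(self, autn: bytes, rand: bytes, snid: bytes) -> bytes:
        """Check AUTN (network authentication + freshness), then derive RES and KASME."""
        sqn_b, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f(self.k, b"MAC", sqn_b, rand)[:8]):
            raise ValueError("MAC failure: the network could not be authenticated")
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn_seen < sqn <= self.sqn_seen + self.WINDOW:
            raise ValueError("synchronisation failure: SQN out of range (replay?)")
        self.sqn_seen = sqn
        self.kasme = f(self.k, b"KASME", rand, snid)
        return f(self.k, b"RES", rand)[:8]


class MME:
    def __init__(self, hss: HSS, snid: bytes):
        self.hss, self.snid, self.kasme = hss, snid, None

    def authenticate(self, ue: UE) -> bool:
        """AIR/AIA towards the HSS, then (NAS) Authentication Request/Response."""
        av = self.hss.authentication_info_answer(ue.imsi, self.snid)
        res = ue.authentication_response(av["AUTN"], av["RAND"], self.snid)
        if not hmac.compare_digest(res, av["XRES"]):
            return False                             # RES != XRES: UE not authenticated
        self.kasme = av["KASME"]                     # MME keeps KASME for the session
        return True


def demo() -> dict:
    """Constructed subscriber; returns the outcomes of one run and two bad cases."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key K
    hss = HSS({"240011234567890": {"K": k, "SQN": 0}})
    ue = UE("240011234567890", k)
    mme = MME(hss, b"24001")
    ok = mme.authenticate(ue)
    keys_match = mme.kasme == ue.kasme
    # A second AV is consumed once; presenting the same AUTN again must fail.
    av = hss.authentication_info_answer(ue.imsi, mme.snid)
    ue.authentication_response(av["AUTN"], av["RAND"], mme.snid)
    replay_rejected = tampered_rejected = False
    try:
        ue.authentication_response(av["AUTN"], av["RAND"], mme.snid)
    except ValueError:
        replay_rejected = True
    bad_autn = av["AUTN"][:-1] + bytes([av["AUTN"][-1] ^ 1])   # flip a MAC bit
    try:
        ue.authentication_response(bad_autn, av["RAND"], mme.snid)
    except ValueError:
        tampered_rejected = True
    return {"authenticated": ok, "keys_match": keys_match,
            "replay_rejected": replay_rejected, "tampered_rejected": tampered_rejected}
```

The point to take from the model is the ordering: the UE verifies the MAC inside AUTN and the SQN window before it computes RES, so a party that does not hold K cannot obtain a valid response from the UE, and a stale AV cannot be reused against it.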

2.3.2.3. Update Location stage

In this final stage, the visited PLMN informs the home PLMN that the UE is attached to its network. To do so, the MME sends a (DIAMETER) Update Location Request message to the UE's home PLMN. In this message, the MME includes the IMSI together with a network identifier.

The HSS keeps this information, and provides the visiting network with some other useful information about the user through (DIAMETER) Update Location Answer.

Among other parameters, the MSISDN is sent to the MME in this message.

At this point, (i) the UE has successfully attached to the network, (ii) the MME knows all it needs for delivering network services to the UE, and (iii) the HSS keeps track of the network in which the user is. For the following steps, the MME will provide the UE with a bearer between the UE and the SGW (Serving Gateway) when needed.

2.3.3. Lawful Interception

LI (Lawful Interception) is a legal mechanism, used by Authorities, to request network usage information about targeted users (suspected criminals) for analysis or to serve as evidence. For the 3GPP case, it is described in the standards TS 33.106 [30] and TS 33.107 [31].

Some of the information that can be obtained by this procedure includes:

The content of a private conversation between two parties. In this case, the Authority is listening to a conversation or reading an SMS, as if it were part of the conversation.

A record of the network services requested by the target. A list is sent to the Authorities including information about, for instance, the number and recipients of calls or data connections.

Information about the physical locations of the target. Based on the information collected by the eNB, the network gathers data about where a user was at a given time. Such information can afterward be shared with the Authorities, upon request.

According to TS 33.107 [31], a user must be interceptable by one of the following identifiers: MSISDN, IMEI, or IMSI. Since in this Thesis we will modify the way the IMSI is sent, we need to make sure that the modified system is still LI-compliant.

Furthermore, the TS 33.106 [30] states that a roaming user shall also be a possible target, no matter to which network it is attaching. Such interception needs to be done without the knowledge or the visibility of the home network. Therefore, it has to be possible to perform LI without being dependent on the user's home network for assistance.

Hence, the IMSI is forced to be known in the serving network from the very beginning. Proposals to conceal the IMSI that do not take this fact into account might be technically invalid because of such regulatory impositions. This implies that the proposals will always need to include a mechanism by which the IMSI is made known to the serving network.

2.4. Fundamentals on cryptography

In this section, we present some basics on cryptographic functions and primitives whose knowledge is relevant for understanding the Thesis. It is mainly focused on asymmetric cryptography and Elliptic Curve cryptography, since they represent the most important points of this work. Other useful cryptographic tools used in the document, such as Diffie-Hellman, symmetric ciphers, and hash functions, are also presented.

The book [32] served as a basic reference for this section. It is one of the de-facto manuals in cryptography used in Academia for the teaching of Security courses.

2.4.1. Asymmetric cryptography

Asymmetric cryptography relies on the fact that the encryption and decryption processes require different keys. It also receives the name of public-key cryptosystems. It consists of the following elements:

Plain text: The original message that needs to be concealed.

Ciphertext: The encrypted, hidden version of the message.

Public key: Accessible key that, on a public-key cryptosystem, acts as the encryption key.

Private key: Hidden key that, on a typical asymmetric system, is necessary for decrypting the ciphertext message.

Encryption algorithm: Responsible for transforming the plain text to a ciphertext, as a result of some key-dependent mathematical functions.

Decryption algorithm: Retrieves the original message from the ciphertext and the corresponding key used in the encrypting process, by reverting the process applied by the encryption algorithm.

Note that the public and private keys are somehow related, which implies that what is done by one of the keys is complemented by the other one.

Some of the applications of public-key cryptosystems include:

Traditional message concealing: The sender encrypts a message using the recipient's public key, and then the latter decrypts the ciphertext employing its private key.

Digital signature: If an individual uses its private key for signing the message, anyone with the complementary public key will be able to check that the signer generated the message.

Key exchange: It will be analyzed in the next Section 2.4.3.

One of the main points of failure of public-key cryptosystems is the provisioning of the public key to the recipients. Note that it is not enough to put it in an accessible folder, because this scheme is vulnerable to the MitM (Man-in-the-Middle) attack, as now described. A malicious user could just position itself in the middle of the communication by exchanging its own public key with both parties, pretending to be the other's recipient. Under this attack, all the communications are visible to the attacker.

To avoid such situations, other elements are required. A PKI (Public Key Infrastructure) is used to manage public-key cryptosystems employing so-called certificates: they are issued by trusted authorities, proving that the identity associated with a given public key corresponds to the actual owner of the key.

However, there are other means of securely exchanging public keys. The easiest one is receiving the key from its owner directly, i.e., without checking any public folder. The problem with such a costless solution is its lack of scalability: it is impractical when there is a considerably large number of users.

We now analyze the most used public-key system so far: The RSA (Rivest, Shamir, and Adleman) algorithm. As its name indicates, it was developed by Ronald Rivest, Adi Shamir, and Leonard Adleman at MIT in 1978 [33]. It is based on exponentiation in modular arithmetic, and its security relies on the factoring problem, considered to be hard to solve. The working principle is now summarized:

The public-private key pair is generated as follows:

1. Two distinct prime numbers $p \neq q$ are chosen at random.

2. Calculate $n = p \cdot q$, and $\phi(n) = (p - 1) \cdot (q - 1)$.

3. Select an integer $e$ such that $\gcd(\phi(n), e) = 1$ and $1 < e < \phi(n)$.

4. Calculate $d = e^{-1} \bmod \phi(n)$.

5. The public key will be the combination $\{n, e\}$, whereas the private key will be $\{n, d\}$.

The encryption primitive, given the public parameters $\{n, e\}$ and the message $M < n$, is as follows:

$$C = M^{e} \bmod n \qquad (2.1)$$

Finally, the decryption primitive, given the private parameters $\{n, d\}$ and the ciphertext $C$, is:

$$M = C^{d} \bmod n \qquad (2.2)$$

Note that, for the RSA algorithm, it is perfectly feasible that the private key is used to sign the message. Of course, in this case, the message will be recoverable by using the public key.
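The five key-generation steps and the primitives (2.1) and (2.2) are carried through in the following added example, which is not code from the Thesis. It first uses the small primes p = 61 and q = 53 with e = 17, and then a modulus built from two larger (well-known) primes so that a 15-digit IMSI, taken as an integer, satisfies M < n; the IMSI 240011234567890 is constructed. The last function also shows a property a practitioner must keep in mind before using RSA for an identifier: the textbook primitive is deterministic, so encrypting the same IMSI twice yields the same ciphertext.

```python
# Added example (not from the thesis): textbook RSA as in equations (2.1)-(2.2).
# Primes and the sample IMSI are constructed for illustration; no padding is
# applied, which is exactly what the last function demonstrates.
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Steps 1-5: returns the public key (n, e) and the private key (n, d)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # d = e^-1 mod phi(n)  (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub: tuple, m: int) -> int:
    """Equation (2.1): C = M^e mod n, valid only for 0 <= M < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus n")
    return pow(m, e, n)


def rsa_decrypt(priv: tuple, c: int) -> int:
    """Equation (2.2): M = C^d mod n."""
    n, d = priv
    return pow(c, d, n)


def imsi_ciphertexts(pub: tuple, imsi: str, times: int = 2) -> list:
    """Encrypt the same IMSI (as an integer) several times.

    Textbook RSA is deterministic: every entry of the returned list is the
    same number, so an observer on the radio interface could link the attaches
    of one subscriber without decrypting anything.  A randomized padding or
    a fresh per-attach element is needed before RSA is usable for this purpose.
    """
    return [rsa_encrypt(pub, int(imsi)) for _ in range(times)]


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)          # n = 3233, d = 2753
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c))    # ... 2790 65
    # Two well-known primes give n ~ 10^18 > 10^15, enough room for a 15-digit IMSI.
    pub2, priv2 = rsa_keygen(1000000007, 998244353, 65537)
    cts = imsi_ciphertexts(pub2, "240011234567890")
    print(cts[0] == cts[1], rsa_decrypt(priv2, cts[0]))
```

Signing with the private key, mentioned in the paragraph above, is the same exponentiation with the roles of d and e swapped: rsa_decrypt applied to a message produces a value that rsa_encrypt with the public key turns back into the message.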

2.4.2. Elliptic Curve Cryptography

The main issues that asymmetric cryptography presents are its key length and computation time. According to several studies [34], [35], for a system to be secure, the RSA key length should be greater than 2048 bits. Instead, the use of ECC (Elliptic Curve Cryptography) may overcome such issues, as will be explained in this section.

ECC, as its name indicates, is based on an EC (Elliptic Curve) over a finite field. An Elliptic Curve is defined by the following expression, namely the Weierstrass equation:

$$y^{2} + axy + by = x^{3} + cx^{2} + dx + e \pmod{p} \qquad (2.3)$$

Note that both the constants (a, b, c, d, e) and the variables (x, y) are restricted to the given finite field, determined by p. However, for its use in cryptography, curves of the following reduced form are used:

$$y^{2} = x^{3} + cx^{2} + dx + e \pmod{p} \qquad (2.4)$$

The name Elliptic comes from the fact that it is a cubic equation (i.e., of order 3), and such equations are also used for defining the circumference of an ellipse. Figure 2.5 shows the appearance of various elliptic curves.

The curve is defined by the points (x, y) satisfying equation (2.4). Note that, when talking about Elliptic Curves, we follow the notation of naming points on the curve using capital, calligraphic letters, whereas scalars are lower case letters.

An Elliptic curve needs a special point, called the point at infinity and denoted O, in order to be defined. However, it is not properly a point on the curve: it is defined in the projective plane. The point at infinity has an important significance, because it is the identity element of the addition operation, which is explained in the following.

Two operations are defined within this context: addition and multiplication. EC addition takes two points on the curve to generate another (T = R + S), whereas EC multiplication takes a point and a scalar, and can be seen as repeated addition of the same point (S = n·R = R + R + ... + R, n times). Figure 2.6 shows a geometric interpretation of these operations.

Together with O, there is yet another point that needs special treatment. The generator point, denoted G, serves as a basis anchor for generating points on the curve via multiplication. The resulting points, {G, 2G, 3G, . . . , nG}, form a cyclic subgroup.

The following example highlights the relevance of the generator point.

A public key is represented as a point on the curve, whereas a private key is just a scalar. Let P be the public key associated with the private key k. Then, the following equation holds:

$$P = k \cdot G \qquad (2.5)$$

Figure 2.5: Different elliptic curves.

To retrieve k from P and G, i.e., to obtain the private key from the public parameters, is known as the EC-DLP (Elliptic Curve Discrete Logarithm Problem). This problem is thought to be more difficult than the one for inverting RSA; hence the key size can be reduced for the same level of security.

A technique called PC (Point Compression) is used to lessen the need for memory space, especially when transmitting EC points. It is based on the fact that, for the curves presented in equation (2.4), the y coordinate can be obtained from the x coordinate as follows:

$$y = \pm \sqrt{x^{3} + cx^{2} + dx + e} \pmod{p} \qquad (2.6)$$

So, a whole point can be recovered from its x-coordinate plus one bit of sign indication. The saving in bandwidth is at the expense of extra computation at the recipient's side, which needs to include a modular square root algorithm.

Also, compared to traditional public-key schemes such as RSA, speed is enhanced as well, thanks to both the key length reduction and the EC construction. These facts represent an advantage when implementing EC-based schemes in constrained equipment such as smartphones or IoT devices.

2.4.3. Other cryptographic tools

This section presents other tools that are going to be used during the Thesis. For further details, the reader may be interested in reference texts such as the already presented [32].

Figure 2.6: Elliptic Curve addition (green, T = R + S) and scalar multiplication (blue, S = 2R). The solid blue line is tangent to R, and the solid green line is formed by the union of R and S. Note also that T = R + S = 3R.

2.4.3.1. The Diffie-Hellman key exchange primitive

The main idea behind the Diffie-Hellman primitive, as introduced by Whitfield Diffie and Martin Hellman in 1976 [36], is that the two parties involved in a communication can independently derive a secret key from a combination of public parameters and user-dependent private parameters.

In the beginning, the primitive was implemented using exponentiation in modular arithmetic, but it can be generalized to any finite group, such as an EC. The example we propose is based on the latter, and we will use some of the concepts explained in Section 2.4.2.

Let us consider the basic scenario in which Alice and Bob are our parties in the communication. They both agree on a curve to use, and each has a public-private key pair, as follows from equation (2.5): A = a · G, and B = b · G, respectively. We also consider that the public keys are securely provisioned at the other side, i.e., no MitM attack is possible.

If Alice wants to derive a shared value between her and Bob, she will take Bob's public key B and her private key a, which in the EC world are a point on the curve and a scalar, respectively. EC multiplication is thus valid, and Alice obtains a point on the curve, namely the secret S. Note that the process is identical from Bob's side, but using Alice's public key A and his private key b:

$$S = b \cdot A = b \cdot (a \cdot G) = a \cdot (b \cdot G) = a \cdot B \qquad (2.7)$$

This secret value can then be utilized for the encryption of messages through symmetric ciphers, as explained in the following section.
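The curve arithmetic of Section 2.4.2 (addition, scalar multiplication, the generator G and equation (2.5), point compression as in equation (2.6)) and the EC Diffie-Hellman step of equation (2.7) are implemented together in the following added example; it is written for this text and is not code from the Thesis. It works on the general reduced form y² = x³ + cx² + dx + e (mod p) of equation (2.4). The curve y² = x³ + x + 1 over F_23, the generator (3, 10) and the private scalars 5 and 7 are constructed toy values chosen so that everything can be checked by hand; real deployments use standardized curves of about 256 bits. The square-root shortcut used for decompression is valid only for p ≡ 3 (mod 4), which the code checks.

```python
# Added example (not from the thesis): affine arithmetic on the curve form of
# equation (2.4), point compression (2.6) and the ECDH step of equation (2.7).
# The curve over F_23, its generator and the private scalars are constructed
# toy values, far too small for any real use.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the role of the point at infinity O


@dataclass(frozen=True)
class Curve:
    p: int
    c: int
    d: int
    e: int

    def rhs(self, x: int) -> int:
        return (x ** 3 + self.c * x * x + self.d * x + self.e) % self.p

    def on_curve(self, P: Point) -> bool:
        return P is None or (P[1] * P[1]) % self.p == self.rhs(P[0])

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent addition; O is the identity and (x, -y) the inverse."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                                  # P + (-P) = O
        if P == Q:   # tangent slope (3x^2 + 2cx + d) / 2y
            lam = (3 * x1 * x1 + 2 * self.c * x1 + self.d) * pow(2 * y1, -1, self.p)
        else:        # chord slope (y2 - y1) / (x2 - x1)
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        # The three roots of x^3 + c x^2 + d x + e - (lam x + nu)^2 sum to lam^2 - c.
        x3 = (lam * lam - self.c - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication k*P (repeated addition) by double-and-add."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def compress(self, P: Tuple[int, int]) -> Tuple[int, int]:
        """(x, parity of y): the single bit of 'sign indication' of equation (2.6)."""
        return (P[0], P[1] & 1)

    def decompress(self, x: int, parity: int) -> Tuple[int, int]:
        """Recover y = +-sqrt(rhs(x)); the root shortcut needs p = 3 (mod 4)."""
        if self.p % 4 != 3:
            raise ValueError("toy square root only valid for p = 3 (mod 4)")
        y = pow(self.rhs(x), (self.p + 1) // 4, self.p)
        if y * y % self.p != self.rhs(x):
            raise ValueError("x is not the abscissa of a curve point")
        return (x, y if y & 1 == parity else self.p - y)


TOY = Curve(p=23, c=0, d=1, e=1)   # y^2 = x^3 + x + 1 (mod 23), constructed toy curve
G = (3, 10)                        # generator point used in the examples below


def ecdh(curve: Curve, a: int, b: int) -> Tuple[Point, Point]:
    """Equation (2.7): Alice (a) and Bob (b) each multiply the other's public
    point by their own scalar; both results are the same point S."""
    A, B = curve.mul(a, G), curve.mul(b, G)   # public keys, equation (2.5)
    return curve.mul(a, B), curve.mul(b, A)


if __name__ == "__main__":
    print("2G =", TOY.mul(2, G), " 7G =", TOY.mul(7, G), " 28G =", TOY.mul(28, G))
    print("compressed G:", TOY.compress(G), "->", TOY.decompress(*TOY.compress(G)))
    print("ECDH a=5, b=7:", ecdh(TOY, 5, 7))
```

On this curve the generator has order 28, so 28G = O and the ECDH secret for a = 5, b = 7 is 35G = 7G; the test below checks both sides of equation (2.7) against that point.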

2.4.3.2. Symmetric cryptography

Symmetric cryptography is based on the fact that the same key is used both for encrypting and for decrypting. It consists of the following basic elements, some of them shared with public-key systems:

Plain text: The original message that needs to be concealed.

Ciphertext: The encrypted, hidden version of the message.

Secret key: A shared value that determines what the ciphertext will look like.

Encryption algorithm: Responsible for transforming the plain text to a ciphertext, using some key-dependent transformations on the plain text.

Decryption algorithm: Retrieves the original message from the ciphertext and the secret key, by reverting the process applied by the encryption algorithm.

Let $P$, $C$, $\kappa$ be the plaintext, ciphertext, and secret key, respectively. The symmetric cryptographic primitives are denoted as:

$$C = E_{\kappa}(P) \qquad (2.8)$$

$$P = D_{\kappa}(C) = D_{\kappa}(E_{\kappa}(P)) \qquad (2.9)$$

One of the key features that symmetric cryptography has to fulfill is that it has to be strong, in the sense that knowledge of the construction details must not be enough to break the system. We must assume that it is possible for a potential attacker to build the same system, and thus it is impractical to rest the security of the system on hiding its construction.

So, it is noteworthy that the security of the cryptosystem has to rely only on the secrecy and strength of the key, which of course cannot be widely shared, for obvious reasons: the full communication would be readable.

There are various symmetric ciphers to choose from, but we will focus on two of them in this Thesis: XOR and AES (Advanced Encryption Standard). The former represents the most elementary one, whereas the latter constitutes the de-facto symmetric cipher.

The XOR cipher, as its name indicates, performs a bitwise XOR operation (denoted as ⊕) between the key and the plaintext to generate the ciphertext, and the same in the other direction, since XOR is an involutory function. Hence, for any bit string B, B ⊕ B = 0, where 0, the zero string, is the identity element. Mathematically, the cryptographic primitives become:

$$C = E_{\kappa}(P) = P \oplus \kappa \qquad (2.10)$$

$$P = D_{\kappa}(C) = C \oplus \kappa = (P \oplus \kappa) \oplus \kappa \qquad (2.11)$$

Despite its simplicity, it is not widely used because the system forces the secret key to be used just once, due to the vulnerability of XOR to the known-plaintext attack: knowledge of the plain text and of the ciphertext encrypted with XOR recovers the key, $C \oplus P = \kappa$. Nevertheless, it serves as a basis for more complex ciphers.

AES is a symmetric cipher standardized by NIST (National Institute of Standards and Technology) in 2001, and since then it has been the reference symmetric cipher, widely used and accepted. It was originally developed by Joan Daemen and Vincent Rijmen, and is thus also known as Rijndael. The details of how AES is built are out of the scope of the Thesis.

There are various modes in which AES can run, depending on the feature one wants to optimize. We are going to highlight two of them: CBC (Cipher Block Chaining) and CTR (Counter). CBC works with blocks of data, which implies that the output of the cipher is likewise produced in whole blocks. Meanwhile, CTR mode behaves as a stream cipher, like XOR, encrypting the data on the go, not necessarily over a whole block of data. This feature also enables length preservation between the plain text and the ciphertext. Figure 2.7 depicts both modes of operation.

(a) CBC mode encryption.

(b) CTR mode encryption.

Figure 2.7: Evaluated AES modes of operation, obtained from [37].

2.4.3.3. Hash functions

A Hash is a function that takes as input a bit string of arbitrary length and converts it into a fixed-length bit string. For a Hash function, denoted H(), to be useful, it has to fulfill these two properties:

One-way: Given H(x), it has to be difficult to retrieve the original x.

Collision-resistant: For any bit string $x$, it has to be difficult to find another, different bit string $x' \neq x$ such that $H(x) = H(x')$, i.e., one that produces the same output.

Hash functions have several cryptographic applications, the two most important being (i) the generation of message digests, and (ii) the creation of one-way password files. For the former, since these functions admit input data blocks of variable length, sometimes large, and produce a fixed-length, deterministic output, it can be considered as if the input were digested. The digest can later be used for, e.g., integrity checks or digital signatures.

The second application, the one applied in the Thesis, relies on the one-way property of hash functions, which implies that it is hard to find the original input given the output. So, hash functions are one of the bases for the generation of keying material.

One of the most used hash families is SHA-2. Standardized by NIST in 2001, it defines four functions, which vary in their output length: SHA-224, SHA-256, SHA-384, and SHA-512. Details on the construction are not considered.

Chapter 3

Review Study

Imagination is more important than knowledge, for knowledge is limited.

Albert Einstein

Abstract: In this chapter, the solutions that are being discussed nowadays for the concealment of the IMSI are presented and evaluated. We will focus mostly on the proposals in 3GPP, since it represents the main standardization body for mobile networks. Three main high-level solutions will be analyzed: traditional public-key schemes, attribute-based encryption, and pseudonyms.

3.1. Traditional public-key schemes

As it was explained in Section 2.4, a public-key scheme has the particularity of being formed by a public key and a private key, so that what is encrypted with the public one can only be decrypted using the private element, and the other way around.

When applying this scheme to protecting IMSI, the keys are used as follows:

1. The private key belongs to the element of the network which is in charge of performing the decryption.

2. The UE will know the public key of such element by the time it has to generate the ciphertext.

Several solutions propose the usage of such schemes, but we are going to focus on the solution discussed in [38]. Researchers suggest implementing a system based on DHIES (Diffie-Hellman Integrated Encryption Scheme), which consists of several functions and relies on the Diffie-Hellman primitive as explained in Section 2.4.

Their solution consists of encrypting the IMSI on the RAN part, i.e., from the UE to the MME. The problem comes from the fact that the public keys of all the possible MMEs cannot be stored on the UE. The proposal includes two variants to overcome this issue: one in which additional network infrastructure such as a PKI is required, and a second that does not need extra elements.


For the PKI variant, the (NAS) Identity Request message includes the MME's Certificate with its public key. Such a certificate can (and must) of course be validated by means of the PKI.

The UE derives the keying material from its private key and the received public key, and it responds in the (NAS) Identity Response with its public key, its symmetrically-encrypted IMSI and a MAC (Message Authentication Code). Upon reception, the MME follows the same procedure to derive the keying material, being thus able to decrypt the IMSI and validate the MAC.

On the other hand, the no-PKI solution includes further messages to be exchanged: instead of sending the (NAS) Identity Response right after the (NAS) Identity Request, the UE first transmits its public key to the MME in a separate message. The MME responds with its (untrusted) public key, so that now the UE can compute the keying material for doing symmetric encryption and MAC. Finally, the UE sends the (NAS) Identity Response with the encrypted IMSI and MAC, and the MME can decrypt it as described above.

The present proposal has the following characteristics:

It allows the whole IMSI to be encrypted (i.e., MCC, MNC, and MSIN), since the MME would be responsible for the decryption and would hence find the right HSS from there.

Therefore, it allows LI.

Comparing both variants, the former requires the introduction of new network elements (and possibly extra signaling to them, to validate the certificates), whereas the latter does not offer security against MitM attacks, and introduces new messages in the Attach procedure.

The (NAS) Attach Request message is still sent, even though now it would never include the IMSI, because the UE has to wait for the V-PLMN's public key for the encryption. However, it would include GUTI if available.

It is left unaddressed the specics on which scheme to use. Thus, it is impossible to do an analysis regarding bandwidth overload.

For the sake of completeness, both variants introduce a nonce in the keying material derivation, which needs to be exchanged between both entities and then increasing the bandwidth requirements.

Before concluding, authors in [39] suggest the usage of public-key encryption based on RSA but for non-3GPP accesses, e.g. WLAN (Wireless Local Area Network). We evaluate a similar solution for 3GPP accesses in Section 4.3.

3.2. Attribute-based encryption

Attribute-based encryption is a special kind of public-key scheme in which other parameters are used in the process, defining which elements on the network will be able to decrypt. Fig. 3.1 shows how this kind of scheme works.

Two main implementations will be discussed: KP-ABE (Key-Policy Attribute-Based Encryption) and IBE.
