A. Initial Authentication with PEPS-AKA

The message flow of the PEPS-AKA protocol is shown in Figure 4, and the steps involved in the PEPS-AKA-based authentication procedure are summarized as follows.

1. Initially, for a new user, when a UE attempts to connect with an LTE network, a confidentiality- and integrity-protected Attach Request is sent from the UE to the MME through an eNB with the IMSI, security capability and Key Selection Identifier (KSI$_{\mathrm {ASME}}$ ) = 7. The Initial Attach Request message in addition contains an unconcealed and integrity protected dummy IMSI related to the users’ IMSI to support user identification at the network side. The dummy IMSI is pre-shared using the USIM/UICC along with the secret K at UE and HSS. For known and frequent users, the Globally Unique Temporary Identifier (GUTI) is used instead of the IMSI. KSI_ASME is a 3-bit value ranging from 0 (“000”) to 7 (“111”), where KSI$_{\mathrm {ASME}}=7$ indicates that the UE has no authentication key, which triggers the PEPS-AKA procedure.

2. The MME receives the Attach Request and sends an Authentication Data Request message, along with the Serving Network Identifier (SN-ID) and Network Type (NT), to the HSS and requests an Authentication Vector (AV) for the UE.

3. Upon receiving the Authentication Data Request, the HSS verifies the SN-ID, and if it is found to be genuine, the HSS retrieves the UE’s secret key (LTE K) from its database and generates a single AV. The AV is generated as shown in Figure 5 and sent to the MME along with the security key (K₀) in the Authentication Data Response message. During the PEPS-AKA process, K₀ and AV are generated from the static LTE K, and once a user has been acknowledged as a frequent user, K₀ and AV are generated from the dynamic LTE K. The 128 least significant bits of K₀ are reserved for confidentiality protection, and the 128 most significant bits are reserved for integrity protection. The AV is composed of four parameters: a random number (RAND), expected response (XRES), K_ASME and authentication token (AUTN). Where ‘$f1-f5$ ’ shown in Figure 5, are the one-way hashing functions used to support AV generation. The sequence number (SQN) is generated by the HSS, and it is incremented by one for every round. Anonymity Key (AK) that is used to encrypt the SQN to ensure UE privacy protection when any eavesdropper tries to associate different executions of the authentication protocol with consecutive SQNs with the same mobile user. The Authentication Management Field (AMF) is configured in USIM and the operator’s database in AuC. Thus, AUTN is computed as ((SQN XOR AK)$\vert \vert$ AMF$\vert \vert$ MAC).

4. The MME sends the confidentiality- and integrity-protected Authentication Request with its MME-ID, RAND, AUTN of HSS, Function Identifier Sequence (FnId_Seq) and KSI_ASME to the UE. FnId_Seq is an optional parameter and is sent only for known and frequent users. KSI_ASME is used by the UE to generate a K_ASME value that is identical to that of the HSS. For every initial UE-HSS association, the secret LTE K is used, which is a predefined static key that is stored in the UE and HSS as a factory setting. For every successive association, a new Pseudo Random Function (PRF) is used to generate a dynamic LTE K to leverage the LTE security. Therefore, the initial PRF identifier in the FnId_Seq parameter always denotes the PRF ‘$f0$ ’ to generate the dynamic LTE K, and the rest of FnId_Seq contains the set of PRF identifiers to support 4G+FRP re-authentication key generation. For 4G+RAM execution between a single UE-MME pair, the dynamic LTE K varies and increases the overall security level. The MME stores FnId_Seq locally to support re-authentication. The dynamic LTE K generation using ‘$f0$ ’ is further explained in Section V-B.

5. On the user side, the network authentication is performed with AUTN validation. If the network is found to be genuine, the Authentication Response (RES) is sent to the MME.

6. The MME validates the RES of the UE with the XRES in the AV received from the HSS. If the RES and XRES match, the UE is considered to be genuine. Thus, the MME authenticates the UE and an Authentication Success message is sent from the MME to the UE.

FIGURE 4.

PEPS-AKA message exchange.

Show All

FIGURE 5.

Cryptographic key material generation.

Show All

After a successful mutual authentication, the K_ASME generated by the HSS will also be generated by the UE, which is a top-level key (also known as an anchor key) that is used to secure LTE communication. Post PEPS-AKA authentication, the non-access stratum security mode command procedure and access stratum command procedures follow procedures that are similar to those of the existing LTE system.

The idea behind the proposed 4G+FRP is to use the K_ASME generated during the initial PEPS-AKA authentication as a seed for the predefined PRF according to the shared FnId_Seq to support Re-authentication K_ASME (r-K_ASME) generation at the UE and MME for a successful re-authentication.

The AES-based secure message authentication algorithm EEA2 is used for confidentiality protection, and EIA2 is used for integrity protection. EIA2 uses AES as the underlying cipher and CMAC as the MAC structure, which is extensively analyzed and proven to be secure. The PRF ‘f6’ is pre-shared and stored with the LTE K as the factory settings.

B. Re-Authentication with 4G+FRP

The re-authentication process involves a single round-trip-time authentication, which is described as follows.

1. The UE sends an Attach Request, with a re-authentication vector to the MME (through an eNB) during re-authentication. The re-authentication vector consists of a cipher- and integrity-protected GUTI, Re-authentication Identifier (R-Id), RV_Ctr, Re-authentication Key (r-K_ASME) and Timestamp (T). ‘T’ ensures the freshness of the message. R-Id is generated by both UE and MME, and it is unique to each UE and eNB pair. R-Id is generated by truncating the K_ASME value that is generated during the initial PEPS-AKA authentication. RV_Ctr denotes the number of re-authentications being carried out for a known or frequent visitor. To generate r-K_ASME, the UE initially fetches an Fn-Id that corresponds to RV_Ctr from the pre-shared FnId_Seq. The Fn-Id uniquely identifies a PRF in the order of the received FnId_Seq. A PRF table has a set of PRFs along with the received FnId_Seq and corresponding user R-Id that is maintained for every UE and eNB pair. The security key K_R and r-K_ASME generation shown in Figure 6(a)and 6(b) are pre-processes at the UE to send the attach request to the MME. The 128 least significant bits of K_R are reserved for confidentiality protection, and the 128 most significant bits are reserved for integrity protection of the 4G+FRP message exchanges.

2. Upon receipt of an Attach Request, the MME computes the corresponding K_R and r-K_ASME based on the received R-Id, RV_Ctr from the pre-shared FnId_Seq. If the r-K_ASME computed by the MME matches the received r-K_ASME, then a Re-authentication Success message is sent in the Attach Response to the UE.

FIGURE 6.

(a) Re-authentication message confidentiality and integrity protection key generation. (b) Re-authentication key generation.

Show All

For every re-authentication following an initial PEPS-AKA authentication K_ASME is used as a seed to generate the r-K_ASME key. In contrast, for every re-authentication following a re-authentication; i.e., n^th re-authentication following an (n−1)^th re-authentication, r-$\text{K}_{\mathrm {ASME{-}n-1}}$ is used as the seed to generate the r-$\text{K}_{\mathrm {ASME-n}}$ key. A set of PRFs is used as the key generation function. The PRF sequence used to generate subsequent r_K_ASME is pre-shared during the PEPS-AKA initial authentication phase.

Here, $prf_{x}$ is a PRF, taken from a PRF set or sequence (“$prf_{0}$ ”, $prf_{1}$ , $prf_{2}\ldots prf_{x}$ , $prf_{x+1} \ldots .prf_{n}$ ), where $prf_{0}$ is defined for two special purposes as (i) $prf_{0}$ is assigned as ‘$f0$ ’ as shown in Figure 5 and that is used for dynamic LTE K generation, with the static LTE K as the seed after a normal authentication phase and the previously generated dynamic LTE K as the seed for the key hierarchy after a known authentication phase; and (ii) $prf_{0}$ is used for encryption key (K_R) derivation during re-authentication with K₀ as the seed. The remaining PRFs, from $prf_{1}$ to $prf_{n}$ , are used in the order specified in FnId_Seq to derive the subsequent re-authentication keys (r-K_ASME).

A PRF that has been used once is not reused for r-K_ASME generation during a 4G+RAM cycle. Hence, the r-K_ASME is unique for a UE-eNB pair in its 4G+RAM duration. Additionally, as Fn-Id is not transmitted during the authentication request, r-K_ASME is highly secure. The various 4G+FRP parameters, along with their bit sizes, are presented in Table 1.

TABLE 1 Parameters and Bit Sizes of the Re-Authentication Vector

A. Formal Security Verification

AVISPA is used with Security Protocol ANimator (SPAN) to validate the security properties of various 3G and 4G security protocols that were discussed in recent research works [28], [29]. As AVISPA provides a high level of assurance to both developers and users of next-generation security protocols, the proposed PEPS-AKA and 4G+FRP are validated using the AVISPA tool. The proposed protocols are modeled with the High-Level Protocol Specification Language (HLPSL). The HLPSL models the communicating entities UE, MME and HSS in different roles and specifies their behaviors with defined state machines [30]. Every protocol’s HLPSL is composed of sections such as the role, session, goal and environment. The goal encompasses the authentication and secrecy goal of the protocols. The Dolev-Yao intruder model is set up to validate the resistance of PEPS-AKA and 4G+FRP to various intruder attacks. Before this, the Dolev-Yao model is given knowledge about various sessions in the protocol. With the gained intruder knowledge, the Dolev-Yao model attempts to analyze, intercept, inject and modify the exact message exchanges by impersonating a legitimate user [31].

All message exchanges in the proposed PEPS-AKA and 4G+FRP are encrypted with security keys K₀ and K_R using the EEA2 encryption algorithm and integrity protected with the EIA2 integrity algorithm, respectively. The goal sections of PEPS-AKA and 4G+FRP verify the secrecy of keys K₀ and K_R during the authentication and re-authentication intruder simulations, respectively, under the Dolev-Yao attack model. It also verifies the authentication goal between UE and HSS in PEPS-AKA and authentication goal between UE and MME in 4G+FRP. The intruder simulations of PEPS-AKA and 4G+FRP are shown in Figures 7 and 8, respectively.

FIGURE 7.

PEPS-AKA intruder simulation.

Show All

FIGURE 8.

4G+FRP intruder simulation.

Show All

The corresponding outputs from the back-end servers On-the-Fly Model Checker (OFMC), SAT-based Model Checker (SATMC) and Constrained Logic-based Attack Searcher (CL-AtSe) indicate that our proposed PEPS-AKA and 4G+FRP are safe under intruders’ security attacks and satisfy the specified security goals. The sample output from the OFMC back-end server is shown in Figure 9. The related state-space tree construction by the OFMC [32] and the depth of attack analysis are shown in term of visited nodes and plies respectively.

FIGURE 9.

PEPS-AKA and 4G+FRP security results reported by OFMC.

Show All

B. Bandwidth Consumption Analysis

This section defines the fluid-flow mobility model for the LTE system to determine the UE network boundary crossing rate and dwell time within a given LTE access network where the PEPS-AKA mechanism is triggered. The authentication overhead of PEPS-AKA and its bandwidth consumption are analyzed using the defined fluid-flow mobility model. The model describes the amount of data flow out from the LTE access region, which is directly proportional to the density of the mobile user population within the LTE access region, the average speed of a mobile user with respect to the direction $(v)$ , and the length $(L)$ of the registration area boundary. It is assumed that the directions of movement of the mobile users are uniformly distributed over [0,$2\pi$ ], and the mobile users are uniformly populated with a density of $\rho$ . Therefore, the rate of registration area crossing by any mobile user is given by $$\begin{equation} R_{LTE}=\frac {\rho vL}{\pi } \end{equation}$$ View Source\begin{equation} R_{LTE}=\frac {\rho vL}{\pi } \end{equation}

When the fluid-flow mobility model is considered to analyze the PEPS-AKA authentication bandwidth consumption, various assumptions, which are presented in Table 2, are suggested by various research works, such as [25] and [33].

TABLE 2 Parameters Involved in Bandwidth Consumption Analysis

Based on the assumptions shown in Table 2 and equation (1), the rate of mobile UEs (arrival rate of UEs for registration per access region) crossing an access region can be computed as equation (2). $$\begin{align} R\_{}LTE=&\frac {\left ({ {30.3km\times 5.6km/s\times 390units/sq.km} }\right )}{3600\pi }\notag \\=&5.85~UEs/s. \end{align}$$ View Source\begin{align} R\_{}LTE=&\frac {\left ({ {30.3km\times 5.6km/s\times 390units/sq.km} }\right )}{3600\pi }\notag \\=&5.85~UEs/s. \end{align}

The computed registration rate is equal to the de-registration rate. Therefore, the number of users requesting access to the network per second is equivalent to the number of authentication requests for registration per second, and it is calculated as $$\begin{align} R_{Auth }=&R\_{}LTE\notag \\&{}^{\ast } Number~of ~registration ~area ~in ~a ~serving ~network \notag \\=&5.85~\text {users}/\text {sec} {}^{\ast } 128 = 748.8~\text {users}/\text {s}, \end{align}$$ View Source\begin{align} R_{Auth }=&R\_{}LTE\notag \\&{}^{\ast } Number~of ~registration ~area ~in ~a ~serving ~network \notag \\=&5.85~\text {users}/\text {sec} {}^{\ast } 128 = 748.8~\text {users}/\text {s}, \end{align} where R_Auth is the arrival rate of mobile users at an LTE access network for registration following an authentication. Therefore, the MME should be able to manage the processes of authentication and location area updating for 749 mobile users/s. As with all conventional authentication mechanisms, the MME, along with the HSS, takes over the entire authentication and key management process. Therefore, there is a huge threat to the MME and HSS/AuC due to computational overhead.

The bandwidth consumption of PEPS-AKA can be computed from the authentication request arrival rate (R_Auth). Based on the rate of authentication request arrival and the authentication parameters given in Table 3, the total authentication bandwidth consumption (Total_BW_Auth) can be calculated as shown in (4). $$\begin{align} Total\_{}BW_{Auth}=&Authentication ~Message ~Size \notag \\&\quad {}^{\ast } No. ~of ~Authentication ~Request/s\qquad \end{align}$$ View Source\begin{align} Total\_{}BW_{Auth}=&Authentication ~Message ~Size \notag \\&\quad {}^{\ast } No. ~of ~Authentication ~Request/s\qquad \end{align}

TABLE 3 PEPS-AKA Parameters and Bit Sizes

To evaluate the optimal performance of the proposed PEPS-AKA protocol, computing the bandwidth utilization between the serving MME and HSS is sufficient. The HSS overhead and authentication delay are mainly due to excess message exchange between the MME and HSS. The size of a message exchanged between the MME and HSS in the conventional authentication mechanism is the sum of the sizes of the messages sent during AV request and AV reception. The bit sizes of the authentication parameters for message computation of SE-AKA and Enhanced AKA are taken from their corresponding research works [25], [34]. In previous works, it was proven that SE-AKA outperforms various other LTE authentication schemes, such as EPS-AKA, DEX-AKA, EAP-AKA, AP-AKA, X-AKA, Cocktail AKA, S-AKA and G-AKA [34], [35]. Therefore, the comparison of PEPS-AKA is limited to recently proposed and accepted research works, such as Enhanced AKA and SE-AKA. In conventional authentication schemes [25], [34], the size of a message transmitted between the MME and HSS is calculated as follows. $$\begin{align}&\hspace {-1.2pc}Message ~size ~of ~SE{-}AKA \notag \\[4pt]=&SNID \!+\! IMSI \!+\! [AV (RAND\!+\!XRES\!+\!AUTN\!+\!K_{ASME}) {}^{\ast } n]\notag \\[4pt]=&48+64+ [(128+32+128+256) {}^{\ast } 5]\notag \\[4pt]=&48+64+2720 = 2832~\text {bits} \\&\hspace {-1.2pc}Total\_{}BW_{Auth}\_{}SE{-}AKA\notag \\=&2832~bits \times 748.8/s\notag \\[4pt]=&2.022~Mbits/s \\&\hspace {-1.2pc}Message ~size ~of ~Enhanced{-}AKA\notag \\=&2{}^{\ast } SNID + 2 {}^{\ast } KI + IMSI +M{-}ID + RAND_{UE}+ S\notag \\=&2 {}^{\ast } 48 + 2 {}^{\ast } 128 + 128 + 60 + 128 + 128\notag \\=&796~\text {bits} \\&\hspace {-1.2pc}Total\_{}BW_{Auth}\_{}Enhanced~AKA \notag \\=&796~bits{}^{\ast } 748.8/s\notag \\=&0.568~Mbits/s \end{align}$$ View Source\begin{align}&\hspace {-1.2pc}Message ~size ~of ~SE{-}AKA \notag \\[4pt]=&SNID \!+\! IMSI \!+\! [AV (RAND\!+\!XRES\!+\!AUTN\!+\!K_{ASME}) {}^{\ast } n]\notag \\[4pt]=&48+64+ [(128+32+128+256) {}^{\ast } 5]\notag \\[4pt]=&48+64+2720 = 2832~\text {bits} \\&\hspace {-1.2pc}Total\_{}BW_{Auth}\_{}SE{-}AKA\notag \\=&2832~bits \times 748.8/s\notag \\[4pt]=&2.022~Mbits/s \\&\hspace {-1.2pc}Message ~size ~of ~Enhanced{-}AKA\notag \\=&2{}^{\ast } SNID + 2 {}^{\ast } KI + IMSI +M{-}ID + RAND_{UE}+ S\notag \\=&2 {}^{\ast } 48 + 2 {}^{\ast } 128 + 128 + 60 + 128 + 128\notag \\=&796~\text {bits} \\&\hspace {-1.2pc}Total\_{}BW_{Auth}\_{}Enhanced~AKA \notag \\=&796~bits{}^{\ast } 748.8/s\notag \\=&0.568~Mbits/s \end{align}

During the initial authentication, except for the difference in bit size of messages transmitted between the UE, MME and HSS, the number of rounds for requesting AV is similar in existing schemes and the proposed PEPS-AKA. Here, we consider the size of the authentication message exchanged between the MME and HSS to evaluate the bandwidth consumption and HSS load. Therefore, the message size of the proposed PEPS-AKA between the MME and HSS is equal to the total number of authentication requests and response message exchanges. $$\begin{align}&\hspace {-2pc}Size ~of~ PEPS{-}AKA ~message\notag \\=&IMSI + SN{-}ID + NT + MAC + AV \notag \\&\times \,(RAND + AUTN + XRES +K_{ASME})\notag \\=&64 + 28 + 4 + 128 + 128 + 128 + 32 + 256\notag \\=&768~\text {bits} \\&\hspace {-2pc}Total\_{}BW_{Auth}\_{}PEPS{-}AKA \notag \\=&768~bits {}^{\ast } 748.8/s\notag \\=&575078.4~bits/sec \notag \\=&0.548~Mbits/s \end{align}$$ View Source\begin{align}&\hspace {-2pc}Size ~of~ PEPS{-}AKA ~message\notag \\=&IMSI + SN{-}ID + NT + MAC + AV \notag \\&\times \,(RAND + AUTN + XRES +K_{ASME})\notag \\=&64 + 28 + 4 + 128 + 128 + 128 + 32 + 256\notag \\=&768~\text {bits} \\&\hspace {-2pc}Total\_{}BW_{Auth}\_{}PEPS{-}AKA \notag \\=&768~bits {}^{\ast } 748.8/s\notag \\=&575078.4~bits/sec \notag \\=&0.548~Mbits/s \end{align}

As discussed in Section IV, 4G+RAM is a combination of PEPS-AKA and 4G+FRP. Therefore, the 4G+RAM authentication signaling overheads at the HSS for different authentication arrival rates are comparatively analyzed with those of existing schemes, such as SE-AKA and Enhanced EPS-AKA in Figures 10 and 11.

FIGURE 10.

Comparison of HSS loads during initial authentication.

Show All

FIGURE 11.

Comparison of HSS Loads during Session / Re-authentication.

Show All

The existing schemes fetch ‘$n$ ’ AVs from the HSS, whereas the proposed PEPS-AKA fetches only a single AV from the HSS. Meanwhile, the MME sends the required FnId_Seq to the UE to support ‘$n$ ’ future accesses and the generation of the corresponding re-authentication vectors; therefore, the HSS load is very minimal and is balanced in 4G+RAM authentication and re-authentication compared to the existing schemes.

Therefore, both the known- and frequent-user authentication processes of the proposed 4G+RAM greatly reduce the HSS and AuC overhead. This minimum re-authentication signaling renders fast access for LTE and critical PS-LTE users. No AVs for future access are generated during the initial authentication, but the required re-authentication vector is generated as and when required, without any delay at the MME itself; this eliminates the AV synchronization problem.

1) Initial Authentication for a New User

To demonstrate the optimal performance of PEPS-AKA, a comparative analysis based on the entire authentication bandwidth consumption is performed. The authentication overheads of PEPS-AKA, Enhanced AKA, and SE-AKA are computed in (11), (12), and (13) as follows.

1. Attach request sent from UE to MME

2. Authentication data / AV request from MME to HSS

3. AV data response sent from HSS to MME

4. Authentication request along with FnId_Seq sent from MME to UE.

5. Authentication response sent from UE to MME

$$\begin{align}&\hspace {-2pc}Bandwidth~for~PEPS{-}AKA \!=\! \prod \nolimits _{i=1}^{5} {M\left ({ i }\right ){}^{\ast } 748.8/s}\qquad \\ m1=&IMSI+KSI_{ASME}+SEC{-}Capability +MAC\notag \\ m2=&IMSI + SN{-}ID +NT \notag \\ m3=&AV (RAND, AUTN, XRES, K_{ASME})\notag \\ m4=&MME{-}ID, RAND, AUTN_{HSS}, K_{ASME},\notag \\&FnId\_{}Seq, MAC\notag \\ m5=&RES\notag \\&\hspace {-2pc}Bandwidth~for~Enhanced~AKA \!=\! \prod \nolimits _{i=1}^{5} {M\left ({ i }\right ){}^{\ast } 748.8/s}\quad \notag \\ {}\end{align}$$ View Source\begin{align}&\hspace {-2pc}Bandwidth~for~PEPS{-}AKA \!=\! \prod \nolimits _{i=1}^{5} {M\left ({ i }\right ){}^{\ast } 748.8/s}\qquad \\ m1=&IMSI+KSI_{ASME}+SEC{-}Capability +MAC\notag \\ m2=&IMSI + SN{-}ID +NT \notag \\ m3=&AV (RAND, AUTN, XRES, K_{ASME})\notag \\ m4=&MME{-}ID, RAND, AUTN_{HSS}, K_{ASME},\notag \\&FnId\_{}Seq, MAC\notag \\ m5=&RES\notag \\&\hspace {-2pc}Bandwidth~for~Enhanced~AKA \!=\! \prod \nolimits _{i=1}^{5} {M\left ({ i }\right ){}^{\ast } 748.8/s}\quad \notag \\ {}\end{align}

• $m1 = SNID+KI+IMSI+M{-}ID+RAND_{UE}$

• $m2 = 2{}^{\ast } SNID+KI+IMSI+M{-}ID+ RAND_{UE}$

• $m3 = KI+S$

• $m4 = KI+RAND_{MME}+AUTH$

• $m5 = RES$

Based on the assumptions of the fluid-flow model given in Table 2, a serving network consists of 128 registration areas. According to the SE-AKA scheme [34], each registration area is considered as a group, where one UE in each group is assumed to perform full authentication, representing all group members, whereas the other UEs may send or receive $m1$ , $m5$ , $m4$ , etc. Each group (G) is assigned a group number ‘$j$ ’. The SE-AKA bandwidth is calculated as follows. $$\begin{align}&\hspace {-1.2pc}Bandwidth~for ~SE{-}AKA\notag \\=&128/sec{}^{\ast } \prod \nolimits _{i=1}^{5} m\left ({ i }\right )\notag \\&+\left ({ 748.8\!-\!128 }\right ){}^{\ast }(m1+m4+m5\!-\!MACGj\!-\!TGj) \qquad ~ \end{align}$$ View Source\begin{align}&\hspace {-1.2pc}Bandwidth~for ~SE{-}AKA\notag \\=&128/sec{}^{\ast } \prod \nolimits _{i=1}^{5} m\left ({ i }\right )\notag \\&+\left ({ 748.8\!-\!128 }\right ){}^{\ast }(m1+m4+m5\!-\!MACGj\!-\!TGj) \qquad ~ \end{align}

• $m1 = ID_{Gj}+TID_{ME}+R_{ME}+MAC_{Gj}+T_{Gj}$

• $m2 = ID_{Gj}+TID_{ME}+R_{ME}+MAC_{Gj}+T_{Gj}+LAI$

• $m3 = R_{HSS}+R_{ME}+AMF+748.8/128(SV_{ME}+TID_{ME})$

• $m4 =ID_{MME}+ID_{Gj}+TID_{ME}+MAC_{MME}+R_{HSS}$

  $+R_{MME}+R_{ME}+AMF+aP$

• $m5=MAC_{ME}+bP$

2) Authentication and Re-Authentication for Known and Frequent Users

Once the UE is registered, in both Enhanced-AKA and SE-AKA, the AV is made available in the serving network; hence, the HSS is not involved in fetching the AV. However, this AV availability at the UE side and the MME side will result in a huge security loophole when the UE is compromised. In turn, according to the proposed authentication model, in both the proposed PEPS-AKA and 4G+FRP, the AVs and re-authentication vectors are generated as and when required on the go by fetching from the HSS and with the pre-shared FnId_Seq at the MME, respectively. Therefore, the HSS involvement is reduced to a great extent. The bandwidth consumptions of PEPS-AKA and 4G+FRP are computed based on the authentication request arrival rate [36]. As mentioned in previous research, the authentication request arrival rate in an intra-domain handover is expressed as $$\begin{equation} \mathop \lambda \nolimits _{1} =\sum \limits _{r=1}^{4} {\mathop \lambda \nolimits _{u} } \mathop P\nolimits _{r} \left ({ {\left [{ {\overline {\mathop N\nolimits _{a} } } }\right ]-1} }\right ) \end{equation}$$ View Source\begin{equation} \mathop \lambda \nolimits _{1} =\sum \limits _{r=1}^{4} {\mathop \lambda \nolimits _{u} } \mathop P\nolimits _{r} \left ({ {\left [{ {\overline {\mathop N\nolimits _{a} } } }\right ]-1} }\right ) \end{equation} where $\lambda _{\mathrm {u}}$ , is the call arrival rate, P_r is the probability that a UE initiates a network access, and the connection lasts until a UE moves out of the current access domain. $\overline N_{a}$ is the average number of access areas passed by a UE. When the UE call arrival rate $\lambda _{\mathrm {u}}$ follows a Poisson distribution, then the average number of intra-domain handover authentications is [$\overline N_{a}$ ]−1. Let $\lambda _{2}$ be the rate of arrival of session authentications. It is the same as the UE call arrival rate [36]. Therefore, $\lambda _{2} = \lambda _{\mathrm {u}}$ .

The bandwidth consumption for PEPS-AKA and enhanced AKA are computed as $$\begin{equation} BW\_{}PEPS{-}AKA = (\lambda 1+\lambda 2){}^{\ast } (m1+m4+m5)\qquad \end{equation}$$ View Source\begin{equation} BW\_{}PEPS{-}AKA = (\lambda 1+\lambda 2){}^{\ast } (m1+m4+m5)\qquad \end{equation}

The bandwidth consumption for 4G+FRP is computed as $$\begin{equation} BW\_{}4G+FRP = ((\lambda 1+\lambda 2){}^{\ast } (m1{'}+m2{'}) \end{equation}$$ View Source\begin{equation} BW\_{}4G+FRP = ((\lambda 1+\lambda 2){}^{\ast } (m1{'}+m2{'}) \end{equation} where,

1. Authentication request from UE to MME

2. Authentication request from MME to UE

The bandwidth consumption for SE-AKA is computed as $$\begin{align} BW\_{}SE{-}AKA=&(\lambda 1+\lambda 2){}^{\ast } (m1+m4+m5) - (\lambda 1+\lambda 2)\notag \\&\qquad \qquad \qquad ~{}^{\ast } (MAC_{Gj} + T_{Gj}) \end{align}$$ View Source\begin{align} BW\_{}SE{-}AKA=&(\lambda 1+\lambda 2){}^{\ast } (m1+m4+m5) - (\lambda 1+\lambda 2)\notag \\&\qquad \qquad \qquad ~{}^{\ast } (MAC_{Gj} + T_{Gj}) \end{align}

Using the bandwidth consumptions of various protocols, calculated from (15)–​(17), and the authentication arrival rate in an access network, as given in (14), a comparison among the authentication arrival rates and the corresponding bandwidth consumptions for PEPS-AKA, 4G+FRP, Enhanced-AKA, and SE-AKA is performed as depicted in Figures 12 and 13. As in [25] and [36], a few assumptions are made: $\lambda _{\mathrm {u}} = 8.7$ /sec/registration area, P_r = 1 and $\overline N _{a} = 10$ .

FIGURE 12.

Comparison of bandwidth consumption for initial authentication.

Show All

FIGURE 13.

Comparison of bandwidth consumption for session / handover authentication.

Show All

A. User Privacy Protection

The authentication requests and responses in PEPS-AKA and 4G+FRP are encrypted, and the IMSI is sent only during the initial authentication. During every re-authentication, instead of the IMSI, the GUTI is sent in the access request. Therefore, as the rate of on-the-air IMSI transmission decreases and every attach request message containing the IMSI is encrypted and integrity-protected, the possibility of IMSI tampering, user tracking, or user information acquisition becomes negligible.

B. Security Against Man-in-the-Middle Attack

To perform a successful man-in-the-middle attack, an intruder needs to tamper with the IMSI of a legitimate user. With the IMSI of any legitimate user, the intruder can send an attach request message to receive the valid AV from the HSS. However, in PEPS-AKA and 4G+FRP, the IMSI cannot be fetched at any level, as the IMSI transmitted during the authentication process is confidentiality and integrity protected. Moreover, during every re-authentication, the GUTI is sent as the UE identifier instead of the IMSI, so a man-in-the-middle attack is not feasible. Additionally, the IMSI cannot be cached or tampered with when using any IMSI catching device.

C. Resistance to Re-Direction Attack

During the initial authentication, on receiving the attach request message, only the MME sends the SN-ID in an authentication data request to the HSS. As both the MME and HSS reside in the secured backhaul connection network, tampering is not possible at this stage. Moreover, the intruder can impersonate only a genuine eNB to perform a re-direction attack. As an eNB does not initiate any attach request in the PEPS-AKA process, a fake eNB cannot modify the SN-ID. Additionally, during the 4G+FRP process, re-authentication is initiated only with trusted and previously authenticated genuine eNBs, and no new eNB can initiate 4G+FRP. Therefore, a re-direction attack is not feasible.

D. Solution to the Single-Key Problem

The pre-shared static LTE K in the UE and HSS is the source key for deriving all subsequent key materials in the LTE network. If the static LTE K is compromised, then all other keys can be retrieved. Taking this into consideration, in 4G+RAM, the static LTE K is used only once during the very first initial authentication, and for every successive access dynamic, LTE K is used to generate the entire LTE key hierarchy. Thus, the single-key problem is addressed effectively.

E. Security Against Re-Play Attack

The entire communication between any UE and MME is protected with the anchor key, K_ASME. It is dynamically generated with a different set of PRFs, so no cached K_ASME can be re-used for future communication. Every attach request corresponding to the re-authentication contains a timestamp value, which ensures the freshness of the message and prevents replay attempts.

F. De-Synchronization Attack

The single AV generation in PEPS-AKA prevents the interleaving usage of AV which in turn avoids the de-synchronization attack. Moreover, this type of attack in MME prevents the timeliness of handover key management. It is a potential security flaw when the intruder compromises any security key. The proposed 4G+RAM uses the K_ASME that was previously generated to derive r-K_ASME with a different PRF, and if any authentication failure occurs, the secret LTE K is used to re-initiate the authentication with PEPS-AKA. Additionally, during the re-authentication phase, if any network error occurs, the UE can re-initiate a 4G+FRP-based re-authentication with the unused set of Fn-IDs in the order specified by the received FnId_Seq. Therefore, no communication failure occurs at any level.

G. Signaling Overhead Optimization

During every initial authentication, a single AV is fetched, instead of ‘$n$ ’ AVs, from the HSS, and HSS involvement in the re-authentication process is completely eluded. These two enhancements reduce the signaling overhead and bandwidth consumption in the LTE access network significantly.

H. Perfect Forward and Backward Secrecy

Dynamic LTE K-based key generation ensures perfect forward and backward secrecy without imposing any overhead on the existing system. Moreover, the PRFs used to generate K_ASME are not logically related or dependent. Therefore, if any authentication key is obtained, the previous keys and successive keys cannot be derived at any level, so all past and future communications are made safe.

I. Denial-of-Service Attack

The hackers execute Denial-of-Service (DoS) attack by cloning the legitimate UEs’ identification information (IMSI) to send multiple attach request messages to the LTE access network simultaneously along with the legitimate UEs’ attach request message. Where the MME will be overwhelmed by this kind of DoS attack and the legitimate UE’s attach request will be denied. The LTE EPS-AKA is prone to DoS attack due to lack of confidentiality protection and integrity protection. Whereas the proposed 4G+RAM is resistant towards DoS as both PEPS-AKA and 4G+FRP carrying subscriber identification information are confidentiality and integrity protected.

J. Distributed Denial-of-Service Attack

Using a technique similar to botnets that attacks websites to achieve distributed denial-of-service (DDoS) attack, it is also possible for the hackers to overwhelm the LTE cellular networks to shut it down. To execute a successful DDoS attack, the hackers need to clone the subscriber identification information (IMSI/GUTI) from SIM cards/USIM from thousands of UEs and then make multiple roaming calls from different geographical locations with different handsets. DDoS in LTE will deliberately confuse the network with a mobile number that appears to be in thousands of places at once. But, the subscriber identification information in the proposed 4G+RAM will not be available to hackers as all the message exchange during PEPS-AKA and 4G+FRP are confidentiality and integrity protected.