Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations

The lack of authentication protection for bootstrapping messages broadcast by base-stations makes impossible for devices to differentiate between a legitimate and a fake base-station. This vulnerability has been widely acknowledged, but not yet fixed and thus enables law-enforcement agencies, motivated adversaries and nation-states to carry out attacks against targeted users. Although 5G cellular protocols have been enhanced to prevent some of these attacks, the root vulnerability for fake base-stations still exists. In this paper, we propose an efficient broadcast authentication protocol based on a hierarchical identity-based signature scheme, Schnorr-HIBS, which addresses the root cause of the fake base-station problem with minimal computation and communication overhead. We implement and evaluate our proposed protocol using off-the-shelf software-defined radios and open-source libraries. We also provide a comprehensive quantitative and qualitative comparison between our scheme and other candidate solutions for 5G base-station authentication proposed by 3GPP. Our proposed protocol achieves at least a 6x speedup in terms of end-to-end cryptographic delay and a communication cost reduction of 31% over other 3GPP proposals.

[1]  Elisa Bertino,et al.  Insecure connection bootstrapping in cellular networks: the root of all evil , 2019, WiSec.

[2]  Valtteri Niemi,et al.  Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems , 2015, NDSS.

[3]  Eike Kiltz,et al.  Identity-Based Signatures , 2009, Identity-Based Cryptography.

[4]  Craig Gentry,et al.  Hierarchical ID-Based Cryptography , 2002, ASIACRYPT.

[5]  Andy Lilly IMSI catchers: hacking mobile communications , 2017, Netw. Secur..

[6]  Hairong Qi,et al.  Load-balanced key establishment methodologies in wireless sensor networks , 2006, Int. J. Secur. Networks.

[7]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[8]  Edgar R. Weippl,et al.  The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection , 2016, RAID.

[9]  Jean-Pierre Seifert,et al.  New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities , 2019, WiSec.

[10]  Jean-Pierre Seifert,et al.  On the Impact of Rogue Base Stations in 4G/LTE Self Organizing Networks , 2018, WISEC.

[11]  Yuliang Zheng An Authentication and Security Protocol for Mobile Computing , 1996, IFIP World Conference on Mobile Communications.

[12]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[13]  Do Van Thanh,et al.  Strengthening Mobile Network Security Using Machine Learning , 2016, MobiWIS.

[14]  Michael Groves Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI) , 2012, RFC.

[15]  Mihir Bellare,et al.  Multi-signatures in the plain public-Key model and a general forking lemma , 2006, CCS '06.

[16]  Zhaohui Cheng,et al.  The SM9 Cryptographic Schemes , 2017, IACR Cryptol. ePrint Arch..

[17]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[18]  Vikas Kumar,et al.  Galindo-Garcia Identity-Based Signature Revisited , 2012, ICISC.

[19]  Craig Costello,et al.  Fourℚ: Four-Dimensional Decompositions on a ℚ-curve over the Mersenne Prime , 2015, ASIACRYPT.

[20]  Thorsten Holz,et al.  Breaking LTE on Layer Two , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[21]  Xun Yi,et al.  An optimized protocol for mobile network authentication and security , 1998, MOCO.

[22]  Yongdae Kim,et al.  Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE , 2019, USENIX Security Symposium.

[23]  Dan Forsberg,et al.  LTE Security , 2010 .

[24]  Elisa Bertino,et al.  Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information , 2019, NDSS.

[25]  Tanja Lange,et al.  Twisted Edwards Curves , 2008, AFRICACRYPT.

[26]  Elisa Bertino,et al.  Real-Time Digital Signatures for Time-Critical Networks , 2017, IEEE Transactions on Information Forensics and Security.

[27]  I. Elhanany,et al.  Self-certified public key generation on the intel mote 2 sensor network platform , 2006, 2006 2nd IEEE Workshop on Wireless Mesh Networks.

[28]  Flavio D. Garcia,et al.  A Schnorr-Like Lightweight Identity-Based Signature Scheme , 2009, AFRICACRYPT.

[29]  Marc Fischlin,et al.  A Formal Approach to Distance-Bounding RFID Protocols , 2011, ISC.

[30]  Srdjan Capkun,et al.  Realization of RF Distance Bounding , 2010, USENIX Security Symposium.

[31]  Hai Thanh Nguyen,et al.  Detecting IMSI-Catcher Using Soft Computing , 2015, SCDS.

[32]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[33]  Edgar R. Weippl,et al.  IMSI-catch me if you can: IMSI-catcher-catchers , 2014, ACSAC.

[34]  Srdjan Capkun,et al.  UWB rapid-bit-exchange system for distance bounding , 2015, WISEC.

[35]  Elisa Bertino,et al.  LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE , 2018, NDSS.

[36]  Bogdan Warinschi,et al.  Secure Proxy Signature Schemes for Delegation of Signing Rights , 2010, Journal of Cryptology.

[37]  Markus Ullmann,et al.  Short paper: a new identity-based DH key-agreement protocol for wireless sensor networks based on the Arazi-Qi scheme , 2011, WiSec '11.

[38]  Hai Thanh Nguyen,et al.  A Network Based IMSI Catcher Detection , 2016, 2016 6th International Conference on IT Convergence and Security (ICITCS).

[39]  Riaz Ahmed Shaikh,et al.  IMSI Catcher Detection Method for Cellular Networks , 2019, 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS).

[40]  Siu-Ming Yiu,et al.  Secure Hierarchical Identity Based Signature and Its Application , 2004, ICICS.

[41]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[42]  Stig Fr. Mjølsnes,et al.  Easy 4G/LTE IMSI Catchers for Non-Programmers , 2017, MMM-ACNS.

[43]  Yongdae Kim,et al.  Location Leaks on the GSM Air Interface , 2011 .

[44]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[45]  Yunhao Liu,et al.  FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild , 2017, NDSS.

[46]  Cheng-Chi Lee,et al.  AN EXTENDED CERTIfiCATE-BASED AUTHENTICATION AND SECURITY PROTOCOL FOR MOBILE NETWORKS , 2009 .