A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security

This paper proposes a systematic method for analysing the security of 5G Non-Access Stratum (NAS) signalling based on formal analysis. The method identified 10 new 5G protocol vulnerabilities, and the paper proposes an improved PKI mechanism aimed at eliminating them. First, the 5G system, its state-transition properties and its security properties were abstracted from the 3GPP specifications. To mimic an attacker's behaviour, a Dolev-Yao adversary was added to the 5G model and given knowledge of NAS signalling security testing together with realistic capabilities on the wireless channel. The TAMARIN prover was then used to verify each abstracted property in turn, and the counterexamples it produced pointed to candidate protocol vulnerabilities. These were reproduced on a testbed, confirming 10 new 5G protocol vulnerabilities. A root-cause analysis concluded that all of them stem from the unconditional trust the UE places in the gNodeB. The paper therefore proposes an improved PKI mechanism built on the asymmetric key pair that 5G already provisions for the home network: in addition to that pair, a new asymmetric key pair is introduced at the gNodeB and used to encrypt and sign the signalling messages sent to the UE. The UE connects to a gNodeB, and initiates the RRC connection, only after verification of these messages succeeds. This mechanism avoids all of the vulnerabilities found in the paper.
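The gNodeB-credential mechanism sketched in the last sentences of the abstract can be made concrete as a small protocol exchange. The Go program below is an added example, not code from the paper: it assumes the home network acts as a certificate authority that signs each gNodeB identifier together with the gNodeB public key, that the UE is provisioned with the home-network public key (as it already is for SUCI concealment), and that Ed25519 stands in for whatever signature scheme the paper actually specifies. The function names IssueGNBCert, GNBSign and UEVerify, the per-gNodeB message counter and the domain-separation prefixes are this example's own constructs, and the encryption half of the paper's proposal is not shown. The program runs the legitimate exchange and three cases a UE must reject: a rogue gNodeB with a self-issued certificate, a rogue that presents a genuine certificate without holding the matching private key, and a replayed message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain-separation prefixes (this example's own choice) so that a certificate
// signature can never be presented as a message signature or vice versa.
var (
	ctxCert = []byte("5G-GNB-CERT-v1:")
	ctxMsg  = []byte("5G-GNB-NAS-v1:")
)

// GNBCert is the hypothetical gNodeB credential: the home network (HN) signs
// the gNodeB identifier together with the gNodeB public key.
type GNBCert struct {
	GNBID  uint32
	PubKey ed25519.PublicKey
	HNSig  []byte
}

// SignedMsg is a downlink signalling message protected by the gNodeB key.
type SignedMsg struct {
	Cert    GNBCert
	Counter uint32 // monotonic per gNodeB; the UE rejects non-increasing values
	Payload []byte
	Sig     []byte
}

func be32(v uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return b[:]
}

// certTBS is the byte string the home network signs for a gNodeB certificate.
func certTBS(id uint32, pub ed25519.PublicKey) []byte {
	b := append([]byte{}, ctxCert...)
	b = append(b, be32(id)...)
	return append(b, pub...)
}

// msgTBS is the byte string the gNodeB signs for each message; it binds the
// payload to the sending gNodeB and to the counter.
func msgTBS(id, counter uint32, payload []byte) []byte {
	b := append([]byte{}, ctxMsg...)
	b = append(b, be32(id)...)
	b = append(b, be32(counter)...)
	return append(b, payload...)
}

// IssueGNBCert is run by the home network when provisioning a gNodeB.
func IssueGNBCert(hnPriv ed25519.PrivateKey, id uint32, gnbPub ed25519.PublicKey) GNBCert {
	return GNBCert{GNBID: id, PubKey: gnbPub, HNSig: ed25519.Sign(hnPriv, certTBS(id, gnbPub))}
}

// GNBSign is run by the gNodeB for every signalling message sent to the UE
// before NAS security has been activated.
func GNBSign(gnbPriv ed25519.PrivateKey, cert GNBCert, counter uint32, payload []byte) SignedMsg {
	return SignedMsg{Cert: cert, Counter: counter, Payload: payload,
		Sig: ed25519.Sign(gnbPriv, msgTBS(cert.GNBID, counter, payload))}
}

// UEVerify is run by the UE; only a nil error allows the RRC connection to
// proceed. lastCounter is the highest counter already accepted from this GNBID
// (0 if none). Checks run chain first, then message, then freshness.
func UEVerify(hnPub ed25519.PublicKey, lastCounter uint32, m SignedMsg) error {
	if len(m.Cert.PubKey) != ed25519.PublicKeySize {
		return errors.New("malformed gNodeB public key")
	}
	if !ed25519.Verify(hnPub, certTBS(m.Cert.GNBID, m.Cert.PubKey), m.Cert.HNSig) {
		return errors.New("gNodeB certificate not signed by home network")
	}
	if !ed25519.Verify(m.Cert.PubKey, msgTBS(m.Cert.GNBID, m.Counter, m.Payload), m.Sig) {
		return errors.New("message signature invalid")
	}
	if m.Counter <= lastCounter {
		return errors.New("replayed or stale message")
	}
	return nil
}

func main() {
	hnPub, hnPriv, _ := ed25519.GenerateKey(rand.Reader)
	gnbPub, gnbPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueGNBCert(hnPriv, 0x1001, gnbPub)

	// Legitimate gNodeB: accepted (prints <nil>).
	m := GNBSign(gnbPriv, cert, 1, []byte("constructed NAS payload"))
	fmt.Println("legit:      ", UEVerify(hnPub, 0, m))

	// Rogue gNodeB with its own key and a self-issued certificate: fails the chain check.
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert := IssueGNBCert(rPriv, 0x1001, rPub)
	fmt.Println("rogue cert: ", UEVerify(hnPub, 0, GNBSign(rPriv, rogueCert, 1, []byte("Registration Reject"))))

	// Rogue replays a genuine certificate but lacks the private key: fails the message check.
	fmt.Println("stolen cert:", UEVerify(hnPub, 0, GNBSign(rPriv, cert, 2, []byte("Registration Reject"))))

	// Replay of a captured legitimate message: fails the counter check.
	fmt.Println("replay:     ", UEVerify(hnPub, 1, m))
}
```

The order of checks matters for the threat the paper describes: a UE that verified the message signature before the certificate chain would let any attacker who can generate a key pair pass the first check, and the chain check is what removes the unconditional trust in whichever gNodeB is loudest on the air interface. The counter is a stand-in for whatever freshness mechanism a real design would use; without one, a captured reject message remains valid forever.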
