Chan-Kyu Han, Hyoung-Kee Choi, Jung Woo Baek, Ho Woo Lee
Sungkyunkwan University
IEEE LCN 2009, Zürich, Switzerland, 20-23 October, 2009
- 2 -
Introducing the revised security architecture in 3GPP LTE/SAE
Relaxing the Poisson assumption in authentication request process
Renewal process and renewal reward theorem
Exploring new authentication triggers
e.g. horizontal and vertical handover, multimedia requests
Observing signaling cost of each authentication event
Analyzing the effect of arrival rate, exceptional case, various random processes on signaling loads in mobile networks
- 3 -
Multiple-access network
Revised UMTS-AKA
Long Term Evolution (Evolved UTRAN)
System Architecture Evolution (Evolved Packet System)
All IP-based multimedia service
Heterogeneous mobility
- 4 -
[Figure: EPC-AKA message flow among UE, MME and HSS, plus handover to a new MME that identifies the UE by its GUTI. The ADR exchange carries the IMSI and returns K authentication vectors [RAND, KASME, AUTN, RES]_{i=1..K}.]
UAR: User authentication request/response
ADR: Authentication data request/response
CTR: Context transfer request/response
One batch of K authentication vectors per ADR, for performance reasons
Backward compatibility with vector-based UMTS-AKA
Serving network identity bound into the key derivation to prevent the redirection attack
Key hierarchy: (CK, IK) at the HSS/AuC, KASME at the MME
- 5 -
Criteria        | UMTS-AKA                                                           | EPC-AKA
----------------|--------------------------------------------------------------------|-------------------------------------------------------------------------
Vulnerability   | Redirection, false BS attack [ZHANG05, IEEE Trans. Wireless Comm.] | Has not been reported
Authentication  | Vector-based                                                       | Vector- or key reuse-based
ID protection   | TMSI (limited)                                                     | GUTI (limited)
Key material    | CK, IK (VLR, HLR/AuC)                                              | KeNB (eNodeB), KASME (MME), CK and IK (HSS)
Confidentiality | Only at the AS                                                     | AS and NAS (signaling only)
Integrity       | Only at the AS                                                     | AS and NAS
Support         | (1) Call origin./termin. (2) Location update                       | (1) Call origin./termin. (2) Multimedia service (3) Various location update
- 6 -
Various authentication request types
i.e., call origination/termination, multimedia service, X2/S1 handover and Inter RAT handover
Various random processes rather than Poisson assumption
One ADR request repeated every K UAR/CTR requests
Signaling cost for every repeated authentication cycle
- 7 -
R(t): total reward earned by t
N(t): the counting process of renewal process X
E[R]: expected reward (cost)
E[X]: expected length of renewal process X
$$R(t)=\sum_{n=1}^{N(t)}R_n,\qquad
\lim_{t\to\infty}\frac{R(t)}{t}
=\lim_{t\to\infty}\frac{R(t)}{N(t)}\cdot\frac{N(t)}{t}
=\frac{E[R]}{E[X]}$$
- 8 -
t_{x,y}: the y-th UAR (one vector consumed) within the x-th ADR cycle
Y_i: duration of each authentication event
[t_{n,K}, t_{n+1,K}]: the renewal interval, whose expected value is E[X]
• Recursive and reproductive process
• Renewal epoch: t_{n,K}
Renewal process
- 9 -
f(Y): probability density function of renewal length Y
Bernoulli distribution with pi for each authentication trigger Xi
Xi: i-th authentication trigger
• call origination/termination, multimedia service, X2/S1 handover and Inter RAT handover
• M: number of authentication triggers (= 5)
C_i: the total signaling cost of completing X_i
K: the number of authentication vectors fetched per ADR
$$f(Y)=\sum_{i=1}^{M}p_i\,f(X_i),\qquad\text{where }\sum_{i=1}^{M}p_i=1$$
$$E[R]=C_0+(K-1)\sum_{i=1}^{M}E[Y_i]\,C_i
=C_0+\sum_{j=1}^{K-1}\sum_{i=1}^{M}p_i\,\big(E[X_{ij}]\,C_i\big)$$
- 10 -
C(K): normalized expected signaling cost
pε: exceptional authentication trigger
$p_{\varepsilon,k}=p_\varepsilon\,(1-p_\varepsilon)^{k}$ (geometric in k, the number of regular authentications completed before the exception)
e.g., power-off, S1 handover to a different domain, and non-3GPP access
D: SIP signaling load and processing time for generating the authentication vectors
$$C(K)=\frac{E[R]}{E[N]}
=\frac{C_0+\sum_{k=1}^{K}p_{\varepsilon,k}\Big[(K-1)\sum_{i=1}^{M}p_i\,E[X_{ik}]\,C_i+C_\varepsilon\Big]}
{K\int_0^{\infty}Y\,f(Y)\,dY+E[D]}$$
- 11 -
Without multiple authentication vectors
Key revocation: KASME is revoked either when it is compromised or when its lifetime reaches T
T(x) / t(x): the CDF / PDF of the lifetime of KASME
C_{-1}: rekeying cost for all EPS network entities when KASME is compromised
$$E[N]=\int_0^{\infty}E[Y\mid X=x]\,dT(x)
=\int_0^{T}x\,t(x)\,dx+T\int_T^{\infty}t(x)\,dx$$
$$E[R]=(C_{-1}+C_i)\int_0^{T}t(x)\,dx+C_i\int_T^{\infty}t(x)\,dx$$
$$C(t)=\sum_{i=1}^{M}p_i\,\frac{E[R]}{E[N]}$$
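Worked case, added here and not on the slide: assume the KASME lifetime is exponentially distributed with compromise rate μ, i.e. t(x) = μ e^{−μx} (an assumption, chosen because it makes both integrals closed-form). Carrying the E[N] and E[R] expressions of this slide through:

$$E[N]=\int_0^{T}x\,\mu e^{-\mu x}\,dx+T\int_T^{\infty}\mu e^{-\mu x}\,dx
=\Big[\frac{1-e^{-\mu T}}{\mu}-T e^{-\mu T}\Big]+T e^{-\mu T}
=\frac{1-e^{-\mu T}}{\mu}$$

$$E[R]=(C_{-1}+C_i)\,(1-e^{-\mu T})+C_i\,e^{-\mu T}
=C_i+C_{-1}\,(1-e^{-\mu T})$$

$$C(t)=\sum_{i=1}^{M}p_i\,\frac{E[R]}{E[N]}
=\mu\,C_{-1}+\frac{\mu\sum_{i=1}^{M}p_i\,C_i}{1-e^{-\mu T}}$$

Under this assumption the rekeying term μ C_{-1} does not depend on T at all (a memoryless compromise process is not slowed down by expiring keys), while the authentication term grows without bound as T → 0 and falls to μ Σ p_i C_i as T → ∞. Shortening the key lifetime therefore only adds authentication load in this model; a lifetime T pays off only when the compromise rate itself increases with key age, i.e. when t(x) is not exponential.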
- 12 -
Cost   | Authentication event               | Asymptotic signaling cost
-------|------------------------------------|---------------------------
C0     | Authentication vector fetch to HSS | 2α+2β+4γ+K·C_SHA-1
C1     | Call origination                   | 4α+9β
       | Call termination                   | 2α+5β
C2     | Multimedia request                 | 4α+4β+4γ
C3     | X2 handover                        | 4α+10β+3γ
C4     | S1 handover                        | 6α+14β+21γ
C5     | Inter RAT handover                 | 2α+7β+13γ
C_TAU  | Tracking area update (TAU)         | 4α+6β+3γ
C-1    | Revocation / rekeying              | C0+2α+2β+2γ
α: RTT between UE and eNodeB
β: RTT within the EPC core
γ: RTT across the serving domain
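Added worked example (my code, not the authors' and not from the slides): the normalized cost C(K) = E[R]/E[N] of the renewal-reward model from the preceding slides, evaluated numerically with the per-event costs of this cost table, to locate the K that minimizes it and to show how an exceptional trigger p_ε pulls the optimum down. The RTT weights α, β, γ, the trigger probabilities p_i, the mean inter-arrival times E[X_i], the per-vector HSS cost C_SHA-1, C_ε and E[D] are constructed values. The cycle model (after any authentication an exceptional trigger ends the cycle with probability p_ε and the remaining vectors are wasted) is my own formulation of the slide's p_ε mechanism, not the slide's exact expression; the call-termination variant of C1 is not used.

```python
"""Renewal-reward cost model for vector-based EPC-AKA (added example).

One renewal cycle = one ADR fetch of K authentication vectors, followed by
authentications that each consume one vector. After every authentication an
exceptional trigger (power-off, domain change, non-3GPP access) ends the cycle
with probability p_eps, so the vectors left unused are wasted. The long-run
signaling cost per unit time is E[cycle cost] / E[cycle length] by the
renewal reward theorem. All numeric parameters below are constructed.
"""

# Constructed RTT weights (arbitrary units): UE<->eNodeB, inside the EPC core,
# across the serving domain.
ALPHA, BETA, GAMMA = 1.0, 2.0, 4.0
C_SHA1 = 10.0   # constructed: per-vector generation cost at the HSS (C_SHA-1)
C_EPS = 10.0    # constructed: cost of handling one exceptional trigger
D = 2.0         # constructed: E[D], vector generation / SIP setup delay


def fetch_cost(k_vectors):
    """C0 from the cost table: one ADR fetching K vectors, 2a+2b+4g+K*C_SHA-1."""
    return 2 * ALPHA + 2 * BETA + 4 * GAMMA + k_vectors * C_SHA1


# Authentication triggers X1..X5 with their completion costs C1..C5 taken from
# the cost table; p_i and E[X_i] (mean inter-arrival time, seconds) are constructed.
TRIGGERS = [
    # (name,               C_i,                              p_i,  E[X_i])
    ("call origination",   4 * ALPHA + 9 * BETA,             0.4,  60.0),
    ("multimedia request", 4 * ALPHA + 4 * BETA + 4 * GAMMA, 0.2,  30.0),
    ("X2 handover",        4 * ALPHA + 10 * BETA + 3 * GAMMA, 0.2, 20.0),
    ("S1 handover",        6 * ALPHA + 14 * BETA + 21 * GAMMA, 0.1, 45.0),
    ("inter-RAT handover", 2 * ALPHA + 7 * BETA + 13 * GAMMA, 0.1, 90.0),
]


def cycle_outcomes(k_vectors, p_eps):
    """Enumerate the possible outcomes of one renewal cycle.

    Yields (probability, cost, duration) for: the exception striking after the
    1st, 2nd, ..., K-th authentication, and the cycle running through all K
    vectors without an exception. The probabilities sum to 1.
    """
    assert abs(sum(p for _, _, p, _ in TRIGGERS) - 1.0) < 1e-9
    mean_cost = sum(c * p for _, c, p, _ in TRIGGERS)   # sum_i p_i C_i
    mean_gap = sum(x * p for _, _, p, x in TRIGGERS)    # E[Y] = sum_i p_i E[X_i]
    stay = 1.0 - p_eps
    c0 = fetch_cost(k_vectors)
    for used in range(1, k_vectors + 1):
        prob = stay ** (used - 1) * p_eps          # exception right after vector `used`
        yield prob, c0 + used * mean_cost + C_EPS, used * mean_gap + D
    prob = stay ** k_vectors                       # all K vectors consumed normally
    yield prob, c0 + k_vectors * mean_cost, k_vectors * mean_gap + D


def normalized_cost(k_vectors, p_eps):
    """C(K) = E[R] / E[N]: expected cycle cost over expected cycle length."""
    e_r = sum(p * c for p, c, _ in cycle_outcomes(k_vectors, p_eps))
    e_n = sum(p * n for p, _, n in cycle_outcomes(k_vectors, p_eps))
    return e_r / e_n


def optimal_k(p_eps, k_max=30):
    """Number of vectors per ADR that minimizes C(K) over 1..k_max."""
    return min(range(1, k_max + 1), key=lambda k: normalized_cost(k, p_eps))


if __name__ == "__main__":
    for p_eps in (0.0, 0.02, 0.2):
        k = optimal_k(p_eps)
        print(f"p_eps={p_eps:<5} optimal K={k:2d}  C(K)={normalized_cost(k, p_eps):.4f}")
```

With p_ε = 0 the cost rate only falls as K grows (the fetch is amortized over more authentications), so the optimum sits at the search bound; with p_ε = 0.02 the optimum moves to a small interior K, and with p_ε = 0.2 down to K = 4, because the expected number of vectors actually consumed saturates near 1/p_ε while the fetch cost keeps growing with K. That is the mechanism behind the slide's observation that a high p_ε makes fetching many vectors pointless.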
- 13 -
λ_i: arrival rate of trigger X_i; inter-arrival times are exponentially distributed for all authentication triggers
Two C4 values used: 6α+14β and 4α+14β+21γ
[Figure: total signaling cost C(K) versus the number of authentication vectors K (K = 0..18, C(K) = 0..200) for five parameter cases]
Case 1: λ=2, setup delay=2
Case 2: λ=5, setup delay=5
Case 3: λ=5, setup delay=10
Case 4: λ=5, ,1=10
Case 5: λ=5, ,4=10
• Arrival rate (λ_i): increases the cost (Case 1 vs. Case 2)
• Setup delay: insignificant (Case 2 vs. Case 3)
• Signaling cost of X4: the greater effect on the signaling cost (Case 4 vs. Case 5)
- 14 -
p_i: the probability of each authentication trigger X_i
v: the distribution pattern of p_i (variance)
[Figure: total signaling cost C(K) versus the number of authentication vectors K (K = 0..10, C(K) = 0..200) for three values of v]
v=0 (optimal K=2.81)
v=0.22 (optimal K=3.95)
v=0.13 (optimal K=3.61)
• Lower variation of p_i decreases the optimal K and minimizes C(K)
• A propensity toward a certain event (e.g., teenagers, business users) agitates the system less
- 15 -
p_ε: probability of the exceptional authentication trigger
e.g., power-off, S1 handover to a different domain, and non-3GPP access
[Figure: total signaling cost C(K) versus the number of authentication vectors K (K = 0..10, C(K) = 0..700) for three values of p_ε]
p_ε=0.1 (optimal K=0.79)
p_ε=0.01 (optimal K=2.81)
p_ε=0.001 (optimal K=10.20)
• Higher p_ε increases the total signaling cost and decreases the optimal K
• Optimal K < 1 at p_ε = 0.1: vector-based EPC-AKA is meaningless there, since fetching several vectors per ADR no longer pays off
- 16 -
[Figure: total signaling cost Cost(K) versus the number of authentication vectors K (K = 0..18, Cost(K) = 15..60) for three combinations of inter-arrival distributions; the three curves have optimal K = 3.75, 7.17 and 3.67]
X2: exponential, X3: Rayleigh, X4: cumulative Rayleigh, X5: exponential
X2: exponential, X3: exponential, X4: hypoexponential, X5: 3-stage Erlang
X2: Pareto, X3: exponential, X4: hypoexponential, X5: 3-stage Erlang
• Rayleigh distribution: a two-dimensional vector model, suitable for handover (the subscriber's velocity and the cell coverage of the eNodeB)
[Figure: total signaling cost Cost(K) versus the number of authentication vectors K (K = 0..18, Cost(K) = 20..220)]
Baseline (optimal K=10.20)
Pareto (multimedia) (optimal K=9.35)
Erlang (initialization) (optimal K=7.96)
• Pareto distribution: suitable for multimedia services
• The baseline without Pareto suffers from underestimation of the cost
- 17 -
An introduction of security in 3GPP LTE/SAE
Authentication procedures
Type of handovers
Mathematical framework for analyzing authentication signaling load
Numerical results: the effects of various random processes, the arrival rate, the exceptional case, etc.
Our results establish the need to study mobility management, security policy, and various random arrival processes together
- 18 -
For more information:
http://hit.skku.edu/~hedwig/