Privacy-Enhancing Security Protocol in LTE Initial Attack

Abstract

Long-Term Evolution (LTE) is a fourth-generation mobile communication technology implemented throughout the world. It is the communication means of smartphones that send and receive all of the private date of individuals. M2M, IOT, etc., are the base technologies of mobile communication that will be used in the future cyber world. However, identification parameters, such as International Mobile Subscriber Identity (IMSI), Radio Network Temporary Identities (RNTI), etc., in the initial attach section for accessing the LTE network are presented with the vulnerability of being exposed as clear text. Such vulnerability does not end in a mere identification parameter, but can lead to a secondary attack using the identification parameter, such as replication of the smartphone, illegal use of the mobile communication network, etc. This paper proposes a security protocol to safely transmit identification parameters in different cases of the initial attach. The proposed security protocol solves the exposed vulnerability by encrypting the parameters in transmission. Using an OPNET simulator, it is shown that the average rate of delay and processing ratio are efficient in comparison to the existing process.

1. Introduction

LTE is an abbreviation for Long-Term Evolution, which is a fourth generation mobile communication technology. LTE is designed for high-speed transmission, reduced cost per bit, low transmission delay and applicability to existing frequency bands. It is currently implemented worldwide.

LTE technology is not only used as the base technology of smartphones, which store, send and receive the sensitive personal information of individuals [1,2], but as the base technology of mobile communication technology to be used in the future cyber world, such as M2M, IOT [3,4], etc., and as the research base technology of the fifth generation mobile communication technology to be used in the future cyber world [5].

However in the current LTE technology, vulnerability of the identification parameter values of UE (user equipment) exists, being exposed as clear text in the initial attach process [6–9]. The vulnerability has existed since the initial release of the LTE standards and is still present in Release 12. In the LTE technical documentation, according to the “Technical Specification Group Services and System Aspects; Rationale and track of security decisions in Long-Term Evolved (LTE) RAN/3GPP System Architecture Evolution (SAE) (Release 9)”, there is a vulnerability during the initial attach process in the access to the LTE network, in which the UE identifying parameters are transmitted in plain text. Problems, such as tracing and privacy infringement, could occur.

This paper proposes a plan for safely transmitting identification parameters by classifying the initial attach processes into two tasks, initial attach with the International Mobile Subscriber Identity (IMSI) and initial attach with the Global Unique Temporary Identifier (GUTI).

The proposed paper consists of six sections. Section 2 analyzes the structure of the LTE, initial attach process, security process and threats. Section 3 proposes a security protocol by classifying the initial attach process into multiple cases in order to safely transmit identification parameters. Section 4 carries out a security analysis of the proposed protocol, and Section 5 compares and evaluates the performances between the proposed process with a security protocol and the existing process. Section 6 concludes the discussion.

Please see

Table 1. The terms and symbols used in the proposed security protocol.

UE	User Equipment
eNB	evolved Node B
MME	mobility management entity
HSS	home subscriber server
IMSI	International Mobile Subscriber Identity
RNTI	Radio Network Temporary Identity
GUTI	Global Unique Temporary Identifier
PLMN ID	Public Land Mobile Network ID (MCC + MNC)
MCC	Mobile Country Code
MNC	Mobile Network Code
RN	random number
h()	hash function
F	4n bit string by f()
C	challenge bits

for definitions and terms used in this paper.

2. LTE

2.1. LTE Network Structure

The LTE network consists of LTE entities dealing with wireless access network technology and EPC entities dealing with core network technology. Its structure is shown in Figure 1.

Of the LTE entities, UE accesses the evolved Node B (eNB) through the LTE-Uu Uu wireless interface. eNB, serving as the base station, provides the user with a wireless interface and provides wireless remote resource management (RRM) features, such as radio bearer control, wireless admission control, dynamic wireless resource allocation, load balancing and inter cell interference control (ICIC) [10].

EPC entities consist of the mobility management entity (MME), S-GW, P-G and home subscriber server (HSS). MME is an E-UTRAN control plane entity, communicating with HSS for user authentication and user profile download, and through NAS signaling, it provides the user terminal with EPS rambling management (EMM) and EPS session management (ESM) features. S-GW is the termination point between E-UTRAN and EPC and the anchoring point in the handover with eNB and the handover with the 3GPP system. P-GW connects UE to an external PDN network and provides packet filtering. In addition, P-GW allocates an IP address to the user terminal and serves as the mobile anchoring point in the handover between 3GPP and non-3GPP. Lastly, HSS manages the users’ personal profiles [8,10–14].

The IMS/Internet domain is the domain commonly calling external Internet services.

2.2. LTE Initial Attach for UE

The “initial attach for UE” process is a case of the first access to the network by the user subscribing to the LTE network using UE [15–17]. LTE Initial attach process is shown in Figure 2.

The “initial state after radio link synchronization” process is one in which UE selects eNB and synchronizes a wireless link. The “ECM connection establishment” process is a NAS layer, that is a process of transmitting IMSI to request MME for net access. Through the relevant process, the RRC connection and S1 signaling connection are established.

The “authentication” process is a mutual authentication procedure between UE and MME using EPS-AKA, and the “NAS security setup” process is a key setting process to safely transmit NAS messages between UE and MME [18,19].

The “location update” process is the one that receives personal profile information from HSS after registering the location, and the “EPS session establishment” process is the one that allocates network resources, so that the users can be provided with the services [20,21].

2.3. LTE Security

After the “ECM connection establishment” process between UE and eNB, the UE starts mutual authentication by transmitting IMSI to MME. Centering around the LTE security layer, the LTE network carries out mutual authentication based on EPS-AKA. The LTE security is divided broadly into three processes: UE-HSS mutual authentication process, UE-MME NAS security setup process and UE-eNB AS security setup process [6,7,9,14,22–24]. LTE security process is shown in Figure 3.

2.4. LTE Threats

IMSI refers to the unique ID requested from each user when the net administrator registers the user to the service, and this value refers to the unique number of identifications saved in the USIM in the user device [14].

Yet, when “initial attach for UE” is carried out, in the “ECM connection establishment” process, the UE transmits IMSI to MME in plain text. The IMSI transmitted in plain text is transmitted to MME through a number of eNB, which has a vulnerability in which it is leaking to an attacker through malicious eNB. In addition, for a user tracking an attack using the leaked IMSI, a device tracking attack and a privacy abuse attack may take place.

RNTI, the unique ID to differentiate UE from eNB, and GUTI, used instead of IMSI after a series of the process, also, are transmitted in a variety of initial attach processes in plain text, so that the same vulnerability and the threat of attack of IMSI may occur [6,7,9,25].

An attack that could allow an attacker to use the stolen identification parameter is shown in Figure 4. UE constantly transmits location information to the eNB and MME; an attacker can track the user using a leaked IMSI. Furthermore, the attacker can make a DoS attack using a leaked IMSI and GUTI, which is used for requesting RNTI [26,27]. LTE threat model and its process are shown in Figure 4.

3. Proposed Security Protocol for Initial Attach in LTE

The proposed security protocol was designed to protect unique information about identification, such as IMSI and RNTI transmitted in plain text when the UE attempts an initial attach to the network. It consists of four types by the initial connection of the UE, and the terms and symbols used in the proposed security protocol are shown in Table 1.

3.1. Initial Attach with IMSI

The first protocol is shown in Figure 5 and is carried out after the “initial state after radio link synchronization” process in the initial attach with the IMSI case. It was designed to protect IMSI leaked from the “ECM connection establishment” process in plain text and RNTI leaked from the “EPS session establishment” process in plain text.

After the “initial state after radio link synchronization” process, UE and MME start an “ECM Connection” process. The UE transmits a generated random number and the “UE network capability” to MME for the attach request. MME receiving the attach request MME generates a random number and transmits it to the UE, and the UE and the MME carry out a series of arithmetic operations to safely transmit IMSI.

The UE and the MME enter the transmitted and received random numbers and the Public Land Mobile Network ID (PLMN ID) into the f() function, secretly shared according to Mobile Network Code (MNC), and generate an F string with 4n bits. The generated F string is divided into four numerical progressions with n bits each. After this process, the MME generates a random number progression used as challenge bits, the UE the second random number, and through lrnumerical progression and exclusive OR arithmetic operation, it generates $R{N^{\prime }}_{UE\_2}$.

$$\mathrm{f}()=\text{hash}(\text{Expansion P-Box}(\text{hash}(\text{S-Box}({\mathrm{RN}}_{UE\_1}),\text{S-Box}({\mathrm{RN}}_{MME\_1}),\text{PLMN ID})))$$

The MME generates challenge bits C_i using lr_i, ad_i and c_i. If lr_i is zero, C_i = c_i∥ad_i and if lr_i is one, C_i = ad_i∥c_i. The MME transmits C_i to UE to verify it through the response value, and the UE verifies the MME through C_i.

The UE is aware of lr, so it can differentiate C_i transmitted by the MME into C_i = c_i∥ad_i and C_i = ad_i∥c_i. The UE generates ${\mathrm{R}}_i={\mathrm{R}{\mathrm{N}}^{\prime }}_{UE\_2i}\parallel {\mathrm{r}}_i^0$ or ${\mathrm{R}}_i={\mathrm{R}{\mathrm{N}}^{\prime }}_{UE\_2i}\parallel {\mathrm{r}}_i^1$ if lr_i is zero and ${\mathrm{R}}_i={\mathrm{r}}_i^0\parallel {R{N}^{\prime }}_{UE\_2i}$ or ${\mathrm{R}}_i={\mathrm{r}}_i^1\parallel {\mathrm{R}{\mathrm{N}}^{\prime }}_{UE\_2i}$ if lr_i is one. At this time ${\mathrm{r}}_i^0$ and ${\mathrm{r}}_i^1$ transmits ${\mathrm{r}}_i^0$ if c_i transmitted by the MME is zero and ${\mathrm{r}}_i^1$ if c_i is one. At this time, the MME receives the transmission of ${\mathrm{RN}}_{UE\_2}$ of the UE and saves it.

For ad_i transmitted by the MME (ad_i ≠ ad_i), the UE detects an error and transmits the response value as a random value. The MME, too, halts the attach process if an error is detected through ${\mathrm{r}}_i^0\ne {\mathrm{r}}_i^0$ and ${\mathrm{r}}_i^1\ne {\mathrm{r}}_i^1$.

After the challenge-response process, the UE uses unused ${\mathrm{r}}_i^0$ and ${\mathrm{r}}_i^1$ concatenated value as a key to encrypt IMSI to transfer it to the MME. The MME generates a key through the same process as that of the UE and then decrypts the transmitted cypher text to get the IMSI.

3.2. Initial Attach with GUTI

After the IMSI is safely transmitted, UE, eNB, MME and HSS carry out up to the “AS security setup” process during the “ECM connection establishment”, “authentication”, “NAS security setup”, “location update” and “EPS session establishment” processes.

After the “AS security setup”, the eNB encrypts RNTI to MME using the secret key of the “AS security setup” to allocate the RNTI to the UE. The MME encrypts the transmitted RNTI to RN_{UE_2} saved in the “ECM connection establishment” process to transmit to the eNB, and the eNB allocates the RNTI by transmitting the relevant value to the UE.

Initial attach with GUTI is the initial attach process of the case in which the UE that successfully performed an initial attach with the IMSI process re-accesses, due to a series of events. f() functions that are used in Section 3.2, are as the following formula.

$$\mathrm{f}()=\text{hash}(\text{Expansion P-Box}(\text{hash}(\text{S-Box}({\mathrm{RN}}_{UE\_1}),\text{S-Box}({\mathrm{RN}}_{MME\_1}),\text{NAS seq}.\text{no}.)))$$

3.2.1. Case 1: MME Unchanged

The first case is that the connected MME in an initial connection with the UE is not changed, and the UE re-accesses through the same MME. Security protocol for the first case is shown in Figure 6.

In a re-access, the initial attach process carries out authentication using GUTI to protect the IMSI. The process of transmitting the GUTI is the same as the Section 3.1. IMSI transmission process, and the initial attach process is carried out using existing information saved in the MME according to information, such as GUTI, NAS-MAC and NAS Seq. No. Since a series of information about the UE has already been saved in the MME, no “authentication”, “NAS security setup” or “location update” process is carried out, but the “EPS session establishment” process only is carried out.

3.2.2. Case 2: MME Changed

The second case is that the MME is changed, but the old MME saves the information about the UE, so it transmits the information about the UE to the new MME. UE transmits the old MME’s information to encrypt GUTI, so the new MME is transmitted the encryption key from the old MME using the challenge response method. Security protocol for the second case is shown in Figure 7.

3.2.3. Case 3: MME Changed and IMSI Needed

The third case is that the MME connected during the initial connection has been changed to a new MME, and there is no information about the UE in the MME connected during the initial connection.

In a re-access, the initial attach process carries out authentication using GUTI to protect the IMSI. The process of transmitting the GUTI is the same as the Section 3.1. IMSI transmission process.

When the MME is changed, the new MME requests the old MME for the information about the UE according to the information, such as GUTI, NAS-MAC and NAS Seq. No. At this time, if there is no information about the relevant UE in the old MME, the new MME requests the UE for the IMSI.

In this process, to safely transmit the IMSI, this proposed protocol transmits the GUTI, encrypts IMSI and transmits it using the generated series of values. For the encryption, the UE hashes KGUTI and RN_{UE_2} (RN, random number) to generate a key and encrypts the IMSI using the generated key, KIMSI, to transmit to the MME. After the transmission of the IMSI, the “authentication”, “NAS security setup”, “location update” and “EPS session establishment” processes are carried out. Security protocol for the third case is shown in Figure 8.

4. Security Analysis

The initial attach for UE process specified in the LTE Standards Release 12 transmits the parameters to identify the UE in plain text, and the proposed security protocol encrypts and safely transmits the relevant identification parameters. Security comparative analysis table is shown in

Table 2. Security comparative analysis.

Identify Parameter	Original Initial Attach	Proposed Initial Attach
IMSI	Plain Text Transmission	Cipher Text Transmission
RNTI	Plain Text Transmission	Cipher Text Transmission
GTUI	Plain Text Transmission	Cipher Text Transmission

.

4.1. Key Definition, Encryption and Decryption

The proposed security protocols generate a key value used to encrypt identification parameters through the challenge-response process. The key used to encrypt IMSI and GUTI is defined as the value not used in the challenge-response process during the numerical progression generated through the f() function of the secret sharing between the UE and the MME. The relevant key value is defined only in the UE and MME, but not transmitted through the communication process to the outside. Therefore, an attacker can find the identification parameters only through the attack on the encryption algorithm, like AES-256, to know the encrypted IMSI and GUTI.

The key value encrypting the RNTI is transmitted through the challenge-response process, but the location of the bit continues to change for the transmission. Even if an attacker collects the bit string through an attack, like tapping, the probability of finding the key value with a total of n bits is (1/4)ⁿ.

4.2. Error Detection and Verification

In the proposed security protocols, since the challenge-response and encryption are carried out through the f() function of the secret sharing between the UE and the MME and the key definition method, the UE and MME can verify if the other is a legitimate entity. In addition, in the challenge-response process, the UE can detect errors through ad_i ≠ ad_i, and the MME can detect errors through ${\mathrm{r}}_i^0\ne {\mathrm{r}}_i^0$ and ${\mathrm{r}}_i^1\ne {\mathrm{r}}_i^1$.

4.3. Reliability

In order to secure the credibility of new MME, communication is only made possible when the UE, old MME and new MME have cross-authenticated each other. In this process, as the challenge-response method supports error detection, even a 1-bit mis-transmission will put a stop to the communication. Additionally, since IMSI is transmitted in the new MME using the values mutually shared by the UE and old MME during the past communication, the credibility of the new MME can be secured. In essence, since the UE constantly alters the MME, during which the key maintains continuity, like a hash-chain, safety against IMSI takeover through fake MME can be enhanced.

5. Performance Analysis

The performance analysis environment is shown

Table 3. Performance analysis environment.

Element	Values	Description
Cell	1	–
Number of UE	1, 50, 100	–
Test time	9000 s	Initial data (0–150 s) not reflected
Initial Attach Attempt Cycle	150 s	The UE service uses the initial attempt only
Portability Model	Deactivation	–

and original process’s performance analysis is shown in

Table 4. Performance analysis: original process.

Device	Original Initial Attach
	Time(s)	Delay(s)	Traffic Received (bits/s)
1	–	0.004600	1.214
50	–	0.007210	1.233
100	–	0.010302	1.033

. It was carried out on the LTE network components, UE, eNB and MME.

All three initial attach processes include an initial attach with the IMSI process. The arithmetic operation of the encryption algorithm is carried out between the UE and the MME, and the eNB is used for passing through the communication process, so based on the initial attach with IMSI between the UE and the MME node, the average of overhead (time (s)), average delay (s) and average transmission rate (traffic received (bits/s)), the arithmetic operation of the encryption algorithm was measured and compared. In addition, for a performance analysis when the number of terminal users in the base station increases, the terminals were analyzed based on units of 1, 50 and 100 machine(s).

Since the existing initial attach does not perform encryption, time (s) was excluded. It was found that the delay according to the encryption process in the proposed algorithm decreased a little (somewhat), and since there was no packet switching other than the initial access process, it did not have an impact on the transmission rate. Performance analysis for proposed process is shown in

Table 5. Performance analysis: proposed process.

Device	Proposed Initial Attach
	Time(s)	Delay(s)	Traffic Received (bits/s)
1	0.0110	0.007615	1.156
50	0.0103	0.010510	1.301
100	0.0109	0.014006	1.100

and Summary of performance analysis is shown in

Table 6. Summary of performance analysis.

Device	Summary (Based on VoIP 100%)
	Time(s)	Delay(s)	Traffic Received (bits/s)
1	36%	39%	1%
50	34%	31%	0.9%
100	36%	26%	0.9%
Total Average	35.3%	32.0%	0.93%

.

The maximum permissible delay in the LTE access network, based on the QCI defined in 3GPP TS 23.203, is 100 ms (0.1 s) for FTP and web browsing, 50 ms (0.05 s) for video streaming and 30 ms (0.03 s) for VoIP. Based on VoIP with the lowest delay (0.03 s, 100%), the overhead and delay turned out to be 35.3% and 32.0%, respectively, for the arithmetic operation of encryption, so it was found that the initial attach of the proposed algorithm had less overhead. Since the transmission rate dealt with the initial entry process only prior to the security setup, it turned out to have no impact.

6. Conclusions

In this paper, a security protocol was proposed in order to solve the vulnerability of the unique identification value being transmitted as clear text, which is constantly being pointed out in LTE standards and related technical documents, and to be used as a basic study of mobile communication technology to be used in the future cyber world.

The proposed security protocol was designed to safely transmit IMSI, RNTI and GUTI in a variety of initial attach processes when the UE accesses the LTE network. The proposed security protocol generated a key through the challenge-response method to encrypt and transmit the unique ID and support error detection and verification. As a result of a performance analysis, the security protocol encrypted and safely transmitted vulnerability parameters and turned out to have a performance of an average of 32.0% based on VoIP 100%, demanding a lower rate of delay, so that the safety and performance of the proposed encryption algorithm were found to be efficient.

After all of the analyses, the proposed security protocols had less overhead and fully satisfied the privacy requirements and the maximum permissible delay defined in LTE standards.