Location Privacy for Cellular Systems; Analysis and Solution - PowerPoint PPT Presentation

1 / 22

About This Presentation

Title:

Location Privacy for Cellular Systems; Analysis and Solution

Description:

The Mobile Station (MS) w/radio access. A tamper resistant security module (smartcard etc) ... Created online over protected channel (SN and HS believes in s) ... – PowerPoint PPT presentation

Number of Views:48

Avg rating:3.0/5.0

Slides: 23

Provided by: geir4

Category:

more less

Transcript and Presenter's Notes

Title: Location Privacy for Cellular Systems; Analysis and Solution

1
Location Privacy for Cellular Systems Analysis
and Solution

Geir M. Køien
Telenor RD (Norway) and Agder University College
(Norway)
and
Vladimir A. Oleshchuk
Agder University College (Norway)

2
Background and Motivation

The Principals
User Entity (UE)
The Mobile Station (MS) w/radio access
A tamper resistant security module (smartcard
etc)
Serving Network (SN)
Core Network nodes
Gateways etc
Network Access Servers
Access Network
Radio network controllers
Access Points (AP)
Home Server (HS)
Home Location Register
Authentication Center etc

3
Background and Motivation

The 2G/3G Solutions
3G Access Security
The UMTS Authentication and Key Agreement (AKA)
protocol
Off-line delegated protocol
Home network distributes complete session
credentials to serving network..
Which executes the network initiated mutual
entity authentication (USIM and Network)
Authentication based on knowledge of pre-shared
secret (only at USIM and HLR/AuC)
Challenge-Response with signed challenge to
allow a one-pass scheme
Location/Identity Privacy
Permanent identity (IMSI) only used in clear
when necessary
After initial identity presentation with IMSI in
clear
the AKA protocol is executed
then encryption/integrity protection started
then the Serving Network assigns a temporary
identity (TMSI)
Subsequent identity presentation with TMSI (in
clear)

4
Background and Motivation

Mobility Management
Cellular Control Model
Users subscribe to services at mobile operator
(home environment/operator)
Infrastructure in control of a central authority
(the serving network operator)
Operative control is at Serving Network, while
administrative (incl. charging) control at Home
Handovers under network control (performance/QoS
reasons)
2G/3G Mobility Management
Location Registration (incl. loc. updating)
No existing UE-SN relationship ? IMSI transferred
in clear on common channel
Call to Mobile Station
Paging (call announcement) is in cleartext on
broadcast channel (IMSI or TMSI)
Call from Mobile Station
Access in cleartext over common channel until
identity is presented (IMSI or TMSI)
Handover (HO)

5
UMTS Authentication and Key Agreement

3G Security and Privacy
Principals USIM, SN and HE
Mutual off-line (delegated) challenge-response,
executed between SN and USIM
Confidentiality on all user/control plane data
and integrity on control plane data
Limited privacy (IMSI presented in clear, but
protected TMSI used when possible)

6
Background and Motivation

Privacy Issues and Location Issues
3GPP Privacy Requirements
User Identity Confidentiality
The property that the identity cannot be
eavesdropped over the radio access link
User Location Confidentiality
Presence/arrival of a user cannot be detected by
eavesdropping on the radio link
User untraceability
Protection against tracking of users
Location Issues
The Serving Network (SN) will necessarily know
where the subscriber is
During active calls/session through radio derived
methods (this is a E112/E911 req.)
During idle time through the registration (tied
to a location area)
The Home Server network will only know which SN
the UE is attached to
The UE must depend on infrastructure support to
determine location
Satellite (GPS), possibly with SN support
(kick-start measurements and timing)
Location can also be provided by SN (commercial
service)

7
Background and Motivation

Control and Trust Issues
Trust Relationships
UE HS
UE is a subscriber with the HS. HS has security
jurisdiction over UE. With current subscription
models the relationships is relatively long (even
for pre-paid).
SN HS
Mutual relationship based on legally binding
roaming agreements. Both parties wants to limit
the trust needed to maintain the relationship.
UE SN
No a priori relationship. Relationship created
on-the-fly with the HS as the mediator.
Control Issues
Home Control
Large no.of serving network operators
For commercial reasons the operators sign even
with bad operators
Particularly problematic in the delegated
off-line model in current cellular systems
Remedy On-line authentication (Home
Subscriber)
Remedy Spatial home control may be needed for
large pan-national
serving networks

8
Enhanced Security and Privacy

Requirements
Performance is King (AKA requirements)
The most critical performance aspect is temporal
(real-time response)
Processing time may be significant but Moores
law is on our side
Message Propagation Delays Physical laws
Important to reduce no of round-trips to a
minimum
3-Way AKA
We have three principals that all should be
active in the security context
Security Context Hierarchy
Long-term contexts is the basis (Roaming
agreements and Subscription contacts)
Medium-term contexts needed to establish
credentials for 3-way context
Short-term session contexts needed for
over-the-air protection
Computational and Communication Balance
AKA computation should be possible on secure
device (smartcard)
Air-interface may have severe capacity
restrictions during establishment

9
Enhanced Security and Privacy

The Architectural Context
Minimizing Total Setup Execution Time
Typical 3G scenario for initial registration
UE?SN Access Request (access channels are
narrow minimal message)
SN?UE Go to control channel and identify
yourself
UE?SN Present IMSI Request to be registered
SN?HS Request credentials for IMSI
HS?SN Reply( Authentication Vector )
SN?UE Challenge( RAND,AUTN )
UE?SN Response ( RES )
Identity Presentation, Initial Registration and
AKA triggered by same event
Historic reasons that lead to sequential/serial
procedure execution
Combined procedures means fewer round-trips
Location Privacy vs. Spatial Home Control
Problematic to allow spatial home control and
provide location privacy
Spatial resolution important

10
Enhanced Security and Privacy

The Initiator-Responder Scheme
Combined Identity Presentation, AKA and Location
Registration
Location Registration is invariably triggered by
the UE
Combined procedure must therefore be trigger by
UE
The Context Reference Identity (CRID)
To provide location privacy an anonymous identity
should be used
Context Reference Identity
Pseduo-random value created by UE
Valid for exactly one medium-term 3-way security
context
HS must be allowed to learn both CRID and
permanent identity
SN shall not learn permanent identity, but will
know that HS acknowledges CRID
An additional Temporary Alias Identity (TAID)
Medium-term context valid for several sessions
TAID is (pseudo-random) session identity assigned
by SN
SN and UE knows (TAID,CRID) association

11
Enhanced Security and Privacy

Home Control
Secure Multi-party Computation (SMC)
HS defines a Validity Area (VA) were UE is
permitted to be
UE location (x,y) should not be revealed to HS
Point-Inclusion scheme allows HS to receive
privacy protected location E(x,y) and still
determine if is (x,y) inside VA.
Spatio-Temporal Binding of Medium-Term Security
Context
SN identity tied to context
HS identity tied to context
Context Reference Identity (CRID) tied to context
Area identity (large area) tied to context
Validity period tied to context

12
Privacy Preserving 3-Way AKA

Cryptographic basis
Secure Multi-party Computation (SMC)
Homomorphic crypto
Operation X on encrypted data is equivalent to
some operation Y on cleartext data
Identity-Based Encryption (IBE)
Identity string used as public-key key (for
instance bob_at_operator.net)
Alice must know system parameters before she can
encrypt with ID
Private Key Generator (PKG) creates corresponding
private key
Bob receives private key from PKG
No authentication in basic scheme
Challenge-Response
Two-way challenge-response between UE and HS
Symmetric MAC signed response (based on
long-term pre-shared secret)
Diffie-Hellman (DH) Exchange
DH used for generation of medium-term shared
secret

13
Privacy Preserving 3-Way AKA

Secure 2-Party Location Inclusion Protocol
(S2PLIP)
The S2PLIP concept
Executed between SN and HS
SN provides UE position (x,y), HS provides
polygon P
SN does not want HS to learn (x,y) and HS do not
want to disclose P
The S2PLIP protocol
0. Distribution of public-key pair from Bob (HS)
to Alice (SN). Use same E/D.
Location z (x,y) Polygon P ai,bi i
1,2,..n
HS?SN E(P)
SN?HS Please decrypt parameter ? (for some i)
HS?SN D(?)
SN?HS Vector of values e
HS Iff D(e)gt0 for all e then z is inside P
HS-SN Interface is high capasity
S2PLIP has few round-trips

14
Privacy Preserving 3-Way AKA

Outline of the PP3WAKA protocol
Always initiated by UE
UE generates CRID
IBE to provide confidentiality (UE?SN and UE?HS)
Challenge-Response (UE??HS)
DH over SN-HS interface
SMC to protect location while allowing spatial
home control

15
Privacy Preserving 3-Way AKA

Outline of the PP3WAKA protocol
1 UE prepares PP3WAKA
Prf(?) ? CRID
Generate UE?HS challenge/response data incl.
keys
HSK HSIDSNIDLONG_TERM_PERIOD (HS IBE
public key)
ID HSIDSNIDHashed_Area_CodePERIOD (SN
IBE public key)
EID(CRID) ? A
EHSK(UEID,CRID,Challenge) ? B
UE?SN (A,B,PERIOD,HSID)
2 SN prepares to contact HS
SN observes UE location (x,y) (we presume
polygon E(P) present at SN)
SN generates ?
SN generates DH value DHA
C PERIODHAC ? DHA
SN?HS B,CBKEY

16
Privacy Preserving 3-Way AKA

3 HS responds
Validity of PERIOD verified. HS constructs ID
and HSK, and generates corresponding private keys
dID and dHSK.
Decrypt B. Associate CRID-UEID. Compute response
to UE.
Generate challenge to UE. Generate UE-HS shared
key, and use it to protect data sent to UE.
EUE-HS key(Challenge, Response,DH secret s) ? D
In parallel S2PLIP continues (HS return decrypt
?))
HS?SN D,DHB,dID,CRID, ?BKEY
4 SN receives HS response and continues setup
with UE
SN, which now has dID , decrypts A to get CRID.
Continue iff (CRIDUE CRIDHS). Compute DH
secret s. Generate pseudo-random key derivation
element RNDSN.
Derive session keys KeyGens(CRID,RNDSN) ? KSN
Generate TAID protect and bind to CRID
EKsn(CRID,TAID) ? E
In parallel S2PLIP continues (SN start
computation of e-values)
SN?UE (D,RNDSN,E)

17
Privacy Preserving 3-Way AKA

5 UE responds
Decrypts D. Then verify HS response, and compute
own response to HS.
UE accepts s, and generates session keys
KeyGens(CRID,RNDSN) ? KSN
KSN is used to decrypt E. UE then gets
CRID,TAID.
Generate pseudo-random key derivation element
RNDUE.
Derive session keys KeyGens(CRID,RNDUE) ? KUE
EKue(TAID,RESHE) ? F
UE believes that SN has possession of s. With
msg-5 the UE has demonstrated possession of s to
SN. UE and SN also believe that KSN and KUE are
shared session keys.
UE?SN (RNDUE,F)
6 SN receives UE response and forward response
to HS
Derive session keys KeyGens(CRID,RNDUE) ? KUE
Decrypt F. Verify TAID. Forward RESUE.
SN now believes that s is a shared secret for
CRID. Only outstanding is a verification that HS
has authenticated CRID(and thereby UE).
S2PLIP continues (SN forwards e-values)
SN?HS CRID,RESSN,e-valuesBKEY

18
Privacy Preserving 3-Way AKA

7 HS responds to SN
HS verifies UE response. HS now considers UE to
be authenticated and CRID a valid UE identity.
It then completes spatial verification (of
e-values).
Message 7 is sent to SN to verify that HS
acknowledges CRID.
HS?SN CRID,successBKEY
8 SN receives HS acknowledge
SN now has assurance that HS acknowledges CRID.
UE has not yet verification that HS accepted its
response, but UE can continue without this
knowledge (any subsequent SN usage of the PP3WAKA
credentials will demonstrate SN belief in the
credentials).