Privacy-Enhancing Security Protocol in LTE Initial Attack

Long-Term Evolution (LTE) is a fourth-generation mobile communication technology implemented throughout the world. It is the communication means of smartphones that send and receive all of the private date of individuals. M2M, IOT, etc., are the base technologies of mobile communication that will be used in the future cyber world. However, identification parameters, such as International Mobile Subscriber Identity (IMSI), Radio Network Temporary Identities (RNTI), etc., in the initial attach section for accessing the LTE network are presented with the vulnerability of being exposed as clear text. Such vulnerability does not end in a mere identification parameter, but can lead to a secondary attack using the identification parameter, such as replication of the smartphone, illegal use of the mobile communication network, etc. This paper proposes a security protocol to safely transmit identification parameters in different cases of the initial attach. The proposed security protocol solves the exposed vulnerability by encrypting the parameters in transmission. Using an OPNET simulator, it is shown that the average rate of delay and processing ratio are efficient in comparison to the existing process.


Introduction
LTE is an abbreviation for Long-Term Evolution, which is a fourth generation mobile communication technology.LTE is designed for high-speed transmission, reduced cost per bit, low transmission delay and applicability to existing frequency bands.It is currently implemented worldwide.
LTE technology is not only used as the base technology of smartphones, which store, send and receive the sensitive personal information of individuals [1,2], but as the base technology of mobile communication technology to be used in the future cyber world, such as M2M, IOT [3,4], etc., and as the research base technology of the fifth generation mobile communication technology to be used in the future cyber world [5].
However in the current LTE technology, vulnerability of the identification parameter values of UE (user equipment) exists, being exposed as clear text in the initial attach process [6][7][8][9].The vulnerability has existed since the initial release of the LTE standards and is still present in Release 12.In the LTE technical documentation, according to the "Technical Specification Group Services and System Aspects; Rationale and track of security decisions in Long-Term Evolved (LTE) RAN/3GPP System Architecture Evolution (SAE) (Release 9)", there is a vulnerability during the initial attach process in the access to the LTE network, in which the UE identifying parameters are transmitted in plain text.Problems, such as tracing and privacy infringement, could occur.
This paper proposes a plan for safely transmitting identification parameters by classifying the initial attach processes into two tasks, initial attach with the International Mobile Subscriber Identity (IMSI) and initial attach with the Global Unique Temporary Identifier (GUTI).
The proposed paper consists of six sections.Section 2 analyzes the structure of the LTE, initial attach process, security process and threats.Section 3 proposes a security protocol by classifying the initial attach process into multiple cases in order to safely transmit identification parameters.Section 4 carries out a security analysis of the proposed protocol, and Section 5 compares and evaluates the performances between the proposed process with a security protocol and the existing process.Section 6 concludes the discussion.
Please see Table 1 for definitions and terms used in this paper.

LTE Network Structure
The LTE network consists of LTE entities dealing with wireless access network technology and EPC entities dealing with core network technology.Its structure is shown in Figure 1.
Of the LTE entities, UE accesses the evolved Node B (eNB) through the LTE-Uu Uu wireless interface.eNB, serving as the base station, provides the user with a wireless interface and provides wireless remote resource management (RRM) features, such as radio bearer control, wireless admission control, dynamic wireless resource allocation, load balancing and inter cell interference control (ICIC) [10].
EPC entities consist of the mobility management entity (MME), S-GW, P-G and home subscriber server (HSS).MME is an E-UTRAN control plane entity, communicating with HSS for user authentication and user profile download, and through NAS signaling, it provides the user terminal with EPS rambling management (EMM) and EPS session management (ESM) features.S-GW is the termination point between E-UTRAN and EPC and the anchoring point in the handover with eNB and the handover with the 3GPP system.P-GW connects UE to an external PDN network and provides packet filtering.In addition, P-GW allocates an IP address to the user terminal and serves as the mobile anchoring point in the handover between 3GPP and non-3GPP.Lastly, HSS manages the users' personal profiles [8,[10][11][12][13][14].
The IMS/Internet domain is the domain commonly calling external Internet services.

LTE Initial Attach for UE
The "initial attach for UE" process is a case of the first access to the network by the user subscribing to the LTE network using UE [15][16][17].LTE Initial attach process is shown in Figure 2. The "initial state after radio link synchronization" process is one in which UE selects eNB and synchronizes a wireless link.The "ECM connection establishment" process is a NAS layer, that is a process of transmitting IMSI to request MME for net access.Through the relevant process, the RRC connection and S1signaling connection are established.
The "authentication" process is a mutual authentication procedure between UE and MME using EPS-AKA,and the "NAS security setup" process is a key setting process to safely transmit NAS messages between UE and MME [18,19].
The "location update" process is the one that receives personal profile information from HSS after registering the location, and the "EPS session establishment" process is the one that allocates network resources, so that the users can be provided with the services [20,21].

LTE Security
After the "ECM connection establishment" process between UE and eNB, the UE starts mutual authentication by transmitting IMSI to MME.Centering around the LTE security layer, the LTE network carries out mutual authentication based on EPS-AKA.The LTE security is divided broadly into three processes: UE-HSS mutual authentication process, UE-MME NAS security setup process and UE-eNB ASsecurity setup process [6,7,9,14,[22][23][24].LTE security process is shown in Figure 3.

LTE Threats
IMSI refers to the unique ID requested from each user when the net administrator registers the user to the service, and this value refers to the unique number of identifications saved in the USIM in the user device [14].
Yet, when "initial attach for UE" is carried out, in the "ECM connection establishment" process, the UE transmits IMSI to MME in plain text.The IMSI transmitted in plain text is transmitted to MME through a number of eNB, which has a vulnerability in which it is leaking to an attacker through malicious eNB.In addition, for a user tracking an attack using the leaked IMSI, a device tracking attack and a privacy abuse attack may take place.
RNTI, the unique ID to differentiate UE from eNB, and GUTI, used instead of IMSI after a series of the process, also, are transmitted in a variety of initial attach processes in plain text, so that the same vulnerability and the threat of attack of IMSI may occur [6,7,9,25].
An attack that could allow an attacker to use the stolen identification parameter is shown in Figure 4. UE constantly transmits location information to the eNB and MME; an attacker can track the user using a leaked IMSI.Furthermore, the attacker can make a DoS attack using a leaked IMSI and GUTI, which is used for requesting RNTI [26,27].LTE threat model and its process are shown in Figure 4.

Proposed Security Protocol for Initial Attach in LTE
The proposed security protocol was designed to protect unique information about identification, such as IMSI and RNTI transmitted in plain text when the UE attempts an initial attach to the network.It consists of four types by the initial connection of the UE, and the terms and symbols used in the proposed security protocol are shown in Table 1.

Initial Attach with IMSI
The first protocol is shown in Figure 5 and is carried out after the "initial state after radio link synchronization" process in the initial attach with the IMSI case.It was designed to protect IMSI leaked from the "ECM connection establishment" process in plain text and RNTI leaked from the "EPS session establishment" process in plain text.
After the "initial state after radio link synchronization" process, UE and MME start an "ECM Connection" process.The UE transmits a generated random number and the "UE network capability" to MME for the attach request.MME receiving the attach request MME generates a random number and transmits it to the UE, and the UE and the MME carry out a series of arithmetic operations to safely transmit IMSI.
The UE and the MME enter the transmitted and received random numbers and the Public Land Mobile Network ID (PLMN ID) into the f() function, secretly shared according to Mobile Network Code (MNC), and generate an F string with 4n bits.The generated F string is divided into four numerical progressions with n bits each.After this process, the MME generates a random number progression used as challenge bits, the UE the second random number, and through lrnumerical progression and exclusive OR arithmetic operation, it generates RN U E_2 .f() = hash( Expansion P-Box( hash( S-Box(RN U E_1 ), S-Box(RN M M E_1 ), PLMN ID ) ) ) The MME generates challenge bits C i using lr i , ad i and c i .If lr i is zero, C i = c i ||ad i and if lr i is one, C i = ad i ||c i .The MME transmits C i to UE to verify it through the response value, and the UE verifies the MME through C i .
The UE is aware of lr, so it can differentiate C i transmitted by the MME into C i = c i ||ad i and if lr i is one.At this time, r 0 i and r 1 i transmits r 0 i if c i transmitted by the MME is zero and r 1 i if c i is one.At this time, the MME receives the transmission of RN U E_2 of the UE and saves it.
For ad i transmitted by the MME (ad i = ad i ), the UE detects an error and transmits the response value as a random value.The MME, too, halts the attach process if an error is detected through r 0 i = r 0 i and r 1 i = r 1 i .After the challenge-response process, the UE uses unused r 0 i and r 1 i concatenated value as a key to encrypt IMSI to transfer it to the MME.The MME generates a key through the same process as that of the UE and then decrypts the transmitted cypher text to get the IMSI.

Initial Attach with GUTI
After the IMSI is safely transmitted, UE, eNB, MME and HSS carry out up to the "AS security setup" process during the "ECM connection establishment", "authentication", "NAS security setup", "location update" and "EPS session establishment" processes.
After the "AS security setup", the eNB encrypts RNTI to MME using the secret key of the "AS security setup" to allocate the RNTI to the UE.The MME encrypts the transmitted RNTI to RN U E_2 saved in the "ECM connection establishment" process to transmit to the eNB, and the eNB allocates the RNTI by transmitting the relevant value to the UE.
Initial attach with GUTI is the initial attach process of the case in which the UE that successfully performed an initial attach with the IMSI process re-accesses, due to a series of events.f() functions that are used in Section 3.2, are as the following formula.

Case 1: MME Unchanged
The first case is that the connected MME in an initial connection with the UE is not changed, and the UE re-accesses through the same MME.Security protocol for the first case is shown in Figure 6.In a re-access, the initial attach process carries out authentication using GUTI to protect the IMSI.The process of transmitting the GUTI is the same as the Section 3.1.IMSI transmission process, and the initial attach process is carried out using existing information saved in the MME according to information, such as GUTI, NAS-MAC and NAS Seq.No. Since a series of information about the UE has already been saved in the MME, no "authentication", "NAS security setup" or "location update" process is carried out, but the "EPS session establishment" process only is carried out.

Case 2: MME Changed
The second case is that the MME is changed, but the old MME saves the information about the UE, so it transmits the information about the UE to the new MME.UE transmits the old MME's information to encrypt GUTI, so the new MME is transmitted the encryption key from the old MME using the challenge response method.Security protocol for the second case is shown in Figure 7.

Case 3: MME Changed and IMSI Needed
The third case is that the MME connected during the initial connection has been changed to a new MME, and there is no information about the UE in the MME connected during the initial connection.
In a re-access, the initial attach process carries out authentication using GUTI to protect the IMSI.The process of transmitting the GUTI is the same as the Section 3.1.IMSI transmission process.
When the MME is changed, the new MME requests the old MME for the information about the UE according to the information, such as GUTI, NAS-MAC and NAS Seq.No.At this time, if there is no information about the relevant UE in the old MME, the new MME requests the UE for the IMSI.
In this process, to safely transmit the IMSI, this proposed protocol transmits the GUTI, encrypts IMSI and transmits it using the generated series of values.For the encryption, the UE hashes KGUTIand RN U E_2 (RN, random number) to generate a key and encrypts the IMSI using the generated key, KIMSI, to transmit to the MME.After the transmission of the IMSI, the "authentication", "NAS security setup", "location update" and "EPS session establishment" processes are carried out.Security protocol for the third case is shown in Figure 8.

Security Analysis
The initial attach for UE process specified in the LTE Standards Release 12 transmits the parameters to identify the UE in plain text, and the proposed security protocol encrypts and safely transmits the relevant identification parameters.Security comparative analysis table is shown in Table 2.The proposed security protocols generate a key value used to encrypt identification parameters through the challenge-response process.The key used to encrypt IMSI and GUTI is defined as the value not used in the challenge-response process during the numerical progression generated through the f() function of the secret sharing between the UE and the MME.The relevant key value is defined only in the UE and MME, but not transmitted through the communication process to the outside.Therefore, an attacker can find the identification parameters only through the attack on the encryption algorithm, like AES-256, to know the encrypted IMSI and GUTI.
The key value encrypting the RNTI is transmitted through the challenge-response process, but the location of the bit continues to change for the transmission.Even if an attacker collects the bit string through an attack, like tapping, the probability of finding the key value with a total of n bits is (1/4) n .

Error Detection and Verification
In the proposed security protocols, since the challenge-response and encryption are carried out through the f() function of the secret sharing between the UE and the MME and the key definition method, the UE and MME can verify if the other is a legitimate entity.In addition, in the challenge-response process, the UE can detect errors through ad i = ad i , and the MME can detect errors through r 0 i = r 0 i and r 1 i = r 1 i .

Reliability
In order to secure the credibility of new MME, communication is only made possible when the UE, old MME and new MME have cross-authenticated each other.In this process, as the challenge-response method supports error detection, even a 1-bit mis-transmission will put a stop to the communication.Additionally, since IMSI is transmitted in the new MME using the values mutually shared by the UE and old MME during the past communication, the credibility of the new MME can be secured.In essence, since the UE constantly alters the MME, during which the key maintains continuity, like a hash-chain, safety against IMSI takeover through fake MME can be enhanced.

Conclusions
In this paper, a security protocol was proposed in order to solve the vulnerability of the unique identification value being transmitted as clear text, which is constantly being pointed out in LTE standards and related technical documents, and to be used as a basic study of mobile communication technology to be used in the future cyber world.
The proposed security protocol was designed to safely transmit IMSI, RNTI and GUTI in a variety of initial attach processes when the UE accesses the LTE network.The proposed security protocol generated a key through the challenge-response method to encrypt and transmit the unique ID and support error detection and verification.As a result of a performance analysis, the security protocol encrypted and safely transmitted vulnerability parameters and turned out to have a performance of an average of 32.0% based on VoIP 100%, demanding a lower rate of delay, so that the safety and performance of the proposed encryption algorithm were found to be efficient.
After all of the analyses, the proposed security protocols had less overhead and fully satisfied the privacy requirements and the maximum permissible delay defined in LTE standards.

Table 1 .
The terms and symbols used in the proposed security protocol.

Table 6 .
Summary of performance analysis.