The proposed scheme is designed to protect original identification information such as IMSI and RNTI, which are transmitted as plain text when UE performs an initial attach to the network. It is composed of four cases in total, according to UE's initial access type, and the link between eNB and MME, together with the backbone network, is assumed to be a secure channel.
3.1. Secret Sharing
MNO applies the secret sharing method to UE, eNB, and MME for the secure initial attach process; in other words, this setup is executed by MNO before the UICC is distributed.
MME selects three points SSKUE, SSKeNB, and SSKMME on the curve Y = aX² + bX + S, whose constant term is the secret value S, and distributes them. SSKUE is stored in UE, and SSKMME is stored in MME. Finally, SSKeNB is stored in eNB; at this moment, h(SSKUE) is stored in eNB as the value corresponding to SSKeNB.
3.2. Initial Attach with IMSI
The first protocol is shown in Figure 1 and is carried out after the Initial State after Radio Link Synchronization process is completed in the initial attach for the IMSI case. The first protocol is based on mutual authentication among UE, eNB, and MME and is designed to protect IMSI, which is leaked as plain text in the ECM connection establishment process, and RNTI, which is leaked as plain text in the EPS session establishment process.
UE transmits a random number and the UE network capability generated for the attach request to MME. MME, on receiving the attach request, generates random numbers and transmits them to UE, and UE and MME then execute a series of calculations to transmit IMSI securely.
UE and MME input the transmitted and received random numbers and the PLMN ID to the hash function, which is secret-shared according to MNC and generates a 4n-bit F string. The generated F string is divided into four sequences of n bits each. MME generates random number sequences that are used as challenge bits, and UE generates SSKUE′ and calculates an lr sequence and exclusive.
MME generates challenge bits Ci using lri, adi, and ci: Ci = ci‖adi when lri is 0, and Ci = adi‖ci when lri is 1. MME transmits Ci to UE and verifies UE through the response values, while UE verifies MME through Ci.
Because UE knows lr, UE can distinguish whether the Ci transmitted by MME is Ci = ci‖adi or Ci = adi‖ci. In case lri is 0, UE generates Ri = SSKUEi′‖ri0 or Ri = SSKUEi′‖ri1; in case lri is 1, UE generates Ri = ri0‖SSKUEi′ or Ri = ri1‖SSKUEi′. Here UE uses ri0 when the ci transmitted by MME is 0 and ri1 when ci is 1. Through this process, MME receives UE's SSKUE.
After the challenge response process, MME recovers SSKUE through the S-box inverse function, hashes it, and transmits h(SSKUE) to eNB. eNB returns the SSKeNB that corresponds to h(SSKUE) to MME. MME verifies whether the correct secret value S is recovered by substituting SSKMME, SSKUE, and the SSKeNB corresponding to SSKUE into Y = aX² + bX + S. If verification of all SSK is successful, MME computes the hash of the unused ri0 and transmits it to eNB.
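The following is an added example, not code from the paper, illustrating the secret sharing of Section 3.1 and the verification step above: the dealer emits three points on Y = aX² + bX + S, and MME recovers the constant term from SSKUE, SSKeNB, and SSKMME. It assumes arithmetic modulo a prime p (the paper does not name a field) and that each SSK is an (X, Y) point; the modulus and the secret are constructed values.

```python
# Added example (not from the paper): share generation and MME-side
# verification of the secret S for the quadratic Y = aX^2 + bX + S.
# Assumption: arithmetic is done modulo a prime p, and each share
# (SSK_UE, SSK_eNB, SSK_MME) is an (x, y) point on the curve.
import secrets

P = 2**127 - 1  # constructed prime modulus; any large prime works


def make_shares(S, p=P):
    """Dealer (MNO/MME): pick random a, b and emit the three points on
    Y = aX^2 + bX + S at X = 1, 2, 3 as SSK_UE, SSK_eNB, SSK_MME."""
    a = secrets.randbelow(p)
    b = secrets.randbelow(p)
    return [(x, (a * x * x + b * x + S) % p) for x in (1, 2, 3)]


def reconstruct_secret(shares, p=P):
    """Recover S = Y(0) from three distinct points by Lagrange interpolation.
    Two points fit infinitely many parabolas, so all three are needed; this is
    why MME must hold SSK_UE and SSK_eNB in addition to its own SSK_MME."""
    if len(shares) != 3 or len({x for x, _ in shares}) != 3:
        raise ValueError("need three shares with distinct X coordinates")
    S = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * (-xm)) % p        # factor (0 - x_m)
                den = (den * (xj - xm)) % p    # factor (x_j - x_m)
        S = (S + yj * num * pow(den, -1, p)) % p
    return S


def mme_verify(ssk_ue, ssk_enb, ssk_mme, expected_S, p=P):
    """MME's check in the IMSI protocol: substitute the three SSKs and accept
    only if the recovered constant term equals the provisioned secret S."""
    try:
        return reconstruct_secret([ssk_ue, ssk_enb, ssk_mme], p) == expected_S
    except ValueError:
        return False
```

A forged or altered SSK shifts the recovered constant term, so the check fails; supplying the same share twice is rejected outright because two distinct points cannot determine the parabola.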
UE and eNB execute the challenge response process using h(ri0), and the random number RNUE_2 generated by UE is transmitted to eNB.
After the second challenge response process is completed, UE transmits IMSI to MME encrypted with the unused ri1 as a key. MME obtains IMSI by decrypting the received message through the same process as UE.
After IMSI is securely transmitted, the procedure continues through the processes of ECM connection establishment, verification, NAS security setup, location update, and EPS session establishment, up to the Access Stratum (AS) security setup process. After AS security setup is completed, eNB transmits RNTI to MME encrypted with the secret key of the AS security setup in order to allocate RNTI to UE. eNB allocates the received RNTI by encrypting it with RNUE_2, which was saved in the ECM connection establishment process, and transmitting it to UE.