5GAKA-LCCO: A Secure 5G Authentication and Key Agreement Protocol with Less Communication and Computation Overhead

Abstract

There are still some shortcomings in the latest version of the 5G authentication and key agreement (AKA) protocol, which is specified by the third-generation partnership project (3GPP). To overcome these shortcomings, an improved primary authentication and key agreement protocol for 5G networks (5G-IPAKA) were proposed. However, one of the shortcomings of the 5G AKA protocol has not been completely overcome in the 5G-IPAKA protocol, resulting in denial of service (DoS) attacks against both the serving network (SN) and the home network (HN). In addition, the 5G AKA protocol has large communication and computation overhead, while the 5G-IPAKA protocol has an even larger communication and computation overhead. These will lead to a great deal of energy consumption. To solve these problems, a secure 5G authentication and key agreement protocol, with less communication and computation overhead (5GAKA-LCCO) is proposed. Then, the 5GAKA-LCCO protocol is proven secure in both the strand space model and the Scyther tool. Further discussion and comparative analysis show that the 5GAKA-LCCO protocol can completely overcome the shortcomings of the latest version of the 5G AKA protocol and is better than the recently improved 5G AKA protocols in overcoming these shortcomings. Additionally, the 5GAKA-LCCO protocol has less communication and computation overhead than the 5G AKA protocol and the recently improved 5G AKA protocols.

1. Introduction

With the continuous popularization of 5G communication technology, in the near future, the 5G network, as an important communication infrastructure, will penetrate diverse vertical fields, such as the transportation and medical treatment industries, and will also support various information interactions between people, people and things, and things and things [1]. In the 5G network, three different primary authentication and key agreement protocols are defined in the related third-generation partnership project (3GPP) specifications [2,3,4], including the 5G authentication and key agreement (AKA) protocol, the improved extensible authentication protocol method for third-generation authentication and key agreement (EAP-AKA’), and the 5G extensible authentication protocol method for transport layer security (EAP-TLS). The first two protocols are based on the shared key cryptography, while the last one is based on the public key cryptography. These protocols all aim to provide mutual authentication of subscribers and networks. Currently, they are in the process of standardization.

The 5G AKA protocol [2,3,4] was developed directly from the evolution packet system (EPS)-AKA protocol of the long-term evolution (LTE)/4G network [3], so it inherited certain security vulnerabilities from the EPS-AKA protocol, such as impersonation attacks, man-in-the-middle attacks (MitM), and denial of service (DoS) attacks [5,6,7,8,9,10,11]. In [12], the authors analyzed the 5G AKA protocol of the technical specification (TS) 33.501 v0.7.0. They discovered a protocol vulnerability that could enable an attacker to impersonate another user in a serving network (SN). Based on the Tamarin model checker [13], Basin et al. [14] investigated the security properties of the 5G AKA protocol of TS 33.501 v15.1.0, and several major issues were revealed. These issues are related to user localization, the leakage of activity, the impact of active attackers, and the presence of malicious SN while roaming. In [15], the authors pointed out that the 5G AKA protocol suffers from link–ability attacks and proposed a new authentication scheme by making use of the Diffie–Hellman key exchange algorithm to generate the session key. This scheme was successful in preventing link–ability attacks along with an MitM attack.

For the more recent 5G AKA protocol, the authors in [16] found a new attack type. They claimed that the protection mechanism of the sequence number (SQN) can be defeated under specific replay attacks due to its use of exclusive-OR (XOR) and a lack of randomness. In [17], the authors modeled all key components of the 5G AKA protocol (i.e., the user equipment, the serving network, and the home network) according to the definition in the 3GPP specification document. They discovered an attack that exploits a potential race condition and additionally showed that solving the race condition for the honest case does not necessarily prevent the attack. In [18], the authors investigated the privacy properties of the 5G AKA protocol using the Bana–Comon logic [19,20]. They discovered a novel de-synchronization attack and proved that their proposed protocol guarantees these privacy properties. In [21], the authors proposed a novel version of the 5G AKA protocol to prevent active attacks and gain resistance against malignant serving networks. Unfortunately, there is a possibility of an SN impersonation, so this scheme does not eliminate the vulnerability toward a MitM attack. Further, Gharsallah et al. [22] also attempted to launch a revised version of the 5G AKA protocol. However, their proposed protocol suffers from privacy preservation, as the device identities are clearly transmitted in the air, which leads to numerous security attacks.

As time goes on, more attacks on the 5G AKA protocol were found due to the insecure channel between different network domains in the legacy mobile network. In [23], the authors discovered an attack exploiting the subscription concealed identifier (SUCI) to track a subscriber in the 5G network, which is directly caused by the insecure air channel. To cover this issue, they proposed a secure authentication scheme by utilizing the existing public key infrastructure (PKI) mechanism. Further, they found a location-sniffing attack, which can be implemented by an attacker through inexpensive devices [24]. Similarly, they proposed a fixed scheme based on the existing PKI mechanism. In [25], the authors modeled the 5G AKA protocol by using ProVerif based on three- and four-entity models and then proposed their security consideration. Further, Mariya et al. [26] proposed an enhanced version of the authentication and key agreement protocol for the 5G system that surmounts the limitations existing in the 5G AKA protocol. Parne et al. [27] introduced a protocol that preserves the privacy of the user identity and overcomes the identified problems of the 5G AKA protocol.

Similarly, 3GPP has also been enhancing the security of the 5G AKA protocol [2,3,4]. However, there are still some shortcomings in the latest version of the 5G AKA protocol [28]. To overcome these shortcomings, an improved primary authentication and key agreement protocol for 5G networks (5G-IPAKA) was proposed in [28].

The main contributions of this paper are as follows:

• We point out that one of the shortcomings of the 5G AKA protocol has not been completely overcome in the 5G-IPAKA protocol. This means that DoS attacks against both the SN and the HN can be formed, resulting in a great deal of energy consumption of both the SN and the HN.
• We point out that the 5G AKA protocol has large communication and computation overhead. This makes that a lot of energy is consumed whether the authentication is successful or failed. However, the 5G-IPAKA protocol has larger communication and computation overhead than the 5G AKA protocol.
• We propose a secure 5G authentication and key agreement protocol with less communication and computation overhead (5GAKA-LCCO) from seven aspects. Then, we formally analyze the security of the 5GAKA-LCCO protocol by using both the strand space model [29,30,31] and the Scyther tool [32,33]. As a result, the 5GAKA-LCCO protocol is secure in both the strand space model and the Scyther tool.
• Through further discussion and comparative analysis, the 5GAKA-LCCO protocol can completely overcome the shortcomings of the latest version of the 5G AKA protocol and is better than the recently improved 5G AKA protocols in overcoming these shortcomings. In addition, the 5GAKA-LCCO protocol has less communication and computation overhead than the 5G AKA protocol and the recently improved 5G AKA protocols.

The rest of this paper is organized as follows. Section 2 provides overviews of both the 5G AKA protocol and the 5G-IPAKA protocol. In Section 3, we give our motivation for this paper. Section 4 describes our proposed 5GAKA-LCCO protocol. Section 5 provides formal verification of the 5GAKA-LCCO protocol in both the strand space model and the Scyther tool. In Section 6, we present the discussion and analysis, and conclude the paper in Section 7.

2. Overviews of Both the 5G AKA Protocol and the 5G-IPAKA Protocol

2.1. The 5G AKA Protocol

According to [2,3,4], the steps of the latest version of the 5G AKA protocol in the 3GPP standard version v17.4.0 of TS 33.501 are illustrated in Figure 1.

In Figure 1, the universal subscriber identity module (USIM) and the mobile equipment (ME) are located in the user equipment (UE), and the security anchor function (SEAF) is located in the SN. The authentication server function (AUSF), the unified data management (UDM), the authentication credential repository and processing function (ARPE), and the subscriber identity de-concealing function (SIDF) are located in the home network (HN). The messages between the SN and the HN are usually protected. The detailed steps of the latest version of the 5G AKA protocol are as follows:

• When the SEAF initiates authentication with the UE, the UE sends $SUCI$ to the SEAF, where the UE includes the ME and the USIM. $SUCI$ denotes a SUCI of the UE and $SUCI=x\cdot G\left|\right|{\left\{SUPI\right\}}_{EK}\left|\right|MA{C}_{UE}$, where $SUPI$ denotes the subscription permanent identifier (SUPI) of the UE, $x\cdot G$ and $x$ are an ephemeral public–private key pair of the UE for Diffie–Hellman exchange, $y\cdot G$ and $y$ are the ephemeral public–private key pair of the HN for Diffie–Hellman exchange, $EK\left|\right|ICB\left|\right|MK=KDF(x\cdot y\cdot G)$ and $MA{C}_{UE}=HMAC(MK,{\left\{SUPI\right\}}_{EK})$, $EK$ is an encryption key, $ICB$ is an initial counter block (ICB), $MK$ is a message authentication code (MAC) key, $MA{C}_{UE}$ is a MAC of the UE, $KDF()$ is a key derivation function, $HMAC()$ is a hash function for computing MAC, and $\left|\right|$ denotes a concatenation.
• Upon receiving $SUCI$, the SEAF sends $SUCI$ and $SNN$ to the AUSF. $SNN$ denotes the serving network name (SNN) of the SN.
• If the SEAF is entitled to use $SNN$, then the AUSF stores the received $SNN$ and sends $SUCI$ and $SNN$ to the UDM.
• The UDM invokes the SIDF when $SUCI$ is received. Then, the SIDF de-conceals $SUCI$ to gain $SUPI$ before the UDM can process the request. Based on $SUPI$, the UDM/ARPF chooses one authentication method.
• When 5G AKA is selected, the UDM/ARPF generates $RAND$, calculates $AUTN$ and ${XRES}^{\ast }$, and derives $K_{AUSF}$, and then creates a 5G home environment authentication vector (5G HE AV) from $RAND$, $AUTN$, ${XRES}^{\ast }$, and $K_{AUSF}$. $RAND$ is an unpredictable challenge of the HN. $AUTN$ is an authentication token of the HN and $AUTN=SQN\oplus AK\left|\right|AMF\left|\right|MAC$, where $SQN$ is a fresh sequence number generated by the HN, $AK$ is an anonymous key and $AK=f_5(K,RAND)$, $AMF$ is the authentication management field (AMF) and the separation bit of the AMF is set to 1, $MAC$ is a MAC of the HN and $MAC=f_1(K,SQN|\left|RAND\right||AMF)$, $K$ is a long-term key between the UE and the HN, $f_1()$ is a message authentication function, and $f_5()$ is a key-generating function. Here, ${XRES}^{\ast }=KDF(CK||IK,SNN$$\left|\right|RAND\left|\right|XRES)$, where $CK$ is a cipher key and $CK=f_3(K,RAND)$, $IK$ is an integrity key and $IK=f_4(K,RAND)$, $XRES$ is an expected response and $XRES=f_2(K,RAND)$, $f_2()$ is a message authentication function, and $f_3()$ and $f_4()$ are two key-generating functions. $K_{AUSF}$ is a key derived from $CK$ and $IK$, and $K_{AUSF}=KDF(CK||IK,SNN||SQN\oplus AK)$.
• The UDM sends the 5G HE AV to the AUSF together with $SUPI$. When an authentication and key management for applications (AKMA) subscription is used, the UDM also sends $AKMA$ to the AUSF. $AKMA$ denotes the AKMA indication and routing indicator.
• The AUSF stores the received ${XRES}^{\ast }$ temporarily together with the received $SUPI$.
• The AUSF generates a 5G AV from the 5G HE AV received from the UDM/ARPF by computing ${HXRES}^{\ast }$ from ${XRES}^{\ast }$, computing $K_{SEAF}$ from $K_{AUSF}$, replacing ${XRES}^{\ast }$ with ${HXRES}^{\ast }$, and replacing $K_{AUSF}$ with $K_{SEAF}$ in the 5G HE AV, where ${HXRES}^{\ast }=SHA256(RAND||{XRES}^{\ast })$, $K_{SEAF}=KDF(K_{AUSF},SNN)$, and $SHA256()$ is a hash function.
• The ASUF creates a 5G serving environment authentication vector (5G SE AV) by removing $K_{SEAF}$ from the 5G AV, then sends the 5G SE AV (i.e., $RAND$, $AUTN$, and ${HXRES}^{\ast }$) to the SEAF.
• The SEAF stores ${HXRES}^{\ast }$, and then sends $RAND$, $AUTN$, $ngKSI$, and $ABBA$ to the UE. Here, $ngKSI$ is used by the UE and the access and mobility management function (AMF) to identify the $K_{AMF}$ and the partial native security context that is created if the authentication is successful. $ABBA$ denotes the anti-bidding down between architecture (ABBA) parameter.
• In the UE, the ME forwards $RAND$ and $AUTN$ to the USIM. Upon receipt of $RAND$ and $AUTN$, the USIM first computes the anonymous key $AK$ and retrieves the sequence number $SQN=(SQN\oplus AK)\oplus AK$. Next, the USIM computes $XMAC=f_1(K,SQN|\left|RAND\right||AMF)$ and compares this with $MAC$, which is included in $AUTN$. Then, the USIM verifies that the received $SQN$ is in the correct range. If $XMAC$ is the same as $MAC$ and $SQN$ is in the correct range, then the USIM computes a response $RES=f_2(K,RAND)$, $CK$ and $IK$, and then returns $RES$, $CK$, and $IK$ to the ME. The ME then computes ${RES}^{\ast }=KDF(CK||IK,SNN|\left|RAND\right||RES)$, $K_{AUSF}$ and $K_{SEAF}$.
• The UE sends ${RES}^{\ast }$ to the SEAF.
• The SEAF computes ${HRES}^{\ast }=SHA256(RAND||{RES}^{\ast })$ and compares this with ${HXRES}^{\ast }$. If they coincide, then the SEAF considers that the authentication is successful from the serving network point of view; if not, then the SEAF considers that the authentication is unsuccessful.
• The SEAF sends the received ${RES}^{\ast }$ to the AUSF.
• The AUSF compares the received ${RES}^{\ast }$ with the stored ${XRES}^{\ast }$. If ${RES}^{\ast }$ and ${XRES}^{\ast }$ are equal, then the AUSF considers that the authentication is successful from the home network point of view. Then, the AUSF informs the UDM of the authentication result.
• The AUSF indicates to the SEAF whether the authentication was successful or not from the home network point of view (i.e., $Result$). If the authentication was successful, then the ASUF also sends $K_{SEAF}$ and $SUPI$ to the SEAF.

In step 11, if $XMAC$ and $MAC$ are different, then the USIM indicates to the ME a MAC failure of $AUTN$. Then, the UE sends a “MAC failure” indication to the SEAF. Further, the SEAF sends the “MAC failure” indication to the AUSF. Finally, the ASUF sends the “MAC failure” indication to the UDM/ARPF.

In step 11, if $SQN$ is not in the correct range, then the USIM computes $AUTS=SQ{N}_{UE}\oplus A{K}^{\ast }\left|\right|MAC-S$, and sends $AUTS$ with a “Synchronization failure” indication to the ME, where $SQ{N}_{UE}$ denotes the highest sequence number the USIM has accepted, $A{K}^{\ast }=f_5^{\ast }(K,RAND)$, $MAC-S=f_1^{\ast }(K,SQ{N}_{UE}|\left|RAND\right||AM{F}_0)$, $AM{F}_0$ is a dummy value of all zeros, $f_1^{\ast }()$ is a message authentication function, and $f_5^{\ast }()$ is a key-generating function. Then, the UE sends $AUTS$ with a “Synchronization failure” indication to the SEAF. Further, the SEAF sends $RAND$ and $AUTS$ with a “Synchronization failure” indication to the AUSF. Finally, the ASUF sends $RAND$ and $AUTS$ with a “Synchronization failure” indication to the UDM/ARPF.

According to the analysis of the above 5G AKA protocol, there are still some shortcomings in the latest version of the 5G AKA protocol [28], as follows:

• $SUCI$ can be replayed without being found. The HN cannot find whether $SUCI$ is a replayed message because $SUCI$ does not contain the challenge of the HN. Similarly, the UE cannot find whether $SUCI$ is a replayed message because $AUTN$ does not contain the challenge of the UE (i.e., $x$), which is included in $SUCI$ generated by the UE.
• Mutual authentication between the UE and the SN cannot be established. The UE cannot authenticate the SN because $AUTN$ does not contain $SNN$. Similarly, the SN cannot authenticate the UE for the following three reasons. Firstly, the SN does not verify $SUCI$, $AUTN$, ${HXRES}^{\ast }$, ${RES}^{\ast }$, and $AUTS$. Secondly, the second received message of the SN does not contain $SUPI$ to match with $SUCI$ in the first received message of the SN. Finally, the last received message of the SN does not contain $RAND$, meaning that $SUPI$ in the last received message of the SN cannot match the UE’s identity in $AUTN$ and ${HXRES}^{\ast }$, which are included in the second received message of the SN.
• $K_{SEAF}$ cannot reach an agreement. The last received message of the SN does not contain $RAND$, so this message can be a replayed message, meaning that $K_{SEAF}$ on the SN is not equal to $K_{SEAF}$ on the HN. As a result, $K_{SEAF}$ on the SN is also not equal to $K_{SEAF}$ on the UE.
• Location privacy of the UE can be compromised. Because $AUTN$ does not contain the challenge of the UE (i.e., $x$), the first received message of the UE can be a replayed message. If $SQN\subset AUTN$ is in the correct range, then the location of the UE can be compromised by reidentifying ${RES}^{\ast }$. If $SQN\subset AUTN$ is not in the correct range, then the location privacy of the UE can be compromised by identifying the “Synchronization failure” indication. That is to say, when the first received message of the UE is replayed, the legitimate UE responds to ${RES}^{\ast }$ or a “Synchronization failure” indication, but any other UE responds to a “MAC failure” indication. As a result, the location privacy of the legitimate UE can be compromised.
• DoS attacks against the SN can be formed. Because the received messages of the SN do not contain the challenge of the SN, these messages can be some replayed messages. As a result, the penetrator can impersonate both the UE and the HN to complete the entire 5G AKA protocol with the SN, forming DoS attacks against the SN.
• Attacks based on MAC failure can be performed. Firstly, the penetrator can forge or tamper with the first received message of the UE to make the UE respond to a “MAC failure” indication, resulting in authentication failure. Secondly, the penetrator can directly send a “MAC failure” indication to the SN, causing authentication failure. Finally, the penetrator can also replay a “MAC failure” indication between the SN and the HN, causing authentication failure.
• Perfect forward secrecy cannot be provided. In the latest version of the 5G AKA protocol, if $K$ is leaked, then the penetrator can calculate $K_{AUSF}$ and $K_{SEAF}$ based on those messages transmitted in the past run of the protocol. As a result, the penetrator can decrypt those encrypted communication messages transmitted in the past run of the protocol. Therefore, the latest version of the 5G AKA protocol cannot provide perfect forward secrecy.

2.2. The 5G-IPAKA Protocol

In order to overcome the above shortcomings of the latest version of the 5G AKA protocol, we proposed the 5G-IPAKA protocol in [28], which is illustrated in Figure 2.

In Figure 2, the detail steps of the 5G-IPAKA protocol are as follows:

• When the SEAF initiates an authentication with the UE, the UE sends $SUCI$ to the SEAF.
• Upon receiving $SUCI$, the SEAF generates $RAN{D}_{SN}$ and then sends $RAN{D}_{SN}$, $SUCI$, and $SNN$ to the AUSF, where $RAN{D}_{SN}$ is an unpredictable challenge of the SEAF.
• If the SEAF is entitled to use $SNN$, then the AUSF stores the received $SNN$ and sends $SUCI$ and $SNN$ to the UD.
• The UDM invokes the SIDF when $SUCI$ is received. Then, the SIDF de-conceals $SUCI$ to gain $SUPI$ before the UDM can process the request. Based on $SUPI$, the UDM/ARPF chooses one authentication method.
• When 5G-IPAKA is selected, the UDM/ARPF generates $RAND$, calculates $AUTN$ and ${XRES}^{\ast }$, and derives $K_{AUSF}$, and then creates a 5G HE AV from $RAND$, $AUTN$, ${XRES}^{\ast }$, and $K_{AUSF}$, where $AUTN=SQN\oplus AK\left|\right|AMF\left|\right|MAC$, $AK=f_5(BK,RAND)$, $MAC=f_1(BK,SQN|\left|RAND\right||AMF)$, $CK=f_3(BK,RAND)$, $IK=f_4(BK,RAND)$, $XRES=f_2(BK,RAND)$, ${XRES}^{\ast }=KDF(CK||IK,SNN$$\left|\right|RAND\left|\right|XRES)$, $K_{AUSF}=KDF(CK||IK,SNN||SQN\oplus AK)$, and $BK=KDF(K,$$x\cdot y\cdot G\left|\right|SNN)$.
• The UDM sends the 5G HE AV to the AUSF together with $SUPI$. When an AKMA subscription is used, the UDM also sends $AKMA$ to the AUSF.
• The AUSF stores the ${XRES}^{\ast }$ temporarily together with the received $SUPI$.
• The AUSF generates a 5G AV from the 5G HE AV received from the UDM/ARPF by computing ${HXRES}^{\ast }$ from ${XRES}^{\ast }$, computing $K_{SEAF}$ from $K_{AUSF}$, replacing ${XRES}^{\ast }$ with ${HXRES}^{\ast }$, and replacing $K_{AUSF}$ with $K_{SEAF}$ in the 5G HE AV.
• The ASUF creates a 5G SE AV by adding $SUPI$ to the 5G AV, then sends the 5G SE AV (i.e., $RAND$, $AUTN$, ${HXRES}^{\ast }$, $K_{SEAF}$, and $SUPI$) together with $RAN{D}_{SN}$ to the SEAF.
• The SEAF stores ${HXRES}^{\ast }$, computes $MA{C}_{SN}$, and then sends $RAN{D}_{SN}$, $RAND$, $AUTN$, $ngKSI$, $ABBA$, and $MA{C}_{SN}$ to the UE, where $MA{C}_{SN}$ is a MAC of the SEAF and $MA{C}_{SN}=HMAC(K_{SEAF},RAN{D}_{SN}|\left|RAND\right|\left|AUTN\right|\left|ngKSI\right||ABBA)$.
• In the UE, the ME forwards $RAND$ and $AUTN$ to the USIM. Upon receipt of $RAND$ and $AUTN$, the USIM first computes $BK=KDF(K,x\cdot y\cdot G||SNN)$ and the anonymous key $AK=f_5(BK,RAND)$ and retrieves the sequence number $SQN=(SQN\oplus AK)\oplus AK$. Next, the USIM computes $XMAC=f_1(BK,SQN$$\left|\right|RAND\left|\right|AMF)$ and compares this with $MAC$ that is included in $AUTN$. Then, the USIM verifies that the received $SQN$ is in the correct range. If $XMAC$ is the same as $MAC$ and $SQN$ is in the correct range, then the USIM computes a response $RES=f_2(BK,RAND)$, $CK=f_3(BK,RAND)$, and $IK=f_4(BK,RAND)$, and then returns $RES$, $CK$, and $IK$ to the ME. The ME then computes ${RES}^{\ast }=KDF(CK||IK,SNN|\left|RAND\right||RES)$, $K_{AUSF}$, and $K_{SEAF}$. Finally, the ME verifies $MA{C}_{SN}$ using $K_{SEAF}$. If the verification fails, then the ME aborts.
• The UE computes $MA{C}_{UE,2}$, and then sends ${RES}^{\ast }$ and $MA{C}_{UE,2}$ to the SEAF, where $MA{C}_{UE,2}=HMAC(K_{SEAF},RAN{D}_{SN}||{RES}^{\ast })$ is another MAC of the UE.
• The SEAF verifies $MA{C}_{UE,2}$. If the verification fails, then the SEAF aborts. Otherwise, the SEAF computes ${HRES}^{\ast }=SHA256(RAND||{RES}^{\ast })$ and compares this with ${HXRES}^{\ast }$. If they coincide, then the SEAF considers that the authentication is successful from the serving network point of view. If not, then the SEAF considers that the authentication is unsuccessful.
• The SEAF sends the received ${RES}^{\ast }$ to the AUSF.
• The AUSF compares the received ${RES}^{\ast }$ with the stored ${XRES}^{\ast }$. If ${RES}^{\ast }$ and ${XRES}^{\ast }$ are equal, then the AUSF considers that the authentication is successful from the home network point of view. Then, the AUSF informs the UDM of the authentication result.
• The AUSF indicates to the SEAF whether the authentication was successful or not from the home network point of view (i.e., $Result$).

In step 11, if $XMAC$ and $MAC$ are different, then the UE directly discards the first received message of the UE without responding to a “MAC failure” indication, so the HN will initiate a new authentication procedure towards the UE when the HN does not receive an authentication response message or a synchronization failure message within a certain period of time.

In step 11, if $SQN$ is not in the correct range, then the USIM computes $AUTS=SQ{N}_{UE}\oplus A{K}^{\ast }\left|\right|MAC-S$, and then sends $AUTS$ with a “Synchronization failure” indication to the ME, where $A{K}^{\ast }=f_5^{\ast }(BK,RAND)$ and $MAC-S=f_1^{\ast }(BK,$$SQ{N}_{UE}\left|\right|RAND\left|\right|AM{F}_0)$. Then, the ME computes $MA{C}_{UE,2}=HMAC(K_{SEAF},RAN{D}_{SN}$$\left|\right|Syncf\left|\right|AUTS)$, and then sends $AUTS$ and $MA{C}_{UE,2}$ with a “Synchronization failure” indication to the SEAF, where $Syncf="\mathrm{Synchronization}\hspace{0.17em}\mathrm{failure}"$. Further, the SEAF verifies $MA{C}_{UE,2}$. If the verification fails, then the SEAF aborts, otherwise the SEAF sends $RAND$ and $AUTS$ with a “Synchronization failure” indication to the AUSF. Finally, the ASUF sends $RAND$ and $AUTS$ with a “Synchronization failure” indication to the UDM/ARPF.

Compared with the latest version of the 5G AKA protocol, the main improvements of the 5G-IPAKA protocol are as follows:

• Replace the pre-shared key between the UE and the HN with a derivation key of the pre-shared key. In detail, $K$ is replaced with $BK=KDF(K,x\cdot y\cdot G||SNN)$ on both the UE and the HN.
• Add the challenge-response mechanism for the SN. Firstly, $RAN{D}_{SN}$ is added to the first sent message of the SEAF as a challenge and is added to the second received message of the SEAF as a response. Then, $RAN{D}_{SN}$ is added to the second sent message of the SEAF as a challenge and is added to the third received message of the SEAF as a response (i.e., $RAN{D}_{SN}$ in $MA{C}_{UE,2}$).
• Add the mutual authentication and key confirmation between the UE and the SN. Firstly, $K_{SEAF}$ and $SUPI$ are moved to the second sent message of the AUSF. Then, the UE and the SN perform a mutual authentication and key confirmation process based on $MA{C}_{SN}$ and $MA{C}_{UE,2}$, which are generated by using $K_{SEAF}$.
• Replace the MAC failure procedure with the timeout mechanism on the HN. If $XMAC$ and $MAC$ are different, then the UE directly discards the first received message of the UE without responding to a “MAC failure” indication, so the HN will initiate a new authentication procedure towards the UE when the HN does not receive an authentication response message or a synchronization failure message within a certain period of time.

3. Motivation

In [28], the 5G-IPAKA protocol was proven secure in the mixed strand space model [29,30,31]. However, the above first shortcoming of the 5G AKA protocol has not been completely overcome. In the 5G-IPAKA protocol, whether $SUCI$ is replayed can be found, but only the UE can find whether $SUCI$ is replayed, while both the SN and the HN cannot find whether $SUCI$ is replayed. This will lead to DoS attacks against both the SN and the HN, as shown in Figure 3 and Figure 4.

In Figure 3, the penetrator $P$ replays a large amount of messages to the SEAF, which include $SUCI$, $SUC{I}^{\prime }$, etc., for different UEs. Then, the SEAF, AUSF, UDM, ARPF, and SIDF must respond if these UEs have not been authenticated, and the penetrator discards the response messages of the SEAF. As a result, DoS attacks against both the SN and the HN are formed, resulting in a great deal of energy of both the SN and the HN being consumed.

In Figure 4, the penetrator $P$ replays a large amount of messages to the AUSF, which include $SUCI$, $SUC{I}^{\prime }$, etc., for different UEs. Then, the AUSF, UDM, ARPF, and SIDF must respond if these UEs have not been authenticated, and the penetrator discards the response messages of the AUSF. As a result, Dos attacks against the HN are formed, resulting in a great deal of energy of the HN being consumed.

Additionally, the 5G AKA protocol has large communication and computation overhead. As a result, whether the authentication is successful or failed, this will lead to a great deal of energy consumption. Compared with the 5G AKA protocol, the 5G-IPAKA protocol adds some calculations and fields, so it has larger communication and computation overhead than the 5G AKA protocol.

Therefore, it is necessary to propose a novel 5G AKA protocol, which can completely overcome the above shortcomings of the 5G AKA protocol and has less communication and computation overhead than the 5G AKA protocol.

4. Our Proposed 5GAKA-LCCO Protocol

According to the above motivation, we propose a 5GAKA-LCCO protocol, which is illustrated in Figure 5.

In Figure 5, the detail steps of the 5GAKA-LCCO protocol are as follows:

• When the SEAF initiates an authentication with the UE, the SEAF generates $RAN{D}_{SN}$ and $T_{SN}$, and then sends $RAN{D}_{SN}$ and $T_{SN}$ to the UE, where $T_{SN}$ is a timestamp generated by the SEAF.
• Upon receiving $RAN{D}_{SN}$ and $T_{SN}$, the UE sends $SUCI=x\cdot G\left|\right|{\left\{SUPI\right\}}_{EK}$$\left|\right|MA{C}_{UE}$ to the SEAF, where $EK\left|\right|ICB\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G||RAN{D}_{SN}$$\left|\right|T_{SN}\left|\right|SNN)$ and $MA{C}_{UE}=HMAC(MK,{\left\{SUPI\right\}}_{EK})$. Note that the time synchronization only needs to be maintained between the SN and the HN in the 5GAKA-LCCO protocol, so the UE does not verify $T_{SN}$.
• Upon receiving $SUCI$, the SEAF sends $RAN{D}_{SN}$, $T_{SN}$, $SUCI$, and $SNN$ to the AUSF.
• If the SEAF is entitled to use $SNN$ and $T_{SN}$ is valid, then the AUSF stores the received $SNN$, and sends $RAN{D}_{SN}$, $T_{SN}$, $SUCI$, and $SNN$ to the UDM. Otherwise, the AUSF aborts. If $|T_{SN}-T_{AUSF}|<\mathsf{\Delta }{t}_{AUSF}$, then $T_{SN}$ is valid, where $T_{AUSF}$ is the current time of the AUSF and $\mathsf{\Delta }{t}_{AUSF}$ is the time difference set by the AUSF.
• The UDM first verifies $T_{SN}$. If $T_{SN}$ is invalid, then the UDM/ARPF aborts. Otherwise, the UDM invokes the SIDF when $SUCI$ is received. Then, the SIDF de-conceals $SUCI$ to gain $SUPI$ before the UDM can process the request. After the de-concealing process, the SIDF sends $MK$, $K_{AUSF}$, and $SUPI$ to the UDM. If $|T_{SN}-T_{UDM}|<\mathsf{\Delta }{t}_{UDM}$, then $T_{SN}$ is valid, where $T_{UDM}$ is the current time of the UDM and $\mathsf{\Delta }{t}_{UDM}$ is the time difference set by the UDM.
• The UDM/ARPF generates $RAND$ and calculates $AUTN$, where $AUTN=AMF\left|\right|MAC$ and $MAC=f_1(MK,RAND||AMF)$.
• The UDM sends $RAN{D}_{SN}$, $RAND$, $AUTN$, $K_{AUSF}$, and $SUPI$ to the AUSF. When an AKMA subscription is used, the UDM also sends $AKMA$ to the AUSF.
• The AUSF calculates $K_{SEAF}$ from $K_{AUSF}$, then sends $RAN{D}_{SN}$, $K_{SEAF}$, $SUPI$$RAND$, and $AUTN$ to the SEAF, where $K_{SEAF}=KDF(K_{AUSF},SNN)$.
• The SEAF stores $K_{SEAF}$, and then sends $RAND$, $AUTN$, $ngKSI$, and $ABBA$ to the UE.
• The UE verifies $AUTN$ based on $MK$. If the verification is successful, then the UE calculates $K_{SEAF}$ from $K_{AUSF}$, and stores $K_{SEAF}$. Otherwise, the UE aborts.

Compared with the latest version of the 5G AKA protocol, the main improvements of our proposed 5GAKA-LCCO protocol are as follows:

• Modify the key derivation process of the pre-shared key. In detail, $EK\left|\right|ICB\left|\right|MK$$\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right|\left|T_{SN}\right||SNN)$, where $EK$ and $ICB$ are used to encrypt $SUPI$, $MK$ is used to calculate $MA{C}_{UE}$ and $MAC$, and $K_{AUSF}$ is used to derivate $K_{SEAF}$.
• Add the challenge-response mechanism for the UE. $x$ is included in $SUCI$ of the first sent message of the UE as a challenge, and $x$ is added to $AUTN$ of the third received message of the UE as a response.
• Add the challenge-response mechanism for the SN. Firstly, $RAN{D}_{SN}$ is added to the first sent message of the SEAF as a challenge and $RAN{D}_{SN}$ is added to $SUCI$ of the first received message of the SEAF as a response. Then, $RAN{D}_{SN}$ is added to the second sent message of the SEAF as a challenge and $RAN{D}_{SN}$ is added to the second received message of the SEAF as a response.
• Add the timestamp mechanism for the SN and the HN. $T_{SN}$ is added to the first four messages of the protocol, but $T_{SN}$ is only verified by the AUSF and the UDM. To verify $T_{SN}$, time synchronization between the SN and the HN needs to be maintained.
• Remove the synchronization failure procedure. Earlier, SQNs were used in the 5G AKA protocol because strong random number generation was not possible in the USIM, but in the current generation, this is not an issue anymore [21]. Additionally, the SQN concealment mechanism is not sufficiently protected, leading to leakage of SQNs and thus allowing activity monitoring attacks [21]. Hence, we remove $SQN$ from $AUTN$ and use $RAND$ alone.
• Replace the MAC failure procedure with a timeout mechanism on the HN. If $XMAC$ and $MAC$ are different, then the UE directly discards the second received message without responding to a “MAC failure” indication, so the HN will initiate a new authentication procedure towards the UE when the HN does not receive an authentication response message or a synchronization failure message within a certain period of time.
• Reduce the communication and computation overhead of the authentication process. Firstly, the first sent message of the SEAF (including $RAN{D}_{SN}$ and $T_{SN}$) is added, and the authentication of the UE is advanced to the verification of $SUCI$. Secondly, $K_{SEAF}$ and $SUPI$ are moved to the second sent message of the AUSF. Finally, after receiving the $AUTN$, the UE will no longer respond to the SEAF. This reduces the number of messages in the authentication process, as well as the communication and computation overhead.

Note that the timestamp mechanism for the SN and the HN is added to our proposed 5GAKA-LCCO protocol for the following reasons:

• The timestamp mechanism for the SN and the HN can overcome DoS attacks against the HN. This is because the first received message of the HN in the proposed 5GAKA-LCCO protocol cannot be replayed because $T_{SN}$ is included in this message.
• According to [2,3,4], the SEAF initiates an authentication with the UE during any procedure for establishing a signaling connection with the UE, according to SEAF’s policy. If the random number mechanism is used to overcome DoS attacks against the HN, then the first received message of the HN must be sent from the SEAF, and the HN responds to the SEAF with a random number. However, the first received message of the HN can be replayed, which means that DoS attacks against the HN still cannot be overcome.

5. Formal Verification of the 5GAKA-LCCO Protocol

To simplify the formal verification of the 5GAKA-LCCO protocol, we assume that:

• The parties of the 5GAKA-LCCO protocol shown in Figure 5 are simplified as the UE, SN, and HN.
• There is a session key $K_{SN,HN}$ between the SN and the HN, and it is secure.
• $ngKSI$ and $ABBA$ do not affect the security of the 5G AKA protocol, so they are ignored here.

According to these assumptions, the 5GAKA-LCCO protocol shown in Figure 5 is simplified as follows:

• $SN\to UE$: $RAN{D}_{SN}\left|\right|T_{SN}$.
• $UE\to SN$: $SUCI$.
• $SN\to HN$: ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$.
• $HN\to SN$: ${\left\{RAN{D}_{SN}\right|\left|K_{SEAF}\right|\left|SUPI\right|\left|RAND\right|\left|AUTN\right\}}_{K_{SN,HN}}$.
• $SN\to UE$: $RAND\left|\right|AUTN$.

In this section, in order to evaluate the security of the 5GAKA-LCCO protocol, we mainly employ two formal verification methods, including security proof by using the strand space model [29,30] and security simulation by the use of the Scyther tool [32,33]. Moreover, we choose the Dolev–Yao attacker model to check the security of the 5GAKA-LCCO protocol. In this attacker model, the attacker can completely control the network and conduct a series of attacks.

5.1. Security Proof Based on the Strand Space Model

The strand space model [29,30] is a well-studied formal analysis method for security protocols. Therefore, we use the strand space model to analyze the security of our proposed 5GAKA-LCCO protocol as follows.

Definition 1.

An infiltrated strand space$\sum ,\mathcal{P}$is a space for the 5GAKA-LCCO protocol if it is the union of four kinds of strands: (1) Initiator strands$s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$with trace:$<-RAN{D}_{SN}\left|\right|T_{SN}$, $+SUCI$, $-RAND\left|\right|AUTN>$. The principal associated with this strand is$UE$; (2) Responder strands$r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $H_1$, $K_{SEAF}$, $SUPI]$with trace:$<+RAN{D}_{SN}\left|\right|T_{SN}$, $-SUCI$, $+{\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$, $-\left\{RAN{D}_{SN}\right||K_{SEAF}$$\left|\right|SUPI\left|\right|RAND\left|\right|H_1{\}}_{K_{SN,HN}}$, $+RAND\left|\right|H_1>$. The principal associated with this strand is$SN$. $H_1$is one message that is not inspected by$SN$; (3) Server strands$t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$with trace:$<-\{RAN{D}_{SN}$$\left|\right|T_{SN}\left|\right|SUCI\left|\right|SNN{\}}_{K_{SN,HN}}$, $+{\left\{RAN{D}_{SN}\right|\left|K_{SEAF}\right|\left|SUPI\right|\left|RAND\right|\left|AUTN\right\}}_{K_{SN,HN}}>$. The principal associated with this strand is$HN$; (4) Penetrator strands$p\in \mathcal{P}$[29,30].

Theorem 1.

Suppose: (1)$\sum$is a space for the 5GAKA-LCCO protocol, and$\mathcal{C}$is a bundle containing an initiator strand$s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$; (2)$K\notin {\mathcal{K}}_P$and$K_{SN,HN}\notin {\mathcal{K}}_P$; (3)$x$, $RAND$and$RAN{D}_{SN}$are uniquely originating in$\sum$. Then,$\mathcal{C}$contains a unique server strand$t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$and a unique responder strand$r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$.

Proof of Theorem 1.

Since $EK\left|\right|ICB\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right||T_{SN}$$\left|\right|SNN)$, $MK\notin {\mathcal{K}}_P$ according to assumption (2). $MAC=f_1(MK,RAND||AMF)$, and $RAND$ is uniquely originating in $\sum$, so $MAC\subset AUTN\subset term(<s,3>)$ must uniquely originate on a server strand $t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$. Since $RAN{D}_{SN}$ is uniquely originating in $\sum$, $\left\{RAN{D}_{SN}\right|\left|T_{SN}\right||SUCI$$\left|\right|SNN{\}}_{K_{SN,HN}}=term(<t,1>)$ must uniquely originate on a responder strand $r\in \mathrm{Resp}[U{E}^{\prime }$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{\prime }$, ${H^{\prime }}_1$, ${K^{\prime }}_{SEAF}$, $SUP{I}^{\prime }]$ according to assumption (2). Similarly, ${\left\{RAN{D}_{SN}\right|\left|{K^{\prime }}_{SEAF}\right|\left|SUP{I}^{\prime }\right|\left|RAN{D}^{\prime }\right|\left|{H^{\prime }}_1\right\}}_{K_{SN,HN}}$$=term(<r,4>)$ must originate on a server strand $t^{\prime }\in \mathrm{Serv}[U{E}^{″}$, $SN$, $HN$, $SUC{I}^{″}$, $SNN$, $RAN{D}_{SN}$, ${T^{″}}_{SN}$, $RAN{D}^{\prime }$, $AUT{N}^{\prime }$, ${K^{\prime }}_{SEAF}$, $SUP{I}^{\prime }]$, where ${H^{\prime }}_1=AUT{N}^{\prime }$. By assumption (2), $\left\{RAN{D}_{SN}\right|\left|{T^{″}}_{SN}\right||SUC{I}^{″}$$\left|\right|SNN{\}}_{K_{SN,HN}}=term(<t^{\prime },1>)$ must originate on a responder strand $r^{\prime }\in \mathrm{Resp}[U{E}^{‴}$, $SN$, $HN$, $SUC{I}^{″}$, $SNN$, $RAN{D}_{SN}$, ${T^{″}}_{SN}$, $RAN{D}^{‴}$, ${H^{‴}}_1$, ${K^{‴}}_{SEAF}$, $SUP{I}^{‴}]$. $RAN{D}_{SN}$ is uniquely originating in $\sum$, and $r^{\prime }=r$, so $SUC{I}^{″}=SUCI$ and ${T^{″}}_{SN}=T_{SN}$. According to $t^{\prime }$ and Definition 1, $U{E}^{″}=UE$, $SUP{I}^{\prime }=SUPI$ and ${K^{\prime }}_{SEAF}=K_{SEAF}$, so ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$$=term(<t^{\prime },1>)$. By Definition 1, $RAN{D}^{\prime }=RAND$ and $AUT{N}^{\prime }=AUTN$, i.e., $t^{\prime }=t$. Hence, $r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$. □

According to Theorem 1, $UE$ successfully authenticates $HN$ and $SN$, and can establish an injection agreement [29,30] with them.

Theorem 2.

Suppose: (1)$\sum$is a space for the 5GAKA-LCCO protocol, and$\mathcal{C}$is a bundle containing a server strand$t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$; (2)$K\notin {\mathcal{K}}_P$and$K_{SN,HN}\notin {\mathcal{K}}_P$; (3)$x$, $RAND$and$RAN{D}_{SN}$are uniquely originating in$\sum$. Then,$\mathcal{C}$contains a unique initiator strand$s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$and a unique responder strand$r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$.

Proof of Theorem 2.

Since $EK\left|\right|ICB\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right||T_{SN}$ $\left|\right|SNN)$, $MK\notin {\mathcal{K}}_P$ according to assumption (2). $MA{C}_{UE}=HMAC(MK,{\left\{SUPI\right\}}_{EK})$, and $x$ is uniquely originating in $\sum$, so $MA{C}_{UE}\subset SUCI\subset term(<t,1>)$ must uniquely originate on an initiator strand $s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{\prime }$, $AUT{N}^{\prime }]$. Similarly, $MA{C}^{\prime }=f_1(MK,RAN{D}^{\prime }||AMF)\subset AUT{N}^{\prime }$$\subset term(<s,3>)$ must originate on a server strand $t^{\prime }\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{\prime }$, $AUT{N}^{\prime }$, $K_{SEAF}$, $SUPI]$, so ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$$=term(<t^{\prime },1>)$. By Definition 1, $RAN{D}^{\prime }=RAND$ and $AUT{N}^{\prime }=AUTN$, i.e., $t^{\prime }=t$. Hence, $s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$. Since $RAN{D}_{SN}$ is uniquely originating in $\sum$, $\left\{RAN{D}_{SN}\right|\left|T_{SN}\right||SUCI$$\left|\right|SNN{\}}_{K_{SN,HN}}=term(<t,1>)$ must uniquely originate on a responder strand $r\in \mathrm{Resp}[U{E}^{″}$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{″}$, ${H^{″}}_1$, ${K^{″}}_{SEAF}$, $SUP{I}^{″}]$ according to assumption (2). Similarly, $\left\{RAN{D}_{SN}\right|\left|{K^{″}}_{SEAF}\right||SUP{I}^{″}$$\left|\right|RAN{D}^{″}\left|\right|H_1^{″}\}{K}_{SN,HN}$$=term(<r,4>)$ must originate on a server strand $t^{\prime }\in \mathrm{Serv}[U{E}^{‴}$, $SN$, $HN$, $SUC{I}^{‴}$, $SNN$, $RAN{D}_{SN}$, ${T^{‴}}_{SN}$, $RAN{D}^{″}$, $AUT{N}^{″}$, ${K^{″}}_{SEAF}$, $SUP{I}^{″}]$, where ${H^{″}}_1=AUT{N}^{″}$. By assumption (2), $\left\{RAN{D}_{SN}\right|\left|{T^{‴}}_{SN}\right||SUC{I}^{‴}$$\left|\right|SNN{\}}_{K_{SN,HN}}=term(<t^{\prime },1>)$ must originate on a responder strand $r^{\prime }\in \mathrm{Resp}[U{E^{″}}^{″}$, $SN$, $HN$, $SUC{I}^{‴}$, $SNN$, $RAN{D}_{SN}$, ${T^{‴}}_{SN}$, $RAN{D^{″}}^{″}$, ${{H^{″}}^{″}}_1$, ${{K^{″}}^{″}}_{SEAF}$, $SUP{I^{″}}^{″}]$. $RAN{D}_{SN}$ is uniquely originating in $\sum$, and $r^{\prime }=r$, so $SUC{I}^{‴}=SUCI$ and ${T^{‴}}_{SN}=T_{SN}$. According to $t^{\prime }$ and Definition 1, $U{E}^{‴}=UE$, $SUP{I}^{″}=SUPI$ and ${K^{″}}_{SEAF}=K_{SEAF}$, so ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$$=term(<t^{\prime },1>)$. By Definition 1, $RAN{D}^{″}=RAND$ and $AUT{N}^{″}=AUTN$, i.e., $t^{\prime }=t$. Hence, $r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$. □

According to Theorem 2, $HN$ successfully authenticates $UE$ and $SN$, and can establish an injection agreement [29,30] with them.

Theorem 3.

Suppose: (1)$\sum$is a space for the 5GAKA-LCCO protocol, and$\mathcal{C}$is a bundle containing a responder strand$r\in \mathrm{Resp}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $H_1$, $K_{SEAF}$, $SUPI]$; (2)$K\notin {\mathcal{K}}_P$and$K_{SN,HN}\notin {\mathcal{K}}_P$; (3)$x$, $RAND$and$RAN{D}_{SN}$are uniquely originating in$\sum$. Then,$\mathcal{C}$contains a unique server strand$t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$and a unique initiator strand$s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$.

Proof of Theorem 3.

By assumptions (2) and (3), $K_{SN,HN}\notin {\mathcal{K}}_P$, and $RAND$ is uniquely originating in $\sum$, so ${\left\{RAN{D}_{SN}\right|\left|K_{SEAF}\right|\left|SUPI\right|\left|RAND\right|\left|H_1\right\}}_{K_{SN,HN}}=term(<r,4>)$ must uniquely originate on a server strand $t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUC{I}^{\prime }$, $SNN$, $RAN{D}_{SN}$, ${T^{\prime }}_{SN}$, $RAND$, $AUT{N}^{\prime }$, $K_{SEAF}$, $SUPI]$. Similarly, ${\left\{RAN{D}_{SN}\right|\left|{T^{\prime }}_{SN}\right|\left|SUC{I}^{\prime }\right|\left|SNN\right\}}_{K_{SN,HN}}$$=term(<t,1>)$ must originate on a responder strand $r^{\prime }$. $RAN{D}_{SN}$ is uniquely originating in $\sum$, and $r^{\prime }=r$, so ${T^{\prime }}_{SN}=T_{SN}$ and $SUC{I}^{\prime }=SUCI$ according to assumption (1). According to $t$ and Definition 1, $AUT{N}^{\prime }=AUTN$. Hence, $t\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN$, $K_{SEAF}$, $SUPI]$. Since $EK\left|\right|ICB\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right||T_{SN}$$\left|\right|SNN)$, $MK\notin {\mathcal{K}}_P$ according to assumption (2). $MA{C}_{UE}=HMAC(MK,{\left\{SUPI\right\}}_{EK})$, and $x$ is uniquely originating in $\sum$, so $MA{C}_{UE}\subset SUCI\subset term(<t,1>)$ must uniquely originate on an initiator strand $s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{″}$, $AUT{N}^{″}]$. Similarly, $MA{C}^{″}=f_1(MK,RAN{D}^{″}||AMF)\subset AUT{N}^{″}\subset term(<s,3>)$ must originate on a server strand $t^{\prime }\in \mathrm{Serv}[UE$, $SN$, $HN$, $SUCI$, $SNN$, $RAN{D}_{SN}$, $T_{SN}$, $RAN{D}^{″}$, $AUT{N}^{″}]$, $K_{SEAF}$, $SUPI]$, so ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$$=term(<t^{\prime },1>)$. By Definition 1, $RAN{D}^{″}=RAND$ and $AUT{N}^{″}=AUTN$, i.e., $t^{\prime }=t$. Hence, $s\in \mathrm{Init}[UE$, $SN$, $HN$, $SUCI$, $RAN{D}_{SN}$, $T_{SN}$, $RAND$, $AUTN]$. □

According to Theorem 3, $SN$ successfully authenticates $UE$ and $HN$, and can establish an injection agreement [29,30] with them.

From Theorems 1–3, mutual authentication between the UE and SN, mutual authentication between the UE and SN, and mutual authentication between the SN and HN are established. Additionally, an injection agreement among the UE, SN and HN is established, so replay and MitM attacks among the UE, SN, and HN are overcome according to the definition of the injection agreement [29,30].

Because MitM attacks among the UE, SN, and HN are overcome, $K_{SEAF}$ can reach an agreement among the UE, SN, and HN. In addition, replay attacks among the UE, SN, and HN are overcome, so all the messages among the UE, SN, and HN cannot be replayed. As a result, $SUCI$ cannot be replayed, the location privacy of the UE cannot be compromised, and DoS attacks against both the SN and HN cannot be formed.

5.2. Security Simulation Based on the Scyther Tool

The Scyther tool [32,33] is a protocol formal analysis tool, which can provide explicit termination for unlimited sessions and infinite state aggregation protocols, and support multiprotocol parallel analysis. The security protocol description language (SPDL) is used in the Scyther tool to describe and analyze security protocols. It provides a set of claims to test various security goals, such as secrecy and authentication. The secret claim is applied to state confidentiality. In order to provide different degrees of authentication strength, several forms of authentication claims including Alive (i.e., aliveness), Weakagree (i.e., weak agreement), Niagree (i.e., non-injection agreement), and Nisynch (i.e., non-injection synchronization) are employed to detect replay, reflection, MitM attacks, and so on. The detailed description of formal definitions for all Scyther claims can be found in [33].

We model our proposed 5GAKA-LCCO protocol in SPDL and specify the security properties of the 5GAKA-LCCO protocol by a series of claims of Scyther, as shown in Figure 6.

From Figure 6, our proposed 5GAKA-LCCO protocol successfully makes certain all Scyther claims and there are no attacks found under the test of the Scyther tool.

According to Figure 6, $SUPI$ (i.e., UE in this figure) is secret, and $K_{SEAF}$ (i.e., the session key established between the UE and HN and distributed from the HN to SN) is also secret. Additionally, aliveness, weak agreement, non-injection agreement, and non-injection synchronization among the UE, SN, and HN are established, so replay and MitM attacks among the UE, SN, and HN are overcome [33].

Similarly, because MitM attacks among the UE, SN, and HN are overcome, $K_{SEAF}$ can reach an agreement among the UE, SN, and HN. In addition, replay attacks among the UE, SN, and HN are overcome, so all the messages among the UE, SN, and HN cannot be replayed. As a result, $SUCI$ cannot be replayed, the location privacy of the UE cannot be compromised, and DoS attacks against both the SN and HN cannot be formed.

6. Discussion

6.1. Security of the 5GAKA-LCCO Protocol

$SUCI=x\cdot G\left|\right|{\left\{SUPI\right\}}_{EK}$$\left|\right|MA{C}_{UE}$, $MA{C}_{UE}=HMAC(MK,{\left\{SUPI\right\}}_{EK})$ and $EK\left|\right|ICB$$\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right|\left|T_{SN}\right||SNN)$, so both $RAN{D}_{SN}$ and $T_{SN}$ are included in $SUCI$, meaning that both the SN and the HN can find whether $SUCI$ is replayed.

$AUTN=AMF\left|\right|MAC$, $MAC=f_1(MK,RAND||AMF)$ and $EK\left|\right|ICB$$\left|\right|MK\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right|\left|T_{SN}\right||SNN)$, so $AUTN$ contains the challenge of the UE (i.e., $x$). Hence, the second received message of the UE cannot be a replayed message, preventing the location privacy of the UE from being compromised.

Since the received messages of the SN contain the challenge of the SN (i.e., $RAN{D}_{SN}$), these messages cannot be some replayed messages, preventing DoS attacks against the SN. In addition, $T_{SN}$ is included in ${\left\{RAN{D}_{SN}\right|\left|T_{SN}\right|\left|SUCI\right|\left|SNN\right\}}_{K_{SN,HN}}$ and verified by the HN based on maintaining the time synchronization between the SN and HN, so the first received message of the HN cannot be replayed, preventing DoS attacks against the HN.

The 5GAKA-LCCO protocol does not contain the above “MAC failure” indication, so it can defend against those attacks based on MAC failure. In addition, $EK\left|\right|ICB\left|\right|MK$$\left|\right|K_{AUSF}=KDF(K,x\cdot y\cdot G|\left|RAN{D}_{SN}\right|\left|T_{SN}\right||SNN)$ and $K_{SEAF}=KDF(K_{AUSF},SNN)$, providing perfect forward secrecy (PFS) based on the Diffie–Hellman exchange.

Depending on the above formal verification and security analysis of the 5GAKA-LCCO protocol, our proposed 5GAKA-LCCO protocol can completely overcome the above shortcomings in the latest version of the 5G AKA protocol.

A comparative analysis between the 5GAKA-LCCO protocol and the recently improved 5G AKA protocols [23,24,26,28] regarding the shortcomings of the latest version of the 5G AKA protocol is given in

Table 1. Comparative analysis between the 5GAKA-LCCO protocol and the recently improved 5G AKA protocols [23,24,26,28] regarding the shortcomings of the latest version of the 5G AKA protocol.

Security Issues	5G AKA	[23]	[24]	[26]	[28]	5GAKA-LCCO
$SUCI$ can be replayed without being found	Yes	No	Yes	No	No	No
Mutual authentication cannot be established between the UE and the SN	Yes	Yes	Yes	Yes	No	No
$K_{SEAF}$ cannot be agreed among the UE, he SN and the HN	Yes	Yes	Yes	Yes	No	No
The location privacy of the UE can be compromised	Yes	No	No	No	No	No
Dos attacks against the SN can be formed	Yes	Yes	Yes	Yes	Yes	No
Dos attacks against the HN can be formed	Yes	Yes	Yes	Yes	Yes	No
Attacks based on MAC failure can be performed	Yes	Yes	No	No	No	No
Perfect forward secrecy cannot be provided	Yes	Yes	Yes	Yes	No	No

.

From Table 1, the recently improved 5G AKA protocols still have some of the shortcomings of the latest version of the 5G AKA protocol, but our proposed 5GAKA-LCCO protocol completely overcomes all the shortcomings of the latest version of the 5G AKA protocol.

In [23], the ephemeral public–private key pair of the UE (i.e., $x$ and $x\cdot G$), the PKI public–private key pair of the SN, and the PKI public–private key pair of the HN are used to ensure the security of the channel between the UE and the SN, the security of channel between the UE and the HN, and the security of the channel between the SN and the HN. The first received message of the UE is encrypted by using the ephemeral public key of the UE, which means that the message can only be decrypted by using the ephemeral private key of the UE, so it cannot be a replayed message, preventing the location privacy of the UE being compromised. In addition, the UE can find whether $SUCI$ is replayed. However, the other parts fully inherit the 5G AKA protocol, so the other shortcomings of the 5G AKA protocol still exist in the protocol of [23].

In [24], both the synchronization failure and the MAC failure are constructed as the format of ${RES}^{\ast }$, making it impossible to distinguish them, which can prevent the location privacy of the UE being compromised and prevent those attacks based on MAC failure. However, the other parts fully inherit the 5G AKA protocol, so the other shortcomings of the 5G AKA protocol still exist in the protocol of [24].

In [26], $SUCI$ is included in $AUT{H}_{SEAF}$ of the second received message of the UE, so the UE can find whether $SUCI$ is replayed, where $AUT{H}_{SEAF}$ is an authentication token of the SEAF. However, both the SN and the HN cannot find whether $SUCI$ is replayed, resulting in DoS attacks against both the SN and HN. Additionally, the protocol in [26] removes the synchronization failure procedure and the MAC failure procedure, preventing the location privacy of the UE from being compromised and defending against those attacks based on MAC failure. Similarly, $MA{C}_{ARPF}$ is also included in $AUT{H}_{SEAF}$ of the second received message of the UE, but it does not contain $SEA{F}_{ID}$, where $MA{C}_{ARPF}$ is a MAC of the ARPF and $SEA{F}_{ID}$ is the identity of the SEAF (i.e., $SNN$ mentioned above). This means that the UE cannot authenticate the SN being authenticated by the HN, meaning that mutual authentication between the UE and the SN cannot be established and $K_{SEAF}$ cannot reach an agreement. In addition, $RAN{D}_{SEAF}$ is included in $RAN{D^{\prime }}_{UE}$ of the second received message of the SEAF, ${HXRES}^{\ast }$ of the third received message of the SEAF, and ${RES}^{\ast }$ of the fourth received message of the SEAF, but the SEAF does not verify these three fields, so DoS attacks against the SN can be formed, where $RAN{D^{\prime }}_{UE}$ is calculated based on $RAN{D}_{UE}$ and $RAN{D}_{SEAF}$ (i.e., the challenges of the UE and the SEAF, respectively). Because $K_{AUSF}$ and $K_{SEAF}$ can be calculated when $K$ is leaked, PFS cannot be provided.

In [28], $K$ is replaced with $BK=KDF(K,x\cdot y\cdot G||SNN)$ on both the UE and the HN, so $AUTN$ must contain the challenge of the UE (i.e., $x$), which is included in $SUCI$ generated by the UE. Hence, the UE can find whether $SUCI$ is replayed. However, both the SN and the HN cannot find whether $SUCI$ is replayed, resulting in DoS attacks against both the SN and the HN. Because the mutual authentication and injection agreement among the UE, SN, and HN are established, $K_{SEAF}$ can reach an agreement among the UE, SN, and HN. Because $AUTN$ contains the challenge of the UE (i.e., $x$), the first received message of the UE (including $AUTN$) cannot be a replayed message, preventing the location privacy of the UE from being compromised. In addition, the UE directly discards the first received message without responding to a “MAC failure” indication when $XMAC$ and $MAC$ are different, defending against those attacks based on MAC failure. Because $K_{AUSF}$ and $K_{SEAF}$ are generated based on $BK$, this provides PFS based on the Diffie–Hellman exchange.

Therefore, our proposed 5GAKA-LCCO protocol is better than the recently improved 5G AKA protocols in overcoming the shortcomings of the latest version of the 5G AKA protocol.

6.2. Communication, Computation, and Storage Overhead of the 5GAKA-LCCO Protocol

In order to evaluate the communication overhead, we will compute the transmitted message size. According to [2,3,4,26,27], the sizes with respect to various fields of the transmitted messages are presented in

Table 2. The sizes with respect to numerous fields of the transmitted messages [2,3,4,26,27].

Fields	Size (Bits)
$K$$/EK$$/MK$$/IK$$/CK$$/AK$$/BK$$/K_{SN,HN}$	128
$K_{AUSF}$$/K_{SEAF}$$/K_{AMF}$	256
$SQN$$/SQ{N}_{UE}$$/AMF$	48
$RES$$/{RES}^{\ast }$$/XRES$$/{XRES}^{\ast }$$/{HRES}^{\ast }$$/{HXRES}^{\ast }$	128
$MAC$$/XMAC$$/MA{C}_{UE}$$/MA{C}_{ARPF}$$/MA{C}_{SEAF}$	64
$Syncf$$/MACf$$/Result$	16
$RAND$$/RAN{D}_{SN}$$/RAN{D}_{SEAF}$$/RAN{D}_{UE}$$/RAN{D^{\prime }}_{UE}$	128
$SNN$$/SUPI$$/SEA{F}_{ID}$	128
$T_{SN}$$/T_1$	64
$\mathrm{x}/x\cdot G$$/$$/y\cdot G$	256

.

A comparative analysis between the 5GAKA-LCCO protocol and the recently improved 5G AKA protocols [23,24,26,28] regarding the communication, computation, and storage overhead is given in

Table 3. A comparative analysis between the 5GAKA-LCCO protocol and the recently improved 5G AKA protocols [23,24,26,28] regarding the communication, computation, and storage overhead.

Protocols	Communication Overhead (Bits)	Computation Overhead	Storage Overhead (Bits)
5G AKA	3120	1ECDH + 1ED + 12F + 2XOR	3328
[23]	3248	4PED + 1ED + 10F + 2XOR	7680
[24]	3472	2PED + 1ECDH +1ED + 13F + 1XOR	5504
[26]	3664	1ECDH + 1ED + 12F	3392
[28]	3664	1ECDH + 1ED + 16F + 2XOR	3328
5GAKA-LCCO	2656	1ECDH + 1ED + 4F	3392

.

In Table 3, the communication overhead represents the total communication overhead of the transmitted messages among the UE, SN, and HN, including the transmitted messages in both the synchronization failure procedure and the MAC failure procedure. For the 5G AKA protocol, the total communication overhead = 448 + 576 + 496 + 368 +128 + 128 + 400 + 208 + 336 + 16 + 16 = 3120 bits. For the protocol in [23], the total communication overhead = 384 + 640 + 496 + 368 + 128 + 128 + 400 + 208 + 336 + 16 + 16 = 3248 bits. For the protocol in [24], the total communication overhead = 448 + 576 + 496 + 368 + 128 + 128 + 400 + 256 + 256 + 208 + 208 = 3472 bits. For the protocol in [26], the total communication overhead = 576 + 192 + 192 + 768 + 1088 +576 + 128 + 128 + 16 = 3664 bits. For the protocol in [28], the total communication overhead = 448 + 704 + 1008 + 560 + 192 + 128 + 16 + 272 + 336 = 3664 bits. For our proposed 5GAKA-LCCO protocol, the total communication overhead = 192 + 448 + 768 + 880 + 368 = 2656 bits.

In Table 3, ECDH denotes the generation and verification of an elliptic curve Diffie–Hellman (ECDH) exchange. PED denotes the generation and verification of a public key encryption and decryption process. ED denotes the generation and verification of a symmetric key encryption and decryption process. F denotes the generation and verification of a key function, a key derivation function, a MAC function, or a hash function, which are grouped into one category because they require the same amount of calculation [27]. XOR denotes the generation and verification of an XOR value.

The storage overhead is composed of three parts: Public parameters, identity information, and keys [34]. Hence, the storage overhead in Table 3 represents the total storage overhead of the public parameters, identity information, and keys on the UE, SN, and HN. For the 5G AKA protocol, the total storage overhead = 1408 + 512 + 1408 = 3328 bits. For the protocol in [23], the total storage overhead = 1920 + 2688 + 3072 = 7680 bits. For the protocol in [24], the total storage overhead = 2432 + 512 + 256 = 5504 bits. For the protocol in [26], the total storage overhead = 1408 + 576 + 1408 = 3392 bits. For the protocol in [28], the total storage overhead = 1408 + 512 + 1408 = 3328 bits. For our proposed 5GAKA-LCCO protocol, the total storage overhead = 1408 + 512 + 1472 = 3392 bits.

From Table 3, the communication overhead of the 5GAKA-LCCO protocol is considerably less than that of the 5G AKA protocol and the recently improved 5G AKA protocols [23,24,26,28]. According to [26], PED > ECDH > ED > F > XOR in computation overhead, so the computation overhead of the 5GAKA-LCCO protocol is also lower than that of the 5G AKA protocol and the recently improved 5G AKA protocols [23,24,26,28]. Hence, our proposed 5GAKA-LCCO protocol has less communication and computation overhead than the 5G AKA protocol and the recently improved 5G AKA protocols. In addition, the storage overhead of the 5GAKA-LCCO protocol is slightly more than that of the 5G AKA protocol and the improved 5G AKA protocol in [28] and is equivalent to that of the improved 5G AKA protocol in [26]. However, the storage overhead of the 5GAKA-LCCO protocol is considerably less than that of the two improved 5G AKA protocols in [23,24].

7. Conclusions

In this paper, we provide overviews of both the latest version of the 5G AKA protocol and the 5G-IPAKA protocol, where the 5G-IPAKA protocol is a recently improved 5G AKA protocol. Then, we point out that one of the shortcomings of the 5G AKA protocol has not been completely overcome in the 5G-IPAKA protocol, leading to DoS attacks against the SN and HN. As a result, much of the energy of both the SN and HN is consumed. Additionally, the 5G AKA protocol has large communication and computation overhead. Thus, whether the authentication is successful or failed, this will lead to a great deal of energy consumption, while the 5G-IPAKA protocol has an even larger communication and computation overhead.

To solve these problems, we propose a 5GAKA-LCCO protocol. Compared with the latest version of the 5G AKA protocol, the main improvements of the 5GAKA-LCCO protocol include the fact that the key derivation process of the pre-shared key is modified, the challenge-response mechanism for the SN is added, the challenge-response mechanism for the HN is added, the timestamp mechanism for the SN and HN is added, the synchronization failure procedure is removed, the MAC failure procedure is replaced with a timeout mechanism on the HN, and the communication and computation overhead of the authentication process is reduced.

Finally, we use both the strand space model and the Scyther tool to formally analyze the security of the 5GAKA-LCCO protocol. As a result, mutual authentication and injection among the UE, SN, and HN are established. Therefore, the 5GAKA-LCCO protocol is secure in both the strand space model and the Scyther tool. Based on further discussion and comparative analysis, the 5GAKA-LCCO protocol can completely overcome the above shortcomings of the latest version of the 5G AKA protocol and is better than the recently improved 5G AKA protocols in overcoming these shortcomings. In addition, the 5GAKA-LCCO protocol has less communication and computation overhead than the 5G AKA protocol and the recently improved 5G AKA protocols.

In the above protocols, the public key cryptography mechanism, which has large computation and storage overhead, is always used. To further reduce the computation overhead, we will further improve these protocols in the future so that they do not use the public key cryptography mechanism.