ML-AKA: An Authentication Protocol for Non-Standalone 5G-Based C-IoT Networks
Figure 1. End-to-end device communication over a NSA-5G-based C-IoT network.
Figure 2. Key generation and authentication procedure in LTE network.
Figure 3. EPS-AKA protocol of the NSA-based C-IoT network.
Figure 4. A C-IoT communication framework in a personal area network.
Figure 5. A C-IoT communication framework in a local area network.
Figure 6. A C-IoT communication framework in a global area network scenario.
Figure 7. Authentication, registration, and acknowledgment flow diagram for the ML-AKA protocol.
Figure 8. Simulation result of the ML-AKA protocol using the AVISPA tools.
Figure 9. Outcome of protocol verification with the ProVerif tool.
Figure 10. Time cost of Phase IV operations.
Figure 11. Communication overhead comparison for key agreement and session establishment using the ML-AKA protocol.
Figure 12. Comparison of communication overhead for the key agreement step.
Figure 13. Comparison of communication overhead for the session establishment step.
Abstract
1. Introduction
- Issue: Associations between 5G and 4G lead to increases in network complexity and operational complexity.
- Solution: In the proposed NSA-based C-IoT architecture, entities in the LTE core network handle all the control and management functionalities. This will help to smooth the transition of C-IoT devices from 4G to 5G networks.
- Issue: The key generation and key management strategies of 4G and 5G are slightly different.
- Solution: The proposed architecture uses a multi-layer authentication mechanism to reduce computational complexity within the network elements and user devices.
- Issue: An increase in the heterogeneity among IoT devices requires a variety of security keys and key management strategies.
- Solution: In the proposed work, uniform key sharing (UKS) uses some encrypted keys that can be used at various levels of the C-IoT network.
- We have proposed an end-to-end NSA-based C-IoT architecture to identify and demonstrate the possible security holes.
- We have developed a common key-based ML-AKA security protocol to establish secure communication between devices present across a multi-layer architecture.
- We have proposed mathematical models for the generation, authentication, and verification of keys in a multi-tier architecture.
2. Related Work
Authors and Years | Method and Approach | Contribution(s) | Limitation(s)
---|---|---|---
Alam et al. [4] (2015) | DHKE method for LTE network | Secure from potential DDoS attack | Prone to MITM attack
Jover et al. [8] (2015) | Multilevel security protocol for device-to-device communication | Secures IoT devices from attacks that occur at the network layer | Developed protocol provides protection against physical layer attacks
Yao et al. [10] (2016) | Group-based secure (GBS) key verification and validation method | User block for each group uses a designated encoded header with each data packet | Group header increases required bandwidth and processing time
Raghothaman et al. [6] (2016) | Distributed key exchange (DKE) technique for IoT applications | Reduces data injection attacks at the end-user IoT devices | Key distribution is complex
Wang et al. [5] (2017) | Universal key exchange mechanism for cellular networks | Secures packet transmission over the transmission channels | Increases communication overhead due to the use of extra headers
Sun et al. [11] (2019) | Elliptic curve method for 5G cellular networks | Lightweight public key-based cryptosystem | Implementation complexity is high
Yan et al. [12] (2023) | EGHA protocol for cellular networks | A temporary ID-based authentication protocol for 5G-based V2X | Increases computational complexity with the added TID
Li et al. [13] (2023) | AGMA code to reduce handover signalling in 5G-V2X | Inter- and intra-AMF handover secure solution | Other core elements are not considered
Ranaweera et al. [14] (2024) | RSA and ECC encryption method for migrated data | Service Migration Security Framework (SMSF) for 5G networks | Not useful for heterogeneous networks
3. Interfaces and Communication Links for NSA-Based C-IoT Networks
3.1. Device and Gateway
3.2. Access Network
3.3. LTE Core and EPC Network
3.4. Application and Connectivity Platform
4. Important Security Issue in NSA-Based C-IoT Architecture
- The use of distinct unique IDs for different IoT devices or objects by user equipment can lead to confusion for mobile equipment and other IoT devices in terms of identification and authentication.
- The lack of availability of efficient algorithms for the IoT objects or device identification leads to security failures in the IoT system.
5. D2D Authentication Process for Cellular IoT Network
- UE/DE and the core network should be mutually authenticated.
- UE, MME, and eNodeB should preserve ciphering, integrity and replay protection.
- To prevent identity theft, the access network should use a temporary identity instead of the permanent identity of the user.
5.1. Key Generation and Authentication Process in the LTE Framework
- K is a random bit string that serves as the subscriber's master key; it is stored in the USIM and in the AuC.
- The intermediate keys (CK, IK) are 128-bit keys derived from the root key K.
- The access security management entity key () is generated from the intermediate keys (CK, IK) together with two additional parameters: the serving network ID and a bitwise sum of two further parameters. The is distributed as the local master key.
- The key for the evolved node B () is derived from and an additional input counter. This additional input ensures that each new key differs from the previous one.
- The keys , and are used to protect the integrity of RRC signalling and to authenticate subscribers. The key derivation achieves key separation and prevents related-key attacks. Once any key is changed, only the dependent keys are unaffected.
5.2. Authentication Vector Generation Process in the LTE Framework
- Message Authentication Code, MAC = fun1.
- Expected (calculated) response, XRES = fun2.
- Cipher Key, CK = fun3.
- Nobility Key, NK = fun4.
- Obscurity Key, OK = fun5.
- Authentication Token, AUTN = (SQN XOR AK).
5.3. The Standard EPS-AKA Authentication and Key Agreement Protocol
- The UE sends service requests to the core network.
- In order to generate the EPS authentication vectors, an MME request is sent to HSS and dispensed back to MME.
- MME and HSS mutually authenticate each other and share keys between them.
- The UE dispenses secret data to the serving networks by combining the session key with the integrity key.
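The key hierarchy of Section 5.1, the authentication-vector functions of Section 5.2 and the EPS-AKA challenge/response of Section 5.3 can be traced in one small model. The following is an added illustration, not code from the paper or from 3GPP: fun1 to fun5 and the KDF are modelled as labelled HMAC-SHA256 (an assumption; real networks use MILENAGE/TUAK and the 3GPP KDF), AUTN is assembled in the usual (SQN XOR AK) || AMF || MAC layout, and the root key, SQN values and serving-network ID are constructed demo values.

```python
"""
Toy model of the LTE key hierarchy (5.1), authentication-vector generation (5.2)
and the EPS-AKA challenge/response (5.3). Added example, not the paper's code.
Assumption: fun1..fun5 and the KDF are HMAC-SHA256 with a label, truncated.
"""
import hashlib
import hmac
import os
from typing import Optional

SQN_LEN, AK_LEN, MAC_LEN, RES_LEN, KEY_LEN = 6, 6, 8, 8, 16


def prf(key: bytes, label: bytes, *parts: bytes, out_len: int) -> bytes:
    """Stand-in for fun1..fun5 / KDF: HMAC-SHA256 over label || inputs, truncated."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k: bytes, sqn: bytes, rand: bytes, amf: bytes = b"\x80\x00") -> dict:
    """HSS/AuC side (5.2): MAC, XRES, CK, IK, AK and AUTN = (SQN xor AK) || AMF || MAC."""
    mac = prf(k, b"fun1", sqn, rand, amf, out_len=MAC_LEN)  # message authentication code
    xres = prf(k, b"fun2", rand, out_len=RES_LEN)           # expected response
    ck = prf(k, b"fun3", rand, out_len=KEY_LEN)             # cipher key
    ik = prf(k, b"fun4", rand, out_len=KEY_LEN)             # integrity key
    ak = prf(k, b"fun5", rand, out_len=AK_LEN)              # anonymity key, masks SQN
    autn = xor(sqn, ak) + amf + mac
    return {"rand": rand, "xres": xres, "ck": ck, "ik": ik, "autn": autn}


def derive_k_asme(ck: bytes, ik: bytes, snid: bytes, sqn_xor_ak: bytes) -> bytes:
    """5.1: local master key from (CK, IK), the serving-network ID and SQN xor AK."""
    return prf(ck + ik, b"KASME", snid, sqn_xor_ak, out_len=32)


def derive_k_enb(k_asme: bytes, nas_count: int) -> bytes:
    """5.1: eNodeB key from the local master key plus a counter, so each key differs."""
    return prf(k_asme, b"KeNB", nas_count.to_bytes(4, "big"), out_len=32)


def usim_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> Optional[dict]:
    """UE/USIM side: unmask SQN, verify MAC and freshness, then return RES and CK/IK."""
    conc_sqn, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
    ak = prf(k, b"fun5", rand, out_len=AK_LEN)
    sqn = xor(conc_sqn, ak)
    if not hmac.compare_digest(mac, prf(k, b"fun1", sqn, rand, amf, out_len=MAC_LEN)):
        return None  # MAC failure: the network did not prove knowledge of K
    if int.from_bytes(sqn, "big") <= last_sqn:
        return None  # synchronisation failure: replayed or stale AUTN
    return {
        "res": prf(k, b"fun2", rand, out_len=RES_LEN),
        "ck": prf(k, b"fun3", rand, out_len=KEY_LEN),
        "ik": prf(k, b"fun4", rand, out_len=KEY_LEN),
        "sqn_xor_ak": conc_sqn,
    }


def run_eps_aka(k: bytes, hss_sqn: int, ue_last_sqn: int,
                snid: bytes = b"SNID-demo", rand: Optional[bytes] = None) -> Optional[bytes]:
    """5.3 end to end: HSS builds the AV, the MME challenges the UE and compares RES
    with XRES; on success both sides hold the same local master key, which is returned."""
    rand = rand if rand is not None else os.urandom(16)
    av = generate_av(k, hss_sqn.to_bytes(SQN_LEN, "big"), rand)       # HSS -> MME
    ue = usim_respond(k, av["rand"], av["autn"], ue_last_sqn)         # MME -> UE challenge
    if ue is None or not hmac.compare_digest(ue["res"], av["xres"]):  # UE -> MME response
        return None
    k_asme_mme = derive_k_asme(av["ck"], av["ik"], snid, av["autn"][:SQN_LEN])
    k_asme_ue = derive_k_asme(ue["ck"], ue["ik"], snid, ue["sqn_xor_ak"])
    return k_asme_mme if k_asme_mme == k_asme_ue else None


if __name__ == "__main__":
    K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo root key
    k_asme = run_eps_aka(K, hss_sqn=42, ue_last_sqn=41)
    print("authenticated:", k_asme is not None)
    print("K_eNB differs per counter:", derive_k_enb(k_asme, 1) != derive_k_enb(k_asme, 2))
```

The two rejection paths in `usim_respond` are the ones a defender cares about: a wrong MAC means the challenger does not hold K, and a non-increasing SQN means an old AUTN is being replayed, which is exactly why AUTN carries SQN masked by AK rather than a bare random value.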
6. The Novel ML-AKA Protocol for the 5G-NSA Based C-IoT Network
- Personal Area Authentication (PAA): Authentication of the local devices for end-to-end secure communication establishment, dealing with local communication and personal devices, as shown in Figure 4.
- Local Area Authentication (LAA): The link between the devices and eNodeB is secured by using LAA. This deals with the authentication and secure data transfer between end-to-end devices through an eNodeB, as shown in Figure 5.
- Global Area Authentication (GAA): The communication between eNodeB and the core network, along with the local component, is secured by GAA. The GAA includes EPC security, physical channel security, etc., as shown in Figure 6.
- System model setup: In the system model setup stage, different devices generate some common parameters and create key agreements for D2D communication.
- Roaming registration of devices: The following steps of roaming registration allow authentic D2D communication to be achieved.
  1. Devices ( where i = 1, 2) register with the in order to acquire local area resources and take care of local area authentication (LAA). The device identities (, ) are used in the registration requests that the devices send to their AP.
  2. After the registration request from to the has been accepted, the authentication request is sent to the eNodeB; each request carries its own identity () for verification purposes.
  3. After accepting the authentication request, the eNodeB server checks the legitimacy of the access point through the . If the authentication request was not sent by a legitimate AP, the eNodeB simply rejects it and halts the process. When the authentication request comes from the authorized devices () and access point (), the eNodeB generates authentication information that contains a roaming key . The roaming key is calculated with a cryptographic key derivation function (KDF).
  4. After obtaining the authentication information (), the and mutually authenticate each other. Along with authenticating and verifying legitimacy, both the and derive the D2D fun key from the roaming key . The D2D session key is then generated from the D2D fun key .
- D2D connection establishment: In the D2D connection establishment phase, the two nearest devices ( and ) discover each other and share a random secret key (). If the shared random secret key () matches, a D2D connection is established.
- Session key generation for D2D: After the secure D2D or D2X connection has been established, the session key generation process begins, which consists of the following steps:
  1. One device () initiates the session key generation process by sending a device-to-device session request to its access point (). The device identities and are used in the D2D session request.
  2. After receiving the session request, verifies the legitimacy of the respective devices. Session requests are only accepted for legitimate devices. A single session identity, denoted , is used. then picks a random nonce value and sends a key agreement request consisting of , , and .
  3. Once the has sent the key agreement request, it confirms the legitimacy of and approves the D2D services. After selecting a new random nonce value , delivers the device identities (, ) to .
  4. Having shared their IDs, and generate a random pre-shared key () with the use of XOR functions. Once the key has been generated, it is sent to both devices (, ) attached to the eNodeB to establish a session. During this session, the management and key exchange request sent from to contains 's identity and the session identity , while the request sent from to contains , () and .
  5. Devices and choose random nonce values a and b, which are used to generate the session keys and , respectively. Before the session keys are exchanged, the message authentication codes and are computed for and with a hashed MAC (HMAC) and the common secret key .
  6. After obtaining and , the devices (, ) verify the HMAC by computing their common secret key . If the verification succeeds, a D2D session key = = is generated.
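Steps 4 to 6 of the session key generation above can be exercised with a small two-device model. This is an added illustration, not the paper's protocol code: the eNodeB provisions a session identity and a common secret to both devices, each device authenticates its identity, the session identity and a fresh nonce under HMAC-SHA256, and the peer's tag is verified before the session key is derived. The message layout, the length-prefixed HMAC input and the session-key KDF are assumptions; the device identities are constructed values.

```python
"""
Toy model of the ML-AKA D2D session-key phase (steps 4 to 6). Added example,
not the paper's code. Assumptions: HMAC-SHA256 for the MAC, a KDF over
(K_common, SID, nonces) for the session key, and a tuple message layout.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

Msg = Tuple[bytes, bytes, bytes, bytes]  # (DID, SID, nonce, HMAC tag)


def hmac_tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed fields so DID/SID/nonce boundaries are unambiguous."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_session_key(k_common: bytes, sid: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """SK = KDF(K_common, SID, a, b); nonces are sorted so both peers compute the same key."""
    lo, hi = sorted((nonce_a, nonce_b))
    return hmac_tag(k_common, b"D2D-session-key", sid, lo, hi)


class Device:
    def __init__(self, did: bytes):
        self.did = did
        self.sid: Optional[bytes] = None
        self.k_common: Optional[bytes] = None
        self.nonce: Optional[bytes] = None

    def provision(self, sid: bytes, k_common: bytes) -> None:
        """Step 4: receive the session identity and the common secret from the eNodeB."""
        self.sid, self.k_common = sid, k_common

    def key_exchange_message(self) -> Msg:
        """Step 5: pick a fresh nonce and authenticate (DID, SID, nonce) with HMAC."""
        self.nonce = os.urandom(16)
        return (self.did, self.sid, self.nonce,
                hmac_tag(self.k_common, self.did, self.sid, self.nonce))

    def accept_peer(self, msg: Msg) -> Optional[bytes]:
        """Step 6: verify the peer's HMAC, then derive the D2D session key."""
        peer_did, sid, peer_nonce, tag = msg
        if self.nonce is None or sid != self.sid or peer_did == self.did:
            return None  # no local nonce yet, wrong session, or a reflected message
        expected = hmac_tag(self.k_common, peer_did, sid, peer_nonce)
        if not hmac.compare_digest(tag, expected):
            return None  # sender does not hold the common secret: reject
        return derive_session_key(self.k_common, sid, self.nonce, peer_nonce)


def enodeb_provision(d1: Device, d2: Device) -> bytes:
    """eNodeB role: choose the session identity and the common secret for the pair."""
    sid, k_common = os.urandom(8), os.urandom(32)
    d1.provision(sid, k_common)
    d2.provision(sid, k_common)
    return sid


def run_d2d_session(d1: Device, d2: Device) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Full exchange: provision, swap authenticated nonces, derive keys on both sides."""
    enodeb_provision(d1, d2)
    m1, m2 = d1.key_exchange_message(), d2.key_exchange_message()
    return d1.accept_peer(m2), d2.accept_peer(m1)


if __name__ == "__main__":
    sk1, sk2 = run_d2d_session(Device(b"D1"), Device(b"D2"))  # constructed device IDs
    print("session keys match:", sk1 is not None and sk1 == sk2)
```

The checks in `accept_peer` map directly onto the security goals of Section 6.2: the HMAC ties the nonce to the sender's identity and the session, the session-identity comparison stops a message from one session being reused in another, and a device that was never provisioned by the eNodeB cannot produce a tag that verifies.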
6.1. Accuracy of the ML-AKA Protocol
6.2. Security Assessment
- Mutual authentication among the devices present in the network: The ML-AKA protocol follows the security framework of EPS architecture and inherits the security features for ML-AKA device-to-device communication and the mutual authentication between the devices and APs. The ML-AKA protocol uses HMAC functions and some secret authentication keys like and to perform authentication between devices. In order to compute the common secret key and achieve the MAC verification, the shared secret and are used. The common secret is used to generate and for and , respectively, and is also used to authenticate the identity of devices which are communicating with each other.
- Manage session with the use of session keys: Devices communicate with each other for a particular session prior to the exchange of actual information. This session is created by generating and exchanging some session keys between the devices. In ML-AKA protocols, the generated session keys are exchanged between entities that are present across various levels.
- Enhance session key privacy: In cellular-based IoT communication, heterogeneous types of devices are connected to each other by sharing secret keys through eNodeB and the core network. The primary objective of core network entities like MME and HSS is to maintain this privacy and preserve the identity of the shared secret keys. However, in some cases, if the LTE core network entities are compromised, data exchanged between the IoT devices can be easily evaluated by the third party. To avoid this, the ML-AKA protocol disallows outside attacks, meaning that attackers are unable to access the plaintext.
- Reduce the probability of security attacks at the network junction: In the traditional C-IoT network, the channels between the APs are secured with the help of a standard EPS-AKA protocol under the 3GPP standard. But communication channels between APs and IoT devices are secured by the standard Wi-Fi Protected Access (WPA) protocol under the IEEE 802.11 standard. Due to this difference in the protocols and authentication mechanism, unauthorized malicious attackers may target the transition points. To reduce the likelihood of this occurring, the ML-AKA protocol uses a common key that can be used interoperatively in all the forms of communication passing through the C-IoT architecture.
7. Simulation and Protocol Performance Analysis
7.1. Protocol Performance Analysis
7.2. ML-AKA Protocol Computational Cost
- Devices ().
- Access Points ().
- eNodeB.
7.3. Communication Overhead
8. Conclusions and Future Scope
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Atzori, L.; Iera, A.; Morabito, G. The internet of things: A survey. Comput. Netw. 2010, 54, 2787–2805. [Google Scholar] [CrossRef]
- Evans, D. The Internet of Things How the Next Evolution of the Internet Is Changing Everything. Available online: https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf (accessed on 10 April 2011).
- Saxena, N.; Grijalva, S.; Chaudhari, N.S. Authentication protocol for an IoT-enabled LTE network. ACM Trans. Internet Technol. (TOIT) 2016, 16, 25. [Google Scholar] [CrossRef]
- Alam, M.; Yang, D.; Rodriguez, J.; Abd-alhameed, R. Secure device-to-device communication in LTE-A. IEEE Commun. Mag. 2014, 52, 66–73. [Google Scholar] [CrossRef]
- Wang, M.; Yan, Z.; Niemi, V. UAKA-D2D: Universal Authentication and Key Agreement Protocol in D2D Communications. Mob. Netw. Appl. 2017, 22, 510–525. [Google Scholar] [CrossRef]
- Raghothaman, B.; Deng, E.; Pragada, R.; Sternberg, G.; Deng, T.; Vanganuru, K. Architecture and protocols for LTE-based device to device communication. In Proceedings of the Computing, Networking and Communications (ICNC), San Diego, CA, USA, 28–31 January 2013; pp. 895–899. [Google Scholar]
- Forsberg, D.; Horn, G.; Moeller, W.D.; Niemi, V. LTE Security; John Wiley & Sons: Hoboken, NJ, USA, 2012. [Google Scholar]
- Jover, R.P. Security and impact of the IoT on LTE mobile networks. In Security and Privacy in Internet of Things (IoTs): Model, Algorithms, Implementations; CRC Press: Boca Raton, FL, USA, 2015; Volume 6. [Google Scholar]
- Hu, F. Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations; CRC Press: Boca Raton, FL, USA, 2016. [Google Scholar]
- Yao, J.; Wang, T.; Chen, M.; Wang, L.; Chen, G. GBS-AKA: Group-based secure authentication and key agreement for M2M in 4G network. In Proceedings of the 2016 International Conference on Cloud Computing Research and Innovations (ICCCRI), Singapore, 4–5 May 2016; IEEE: Piscataway, NJ, USA, 2016; pp. 42–48. [Google Scholar]
- Sun, Y.; Cao, J.; Ma, M.; Li, H.; Niu, B.; Li, F. Privacy-preserving device discovery and authentication scheme for D2D communication in 3GPP 5G HetNet. In Proceedings of the 2019 International Conference on Computing, Networking and Communications (ICNC), Honolulu, HI, USA, 18–21 February 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 425–431. [Google Scholar]
- Yan, X.; Ma, M.; Su, R. Efficient Group Handover Authentication for Secure 5G-Based Communications in Platoons. IEEE Trans. Intell. Transp. Syst. 2023, 24, 3104–3116. [Google Scholar] [CrossRef]
- Li, G.; Lai, C. Platoon handover authentication in 5G-V2X: IEEE CNS 20 poster. In Proceedings of the 2020 IEEE Conference on Communications and Network Security (CNS), Virtually, 29 June–1 July 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 1–2. [Google Scholar]
- Ranaweera, P.; Yadav, A.K.; Liyanage, M.; Jurcut, A.D. A Novel Authentication Protocol for 5G gNodeBs in Service Migration Scenarios of MEC. IEEE Trans. Dependable Secur. Comput. 2024, 21, 2930–2948. [Google Scholar] [CrossRef]
- Wang, M.; Yan, Z. A survey on security in D2D communications. Mob. Netw. Appl. 2017, 22, 195–208. [Google Scholar] [CrossRef]
- Doppler, K.; Rinne, M.; Wijting, C.; Ribeiro, C.B.; Hugl, K. Device-to-device communication as an underlay to LTE-advanced networks. IEEE Commun. Mag. 2009, 47. [Google Scholar] [CrossRef]
- Køien, G.M. Mutual entity authentication for LTE. In Proceedings of the Wireless Communications and Mobile Computing Conference (IWCMC), Istanbul, Turkey, 4–8 July 2011; IEEE: Piscataway, NJ, USA, 2011; pp. 689–694. [Google Scholar]
- Zhang, M.; Fang, Y. Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Trans. Wirel. Commun. 2005, 4, 734–742. [Google Scholar] [CrossRef]
- Liu, Y.; Xu, Y.; Li, D.; Wang, W. Device-to-device communication in LTE-A cellular networks: Standardization, architecture, and challenge. In Proceedings of the Vehicular Technology Conference (VTC Spring), Seoul, Republic of Korea, 18–21 May 2014; pp. 1–5. [Google Scholar]
- Wang, M.; Yan, Z. Security in D2D communications: A review. In Proceedings of the Trustcom/BigDataSE/ISPA, Helsinki, Finland, 20–22 August 2015; Volume 1, pp. 1199–1204. [Google Scholar]
- Muthana, A.A.; Saeed, M.M. Analysis of user identity privacy in LTE and proposed solution. Int. J. Comput. Netw. Inf. Secur. 2017, 9, 54. [Google Scholar] [CrossRef]
- Alezabi, K.A.; Hashim, F.; Hashim, S.J.; Ali, B.M. An efficient authentication and key agreement protocol for 4G (LTE) networks. In Proceedings of the Region 10 Symposium, Kuala Lumpur, Malaysia, 14–16 April 2014; pp. 502–507. [Google Scholar]
- Jumaa, N.K. Implementation of Enhanced AKA in LTE Network. Int. J. Comput. Sci. Mob. Comput. 2015, 4, 1124–1132. [Google Scholar]
- Armando, A.; Basin, D.; Boichut, Y.; Chevalier, Y.; Compagna, L.; Cuéllar, J.; Drielsma, P.H.; Héam, P.C.; Kouchnarenko, O.; Mantovani, J.; et al. The AVISPA tool for the automated validation of internet security protocols and applications. In Proceedings of the International Conference on Computer Aided Verification, Edinburgh, UK, 6–10 July 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 281–285. [Google Scholar]
- Ramadan, M.; Li, F.; Xu, C.; Mohamed, A.; Abdalla, H.; Ali, A.A. User-to-User Mutual Authentication and Key Agreement Scheme for LTE Cellular System. IJ Netw. Secur. 2016, 18, 769–781. [Google Scholar]
- Aiash, M.; Mapp, G.; Lasebae, A.; Phan, R. Providing security in 4G systems: Unveiling the challenges. In Proceedings of the 2010 Sixth Advanced International Conference on Telecommunications, Barcelona, Spain, 9–15 May 2010; pp. 439–444. [Google Scholar]
- Bikos, A.N.; Sklavos, N. LTE/SAE security issues on 4G wireless networks. IEEE Secur. Priv. 2013, 11, 55–62. [Google Scholar] [CrossRef]
- He, D.; Wang, J.; Zheng, Y. User authentication scheme based on self-certified public-key for next generation wireless network. In Proceedings of the 2008 International Symposium on Biometrics and Security Technologies, Islamabad, Pakistan, 23–24 April 2008; pp. 1–8. [Google Scholar]
- Yue, J.; Ma, C.; Yu, H.; Zhou, W. Secrecy-based access control for device-to-device communication underlaying cellular networks. IEEE Commun. Lett. 2013, 17, 2068–2071. [Google Scholar] [CrossRef]
Acronyms and Symbols | Explanation
---|---
/ | Device i and its identity
/ | AP number and its unique ID
 | Secret key shared between and eNodeB
KDF | Cryptographic function (Key Derivation Function)
 | Session key generated with the help of random nonce values a and b
 | Hash function based Message Authentication Code
eNodeB | Evolved node B
SQN | Sequence number
SNID | Serving network identity
AK/XAK | Anonymity key
CK/XCK | Cipher key
IK/XIK | Integrity key
SK/K | Secret key shared between devices () and eNodeBs
 | Key set identifier for each
ACK | Acknowledgement
 | Roaming key
 | D2D fun key
 | Random nonce value
 | Random value chosen by eNodeB
 | Shared random secret key
 | Session identity
 | Common secret key
 | D2D session key
 | Evolved key set identifier
Protocol Name | Parse Time (Tp) | Search Time (Ts) | Visited Nodes | Depth |
---|---|---|---|---|
EPS-AKA | 0.031 s | 2.22 s | 1360 nodes | 10 plies |
UAKA-D2D | 0.043 s | 1.73 s | 1360 nodes | 10 plies |
ML-AKA | 0.01 s | 1.40 s | 1360 nodes | 10 plies |
Device Name | Phase | Time |
---|---|---|
Devices () | Phase 2 | |
Phase 3 | - | |
Phase 4 | ||
Access Points () | Phase 2 | |
Phase 3 | - | |
Phase 4 | ||
eNodeB | Phase 2 | |
Phase 2 | - | |
Phase 4 | - |
Attack | EPS-AKA | UAKA-D2D | ML-AKA
---|---|---|---
DDoS Mitigation | ✓ | ✓ | ✓
Spoofing Attack | × | ✓ | ✓
MITM Attack | × | × | ✓
Replay Attack | ✓ | ✓ | ✓
Length of the Security Parameters (Bits)
Parameters | Size (Bits)
---|---
DID | 128
eNodeB/APID | 64
SID | 64
 | 
, | 
 | 256
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Mahapatra, B.; Singh, V.; Bhattacharjee, R.; Srinivasan, C.R. ML-AKA: An Authentication Protocol for Non-Standalone 5G-Based C-IoT Networks. Designs 2024, 8, 128. https://doi.org/10.3390/designs8060128