(IJCNS) International Journal of Computer and Network Security, 137

Vol. 2, No. 2, February 2010

Comprehensive analysis of UMTS Authentication

and Key Agreement
Engr. Mujtaba Hassan1, Engr. Munaza Razzaq2 and Engr. Asim Shahzad3
1
Kohat University of Sciences and Technology, Kust Institute of Engineering Sciences,
Department of Computer Engineering, Kohat. Pakistan
engr.mujtabahassan@gmail.com
2
NWFP University of Engineering and Technology Peshawar, Abbottabad Campus
Near Post Graduate College No. 2 University Road Mandian, District Abbottabad, Pakistan.
engr.munaza_razzaq@yahoo.com

3
University of Engineering and Technology Taxila, Pakistan
asim.shahzad@uettaxila.edu.pk

and enhanced security features that are designed to stop

Abstract: This paper presents an analysis and evaluation
of the security of UMTS. This paper provides information on the
3rd generation mobile communication system, UMTS, its
Authentication and Key Agreement (AKA) procedures and
security aspects. The AKA procedure is the essence of
authenticating a user to the network and vice versa. AKA
procedures in UMTS have increased security compared with
GSM. The new feature of two-way authentication eliminates the
problem with false base stations. This is a very important
security improvement. Even though the security has improved in
some areas, there are still security features that should be
improved. Some weaknesses are also pointed out in UMTS. One
of the major weaknesses in UMTS is sending IMSI in plaintext.
We have simulated this weakness pointed out in the literature
survey. In this paper we have shown simulation scenarios for an
attack on IMSI of MS when it sends a registration request to the
serving network.
Keywords: UMTS, AKA, IMSI, Security
threats [2], [3], [4], [5], [15]. These include: Mutual
Authentication which allows the mobile user and serving
network(SN) to authenticate each other [6], Network to
Network security that secure communication between
serving networks which suggested the use of IP security to
do so, wider security scope, secure International Mobile
Subscriber identity (IMSI) usage, user to mobile station
authentication where more flexibility in that security
features can be extended and enhanced as required by new
threats and services plus GSM compatibility.
2. UMTS Security Architecture
The security architecture in UMTS is based on three
security principles: Authentication, Confidentiality and
Integrity

1. Introduction 2.1 Authentication

The Universal Mobile Telecommunications System (UMTS)
is one of the new ‘third generation’ (3G) mobile cellular
communication systems being developed within the
framework defined by the International
Telecommunications Union (ITU) known as IMT-20001.
UMTS security builds on the success of Global System for
Mobile communications (GSM) by providing new and
enhanced security features. UMTS aims to provide a
broadband, packet-based service for transmitting video, text,
digitized voice, and multimedia at data rates of up to 2
Mbps while remaining cost effective. UMTS utilizes Code
Division Multiple Access (CDMA) as it is far better suited
for fast data stream transfer. Although GSM security has
been very successful but GSM suffers from security
problems such as weak authentication and encryption
algorithms, short secret key length (only 32 bits) with no
network authentication. This has lead to false base station
attack and lack of data integrity, allowing denial of service
attacks, limited encryption scope and insecure key
transmission. An objective of the UMTS security design was
to address weaknesses [1] in GSM. UMTS introduces new
Authentication is provided to assure the claimed identity of
an entity. A node that wants to authenticate itself to
someone has to show its own identity. This can be done
either by showing knowledge of a secret only the nodes
involved knows; or by letting a third party that both nodes
trusts, vouch for their identities.
Authentication in UMTS is divided into two parts:
• Authentication of the user towards the network
• Authentication of the network towards the user
2.2 Confidentiality
Confidentiality is to keep information secured from
unwanted parties. With more and more people using the
terminals for both personal and business calls (e.g. online
services like banking) the need for keeping the
communication secure grows rapidly. Confidentiality in
UMTS is achieved by ciphering communications between
the subscriber and the network and by referring to the
subscriber by temporary (local) identities instead of using
the global identity, IMSI. The properties that should be
confidential are:
• The identity of the subscriber
138
• The current location of the subscriber
• User data (both voice and data communications
should be kept confidential).
2.3 Integrity
Sometimes a message’s origin or contents have to be
verified. Even though it might come from a previously
authenticated party, the message may have been tampered
with. To avoid this, integrity protection is necessary. The
message itself might not even have to be confidential; the
important thing is that it’s genuine. The method for
integrity protection in UMTS is to generate stamps to be
added to messages. The stamps can only be generated at the
nodes that know the keys derivate of the pre-shared secret
key, K. They are stored in the Universal Subscriber Identity
module (USIM) and the Authentication Centre (AuC). It is
very important to offer integrity protection, especially since
the SN often is operated by another operator than the
subscriber’s own operator. The property that should be
integrity protected is: Signaling messages and signaling
data.
3. Authentication and Key Agreement
The authentication is performed by the Authentication and
Key Agreement (AKA) procedure [7]. The AKA procedure
is built on the RIJNDAEL block cipher [8]. In addition to
authentication, AKA procedure also results in the Cipher
Key (CK) and the Integrity Key (IK). In UMTS, only the
encryption mode of the RIJNDAEL block cipher is used [9]
as an iterated hash function [10]. The block and key length
have been set to 128-bit. The USIM AKA (Fig. 1) is chosen
in such a way as to achieve maximum compatibility with the
current GSM/GPRS security architecture. [11], [12]. USIM
AKA is a one-pass challenge response protocol [13], [14].
Figure 1. UMTS Authentication and Key Agreement [8]
3.1 When to use AKA
• Registration of a user in a SN
• After a service request
• Location Update Request
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 2, February 2010
• Attach Request
• Detach request
• Connection re-establishment request
Registration of a subscriber in a SN typically occurs when
the user goes to another country. The first time the
subscriber then connects to the SN, he gets registered in the
SN. Service Request is the possibility for higher-level
protocols/applications to ask for AKA to be performed. E.g.
performing AKA to increase security before an online
banking transaction. The terminal updates the Home
Location Register (HLR) regularly with its position in
Location Update Requests. Attach request and detach
request are procedures to connect and disconnect the
subscriber to the network. Connection re-establishment
request is performed when the maximum number of local
authentications has been conducted. In the following an
overview of how the UMTS AKA protocol works is given:
3.2 Procedures
Authentication and key agreement (Fig. 2) [16] consists of
two procedures: First, the Home Environment (HE)
distributes authentication information to the SN. Second, an
authentication exchange is run between the user and the SN.
Figure 2. Overview of Authentication and Key Agreement
[16]
Figure 2 shows that, after receiving an authentication
information request, the HE generate an ordered array of n
authentication vectors. Each authentication vector (AV)
consists of five components (and hence may be called a
UMTS ‘quintet’ in analogy to GSM ‘triplets’): A random
number RAND, an expected response XRES, a cipher key
CK, an integrity key IK and an authentication token AUTN.
This array of n authentication vectors is then sent from the
HE to the SN. It is good for n authentication exchanges
between the SN and the USIM. In an authentication
exchange the SN first selects the next (the i-th) AVfrom the
array and sends the parameters RAND(i) and AUTN(i) to
 (IJCNS) International Journal of Computer and Network Security, 139
Vol. 2, No. 2, February 2010

the user. The USIM checks whether AUTN(i) can be

accepted and, if so, produces a response RES(i) which is
sent back to the SN. AUTN(i) can only be accepted if the
sequence number contained in this token is fresh. [16] The
USIM also computes CK(i) and IK(i). The SN compares the
received RES(i) with XRES(i). If they match, the SN
considers the authentication exchange to be successfully
completed. The established keys CK(i) and IK(i) will then
be transferred by the USIM to the mobile equipment(ME)
and by the Visitor Location Register (VLR) or Serving
General packet Radio Service Support Node(SGSN) to the
Radio Network Controller (RNC); the keys are then used by
the ciphering and integrity functions in the Mobile Station Figure 3. AV and Key Generation in AuC [17]
(MS) and in the RNC.
.
4. AKA Algorithms 5.2 Functions in USIM
The security features of UMTS are fulfilled with a set of To generate the output keys in the USIM it has only one of
cryptographic functions and algorithms.[17] A total of 10 the four parameters that the AuC has the pre-shared secret
functions are needed to perform all the necessary features, key (K). The rest of the parameters it has to receive from the
f0-f5, f1*, f5*, f8 and f9. AuC.

Table 1: Authentication Functions [17]

Functio Description Output

n
f0 Random challenge generating RAND
function
f1 Network authentication function MAC-
A/XMAC-A
f1* Re-synchronization message MAC-
authentication function S/XMAC-S

f2 User authentication function RES/XRES

f3 Cipher key derivation function CK
Figure 4. RES Generation in USIM [17]
f4 Integrity key derivation function IK
f5 Anonymity key derivation function AK When the USIM receives the (RAND||AUTN) pair it starts
by generating the Anonymity Key (AK) by applying
f5* Anonymity key derivation function AK function f5 on the received RAND. By XOR-in the AK with
for the resynchronization message
function the (SQN XOR AK) from the Authentication Token, the
f8 Confidentiality key stream <Key stream sequence number of the AuC is revealed (SQNHE). [17] The
generating function block> secret key K is then used with the received AMF, SQN and
f9 Integrity stamp generating function MAC- RAND to generate the Expected Message Authentication
I/XMAC-I Code (XMAC-A). This is then compared with the MAC-A.
If the X-MAC and MAC matches, the USIM have
5. Key Generation functions authenticated that the message (RAND||AUTN pair) is
originated in its HE.
The functions f1-f5* are called key generating functions and
are used in the initial Authentication and Key Agreement
6. Authentication parameters
procedures.
The parameters used in the Authentication and Key
5.1 Functions in AuC
Agreement procedure are: AV, AUTN, RES and XRES,
When generating a new AV the AuC reads the stored value MAC-A and XMAC-A, AUTS, MAC-S and XMAC-S [17].
of the sequence number, SQNHE and then generates a new
SQN and a random challenge RAND [17].
140
Table2: Size of Authentication Parameters [17]
7. Integrity function
The integrity protection of signaling messages between
Mobile Equipment (ME) and RNC starts during the security
mode set-up as soon as the integrity key and integrity
protection algorithm is known. A MAC function is applied
to each individual signaling message at the RRC layer of
UMTS Terrestrial Radio Access Network (UTRAN)
protocol stack [14]
Figure 5. Integrity Function [14]
Figure 5 illustrates the use of integrity algorithm f9 to
authenticate the data integrity of an RRC signaling
message. Input Parameters to the integrity function are
COUNT, IK, FRESH and Message [17].
8. Confidentiality function
In the 3G Security, user data and some signaling
information elements are considered sensitive and may be
confidentiality protected [14]. The need for a protected
mode of transmission is fulfilled by a confidentiality
function f8 as shown in Fig.6 [14]. The encryption function
is applied on dedicated channels between the ME and the
RNC
[14].
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 2, February 2010
Figure 6. Confidentiality function
Table 4: Input parameters to confidentiality function [17]
Both f8 and f9 algorithms are based on KASUMI algorithm.
The block cipher KASUMI is a modification of MISTY1
[14], [18]. KASUMI has been tested by the design team and
independent evaluation teams using crypt analytical
methods [19]. KASUMI constructions have also been
proven to provide pseudo randomness.
9. Weaknesses in UMTS security
mechanisms
To sum up, the main weaknesses in UMTS security
mechanism are:
• Integrity keys used between UE and RNC
generated in VLR/SGSN are transmitted
unencrypted to the RNC (and sometimes between
RNCs).
• IMSI is transmitted in unencrypted form.
• For a short time during signaling procedures,
signaling data are unprotected and hence exposed
to tampering.
10. Simulation Scenarios
Our simulation which identifies the problem is developed
and tested on the version designed for the Microsoft
Windows environment, MATLAB R2008a. Figure 7 is the
screenshot for the normal AKA procedure and figure 8
shows that an intruder has captured the IMSI of MS, as it
was transmitted in plain text.
 (IJCNS) International Journal of Computer and Network Security, 141
Figure 7. AKA normal procedure
It can be seen from Figure 8 and 9 that after the intruder has
captured IMSI, it will send this IMSI to VLR/SGSN and has
authenticated itself as an original MS although it is an
attacker that is acting as an authenticated user.
Figure 8. An intruder captures the IMSI
Vol. 2, No. 2, February 2010
Figure 9. An intruder launches the attack
Rest of the five USIM functions can be generated through
SIM cloning process by the attacker in order to prove that it
is the real user which has requested the service.
This problem can be avoided by proposing such algorithm
which also encrypts the IMSI during authentication process.
This problem has also been identified in [22], [23].
11. Further developments in UMTS security
Work on the next UMTS release has started. This will
introduce new security features. Many of these features will
be introduced to secure the new services which will be
introduced, e.g. presence services, push services and
multicast/broadcast services. Looking more into the future,
mobile cellular systems will have to accommodate a variety
of different radio access networks including short-range
wireless technologies, connected to a common core network.
On the user side the concept of a monolithic terminal, as we
know it, is dissolving. Distributed terminal architectures are
appearing whose components are interconnected by short-
range radio links. These new developments represent a
major challenge to the UMTS security architecture. A
collaborative research project funded by the European
Union and called SHAMAN (Security for Heterogeneous
Access in Mobile Applications and Networks) have tackled
these issues. A separate project is also underway to identify
research topics in the area of mobile communications; this
project is called PAMPAS (Pioneering Advanced Mobile
Privacy and Security).
142
11. Conclusion
AKA procedures in UMTS have increased security
compared with GSM. The new feature of two-way
authentication eliminates the problem with false base
stations. This is a very important security improvement.
Even though the security has improved in some areas, there
are still security features that should be improved. It is not
sufficient to just require integrity protection on signaling
messages. All messages should be integrity checked, but
indirectly by requiring confidentiality protection together
with integrity. AKA concept is used to perform
authentication of the user and network, as opposed to 2G
systems, which only authenticated users in a system. The
confidentiality algorithm is stronger than its GSM
predecessor. The integrity mechanism works independent of
confidentiality protection and provides protection against
active attacks. The design of cryptographic algorithms is
open and they are extensively crypto analyzed. Moreover,
the architecture is flexible and more algorithms can be
added easily.
Although 3G Security marks a large step forward however
there are some short comings. IMSI is sent in clear text
when allocating TMSI to the user. In this paper this
problem is discussed in detail with the help of simulation
scenarios. Some future work on UMTS security architecture
is also elaborated in this paper.
References
[1] “3G Security; Security principles and objectives”,
Release 4, March, 2001.
[2] Johnson, M. (2002). Revenue Assurance, “Fraud and
Security in 3G Telecom Services. VP Business
Development Visual Wireless AB”, Journal of
Economic Management, 2002, Volume 1, Issue 2.
[3] Stalling, W. Cryptography and Network Security,
Principles and Practice. 3rd edition. USA, Prentice
Hall. 2003
[4] Stefan, P, and Fridrich R. (1998). “Authentication
Schemes for 3G mobile radio Systems”. The Ninth
IEEE International Symposium on, 1998.
[5] Zhang, M. and Fang, Y. (2005).” Security Analysis
and Enhancements of 3GPP Authentication and Key
Agreement Protocol”. IEEE Transactions on wireless
Communications, Vol. 4, No. 2. 2005
[6] 3GPP TS 21.133. “3GPP Security; Security
Architecture”.
[7] 3GPP TS 33.102, Technical Specification Group
Services and System Aspects,” 3G Security. Security
Architecture”, V 4.2.0 September 2001.
[8] Daemen J, Rijmen V. AES Proposal: Rijndael.
Available:
http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rij
ndael
[9] 3GPP TS 35.206 V4.0.0, Technical Specification Group
Services and System Aspects, 3G Security,
Specification the MILENAGE Algorithm Set: An
example algorithm set for the 3GPP authentication and
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 2, February 2010
key generation functions f1, f1*, f2, f3, f4, f5 and f5*,
Document 2: Algorithm Specification, April 2001.
[10] 3GPP TR 35.909 V4.0.0, Technical Specification
Group Services and System Aspects, 3G Security,
Specification of the MILENAGE. Algorithm Set: An
example algorithm set for the 3GPP authentication
and key generation functions f1, f1*, f2, f3, f4, f5 and
f5*, design and evaluation, April 2001.
[11] C. J. Mitchell, “Security for Mobility”, Institute of
Electrical Engineers, December, 2004.
[12] 3GPP TS 33.102 (5.2.0), “3G Security; Security
Architecture”, Release 5, June, 2003.
[13] ISO/IEC 9798-4: "Information technology – Security
techniques - Entity authentication - Part 4: Mechanisms
using a cryptographic check function"
[14] Evaluation of UMTS security architecture and services
1-4244-9701-0/06/$20.00 ©2006 IEEE
[15] “Extension of Authentication and Key Agreement
Protocol (AKA) for Universal Mobile
Telecommunication System (UMTS)International
Journal of Theoretical and Applied Computer
Sciences” Volume 1 Number 1 (2006) pp. 109–118 (c)
GBS Publishers and Distributors (India)
http://www.gbspublisher.com/ijtacs.htm
[16] UMTS Security by K. Boman, G. Horn, P. Howard,
and V. Niemi October 2002 issue of IEE Electronics &
Communication Engineering Journal.
[17] UMTS Authentication and Key Agreement - A
comprehensive illustration of AKA procedures within
the UMTS system By Jon Robert Dohmen , Lars Sømo
Olaussen, , Grimstad - Norway, May 2001
[18] M. Matsui, “Block encryption algorithm MISTY” in
Proceedings of Fast Software Encryption (FSE’97),
Volume 1267, Springer-Verlag, 1997.
[19] 3GPP TR 33.909 V1.0.0 (2000-12) Technical Report;
3rd Generation Partnership Project; Technical
Specification Group Services and System Aspects;
Report on the Evaluation of 3GPP Standard
Confidentiality and Integrity Algorithms (Release
1999)
[20] S. Babbage and L. Frisch, “On MISTY1 higher order
differential cryptanalysis”, in Proceeding of
International Conference on Information Security and
Cryptology (ICISC 2000), Lecture Notes in Computer
Science Volume. 2015, Springer-Verlag, 2001.
[21] U. Kühn, “Cryptanalysis of reduced-round MISTY”,
in Proceedings of Eurocrypt’01, Lecture Notes in
Computer Science, Volume 2045, Springer-Verlag,
2001.
[22] G. M. Koien, “Privacy enhanced cellular access
security” ACM - 2005
[23] ” S.Y. A.-R. A. Mustafa Al-Fayoumi, Shadi Nashwan,
“A new hybrid approach of symmetric/asymmetric
authentication protocol for future mobile networks
IEEE - 2007