Security Analysis on Portable Communication Systems Roaming Protocols

Speaker: Tian-Fu Lee (李添福)
Ph.D. in Computer Science and Information Engineering, National Cheng Kung University
Assistant Professor, Department of Information Communication, Leader University
Research areas: Cryptography / Network security / Wireless networks communication / Algorithmic graph theory / Database and data engineering

Outlines
- Three-Party Authenticated Key Agreements (3PAKA)
- Applications
  - Portable Communication Systems (PCSs) Roaming Services
  - RFID Protocol
  - E-Payment Protocol
  - Electronic Medical Record Security and Privacy
  - Vehicular Mobile Network
- PCSs Roaming Services
  - Application 1: GSM
  - Application 2: 3GPP AKA
  - Application 3: Authentication Technique for the Global Mobility Network
  - Application 4: Delegation-Based Authentication Protocol for PCSs
- Conclusions

Three-Party Authenticated Key Agreements
- An authenticated key agreement protocol is an interactive method for two or more parties to determine session keys based on their secret keys or public/private keys.
(Diagram: trusted server, Client A, Client B; authentication between each client and the server; key agreement / key exchange yields session key SK for secure communication.)

Portable Communication Systems Roaming Services
(Diagram: Mobile Station (PDA, cellular phone, notebook), Visited Network, Home Network; labels: Authen., Service, Request.)

Portable Communication Systems Roaming Protocol (Cont.)
- AAA: Authentication, Authorization and Accounting

RFID Protocol
(Diagram: Tag, Reader, Database Server; labels: Authen., Service, Request.)

E-Payment Protocol
(Diagram: Buyer, Seller, E-Bank; labels: Authen., Authen., Request, Deal.)

Medical Information Security: Electronic Medical Record Security and Privacy
(Diagram: IC card, hospital, government health administration agency, electronic medical record database, health insurance agency, general public; labels: Authen., Authen.)

Vehicular Mobile Network
(Diagram; label: Authen.)

PCSs Roaming Services

Roaming services
- roaming-service-setup phase (authentication)
- roaming-service-provision phase (roaming services)
H (Kuh, Kvh), V (Kvh), Ui (Kuh) => Kauth belongs to Ui and V; V (Kauth), Ui (Kauth)

GSM (second-generation mobile communication): is the communication secure?

Architecture of GSM

Authentication protocol for GSM
(Diagram: parties MS (Ki), VLR, HLR (Ki). Messages: Authen. request (TMSI, LAI); IMSI; n copies of (RANDj, SRESi, Kci); RANDj; SRESj. MS and HLR each compute (Ki, RANDj) -A3-> SRESj and (Ki, RANDj) -A8-> Kci.)

Drawbacks of the authentication protocol for GSM
- No mutual authentication between MS and VLR.
- Bandwidth consumption between VLR and HLR if MS stays in HLR for a long time.
- Many parameters are stored in the VLR database => space overhead.
- Authenticating MS needs the help of HLR for each communication.

3GPP AKA (third-generation mobile communication): is the communication secure?

3GPP AKA
- Distribution of Authentication Vector
- Authentication and Key Agreement
- Resynchronization (synchronization of sequence numbers)

3GPP AKA
Both sides hold: (K; MAC: f1, f1*, f2; KGF: f3, f4, f5, f5*)
Authentication vector: (RAND, XRES, CK, IK, AUTH)
  XRES = f2K(RAND)
  CK = f3K(RAND)
  IK = f4K(RAND)
  AK = f5K(RAND)
  MAC = f1K(SQN|RAND|AMF)
  AUTH = SQN ⊕ AK | AMF | MAC
  SQNHN+
On receiving RAND and AUTH:
  AK = f5K(RAND)
  SQN = (SQN ⊕ AK) ⊕ AK
  f1K(SQN|RAND|AMF) =? MAC
  SQN >? SQNMS
  ?XRES = f2K(RAND)
  Set SQNMS = SQN
  CK = f3K(RAND)
  IK = f4K(RAND)

Resynchronization
- SQN > SQNMS check fails => resynchronization
(Diagram: MS, VLR/SN, HLR/HN. MS sends AUTS; VLR/SN forwards RAND, AUTS.)
  AUTS = Conc(SQNMS) | SMAC, where
  Conc(SQNMS) = SQNMS ⊕ f5*K(RAND)
  SMAC = f1*K(SQN|RAND|AMF)
  Retrieve SQNMS
  Verify SQNHNSQN? synchronization failure
(Diagram: VLR0 ... VLRn, HLR/HN, MS.) MS moves between different VLRs => synchronization failure

Portable Communication Systems Roaming Protocol: is the communication secure?

Application 3: Authentication Technique for the Global Mobility Network (GLOMONET)

The Authentication Scheme of Suzuki and Nakada (IEEE JSAC 1997)
Parties and keys: Ui: Kuh; V: Kvh; H: Kvh, Kuh
Messages:
  (1) Request
  (2) r1
  (3) EKvh(r1), r2
  (4) EKvh(r2), EKvh(EKtmp(Kauth))
  (5) EKuh(EKtmp(Kauth))
  (6) r3, Ktmp, EKuh(EKtmp(Kauth))
  (7) EKauth(r3)
  (8) EKauth(EKauth(r3))
Local steps shown in the diagram: Generate r1, Generate r2, Check r1, Check r2, Generate r3, Check r3, Check EKauth(r3)

Weaknesses of the Scheme of Suzuki and Nakada
- Weakness 1, Eavesdropping attack (1): A legitimate but malicious user I can eavesdrop and record the protocol run.
- Weakness 2, Impersonate attack: Enables I to impersonate V and to communicate with roaming user U.
- Weakness 3, Eavesdropping attack (2): The attacker I can collaborate with the home network to eavesdrop on the communication between U and V.

Weakness 1: Eavesdropping Attack (1)
Parties and keys: I: Kih; V: Kvh; H: Kih, Kvh
Messages:
  (1) Request
  (2) r1
  (3) EKvh(r1), r2
  (4) EKvh(r2), EKvh(EKtmp(Kauth))
  (5) EKih(EKtmp(Kauth))
  (6) r3, Ktmp, EKih(EKtmp(Kauth))
Local steps shown in the diagram: Generate r1, Generate r2, Check r1, Check r2, Generate r3
EKvh(EKtmp(Kauth)): given Kih, Ktmp => obtain Kauth
User U: (4) EKvh(EKtmp(Kauth)), (6) Ktmp

Weakness 2: Impersonate Attack
Parties: U: Kuh; I(V); H
I knows old messages: K*tmp, K*auth, EKuh(EK*tmp(K*auth))
Messages:
  (1) Request
  (6) r3, K*tmp, EKuh(EK*tmp(K*auth))
  (7) EK*auth(r3)
  (8) EK*auth(EK*auth(r3))

Weakness 3: Eavesdropping Attack (2)
Parties and keys: Ui: Kuh; V: Kvh; H: Kvh, Kuh
Messages:
  (1) Request
  (3) EKvh(r1), r2
  (4) EKvh(r2), EKvh(EKtmp(Kauth))
  (6) r3, Ktmp, EKuh(EKtmp(Kauth))
  (7) EKauth(r3)
Local steps shown in the diagram: Check r3, Check r2, Check r0, Generate r1, Check EKa
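The 3GPP AKA slide above lists the vector fields and the checks the mobile station performs; the following added example (not part of the original slides) runs both sides to show how the MAC check authenticates the network, which GSM lacks, and how the SQN check rejects a stale vector. Assumptions: HMAC-SHA256 stands in for f1 to f5, field lengths are 6/2/8 bytes for SQN/AMF/MAC, and K, RAND and AMF are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the slides).
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
AMF = b"\x80\x00"

def f(name: bytes, k: bytes, data: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA256 stands in for f1..f5; real USIMs use e.g. MILENAGE.
    return hmac.new(k, name + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hn_make_vector(k: bytes, sqn: int, rand: bytes):
    """Home network side: (RAND, XRES, CK, IK, AUTH) as listed on the slide."""
    sqn_b = sqn.to_bytes(6, "big")
    xres = f(b"f2", k, rand, 8)
    ck, ik = f(b"f3", k, rand, 16), f(b"f4", k, rand, 16)
    ak = f(b"f5", k, rand, 6)
    mac = f(b"f1", k, sqn_b + rand + AMF, 8)
    auth = xor(sqn_b, ak) + AMF + mac          # AUTH = SQN xor AK | AMF | MAC
    return rand, xres, ck, ik, auth

def ms_verify(k: bytes, sqn_ms: int, rand: bytes, auth: bytes):
    """Mobile station side. Returns (status, RES, updated SQN_MS)."""
    conc, amf, mac = auth[:6], auth[6:8], auth[8:16]
    ak = f(b"f5", k, rand, 6)
    sqn_b = xor(conc, ak)                      # SQN = (SQN xor AK) xor AK
    expected = f(b"f1", k, sqn_b + rand + amf, 8)
    if not hmac.compare_digest(expected, mac):
        return "mac_failure", None, sqn_ms     # network not authenticated
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= sqn_ms:
        return "resync_needed", None, sqn_ms   # stale vector: MS would send AUTS
    return "ok", f(b"f2", k, rand, 8), sqn     # RES for the VLR; set SQN_MS = SQN

if __name__ == "__main__":
    rand, xres, ck, ik, auth = hn_make_vector(K, 5, RAND)
    status, res, sqn_ms = ms_verify(K, 4, rand, auth)
    print(status, res == xres, sqn_ms)
    print(ms_verify(K, sqn_ms, rand, auth)[0])  # same vector presented again
```
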