ArticlePDF Available

Lightweight Security Solutions for LTE/LTE-A Networks

Authors:

Abstract and Figures

Recently, the 3rd Group Project Partnership (3GPP) has developed Long Term Evolution/ Long Term Evolution-Advanced (LTE/LTE-A) systems which have been approved by the International Telecommunication Union (ITU) as 4th Generation (4G) mobile telecommunication networks. Security is one of critical issues which should be handled carefully to protect user's and mobile operator's information. Thus, the 3GPP has standardized algorithms and protocols in order to secure the communications between different entities of the mobile network. However, increasing the security level in such networks should not compel heavy constrains on these networks such as complexity and energy. Indeed, energy efficiency has become recently a critical need for mobile network operators for reduced carbon emissions and operational costs. The security services in mobile networks such as authentication, data confidentiality and data integrity are mostly performed using cryptographic techniques.However, most of the standardized solutions already adopted by the3GPP depend on encryption algorithms which possess high computational complexity which in turn contributes in consuming further energy at the different network communication parties.Data confidentiality which mainly refers to the protection of the user’s information privacy is achieved at the Packet Data Convergence Protocol (PDCP) sub-layer in the LTE/LTE-A protocol stack by one of the three standardized algorithms (EEA1, EEA2 and EEA3). However, each of the three algorithms requires high computational complexity since they rely on Shannon’s theory of encryption algorithms by applying confusion and diffusion for several rounds. In our thesis we propose a novel confidentiality algorithm using the concept of substitution and diffusion in which the required security level is attained in only one round. Consequently the computational complexity is considerably reduced which in return results in reducing the energy consumption during both encryption and decryption procedures. Similarly, the same approach is used to reduce the complexity of 3GPP data integrity algorithms (EIA1, EIA2 and EIA3) which the core cipher rely on the same complex functions. Finally, we investigate in this thesis the authentication issue in Device to Device paradigms proposal in 4G systems. Device to Device communications refer to direct communications between two mobile devices without passing through the core network. They constitute a promising mean to increase the performance and reduce energy consumptions in LTE/LTE-A networks. In such context, the authentication and key derivation between two mobile devices have not been well investigated. Thus, a novel lightweight authentication and key derivation protocol is proposed to authenticate two communicating devices during session establishments as well as deriving necessary keys for both data encryption and integrity protection.
Content may be subject to copyright.
Lightweight Security Solutions for LTE/LTE-A Networks
Soran Hussein
To cite this version:
Soran Hussein. Lightweight Security Solutions for LTE/LTE-A Networks. Networking and
Internet Architecture. Universit´e Paris Sud - Paris XI, 2014. English. <NNT : 2014PA112366>.
<tel-01144657>
HAL Id: tel-01144657
https://tel.archives-ouvertes.fr/tel-01144657
Submitted on 22 Apr 2015
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destin´ee au d´epˆot et `a la diffusion de documents
scientifiques de niveau recherche, publi´es ou non,
´emanant des ´etablissements d’enseignement et de
recherche fran¸cais ou ´etrangers, des laboratoires
publics ou priv´es.
Universit´
e Paris-Sud
Ecole Doctorale Informatique Paris Sud
Laboratoire Recherche en informatique
Discipline : Computer Science
DOCTORAL THESIS
Defended 8/12/2014 by
Soran Sabah Hussein
Lightweight Security Solutions
for LTE/LTE-A Networks
Advisor : Dr. Lila Boukhatem Universit´e Paris-Sud
Co-advisor : Pr. Steven Martin Universit´e Paris-Sud
Composition of the jury: :
Reviewers: : Pr. Hakima Chaouchi Institut T´el´ecom Sud-Paris
Dr. Hassnaa Moustafa Intel Corporation
Examiners : Pr. Joffroy Beauquier Universit´e Paris-Sud
Dr.Thi-Mai-Trang
NGUYEN
Universit´e Pierre et Marie Curie, Paris 6
Dr. Nadjib Ait saadi Universit´e Paris Est Cr´eteil Val de Marne
i
Abstract
Recently, the 3rd Group Project Partnership (3GPP) has developed Long Term Evolu-
tion/ Long Term Evolution-Advanced (LTE/LTE-A) systems which have been approved
by the International Telecommunication Union (ITU) as 4th Generation (4G) mobile
telecommunication networks. Security is one of critical issues which should be han-
dled carefully to protect user’s and mobile operator’s information. Thus, the 3GPP has
standardized algorithms and protocols in order to secure the communications between
different entities of the mobile network. However, increasing the security level in such
networks should not compel heavy constrains on these networks such as complexity and
energy. Indeed, energy efficiency has become recently a critical need for mobile network
operators for reduced carbon emissions and operational costs. The security services
in mobile networks such as authentication, data confidentiality and data integrity are
mostly performed using cryptographic techniques. However, most of the standardized
solutions already adopted by the 3GPP depend on encryption algorithms which possess
high computational complexity which in turn contributes in consuming further energy at
the different network communication parties. Data confidentiality which mainly refers
to the protection of the user’s information privacy is achieved at the Packet Data Con-
vergence Protocol (PDCP) sub-layer in the LTE/LTE-A protocol stack by one of the
three standardized algorithms (EEA1, EEA2 and EEA3). However, each of the three
algorithms requires high computational complexity since they rely on Shannon’s theory
of encryption algorithms by applying confusion and diffusion for several rounds. In this
thesis, we propose a novel confidentiality algorithm using the concept of substitution
and diffusion in which the required security level is attained in only one round. Con-
sequently the computational complexity is considerably reduced which in return results
in reducing the energy consumption during both encryption and decryption procedures.
Similarly, the same approach is used to reduce the complexity of 3GPP data integrity
algorithms (EIA1, EIA2 and EIA3) which the core cipher rely on the same complex
functions. Finally, we investigate in this thesis the authentication issue in Device to
Device paradigms proposal in 4G systems. Device to Device communications refer to
direct communications between two mobile devices without passing through the core
network. They constitute a promising mean to increase the performance and reduce
energy consumptions in LTE/LTE-A networks. In such context, the authentication and
key derivation between two mobile devices have not been well investigated. Thus, a
novel lightweight authentication and key derivation protocol is proposed to authenticate
two communicating devices during session establishments as well as deriving necessary
keys for both data encryption and integrity protection.
esum´e
ecemment, le 3GPP (3rd Generation Partnership Project) a standardis´e les syst`emes
LTE/LTE-A (Long Term Evolution/LTE-Advanced) qui ont ´et´e approuv´es par l’UIT
(Union Internationale des T´el´ecommunications) comme des r´eseaux de t´el´ecommunications
mobiles de 4´eme g´en´eration. La s´ecurit´e est l’une des questions essentielles qui doivent
ˆetre trait´ees avec soin pour prot´eger les informations de l’op´erateur et des utilisateurs.
Aussi, le 3GPP a normalis´e plusieurs algorithmes et protocoles afin de s´ecuriser les com-
munications entre les diff´erentes entit´es du r´eseau. Cependant, l’augmentation du niveau
de s´ecurit´e dans ces syst`emes ne devrait pas leur imposer des contraintes lourdes telles
qu’une grande complexit´e de calcul ou encore une forte consommation d’´energie. En ef-
fet, l’efficacit´e ´energ´etique est devenue r´ecemment un besoin critique pour les op´erateurs
afin de r´eduire l’empreinte ´ecologique et les coˆuts op´erationnels de ces syst`emes. Les
services de s´ecurit´e dans les r´eseaux mobiles tels que l’authentification, la confidentialit´e
et l’int´egrit´e des donn´ees sont le plus souvent effectu´es en utilisant des techniques cryp-
tographiques. Toutefois, la plupart des solutions standardis´ees d´ej`a adopt´ees par le
3GPP d´ependent des algorithmes de chiffrement qui poss`edent une grande complexit´e,
induisant une consommation ´energ´etique plus ´elev´ee dans les diff´erentes entit´es com-
municantes du r´eseau. La confidentialit´e des donn´ees, qui se r´ef`ere principalement au
fait de s’assurer que l’information n’est accessible qu’`a ceux dont l’acc`es est autoris´e,
est r´ealis´ee au niveau de la sous-couche PDCP (Packet Data Convergence Protocol) de
la pile protocolaire de LTE/LTE-A par l’un des trois algorithmes normalis´es (EEA1,
EEA2 et EEA3). Or, chacun des trois algorithmes exige une forte complexit´e de calcul
car ils reposent sur la th´eorie de chiffrement de Shannon qui utilise les fonctions de
confusion et de diffusion sur plusieurs it´erations. Dans cette th`ese, nous proposons un
nouvel algorithme de confidentialit´e en utilisant le concept de substitution et de diffu-
sion dans lequel le niveau de s´ecurit´e requis est atteint en un seul tour. Par cons´equent,
la complexit´e de calcul est consid´erablement r´eduite ce qui entraˆıne une r´eduction de
la consommation d’´energie par les fonctions de chiffrement et de d´echiffrement. De
plus, la mˆeme approche est utilis´ee pour r´eduire la complexit´e des algorithmes 3GPP
d’int´egrit´e des donn´ees (EIA1, EIA2 et EIA3) dont le concept de chiffrement repose
sur les mˆemes fonctions complexes. Enfin, nous ´etudions dans cette th`ese le probl`eme
d’authentification dans le contexte du paradigme D2D (Device to Device communica-
tions) introduit dans les syst`emes 4G. Le concept D2D se r´ef`ere `a la communication
directe entre deux terminaux mobiles sans passer par le cœur du r´eseau. Il constitue un
moyen prometteur pour am´eliorer les performances et r´eduire la consommation d’´energie
dans les r´eseaux LTE/LTE-A. Toutefois, l’authentification et la d´erivation de cl´e entre
deux terminaux mobiles dans le contexte D2D n’ont pas fait l’objet d’´etudes. Aussi,
nous proposons un nouveau protocole l´eger d’authentification et de d´erivation de cl´e
permettant d’authentifier les terminaux D2D et de d´eriver les cl´es n´ecessaires `a la fois
pour le cryptage et pour la protection de l’int´egrit´e des donn´ees.
Acknowledgements
I would like to express my heartfelt gratitude to the many people who have supported
me as I completed my graduate studies and dissertation. First, I would like to sincerely
thank my advisor, Dr. Lila Boukhatem, for providing continuous support and instruc-
tive guidance throughout my studies.
I present my sincere thanks to my co-advisor Prof. Steven Martin which he has sup-
ported me not only by providing a research assistantship, but also academically and
emotionally through the rough road to finish this thesis.
I also owe a debt of gratitude to my colleagues of the Network Group in the Laboratory
of the Research in Informatics (LRI), with special thanks to Dr. Hassan Noura who was
a post doc at the time for being my another advisor to finish the thesis in time. I wish
to thank the reviewers, Prof. Hakima Chaouchi and Dr. Hassnaa Moustafa , to have
the patience to read this dissertation and to give me valuable and detailed comments on
my thesis. Thanks also to all the members of the jury, as it is a great honor for me to
have them to evaluate my work.
I would like to emphasize my love and thanks to my family, with special thanks to my
mother and father, for providing a loving and supportive environment throughout my
childhood that fostered my academic success and for continued support today.
Finally, I would also like to appreciate Kurdistan Regional Government’s funding support
during my 5 year study in France.
v
Contents
Abstract ii
Acknowledgements v
Contents vi
List of Figures ix
List of Tables xi
Abbreviations xii
1 Introduction 1
1.1 Overview .................................... 1
1.2 Researchobjectives............................... 3
1.2.1 Lightweight data integrity and data confidentiality algorithms . . . 3
1.2.2 Authentication key agreement protocol for D2D communications . 4
1.3 Thesis’s Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3.1 Novel and lightweight data confidentiality algorithm for LTE/LTE-
Anetworks ............................... 4
1.3.2 Novel and lightweight data integrity algorithm for LTE/LTE-A
networks................................. 5
1.3.3 Authentication and key agreement scheme for D2D communications 6
1.4 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 LTE/LTE-A Security Architecture 9
2.1 Background................................... 9
2.2 Security levels and services of LTE/LTE-A networks . . . . . . . . . . . . 10
2.2.1 Authentication and key derivation . . . . . . . . . . . . . . . . . . 12
2.2.2 Confidentiality of user plane and control plane data . . . . . . . . 13
2.2.3 Integrity of control plane data . . . . . . . . . . . . . . . . . . . . 13
2.3 EPS Authentication and Key Agreement (EPS-AKA) . . . . . . . . . . . 13
2.3.1 EPS-AKA procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.2 EPSkeyhierarchy ........................... 15
vi
Contents vii
2.3.3 EPS-AKA functionality and related works . . . . . . . . . . . . . . 17
2.4 EPS Encryption Algorithm (EEA) . . . . . . . . . . . . . . . . . . . . . . 19
2.4.1 EEA1 .................................. 20
2.4.2 EEA2 .................................. 20
2.4.3 EEA3 .................................. 21
2.5 EPS Integrity Algorithms (EIA) . . . . . . . . . . . . . . . . . . . . . . . 22
2.5.1 EIA1................................... 23
2.5.2 EIA2................................... 23
2.5.3 EIA3................................... 24
2.6 Conclusions and Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3 Efficient and Robust Ciphering Algorithms forr LTE/LTE-A Data Con-
fidentiality (DC) 29
3.1 Introduction................................... 29
3.2 Cryptographic realizations in LTE/LTE-A . . . . . . . . . . . . . . . . . . 31
3.3 Efficient and Robust Ciphering Algorithm (ERCA) . . . . . . . . . . . . 33
3.3.1 Initial Key Addition Layer . . . . . . . . . . . . . . . . . . . . . . 34
3.3.2 Substitution Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.3 DiusionLayer ............................ 35
3.3.3.1 Construction of the secret matrix G............ 36
3.3.3.2 The Proposed diffusion Process G............. 37
3.4 Cryptographic strength and performance . . . . . . . . . . . . . . . . . . . 38
3.4.1 Cryptographic performance of the substitution layer . . . . . . . . 38
3.4.1.1 Linear Probability Approximation Boolean Function (LPF) 39
3.4.1.2 Differential Probability Approximation Function (DPF) . 39
3.4.1.3 Strict Avalanche Criterion (SAC) ............. 39
3.4.1.4 Output Bit Independence Criterion (BIC) ........ 40
3.4.2 Randomness of the produced key-stream . . . . . . . . . . . . . . . 40
3.4.3 Keysensitivity ............................. 41
3.4.4 Statistical properties . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4.4.1 Recurrence .......................... 43
3.4.4.2 Mixingnature ........................ 43
3.4.4.3 Low coefficient correlation . . . . . . . . . . . . . . . . . 44
3.4.5 ExecutionTime ............................ 46
3.4.6 Discussion and Cryptanalysis . . . . . . . . . . . . . . . . . . . . . 47
3.5 Conclusion ................................... 48
4 Efficient and Robust Algorithm for LTE/LTE-A Data Integrity (DI) 51
4.1 Introduction................................... 51
4.2 Realization of integrity protection in LTE/LTE-A networks . . . . . . . . 52
4.3 ERADI Algorithm Description . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3.1 AdditionLayer ............................. 55
4.3.2 ChainingLayer............................. 55
4.3.3 Substitution Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.3.4 DiusionLayer ............................. 57
4.3.4.1 Secret matrix generation G................ 57
4.3.4.2 Modular matrix multiplication of G............ 58
Contents viii
4.4 Cryptographic Strength and Performance Evaluation . . . . . . . . . . . . 58
4.4.1 Cryptographic performance of the proposed dynamic substitution
layer................................... 59
4.4.2 Security analysis and performance of the proposed hash function . 60
4.4.2.1 Hash value distribution . . . . . . . . . . . . . . . . . . . 61
4.4.2.2 Hash value sensitivity to the original message . . . . . . . 62
4.4.2.3 Diffusion and Confusion: Key and message sensitivity . . 63
4.4.2.4 Collision resistance . . . . . . . . . . . . . . . . . . . . . 65
4.4.3 ERADI Execution Time . . . . . . . . . . . . . . . . . . . . . . . 66
5 Device to Device Lightweight Authentication and Key Agreement Pro-
tocol 69
5.1 Introduction................................... 69
5.2 D2D Authentication and key management in mobile and wireless tech-
nologies ..................................... 70
5.3 D2D Authentication and Key agreement scheme based on ECC . . . . . . 72
5.3.1 Initialization .............................. 74
5.3.2 Temporary key generation . . . . . . . . . . . . . . . . . . . . . . . 74
5.3.3 Identication .............................. 75
5.3.4 Shared Identity Generation (SIG) . . . . . . . . . . . . . . . . . . . 77
5.3.5 Ciphering and integrity keys generation . . . . . . . . . . . . . . . 78
5.4 Security analysis of the proposed protocol . . . . . . . . . . . . . . . . . . 79
5.4.1 Randomness of the produced dynamic key . . . . . . . . . . . . . . 80
5.4.2 Identityprivacy............................. 81
5.4.3 Resistance to the man in the middle attack . . . . . . . . . . . . . 81
5.4.4 Resistance to impersonation attacks . . . . . . . . . . . . . . . . . 82
5.5 Conclusion and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6 Conclusion and future works 85
6.1 Conclusions ................................... 85
6.2 Future works and perspective . . . . . . . . . . . . . . . . . . . . . . . . . 87
A List of publications 91
Bibliography 92
List of Figures
2.1 The LTE/ LTE-A architecture . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Security levels of LTE/LTE-A networks . . . . . . . . . . . . . . . . . . . 12
2.3 EPS-AKAprocedure.............................. 14
2.4 EPSkeyhierarchy ............................... 16
2.5 EPS key derivations on network side . . . . . . . . . . . . . . . . . . . . . 16
2.6 ASandNASProtocols............................. 19
2.7 SNOW3GAlgorithm ............................. 20
2.8 AESAlgorithm................................. 21
2.9 ZUCAlgorithm................................. 22
2.10EIA1Algorithm ................................ 23
2.11EIA2Algorithm ................................ 24
2.12EIA3Algorithm ................................ 25
3.1 PDCPLayer. .................................. 32
3.2 Ciphering a block of data. . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.3 ERCAstreamcipher.............................. 35
3.4 An example of creation of the diffusion Layer . . . . . . . . . . . . . . . . 38
3.5 Proposed Diffusion Technique . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.6 Variation of the LP F (a) and D P F (b) against the number of iterations . 40
3.7 Variation of the SAC (a) and BIC (b) against the number of iterations . 41
3.8 Recurrence of producing key-stream (a) and its distribution (b) using a
secret random key K.............................. 42
3.9 Proportion values of NIST tests . . . . . . . . . . . . . . . . . . . . . . . . 42
3.10 The key sensibility results for change random LSB of the secret key K
versus1000randomkeys............................ 43
3.11 Recurrence plot of the original packet (a) and its correspondent encrypted
ones(b) ..................................... 44
3.12 The distribution of the contents original stream packet (a) and its corre-
spondent encrypted one in (b) . . . . . . . . . . . . . . . . . . . . . . . . 45
3.13 Variation of the χ2
test of cipher packets for 12508 bytes length versus 1000
randomkeys .................................. 46
3.14 The coefficient correlation between the original and encrypted stream
packets versus 1000 random keys . . . . . . . . . . . . . . . . . . . . . . . 46
3.15 Variations of the average time ratio for messages encryption (AES/ERCA)
infunctiontoitslength ............................ 47
4.1 Derivation of MAC-I/XMAC-I . . . . . . . . . . . . . . . . . . . . . . . . 54
4.2 The iterated design of the proposed keyed hash function for ERADI . . . 54
ix
List of Figures x
4.3 Proposed compression function (ERADI) . . . . . . . . . . . . . . . . . . 56
4.4 Variation of the LP F (a) and D P F (b) versus the number of random keys 60
4.5 Variation of the SAC (a) and BIC (b) versus the number of random keys 60
4.6 Spread of the message and hash value: (a) distribution of the message in
ASCII code; (b) distribution of the hash value in hexadecimal format . . . 61
4.7 Spread of all zeros message and hash value: (a) distribution of all Zeros
message; (b) distribution of the Hash value in hexadecimal format . . . . 62
4.8 Hash values under different conditions . . . . . . . . . . . . . . . . . . . . 63
4.9 Percent of number of the changed bits versus 1000 random secret keys
(changed random bit of the secret key) (a) and its corresponding distri-
bution(b).................................... 64
4.10 Percent of number of the changed bits versus 10000 original tests (changed
random bit of the message) (a) and its corresponding distribution (b) . . 65
4.11 Variations of the average time ratio versus message length . . . . . . . . . 67
5.1 Scenario of LTE-A D2D communication . . . . . . . . . . . . . . . . . . . 72
5.2 Elliptic curve equation (5.1) (a) and the distribution of Elliptic group
(E23(1,1)(b) .................................. 73
5.3 Initialization .................................. 75
5.4 Temporary key generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.5 Identication .................................. 76
5.6 Shared identity Generation . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5.7 Cipher and Integrity Key generation . . . . . . . . . . . . . . . . . . . . . 79
5.8 Dynamic Key updates algorithm . . . . . . . . . . . . . . . . . . . . . . . 80
5.9 Proportion values of NIST tests . . . . . . . . . . . . . . . . . . . . . . . . 81
List of Tables
3.1 Comparison Analysis of Substitution Layer . . . . . . . . . . . . . . . . . 48
4.1 Frequency of the different number of ASCII characters for N= 10000 . . 62
4.2 Distribution of changed bit percent under different conditions . . . . . . . 62
4.3 StatisticalResults ............................... 65
4.4 Percent distribution of the number of ASCII characters with the same
value at the same location in the hash value for random LSB bit of secret
key K(a) or the plain-message P(b) .................... 66
xi
Abbreviations
1G 1st Generation
2G 2nd Generation
3G 3rd Generation
3GPP 3rd Generation Partenership Project
4G 4th Generation
AS Asymetric Encryption
AES Advanced Encryption Standard
AKA Authentication and Key Agreement
AS Access Stratum
BIC Output BitIndependence Criterion
CK Ciphering Key
CMAC Cipher-based Message Authentication Codes
D2D Device to Device
DC Data Confidentiality
DI Data Integrity
DoS Denial ofService
DPFDifferential Probability Approximation Boolean Function
ECC Elliptic Curve Cryptography
xii
Abbreviations xiii
ECDF Elliptic Curve Diffie-Hellman
EEA EPS Encryption Algorithm
EIA EPS Integrity Algorithm
EPS Evolved Packet System
EPC Evolved Packet Core
ERCA Efficient and Robust Cipher-Algorithms
eNB eNodeB
E-UTRAN Evolved -Universal Terrestrial Radio Access Network
FN Feistel Networks
GSM Global Ssystem for Mobile communications
GMAC Galois Message Authentication Codes
HSS Home Subscriber Server
HMAC Hash Message Authentication Codes
IBC Identity Based Cryptography
IK Integrity Key
IP InternetProtocol
KHF Keyed Hash Functions
LFSR Linear Feedback Shift Register
LPFLinear Probability Approximation Boolean Function
LSB Least Significant Bit
LTE Long Term Evolution
LTE-A LongTerm Evolution Advanced
MAC Message Authentication Codes
MDC Message Detection Codes
MitM Man inthe Middle
Abbreviations xiv
MME Mobility ManagementEntity
MTC Machine Type Communications
NAS Non Access Stratum
NIST National Institute of Standareds and Technology
PDCP Packet Data Convergence Protocol
PKG Private Key Generator
PDNGW Packet Data Network GetWay
RNC Radio Network Controller
SAC Strict Avalanche Criterion
SDN Substitution Diffusion Network
SE Symetric Encryption
SG Service Getway
SN Service Network
SAE System Architecture Evolution
UE User Equipment
UMTS Universal Mobile Telecommunications System
WMN Wireless Mesh Network
xv
Chapter 1
Introduction
1.1 Overview
The continuous and rapid growth of mobile data consumption especially due to the
tremendous increase of Smartphone device usage has motivated the standardization
organizations to develop 4G technologies such as (Long Term Evolution/Long Term
Evolutions-Advanced) LTE/LTE-A, moving to higher data rates compared to 3G net-
works. This 4G systems deployment has triggered the transition from the existing 3G
combined circuit and packet switching network to an all IP (Internet Protocol) architec-
ture system which made LTE/LTE-A networks to possess a new and different security
architecture.
With the proliferation of mobile networks usage in our daily live, security has attracted
more and more attentions in order to ensure that the system is properly functioning
without any fault or misuse. Security is provided through features such as encryption,
integrity protection and authentication, which are required to guarantee the user’s pri-
vacy as well as ensuring revenue for the mobile network operators [1]. The security
architecture of mobile networks has been subject to subsequent evolutions. The first
analog generation was in lack of any security mechanisms which later evolved within
the definition of successive generation of 3GPP: Global System for Mobile communi-
cations (GSM) then 3GPP Universal Mobile Telecommunication System (UMTS) and
now 3GPP LTE/LTE-A. The GSM has rather concentrated on the protection of the air
interface. Then, substantial improvements have been adopted for UMTS security, such
as adding new security features for radio access networks and services [2].
Security features as many other features of mobile networks should possess world-wide
interoperability to achieve global relevance and this is done through the standardization
1
Chapter 1. Introduction 2
of these features. Accordingly, the 3GPP which is the main dominant standardization
organization for mobile networks has handled the security issues in 4G LTE/LTE-A
systems through the normalization of the protocols and algorithms at different network
security levels. At the network access level, authentication of the users and key agree-
ment are performed through EPS-AKA protocol, an authentication protocol based on
symmetric cryptography. Moreover, in order to achieve user’s privacy i.e. data confi-
dentiality, the 3GPP has standardized for 4G LTE/LTE-A networks three algorithms
EEA1, EEA2 and EEA3. Similarly, three other algorithms have been standardized for
data integrity (EIA1, EIA2 and EIA3) [3].
Nowadays one of the important issues which have significant negative impact on global
health, social and economic wellbeing is global warming which is resulted from excessive
Carbon Dioxide (CO2) emissions in the atmosphere. Currently, wireless and mobile
technologies contributes in about 2 to 3 percent of the overall emission of CO2 into
the atmosphere and this amount is subjected to further increase due to the exponential
growth in wireless and mobile networks subscribers and usages [4]. Later studies have
proved that the largest part of the consumed power in wireless and mobile networks is
located in the base stations, but an important part is also consumed in the mobile ter-
minals [5]. Yet, considerable computation power is requested when performing security
services in LTE/LTE-A networks which are carried out at base stations (denoted as eN-
odeB (eNB)) and mobile terminals denoted as (User Equipments (UE)). Furthermore,
during the standardization procedure, the main objectives of the selected algorithms
and protocols were achieving maximum security without taking in consideration any
environmental or ecological issues such as energy savings. Therefore, it would be desir-
able to consider new design structures for new protocols and algorithms acquiring less
computational power to reduce energy consumptions and consequently contributing in
the reduction of CO2 emissions.
In the light of all above considerations, our objective in this thesis is to propose lightweight
security algorithms and more particularly Data Integrity (DI) and Data Confidentiality
(DC) algorithms by designing efficient cipher algorithms in terms of complexity and at
the same time possessing sufficient security strength. These objectives will be achieved
by exploring the compromise between these two controversial properties (less complexity
and maximum security).
Another objective of our work is to consider the security issue in D2D paradigms. Re-
cently, Device to Device (D2D) communications have attracted large research attention
to develop efficient solutions for direct communications between two proximate devices
Chapter 1. Introduction 3
without passing through a base station or another third-party device. Indeed, the ma-
jority of D2D related research works concentrate mainly on licensed band (in band)
modes using cellular resources where the service providers prefer to maintain a stable
and permanent control over the communication rather than using other uncontrolled en-
vironments (out band) such as (ad hoc Wi-Fi and Bluetooth) networks using unlicensed
bands [6]. The D2D paradigm has been proposed to be employed in cellular LTE/LTE-A
networks between two UEs in order to enhance the performance. It has been adopted
by 3GPP in LTE Release 12 to enable LTE becoming a competitive broadband commu-
nication technology for public safety networks [7]. These type of communications allow
the eNBs to reduce their power consumption through decreasing the signaling load since
the two UEs will not use the cells resources for communication. In addition, the UEs
will also save a portion of energy during data transmission since a closer transmission
path is expected between the two devices. To authenticate the UEs as well as provid-
ing necessary keys for DC and DI during D2D communications, a secure and efficient
protocol is requested. However, although 3GPP has already adopted EPS-AKA as an
authentication protocol for UEs, the concept of D2D have not been considered in this
protocol. Hence, developing an efficient and secure authentication protocols for D2D
poses a new research challenge which have not been well investigated in the literature.
Another objective in our thesis is to investigate this research issue and also providing
efficient and secure solutions.
1.2 Research objectives
1.2.1 Lightweight data integrity and data confidentiality algorithms
According to 3GPP, five security levels are defined in LTE/LTE-A security architec-
ture: network access, network domain, user domain, application domain and non 3GPP
domain security [8]. In this thesis, we are mainly concentrating on network access secu-
rity and specifically between UE and eNB. However, to ensure a secure communication
between any two communication nodes DC and DI security services are inevitable in
any security system. DC refers to the prevention of an unauthorized disclosure of data
between two communication nodes to the third party attackers or intruders, such as
individuals, entities or processes. While DI is used to ensure that the received data
has not been modified during transmission. In LTE/LTE-A system architecture as de-
scribed in [9], UE and eNB are connected through the Access Stratum (AS) protocol,
where both DC and DI security features are carried out in the Packet Data Convergence
Protocol (PDCP) sub-layer. The PDCP performs ciphering/deciphering of both user
and the control plane data at both UE and eNB sides, similarly it performs DI but only
Chapter 1. Introduction 4
for control plane data. The keys to be used by PDCP are managed by upper layers and
derived during authentication procedure. Although the 3GPP has already standardized
till now three pairs of algorithms; (EEA1, EIA1), (EEA2, EIA2) and (EEA3, EIA3) [10],
[11] to achieve DC and DI, these solution are mostly require high computational time
and some of them surfers from security flaws. Therefore, it becomes vital to propose
lightweight and effective algorithms offer the decreased computational time and at the
same time a strong security level.
1.2.2 Authentication key agreement protocol for D2D communications
Direct communications between two device terminals, denoted as D2D in LTE/LTE-A
systems is a new paradigm in 4G mobile networks and has not been yet standardized.
Our first contribution suggested two algorithms for the two services DC and DI for
achieving privacy and integrity of users data could also be employed in D2D commu-
nications by the two involved UEs. However, to the best of our knowledge D2D key
management and users’ authentication has not been yet addressed. 3GPP stated that
LTE /LTE-A networks should use EPS-AKA protocol for mutual authentication be-
tween UEs and the core network which is a long and costly process. Moreover, the
EPS-AKA protocol is designed to rely on several entities in the core network which
are not necessarily available during D2D communications. Henceforth, it is desirable to
propose for such communication scenarios a novel method to achieve authentication as
well as deriving the necessary keys for DC and DI services.
1.3 Thesis’s Contributions
Following the aforementioned research objectives, the contributions of this thesis can be
summarized as follows:
1.3.1 Novel and lightweight data confidentiality algorithm for LTE/LTE-
A networks
Shannon demonstrated in [12] that the conventional technique to obtain a powerful
encryption of a block of bytes is achieved by using the confusion and diffusion layers for
several rounds. The standard ciphers are based on rmulti-round functions, where each
one is composed of several simple iterated functions. Round functions can be categorized
into two classes: Feistel Networks (FN) and Substitution Diffusion Networks (SDN).
Chapter 1. Introduction 5
Accordingly, the security level depends on the number of rounds, which leads to a trade-
off between the security level and the required computational time (complexity) and
consequently the energy consumption. The multi round concept has been well applied
in the standardized solutions. In this thesis, we propose a novel stream cipher technique
based on SDN structure which showed a reduced complexity (one round only) and at the
same time possesses similar security strength compared to the standardized solutions.
The proposed stream cipher algorithm candidate has an almost-similar architecture as
the Advance Encryption Standard (AES) employed in EEA2 and EIA2. It consists of
an addition, a substitution and a diffusion layer. The addition layer uses binary XOR
operation with a constant block value to ensure key uniformity. The substitution layer
is constructed from the nonlinear transformation of RC6 algorithm to add confusions to
the cipher. Finally, the diffusion layer is built from the output of the substitution layer
by forming a sub-matrix.
1.3.2 Novel and lightweight data integrity algorithm for LTE/LTE-A
networks
The DI is performed using cryptographic hash functions that convert strings of variable
lengths to fixed-size strings called hash values, hash codes or simply hash. Cryptographic
hash functions can be keyed or un-keyed. The un-keyed ones are called Modification
Detection Codes (MDCs) which provide only data integrity. The keyed hash functions
are Message Authentication Codes (MACs), which besides the integrity protection helps
in the authentication of the origin of the data. The EIA algorithms use universal keyed
hash functions to generate a 32-bit MAC value based on key streams generated from a
stream cipher.
As LTE/LTE-A networks intend to support high data rates and an enhanced data, voice,
and video experience for end users, it is desirable to develop a low computation DI
algorithm to speed up data processing and at the same time reducing the computational
power to save energy. Our second contribution in this thesis it to propose a new DI
algorithm based on a Keyed Hash Function (KHF). The key advantage of this proposed
algorithm is the use of a Substitution Diffusion (SD) technique in its core cipher which
requires only one round of processing instead of several processing rounds as it is the
case for the standardized reference solutions. However, in addition to the addition,
substitution and diffusion layers, a chaining layer has also been employed in the core
cipher to provide more bit dependency to the algorithm.
Chapter 1. Introduction 6
1.3.3 Authentication and key agreement scheme for D2D communica-
tions
Our last contribution consists in the design of a lightweight authentication and key
derivation protocol between the two UEs communicating through a D2D link. Our pro-
posed solution is based on the concept of elliptic curve cryptography which is considered
as a promising tool for such security requirements, since the key exchange is done by
a secure manner without the diffusion of the real identity of the communication nodes.
This concept has been already employed in the security and authentication of vehicular
Ad Hoc networks, Mobile ad hoc networks, and authentication of Machine Type Com-
munications (MTC) and MTC group communications.
The key idea of our methodology is, in one hand using Elliptic Curve Diffie-Hellman
(ECDH) to realize Key Forward/Backward Security (KFS/KBS) and performing au-
thentication between the two devices and on the other hand using secured hash functions
to derive both the ciphering and integrity keys which can be employed as DC and DI
keys respectively. Our simulation analysis proved that our authentication protocol has
the same security level as EPS-AKA and can also resist MitM, DoS and replay attacks
while requiring minimum computation and communication complexity.
1.4 Organization of the Thesis
The content of this thesis is organized as follows:
Chapter 2 describes the security architecture of LTE/LTE-A mobile networks. Af-
ter a general overview of LTE/LTE-A systems, their different security levels are
presented with a particular focus on the access level security. Then the EPS-AKA
authentication and key derivation protocol is presented followed by a detailed
description of the key derivation procedure and the related enhanced protocols
proposed in the literature. The standardized algorithms proposed by the 3GPP
for both DI and DC services are described with a discussion about their identified
security flaws and drawback.
In Chapter 3 we first introduce an overview of data confidentiality as well as the
paradigms used to perform it. Then, the realization of a confidentiality algorithm
in LTE/LTE-A networks is described. After, our proposed data confidentiality
algorithm we baptized ERCA is presented which consists of three layers and a
Chapter 1. Introduction 7
detailed description about the functionality of each layer is presented. Finally,
the analysis of simulation results is presented to prove the security strength of the
ERCA and compared it to a current standard in terms of complexity.
Chapter 4 presents ERADI, our lightweight data integrity algorithm for LTE/
LTE-A systems. First, we introduce briefly the general aspects and methodologies
of data integrity. Then, the realization of a data integrity algorithm in LTE/LTE-
A networks is illustrated. Hence, ERADI algorithm is detailed. ERADI is based
on a keyed hash function which the core cipher is composed from four layers and
a detailed description is given about each layer. Extensive simulation are carried
out to prove the security strength and the efficiency of the proposed hash function.
Chapter 5 first, presents an overview of D2D communications in LTE/LTE-A sys-
tems and the concept of authentication and key agreement in D2D. Then, D2D
authentication and key managements in other mobile and wireless technologies is
detailed. Hence, we detail the main arguments which make. Thereafter, we in-
troduce the main concepts and operational steps of our lightweight authentication
and key agreement scheme is presented for LTE/LTE-A D2D communications.
Finally, the security analysis shows the effectiveness of our proposal as regards to
the reference approaches.
In the final chapter (Chapter 6) we review the main contributions of this disserta-
tion and provide some perspectives and directions for future researches.
Chapter 2
LTE/LTE-A Security
Architecture
2.1 Background
The 3rd Generation Partnership Project (3GPP) standardized LTE in its Release 8 as
the successor of the Universal Mobile Telecommunications System (UMTS) standard
in order to provide a high-data rate, low-latency, and packet-optimized radio-access
technology supporting flexible bandwidth deployments. The LTE standard has been
finalized in 2009 and has been deployed by different mobile operators in different coun-
tries all around the world. However, the continuous growth of mobile traffic has lead to
the evolution of radio technologies towards International Mobile Telecommunications-
Advanced (IMT-Advanced) which is an ITU-R initiative for developing 4G global mobile
standard. The 3GPP and IEEE 802.16 started to develop standards compatible with
IMT-Advanced requirements. This was the driving force for 3GPP to further develop
LTE towards LTE–Advanced in its Release 10 to provide higher data rates in a cost
efficient way and at the same time, completely fulfill the requirements set by IMT-
Advanced. Finally, the IMT-Advanced had selected the LTE-A along side with LTE as
the candidate technologies for 4G mobile networks.
Because of the possible security threats in the 3G UMTS security architecture such
as Man-in-the-Middle (MitM) attacks, rogue base station attacks and Deny of Service
(DoS) attacks, better and enhanced security services were among the main goals of
LTE/LTE-A and have been taken in to consideration from the start by addressing the
security in many different levels. Instead of UMTS-Authentication and Key Agreement
9
Chapter 2. LTE/LTE-A Security Architecture 10
Figure 2.1: The LTE/ LTE-A architecture
(UMTS-AKA), the SAE/LTE architecture adapted an enhanced new access security ap-
proach. In addition, new standardized sets of algorithms have been proposed to achieve
privacy and integrity protections. In this chapter, we first study the LTE/ LTE-A se-
curity levels, describing briefly how different security levels are achieved between the
communication entities. Then, the security services supported by LTE/ LTE-A in the
network access level are presented followed by a detailed description of each of the ser-
vices as well as the algorithms and protocols employed to support them. Finally, we
conclude the chapter with a discussion about the main security features and the limita-
tions of current security services of LTE/LTE-A networks as well as the improvements
suggested by our proposal.
2.2 Security levels and services of LTE/LTE-A networks
The security architecture of mobile networks has been subjected to subsequent evolutions
since the first analog 1G system, which was in lack of the main security features such
as authentication and data encryption. The Advanced Mobile Phone Service (AMPS),
which was employed in the USA and its European version Total Access Communication
System (TACS), provided no security services. Therefore, it was rather easy for an at-
tacker to intercept the calls and consequently, extract Identification Number (MIN) and
Electronic Serial Number (ESN). Similarly, the Nordic Mobile Telephone NMT, which
Chapter 2. LTE/LTE-A Security Architecture 11
was mainly used in the European Nordic countries, Eastern Europe and Russia had the
disadvantage that the voice traffic was not encrypted [8]. The security of 2G systems
such as GSM has rather concentrated on the protection of the air interface. Several
security services have been implemented for GSM such as authentication of subscribers,
protection of subscriber’s identity using SIM cards and finally the encryption of com-
munication between the subscriber and the base station using A5/1 and A5/2 stream
ciphers. However, serious weaknesses have been reported in both algorithms, as it is
possible to break A5/2 in real-time using cipher-text-only attack.
The 3G systems security is based on those elements of 2G security that have proven to
be robust and also important new security features and were services integrated while
correcting the security issues of GSM by addressing its real weaknesses. Furthermore,
key lengths were increased to allow for stronger algorithms of encryption and integrity [8].
The 4G LTE/LTEA architecture shown in Figure 2.1 and also denoted as Evolved Packet
System (EPS) brings two new major ingredients into the 3GPP environment: the ra-
dio network Evolved-Universal Terrestrial Radio Access Network (E-UTRAN) with a
new radio interface, and the flat IP-based core network Evolved Packet Core (EPC).
Additionally, the EPS must also be able to interwork with legacy systems and achieve
backward-compatibility. In the (3GPP TS 33.401), the security architecture is divided
into five different functional security levels or (domains) where different security services
are achieved in these levels (see Figure 2.2). The 3GPP TS 33.401 defines these levels
as the following:
Network domain security (II): this security level mostly related to the protection
of the control plane data as well as user plane data during transmission from the
access network to the service network mostly through the wireline network.
User domain security (III): it can be defined as the necessary security features to
access for mobile terminals (UE in LTE/LTE-A) access.
Application domain security (IV): stands for the set of security features that enable
applications in the user and in the provider domains to securely exchange messages.
Visibility and configurability of security (V): the set of features that enables the
user to discover whether a security feature is in operation or not and whether the
use and provision of services should depend on the security feature.
Network Access security (I): this level is mainly related to the radio access network
i.e. (E-UTRAN) and described as the set of security services that provide users
with secure access to services and protecting the user against attacks. The subject
Chapter 2. LTE/LTE-A Security Architecture 12
Figure 2.2: Security levels of LTE/LTE-A networks
of this thesis is particularly related to the network access security; therefore, the
rest of this document is mainly related to this topic rather than to the other
security levels.
In the following, we present the most important security services of EPS which are
mostly performed in the access network level.
2.2.1 Authentication and key derivation
Mutual authentication between UEs and network and key derivation to establish key
sessions for ciphering and integrity protection are essential security features for any mo-
bile network. The EPS shall support authenticity of information between the mobile
terminal and the network to ensure that unauthorized users cannot establish communi-
cations through the system. Moreover, without authentication it would be impossible
to securely connect users to each other. Hence, the functionality of the whole system
would be questionable if this feature is not available.
Compared to 3G systems where the authentication only provides assurance that the
serving network is authorized by the home network to serve the user, there is an en-
hancement in EPS authentication that provides means for the UE to directly verify the
serving network identity.
Indeed, the secret key derivation would be also tightly integrated with authentication
where the derived shared secret keys are used for confidentiality and integrity protection
during data transmission. The 3GPP adopted for LTE/LTE-A a new authentication and
Chapter 2. LTE/LTE-A Security Architecture 13
key agreement protocol called EPS-AKA which will be described in details in section
2.3.
2.2.2 Confidentiality of user plane and control plane data
According to the 3GPP security requirements, EPS shall provide several appropriate
levels of user privacy for communication, location, and identity. Additionally, com-
munication contents, origin, and destination shall be protected against disclosure to
unauthorized parties. Confidentiality is achieved by ciphering the digital communica-
tion in order to protect the content packets of being seen by the eavesdroppers especially
on the radio interface. Unlike the 3G mobile systems where the end point of the en-
cryption is the Radio Network Controller (RNC), in LTE/LTE-A the endpoint is in the
eNB. Hence, additional confidentiality protection mechanism is introduced for Radio
Resource Control (RRC) signaling (control plane data) between the UE and eNB [13].
Further details about confidentiality algorithms already adopted for LTE/LTE-A will
be presented in section 2.4.
2.2.3 Integrity of control plane data
In order to fulfill 3GPP security requirements, EPS shall support authenticity of infor-
mation between the mobile terminal and the network. The purpose of this feature is
to ensure the authenticity of each control plane message separately i.e. assuring that
the message has not been altered during transmission and has been received by the
destination as it was actually sent by the source. However, no integrity protection is
provided for user plane data in 4G LTE/LTE-A except for Relays as stated in [13]. In
order to ensure data integrity, the 3GPP has standardized three algorithms which will
be described in details in section 2.5
2.3 EPS Authentication and Key Agreement (EPS-AKA)
As illustrated in Figure 2.1, the LTE/LTE-A network is composed of the Evolved Packet
Core (EPC) and the E-UTRAN. The EPC consists of a Mobility Management Entity
(MME) and a Serving Gateway (SGW), a Packet Data Network Gateway (PDNGW)
together with the Home Subscriber Server (HSS). When a UE connects to the EPC, the
MME represents the EPC to perform a mutual authentication with the UE, whilst the E-
UTRAN, including the eNB, passes the traffic from UE to MME. The AKA protocol for
UTMS was adopted by the 3GPP and proposed at the network level for authenticating
Chapter 2. LTE/LTE-A Security Architecture 14
Figure 2.3: EPS-AKA procedure
3G mobile subscribers and also to tackle the vulnerabilities of the GSM system. Due
to a substantial architecture modification of the 4G LTE/LTE-A, the AKA has been
replaced by a new protocol (EPS-AKA) which is based on its predecessor in order to
ensure backward compatibility. In this section the EPS-AKA procedure is described
as well as the key derivation procedure and the functionality of the employed keys.
Then, we highlight the weak and strong aspects of the protocol along with the various
enhancements proposed by different research works.
2.3.1 EPS-AKA procedure
In the EPS-AKA protocol as illustrated in Figure 2.3, first the UE sends an access
request message to the MME, then the MME launches an authentication procedure by
interrogating the UE’s identity. When the UE returns back its identity by sending its
International Mobile Subscriber Identity (IMSI), the Service Network (SN) sends an
authentication data request message containing UE’s identity to the HSS for acquiring
Authentication Vectors (AVs). Any AV consists of four parameters: an expected result
(XRES), a network authentication token (AUTN), the intermediate key KASM E (based
on the CK and IK and other parameters such as the serving network identity (SN ID) as
well as the random challenge (RAND). The HSS generates AVs for the MME and sends
back an authentication data request message including the generated AV. Upon AVs
Chapter 2. LTE/LTE-A Security Architecture 15
reception, the MME sends RAND and AUTN piggy backed on the authentication request
to the UE enabling it verifying the correctness of the sequence number (SQN) associated
with that IMSI and compute the RES. The validity of SQN is checked by computing
MAC and comparing it with the MAC carried in AUTN. If so, the UE computes and
sends the corresponding response RES back to the SN in an authentication response
message. Once the MME receives and verifies RES validity, it chooses the corresponding
intermediate key KASME as the session key to protect its communication with the UE.
At the same time, the UE calculates its KASM E accordingly. Finally, both the UE and
MME hold a symmetric session key from which other encryption and integrity protection
keys will be derived.
2.3.2 EPS key hierarchy
After the authentication, all necessary cryptographic keys for various security mecha-
nisms are derived from the intermediate key (KASM E ). The main advantages of this
key hierarchy are cryptographic key separation and also providing the system with key
freshness property. However, the main disadvantage is adding further complexity to
the system since there are more types of keys in the system, all of which need to be
computed, stored and protected. Moreover, one of the most important properties of the
key derivation procedure is the one-way property i.e. computing upper layers keys is
impossible using lower layers keys. In the procedure of key derivations as illustrated
in Figure 2.4, an arrow between two keys indicates that one key is derived from the
other. However, there is one special arrow in the figure, namely the loop arrow pointing
from the box representing keys KeNB /NH to itself. Indeed, there are also additional
parameters that will be mixed during keys derivation which are assumed not be secret.
The topmost key derivation from Kto CK and IK is different from the rest of key
derivations in the sense that its details are not standardized [8]. Moreover, in Figure
2.5 the details of key derivation are presented in the network nodes. In the figure, KDF
denotes the generic Key Derivation Function based on HMAC-SHA-256 and ‘Trunc’
stands for a simple truncation function that uses only the 128 least significant bits of a
256-bit value and eliminates the most significant half. In the following, the purpose and
the functionality of each of the master and specific derived keys related to the network
access security are explained:
Kis the subscriber-specific master key, stored in the USIM and the AuC and it is
not derived from any other key.
CK and IK are128-bit keys derived from Kusing additional input parameters.
Chapter 2. LTE/LTE-A Security Architecture 16
Figure 2.4: EPS key hierarchy
Figure 2.5: EPS key derivations on network side
Chapter 2. LTE/LTE-A Security Architecture 17
KASM E is derived from CK and IK using two additional inputs to be a local master
key in the MME.
KeNB is derived from KAS M E and the additional input NAS uplink COUNT
which is a counter parameter. This parameter is needed to ensure that each new
KeNB derived from KASM E differs from the ones derived earlier. The purpose of
this key is to be a local master key in an eNB.
KRRCenc is a key that is used to encrypt RRC signaling traffic. It is derived from
KeNB and two additional parameters: the first one (algorithm type distinguisher)
indicates that this key is used for RRC encryption, and the second one is the
identifier of the encryption algorithm.
KRRCint is used to protect the integrity of RRC signaling traffic. It is derived from
KeNB and two parameters: the first one indicates that this key is used for RRC
integrity, and the second one is the integrity algorithm identifier.
Finally, KU P enc is used to encrypt user plane traffic. This key is derived from
KeNB and two parameters: the first one indicates that this key is used for user
plane encryption, and the second one is the encryption algorithm identifier.
The generated keys from the key hierarchy are separated in a way that each key has
a specific usage for either control or user plane traffic. The principle idea behind this
separation is providing more security since even though an attacker may find a key used
for a specific context; he cannot easily get the other keys used for a different purpose.
Additionally, a key renewal without affecting the other keys is another advantage of the
key hierarchy. Accordingly, any change to a specific key, affects only the keys derived
from in which affected and have to be changed; the other keys may remain the same.
2.3.3 EPS-AKA functionality and related works
Although EPS-AKA has several security improvements over UMTS AKA by preventing
some attacks like redirection attacks, rogue base station attacks and MitM attacks, it
still has some vulnerabilities inherited from UTMS AKA due to compatibility issues.
Therefore, many research works were interested in overcoming these issues.
Privacy protection is among the main security flaws of EPS-AKA, which results from
the diffusion of the IMSI mainly in plane-text in two typical scenarios [14]:
In some cases, the SN cannot obtain UE Globally Unique Temporary Identity
(GUTI) which is transmitted instead of IMSI to hide real identity of the UE, such
Chapter 2. LTE/LTE-A Security Architecture 18
as when a UE registers to the network for the first time or during roaming which
leads to the transmission of IMSI in a plane-text.
In case of a MAC verification failure, a MAC failure message (M acFail) is sent
to the network to require a new MAC verification procedure. Therefore, the IMSI
could be leaked in a plane-text.
The discloser of the IMSI enables an adversary to obtain sensitive information about
the subscriber identity and consequently lunch identity related attacks. Moreover, the
EPS-AKA is vulnerable to potential DoS attacks which may cripple the network when
an adversary disguises as legitimate UE and constantly sends fake IMSIs to overwhelm
the HSS/AuC. As a consequence, the HSS is overloaded by generating excessive AVs for
the UE.
In order to overcome this drawback, several solutions have been proposed to improve
the security of EPS-AKA. Security Enhanced Authentication and Key Agreement (SE-
EPS AKA) based on Wireless Public Key Infrastructure (WPKI) has been proposed in
[15] in order to ensure the security of user identity using Elliptic Curve Cipher (ECC)
encryption. The authors have employed the Elliptic Curve Diffie-Hellman (ECDH) with
symmetric key cryptosystem to overcome the vulnerabilities presented in EPS-AKA
protocol. Furthermore, the authors in [16] have proposed an ensured confidentiality
authentication and key agreement (EC AKA) to enhance the user’s confidentiality by
protecting AKA messages through encryption. Consequently, the real identity of the
subscriber is preserved and cannot be tracked. The drawbacks of the above mentioned
methods are that they employ the public-key to overcome the shortcoming of the EPS-
AKA protocol by ensuring the security communication between the UE and HSS/AuC
through the use of the certificates. However, using certificates results in large number
of computational, storage and communication costs.
Unlike the aforementioned works, the authors in [17] presented a slightly modified ver-
sion of the EPS-AKA protocol to overcome its security flaws. The scheme introduces a
new subscriber module ESIM instead of the USIM and provides a direct online mutual
authentication between the ESIM and the MME/HSS with minor modifications of the
access security architecture. However, this method does not attain the identity privacy
and requires a lot of message exchange causing signaling congestion on the HSS [18].
The use of the password authentication key exchange by Juggling Password Authenti-
cated Key Exchange (J-PAKE) protocol was proposed in [19]. The authors proposed
the use of J-PAKE protocol for authentication due to its high flexibility and lightweight
making it very well suited for use in mobile terminals. However, this protocol still suffers
Chapter 2. LTE/LTE-A Security Architecture 19
from security issues presented in the EPS AKA protocol such as identity protection. Fi-
nally, the AES ciphering is used in EAP Archie method proposed in [20] was intended to
achieve a mutual authentication and key agreement between the users and the network
access layer. Yet, this scheme also suffers from the disclosure of the user identity and
spoofing attacks.
Figure 2.6: AS and NAS Protocols
2.4 EPS Encryption Algorithm (EEA)
As illustrated in Figure 2.6 the three main important components in LTE/LTE-A archi-
tecture where the security services are achieved are: UE, eNB and MME. Accordingly,
UE and MME are connected with Non Access Stratum (NAS) security protocol and
NAS messages exchanged between UE and MME are integrity protected and ciphered
with extra NAS security header. While UE and eNB are connected through the Ac-
cess Stratum (AS) protocol and the security services are performed for both control
and user plane data in the (PDCP) layer of UE and eNB. The PDCP layer in UE and
eNB sides is responsible for the confidentiality and integrity protection. The confiden-
tiality cryptographic algorithm EPS Encryption Algorithm (EEA) is achieved after the
authentication between the UE and SN is fulfilled by EPS-AKA. The EEA algorithm
is assigned a 4-bit identifier included in KNAS enc,KRRCint and KU P enc to indicate the
type of the encryption algorithm to be used. Accordingly, the 3GPP standardized three
algorithms namely EEA1, EEA2 and EEA3 to be used in 4G LTE/LTE-A networks. A
detailed description and convenient and inconvenient of each algorithm is given below.
Chapter 2. LTE/LTE-A Security Architecture 20
Figure 2.7: SNOW 3G Algorithm
2.4.1 EEA1
Four bits identifier ”0001” is used for defining 128-bit EEA1 stream cipher which is based
on another stream cipher of SNOW 3G depicted in Figure 2.7. SNOW 3G algorithm was
originally used as the cryptographic kernel of the second set of 3G UMTS confidentiality
and integrity algorithms (UEA2) and has been kept as the first set of security algorithms
for LTE/LTE-A. Originally, SNOW 3G was derived from the stream cipher SNOW 2.0,
with improvements against algebraic cryptanalysis and distinguishing attacks. It is a
word oriented stream cipher that generates a sequence of 32-bit words using a 128-bit key
and a 128-bit initialization variable [21]. The structure of SNOW 3G is composed of a
Linear Feedback Shift Register (LFSR) with 16 chained 32-bit stages and a Finite State
Machine (FSM) with 2 S-boxes. Although the authors in [22]are assuming a fault attack
to recover the secret key with only 22 fault injections, but SNOW 3G still offers adequate
protection against new forms of algebraic attacks. However, in terms of time complexity
SNOW 3G is quite complicated especially in terms of hardware implementation [23].
2.4.2 EEA2
The four bit identifier ”0002” is used to define the 128-bit EEA2 algorithm based on AES
using CTR mode. It is a block cipher that can process data blocks of 128-bit (16 bytes
block) using cipher keys of 128, 192 and 256 bits. Yet, the 3GPP adopted the128-bit ci-
pher key as a standard for EEA2. The design of AES depends on the principle of SDN, as
the encryption procedure for128-bit is composed of 10 rounds of processing. Each round
except the last one includes four layers as shown in the Figure 2.8: ByteSubstitution
layer (S-Box), ShiftRow layer, KeyAddition layer and MixColumn layer, which will
Chapter 2. LTE/LTE-A Security Architecture 21
be eliminated in the last round. First, a 128-bit round key is XORed to the state, then
in the next layer a byte-by-byte substitution is performed using 16 ×16 look up table to
provide the confusion property. Permutation is realized at the Shif tRow layer at the
byte level. Finally, MixColumn layer combines blocks of four bytes by using a matrix
operation. The Shif tRow and M ixC olumn layers provide the diffusion property. How-
ever, AES-CTR mode is similar to a stream cipher since, instead of encrypting the plain
text directly, the counter is encrypted then Xored with the plain-text to produce the
cipher-text for transmission. Until now no known attacks have been reported yet against
AES. Apart from offering strong encryption via 128-bit keys, AES computational time
is high since it uses 10 rounds of iterations [24].
Figure 2.8: AES Algorithm
2.4.3 EEA3
The four bits identifier ”0003” is used to define the 128-bit EEA3 algorithms and the core
which is based on a new stream cipher called ZUC [11]. Although ZUC was designed by
Chinese Academy of Science to be permitted for use in China. It is a word oriented cipher
that takes as input a128-bit initial cipher key and a128-bit initial vector. The output
is 32-bit word key-stream, also called key-word that would be used to encrypt/decrypt
the plain text. The ZUC stream cipher as shown in the Figure 2.9 has three main
Chapter 2. LTE/LTE-A Security Architecture 22
logical layers: LFSR, Bit-Reorganization (BR) and Non-Linear Function (NLF). The
LSFR is composed of 16 registers, each one containing 31 bits and taking values from
1 to 231 1. Additionally, it has two modes of operation: the initialization mode and
the working mode. During the initialization mode, LSFR takes a 31-bit input word
computed by removing the rightmost bit from the XORing the cipher key and the initial
vector. However, in the working mode, the LSFR does not receive any input. The BR
makes four words by extracting 128 bits from LSFR states. The first three words are
used by the NLF and the last one is used to construct a key-stream. Indeed, despite the
fact that ZUC appears to have a sound design with a large security spectrum, it requires
more analysis to gain further confidence [23].
Figure 2.9: ZUC Algorithm
2.5 EPS Integrity Algorithms (EIA)
The 3GPP standardized three EIA algorithms to be used for data integrity in LTE/LTE-
A. The main principle of the three standardized algorithms (EIA1, EIA2, and EIA3) is
applying an under layer stream cipher as a tool to encrypt the public and secret keys,
and making use of the encrypted result in the upper layer using secure hash functions
to compute the MAC-I of the message. For a better understanding of the proposed
solution, we present in the following the description and the flaws of each of the three
standardized algorithms.
Chapter 2. LTE/LTE-A Security Architecture 23
2.5.1 EIA1
EIA1, similarly to EEA1 is identified by 4 digits ”0001” and is based on universal
hashing and Galois Message Authentication Code (GMAC) scheme for the generation of
the MAC [25]. The core cipher of EIA1 is based on SNOW 3G as illustrated in Figure
2.10. EIA1 suffers from two different forgery attacks as has been demonstrated by [26],
the first attack is linear forgery attack, and the second one is known as a trace extension
forgery attack. Furthermore, as already mentioned, the core cipher of SNOW 3G is
quite complicated especially in terms of hardware implementation [23] .
Figure 2.10: EIA1 Algorithm
2.5.2 EIA2
Likewise EEA2 the four digit ”0002” is identifying the 128-bits EIA2. The cipher core
of EIA2 is based on a 128-bit AES in the CMAC (cipher-based MAC) mode [27]. In
CMAC mode as shown in Figure 2.11, a block cipher is used instead of a hash function.
This mode is divided into two phases: Sub-key generation and MAC generation. The
Chapter 2. LTE/LTE-A Security Architecture 24
IK is used to generate two sub-keys: K1 and K2 with 128-bits length each. To the best
of our knowledge, there are no known attacks against EIA2. However, similar to EEA2
its computational time is high since its core cipher AES uses 10 rounds of iterations to
produce the hash value for each message block.
Figure 2.11: EIA2 Algorithm
2.5.3 EIA3
As for EEA3, a four bit identifier ”0003” is used to define the 128-bit EIA3. The 128-
EIA3 algorithm is based on a universal hashing and a one-time-pad masking, and uses
the GMAC mode as EIA1. The EIA3 algorithm as depicted in Figure 2.12 takes as
inputs to its ZUC core cipher a 128-bit IK and IV. However, like EIA1, EIA3 suffers
from linear and trace extension forgery attacks [26]. In addition, as already mentioned,
the computational complexity of EIA3 is also high since its core cipher ZUC uses multi
round operations to achieve maximum diffusion and confusions.
2.6 Conclusions and Discussions
This chapter was dedicated to provide a general overview of the security architecture
of LTE/LTE-A networks. The 3GPP has rigorously defined the security architecture of
LTE/LTE-A networks and divide it into five different functional levels. The access level
security constitutes the main objective of this thesis. Thus, the majority of the chapter
was dedicated to the security services of the access level and more particularly between
UE and eNB. Furthermore, the three main security features in the access network namely
Chapter 2. LTE/LTE-A Security Architecture 25
Figure 2.12: EIA3 Algorithm
authentications, confidentiality and integrity were presented while indicating their im-
portance and their necessity for protecting user’s information as well as its privacy.
Authentication of subscribers followed by key agreements between the UE and the
LTE/LTE-A network are considered as the most important security features in the net-
work access. Any failure of the authentication procedure or leak of the secret keys during
key agreement would made the whole network security system questionable. Therefore,
the 3GPP has standardized EPS-AKA protocol for authentication of the subscribers
with the SN as well as the derivation procedure of the symmetric keys requested dur-
ing encryption and integrity protection of user’s and signaling data. Moreover, the key
hierarchy employed for the different sessions and entities in the LTE/LTE-A architec-
ture enforces the security but at the expense of additional complexity to the procedure.
As regards to D2D authentication in LTE/LTE-A which constitutes one of the main
contributions of this thesis, there is no specific standardized protocol adopted by the
3GPP since the D2D concept within 4G systems is very recent and has not been yet
handled by the 3GPP. Although D2D authentication has already been well investigated
in other wireless and mobile network technologies [28], [29], [30],[31],[32] but these solu-
tions are not very appropriate for LTE/LTE-A technologies because of the considerable
differences in their security architecture. More specifically, the main issue with EPS-
AKA and its related enhanced versions is that they were originally not been designed
Chapter 2. LTE/LTE-A Security Architecture 26
to support D2D communications since the engagement of four network entities (UE,
eNB, MME and HSS) are necessary in the authentication and key derivation procedure.
While in D2D communications scenario, only two entities (UE and eNB) are involved
in the authentication procedure.
Using EPS-AKA or any other of its enhanced versions for D2D authentication results in
high communications and computation overhead and leads in extra energy consumptions
as well as higher latency. Furthermore, as previously introduced, the methodologies of
authentication and key agreement between two communication devices have been well in-
vestigated in other wireless and mobile technologies. In VANETs and MANETs most of
the methodologies are using digital certificates which is one hand the infrastructures han-
dling certificates is not supported in LTE/LTE-A networks in the second hand because
of high computation overheads followed by using such methods. Others are proposing
using symmetric polynomials in the authentication and key derivation for MANETs and
WMN respectively but with a pre-assumption of a secure channel. As a consequence
we conclude there is no suitable protocol is available which could be adapted in a way
or another for authentication and key derivation in D2D communications. Hence, the
authentication and key derivation for D2D communication is a novel topic which will be
addressed throughout this thesis.
The privacy of user’s information which is denoted as data confidentiality is another
important security future which is has been taken in consideration by 3GPP. The first
standardized algorithm denoted as EEA1 is based on the SNOW 3G which has been
already used in 3G UMTS, while the second one is based on AES with further security
enhancements. A third algorithms is based on ZUC has been proposed and designed in
China in order to fulfill Chinese government regulation requirements [33]. Moreover, the
standardized algorithms have been subjected to different security analysis and computa-
tional complexity in several research works to assess their efficiency in terms of security
and computational complexity. Furthermore, since LTE/LTE-A networks intended to
support high data rates to the end users, substantial computational power and energy
are required during ciphering and deciphering procedure at both UE and the core net-
work sides. The traditional ciphering algorithms employed by the 3GPP standardized
solutions depend on the concept of multi-round operations i.e. applying confusion and
diffusion on the plane text for several rounds in order to achieve maximum security. A
trade-off between strong and sufficient security and computational complexity should
be taken into account during the conceptions of ciphering algorithm and trying to mini-
mize energy consumption. A novel ciphering algorithm for LTE/LTE-A to achieve data
confidentiality and at the same time reduce the computational complexity would be a
Chapter 2. LTE/LTE-A Security Architecture 27
promising tool to decrease energy consumption at both UE and the core network. The
proposed solutions in this thesis is based on novel method by applying confusion and
diffusion for only one round to perform ciphering/deciphering procedure and achieving
the required security, which by consequence leads in reduced complexity and less energy
consumption.
The integrity protection denoted mostly as DI is also considered as an important se-
curity future for LTE/LTE-A networks especially for control plane data in which the
3GPP made it mandatory. Likewise data confidentiality, three algorithms has been pro-
posed for data integrity where the same stream ciphers have been reused in the core
algorithms. However using the same core cipher in both data integrity and data con-
fidentiality has not any cryptographic objectives rather than re-usability purposes [8].
Data integrity algorithms have been also subjected to security analysis in the literature
to test their efficiency. At least two different attacks has been reported against EIA1 and
EIA3 and even no known attack still not reported for EIA2 but in terms of complexity
the algorithms still acquire high complexity. Again, reducing complexity of the algo-
rithms used in integrity protection is another method to decrease energy consumption
in LTE/LTE-A networks. ..
Chapter 3
Efficient and Robust Ciphering
Algorithms forr LTE/LTE-A Data
Confidentiality (DC)
3.1 Introduction
An important service which is essential of any secure communication in mobile networks
is Data Confidentiality (DC) which refers to the prevention of an unauthorized disclo-
sure of data transmitted between two communication nodes to a third party attackers
or intruders, such as individuals, entities or processes. The disclosure of sensitive data
can result in loss or damage, such as identity theft, lawsuits, loss of business, or regu-
latory fines. To achieve DC in the networks, encryption is the best method to protect
sensitive data contained in a message. Unencrypted data, which is known as plain-text,
is converted to encrypted data, which is known as cipher text. Data is encrypted with
an algorithm and a cryptographic key. Cipher-text is then converted back to plain text
at its destination.
Accordingly, two different cryptographic methods are mainly used to perform cipher-
ing/deciphering procedure: Asymmetric Encryption (AE) and Symmetric Encryption
(SE). AE refers to the encryption methods which require two keys: a public one used
for data encryption and a private one used for decrypting the message. While in the SE
the two parties of the communication use the same symmetric key for both encryption
and decryption.
29
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 30
In the LTE/LTE-A systems architecture as described in [3], the UE and the eNB are
connected through the AS protocols where the DC is performed at the Packet Data
Convergence Protocol PDCP sub-layer. The PDCP performs ciphering/deciphering of
user and control plane data at both UE and eNB sides through an encryption algorithm.
As it has already been explained in Chapter 2, the 3GPP has standardized three SE
algorithms for DC to ensure confidentiality of user and signaling data in LTE/LTE-A
networks. The first algorithm is a 128-bit key EPS Encryption Algorithm (128-EEA1),
which is a stream cipher algorithm, based on SNOW 3G and already employed in Uni-
versal Mobile Telecommunication System (UMTS). The second one is 128-EEA2 which
is based on the AES block cipher algorithm used in its CounTeR mode (CTR mode) [34].
The last standard 128-EEA3 has been recently designed and it is now published for pub-
lic evaluation, its core is based on ZUC stream cipher [3].
Nevertheless, the flaws and drawbacks related to security and complexity of the stan-
dardized solution have been well addressed in Chapter 2. Therefore, designing a less
complex DC algorithm has adequate security strength is desirable, since it would require
lower computation power and consequently lower energy consumption at both eNB and
UE sides during ciphering/deciphering procedure.
Shannon had demonstrated in [12] that the conventional technique to obtain a powerful
encryption of a block of bytes is achieved by using the confusion and diffusion layers for
several rounds. A round in a cipher algorithm is typically consists of a number of build-
ing blocks that are composed together to create a function that is run multiple times.
Consequently, larger number of rounds results in stronger security performance but with
higher computation overheads. Thus, one should find a trade-off between computation
complexity and strong security.
In this chapter, we propose a novel stream cipher technique based on SDN structure
which its main advantage is in one hand its reduced complexity to one round instead of
several rounds employed in the standardized algorithms, and on the other hand it pos-
sesses strong security strength as the standardized solutions. The proposed one round
cipher algorithm consists of an addition, a substitution and a diffusion layer. The addi-
tion layer uses binary XOR operation with constant block value to ensure key uniformity.
The substitution layer is constructed from the nonlinear transformation of RC6 to add
confusion. Finally, the diffusion layer is built from the output of the substitution layer.
The output results of the cipher are key-streams used for encryption/decryption of data.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 31
The rest of this chapter is organized as follows: The procedure of cryptographic realiza-
tion in LTE/LTE-A networks is presented in Section 3.2. In Section 3.3, we introduce
and describe our proposed algorithm and the functionality of each layer is described in
detail. Simulation tests for the cryptographic strength and performance are introduced
in Section 3.4. Finally in Section 3.5 the chapter will be discussed and concluded.
3.2 Cryptographic realizations in LTE/LTE-A
Cryptology is sometimes defined as the art and science of secret which are considered as
useful and effective tool for pocketing confidentiality of communications. Modern cryp-
tography is based on mathematical functions. These functions either have significant
complexity to be computed or they can only be computed with extra information i.e.
(the key). Indeed, most cryptographic protection methods rely on the concept of using
keys and these keys themselves have to be managed and protected in an efficient way
especially in the SE methodologies widely used in communication networks.
The concept of SE algorithms is based on the principle of using the same keys for en-
crypting the plane-text as well as decrypting the cipher-text and they are divided into
two main classes: block ciphers and stream ciphers. In a block cipher, a fixed-length
plain-text block is transformed into cipher-text block of the same length using symmet-
ric keys. Thus, for any fixed key if the plain text is pand the symmetric key used is k,
encryption function is Eand the decryption function is Dthe block cipher is a bijection:
c=E(p, k); p=D(c, k) = D(E(p, k), k).
While in the stream ciphers, the plain-text bits are combined with a pseudorandom
cipher bit stream (key-stream), typically by an exclusive-or (XOR) operation. The idea
of a stream cipher is based on a simple secure cipher called the one-time pad and the
cipher text is calculated as: c=kp. Similarly at the decryption side the plain text is
obtained as: p=kc.
In LTE/LTE-A networks the concept of stream ciphering is employed in the standardized
algorithms EEA1 EEA2 and EEA3. However, the AES (Core cipher of EEA2) which is
originally considered as a block cipher, is used in the counter (CTR) mode to produce
key streams and acting as a stream cipher [35]. The encryption/decryption algorithms
are located at PDCP sub-layer in the protocol stack of LTE/LTE-A networks as shown
in Figure 3.1 and the keys to be used by PDCP sub-layer are managed by the upper lay-
ers. The input parameters to the ciphering algorithm are; a 128-bit cipher key (usually
KU P enc for user plane data encryption and KRRCenc for control plane data encryption)
and a 128-bit Initial Vector (IV). The IV is a fixed-size input to a cryptographic primitive
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 32
Figure 3.1: PDCP Layer.
that is typically required to be random or pseudorandom. Randomization is crucial for
encryption schemes to achieve semantic security, a property whereby repeated usage of
the scheme under the same key does not allow an attacker to infer relationships between
segments of the encrypted message [36].
For LTE/LTE-A networks, the IV is composed of a 32-bit counter, a 5-bit bearer identity,
the 1-bit direction of transmission (shall be 0 for uplink and 1 for downlink) and the
length of the required key-stream. In addition, bits are padded in order to fill a 128-bit
block [37]. Typically, the cipher algorithm considers a stream of packets in plain-text
Pexists at the source (UE or eNB) and requires to be transmitted safely. This stream
is divided into many packets Pw, (w= 1, . . . , h) and each packet is divided into many
blocks Mw
j(j= 1,2, . . . , q) of 128-bit length. The process of encryption/decryption in
EEA is depicted in Figure 3.2, for the jth plain-block of the wth packet. More precisely,
at the encryption side, the cipher-text Cw
j={cw
j, 1, cw
j, 2, . . . , cw
j, n}is obtained by
XORing the bytes of the jth plain-data block (plain text) {mw
j, 1, mw
j, 2, . . . , mw
j, n}with
their corresponding output byte key-stream Sw
j={sw
j, 1, sw
j, 2, . . . , sw
j, n}obtained from
the ciphering algorithm:
cw
j, i =mw
j, i sw
j, i (3.1)
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 33
Figure 3.2: Ciphering a block of data.
Likewise, at the decryption side, the ith byte of cipher block is XORed with the ith byte
of key-stream sw
j, i to recover the ith byte of the plain block mw
j, i :
mw
j, i =cw
j, i sw
j, i (3.2)
3.3 Efficient and Robust Ciphering Algorithm (ERCA)
In Section 3.2, the realization of a cipher algorithm in LTE/LTE-A networks has been
presented with a description of the necessary parameters included in the IV construc-
tion. In this section a novel and practical cipher algorithm is presented to achieve DC
in LTE-/LTE-A networks. Usually, the term efficiency refers to having the fastest exe-
cution time while keeping necessary security of the network. This permits to overcome
previously-described drawbacks of the standardized solutions. The main properties of
our proposed solution are: high level of security and efficiency in computation complex-
ity without any need for memory overhead. The effectiveness of secure stream cipher is
a necessary condition for practical implementation. The proposed stream cipher algo-
rithm candidate has similar architecture to AES in the sense that it is a block cipher
used in its CTR mode.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 34
The basic scheme of the proposed ciphering algorithm is presented in Figure 3.3. For
each input block, the process of addition layer is applied first, then the process of sub-
stitution. After that, we reshape the output of substitution process (row) to form a
sub-matrix, which is used to construct the diffusion matrix. Finally, the process of dif-
fusion is applied using the obtained diffusion matrix on the output of substitution layer.
The proposed cipher algorithm uses secret key K={k1, k2, . . . , k16}with 128-bit
length. Indeed,the ciphering algorithm is performed on a set of bytes of input block
Xw
j={xw
j, 1, xw
j, 2, . . . , xw
j, 16}, which is obtained from the XOR between the bytes of K
generally referred as (KU P enc or KRRC enc ) in the LTE/LTE-A networks and IV w
jas
follow:
xw
j, i =kiI V w
j, i, i = 1,2,...,16 (3.3)
ERCA takes the Xas an input to its first layer i.e (addition layer) following the procedure
until we get the ciphered result at the end of the algorithm. In the following, the
functionalities of each layer are described in details.
3.3.1 Initial Key Addition Layer
The addition layer uses constant block value, that has been chosen with uniform bit
distribution to provide the uniformity to the key-stream by mixing the input block with
a constant block, which would be carried out on bytes (byte by byte) using logical XOR
operation as follows:
yw
j, i =xw
j, i ti(3.4)
where xw
j, i is a byte of the input block and tiis a byte of the constant block which all the
bits are zeros. The use of logical operation XOR ensures the uniformity, which makes
the differential cryptanalysis extremely difficult.
3.3.2 Substitution Layer
The substitution process is the most important operation in any cipher algorithm due to
its non linearity which makes the algorithm immune against differential and linear crypt-
analysis. The substitution layer could be in forms of S-box as it is the case in AES and
ZUC, or could be a nonlinear transformation as we used here. Mathematically, an m×m
substitution layer is a nonlinear mapping F: (0,1)m(0,1)m, where (0,1)mrepresents
the vector spaces of elements from binary Galois field. The proposed substitution layer
uses the nonlinear transformation of RC6 [38], with an efficient modification, since the
original RC6 has poor cryptographic properties, especially high differential probability
approximation which makes it useless to be used as a substitution layer. The nonlinear
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 35
Figure 3.3: ERCA stream cipher
transformation of RC6 is performed as below:
z=F(y) = mod(y×(2 ×y+ 1),2Q)>> log2(Q) (3.5)
where >> is bitwise right shift and Qis equal to 8, since the substitution layer is applied
on byte level. This transformation is applied for multi-iteration irs = 1,2, . . . , rs. Hence,
a substantial enhancement of its cryptographic properties is achieved. Starting with
initial vector V, where Vj=jand j= 0,1,...,255., the output vector after each
iteration becomes the input vector for the next one. The obtained results in Figure 3.6
and 3.7 show that the optimal number of iterations to attain a good performance (LPF,
SAC ,BIC and DPF) as described in Section 3.4 is log2(Q) = 3. Therefore, in our
implementation each byte is substituted by applying the RC6 nonlinear function for
three iterations.
3.3.3 Diffusion Layer
The diffusion process includes two steps: secret matrix generation G; and Modular 256
vector matrix multiplication.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 36
3.3.3.1 Construction of the secret matrix G
The diffusion layers are linear transformation, which is represented as matrices. However,
the proposed technique of key dependent diffusion layer is designed to be efficient and
robust, which means that the avalanche effect has to be achieved in cooperation with the
substitution layer. In addition, this method is based on a special rule of algebra, which
can provide the properties of flexibility, effortless to be implemented in hardware, key
dependent, and non invertible matrix as its determinant is equal to 0 (singular matrix).
In the following, the proposed method to build a dynamic diffusion matrix is described.
It is based on a particular matrix structure (non invertible 2D matrix), simple to realize
and successful in terms of speed of calculation. The 2D matrix is presented below.
A=
a b
c d
;det(A) = ad bc (3.6)
Hence, if det(A) = 0 then a×d=b×c. To obtain the proposed structure of non in-
vertible key dependent diffusion layer, considering that dis equal to b, which leads to
a×b=b×c. This gives us that ais equal to c. Then, the form of a secret matrix in
2D is defined as below:
A=
a b
a b
(3.7)
Assuming that bis equal to a×(2 ×a+ 1) mod 2256, the non invertible matrix requires
only one parameter a. In this formulation called back below, parameter ais replaced by
the sub matrices Ato form the diffusion matrix with ndimensions.
G=
A B
A B
(3.8)
Ais a non-zero matrix of size n
2timesn
2. The elements of Acan be freely chosen from
any Galois field such that Gis full rank. In our simulation, the elements of this sub-
matrix varies between 0 and 255. Having a matrix Gconstructed from four sub-matrices
(A, B, C, D), the non- invertibility of this matrix can be proven as follows.
Its determinant is given by:
det(G) = det(A)×det(DCA1B) (3.9)
=det(A)×det(BABA1)
=det(A)×det(BB)
= 0
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 37
where D=B, and C=A.
Therefore, the necessary condition to not have an inverse matrix is attained and the
attackers cannot calculate the inverse secret matrix G1to get the original substituted
data. An example to construct the secret matrix Gis shown in Figure 3.4 for n= 16.
The output of the substitution layer is reshaped to form a sub-matrix parameter temp
with size n
4×n
4. Later, this sub-matrix is replicated to form a sub-matrix Awith size
n
2×n
2., which is required to form the final matrix (diffusion layer).
3.3.3.2 The Proposed diffusion Process G
The input of the diffusion layer is nbytes and diffusion is performed on a series of
substituted bytes {F(y1), F (y2), . . . , F (yh)}, which the output from is the produced
key-stream. The key-stream Sis obtained by performing a modular multiplication
matrix using the secret matrix G, which is obtained from the substituted data. The
architecture of the diffusion process is shown in Figure 3.5. The coefficients vector
{G1, G2, ..., Gn}are described as the global diffusion matrix (G). Each global diffusion
vector Giis represented as a sequence of independent random numbers from a byte field.
The relationship among input block data, Gand Scan be described as follows:
S=G×(F(Y))
=
s1
s2
.
.
.
sn
=
G1,1G1,2· · ·G1,n
G2,1G2,2· · ·G2,n
.
.
..
.
.....
.
.
Gn,1Gn,2· · ·Gn,n
·
F(y1)
F(y2)
.
.
.
F(yn)
(3.10)
Where Gi,j is a diffusion coefficient that varies between 0 and 255 for the line iand col-
umn jand i, j = 1,2, ..., n.F(yi) is a substituted byte, siis the resulting byte key-stream
Finally, the output key-stream Sis XORed with the plane text Mto produce the cipher-
text Cto be transmitted.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 38
Figure 3.4: An example of creation of the diffusion Layer
3.4 Cryptographic strength and performance
In this section, the cryptographic properties of the proposed algorithm are presented.
The algorithm is subjected to several tests such as uniformity, randomness and key sensi-
tivity to assess its efficiency and to show how far it is consistent with security standards.
In addition, the time complexity is quantified and compared to AES algorithm.
3.4.1 Cryptographic performance of the substitution layer
A strong n×nsubstitution layer must have some important properties, based on in-
formation theory analysis [39], [40], [41]. The main five properties are: bijectivity, non
linearity, Strict Avalanche Criterion (SAC), output Bit Independence Criterion (BIC),
and equiprobable input/output XOR distribution.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 39
Figure 3.5: Proposed Diffusion Technique
3.4.1.1 Linear Probability Approximation Boolean Function (LPF)
One of the important properties of the substitution layer is non linearity to make it
capable resisting linear cryptanalysis attacks. LPFis used to measure the nonlinear
degree of a given substitution layer, it is calculated according to [39]. In Figure 3.6-a,
the variation of LPFagainst the number of iterations rs is shown. It attains its minimum
value after three iterations.
3.4.1.2 Differential Probability Approximation Function (DPF)
Differential Uniformity is one of the important properties of any substitution layer for
obtaining the nonlinear transformation and hence resisting differential cryptanalysis
attacks [40]. DPFis used to measure differential uniformity of our substitution layer as
in [42]. Figure 3.6-b, shows the variation of DPFagainst the number of iterations rs,
which attains its minimum value after 4 iterations.
3.4.1.3 Strict Avalanche Criterion (SAC )
Webster and Tavares were the first to present SAC when they generalized the avalanche
effect [41]. A cipher system function is satisfying SAC whenever a single input bit is
complemented, the output bit should be changed at least with a probability of half.
Certainly, SAC is considered a desirable characteristic of any block ciphering algorithm
and used to quantify the degree of security of the s-boxes of substitution-permutation
networks. Therefore, any strong ciphering system should fulfill these criteria The average
SAC value (mean of 8x8 values of the dependence matrix) versus the number of iteration
rs is shown in Figure 3.7-a. We can observe that the SAC value becomes very close to
the ideal value 0.5 after three iterations.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 40
(a) (b)
Figure 3.6: Variation of the LP F (a) and DP F (b) against the number of iterations
3.4.1.4 Output Bit Independence Criterion (BIC)
BI C is another property which has also been described by Webster and Tavares [41]
and considered as another desirable characteristic of cipher algorithms. The BIC spec-
ifies that: two output bits j, k should change independently when a single input bit iis
changed for all i, j and k. The average value of BIC (mean of 8x8 values of the BIC
matrix without the diagonal) versus the number of iteration rs is shown in Figure 3.7-
b. We can observe that the BIC becomes very close to the ideal value 0.5 after three
iterations. This result is similar compared with SAC, so the number of iterations is set
to be equal to 3 to attain an acceptable performance with low complexity possible.
3.4.2 Randomness of the produced key-stream
The security strength of the proposed stream cipher is depending on the produced key-
stream; therefore the stream cipher should produce key-streams with high level of ran-
domness. Some parameters of the LTE packet header are used in addition to the counter
to form IV, which implies that the sub-matrix used in the construction of the diffusion
layer is renewed for each block; consequently the produced key-stream is updated. In
Figure 3.8, the recurrence (a) and distribution (b) for a random key-stream are shown.
These results indicate clearly a good degree of randomness and uniformity. To prove
these properties, the cipher key-stream has been analyzed using the randomness test
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 41
(a) (b)
Figure 3.7: Variation of the SAC (a) and BI C (b) against the number of iterations
of NIST [43]. In order to get correct statistical results one needs to provide 100 secret
keys and each key-stream sequence should be at least 1000000 bit long. The NIST test
performs 15 tests on the data sample, and the total amount of executing NIST STS
tests is 189. Results of testing the key-stream randomness are shown in Figure 3.9. The
obtained proportion values (success rate) show how many samples passed given tests.
The red line marks minimum proportion values in order to consider the sequence to be
random. Random Excursions and Random Excursions Variant tests represent 26 tests
with different parameters, which have other minimum proportion values. The simulation
results indicate clearly the randomness of the generated key-streams.
3.4.3 Key sensitivity
The sensitivity of the secret key is analyzed for 1000 random keys. All the elements of
K0
iare equal to those of ith key Ki, except the Least Significant Bit (LSB) which was
flipped. The percent of Hamming distance is calculated as follows:
P DH =PT
k=1 CiC0
i
T×100% (3.11)
where Tis the length in bit level of the encrypted packet, and Ciand C0
iare the
corresponding cipher packets using Kiand K0
irespectively.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 42
(a) (b)
Figure 3.8: Recurrence of producing key-stream (a) and its distribution (b) using a
secret random key K
Figure 3.9: Proportion values of NIST tests
In Figure 3.10, the sensitivity of the secret key versus 1000 random keys is shown, while
only the LSB of Kiis changed. This result indicates a high sensitivity, while the average
Hamming distance percent is closer to the optimal values (50%) in bit level.
3.4.4 Statistical properties
To demonstrate the safe use of our stream cipher, it is important to analyze its charac-
teristics, in terms of random recurrence, mixing nature, and low coefficient correlation
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 43
Figure 3.10: The key sensibility results for change random LSB of the secret key K
versus 1000 random keys
between original and encrypted data packets. In our simulation, the proposed stream
cipher scheme is considered as a black box and randomly choosing a set of initial packets
with a 125000 byte length, which are normally distributed with a mean equal to 128
and a standard deviation equal to 8.
3.4.4.1 Recurrence
The recurrence plot serves to measure the evaluation of randomness and estimates the
correlations among the data of a sequence as in [44]. Considering a packet sequence
xi=xi,1, xi,2, . . . , xi,m, a vector with delay t1 can be constructed by:
xi(t) = xi, xi+t, xi, 2×t, ..., xi, m×t. In Figure 3.11 a and b, the variation between xi(t)
and xi(t+ 1) from the original and the encrypted packets are shown respectively. We
can observe that that no clear pattern is obtained after encryption.
3.4.4.2 Mixing nature
The mixing nature serves as a measure of the uniformity and it can be quantified by a
statistical approach. If the frequency counts of the encrypted generation are close to a
uniform distribution, then it is possible to categorize that the concerned cipher under
test has a good level of mixing. In Figure 3.12-a and b, the distribution of the original
packets and their corresponding cipher packets respectively are shown. This result shows
clearly that the contents of the encrypted packets are spread overall the space and have
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 44
(a) (b)
Figure 3.11: Recurrence plot of the original packet (a) and its correspondent en-
crypted ones (b)
a uniform distribution. To validate this uniformity, the Chi-square test [45] is applied
and works as follow:
χ2
test =
l
X
i=1
oiei
ei
(3.12)
where lis the number of levels (here 256), oiis the observed occurrence frequencies
of each level of field size (0-255) in the histogram of ciphered generation contents, and
eiis the expected occurrence frequency of uniform distribution. For a significant level
of 0.05, the null hypothesis is not rejected and the distribution of the histogram is
uniform if χ2
test χ2
theory (255,0.05) 293. The average results of the Chi-square test
for 1000 different sets of generation for the whole ciphered packets against his shown in
Figure 3.13. The distribution of the tested histogram is uniform for 97%, that means
a strong mixing property is obtained.
3.4.4.3 Low coefficient correlation
Another important requirement for any encryption scheme which must be attained is
that the encrypted data should be greatly different from its original form. The encrypted
packets should have redundancy and correlation as low as possible. First, the correlation
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 45
coefficient between the original and encrypted packets is measured. The correlation
coefficient is computed according to the following formulas:
(a) (b)
Figure 3.12: The distribution of the contents original stream packet (a) and its
correspondent encrypted one in (b)
ρx,y =cov(x, y)
pD(x)×D(y)(3.13)
where cov(x, y) = E[{xE(x)}{yE(y)}];
E(x) = 1
n×
n
X
k=1
xi
and D(x) = 1
n×
n
X
k=1
{xiE[x]}
In Figure 3.14, the coefficient correlation between the original and encrypted packets
versus 1000 different keys and data packets is shown. This result shows the correlation
coefficient is always close to zero which indicates that no detectable correlation exists
between the original and its corresponding cipher packets.
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 46
Figure 3.13: Variation of the χ2
test of cipher packets for 12508 bytes length versus
1000 random keys
Figure 3.14: The coefficient correlation between the original and encrypted stream
packets versus 1000 random keys
3.4.5 Execution Time
The execution speed is very important for any DC algorithm since it is directly related
to the time and resources required for ciphering/deciphering. The execution time should
be maintained very low, especially when a huge amount of data is to be transmitted such
as in LTE systems. The average calculation times in ms (on 10000 times) to encrypt a
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 47
packet Magainst T b is quantified, where T b represents the length of the block such as
128, 256, 512, 1024, etc. These calculations are performed under the following software
and hardware environment: Matlab 2012 and micro-computer Intel Core 2 Duet 2.1 GHZ
CPU with 2 GB RAM Intel, under Windows7. we conclude that the variation of average
time is linear. The average time necessary against T b is estimated (approximately) using
the linear interpolation method. It shows that the proposed method is indeed sufficiently
fast for LTE/LTE-A applications. Finally, we compared the mean encryption time (in
ms), versus T b, of the proposed cipher with AES. The proposed secure scheme is at least
4.5 times faster than the AES algorithm as shown in the Figure 3.15.
3.4.6 Discussion and Cryptanalysis
A cryptographic scheme is considered secure if it is strong enough to resist attacks.
According to Shannon’s theory, the confusion and diffusion processes must be applied
to provide resistance against the powerful attacks that is based on statistical analy-
sis [12].These processes are repeated for several rounds to achieve the avalanche effect
which leads to delay in terms of execution times (high computation complexity that lead
to high delay and consumption of energy) especially for resource constrained devices.
Our proposed stream cipher ERCA is constructed in a new manner, where the diffusion
process changes in a dynamic manner (pseudo-random) and doesn’t possess the invert-
ible property.
Concerning the substitution layer, when the number of iterations is 8, all properties
Figure 3.15: Variations of the average time ratio for messages encryption
(AES/ERCA) in function to its length
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 48
become weak, this means that, increasing the number of iterations leads to eliminate
totally the advantage of bitwise right shift, since this function without >> is linear and
cannot be used as substitution layer. The proposed function is periodic and its periods
are 8 iterations and the best performance is attained in three iterations. To demonstrate
the performances of the proposed substitution layer, its properties are compared with
the substitution layer of AES and ZUC (S0and S1) in Table 3.1. The results showed
that the proposed substitution layer possesses sufficient cryptographic performances and
the obtained results of LPF,DPF,SAC and BI C are very close to the standardized
solutions. The cryptographic security of our scheme relies on two properties:
- using a new efficient substitution layer
- using a dynamic diffusion layer with unpredictability and high sensitivity of the G
Table 3.1: Comparison Analysis of Substitution Layer
Test Proposed AES S0S1
LPF25.3262526
DPF24262426
SAC 0.5 0.4998 0.494 0.509
BI C 0.502 0.4998 0.4951 0.505
Moreover, the statistical properties of the proposed secure scheme (such as the unifor-
mity of the cipher packets and the low coefficient correlation between the original and
encrypted block of packets) are attained, which can provide immunity against the statis-
tical attacks. In addition, differential and linear attacks would become ineffective, since
the avalanche effect is attained and the diffusion layer changes for each block. In fact,
any change in any bit of secret key or public parameters causes a significant difference
in the encrypted blocks as see in Figure 3.10. The key space of the secret key is 2128,
which is sufficiently large to make the brute-force attack infeasible. Additionally, the
use of non invertible dynamic diffusion layer will limit the ability of the attackers who
try to break out the cipher.
3.5 Conclusion
In this Chapter, our novel algorithm ERCA has been presented to be used in data
confidentiality protection in LTE/LTE-A networks. The main motivation of the novel
algorithm was to achieve the security requirements with minimum complexity. The key
idea of ERCA was based particularly on usin substitution diffusion networks similar
Chapter 3. Efficient and Roubust Ciphering Algorithm for LTE/LTE-A 49
as AES algorithm. While AES is based on Shannon’s vision of ciphering algorithm by
performing diffusion and confusions functions for at least 10 rounds as in EEA2, our
proposed algorithms performs the encryption in only one round. Indeed, ERCA is a
round function consists of an addition, a substitution and a diffusion layer. We have in-
troduced a new technique of key dependent stream cipher which achieves the avalanche
effect with an acceptable trade-off between security and complexity. Additionally, ERCA
algorithm has been subjected to several statistical and analytical tests that are essen-
tial for any cipher algorithm to be considered credible and robust. Simulation results
showed that ERCA possesses most of the necessary cryptographic properties. Moreover,
considerable reduced computational time has been achieved if compared to AES algo-
rithm. In consequence, reduced computational power and energy consumption during
ciphering/deciphering processes are attained.
.
Chapter 4
Efficient and Robust Algorithm
for LTE/LTE-A Data Integrity
(DI)
4.1 Introduction
One of the important security services in any wireless channel is Data Integrity (DI) since
if compared with wired transmission, active eavesdropping in a wireless environment is
relatively easy. Integrity protection of data is mainly responsible for the prevention of
modification of messages during transmission over the air interface. It is also respon-
sible for the protection against impersonation attacks [8]. In public key cryptography
or asymmetric cryptography, the integrity is mostly protected using digital signatures,
while MACs are preferred in symmetric cryptography. The MACs differ from digital
signatures as MAC values are both generated and verified using the same secret key.
However, because of the high computation requirement of digital signature calculation,
the integrity protection in the resource constrained devices such as mobile terminals is
mostly based on MAC. In mobile networks such as LTE/LTE-A, the integrity protection
is performed using MAC that convert strings of variable lengths to fixed-size strings
called hash values, hash codes or simply hash. Cryptographic hash functions can be
keyed or un-keyed. The un-keyed ones are called Modification Detection Codes (MDCs)
that provide only data integrity. The Keyed Hash Functions (KHFs) are MACs which
besides the integrity protection help in the authentication of originality of data [46].
Moreover, as LTE networks intend to support high data rates and an enhanced data,
voice, and video experience for end users, it is desirable to develop a low computation
51
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 52
DI algorithm with acceptable security strength, to speed up data processing and conse-
quently reduce the computational time.
In this chapter we propose a new efficient and robust DI algorithm we baptise Efficient
and Robust Algorithm for Data Integrity (ERADI). ERADI is based on a KHF and the
concept of Merkle and Damgard [47], [48]. Its main advantage is the use of a dynamic
substitution-diffusion technique in the core cipher of the algorithm which requires only
one round of processing instead of several processing rounds as required by the stan-
dardized reference solutions. Likewise the ERCA cipher algorithm already presented in
Chapter 3, the core cipher of the proposed hash function consists of addition, substitu-
tion and diffusion layers. In addition, a chaining layer is also employed in order to ensure
more bit dependency. Notably, the core cipher employed here is not exactly as same
as the one that used in the ERCA algorithms as it is the case in the all standardized
solutions. By employing ERADI in LTE/LTE-A networks, significant computational
complexity reduction and consequently important energy savings are expected.
The rest of this chapter is organized as follows. In Section 2, the realization of integrity
protection in LTE/LTE-A networks is presented. In Section 3, the novel proposed
ERADI algorithm is detailed. Simulation and test results are discussed in Section 4.
Finally, this Chapter’s developments and results will be discussed and concluded in
Section 5.
4.2 Realization of integrity protection in LTE/LTE-A net-
works
While the digital signatures are mostly used for the integrity protection in public key
cryptography, MACs are widely preferred in the integrity protection of the mobile net-
works where the symmetric cryptography is employed in such scenarios. There exist
several of widely used MACs, such as HMAC [49], EMAC [50], XCBC [51], OMAC [52],
[53] and XOR MAC [54]. The conventional MAC algorithms consist of two components:
the underlying cipher and the upper-level structure. An underlying cipher could be a
keyed hash function, block cipher or stream cipher. Moreover, the input message for a
MAC generation algorithm is allowed to have an arbitrary length, it passes through the
underlying cipher and becomes the cipher text. Then, the cipher text is assembled by
the upper-level structure to get a fixed-length string, which is the output of the MAC.
Although most of the traditional MACs are based either on hash functions or block ci-
phers, recently the use of a stream cipher as an underlying cipher for MAC attracts more
and more attentions in current research works. The three standardized DI algorithms
for LTE/LTE-A networks EIA1, EIA2 and EIA3 apply an under layer cipher as a tool
to encrypt the public and secret keys, and make use of the encrypted result in the upper
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 53
layer to compute the Message Authentication Code for Integrity (MAC-I) of the mes-
sage. EIA1 and EIA3 algorithms adopt the concept of Galois Message Authentication
Code (GMAC) [25] which its basic idea is to employ a block cipher in its counter mode
to act as a stream cipher. While EIA2 algorithm is based on the concept of CMAC i.e.
using the output from the cipher algorithm directly as a MAC.
In LTE/LTE-A systems specifications, the integrity protection is mostly mandatory for
control plane data but the user plane data is not integrity protected except for Relay
networks [13]. When a communication session is started, the UE and the eNB are con-
nected through the Access Stratum (AS) protocol [55], and the DI feature is achieved
in the PDCP sub-layer. It is important to note that the DI algorithm and the key to
be used by the PDCP entity are configured by upper layers. Generally, an EIA algo-
rithm, as shown in Figure 4.1, takes as input a 128-bit Integrity Key (IK), which is the
KRRCint in (LTE/LTE-A key derivation hierarchy) subsequently a 32-bit COUNT, a
5-bit bearer identity, a 1-bit direction representing the transmission direction (shall be 0
for uplink and 1 for downlink), and finally the message itself which is the control plane
data (denoted also as RRC signaling traffic). The derived output is a 32-bit MAC-I. The
sender appends the MAC-I to the message when sent. In the same way, for DI checking,
the receiver computes the expected message authentication code (XMAC-I) using the
received message and compares it to the MAC-I.
However, the standardized solutions have their own drawbacks especially in terms of
computational complexity as already explained in Chapter 2. The next sections de-
scribe our contributions to solve the previously mentioned drawbacks, and more partic-
ularly the computational complexity. we propose a novel efficient DI algorithm which
computational complexity will be reduced significantly.
4.3 ERADI Algorithm Description
In this section,we detail our ERADI algorithm based on CMAC we called ERADI is
proposed for LTE/LTE-A networks, which has to ensure the data integrity protections
for the control plane data at PDCP sub-layer. The process of MAC generation which
uses the concept of Merkle and Damgard [47], [48] is depicted in Figure 4.2. It consists
of a round compression function (a hash function based on a block cipher), which is
applied in an iterative process.
In fact, the input message M(control plane data of LTE PDUs) with a random length N
is padded if necessary to ensure that the length of Mis multiple of T b (here T b = 128).
Mis subsequently divided into nb blocks (M1, M2, . . . , Mnb), where nb 1, and each
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 54
Figure 4.1: Derivation of MAC-I/XMAC-I
Figure 4.2: The iterated design of the proposed keyed hash function for ERADI
block consists of n=T b/8 bytes. Likewise, IV is formed from a 32-bit COUNT, a 5-bit
bearer identity and the 1-bit direction of the transmission; it is also is padded with
zeros to form a 128-bit block. The hash value is calculated according to the following
equation:
Hi=ERADI(Hi1, Mi)i= 1,2, . . . , nb (4.1)
where H0=IKIV. The last output Hnb is truncated by getting the 32 MSB (Most Sig-
nificant Bits), which is exploited directly as MAC-I. Indeed, every Mi, IK and IV are
divided to n= 16 bytes before being taken as inputs to the cipher.
The proposed core cipher of ERADI function compromises four layers: addition, chain-
ing, substitution and diffusion layers, which is depicted in Figure 4.3.
It is important to note that the overall structure of this cipher is almost similar to the
structure of ERCA algorithms. The main difference is that in the ERADI algorithm
a chaining layer is added to the original structure. Therefore, the different layers will
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 55
be explained briefly since their functionalities details have been largely introduced in
Chapter 3.
4.3.1 Addition Layer
Let us consider a given block Mi,i[1, nb]. The addition layer uses a constant block
value, that has been chosen with uniform bit distribution to provide the uniformity to
the message by mixing this constant block with the input block, which should be carried
out on bytes (byte by byte) using logical XOR operation as follows:
yi,j =hi1, j mi,j tj(4.2)
where hi1, j is the jth byte of the input to the addition layer, which is the previous
output of the compression function (with h0,j =IKjIVj), tjis the jth byte of the
constant block and mi,j is the jth byte of the considered message block Mi.
4.3.2 Chaining Layer
The chaining layer can be considered as a CBC mode, where each byte of the input
block is XORed with the previous output chaining byte, and would be carried out on
bytes (byte by byte) as follows, starting with ui,1=yi,1:
ui,j =yi,j ui,j1j= 2,3, . . . , n (4.3)
This means that, each output byte of the block depends on all input byte blocks processed
up to that point. The chaining layer has been chosen to ensure a high sensibility for
the parameters of the substitution layer and consequently for the diffusion layer. In
addition, this guarantees that the avalanche effect, key and initial vector sensibilities are
attained.
4.3.3 Substitution Layer
The proposed substitution layer presents a potential modification of the Non Linear
Transformation (NLT) of RC6 [38], which is originally expressed as:
y=RC6(x) = mod(x×(2 ×x+ 1),2W)>> log2(W) (4.4)
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 56
Figure 4.3: Proposed compression function (ERADI)
where >> is bitwise right shift and Wis equal to 8. A modified version of RC6 is
employed to ensure a dynamic nonlinear transformation. Indeed the proposed dynamic
substitution layer is reformulated as:
Zw=F(Zw1) (4.5)
=mod(Zw1×(rw×Zw1+tw),2w)>> log2(w)
where Z0=U,w= 1, . . . , 4 and (rw, tw) are the control parameters for iteration w.
In fact, rwand twhave to be an even and odd bytes respectively.
These different control parameters are generated as:
r0=unand s0=un
rw=RC6(rw1),(4.6)
sw=RC6(sw1), w = 1,2,3,4
where unis used since it is the last output byte of the chaining layer and represents
the XORed value of all elements of the vector Y={y1, y2, . . . , yn}. After that, the
Least Significant Bit (LSB) for each element rwand swis set to 0 and 1 respectively,
to ensure the bijectivity property (one-to-one). Accordingly, each byte is substituted by
applying the RC6 non linear function using four different couples of control parameters
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 57
(rw, tw), w= 1,2,3,4. In the Table 3.1, we present the corresponding cryptographic
properties of the original RC6 and our proposition. These results indicate clearly that the
original transformation has poor cryptographic properties, especially a high differential
probability approximation which makes it useless for being used as a substitution layer.
Accordingly, a potential enhancement of the cryptographic properties is achieved using
our modification compared to the original one.
4.3.4 Diffusion Layer
The diffusion process is a linear transformation which is represented as matrices. This
layer includes two steps: secret matrix generation Gand Modular 256 vector matrix
multiplication. Indeed, the proposed dynamic diffusion layer is based on a special rule of
algebra, which can provide the properties of flexibility, through the use of non invertible
matrix as its determinant is equal to 0 (singular matrix). Equally important to note, it
is effortless to implement this diffusion technique in hardware since it can be executed
in parallel as shown in Figure 3.5.
4.3.4.1 Secret matrix generation G
The output of the substitution layer is reshaped to form a sub-matrix parameter temp
with size n
4×n
4. Later, this sub-matrix is replicated to form a sub-matrix Awith size
n
2×n
2. The form of the diffusion matrix with ndimension is given as below:
G=
A B
A B
(4.7)
Assuming that Bis equal to A×(2 ×A+ 1) mod 2256. Besides, having a matrix G
constructed from four sub-matrices (A, B, C, D), it can be proven that this matrix is
non-invertible. Indeed, the determinant is given by:
det(G) = det(A)×det(DCA1B) (4.8)
=det(A)×det(BABA1)
=det(A)×det(BB)
= 0
where D=B, and C=A.
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 58
Therefore, the necessary condition for not having an inverse matrix is attained and the
attackers cannot calculate the inverse secret matrix G1to get the original substituted
block data, which in turn ensures the one way property.
4.3.4.2 Modular matrix multiplication of G
Considering any block message Mi,i[1, nb], the diffusion process is performed on a
series of nsubstituted bytes {zi,1, zi,2, . . . , zi,n}and its output is the produced hashed
block Hi, which is obtained by performing a modular multiplication matrix using the
secret matrix G, derived from the substituted data. The architecture of the diffusion
process is shown in Figure 3.5.
The coefficients vector {G1, G2, ..., Gn}are described as the global diffusion matrix (G).
Each global diffusion vector Giis represented as a sequence of independent random
numbers from a byte field. The relationship between input block data, Gand Scan be
described as follows:
Hi=G0×Zi
=
hi,1
hi,2
.
.
.
hi,n
=
g1,1g1,2· · ·g1,n
g2,1g2,2· · ·g2,n
.
.
..
.
.....
.
.
gn,1gn,2· · ·gn,n
·
zi,1
zi,2
.
.
.
zi,n
(4.9)
Where Gil,ic is a diffusion coefficient that varies between 0 and 255 for the line il and
column ic, with il and ic from 1 to n.
Finally, after the calculation of MAC-I from the sender, which is obtained directly by
truncating 32-bits of MSB of H, the result is appended to the original message and sent
to the receiver. Similarly, on the receiver side the IK and IV with ERADI function are
used to calculate XMAC-I in order check the integrity of the message.
4.4 Cryptographic Strength and Performance Evaluation
In this section, different cryptographic properties of the proposed substitution layer of
the core cipher of the algorithm is presented since the chaining layer is added and the
cipher should be again tested to ensure its security strength. Moreover, most important
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 59
substitution layer testes are applied in order to prove its performance. Then, the overall
algorithm is analyzed using several statistical tests such as uniformity, randomness, key
sensitivity, etc. to assess its efficiency and to show how far it is consistent with the main
security requirements. Finally, the time complexity is quantified and compared to EIA2
algorithm.
4.4.1 Cryptographic performance of the proposed dynamic substitu-
tion layer
As been already described in the previous chapter, a strong n×nsubstitution layer
must have some important properties, based on information theory analysis [39], [40],
[41]. These main properties are: bijectivity, non linearity SAC,BI C, and equiprobable
input/output XOR distribution. The LPFcan be calculated according to [39]. In Fig-
ure 4.4-a, the variation of LPFagainst the seed (byte) unis shown and the probability of
LPF<24is 0.968, those of 26LPF25is 0.322 and those of LPF>24is only
0.0313. Moreover, LPFmaximum, minimum and average values are: 22,25.3561, and
24.749 respectively. The majority of LPFresults produced from the substitution layer
have acceptable values. This indicates that the proposed dynamic substitution layer
possesses an acceptable non-linearity property which can ensure the resistance against
linear attacks.
Another test is performed forDPFand the results represented in Figure 4.4-b, show the
variation of DPFagainst the seed (byte) u1. The probability of DPF<24is 0.8477
and that of DPF>22is only 0.0156. Moreover, maximum, minimum, and average
values of DPFare: 21,24.6781and24.1758 respectively. These results show that the
substitution layer can resist the differential attacks.
Similarly, concerning the SAC, the average value (mean of 8x8 values of the dependence
matrix) against the seed u1is shown in Figure 4.5-a. We can observe that the SAC is
always very close to the ideal value 0.5. Finally, the average value of BIC (mean of
8x8 values of the BIC matrix without the diagonal) versus the number of iterations r
is shown in Figure 4.5-b. We can observe that the majority of the BI C average values
is around the optimal value of 0.5. The simulation results indicate clearly that the
proposed substitution layer satisfies the two criteria of SAC and BI C and hence can
resist the known and chosen plain/cipher-text attacks. In conclusion, the substitution
layer has suitable properties for being used in the proposed core cipher of the ERADI
algorithm.
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 60
Figure 4.4: Variation of the LP F (a) and D P F (b) versus the number of random
keys
Figure 4.5: Variation of the SAC (a) and BIC (b) versus the number of random keys
4.4.2 Security analysis and performance of the proposed hash function
In this section, several tests are performed to analyze and prove the feasibility and the
strength of our proposed algorithm. Several simulation tests have been carried out and
the results of collision, key space and sensibility tests have been analyzed. Furthermore,
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 61
a comparison is carried out between ERADI algorithm and the recent EIA2 standard in
terms of the speed of execution.,
Figure 4.6: Spread of the message and hash value: (a) distribution of the message in
ASCII code; (b) distribution of the hash value in hexadecimal format
4.4.2.1 Hash value distribution
The security of any hash function is much related to the uniform distribution of the hash
value. To verify the uniformity of the hash value to the original text, a simulation of
input message in ASCII code is performed using first 10 lines of the introduction section
of this chapter.
The original paragraph distribution as depicted in Figure 4.6 is distributed in the range
of ASCII codes, and its corresponding hash value distribution is spread out randomly.
Similarly, another test has been performed on an input message consisting of a string
of zeros. The results as illustrated in Figure 4.7 show that even in this special case the
output hash value still shows a random distribution. Furthermore, in order to check
the uniformity of hash value, another test is applied by simply computing the length
of unique elements of the obtained hash values. Table 4.1 presents the corresponding
percent of unique elements for 10000 hash values, where each value is obtained from
a random secret key and the message. The percentage distribution of unique elements
verifies its uniformity, since approximately 92.312% of hash values have at least 15
different elements, which indicates that a strong uniformity is achieved.
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 62
Table 4.1: Frequency of the different number of ASCII characters for N= 10000
Number of different ASCII characters 16 15 14 13
Frequency 6238 3043 649 70
Figure 4.7: Spread of all zeros message and hash value: (a) distribution of all Zeros
message; (b) distribution of the Hash value in hexadecimal format
4.4.2.2 Hash value sensitivity to the original message
Another criterion of the hash function security is its sensitivity to the original input
message. For verifying the sensitivity of hash values, hash simulations have been per-
formed under the following conditions:
C1-The original paragraph (first 10 lines of the introduction of this chapter);
C2-Replacing the first character O from the original paragraph by S;
C3-Modifying the word DI in the original paragraph to DE;
C4-Replacing the full stop from the original paragraph to comma;
C5-Adding a blank space to the original paragraph.
Table 4.2: Distribution of changed bit percent under different conditions
Case C1 C2 C3 C4 C5
C1 0 48.4375 49.0625 50.7813 52.3438
C2 48.4375 0 48.7500 53.9063 57.0313
C3 49.0625 48.7500 0 55.4688 53.9063
C4 50.7813 53.9063 55.4688 0 51.5625
C5 52.3438 57.0313 53.9063 51.5625 0
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 63
Figure 4.8: Hash values under different conditions
The simulation results of binary sequences are depicted in Figure 4.8 and the correspond-
ing percent of changed bits are presented in Table 4.2. These results indicate clearly
that a very small change in the original message produces an enormous change in the
output hash value.
4.4.2.3 Diffusion and Confusion: Key and message sensitivity
The sensitivity refers to a huge change in the hash value with respect to a slight change in
the keys IK or IV and the original message itself. A DI algorithm is considered as robust
against related key attacks if it ensures the sensitivity of the secret keys IK and initial
vector IV. In particular, when the payload of a control data packet is treated, a tiny
change of keys or IV should give two completely different hash values and consequently
MAC values. The sensitivity of IK and IV are analyzed for 1000 random keys and IVs
respectively using the percent of Hamming distance for IKwwhere w= 1,2, . . . , 1000.
that can be calculated as follows:
KSw=PT
k=1 HIKw, I V (M)HI K 0
w, IV (M)
T×100% (4.10)
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 64
where Tis the length in bit level of the hash value, and HIKw,HIK w0are the cor-
responding hash values using IKwand I K 0
wrespectively. All the elements of IK0
ware
equal to those of the wth key IKw, except a random LSB which was flipped. Indeed,
the same processing is realized for measuring the sensitivity of IV which gives a similar
result, since IK and IV are mixed together to form H0. Likewise, the sensibility of the
original message is performed and calculated as follows:
P Sw=PT
k=1 HKw, IV (M)HKw, I V (M0)
T×100% (4.11)
where all the elements of message M0are equal to those of message M, except a random
LSB which was flipped.
Furthermore, in Figures 4.9 and 4.10, the sensitivity of the secret key and original
message versus 1000 random keys and messages are shown respectively, while only a LSB
is changed of the secret key IKwor M. We can observe that the majority of samples
is closer to the optimal values in bit level (50%). Additionally, 87.88% and 87.61 % of
samples have KS and P S 45% respectively. We can also see that KS and P S follow
a normal distribution. Their minimum, maximum, average and standard deviation are
presented in Table 4.3. Similarly, the same results are obtained for changing a single bit
in IV. Consequently we can conclude that the chosen/known plain-text attacks would
become ineffective.
Figure 4.9: Percent of number of the changed bits versus 1000 random secret keys
(changed random bit of the secret key) (a) and its corresponding distribution (b)
Finally, the properties of diffusion and confusion of the function are attained, since the
sensibility of secret key and initial vector are achieved, which indicates that the necessary
security requirement is attained within one round.
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 65
Figure 4.10: Percent of number of the changed bits versus 10000 original tests
(changed random bit of the message) (a) and its corresponding distribution (b)
Table 4.3: Statistical Results
%KS %P S
min 33.593 34.3750
max 67.187 64.8438
Avg 50.04 49.9663
ST D 4.42 4.4505
4.4.2.4 Collision resistance
Collision resistance refers to the difficulty to find two diverse inputs to the hash function
whose outcomes are the same. Generally, the resistance against the collision is verified
using the following test, which is conducted for a hash value randomly generated from
a paragraph of the input message and stored in ASCII format. Randomly a bit will be
selected from the chosen paragraph and flipped; the output hash value of the modified
message will be also stored in ASCII format. A comparison between the two hash values
is achieved by counting the number of identical positions of ASCII characters i.e (having
the same value in the same location) and is calculated as follows:
Dif f =
n
X
i=1
D{H(i), H0(i)},(4.12)
where D(x, y) = 1 if x=yand D(x, y) = 0 otherwise.
Simulation results presented in Table 4.4 indicate that the maximum number of equal
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 66
characters (hits) attained is three for our proposition. Consequently, a stronger collision
resistance is ensured, which makes our proposition immune against birthday, man-in-
the-middle and differential attacks [56].
Table 4.4: Percent distribution of the number of ASCII characters with the same
value at the same location in the hash value for random LSB bit of secret key K(a) or
the plain-message P(b)
Number of Hits 0 1 2 3
% (a) (random LSB bit of K) 94.1 5.75 0.15 0
% (b) (random LSB bit of P) 93.69 6.12 0.18 0.01
4.4.3 ERADI Execution Time
Besides the security features, the execution speed is an important criterion to quantify
the computational complexity of our proposed algorithm and compare it to the stan-
dardized solution. The comparison is achieved with the EIA2 (AES) algorithm since it
is considered as the most secure compared to the two other algorithms EIA1and EIA3.
The average calculation time ratio (ERADI/EIA2) to the hashed message Mwith dif-
ferent lengths is depicted in Figure 4.11.
These results were obtained using the following software and hardware environment:
Matlab 2012 and micro-computer Intel Core 2 Duet 2.1 GHZ CPU with 2 GB RAM
Intel, under Windows7. Clearly, the variation of time ratio is linear and the average
requested computational time ratio between EIA2 and ERADI is close to 4.5, which
indicates that AES requires 4.5 more times than our proposal during encryption/de-
cryption procedure. Consequently, lower computational complexity leads to faster data
processing and less energy consumption by the devices (both the UE and the eNB).
Conclusions and discussion
As the available standardized approaches such as EIA1, EIA2 and EIA3 have their own
drawbacks regarding security and/or performance, we have proposed in this Chapter
ERADI, a novel data integrity algorithm for 4G LTE/LTE-A mobile networks. The
cipher core of ERADI is based on a new technique using chaining with dependent sub-
stitution and diffusion layers to attain the avalanche effect, secret key and initial vector
sensibility. The chaining layer is added to add more bit dependency and attain the re-
quirements of a secure MAC. Moreover, the statistical properties such as the uniformity
of the produced hash value, key sensibility are attained, which can provide immunity
Chapter 4. Efficient and Robust Algorithm for LTE/LTE-A Data Integrity 67
Figure 4.11: Variations of the average time ratio versus message length
against the statistical attacks. Furthermore, known attacks such as linear attacks, dif-
ferential attacks and chosen plain/cipher-text attacks would become ineffective, since
the avalanche effect is attained. In fact, any change in any bit of the message, secret key
or public parameters i.e(initial vector) results in a significant difference in the produced
hash value as been illustrated in the analyses section. The key space of the secret key
is 2128, which is sufficiently large to make the brute-force attack infeasible. Besides, the
use of non invertible dynamic confusion and diffusion layer will limit the ability of the
attackers to try breaking out the underlying cipher algorithm.
In addition, the advantage of the proposed ERADI scheme is its reduced complexity
compared to other standardized algorithms recently in use, since it operates one round
of iteration to achieve the necessary cryptographic properties, instead of several rounds
of iterations deployed by the reference algorithms. This ERADI lower complexity results
in reduced latency and higher data processing speed which is a desirable feature for mo-
bile terminals supporting LTE/LTE-A networks with restricted and limited resources.
Moreover, to confirm better performance of our proposal, a comparison with the core
cipher of EIA2 is performed. Consequently, all simulations results demonstrated clearly
the proposed ERADI scheme has the necessary sufficient security features to be consid-
ered as a secure MAC and could be considered as a new and interesting candidate for
LTE/LTE-A network’s integrity protection.
Chapter 5
Device to Device Lightweight
Authentication and Key
Agreement Protocol
5.1 Introduction
Recently, D2D communications have attracted large research attentions to develop effi-
cient solutions for direct communications between two proximate devices without passing
through a base station or another third-party device. D2D paradigm is proposed to be
employed in cellular networks between two UEs in order to enhance the performance.
Indeed, the majority of D2D related research works concentrate mainly on licensed band
(in band) modes using cellular resources where the service providers prefer to maintain
a stable and permanent control over the communication rather than using other uncon-
trolled environments (out band) such as (ad hoc Wi-Fi and Bluetooth) networks using
unlicensed bands [6]. At the standardization level, the concept of D2D has been adopted
by 3GPP in LTE Release12 to enable LTE becoming a competitive broadband commu-
nication technology for public safety networks [57].
D2D is considered an efficient communication method since the proximity UEs may al-
low for extremely high bit rates, low delays and low energy consumption. In addition
a portion of traffic of which was originally had to be passed through the eNB would be
offloaded which leads in again low delays and low energy consumption. Furthermore,
better security is expected since the communicated data is not routed through Internet
cloud and hence not stored in anywhere but on the specified devices.
69
Chapter 5. Device to Device Lightweight Authentication Key Agreement Protocol 70
Nevertheless, one of the major concerns in any wireless and mobile communication sys-
tem is the security of the data during transmission over unsecured channels as it is
the case in the D2D communications. Authentication and key agreement are among
the most difficult and important aspects of security in any data transmission between
two transmitting nodes. Unlike the traditional mobile communications, where the key
derivation, authentication and ciphering/deciphering between two devices are passed
through the core network, D2D in LTE/LTE-A supposes direct communication between
two UEs without any involvement of the core network.
The current 3GPP authentication and key agreement protocol (AKA) deployed for 3G
mobile networks and its successor for 4G mobile systems, called Evolved Packet Sys-
tem authentication and key agreement (EPS-AKA) are used to authenticate UEs with
the Serving Network (SN) and also to generate the diverse necessary symmetric keys
to ensure DI and DC [13]. The procedure of authentication and key derivation of the
AKA protocol is achieved through four entities in LTE/LTE-A; the UE, the eNB, the
Mobility Management Entity (MME) and the Home Subscriber Server (HSS). However,
the involvement of all these entities in AKA protocol may have a negative effect on the
latency and bandwidth consumption if AKA is to be employed for D2D communications.
Therefore it is desirable to have an independent protocol to ensure the authentication
of the two UEs as well as deriving the necessary keys for both DC and DI services.
Accordingly, using public cryptography would be a promising tool for such kind of au-
thentication since it has been already employed in similar scenarios for different wireless
and mobile technologies. The principle idea is employing ECC in the authentication
procedure besides using security hash functions in derivation of symmetric keys used for
both DI and DC.
The rest of the chapter is organized as follows. In Section II, concepts of D2D in
wireless and mobile technologies are presented. Section 3 describes the proposed security
mechanism with its different phases. In Section 4, the security properties of the proposed
scheme are analyzed and discussed. Finally, we conclude the chapter in Section 5.
5.2 D2D Authentication and key management in mobile
and wireless technologies
In Chapter 2 we have already explained in detail the authentication and key agreement
protocol AKA-EPS and we have explained why this protocol is not well suited for being
used in the D2D scenario in LTE/LTE-A networks. Moreover, the concept of D2D such
as ad-hoc WLAN mode has been available in IEEE 802.11 for many years but with a
Chapter 5. Device to Device Lightweight Authentication Key Agreement Protocol 71
limited usage compared to infrastructure mode. Additionally, authentication and key
management for D2D communications have been already well studied in other wireless
and mobile technologies such as Mobile Ad hoc Networks (MANET) [28], Wireless Sen-
sor Networks (WSN) [29], Wireless Mesh Networks (WMN) [30], Bluetooth [31] and
Vehicular Ad hoc Network (VANET) [32]. Yet, the employed paradigms and method-
ologies are not well suited for D2D in LTE/LTE-A because of the computation and
communication overheads followed by deploying such methods, as well as the explicit
difference in their security architecture.
Digital certificates issued by certificate authorities are among the cryptographic tech-
niques employed for authentication in the aforementioned networks. However, the stor-
age and transmission of the certificates are followed by a tremendous computation and
communication overheads. In addition, the network should be provided with an infras-
tructure supporting such kind of certificates [58]. The authors in [59] propose using
symmetric polynomial based key distribution for authentication and generation of sym-
metric keys using a cellular system. The main drawback of the suggested scheme is
that the authors assume a secure channel for distributing the polynomials, which is not
the case in reality. A similar concept has been used in the WMN in [60] ( i.e. using
polynomial based cryptography for key derivation). The Identity Based Cryptography
(IBC) has been employed in [61] and the authors proposed using pairing to distribute
the key between two neighboring nodes. However, this method is not well adapted for