
Lightweight Security Solutions for LTE/LTE-A Networks

Soran Hussein

To cite this version:

Soran Hussein. Lightweight Security Solutions for LTE/LTE-A Networks. Networking and Internet Architecture. Université Paris Sud - Paris XI, 2014. English. NNT: 2014PA112366. tel-01144657.

HAL Id: tel-01144657

https://tel.archives-ouvertes.fr/tel-01144657

Submitted on 22 Apr 2015


Université Paris-Sud

Ecole Doctorale Informatique Paris Sud

Laboratoire Recherche en informatique

Discipline : Computer Science

DOCTORAL THESIS

Defended 8/12/2014 by

Soran Sabah Hussein

Lightweight Security Solutions

for LTE/LTE-A Networks

Advisor: Dr. Lila Boukhatem, Université Paris-Sud

Co-advisor: Pr. Steven Martin, Université Paris-Sud

Composition of the jury:

Reviewers: Pr. Hakima Chaouchi, Institut Télécom Sud-Paris

Dr. Hassnaa Moustafa, Intel Corporation

Examiners: Pr. Joffroy Beauquier, Université Paris-Sud

Dr. Thi-Mai-Trang NGUYEN, Université Pierre et Marie Curie, Paris 6

Dr. Nadjib Ait saadi, Université Paris Est Créteil Val de Marne

Abstract

Recently, the 3rd Generation Partnership Project (3GPP) has developed the Long Term Evolution/Long Term Evolution-Advanced (LTE/LTE-A) systems, which have been approved by the International Telecommunication Union (ITU) as 4th Generation (4G) mobile telecommunication networks. Security is one of the critical issues that must be handled carefully to protect the information of users and mobile operators. Thus, the 3GPP has standardized algorithms and protocols to secure the communications between the different entities of the mobile network. However, increasing the security level in such networks should not impose heavy constraints on them, such as complexity and energy. Indeed, energy efficiency has recently become a critical need for mobile network operators in order to reduce carbon emissions and operational costs. The security services in mobile networks, such as authentication, data confidentiality and data integrity, are mostly performed using cryptographic techniques. However, most of the standardized solutions already adopted by the 3GPP depend on encryption algorithms with high computational complexity, which in turn increases energy consumption at the different communicating parties of the network. Data confidentiality, which mainly refers to the protection of the privacy of the user's information, is achieved at the Packet Data Convergence Protocol (PDCP) sub-layer of the LTE/LTE-A protocol stack by one of the three standardized algorithms (EEA1, EEA2 and EEA3). However, each of the three algorithms requires high computational complexity, since they rely on Shannon's theory of encryption algorithms, applying confusion and diffusion for several rounds. In this thesis, we propose a novel confidentiality algorithm using the concept of substitution and diffusion in which the required security level is attained in only one round. Consequently, the computational complexity is considerably reduced, which in turn reduces the energy consumption during both the encryption and decryption procedures. Similarly, the same approach is used to reduce the complexity of the 3GPP data integrity algorithms (EIA1, EIA2 and EIA3), whose core ciphers rely on the same complex functions. Finally, we investigate in this thesis the authentication issue in the Device to Device paradigm proposed for 4G systems. Device to Device communications are direct communications between two mobile devices without passing through the core network. They constitute a promising means to increase performance and reduce energy consumption in LTE/LTE-A networks. In this context, authentication and key derivation between two mobile devices have not been well investigated. Thus, a novel lightweight authentication and key derivation protocol is proposed to authenticate two communicating devices during session establishment as well as to derive the necessary keys for both data encryption and integrity protection.

Summary

Recently, the 3GPP (3rd Generation Partnership Project) standardized the LTE/LTE-A (Long Term Evolution/LTE-Advanced) systems, which have been approved by the ITU (International Telecommunication Union) as 4th generation mobile telecommunication networks. Security is one of the essential issues that must be handled carefully to protect the information of the operator and of the users. The 3GPP has therefore standardized several algorithms and protocols to secure the communications between the different entities of the network. However, raising the security level in these systems should not impose heavy constraints on them, such as high computational complexity or high energy consumption. Indeed, energy efficiency has recently become a critical need for operators in order to reduce the ecological footprint and the operational costs of these systems. Security services in mobile networks, such as authentication, data confidentiality and data integrity, are most often carried out using cryptographic techniques. However, most of the standardized solutions already adopted by the 3GPP depend on encryption algorithms of high complexity, leading to higher energy consumption in the different communicating entities of the network. Data confidentiality, which mainly refers to ensuring that information is accessible only to those authorized to access it, is performed at the PDCP (Packet Data Convergence Protocol) sub-layer of the LTE/LTE-A protocol stack by one of the three standardized algorithms (EEA1, EEA2 and EEA3). Yet each of the three algorithms requires high computational complexity, because they rely on Shannon's theory of encryption, which applies confusion and diffusion functions over several iterations. In this thesis, we propose a new confidentiality algorithm using the concept of substitution and diffusion, in which the required security level is reached in a single round. Consequently, the computational complexity is considerably reduced, which reduces the energy consumed by the encryption and decryption functions. In addition, the same approach is used to reduce the complexity of the 3GPP data integrity algorithms (EIA1, EIA2 and EIA3), whose encryption concept relies on the same complex functions. Finally, we study in this thesis the authentication problem in the context of the D2D (Device to Device communications) paradigm introduced in 4G systems. The D2D concept refers to direct communication between two mobile terminals without passing through the core network. It is a promising means of improving performance and reducing energy consumption in LTE/LTE-A networks. However, authentication and key derivation between two mobile terminals in the D2D context have not been studied. We therefore propose a new lightweight authentication and key derivation protocol that authenticates the D2D terminals and derives the keys needed for both encryption and data integrity protection.

Acknowledgements

I would like to express my heartfelt gratitude to the many people who have supported me as I completed my graduate studies and dissertation. First, I would like to sincerely thank my advisor, Dr. Lila Boukhatem, for providing continuous support and instructive guidance throughout my studies.

I present my sincere thanks to my co-advisor, Prof. Steven Martin, who has supported me not only by providing a research assistantship, but also academically and emotionally through the rough road to finish this thesis.

I also owe a debt of gratitude to my colleagues of the Network Group in the Laboratory of the Research in Informatics (LRI), with special thanks to Dr. Hassan Noura, who was a post doc at the time, for being another advisor to me to finish the thesis in time. I wish to thank the reviewers, Prof. Hakima Chaouchi and Dr. Hassnaa Moustafa, for having the patience to read this dissertation and for giving me valuable and detailed comments on my thesis. Thanks also to all the members of the jury, as it is a great honor for me to have them evaluate my work.

I would like to emphasize my love and thanks to my family, with special thanks to my mother and father, for providing a loving and supportive environment throughout my childhood that fostered my academic success and for continued support today.

Finally, I would also like to acknowledge the Kurdistan Regional Government's funding support during my 5-year study in France.

Contents

Abstract
Acknowledgements
Contents
List of Figures
List of Tables
Abbreviations

1 Introduction
  1.1 Overview
  1.2 Research objectives
    1.2.1 Lightweight data integrity and data confidentiality algorithms
    1.2.2 Authentication key agreement protocol for D2D communications
  1.3 Thesis's Contributions
    1.3.1 Novel and lightweight data confidentiality algorithm for LTE/LTE-A networks
    1.3.2 Novel and lightweight data integrity algorithm for LTE/LTE-A networks
    1.3.3 Authentication and key agreement scheme for D2D communications
  1.4 Organization of the Thesis

2 LTE/LTE-A Security Architecture
  2.1 Background
  2.2 Security levels and services of LTE/LTE-A networks
    2.2.1 Authentication and key derivation
    2.2.2 Confidentiality of user plane and control plane data
    2.2.3 Integrity of control plane data
  2.3 EPS Authentication and Key Agreement (EPS-AKA)
    2.3.1 EPS-AKA procedure
    2.3.2 EPS key hierarchy
    2.3.3 EPS-AKA functionality and related works
  2.4 EPS Encryption Algorithm (EEA)
    2.4.1 EEA1
    2.4.2 EEA2
    2.4.3 EEA3
  2.5 EPS Integrity Algorithms (EIA)
    2.5.1 EIA1
    2.5.2 EIA2
    2.5.3 EIA3
  2.6 Conclusions and Discussions

3 Efficient and Robust Ciphering Algorithms for LTE/LTE-A Data Confidentiality (DC)
  3.1 Introduction
  3.2 Cryptographic realizations in LTE/LTE-A
  3.3 Efficient and Robust Ciphering Algorithm (ERCA)
    3.3.1 Initial Key Addition Layer
    3.3.2 Substitution Layer
    3.3.3 Diffusion Layer
      3.3.3.1 Construction of the secret matrix G
      3.3.3.2 The Proposed diffusion Process G
  3.4 Cryptographic strength and performance
    3.4.1 Cryptographic performance of the substitution layer
      3.4.1.1 Linear Probability Approximation Boolean Function (LPF)
      3.4.1.2 Differential Probability Approximation Function (DPF)
      3.4.1.3 Strict Avalanche Criterion (SAC)
      3.4.1.4 Output Bit Independence Criterion (BIC)
    3.4.2 Randomness of the produced key-stream
    3.4.3 Key sensitivity
    3.4.4 Statistical properties
      3.4.4.1 Recurrence
      3.4.4.2 Mixing nature
      3.4.4.3 Low coefficient correlation
    3.4.5 Execution Time
    3.4.6 Discussion and Cryptanalysis
  3.5 Conclusion

4 Efficient and Robust Algorithm for LTE/LTE-A Data Integrity (DI)
  4.1 Introduction
  4.2 Realization of integrity protection in LTE/LTE-A networks
  4.3 ERADI Algorithm Description
    4.3.1 Addition Layer
    4.3.2 Chaining Layer
    4.3.3 Substitution Layer
    4.3.4 Diffusion Layer
      4.3.4.1 Secret matrix generation G
      4.3.4.2 Modular matrix multiplication of G
  4.4 Cryptographic Strength and Performance Evaluation
    4.4.1 Cryptographic performance of the proposed dynamic substitution layer
    4.4.2 Security analysis and performance of the proposed hash function
      4.4.2.1 Hash value distribution
      4.4.2.2 Hash value sensitivity to the original message
      4.4.2.3 Diffusion and Confusion: Key and message sensitivity
      4.4.2.4 Collision resistance
    4.4.3 ERADI Execution Time

5 Device to Device Lightweight Authentication and Key Agreement Protocol
  5.1 Introduction
  5.2 D2D Authentication and key management in mobile and wireless technologies
  5.3 D2D Authentication and Key agreement scheme based on ECC
    5.3.1 Initialization
    5.3.2 Temporary key generation
    5.3.3 Identification
    5.3.4 Shared Identity Generation (SIG)
    5.3.5 Ciphering and integrity keys generation
  5.4 Security analysis of the proposed protocol
    5.4.1 Randomness of the produced dynamic key
    5.4.2 Identity privacy
    5.4.3 Resistance to the man in the middle attack
    5.4.4 Resistance to impersonation attacks
  5.5 Conclusion and Discussion

6 Conclusion and future works
  6.1 Conclusions
  6.2 Future works and perspective

A List of publications

Bibliography

List of Figures

2.1 The LTE/LTE-A architecture
2.2 Security levels of LTE/LTE-A networks
2.3 EPS-AKA procedure
2.4 EPS key hierarchy
2.5 EPS key derivations on network side
2.6 AS and NAS Protocols
2.7 SNOW 3G Algorithm
2.8 AES Algorithm
2.9 ZUC Algorithm
2.10 EIA1 Algorithm
2.11 EIA2 Algorithm
2.12 EIA3 Algorithm
3.1 PDCP Layer
3.2 Ciphering a block of data
3.3 ERCA stream cipher
3.4 An example of creation of the diffusion Layer
3.5 Proposed Diffusion Technique
3.6 Variation of the LPF (a) and DPF (b) against the number of iterations
3.7 Variation of the SAC (a) and BIC (b) against the number of iterations
3.8 Recurrence of producing key-stream (a) and its distribution (b) using a secret random key K
3.9 Proportion values of NIST tests
3.10 The key sensibility results for change random LSB of the secret key K versus 1000 random keys
3.11 Recurrence plot of the original packet (a) and its correspondent encrypted ones (b)
3.12 The distribution of the contents original stream packet (a) and its correspondent encrypted one in (b)
3.13 Variation of the χ² test of cipher packets for 12508 bytes length versus 1000 random keys
3.14 The coefficient correlation between the original and encrypted stream packets versus 1000 random keys
3.15 Variations of the average time ratio for messages encryption (AES/ERCA) in function to its length
4.1 Derivation of MAC-I/XMAC-I
4.2 The iterated design of the proposed keyed hash function for ERADI
4.3 Proposed compression function (ERADI)
4.4 Variation of the LPF (a) and DPF (b) versus the number of random keys
4.5 Variation of the SAC (a) and BIC (b) versus the number of random keys
4.6 Spread of the message and hash value: (a) distribution of the message in ASCII code; (b) distribution of the hash value in hexadecimal format
4.7 Spread of all zeros message and hash value: (a) distribution of all Zeros message; (b) distribution of the Hash value in hexadecimal format
4.8 Hash values under different conditions
4.9 Percent of number of the changed bits versus 1000 random secret keys (changed random bit of the secret key) (a) and its corresponding distribution (b)
4.10 Percent of number of the changed bits versus 10000 original tests (changed random bit of the message) (a) and its corresponding distribution (b)
4.11 Variations of the average time ratio versus message length
5.1 Scenario of LTE-A D2D communication
5.2 Elliptic curve equation (5.1) (a) and the distribution of Elliptic group E23(1,1) (b)
5.3 Initialization
5.4 Temporary key generation
5.5 Identification
5.6 Shared identity Generation
5.7 Cipher and Integrity Key generation
5.8 Dynamic Key updates algorithm
5.9 Proportion values of NIST tests

List of Tables

3.1 Comparison Analysis of Substitution Layer
4.1 Frequency of the different number of ASCII characters for N = 10000
4.2 Distribution of changed bit percent under different conditions
4.3 Statistical Results
4.4 Percent distribution of the number of ASCII characters with the same value at the same location in the hash value for random LSB bit of secret key K (a) or the plain-message P (b)

Abbreviations

1G  1st Generation
2G  2nd Generation
3G  3rd Generation
3GPP  3rd Generation Partnership Project
4G  4th Generation
AS  Asymmetric Encryption
AES  Advanced Encryption Standard
AKA  Authentication and Key Agreement
AS  Access Stratum
BIC  Output Bit Independence Criterion
CK  Ciphering Key
CMAC  Cipher-based Message Authentication Codes
D2D  Device to Device
DC  Data Confidentiality
DI  Data Integrity
DoS  Denial of Service
DPF  Differential Probability Approximation Boolean Function
ECC  Elliptic Curve Cryptography
ECDF  Elliptic Curve Diffie-Hellman
EEA  EPS Encryption Algorithm
EIA  EPS Integrity Algorithm
EPS  Evolved Packet System
EPC  Evolved Packet Core
ERCA  Efficient and Robust Cipher-Algorithms
eNB  eNodeB
E-UTRAN  Evolved Universal Terrestrial Radio Access Network
FN  Feistel Networks
GSM  Global System for Mobile communications
GMAC  Galois Message Authentication Codes
HSS  Home Subscriber Server
HMAC  Hash Message Authentication Codes
IBC  Identity Based Cryptography
IK  Integrity Key
IP  Internet Protocol
KHF  Keyed Hash Functions
LFSR  Linear Feedback Shift Register
LPF  Linear Probability Approximation Boolean Function
LSB  Least Significant Bit
LTE  Long Term Evolution
LTE-A  Long Term Evolution Advanced
MAC  Message Authentication Codes
MDC  Message Detection Codes
MitM  Man in the Middle
MME  Mobility Management Entity
MTC  Machine Type Communications
NAS  Non Access Stratum
NIST  National Institute of Standards and Technology
PDCP  Packet Data Convergence Protocol
PKG  Private Key Generator
PDNGW  Packet Data Network Gateway
RNC  Radio Network Controller
SAC  Strict Avalanche Criterion
SDN  Substitution Diffusion Network
SE  Symmetric Encryption
SG  Service Gateway
SN  Service Network
SAE  System Architecture Evolution
UE  User Equipment
UMTS  Universal Mobile Telecommunications System
WMN  Wireless Mesh Network

Chapter 1

Introduction

1.1 Overview

The continuous and rapid growth of mobile data consumption, especially due to the tremendous increase in smartphone usage, has motivated the standardization organizations to develop 4G technologies such as Long Term Evolution/Long Term Evolution-Advanced (LTE/LTE-A), moving to higher data rates compared to 3G networks. The deployment of 4G systems has triggered the transition from the existing 3G combined circuit- and packet-switched network to an all-IP (Internet Protocol) architecture, which gives LTE/LTE-A networks a new and different security architecture.

With the proliferation of mobile network usage in our daily lives, security has attracted more and more attention in order to ensure that the system functions properly without any fault or misuse. Security is provided through features such as encryption, integrity protection and authentication, which are required to guarantee the user's privacy as well as to ensure revenue for the mobile network operators [1]. The security architecture of mobile networks has gone through successive evolutions. The first analog generation lacked any security mechanisms, which evolved later within the definition of the successive 3GPP generations: the Global System for Mobile communications (GSM), then the 3GPP Universal Mobile Telecommunication System (UMTS), and now 3GPP LTE/LTE-A. GSM concentrated on the protection of the air interface. Then, substantial improvements were adopted for UMTS security, such as adding new security features for radio access networks and services [2].

Security features, like many other features of mobile networks, should offer world-wide interoperability to achieve global relevance, and this is done through the standardization of these features. Accordingly, the 3GPP, which is the dominant standardization organization for mobile networks, has handled the security issues in 4G LTE/LTE-A systems through the standardization of protocols and algorithms at different network security levels. At the network access level, user authentication and key agreement are performed through the EPS-AKA protocol, an authentication protocol based on symmetric cryptography. Moreover, in order to achieve user privacy, i.e. data confidentiality, the 3GPP has standardized three algorithms for 4G LTE/LTE-A networks: EEA1, EEA2 and EEA3. Similarly, three other algorithms have been standardized for data integrity (EIA1, EIA2 and EIA3) [3].

Nowadays, one of the important issues with a significant negative impact on global health and on social and economic wellbeing is global warming, which results from excessive carbon dioxide (CO2) emissions into the atmosphere. Currently, wireless and mobile technologies contribute about 2 to 3 percent of the overall emission of CO2 into the atmosphere, and this amount is subject to further increase due to the exponential growth in wireless and mobile network subscribers and usage [4]. Later studies have proved that the largest part of the power consumed in wireless and mobile networks is located in the base stations, but an important part is also consumed in the mobile terminals [5]. Yet considerable computation power is required when performing security services in LTE/LTE-A networks, which are carried out at the base stations (denoted eNodeB (eNB)) and the mobile terminals (denoted User Equipments (UE)). Furthermore, during the standardization procedure, the main objective for the selected algorithms and protocols was achieving maximum security, without taking into consideration any environmental or ecological issues such as energy savings. Therefore, it would be desirable to consider new design structures for protocols and algorithms that require less computational power, in order to reduce energy consumption and consequently contribute to the reduction of CO2 emissions.

In light of the above considerations, our objective in this thesis is to propose lightweight security algorithms, and more particularly Data Integrity (DI) and Data Confidentiality (DC) algorithms, by designing cipher algorithms that are efficient in terms of complexity while possessing sufficient security strength. These objectives will be achieved by exploring the compromise between these two conflicting properties (less complexity and maximum security).

Another objective of our work is to consider the security issue in the D2D paradigm. Recently, Device to Device (D2D) communications have attracted considerable research attention aimed at developing efficient solutions for direct communications between two proximate devices without passing through a base station or another third-party device. Indeed, the majority of D2D-related research works concentrate mainly on licensed-band (in-band) modes using cellular resources, where the service providers prefer to maintain stable and permanent control over the communication, rather than on uncontrolled (out-band) environments such as ad hoc Wi-Fi and Bluetooth networks using unlicensed bands [6]. The D2D paradigm has been proposed for use in cellular LTE/LTE-A networks between two UEs in order to enhance performance. It has been adopted by 3GPP in LTE Release 12 to enable LTE to become a competitive broadband communication technology for public safety networks [7]. This type of communication allows the eNBs to reduce their power consumption by decreasing the signaling load, since the two UEs will not use the cells' resources for communication. In addition, the UEs will also save a portion of energy during data transmission, since a shorter transmission path is expected between the two devices. To authenticate the UEs and to provide the necessary keys for DC and DI during D2D communications, a secure and efficient protocol is required. However, although 3GPP has already adopted EPS-AKA as an authentication protocol for UEs, the concept of D2D has not been considered in this protocol. Hence, developing efficient and secure authentication protocols for D2D poses a new research challenge which has not been well investigated in the literature. Another objective of our thesis is to investigate this research issue and to provide efficient and secure solutions.

1.2 Research objectives

1.2.1 Lightweight data integrity and data confidentiality algorithms

According to 3GPP, five security levels are defined in the LTE/LTE-A security architecture: network access, network domain, user domain, application domain and non-3GPP domain security [8]. In this thesis, we mainly concentrate on network access security, and specifically on the link between UE and eNB. To ensure secure communication between any two communicating nodes, the DC and DI security services are indispensable in any security system. DC refers to preventing unauthorized disclosure of the data exchanged between two communicating nodes to third-party attackers or intruders, such as individuals, entities or processes, while DI is used to ensure that the received data has not been modified during transmission. In the LTE/LTE-A system architecture described in [9], UE and eNB are connected through the Access Stratum (AS) protocol, where both the DC and DI security features are carried out in the Packet Data Convergence Protocol (PDCP) sub-layer. The PDCP performs ciphering/deciphering of both user plane and control plane data at both the UE and eNB sides; similarly, it performs DI, but only for control plane data. The keys used by the PDCP are managed by upper layers and derived during the authentication procedure. Although the 3GPP has so far standardized three pairs of algorithms, (EEA1, EIA1), (EEA2, EIA2) and (EEA3, EIA3) [10], [11], to achieve DC and DI, these solutions mostly require high computational time and some of them suffer from security flaws. Therefore, it becomes vital to propose lightweight and effective algorithms that offer decreased computational time and at the same time a strong security level.

1.2.2 Authentication key agreement protocol for D2D communications

Direct communication between two device terminals, denoted D2D in LTE/LTE-A systems, is a new paradigm in 4G mobile networks and has not yet been standardized. The two algorithms suggested in our first contribution for the DC and DI services, which achieve privacy and integrity of users' data, could also be employed in D2D communications by the two involved UEs. However, to the best of our knowledge, D2D key management and user authentication have not yet been addressed. 3GPP stated that LTE/LTE-A networks should use the EPS-AKA protocol for mutual authentication between UEs and the core network, which is a long and costly process. Moreover, the EPS-AKA protocol is designed to rely on several entities in the core network which are not necessarily available during D2D communications. Hence, it is desirable to propose for such communication scenarios a novel method to achieve authentication as well as to derive the necessary keys for the DC and DI services.

1.3 Thesis’s Contributions

Following the aforementioned research objectives, the contributions of this thesis can be

summarized as follows:

1.3.1 Novel and lightweight data confidentiality algorithm for LTE/LTE-A networks

Shannon demonstrated in [12] that the conventional technique to obtain a powerful encryption of a block of bytes is achieved by using the confusion and diffusion layers for several rounds. The standard ciphers are based on multi-round functions, where each one is composed of several simple iterated functions. Round functions can be categorized into two classes: Feistel Networks (FN) and Substitution Diffusion Networks (SDN). Accordingly, the security level depends on the number of rounds, which leads to a trade-off between the security level and the required computational time (complexity) and consequently the energy consumption. The multi-round concept has been well applied in the standardized solutions. In this thesis, we propose a novel stream cipher technique based on the SDN structure which shows a reduced complexity (one round only) and at the same time possesses similar security strength compared to the standardized solutions.

The proposed stream cipher algorithm candidate has an almost similar architecture to the Advanced Encryption Standard (AES) employed in EEA2 and EIA2. It consists of an addition, a substitution and a diffusion layer. The addition layer uses a binary XOR operation with a constant block value to ensure key uniformity. The substitution layer is constructed from the nonlinear transformation of the RC6 algorithm to add confusion to the cipher. Finally, the diffusion layer is built from the output of the substitution layer by forming a sub-matrix.

1.3.2 Novel and lightweight data integrity algorithm for LTE/LTE-A networks

DI is performed using cryptographic hash functions that convert strings of variable length to fixed-size strings called hash values, hash codes or simply hashes. Cryptographic hash functions can be keyed or un-keyed. The un-keyed ones are called Modification Detection Codes (MDCs), which provide only data integrity. The keyed hash functions are Message Authentication Codes (MACs), which besides the integrity protection help in the authentication of the origin of the data. The EIA algorithms use universal keyed hash functions to generate a 32-bit MAC value based on key streams generated from a stream cipher.

As LTE/LTE-A networks intend to support high data rates and an enhanced data, voice, and video experience for end users, it is desirable to develop a low-computation DI algorithm to speed up data processing and at the same time reduce the computational power to save energy. Our second contribution in this thesis is to propose a new DI algorithm based on a Keyed Hash Function (KHF). The key advantage of this proposed algorithm is the use of a Substitution Diffusion (SD) technique in its core cipher, which requires only one round of processing instead of several processing rounds as is the case for the standardized reference solutions. In addition to the addition, substitution and diffusion layers, a chaining layer has also been employed in the core cipher to provide more bit dependency to the algorithm.

1.3.3 Authentication and key agreement scheme for D2D communications

Our last contribution consists in the design of a lightweight authentication and key derivation protocol between two UEs communicating through a D2D link. Our proposed solution is based on the concept of elliptic curve cryptography, which is considered a promising tool for such security requirements, since the key exchange is done in a secure manner without disclosing the real identity of the communicating nodes. This concept has already been employed in the security and authentication of Vehicular Ad Hoc Networks, Mobile Ad Hoc Networks, and the authentication of Machine Type Communications (MTC) and MTC group communications.

The key idea of our methodology is, on the one hand, to use Elliptic Curve Diffie-Hellman (ECDH) to realize Key Forward/Backward Security (KFS/KBS) and to perform authentication between the two devices and, on the other hand, to use secure hash functions to derive both the ciphering and integrity keys, which can be employed as DC and DI keys respectively. Our simulation analysis proved that our authentication protocol has the same security level as EPS-AKA and can also resist MitM, DoS and replay attacks while requiring minimum computation and communication complexity.

1.4 Organization of the Thesis

The content of this thesis is organized as follows:

• Chapter 2 describes the security architecture of LTE/LTE-A mobile networks. After a general overview of LTE/LTE-A systems, their different security levels are presented with a particular focus on the access level security. Then the EPS-AKA authentication and key derivation protocol is presented, followed by a detailed description of the key derivation procedure and the related enhanced protocols proposed in the literature. The standardized algorithms proposed by the 3GPP for both DI and DC services are described with a discussion about their identified security flaws and drawbacks.

• In Chapter 3 we first introduce an overview of data confidentiality as well as the paradigms used to perform it. Then, the realization of a confidentiality algorithm in LTE/LTE-A networks is described. Afterwards, our proposed data confidentiality algorithm, which we baptized ERCA, is presented; it consists of three layers, and a detailed description of the functionality of each layer is given. Finally, the analysis of simulation results is presented to prove the security strength of ERCA and to compare it to a current standard in terms of complexity.

• Chapter 4 presents ERADI, our lightweight data integrity algorithm for LTE/LTE-A systems. First, we briefly introduce the general aspects and methodologies of data integrity. Then, the realization of a data integrity algorithm in LTE/LTE-A networks is illustrated. Next, the ERADI algorithm is detailed. ERADI is based on a keyed hash function whose core cipher is composed of four layers, and a detailed description of each layer is given. Extensive simulations are carried out to prove the security strength and the efficiency of the proposed hash function.

• Chapter 5 first presents an overview of D2D communications in LTE/LTE-A systems and the concept of authentication and key agreement in D2D. Then, D2D authentication and key management in other mobile and wireless technologies are detailed. Hence, we detail the main arguments which make. Thereafter, we introduce the main concepts and operational steps of our lightweight authentication and key agreement scheme for LTE/LTE-A D2D communications. Finally, the security analysis shows the effectiveness of our proposal with regard to the reference approaches.

• In the final chapter (Chapter 6) we review the main contributions of this dissertation and provide some perspectives and directions for future research.

Chapter 2

LTE/LTE-A Security Architecture

2.1 Background

The 3rd Generation Partnership Project (3GPP) standardized LTE in its Release 8 as the successor of the Universal Mobile Telecommunications System (UMTS) standard in order to provide a high-data-rate, low-latency, and packet-optimized radio-access technology supporting flexible bandwidth deployments. The LTE standard was finalized in 2009 and has been deployed by different mobile operators in different countries all around the world. However, the continuous growth of mobile traffic has led to the evolution of radio technologies towards International Mobile Telecommunications-Advanced (IMT-Advanced), which is an ITU-R initiative for developing a 4G global mobile standard. The 3GPP and IEEE 802.16 started to develop standards compatible with IMT-Advanced requirements. This was the driving force for 3GPP to further develop LTE towards LTE-Advanced in its Release 10 to provide higher data rates in a cost-efficient way and, at the same time, completely fulfill the requirements set by IMT-Advanced. Finally, the IMT-Advanced selected LTE-A alongside LTE as the candidate technologies for 4G mobile networks.

Because of the possible security threats in the 3G UMTS security architecture, such as Man-in-the-Middle (MitM) attacks, rogue base station attacks and Denial of Service (DoS) attacks, better and enhanced security services were among the main goals of LTE/LTE-A and have been taken into consideration from the start by addressing security at many different levels. Instead of UMTS-Authentication and Key Agreement (UMTS-AKA), the SAE/LTE architecture adopted an enhanced new access security approach. In addition, new standardized sets of algorithms have been proposed to achieve privacy and integrity protection. In this chapter, we first study the LTE/LTE-A security levels, describing briefly how different security levels are achieved between the communication entities. Then, the security services supported by LTE/LTE-A at the network access level are presented, followed by a detailed description of each of the services as well as the algorithms and protocols employed to support them. Finally, we conclude the chapter with a discussion about the main security features and the limitations of current security services of LTE/LTE-A networks as well as the improvements suggested by our proposal.

Figure 2.1: The LTE/LTE-A architecture

2.2 Security levels and services of LTE/LTE-A networks

The security architecture of mobile networks has been subject to successive evolutions since the first analog 1G system, which lacked the main security features such as authentication and data encryption. The Advanced Mobile Phone Service (AMPS), which was employed in the USA, and its European version, the Total Access Communication System (TACS), provided no security services. Therefore, it was rather easy for an attacker to intercept the calls and consequently extract the Identification Number (MIN) and Electronic Serial Number (ESN). Similarly, the Nordic Mobile Telephone (NMT), which was mainly used in the European Nordic countries, Eastern Europe and Russia, had the disadvantage that the voice traffic was not encrypted [8]. The security of 2G systems such as GSM has rather concentrated on the protection of the air interface. Several security services have been implemented for GSM, such as authentication of subscribers, protection of the subscriber's identity using SIM cards and finally the encryption of communication between the subscriber and the base station using the A5/1 and A5/2 stream ciphers. However, serious weaknesses have been reported in both algorithms, as it is possible to break A5/2 in real time using a ciphertext-only attack.

The 3G systems security is based on those elements of 2G security that have proven to be robust; important new security features and services were also integrated while correcting the security issues of GSM by addressing its real weaknesses. Furthermore, key lengths were increased to allow for stronger encryption and integrity algorithms [8].

The 4G LTE/LTE-A architecture shown in Figure 2.1, also denoted as the Evolved Packet System (EPS), brings two new major ingredients into the 3GPP environment: the radio network Evolved-Universal Terrestrial Radio Access Network (E-UTRAN) with a new radio interface, and the flat IP-based core network Evolved Packet Core (EPC). Additionally, the EPS must also be able to interwork with legacy systems and achieve backward compatibility. In 3GPP TS 33.401, the security architecture is divided into five different functional security levels (or domains), with different security services achieved at each level (see Figure 2.2). 3GPP TS 33.401 defines these levels as follows:

• Network domain security (II): this security level is mostly related to the protection of the control plane data as well as user plane data during transmission from the access network to the service network, mostly through the wireline network.

• User domain security (III): it can be defined as the security features necessary for access to mobile terminals (UE in LTE/LTE-A).

• Application domain security (IV): stands for the set of security features that enable applications in the user and in the provider domains to securely exchange messages.

• Visibility and configurability of security (V): the set of features that enables the user to discover whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.

• Network Access security (I): this level is mainly related to the radio access network, i.e. the E-UTRAN, and is described as the set of security services that provide users with secure access to services and protect the user against attacks. The subject of this thesis is particularly related to network access security; therefore, the rest of this document is mainly related to this topic rather than to the other security levels.

Figure 2.2: Security levels of LTE/LTE-A networks

In the following, we present the most important security services of EPS which are

mostly performed in the access network level.

2.2.1 Authentication and key derivation

Mutual authentication between UEs and the network, and key derivation to establish key sessions for ciphering and integrity protection, are essential security features for any mobile network. The EPS shall support authenticity of information between the mobile terminal and the network to ensure that unauthorized users cannot establish communications through the system. Moreover, without authentication it would be impossible to securely connect users to each other. Hence, the functionality of the whole system would be questionable if this feature is not available.

Compared to 3G systems, where the authentication only provides assurance that the serving network is authorized by the home network to serve the user, there is an enhancement in EPS authentication that provides means for the UE to directly verify the serving network identity.

Indeed, secret key derivation is also tightly integrated with authentication, where the derived shared secret keys are used for confidentiality and integrity protection during data transmission. The 3GPP adopted for LTE/LTE-A a new authentication and key agreement protocol called EPS-AKA, which will be described in detail in section 2.3.

2.2.2 Conﬁdentiality of user plane and control plane data

According to the 3GPP security requirements, EPS shall provide several appropriate levels of user privacy for communication, location, and identity. Additionally, communication contents, origin, and destination shall be protected against disclosure to unauthorized parties. Confidentiality is achieved by ciphering the digital communication in order to protect the content of packets from being seen by eavesdroppers, especially on the radio interface. Unlike the 3G mobile systems, where the endpoint of the encryption is the Radio Network Controller (RNC), in LTE/LTE-A the endpoint is in the eNB. Hence, an additional confidentiality protection mechanism is introduced for Radio Resource Control (RRC) signaling (control plane data) between the UE and eNB [13]. Further details about the confidentiality algorithms already adopted for LTE/LTE-A will be presented in section 2.4.

2.2.3 Integrity of control plane data

In order to fulfill 3GPP security requirements, EPS shall support authenticity of information between the mobile terminal and the network. The purpose of this feature is to ensure the authenticity of each control plane message separately, i.e. assuring that the message has not been altered during transmission and has been received by the destination as it was actually sent by the source. However, no integrity protection is provided for user plane data in 4G LTE/LTE-A except for Relays, as stated in [13]. In order to ensure data integrity, the 3GPP has standardized three algorithms which will be described in detail in section 2.5.

2.3 EPS Authentication and Key Agreement (EPS-AKA)

As illustrated in Figure 2.1, the LTE/LTE-A network is composed of the Evolved Packet Core (EPC) and the E-UTRAN. The EPC consists of a Mobility Management Entity (MME), a Serving Gateway (SGW) and a Packet Data Network Gateway (PDNGW), together with the Home Subscriber Server (HSS). When a UE connects to the EPC, the MME represents the EPC to perform a mutual authentication with the UE, whilst the E-UTRAN, including the eNB, passes the traffic from the UE to the MME. The AKA protocol for UMTS was adopted by the 3GPP and proposed at the network level for authenticating 3G mobile subscribers and also to tackle the vulnerabilities of the GSM system. Due to a substantial architecture modification in 4G LTE/LTE-A, the AKA has been replaced by a new protocol (EPS-AKA), which is based on its predecessor in order to ensure backward compatibility. In this section the EPS-AKA procedure is described, as well as the key derivation procedure and the functionality of the employed keys. Then, we highlight the weak and strong aspects of the protocol along with the various enhancements proposed by different research works.

Figure 2.3: EPS-AKA procedure

2.3.1 EPS-AKA procedure

In the EPS-AKA protocol, as illustrated in Figure 2.3, the UE first sends an access request message to the MME; the MME then launches an authentication procedure by interrogating the UE's identity. When the UE returns its identity by sending its International Mobile Subscriber Identity (IMSI), the Service Network (SN) sends an authentication data request message containing the UE's identity to the HSS for acquiring Authentication Vectors (AVs). Any AV consists of four parameters: an expected result (XRES), a network authentication token (AUTN), the intermediate key KASME (based on the CK and IK and other parameters such as the serving network identity (SN ID)), as well as the random challenge (RAND). The HSS generates AVs for the MME and sends back an authentication data request message including the generated AV. Upon reception of the AVs, the MME sends RAND and AUTN piggybacked on the authentication request to the UE, enabling it to verify the correctness of the sequence number (SQN) associated with that IMSI and to compute the RES. The validity of SQN is checked by computing the MAC and comparing it with the MAC carried in AUTN. If it is valid, the UE computes and sends the corresponding response RES back to the SN in an authentication response message. Once the MME receives RES and verifies its validity, it chooses the corresponding intermediate key KASME as the session key to protect its communication with the UE. At the same time, the UE calculates its KASME accordingly. Finally, both the UE and the MME hold a symmetric session key from which other encryption and integrity protection keys will be derived.
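The exchange described above, as an added example that is not part of the thesis. HMAC-SHA-256 stands in for the operator-specific f1 to f5 functions, the SQN check is reduced to "strictly greater than the last accepted value", and the subscriber key, AMF and SN ID values are constructed.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"                        # constructed management field value
K_DEMO = bytes(range(16))                # constructed subscriber key K
SN_ID_DEMO = bytes.fromhex("02f810")     # constructed serving network identity


def f(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (assumption: HMAC-SHA-256 truncated to n bytes)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME from CK||IK, bound to the SN ID (input layout of TS 33.401 A.2)."""
    s = (b"\x10" + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def hss_generate_av(k: bytes, sqn: int, sn_id: bytes) -> dict:
    """HSS side: build one authentication vector (RAND, XRES, AUTN, KASME)."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b + rand + AMF, 8)
    ck, ik, ak = f(k, b"f3", rand, 16), f(k, b"f4", rand, 16), f(k, b"f5", rand, 6)
    autn = xor(sqn_b, ak) + AMF + mac        # SQN is concealed with AK
    return {"RAND": rand, "XRES": f(k, b"f2", rand, 8), "AUTN": autn,
            "KASME": derive_kasme(ck, ik, sn_id, autn[:6])}


class UE:
    """UE/USIM side: holds K and the highest SQN accepted so far."""

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand: bytes, autn: bytes, sn_id: bytes):
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(sqn_xor_ak, f(self.k, b"f5", rand, 6))
        xmac = f(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):   # network not authenticated
            return "MAC_FAILURE", None, None
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                   # replayed or stale vector
            return "SYNC_FAILURE", None, None
        self.sqn_ms = sqn
        ck, ik = f(self.k, b"f3", rand, 16), f(self.k, b"f4", rand, 16)
        return "OK", f(self.k, b"f2", rand, 8), derive_kasme(ck, ik, sn_id, sqn_xor_ak)


def mme_verify(av: dict, res) -> bool:
    """MME side: accept the UE only if RES equals the expected XRES."""
    return res is not None and hmac.compare_digest(av["XRES"], res)


def run_demo():
    ue = UE(K_DEMO)
    av = hss_generate_av(K_DEMO, 1, SN_ID_DEMO)
    status, res, kasme_ue = ue.authenticate(av["RAND"], av["AUTN"], SN_ID_DEMO)
    agreed = mme_verify(av, res) and kasme_ue == av["KASME"]
    # The same vector presented a second time fails the SQN freshness check.
    replay = ue.authenticate(av["RAND"], av["AUTN"], SN_ID_DEMO)[0]
    # A fresh vector with one flipped AUTN bit fails the MAC check.
    av2 = hss_generate_av(K_DEMO, 2, SN_ID_DEMO)
    bad = bytearray(av2["AUTN"])
    bad[-1] ^= 1
    tampered = ue.authenticate(av2["RAND"], bytes(bad), SN_ID_DEMO)[0]
    return status, agreed, replay, tampered


if __name__ == "__main__":
    print(run_demo())
```

Because the SN ID is an input to KASME, a UE that assumes a different serving network than the one the HSS used still computes RES correctly but ends up with a different KASME.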

2.3.2 EPS key hierarchy

After the authentication, all necessary cryptographic keys for the various security mechanisms are derived from the intermediate key (KASME). The main advantages of this key hierarchy are cryptographic key separation and providing the system with the key freshness property. However, the main disadvantage is added complexity, since there are more types of keys in the system, all of which need to be computed, stored and protected. Moreover, one of the most important properties of the key derivation procedure is the one-way property, i.e. computing upper-layer keys is impossible using lower-layer keys. In the key derivation procedure illustrated in Figure 2.4, an arrow between two keys indicates that one key is derived from the other. However, there is one special arrow in the figure, namely the loop arrow pointing from the box representing keys KeNB/NH to itself. Indeed, there are also additional parameters that are mixed in during key derivation, which are assumed not to be secret. The topmost key derivation, from K to CK and IK, is different from the rest of the key derivations in the sense that its details are not standardized [8]. Moreover, Figure 2.5 presents the details of key derivation in the network nodes. In the figure, KDF denotes the generic Key Derivation Function based on HMAC-SHA-256 and 'Trunc' stands for a simple truncation function that uses only the 128 least significant bits of a 256-bit value and eliminates the most significant half. In the following, the purpose and the functionality of each of the master and specific derived keys related to network access security are explained:

• K is the subscriber-specific master key, stored in the USIM and the AuC; it is not derived from any other key.

• CK and IK are 128-bit keys derived from K using additional input parameters.

• KASME is derived from CK and IK using two additional inputs, to be a local master key in the MME.

• KeNB is derived from KASME and the additional input NAS uplink COUNT, which is a counter parameter. This parameter is needed to ensure that each new KeNB derived from KASME differs from the ones derived earlier. The purpose of this key is to be a local master key in an eNB.

• KRRCenc is a key that is used to encrypt RRC signaling traffic. It is derived from KeNB and two additional parameters: the first one (algorithm type distinguisher) indicates that this key is used for RRC encryption, and the second one is the identifier of the encryption algorithm.

• KRRCint is used to protect the integrity of RRC signaling traffic. It is derived from KeNB and two parameters: the first one indicates that this key is used for RRC integrity, and the second one is the integrity algorithm identifier.

• Finally, KUPenc is used to encrypt user plane traffic. This key is derived from KeNB and two parameters: the first one indicates that this key is used for user plane encryption, and the second one is the encryption algorithm identifier.

Figure 2.4: EPS key hierarchy

Figure 2.5: EPS key derivations on network side

The keys generated from the key hierarchy are separated in such a way that each key has a specific usage for either control or user plane traffic. The principal idea behind this separation is to provide more security: even if an attacker finds a key used for a specific context, he cannot easily get the other keys used for a different purpose. Additionally, key renewal without affecting the other keys is another advantage of the key hierarchy. Accordingly, any change to a specific key affects only the keys derived from it, which have to be changed; the other keys may remain the same.
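The derivation chain below KASME, as an added example that is not the thesis's own code. It builds the KDF input string with the FC codes and algorithm type distinguishers from 3GPP TS 33.401 Annex A, which the text does not reproduce, and starts from a constructed all-zero KASME.

```python
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7)
RRC_ENC, RRC_INT, UP_ENC = 0x03, 0x04, 0x05
# FC codes that separate the derivations (TS 33.401 Annex A)
FC_KENB, FC_ALG_KEY = 0x11, 0x15

KASME_DEMO = bytes(32)  # constructed 256-bit KASME, for illustration only


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter, then its length
    return hmac.new(key, s, hashlib.sha256).digest()


def trunc(k256: bytes) -> bytes:
    """Trunc: keep the 128 least significant bits of a 256-bit value."""
    return k256[-16:]


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """KeNB from KASME and the NAS uplink COUNT (32-bit counter)."""
    return kdf(kasme, FC_KENB, nas_uplink_count.to_bytes(4, "big"))


def derive_alg_key(kenb: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit key bound to one purpose (alg_type) and one algorithm (alg_id)."""
    return trunc(kdf(kenb, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id])))


def derive_as_keys(kasme: bytes, nas_uplink_count: int,
                   enc_alg: int, int_alg: int) -> dict:
    """Derive the eNB-level keys listed in the text from KASME."""
    kenb = derive_kenb(kasme, nas_uplink_count)
    return {
        "KeNB": kenb,
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, enc_alg),
        "KRRCint": derive_alg_key(kenb, RRC_INT, int_alg),
        "KUPenc": derive_alg_key(kenb, UP_ENC, enc_alg),
    }


if __name__ == "__main__":
    # EEA2/EIA2 selected (identifier 2), NAS uplink COUNT = 0
    for name, key in derive_as_keys(KASME_DEMO, 0, 2, 2).items():
        print(f"{name:8s} {key.hex()}")
    # A new COUNT yields a fresh KeNB and therefore fresh child keys
    print("KeNB'   ", derive_kenb(KASME_DEMO, 1).hex())
```

Changing only the encryption algorithm identifier changes KRRCenc and KUPenc while KeNB and KRRCint stay the same, which is the key separation the paragraph describes.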

2.3.3 EPS-AKA functionality and related works

Although EPS-AKA has several security improvements over UMTS AKA, preventing some attacks such as redirection attacks, rogue base station attacks and MitM attacks, it still has some vulnerabilities inherited from UMTS AKA due to compatibility issues. Therefore, many research works have been interested in overcoming these issues.

Privacy protection is among the main security flaws of EPS-AKA, which results from the disclosure of the IMSI, mainly in plaintext, in two typical scenarios [14]:

• In some cases, the SN cannot obtain the UE's Globally Unique Temporary Identity (GUTI), which is transmitted instead of the IMSI to hide the real identity of the UE, such as when a UE registers to the network for the first time or during roaming, which leads to the transmission of the IMSI in plaintext.

• In case of a MAC verification failure, a MAC failure message (MacFail) is sent to the network to require a new MAC verification procedure. Therefore, the IMSI could be leaked in plaintext.

The disclosure of the IMSI enables an adversary to obtain sensitive information about the subscriber identity and consequently launch identity-related attacks. Moreover, EPS-AKA is vulnerable to potential DoS attacks which may cripple the network when an adversary disguises itself as a legitimate UE and constantly sends fake IMSIs to overwhelm the HSS/AuC. As a consequence, the HSS is overloaded by generating excessive AVs for the UE.

In order to overcome this drawback, several solutions have been proposed to improve the security of EPS-AKA. Security Enhanced Authentication and Key Agreement (SE-EPS AKA) based on Wireless Public Key Infrastructure (WPKI) has been proposed in [15] in order to ensure the security of the user identity using Elliptic Curve Cipher (ECC) encryption. The authors employed Elliptic Curve Diffie-Hellman (ECDH) with a symmetric key cryptosystem to overcome the vulnerabilities present in the EPS-AKA protocol. Furthermore, the authors in [16] have proposed an ensured confidentiality authentication and key agreement (EC AKA) to enhance the user's confidentiality by protecting AKA messages through encryption. Consequently, the real identity of the subscriber is preserved and cannot be tracked. The drawback of the above-mentioned methods is that they employ public-key techniques to overcome the shortcomings of the EPS-AKA protocol, securing the communication between the UE and HSS/AuC through the use of certificates. However, using certificates results in high computational, storage and communication costs.

Unlike the aforementioned works, the authors in [17] presented a slightly modified version of the EPS-AKA protocol to overcome its security flaws. The scheme introduces a new subscriber module, ESIM, instead of the USIM and provides a direct online mutual authentication between the ESIM and the MME/HSS with minor modifications of the access security architecture. However, this method does not attain identity privacy and requires a lot of message exchanges, causing signaling congestion on the HSS [18].

The use of password-authenticated key exchange through the Juggling Password Authenticated Key Exchange (J-PAKE) protocol was proposed in [19]. The authors proposed the use of the J-PAKE protocol for authentication due to its high flexibility and light weight, making it very well suited for use in mobile terminals. However, this protocol still suffers from security issues present in the EPS AKA protocol, such as identity protection. Finally, the EAP Archie method proposed in [20], in which AES ciphering is used, was intended to achieve mutual authentication and key agreement between the users and the network access layer. Yet, this scheme also suffers from the disclosure of the user identity and spoofing attacks.

Figure 2.6: AS and NAS Protocols

2.4 EPS Encryption Algorithm (EEA)

As illustrated in Figure 2.6, the three main components in the LTE/LTE-A architecture where the security services are achieved are the UE, eNB and MME. The UE and MME are connected with the Non Access Stratum (NAS) security protocol, and NAS messages exchanged between the UE and MME are integrity protected and ciphered with an extra NAS security header, while the UE and eNB are connected through the Access Stratum (AS) protocol, and the security services are performed for both control and user plane data in the PDCP layer of the UE and eNB. The PDCP layer on the UE and eNB sides is responsible for confidentiality and integrity protection. The confidentiality cryptographic algorithm, the EPS Encryption Algorithm (EEA), is applied after the authentication between the UE and SN is fulfilled by EPS-AKA. The EEA algorithm is assigned a 4-bit identifier included in KNASenc, KRRCint and KUPenc to indicate the type of the encryption algorithm to be used. Accordingly, the 3GPP standardized three algorithms, namely EEA1, EEA2 and EEA3, to be used in 4G LTE/LTE-A networks. A detailed description of each algorithm, with its advantages and drawbacks, is given below.

Figure 2.7: SNOW 3G Algorithm

2.4.1 EEA1

The four-bit identifier "0001" is used to define the 128-bit EEA1 stream cipher, which is based on another stream cipher, SNOW 3G, depicted in Figure 2.7. The SNOW 3G algorithm was originally used as the cryptographic kernel of the second set of 3G UMTS confidentiality and integrity algorithms (UEA2) and has been kept as the first set of security algorithms for LTE/LTE-A. Originally, SNOW 3G was derived from the stream cipher SNOW 2.0, with improvements against algebraic cryptanalysis and distinguishing attacks. It is a word-oriented stream cipher that generates a sequence of 32-bit words using a 128-bit key and a 128-bit initialization variable [21]. The structure of SNOW 3G is composed of a Linear Feedback Shift Register (LFSR) with 16 chained 32-bit stages and a Finite State Machine (FSM) with 2 S-boxes. Although the authors in [22] assume a fault attack to recover the secret key with only 22 fault injections, SNOW 3G still offers adequate protection against new forms of algebraic attacks. However, in terms of time complexity SNOW 3G is quite complicated, especially in terms of hardware implementation [23].

2.4.2 EEA2

The four-bit identifier "0002" is used to define the 128-bit EEA2 algorithm, based on AES in CTR mode. AES is a block cipher that can process data blocks of 128 bits (16-byte blocks) using cipher keys of 128, 192 and 256 bits. Yet, the 3GPP adopted the 128-bit cipher key as a standard for EEA2. The design of AES depends on the principle of SDN, as the encryption procedure for 128-bit keys is composed of 10 rounds of processing. Each round except the last one includes four layers, as shown in Figure 2.8: the ByteSubstitution layer (S-Box), the ShiftRow layer, the KeyAddition layer and the MixColumn layer, which is eliminated in the last round. First, a 128-bit round key is XORed to the state; then, in the next layer, a byte-by-byte substitution is performed using a 16 × 16 look-up table to provide the confusion property. Permutation is realized at the ShiftRow layer at the byte level. Finally, the MixColumn layer combines blocks of four bytes by using a matrix operation. The ShiftRow and MixColumn layers provide the diffusion property. AES-CTR mode, however, is similar to a stream cipher since, instead of encrypting the plaintext directly, the counter is encrypted and then XORed with the plaintext to produce the ciphertext for transmission. Until now, no known attacks have been reported against AES. Although AES offers strong encryption via 128-bit keys, its computational time is high since it uses 10 rounds of iterations [24].

Figure 2.8: AES Algorithm

2.4.3 EEA3

The four-bit identifier "0003" is used to define the 128-bit EEA3 algorithm, the core of which is based on a new stream cipher called ZUC [11]. ZUC was designed by the Chinese Academy of Science to be permitted for use in China. It is a word-oriented cipher that takes as input a 128-bit initial cipher key and a 128-bit initial vector. The output is a 32-bit word key-stream, also called key-word, that is used to encrypt/decrypt the plaintext. The ZUC stream cipher, as shown in Figure 2.9, has three main logical layers: LFSR, Bit-Reorganization (BR) and Non-Linear Function (NLF). The LFSR is composed of 16 registers, each one containing 31 bits and taking values from 1 to $2^{31} - 1$. Additionally, it has two modes of operation: the initialization mode and the working mode. During the initialization mode, the LFSR takes a 31-bit input word computed by removing the rightmost bit from the XOR of the cipher key and the initial vector. However, in the working mode, the LFSR does not receive any input. The BR makes four words by extracting 128 bits from the LFSR states. The first three words are used by the NLF and the last one is used to construct a key-stream. Indeed, despite the fact that ZUC appears to have a sound design with a large security spectrum, it requires more analysis to gain further confidence [23].

Figure 2.9: ZUC Algorithm

2.5 EPS Integrity Algorithms (EIA)

The 3GPP standardized three EIA algorithms to be used for data integrity in LTE/LTE-A. The main principle of the three standardized algorithms (EIA1, EIA2, and EIA3) is to apply an underlying stream cipher as a tool to encrypt the public and secret keys, and to use the encrypted result in the upper layer, with secure hash functions, to compute the MAC-I of the message. For a better understanding of the proposed solution, we present in the following the description and the flaws of each of the three standardized algorithms.

2.5.1 EIA1

EIA1, similarly to EEA1, is identified by the four digits "0001" and is based on universal hashing and the Galois Message Authentication Code (GMAC) scheme for the generation of the MAC [25]. The core cipher of EIA1 is SNOW 3G, as illustrated in Figure 2.10. EIA1 suffers from two different forgery attacks, as demonstrated by [26]: the first is a linear forgery attack, and the second is known as a trace extension forgery attack. Furthermore, as already mentioned, the core cipher SNOW 3G is quite complicated, especially in terms of hardware implementation [23].

Figure 2.10: EIA1 Algorithm

2.5.2 EIA2

As with EEA2, the four digits "0002" identify the 128-bit EIA2. The cipher core of EIA2 is 128-bit AES in CMAC (cipher-based MAC) mode [27]. In CMAC mode, as shown in Figure 2.11, a block cipher is used instead of a hash function. This mode is divided into two phases: sub-key generation and MAC generation. The IK is used to generate two sub-keys, K1 and K2, each 128 bits long. To the best of our knowledge, there are no known attacks against EIA2. However, similar to EEA2, its computational time is high since its core cipher AES uses 10 rounds of iterations to produce the hash value for each message block.

Figure 2.11: EIA2 Algorithm

2.5.3 EIA3

As for EEA3, a four-bit identifier "0003" is used to define the 128-bit EIA3. The 128-EIA3 algorithm is based on universal hashing and one-time-pad masking, and uses the GMAC mode as EIA1 does. The EIA3 algorithm, as depicted in Figure 2.12, takes as inputs to its ZUC core cipher a 128-bit IK and IV. However, like EIA1, EIA3 suffers from linear and trace extension forgery attacks [26]. In addition, as already mentioned, the computational complexity of EIA3 is also high since its core cipher ZUC uses multi-round operations to achieve maximum diffusion and confusion.

Figure 2.12: EIA3 Algorithm

2.6 Conclusions and Discussions

This chapter provided a general overview of the security architecture of LTE/LTE-A networks. The 3GPP has rigorously defined the security architecture of LTE/LTE-A networks and divided it into five different functional levels. The access level security constitutes the main objective of this thesis. Thus, the majority of the chapter was dedicated to the security services of the access level, and more particularly between the UE and the eNB. Furthermore, the three main security features in the access network, namely authentication, confidentiality and integrity, were presented while indicating their importance and their necessity for protecting the user's information as well as its privacy.

Authentication of subscribers, followed by key agreement between the UE and the LTE/LTE-A network, is considered the most important security feature in the network access. Any failure of the authentication procedure or leak of the secret keys during key agreement would make the whole network security system questionable. Therefore, the 3GPP has standardized the EPS-AKA protocol for the authentication of subscribers with the SN, as well as the derivation procedure of the symmetric keys required during encryption and integrity protection of user and signaling data. Moreover, the key hierarchy employed for the different sessions and entities in the LTE/LTE-A architecture strengthens security, but at the expense of additional complexity in the procedure. As regards D2D authentication in LTE/LTE-A, which constitutes one of the main contributions of this thesis, there is no specific standardized protocol adopted by the 3GPP, since the D2D concept within 4G systems is very recent and has not yet been handled by the 3GPP. Although D2D authentication has already been well investigated in other wireless and mobile network technologies [28], [29], [30], [31], [32], these solutions are not very appropriate for LTE/LTE-A technologies because of the considerable differences in their security architecture. More specifically, the main issue with EPS-AKA and its related enhanced versions is that they were not originally designed to support D2D communications, since the engagement of four network entities (UE, eNB, MME and HSS) is necessary in the authentication and key derivation procedure, whereas in the D2D communication scenario only two entities (UE and eNB) are involved in the authentication procedure.

Using EPS-AKA or any of its enhanced versions for D2D authentication results in high communication and computation overhead, and leads to extra energy consumption as well as higher latency. Furthermore, as previously introduced, the methodologies of authentication and key agreement between two communicating devices have been well investigated in other wireless and mobile technologies. In VANETs and MANETs, most of the methodologies use digital certificates, which raises two problems: on the one hand, the infrastructure for handling certificates is not supported in LTE/LTE-A networks; on the other hand, such methods entail high computation overheads. Others propose using symmetric polynomials in the authentication and key derivation for MANETs and WMNs respectively, but with the pre-assumption of a secure channel. As a consequence, we conclude that no suitable protocol is available which could be adapted in one way or another for authentication and key derivation in D2D communications. Hence, authentication and key derivation for D2D communication is a novel topic which will be addressed throughout this thesis.

The privacy of the user's information, which is denoted as data confidentiality, is another important security feature which has been taken into consideration by the 3GPP. The first standardized algorithm, denoted EEA1, is based on SNOW 3G, which has already been used in 3G UMTS, while the second one is based on AES with further security enhancements. A third algorithm, based on ZUC, has been proposed and designed in China in order to fulfill Chinese government regulation requirements [33]. Moreover, the standardized algorithms have been subjected to different security and computational complexity analyses in several research works to assess their efficiency in terms of security and computational complexity. Furthermore, since LTE/LTE-A networks are intended to support high data rates to the end users, substantial computational power and energy are required during the ciphering and deciphering procedure at both the UE and the core network sides. The traditional ciphering algorithms employed by the 3GPP standardized solutions depend on the concept of multi-round operations, i.e. applying confusion and diffusion to the plain-text for several rounds in order to achieve maximum security. A trade-off between strong, sufficient security and computational complexity should be taken into account during the design of a ciphering algorithm, while trying to minimize energy consumption. A novel ciphering algorithm for LTE/LTE-A that achieves data confidentiality and at the same time reduces the computational complexity would be a promising tool to decrease energy consumption at both the UE and the core network. The solution proposed in this thesis is based on a novel method that applies confusion and diffusion for only one round to perform the ciphering/deciphering procedure while achieving the required security, which consequently leads to reduced complexity and less energy consumption.

Integrity protection, mostly denoted as DI, is also considered an important security feature for LTE/LTE-A networks, especially for control plane data, for which the 3GPP made it mandatory. As with data confidentiality, three algorithms have been proposed for data integrity, in which the same stream ciphers have been reused as the core algorithms. However, using the same core cipher for both data integrity and data confidentiality has no cryptographic objective other than re-usability [8]. Data integrity algorithms have also been subjected to security analysis in the literature to test their efficiency. At least two different attacks have been reported against EIA1 and EIA3, and although no known attack has been reported for EIA2, the algorithms still have high complexity. Again, reducing the complexity of the algorithms used in integrity protection is another way to decrease energy consumption in LTE/LTE-A networks.

Chapter 3

Efficient and Robust Ciphering Algorithms for LTE/LTE-A Data Confidentiality (DC)

3.1 Introduction

An important service, essential to any secure communication in mobile networks, is Data Confidentiality (DC), which refers to the prevention of unauthorized disclosure of data transmitted between two communicating nodes to third-party attackers or intruders, such as individuals, entities or processes. The disclosure of sensitive data can result in loss or damage, such as identity theft, lawsuits, loss of business, or regulatory fines. To achieve DC in the networks, encryption is the best method to protect sensitive data contained in a message. Unencrypted data, known as plain-text, is converted to encrypted data, known as cipher-text. Data is encrypted with an algorithm and a cryptographic key. The cipher-text is then converted back to plain-text at its destination.

Accordingly, two different cryptographic methods are mainly used to perform the ciphering/deciphering procedure: Asymmetric Encryption (AE) and Symmetric Encryption (SE). AE refers to the encryption methods which require two keys: a public one used for data encryption and a private one used for decrypting the message. In SE, by contrast, the two parties of the communication use the same symmetric key for both encryption and decryption.


In the LTE/LTE-A system architecture, as described in [3], the UE and the eNB are connected through the AS protocols, where DC is performed at the Packet Data Convergence Protocol (PDCP) sub-layer. The PDCP performs ciphering/deciphering of user and control plane data at both the UE and eNB sides through an encryption algorithm. As already explained in Chapter 2, the 3GPP has standardized three SE algorithms for DC to ensure the confidentiality of user and signaling data in LTE/LTE-A networks. The first algorithm is a 128-bit key EPS Encryption Algorithm (128-EEA1), which is a stream cipher algorithm based on SNOW 3G and already employed in the Universal Mobile Telecommunication System (UMTS). The second one is 128-EEA2, which is based on the AES block cipher algorithm used in its CounTeR mode (CTR mode) [34]. The last standard, 128-EEA3, has been recently designed and is now published for public evaluation; its core is based on the ZUC stream cipher [3].

Nevertheless, the flaws and drawbacks related to the security and complexity of the standardized solutions have been addressed in Chapter 2. Therefore, designing a less complex DC algorithm that has adequate security strength is desirable, since it would require lower computation power and consequently lower energy consumption at both the eNB and UE sides during the ciphering/deciphering procedure.

Shannon demonstrated in [12] that the conventional technique to obtain a powerful encryption of a block of bytes is to apply confusion and diffusion layers for several rounds. A round in a cipher algorithm typically consists of a number of building blocks that are composed together to create a function that is run multiple times. Consequently, a larger number of rounds results in stronger security performance but with higher computation overheads. Thus, one should find a trade-off between computation complexity and strong security.

In this chapter, we propose a novel stream cipher technique based on the SDN structure. Its main advantage is, on the one hand, its reduced complexity of one round instead of the several rounds employed in the standardized algorithms and, on the other hand, a security strength as strong as that of the standardized solutions. The proposed one-round cipher algorithm consists of an addition, a substitution and a diffusion layer. The addition layer uses a binary XOR operation with a constant block value to ensure key uniformity. The substitution layer is constructed from the nonlinear transformation of RC6 to add confusion. Finally, the diffusion layer is built from the output of the substitution layer. The outputs of the cipher are key-streams used for the encryption/decryption of data.

The rest of this chapter is organized as follows: The procedure of cryptographic realiza-

tion in LTE/LTE-A networks is presented in Section 3.2. In Section 3.3, we introduce

and describe our proposed algorithm and the functionality of each layer is described in

detail. Simulation tests for the cryptographic strength and performance are introduced

in Section 3.4. Finally in Section 3.5 the chapter will be discussed and concluded.

3.2 Cryptographic realizations in LTE/LTE-A

Cryptology is sometimes defined as the art and science of secrecy, and is considered a useful and effective tool for protecting the confidentiality of communications. Modern cryptography is based on mathematical functions. These functions either have significant complexity to be computed or can only be computed with extra information, i.e. the key. Indeed, most cryptographic protection methods rely on the concept of using keys, and these keys themselves have to be managed and protected in an efficient way, especially in the SE methodologies widely used in communication networks.

The concept of SE algorithms is based on the principle of using the same keys for encrypting the plain-text as well as decrypting the cipher-text. They are divided into two main classes: block ciphers and stream ciphers. In a block cipher, a fixed-length plain-text block is transformed into a cipher-text block of the same length using symmetric keys. Thus, for any fixed key, if the plain-text is $p$, the symmetric key used is $k$, the encryption function is $E$ and the decryption function is $D$, the block cipher is a bijection:

$$c = E(p, k); \quad p = D(c, k) = D(E(p, k), k).$$

In stream ciphers, by contrast, the plain-text bits are combined with a pseudorandom cipher bit stream (key-stream), typically by an exclusive-or (XOR) operation. The idea of a stream cipher is based on a simple secure cipher called the one-time pad, and the cipher-text is calculated as $c = k \oplus p$. Similarly, at the decryption side the plain-text is obtained as $p = k \oplus c$.

In LTE/LTE-A networks, the concept of stream ciphering is employed in the standardized algorithms EEA1, EEA2 and EEA3. AES (the core cipher of EEA2), which is originally a block cipher, is used in counter (CTR) mode to produce key-streams and thus acts as a stream cipher [35]. The encryption/decryption algorithms are located at the PDCP sub-layer in the protocol stack of LTE/LTE-A networks, as shown in Figure 3.1, and the keys to be used by the PDCP sub-layer are managed by the upper layers. The input parameters to the ciphering algorithm are a 128-bit cipher key (usually $K_{UPenc}$ for user plane data encryption and $K_{RRCenc}$ for control plane data encryption) and a 128-bit Initial Vector (IV). The IV is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message [36].

Figure 3.1: PDCP Layer.

For LTE/LTE-A networks, the IV is composed of a 32-bit counter, a 5-bit bearer identity, the 1-bit direction of transmission (shall be 0 for uplink and 1 for downlink) and the length of the required key-stream. In addition, bits are padded in order to fill a 128-bit block [37]. Typically, the cipher algorithm considers that a stream of plain-text packets $P$ exists at the source (UE or eNB) and needs to be transmitted safely. This stream is divided into many packets $P^w$ $(w = 1, \ldots, h)$, and each packet is divided into many blocks $M^w_j$ $(j = 1, 2, \ldots, q)$ of 128-bit length. The process of encryption/decryption in EEA is depicted in Figure 3.2 for the $j$th plain block of the $w$th packet. More precisely, at the encryption side, the cipher-text $C^w_j = \{c^w_{j,1}, c^w_{j,2}, \ldots, c^w_{j,n}\}$ is obtained by XORing the bytes of the $j$th plain-data block (plain-text) $\{m^w_{j,1}, m^w_{j,2}, \ldots, m^w_{j,n}\}$ with their corresponding output key-stream bytes $S^w_j = \{s^w_{j,1}, s^w_{j,2}, \ldots, s^w_{j,n}\}$ obtained from the ciphering algorithm:

$$c^w_{j,i} = m^w_{j,i} \oplus s^w_{j,i} \tag{3.1}$$

Figure 3.2: Ciphering a block of data.

Likewise, at the decryption side, the $i$th byte of the cipher block is XORed with the $i$th byte of the key-stream $s^w_{j,i}$ to recover the $i$th byte of the plain block $m^w_{j,i}$:

$$m^w_{j,i} = c^w_{j,i} \oplus s^w_{j,i} \tag{3.2}$$

3.3 Eﬃcient and Robust Ciphering Algorithm (ERCA)

In Section 3.2, the realization of a cipher algorithm in LTE/LTE-A networks was presented, with a description of the necessary parameters included in the IV construction. In this section, a novel and practical cipher algorithm is presented to achieve DC in LTE/LTE-A networks. Usually, the term efficiency refers to having the fastest execution time while keeping the necessary security of the network. This makes it possible to overcome the previously described drawbacks of the standardized solutions. The main properties of our proposed solution are a high level of security and efficiency in computation complexity without any need for memory overhead. The effectiveness of a secure stream cipher is a necessary condition for practical implementation. The proposed stream cipher candidate has an architecture similar to AES in the sense that it is a block cipher used in CTR mode.

The basic scheme of the proposed ciphering algorithm is presented in Figure 3.3. For

each input block, the process of addition layer is applied ﬁrst, then the process of sub-

stitution. After that, we reshape the output of substitution process (row) to form a

sub-matrix, which is used to construct the diﬀusion matrix. Finally, the process of dif-

fusion is applied using the obtained diﬀusion matrix on the output of substitution layer.

The proposed cipher algorithm uses a secret key $K = \{k_1, k_2, \ldots, k_{16}\}$ of 128-bit length. The ciphering algorithm is performed on the bytes of an input block $X^w_j = \{x^w_{j,1}, x^w_{j,2}, \ldots, x^w_{j,16}\}$, which is obtained from the XOR between the bytes of $K$ (generally referred to as $K_{UPenc}$ or $K_{RRCenc}$ in LTE/LTE-A networks) and $IV^w_j$ as follows:

$$x^w_{j,i} = k_i \oplus IV^w_{j,i}, \quad i = 1, 2, \ldots, 16 \tag{3.3}$$

ERCA takes $X$ as the input to its first layer (the addition layer) and follows the procedure until the ciphered result is obtained at the end of the algorithm. In the following, the functionality of each layer is described in detail.

3.3.1 Initial Key Addition Layer

The addition layer uses a constant block value, chosen with a uniform bit distribution, to provide uniformity to the key-stream by mixing the input block with the constant block. The mixing is carried out byte by byte using the logical XOR operation as follows:

$$y^w_{j,i} = x^w_{j,i} \oplus t_i \tag{3.4}$$

where $x^w_{j,i}$ is a byte of the input block and $t_i$ is a byte of the constant block, in which all the bits are zeros. The use of the logical XOR operation ensures uniformity, which makes differential cryptanalysis extremely difficult.

3.3.2 Substitution Layer

The substitution process is the most important operation in any cipher algorithm because its non-linearity makes the algorithm immune against differential and linear cryptanalysis. The substitution layer can take the form of an S-box, as is the case in AES and ZUC, or can be a nonlinear transformation, as we use here. Mathematically, an $m \times m$ substitution layer is a nonlinear mapping $F: (0,1)^m \to (0,1)^m$, where $(0,1)^m$ represents the vector space of elements from the binary Galois field. The proposed substitution layer uses the nonlinear transformation of RC6 [38] with an efficient modification, since the original RC6 transformation has poor cryptographic properties, especially a high differential probability approximation, which makes it unsuitable for use as a substitution layer. The nonlinear transformation of RC6 is performed as below:

$$z = F(y) = \operatorname{mod}\left(y \times (2 \times y + 1),\, 2^{Q}\right) \gg \log_2(Q) \tag{3.5}$$

where $\gg$ is the bitwise right shift and $Q$ is equal to 8, since the substitution layer is applied at the byte level. This transformation is applied for multiple iterations $i_{rs} = 1, 2, \ldots, rs$. Hence, a substantial enhancement of its cryptographic properties is achieved. Starting with the initial vector $V$, where $V_j = j$ and $j = 0, 1, \ldots, 255$, the output vector after each iteration becomes the input vector for the next one. The results obtained in Figures 3.6 and 3.7 show that the optimal number of iterations to attain a good performance (LPF, SAC, BIC and DPF), as described in Section 3.4, is $\log_2(Q) = 3$. Therefore, in our implementation each byte is substituted by applying the RC6 nonlinear function for three iterations.

Figure 3.3: ERCA stream cipher
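The iterated byte table of eq. (3.5), with checks for three of the properties that Section 3.4.1 asks of it (bijectivity, average SAC, maximum differential probability), as an added example that is not the thesis's own code. It assumes that the ">>" of eq. (3.5) is an 8-bit rotation, as the corresponding step is in RC6, because a plain logical shift by three discards bits and cannot give a bijective byte table; `f_shift` is included to make that visible. All function names are hypothetical.

```python
"""Checks on the iterated RC6-style byte substitution of eq. (3.5)."""
Q = 8                       # word size in bits: the layer works on bytes
MASK = (1 << Q) - 1
ROT = 3                     # log2(Q)

def f_rotate(y):
    """Assumed reading: ">>" is an 8-bit right rotation."""
    t = (y * (2 * y + 1)) & MASK
    return ((t >> ROT) | (t << (Q - ROT))) & MASK

def f_shift(y):
    """Literal reading: ">>" is a logical right shift, which drops three bits."""
    return ((y * (2 * y + 1)) & MASK) >> ROT

def build_table(f, rs):
    """Start from V_j = j and feed each iteration's output into the next one."""
    table = list(range(1 << Q))
    for _ in range(rs):
        table = [f(v) for v in table]
    return table

def is_bijective(table):
    return sorted(table) == list(range(len(table)))

def average_sac(table):
    """Mean of the Q x Q dependence matrix: P(output bit flips | one input bit flips)."""
    total = 0
    for i in range(Q):
        for x in range(1 << Q):
            total += bin(table[x] ^ table[x ^ (1 << i)]).count("1")
    return total / (Q * Q * (1 << Q))

def max_differential_probability(table):
    """Largest entry of the XOR difference distribution table for dx != 0, as a probability."""
    best = 0
    for dx in range(1, 1 << Q):
        counts = [0] * (1 << Q)
        for x in range(1 << Q):
            counts[table[x] ^ table[x ^ dx]] += 1
        best = max(best, max(counts))
    return best / (1 << Q)

def report(max_rs=5):
    """One row per iteration count rs: (rs, bijective, average SAC, max differential probability)."""
    rows = []
    for rs in range(1, max_rs + 1):
        t = build_table(f_rotate, rs)
        rows.append((rs, is_bijective(t), round(average_sac(t), 3), max_differential_probability(t)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("rs=%d bijective=%s avg_SAC=%.3f max_DP=%.4f" % row)
    print("distinct outputs with a plain shift, rs=3:", len(set(build_table(f_shift, 3))))
```

Running the module prints the metrics for rs = 1 to 5 so they can be compared with the trends the thesis reports in Figures 3.6 and 3.7.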

3.3.3 Diﬀusion Layer

The diﬀusion process includes two steps: secret matrix generation G; and Modular 256

vector matrix multiplication.


3.3.3.1 Construction of the secret matrix G

The diffusion layers are linear transformations, which are represented as matrices. The proposed key-dependent diffusion layer is designed to be efficient and robust, which means that the avalanche effect has to be achieved in cooperation with the substitution layer. In addition, this method is based on a special rule of algebra, which provides the following properties: flexibility, ease of implementation in hardware, key dependence, and a non-invertible matrix, as its determinant is equal to 0 (singular matrix).

In the following, the proposed method to build a dynamic diffusion matrix is described. It is based on a particular matrix structure (a non-invertible 2D matrix) that is simple to realize and fast to compute. The 2D matrix is presented below.

$$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}; \quad \det(A) = ad - bc \tag{3.6}$$

Hence, if $\det(A) = 0$ then $a \times d = b \times c$. To obtain the proposed structure of a non-invertible key-dependent diffusion layer, consider that $d$ is equal to $b$, which leads to $a \times b = b \times c$. This gives us that $a$ is equal to $c$. Then, the form of a secret matrix in 2D is defined as below:

$$A = \begin{pmatrix} a & b \\ a & b \end{pmatrix} \tag{3.7}$$

Assuming that $b$ is equal to $a \times (2 \times a + 1)$ mod 2256, the non-invertible matrix requires only one parameter $a$. In the formulation recalled below, the parameter $a$ is replaced by the sub-matrix $A$ to form the diffusion matrix with $n$ dimensions.

$$G = \begin{pmatrix} A & B \\ A & B \end{pmatrix} \tag{3.8}$$

$A$ is a non-zero matrix of size $\frac{n}{2} \times \frac{n}{2}$. The elements of $A$ can be freely chosen from any Galois field such that $G$ is full rank. In our simulation, the elements of this sub-matrix vary between 0 and 255. Having a matrix $G$ constructed from four sub-matrices $(A, B, C, D)$, the non-invertibility of this matrix can be proven as follows. Its determinant is given by:

$$\begin{aligned} \det(G) &= \det(A) \times \det(D - CA^{-1}B) \\ &= \det(A) \times \det(B - ABA^{-1}) \\ &= \det(A) \times \det(B - B) \\ &= 0 \end{aligned} \tag{3.9}$$

where $D = B$ and $C = A$.

Therefore, the necessary condition for not having an inverse matrix is attained, and attackers cannot calculate the inverse secret matrix $G^{-1}$ to get the original substituted data. An example of constructing the secret matrix $G$ is shown in Figure 3.4 for $n = 16$. The output of the substitution layer is reshaped to form a sub-matrix parameter temp of size $\frac{n}{4} \times \frac{n}{4}$. Later, this sub-matrix is replicated to form a sub-matrix $A$ of size $\frac{n}{2} \times \frac{n}{2}$, which is required to form the final matrix (diffusion layer).

3.3.3.2 The Proposed diﬀusion Process G

The input of the diffusion layer is $n$ bytes, and diffusion is performed on a series of substituted bytes $\{F(y_1), F(y_2), \ldots, F(y_h)\}$, the output of which is the produced key-stream. The key-stream $S$ is obtained by performing a modular matrix multiplication using the secret matrix $G$, which is obtained from the substituted data. The architecture of the diffusion process is shown in Figure 3.5. The coefficient vectors $\{G_1, G_2, \ldots, G_n\}$ form the global diffusion matrix $(G)$. Each global diffusion vector $G_i$ is represented as a sequence of independent random numbers from a byte field. The relationship among the input block data, $G$ and $S$ can be described as follows:

$$S = G \times F(Y) = \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} = \begin{pmatrix} G_{1,1} & G_{1,2} & \cdots & G_{1,n} \\ G_{2,1} & G_{2,2} & \cdots & G_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ G_{n,1} & G_{n,2} & \cdots & G_{n,n} \end{pmatrix} \cdot \begin{pmatrix} F(y_1) \\ F(y_2) \\ \vdots \\ F(y_n) \end{pmatrix} \tag{3.10}$$

where $G_{i,j}$ is a diffusion coefficient that varies between 0 and 255 for line $i$ and column $j$, with $i, j = 1, 2, \ldots, n$; $F(y_i)$ is a substituted byte and $s_i$ is the resulting key-stream byte. Finally, the output key-stream $S$ is XORed with the plain-text $M$ to produce the cipher-text $C$ to be transmitted.
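The whole key-stream path of Section 3.3, from eq. (3.3) through the diffusion product of eq. (3.10) to the XOR of eqs. (3.1) and (3.2), as an added example that is not the thesis's own code. Several details are assumptions because the page leaves them to Figures 3.4 and 3.5: the IV bit layout, the per-block index in the low IV bits, ">>" read as a rotation, $B$ computed element-wise modulo 256, and the 2 × 2 tiling of temp into $A$; all names are hypothetical and the key and payload are constructed.

```python
"""Walk-through of the ERCA key-stream path: eqs. (3.3), (3.4), (3.5), (3.8), (3.10), (3.1)."""
from fractions import Fraction

N = 16  # bytes per block

def sub_byte(y, rs=3):
    """Eq. (3.5) applied rs times; ">>" is taken as an 8-bit right rotation (assumption)."""
    for _ in range(rs):
        t = (y * (2 * y + 1)) & 0xFF
        y = ((t >> 3) | (t << 5)) & 0xFF
    return y

def build_iv(count, bearer, direction, block_index=0):
    """Counter, bearer and direction in the top bits, block index in the low bits (assumed layout)."""
    top = (count << 32) | (bearer << 27) | (direction << 26)
    return ((top << 64) | block_index).to_bytes(N, "big")

def diffusion_matrix(z):
    """Build G = [[A, B], [A, B]] of eq. (3.8) from the 16 substituted bytes z."""
    temp = [z[4 * r:4 * r + 4] for r in range(4)]                     # n/4 x n/4 reshape
    a = [[temp[r % 4][c % 4] for c in range(8)] for r in range(8)]    # replicated to n/2 x n/2
    b = [[(v * (2 * v + 1)) & 0xFF for v in row] for row in a]        # b = a(2a+1) per element (assumption)
    upper = [ra + rb for ra, rb in zip(a, b)]
    return upper + [row[:] for row in upper]

def keystream_block(key, iv):
    x = [k ^ v for k, v in zip(key, iv)]          # eq. (3.3): X = K xor IV
    y = [b ^ 0x00 for b in x]                     # eq. (3.4): all-zero constant block
    z = [sub_byte(b) for b in y]                  # substitution layer
    g = diffusion_matrix(z)
    return bytes(sum(c * v for c, v in zip(row, z)) % 256 for row in g)   # eq. (3.10)

def crypt(key, count, bearer, direction, data):
    """Eqs. (3.1)/(3.2): XOR with the key-stream; the same call encrypts and decrypts."""
    out = bytearray()
    for j in range(0, len(data), N):
        s = keystream_block(key, build_iv(count, bearer, direction, j // N))
        out += bytes(m ^ k for m, k in zip(data[j:j + N], s))
    return bytes(out)

def rank(matrix):
    """Rank over the rationals by Gaussian elimination; rank < n means det = 0."""
    m = [[Fraction(v) for v in row] for row in matrix]
    r = 0
    for c in range(len(m[0])):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(r + 1, len(m)):
            f = m[i][c] / m[r][c]
            m[i] = [p - f * q for p, q in zip(m[i], m[r])]
        r += 1
    return r

if __name__ == "__main__":
    key = bytes(range(1, 17))                     # constructed sample key
    msg = b"constructed PDCP payload for the example"
    ct = crypt(key, 7, 3, 1, msg)
    g = diffusion_matrix([sub_byte(b) for b in key])
    print("rank(G) =", rank(g), "of", N)
    print("round trip ok:", crypt(key, 7, 3, 1, ct) == msg)
    print("key-stream block:", keystream_block(key, build_iv(7, 3, 1)).hex())
```

Because the lower block row of $G$ repeats the upper one, bytes $i$ and $i + n/2$ of every key-stream block coincide under this literal reading of eqs. (3.8) and (3.10), which is the same structure that makes $\det(G) = 0$.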


Figure 3.4: An example of creation of the diﬀusion Layer

3.4 Cryptographic strength and performance

In this section, the cryptographic properties of the proposed algorithm are presented.

The algorithm is subjected to several tests such as uniformity, randomness and key sensi-

tivity to assess its eﬃciency and to show how far it is consistent with security standards.

In addition, the time complexity is quantiﬁed and compared to AES algorithm.

3.4.1 Cryptographic performance of the substitution layer

A strong $n \times n$ substitution layer must have some important properties, based on information theory analysis [39], [40], [41]. The five main properties are: bijectivity, non-linearity, the Strict Avalanche Criterion (SAC), the output Bit Independence Criterion (BIC), and an equiprobable input/output XOR distribution.

Figure 3.5: Proposed Diﬀusion Technique

3.4.1.1 Linear Probability Approximation Boolean Function (LPF)

One of the important properties of the substitution layer is non-linearity, which makes it capable of resisting linear cryptanalysis attacks. LPF is used to measure the nonlinear degree of a given substitution layer; it is calculated according to [39]. Figure 3.6-a shows the variation of LPF against the number of iterations rs. It attains its minimum value after three iterations.

3.4.1.2 Diﬀerential Probability Approximation Function (DPF)

Differential uniformity is one of the important properties of any substitution layer for obtaining the nonlinear transformation and hence resisting differential cryptanalysis attacks [40]. DPF is used to measure the differential uniformity of our substitution layer, as in [42]. Figure 3.6-b shows the variation of DPF against the number of iterations rs; it attains its minimum value after 4 iterations.

3.4.1.3 Strict Avalanche Criterion (SAC)

Webster and Tavares were the first to present the SAC when they generalized the avalanche effect [41]. A cipher system function satisfies the SAC if, whenever a single input bit is complemented, the output bit changes with a probability of at least one half. The SAC is considered a desirable characteristic of any block ciphering algorithm and is used to quantify the degree of security of the S-boxes of substitution-permutation networks. Therefore, any strong ciphering system should fulfill this criterion. The average SAC value (mean of the 8x8 values of the dependence matrix) versus the number of iterations rs is shown in Figure 3.7-a. We can observe that the SAC value becomes very close to the ideal value 0.5 after three iterations.

Figure 3.6: Variation of the LPF (a) and DPF (b) against the number of iterations

3.4.1.4 Output Bit Independence Criterion (BIC)

BIC is another property which was also described by Webster and Tavares [41] and is considered another desirable characteristic of cipher algorithms. The BIC specifies that two output bits $j$, $k$ should change independently when a single input bit $i$ is changed, for all $i$, $j$ and $k$. The average value of the BIC (mean of the 8x8 values of the BIC matrix without the diagonal) versus the number of iterations rs is shown in Figure 3.7-b. We can observe that the BIC becomes very close to the ideal value 0.5 after three iterations. This result is similar to that of the SAC, so the number of iterations is set to 3 to attain an acceptable performance with the lowest possible complexity.

Figure 3.7: Variation of the SAC (a) and BIC (b) against the number of iterations

3.4.2 Randomness of the produced key-stream

The security strength of the proposed stream cipher depends on the produced key-stream; therefore, the stream cipher should produce key-streams with a high level of randomness. Some parameters of the LTE packet header are used in addition to the counter to form the IV, which implies that the sub-matrix used in the construction of the diffusion layer is renewed for each block; consequently, the produced key-stream is updated. In Figure 3.8, the recurrence (a) and distribution (b) for a random key-stream are shown. These results clearly indicate a good degree of randomness and uniformity. To prove these properties, the cipher key-stream has been analyzed using the NIST randomness tests [43]. In order to get correct statistical results, one needs to provide 100 secret keys, and each key-stream sequence should be at least 1000000 bits long. The NIST suite performs 15 tests on the data sample, and the total number of NIST STS tests executed is 189. The results of testing the key-stream randomness are shown in Figure 3.9. The obtained proportion values (success rates) show how many samples passed the given tests. The red line marks the minimum proportion value required to consider the sequence random. The Random Excursions and Random Excursions Variant tests represent 26 tests with different parameters, which have other minimum proportion values. The simulation results clearly indicate the randomness of the generated key-streams.

3.4.3 Key sensitivity

The sensitivity of the secret key is analyzed for 1000 random keys. All the elements of $K'_i$ are equal to those of the $i$th key $K_i$, except the Least Significant Bit (LSB), which was flipped. The percentage Hamming distance is calculated as follows:

$$PDH = \frac{\sum_{k=1}^{T} C_i \oplus C'_i}{T} \times 100\% \qquad (3.11)$$

where $T$ is the length in bits of the encrypted packet, and $C_i$ and $C'_i$ are the cipher packets corresponding to $K_i$ and $K'_i$ respectively.

Figure 3.8: Recurrence of the produced key-stream (a) and its distribution (b) using a secret random key K

Figure 3.9: Proportion values of NIST tests

In Figure 3.10, the sensitivity of the secret key versus 1000 random keys is shown, where only the LSB of $K_i$ is changed. This result indicates a high sensitivity, as the average percentage Hamming distance is close to the optimal value (50%) at the bit level.

3.4.4 Statistical properties

To demonstrate the safe use of our stream cipher, it is important to analyze its characteristics in terms of random recurrence, mixing nature, and low correlation coefficient between original and encrypted data packets. In our simulation, the proposed stream cipher scheme is considered as a black box, and a set of initial packets with a length of 125000 bytes is chosen randomly; the packets are normally distributed with a mean equal to 128 and a standard deviation equal to 8.

Figure 3.10: The key sensitivity results for a change of a random LSB of the secret key K versus 1000 random keys

3.4.4.1 Recurrence

The recurrence plot serves to evaluate randomness and estimates the correlations among the data of a sequence, as in [44]. Considering a packet sequence $x_i = x_{i,1}, x_{i,2}, \ldots, x_{i,m}$, a vector with delay $t \ge 1$ can be constructed by $x_i(t) = x_i, x_{i+t}, x_{i,2 \times t}, \ldots, x_{i,m \times t}$. In Figure 3.11 a and b, the variation between $x_i(t)$ and $x_i(t+1)$ for the original and the encrypted packets is shown respectively. We can observe that no clear pattern is obtained after encryption.

3.4.4.2 Mixing nature

The mixing nature serves as a measure of uniformity, and it can be quantified by a statistical approach. If the frequency counts of the encrypted generation are close to a uniform distribution, then the cipher under test can be said to have a good level of mixing. In Figure 3.12-a and b, the distributions of the original packets and of their corresponding cipher packets are shown respectively. This result clearly shows that the contents of the encrypted packets are spread over the whole space and have a uniform distribution. To validate this uniformity, the Chi-square test [45] is applied and works as follows:

$$\chi^2_{test} = \sum_{i=1}^{l} \frac{o_i - e_i}{e_i} \qquad (3.12)$$

where $l$ is the number of levels (here 256), $o_i$ is the observed occurrence frequency of each level of field size (0-255) in the histogram of ciphered generation contents, and $e_i$ is the expected occurrence frequency of the uniform distribution. For a significance level of 0.05, the null hypothesis is not rejected and the distribution of the histogram is uniform if $\chi^2_{test} \le \chi^2_{theory}(255, 0.05) \approx 293$. The average results of the Chi-square test for 1000 different sets of generation for the whole ciphered packets against h is shown in Figure 3.13. The distribution of the tested histogram is uniform for ≈97%, which means that a strong mixing property is obtained.

Figure 3.11: Recurrence plot of the original packet (a) and its corresponding encrypted one (b)

3.4.4.3 Low coeﬃcient correlation

Another important requirement for any encryption scheme is that the encrypted data should be greatly different from its original form. The encrypted packets should have redundancy and correlation as low as possible. First, the correlation coefficient between the original and encrypted packets is measured. The correlation coefficient is computed according to the following formulas:

$$\rho_{x,y} = \frac{cov(x, y)}{\sqrt{D(x) \times D(y)}} \qquad (3.13)$$

where $cov(x, y) = E[\{x - E(x)\}\{y - E(y)\}]$;

$$E(x) = \frac{1}{n} \times \sum_{k=1}^{n} x_i \quad \text{and} \quad D(x) = \frac{1}{n} \times \sum_{k=1}^{n} \{x_i - E[x]\}$$

Figure 3.12: The distribution of the contents of the original stream packet (a) and its corresponding encrypted one (b)

In Figure 3.14, the correlation coefficient between the original and encrypted packets versus 1000 different keys and data packets is shown. This result shows that the correlation coefficient is always close to zero, which indicates that no detectable correlation exists between the original and its corresponding cipher packets.

Figure 3.13: Variation of the $\chi^2_{test}$ of cipher packets for 12508 bytes length versus 1000 random keys

Figure 3.14: The correlation coefficient between the original and encrypted stream packets versus 1000 random keys
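The key-sensitivity, mixing and correlation checks of Sections 3.4.3 and 3.4.4 can be run against any cipher treated as a black box. The following Python is an added example, not the thesis code: a SHA-256 counter-mode key-stream stands in for ERCA (an assumption, as are all function names), the packet is constructed from the N(128, 8) distribution described above, and the chi-square and variance use the standard squared-deviation forms.

```python
import hashlib
import math
import random

CHI2_CRITICAL = 293.0  # chi-square threshold for 255 d.o.f. at 0.05, as given in the text


def standin_encrypt(key: bytes, iv: bytes, packet: bytes) -> bytes:
    """XOR the packet with a SHA-256 counter-mode key-stream.

    Stand-in for the cipher under test (assumption): this is NOT ERCA.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(packet):
        stream += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(packet, stream))


def percent_hamming_distance(c1: bytes, c2: bytes) -> float:
    """Eq. (3.11): percentage of bit positions in which two packets differ."""
    if len(c1) != len(c2) or not c1:
        raise ValueError("packets must be non-empty and of equal length")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))
    return 100.0 * differing / (8 * len(c1))


def chi_square_uniformity(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform one (256 levels)."""
    observed = [0] * 256
    for byte in data:
        observed[byte] += 1
    expected = len(data) / 256
    return sum((o - expected) ** 2 / expected for o in observed)


def correlation_coefficient(x: bytes, y: bytes) -> float:
    """Correlation coefficient between two equal-length byte sequences."""
    n = len(x)
    mean_x, mean_y = sum(x) / n, sum(y) / n
    cov = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y)) / n
    var_x = sum((a - mean_x) ** 2 for a in x) / n
    var_y = sum((b - mean_y) ** 2 for b in y) / n
    return cov / math.sqrt(var_x * var_y)


def constructed_packet(length: int, seed: int) -> bytes:
    """Constructed plaintext: byte values drawn from N(128, 8), clipped to 0..255."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, round(rng.gauss(128, 8)))) for _ in range(length))


def evaluate(seed: int = 1, length: int = 125000) -> dict:
    """Run the three checks for one random key and one constructed packet."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    flipped_key = key[:-1] + bytes([key[-1] ^ 0x01])  # only the LSB differs
    iv = bytes(16)
    packet = constructed_packet(length, seed)
    cipher = standin_encrypt(key, iv, packet)
    cipher_flipped = standin_encrypt(flipped_key, iv, packet)
    return {
        "pdh": percent_hamming_distance(cipher, cipher_flipped),
        "chi2_plain": chi_square_uniformity(packet),
        "chi2_cipher": chi_square_uniformity(cipher),
        "rho": correlation_coefficient(packet, cipher),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.4f}")
    print("uniformity threshold:", CHI2_CRITICAL)
```

A single run can exceed the 293 threshold by chance (about 5% of the time at this significance level), which is why the text reports the share of 1000 runs that pass rather than one value.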

3.4.5 Execution Time

The execution speed is very important for any DC algorithm, since it is directly related to the time and resources required for ciphering/deciphering. The execution time should be kept very low, especially when a huge amount of data is to be transmitted, as in LTE systems. The average calculation time in ms (over 10000 runs) to encrypt a packet M against Tb is quantified, where Tb represents the length of the block, such as 128, 256, 512, 1024, etc. These calculations are performed under the following software and hardware environment: Matlab 2012 on a micro-computer with an Intel Core 2 Duo 2.1 GHz CPU and 2 GB RAM, under Windows 7. We conclude that the variation of the average time is linear. The average time necessary against Tb is estimated (approximately) using the linear interpolation method. It shows that the proposed method is indeed sufficiently fast for LTE/LTE-A applications. Finally, we compared the mean encryption time (in ms), versus Tb, of the proposed cipher with AES. The proposed secure scheme is at least 4.5 times faster than the AES algorithm, as shown in Figure 3.15.

3.4.6 Discussion and Cryptanalysis

A cryptographic scheme is considered secure if it is strong enough to resist attacks. According to Shannon's theory, the confusion and diffusion processes must be applied to provide resistance against powerful attacks based on statistical analysis [12]. These processes are repeated for several rounds to achieve the avalanche effect, which leads to delay in terms of execution time (high computational complexity that leads to high delay and energy consumption), especially for resource-constrained devices. Our proposed stream cipher ERCA is constructed in a new manner, where the diffusion process changes in a dynamic (pseudo-random) manner and does not possess the invertible property.

Figure 3.15: Variations of the average time ratio for message encryption (AES/ERCA) as a function of message length

Concerning the substitution layer, when the number of iterations is 8, all properties become weak. This means that increasing the number of iterations totally eliminates the advantage of the bitwise right shift, since this function without >> is linear and cannot be used as a substitution layer. The proposed function is periodic with a period of 8 iterations, and the best performance is attained in three iterations. To demonstrate the performance of the proposed substitution layer, its properties are compared with the substitution layers of AES and ZUC ($S_0$ and $S_1$) in Table 3.1. The results show that the proposed substitution layer possesses sufficient cryptographic performance and that the obtained results of LPF, DPF, SAC and BIC are very close to those of the standardized solutions. The cryptographic security of our scheme relies on two properties:

- using a new efficient substitution layer

- using a dynamic diffusion layer with unpredictability and high sensitivity of the G

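Table 3.1: Comparison Analysis of Substitution Layer

| Test | Proposed | AES | $S_0$ | $S_1$ |
|---|---|---|---|---|
| LPF | $2^{-5.3}$ | $2^{-6}$ | $2^{-5}$ | $2^{-6}$ |
| DPF | $2^{-4}$ | $2^{-6}$ | $2^{-4}$ | $2^{-6}$ |
| SAC | 0.5 | 0.4998 | 0.494 | 0.509 |
| BIC | 0.502 | 0.4998 | 0.4951 | 0.505 |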

Moreover, the statistical properties of the proposed secure scheme (such as the uniformity of the cipher packets and the low correlation coefficient between the original and encrypted blocks of packets) are attained, which can provide immunity against statistical attacks. In addition, differential and linear attacks would become ineffective, since the avalanche effect is attained and the diffusion layer changes for each block. In fact, any change in any bit of the secret key or public parameters causes a significant difference in the encrypted blocks, as seen in Figure 3.10. The key space of the secret key is $2^{128}$, which is sufficiently large to make a brute-force attack infeasible. Additionally, the use of a non-invertible dynamic diffusion layer will limit the ability of attackers who try to break the cipher.

3.5 Conclusion

In this chapter, our novel algorithm ERCA has been presented for data confidentiality protection in LTE/LTE-A networks. The main motivation of the novel algorithm was to achieve the security requirements with minimum complexity. The key idea of ERCA is based on using substitution-diffusion networks similar to the AES algorithm. While AES is based on Shannon's vision of ciphering algorithms, performing diffusion and confusion functions for at least 10 rounds as in EEA2, our proposed algorithm performs the encryption in only one round. Indeed, ERCA is a round function consisting of an addition, a substitution and a diffusion layer. We have introduced a new technique of key-dependent stream cipher which achieves the avalanche effect with an acceptable trade-off between security and complexity. Additionally, the ERCA algorithm has been subjected to several statistical and analytical tests that are essential for any cipher algorithm to be considered credible and robust. Simulation results showed that ERCA possesses most of the necessary cryptographic properties. Moreover, a considerably reduced computational time has been achieved compared to the AES algorithm. In consequence, reduced computational power and energy consumption during ciphering/deciphering processes are attained.

Chapter 4

Efficient and Robust Algorithm for LTE/LTE-A Data Integrity (DI)

4.1 Introduction

One of the important security services in any wireless channel is Data Integrity (DI), since, compared with wired transmission, active eavesdropping in a wireless environment is relatively easy. Integrity protection of data is mainly responsible for preventing the modification of messages during transmission over the air interface. It is also responsible for protection against impersonation attacks [8]. In public key (asymmetric) cryptography, integrity is mostly protected using digital signatures, while MACs are preferred in symmetric cryptography. MACs differ from digital signatures in that MAC values are both generated and verified using the same secret key. However, because of the high computational requirements of digital signature calculation, integrity protection in resource-constrained devices such as mobile terminals is mostly based on MACs. In mobile networks such as LTE/LTE-A, integrity protection is performed using MACs that convert strings of variable length to fixed-size strings called hash values, hash codes or simply hashes. Cryptographic hash functions can be keyed or un-keyed. The un-keyed ones are called Modification Detection Codes (MDCs) and provide only data integrity. The Keyed Hash Functions (KHFs) are MACs which, besides integrity protection, help in authenticating the origin of data [46]. Moreover, as LTE networks intend to support high data rates and an enhanced data, voice, and video experience for end users, it is desirable to develop a low-computation DI algorithm with acceptable security strength, to speed up data processing and consequently reduce the computational time.

In this chapter we propose a new efficient and robust DI algorithm, which we name Efficient and Robust Algorithm for Data Integrity (ERADI). ERADI is based on a KHF and the Merkle-Damgard concept [47], [48]. Its main advantage is the use of a dynamic substitution-diffusion technique in the core cipher of the algorithm, which requires only one round of processing instead of the several processing rounds required by the standardized reference solutions. Like the ERCA cipher algorithm presented in Chapter 3, the core cipher of the proposed hash function consists of addition, substitution and diffusion layers. In addition, a chaining layer is employed in order to ensure more bit dependency. Notably, the core cipher employed here is not exactly the same as the one used in the ERCA algorithm, as is the case in all the standardized solutions. By employing ERADI in LTE/LTE-A networks, a significant reduction in computational complexity and consequently important energy savings are expected.

The rest of this chapter is organized as follows. In Section 2, the realization of integrity

protection in LTE/LTE-A networks is presented. In Section 3, the novel proposed

ERADI algorithm is detailed. Simulation and test results are discussed in Section 4.

Finally, this Chapter’s developments and results will be discussed and concluded in

Section 5.

4.2 Realization of integrity protection in LTE/LTE-A networks

While digital signatures are mostly used for integrity protection in public key cryptography, MACs are widely preferred for integrity protection in mobile networks, where symmetric cryptography is employed. There exist several widely used MACs, such as HMAC [49], EMAC [50], XCBC [51], OMAC [52], [53] and XOR MAC [54]. Conventional MAC algorithms consist of two components: the underlying cipher and the upper-level structure. The underlying cipher could be a keyed hash function, a block cipher or a stream cipher. The input message of a MAC generation algorithm is allowed to have an arbitrary length; it passes through the underlying cipher and becomes the cipher text. Then, the cipher text is assembled by the upper-level structure to get a fixed-length string, which is the output of the MAC. Although most traditional MACs are based either on hash functions or block ciphers, the use of a stream cipher as the underlying cipher of a MAC has recently been attracting more and more attention in research. The three standardized DI algorithms for LTE/LTE-A networks, EIA1, EIA2 and EIA3, apply an underlying cipher as a tool to encrypt the public and secret keys, and make use of the encrypted result in the upper layer to compute the Message Authentication Code for Integrity (MAC-I) of the message. The EIA1 and EIA3 algorithms adopt the concept of the Galois Message Authentication Code (GMAC) [25], whose basic idea is to employ a block cipher in counter mode to act as a stream cipher, while the EIA2 algorithm is based on the concept of CMAC, i.e. using the output from the cipher algorithm directly as a MAC.

In the LTE/LTE-A system specifications, integrity protection is mostly mandatory for control plane data, but user plane data is not integrity protected except in Relay networks [13]. When a communication session is started, the UE and the eNB are connected through the Access Stratum (AS) protocol [55], and the DI feature is achieved in the PDCP sub-layer. It is important to note that the DI algorithm and the key to be used by the PDCP entity are configured by upper layers. Generally, an EIA algorithm, as shown in Figure 4.1, takes as input a 128-bit Integrity Key (IK), which is the $K_{RRCint}$ in the LTE/LTE-A key derivation hierarchy, then a 32-bit COUNT, a 5-bit bearer identity, a 1-bit direction representing the transmission direction (0 for uplink and 1 for downlink), and finally the message itself, which is the control plane data (also denoted RRC signaling traffic). The derived output is a 32-bit MAC-I. The sender appends the MAC-I to the message when it is sent. In the same way, for DI checking, the receiver computes the expected message authentication code (XMAC-I) using the received message and compares it to the MAC-I.

However, the standardized solutions have their own drawbacks, especially in terms of computational complexity, as already explained in Chapter 2. The next sections describe our contributions to solve the previously mentioned drawbacks, and more particularly the computational complexity. We propose a novel efficient DI algorithm whose computational complexity will be reduced significantly.

4.3 ERADI Algorithm Description

In this section, we detail our CMAC-based algorithm, called ERADI, which is proposed for LTE/LTE-A networks to ensure data integrity protection for the control plane data at the PDCP sub-layer. The process of MAC generation, which uses the Merkle-Damgard concept [47], [48], is depicted in Figure 4.2. It consists of a round compression function (a hash function based on a block cipher), which is applied in an iterative process.

In fact, the input message M (control plane data of LTE PDUs) with a random length N is padded if necessary to ensure that the length of M is a multiple of Tb (here Tb = 128). M is subsequently divided into nb blocks ($M_1, M_2, \ldots, M_{nb}$), where $nb \ge 1$, and each block consists of n = Tb/8 bytes. Likewise, the IV is formed from a 32-bit COUNT, a 5-bit bearer identity and the 1-bit direction of the transmission; it is also padded with zeros to form a 128-bit block. The hash value is calculated according to the following equation:

$$H_i = ERADI(H_{i-1}, M_i), \quad i = 1, 2, \ldots, nb \qquad (4.1)$$

where $H_0 = IK \oplus IV$. The last output $H_{nb}$ is truncated by taking the 32 MSB (Most Significant Bits), which are used directly as the MAC-I. Indeed, every $M_i$, IK and IV are divided into n = 16 bytes before being taken as inputs to the cipher.

Figure 4.1: Derivation of MAC-I/XMAC-I

Figure 4.2: The iterated design of the proposed keyed hash function for ERADI

The proposed core cipher of the ERADI function comprises four layers: addition, chaining, substitution and diffusion, as depicted in Figure 4.3.

It is important to note that the overall structure of this cipher is almost the same as the structure of the ERCA algorithm. The main difference is that in the ERADI algorithm a chaining layer is added to the original structure. Therefore, the different layers will be explained briefly, since the details of their functionality have been largely introduced in Chapter 3.

4.3.1 Addition Layer

Let us consider a given block $M_i$, $i \in [1, nb]$. The addition layer uses a constant block value, chosen with a uniform bit distribution, to provide uniformity to the message by mixing this constant block with the input block. The mixing is carried out byte by byte using the logical XOR operation as follows:

$$y_{i,j} = h_{i-1,j} \oplus m_{i,j} \oplus t_j \qquad (4.2)$$

where $h_{i-1,j}$ is the $j$th byte of the input to the addition layer, which is the previous output of the compression function (with $h_{0,j} = IK_j \oplus IV_j$), $t_j$ is the $j$th byte of the constant block and $m_{i,j}$ is the $j$th byte of the considered message block $M_i$.

4.3.2 Chaining Layer

The chaining layer can be considered as a CBC mode, where each byte of the input block is XORed with the previous output chaining byte. It is carried out byte by byte as follows, starting with $u_{i,1} = y_{i,1}$:

$$u_{i,j} = y_{i,j} \oplus u_{i,j-1}, \quad j = 2, 3, \ldots, n \qquad (4.3)$$

This means that each output byte of the block depends on all input bytes of the block processed up to that point. The chaining layer has been chosen to ensure a high sensitivity for the parameters of the substitution layer and consequently for the diffusion layer. In addition, this guarantees that the avalanche effect and the key and initial vector sensitivities are attained.

4.3.3 Substitution Layer

Figure 4.3: Proposed compression function (ERADI)

The proposed substitution layer presents a potential modification of the Non Linear Transformation (NLT) of RC6 [38], which is originally expressed as:

$$y = RC6(x) = mod(x \times (2 \times x + 1), 2^{W}) >> \log_2(W) \qquad (4.4)$$

where >> is bitwise right shift and $W$ is equal to 8. A modified version of RC6 is employed to ensure a dynamic nonlinear transformation. Indeed, the proposed dynamic substitution layer is reformulated as:

$$Z_w = F(Z_{w-1}) = mod(Z_{w-1} \times (r_w \times Z_{w-1} + t_w), 2^{w}) >> \log_2(w) \qquad (4.5)$$

where $Z_0 = U$, $w = 1, \ldots, 4$ and $(r_w, t_w)$ are the control parameters for iteration $w$. In fact, $r_w$ and $t_w$ have to be even and odd bytes respectively. These control parameters are generated as:

$$r_0 = u_n \ \text{and} \ s_0 = u_n, \qquad r_w = RC6(r_{w-1}), \qquad s_w = RC6(s_{w-1}), \quad w = 1, 2, 3, 4 \qquad (4.6)$$

where $u_n$ is used since it is the last output byte of the chaining layer and represents the XORed value of all elements of the vector $Y = \{y_1, y_2, \ldots, y_n\}$. After that, the Least Significant Bit (LSB) of each element $r_w$ and $s_w$ is set to 0 and 1 respectively, to ensure the bijectivity property (one-to-one). Accordingly, each byte is substituted by applying the RC6 non-linear function using four different couples of control parameters $(r_w, t_w)$, $w = 1, 2, 3, 4$. In Table 3.1, we present the corresponding cryptographic properties of the original RC6 and our proposition. These results clearly indicate that the original transformation has poor cryptographic properties, especially a high differential probability approximation, which makes it useless as a substitution layer. Accordingly, a potential enhancement of the cryptographic properties is achieved using our modification compared to the original one.
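The bijectivity and differential behaviour described above can be checked by exhaustive enumeration over the 256 byte values. The following Python is an added example, not the thesis code; it assumes that `>>` denotes a circular rotation by log2(W) = 3 bits (a plain shift discards bits and cannot be one-to-one), that the odd parameter $t_w$ of equation (4.5) is the $s_w$ of equation (4.6), and the function names are illustrative.

```python
W = 8                    # word size in bits, as stated in the text
MASK = (1 << W) - 1
ROT = 3                  # log2(W)


def rotr(x: int, k: int = ROT) -> int:
    """Circular right rotation of a W-bit value (assumed meaning of '>>')."""
    return ((x >> k) | (x << (W - k))) & MASK


def rc6_nlt(x: int) -> int:
    """Eq. (4.4): the original RC6 non-linear transformation on one byte."""
    return rotr((x * (2 * x + 1)) & MASK)


def control_parameters(seed: int, rounds: int = 4) -> list:
    """Eq. (4.6): derive the (r_w, t_w) pairs from the seed byte u_n."""
    r = s = seed & MASK
    params = []
    for _ in range(rounds):
        r, s = rc6_nlt(r), rc6_nlt(s)
        params.append((r & 0xFE, s | 0x01))   # LSB forced to 0 (even) and 1 (odd)
    return params


def dynamic_sbox(seed: int, rounds: int = 4) -> list:
    """Eq. (4.5): 256-entry table of the dynamic substitution for one seed."""
    table = list(range(256))
    for r, t in control_parameters(seed, rounds):
        table = [rotr((z * (r * z + t)) & MASK) for z in table]
    return table


def is_bijective(table: list) -> bool:
    """True when the table is a permutation of 0..255."""
    return sorted(table) == list(range(256))


def max_differential_probability(table: list) -> float:
    """Max over dx != 0 and dy of Pr[S(x) xor S(x xor dx) = dy]."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[table[x] ^ table[x ^ dx]] += 1
        best = max(best, max(counts))
    return best / 256


def sac_average(table: list) -> float:
    """Mean of the 8x8 dependence matrix: Pr[output bit flips | one input bit flips]."""
    flips = 0
    for i in range(W):
        for x in range(256):
            flips += bin(table[x] ^ table[x ^ (1 << i)]).count("1")
    return flips / (W * W * 256)


def compare(seed: int) -> dict:
    """Original RC6 transformation versus the 4-round dynamic layer for one seed."""
    original = [rc6_nlt(x) for x in range(256)]
    dynamic = dynamic_sbox(seed)
    return {
        "original_dp": max_differential_probability(original),
        "dynamic_dp": max_differential_probability(dynamic),
        "original_sac": sac_average(original),
        "dynamic_sac": sac_average(dynamic),
    }


if __name__ == "__main__":
    print(compare(0x5A))   # 0x5A is a constructed seed value
```

Under the rotation assumption, a single round maps the input difference 0x80 to the output difference 0x10 for every input, so its maximum differential probability is 1; the later rounds are what bring the value down.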

4.3.4 Diﬀusion Layer

The diffusion process is a linear transformation which is represented by matrices. This layer includes two steps: generation of the secret matrix G and modulo-256 matrix-vector multiplication. Indeed, the proposed dynamic diffusion layer is based on a special rule of algebra, which can provide the property of flexibility through the use of a non-invertible matrix, whose determinant is equal to 0 (singular matrix). It is equally important to note that this diffusion technique is effortless to implement in hardware, since it can be executed in parallel as shown in Figure 3.5.

4.3.4.1 Secret matrix generation G

The output of the substitution layer is reshaped to form a sub-matrix parameter temp of size $\frac{n}{4} \times \frac{n}{4}$. Later, this sub-matrix is replicated to form a sub-matrix $A$ of size $\frac{n}{2} \times \frac{n}{2}$. The form of the diffusion matrix of dimension $n$ is given below:

$$G = \begin{pmatrix} A & B \\ A & B \end{pmatrix} \qquad (4.7)$$

assuming that $B$ is equal to $A \times (2 \times A + 1)$ mod 2256. Besides, having a matrix $G$ constructed from four sub-matrices (A, B, C, D), it can be proven that this matrix is non-invertible. Indeed, the determinant is given by:

$$\begin{aligned} \det(G) &= \det(A) \times \det(D - C A^{-1} B) \\ &= \det(A) \times \det(B - A B A^{-1}) \\ &= \det(A) \times \det(B - B) \\ &= 0 \end{aligned} \qquad (4.8)$$

where $D = B$ and $C = A$.

Therefore, the necessary condition for not having an inverse matrix is attained, and attackers cannot calculate the inverse secret matrix $G^{-1}$ to recover the original substituted block data, which in turn ensures the one-way property.

4.3.4.2 Modular matrix multiplication of G

Considering any block message $M_i$, $i \in [1, nb]$, the diffusion process is performed on a series of $n$ substituted bytes $\{z_{i,1}, z_{i,2}, \ldots, z_{i,n}\}$, and its output is the produced hashed block $H_i$, which is obtained by performing a modular matrix multiplication using the secret matrix $G$, derived from the substituted data. The architecture of the diffusion process is shown in Figure 3.5.

The coefficient vectors $\{G_1, G_2, \ldots, G_n\}$ are described as the global diffusion matrix ($G$). Each global diffusion vector $G_i$ is represented as a sequence of independent random numbers from a byte field. The relationship between the input block data, $G$ and $S$ can be described as follows:

$$H_i = G' \times Z_i = \begin{pmatrix} h_{i,1} \\ h_{i,2} \\ \vdots \\ h_{i,n} \end{pmatrix} = \begin{pmatrix} g_{1,1} & g_{1,2} & \cdots & g_{1,n} \\ g_{2,1} & g_{2,2} & \cdots & g_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ g_{n,1} & g_{n,2} & \cdots & g_{n,n} \end{pmatrix} \cdot \begin{pmatrix} z_{i,1} \\ z_{i,2} \\ \vdots \\ z_{i,n} \end{pmatrix} \qquad (4.9)$$

where $G_{il,ic}$ is a diffusion coefficient that varies between 0 and 255 for the line il and column ic, with il and ic from 1 to n.

Finally, after the sender calculates the MAC-I, which is obtained directly by truncating $H$ to its 32 MSB, the result is appended to the original message and sent to the receiver. Similarly, on the receiver side, the IK and IV are used with the ERADI function to calculate the XMAC-I in order to check the integrity of the message.

4.4 Cryptographic Strength and Performance Evaluation

In this section, the cryptographic properties of the proposed substitution layer of the core cipher are presented; since the chaining layer has been added, the cipher should be tested again to ensure its security strength. The most important substitution layer tests are applied in order to prove its performance. Then, the overall algorithm is analyzed using several statistical tests, such as uniformity, randomness, key sensitivity, etc., to assess its efficiency and to show how far it is consistent with the main security requirements. Finally, the time complexity is quantified and compared to that of the EIA2 algorithm.

4.4.1 Cryptographic performance of the proposed dynamic substitution layer

As already described in the previous chapter, a strong n×n substitution layer must have some important properties, based on information theory analysis [39], [40], [41]. These main properties are: bijectivity, non-linearity, SAC, BIC, and equiprobable input/output XOR distribution. The LPF can be calculated according to [39]. In Figure 4.4-a, the variation of LPF against the seed (byte) $u_n$ is shown; the probability of $LPF < 2^{-4}$ is 0.968, that of $2^{-6} \le LPF \le 2^{-5}$ is 0.322 and that of $LPF > 2^{-4}$ is only 0.0313. Moreover, the maximum, minimum and average values of LPF are $2^{-2}$, $2^{-5.3561}$ and $2^{-4.749}$ respectively. The majority of the LPF results produced from the substitution layer have acceptable values. This indicates that the proposed dynamic substitution layer possesses an acceptable non-linearity property, which can ensure resistance against linear attacks.

Another test is performed for DPF, and the results, represented in Figure 4.4-b, show the variation of DPF against the seed (byte) $u_1$. The probability of $DPF < 2^{-4}$ is 0.8477 and that of $DPF > 2^{-2}$ is only 0.0156. Moreover, the maximum, minimum and average values of DPF are $2^{-1}$, $2^{-4.6781}$ and $2^{-4.1758}$ respectively. These results show that the substitution layer can resist differential attacks.

Similarly, concerning the SAC, the average value (mean of the 8x8 values of the dependence matrix) against the seed $u_1$ is shown in Figure 4.5-a. We can observe that the SAC is always very close to the ideal value 0.5. Finally, the average value of BIC (mean of the 8x8 values of the BIC matrix without the diagonal) versus the number of iterations r is shown in Figure 4.5-b. We can observe that the majority of the BIC average values are around the optimal value of 0.5. The simulation results clearly indicate that the proposed substitution layer satisfies the two criteria of SAC and BIC and hence can resist known and chosen plain/cipher-text attacks. In conclusion, the substitution layer has suitable properties for use in the proposed core cipher of the ERADI algorithm.

Figure 4.4: Variation of the LPF (a) and DPF (b) versus the number of random keys

Figure 4.5: Variation of the SAC (a) and BIC (b) versus the number of random keys

4.4.2 Security analysis and performance of the proposed hash function

In this section, several tests are performed to analyze and prove the feasibility and strength of our proposed algorithm. Several simulation tests have been carried out, and the results of collision, key space and sensitivity tests have been analyzed. Furthermore, a comparison is carried out between the ERADI algorithm and the recent EIA2 standard in terms of execution speed.

Figure 4.6: Spread of the message and hash value: (a) distribution of the message in ASCII code; (b) distribution of the hash value in hexadecimal format

4.4.2.1 Hash value distribution

The security of any hash function is closely related to the uniform distribution of the hash value. To verify the uniformity of the hash value with respect to the original text, a simulation with an input message in ASCII code is performed using the first 10 lines of the introduction section of this chapter.

The original paragraph, as depicted in Figure 4.6, is distributed over the range of ASCII codes, and its corresponding hash value is spread out randomly. Similarly, another test has been performed on an input message consisting of a string of zeros. The results, illustrated in Figure 4.7, show that even in this special case the output hash value still shows a random distribution. Furthermore, in order to check the uniformity of the hash value, another test is applied by simply computing the number of unique elements of the obtained hash values. Table 4.1 presents the corresponding percent of unique elements for 10000 hash values, where each value is obtained from a random secret key and the message. The percentage distribution of unique elements verifies its uniformity, since approximately 92.312% of hash values have at least 15 different elements, which indicates that a strong uniformity is achieved.

Table 4.1: Frequency of the different number of ASCII characters for N = 10000

| Number of different ASCII characters | 16 | 15 | 14 | 13 |
|---|---|---|---|---|
| Frequency | 6238 | 3043 | 649 | 70 |

Figure 4.7: Spread of all zeros message and hash value: (a) distribution of all zeros message; (b) distribution of the hash value in hexadecimal format

4.4.2.2 Hash value sensitivity to the original message

Another criterion of hash function security is its sensitivity to the original input message. To verify the sensitivity of the hash values, hash simulations have been performed under the following conditions:

C1 - The original paragraph (first 10 lines of the introduction of this chapter);

C2 - Replacing the first character O of the original paragraph by S;

C3 - Modifying the word DI in the original paragraph to DE;

C4 - Replacing the full stop in the original paragraph by a comma;

C5 - Adding a blank space to the original paragraph.

Table 4.2: Distribution of changed bit percent under different conditions

| Case | C1 | C2 | C3 | C4 | C5 |
|---|---|---|---|---|---|
| C1 | 0 | 48.4375 | 49.0625 | 50.7813 | 52.3438 |
| C2 | 48.4375 | 0 | 48.7500 | 53.9063 | 57.0313 |
| C3 | 49.0625 | 48.7500 | 0 | 55.4688 | 53.9063 |
| C4 | 50.7813 | 53.9063 | 55.4688 | 0 | 51.5625 |
| C5 | 52.3438 | 57.0313 | 53.9063 | 51.5625 | 0 |


Figure 4.8: Hash values under different conditions

The simulation results of binary sequences are depicted in Figure 4.8 and the corresponding percentages of changed bits are presented in Table 4.2. These results clearly indicate that a very small change in the original message produces an enormous change in the output hash value.

4.4.2.3 Diffusion and Confusion: Key and message sensitivity

Sensitivity refers to a huge change in the hash value in response to a slight change in the key IK, the IV or the original message itself. A DI algorithm is considered robust against related-key attacks if it ensures sensitivity to the secret key IK and the initial vector IV. In particular, when the payload of a control data packet is processed, a tiny change in the key or the IV should give two completely different hash values and consequently different MAC values. The sensitivity to IK and IV is analyzed for 1000 random keys and IVs respectively, using the percent of Hamming distance for $IK_w$, where $w = 1, 2, \ldots, 1000$, which can be calculated as follows:

$$KS_w = \frac{\sum_{k=1}^{T} H_{IK_w, IV}(M) \oplus H_{IK'_w, IV}(M)}{T} \times 100\% \qquad (4.10)$$


where $T$ is the length in bits of the hash value, and $H_{IK_w}$, $H_{IK'_w}$ are the corresponding hash values using $IK_w$ and $IK'_w$ respectively. All the elements of $IK'_w$ are equal to those of the $w$th key $IK_w$, except a random LSB which was flipped. Indeed, the same processing is carried out to measure the sensitivity to IV, which gives a similar result, since IK and IV are mixed together to form H0. Likewise, the sensitivity to the original message is measured and calculated as follows:

$$PS_w = \frac{\sum_{k=1}^{T} H_{K_w, IV}(M) \oplus H_{K_w, IV}(M')}{T} \times 100\% \qquad (4.11)$$

where all the elements of message $M'$ are equal to those of message $M$, except a random LSB which was flipped.

Furthermore, Figures 4.9 and 4.10 show the sensitivity to the secret key and to the original message for 1000 random keys and messages respectively, when only one LSB of the secret key $IK_w$ or of $M$ is changed. We can observe that the majority of samples are close to the optimal value at the bit level (50%). Additionally, 87.88% and 87.61% of samples have $KS$ and $PS \geq 45\%$ respectively. We can also see that $KS$ and $PS$ follow a normal distribution. Their minimum, maximum, average and standard deviation are presented in Table 4.3. Similarly, the same results are obtained when changing a single bit in IV. Consequently, we can conclude that chosen/known plain-text attacks would become ineffective.

Figure 4.9: Percent of number of the changed bits versus 1000 random secret keys (changed random bit of the secret key) (a) and its corresponding distribution (b)

Finally, the diffusion and confusion properties of the function are attained, since sensitivity to the secret key and to the initial vector is achieved, which indicates that the necessary security requirement is attained within one round.


Figure 4.10: Percent of number of the changed bits versus 10000 original tests (changed random bit of the message) (a) and its corresponding distribution (b)

Table 4.3: Statistical Results

| | %KS | %PS |
|---|---|---|
| min | 33.593 | 34.3750 |
| max | 67.187 | 64.8438 |
| Avg | 50.04 | 49.9663 |
| STD | 4.42 | 4.4505 |
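
The measurement defined by Equations (4.10) and (4.11), as an added Python example that is not the thesis's own code: the sum is taken over the T bit positions of the XOR of the two hash values. ERADI itself is not reproduced here; HMAC-SHA-256 truncated to 128 bits is an assumed stand-in for the keyed hash, and the message length, seed and helper names are constructed for the example.

```python
import hashlib
import hmac
import random
import statistics

T_BYTES = 16  # assumption: 128-bit hash value, so T = 128 bits

def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))

def mac(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Stand-in for H_{IK,IV}(M): HMAC-SHA-256 over IV || M, truncated to T."""
    return hmac.new(key, iv + msg, hashlib.sha256).digest()[:T_BYTES]

def flip_random_lsb(data: bytes, rng: random.Random) -> bytes:
    """Copy of data with the least significant bit of one random byte flipped."""
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 0x01
    return bytes(out)

def changed_bit_percent(h1: bytes, h2: bytes) -> float:
    """Hamming distance of two equal-length hash values as a percent of T."""
    changed = sum(bin(a ^ b).count("1") for a, b in zip(h1, h2))
    return 100.0 * changed / (8 * len(h1))

def sensitivity(samples: int = 1000, seed: int = 2014):
    """Return (KS, PS): one value per random key and per random message."""
    rng = random.Random(seed)
    ks, ps = [], []
    for _ in range(samples):
        key, iv = rand_bytes(rng, 16), rand_bytes(rng, 16)
        msg = rand_bytes(rng, 64)  # constructed 64-byte payload
        ref = mac(key, iv, msg)
        ks.append(changed_bit_percent(ref, mac(flip_random_lsb(key, rng), iv, msg)))
        ps.append(changed_bit_percent(ref, mac(key, iv, flip_random_lsb(msg, rng))))
    return ks, ps

def summarize(values):
    """Statistics in the layout of Table 4.3, plus the share of samples >= 45%."""
    return {"min": min(values), "max": max(values),
            "avg": statistics.mean(values), "std": statistics.pstdev(values),
            "share_ge_45": 100.0 * sum(v >= 45.0 for v in values) / len(values)}

if __name__ == "__main__":
    for name, values in zip(("KS", "PS"), sensitivity()):
        print(name, {k: round(v, 2) for k, v in summarize(values).items()})
```

For an output that behaves like a random 128-bit string, the changed-bit count is binomial with mean 50% and a standard deviation of about 4.42%, which gives a reference point for reading Table 4.3.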

4.4.2.4 Collision resistance

Collision resistance refers to the difficulty of finding two different inputs to the hash function whose outputs are the same. Generally, resistance against collisions is verified using the following test: a hash value is randomly generated from a paragraph of the input message and stored in ASCII format. A bit is then randomly selected from the chosen paragraph and flipped; the output hash value of the modified message is also stored in ASCII format. The two hash values are compared by counting the number of identical positions of ASCII characters (i.e., having the same value in the same location), which is calculated as follows:

$$Diff = \sum_{i=1}^{n} D\{H(i), H'(i)\}, \qquad (4.12)$$

where $D(x, y) = 1$ if $x = y$ and $D(x, y) = 0$ otherwise.

Simulation results presented in Table 4.4 indicate that the maximum number of equal characters (hits) attained is three for our proposal. Consequently, a stronger collision resistance is ensured, which makes our proposal immune against birthday, man-in-the-middle and differential attacks [56].

Table 4.4: Percent distribution of the number of ASCII characters with the same value at the same location in the hash value for random LSB bit of secret key K (a) or the plain-message P (b)

| Number of Hits | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| % (a) (random LSB bit of K) | 94.1 | 5.75 | 0.15 | 0 |
| % (b) (random LSB bit of P) | 93.69 | 6.12 | 0.18 | 0.01 |
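
The hit count of Equation (4.12) and the distinct-character count behind Table 4.1, as an added Python example that is not the thesis's own code; it also prints the hit share expected from an ideal random 16-byte output for comparison. HMAC-SHA-256 truncated to 16 bytes is an assumed stand-in for ERADI, and the paragraph, the fresh random key per trial and the seed are constructed.

```python
import hashlib
import hmac
import math
import random
from collections import Counter

N = 16  # hash length in bytes (Table 4.1 counts up to 16 distinct characters)

def mac(key: bytes, msg: bytes) -> bytes:
    """Stand-in keyed hash (assumption): HMAC-SHA-256 truncated to N bytes."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:N]

def hits(h1: bytes, h2: bytes) -> int:
    """Equation (4.12): positions where both hashes hold the same byte value."""
    return sum(a == b for a, b in zip(h1, h2))

def ideal_hit_share(k: int) -> float:
    """Percent of trials with exactly k hits for an ideal random N-byte output."""
    p = 1 / 256
    return 100 * math.comb(N, k) * p**k * (1 - p) ** (N - k)

def run_tests(trials: int = 10000, seed: int = 44):
    """Return (hit distribution, distinct-byte distribution), both in percent."""
    rng = random.Random(seed)
    paragraph = b"Constructed sample paragraph standing in for the input. " * 4
    hit_counts, distinct_counts = Counter(), Counter()
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # fresh random key
        modified = bytearray(paragraph)
        bit = rng.randrange(8 * len(modified))  # flip one random message bit
        modified[bit // 8] ^= 1 << (bit % 8)
        tag = mac(key, paragraph)
        hit_counts[hits(tag, mac(key, bytes(modified)))] += 1
        distinct_counts[len(set(tag))] += 1  # uniformity test of Table 4.1
    to_percent = lambda c: {k: 100 * v / trials for k, v in sorted(c.items())}
    return to_percent(hit_counts), to_percent(distinct_counts)

if __name__ == "__main__":
    hit_dist, distinct_dist = run_tests()
    for k, share in hit_dist.items():
        print(f"{k} hits: {share:6.2f}%  (ideal {ideal_hit_share(k):6.2f}%)")
    for n, share in sorted(distinct_dist.items(), reverse=True):
        print(f"{n} distinct bytes: {share:6.2f}%")
```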

4.4.3 ERADI Execution Time

Besides the security features, execution speed is an important criterion for quantifying the computational complexity of our proposed algorithm and comparing it to the standardized solution. The comparison is made with the EIA2 (AES) algorithm, since it is considered the most secure compared to the two other algorithms, EIA1 and EIA3. The average calculation time ratio (ERADI/EIA2) for hashed messages $M$ of different lengths is depicted in Figure 4.11.

These results were obtained using the following software and hardware environment: Matlab 2012 on a micro-computer with an Intel Core 2 Duo 2.1 GHz CPU and 2 GB RAM, under Windows 7. Clearly, the variation of the time ratio is linear and the average required computational time ratio between EIA2 and ERADI is close to 4.5, which indicates that AES requires 4.5 times more time than our proposal during the encryption/decryption procedure. Consequently, lower computational complexity leads to faster data processing and less energy consumption by the devices (both the UE and the eNB).

Conclusions and discussion

As the available standardized approaches such as EIA1, EIA2 and EIA3 have their own drawbacks regarding security and/or performance, we have proposed in this chapter ERADI, a novel data integrity algorithm for 4G LTE/LTE-A mobile networks. The cipher core of ERADI is based on a new technique using chaining with dependent substitution and diffusion layers to attain the avalanche effect and sensitivity to the secret key and initial vector. The chaining layer is added to introduce more bit dependency and meet the requirements of a secure MAC. Moreover, statistical properties such as the uniformity of the produced hash value and key sensitivity are attained, which can provide immunity against statistical attacks. Furthermore, known attacks such as linear attacks, differential attacks and chosen plain/cipher-text attacks would become ineffective, since the avalanche effect is attained. In fact, any change in any bit of the message, secret key or public parameters (i.e., the initial vector) results in a significant difference in the produced hash value, as has been illustrated in the analysis section. The key space of the secret key is $2^{128}$, which is sufficiently large to make a brute-force attack infeasible. Besides, the use of a non-invertible dynamic confusion and diffusion layer will limit the ability of attackers to break the underlying cipher algorithm.

Figure 4.11: Variations of the average time ratio versus message length

In addition, the advantage of the proposed ERADI scheme is its reduced complexity compared to other standardized algorithms currently in use, since it performs one round of iteration to achieve the necessary cryptographic properties, instead of the several rounds of iterations deployed by the reference algorithms. This lower complexity results in reduced latency and higher data processing speed, which is a desirable feature for mobile terminals supporting LTE/LTE-A networks with restricted and limited resources. Moreover, to confirm the better performance of our proposal, a comparison with the core cipher of EIA2 is performed. Consequently, all simulation results clearly demonstrate that the proposed ERADI scheme has the necessary and sufficient security features to be considered a secure MAC and could be considered a new and interesting candidate for LTE/LTE-A network integrity protection.

Chapter 5

Device to Device Lightweight Authentication and Key Agreement Protocol

5.1 Introduction

Recently, D2D communications have attracted considerable research attention aimed at developing efficient solutions for direct communication between two proximate devices without passing through a base station or another third-party device. The D2D paradigm is proposed for use in cellular networks between two UEs in order to enhance performance. Indeed, the majority of D2D-related research works concentrate mainly on licensed-band (in-band) modes using cellular resources, where the service providers prefer to maintain stable and permanent control over the communication, rather than on uncontrolled (out-band) environments such as ad hoc Wi-Fi and Bluetooth networks using unlicensed bands [6]. At the standardization level, the concept of D2D has been adopted by 3GPP in LTE Release 12 to enable LTE to become a competitive broadband communication technology for public safety networks [57].

D2D is considered an efficient communication method since the proximity of the UEs may allow for extremely high bit rates, low delays and low energy consumption. In addition, a portion of the traffic which originally had to pass through the eNB would be offloaded, which again leads to low delays and low energy consumption. Furthermore, better security is expected since the communicated data is not routed through the Internet cloud and hence is not stored anywhere but on the specified devices.


Nevertheless, one of the major concerns in any wireless and mobile communication system is the security of the data during transmission over unsecured channels, as is the case in D2D communications. Authentication and key agreement are among the most difficult and important aspects of security in any data transmission between two transmitting nodes. Unlike traditional mobile communications, where key derivation, authentication and ciphering/deciphering between two devices pass through the core network, D2D in LTE/LTE-A supposes direct communication between two UEs without any involvement of the core network.

The current 3GPP authentication and key agreement (AKA) protocol deployed for 3G mobile networks and its successor for 4G mobile systems, called Evolved Packet System authentication and key agreement (EPS-AKA), are used to authenticate UEs with the Serving Network (SN) and also to generate the various symmetric keys needed to ensure DI and DC [13]. The authentication and key derivation procedure of the AKA protocol involves four entities in LTE/LTE-A: the UE, the eNB, the Mobility Management Entity (MME) and the Home Subscriber Server (HSS). However, the involvement of all these entities in the AKA protocol may have a negative effect on latency and bandwidth consumption if AKA is to be employed for D2D communications. Therefore, it is desirable to have an independent protocol that ensures the authentication of the two UEs as well as the derivation of the necessary keys for both DC and DI services.

Accordingly, public-key cryptography would be a promising tool for this kind of authentication, since it has already been employed in similar scenarios for different wireless and mobile technologies. The principal idea is to employ ECC in the authentication procedure, besides using secure hash functions in the derivation of the symmetric keys used for both DI and DC.

The rest of the chapter is organized as follows. In Section II, concepts of D2D in wireless and mobile technologies are presented. Section 3 describes the proposed security mechanism with its different phases. In Section 4, the security properties of the proposed scheme are analyzed and discussed. Finally, we conclude the chapter in Section 5.

5.2 D2D Authentication and key management in mobile and wireless technologies

In Chapter 2 we have already explained in detail the authentication and key agreement protocol AKA-EPS and why this protocol is not well suited for use in the D2D scenario in LTE/LTE-A networks. Moreover, D2D concepts such as the ad hoc WLAN mode have been available in IEEE 802.11 for many years, but with limited usage compared to infrastructure mode. Additionally, authentication and key management for D2D communications have already been well studied in other wireless and mobile technologies such as Mobile Ad hoc Networks (MANET) [28], Wireless Sensor Networks (WSN) [29], Wireless Mesh Networks (WMN) [30], Bluetooth [31] and Vehicular Ad hoc Networks (VANET) [32]. Yet, the employed paradigms and methodologies are not well suited for D2D in LTE/LTE-A because of the computation and communication overheads incurred by deploying such methods, as well as the explicit difference in their security architecture.

Digital certificates issued by certificate authorities are among the cryptographic techniques employed for authentication in the aforementioned networks. However, the storage and transmission of certificates incur tremendous computation and communication overheads. In addition, the network should be provided with an infrastructure supporting such certificates [58]. The authors in [59] propose using symmetric polynomial based key distribution for authentication and generation of symmetric keys using a cellular system. The main drawback of the suggested scheme is that the authors assume a secure channel for distributing the polynomials, which is not the case in reality. A similar concept (i.e., using polynomial based cryptography for key derivation) has been used in WMN in [60]. Identity Based Cryptography (IBC) has been employed in [61], where the authors proposed using pairing to distribute the key between two neighboring nodes. However, this method is not well adapted for