臺灣博碩士論文加值系統

近幾年來，行動通訊網路進步得非常快速，從2G GSM (Global System for Mobile Communications)
、2.5G GPRS (General Packet Radio Service)、3G UMTS (Universal Mobile
Communications System)一直到整合異質網路的All-IP 4G系統，其發展已經日趨成
熟，也越來越普及。透過行動通訊裝置來使用語音傳輸、多媒體分享的服務，已經是
日常生活的一部分。行動通訊網路帶給了我們便利的生活，使我們可以輕易地透過它
交換訊息。然而這些訊息往往隱含重要的個人資訊或者是機密檔案，隨意地在無線的
行動通訊網路下傳輸是非常容易被惡意的行動用戶擷取，甚至利用這些訊息進行犯
罪。
因此為了避免這樣的狀況發生，使行動用戶可以安心的使用行動通訊網路，安全機制
的提供就顯得相當重要了。而安全機制於無線通訊環境中的設計考量不外乎計算量、
通訊量以及安全特性等。因此在本論文中，我們提出一個在效能表現上兼具計算及通
訊效率，以及在安全性上兼具位置隱私性及前推私密性的單回合雙向認證機制，可以
確保行動用戶的通訊安全。在計算複雜度上，本協定只需使用對稱式加密及雜湊函式
的計算。在安全特性上，就算惡意的攻擊者取得通訊過程中的長期金鑰，也不能從這
把金鑰破解先前傳輸的訊息。另外，本協定還有使用者與地點隱私保護的特性，透過
亂數每次變換TMSI(Temporary Mobile Subscriber Identity)，使得第三者無法從竊聽的
訊息中連結出不同的兩次通訊之間的相關性。本協定亦可以抵擋蓋台的攻擊，避免惡
意攻擊者透過訊號較強的基地台把行動用戶的訊號導到不正確的基地台去。

In recent years, the development of mobile networks is thriving or flourishing from 2G GSM,
2.5G GPRS, 3G UMTS to All-IP 4G, which integrates all heterogeneous networks and becomes
mature and popular nowadays. Using mobile devices for voice transferring and multimedia
sharing is also a part of our life. Mobile networks provide us an efficient way to
exchange messages easily. However, these messages often contain critical personal data or
private information. Transferring these messages freely in mobile network is dangerous since
they can be eavesdropped easily by malicious mobile users for some illegal purposes, such as
committing a crime.
Hence, to avoid the exposure of the transmitted messages, robust security mechanisms are
required. In this thesis, we will propose a one-round mutual authentication protocol which is
computation and communication efficient and secure such that the privacy of mobile users’
identities and the confidentiality of their transmitted data are guaranteed. In computation
complexity, the protocol only employs symmetric encryption and hash-mac functions. Due
to the possession of forward secrecy, the past encrypted messages are secure, even under the
exposure of long-term keys. Furthermore, our scheme achieves the goal of user privacy and
location privacy by changing TMSI in every session. Therefore, the third party cannot link
two different sessions by eavesdropping the communication. Finally, our scheme also can
prevent false base attacks which make use of a powerful base station to redirect mobile users’
messages to a fake base station to obtain certain advantages.

List of Tables iii
List of Figures iv
Chapter 1 Introduction 1
1.1 Backgrounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Framework of UMTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 False Base Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Related Works 5
2.1 Review of the Authentication and Key Agreement Protocol (AKA) for UMTS
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Authentication and Key Agreement Protocol for UMTS Networks . . 5
2.1.2 The Security Flaw of UMTS AKA . . . . . . . . . . . . . . . . . . . 7
2.2 Zhang-Fang Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Kim et al.’s Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 3 The Proposed Scheme 13
3.1 Features of Our Scheme (Contributions) . . . . . . . . . . . . . . . . . . . . 13
3.2 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.3 Assumption and Framework of Our Scheme . . . . . . . . . . . . . . . . . . 15
3.4 Authentication in Home Network . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4.1 Initial Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.5 Authentication in Serving Network . . . . . . . . . . . . . . . . . . . . . . . 17
3.5.1 Initial Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.5.2 Subsequent Authentication . . . . . . . . . . . . . . . . . . . . . . . 20
3.6 Recovery Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.7 The Changing of New Hash Chain . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 4 Security Analysis 24
4.1 Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.2 Authenticated Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.3 Location Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.4 Forward Secrecy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.5 False Base Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 5 Comparisons 28
5.1 Comparisons of Security Requirements and Features . . . . . . . . . . . . . 28
5.2 Comparisons of Space, Computation and Communication Complexity . . . . 30
Chapter 6 Conclusions 31

[1] Mustafa Al-Fayoumi, Shadi Nashwan, Sufian Yousef and Abdel-Rahman Alzoubaidi,
“New Hybrid Approach of Symmetric/Asymmetric Authentication Protocol for Future
Mobile Networks,” The Third IEEE International Conference on Wireless and Mobile
Computing, Networking and Communications 2007 (WiMOB’07), pp. 29-29, 2007.
[2] Boaz Barak, “Constant-round coin-tossing with a man in the middle or realizing the
shared random string model,” The Proceedings of The 43rd Annual IEEE Symposium
on Foundations of Computer Science, 2002, pp. 345-355, 2002.
[3] Mihir Bellare and Phillip Rogaway, “Entity Authentication and Key Distribution” , In
Proceedings of Advances in Cryptology CRYPTO 93, vol. 773, pp. 232-249, 1993.
[4] Li Gong, “A Security Risk of Depending on Synchronized Clocks,” ACM SIGOPS Operating
Systems Review, vol. 26, pp. 49-53, 1992.
[5] Li Gong, “Variations on the Themes of Message Freshness and Replay or, the Difficulty
of Devising Formal Methods to Analyze Cryptographic Protocols,” In Proceedings of
the Computer Security Foundations Workshop VI, pp. 131-136, 1993.
[6] Wen-Shenq Juang and Jing-Lin Wu, “Efficient 3GPP Authentication and Key Agreement
with Robust User Privacy Protection,” IEEE Wireless Communications and Networking
Conference 2007 (WCNC ’07), pp. 2720-2725, 2007.
[7] Wen-Shenq Juang and Jing-Lin Wu, “Two Efficient Two-Factor Authenticated Key Exchange
Protocols in PublicWireless LANs,” Computers and Electrical Engineering, vol.
35, pp. 33-40, 2009.
[8] Daeyoung Kim, Younggang Cui, Sangjin Kim, and Heekuck Oh, “A Privacy Protecting
UMTS AKA Protocol Providing Perfect Forward Secrecy,” Computational Science and
Its Applications, ICCSA 2007, vol. 4706, pp. 987-995, 2007.
[9] Taekyoung Kwon and Jooseok Song, “Clarifying Straight Replays and Forced Delays,”
ACM SIGOPS Operating Systems Review, vol. 33, no. 1, pp. 47-52, 1999.
[10] Kristin Lauter, “The Advantages of Elliptic Curve Cryptography for Wireless Security,”
IEEE Wireless Communications, vol. 11, no. 1, pp. 62-67, 2004.
[11] Alfred J. Menezes, Paul C. Van Oorschot and Scott A. Vanstone, Handbook of Applied
Cryptography, 5th, 2001.
[12] Paul Syverson, “A Taxonomy of Replay Attacks,” In Proceedings of Computer Security
Foundations Workshop VII, 1994, pp. 187-191, 1994.
[13] Muxiang Zhang and Yuguang Fang, “Security analysis and enhancements of 3GPP authentication
and key agreement protocol,” IEEE Transactions on Wireless Communications,
vol. 4, no. 2, pp. 734-742, 2005.
[14] 3rd Generation Partnership Project, Technical Specification Group Services and System
Aspects, 3G Security, “Security Architecture 4.2.0,” Release 4, 3GPP TS 33.102, 2001.
[15] 3rd Generation Partnership Project, Technical Specification Group Services and System
Aspects, 3G Security, “Security Threats and Requirements,” version 4.1.0, 3GPP TS
21.133, 2001.