在全球移動式網路中，為了提供個人無線通訊漫遊服務，認證和資訊保密技術是兩個傳統關鍵性的議題。近年來，漫遊用戶(roamer)的身份匿名和服務的不可否認性成為另一個在個人通訊系統(Personal Communication Systems, PCSs)中備受矚目的焦點。
無線網路的特性使得攻擊者可以很容易地匿藏他們的行蹤，以避開合法實體(legitimate entities)的偵測，因此攻擊者可以輕易地為所欲為。泛歐數位式行動電話系統(Global System for Mobile Communication,GSM)面臨著上述的議題。第三代行動通訊系統(3G)雖然在一定的程度上改善了GSM的弱點，然而它依然留下許多可以改進的空間。

在本論文中，我們將會回顧一系列與GSM和3G相關的安全
議題，其中包括認證(authentication)、資訊保密(privacy)、身份╱位置匿名(identity/location anonymous)、不可否認性服務non-repudiation services)等各項議題。其中最重要的是，我們為GSM和3G新增了一個新的安全需求(security requirement)：所屬網絡(home network)在認證系統中應該是部分被信任(partial trusted)的}。我們在GSM和3G的安全機制中考慮此一需求，其中主要的原因是，我們相信所屬網路為了利益而可能將其用戶(subscriber)的認證金鑰(authentication key)洩漏給他人，導致合法用戶的權益受到侵害。我們建議各種與GSM和3G相關的安全議題應考慮此一新的安全需求。在本論文中，我們將提出一個新的防護機制來糾正上述的問題。

In global mobility network (GLOMONET), authentication and privacy techniques are two traditional critical issues to provide a personal communication user with global roaming
services. Recently, a roamer''s identity/location anonymous becomes another focus point in Personal Communication Systems (PCSs). The characteristics of wireless network cause attackers are able to hide themselves from detection of legitimate entities. Therefore the attacks become free from all inhibitions. Global System for Mobile Communications (GSM) and confront with the issues shown as above. Although the Third Generation (3G) communication systems solve some of these problems, however, they still leave many areas for improvement.

In this thesis, we will review a serial of researches which are related to the following issues: authentication, privacy, identity/location anonymous and non-repudiation
services in GSM and 3G. Most important of all, a new security requirement, emph{home network should be partial trusted in an authentication scheme} is appended. We believe that a home network may profit by leaking the authentication key of its subscribers to some other people. The results may cause the rights and interests of the legitimate subscribers be infringed. We recommend that the security issues which related to GSM and 3G should consider this new requirement. In this thesis, a new defense scheme shall be proposed to remedy all of these weaknesses.

Table of Contents
中文摘要 (Abstract in Chinese) ii
Abstract iv
誌謝 (Acknowledgements) vi
Table of Contents vii
List of Tables ix
List of Figures x
1 Introduction 1
1.1 The Security Issue Categories 3
1.2 The Motivation 6
1.3 The Thesis Architecture 8
2 Related Theories 9
2.1 Discrete Logarithm Problem 9
2.2 RSA Public Key Cryptosystem 10
3 The GSM architectures 12
3.1 The Authentication Scheme 14
3.2 The Confidentiality Scheme 16
3.3 The Subscriber Identity/location Confidential 16
4 The UMTS Architectures 19
4.1 The Authentication Scheme 20
4.2 The Con‾dentiality Scheme 24
4.3 The Integrity protection 25
4.4 The Subscriber Identity/location Confidentiality 26
4.5 The Comparisons between GSM and UMTS 27
5 Literatures Review 28
5.1 The User Tra±c Confidentiality Schemes 28
5.2 The Authentication Schemes 30
5.3 Identity/location Confidentiality Schemes 36
5.4 Non-repudiation Services 37
6 Proposed Schemes 40
6.1 The Common Registration Phase 42
6.2 The Authentication and Key Agreement scheme for GSM 44
6.3 The Authentication and Key Agreement scheme for UMTS 48
7 Security Analysis 52
8 E±ciency Analysis 56
8.1 Computational Analysis 56
8.2 Messages Transmission Length Analysis 59
9 Comparisons 60
10 Conclusions and Future Works 65
10.1 Conclusions 65
10.2 Future Works 66
Bibliography 67
List of Tables
4.1 Comparisons between GSM and UMTS 27
6.1 Software speeds of RSA 42
7.1 Comparison of the recommendation of NIST and RSA Laboratory 53
8.1 Defined variables'' value/length 58
8.2 The length of messages transmission 59
9.1 Comparisons among the GSM authentication and key agreement schemes 61
9.2 Comparisons among the UMTS authentication and key agreement schemes 63
List of Figures
1.1 The security issues and the basic requirements 4
3.1 The GSM architecture [27] 13
3.2 Authentication scheme for GSM in roaming [27] 14
3.3 Subscriber identity/location confidentiality in GSM 17
4.1 UMTS Architecture 20
4.2 Authentication and Key Agreement (AKA) in UMTS 21
5.1 Lee-Hwang-Yang''s data confidentiality scheme 29
5.2 Buttyan et al.''s authentication protocol 32
5.3 Hwang-Chang''s authentication scheme for roaming service 34
5.4 Lee-Hwang-Yang''s identity/location confidentiality scheme 36
6.1 TMSI format 43
6.2 Proposed authentication and key agreement scheme for GSM 45
6.3 Distribution of authentication vectors within one GSM serving network domain 47
6.4 Proposed authentication and key agreement scheme for UMTS 49
6.5 Distribution of authentication vectors within one UMTS serving network domain 51

[1] 3GPP TS 29.061. 3GPP: Technical specification group core network; interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN). Technical Report, Release 6, 3GPP, Mar. 2005.
[2] 3GPP TS 33.102. 3GPP: Techinical specification group services and system aspects; 3g security; security architecture. Technical Report, Release 6, 3GPP, Dec. 2004.
[3] 3GPP TS 33.105. 3GPP: Techinical specification group services and system aspects; 3G security; cryptographic algorithm requirements. Technical Report, Release 6, 3GPP, Jun. 2004.
[4] 3GPP TS 33.200. 3GPP: Techinical specification group services and system aspects; 3g security; Network Domain Security (NDS); IP network layer security. Technical Report, Release 6, 3GPP, Jun. 2004.
[5] 3GPP TS 33.200. 3GPP: Techinical specification group services and system aspects; 3G security; Network Domain Security (NDS); Mobile Application Part (MAP) application layer security. Technical Report. Release 6, 3GPP, Dec. 2004.
[6] G. B. Agnew, B. C. Mullin, and S. A. Vanstone.Improved digital signature scheme based on discrete exponentiation. Electronics Letters, 26(14):1024-1025, 1990.
[7] M. J. Beller, L.-F. Chang, and Y. Yacobi. Privacy and authentication on a portable communications system. In IEEE Globecom''91, pages 1922-1927, Phoenix, Dec. 1991.
[8] M. J. Beller, L.-F. Chang, and Y. Yacobi. Privacy and authentication on a portable communications system. IEEE Journal on Selected Areas in Communications, 11(6):821-829, Aug. 1993.
[9] D. Brown. Techniques for privacy and authentication in personal communication systems. IEEE Personal Communications, pages 6-10, Aug. 1995.
[10] L. Buttyan, C. Gbaguidi, S. Staamann, and U. Wilhelm. Extensions to an authentication technique proposed for the global mobility network. IEEE Transactions on Communications, 48(3):373-376, March 2000.
[11] Y.-S. Chang, T.-C. Wu, and S.-C. Huang. ElGamal-like digital signature and multisignature schemes using self-certified public keys. The Journal of Systems and Software, 50:99-105, Feb. 2000.
[12] N. El-Fishway, M. Nofal, and A. Tadros. An effective approach for authentication of mobile users. Vehicular Technology Conference, 2002. VTC Spring 2002. IEEE 55th, 2:598-601, May 2002.
[13] T. ElGamal. A public-key cryptosystem and a signature scheme basedon discrete logarithms. IEEE Transactions on Information Theory, IT-31(4):469-472, July 1985.
[14] European Telecommunication Standards Institute (ETSI). Recommendation GSM 03.20: Security related network functions. Technical report, European Telecommunications Standards Institute, ETSI, June 1993.
[15] J. Friis. TETRA, the industry standard from ETSI. In 2nd TETRA Middle East Conference, Intercontinental Hotel Dubai, May 2004.
[16] L. Harn and W.-J. Hsin. On the security of wireless network access with enhancements. In Proceedings of the 2003 ACM workshop on Wireless security, pages 88-95, San Diego, CA, USA, Sep. 2003.
[17] L. Harn and H.-Y. Lin. Modification to enhance the security of the GSM protocol. In Proceedings of the 5th National Conference on Information Security, pages 416-420, Taipei, May 1995.
[18] W.-H. He. Digital signature scheme based on factoring and discrete logarithms. Electronics Letters, 37(4):220-222, 2001.
[19] K.-F. Hwang and C.-C. Chang. A self-encryption mechanism for authentication of roaming and teleconference services. IEEE Transactions on Wireless Communications, 2(2):400-407, March 2003.
[20] M.-S. Hwang and C.-H. Lee. Authenticated key-exchange in a mobile radio network. European Transactions on Telecommunications, 8(3):265-269, 1997.
[21] W.-S Juang, C.-L. Lei, and C.-Y. Chang. Anonymous channel and authentication in wireless communications. Computer Communications, 22(15-16):1502-1511, Sep. 1999.
[22] B. Kaliski. TWIRL and RSA key size. Technical report, RSA Laboratories, May 2003.
[23] G. M. Koien. An introduction to access security in umts. IEEE Transactions on Wireless Communications, 11(1):8-18, Feb. 2004.
[24] H. Krawczyk, M. Bellare, and R. Canetti. Keyed-hashing for message authentication. Technical Report RFC 2104, IETF, Feb. 1997.
[25] J. B. Lacy, D. P. Mitchell, and W. M. Schell. Cryptolib: Cryptography in software. In Proceedings of the UNIX Security Symposium IV, pages 1-17, 1993.
[26] C.-C. Lee, M.-S. Hwang, and W.-P. Yang. Extension of authentication protocol for GSM. IEE Proc.-Commun., 150(2), April 2003.
[27] C.-H. Lee, M.-S. Hwang, and W.-P. Yang. Enhanced privacy and authentication for the global system of mobile communications. Wireless Networks, 5:231-243, July 1999.
[28] C.-H. Lee, M.-S. Hwang, and W.-P. Yang. A novel application of the phone card and its authentication in mobile communications. Journal of Information Science and Engineering, 15(4):471-484, 1999.
[29] H. Lin and L. Harn. Authentication protocols for personal communication system. ACM SIGCOMM''95, pages 256-261, Aug. 1995.
[30] H.-Y. Lin and L. Harn. Authentication protocols with nonrepudiation services in personal communication systems. IEEE Communications Letters, 3(8):236-238, Aug. 1999.
[31] W.-D. Lin and J.-K. Jan. A wireless-based authentication and anonymous channels for large scale area. In Sixth IEEE Symposium on Computers and Communications, pages 36-41, Hammamet Tunisia, Jul. 2001.
[32] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[33] R. C. Merkle. A digital signature based on a conventional encryption function. In Advances in Cryptology, CRYPTO''89, pages 218{238, Lecture Notes in Computer Science, Vol. 435, 1989.
[34] R. C. Merkle. One-way hash functions and DES. In Advances in Cryptology, CRYPTO''89, pages 428-446, Lecture Notes in Computer Science, Vol. 435, 1989.
[35] National Bureau of Standard. Data Encryption Standard. FIPS, NBS, 1977.
[36] National Institute of Satndards and Technology (NIST). Digital signature standard (DSS). Technical Report FIPS PUB XX, NIST, US Department Commerce, Feb. 1993.
[37] National Institute of Satndards and Technology (NIST). Advanced encryption standard. Technical Report FIPS 197, NIST, US Department Commerce, Nov. 2001.
[38] National Institute of Satndards and Technology (NIST). Sepecial publication 800-57: Recommendation for key management. part 1: General guideline. Technical report, National Institute of Standards and Technology, Jan. 2003.
[39] A. Peinado. Privacy and authentication protocol providing anonymous channels in GSM. Computer Communications, 27(17):1709-1715, Nov. 2004.
[40] M. O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report, MIT/LCS/TR212, MIT Lab., Computer Science Cambridge, MA, USA, January 1979.
[41] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21(2):120-126, Feb. 1978.
[42] J. Scourias. Overview of the global system for mobile communications:GSM. http://www.privateline.com/PCS/GSM0.html.
[43] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612-614, Nov 1979.
[44] J. F. Stach, E. K. Park, and K. Makki. Performance of an enhanced GSM protocol supporting non-repudiation of service. Computer Communications, 22(7):675-680, May 1999.
[45] S. Suzuki and K. Nakada. Authentication technique based on distributed security management for the global mobility network. IEEE Journal on Selected Areas in Communications, 15(8), Oct. 1997.
[46] Telecommunication Standardization Sector of ITU. ITU-T Recommendation E.212: Identification plan for land mobile stations. Technical report, ITU-T, 1993.
[47] International Telecommunication Union. Recommendation x.509-the directory authentication framework. Technical report, ITU-T, Nov. 1993.
[48] J. E. Wilkes. Privacy and authentication needs of PCS. IEEE Personal Communications, 24:11-15, Aug. 1995.