2007, Telecommunication Systems
37 pages
This paper analyses the security architectures employed in the interworking model that integrates third-generation (3G) mobile networks and Wireless Local Area Networks (WLANs), materializing Beyond 3G (B3G) networks. Currently, B3G networks are deployed using two different access scenarios (i.e., WLAN Direct Access and WLAN 3GPP IP Access), each of which incorporates a specific security architecture that aims at protecting the involved parties and the data exchanged among them. These architectures consist of various security protocols that provide mutual authentication (i.e., user and network authentication), as well as confidentiality and integrity services to the data sent over the air interface of the deployed WLANs and specific parts of the core network. The strengths and weaknesses of the applied security measures are elaborated on the basis of the security services that they provide. In addition, some operational and performance issues that derive from the application of these measures in B3G networks are outlined. Finally, based on the analysis of the two access scenarios and the security architecture that each one employs, this paper presents a comparison of them, which aims at highlighting the deployment advantages of each scenario and classifying them in terms of: a) security, b) mobility, and c) reliability.
Computer Communications, 2004
In the last few years, we have witnessed an explosion in demand for security measures motivated by the proliferation of mobile/wireless networks, the fixed-mobile network convergence, and the emergence of new services, such as e-commerce. 3G-systems play a key role in this network evolution, and, thus, all stakeholders are interested in the security level supported in the new emerging mobile environment. This paper elaborates on the security framework in 3G mobile networks. The security requirements imposed by the different types of traffic, and by the different players involved (mobile users, serving network and service providers) are investigated. The security architecture, which comprises all the security mechanisms that are projected for the Universal Mobile Telecommunication System (UMTS) network, is analyzed. The employment of traditional security technologies, originally designed for fixed networking, such as firewalls and static Virtual Private Networks (VPNs), in order to safeguard the UMTS core network from external attacks, as well as to protect user data when conveyed over the network, is examined. Critical points in the 3G-security architecture that may cause network and service vulnerability are identified and discussed. Furthermore, proposals for the enhancement of the 3G-security architecture, and the provision of advanced security services to end-user data traffic within and outside the UMTS core network are discussed. The proposed enhancements can be easily integrated in the existing network infrastructure, and operate transparently to the UMTS network functionality.
IPsec: IP security; KAC: key administration center; MAC: message authentication code; MAP: mobile application part; MAPsec: MAP security; MS: mobile station; MT: mobile terminal; MSC: mobile switching centre; NE: network entities; NDS: network domain security; PS: packet switched; Rel-4: release 4; Rel-5: release 5; R99: release '99; RAND: random challenge; RES: user response to challenge; RNC: radio network controller
2005
Controlled access to resources offered by network operators and service providers is a key component for any commercial deployment of a Beyond-3G (B3G) communication system: complex scenarios involving users accessing advanced multimedia services using heterogeneous network technologies in different administrative domains do require tight access control. This paper presents an authorization model that provides secured access control to network-dependent as well as to applicative services. Stemming from a new identity model that not only protects user's privacy but also allows for more powerful services, advanced authorization procedures are defined. We describe how innovative enhancements to authentication protocols easily and profitably make them usable for the purpose of authorization. A special focus is put on new registration procedures that can be built on top of these improvements in order to provide new security features to the infrastructure (e.g. granular access control rules, generic security model) while offering new security services to the end user (e.g. anonymity, fast attach procedure).
Proceedings of IEEE Singapore International Conference on Networks/International Conference on Information Engineering '93, 2000
Second generation mobile networks, such as the Global System for Mobile Communications (GSM) and the Digital European Cordless Telecommunications (DECT), have been studied in the environment of the European mobile communications. These networks will be used for the nineties. However, third generation mobile communications systems are being developed in order to join these networks and to provide a single access. This paper claims to give a description of the Universal Mobile Telecommunication System (UMTS) and the Future Public Land Mobile Telecommunications Systems (FPLMTS) and to make a comparison between them with regard to security. For this purpose, several aspects of security, mainly related to security services and security architecture, are specially studied for both systems. The UMTS network is being developed within the European Commission's Research on Advanced Communications in Europe (RACE) in order to give telephonic mobile support in Europe and the rest of the world in the 2000s. The purpose of this article is to explain the security architecture of the third generation mobile networks, basically the UMTS network in relation to the FPLMTS network. Compatibility between the UMTS and FPLMTS networks is a requirement of both. In the last years, at least four groups have been developing network architectures in the third generation of mobile networks: Task Group 8/1 of the International Consultative Committee on Radio (CCIR) (with the FPLMTS network),
Wireless Personal Communications, 2004
Wireless communications have developed rapidly and have been applied for many services. Cellular (the third-generation) mobile networks and wireless local area networks (WLANs) are two important technologies for providing wireless communications. The third-generation (3G) networks provide wider service areas, and "always-on" and ubiquitous connectivity with low-speed data rate. WLAN networks offer higher data rate and easy compatibility with the wired Internet, but cover smaller areas. In fact, 3G and WLAN possess complementary properties. Integrating 3G and WLAN networks may offer subscribers high-speed wireless data services and ubiquitous connectivity. To integrate two heterogeneous networks, several issues must be addressed: authentication, billing, quality of service, and seamless roaming between 3G and WLAN networks. In this paper, we address the authentication and billing problems and propose two protocols that provide both authentication and billing services. One protocol utilizes a one-time password approach to authenticate subscribers. This protocol is efficient in both computation time and authentication procedures. Because of the restrictions of the password-based approach, this protocol could not offer the non-repudiation property for the billing problem. Another protocol is constructed on a public-key-based system (i.e., certificates). Although it requires more computation time than the password-based approach, non-repudiation is guaranteed. Performance analysis simulation results are given to validate our two protocols.
2007 IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, 2007
This paper proposes a security protocol that provides mutual authentication between a user and a WLAN that the first tries to connect to, and deploys a mobile Virtual Private Network (VPN) that protects the user's data conveyed over the wireless network. For the user authentication as well as for the initialization of the VPN and the related key agreement, the EAP-SIM encapsulated within the Internet Key Exchange version 2 (IKEv2) is proposed. The deployed VPN, which is based on IPsec, ensures confidentiality, source authentication and integrity of the data exchanged over the WLAN. At the same time, the user has been subscribed to the 3G-network for charging and billing purposes using the legacy EAP-SIM authentication protocol. The established VPN can seamlessly operate and continuously provide security services as the mobile user moves and roams, materializing the notion of mobile VPN. The proposed security protocol eliminates the required enhancements to the current network infrastructure and operates transparently to the existing network functionality.
Computers & Security, 2010
A user in Beyond 3rd Generation (B3G) networks, in order to get access to the network services, must perform a multi-pass authentication procedure, which includes two or three sequential authentication steps. These multiple authentication steps include a redundant repetition of the same or similar authentication functions, which impose an unnecessary authentication overhead. This paper proposes a security binding mechanism, which reduces the execution of the redundant authentication functions of multi-pass authentications in a simple yet effective and secure manner. To achieve this, the proposed mechanism authenticates a user in the second and third step of a multi-pass authentication, by using the user's authentication credentials of the initial step. The focal point of the security binding mechanism is its generic application in multi-pass authentications, regardless of the underlying network architecture or protocols. To prove this, we have selected to present and analyze the application of the proposed mechanism in two different B3G scenarios (i.e., , resulting in the improved authentication procedures. A security analysis of the improved procedures has been carried out to identify possible attacks and propose security measures to eliminate them. Moreover, a simulation model has been developed to estimate and compare the performance of the improved 3G-WLAN authentication procedure to that of the legacy 3G-WLAN authentication. Simulation results show that the improved procedure presents better performance than its legacy counterpart.
Wireless communications are being driven by the need for providing network access to mobile or nomadic computing devices. The need for wireless access to a network is evident in current work environments. A number of new protocols have been recently published with the goal of providing both privacy of data and authentication of users for mobile systems. Such protocols can employ private-key and/or public-key cryptographic algorithms. Public-key algorithms hold the promise of simplifying the network infrastructure required to provide security services such as privacy, authentication and non-repudiation, while symmetric algorithms require less processing power on the mobile device. In this paper a selection of protocols is reviewed, and they are broadly divided into two categories: second generation and third generation protocols. A summary of the capabilities and services provided by each protocol is then provided.
… Conference, 2004. VTC …, 2004
Recently, several authentication protocols have been proposed for wireless local area networks (WLANs) to improve security in hotspot public access and corporate networks, and some have been proposed for integrated 3G-WLAN networks. These authentication protocols are based on the extensible authentication protocol and have been directly applied to wireless networks based on their widespread use in wired networks. Depending on the 3G-WLAN architecture and how the WLAN is tied to the 3G network, these protocols could have large latency. Moreover they do not have mechanisms for authenticating the usage time of a mobile in a WLAN. In this paper, we first discuss these issues related to existing authentication protocols for a 3G-WLAN integrated network. Then, we propose a new authentication mechanism based on the dual signature concept used in secure electronic transactions that can be used in a loosely coupled architecture. Finally, we present a preliminary evaluation of the energy performance and latency of the existing and proposed protocols.
Significant developments in the recent times have led to an increasing use of mobile devices such as smart phones in accessing Internet services and applications over wireless networks. In this paper, we propose a security architecture for counteracting denial of service attacks in Beyond 3G (B3G) network architecture with mobile nodes. We describe the system architecture and discuss the different cases of attack scenarios involving the mobility of the attacking and victim nodes. Our proposed solution takes into account practical issues such as limited resources of the mobile nodes. It has distinct advantages such as monitoring of the traffic to the victim node and the attack traffic being dropped before reaching the victim; the ability to traceback the attacking node and prevent the attack at the home agent or foreign agent that is closer to the attacking node; and the ability to deal with dynamic changes in attack traffic patterns. We also present an analysis of our proposed architecture as well as simulation results.
2002
Security is a primary concern in mobile communication systems. Wireless access is inherently less secure, and mobility implies higher security risks than static operation. The security framework for 3G mobile systems is considered, and its principles and security requirements are discussed. Furthermore, the security features that are currently being standardized in 3GPP, as well as the emerging 3G-security architecture are elaborated. The focus is on the various mechanisms and protocols, which are employed to provide security at different levels, and on their effect on network operation.