1 Introduction

A recent increase in the usage of novel mobile applications has led to a continuous increase in traffic and skyrocketing bandwidth demands [1]. In response, the Long-Term Evolution/Long-Term Evolution Advanced (LTE/LTE-A) technology standardized by the 3rd Generation Partnership Project (3GPP) has evolved as the next generation of mobile communication technology [2,3,4,5,6,7,8,9,10,11]. Designers of the LTE/LTE-A technology have announced the Evolved Packet System (EPS) as the Fourth Generation (4G) of the mobile communication network; it has recently been deployed worldwide, and its installations and applications (Machine Type Communications, Internet of Things) are increasing rapidly. EPS is a completely packet-switched mobile network, which implements a flat architecture with limited network components. As shown in figure 1, the EPS architecture is composed of two major entities: an access network called Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the Internet Protocol (IP)-based Evolved Packet Core (EPC). After considering the performance and implementation issues, some design decisions were made by 3GPP [12,13,14]. For instance, EPS is split into two separate frameworks: the User plane (U-plane) framework and the Control plane (C-plane) framework. The control plane framework carries the signalling traffic (control messages) over the S1-C path that is established between the UE (User Equipment) and the MME (Mobility Management Entity), whereas the user plane framework carries user data traffic over the S1-U path that is established between the UE and the Serving Gateway (S-GW). These modifications, compared with the legacy technologies, establish physically separated paths for both types of traffic and separate key management for confidentiality and integrity protection.
In an effort to make EPS secure, two layers, Access Stratum (AS) layer and Non-Access Stratum (NAS) layer, protect the traffic passing through the EPS as shown in figure 1. NAS security executes between the UE and the MME and provides integrity and confidentiality protection to the NAS signalling data in control plane, whereas AS security executes between the UE and the eNodeB and provides integrity and confidentiality protection to the Radio Resource Control (RRC) signalling data in control plane and confidentiality protection to the IP packets in user plane. Beyond the MME, Internet Protocol Security (IPsec) protocols are responsible for protecting all the insecure links.

Figure 1. Security architecture of the Evolved Packet System.

Although LTE/LTE-A networks implement a strong security model, the Evolved Packet System Authentication and Key Agreement (EPS-AKA) protocol proposed by 3GPP in its release 9 (TS 33.401 V11.1.0.) [12,13,14,15], the model still has multiple security loopholes and performance-decreasing factors (a detailed description of the security loopholes is given in section 1.1) and needs further enhancement.

1.1 Security loopholes in the LTE/LTE-A networks

For the trustworthy development of the LTE/LTE-A networks, researchers are actively engaged in work on the unresolved security vulnerabilities of these networks. In this section the authors illustrate these security vulnerabilities of the LTE/LTE-A networks; solutions for them are provided later.

  1. Attack against the subscriber’s identity: When analysing the security gaps of the LTE/LTE-A networks, the wireless interface between the UE and the eNodeB cannot be ignored. Because of the packet-switched behaviour of LTE/LTE-A, this wireless interface is always at risk of eavesdropping or manipulation. In some unavoidable situations (such as when a subscriber registers with the network for the first time, when the network is not able to link the TMSI to the subscriber, or when there is a synchronization failure between the source MME and the target MME), the UE cannot refuse to transfer the IMSI instead of the TMSI in its attach request. The EPS-AKA scheme transmits this attach request in plain text over the wireless interface [16]. Thus, an intruder can easily retrieve the IMSI from this unprotected attach request, either by using IMSI catchers or by decoding the attach request manually [44,45,46]. Shaik et al [17] demonstrated that unprotected transmission of the paging messages over the wireless interface may also lead to a leak of the subscriber’s identity. The SPAN representation of the IMSI leak attack on EPS-AKA is shown in figure 2.

  2. Denial of Service (DoS) attack: A DoS attack prevents legitimate subscribers from getting the intended services and resources. The EPS-AKA scheme and the schemes suggested in [15, 43, 45, 48] allow unprotected transmission of the authentication messages over the wireless interface. Thus, an adversary is able to capture these unprotected authentication messages and launch active attacks against them, which automatically leads to UE authentication failure, so that the UE does not get the intended services. Alternatively, in order to prevent communication and increase destruction, adversaries can collect a large number of valid IMSIs and use them to launch a large number of false attach requests within the LTE/LTE-A network. Here, the MME has to execute each received attach request and perform all the needed operations. This exhausts the computational capacity and the LTE/LTE-A resources and creates congestion over the network, which automatically leads to the DoS attack. The feasibility of the DoS attack in the LTE/LTE-A networks is demonstrated in detail in [5, 17, 22, 46].

  3. Man in the Middle (MitM) attack: By applying the MitM attack, an intruder is able to create an independent connection between the two entities in order to intercept and inject messages. MitM attack is feasible over the LTE/LTE-A networks. For instance, an intruder sends a fake attach request using the legitimate identity of a mobile station to the MME. In response, MME forwards authentication vectors back to the intruder. After receiving authentication vectors, the intruder waits for an attach request from the legitimate UE. When UE asks for the attachment, the intruder interrupts and forwards previously received authentication parameters to the UE. In this way, the intruder is able to authenticate itself to the UE as a legitimate network and creates an independent connection between the UE and the network; execution of the MitM attack on EPS-AKA protocol is shown in figure 3.

  4. Vulnerable handover scheme: Handover in LTE/LTE-A should ensure forward key separation (FKS) and backward key separation (BKS) to prevent exploitation of the session keys. However, in LTE/LTE-A, on intra-MME handover, the target eNodeB receives a fresh Next-Hop (NH) key and NH Chaining Counter (NCC) value from the MME within the path switch message after the radio link handover [13]. Thus, these new parameters can be used only to generate keying material for the next handover. In EPS-AKA, the source eNodeB computes a session key for the target eNodeB using the fresh parameters (NH, NCC) received on the previous handover. Thus, in the presence of rogue base stations, horizontal key derivation never ensures FKS and vertical key derivation achieves FKS only with the well-defined limitation of two hops [13]. Even then, a rogue eNodeB may disrupt the updating of NCC values, which may lead to the desynchronization attack in LTE/LTE-A networks [18,19,20].

  5. Replay attack: Replay attacks were executed on the legacy networks (GSM, UMTS) and are still feasible in LTE/LTE-A networks. As per [15], an intruder can capture the authentication parameters sent by the MME over the wireless interface and replay them to the UE. In this way, an intruder can verify the presence of the subscriber through the received error message response. The EPS-AKA scheme and the schemes suggested in [15, 48] allow unprotected transmissions of the authentication parameters. Hence, the schemes are vulnerable to the replay attack.

  6. Redirection attack/overbilling attack: Assume that an adversary controls a device that can function as a base station and entices the UE to camp on its radio channel. This rogue base station can redirect the subscriber’s service request to a foreign network instead of the home network, and the subscriber is charged accordingly, which leads to the overbilling attack in the LTE/LTE-A networks. In another scenario, with the intention of breaching user traffic security, the rogue base station may redirect user traffic to a network where security is either weak or not provided. On access authentication, the EPS-AKA approach and the approaches suggested in [15, 43, 45, 48] never verify the authenticity of the base stations; thus, this weak mutual authentication creates space for the redirection attack and the overbilling attack in the LTE/LTE-A networks. The researchers in [37, 45] demonstrated how the redirection attack may occur in the LTE/LTE-A networks.

  7. High bandwidth consumption/storage overhead: High bandwidth consumption and signalling overhead between the MME and the HSS is one of the performance-decreasing factors of the EPS-AKA protocol. If the UE resides under the MME for a long time and exhausts all the authentication vectors received from the network, then the MME requests another set of authentication vectors from the HSS. This generates high signalling overhead and high bandwidth consumption between the MME and the HSS. In addition, it creates storage overhead at the MME for storing n sets of the authentication vectors [46].

  8. Single-key dependency: In general, cryptographic keys have a defined lifetime to limit key exposure and compromise. If the EPS-AKA scheme or one of the schemes suggested in [15, 43, 44, 48] is used, then the security of the LTE/LTE-A networks depends on a single permanent symmetric key (K) that is shared between the USIM and the HSS at the time of manufacturing. If this key is somehow compromised, then the security of the whole system is at risk and it becomes feasible for an opponent to be authenticated by the LTE/LTE-A network.

Figure 2. SPAN (AVISPA) representation of IMSI leak attack on EPS-AKA.

Figure 3. SPAN (AVISPA) representation of MitM attack on EPS-AKA.

1.2 Related works

There are many studies claiming multiple security vulnerabilities in the LTE/LTE-A networks. Shaik et al [17] uncovered various security loopholes in the LTE access network protocols. They demonstrated the feasibility of inexpensive, practical attacks like subscriber’s location leak and DoS attack using the low-cost commercial LTE devices on the real networks. Rupprecht et al [21] conducted a comprehensive survey on the LTE security and found two implementation vulnerabilities: the first class of vulnerability contained network authentication, while the second class contained user traffic encryption; with this, the researchers demonstrated feasibility of the MitM attack without the need of authentication requirements. Rupprecht et al demonstrated that attackers are able to deploy fake base stations in the LTE network, which may lead to the feasibility of redirection attack. Park and Park [22] surveyed LTE technology and concluded that this technology inherits security problems from the legacy technologies and its migration to IP-network exposes it to the IP-specific security threats. Researchers exposed the feasibility of redirection attack on user traffic, attack on the lifetime of the UE to make it shorter and resynchronization attack. Cao et al [23] surveyed the security aspect of the LTE/LTE-A networks and uncovered various security vulnerabilities of the standard AKA protocol.

In order to achieve the objectives of secure communication and better performance, several authentication and key agreement protocols have been suggested in the existing literature [24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44]. Most of these suggested approaches demand changes in the LTE/LTE-A environment and require additional cryptographic algorithms. Abdrabou et al [45] suggested a symmetric-key-based approach named Modified Evolved Packet System Authentication and Key Agreement protocol (MEPS-AKA) to mitigate existing security issues. Their approach was based on simple password exponential key exchange. A pre-authentication is performed that generates dynamic keys for each access to the network. This approach introduced a communication overhead increase (in bits) of up to 62% in the authentication procedure. Degefa et al [46] proposed another symmetric-key-based protocol called Enhanced-AKA, which enhances the security level and performance of the LTE/SAE networks. The approach requires a secretly shared key identity (KI) between the UE and the HSS to fulfill the security needs of the subscriber. The approach was efficient in terms of bandwidth consumption and reduction in storage overhead at the MME, but could not resolve issues like deployment of the rogue base station, DoS attack and MitM attack in LTE/LTE-A networks. In addition, if IPsec is not enabled on the EPC, this approach provides chances for the exposure of the pre-shared LTE key (K). To recover K, an adversary can sniff KI over the air interface and the secret key (s) from the core interface, and apply a brute force attack on K using the known function f’, KI and key (s) over a quantum supercomputer. Ekene et al [47] suggested a PKI (Public Key Infrastructure)-based authentication approach called EC-AKA, in which the IMSI is never sent in plain text in an attach request. Thus, the subscriber identity is safe from disclosure.
In this approach, transmission of the AUTN, Rand and RES parameters is executed in clear text, which makes this protocol vulnerable to all those attacks that are possible over the unprotected wireless interface. Hamandi et al [48] proposed a hybrid protocol with a modified key to protect the privacy of the subscribers; the main objective of the approach was to assure that the subscriber’s identity could not be tracked. This approach considered the issue of limited energy for the UEs. In this research, for UE authentication, the MME generates a random number and forwards it to the UE. The UE also generates a random number and feeds both random numbers, together with the previously shared key K, to the key generation function. As a result, an anonymity key is generated, which is used for the ciphering of the IMSI. In addition, the protocol used newly introduced sequence numbers (\(\hbox {SQN}_{HSK}\)) for the identification of key K against the UE on the HSS. Thus, this approach increased the computational as well as managerial overhead for maintaining the newly introduced SQNs. In addition, some parameters that were assumed to be secure can be obtained from the authentication vectors. For instance, RMSI was confidential to the HSS and UE, but it could be easily obtained from the AUTN parameter. Zhang and Fang [37] demonstrated that the 3GPP AKA protocol is vulnerable to the false base station attack, which may lead to the feasibility of redirection attack. They suggested an AP-AKA protocol that is flexible according to whether or not the UE has unused parameters. This AP-AKA approach mitigates redirection attack and eliminates the need for synchronization between the UE and the HSS. However, the issues of DoS attack, MitM attack and redirection attacks are not considered in this approach. Hamandi et al [15] proposed a modified subscriber’s privacy-sensitive LTE-AKA approach to prevent various active and passive attacks in the LTE network.
The approach is a hybrid approach that employs both symmetric and asymmetric encryption, and its main objective is to secure the subscriber’s identity. The approach suggested the use of three identities, MUTI, GRid and E-IMSI, instead of two, which increased the difficulty of linking the static and dynamic identities of the subscriber, and it presented a new temporary UE ID reallocation scheme in order to maintain user privacy. However, this scheme does not prevent high bandwidth consumption between the HSS and the MME, and the storage overhead on the MME is high.

1.3 Our contributions

In the present research, an attempt is made to do the following:

  • Proposing a security and performance-enhanced access control protocol with efficient handover schemes. The suggested approach mitigates most of the security issues that still exist in the LTE/LTE-A networks. The protocol strongly authenticates the LTE/LTE-A entities (UE, eNodeB, MME, HSS) and ensures AS layer secrecy.

  • Security analysis and verification of the proposed scheme are performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. The results show the security capabilities of the protocol against various malicious attacks.

  • We compare the Efficient Authentication and Key Agreement Protocol for Evolved Packet System (EAKA-EPS, suggested approach) performance with those of other existing approaches in terms of the bandwidth consumption, computational overhead and signalling overhead. Results indicate that the suggested approach guarantees outstanding performance while achieving more security requirements.

2 The proposed protocol

To meet the goal of perfect secrecy in the LTE/LTE-A networks, the authors suggest an EAKA-EPS approach that removes redundant computations and minimizes the use of PKI. The following assumptions are considered for EAKA-EPS: (i) IPsec is enabled on the wired interface of the EPS, (ii) UE and MME store asymmetric key pairs (\(\hbox {PK}_{ue}\), \(\hbox {PK}_{ue}^{-1}\), \(\hbox {PK}_{mme}\), \(\hbox {PK}_{mme}^{-1}\)) and when UE enters into the area of the MME, MME shares its public key \(\hbox {PK}_{mme}\) with the UE and (iii) UE, MME, HSS have functions \(f_{1}\), \(f_{2}\), \(f_{3}\), \(f_{4}\), \(f_{5}\) and KDF stored on them.

Figure 4. An Efficient Authentication and Key Agreement Protocol for Evolved Packet System (EAKA-EPS).

2.1 EAKA-EPS

Security services included in the proposed scheme are mutual authentication and key agreement, NAS key agreement for NAS security set-up and AS key agreement for AS security set-up. The proposed authentication and key agreement protocol is shown in figure 4 and in order to create a clear picture of the key computations, it is diagrammatically depicted in figure 5. Protocol execution is as follows:

  1. UE \(\rightarrow \) MME: Attach Request (E{IMSI||UE-Net-Cap||\(T_{1}\)||\(\hbox {PK}_{ue}\)||MAC-1}\(\hbox {PK}_{mme}\)): For initial attachment, UE sends encrypted attach request message to the MME via eNodeB. This attach request includes IMSI, UE network capabilities, timestamp (\(T_{1}\)), MAC-1 and \(\hbox {PK}_{ue}\) (public key of the UE) where MAC-1 = \(f_{1}\)(IMSI||UE-Net-Cap||\(T_{1}\)||\(\hbox {PK}_{ue}\)) is the message authentication code computed by the UE; eNodeB attaches its security certificate (\(\hbox {C}_{eNodeB}\)) issued by the Certification Authority (CA) to the received attach request (\(\hbox {E}\{\hbox {IMSI}||\hbox {UE-Net-Cap}|| T_1||\hbox {PK}_{ue}||\hbox {MAC-1}\}\hbox {PK}_{mme}||\hbox {C}_{eNodeB}\)) and forwards it to the MME over a secure channel. MME decrypts the received message with its private key and checks the integrity of the received attach request.

  2. MME \(\rightarrow \) HSS: Authentication Key Request (IMSI, Network-type, SN-ID, \(T_{1}\), \(\hbox {C}_{eNodeB}\)): To obtain a temporary authentication key that authorizes the MME to authenticate the UEs, MME forwards authentication key request (IMSI, Network-type, SN-ID, \(T_{1}\), \(\hbox {C}_{eNodeB}\)) to the HSS. This authentication key request includes the network type of the UE and identity of the serving network (SN-ID) with timestamp \(T_{1}\) and certificate of the eNodeB (\(\hbox {C}_{eNodeB}\)).

  3. HSS \(\rightarrow \) MME: Authentication Key Response (\(K'_{ASME}\), CHV): In response to the authentication key request, HSS authenticates the eNodeB and MME by verifying the validity of the \(\hbox {C}_{eNodeB}\) and SN-ID. If eNodeB and MME are genuine entities then HSS generates a Certificate Hash Value CHV = \(f_{2}(T_{1}, C_{eNodeB})\), key generating key \(K' = \hbox {CHV} \oplus K\), temporary value TEMP = SN-ID \(\oplus \) CHV, Integrity Key IK = \(f_{3}(K', \hbox {TEMP})\) and Cipher Key CK = \(f_{4}(K', \hbox {TEMP})\). With this, using a key derivation function over CK and IK, HSS computes a temporary authentication key \(K'_{ASME}\) = KDF(CK, IK). HSS forwards computed temporary authentication key \(K'_{ASME}\) and CHV to the MME.

  4. MME \(\rightarrow \) UE: Authentication Request (E{AUTN, Rand, CHV, MAC-2}\(\hbox {PK}_{ue}\)): After receiving temporary authentication key (\(K'_{ASME}\)), MME generates a random variable (Rand), assigns an SQN and computes remaining authentication vectors as follows:

    • An anonymity key AK = \(f_{5}\) (\(K'_{ASME}\), Rand), where \(f_{5}\) is a key generating function.

    • Message authentication code MAC = \(f_{1}\) (\(K'_{ASME}\), SQN, \(T_1\), Rand), where \(f_{1}\) is an authentication function.

    • An authentication token AUTN = SQN\(\oplus \)AK||MAC.

    • An expected response XRES = \(f_{2}\)(\(K'_{ASME}\), Rand), where \(f_{2}\) is an authentication function.

    • Access security management entity key \(K_{ASME}\)= KDF (\(K'_{ASME}\), Rand, SQN), where KDF is a one-way hash function for key derivation.

    • Finally, set of the authentication vectors AV = (RAND, AUTN, XRES, \(K_{ASME}\)).

    MME computes MAC-2 = \(f_{1}\)(AUTN, Rand, CHV) and confidentially forwards a user authentication request that includes authentication parameters (E{AUTN, RAND, CHV, MAC-2}\(\hbox {PK}_{ue}\)) to the UE.

  5. UE \(\rightarrow \) MME: Authentication Request Reply (E{RES, MAC-3}\(\hbox {PK}_{mme}\)): UE recovers authentication parameters and checks the integrity of the received message by computing MAC-2’ in the same manner as MME computed MAC-2. If MAC-2 = MAC-2’, UE also computes \(K'\), TEMP, CK, IK and key \(K'_{ASME}\) in the same way as HSS computed them (shown in figure 5); otherwise, UE rejects the authentication request. UE computes \(\hbox {AUTN}_{UE}\) and authenticates the eNodeB, MME and HSS by checking whether \(\hbox {AUTN}_{UE}\) = AUTN or not. After the successful authentication of the network components, UE generates authentication response RES = \(f_{2}\)(\(K'_{ASME}\), Rand), key \(K_{ASME}\) = KDF(\(K'_{ASME}\), Rand, SQN) and MAC-3 = \(f_{1}\)(RES). UE forwards signed response (RES) to the MME in ciphered and integrity-protected manner. MME recovers the response (RES) and verifies integrity of the received message. If integrity holds, MME verifies whether XRES = RES or not; if equality holds then UE is an authenticated entity, otherwise not. After successful mutual authentication of all the entities and sharing of the key \(K_{ASME}\), NAS security set-up procedure starts.

  6. UE \(\leftrightarrow \) MME: NAS security set-up. MME sets up NAS security as mentioned by 3GPP. MME selects NAS security algorithms and generates NAS security keys as shown in figure 5. NAS encryption key \(K_{NASenc}\) = KDF(\(K_{ASME}\), NAS ciphering algorithm distinguisher, Algorithm-ID) and NAS integrity key \(K_{NASint}\) = KDF(\(K_{ASME}\), NAS integrity algorithm distinguisher, Algorithm-ID). MME forwards ciphered and integrity-protected NAS security set-up command to the UE with selected algorithms. UE also generates NAS security keys and forwards NAS security set-up complete command back to the MME.

  7. UE \(\leftrightarrow \) eNodeB: AS security set-up. For setting up AS security, MME computes a session key \(K_{eNB}\) = KDF(\(K_{ASME}\), NAS Uplink Count) and forwards attach accept command (UE network capabilities, \(\hbox {PK}_{ue}\), \(K_{eNB}\)) to the eNodeB. Then eNodeB selects AS security algorithms and generates AS security keys: RRC integrity key \(K_{RRCint}\) = KDF(\(K_{eNB}\), AS-algorithm-ID, AS-integrity-algorithm-distinguisher), RRC cipher key \(K_{RRCenc}\) = KDF(\(K_{eNB}\), AS-algorithm-ID, AS-encryption-algorithm-distinguisher) and user plane cipher key \(K_{UPenc}\) = KDF(\(K_{eNB}\), AS-algorithm-ID, AS-user-plane-encryption-algorithm-distinguisher); eNodeB forwards integrity-protected AS security set-up command to the UE. UE computes AS keys and forwards integrity-protected AS security set-up complete command back to the eNodeB.
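The key computations of steps 3 to 5, and the \(j^{th}\) authentication that reuses \(K_{ASME}\) as \(K'_{ASME}\), can be traced end to end in code. The following is an added example, not code from the paper: it runs the HSS, MME and UE sides and shows the UE rejecting an authentication request bound to a timestamp other than the one it sent. Assumptions: HMAC-SHA-256 truncated to 128 bits stands in for \(f_{1}\) to \(f_{5}\) and KDF (the paper does not fix them), SQN is 48 bits and recovered by the UE as in standard AKA, SN-ID is zero-padded to 128 bits, the public-key envelopes and MAC-1 to MAC-3 are omitted, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import os

SQN_LEN = 6  # 48-bit SQN as in standard AKA (assumption, not stated in the paper)

# Constructed sample values, not taken from the paper.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # permanent USIM/HSS key
SN_ID = b"00101"                                         # serving network identity
CERT_ENB = b"constructed eNodeB certificate bytes"       # stands in for C_eNodeB

def f(label: bytes, key: bytes, *parts: bytes) -> bytes:
    """Stand-in for f1..f5 and KDF (assumption: HMAC-SHA-256, 128-bit output).
    Inputs are length-prefixed so that (a, bc) and (ab, c) cannot collide."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def temp_auth_key(k: bytes, chv: bytes, sn_id: bytes) -> bytes:
    """Step 3 chain, run by the HSS and repeated by the UE in step 5."""
    k_prime = xor(chv, k)                        # K' = CHV xor K
    temp = xor(sn_id.ljust(16, b"\x00"), chv)    # TEMP = SN-ID xor CHV
    ik = f(b"f3", k_prime, temp)                 # IK = f3(K', TEMP)
    ck = f(b"f4", k_prime, temp)                 # CK = f4(K', TEMP)
    return f(b"KDF", ck, ik)                     # K'_ASME = KDF(CK, IK)

def hss_key_response(k: bytes, sn_id: bytes, t1: bytes, cert_enb: bytes):
    chv = f(b"f2", t1, cert_enb)                 # CHV = f2(T1, C_eNodeB)
    return temp_auth_key(k, chv, sn_id), chv

def mme_auth_vector(k_tmp: bytes, t1: bytes, sqn: bytes):
    """Step 4: AV = (Rand, AUTN, XRES, K_ASME), built from K'_ASME alone."""
    rand = os.urandom(16)
    ak = f(b"f5", k_tmp, rand)[:SQN_LEN]         # AK = f5(K'_ASME, Rand)
    mac = f(b"f1", k_tmp, sqn, t1, rand)         # MAC = f1(K'_ASME, SQN, T1, Rand)
    autn = xor(sqn, ak) + mac                    # AUTN = SQN xor AK || MAC
    xres = f(b"f2", k_tmp, rand)                 # XRES = f2(K'_ASME, Rand)
    k_asme = f(b"KDF", k_tmp, rand, sqn)         # K_ASME = KDF(K'_ASME, Rand, SQN)
    return rand, autn, xres, k_asme

def ue_respond(k_tmp: bytes, t1: bytes, rand: bytes, autn: bytes):
    """Step 5: recompute AUTN_UE with the UE's own T1; (RES, K_ASME) or None."""
    ak = f(b"f5", k_tmp, rand)[:SQN_LEN]
    sqn = xor(autn[:SQN_LEN], ak)
    autn_ue = xor(sqn, ak) + f(b"f1", k_tmp, sqn, t1, rand)
    if not hmac.compare_digest(autn_ue, autn):
        return None
    return f(b"f2", k_tmp, rand), f(b"KDF", k_tmp, rand, sqn)

def attach(t1_ue: bytes, t1_network: bytes):
    """Initial attach. t1_ue is the timestamp the UE sent; t1_network is the one
    the network used. Returns the agreed K_ASME, or None if the UE rejects."""
    k_tmp, chv = hss_key_response(K, SN_ID, t1_network, CERT_ENB)
    sqn = (1).to_bytes(SQN_LEN, "big")
    rand, autn, xres, k_asme_mme = mme_auth_vector(k_tmp, t1_network, sqn)
    reply = ue_respond(temp_auth_key(K, chv, SN_ID), t1_ue, rand, autn)
    if reply is None:
        return None
    res, k_asme_ue = reply
    agreed = hmac.compare_digest(res, xres) and k_asme_ue == k_asme_mme
    return k_asme_ue if agreed else None

def reauth(k_asme_prev: bytes, t1: bytes):
    """Section 2.2: the previous K_ASME acts as K'_ASME; the HSS is not contacted."""
    sqn = (2).to_bytes(SQN_LEN, "big")
    rand, autn, xres, k_asme_mme = mme_auth_vector(k_asme_prev, t1, sqn)
    reply = ue_respond(k_asme_prev, t1, rand, autn)
    if reply is None or not hmac.compare_digest(reply[0], xres):
        return None
    return reply[1] if reply[1] == k_asme_mme else None

if __name__ == "__main__":
    t1 = (1_700_000_000).to_bytes(8, "big")
    first = attach(t1, t1)
    print("attach K_ASME :", first.hex())
    print("re-auth K_ASME:", reauth(first, t1).hex())
    later = (1_700_000_100).to_bytes(8, "big")
    print("request bound to another T1 accepted:", attach(later, t1) is not None)
```
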

Figure 5. Key generation model of EAKA-EPS Protocol. Key \(K'_{ASME}\) is a temporary key assigned to the MME by the HSS that authorizes the MME for the authentication of the UEs.

Figure 6. \(X_{2}\)-handover key chaining model.

2.2 The \(j^{th}\) authentication between the same serving network and UE

In EAKA-EPS, when UE stays under the MME for a long span of duration and sends its \(j^{th}\) authentication request to the registered network, previously shared (between the UE and the MME) access security management entity key (\(K_{ASME}\)) will now work as temporary authentication key \(K'_{ASME}\). This key (\(K'_{ASME}\)) is known only to the entities previously authenticated by the HSS. Further, for the \(j^{th}\) authentication and key agreement, MME generates a random number (Rand), assigns an SQN and computes authentication vectors (AUTN, XRES and \(K_{ASME}\)) as depicted in figure 5 using (\(K'_{ASME}\)). MME forwards authentication vectors to the UE in the ciphered and integrity-protected manner and achieves mutual authentication in a similar manner as discussed in section 2.1. Thus, MME need not go back to the HSS for the authentication vectors: the HSS is not overloaded with the authentication of the UE, less bandwidth and signalling are consumed between the MME and the HSS, and the storage overhead on the MME is very low.

2.3 Key management for \({X}_{2}\)-handover

A modified \(\hbox {X}_{2}\)-handover key chaining model that is expected to provide FKS and BKS in LTE/LTE-A networks is shown in figure 6. For AS security set-up, UE and MME derive a session key \(K_{eNB}\) and MME forwards this session key to the eNodeB in attach accept message. UE and eNodeB use \(K_{eNB}\) for generating subsequent AS keys. On \(\hbox {X}_{2}\) handover in LTE/LTE-A networks, for efficiency, source eNodeB generates a temporary key \(K_{eNB}\)* for the target eNodeB (Eq. (1)) using its currently active \(K_{eNB}\) and sends handover request (\(K_{eNB}\)*, \(\hbox {PK}_{ue}\)) to the target eNodeB. For maintaining the uniqueness of the session key and to ensure FKS, target eNodeB generates a random number (Rand) and its session key \(K_{eNB}\) using a key derivation function on received temporary key \(K_{eNB}\)* and generated Rand value (Eq. (2)). Target eNodeB generates all the subsequent AS keys using the generated session key (\(K_{eNB}\)), for providing secure communication in AS with UE.

$$K_{eNB}^{*} = \mathrm{KDF}(K_{eNB}, \alpha ) \tag{1}$$
$$K_{eNB} = \mathrm{KDF}(K_{eNB}^{*}, \mathrm{Rand}) \tag{2}$$

where \(\alpha \) represents cell level values like PCI and EARFCN-DL. Target eNodeB sends Rand value within prepared handover command message to the UE via source eNodeB in a protected manner (as shown in figure 6). UE recovers Rand and generates session key \(K_{eNB}\)* and subsequent AS keys in the same way as the target eNodeB generated them. The proposed approach provides FKS/BKS at \(X_{2}\) handovers without the involvement of the MME. In addition, unlike the standard AKA (EPS-AKA), there is no need for NH key computations and NCC synchronization. Thus, this approach prevents the desynchronization attack on the network, maintains secrecy of the AS data and minimizes computational and managerial overhead between the eNodeB and the MME.
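The chaining in Eqs. (1) and (2) can be followed across several consecutive \(X_{2}\) handovers. The following is an added example, not code from the paper: it tracks the key held by the network and by the UE at each hop, and its test shows that the target key follows from \(K_{eNB}^{*}\) only together with Rand, so forward key separation rests on Rand staying confidential from the source eNodeB. Assumptions: HMAC-SHA-256 stands in for KDF, and the byte encoding of \(\alpha \), the distinguisher strings, the function names and the cell values are constructed.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumption: HMAC-SHA-256 as the one-way KDF; the paper does not fix one."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def alpha(pci: int, earfcn_dl: int) -> bytes:
    """Cell-level input of Eq. (1); this byte encoding is an assumption."""
    return pci.to_bytes(2, "big") + earfcn_dl.to_bytes(4, "big")

def source_handover_key(k_enb: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Source eNodeB, Eq. (1): K_eNB* = KDF(K_eNB, alpha)."""
    return kdf(k_enb, alpha(pci, earfcn_dl))

def target_session_key(k_enb_star: bytes, rand: bytes = None):
    """Target eNodeB, Eq. (2): K_eNB = KDF(K_eNB*, Rand) with a fresh Rand."""
    rand = os.urandom(16) if rand is None else rand
    return kdf(k_enb_star, rand), rand

def ue_handover(k_enb: bytes, pci: int, earfcn_dl: int, rand: bytes) -> bytes:
    """UE: applies Eq. (1) then Eq. (2) after recovering Rand from the command."""
    return kdf(source_handover_key(k_enb, pci, earfcn_dl), rand)

def as_keys(k_enb: bytes) -> dict:
    """AS keys from the session key; the distinguisher strings are placeholders."""
    names = ("K_RRCint", "K_RRCenc", "K_UPenc")
    return {n: kdf(k_enb, b"AS-algorithm-ID", n.encode()) for n in names}

def run_chain(k_enb: bytes, cells):
    """Walk the network and the UE through successive X2 handovers.
    cells is a list of (PCI, EARFCN-DL) pairs for the target cells."""
    hops = []
    net_key = ue_key = k_enb
    for pci, earfcn_dl in cells:
        k_star = source_handover_key(net_key, pci, earfcn_dl)   # at source eNodeB
        net_key, rand = target_session_key(k_star)              # at target eNodeB
        ue_key = ue_handover(ue_key, pci, earfcn_dl, rand)      # at UE
        hops.append({"k_star": k_star, "rand": rand,
                     "target": net_key, "ue": ue_key})
    return hops

if __name__ == "__main__":
    k0 = bytes(32)                                   # constructed initial K_eNB
    for i, hop in enumerate(run_chain(k0, [(101, 1850), (102, 1850), (103, 3050)])):
        print(i + 1, "keys agree:", hop["ue"] == hop["target"],
              "K_eNB:", hop["target"].hex()[:16], "...")
```
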

2.4 Key management for \({S}_{1}\)-handover

The proposed \(S_{1}\)-handover key chaining model is shown in figure 7. On \(S_{1}\) handover, the source eNodeB sends \(S_{1}\) handover required message to the source MME. Upon reception of \(S_{1}\) handover required message, source MME sends S10 relocation request message to the target MME. This S10 relocation request message contains key S-\(\hbox {K}_{ASME}\) (currently active \(K_{ASME}\) on source MME) and the public key of UE (\(\hbox {PK}_{ue}\)). Upon reception of the relocation request, the target MME generates a random number (Rand); with this, the target MME computes key \(K_{ASME}\) = KDF(S-\(\hbox {K}_{ASME}\), Rand), key \(K_{eNB}\) = KDF(\(K_{ASME}\), NAS-Uplink-Count) and NAS security keys. The target MME sends \(K_{eNB}\), \(\hbox {PK}_{ue}\) and encrypted random number (E{Rand}\(\hbox {PK}_{ue}\)) to the target eNodeB within \(S_{1}\) handover request message. Upon reception of \(S_{1}\) handover request message, target eNodeB generates AS security keys with the help of received \(K_{eNB}\) and forwards encrypted random number (E{Rand}\(\hbox {PK}_{ue}\)) within handover command to the UE via source eNodeB. Upon reception of handover command, UE recovers the random number generated by the target MME (Rand) and regenerates security keys in the same manner as the target MME and the target eNodeB generated them.

Figure 7. \(S_{1}\)-handover key chaining model.

3 Security analysis

In this section, the authors illustrate some correctness proofs for the proposed approach with its achievements.

3.1 Theorem 1

The protocol achieves resistance to the subscriber’s identity leak, DoS attack and MitM attack.

Proof:

The EAKA-EPS relies on asymmetric key cryptography and uses the UE’s and MME’s asymmetric key pairs (\(\hbox {PK}_{ue}\), \(\hbox {PK}_{ue}^{-1}\), \(\hbox {PK}_{mme}\), \(\hbox {PK}_{mme}^{-1}\)) for providing secrecy over the wireless interface. An adversary cannot compromise the secret keys (\(\hbox {PK}_{ue}^{-1}\), \(\hbox {PK}_{mme}^{-1}\)) because these keys are never transmitted over the air in the LTE/LTE-A network. In EAKA-EPS, before transmitting IMSI over the wireless interface, UE encrypts it with the public key (\(\hbox {PK}_{mme}\)) of the MME and MME receives IMSI encrypted with its public key (MME \(\leftarrow \) UE: E{IMSI}\(\hbox {PK}_{mme}\)) from the UE. Here, an adversary is not able to capture IMSI over the wireless interface unless the adversary has the secret key (\(\hbox {PK}_{mme}^{-1}\)) corresponding to \(\hbox {PK}_{mme}\). Hence, only MME can recover IMSI from the attach request. In a similar way, the protocol enables secure transmissions over the wireless interface and an intruder is not able to sniff any information over this wireless interface. These secure transmissions prevent subscriber’s identity leak and ensure data confidentiality in the AKA procedure; as per the findings in section 1.1, these confidential transmissions also offer resistance to the DoS attack and the MitM attack. \(\square \)

3.2 Theorem 2

The protocol achieves optimization to the bandwidth consumption/storage overhead over the core network.

Proof:

The EAKA-EPS protocol optimizes the bandwidth consumption in the LTE/LTE-A networks by enabling MME to generate the authentication parameters by itself without going back to the HSS. For providing UE’s authentication authority to the MME, HSS assigns a temporary authentication key \(K'_{ASME}\) to the MME and MME uses this key to generate the authentication parameters. When UE stays under the MME for a long span of duration and sends its \(j^{th}\) authentication request to the registered serving network, previously shared access security management entity key (\(K_{ASME}\)) works as a temporary authentication key \(K'_{ASME}\) and MME uses it to generate the authentication parameters for the \(j^{th}\) authentication of the UE. In the proposed approach, if UE is once registered to the MME then MME need not go back to the HSS for the authentication parameters, which reduces the bandwidth consumption and additional storage overhead over the core network. \(\square \)

3.3 Theorem 3

The protocol preserves the FKS/BKS at the time of handovers.

Proof:

As illustrated under the “key management for the \(X_{2}\)-handover” subsection, the source eNodeB computes a temporary key \(K_{eNB}^{*} = \hbox {KDF} (K_{eNB}, \alpha \)) for the target eNodeB using the one-way key derivation function (KDF), which ensures backward key separation in the LTE/LTE-A networks. The source eNodeB sends handover request that includes computed \(K_{eNB}^{*}\) to the target eNodeB. For ensuring the FKS between the session keys, target eNodeB computes its own session key \(K_{eNB} = \hbox {KDF} (K_{eNB}^{*}\), Rand) using the received \(K_{eNB}^{*}\) and the fresh confidential parameter (Rand) under the KDF. With this, the target eNodeB shares fresh keying parameter (Rand) with the UE in a confidential manner. On handover, the proposed protocol allows session key generation on the target eNodeB using fresh, confidential keying material (Rand). Hence, the protocol achieves FKS/BKS on \(X_{2}\) handovers, which ensures resistance to the desynchronization attack and achieves the AS secrecy in the LTE/LTE-A networks. \(\square \)
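The key chain in this proof can be traced in a few lines. The following is an added example, not code from the paper: HMAC-SHA-256 stands in for the KDF, and the values used for \(\alpha\), Rand and the starting \(K_{eNB}\) are constructed for illustration.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, param: bytes) -> bytes:
    # Stand-in for the paper's one-way KDF (assumption: HMAC-SHA-256).
    return hmac.new(key, param, hashlib.sha256).digest()


def x2_handover(k_enb_source: bytes, alpha: bytes, rand: bytes) -> dict:
    """One X2 handover; returns what each party ends up holding."""
    # Source eNodeB: K_eNB* = KDF(K_eNB, alpha), sent in the handover request.
    k_star = kdf(k_enb_source, alpha)
    # Target eNodeB: K_eNB = KDF(K_eNB*, Rand) with its own fresh Rand.
    k_target = kdf(k_star, rand)
    # UE: holds the old K_eNB and alpha, receives Rand confidentially.
    k_ue = kdf(kdf(k_enb_source, alpha), rand)
    return {"k_star": k_star, "k_target": k_target, "k_ue": k_ue}


def source_guess_after_handover(k_star: bytes, guessed_rand: bytes) -> bytes:
    """What the source eNodeB can compute: it knows K_eNB* but not Rand."""
    return kdf(k_star, guessed_rand)


def run_chain(hops: int = 3) -> list:
    """Chain several handovers and return every K_eNB that was in use."""
    keys = [os.urandom(32)]                 # constructed initial K_eNB
    for hop in range(hops):
        alpha = b"alpha-hop-%d" % hop       # constructed handover parameter
        rand = os.urandom(16)               # fresh per target eNodeB
        result = x2_handover(keys[-1], alpha, rand)
        # UE and target must agree, otherwise the handover desynchronizes.
        assert hmac.compare_digest(result["k_target"], result["k_ue"])
        keys.append(result["k_target"])
    return keys


if __name__ == "__main__":
    r = x2_handover(b"\x11" * 32, b"constructed-alpha", b"\x22" * 16)
    print("UE and target agree:", r["k_ue"] == r["k_target"])
    wrong = source_guess_after_handover(r["k_star"], b"\x00" * 16)
    print("source without Rand matches:", wrong == r["k_target"])
    print("distinct keys over 4 hops:", len(set(run_chain(4))))
```

The target never sees the source's \(K_{eNB}\), only its one-way image \(K_{eNB}^{*}\) (backward separation), and the source can reproduce the new key only if it learns Rand, which is why the proof requires Rand to be shared confidentially (forward separation).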

3.4 Theorem 4

The protocol achieves resistance to the Replay attack.

Proof:

In the proposed approach, UE includes a fresh timestamp (\(T_{1}\)) value in its initial attach request to prevent the replays of the messages. When HSS receives the attach request, HSS verifies the freshness of the request by checking the validity of the timestamp \(T_{1}\). If the timestamp \(T_{1}\) is out of order then HSS will reject the attach request, otherwise HSS will process the request, because if HSS believes the fresh (\(T_{1}\)) then HSS also believes the fresh (\(X||T_{1}\)). When UE receives the authentication parameters, UE verifies authenticity of the serving network by computing \(\hbox {AUTN}_{UE}\) using the fresh (\(T_{1}\)) sent by the UE in its attach request. If the user authentication request is a replay then it will automatically lead to authentication failure (\(\hbox {AUTN}_{UE}\) \(\ne \) AUTN). Hence, the proposed approach ensures resistance to the replay attack in the LTE/LTE-A networks. \(\square \)

3.5 Theorem 5

The protocol ensures strong mutual authentication and resistance to the redirection attack and overbilling attack in LTE/LTE-A networks.

Proof:

To achieve the goal of strong mutual authentication between the LTE/LTE-A entities, the EAKA-EPS protocol uses the challenge–response mechanism. HSS verifies authenticity of the eNodeB and the serving network by checking the validity of received eNodeB certificate (\(C_{eNodeB}\)) and the serving network identity (SN-ID). For verifying the authenticity of the HSS, UE computes authentication token \(\hbox {AUTN}_{UE}\) in a similar manner as AUTN is computed. If \(\hbox {AUTN}_{UE} = \hbox {AUTN}\), it means HSS is an authenticated entity and eNodeB and MME are HSS-verified entities. For UE authentication, UE computes RES in a similar manner as MME computes XRES and sends RES to the MME; MME checks whether RES = XRES or not. If both values are equal, it implies that UE is an authenticated entity. Here, adversaries cannot compute the same values for the authentication parameters without the knowledge of secret key \(K'_{ASME}\). Thus, the proposed approach prevents deployment of fake base stations in the LTE/LTE-A networks, which mitigates the issues of the redirection attack and the overbilling attack in the network. \(\square \)
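The checks used in the proofs of Theorems 4 and 5 (timestamp freshness at the HSS, \(\hbox {AUTN}_{UE}\) against AUTN at the UE, RES against XRES at the MME) are sketched below as an added example, not the paper's own code. HMAC-SHA-256 stands in for the f-functions, HSS and MME are merged into one `Network` class, and the 5-second freshness window, the key and the IMSI are constructed assumptions.

```python
import hashlib
import hmac

FRESHNESS_WINDOW = 5  # seconds; assumed value, the paper does not give one


def mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in for the paper's f-functions (assumption: HMAC-SHA-256).
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Network:
    """HSS freshness check and MME challenge generation, merged for brevity."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_t1 = {}  # IMSI -> newest accepted T1

    def attach(self, imsi: str, t1: int, now: int, rand: bytes):
        # Stale or out-of-order T1 means a replayed attach request: reject.
        if abs(now - t1) > FRESHNESS_WINDOW or t1 <= self.last_t1.get(imsi, -1):
            return None
        self.last_t1[imsi] = t1
        return {"rand": rand,
                "autn": mac(self.key, b"AUTN", rand, t1.to_bytes(8, "big")),
                "xres": mac(self.key, b"RES", rand)}  # XRES stays at the MME

    @staticmethod
    def check_res(challenge: dict, res: bytes) -> bool:
        return hmac.compare_digest(challenge["xres"], res)


class UE:
    def __init__(self, key: bytes, imsi: str):
        self.key, self.imsi, self.t1 = key, imsi, None

    def attach_request(self, now: int):
        self.t1 = now  # fresh T1, remembered for the AUTN check
        return self.imsi, self.t1

    def answer(self, rand: bytes, autn: bytes):
        autn_ue = mac(self.key, b"AUTN", rand, self.t1.to_bytes(8, "big"))
        if not hmac.compare_digest(autn_ue, autn):
            return None  # AUTN_UE != AUTN: replayed or forged challenge
        return mac(self.key, b"RES", rand)


def run_scenarios() -> dict:
    key = bytes(range(32))                      # constructed shared key
    net, ue = Network(key), UE(key, "001010123456789")  # constructed IMSI
    imsi, t1 = ue.attach_request(now=1000)
    ch = net.attach(imsi, t1, now=1001, rand=b"\x01" * 16)
    out = {"honest": Network.check_res(ch, ue.answer(ch["rand"], ch["autn"]))}
    # Same attach request captured and resent inside the window.
    out["replayed_attach"] = net.attach(imsi, t1, now=1003, rand=b"\x02" * 16)
    # Old challenge replayed against a later attach with a new T1.
    imsi, t1_new = ue.attach_request(now=2000)
    out["replayed_challenge"] = ue.answer(ch["rand"], ch["autn"])
    # Base station that does not hold the shared key.
    fake = Network(b"\xff" * 32).attach(imsi, t1_new, now=2000, rand=b"\x03" * 16)
    out["fake_network"] = ue.answer(fake["rand"], fake["autn"])
    return out


if __name__ == "__main__":
    print(run_scenarios())
```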

3.6 Theorem 6

The protocol ensures resistance to the single-key dependency problem.

Proof:

The existing EPS-AKA protocol is dependent on the secrecy of the permanent LTE key K. If K is somehow compromised, then the security of the whole system is compromised. Taking this into consideration, the proposed approach uses a dynamic key-generating key \(K'\ (K'= f_{2}(T_{1}, C_{eNodeB}) \oplus K\)) instead of the permanent LTE key K for computing all the subsequent keys. Thus, the issue of single-key dependency has been resolved in the proposed EAKA-EPS approach. Many researchers suggested various approaches for achieving perfect secrecy in the EPS; the pros and cons of these approaches are discussed in detail in section 1.1. The authors compared some of the existing approaches with the proposed approach, and comparison results are shown in table 1. Comparison is performed on the basis of the attacks prevented by the approaches and performance enhancement factors included by these approaches. Comparison results show that the proposed approach achieves security against most of the malicious attacks currently feasible in LTE/LTE-A networks. \(\square \)

Table 1 Comparison of the proposed protocol with existing protocols suggested by other researchers.

4 Formal verification results

According to 3GPP, all the wired channels are secure (IPsec enabled) in LTE/LTE-A networks. Hence, the authors simulated only the wireless interface on AVISPA, on an Intel(R) Core(TM) i5 2.60 GHz with 4 gigabyte RAM under the Ubuntu 12.04 operating system. AVISPA integrates different back-ends like On-the-Fly Model-Checker (OFMC) and CL-based Attack Searcher (CL-AtSe). These back-ends are complementary to each other rather than equivalent and assume perfect cryptography, which implies that an attacker cannot recover information from the encrypted message without the knowledge of the corresponding decryption key [49]. The protocol is written in the “High Level Protocol Specifications Language” to be tested on AVISPA back-end servers. “SAFE” and “NO ATTACK FOUND” are the keywords that indicate that the protocol achieves specified goals and it is safe against the attacks automatically created by AVISPA. AVISPA also simulates the behaviour of the Dolev-Yao intruder model (network is fully controlled by an intruder) [50]. All the messages transmitted by agents are accessible to the intruder, and an intruder can analyse, modify and intercept messages sent by the agents. The primary goals of the proposed protocol are secure transmission of the data over the wireless interface and strong mutual authentication between the LTE/LTE-A components. In the model of the proposed protocol, there are two roles, user_Equipment and eNodeB, as shown in listings 1 and 2, respectively, and the desired goals of the protocol are declared in Listing 3. Verification results (OFMC, CL-AtSe) of the proposed protocol on AVISPA are found to be safe and are shown in figures 8 and 9. From the results we can conclude that the proposed protocol accomplishes the goals of mutual authentication and secrecy over the wireless interface under the test of AVISPA.

Listing 1. Role of user_equipment.

Listing 2. Role of eNodeB.

Listing 3. Goals of the model.

Figure 8 Results reported by the OFMC back-end.

Figure 9 Results reported by the CL-AtSe back-end.

5 Performance evaluation

In this section, the authors analyse the proposed scheme from three important metrics: bandwidth consumption, computational cost and storage overhead by comparison to existing authentication and key agreement schemes.

5.1 Bandwidth consumption between the MME and the HSS

To analyse signalling overhead and bandwidth consumption between the MME and the HSS a simple fluid flow mobility model has been customized [46, 51]. The mobility model says that the traffic flow in a region is directly proportional to the length of the registration area (L), density of UEs in the region (\(\rho \)) and the velocity of the UE movement (v). The mobility model assumes that the direction of movement is distributed over [0–2\(\pi \)]. Thus, the rate of registration area crossing (R) is given as (Eq. (3))

$$\begin{aligned} R=\frac{\rho \cdot v\cdot L}{\pi }. \end{aligned} \tag{3}$$

Traffic because of the arrival rate of the authentication requests is generated due to the mobility of UEs into the new registration area. Thus, the authentication requests (R) generated per registration area (as per assumptions in table 2) is 3.757/s. \(\hbox {Req}_{auth}\) is the total number of requests arriving for the authentication at the HSS in every second.

Table 2 Parameters to calculate traffic rate to the LTE database.

Thus, the total number of authentication requests at the HSS is generated as follows (Eq. (4)):

$$\begin{aligned} {\mathrm{Req}}_{auth} = R \times \mathrm{Ar} = 375.7/\mathrm{s}. \end{aligned} \tag{4}$$

Computation of bandwidth consumption between the HSS and the MME is sufficient to show the bandwidth optimization in the proposed scheme. Bandwidth consumption between the HSS and the MME (\(\hbox {BW}_{MME\leftrightarrow HSS})\) can be measured in terms of the number of bits involved in the messages exchanged for the authentication. Thus, the bandwidth consumption between the MME and the HSS can be calculated as follows (Eq. (5)):

$$\begin{aligned} {\mathrm{BW}}_{MME\leftrightarrow HSS} = \sum {\mathrm{bits(core\, traffic)}}\times {\mathrm{Req}}_{auth} \end{aligned} \tag{5}$$

$$\begin{aligned} \sum {\mathrm{bits(core\, traffic)}} = \sum _{i=1}^{i=n} |{\mathrm{message}}_{i}| \end{aligned} \tag{6}$$

where n is the total number of messages communicated between the MME and the HSS for the UE authentication and |\(\hbox {message}_{i}\)| represents the bit length of the ith message. Accordingly, the bandwidth consumption of the various approaches is as follows.

Figure 10 Bandwidth consumption between HSS and MME in various approaches suggested by researchers, when needed number of authentication vectors (n) are: \(\hbox {AV}=5\), \(\hbox {AV}=10\), \(\hbox {AV}=15\) and \(\hbox {AV}=20\). EAKA-EPS reduces bandwidth consumption to 81% between UE and MME for the first authentication of the UE.

5.1a Bandwidth analysis of the EPS-AKA (standard scheme) protocol:

In this scheme, MME receives authentication vectors from the HSS by sending two messages: \(\hbox {message}_{1}\), where MME forwards request for the authentication vectors to the HSS, and \(\hbox {message}_{2}\), where HSS forwards n sets of the authentication vectors to the MME. The total number of bits (bit size of the parameters is shown in table 3) involved in authentication procedure are

$$\begin{aligned} \hbox {message}_{1}& {}= |\hbox {IMSI}| + |\hbox {SNID}| = 128 + 48 =176 \hbox { bits}\\ \hbox {message}_{2}& {}= \hbox {AV} (|\hbox {XRES}| + |\hbox {AUTN}| + |\hbox {Rand}| + |K_{{ ASME}}|) n = 544n\hbox { bits}. \end{aligned}$$

In EPS-AKA, bandwidth consumption for the single authentication request is \(176+544n\) bits. Hence, the overall bandwidth consumption (\(\hbox {BW}_{MME\leftrightarrow HSS}\)) between the MME and the HSS in the EPS-AKA approach is 1.42 Mbits/s (Eq. (5)), where required sets of the authentication vectors (n)/request are 7.

5.1b Bandwidth analysis of the Fikadu’s approach (enhanced-AKA):

In this approach, messages that incur bandwidth between the MME and the HSS for UE authentication are message1, where MME requests the HSS for sending the secret key, and message2, where HSS forwards secret key (s), KI and IMSI back to the MME.

$$\begin{aligned} \hbox {message}_{1}= & {} 2|\hbox {SN-ID} | + |\hbox {KI}| + |\hbox {IMSI}| + |\hbox {Rand}_{UE}| + |\hbox {M-ID}| = 512 \hbox { bits}\\ \hbox {message}_{2}= & {} |s| + |\hbox {KI}| +|\hbox {IMSI}| = 384 \hbox { bits}. \end{aligned}$$

Bandwidth consumption for single authentication request is 896 bits. The overall bandwidth consumption (\(\hbox {BW}_{MME\leftrightarrow HSS}\)) between the MME and the HSS for enhanced AKA is 0.27 Mbits/s (Eq. (5)).

Table 3 Bit size of the parameters.

Figure 11 Comparison of computational cost of various approaches suggested by researchers, when needed number of authentication vectors (n) are: AV = 5, AV = 10, AV = 15 and AV = 20.

5.1c Bandwidth analysis of the Hamandi’s approach (modified LTE-AKA):

In this scheme, messages that incur bandwidth between the MME and the HSS for the authentications are message1, where MME requests the HSS for the authentication vectors, and message2, where HSS forwards n copies of the authentication vectors back to the MME.

$$\begin{aligned} \hbox {message}1& {} = |\hbox {Uid}| + |\hbox {SN-ID}| = 176 \hbox { bits}\\ \hbox {message}2& {}= (\hbox {AV} (|\hbox {Rand}| + |\hbox {XRES}| + |\hbox {K}_{ASME}| + |\hbox {AUTN}| + |\hbox {IMSI}| + |\hbox {SK}|) n) = 800n \hbox { bits}. \end{aligned}$$

Bandwidth consumption for the single authentication request is 176+800n bits. Hence, the overall bandwidth consumption (\(\hbox {BW}_{MME\leftrightarrow HSS}\)) between the MME and the HSS for modified LTE-AKA is 2.0 Mbits/s (Eq. (5)), where required sets of authentication vectors (n)/request are 7.

5.1d Bandwidth analysis of the EAKA-EPS (proposed approach):

In the proposed scheme, messages that incur bandwidth between the MME and the HSS for the authentication are message1, where MME forwards a request for temporary authentication key to the HSS, and message2, where HSS forwards temporary authentication key with CHV parameter back to the MME:

$$\begin{aligned} \hbox {message}1= & {} |\hbox {SN-ID}| + |\hbox {IMSI}| + |T1| + |C_{eNodeB}| = 352 \hbox { bits},\\ \hbox {message}2= & {} (|\hbox {K}'_{ASME}| + |\hbox {CHV}|) = 384 \hbox { bits}.\\ \end{aligned}$$

Bandwidth consumption for the single authentication request is 736 bits. Hence, the overall bandwidth consumption (\(\hbox {BW}_{MME\leftrightarrow HSS}\)) between the MME and the HSS for the proposed approach is 0.26 Mbits/s (Eq. (5)). Calculations show that the proposed approach reduces bandwidth consumption between the HSS and the MME to 81% in comparison with the standard AKA protocol. In addition, for the \(j^{th}\) authentication request from the registered UE, bandwidth consumption will be 0% because MME need not go back to the HSS for the authentication parameters. Comparison between all these approaches is depicted in figure 10 corresponding to the mean density of UEs/registration area. From figure 10 the authors can conclude that the proposed approach achieves the goal of less bandwidth consumption between the MME and the HSS in comparison with the EPS-AKA approach and the approaches suggested by other researchers.

5.2 Computational cost

For the calculations of the computational cost, the authors compare security functions that are executed for providing authentication to the UE. Although all security functions carry different computational costs, here the computational cost of every security function is assumed to be 1 [37]. Other operations are not considered because their computational cost is very low. All the protocols are analysed under the same standards for maintaining fairness in the computation. Computational overhead is calculated individually for the UE, MME and the HSS against the security functions performed.

Figure 12 Comparison of storage overhead at MME for various approaches suggested by the researchers. Needed number of authentication vectors (n) are \(\hbox {AV}=5\), \(\hbox {AV}=10\), \(\hbox {AV}=15\) and \(\hbox {AV}=20\).

5.2a Computational cost analysis of the EPS-AKA (standard approach) protocol:

Computational cost corresponding to the security functions executed on the UE, MME and the HSS for providing authentication to the UE is as follows:

$$\begin{aligned} \hbox {UE:} (f_{1} + f_{2} +f_{3} + f_{4} + f_{5} + 2\hbox {KDF})& {}= 7,\\ \hbox {MME: No. security functions}& {}= 0,\\ \hbox {HSS: AV} (f_{1} + f_{2} +f_{3} + f_{4} + f_{5} + 2\hbox {KDF}) \textit{ n}& {}= 7\textit{n}. \end{aligned}$$

For single authentication request, total number of security functions executed on the EPS-AKA are 7+7n, where n is the required number of authentication vectors/UE. Thus, the overall computation number of the EPS-AKA against the security functions is as follows:

$$\begin{aligned} \hbox {computational cost } (\hbox {Cc}) = \hbox {Req}_{auth} (7+7\textit{n})/\hbox {s}. \end{aligned}$$

5.2b Computational cost analysis of the Fikadu’s approach-(enhanced-AKA):

Computational cost corresponding to the security functions executed on the UE, MME and the HSS for providing authentication to the UE is as follows.

$$\begin{aligned} \hbox {UE: } (f' + \hbox {Enc} + f_{1} + f_{2} +f_{3} + f_{4} + 2f_{5} + \hbox {KDF} + \hbox {Denc})& {}= 10,\\ \hbox {MME: } (f_{1} + f_{2} +f_{3} + f_{4} + f_{5} + \hbox {KDF} + \hbox {Enc} + \hbox {Dec})& {}= 8,\\ \hbox {HSS: } (f' + \hbox {KDF})& {}= 2. \end{aligned}$$

For a single authentication request, the total number of security functions executed in Fikadu’s approach is 20. Thus, the overall computation number of Fikadu’s approach against the security functions is as follows:

$$\begin{aligned} \hbox {computational cost } (\hbox {Cc}) = \hbox {Req}_{auth}\, (20)/\hbox {s}. \end{aligned}$$

5.2c Computational cost analysis of the Hamandi’s approach:

Computational cost corresponding to the security functions executed on the UE, MME and the HSS for providing authentication to the UE are as follows.

$$\begin{aligned} \hbox {UE: } (\hbox {Enc} + 2f_{k} + \hbox {MAC} + \hbox {KDF} + f_{1} + f_{2} +f_{3} + f_{4} + f_{5} + 2\hbox {KDF})= & {} 12,\\ \hbox {MME: no. security functions}= & {} 0,\\ \hbox {HSS: } {\hbox {Dec} + \hbox {AV } (3\hbox {KDF} + f_{1} + f_{2} +f_{3} + f_{4} + f_{5})\textit{n}}= & {} 1+8\textit{n}. \end{aligned}$$

For single authentication request, the total number of security functions executed in Hamandi’s approach is 13+8n, where n is the required number of authentication vectors/UE. The overall computational cost of Hamandi’s approach against the security functions is as follows:

$$\begin{aligned} \hbox {computational cost } (\hbox {Cc}) = \hbox {Req}_{auth} (13+8\textit{n})/\hbox {s}. \end{aligned}$$

5.2d Computational cost analysis of the EAKA-EPS (proposed approach) protocol:

Computational cost corresponding to the security functions executed on the UE, MME and the HSS for providing authentication to the UE are as follows.

$$\begin{aligned} \hbox {UE}: (\hbox {Enc} + \hbox {MAC} + f_{1} + f_{2} +f_{3} + f_{4} + f_{5} + 2\hbox {KDF} + \hbox {Dec} + \hbox {Enc} + \hbox {MAC})= & {} 12,\\ \hbox {MME:} (\hbox {Dec} + f_{1} + f_{2} +f_{3} + f_{5}+ \hbox {KDF} + \hbox {Enc} + \hbox {MAC} + \hbox {Dec})= & {} 9,\\ \hbox {HSS: } (f_{3} + f_{4} + \hbox {KDF})= & {} 3. \end{aligned}$$

For single authentication request, total number of security functions executed on EAKA-EPS is 24; hence, the overall computation number of EAKA-EPS against the security functions is as follows:

$$\begin{aligned} \hbox {computational cost } (\hbox {Cc}) = \hbox {Req}_{auth}\, (24)/\hbox {s}.\\ \end{aligned}$$

Figure 11 shows the overall computational cost of various suggested approaches corresponding to the mean density of the UEs/registration area. From the comparison results (figure 11) the authors can conclude that proposed approach achieves the goal of less computational overhead in comparison with the standard AKA. Computational overhead is a little bit more in comparison with the Fikadu’s approach (enhanced-AKA), but due to the security needs fulfilled by the suggested protocol it is bearable.

5.3 Storage overhead in the serving network

Memory consumption is incurred due to the newly introduced asymmetric keys, which are stored on the UE and the MME. Due to the secure wireless interface, IMSI transmission is secure and it replaces the need of dynamic TMSI assignment to the UE. With this, the suggested approach supports only horizontal key derivation; thus there is no need of NH keys and NCC values to be computed and stored on the MME and UE. This somewhat compensates for the storage overhead at the UE and the MME. In contrast to the suggested approach, the standard AKA approach stores 1.94 bits/s (\(\hbox {AV} (|\hbox {XRES}| + |\hbox {AUTN}| + |\hbox {Rand}| + |K_{ASME}|) \textit{n}\times 375.5)\) at the MME, where the required number of authentication vectors (n) is 10. However, for providing authentication to the UEs, authors’ approach needs to store only 0.09 bits/s (\(|K'_{ASME}| \times 375.5\)) at the MME. Storage overhead at MME for various suggested and standard approaches is depicted in figure 12 corresponding to the mean density of UEs/registration area, and from these results the authors conclude that EAKA-EPS achieves the goal of the storage overhead reduction at the serving network.

6 Implementation/simulation needs

The scope of the current research is to propose a more secure authentication and key agreement scheme for the LTE/LTE-A networks and to verify the security of the proposed scheme on AVISPA with its performance analysis. However, for the proof-of-concept, the EAKA-EPS protocol can be simulated on Network Simulator-3 (ns-3) version 3.17 and measurements can run on an Intel(R) Core(TM) i5 CPU@2.60 GHz with 4 gigabyte RAM under the Ubuntu 12.04 operating system.

7 Conclusion

In this research, the authors propose an Efficient Authentication and Key Agreement Protocol for Evolved Packet System, called EAKA-EPS. To the best of the authors’ knowledge, EAKA-EPS achieves all the specified objectives successfully within the defined scope. The proposed approach is a hybrid approach that includes both symmetric and asymmetric key encryptions but minimizes the use of the asymmetric encryption due to its excessive overhead. Unlike the other approaches, EAKA-EPS enables secure transmissions over the wireless interface, maintains strong mutual authentication between the entities and achieves AS secrecy at the time of \(X_{2}\) handovers. Moreover, the suggested approach was proven to thwart subscriber’s identity leak, DoS attack, MitM attack, replay attack, desynchronization attack and redirection attack. This new approach is formally verified on AVISPA and verification results are proven to be safe. Its performance analysis demonstrates that the suggested approach achieves the subscriber’s security needs and better performance in terms of bandwidth consumption, memory consumption and involved computational cost. Moreover, the EAKA-EPS protocol is applicable to the current architecture of LTE/SAE networks without the need of special software implementations. Finally, the researchers conclude that the suggested approach is powerful for the recent and upcoming generations of the mobile networks because of its novel features.