AKMA+: Security and Privacy-Enhanced and Standard-Compatible AKMA for 5G Communication

The Authentication and Key Management for Applications (AKMA) protocol is a fundamental building block for security and privacy of 5G cellular networks. Therefore, it is critical that the protocol is free of vulnerabilities that can be exploited by attackers. Unfortunately, based on a detailed analysis of AKMA, we show that AKMA has several vulnerabilities that may lead to security and privacy breaches. We define AKMA+, an enhanced protocol for 5G communication that protects against security and privacy breaches while maintaining compatibility with existing standards. AKMA+ includes countermeasures for protecting communication between the user equipment (UE) and application functions (AFs) from attackers, including those within the home public land mobile network. These countermeasures ensure mutual authentication between the UE and the AKMA anchor function without altering the protocol flow. We also address vulnerabilities related to subscriber and AKMA key identifiers that could be exploited in linkability attacks. By obfuscating this data, AKMA+ prevents attackers from associating a target UE with its past application access. We employ formal verification to demonstrate that AKMA+ achieves key security and privacy objectives. We conduct extensive experiments demonstrating that AKMA+ incurs acceptable computational overhead, bandwidth costs, and UE battery consumption. [18], and Huawei [14] are integrating AKMA into 5G solutions, while telecommunication providers such as AT&T [4] and Verizon [38] are deploying AKMA-enabled networks to offer secure voice, data, and multimedia services. Mobile device manufacturers like Apple [3] and Samsung [23] are embedding AKMA support in their devices to ensure secure interaction with 5G networks and applications. AKMA is still in its early stages and is not yet fully mature. The 3GPP Technical Report (TR) 33.835 [24] identifies seventeen key issues (#1-#17) that need to be addressed as AKMA evolves. Our focus is on five key issues (#3, #5, #6, #7, and #16) that pose security and privacy threats and significantly undermine the foundation of AKMA from the protocol perspective. The remaining key issues in TR 33.835 pertain to the AKMA architecture framework, architecture interface, API, and regulatory compliance, which are beyond the scope of this work as they cannot be solved from the protocol perspective 1 . Key issues #5 (user privacy) and #7 (protecting subscriber's personal information in control and data traffic) are both related to the leakage of Subscription Permanent Identifier (SUPI) or AKMA key identifier (A-KID) within AKMA. This leakage enables application functions (AFs) and AKMA anchor functions (AAnFs) to link users across the network. We aim to address these issues to achieve user indistinguishability and thus enhance privacy protection in AKMA. Key issues #6 (secure communication between UE and AF) and #16 (application key freshness) are all related to insufficient protection of communication between user equipment (UE) and application functions (AFs). In AKMA, sensitive data exchanged between UE and AF are safeguarded by session keys derived in the home public land mobile network (HPLMN). However, the use of session keys in AKMA is vulnerable in several ways. First, the session keys can be accessed by the AKMA anchor function (AAnF) within HPLMN, al-1 Key issue #9 in TR 33.835 [24] specifies that the AKMA architecture must support key separation for different AFs. This issue has been addressed in the latest version of the AKMA specifications by including the AF identifier in the application key derive function (see Annex A.4 in TS 33.535 V18.4.0 [32] for details). Contributions. We propose AKMA+, a security and privacy-enhanced, standard-compatible revision to the 3GPP AKMA protocol. Our contributions are summarized below. ‚ We identify the root causes of the existing security and privacy issues from the AKMA protocol perspective and address them systematically in AKMA+ to achieve user indistinguishability, session key secrecy and forward secrecy for communication between UEs and AFs, and mutual authentication between UE and AAnF. ‚ We make AKMA+ standard-compatible by following all the AKMA commands, message flows, and data formats as defined by 3GPP. While data processing within each entity may be revised to enhance security and privacy, we ensure that AKMA+ can be seamlessly integrated into existing 5G infrastructure by utilizing only the cryptographic functions specified in 5G standards for data processing. ‚ We formally model AKMA+ using the Tamarin Prover and demonstrate that it achieves the desired security and privacy properties using formal verification. In one case, namely, UE indistinguishability, we combine Tamarin verification and a cryptography proof. ‚ Our implementations and performance analysis indicate that AKMA+ incurs acceptable overheads compared with AKMA. The additional computation costs range from 1.688 ms to 78.030 ms, and