
2014 IEEE Region 10 Symposium

An Efficient Authentication and Key Agreement Protocol for 4G (LTE) Networks
Kamal Ali Alezabi, Fazirulhisyam Hashim, Shaiful Jahari Hashim and Borhanuddin M. Ali
Dept. of Comp. and Comm. Systems Engineering, Faculty of Engineering,
Universiti Putra Malaysia, Selangor, Malaysia.
Email: [email protected], {fazirul,sjh,borhan}@upm.edu.my

978-1-4799-2027-3/14/$31.00 ©2014 IEEE 502

Abstract—Long Term Evolution (LTE) networks designed by the 3rd Generation Partnership Project (3GPP) represent a widespread technology. LTE is mainly influenced by high data rates, minimum delay and the capacity due to scalable bandwidth and its flexibility. With the rapid and widespread use of LTE networks, and the increased use of data/video transmission and Internet applications in general, the challenges of securing and speeding up data communication in such networks have also increased. Authentication in LTE networks is a very important process because most of the coming attacks occur during this stage. Attackers try to be authenticated and then launch the network resources and prevent the legitimate users from the network services. The basics of Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) are used in the LTE AKA protocol, which is called the Evolved Packet System AKA (EPS-AKA) protocol, to secure the LTE network. However, it still suffers from various vulnerabilities such as disclosure of the user identity, computational overhead, Man In The Middle (MITM) attack and authentication delay. In this paper, an Efficient EPS-AKA protocol (EEPS-AKA) is proposed to overcome those problems. The proposed protocol is based on the Simple Password Exponential Key Exchange (SPEKE) protocol. Compared to previously proposed methods, our method is faster, since it uses a secret key method which is faster than certificate-based methods. In addition, the size of messages exchanged between User Equipment (UE) and Home Subscriber Server (HSS) is reduced, which reduces authentication delay and storage overhead effectively. The Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is used to provide a formal verification. Results show that the proposed EEPS-AKA is efficient and secure against active and passive attacks.

Keywords—LTE, EPS-AKA, SPEKE, EEPS-AKA.

I. INTRODUCTION

The Third Generation Partnership Project (3GPP) started in November 2004 to define the long-term evolution of the Universal Mobile Telephone System (UMTS), which was also one of the 3GPP projects. 3GPP has many other projects such as High Speed Downlink Packet Access (HSDPA), High Speed Uplink Packet Access (HSUPA), Time-Division Synchronous Code Division Multiple Access (TD-SCDMA), System Architecture Evolution (SAE) and Long Term Evolution (LTE) release 8. The next step of LTE is LTE release 10 or LTE-Advanced, where multiple carriers have been aggregated to provide wider bandwidth and improved antenna technologies have been used in both directions, uplink and downlink. The widespread use of 4th Generation (4G) networks leads to more need for high bit rate and less delay in such networks. Moreover, the wireless nature of LTE networks leads to exponential proliferation of vulnerabilities, deficiencies, eavesdroppers and attacks; hence, wireless security management has become an encouraging environment for a large number of studies and research. The authentication and key agreement protocol is an important component in LTE networks, and plays a key role in the security of such networks. The 3GPP project continues evaluating and developing the AKA protocol as a part of the 3GPP security system, starting from 2G-AKA [1], 3G-AKA [2] or UMTS-AKA and reaching EPS-AKA [3] for 4G networks. 3G-AKA was developed based on the 2G security mechanism to meet the requirements of 3G networks and to overcome the deficiencies of the 2G-AKA protocol. However, there are some deficiencies such as tapping of the user's identity and difficulty of sequence numbers, etc. Recently, 3GPP has adopted the EPS-AKA protocol for the next-generation LTE networks. The framework of 3G-AKA is retained with improvements in security and performance. The Access Security Management Entity (ASME) is hosted in the Mobile Management Entity (MME) to provide access security and to act as a key distributor in the EPS-AKA protocol. Despite its safety and efficacy, EPS-AKA does not provide full protection for LTE networks and suffers from several drawbacks such as user identity attacks, communication cost, and bandwidth consumption. The user identity can be revealed when the International Mobile Subscriber Identity (IMSI) is sent in clear text in the first connection, which allows a user identity attack, when the MME cannot retrieve the IMSI using the Globally Unique Temporary Identity (GUTI), when visiting a new MME, or when a fake eNB requests the IMSI from the UE [4]. Many solutions and protocols have been proposed in several studies to address those drawbacks and improve the performance of EPS-AKA, but there has been no perfect solution so far. Unlike the previous solutions, where Public Key Infrastructure (PKI) and certificate-based solutions have been used, a shared key mechanism is used in this work, which leads to a decrease in the authentication delay and communication cost. In this paper, we present the limitations of previous works on the EPS-AKA mechanism; then, an efficient EPS-AKA protocol is proposed using a simple and strong mechanism based on the SPEKE protocol, with some improvements to adapt it to the LTE architecture. The shared secret key is not exchanged; instead it is computed using a strong method in the UE and the Home Subscriber Server (HSS) and used to protect the IMSI.

The remainder of this paper is organized as follows. Section II discusses in some depth the overview of EAP protocol
and methods; it also presents the methods that are used in this paper. Section III describes the proposed EEPS-AKA authentication method. Section IV provides security analysis of the proposed method, and its performance compared to other methods. Section V concludes the paper.

II. BACKGROUND

A. EPS-AKA protocol overview

The LTE system has two main networks: E-UTRAN, which is the access network (a network of eNBs), and the Evolved Packet Core (EPC), which is the core network. This structure makes LTE simple, scalable and efficient. The LTE architecture, including the Serving Gateway (SGW) and the Packet Data Network Gateway (P-GW), is illustrated in Figure 1. LTE uses an access security mechanism for authentication and key agreement between the UE and the eNB. It also uses handover key management to refresh the session keys securely when the UE moves from one eNB to another, to mitigate the attacks caused by a malicious BS. These mechanisms are called Authentication and Key Agreement (AKA), which is considered the LTE security mechanism. AKA provides mutual authentication between UE and eNB and it also provides key agreement.

Fig. 1. LTE Architecture

The EPS-AKA protocol is the last version of UMTS-AKA, where the improvements added have raised the degree of security, but made the protocol more complex. The components that play a part during the EPS-AKA authentication protocol are as follows:
1) UE and Universal Subscriber Identity Module (USIM).
2) Enhanced Node Base station (eNB), and Mobility Management Equipment (MME).
3) Home Subscriber Server (HSS).

The procedure starts when the eNB sends a user identity request to the UE. The details of the protocol are illustrated in Figure 2 and the following steps:

Fig. 2. EPS-AKA Authentication protocol

1) When the UE receives the user identity request, it sends its identity (IMSI) in the user identity response message to the eNB, which forwards it to the MME.

2) MME sends the received IMSI with its identity and network type in the data authentication request message to the HSS.

3) When receiving the data authentication request, the HSS uses the long-term key K shared with the UE; it also uses two types of functions, message authentication functions f1, f1*, and f2, and key generation functions f3, f4, f5, and f5*, to compute the EPS authentication vectors as follows:
Generate Random Nonce (RAND),
compute Message Authentication Code $MAC = f1_K(Seq_H \| RAND)$,
Expected Response $XRES = f2_K(RAND)$,
Cipher Key $CK = f3_K(RAND)$,
Integrity Key $IK = f4_K(RAND)$,
Authentication Token $AUTN = Seq_H \| MAC$,
the session key using Key Derivation Function (KDF) $K_{ASME} = KDF(CK, IK, MME_{ID})$; the $K_{ASME}$ key is the main difference between UMTS-AKA and EPS-AKA.
The EPS-AKA Authentication Vector is $AV = (RAND, AUTN, XRES, K_{ASME})$.

4) AVs are sent to the MME in the data authentication response message.

5) Upon the receipt of AVs from the HSS, the MME forwards only RAND and AUTN with a Key set identifier $KSI_{ASME}$ to the UE in the user authentication request message. $KSI_{ASME}$ is used by UE and MME to identify $K_{ASME}$.

6) UE receives the message, extracts $SQN_H$, computes the expected MAC (XMAC) and checks whether it matches the MAC received in AUTN for freshness reasons; then it checks the $SQN_H$ received from the HSS against its own SQN. If one of the two checks fails it sends an error; otherwise it computes the response RES and sends it to the MME, and computes $K_{ASME}$.

7) The MME checks the RES received from the UE against the XRES received from the HSS; if they are equal it sends a success message to the UE and the EPS-AKA procedure is successfully completed.
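
Steps 3 to 7 above as runnable code, added here as an illustration and not taken from the paper. f1 to f4 and the KDF are HMAC-SHA-256 stand-ins for functions the paper does not specify, and the field lengths, the strictly increasing sequence-number rule, the key and the MME identifier are assumptions constructed for the sketch.

```python
import hashlib
import hmac
import secrets

SQN_LEN, MAC_LEN, RES_LEN = 6, 8, 8  # field sizes in bytes (assumed for this sketch)


def f(tag, key, data, n):
    """Stand-in for f1..f4: HMAC-SHA-256 with a per-function tag, cut to n bytes."""
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:n]


def kdf(ck, ik, mme_id):
    """Stand-in KDF: K_ASME = KDF(CK, IK, MME_ID)."""
    return hmac.new(ck + ik, mme_id, hashlib.sha256).digest()


def hss_make_av(k, seq_h, mme_id):
    """Step 3: the HSS builds AV = (RAND, AUTN, XRES, K_ASME) from the long-term key K."""
    rand = secrets.token_bytes(16)
    seq = seq_h.to_bytes(SQN_LEN, "big")
    mac = f(b"f1", k, seq + rand, MAC_LEN)            # MAC = f1_K(Seq_H || RAND)
    xres = f(b"f2", k, rand, RES_LEN)                 # XRES = f2_K(RAND)
    ck, ik = f(b"f3", k, rand, 16), f(b"f4", k, rand, 16)
    return {"RAND": rand, "AUTN": seq + mac,          # AUTN = Seq_H || MAC
            "XRES": xres, "K_ASME": kdf(ck, ik, mme_id)}


class UE:
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn                     # sqn: highest Seq_H accepted so far

    def respond(self, rand, autn, mme_id):
        """Step 6: check XMAC against MAC, then SQN freshness; return (RES, K_ASME)."""
        seq, mac = autn[:SQN_LEN], autn[SQN_LEN:]
        xmac = f(b"f1", self.k, seq + rand, MAC_LEN)
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure")           # sender lacks K, or AUTN/RAND altered
        seq_h = int.from_bytes(seq, "big")
        if seq_h <= self.sqn:                         # assumed rule: strictly increasing
            raise ValueError("SQN failure")           # replayed (RAND, AUTN)
        self.sqn = seq_h
        ck, ik = f(b"f3", self.k, rand, 16), f(b"f4", self.k, rand, 16)
        return f(b"f2", self.k, rand, RES_LEN), kdf(ck, ik, mme_id)


def mme_authenticate(ue, av, mme_id, rand=None, autn=None):
    """Steps 5-7: forward only RAND and AUTN, then compare RES with XRES.

    rand/autn override what goes over the air so that tampering can be modelled.
    """
    try:
        res, k_asme_ue = ue.respond(rand or av["RAND"], autn or av["AUTN"], mme_id)
    except ValueError as err:
        return str(err), None
    if not hmac.compare_digest(res, av["XRES"]):
        return "RES mismatch", None
    return "success", k_asme_ue


def demo():
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test key
    mme_id = b"mme-01"                                        # constructed identifier
    ue = UE(k)
    av = hss_make_av(k, seq_h=1, mme_id=mme_id)
    first, k_asme = mme_authenticate(ue, av, mme_id)
    replay, _ = mme_authenticate(ue, av, mme_id)              # same vector sent again
    av2 = hss_make_av(k, seq_h=2, mme_id=mme_id)
    bad_autn = av2["AUTN"][:-1] + bytes([av2["AUTN"][-1] ^ 1])
    tampered, _ = mme_authenticate(ue, av2, mme_id, autn=bad_autn)
    rogue_av = hss_make_av(secrets.token_bytes(16), seq_h=3, mme_id=mme_id)
    rogue, _ = mme_authenticate(ue, rogue_av, mme_id)         # network that lacks K
    return {"first": first, "keys_match": k_asme == av["K_ASME"],
            "replay": replay, "tampered": tampered, "rogue": rogue}


if __name__ == "__main__":
    print(demo())
```

The IMSI never appears in this part of the exchange; it travels in clear in steps 1 and 2, which is the exposure the paper sets out to remove.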

B. SPEKE Method Overview

EAP-SPEKE is one of the strongest EAP methods. It is based on a password that is shared only between peer and authenticator. In general, EAP-SPEKE is easier to set up than certificate-based authentication methods and it is resistant to both active and passive attacks such as MITM, replay, password sniffing and brute force. It generates a strong session key that can be used in data encryption. The password or Id in this method can be saved in a manner not easily detectable by attacks. In this method, peer/MS and authenticator/AS share a password psw and use a large safe prime p and a hash function H. MS and AS calculate the generator g of the prime, where $g = H(psw)^2 \bmod p$. MS computes and sends A to AS, where $A = g^a \bmod p$ and a is MS's secret value. Then the AS computes the parameters to generate B, where $B = g^b \bmod p$ and b is AS's secret value; then it computes the session key $K_s$ as $K_s = A^b \bmod p$, chooses a random value $R_b$, encrypts it using $K_s$ and sends it to MS. After that, MS computes $K_s$ as $K_s = B^a \bmod p$, chooses a random value $R_a$, encrypts $R_a$ and $R_b$ using $K_s$, then sends $K_s(R_a, R_b)$ to AS. AS verifies the received $R_b$ against its value to authenticate MS; if matched, it encrypts the received $R_a$ with $K_s$ and sends it to MS. MS verifies AS by checking the received $R_a$ against its value. At this point the mutual authentication is completed. We improve the SPEKE protocol to generate stronger keys and apply it in our proposed method with some adaptation to provide a secure exchange of the user identity in LTE networks. Figure 3 illustrates the mechanism of the SPEKE protocol.

Fig. 3. SPEKE Authentication protocol

C. Related Work

Many papers suggested solutions directly to secure the network against certain types of attacks such as MITM, user disclosure, brute force, replay, etc., while others have worked to improve the performance of the AKA authentication mechanism in LTE networks in terms of authentication delay, authentication cost, bandwidth, and energy consumption.

One of those solutions has been presented in [5], in which the authors have proposed a fast authentication method called EAP-FAKA to enhance the original AKA method by reducing the authentication delay and signaling cost and satisfying the security properties. EAP-FAKA is based on Elliptic Curve Diffie-Hellman (ECDH) and a symmetric cryptosystem. The main idea in this method is to protect the UE identity (IMSI) by using a temporary ID and generating CK, IK keys using pre-shared secret keys.

Another solution has been provided in [6], where the authors have proposed a new authentication method by improving the EPS-AKA. The new authentication method is based on proxy signature to solve the vulnerabilities in the handover process such as system complexity caused by multiple key management mechanisms, handover delay caused by exchanging messages between UE and MME, and the backward secrecy. The proposed method includes two phases: an initial attach phase to prepare the next handover authentication, and a uniform handover authentication phase to complete a mutual authentication between the UE and the new eNB.

The authors in [7] have analyzed the EPS-AKA and its vulnerabilities. The idea of the proposed method is to modify the AV by replacing some fields such as AUTN.SQN, AUTN.MAC by AUTN.CID, AUTN.RESUE respectively. The reason for this modification is to provide a full authentication between USIM and MME and to eliminate the need for extra steps for deriving IC, CK as in EPS-AKA; however, some entities such as ESIM need a new subscriber module, the new AV is not fully compatible with EPS-AV, and the interworking still needs to be detailed.

On the other hand, the authors in [8] have proposed an improved AKA (I-AKA) to reduce the power consumption utilized by authentication steps as well as to secure the authentication process against DoS attacks. The authors discussed the network layer authentication and the IP Multimedia Subsystem (IMS) service layer authentication; they improved the network authentication (EPS-AKA) by using the IP Multimedia Private-user Identity (IMPI) and using a new key hierarchy for the IMS authentication.

In [9] the vulnerabilities of EAP-AKA such as IMSI disclosure, MITM, bandwidth consumption, lack of forward secrecy, computational overhead, and SQN synchronization have been discussed, and a new AKA authentication protocol based on EAP-AKA is proposed by combining Elliptic Curve Diffie-Hellman (ECDH) and symmetric key cryptosystem to
overcome those vulnerabilities. The proposed method prevents replay and MITM attacks by using a timestamp and authenticating the AP, and it provides user privacy by using a temporary user identity; however, verifying the solutions provided is required.

An enhancement of the AKA protocol called Enhancement Mobile Security and User Confidentiality (EMSUCU) for UMTS has been proposed in [10] to overcome some problems such as user identity disclosure and secret key exposure. The idea of the EMSUCU protocol is to encrypt the permanent identity of the UE (IMSI) and use the encrypted IMSI whenever the temporary IMSI cannot be used. The new protocol enhanced EMSUCU in some aspects such as using a hash function instead of encryption functions to speed up the procedure, increasing the level of security by increasing the size of the key (Kc) by using a new security function f11 to generate the key Kc that is used to encrypt the IMSI, eliminating the use of the shared key, and protecting the exchanged messages of the AKA protocol that contain (RAND, RES, AUTN, CK, IK).

In the same subject, the work in [11] has studied the EPS-AKA protocol and addressed some issues such as user identity and how to protect the users from a malicious MME. The authors proposed a modified AKA protocol called hybrid scheme HSK-AKA based on the method proposed in [12]. The HSK-AKA protocol minimizes the use of public key cryptography by using it in digital signatures and using symmetric key cryptography in USIM functions to reduce the energy consumption. It achieves better performance compared to some protocols such as SE-AKA [13] in terms of computational overhead and delay, as well as fulfilling the security requirements.

In [14], the authors have analyzed the shortages of the EPS AKA mechanism such as disclosure of user identity and MITM attack. The authors highlighted that the communication between MME and HSS is not secured; as a result, the AV will be at risk. To overcome those issues, an enhanced mechanism called Security Enhanced Authentication and Key agreement (SE-EPS AKA) has been proposed based on Wireless Public Key Infrastructure (WPKI) and the ECC (Ellipse Curve Cipher) encryption method. The proposed mechanism has been proved using a formal verification model. To protect the user identity, the IMSI in the SE-EPS-AKA protocol is encrypted using the public key of the HSS. In addition to the public key, the possible IMSIs ($10^{10}$) are known, which leads to a brute force attack.

III. THE PROPOSED EEPS-AKA METHOD

The proposed protocol uses the basics of the SPEKE method with some modification to protect the IMSI and generate a strong shared key in the authentication messages exchanged between UE, MME, and HSS. Two random values (u and d) are chosen by the UE to generate the key A, which makes the shared key always different even though the same values $(A^u, B^m)$ are used. The protocol starts when the MME computes its value B and sends it to the UE with the user identity request message. After that, the UE computes its value A using two random values (u and d), and the shared secret key $K_{um}$ using the f function; this key is used to protect the IMSI. When the MME receives the protected IMSI (PIMSI), it calculates the $K_{um}$ key and forwards it to the HSS with other values. HSS and UE can verify each other via the random values computed by the $K_{um}$ and $K_{uh}$ keys. To provide perfect forward secrecy, the secret key is also used to compute the keys generated in the later steps such as (IK, CK, MSK). The details of the proposed method are in Figure 4 and the following steps:

1) MME computes $B = g^m \bmod p$, and attaches B to the user identity request message, which is sent to the UE via the eNB.
2) UE computes $A = g^{ud} \bmod p$, and uses the received B to compute the symmetric shared key $K_{um} = B^u \bmod p$, which is computed in UE and MME. Then it chooses a random nonce $R_u$ and uses key $K_{um}$ with function f to compute PIMSI, where $PIMSI = f_{K_{um}}(IMSI, R_u)$, and then it sends the message $A, PIMSI, R_u$ to the MME.
3) Upon receipt of the user identity response message, MME computes the shared key $K_{um} = A^m \bmod p$, and forwards $K_{um}, PIMSI, R_u$ to the HSS server. It also computes the shared key $K_{uh}$, which is computed in UE and HSS, $K_{uh} = K_{um} \oplus K$, where K is the pre-shared key between UE and HSS.
4) The HSS checks the IMSI and retrieves the corresponding key for the UE. It also checks the received value $R_u$ against the value retrieved from PIMSI; then it computes key $K_{uh}$, which is computed in UE and HSS, $K_{uh} = K_{um} \oplus K$, where K is the pre-shared key between UE and HSS. After that it chooses a random value $R_h$, and uses $K_{uh}$ and $R_h$ to generate the HSS Verification value (HSSV) and Expected Response (XRES), where $HSSV = f1_{K_{uh}}(R_u, R_h)$ and $XRES = f2_{K_{uh}}(R_h)$; then it sends HSSV and XRES to the MME.
5) MME generates a random value $R_m$, computes the MME Verification value (MMEV), where $MMEV = f1_{K_{um}}(HSSV, R_m)$, and sends the message $(MMEV, R_m, R_h)$ to the UE.
6) UE verifies HSSV and MMEV to authenticate the HSS server and the MME; if they match it generates the RES value, where $XRES = f2_{K_{uh}}(R_h)$, and sends it to the MME.
7) MME checks the received RES against the XRES; if they match it sends a success message to the UE, otherwise it sends a failure message.

IV. SECURITY ANALYSIS

A. Proof of Security requirements

1) Mutual authentication: Our proposed protocol provides a strong mutual authentication between UE and HSS. The UE challenges the HSS in the Authentication data request message, with the encryption of its identity (IMSI) using the secret key computed in the HSS. Only the HSS can compute the secret key, hence the HSS can retrieve the user identity.

2) User identity protection: In EPS-AKA, since the MME sends the identity request message to the UE, the UE must reply with a response message containing its real identity IMSI. Unfortunately, an adversary can get the IMSI of the UE by sending an identity request to the UE; then he/she can use it for different purposes. The
adversary then gets IMSI of UE. In our proposed EEPS-AKA protocol, we use a secret shared key $K_{um}$ generated by the UE to protect the identity IMSI of the MS. The secret shared key is computed based on improved SPEKE, which is considered one of the strongest authentication methods. The $K_{um}$ key is also computed by the MME and sent to the HSS to decrypt and verify the received IMSI; it is also used to compute the shared key $K_{uh}$. Except MME and UE, nobody can generate the secret key $K_{um}$. If an adversary sends an identity request to the UE to get the IMSI, he/she will not be able to learn the IMSI, even if he/she eavesdrops the A and B values.

Fig. 4. The proposed EEPS-AKA protocol

3) Signaling Overhead: All steps of the proposed EEPS-AKA protocol are identical to the EPS-AKA. No additional round-trip delays are introduced compared to the original EPS-AKA.

4) MITM attack: Our proposed protocol is resistant to MITM attack. The user identity cannot be retrieved or altered by the attacker, since it is protected by a strong secret key, which only the UE and HSS can do. Moreover, the secret key is not transmitted or exchanged either in clear or encrypted text.

5) Brute force attack: This type of attack obtains the exchanged secret keys and checks all possible keys until the correct key is found. In the EEPS-AKA protocol, the shared secret key is not exchanged and so is not exposed to a brute force attack. In addition, shared keys are computed in a way that makes them difficult to obtain.

6) Key Hierarchy: In the EEPS-AKA protocol, the key $K_{uh}$, which is computed in UE and HSS, can be used for future vertical handover, where there is no need to compute it again in both the UE and the target HSS.

7) Perfect Forward Secrecy: The EPS-AKA uses symmetric key K shared between the UE and the HSS to provide authentication and key agreement and generate CK, IK, and MSK. The attacker can disclose K; therefore, EPS-AKA does not provide perfect forward secrecy. In our proposed protocol the secret key, which is linked with the long-term key K, is used to generate the AKA keys and no one owns it except UE and HSS, since it is computed separately rather than exchanged.

Fig. 5. Output of the proposed protocol verification tool

B. Formal Analysis using AVISPA

AVISPA is a simulation tool that can be used to model and analyze security protocols. The mutual authentication and secrecy properties can be examined using AVISPA. In this work, the On-the-fly Model-Checker (OFMC) backend in AVISPA is used to validate the proposed EEPS-AKA. This is mainly due to its interesting features such as supporting various security protocols, checking whether the verified protocol is able to provide strong authentication and secrecy, and, most importantly, that OFMC tries to prove the lack of security in the protocol rather than proving its security. OFMC also provides details about the attack traces in case one occurs; otherwise its output shows that the protocol is safe. The specifications of the EEPS-AKA method are written using HLPSL
language and it is compiled and translated in the IF tool in Security Protocol Animator (SPAN) for AVISPA. Figure 5 shows the output of protocol execution using the OFMC tool, which shows that the proposed protocol is secure and the authentication and session key secrecy goals are achieved.

The goal of this verification is the mutual authentication and secrecy of keys as shown in Figure 6. K1 represents the secret key computed in UE and HSS. It is a name for the secrecy property declared in role UE. K2 represents the session key $K_{ASME}$. The keys K1 and K2 are known only to agents UE and HSS in the protocol run. The names of authentication r1 and r2 represent the authentication property declared in roles UE and HSS.

Fig. 6. The goals of the proposed authentication in AVISPA

C. Performance Evaluation

Authentication message size plays a key role in communication overhead. We calculate the size of the authentication messages in EEPS-AKA as follows:
Message1 = $B$ = 192 bits.
Message2 = $A \| PMSI \| R_u$ = 448 bits.
Message3 = $K_s \| PMSI \| R_u$ = 304 bits.
Message4 = $HSSV \| XRES \| R_h$ = 352 bits.
Message5 = $MMEV \| R_m \| R_h$ = 416 bits.
Message6 = $RES$ = 64 bits.

The total message size is 1776 bits. Compared with the authentication protocols in [15] - [16], where the total authentication message sizes are 2184 and 1888 bits respectively, EEPS-AKA reduces the communication overhead. Moreover, our proposed protocol is more efficient and faster than the protocols proposed in [14] - [17], since it uses a secret key method, which is faster than full public key and certificate-based methods; this leads to reduced delay and computational overhead.

V. CONCLUSION

Despite its safety and efficacy, EPS-AKA does not provide full protection for LTE networks and it suffers from several drawbacks such as user identity attacks, signalling overhead, and bandwidth consumption. The user identity can be revealed when the IMSI is sent in clear text in the first connection, which leads to a user identity attack. In addition, perfect forward secrecy is not fully provided, since all keys are generated using a single key which could be disclosed and be a weak point of the protocol. Many solutions have been proposed to solve those problems, but there was no perfect solution. Some of those solutions used full public cryptography, which leads to an increase in delay. Unlike the previous methods, we propose an efficient AKA protocol based on a secret key to provide strong protection of the user identity and generate a stronger shared key with less computational overhead. The AVISPA tool is used to provide a formal verification. The results show that the proposed EEPS-AKA is efficient and secure against active and passive attacks. Future work will be designing an analytical model for the proposed method to prove its efficiency.

REFERENCES

[1] G. . V6.1.0., “Digital cellular telecommunications system (Phase 2+); Security aspects (GSM 02.09 version 6.1.0 Release 1997),” 1997.
[2] T. G. P. P. (3GPP), “3G security; Security architecture (Release 8),” in 3GPP TS 33.102 v8.2.0, 2009.
[3] T. G. P. P. (3GPP), “3G system architecture evolution (SAE); Security architecture (Release 8),” in 3GPP TS 33.401 v8.2.1, 2009.
[4] 3rd Generation Partnership Project (3GPP), “3GPP system architecture evolution (SAE), TS 33.401,” 2011.
[5] Y. Idrissi, N. Zahid, and M. Jedra, “Security analysis of 3GPP (LTE) - WLAN interworking and a new local authentication method based on EAP-AKA,” in Future Generation Communication Technology (FGCT), 2012 International Conference on, pp. 137–142, 2012.
[6] J. Cao, H. Li, M. Ma, Y. Zhang, and C. Lai, “A simple and robust handover authentication between HeNB and eNB in LTE networks,” Computer Networks, vol. 56, no. 8, pp. 2119–2131, 2012.
[7] G. Koien, “Mutual entity authentication for LTE,” in Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th International, pp. 689–694, 2011.
[8] L. Gu and M. Gregory, “A green and secure authentication for the 4th generation mobile network,” in Australasian Telecommunication Networks and Applications Conference (ATNAC), 2011, pp. 1–7, 2011.
[9] H. Mun, K. Han, and K. Kim, “3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA,” in Wireless Telecommunications Symposium, 2009. WTS 2009, pp. 1–8, 2009.
[10] D. Caragata, S. El Assad, C. Shoniregun, and G. Akmayeva, “UMTS security: Enhancement of identification, authentication and key agreement protocols,” in Internet Technology and Secured Transactions (ICITST), 2011 International Conference for, pp. 278–282, 2011.
[11] K. Hamandi, I. Sarji, A. Chehab, I. Elhajj, and A. Kayssi, “Privacy enhanced and computationally efficient HSK-AKA LTE scheme,” in Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on, pp. 929–934, 2013.
[12] C. K. Huan, “Security analysis and enhancements in LTE-Advanced networks,” doctoral dissertation, Dept. of Mobile Systems Engineering, Sungkyunkwan University, South Korea, 2011.
[13] Y. Deng, H. Fu, X. Xie, J. Zhou, Y. Zhang, and J. Shi, “A novel 3GPP SAE authentication and key agreement protocol,” in Network Infrastructure and Digital Content, 2009. IC-NIDC 2009. IEEE International Conference on, pp. 557–561, 2009.
[14] L. Xiehua and W. Yongjun, “Security enhanced authentication and key agreement protocol for LTE/SAE network,” in Wireless Communications, Networking and Mobile Computing (WiCOM), 2011 7th International Conference on, pp. 1–4, 2011.
[15] C. Lai, H. Li, R. Lu, and X. S. Shen, “SE-AKA: A secure and efficient group authentication and key agreement protocol for LTE networks,” Computer Networks, vol. 57, no. 17, pp. 3492–3510, 2013.
[16] Y.-W. Chen, J.-T. Wang, K.-H. Chi, and C.-C. Tseng, “Group-based authentication and key agreement,” Wireless Personal Communications, vol. 62, no. 4, pp. 965–979, 2012.
[17] M. Prasad and R. Manoharan, “Secure authentication scheme for long term evolution-advanced,” in Information Communication and Embedded Systems (ICICES), 2013 International Conference on, pp. 11–15, 2013.
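
The SPEKE exchange of Section II-B, which the key derivation of Section III builds on, as an added Python example that is not part of the original paper. The 64-bit safe prime, SHA-256 as H, the XOR stand-in for encryption under $K_s$, the check that refuses the public values 0, 1 and p-1, and the passwords are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; with these bases the answer is exact for n < 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits=64):
    """Smallest safe prime p = 2q + 1 above 2**(bits-1); demo size, not 'large'."""
    p = (1 << (bits - 1)) + 3
    while not (is_prime((p - 1) // 2) and is_prime(p)):
        p += 4                                   # safe primes above 5 are 3 mod 4
    return p


P = find_safe_prime()
Q = (P - 1) // 2


def generator(psw):
    """g = H(psw)^2 mod p; squaring puts g in the subgroup of prime order q."""
    return pow(int.from_bytes(hashlib.sha256(psw.encode()).digest(), "big"), 2, P)


def checked(value):
    """Added hardening: refuse 0, 1 and p-1, for which K_s would not depend on psw."""
    if not 1 < value < P - 1:
        raise ValueError("invalid public value")
    return value


def crypt(ks, label, data):
    """Stand-in cipher: XOR with SHA-256(K_s || label), one label per message."""
    pad = hashlib.sha256(ks.to_bytes(8, "big") + label).digest()
    return bytes(x ^ y for x, y in zip(data, pad))


def speke_run(psw_ms, psw_as, forced_a=None):
    """Run the MS/AS exchange; forced_a replaces A to model a malformed message."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    big_a = pow(generator(psw_ms), a, P) if forced_a is None else forced_a
    big_b = pow(generator(psw_as), b, P)
    r_a, r_b = secrets.token_bytes(8), secrets.token_bytes(8)
    try:
        ks_as = pow(checked(big_a), b, P)                    # AS: K_s = A^b mod p
    except ValueError:
        return "AS rejected A", False
    c1 = crypt(ks_as, b"1", r_b)                             # AS -> MS: B, K_s(R_b)
    ks_ms = pow(checked(big_b), a, P)                        # MS: K_s = B^a mod p
    c2 = crypt(ks_ms, b"2", r_a + crypt(ks_ms, b"1", c1))    # MS -> AS: K_s(R_a, R_b)
    opened = crypt(ks_as, b"2", c2)
    if not hmac.compare_digest(opened[8:], r_b):             # AS authenticates MS
        return "AS rejected MS", False
    c3 = crypt(ks_as, b"3", opened[:8])                      # AS -> MS: K_s(R_a)
    if not hmac.compare_digest(crypt(ks_ms, b"3", c3), r_a):
        return "MS rejected AS", False
    return "mutual authentication", ks_ms == ks_as


if __name__ == "__main__":
    print(speke_run("shared-psw", "shared-psw"))             # constructed passwords
    print(speke_run("shared-psw", "other-psw"))
    print(speke_run("shared-psw", "shared-psw", forced_a=1))
```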
