Countering Subscription Concealed Identifier (SUCI)-Catchers in Cellular Communications

Countering Subscription Concealed Identifier (SUCI)-Catchers in Cellular Communications

연구 분야: Infrastructure

학회: International Conference on Information Systems Security

We address privacy in the context of cellular communications; in particular, a lingering problem that a subscriber can be tracked via use of a Subscription Concealed Identifier (SUCI) that is an encryption of their Subscription Permanent Identifier (SUPI). The attack leverages the 5G Authentication and Key Agreement (AKA) protocol. We address the problem via a change to the protocol, that is the use of an ephemeral identifier generated from the SUPI rather than the SUPI itself. We articulate a number of design constraints from our observations about prior proposed solutions, that our solution meets. We address also the fact that we need two such identifiers to be valid at any moment, practical considerations such as a particular backwards-compatibility that our solution has, a formal verification of our approach using a theorem prover that has previously been used for 5G-AKA, and limitations of our approach. As such, our work addresses an important gap in security in the context of cellular communications.