privacy through pseudonymity in mobile telephony systems · tems concerns content-secrecy,...

Privacy through Pseudonymityin Mobile Telephony Systems

Myrto ArapinisUniversity of Edinburgh

[email protected]

Loretta Ilaria ManciniUniversity of [email protected]

Eike RitterUniversity of [email protected]

Mark RyanUniversity of [email protected]

Abstract—To protect mobile phone from tracking by thirdparties, mobile telephony systems rely on periodically chang-ing pseudonyms. We experimentally and formally analyse themechanism adopted to update these pseudonyms and point outdesign and implementation weaknesses that defeat its purpose byallowing the identification and/or tracking of mobile telephonyusers. In particular, the experiments show that the pseudonymchanging mechanism as implemented by real networks does notachieve the intended privacy goals. Moreover, we found out thatthe standard is flawed and that it is possible to exploit theprocedure used to assign a new pseudonym, the TMSI reallocationprocedure, in order to track users. We propose countermeasuresto tackle the exposed vulnerabilities and formally prove thatthe 3GPP standard should require the establishment of a freshciphering key before each execution of the TMSI reallocationprocedure to provide unlinkability.

I. INTRODUCTIONIf a third party that eavesdrops on the radio link was able to

identify wireless messages as coming from a particular mobilephone, he would be able to track the location of the mobilephone user in real-time. Mobile phone signalling is used forexample by market research companies such as [1], [2] in orderto track the movements of people within a shopping centre.Contrary to location based service companies, these companiesare tracking bearers of mobile phones in an anonymous wayyet without their consent, without offering them a service,and sharing the tracking information with parties which havenot previously been agreed with the mobile phone bearers.Similar tracking techniques could lead to stalking and otherforms of harassment, as well as more mundane invasions ofprivacy [3]. In order to prevent this, mobile phone protocolsemploy temporary identifiers (TMSIs) instead of using long-term unique identities (IMSIs) to identify mobile phones.Temporary identities are periodically updated by the networkby means of the TMSI reallocation procedure. To ensureconfidentiality of a newly assigned TMSI, it is transmittedencrypted using a ciphering key.

Our aim in this paper is to analyse what conditions arerequired in order for this arrangement to guarantee user privacy

as intended. In particular, two aspects appear to be important:

1) TMSI reallocation will protect user privacy only ifTMSIs are re-allocated often enough, and at the righttimes (e.g., when users move between locations). The3GPP standard does not rigorously define the con-ditions under which TMSI reallocation takes place.We show that the lack of precise directives permitsimplementations which violate user privacy.

2) The success of TMSI reallocation requires that anattacker with access to the radio channel cannotlink the new TMSI to the old one. Encrypting theTMSI in the allocation message is necessary butnot sufficient to ensure that. It turns out that otherfactors, in particular the use of a fresh encryptionkey for each TMSI reallocation, are also necessary toguarantee unlinkability of old and new TMSIs. The3GPP standard does not mandate this, again leavinguser privacy subject to choices made by networkoperators.

We analyse the TMSI reallocation procedure from both aformal and an experimental point of view. Our experimentalanalysis exposes the adoption by deployed network implemen-tations of weak policies with respect to privacy and hence arevulnerable to tracking mobile phone users. We show that theTMSI reallocation procedure does not provide unlinkability onmost of the analysed mobile networks, because:

1) pseudonyms are not updated frequently;

2) the frequency of updates of pseudonyms does notdepend on the amount of activity exposing them totracking adversaries;

3) the same pseudonyms are maintained across differentareas, making users linkable within wide areas;

4) it is possible to mount a replay attack on the TMSIreallocation procedure.

All these issues defeat the objective of introducing TMSIs.Our formal analysis allows us to prove the condition underwhich the TMSI reallocation procedure provides unlinkability.In particular, we formally prove that the establishment of a newencryption key before each execution of the procedure shouldbe a mandatory requirement in the standard specification.

Our Contributions. We present a formal and an experi-mental analysis of the subscriber’s privacy in cellular networks

Permission� to� freely� reproduce� all� or� part� of� this� paper� for� noncommercial�purposes� is�granted�provided� that�copies�bear� this�notice�and� the� full�citation�on�the�first�page.�Reproduction� for�commercial�purposes� is�strictly�prohibited�without�the�prior�written�consent�of�the�Internet�Society,�the�first-named�author�(for� reproduction� of� an� entire� paper� only),� and� the� author’s� employer� if� the�paper�was�prepared�within� the� scope�of�employment.NDSS�’14,�23-26�February�2014,�San�Diego,�CA,�USACopyright�2014� Internet�Society,� ISBN�1-891562-35-5http://dx.doi.org/��QGVV��

http://dx.doi.org/10.14722/ndss.2014.23082

and in particular of the TMSI reallocation procedure. Wehighlight deficiencies in the standard and show how thesehave led to flawed implementations which do not trigger thereallocation procedure often enough, and when they do theysometimes allow linkability attacks. Our experimental analysisreveals some real and novel network scenarios which allow athird party to violate a user’s privacy despite the reallocationprotocol being used according to the current standard. Inour formal analysis, we prove that the TMSI reallocationprocedure provides unlinkability in case a new ciphering keyis established before each execution of the TMSI reallocationprocedure and we discuss other possible countermeasures. Thisproof is one of the few examples in the literature [4], [5]of a proof of labelled bisimilarity of a real-sized protocol.Our proof makes use of both manual and automatic prooftechniques.

Terminology. In 3GPP specifications, mobile phones to-gether with their SIM card are referred to as mobile stations,abbreviated MS. Mobile stations have a permanent identitystored in the SIM card, the International Mobile SubscriberIdentity, abbreviated IMSI. As stated, the serving network (SN)assigns a temporary identity to an MS, called the TemporaryMobile Subscriber Identity (TMSI).

When the network wants to deliver a service to a mobilestation (e.g. an incoming phone call) it sends a paging requestmessage specifying the identity of the MS (TMSI or IMSIif the TMSI is not known). The paging request is sent on acommon channel in all the locations most recently visited bythe MS. A MS continuously monitors the common channelused for paging of the area it is located in. When the MSreceives a paging request, it asks the base station it is attachedto to assign a dedicated channel. The MS the sends a pagingresponse containing its own identity (usually TMSI) in clear-text on the dedicated channel.

A. Related Work

Linkability of transactions has been identified and of-ten reported by the media as an important threat to userprivacy, in a variety of areas including on-line searches[6], road usage charging [7], electronic passports [8], andmobile telephony [3]. The problem of privacy is a multi-layer/multiprotocol problem [9] which requires all protocolsat all layers to satisfy the desired properties. Moreover,privacy properties are often violated because of subtle de-sign/implementation details, hence the need for careful analy-sis.

Most of the work on security of mobile telephony sys-tems concerns content-secrecy, integrity and authenticationproperties [10], [11], [12]. There are only few formal andexperimental studies concerning the level of usage-privacyprovided to the user by mobile telephony systems. Foo Kuneet al. [13] presented a study on the use of the paging procedureto locate mobile telephony users. They perform a trackingattack relying on passive sniffing of paging response messagestriggered by placing silent phone calls (obtained by hangingup before the receiving phone rings) for the victim phone.This technique allows one to reveal the presence of the victimin an area monitored by the attacker. Munaut and Nohl [11]

previously outlined a similar technique. They performed aGSM sniffing attack, which allows one to eavesdrop a GSMphone call by using a modification of the osmocom-BB [14]open source implementation of the GSM protocol stack and anold Motorola mobile phone. Differently from Foo Kune et al.,they used a silent SMS to trigger the paging responses neededto locate the victim. Although these works take advantage ofthe fact that a TMSI is allocated for a long time window,they do not analyse the security and privacy provided by theTMSI reallocation procedure. Moreover, in order to performthe attack, the adversary needs to know the mobile numberof the victim. Indeed, these attacks consist in establishing thepresence of a target MS in a given location by linking thetarget’s telephone number with its TMSI. This attack relies onthe fact that TMSI reallocation is not activity-dependent (asconfirmed by our experiments). This suggests the adoption ofactivity dependent reallocation strategies to thwart the attack.However, we show that reallocating a new TMSI after eachtransaction is not sufficient, because (as we experimentallyshow) encryption keys are reused in many deployed networksallowing the replay attack we present. This further privacythreat cannot be established from Foo Kune et al’s analysis.We formally prove that establishing fresh keys at each TMSIreallocation and adopting an activity-dependent reallocationstrategy thwarts Foo Kune et al’s attack. Additionally, we showthat deployed networks do not follow the standard as they donot all enforce TMSI reallocation at each change of LocationArea. This makes a MS traceable across Location Areas bysimple sniffing. This further privacy breach is beyond the scopeof Foo Kune et al’s analysis. So our findings further contributeto help improving future developments of this technology. Theexperiments we carried out show that real networks do notadopt policies for changing TMSI which are dependent on thenumber of exposure of the TMSI over-the-air by the mobilephone activity and hence they do not tackle these attacks.

Engel showed at the 25C3 conference [15] how networksignalling messages, triggered when sending/receiving SMSmessages, can be used to locate mobile telephony users. Hesuggests that network operators should use home routing, i.e.forwarding through the home network, as a countermeasure tothis SMS tracking attack. This attack requires access to theintra-network communication infrastructure, which althoughpossible may require subscription to a pay per query service.In this work, we analyse the privacy provided by the moreexposed over-the-air communication available to any attackerwith a radio enabled device and do not rely on the less easilyaccessible intra-network communication protocols.

The gsmmap project [16], [17] uses a variant of the opensource GSM protocol stack developed within the osmocom-BB project to assess and visually render on a map the level ofsecurity and privacy provided by network operators across theworld. In particular their aim is to check if network operatorsare protecting the users from well known attacks by adoptingcountermeasures such as the use of A5/3 encryption, paddingrandomization, and full authentication for outgoing calls andSMS to prevent impersonation and interception, and the useof regular TMSI updates, and home routing to prevent Engel’sSMS tracking attack.

The closest work to ours is the one presented in [18]which also analyses mobile telephony protocols from a privacy

2

MSIMSI, oTMSI,CK

NetworkIMSI, oTMSI,CK

L3 MSG, oTMSI

Management of means for ciphering: CK established

new nTMSI

{TMSI REALL CMD, nTMSI, nLAI}rCK

{TMSI REALL COMPLETE}rCK

Deallocate oTMSIDeallocate oTMSI

Fig. 1. TMSI Reallocation Procedure

point of view. Arapinis et al. [18] uncover some privacyattacks on the 3G authentication protocol and on the pagingprocedure. These attacks are exposed and exploited througha real implementation. The authors propose and automaticallyverify privacy-friendly fixes of the attacked procedures. Theprocedures analysed in [18] are not part of the identity manage-ment mechanisms of mobile telephony systems, in particularthey do not analyse the TMSI reallocation procedure that is theprocedure on which mobile telephony systems rely to provideanonymity and unlinkability from third parties. This procedureis the focus of our work. Moreover, in this work we areconcerned with both issues of the standard specifications andissues of the actual implementation by real networks. Noneof the issues concerning the identity management and thepseudonym changing mechanism that we identify in this paperarise from the analysis presented in [18]. Finally, the proofmethods used in [18] are too weak to prove the correctnessof the TMSI reallocation. We have to create new proof tech-niques. In particular we combine both manual and automaticproofs in order to obtain the unlinkability proof sketched inSection IV-C.

II. PSEUDONYMS FOR USER PRIVACY

A mobile station (MS) is uniquely identified by meansof its IMSI. To avoid over-the-air attackers from identifyingand linking a user’s transactions, a temporary identity calledTMSI is assigned by the network and is used to identifythe mobile station in protocol messages. The mobile stationidentity (its TMSI, if available, or its IMSI) is always includedin the first message sent from the MS to the network afterthe establishment of a dedicated channel. This allows thenetwork to identify the MS before delivering a service to it.For example, the identity is carried in location update requests,CM (Call Management) requests, and paging responses. Theuse of TMSIs avoids the exposure of the long term uniqueidentity (IMSI) and hence provides third-party anonymity tomobile telephony subscribers. The 3GPP standard specifies thata new TMSI should be assigned at least at each change oflocation area. Besides this constraint, the choice of how often

a new assignment is performed within a location area is leftto the network operators [19]. In order to prevent an adversarylinking the old TMSI with the new one, the assignment of anew TMSI is performed in ciphered mode. The session keyused to encrypt the new TMSI is established by executing theAKA protocol.

A. TMSI Reallocation Procedure

The TMSI reallocation procedure assigns a new pseudonym(TMSI) to a mobile station. The new TMSI is sent to the mo-bile station in an encrypted fashion. Figure 1 depicts the TMSIreallocation procedure as defined in the 3GPP standard [19],[20]:

• The mobile station sends a first message on a dedi-cated channel. This message contains the current MS’stemporary identity oTMSI;

• on receipt of this message, the network can identifythe MS and establish means for ciphering of thesubsequent communication on the dedicated channel;

• the rest of the communication is then encrypted andconsists of a TMSI reallocation command messagecontaining a new pseudonym nTMSI chosen by thenetwork and the current location area nLAI (the areawithin which nTMSI is meaningful);

• this message is followed by a TMSI reallocation com-plete message which is sent by the MS to acknowledgethe completion of the reallocation procedure.

If the network does not receive the expected acknowledge-ment from the MS, it maintains both oTMSI and nTMSI asvalid pseudonyms for the the IMSI. The network can performa TMSI reallocation at any time whilst a dedicated channel isestablished. The standard does not fully specify how often thisprocedure should be performed. However, it mandates that itshould at least be performed at each change of location [19].The standard defines two options for the management of themeans for ciphering (i.e. to establish the ciphering key CK):(1) either a fresh ciphering key is established by executingthe authentication procedure; (2) or a previously establishedciphering key can be restored by means of the security modeset-up procedure, which allows the MS and the network toagree on a ciphering algorithm.

B. Subscriber Privacy Analysis

The 3GPP standard relies on frequent reallocation of TM-SIs in order to provide user’s untraceability. In particular, itmandates that TMSI reallocation should be performed when-ever the MS moves between “location areas” (identified bylocation area identifiers, LAIs). However, it is known thatlocation areas often extend over several square kilometres, anda subscriber’s movements are typically confined within one ortwo location areas [21], [22]. So location areas may be toolarge to trigger TMSI reallocations in practice. Moreover, weshow that one of the policies defined by the standard for theestablishment of the ciphering key, namely the use of restoredkeys, allows a linkability attack on the TMSI reallocation pro-cedure. In particular, we show that is adopted by real networkswhich makes their users vulnerable to tracking. Hence the

3

Fig. 2. Experimental Tools

Fig. 3. Osmocom-BB architecture

standard should forbid the use of a previously establishedciphering key for the execution of the TMSI reallocationprocedure.

Section III reports on our experimental analysis. We mon-itored over-the-air communications of idle and active MSsin order to understand how real networks implement useridentity confidentiality through the use of TMSIs, both in termsof frequency of reallocation, and ciphering keys used. Ourexperiments confirm that the reuse of previously establishedkeys is a commonly adopted policy. However, we show that incase the reuse of encryption keys is adopted for the executionof the TMSI reallocation procedure, this enables a linkabilityattack which makes it possible to link old and new TMSIs.

In Section IV, we introduce the formal tools we use,and in Section IV-B the formal definition of unlinkability. InSection IV-C, we formally prove that using a fresh key for eachTMSI reallocation would be enough to ensure users’ privacy.

III. EXPERIMENTAL ANALYSIS

Our experiments were carried out using an old GSMMotorola C115 mobile phone in France, UK, Greece, and Italyand using SIM cards from all the major UK, Greek, and Italiannetwork operators.1

1More specifically, we used O2, T-Mobile, Vodafone, and Orange in theUK; Vodafone and Wind in Greece; Bouygues and Orange in France; andWind, Vodafone and TIM in Italy.

A. Experimental Settings and Scenarios

The Motorola C115 has a TI Calypso baseband chipsetwhich is supported by the Osmocom-BB project [14]. TheOsmocom-BB project includes an open source implementationof the GSM baseband and various other applications aiming toimplement a GSM mobile station. The radio communicationfunctions are implemented in the firmware which is flashedfrom a laptop into the mobile phone through the Osmoconsoftware, by means of a T191 unlock cable (Figure 2). Thefirmware implements layer 1 of the GSM protocol stack, whilelayers 2 and 3 are implemented in specialised applicationsrunning on the laptop and communicating with the mobilephone through the T191 cable (Figure 3). In particular, weused the ‘mobile’ application which implements layer 2 and 3of the GSM protocol stack to provide all the basic functions ofa mobile phone (network registration, location update, makingand receiving calls, and sending and receiving SMSs).

The mobile phone activities are logged on a shell terminaland the radio communication is encapsulated in UDP packetssent to a configurable IP address. This traffic can be capturedthrough the Wireshark network traffic analyser [23]. Interac-tions with the mobile phone are enabled by a telnet commandinterface. This allows one to manually select a network, startphone calls, send SMS and service requests, etc.

We captured over-the-air messages using the ‘mobile’application in different settings: (1) mobile station in idle stateand not moving; (2) mobile station in idle state and movingacross two urban areas; (3) mobile station involved in activitiessuch as receiving or starting phone calls, receiving or sendingSMSs, and requesting services as for example call diversions.

Since the 3GPP standard merely gives guidelines, realnetworks differ in the implementation details of the TMSIreallocation. To understand if the different implementationsachieve the privacy guarantees they were intended for, weanalysed the traffic captured with the mobile application. Inparticular, we are interested in finding out if the frequency ofTMSI reallocation execution is high enough to defeat passiveand active tracking attacks, if the policy of changing TMSI atleast at each change of location is actually implemented so toobtain at least location dependent privacy, and if the frequencyof execution of the TMSI reallocation procedure is related tothe amount of activity of the MS (i.e., to how often the TMSIis exposed to overhearing).

B. Findings/Results

We report on three different issues showing that someof the actual implementations of the strategy for changingpseudonyms to avoid tracking are not offering enough privacyguarantees to the mobile telephony subscribers. Our observa-tion and their consequences on users’ privacy are discussed inthis section2.

The TMSI reallocation procedure is rarely executed.Although in the standard the privacy offered to mobile phonebearers is based on frequent updates of TMSIs, our ex-periments show that the same TMSI can be allocated for2The traces that allowed us to draw the conclusions presented are made

available for inspection [24]

4

Fig. 4. Trace of a UK Vodafone SIM card obtaining a new TMSI (0xb42c2fdd) on 22/03/12. The same TMSI is still in use on 25/03/12 after 3 days from itsallocation.

several hours and even days. Moreover, turning on and off theMS does not usually result in a new TMSI being allocated.As an example Figure 4 shows that a TMSI allocated on22/03/2012 has not been updated by 25/03/2012, making thephone trackable for a period of 3 days. This behaviour can beobserved for the major UK, Greek, French and Italian networkoperators. An attacker could take advantage of the long life ofa TMSI and monitor a few sub-areas using short range devicesin order to obtain a fine grained tracking of his victim withina same LAI.

We observed that the major UK network operators andthe Vodafone and TIM Italian operators rarely execute theTMSI reallocation even in presence of MS activity, but the firstmessage sent by a MS when requesting or receiving a servicecontains its TMSI, hence exposes it to eavesdropping thirdparties. As mentioned in Section I-A, TMSI liveness makesit possible to locate mobile telephony users without alertingthem. This can be achieved by paging the victim and henceprovoking a paging response. To reduce the set of answeringTMSIs to the victim’s one, the attacker must repeat the processseveral times because more than one MS could be sending apaging response at the same time and it is possible only ifthe TMSI is not reallocated even in case of activity exposingthe TMSI (e.g.receiving calls). The attack in [13] thus relieson the low frequency of TMSI reallocations and demonstratesthat changing pseudonyms, as mechanism to provide locationprivacy, is not effective without a policy for changing ofpseudonyms which takes into account the actual exposure ofthe pseudonym caused by the mobile station activity.

A change of location area does not imply a changeof TMSI although such a change is mandated by the 3GPP

standard. We observed this behaviour when capturing thesignalling messages of a mobile station moving by coachbetween different cities in the UK, using the Orange and theO2 networks where we observed the same pseudonym beingaccepted in different location areas with no further execution ofthe TMSI reallocation procedure. Assuming an average speedof 70Km/h we observed that a new TMSI was assigned afterabout 45 min (about 53km) and a second one after about 60min (about 70km) while we observed a change of LAI every5 min on average and hence a new TMSI should have beenallocated, on average, about every 3km. Figure 5 shows anexample trace where a TMSI used at location 234/33/1381(packet no. 668) is accepted a different location 234/33/29(packet no.678).

The fact that a TMSI was accepted in two neighbouringLAIs contradicts the specification that a TMSI reallocationshould be performed at least at each change of location.However, changing pseudonym when changing location areawould provide location-dependent privacy to the user sinceit would prevent passive tracking across different LAIs. Thecombination of the two behaviours reported so far (i.e. keepingthe same TMSI for a long period of time and not changing itwhen changing location area) enables the attacker to both trackhis victim within an area and follow him across different areaswithout doing any extra effort other than passively sniffing.

Previously established keys are restored and used toencrypt the TMSI reallocation procedure. Our capturesconfirm that the reuse of previously established keys is a policyadopted by real networks and that in particular previouslyestablished keys are used for the execution of the TMSI real-location procedure. The experiments we performed show that

5

Fig. 5. Trace of a UK Orange SIM card. The TMSI used at location 234/33/1381 (packet no. 668) is accepted at location 234/33/29 (packet no.678), whilethe 3GPP standard mandates a TMSI reallocation at each change of location.

major UK and Italian network operators3 reuse previously es-tablished keys instead of performing the authentication proce-dure before each execution of the TMSI reallocation procedure.Figure 7 shows a trace from a UK Lebara SIM card attachedto the Vodafone network performing a location update (packetno. 4063). Then the execution of the authentication procedureestablishes a new ciphering key (packets 4065, 4068) andconsecutively the TMSI reallocation procedure (packets 4079,4081) is executed. The subsequent TMSI reallocations (packets9691, 9693, 71695, 71697, 92653, 92655) are executed withoutfirst performing the authentication procedure and hence reusingthe previously established ciphering key.

The use of a previously established ciphering key enablesreplay attacks such as the one depicted in Figure 6. An attacker,controlling a radio device able to sniff and inject messagesover-the-air, first captures a TMSI reallocation command (thesecond message in Figure 6). Later on, when the MS haspossibly already changed its pseudonym but not yet establisheda new encryption key, the attacker can replay the capturedTMSI reallocation command (one message before last in Fig-ure 6). The victim’s MS successfully decrypts the reallocationmessage and sends the TMSI reallocation complete message.This allows the attacker to distinguish the victim’s MS fromany other that would not successfully decrypt the message andthus would not send any reply, even though in the meantimea different TMSI (nTMSIk in Figure 6) was assigned to thevictim’s MS. For example, the TMSI reallocation packet no.71695 in Figure 7 does not achieve its goal since, by executing

3UK: Vodafone and T-mobile; Italy: Vodafone.

the above-mentioned attack, an attacker could link the newlyassigned TMSI with the previously allocated one (packet no.4079).

This attack would not be possible if a new ciphering keyCK ! was established. In this case, the replayed reallocationmessage sent from the adversary and previously encrypted withthe key CK could not be decrypted by the victim mobile phoneusing key CK ! and hence the reallocation would fail. Theadversary cannot deduce any information from this since itdoes not know if the procedure failed because the key waschanged or because the mobile phone is not the victim one.

Two realistic adversary scenarios for the TMSI reallocationattack could be the profiling of user in a defined urban areaor the tracking of a target victim in few selected areas.

An attacker interested in profiling user’s movements in aspecific area (say to few square kilometres) can use our attackto trace users’ movements in the area across different days.This attacker could use a set of short to medium range devices(from 10m to 1km), requiring an investment of a few thousanddollars.

An attacker with a more limited budget interested intracking a specific target in few sensitive locations (imaginea stalker or jealous partner or over-controlling employer)probably knows his/her victim and his/her habits. For thispurpose short range devices could be used (with an investmentof a few hundred dollars).

6

Fig. 7. Trace of a UK Lebara SIM card attached to the Vodafone network while travelling on a train. The TMSI reallocation procedure is executed by reusinga previously established key. The MS first performs a location update (packet no. 4063), then the authentication procedure to establish a ciphering key (packets4065, 4068), followed by the TMSI reallocation procedure (packets 4079, 4081). The following three TMSI reallocations (packets 9691, 9693, 71695, 71697,92653, 92655) are executed without first performing the authentication procedure and hence reusing the previously established ciphering key.

IV. FORMAL ANALYSIS

Often, deployed protocols are subsequently found to beflawed and to be subject of attacks. In this paper we showedthat the possibility of restoring the ciphering key CK enablesa linkability attack on the TMSI reallocation procedure. Thisweakness was hidden in the protocol logic and was not evidentto the protocol designers. This demonstrates that rigorousformal analysis is needed to (1) give strong guarantees onthe properties achieved by security protocols, and (2) clearlyassess the assumptions under which these properties hold.We formally analyse the TMSI reallocation procedure w.r.t.a rigorous definition of unlinkability as given by Arapinis etal. in [25]. In particular, we model the TMSI reallocationprocedure using the applied pi-calculus. We prove that ifnew session keys are established before each execution of theTMSI reallocation procedure, then the attack presented in theprevious section is thwarted, and the subscriber’s unlinkabilityis preserved by the protocol.

A. Applied pi-Calculus

The applied pi-calculus is a formal language, introduced byAbadi and Fournet [26], for modelling concurrent processesand in particular to ease the reasoning about cryptographicprotocols. In the applied pi-calculus, cryptographic primitivesare modelled as functions and messages are represented byterms L,M,N, T built over an infinite set of names a, b, c, . . .an infinite set of variables x, y, z, . . . and a finite set offunction symbols f(M1, . . . ,Ml) ! ! (which includes theconsidered cryptographic primitives). A function symbol witharity 0 is a constant symbol. Function properties are modelledby means of a set of equations defining an equational theoryE on the set of possible terms. We define equality modulo the

equational theory, written =E , as the smallest equivalence rela-tion on terms, that contains E and is closed under applicationof contexts, substitution of terms for variables and bijectiverenaming of names.

Syntax. The grammar for processes of the applied pi-calculus is the following:

P,Q,R ::= plain processes0 nullP | Q parallel!P replication! n.P restrictionif M = N then P else Q conditionalc(x).P inputc"M#.P output

A,B,C ::= extended processesP plain processA | B parallel! n.A name restriction!x.A variable restriction{M/x} active substitution

The null process does nothing. The parallel composition ofP and Q represents the parallel execution of P and Q. Thereplication of a process P acts like the parallel execution ofan unbounded number of copies of P . The name restriction!n.P creates a new name n whose scope is restricted tothe process P and then runs P . The if construct defines aprocess that evaluates the condition M = N and behaves asP , if M =E N , and otherwise behaves as Q. Note that wecheck for equality modulo the equational theory rather thansyntactic equality of terms. The message input c(x).P repre-sents a process ready to input from the channel c, the actualmessage received will be substituted to x in P . The syntactic

7

MS vIMSI, oTMSI,CK

MitMNetwork

IMSI, oTMSI,CK

L3 MSG, oTMSI

Management of means for ciphering

new nTMSI

{TMSI REALL CMD, nTMSI, LAI}rCK

Store TMSI reallocation command



next session

L3 MSG, nTMSI1

after k sessions

L3 MSG, nTMSIk

Management of means for ciphering

Replay stored TMSI REALL CMD

{TMSI REALL CMD, nTMSI, LAI}rCK


Fig. 6. TMSI Reallocation Procedure Attack

substitution of a term T for the variable x in the process P isdenoted by P{T/x}. The message output c"M#.P describesa process ready to send a term M on the channel c and thento run P . Extended processes are introduced to represent theadversarial knowledge. They include plain processes, parallelcompositions, bindings of names and variables and activesubstitutions. Active substitutions represent the knowledgeacquired by the adversary as result of the process execution,in particular the active substitution {M/x} represent the factthat the adversary can access the term M through the handlex. We define the set of bounded (resp. free) names bn(A)(resp. fn(A)) of a process A as the set containing every namen which is under restriction ! n (resp. not under the scopebinder ! n) in A . The set of bound (resp. free) variables bv(A)(resp. fv(A)) of A consists of all those variables x bound byrestriction ! x or input u(x) (resp. not under the scope of arestriction ! x or input u(x)) in A. Similarly we define fn(M)and fv(M), for the set of free names, respectively variables,which appear in the term M . We say that an extended processis closed when every variable x is either bound or defined byan active substitution {M/x} for some term M . A frame, ",

is an extended process built from 0 and active substitutions{M/x} composed by parallel composition and restriction. Thedomain dom(") of a frame is the set of variables x for which" contains an active substitution {M/x} such that x is notunder restriction. The frame "(A) of a process A is obtainedby replacing every plain process in A with 0. The frame "(A)represents the knowledge A outputs to its environment. Thedomain dom(A) of A is the domain of "(A).

Example 1: Using functions and equations we can definerandomized symmetric encryption and pairing. Let ! ={senc/3, sdec/2,pair/2,fst/1,snd/1}, and considerthe equations:sdec(k,senc(k, r,m)) = m, fst(pair(x, y)) =x, snd(pair(x, y)) = y. The first equation allows to de-crypt an encrypted message, m, given the knowledge of theencryption key k. This is the usual rule to model randomizedsymmetric encryption. The rest of the rules allow to decomposea pair and retrieve its components.

As example of processes, we introduce MS and SN mod-elling respectively a mobile station and a serving networksharing a private channel dck. This private channel modelsthe fact that MS and SN can “securely” establish a sharedsession key by executing the authentication procedure. Theprivate channel d models a mobile station’s memory (or state)recording the currently assigned TMSI. Input messages areread from the dw channel and output messages are sent onthe up channel. We consider an attacker that intercepts allcommunications on public channels.

Initdef= d "id#

MSdef= ! ck.!mr.d(x).up"x#.dck"ck#.dw(y).

if fst(sdec(ck, y)) = TMSI REALL thenup"senc(ck,mr,COMPLETE)#.d"snd(sdec(ck, y))#

else 0

SNdef= ! nid.! sr.dw(z).dck(xck).

up"senc(xck, sr, pair(TMSI REALL, nid))#.dw(w)

M def= ! dck.(!(! d.! id.(Init |!MS)) |!SN)

The Init process initializes the MS memory by storing in itthe initial pseudonym id. The current pseudonym is stored inthe memory d and is sent by the MS with its first message. TheMS then establishes a session key with the network, modelledhere by the communication of a new key ck over a privatechannel dck (note that in this model a fresh session key isestablished before the execution of each TMSI reallocation).The mobile station then receives a message and checks if it isa legitimate TMSI reallocation command message encryptedby the network using the session key (if fst(sdec(ck, y)) =TMSI REALL). In this case it sends a TMSI reallocation com-plete message (up"senc(ck,mr, COMPLETE)#) and updatesits own memory with the new pseudonym received in the TMSIReallocation command (d"snd(sdec(ck, y))#). For simplicity,we do not model the eventual updating of the location area.

Structural Equivalence. The structural equivalence relation de-fines when syntactically different processes actually representthe same process, for example by equating A | B and B | Awhich both represent the parallel execution of A and B.

8

Formally, structural equivalence ($) is the smallest equivalencerelation on extended processes that is closed by #-conversionof both bound names and bound variables, and closed underapplication of evaluation contexts such that:

A $ A | 0 PAR-0A | (B | C) $ (A | B) | C PAR-AA | B $ B | A PAR-C!P $ P |!P REPL! n.0 $ 0 NEW-0! u.! w.A $ ! w.! u.A NEW-CA | ! u.B $ !u.(A | B) NEW-PAR

where u ! fv(A) % fn(A)!x.{M/x} $ 0 ALIAS{M/x} | A $ {M/x} | A{M/x} SUBST{M/x} $ {N/x} where M =E N REWRITE

The rules for parallel composition, replication and restrictionare easy to understand and capture our intuition of the opera-tors properties. The ALIAS rule allows to introduce arbitraryactive substitutions with restricted scope. SUBST allows theapplication of an active substitution to a process running inparallel with it. REWRITE, allows the substitution of termsthat are equal modulo the equational theory.

Semantics. The internal reduction relation ( !&) describeshow processes evolve in isolation. Formally, internal reductionis the smallest relation on extended processes closed bystructural equivalence and application of evaluation contextssuch that:

c"M#.P | c(x).Q!& P | Q{M/x} Comm

if M = N then P else Q !& P if M =E N Then

if M = N then P else Q !& Q if M '=E N Else

Input and output actions on a channel c can be synchronized,resulting in the communication of the term M through thehandle x. The if construct evaluates the equality modulo theequational theory between two terms M and N and executesthe process P or the process Q accordingly. The evaluationof M and N may require the application of all the activesubstitutions in order to obtain the ground equivalent (i.e.containing no variables) of the terms M and N . We denotewith =( the reflexive and transitive closure of !

&.

The labelled reduction relation ( "&) describes how pro-cesses interact with the environment. The label # is either aninput, an output, or a restricted output. The labelled reductionrelation extends the internal reduction enabling interactions

with the environment as defined by the following rules:

c(x).Pc(M)!!!" P (INPUT)

c #u$ .Pc!u"!!!" P (OUT-ATOM)

Ac!u"!!!" A#, u %= c

!u.A!u.c!u"!!!!!" A#

(OPEN-ATOM)

A"!" A#, u does not occur in "

!u.A"!" !u.A#

(SCOPE)

A"!" A#, bv(") & fv(B) = bn(") & fn(B) = '

A | B"!" A# | B

(PAR)

A ( B, B"!" B#, B# ( A#

A"!" A#

(STRUCT)

The INPUT rule allows a process to input a term fromthe environment through its handle x. OUT-ATOM allowsa process to output a variable or a channel name, whileOPEN-ATOM enables the output of a restricted variable. TheSCOPE rule says that the scope of names and variables notinvolved in the labelled transition is preserved by the transitionrelation. The rule PAR allows one of the processes involvedin a parallel composition to evolve. The rule STRUCT statesthat the labelled transition relation is closed under structuralequivalence.

Equivalence Relations. Static equivalence defines classesof processes having released equivalent knowledge to theenvironment. It only looks at the current state of the processes,not at their possible evolutions.

Definition 1 (Static Equivalence): Two closed frames " $! n.$ and % $ ! n.& are statically equivalent, denoted " )s

%, if dom(") = dom(%) and for all terms M,N such thatn*(fn(M)%fn(N)) = +, we have thatM$ =E N$ holds ifand only ifM& =E N& holds. Two closed extended processesA,B are statically equivalent, A )s B, if "(A) )s "(B).

The labelled bisimilarity relation defines classes of processeswhose interactions with the environment are equivalent at eachstep for any possible evolution of the processes. Intuitively, twoprocesses are labelled bisimilar if one can mimic the actionsof the other step by step outputting the equivalent knowledgeto the environment at each step and vice versa.

Definition 2 (Labelled Bisimilarity): Labelled bisimilarity()l) is the largest symmetric relation R on closed extendedprocesses such that ARB implies:

• A )S B

• if A !& A! then ,B! such that B =( B! and A!RB!

• if A"-& A! and fv(#) . dom(A) and bn(#) *

fn(B) = +; then , B! such that B =("-&=( B! and

A!RB!.

9

B. Unlinkability of the Fixed TMSI Reallocation Procedure

Thanks to the equivalence relations defined above we candefine various security properties. In particular, we can uselabelled bisimilarity to state a property in terms of undistin-guishability of a process from some ideal version of it, i.e. aversion which satisfies the required property by construction.This is the idea behind the definition of unlinkability proposedby Arapinis, Chothia, Ritter and Ryan in [25].

Intuitively, such definition requires an ideal system,PUNLINK , where each agent can execute the protocol atmost once (and hence is unlinkable by construction) to beundistinguishable from a system, P , where each agent canexecute the protocol an unbounded number of times. Formally:

Definition 3 (Strong Unlinkability): Let ! be a signa-ture and E an equational theory for this signature,and let P be a protocol over ! of the form P =!(! m.init. !main protocol). We build the protocolPUNLINK =!(! m.init. main protocol). We say that Ppreserves strong unlinkability if P )l PUNLINK

The definition of strong unlinkability allows us to formallyanalyse the TMSI reallocation procedure and establish ifit achieves the desired unlinkability property when a newsession key is established prior to each execution of the TMSIreallocation procedure.

Let the Init,MS and SN processes be as defined inExample 1. We define:

SSAdef= ! d.! id.(Init | MS)

MSAdef= ! d.! id.(Init |!MS)

The processes SSA and MSA are respectively a single-session and a multi-session mobile station agent. Single-session mobile stations can only execute one session of theTMSI reallocation procedure hence are unlinkable by construc-tion and are part of the ideal system, while the multi-sessionagents represent the mobile stations of the real systems i.e.the ones we want to prove to be unlinkable, although they canexecute several sessions of the procedure.Let S and M be the two closed processes defined as follows:

Sdef= ! dck.(!SSA |!SN)

Mdef= ! dck.(!MSA |!SN)

The process S represents an unbounded number of mobilestations executing the TMSI reallocation procedure at mostonce. The process M represents an unbounded number ofmobile stations which can execute the TMSI reallocationprocedure an unbounded number of times. We want to provethatM and S are labelled bisimilar and hence that M satisfiesunlinkability.

However, the presence of the memory (state) for thestorage of the currently assigned identity makes the automaticverification of the TMSI reallocation procedure not feasiblewith the ProVerif tool [27], which is to date the only toolable to automatically verify observational equivalence basedproperties for unbounded processes like the ones consideredin this work. In fact, ProVerif cannot prove the observationalequivalence of the following toy processes which model oneprocess sending a fresh name on a public channel and another

reading a fresh name from its state (modelled by the privatechannel d) and then sending it on a public channel:

! d.!(! n.d(x).d"n#.c"n# | ! m.d"m#)! d.!(! n.d(x).d"n#.c"x# | ! m.d"m#)

This happens because the abstractions ProVerif does for thesake of termination allow the process using the private channelto never consume the input. Hence, once a name is sent onthe private channel d, that name can be read from it again andagain, making the two processes not observationally equiva-lent. This is one of the reasons that led to the developmentof StatVerif [28], an extension of ProVerif which deals withstateful processes. However, StatVerif is not suitable in ourcase since it does not yet handle observational equivalence. Forthis reason we carry out a manual analysis instead. In the nextsection we give a sketch of the proof of the unlinkability of theTMSI reallocation procedure (Proposition 1) when performedby establishing a fresh session key prior to each execution.

C. Unlinkability Proof Sketch

To be able to describe the relation R witnessing thatS )l M we define partial execution steps of the multi (resp.single)-session process’s components as specified below. Theprocess MMSk

i,j represents the ith mobile station executingthe kth step of its jth session of the TMSI reallocationprotocol, while the process SMSk

i,j represents the (i + j)th

mobile station executing the kth step of its unique session.The process SN l

m represents the lth step of the mth sessionof the serving network. The key point of the proof is toshow that processesMMSk

i,j and SMSki,j simulate each other.

We now give an outline of how this simulation works, byexplaining how to match transitions in the multi-session andsingle-session processes.

1) Any transition within a session of some mobile sta-tion is a transition from MMSk

i,j to MMSk!

i,j , withk! > k. There is always a matching transition withinthe single session of the corresponding mobile stationfrom SMSk

i,j to SMSk!

i,j , and vice versa.2) The transitions for the serving network are the same

in the multi-session an the single-session process,hence they match trivially.

3) The start of a new session for the same mobile stationis modelled by a transition from MMS6

i,j | MSto MMS7

i,j | MMS0i,j+1. The corresponding transi-

tions in the single-session process, which are SMS6i,j

to SMS7i,j and Init | MS to SMS0

i,j+1, model theuse of an additional mobile station to simulate thisextra-session.

4) The use of an additional mobile station in the multiplesession process is modelled by a transition fromInit|MS to MMS0

i+1,1. There is always a matchingtransition from Init|MS to SMS0

i+1,1 in the single-session process, and vice versa.

So far, this produces a perfect match between transitions forthe multiple-session process and the single-session processesin cases 1, 2 and 4. In case 3, we still have to find a matchingtransition for the transition from Init | MS to SMS0

i,j+1

10

without SMS6i,j being present. In this case we use the fact

that SMS0i,j+1 and SMS0

i+1,1 are #-equivalent and use case4 to find a matching transition in the multi-session process.This point is the key part of the proof and shows that thesingle-session system really models several sessions of thesame mobile station by using several mobile stations.

We now present this proof in more detail. We start bydefining matching pairs of multi and single-session mobilestations for each evolution step k.

Let i, j ! N. We denote:

Initi,jdef= di,j#idi,j$

MChki,jdef= if fst(sdec(cki,j , yi,j)) = TMSI REALL then

up#senc(cki,j , mri,j , COMPLETE)$.di,1#snd(sdec(cki,j , yi,j))$

else 0

SChki,jdef= if fst(sdec(cki,j , yi,j)) = TMSI REALL then

up#senc(cki,j , mri,j , COMPLETE)$.di,j#snd(sdec(cki,j , yi,j))$

else 0

MMS0i,j

def= di,1(xi,j).up#xi,j$.dck#cki,j$.dw(yi,j).MChki,j

SMS0i,j

def= di,j(xi,j).up#xi,j$.dck#cki,j$.dw(yi,j).SChki,j

MMS1i,j

def= up#Mi,j$.dck#cki,j$.dw(yi,j).MChki,j

SMS1i,j

def= up#idi,j$.dck#cki,j$.dw(yi,j).SChki,j

MMS2i,j

def= MXi,j | dck#cki,j$.dw(yi,j).MChki,j

SMS2i,j

def= SXi,j | dck#cki,j$.dw(yi,j).SChki,j

MMS3i,j

def= MXi,j | dw(yi,j).MChki,j

SMS3i,j

def= SXi,j | dw(yi,j).SChki,j

MMS4i,j

def= MXi,j | MChki,j{Ni,j /yi,j}

SMS4i,j

def= SXi,j | SChki,j{Ni,j /yi,j }

MMS5i,j

def= MXi,j | up#senc(cki,j , mri,j , COMPLETE)$.

di,1#snd(sdec(cki,j , Ni,j))$

SMS5i,j

def= SXi,j | up#senc(cki,j , mri,j , COMPLETE)$.

di,j#snd(sdec(cki,j , Ni,j))$

MMS6i,j

def= MXi,j | MKi,j | di,1#snd(sdec(cki,j , Ni,j))$

SMS6i,j

def= SXi,j | SKi,j | di,j#snd(sdec(cki,j , Ni,j))$

MMS7i,j

def= MXi,j | MKi,j | 0

SMS7i,j

def= SXi,j | SKi,j | di,j#snd(sdec(cki,j , Ni,j))$

MMS8i,j

def= MXi,j | 0

SMS8i,j

def= SXi,j | 0

MXi,jdef= {Mi,j/xi,j }

SXi,jdef= {idi,j /xi,j}

SKi,j ,MKi,jdef= {senc(cki,j , mri,j , COMPLETE)/ki,j

}

RMSidef= ! ck.! mr.(di,1(x).up#x$.dck#ck$.dw(y).

if fst(sdec(ck, y)) = TMSI REALL thenup#senc(ck, mr, COMPLETE)$.di,1#snd(sdec(ck, y))$

else 0

Mi,jdef=

!idi,j if j = 1nidi,j$1 otherwise

"ssi,jdef= idi,1, di,1, cki,1, mri,1, . . . ,

idi,j , di,j , cki,j , mri,j

#msi,jdef= idi,1, di,1, cki,1, mri,1, . . . , cki,j , mri,j

Note that a full execution of the TMSI reallocation proce-dure by a multi (resp. single)-session mobile station goesthrough the first 6 evolution steps. In particular, a new ses-sion of the TMSI reallocation protocol can be executed (bythe multi-session MS) only after the mobile station fullycompleted the previous session ending up at step k = 6where the synchronization on the memory channel d is en-abled by the output of the newly allocated temporary identitydi,1"snd(sdec(cki,j , Ni,j))#. In case the if condition is notsatisfied both the multi and the single-session mobile stationsend up in a deadlock state (k = 8).

SN0i

def= ! nidi.! sri.dw(zi).dck(xcki).

up#senc(xcki, sri, pair(TMSI REALL, nidi))$.dw(wi)

SN1i

def= ! nidi.! sri.dck(xcki).

up#senc(xcki, sri, pair(TMSI REALL, nidi))$.dw(wi)

SN2i

def= up#senc(xcki, sri, pair(TMSI REALL, nidi))$.

dw(wi)

SN3i

def= {senc(cki, sri, pair(TMSI REALL, nidi))/yi} | dw(wi)

SN4i

def= {senc(cki, sri, pair(TMSI REALL, nidi))/yi}

SNki,j

def= SNk

l {cki,j /xckl

, yi,j/yl ,wi,j /wl

, nidi,j /nidl ,sri,j/srl}, k ) 2

$nidi,jdef= nidi,1, sri,1, . . . nidi,j sri,j

MXi,j ,MKi,j, and SN4i (resp. SXi,j , SKi,j and SN4

i ) arethe possible active substitutions resulting from one full execu-tion of the TMSI reallocation procedure by the jth session ofthe ith mobile station in the multi-session system (resp. by thei+ jth mobile station in the single-session system). RMSi isthe replicated part of the multi-session mobile station agent.Note that we group the name restrictions and we bring themin front of the process.

We define the grouped multi-session system componentGMSi,j [ ] representing the leftovers after the execution of jsessions of the ith mobile station and the simulating groupedsingle-session system component GSSi,j [ ] representing theleftovers after the execution of j single session mobile stations

11

simulating the j sessions of the ith mobile station of the multi-session system, as follows:

GMSi,j [ ]def= ! #msi,j .!$nidi,l.(MMS7

i,1 | · · · | MMS7i,j$1 | |

!RMSi)

GSSi,j [ ]def= ! "ssi,j .!$nidi,l.(SMS7

i,1 | · · · | SMS7i,j$1 | )

l * {j ! 1, j}

The grouped multi (resp. single)-session system componentsare the building blocks of the bisimulation relation. They basi-cally define how the grouped single-session MSs can mimic thestructure resulting by the evolution of a multi-session mobilestation. We define the symmetric relation between the single-session and the multi-session system to be:

Rdef= {(C, D), (D, C) : , n, m / 0,

A $ ! dck.(C1 | · · · | Cn | PSNm |!SSA |!SN),

B $ ! dck.(D1 | · · · | Dn | PSNm |!MSA |!SN),

where 0i, 1 1 i 1 n,,li, kli , li / 0, 1 1 kli 1 8 such that

Ci = GSSi,li [SMSkli

i,li| SSNi,li] =

! !ssi,li .!"nidi,j .(SMS7i,1 | · · · | SMS7

i,li"1 |

SMSkli

i,li| SSNi,li)

Di = GMSi,li [MMSkli

i,li| MSNi,li ] =

! #msi,li .!"nidi,j .(MMS7i,1 | · · · | MMS7

i,li"1 |

MMSkli

i,li| MSNi,li |!RMSi)

SSNi,li = MSNi,li = SNh1

i,1 | · · · | SNhli"1

i,li"1 | Lhli ,h1, . . . , hli"1 / 2

Lhli =

$0 if kli ! {1, 2}

SNhli

i,liotherwise

j =

$li - 1 if Lhli = 0li otherwise

PSNm = SN1j1

| · · · | SN1jm

,for some j1, . . . , jm ! {0, 1}

}

We want to prove that R is a bisimulation. To ease this proof,we define a lemma dealing with the bisimulation part of theproof and a lemma dealing with static equivalence. Informally,Lemma 1 states that the actions of a system can be mimickedby actions of the other system and vice versa. Formally:

Lemma 1: Let C $ ! dck.(C1 | · · · | Cn | PSNm |!SA |!SN), D $ ! dck.(D1 | · · · | Dn | PSNm |!SA |!SN) suchthat SA = SSA (resp. SA = MSA) and (SA = MSA (resp.SA = SSA) and (C,D) ! R

if C #& C! with fv(') . dom(C) and bn(') * fn(D) = +

then D#& D! and (C!, D!) ! R for any ' ! {&,#}.

The proof of Lemma 1 relies on the proof of two extra lemmaswhich informally state that if the single (resp. multi)-session

system can do a transition then either one of the grouped single(resp. multi)-session system components (i.e. one of the Ci,respectively Di) can do the transition, possibly synchronizingwith one of the SN1

j components of the PSNm process(i.e. the MS synchronizes with the SN. This step models theestablishment of means for ciphering of the TMSI reallocationprotocol); or one of the components under replication isunrolled and does the transition; or one of the mobile stationsstarts a new session (in case of the multi-session system). Thedetails of the proof are available for inspection [29].

To complete the proof of Proposition 1 we have to provethat the processes obtained after each simulation step arestatically equivalent. This is stated by Lemma 2.

Lemma 2: If (C,D) ! R then C )s D

In order to ease this proof we define the following substitu-tions:

$idi,j

def= {idi,1/xi,1

, idi,2/xi,2, . . . , idi,j/xi,j

}

$Mi,j

def= {idi,1/xi,1

, Mi,2/xi,2, . . . , Mi,j/xi,j

}

$Ki,j

def= {senc(cki,1, mri,1, COMPLETE)/ki,1

, . . . ,senc(cki,j , mri,j , COMPLETE)/ki,j

}

$nidi,j

def= {senc(cki,1, sri,1, pair(TMSI REALL, nidi,1))/yi,1

, . . . ,senc(cki,j , sri,j , pair(TMSI REALL, nidi,j))/yi,j

}

Moreover, we prove in Lemma 3 that the structure of the frameof a single (resp. multi)-session system is as follows:

Lemma 3: Let (C,D) ! R, C $ ! dck.(C1 | · · · |Cn | PSNm |!SSA |!SN), D $ ! dck.(D1 | · · · | Dn |PSNm |!MSA |!SN) then ((C) $ ! dck.(((C1) | · · · |((Cn)), ((D) $ ! dck.(((D1) | · · · | ((Dn)) where0i, li 1 1 i 1 n, li / 0,

#(Ci) ( #(GSSi,li [SMSkii,li

| SSNi,li ])

( ! "ssi,li .! $nidi,jnid.($id

i,jid| $K

i,jK| $nid

i,jnid)

#(Di) ( #(GMSi,li [MMSkii,li

| MSNi,li ])

( ! #msi,li .!$nidi,jnid

.($Mi,jid

| $Ki,jK

| $nidi,jnid

)

We then use the obtained frame structure to define a ProVerifbi-process that generates the frame of the multi-session andsingle-session processes. This allows us to automatically provethe static equivalence. Hence, the full proof combines manualand automatic techniques. We can now easily prove that theTMSI reallocation procedure preserves unlinkability if a newsession key is established before each execution by provingthe following proposition.

Proposition 1: Let S andM be respectively the single andmulti- session systems as defined in Section IV-B. We have thatS )l M .

Proof: We show that (S, M) ! R.Let C = S and D = M , let n = 0, m = 0 then C $! dck.(!SSA |!SN) $ S and D $ ! dck.(!MSA |!SN) $ Mand (S, M) ! R.We show that R is a bi-simulation.We show that C )s D 0 (C,D) ! R: trivially follows byLemma 2.We show that if C !

& C! then , D! such that D D=(

!

and(C!, D!) ! R: trivially follows by Lemma 1.

12

MSIMSI, oTMSI ,CK, SQNMS

NetworkIMSI, oTMSI ,CK,SQNSN

L3 MSG, oTMSI

Management of means for ciphering:CK established

new nTMSI

{TMSI REALL CMD, nTMSI, LAI, SQNSN}rCK

if SQNMS + SQNSN



Fig. 8. TMSI Reallocation Procedure SQN Fix

We show that if C "& C! and fv(#) . dom(C), bn(#) *

fn(D) = + then , D! such that D =("&=( D! and (C!, D!) !

R: trivially follows by Lemma 1

V. DISCUSSIONThe experiments we conducted show that the adoption

of pseudonyms is not a sufficient condition to ensure theprivacy of mobile telephony users and that real networkimplementations leave plenty of room for tracking attacks.We suggest network operators should adopt activity-relatedpolicies in order to prevent active tracking attacks. In general,the execution of the TMSI reallocation procedure should bemore frequent even when the MS is in idle state, in order toprevent mere passive tracking.

Our formal analysis of the TMSI reallocation procedureconsiders a simplified version of the protocol and abstractsaway the establishment of CK through the execution of thekey agreement protocol. However, it allows us to show thatthe TMSI reallocation procedure should always be executedby first establishing new session keys, otherwise the TMSIreallocation does not guarantee the unlinkability property thatit is meant to provide to the users and is then useless.

The solution we propose and formally verify does notrequire any change in the security architecture of mobiletelephony systems. It only requires the standard to specifythat the reuse of the encryption key is not permitted whenthe key is used to execute the TMSI reallocation procedure.However, frequent executions of the authentication procedurecould burden the radio communication and slow down thedelivery of mobile telephony services. Alternative solutionsare possible, as for example the introduction of a sequencenumber in the TMSI reallocation command, similarly to theone used to avoid replay attacks against the Authenticationand Key Agreement protocol [20]. We illustrate this solutionin Figure 8. The network sends a sequence number SQNSN

along with the TMSI reallocation command. The MS checksif the received sequence number is in the expected range(SQNMS 1 SQNSN ). If so it carries on with the reallocationof the TMSI. Otherwise the MS aborts the TMSI reallocationexecution, hence avoiding replay attacks.

VI. FUTURE WORK

In this paper, we were concerned about misunderstandingregarding the capabilities of pseudonyms reallocation. Havingidentified critical scenarios in the real implementation of thepseudonym changing mechanism, and implementation detailsweakening the privacy of mobile telephony users making themlinkable, we think it would be interesting to gather data abouthow widespread these issues are throughout the existing net-works in an extensive and systematic way in order to calculatesome interesting statistics. This for example would reveal if thecritical scenarios are peculiar of a mobile network operator orinstead are linked to some specific base station implementationand to estimate how widespread the user linkability problemis within mobile telephony systems.

As previously discussed, the TMSI reallocation procedurechallenges the currently available state of the art tool forthe automatic verification of cryptographic protocols. Firstly,because the encoding of internal states is needed in order tostore the currently used MS identity and secondly because themodelling of privacy related properties requires automatic toolsable to deal with the automatic verification of observationalequivalence. We aim to address this issue in future by develop-ing an extension of the StatVerif [28] tool capable of verifyingobservational equivalence properties.

VII. CONCLUSIONS

Using pseudonyms is a good mechanism to ensure theuser’s privacy, provided that there is enough possibility ofmixing within the network (i.e. the user is not the onlyone in a given area) which is usually the case in mobiletelecommunication networks. However, the efficiency of thepseudonym change strategy depends on many factors whichthe 3GPP standard leaves as implementation choices.

We showed that the implementation choices made byreal network operators do not provide a satisfying level ofprivacy and leave space for different kinds of tracking attacks.Moreover, we showed that the standard specifications is flawedand the TMSI reallocation procedure is subject to a linkabilityattack when restored encryption keys are used.

Our analysis clarifies that the minimum criteria for theexecution of the TMSI reallocation should be defined andmandated by the standard (otherwise users are linkable). Thesecriteria should be activity, time and location dependent. Sec-ondly, implementations that don’t change TMSI at each changeof location make tracking (even passive) easy and hence thisshould be forbidden by the standard. Finally, the establishmentof new encryption keys before the execution of the TMSIreallocation should be compulsory (otherwise consecutivelyassigned TMSI are linkable).

The solution we propose as a countermeasure to the replayattack is easily and readily adoptable without changing thecurrent system architecture, with the added value of having

13

formal guarantees on the achieved privacy properties. In fact,we formally proved that if new session keys are establishedfor each TMSI reallocation execution then unlinkability is pre-served. Our proof of unlinkability is one of the few examples inthe literature of a proof of labelled bisimilarity of a real-sizedprotocol. Such manual proofs give useful insights on the wayone could automate them, and thus pave the way to automatinglabelled bisimilarity proofs.

As future work we plan on confirming the replay attackexperimentally, checking if there are or not mechanisms inplace (not stated in the standard) to thwart this attack bypreventing replayed messages from being accepted by theMobile Station. Also, a thorough and methodical analysis ofthe level of privacy achieved by different privacy policieswould be of great interest. However, this would possiblyrequire collecting further data about user mobility, aggregationareas, population density, network coverage and user base pergeographical area. This kind of analysis goes beyond the scopeof the present work and is left as future work. Moreover, theimpact of the adoption of the proposed policies on the networkperformances should be studied as well in order to balance theoffered level of privacy accordingly.

ACKNOWLEDGMENT

We are thankful to EPSRC for supporting this work throughthe projects Verifying Interoperability Requirements in Per-vasive Systems (EPSRC-reference EP/F033540/1) and TrustDomains (EPSRC-reference TS/I002529/1).

REFERENCES[1] http://www.pathintelligence.com, path Intelligence Ltd. (2010)

FootPath. [Online]. Available: http://www.pathintelligence.com[2] http://www.smart-flows.com, smart Flows. [Online]. Available: http:

//www.smart-flows.com[3] K. Rawlinson, “3G security flaw leaves smartphone users at risk of

hackers ,” Independent, October 2012.[4] V. Cortier and B. Smyth, “Attacking and fixing helios: An analysis of

ballot secrecy,” Journal of Computer Security, 2012.[5] V. Cortier and C. Wiedling, “A formal analysis of the norwegian e-

voting protocol,” in Proceedings of the 1st International Conferenceon Principles of Security and Trust (POST’12), ser. Lecture Notes inComputer Science, vol. 7215. Tallinn, Estonia: Springer, Mar. 2012,pp. 109–128.

[6] M. Barbaro and T. Zeller Jr., “A face is exposed for AOL searcher no.4417749,” The New York Times, August 9, 2006.

[7] C. Caldwell, “A pass on privacy?” The New York Times, July 17, 2005.[8] D. Goodin, “Defects in e-passports allow real-time tracking,” the

Register, 26th January 2010.[9] G. Avoine and P. Oechslin, “RFID Traceability: A Multilayer Problem,”

in Financial Cryptography, ser. FC, 2005.[10] A. Biryukov, A. Shamir, and D. Wagner, “Real time cryptanalysis of

A5/1 on a PC,” in Proceedings of the 7th International Workshop onFast Software Encryption, 2000, p. 118.

[11] K. Nohl and S. Munaut, “Wideband GSM sniffing,”http://events.ccc.de/congress/2010/Fahrplan/attachments/1783 101228.27C3.GSM-Sniffing.Nohl Munaut.pdf.

[12] Z. Ahmadian, S. Salimi, and A. Salahi, “New attacks on UMTS networkaccess,” in Conference on Wireless Telecommunications Symposium, ser.WTS’09, 2009.

[13] D. F. Kune, J. Koelndorfer, N. Hopper, and Y. Kim, “Location leaksover the GSM air interface,” in Annual Network & Distributed SystemSecurity Symposium, ser. NDSS, 2012.

[14] H. Welte, S. Munaut, A. Eversberg, and other contributors, “Osmo-comBB,” http://bb.osmocom.org.

[15] T. Engel, “Locating mobile phones using signalling system 7,”http://events.ccc.de/congress/2008/Fahrplan/attachments/126225c3-locating-mobile-phones.pdf, 25th Chaos CommunicationCongress (25C3).

[16] K. Nohl and L. Melette, “Defending mo-bile phones,” http://events.ccc.de/congress/2011/Fahrplan/attachments/1994 111217.SRLabs-28C3-Defending mobile phones.pdf, 28thChaos Communication Congress (28C3). [Online]. Available:http://www.gsmmap.org

[17] S. May and L. Melette, “Distributed GSM securityanalysis,” https://program.sigint.ccc.de/fahrplan/system/attachments/21/original/120518.GSMMAP-SIGINT.pdf, sIGINT 2012. [Online].Available: http://www.gsmmap.org

[18] M. Arapinis, L. I. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon,and R. Borgaonkar, “New privacy issues in mobile telephony: fix andverification,” in ACM Conference on Computer and CommunicationsSecurity, 2012, pp. 205–216.

[19] 3GPP, “Technical specification group core network and terminals;mobile radio interface layer 3 specification; core network protocols;stage 3 (release 9), TS 24.008,” 2010.

[20] ——, “Technical specification group services and system aspects; 3Gsecurity; security architecture (release 9), TS 33.102,” 2010.

[21] M. C. Gonzalez, C. A. Hidalgo, and A.-L. Barabasi, “Understandingindividual human mobility patterns,” Nature, vol. 453, pp. 779–782,2008. [Online]. Available: http://www.nature.com/nature/journal/v453/n7196/suppinfo/nature06958 S1.html

[22] M. Bayir, M. Demirbas, and N. Eagle, “Discovering spatiotemporalmobility profiles of cellphone users,” in World of Wireless, Mobile andMultimedia Networks Workshops, 2009. WoWMoM 2009, june 2009,pp. 1–9.

[23] G. Combs, “Wireshark,” http://www.wireshark.org.[24] “traces,” http://markryan.eu/research/mobile/tmsi-reallocation/.[25] M. Arapinis, T. Chothia, E. Ritter, and M. Ryan, “Analysing unlinka-

bility and anonymity using the applied pi calculus,” in IEEE ComputerSecurity Foundations Symposium, ser. CSF, 2010.

[26] M. Abadi and C. Fournet, “Mobile values, new names, and securecommunication,” in ACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages, ser. POPL, 2001.

[27] B. Blanchet, “Proverif: Cryptographic protocol verifier in the formalmodel,” http://www.proverif.ens.fr/.

[28] M. Arapinis, E. Ritter, and M. Ryan, “Statverif: Verification of statefulprocesses,” in IEEE Computer Security Foundations Symposium, ser.CSF, 2011.

[29] “proof,” http://markryan.eu/research/mobile/tmsi-reallocation/proof.pdf.

14

privacy through pseudonymity in mobile telephony systems · tems concerns content-secrecy,...

Documents