Formal verification of LTE-UMTS and LTE–LTE handover procedures

Piergiuseppe Bettassa Copet, Guido Marchetto, Riccardo Sisto, Luciana Costa
2017 Computer Standards & Interfaces  
Long Term Evolution (LTE) is the most recent standard in mobile communications, introduced by the 3rd Generation Partnership Project (3GPP). Most of the works in the literature about LTE security analyze authentication procedures, while handover procedures are far less considered. This paper focuses on the procedures that are activated when a mobile device moves between different LTE cells and between LTE and the older Universal Mobile Telecommunications System (UMTS) networks and completes previous results with a deeper formal analysis of these procedures. The analysis shows that security properties (secrecy of keys, including backward/forward secrecy, immunity from off-line guessing attacks, and network components authentication) hold almost as expected in nominal conditions, i.e. when all backhaul links are secured and all backhaul nodes are trusted. The paper also analyses how these security properties are affected by possible anomalous situations, such as a compromised backhaul node or a misconfiguration by which a backhaul link becomes unprotected and can be accessed by an attacker. The analysis shows that some security properties hold even in these adverse cases while other properties are compromised.
The 3GPP defines as IRAT (Inter-Radio Access Technology) handover the procedures in which it is necessary to map the existing security context (ciphering keys, user data) in the transition between two different technologies (for example, from LTE to UMTS). Instead, the procedures activated when a connection must be seamlessly moved between two LTE network nodes are called Intra-Handover procedures. Intra-Handover procedures have been formally analyzed in [3], while recently we presented the results of a formal analysis of the IRAT handover procedures that enable users to seamlessly switch from a 3G to a 4G connection, and vice versa [4]. This paper provides a thorough formal analysis of LTE-LTE and LTE-UMTS procedures, which extends and completes the results previously provided in [3] and in our previous conference paper [4]. In particular, our analysis of LTE-LTE handover procedures includes the verification of aspects that were not considered in [3], including a wider set of security properties, a more accurate model of the procedures, including the possible presence of emergency calls during the handover, and the analysis of anomalous situations where some links or nodes are compromised.
As for the analysis of LTE-UMTS and UMTS-LTE handover procedures, although some of the results presented here were already presented in [4], in this paper we extend those results by using more accurate models, where the possibility that emergency calls are executed during the handover procedures is considered. Moreover, in this paper we provide a thorough description and motivation of all the formal models used for our analysis and the underlying design choices, which were presented only in part and in much less detail in [4], for the previously used models. The tool used for formal analysis is ProVerif [5], which is an automatic formal verifier for cryptographic protocols. In this paper we exploit many of the features of ProVerif which were not used in previous papers about LTE-LTE handover procedures analysis. Specifically, in addition to basic security properties such as secrecy of all the keys used before, during and after the handovers, secrecy of ...
doi:10.1016/j.csi.2016.08.009 fatcat:kl6czegvi5gpppr64c4o6wdtem