Mobile Telecommunications—Key Management, Security, and Design

GSM, UMTS, and LTE key management

Key management in GSM and UMTS is fairly straightforward, and only slightly more complex in LTE.

Key management system

GSM, UMTS, and LTE have an entirely symmetric key management system facilitated by the fact that a mobile operator is completely in control of all keying material relating to their users. For GSM and UMTS, we can think of the underlying key management system as a very simple key hierarchy with the user keys $K_i$ acting as individual user master keys and the encryption keys $K_C$ and MAC keys $K_I$ acting as data (session) keys.

Key generation

The user keys $K_i$ are generated, normally by the SIM manufacturer (on behalf of the mobile operator), using a technique of their choice. The keys $K_C$ and $K_I$ are derived from the user key $K_i$ using the mobile operator’s chosen cryptographic algorithm. In LTE, additional keys are derived from $K_C$ and $K_I$ using the key derivation function.

Key establishment

The establishment of the user key $K_i$ is under the control of the SIM manufacturer (on behalf of the mobile operator), who installs $K_i$ on the SIM card before it is issued to the user. The significant key management advantage exploited here is that a mobile service has no utility until a customer obtains a physical object from the mobile operator (in this case, a SIM card).

Hence, the key establishment can be tied to this process. All subsequent keys are established during the AKE protocol used for entity authentication. It is very important that the SIM manufacturer transfers all the keys $K_i$ to the mobile operator using highly secure means, perhaps in the form of an encrypted database.

Key storage

Outside of the mobile operator’s authentication center, the critical user keys $K_i$ are only stored in the hardware of the user’s SIM card, which offers a reasonable degree of tamper resistance. In GSM-only the encryption key $K_C$, and in UMTS additionally the MAC key $K_I$, exist outside the SIM card and the authentication center. These are session keys that can be discarded after use.

In LTE, $K_C$ and $K_I$ do not leave the SIM card. The local master key $K_L$ derived from them is never exposed through direct use to protect communications. Instead, it is used to derive session keys. Both these and $K_L$ are short-lived and discarded after use.

Key usage

Both GSM and UMTS enforce a degree of key separation by ensuring that the long-term user key $K_i$ is only ever indirectly exposed to an attacker through its use to compute the short responses to the mobile operator’s challenges. The keys $K_C$, and in UMTS additionally $K_I$, most exposed to an attacker are derived keys that are not used more than once.

In LTE, key separation is rigorously enforced by establishing a range of different keys, each of which has its key usage encoded into it through the derivation process. Should it be necessary, key change of the critical key $K_i$ in GSM, UMTS, and LTE can be relatively easily enabled by issuing a new SIM card. In LTE, there is also the possibility of renewing sessions keys via the local master key without going back to the home mobile operator.

Security issues

GSM broke new ground for the mass use of cryptography. It provided, and to some extent still provides, good security for a rapidly expanding mobile phone network. GSM was, by and large, well designed, and the basic security architecture of GSM is preserved in UMTS and LTE, which both build on and extend the security offered by GSM.

However, it is worth remembering that GSM, UMTS, and LTE were deliberately designed to not provide end-to-end security. The design goal of being ‘as secure as the PSTN’ means that, just as for a conventional telephone call, a mobile telephone call can still be intercepted after being switched into the conventional PSTN infrastructure.

Design considerations

The main design considerations regarding GSM, UMTS, and LTE are as follows:

• Use of symmetric cryptography: The closed nature of the application environment lends itself to the adoption of a fully symmetric solution. The properties of stream ciphers are highly suited to mobile telecommunications.

• Adaptation to evolving constraints: GSM was designed under several constraints, including cryptographic export restrictions and the apparent lack of a need for mobile operator authentication. As the environment determining these constraints evolved, the redesigned security mechanisms of UMTS took these into account.

  In turn, LTE extended the security protection offered, partly in response to new attack scenarios. Looking forward, LTE has been designed to accommodate the potential future need to strengthen the security it currently offers.

• Shift from proprietary to publicly known algorithms: Mobile telecommunications provide a plausible environment for the adoption of proprietary cryptographic algorithms. However, subsequent weaknesses in some of the original GSM algorithms have influenced publicly known algorithms in UMTS and LTE.

• Flexibility, but only when appropriate: Just as we saw for WLAN security, GSM, UMTS, and LTE only prescribe the use of particular cryptographic algorithms when this is essential, leaving a degree of flexibility for mobile operators to choose the parts of the cryptographic infrastructure that do not need to be standard across the wider network. That said, in both UMTS and LTE, mobile operators are strongly encouraged to adopt central recommendations.