Mobile Telecommunications—Key Management, Security, and Design

Let’s learn about the differences between key management, security issues, and designs of GSM, UMTS, and LTE.

GSM, UMTS, and LTE key management

Key management in GSM and UMTS is fairly straightforward, and only slightly more complex in LTE.

Key management system

GSM, UMTS, and LTE have an entirely symmetric key management system facilitated by the fact that a mobile operator is completely in control of all keying material relating to their users. For GSM and UMTS, we can think of the underlying key management system as a very simple key hierarchy with the user keys KiK_i acting as individual user master keys and the encryption keys KCK_C and MAC keys KIK_I acting as data (session) keys.

Key generation

The user keys KiK_i are generated, normally by the SIM manufacturer (on behalf of the mobile operator), using a technique of their choice. The keys KCK_C and KIK_I are derived from the user key KiK_i using the mobile operator’s chosen cryptographic algorithm. In LTE, additional keys are derived from KCK_C and KIK_I using the key derivation function.

Key establishment

The establishment of the user key KiK_i is under the control of the SIM manufacturer (on behalf of the mobile operator), who installs KiK_i on the SIM card before it is issued to the user. The significant key management advantage exploited here is that a mobile service has no utility until a customer obtains a physical object from the mobile operator (in this case, a SIM card).

Hence, the key establishment can be tied to this process. All subsequent keys are established during the AKE protocol used for entity authentication. It is very important that the SIM manufacturer transfers all the keys KiK_i to the mobile operator using highly secure means, perhaps in the form of an encrypted database.

Key storage

Outside of the mobile operator’s authentication center, the critical user keys KiK_i are only stored in the hardware of the user’s SIM card, which offers a reasonable degree of tamper resistance. In GSM-only the encryption key KCK_C, and in UMTS additionally the MAC key KIK_I, exist outside the SIM card and the authentication center. These are session keys that can be discarded after use.

In LTE, KCK_C and KIK_I do not leave the SIM card. The local master key KLK_L derived from them is never exposed through direct use to protect communications. Instead, it is used to derive session keys. Both these and KLK_L are short-lived and discarded after use.

Key usage

Both GSM and UMTS enforce a degree of key separation by ensuring that the long-term user key KiK_i is only ever indirectly exposed to an attacker through its use to compute the short responses to the mobile operator’s challenges. The keys KCK_C, and in UMTS additionally KIK_I, most exposed to an attacker are derived keys that are not used more than once.

In LTE, key separation is rigorously enforced by establishing a range of different keys, each of which has its key usage encoded into it through the derivation process. Should it be necessary, key change of the critical key KiK_i in GSM, UMTS, and LTE can be relatively easily enabled by issuing a new SIM card. In LTE, there is also the possibility of renewing sessions keys via the local master key without going back to the home mobile operator.

Security issues

GSM broke new ground for the mass use of cryptography. It provided, and to some extent still provides, good security for a rapidly expanding mobile phone network. GSM was, by and large, well designed, and the basic security architecture of GSM is preserved in UMTS and LTE, which both build on and extend the security offered by GSM.

However, it is worth remembering that GSM, UMTS, and LTE were deliberately designed to not provide end-to-end security. The design goal of being ‘as secure as the PSTN’ means that, just as for a conventional telephone call, a mobile telephone call can still be intercepted after being switched into the conventional PSTN infrastructure.

Design considerations

The main design considerations regarding GSM, UMTS, and LTE are as follows:

  • Use of symmetric cryptography: The closed nature of the application environment lends itself to the adoption of a fully symmetric solution. The properties of stream ciphers are highly suited to mobile telecommunications.

  • Adaptation to evolving constraints: GSM was designed under several constraints, including cryptographic export restrictions and the apparent lack of a need for mobile operator authentication. As the environment determining these constraints evolved, the redesigned security mechanisms of UMTS took these into account.

    In turn, LTE extended the security protection offered, partly in response to new attack scenarios. Looking forward, LTE has been designed to accommodate the potential future need to strengthen the security it currently offers.

  • Shift from proprietary to publicly known algorithms: Mobile telecommunications provide a plausible environment for the adoption of proprietary cryptographic algorithms. However, subsequent weaknesses in some of the original GSM algorithms have influenced publicly known algorithms in UMTS and LTE.

  • Flexibility, but only when appropriate: Just as we saw for WLAN security, GSM, UMTS, and LTE only prescribe the use of particular cryptographic algorithms when this is essential, leaving a degree of flexibility for mobile operators to choose the parts of the cryptographic infrastructure that do not need to be standard across the wider network. That said, in both UMTS and LTE, mobile operators are strongly encouraged to adopt central recommendations.

Get hands-on with 1200+ tech skills courses.