
DOI: 10.14738/tnc.85.9571

Publication Date: 10th January 2021

URL: http://dx.doi.org/10.14738/tnc.85.9571

VOLUME 8, NO. 5

ISSN: 2054-7420

SOCIETY FOR SCIENCE AND EDUCATION

UNITED KINGDOM

TRANSACTIONS ON NETWORKS AND COMMUNICATIONS

Preserving Privacy Location in 5G by Using Variable Pseudonym

1,2 Mamoon M. Saeed, 3,4 Rashid A. Saeed, 3,4 Rania A. Mokhtar, 3 Hesham Alhumyani, 4 Elmustafa Syed Ali

1 Electrical Engineering Department, Faculty of Engineering, Alzaiem Alazahri University, Sudan

2 Communications and Electronics Engineering Department, Faculty of Engineering, Modern Sciences University, Yemen

3 Department of Computer Engineering, Taif University, Al Huwaya, Ta'if, Makkah Region 21974, Saudi Arabia

4 College of Electronics Engineering, Sudan University of Science and Technology, Sudan

mamoon530@gmail.com

ABSTRACT

User privacy is one of the issues most extensively addressed in the evolution of mobile communications, in the research literature, and in standardization. Location privacy is a key and crucial aspect of user privacy, since most tracking, unsolicited advertising, malicious activities, and location-based terrorism attacks depend on the location of the victims. To preserve location privacy, various methods in previous mobile networks use a pseudonym instead of the permanent identity, i.e. the Cell Radio Network Temporary Identifier (C-RNTI). However, methods based on the C-RNTI have been shown to have many vulnerabilities because the C-RNTI is exchanged in clear text. A man-in-the-middle attacker can easily trace users and collect information. The main objective of this paper is to propose a new location privacy algorithm that can greatly enhance the capabilities of the 5G architecture. The proposed algorithm introduces a novel variable pseudonym (V-RNTI) as an identifier for the user radio channel. It also provides an enhanced pseudonym allocation procedure for identification: a new procedure that enables the UE to use different, frequently changed values for the V-RNTI, using agreed equations to generate the values of the identifier. The proposed scheme is compatible with the 3GPP standards architecture, where minor modifications/upgrades are needed for UEs and the eNB. Specifically, we build a model of the 5G V-RNTI authentication protocol and analyse the protocol model with an automated security verification tool, the ProVerif model checker. Our analysis results show that the proposed procedure works without flaws.

Keywords: 5G, Anonymity, linkability, traceability, IMSI, C-RNTI, V-RNTI, User Privacy and Location Privacy.

1 Introduction

Recently, the 5G network has grown rapidly to become the main core network because of its high data rate, low latency, high capacity, and wide coverage. Because of these capabilities, the 5G network requires enhanced security and privacy to ensure that information is transferred safely. User privacy is the main issue in 5G networks, along with location privacy, which is considered much more important for user privacy [1]. For consumers, realizing specific service characteristics in 5G technology requires secure network services. The privacy requirements in the 5G network might change according to the services provided. Meanwhile, service-oriented privacy requirements can be enabled by 5G technology. In some 5G applications, e.g. in healthcare, a higher degree of privacy will be required to secure users' information. Moreover, an equally higher


Transactions on Networks and Communications; Volume 8, No. 5, October 2020

Copyright © Society for Science and Education, United Kingdom 11

level of privacy protection is required in some critical tasks. A low privacy degree may be required in other applications, e.g. in searching for some kind of location information [1].

Recently, protecting the privacy of user location in mobile systems has received increasing interest, particularly in 3GPP cellular technology. Compared with the preceding standards, the 5G cellular networks recently proposed by 3GPP have enhanced security and privacy [2]. Although 3GPP has enhanced the privacy of user identity [2, 4], the location privacy of the user is still vulnerable to privacy attacks [5]. For instance, in 3GPP networks, various temporary identities such as the Global User Temporary Identifier (GUTI) are allocated by the Home Subscriber Server (HSS) instead of the permanent identity to identify the user in the network. In such networks, the Mobile Management Entity (MME) uses the Temporary Mobile Subscriber Identifier (TMSI) for paging users in the network, and the Cell Radio Network Temporary Identifier (C-RNTI) is used for user location updating in the coverage area of the Evolved Node B (eNB).

In location updating, a C-RNTI is assigned to a single User Equipment (UE), which helps to mitigate location attacks and preserve the privacy of the user in the network, in addition to addressing linkability and traceability. However, the C-RNTI is likely to be attacked, because it is sent in clear text and is always used more than once in the same eNB coverage area. A hacker can easily trace the user and collect information about him/her [6,7].

The 5G network is the first standard to benefit from location information that is sufficiently precise to be leveraged in wireless network design and optimization. Because of this, the 5G network must address the privacy and security challenges and resist location hackers by improving the location update mechanism, which in turn improves user privacy [8]. This paper provides a location privacy scheme that enhances the pseudonym allocation procedure for identification and user privacy protection.

The rest of the paper is organized as follows. User and location privacy are discussed in section two. The location procedure privacy issue in 5G networks is described in section three. In section four, a summary of related work is given. The proposed solution and its privacy analysis are presented in sections five to eight. The conclusions are in section nine.

2 User and Location Privacy

Mobile communication has seen many updates and developments in user privacy and location privacy. In 3GPP, authentication is carried out between the Home Subscriber Server (HSS) and the UE, and location update between the Evolved Node Base station (eNB) and the UE, as shown in Fig. 1.

[Figure 1 diagram. Labels: UE; eNB (three); MME; HSS; Serving Network; Home Network; Mutual Authentication and Key Agreement; Authentication data transfer.]

FIGURE 1: 3GPP privacy architecture.

The UE sends a message comprising the IMSI to the serving network. For the Authentication Vector (AV) request, the serving network (Mobile Management Entity (MME)) sends a message comprising the IMSI to the HSS. On the first attachment, the HSS responds to the AV request by calculating the Sequence Number (SQN) and generating a changeable Random challenge (RAND). Next, by using the network authentication function (f1), the Message Authentication Code (MAC)


Mamoon M. Saeed, Rashid A. Saeed, Rania A. Mokhtar, Hesham Alhumyani, Elmustafa Syed Ali; Development of an

Improved Network Security System using Firewall for Securing Organisational Data, Transactions on Networks and

Communications, Volume 8 No. 5, October (2020); pp: 10-25

http://dx.doi.org/10.14738/tnc.85.9571 12

is computed using the Authentication Management Field (AMF), SQN, and RAND. After that, the Ciphering Key (CK), the Integrity Key (IK), the Anonymity Key (AK), and the Expected Response (XRES) are computed by applying f2, f3, f4, and f5 to the RAND challenge. By XORing the Authentication Token (AUTN), which contains the SQN, with the MAC, the AK and AMF are produced. Finally, the HSS creates the AV, which consists of CK, IK, XRES, AUTN, and RAND.

The HSS sends the AV to the MME, then the MME forwards the AUTN and the RAND within an authentication request to the UE and saves XRES. After that, the MME uses the TMSI to page the UE. In cell coverage, the eNB uses the C-RNTI to update the location of the UE. The C-RNTI remains fixed within the same cell coverage area, while it changes if the UE moves from one coverage area to another, as shown in Fig. 2 [9 - 12].

[Figure 2 diagram. Entities: UE, eNB, MME, HSS. Messages shown: Attach Request (IMSI); Attach Request (IMSI); AV Request (IMSI); AV Response (RAND, XRES, AUTN, KASME); Authentication and Key Agreement resulting in KASME; TMSI Allocation (TMSI); Location Update Request (C-RNTI); Location Update Response (C-RNTI).]

FIGURE 2: Authentication and Location update in 3GPP.
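The vector generation and the UE-side check described above, as an added example (not code from the paper). It follows the 3GPP AKA layout AUTN = (SQN ⊕ AK) ‖ AMF ‖ MAC with XRES, CK, IK and AK taken from f2 to f5; the HMAC-based `f` is a stand-in for the operator's f1 to f5, and the key, SQN and AMF values are constructed.

```python
import hashlib
import hmac
import os

def f(k, label, data, n):
    # Stand-in for f1..f5 (assumption): HMAC-SHA256 truncated to n bytes.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hss_make_av(k, sqn, amf, rand=None):
    """HSS side: build the AV (RAND, XRES, CK, IK, AUTN) for one attach."""
    rand = rand if rand is not None else os.urandom(16)
    mac = f(k, b"f1", sqn + rand + amf, 8)   # network authentication code
    ak = f(k, b"f5", rand, 6)                # anonymity key conceals SQN
    return {
        "RAND": rand,
        "XRES": f(k, b"f2", rand, 8),
        "CK": f(k, b"f3", rand, 16),
        "IK": f(k, b"f4", rand, 16),
        "AUTN": xor(sqn, ak) + amf + mac,
    }

def ue_respond(k, rand, autn, highest_sqn_seen):
    """UE side: authenticate the network, reject replays, return (RES, CK, IK)."""
    concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(concealed_sqn, f(k, b"f5", rand, 6))
    if not hmac.compare_digest(mac, f(k, b"f1", sqn + rand + amf, 8)):
        raise ValueError("MAC failure")
    if int.from_bytes(sqn, "big") <= highest_sqn_seen:
        raise ValueError("synchronisation failure")
    return f(k, b"f2", rand, 8), f(k, b"f3", rand, 16), f(k, b"f4", rand, 16)

def run_attach():
    """Constructed values: subscriber key K, SQN 41, AMF 0x8000."""
    k = bytes(range(16))
    av = hss_make_av(k, (41).to_bytes(6, "big"), bytes.fromhex("8000"))
    res, ck, ik = ue_respond(k, av["RAND"], av["AUTN"], highest_sqn_seen=40)
    # The MME compares RES from the UE with the XRES it saved.
    mme_accepts = hmac.compare_digest(res, av["XRES"])
    return mme_accepts, av, k

if __name__ == "__main__":
    print("MME accepts UE:", run_attach()[0])
```

None of these values protects the C-RNTI used afterwards for location update, which is the gap the paper goes on to address.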

3 User Location Issues in 5G Network

In 3GPP, cellular systems must protect the privacy of subscribers from the risks associated with third-party attackers learning subscribers' identities [7,13]. Location Tracking (LT), which enables a third party to track the movements of a specific user, is one of the main privacy challenges in 3GPP networks. In mobile systems, the serving network assigns different temporary identities to every user equipment (UE) as it moves from one cell to another within the eNB's coverage area. This strategy is intended to ensure the untraceability of users. The use of various C-RNTIs helps against location tracking but does not eliminate the attacks. The C-RNTIs assigned to a user's UE can be linked by an attacker. A passive attacker who is monitoring the radio channel of the UE can initiate an attach procedure, which can link the various C-RNTIs assigned to the UE through the eNB with the permanent identity (IMSI). Due to this kind of attack, the invasion of the user's privacy becomes more obvious. Meanwhile, the locations visited by the target user can be recorded, and the user's profile history can be saved by the attacker, as shown in Fig. 3.

[Figure 3 diagram. Labels: cells a, b, c, d; C-RNTI(a), C-RNTI(b), C-RNTI(c), C-RNTI(d); Attacker.]

FIGURE 3: Location tracking attack using C-RNTI.
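A way to quantify the exposure described in this section, as an added example that is not part of the paper: given the cleartext identifiers visible on the radio channel, it measures how long one value keeps repeating in each cell. The trace, the C-RNTI values and the key are constructed, and `rotated_per_message` is a hypothetical per-message rotation used only for comparison; it is not the paper's V-RNTI equations, which this section does not give.

```python
import hashlib
import hmac
from collections import defaultdict

def fixed_per_cell(trace, crnti_by_cell):
    """Behaviour the text describes: one C-RNTI for the whole stay in a cell."""
    return [(t, cell, crnti_by_cell[cell]) for t, cell in trace]

def rotated_per_message(trace, shared_key):
    """Hypothetical rotation: a 16-bit value per message from a key both ends hold."""
    log = []
    for n, (t, cell) in enumerate(trace):
        digest = hmac.new(shared_key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        log.append((t, cell, int.from_bytes(digest[:2], "big")))
    return log

def linkable_seconds(log):
    """Per cell, the longest interval over which one cleartext identifier repeats."""
    first, last = {}, {}
    for t, cell, ident in log:
        first.setdefault((cell, ident), t)
        last[(cell, ident)] = t
    worst = defaultdict(int)
    for (cell, ident), t0 in first.items():
        worst[cell] = max(worst[cell], last[(cell, ident)] - t0)
    return dict(worst)

# Constructed sample: (seconds, cell) for one UE crossing cells a, b and c.
TRACE = [(0, "a"), (20, "a"), (40, "a"), (60, "b"), (80, "b"),
         (100, "c"), (120, "c"), (140, "c")]
CRNTI = {"a": 0x1A2B, "b": 0x3C4D, "c": 0x5E6F}  # constructed 16-bit values
KEY = b"constructed-demo-key"

def compare():
    fixed = linkable_seconds(fixed_per_cell(TRACE, CRNTI))
    rotated = linkable_seconds(rotated_per_message(TRACE, KEY))
    return fixed, rotated

if __name__ == "__main__":
    fixed, rotated = compare()
    print("fixed C-RNTI  :", fixed)
    print("rotated value :", rotated)
```

With a fixed C-RNTI the linkable interval equals the whole dwell time in each cell, which is what lets the movements in Fig. 3 be recorded cell by cell.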