Showing posts with label Apps Security. Show all posts
Showing posts with label Apps Security. Show all posts

Tuesday 17 January 2023

Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)

3GPP Release 17 introduced a new feature called AKMA (Authentication and Key Management for Applications), the goal of which is to enable the authentication and generation of application keys based on 3GPP credentials for all UE types in the 5G System, especially IoT devices, ensuring to bootstrap the security between the UE and the applications in the 5G system.

3GPP TR 21.917 has an excellent summary as follows:

Authentication and key management for applications based on 3GPP credential in 5G (AKMA) is a cellular-network-based delegated authentication system specified for the 5G system, helping establish a secure tunnel between the end user and the application server. Using AKMA, a user can log in to an application service only based on the 3GPP credential which is the permanent key stored in the user’s tamper-resistant smart card UICC. The application service provider can also delegate the task of user authentication to the mobile network operator by using AKMA. 

The AKMA architecture and procedures are specified by SA3 in TS 33.535, with the related study showing how its general principles are derived documented in TR 33.835. The AKMA feature introduces a new Network Function into the 5G system, which is the AKMA Anchor Function (AAnF). Its detailed services and API definitions are specified by CT3 in TS 29.535. Earlier generations of cellular networks include two similar standards specified by SA3, which are generic bootstrapping architecture (GBA) and battery-efficient security for very low throughput machine type communication devices (BEST). Since the AKMA feature is deemed as a successor of these systems, the work is launched by SA3 without the involvement of stage 1.

In the latest issue of 3GPP Highlights Magazine, Suresh Nair, 3GPP Working Group SA3 Chair, Saurabh Khare & Jing Ping (Nokia) has explained the AKMA procedure. The article is also available on 3GPP website here. The article lists the following as AKMA advantages:

  • Since the AKMA framework uses authentication and authorization of the UE leveraging the PLMN credentials stored on the USIM, this becomes as strong as the network primary authentication and subsequent keys derived further to UE and Application Function (AF) interface.
  • The Application Functions can leverage the authentication service provided by the AKMA Anchor Function (AAnF) without additional CAPEX and OPEX.
  • The architecture provides a direct interface between the UE and the AF where a customized application-specific interface can be built, including the key management, key lifetime extension, etc.

The Journal of ICT Standardization has a paper on Authentication Mechanisms in the 5G System. It details AKMA and much more. It's a great place to start for anyone new looking to understand different 5G Authentication Mechanisms. 

Related Posts

Monday 16 May 2022

Lawful Intelligence and Interception in 5G World with Data and OTT Apps

Not long ago we looked at the 'Impact of 5G on Lawful Interception and Law Enforcement' by SS8. David Anstiss, Senior Solutions Architect at SS8 Networks gave another interesting talk on Evolving Location and Encryption Needs of LEAs in a 5G world at Telecoms Europe Telco to Techco virtual event in March.

In this talk, David provided an insight in​to how 5G is impacting lawful interception and the challenges Law Enforcement Agencies face as they work with Communication Service Providers to gather intelligence and safeguard society. While there is an overlap with the previous talk, in this video David looked at a real world example with WhatsApp. The talk also covered:

  • Real-world problems with 5GC encryption
  • 5G location capabilities and the impact on law enforcement investigations
  • Optimal solutions for both CSPs and LEAs

The video of the talk is embedded below:

Related Posts:

Tuesday 4 December 2018

Can KaiOS accelerate the transition from 2G / 3G to 4G?


The GSMA Mobile Economy 2018 report forecasts that 2G will still be around in 2025 and the dominant technology will be 3G in Africa. GSMA Intelligence Global Mobile Trends highlighted similar numbers but North Africa was missing in that report. As you can see in the picture below, 3G devices will make up 62% of the total number of devices in Sub-Saharan Africa and 37% in MENA.

Similar information was provided by Navindran Naidoo, Executive, Network Planning & Design, MTN Group in TIP Summit 2017 and Babak Fouladi, Technology and Information System (Group CTIO) , MTN Group in TIP Summit 2018. In fact Babak had a slide that showed 3G devices would make up 61%  of total devices in 2025 in Africa. Rob Shuter, Group President and CEO, MTN Group said at AfricaCom 2018 that Africa lags 7 years behind the Western countries in mobile technologies. Though this may not be universally true, its nevertheless a fact in many areas of the Continent as can be seen from the stats.

In my blog post "2G / 3G Switch Off: A Tale of Two Worlds", I said operators in many developing countries that maybe forced to switch off a technology would rather switch 3G off as they have a big base of 2G users and 3G devices can always fall back on 2G.

So what are the main reasons so many users are still on 2G devices or feature phones? Here are some that I can think off the top of my head:
  • Hand-me-downs
  • Cheap and affordable
  • Given as a gift (generally because its cheap and affordable)
  • 2G has better coverage than 3G and 4G in many parts of the world
  • Second/Third device, used as backup for voice calls
  • Most importantly - battery can last for a long time
This last point is important for many people across different parts of the world. In many developing countries electricity is at a premium. Many villages don't have electricity and people have to take a trip to a market or another village to get their phones charged. This is an expensive process. (Interesting article on this here and here). In developed countries, many schools do not allow smartphones. In many cases, the kids have a smartphone switched off in their bag or left at home. For parents to keep in touch, these kids usually have a feature phone too. 

While all feature phones that were available until couple of years ago were 2G phones, things have been changing recently. In an earlier tweet I mentioned that Reliance Jio has become a world leader in feature phones:


I also wrote about Jio phone 2 launch, which is still selling very well. So what is common between Jio phones and Nokia 8110 4G, a.k.a. Banana phone

They both use a new mobile operating system called KaiOS. So what is KaiOS?

KaiOS originates from the Firefox OS open-source project which started in 2011 and has continued independently from Mozilla since 2016. Today, KaiOS is a web-based operating system that enables a new category of lite phones and other IoT devices that require limited memory, while still offering a rich user experience through leading apps and services. KaiOS is a US-based company with additional offices in France, Germany, Taiwan, India, Brazil, Hong Kong, and mainland China. You can find a list of KaiOS powered devices here. In fact you can see the specifications of all the initial devices using KaiOS here.

Here is a video that explains why we need KaiOS:



There are couple of really good blog posts by Sebastien Codeville, CEO of KaiOS:

There is so much information in both these articles that I will have to copy and paste the entire articles to do them justice. Instead, I want to embed the presentation that Sebastien delivered at AfricaCom below:



I like the term 'smart feature phone' to distinguish between the smartphones and old dumb feature phones.

Finally, it should be mentioned that some phone manufacturers are using older version of Android to create a feature phone. One such phone is "Reinvent iMi" that is being billed as 'Slimmest Smart 3G Feature Phone' in India. It uses Android 4.1. See details here. Would love to find out more about its battery life in practice.

My only small concern is about security of old Android OS. As Android is extensively used, new vulnerabilities keep getting discovered all the time. Google patches them in newer versions of the software or sometimes releases a separate patch. All updates to the Android OS stops after 3 years. This means that older versions of Android can be hacked quite easily. See here for example.

Anyway, feature phones or 'smart feature phones' are here to stay. Better on 4G than on 2G.

Thursday 4 January 2018

Introduction to 3GPP Security in Mobile Cellular Networks


I recently did a small presentation on 3GPP Security, looking at the how the security mechanism works in mobile cellular networks; focusing mainly on signaling associated with authentication, integrity protection and ciphering / confidentiality. Its targeted towards people with basic understanding of mobile networks. Slides with embedded video below.



You can also check-out all such videos / presentations at the 3G4G training section.

Saturday 1 November 2014

4G Security and EPC Threats for LTE

This one is from the LTE World Summit 2014. Even though I was not there for this, I think this has some useful information about the 4G/LTE Security. Presentation as follows:


Saturday 14 June 2014

AT&T on Mobile Security


Nice presentation from Ed Amoroso from AT&T outlining how the security is evolving to cope with the new technologies and threats. He points to encryption, containerization, proxy & virtualization as the four key pillars of technology for enabling operators to protect the network in a mobility era where the perimeter can no longer do the job it used to do.

Here is the video:

If you cant see the video, click on this link to watch it on Light Reading's website.

Monday 26 November 2012

'LTE' and 'Small Cells' specific applications

Some 4 years back, I posted my first presentation here, titled "LTE Femtocells: Stepping stone for 'killer apps' presentation". I had couple of apps in mind that I thought could benefit from both LTE and Small Cells (or Femtocells to be specific).

The first was your phone acting as a Wireless Hard Disk Drive (HDD) that can be used to store things remotely in a server somewhere. This is similar to what is known as the Cloud nowadays.

Picture Source: Dialaphone.

The other day when I read why LTE is suitable for cloud connectivity, I could see that my old idea could start to become a reality. The article is here. Selective abstract as follows:


The LTE network lends itself well to cloud connectivity because it:
  • provides high-bandwidth connections
  • is IP- and Ethernet-oriented, the technologies used to connect to the cloud and within data centers
  • offers tools that operators didn't have in 2G and 3G (such as more granular ability to manage traffic flows and a better, DPI-based view of traffic running on the network)
  • features low latency, which is vital to the small flows and sessions that characterize M2M communications.
The rise of both cloud services and LTE creates a virtuous cycle. Cloud services continue to grow, which helps operators sustain their LTE business model. That growth enables them to accelerate LTE investments. Then operators can support new types of enterprise services, including cloud-based applications.
To take full advantage of this opportunity, operators have to deploy the right backhaul infrastructure. In addition to IP awareness and content awareness, the right backhaul network can leverage the technical advantages that LTE presents:
  • flattened architecture that helps distribute compute and storage resources
  • seamless migration from 2G and 3G for various physical mediums and networking protocols
  • an increase in capacity that starts to put mobile connectivity on par with fixed broadband access.


My reasoning for Small Cell here is, in most cases when you are doing operations that require large amounts of data to be transferred, you will be indoors, either at home or in office or in a low mobility scenario. The requirement for high security and at the same time high speed data transfer that should not be affected by other users in the cell (capacity issues) can be easily solved by using a Small cell (Femtocell for indoors, Metrocell for outdoors).


The other application I had in mind was the Home Security System. I read the following on TotalTele the other day:


3UK's wholesale division on Friday detailed plans to capture high-margin machine-to-machine traffic by partnering with service providers that are likely to have higher-than-average bandwidth requirements.
As a 3G-only operator, the company cannot go after high volume, low margin M2M traffic because it typically only requires a 2G connection. However, there are opportunities to use its 3G network to address more data-hungry verticals that will generate higher traffic volumes.
"The margin on one CCTV M2M connection is more than 50 times bigger than the margin on a smart meter connection," claimed Tom Gardner, lead wholesale manager at 3UK, during Breakfast with Total Telecom in London.
"There is one CCTV camera for every 14 people in the U.K.," he said. "If I can put a SIM in every one of them I'll be a very happy man."
3UK, which on Thursday launched its Ericsson-based wholesale M2M platform, sees a big opportunity in CCTV, particularly for mobile and temporary installations at festivals, for instance. Other potentially lucrative sectors it has identified include digital signage, back-up for fixed Internet connections, and backhauling WiFi traffic from public transport.


I am sure some of you may be thinking that '3' UK uses HSPA network, not LTE, which is true. The point here is that it could be done better using LTE and Small Cells.

The reason for using LTE would be to provide higher data rates, meaning that information can be sent faster, with higher resolution and more regularly. This will help identify the problems earlier. If the CCTV is used indoors or in high usage areas, it would make sense that it connects via Small Cell to avoid creating capacity issues in the Macro network.

Here is the embed again, of my old presentation just in case if it interests you:




Tuesday 17 April 2012

Release-12 Study on Integration of Single Sign-On (SSO) frameworks with 3GPP networks



This Work Item aims to provide service requirements for interworking of the operator-centric identity management with the user-centric Web services provided outside of an operator’s domain. Specifically, it addresses integration of SSO and the 3GPP services, which is essential for operators to leverage their assets and their customers’ trust, while introducing new identity services. Such integration will allow operators to become SSO providers by re-using the existing authentication mechanisms in which an end-user’s device effectively authenticates the end user.

For the operator to become the preferred SSO Identity Provider might require integration of the operator core with existing application service / content providers to allow the usage of credentials on the UE for SSO services. The 3GPP operator may leverage its trust framework and its reliable and robust secure credential handling infrastructure to provide SSO service based on operator-controlled credentials. Such SSO integration has to work with varied operator authentication configurations.

The Objective is to provide a comprehensive set of service requirements for the integration of SSO frameworks with 3GPP network by building upon the work done in the related feasibility study FS_SSO_Int (published in TR 22.895) as well as previously published related technical reports. This Work Item covers the following:

Service requirements for integration of Identity Management and SSO frameworks, e.g. OpenID;
Service requirements for Operators to enable users to access 3rd party  services using Operator controlled user credentials;
Service requirements associated with ensuring that the intended user is making use of the associated SSO capability (including the case when the UE has been stolen or lost).

3GPP TR 22.895 V12.0.0 - Study on Service aspects of integration of Single Sign-On (SSO) frameworks with 3GPP operator-controlled resources and mechanisms (Release 12) is an interesting read that provides use cases for SSO

The diagram above is from an interesting paper titled "Multi-domain authentication for IMS" that describes SSO and other authentication procedures and introduces the advantage of SSO.



Sunday 8 April 2012

Security issues in new technologies

I have attended a lot of events/talks in the last month where people talked about Augmented Reality, Proximity Marketing, QR codes, etc. but nobody seems to talk about security. Its being taken for granted. For example MAC's have been said to be Virus proof and they probably are but other Apps may be infectable and in this case its the Java that has allowed a MAC botnet about 0.6 Million strong.

Some years back proximity marketing via Bluetooth was a big thing and we were lucky to be involved with couple of projects making it possible but then the Bluetooth virus came to light and people stopped leaving their Bluetooth on in public places. Doesnt look like Bluetooth based proximity marketing has gone very far since those days.

QR codes is a simple way to for advertisers redirect the end users to their websites but then recently I read that a rogue QR code can be used to redirect the end users to a site that can be used to hack their phones. The main thing pointed out is that 99% of the time QR codes are read by mobile phones and 99% of these phones are either iPhones or Android's, which can help narrow down the exploits.

There is a good chance that when there is mass adoption of these new technologies, Security is going to be a big issue. Not sure if enough is being done. If there are any pointers on security issues please feel free to comment.

Monday 15 February 2010

New Technologies for Mobile Phone Theft prevention

Design Out Crime: Mobile Phone solutions from Design Council on Vimeo.


Three prototype solutions for preventing mobile phone theft have been unveiled.

The i-migo, the 'tie' solution and TouchSafe have been developed to counter crimes such as mobile phone identity fraud, which rose by over 70 per cent in 2009.

TouchSafe uses Near Field Communications (NFC) technology similar to that used by the Oyster Card and requires the handset's owner to carry a small card with them that they touch on the phone every time they make a purchase.

The 'tie' solution makes an association between a handset and theSIM chip so that other SIMs cannot be used on the handset should the mobile phone be stolen.

And the i-migo is a small device carried by the mobile phone's owner that sounds an alert and locks the handset should it be taken outside of a set range. Additionally, it automates the back-up of any data stored on the device.

The prototypes were inspired by a Home Office initiative to develop new ways of preventing mobile phone theft and will be shown off atMobile World Congress in Barcelona next week.

Home Office Minister Alan Campbell said: "As new technology creates new opportunities for the user it can also provide criminals with opportunities as well.

"I believe the solutions developed by this challenge have the potential to be as successful as previous innovations like Chip and Pin, which reduced fraud on lost or stolen cards to an all-time low, and would encourage industry to continue working with us and take them up," Campbell continued.

Tuesday 3 November 2009

Wavesecure: Helping track lost phones


Siliconindia organized Mobile Applications Conference (MAC) on October 31, where 25 mobile companies exhibited their applications and presented their business plans in NIMHANS (National Institute of Mental Health and Neuro Sciences) convention center, Bangalore, in front of around 400 people and entrepreneurs. Industry leaders within the mobile space also put some light on where the industry is headed and how entrepreneurs and developers can take advantage.

TenCube, whose anchor product, WaveSecure, is the market leading mobile security suite recognized by customers and analysts, won the best mobile application award. TenCube was the unanimous choice of judges as well as the audience. It got 71 votes followed by Eterno Infotech and Divium, which got 37 and 36 votes respectively. Originally developed for police and military use in Singapore, WaveSecure has become Nokia's preferred mobile security product, chosen to be bundled into millions of premium Nokia devices. It is also the preferred security service selected by leading operators like Telenor and SingTel for their subscribers.

Very interesting FAQ's for those interested.

See Demo below: