10.1.1.105.193
DESCRIPTION
nTRANSCRIPT
-
P10/ 1
Performance Analysis of 3G Protocol: Encryption and Authentication
Anita Singhrova1, Rita Mahajan 2
1 Lecturer, Computer Science and Engineering Department, C R State College of Engineering, Murthal, Sonepat, Haryana, India. [email protected] 2 Lecturer, E & Ec Department, Punjab Engineering College, Deemed University, Chandigarh-160012, India. [email protected]
ABSTRACT 3G provides two types of security algorithms, KASUMI for encryption and Milenage for
authentication. This paper presents performance analysis and comparison between the algorithms in terms of time complexity. Parameters considered are processing power and input size. Security features may have adverse effect on quality of services offered to the end users and the system capacity. The computational cost overhead that the security protocols and algorithms impose on lightweight and users devices is analyzed. The analysis results revealed the effect of authentication and encryption algorithms of 3G on system performance defined in terms of throughput.
Keywords: Mobile Security; Universal mobile telecommunication system; Time complexity; Kasumi; Rijndael.
1. INTRODUCTION The Universal Mobile Telecommunication system (UMTS) is a realization of third generation (3G)
networks, which intend to establish a single integrated and secure network. Mobile/wireless Internet is becoming available with 3G mobile communication systems. Wireless networks are as such less secure and mobility further adds to security risk. Therefore, it is desirable that 3G is at least as secure as fixed networks.
The complete 3G security architecture consists of five major security classes: (i) network access security, (ii) network domain security, (iii) user domain security, (iv) application domain security and (v) visibility and configurability of security [1].
Security is achieved at the cost of performance degradation; it is critical and fundamental to quantitatively measure overhead caused by various security services [2][3].
Network access security is a key component in the 3G security. The class deals with the set of security mechanisms that provide users with secure access to 3G services. Such mechanisms include: (i) user identity confidentiality, (ii) authentication and key agreement, (iii) Data confidentiality and (iv) Integrity Protection. In 3G UMTS, encryption is implemented using KASUMI algorithm and authentication is implemented using MILENAGE algorithm [4] [5].
The rest of this article is organized as follows. 3G security overview is presented in section 2. In section 3, analytical analysis is provided for 3G encryption and authentication algorithms with respect to time complexity. Section 4, provides the throughput of encryption and authentication algorithm. Finally, summary and conclusion are discussed in section 5.
2. 3G SECURITY OVERVIEW Third generation mobile systems such as UMTS revolutionized telecommunications technology by
offering mobile users content rich services, wireless broadband access to Internet, and worldwide roaming. However, the broadcast nature of the wireless communication and increased popularity of wireless devices introduce serious security vulnerabilities. Mobile users and providers must be assured of the correct identity of the communicating party; user and signaling data must be protected with confidentiality and integrity mechanisms [4].
Encryption and Authentication are the two main security mechanisms in 3G network access securities [5].
-
P10/ 2
2.1 Encryption Within the security architecture of the 3GPP system there are two standardized algorithm: a
confidentiality algorithm f8, and an integrity algorithm f9 [4]. Each of these algorithms is based on the KASUMI algorithm [6][8].
2.2 Authentication The UMTS authentication algorithm consists of seven functions f1,f1*,f2,f3,f4,f5 and f5*. The
standardized algorithm set for these seven functions is called MILENAGE [4][8]. MILENAGE has been designed by the experienced group that already designed KASUMI, f8 and f9. For MILENAGE, a specific kernel has to be chosen, and therefore Rijndael was selected [7]. Rijndael is an iterated block cipher with a 128 bit block length and a 128 bit key length. It is composed of eleven rounds that transform the input into the output
3. ANALYTICAL ANALYSIS
This section focuses on 3G authentication and encryption computation time complexity. Before analyzing the encryption and authentication algorithm cryptographic algorithm requirements must be known [8].
3.1. Encryption 3G encryption uses KASUMI algorithm. KASUMI uses a 128 bit key and block size of 64 bits. The
algorithm has 8 distinct steps and 8 rounds [6]. Steps 1 to 8 are functionally identical and are dependent on different portions of input key. Out of 8 steps, in Steps 1,3,5,7 Fodd (I, RKi) = FOi (FLi (I, KLi), KOi, KIi) Steps 2,4,6,8 Feven ( I, RKi ) = FLi ( FOi ( I, , KOi, KIi ) , KLi )
3.1.1. FL Function The function FL consists of two XOR (16-bit each), four 16-bit copy, one AND, one OR and two
left shifts (cyclic) by one bit each [6]. The input to the function FL comprises a 32-bit data input I and a 32-bit sub key KLi. The sub key is split into two 16-bit sub keys, KLi,1 and KLi,2 where KLi = KL i,1 || KL i,2. The input data I is split into two 16-bit halves, L and R where I = L || R. The 32-bit output value is ( L|| R ). Where R=R ROL( L KL i,1 ) and L=L ROL( R KL i,2 ) 3.1.2. FO Function
The input to the function FO comprises a 32-bit data input I and two sets of sub keys, a 48-bit sub key KOi and 48-bit sub key KIi [6]. The 32-bit data input is split into two halves, L0 and R0 where I = L0 || R0. The 48-bit sub keys are subdivided into three 16-bit sub keys where
KOi = KOi,1 || KOi,2 || KOi,3 and KIi = KIi,1 || KIi,2 || KIi,3. Then for each integer j with 1 j 3 we define: Rj = FI(Lj-1 KOi,j , KIi,j ) Rj-1 Lj = Rj-1 Finally we return the 32-bit value (L3 || R3). This function consists of six 16-bit XOR, six 16-bit copy and three FI function call.
3.1.3. FI Function The function FI takes a 16-bit data input I and 16-bit sub key KIi,j. The input I is split into two
unequal components, a 9-bit left half L0 and a 7-bit right half R0 where I = L0 || R0. Similarly the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component KIi,j,2 where KIi,j = KIi,j,1 || KIi,j,2. The function uses two S-boxes, S7 and S9. It also uses two additional functions which we designate ZE( ) and TR( ). L1 = R0 R1 = S9[L0] ZE(R0) L2 = R1 KIi,j,2 R2 = S7[L1] TR(R1) KI i,j,1 L3 = R2 R3 = S9[L2] ZE(R2)
-
P10/ 3
L4 = S7[L3] TR(R3) R4 = R3 The function returns the 16-bit value (L4 || R4).This function consists of three 9-bit XOR, three 7-bit XOR and six 7-bit copy. Two times S9 and S7 mappings respectively, and invokes ZE( ) and TR( ) functions twice.
3.1.4. S-boxes The two S-boxes have been designed so that they may be easily implemented in combinational logic
as well as by a look-up table. Both forms are given for each table [6]. x = x8 || x7 || x6 || x5 || x4 || x3 || x2 || x1 || x0 y = y8 || y7 || y6 || y5 || y4 || y3 || y2 || y1 || y0 where the x8, y8 and x7,y7 bits only apply to S9, and the x0 and y0 bits are the least significant bits. In the logic equations: x0x1x2 implies x0 x1 x2 where is the AND operator.
3.1.5. Key Schedule KASUMI has a 128-bit key K. Each round of KASUMI uses 128 bits of key that are derived from K
[6]. Before the round keys can be calculated two 16-bit arrays Kj and Kj (j=1 to 8) are derived. The 128-bit key K is subdivided into eight 16-bit values K1K8 where K = K1 || K2 || K3 |||| K8. A second array of sub-keys, Kj is derived from Kj by applying: For each integer j with 1 j 8 Kj= Kj Cj where Cj is the constant value.
This function consists of eight 16-bit XOR, eight 1-bit cyclic left shift, eight 5-bit cyclic left shift, eight 8-bit cyclic left shift and eight 13-bit cyclic left shift. The extraction of round sub-keys is a 2-D table lookup.
TABLE 1. KASUMI basic operations
** for 32-bit processor and up to 32-bits N=1.
TABLE 2. KASUMI --- FL function operations t Times time needed Equivalent total 16-bit XOR 2 1 2
16-bit COPY 4 1 4 16-bit AND 1 1 1
16-bit OR 1 1 1 16-bit left shift 2 1 2
16-bit split 1 3 3 16-bit combine 1 3 3 2D key lookup 2 3 6
Total=22 operations
EQUIVALENT SIMPLE OPERATIONS Basic operation TYPE TIMES
NEEDED SPACE
NEEDED ZE XOR 1 TR XOR 1
MULTIPLY 1 ADD 1
2 --- D table map
( for i:j bit map) 1-D TABLE LOOKUP 1 I ROWS * J COLUMNS
Left Shift LEFT SHIFT BY N BITS 1 Copy** N * 32-BITCOPY N XOR** N * 32-BIT XOR N AND** N * 32-BIT AND N OR** N * 32-BIT OR N
-
P10/ 4
TABLE 3. KASUMI -- FI function operations times time needed Equivalent total
Key XOR (KIi,j,1 and KIi,j,2)
2 1 2
9-bit XOR 2 1 2 7-bit XOR 2 1 2 7-bit copy 3 1 3 9-bit copy 3 1 3
S9 mapping (1-D table map)
2 1 2
S7 mapping (1-D table map)
2 1 2
ZE 2 1 2 TR 2 1 2
7-9 bit split 1 4 4 7-9 bit combine 1 3 3
K Key split in seven 1 2 2 Key split in nine 1 2 2
Total = 31 operations
TABLE 4. KASUMI -- FO function operations times time needed Equivalent total 16-bit XOR 6 1 6
16-bit COPY 6 1 6 FI ( )* 3 31 93
16 bit split 1 3 3 16 bit combine 1 3 3 2D key lookup 6 3 18
Total = 129 operations *in one FO( ), FI ( ) is called three times
TABLE 5. KASUMI -- Keys operations times time needed Equivalent Total
Endian correct 8 5 40 K prime 8 2 16
C construct subkeys 8 34 272 Total = 328 operations
TABLE 6. KASUMI operations in one block encryption step operations
times Time
needed Equivalent total
1-8 32-bit COPY 16 1 16 1-8 32-bit XOR 8 1 8 1-8 FL ( ) 8 22 176 1-8 FO ( ) 8 129 1032
key setup 1 328 328 1 32 bit split 1 22 22 8 32 bit combine 1 14 14
Total = 1596 operations
-
P10/ 5
3.1.6 Computational cost Encryption functionality imposes an additional computational cost [2] [3]. Tkasumi is total number of operations in block (encryption)=1596. Tkasumi = 1596 Sd is the size of original message (in bytes). N is the message size in bits. N=8 *Sd n is the total number of blocks. n = Ceil (N 64) where Ceil(x) means the smallest integer >= operand Ukasumi is the total number of operations required for KASUMI encryption or decryption of message size Sd. Ukasumi = ceil ((8 * Sd) 64) * Tkasumi. = n * Tkasumi Cp is MIPS performed by the processor. tkasumi (Sd, Cp) is the time required for encryption (decryption) for processor speed Cp and message size Sd in bytes. tkasumi (Sd , Cp ) = Ukasumi (Sd ) Cp or tkasumi (Sd , Cp ) = (ceil ((8 * Sd ) 64) * Tkasumi) Cp Or tkasumi (Sd, Cp) = (n * Tkasumi) Cp
The mobile devices are equipped with embedded processors, which can perform 100-500 Million of Instructions per Seconds (MIPS) [9].
Encryption time
0
200
400
600
5 10 15 20 25 30n ( Number of input blocks)
Enc
rypt
ion
tim
e
( in m
icro
se
cs)
100 MIPS200 MIPS300 MIPS400 MIPS500 MIPS
Fig 1: Encryption time (in sec) as a function of number of packets for different processing speeds (MIPS).
3.2. Authentication 3G authentication is implemented by Rijndael. Rijndael is an iterated block cipher with a variable block length and variable key length [7]. The block and key length are independently specified as 128 bits for 3GPP and is used in encryption mode [7]. It consists of 9 rounds in addition to an initial and a final round to transform the input into the output. An intermediate result is called state. The state can be a 4 X 4 rectangular array of bytes (128 bits in total).
3.2.1. The Byte Substitution Transformation It is a non-linear byte substitution, operating on each of the State bytes independently. The
substitution table is stored as S-box. For every element of State, we apply the transformation: bi,j = S-box [ai,j] where ai,j is the initial value of the element in State, and bi,j is the output value of the element in State.
-
P10/ 6
In this transformation, we require 16 1-Dimensional lookup for 16 elements. Therefore, 16 operations are carried for 1 block of input of 128 bits.
3.2.2. The Shift Row Transformation In this transformation, the rows of the State are cyclically left shifted by different amounts. Row 0 is
not shifted, four states in row 1 are shifted by 1 byte, four states in row 2 by 2 bytes and four states in row 3 by 3 bytes. Therefore, 0 + (4*1) + (4* 2) + (4* 3) = 24 operations.
3.2.3. The Mix Column Transformation The mix column transformation operates on each column of the State independently. For column j,
we have b0,j = T2(a0,j) T3(a1,j) a2,j a3,j b1,j = a0,j T2(a1,j) T3(a2,j) a3,j b2,j = a0,j a1,j T2(a2,j) T3(a3,j) b3,j = T3(a0,j) a1, j a2,j T2(a3,j)
where T2(a) = 2*a if a < 128 or T2(a) = (2*a) 283 if a >= 128 and T3(a) = T2(a) a. For each column there are (4 XOR + 1 multiplication + 1 optional XOR) *4. Since there are 4 columns there will be 80 or 100 operations.
3.2.4. The Round Key addition In this operation, a Round Key is applied to the State by a simple bitwise exclusive-or. The Round
Key is derived from the Cipher Key by means of the key schedule. The Round Key length is equal to the block length. So, for every element of State, we have: bi,j = ai,j rki,j Where ai,j is the initial value of the element in State, bi,j is the output value of the element in State and rki,j is the round key byte. There are total of 16 XOR. Therefore, 16 operations are required for this transformation.
3.2.5. Key schedule Rijndael has 11 Round Keys, numbered 0-10, that are each 4x4 rectangular arrays of bytes.
Let rkr,i,j be the value of the rth Round Key at position (i, j) in the array and ki,j be the cipher key loaded into a 4x4 array.
Initialization: rk0,i,j = ki,j for all i and j. The other Round Keys (r=1 to 10 inclusive) are calculated from the previous one as follows. First the 0th column is constructed: rkr, 0, 0 = rkr-1,0,0 S-box[rkr-1,1,3] round-const[r] rk r, 1, 0 = rk r-1,1,0 S-box[rk r-1,2,3] rkr,2,0 = rkr-1,2,0 S-box[rk r-1,3,3] rkr,3,0 = rk r-1,3,0 S-box[rk r-1,0,3]
where round-const[1] = 1 and round-const[r] = T2(round-const[r-1]), and S-box is the previously mentioned byte substitution.
Then the remaining three columns are constructed in turn from the corresponding column of the previous Round Key and the previous column of the current Round Key: rk r,i,j = rk r-1,i,j rk r,i,j-1 for i=0,1,2,3 and j=1,2,3.
There are total 16 operations for initialization, 6 operations for zeroth column and 12 operations for other columns. Hence, there are total (6*10) + 12 = 72 operations for all the four columns.
-
P10/ 7
TABLE 7. Rijndael basic operations
TABLE 8. Rijndael operations
TABLE 9. Total Rijndael operations in one block authentication
Total = 1441 operations
3.2.6 Computational cost Authentication imposes an additional computation cost [2][3]. Trijndael is total number of operations in 1 block encryption.
EQUIVALENT SIMPLE OPERATIONS BASIC OPERATION Type Times needed Space needed
Round key Addition 8-bit XOR 1 Byte substitution
Transformation -D table lookup [B ] 1 b
Shift row Transformation
left shift by n bit 1
XOR 1 Mix column Transformation
Multiply 1 XOR 1 Key schedule
MULTIPLY 1 Key schedule Initialization 8-bit copy 1
Multiply 1 Add 1
2-D table look up (for i:j bit map)
1-D table lookup 1 i i rows*j col COPY 1 Add 1
2-D table ( for 4*4 bit map)
into 1-D or vice versa Right shift by 2 bits 1 4 rows* 4 col
Operations times time needed
Equivalent Total
Round key addition 16 1 16 Byte substitution transformation 16 1 16
Shift row transformation (1 for 1st row , 2 for 2nd row and 3 for 3rd row) 4
1+1+1=3 12
Column transformation ( 4 XOR + 1 Multiply +1 XOR optional ) *4 for 1 col. 4
(4+1)*4=20 80
Key initialization 16 4 16 Key schedule (5 XOR+ 1 Multiply )
*10 (for rounds ) + 12 XOR for 4 columns) 1 60 + 12=72 72
step operations times Time needed Equivalent total
0 Key initialization 1 1 1 Key schedule 1 72 72
0-10 Key ( 2-D lookup) 11 3 33 1 8-bit round key addition 1 16 16
1-9 Round 9 16+12+80+16 =124 1116 10 Final round 1 11 16+12+16= 44 56
0 1-D rep. into 2D 16 3 48 10 2-D rep. into 1-D 16 3 48
-
P10/ 8
Trijndael = 1441 Sd is the size of original message (in bytes). N is the message size in bits. N=8 * Sd n is the total number of blocks. n = Ceil (N 128) where Ceil(x) means the smallest integer operand Urijndael is the total number of operations required for Rijndael encryption or decryption of message size Sd. Urijndael= ceil ((8 * Sd) 128) * Trijndael = n * Trijndael Cp is MIPS performed by the processor. trijndael (Sd, Cp) is the time required for encryption (decryption) for processor speed Cp and message size Sd in bytes. trijndael (Sd , Cp ) = Urijndael (Sd ) Cp or trijndael (Sd , Cp ) = (ceil ((8 * Sd ) 128) * Trijndael) Cp or trijndael (Sd, Cp ) = (n * Trijndael) Cp
The mobile devices are equipped with embedded processors, which can perform 100-500 Million of Instructions per Seconds (MIPS) [9].
Authentication time
050
100150200250300350400450500
5 10 15 20 25 30n ( Number of blocks)
Auth
entic
atio
n tim
e (in
m
icro
se
c)
100 MIPS200 MIPS300 MIPS400 MIPS500 MIPS
Fig 2: Authentication time (in sec) Vs n of i/p blocks and processing power
To draw comparison between the computational cost of encryption and authentication, a graph is drawn with number of operations and number of packets as inputs.
Total operations required
0
2
4
6
8
10
12
100 200 300 400 500 600Number of packets
No of o
pera
tions
(in 10
0000
)
KASUMIRijndael
Fig 3: Number of operations required as a function of packet size
-
P10/ 9
4. THROUGHPUT
Throughput is defined as the number of bits in one time unit and is measured in Mbps [ 1]. throughputkasumi : n blocks require tkasumi (in sec) time period for encryption for a given Cp. Therefore, in 1sec = (n*64 bits) tkasumi (in sec)
throughputrijndael : n blocks require trijndael (in sec) time period for authentication for a given Cp. Therefore, in 1sec = (n*128 bits) trijndael (in sec)
Throughput
05
101520253035404550
100 200 300 400 500Processing power (in MIPS)
Thro
ugh
put (i
n M
bps)
KasumiRijndael
Fig 4: Throughput (in Mbps) as a function of processing speed (in MIPS)
5. SUMMARY AND CONCLUSION Encryption consumes significantly more processing resources compared to authentication. The time
required for security transformation increases proportionally with the required number of operations, but it also involves the processor capabilities. Since the numbers of operations are greater for encryption then authentication, throughput for encryption is low compared to authentication. Encryption should be used in critical user information not for regular traffic flow. Encryption if needed should be combined with authentication. In this case if the message fails authentication, decryption process is saved (not performed). Finally, except for the transformation complexity and the processor capabilities, the real time required for a packet to be protected depends on the overall system load as well.
ACKNOWLEDGEMENTS The authors would like to thank all the staff members of the Department of computer science and the Department of information technology of Punjab Engineering College, Chandigarh, India for their advice and encouragement.
REFERENCES
[1]. 3GPP TS 33.102 (v3.12.0), 3G Security: Security Architecture, Release 99, June 2002. [2]. O. Elkeelany, M. Matalgah, K. Sheikh, M. Thaker, G. Chaudhry, D. Medhi, J. Qaddouri, Performance analysis of IPSec protocol: encryption and authentication, Proc. IEEE Intl Conf. Communications, pp. 1164-1168, New York, NY, April-May 2002. [3]. Christos Xenakis, Lazaros Merakos, IPsec based end_to_end VPN deployment over UMTS, Computer Communications vol. 27, pp.1693-1708, May 2004.
-
P10/ 10
[4]. Stefan Pitz, Roland Schmitz, Tobias Martin, Security mechanisms in UMTS, Datenschutz und Datensicherheit (DUD), vol. 25, pp 1-10. 2001. [5]. Christos Xenakis, Lazaros Merakos, Security in 3G Mobile network, Computer communications, vol. 27, pp 638-650, 2004. [6]. 3GPP TS 35.201 (v.1.0), Specification of 3GPP confidentiality and integrity algorithm, Document 1: f8, f9 specification Dec 1999. [7]. 3GPP TS 35.205 (v.1.0), Specification of Milenage algorithm for the 3GPP authentication and key generation functions Nov 2000. [8]. 3GPP TS 33.105 (v4.1.0), 3G security: cryptographic algorithm requirements, release 4, 2001. [9]. ARM microprocessor solutions from ARM Ltd, http://www.arm.com/products/CPUs