L.2 Impersonation of the BSF to the UE during the run of the Ub protocol

3GPP TS 33.220: Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)

To prevent an impersonation attack of the BSF to the UE during the run of the Ub protocol, the authentication of the BSF to the UE is improved by protecting the communication with TLS. An attacker succeeds only if he can break both the certificate-based TLS authentication to the UE and the mutual authentication provided by HTTP Digest using a password derived from GSM procedures. One way to break TLS is to compromise the certificate.

If an attacker were able to obtain a forged server certificate with the name of the genuine BSF from a compromised Certification Authority, then the attacker could break the certificate-based TLS authentication to the UE. Furthermore, the attacker would be able to perform a man-in-the-middle attack between the UE and the BSF by playing TLS server towards the UE and TLS client towards the BSF. Such a man-in-the-middle attack would make it possible for the attacker to read Ks-input and hence have a greater chance to compute the key Ks.

The man-in-the-middle attack could be countered by the use of channel binding as described in RFC 5929 [48]. This approach was not pursued further due to the perception that the risk posed by the relative weakness of GSM security was far greater than the risk posed by a CA.
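The following added example (not part of the specification) illustrates why the RFC 5929 `tls-server-end-point` binding would expose the man-in-the-middle described above: the UE binds its authentication to the certificate it actually saw, and the BSF checks that against its own certificate. The function names, the HMAC construction and the shared secret unknown to the attacker are assumptions made for illustration; the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac

def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 'tls-server-end-point': hash of the server certificate, using
    the hash function of the certificate's signature algorithm, with MD5 and
    SHA-1 replaced by SHA-256."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def ue_binding_proof(secret: bytes, cert_seen: bytes, sig_hash: str) -> bytes:
    # Assumption: the binding is keyed with a secret shared by UE and BSF,
    # so a party without the secret cannot recompute the proof.
    cb = tls_server_end_point(cert_seen, sig_hash)
    return hmac.new(secret, b"tls-server-end-point:" + cb, hashlib.sha256).digest()

def bsf_accepts(secret: bytes, own_cert: bytes, sig_hash: str, proof: bytes) -> bool:
    # The BSF derives the binding from its own certificate and compares in
    # constant time with what the UE sent.
    expected = ue_binding_proof(secret, own_cert, sig_hash)
    return hmac.compare_digest(expected, proof)

# Constructed sample values (not real certificates or keys).
SECRET = b"constructed-shared-secret"
BSF_CERT = b"constructed DER bytes: genuine BSF certificate"
FORGED_CERT = b"constructed DER bytes: forged certificate, same BSF name"

def run(cert_presented_to_ue: bytes) -> bool:
    """Return True if the BSF accepts the UE's proof for this TLS session."""
    proof = ue_binding_proof(SECRET, cert_presented_to_ue, "sha256")
    return bsf_accepts(SECRET, BSF_CERT, "sha256", proof)

if __name__ == "__main__":
    print("direct connection accepted:", run(BSF_CERT))
    print("man-in-the-middle accepted:", run(FORGED_CERT))
```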

NOTE: For a way of reducing the risk of the UE using the root key associated with a compromised Certification Authority (CA) see clause I.6.2 of the present specification.