The evolution of cryptographic algorithms – Ericsson

Cryptographic algorithms and security protocols are among the main building blocks for constructing secure communication solutions in the cyber world. They correspond to the locks that secure a house in the physical world. In both, it is very difficult to access the assets inside without a valid key. The algorithms and protocols are based on hard mathematical and computationally infeasible problems, whereas the lock mechanisms are based on the difficulty of solving the physical construction.

Mobile networks are critical infrastructure and heavily use advances in cryptographic algorithms and protocols to ensure the security of the information in the communication and privacy protection for the individuals. In this blog post, we take a detailed look at the cryptographic algorithms and protocols used in mobile communications and share some insights into the recent progress. We give an overview taking into consideration the development from 2G to 5G and beyond. In addition, we present detailed information on the progress toward defining the profiles to be used in the security protocols for the mobile communication systems. Last but not least, we give the current status and future plans for post-quantum cryptographic algorithms and protocols.

It can be hard to get an overview of the cryptographic algorithms used in mobile networks. The specifications are spread out over many documents, published over a period of 30 years by the three standardization organizations: 3GPP, ETSI and GSMA. The algorithms can also have quite cryptic names, with more than one name often given to the same algorithm. For example, GEA5, UEA2, 128-EEA1 and 128-NEA1 are almost identical specifications of SNOW 3G for GPRS, UMTS, LTE and NR respectively.

The 3GPP/GSMA algorithms come in three different types: authentication and key generation, encryption and integrity. The authentication and key generation algorithms are used in the Authentication and Key Agreement (AKA) protocol. The encryption and integrity algorithms are used together or independently to protect control plane and user plane data. An overview of all currently specified algorithms is shown in Figures 1 and 2.

The second generation (2G or GSM) mobile networks have quite low security by todays standards. But GSM was actually the first mass-market communication system to use cryptography, which was both revolutionary and controversial. At the time, export of cryptography was heavily restricted and GSM had to be designed with this in mind. The encryption algorithms A5/1 and A5/2 are LFSR-based stream ciphers supporting 64-bit key length. A5/2 is a so-called export cipher designed to offer only 40-bit security level. Usage of export ciphers providing weak security was common at that time and other standards like TLS also supported export cipher suites.

To further align with export control regulations, the key generation algorithms COMP128-1 and COMP128-2 decreased the effective output key length to 54 bits by setting 10 bits the key to zero. While A5/1 and A5/2 mostly met their design criteria, COMP128-1 was a very weak algorithm and was soon replaced by COMP-128-2 and COMP128-3. When packet-switched data was introduced with GPRS, slightly different algorithms GEA1 and GEA2 were introduced. Similar to A5/1 and A5/2, GEA1 and GEA2 are LFSR-based stream ciphers supporting 64-bit key length, where GEA1 was the export cipher. The export ciphers A5/2 and GEA1 are forbidden to support in phones since many years and COMP128-1 is forbidden to support in both networks and SIM cards. None of the original 2G algorithms were officially published anywhere as they were intended to be kept secret, which was quite common practice at the time. But all were reverse engineered by researchers in academia nearly a decade after their development.

The third generation (3G or UMTS) mobile networks introduced 128-bit security level public encryption and integrity algorithms. In 3G, the algorithms were selected by the ETSI Security Algorithms Group of Experts (SAGE), which has since made recommendations for all the new algorithms for mobile networks. The final decision is always taken by 3GPP SA WG3, the security working group in 3GPP. While many other designs from the same time, such as SSH and TLS, turned out to have significant flaws, the 3G algorithms and their modes of operation are still secure today.

The 3G encryption algorithms UEA1 and UEA2 use the KASUMI block cipher and the SNOW 3G stream cipher, which are slightly modified versions of the MIST block cipher and SNOW 2.0 stream cipher respectively. The integrity algorithm UIA1 is CBC-MAC using KASUMI and UEA2 is a Carter-Wegman MAC based on SNOW 3G. For authentication and key generation, the exact algorithm is not standardized and it is up to the operator to choose the algorithm deployed in their home network and SIM cards. 3GPP defines the Milenage algorithm (based on AES-128) as a well-designed example algorithm and this choice is widely used in practice. All the 3G algorithms have also been specified to be used in 2G.

Figure 1: 3GPP/GSMA algorithms for authentication and key generation - Green algorithms are secure while red algorithms only offer 64-bit security or less.

Figure 2: 3GPP/GSMA algorithms for encryption and integrity protection - Green algorithms are secure while red algorithms only offer 64-bit security or less.

The fourth generation (4G or LTE) mobile networks replaced KASUMI with AES-128. The encryption algorithm 128-EEA2 is AES in counter mode (AES-CTR) while the integrity algorithm 128-EIA2 is AES in CMAC mode. 4G also introduced Tuak, a new algorithm family for authentication and key generation based on Keccak hash algorithm but using slightly different parameters from the one which NIST later standardized as SHA-3. SIM cards are recommended to support both Milenage and Tuak. 4G also introduced an optional algorithm, ZUC, to construct 128-EEA3 and 128-EIA3 algorithms, which are the only optional ones to be supported in implementations. It is also worth mentioning that 3GPP specifies at least two mandatory algorithms due to the security practice of having a backup algorithm.

The fifth generation (5G or NR) uses exactly the same algorithms used in 4G. There are no weaknesses in any of the 4G algorithms and they offer good enough performance when implemented in hardware. However, the currently used algorithms are not suitable for future deployments as they are slow in software, does not support 256-bit keys, and only support 32-bit MACs. Software performance is essential for software implementations in virtualized deployments. While these algorithms are fast enough for 5G when implemented in hardware, they perform far worse than state-of-the art algorithms also in hardware and will likely not be suitable for 6G.

3GPP SA3 and ETSI SAGE have therefore started working together on new virtualization-friendly algorithms suitable for later 5G releases and 6G. It is essential that the new algorithms perform well in software on a wide range of architectures (such as x86, ARM and RISC-V) and that they can also be efficiently implemented in hardware. AES-CTR is already fulfilling these criteria, but would have to be accompanied by a high-performance integrity mode like GMAC. SNOW 3G is not up to the task, but the new cipher SNOW-V would be a perfect fit, outperforming even AES-GCM on x86 processors.

The new algorithms to be introduced to 3GPP will likely support only 256-bit key length and offer at least 64-bit tags. While 128-bit algorithms will be practically secure against quantum computers, cellular networks are increasingly classified as critical infrastructure. Already today, governments and financial institutions often mandate more than 128-bit security level for protection of their communication.

While mobile networks use some algorithms and security protocols specific to 3GPP, most of the security protocols used in 5G such as TLS, DTLS, IKEv2, ESP, SRTP, X.509, and JOSE are standardized or maintained by the Internet Engineering Task Force (IETF). 3GPP has, for many years, had the excellent tradition of updating their security profiles in almost every release following recommendations from academia, IETF and other organizations. A large part of this work has been driven by Ericsson.

The general 3GPP profiles for (D)TLS, IPsec and X.509 specified in TS 33.210 and TS 33.310 apply to many different 3GPP interfaces. 3GPP now has some of the best and most secure profiles for TLS and IPsec. 3GPP was, for example, very early with mandating support for TLS 1.3 and with forbidding TLS 1.1 and all weak cipher suites in TLS 1.2. Best practice today is to encrypt as much information as possible and to do key exchange with Diffie-Hellman to enable Perfect Forward Secrecy (PFS). The profiles are well ahead of most other industries as well as IETFs own profiles. 5G is increasingly referred to as critical infrastructure and as such the security profiling should be state-of-art.

For Rel-16 and Rel-17, 3GPP initiated work items specific to security updates, but similar work has been done for much longer under the general TEI work item. For Rel-17, 3GPP aims to mandate support for SHA-256 in the few remaining places where MD5 or SHA-1 is still in use, introduce Curve25519 for low latency key exchange in IKEv2, enable use of OCSP and OCSP stapling as an alternative to CRL everywhere, mandate support of DTLS-STRP and AES-GCM for SRTP, and introduce deterministic ECDSA.

Updating profiles for cryptographic algorithms and security protocols is a process that takes many years because of backward compatibility, as nodes from one release often have to talk to devices from much older releases. Before any weak algorithms or protocol versions are forbidden, the support of strong alternatives needs to have been mandatory for several releases.

Taking into consideration that 3GPP produces approximately one release every 1.5 years, it is essential to mandate the support of new versions of security protocols as soon as possible like 3GPP did with TLS 1.3. Some drawbacks of TLS 1.2 are that it requires a large amount of configuration to become secure and does not provide identity protection, therefore it should be phased out in the future.

Current best practice is to mandate the support of at least two strong algorithms everywhere, so there is always a strong algorithm supported if one of the algorithms is broken. The National Institute of Standards and Technology (NIST) has long functioned as a global standardization organization for cryptographic algorithms. NIST standardizes algorithms in open competitions, inviting contributions from academia all over the world. Both AES and SHA-3 were designed by researchers from Europe. Recently, the Internet Research Task Force Crypto Forum Research Group (IRTF CFRG) has complemented NIST as a global cryptographic Standards Developing Organization (or SDO) and has standardized algorithms like ChaCha20-Poly1305, Curve25519, EdDSA, LMS, and XMSS. NIST has introduced many of the CFRG algorithms within their own standards.

Broken algorithms were once very common, but essentially all algorithms standardized by NIST, IRTF CFRG and ETSI SAGE since 2000 (such as AES, SHA-2, SHA-3, ChaCha20, KASUMI and SNOW 3G) have remained secure, with no practical attacks. Figure 3 gives an overview of broken, weak or legacy algorithms and security protocols. 3GPP has already forbidden most of these and will likely phase out the rest in future releases.

Figure 3: Broken and legacy cryptographic algorithms and security protocols

A big part of future work in upcoming releases will be to introduce quantum-safe algorithms or Post-Quantum Cryptography (PQC). PQC algorithms are cryptographical algorithms that are secure against attacks from quantum computers, which happens to be most algorithms except RSA and Elliptic-Curve Cryptography (ECC). This is something 3GPP is well prepared for, having already future-proofed protocols like 5G Subscription Concealed Identifier (SUCI) by allowing ciphertexts and public keys to be several thousands of bytes long. If somebody builds a sufficiently large quantum computer, RSA and ECC will likely be broken in a matter of hours.

Small quantum computers already exist, however it is still uncertain when (or if) quantum computers capable of breaking these cryptographic algorithms will be built. 3GPP will likely introduce quantum-safe algorithms long before quantum computers even get close to affecting the security of 3GPP systems. Introducing non-standardized cryptographic algorithms likely introduces more risks than it solves, and both 3GPP and IETF have taken the decision to wait for NIST standardization of PQC algorithms, which is already in the final round and will be ready in 2022-2024. After that, IETF will standardize the use of PQC algorithms in (D)TLS, IKEv2, X.509, JOSE and HPKE and as soon as this is done, 3GPP will introduce the new updated IETF RFCs.

Some of the candidates for post-quantum security level 1 in the final round of NIST PQC standardization are summarized in Figure 4. It seems very likely that one of the lattice-based algorithms will be the main replacement for RSA and ECC, for both Key Encapsulation Mechanisms (KEM) and signatures. KEM provides a simplified interface for key exchange and public key encryption. Lattice-based algorithms have slightly larger public keys, signature and ciphertext sizes than the ones of RSA, but they are even faster than ECC. As can be seen from Figure 4, PQC is very practically useful for most applications. Transition to PQC can be seen as a bigger step than the transitions from 3DES to AES and SHA-1 to SHA-256, as it might require security protocol changes to a larger degree. Note that PQC algorithms are not relying on quantum mechanics and software implementation does not require any new hardware.

Figure 4: Some candidates (post-quantum security level 1) in the third and final round of NIST PQC Standardization. The performance measurements are single-core on Skylake 2.5 GHz https://bench.cr.yp.to/ebats.html (lower is better)

128-bit symmetric algorithms will not be practically affected by quantum computers and NIST is currently labeling AES-128 as post-quantum security level 1. Even so, 3GPP is moving towards increased use of 256-bit keys and algorithms such as AES-256.

More information about the algorithms used in mobile networks can be found in the specification series prepared by the 3GPP SA3 working group. For the main profiles used in the security protocols, check 3GPP TS 33.210 and TS 33.310.

To learn and keep up to date on the latest progress in post-quantum cryptography, follow NIST PQC Standardization.

Learn more about the realities of post-quantum cryptography in our previous blog post from 2020.

Discover how 5G fits into mobile communication network security in our guide to 5G network security

Read our summary of the latest standardization work from 3GPP, Release 16 (5G phase 2)

See the original post:
The evolution of cryptographic algorithms - Ericsson

Related Post

Comments are closed.