Security Authentication Protocol for Massive Machine Type Communication in 5G Networks

. As one of the three major applications of 5G, massive machine type communication (mMTC) is mainly oriented to network access scenarios for massive devices. mMTC focuses on solving the problem that traditional mobile communication cannot well support the Internet of Things and vertical industry applications. According to the current 3GPP standard, these massive devices still use the traditional authentication process to realize mutual authentication with 5G core network, which brings a lot of communication and computing overhead. In addition, privacy protection will also be threatened in the authentication process. In order to alleviate the signaling congestion during authentication and solve the insecurity in authentication, this paper proposes a group authentication scheme for mMTC. Due to the characteristics of low power consumption and massive connection, the scheme mainly adopts lightweight encryption operation to avoid the computational burden of equipment and server. We verify the security of our scheme by using BAN logic to formally analyze the scheme. Then, through informal analysis, our proposed scheme can not only avoid signaling blocking and provide mutual authentication but also resist various possible attacks. Through performance evaluation, it is proved that our scheme has better e ﬃ ciency.


Introduction
With the deepening of 5G technology research, ITU-R formally defined massive machine type communication (mMTC) as one of the three major 5G application scenarios in 2015 [1].With its huge advantages over 4G in performance indicators such as peak rate, air interface delay, and spectrum resources, 5G can meet hundreds of millions of massive IoT terminal network performance requirements, promote the deep integration of 5G and IoT, and form a mMTC business scenario [2].From the concept definition of mMTC, hundreds of millions of terminal devices are deployed and applied to the needs of massive data acquisition and transmission [3].Massive connections and small amount of data are one of the main characteristics of the typical mMTC mode.At the same time, it has the advantages of 5G network high speed, low delay, and other network performance advantages [4].
In the mMTC business scenario, a large number of terminal devices, 5G key technologies, etc., meet the needs of digital and diversified business in terms of coverage, number of devices, and network performance [5].At the same time, it also brings network security challenges to the mMTC business scenario.The mMTC business scenario introduces 5G key technologies such as virtualization and network slicing to drive the mMTC business scenario network to a virtualized and service-oriented transition.At the same time, in the ubiquitous connection scenario, a large number of diversified terminals are easy to be used by attacks, and they lead to the threat of network attacks [6].
As a typical application scenario under the 5G Internet of Things architecture, mMTC has become the focus of many researchers and the cornerstone of building a global Internet of Things to realize the interconnection of all things.mMTC is mainly aimed at the Internet of Things aiming at sensing and data acquisition.Its goal is simply to enable more machine type communication user equipment to connect to the network.The Third Generation Partnership Project (3GPP) defines the secure access process of mMTC device [7,8].However, it also faces many problems.Firstly, there are too many information of header transmitted between MTC device and base station in the process of random access, resulting in low data transmission efficiency.Secondly, the number of MTC devices is much larger than the number of time-frequency resources that the system can provide.The serious mismatch between the two will lead to serious equipment access collision and increase the access delay of MTC devices and excessive access energy consumption.Therefore, it is necessary to reduce the signaling interaction in the random-access process and the average delay in the access process and then improve the utilization efficiency of time-frequency resources and the data transmission efficiency of MTC device.From LTE network to 5G networks, the number of users increases exponentially.But in mMTC communication scenario, the secure access scheme still adopts 3GPP standard authentication protocol and key agreement (EAP-AKA) [9].Therefore, when the mMTC device roams to the 5G network, serious signaling congestion and security issues may occur [10].The inspiration of this paper is based on [11][12][13][14][15][16][17], which proposes a lightweight security authentication protocol based on Barrel Shifter Physical Unclonable Function (BS-PUF) for mMTC in 5G network.The protocol allows the service network to authenticate a group of devices at the same time, so as to reduce the number of signaling transmission and communication delay through the home network.The main contributions of this paper are as follows: (1) Under the background that 5G networks have a large number of MTC devices, in order to reduce the computation overhead and communication delay, we aggregate the authentication messages on leader MTC into a message and send it to the server for authentication, which improves the authentication efficiency (2) We propose a lightweight security authentication scheme.Our scheme is based on lightweight encryption primitives (3) Here, we first use BAN logic to verify the correctness and safety of the scheme.Then, we use informal security analysis to analyze the related security requirements achieved by our scheme and compare it with the security functions of other related schemes later (4) Finally, in the performance evaluation, we analyze that our scheme has less computation overhead and communication overhead.Therefore, our scheme has good security and efficiency in the process of mMTC device authentication The remaining chapters of our article are listed below.In Chapter 2, we review related research work.In Chapter 3, we mainly introduce the relevant knowledge of the scheme.In Chapter 4, we mainly describe our proposed scheme in detail.In Chapter 5, we prove and analyze the security of the scheme.In Chapter 6, we evaluated the performance of the solution.Finally, in Chapter 7, we summarize the work of the full text.

Related Work
So far, many researchers have proposed a lot of research on group MTC authentication in LTE networks.With the continuous development and popularization of 5G network, many scholars also put forward the research on group MTC authentication for 5G network.
In [18], Lai et al. proposed a lightweight group authentication protocol based on aggregated messages in LTE networks.This protocol performed group authentication on MTC devices, reduced the overhead of identity verification, and effectively avoided signaling congestion in the network.Cao et al. [19] proposed a group-based access authentication scheme using aggregated signature technology.This scheme could enable a large number of MTC devices to be authenticated by the network and establish corresponding session keys, respectively.Zhang et al. [20] proposed a groupbased security authentication protocol in roaming scenarios.The protocol had a dynamic group key generation and update method, and it also avoided the blockage caused by a large number of MTC devices.Cao et al. [21] proposed an efficient group-based anonymous handover protocol.The protocol could adapt to roaming scenarios in LTE-A networks and could effectively reduce signaling costs and communication costs and protect user privacy.Li et al. [22] proposed an identity verification and key agreement scheme based on a secret sharing scheme in MTC scenarios.This scheme realized distributed authentication and dynamically updated access strategy.Cao et al. [23] proposed a secure and efficient authentication scheme based on multisignature and aggregated message authentication code technology.This solution could implement a simple authentication process and switch between different scenarios and had relatively good security.These schemes were mainly for LTE networks.
Cao et al. [11] proposed a group-based handover authentication and reauthentication protocol in 5G networks.This protocol was suitable for mMTC devices roaming to a new network, and the signaling overhead and bandwidth consumption were less than other protocols.
Basudan [12] proposed a lightweight and efficient mMTC group authentication protocol in 5G networks.The protocol was based on bilinear mapping and aggregation without certificates and realized mutual authentication, session keys, and confidentiality.Cao et al. [13] proposed a secure and efficient authentication scheme for a large number of devices in 5G networks.This scheme could not only resist a large number of protocol attacks but also could update group members and realize privacy protection.Lai et al. [9] proposed a group-based secure lightweight authentication and key protocol for machine-to-machine communication.The scheme could resist various attacks and provide the required security requirements.Cao et al. [14] proposed a lightweight and secure access authentication 2 Wireless Communications and Mobile Computing protocol based on extended chaotic mapping.This protocol was aimed at two types of equipment.One was ordinary user equipment, and the other was mMTC equipment.And the protocol implemented functions such as mutual authentication and anonymity protection.These schemes were mainly for 5G networks, but some schemes had large computation and communication overhead.

Preliminaries
3.1.System Model.As shown in Figure 1, the system model mainly includes 5G access network and 5G core network [4,14,24].The 5G access network is mainly composed of MTC devices and wireless networks.The wireless network includes 5G next-generation radio access network (NG-RAN) and non-3GPP access network, which provide with data network access and communication services for devices.In 5G core network, access and mobility management function (AMF) can provide all functions related to users and control plane session management and can authenticate through security anchor function (SEAF).Authentication Server Function (AUSF) and Unified Data Management (UDM) provide authentication and user data management services for users.When connecting to the network through NG-RAN, the user authenticates with AUSF through SEAF/ AMF.When connecting to the network through non-3GPP access network, the user establishes a security association through IKEv2 (Internet Key Exchange Protocol version 2) in the non-3GPP access interworking function (N3IWF) and then performs the authentication process through AMF/AUSF.In addition, 5G core network also provides session management function (SMF) and user plane function (UPF).

Security Model.
The protocol security analysis method mainly focuses on whether there are loopholes in protocol interaction, that is, the Dolev-Yao model [25].In the Dolev-Yao model, Dolev and Yao believe that the knowledge and capabilities of protocol attackers cannot be ignored in protocol security certification.The specific capabilities are as follows: (1) The attacker can control the whole communication channel (2) Attackers can establish connections with devices and execute security authentication and key agreement protocols by constructing masquerade nodes (3) Attackers can eavesdrop, store, forge, modify, and replay messages transmitted on the channel 3.3.Security Requirements.In order to eliminate possible security threats and ensure that mMTC devices can communicate securely, the authentication protocol we designed should meet the following security goals: (1) Identity Authentication.The communication entities authenticate each other to ensure the legitimacy of the authentication entities (2) Session Key Security.The communication entity negotiates the secure session key, and the attacker cannot obtain the session key (3) Identity Anonymity and Unlinkability.In the whole authentication process, the user identity information must be hidden, and the attacker cannot associate its identity information with the public information of the channel (4) Forward Security.This goal ensures that even if the session key is leaked, the previous session key cannot be calculated from the key, which is irrelevant to each other.The security of session key is guaranteed (5) Antiattack Ability.The proposed scheme can resist existing protocol attacks, including replay attack and forgery attack (6) Avoid Authentication Signaling Congestion.When a large number of users make access requests at the same time, it can simplify the authentication process, reduce the authentication delay, avoid signaling congestion, and finally ensure the smooth progress of the whole authentication system 3.4.Barrel Shifter Physical Unclonable Function.Physical Unclonable Function (PUF) is a group of miniature delay circuits, which extracts the differences in the chip manufacturing process to obtain a group of input and output called stimulus-response pairs.The relationship between stimulus and response is only determined by certain physical differences in the device.Due to the differences in the chip manufacturing process, it has a nonreproducible characteristic [15].In 2018, Guo et al. [16] proposed a Barrel Shifter Physical Unclonable Function (BS-PUF) based on reversible and commutativity.It is defined as follows: Property 1: reversible Given a reversible keyed PUF, the value x and the key K, calculate PUFðK, xÞ = y ⇒ PUF −1 ðK, yÞ = x, where PUF −1 is the reverse calculation on the same PUF.
3 Wireless Communications and Mobile Computing 4.1.System Setup.In order to better design the access authentication protocol for mMTC device and facilitate the security analysis of the protocol, in the scheme, it is assumed that each user device and 5GC network node can perform BS-PUF.In this initialization phase, the trusted registration center (TRC) is a trusted entity responsible for registering MTC device.TRC selects the master key s ∈ Z * q and a oneway secure hash function H : f0, 1g * ⟶ Z * q .Then, TRC publishes system parameters {Hð•Þ}.Here, we merge TRC and AUSF/UDM.Each MTC device first registers with TRC and returns relevant parameters to the user device through the secure channel.According to the Diameter protocol [4] formulated by 3GPP organization, it can be seen that the communication between AUSF/UDM and SEAF/ AMF uses the wired channel between backbone networks for transmission.Therefore, we believe that the communication channel between AUSF/UDM and SEAF/AMF is safe.In addition, for mMTC devices in the same range, we select a device leader MTC n based on the functions of the mMTC device including computing capabilities and communication capabilities.As shown in Figure 2, it shows the specific authentication details of our scheme.

Registration.
In the registration phase, each device MTC i registers with the TRC through a secure channel.Firstly, MTC i randomly selects a random value X i , calculates PK MTC i = PUF MTC i ðX i Þ, and then sends the identity ID i , X i , and PK MTC i to TRC through the secure channel.When TRC receives the values sent by MTCD i , it randomly selects the value e i , calculates the temporary identity TID i = PUF TRC ðs, e i Þ, PK i = PUF TRC ðX i Þ, A i =Hðs, e i Þ, stores (ID i ,PK MTC i ) in the database, and then sends the message (TID i , PK i , and A i ) to MTCD i through the secure channel.

Access Authentication
(1) First, the device MTC i in the group generates a random number X new i ; calculates the secret value (2) Upon receiving the messages sent by the group members, MTC n performs the same operation as MTC i .
And it generates the current timestamp T MTC n and the corresponding group identity GID and calculates Then, it compares AVS with the received AVS * .If they are equal, the correctness of the generated session key is verified Finally, MTC i communicates through the session key.In this paper, BAN logic is used to formally analyze the proposed authentication scheme.BAN logic [26] is a formal analysis tool based on knowledge and belief.

Verification.
Here, we formally verify our scheme.First, we idealize the scheme.
(1) The messages involved in our scheme are idealized Wireless Communications and Mobile Computing (2) Formal description of initial state (3) The ultimate goal of the scheme In this section, our scheme needs to meet the following goals: TRC TRC Through S 6 , S 7 , S 13 , and S 14 , we can see that our scheme reaches the goals.

Security
Analysis.The security of our scheme is mainly analyzed from the aspects of identity authentication, session key security, resistance to attacks, and so on.
(1) Identity Authentication.In our scheme, communication entities use message authentication codes to verify their legitimacy.Because the generated message verification code includes the secret value generated by BS-PUF, the security of the verification message is guaranteed (2) Session Key Security.Each MTC device negotiates a session key with the server.The corresponding session key is generated through the secret value generated by the BS-PUF and other parameters, ensuring the security of the session key (3) Identity Anonymity and Unlinkability.In our scheme, each MTC device communicates with the server through pseudonym TID i = PUF TRC ðs, e i Þ, and the real identity is encrypted as After receiving the pseudonym TID i and M MTC i , the server obtains the real identity through calculation.Because the real identity of the device can be obtained only through the calculation of the server, the anonymity of the device is guaranteed.Because the temporary identity of each MTC device in the scheme changes and the generated messages use random numbers and time stamps, the messages transmitted in the network are different, and the attacker cannot distinguish that the two messages are sent by the same device (5) Antiattack Ability.In the communication process of our scheme, each MTC device ensures the freshness of messages by using time stamps, so it can effectively avoid replay attacks.In the process of message verification, our scheme uses the message authentication code.Because the message authentication code is generated by the secret value and other parameters generated, it is difficult for the attacker to generate the correct message authentication code, so it can effectively avoid man in the middle attack.In our scheme, because the real identity is encrypted, it is difficult for the attacker to extract the user identity from the message, so it is difficult to impersonate a legitimate user for communication.In the authentication process, since the secret value K * MTC i can only be generated by the server, the attacker cannot generate this value for verification, so it is difficult for the attacker to impersonate the server (6) Avoid Authentication Signaling Congestion.Our scheme uses aggregation message authentication technology to aggregate a group of MTC device request messages into one request message.Here, we complete the message aggregation in leader MTC, reduce the signaling computation and communication overhead, and send it to the server for authentication.Our scheme effectively simplifies the authentication process, reduces the authentication delay, and avoids signaling congestion

Performance Analysis
In this section, we mainly analyze the performance of our scheme from two aspects: computation overhead and communication overhead.Here, we mainly compare the schemes similar to our scheme.
6.1.Computation Overhead.By calculating the time of various encryption operations, we analyze the computation overhead of the protocol.In this paper, we omit the lightweight operations including XOR operations and concatenation operations.Here, T D/E represents the time to calculate symmetric encryption or decryption, T H represents the time to calculate one-way hash, and T CM represents the time to calculate an extended chaotic map.In addition, we refer to [17] to obtain T H ≈ 1:6T PUF .The computation overhead of relevant schemes is obtained, as shown in Table 2. Therefore, we can see that our scheme has obvious advantages in terms of computation overhead.

Communication Overhead.
Here, we evaluate the communication overhead of our scheme by comparing similar schemes.We define the size of different authentication messages.In this article, we refer to standards [27,28].Assume that the random number, hash value, and device identity size are 128 bits.The size of the time stamp is 32 bits.The size of the chaotic map is 128 bits.In the scheme of [17], we define the size of PUF to be 128 bits.According to the size of the defined message, we obtain the size of the communication overhead of the comparison schemes.Because of different schemes, the number of server entities communicating is different.Therefore, for the sake of fairness, we mainly compare the communication overhead of the group leader MTC device in Table 3.
Figure 3 shows the comparison results of different m values and changes in the number of devices.We can see that 8 Wireless Communications and Mobile Computing [13] has small communication overhead, but it has security vulnerabilities.Therefore, our scheme has obvious advantages in terms of communication overhead and security.

Conclusion
Due to the signaling congestion security problems encountered for mMTC communication in 5G networks, we propose a mMTC group authentication scheme.The scheme is based on lightweight encryption operation, which reduces the computational burden of equipment and server, and ensures the security of the scheme.Then, security verification of the proposed scheme is carried out through BAN logic and informal security analysis.The verification results show that our scheme has strong security in the process of encryption and authentication and can resist most known attacks.The data analysis shows that the proposed scheme has great improvement in communication overhead and computation overhead compared with the existing schemes.In the future research work, we will start to study the authentication scheme based on group signature.With the development of 5G communication technology, a more efficient scheme is designed to meet the requirements of lightweight and security.

Table 1 :
Notations.:HID i , M MTC i g n i=1 , TGID, MAC L , T MTC n g to AMF (3) On receiving the messages, AMF sends the message ffTID i , HID i , M MTC i g n i=1 , TGID, MAC L , T MTC n g to TRC (4) When TRC receives the message from AMF, it first verifies whether the timestamp T MTC n is within the legal range.If it is within the legal scope, TRC calculates e i = PUF −1 TRC ðs, TID i Þ, A * i = Hðs, e i Þ, and ID * i = A * i ⊕ HID i .TRC queries the database to verify whether the identity ID * i is legal.If the verification is legal, TRC gets PK MTC i and calculates •••,MAC n , T MTC n , GIDÞ.Finally, MTC n i GIDÞ and verifies whether MAC L ′ and MAC L are equal.If they are equal, then the group MTC devices are certified.If they are not equal, there are illegal devices in the group.TRC selects random value n i and timestamp T TRC ; calculates TID new i and updates value ðID i , PK new MTC i Þ, stored in the database.Then, TRC generates verification message MAC After receiving the message sent from TRC, AMF verifies whether the timestamp T TRC is within the legal range.If the verification is legal, it stores the group identity GID and AVS; calculates and F AMF = X new MAC n receives the message sent and verifies whether the timestamp T TRC is within the legal range.If the verification is legal, it calculatesPK AMF = X new n ⊕ F AMF , K AMF ′ = PUF MTC n ðPK AMF Þ,and MAC AMF ′ = Hð PK new MTC It verifies whether MAC AMF ′ and MAC AMF are equal.If they are equal, it verifies AMF.Then, MAC n calculates A new n n , X new n , K AMF ′ , GID, T TRC Þ: and MAC TRC MTC n = HðID n , X new n , K MTC n , T TRC , A new n , PK new n Þ.If the generated value MAC TRC TRC are equal, then it verifies the server TRC and updates the device parameters at the same time.MTC n generates the session key SK TRC MTC n = HðK MTC n , X new n , ID n Þ and the verification value VS MTC n = HðSK TRC MTC n , ID n , T TRC Þ.When receiving a message from MAC n , MTC i verifies whether the received timestamp T TRC is legal.If the timestamp T TRC is legal, MTC i calculates the generated value MAC TRC MTC i and the received value MAC MTC i TRC are equal, then it verifies the server TRC and updates the device parameters at the same time.MTC i generates the session key SK TRC MTC i = HðK MTC i , X new i , ID i Þ and the verification value VS MTC i = HðSK TRC MTC i , ID i , T TRC Þ.Finally, the message fVS MTC i g is sent to MTC n (8) On receiving the message sent by the group members, MTC n calculates TAVS= K AMF ′ ⊕ X new n ⊕ Hð VS MTC 1 , VS MTC 2 •••,VS MTC n , GID, K MTC n Þ and sends it to AMF (9) AMF receives the message and calculates AVS * Logical reasoning According to the message Mes 1 sent by MTC i to TRC, it can be concluded that S 1 : TRC⊲<TID i , HID i , M MTC i , MAC i > K MTC i Given S 1 and A 2 , from the message meaning rule, we can get S 2 : TRC j≡MTCD i j ~TID i , HID i , M MTC i , MAC i From S 1 , A 3 and the freshness rule, we can get S 3 : TRCj ≡ #fTID i , HID i , M MTC i , MAC i g From S 2 ,S 3 , and nonce verification rule, we can get S 4 : TRCj≡MTCD i j ≡ fTID i , HID i , M MTC i , MAC i g From S 4 , A 4 , and arbitration rules, we can get S 5 : TRCj ≡ fTID i , HID i , M MTC i , MAC i g , A 5 , and the arbitration rule, we can get S 7 : TRCj ≡ MTCD i ↔ According to the message Mes 2 sent by TRC to MTCD i , we can get: S 8 : MTCD i ⊲<C i , D i , MAC MTC i TRC , T TRC > K MTC i Given S 8 and A 1 , from the message meaning rule, we can get S 9 : MTCD i j≡TRCj ~fC i , D i , MAC MTC i TRC , T TRC g According to S 9 , A 6 , and the freshness rule, we can get S 10 : MTCD i j ≡ #ðC i , D i , MAC MTC i TRC , T TRC Þ From S 9 , S 10 , and the nonce verification rule, we can see S 11 : MTCD i j≡TRCj ≡ fC i , D i , MAC MTC i TRC , T TRC g From S 11 , A 7 , and the arbitration rule, we can get S 12 : MTCD i j ≡ fTID i , HID i , M MTC i , MAC i g From S 12 and SK TRC MTC i = HðK MTC i , X new i , ID i Þ, we can see S 13 : MTCD i j≡TRCj ≡ MTCD i ↔ According to S 13 , A 8 , and the arbitration rule, we can get S 14 : MTCD i j ≡ TRC ↔ i , X new i , ID i Þ, we can get S 6 : TRC j≡MTCD i j ≡ MTCD i ↔

Table 2 :
Computation overhead.Forward Security.Each MTC device negotiates with the server generate a corresponding session key through the secret value and random number generated.Because the secret value and random number generated for each authentication are different, the security of the session key is guaranteed.Even if the session key is leaked, it will not affect the previously generated session keys