Public PhD defence 

Mohsin Khan: Privacy of User Identities in Cellular Networks

Time : Friday 5.3.2021 at 12 o’clock

M.Sc. Mohsin Khan defends his doctoral thesis “Privacy of User Identities in Cellular Networks” on Friday the 5th of March 2021 at 12 o’clock. Professor Stig Frode Mjølsnes (Norwegian University of Science and Technology, NTNU, Norway) and custos Professor Valtteri Niemi (University of Helsinki). The defence will be held in English. Welcome!

Place : University of Helsinki Exactum building, Auditorium CK112 (Pietari Kalmin katu 5, basement) and as a live stream at https://helsinki.zoom.us/j/61972884772?pwd=TG44cE51R1k2aUpDS2JCVE1yOUE0UT09 (passcode 471118)

PhD thesis : http://urn.fi/URN:ISBN:978-951-51-6992-1

Summary:

This thesis looks into two privacy threats of cellular networks. For their operations, these networks have to deal with unique permanent user identities called International Mobile Subscriber Identity (IMSI). One of the privacy threats is posed by a device called IMSI catcher. An IMSI catcher can exploit various vulnerabilities. Some of these vulnerabilities are easier to exploit than others. This thesis looks into fixing the most easily exploitable vulnerability, which is in the procedure of identifying the subscriber. This vulnerability exists in all generations of cellular networks prior to 5G. The thesis discusses solutions to fix the vulnerability in several different contexts.

One of the solutions proposes a generic approach, which can be applied to any generation of cellular networks, to fix the vulnerability. The generic approach uses temporary user identities, which are called pseudonyms, instead of using the permanent identity IMSI. The thesis also discusses another solution to fix the vulnerability, specifically in the identification procedure of 5G. The solution uses Identity-Based Encryption (IBE), and it is different from the one that has been standardised in 5G. Our IBE-based solution has some additional advantages that can be useful in future works. The thesis also includes a solution to fix the vulnerability in the identification procedure in earlier generations of cellular networks. The solution fixes the vulnerability when a user of a 5G network connects to those earlier generation networks. The solution is a hybridisation of the pseudonym-based generic solution and the standardised solution in 5G.

The second of the two threats that this thesis deals with is related to the standards of a delegated authentication system, known as Authentication and Key Management for Applications (AKMA), which has been released in July 2020. The system enables application providers to authenticate their users by leveraging the authentication mechanism between the user and the user’s cellular network. This thesis investigates what requirements AKMA should fulfil. The investigation puts a special focus on identifying privacy requirements. It finds two new privacy requirements, which are not yet considered in the standardisation process. The thesis also presents a privacy-preserving AKMA that can co-exist with a normal-mode AKMA.