Description
The Resynchronisation Authentication Code (MAC-S) is a core security mechanism defined within the Authentication and Key Agreement (AKA) protocol for 3GPP systems, primarily UMTS and subsequently evolved for LTE and 5G. It functions as a Message Authentication Code (MAC) specifically generated to protect the re-synchronisation procedure. This procedure is invoked when the sequence number (SQN) used in the AKA protocol becomes mismatched between the User Equipment (UE) and the network's Authentication Centre (AuC), a condition known as 'synchronisation failure'. The MAC-S is computed by the AuC using a cryptographic algorithm (e.g., MILENAGE) with inputs including the secret subscriber key (K), a random challenge (RAND), the fresh sequence number (SQN<sub>new</sub>), and other parameters. This computed MAC-S is then sent to the UE within an AUTS token, which is part of the Synchronisation Failure message.
Upon receiving the AUTS token, the UE independently computes its own expected MAC-S using the same inputs (K, RAND, SQN<sub>new</sub>) and the same algorithm. The UE then compares the received MAC-S with its locally computed value. If they match, the UE can cryptographically verify that the re-synchronisation request originated from a legitimate network entity that knows the shared secret key K, and that the new sequence number SQN<sub>new</sub> has not been tampered with during transmission. This verification is crucial; it prevents an attacker from forcing a sequence number rollback or injecting a malicious re-sync command, which could otherwise lead to replay attacks or service denial.
The architecture for MAC-S involves the UE, the serving network (e.g., VLR/SGSN, MME), and the home network's AuC. The AuC is the sole entity that generates the valid MAC-S, as it is the only network node besides the UE that possesses the long-term secret key K. The serving network acts as a relay, passing the AUTS token from the UE to the home network and the subsequent authentication vector with the new SQN back to the UE. The MAC-S's role is singular but critical: it provides integrity and data origin authentication specifically for the SQN re-synchronisation value, ensuring that the core AKA protocol can recover from de-synchronisation securely and without compromising the overall authentication framework. Its correct implementation is a mandatory part of compliance with 3GPP security specifications.
Purpose & Motivation
The MAC-S was introduced to address a specific vulnerability in the AKA protocol's state management. The AKA protocol uses a sequence number (SQN) to ensure freshness and prevent replay of authentication vectors. However, network failures, delays, or malicious interference could cause the SQN maintained by the UE and the AuC to diverge. Without a secure recovery mechanism, this de-synchronisation would lead to permanent authentication failures, effectively denying service to the legitimate user. Early mechanisms to resync sequence numbers were potentially insecure, risking manipulation by an attacker.
The creation of MAC-S provided a cryptographically secure solution to this problem. It allows the network to propose a new, synchronised sequence number to the UE with a guarantee of authenticity. This solves the service denial issue while actively preventing security threats. An attacker cannot forge a valid MAC-S without knowledge of the secret key K, and cannot replay an old MAC-S as it is bound to a specific RAND and SQN<sub>new</sub>. Thus, MAC-S enables robust recovery from synchronisation failures, a necessary feature for any large-scale, reliable cellular system where such failures are statistically inevitable due to the vast number of devices and transactions.
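The MAC-S check described above, as an added example that is not from the original page or from any 3GPP reference code: it builds an AUTS token and verifies it, so the effect of a changed sequence number, RAND or K can be seen directly. It goes beyond the text by including the SQN concealment and the all-zero AMF that TS 33.102 specifies for AUTS. HMAC-SHA-256 is an assumed stand-in for the MILENAGE f1*/f5* functions (which require AES), and the function names and the key, RAND and SQN values are constructed for illustration.

```python
import hashlib
import hmac

RESYNC_AMF = b"\x00\x00"  # MAC-S is computed over an all-zero AMF during re-sync

def _prf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    # ASSUMPTION: HMAC-SHA-256 replaces the AES-based MILENAGE kernel.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1_star(k: bytes, sqn: bytes, rand: bytes, amf: bytes = RESYNC_AMF) -> bytes:
    """Stand-in for f1*: 64-bit MAC-S over SQN || RAND || AMF."""
    return _prf(k, b"f1*", sqn + rand + amf, 8)

def f5_star(k: bytes, rand: bytes) -> bytes:
    """Stand-in for f5*: 48-bit anonymity key that conceals SQN in AUTS."""
    return _prf(k, b"f5*", rand, 6)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_auts(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """AUTS = (SQN xor AK*) || MAC-S, 14 bytes in total."""
    if len(sqn) != 6 or len(rand) != 16:
        raise ValueError("SQN must be 6 bytes and RAND 16 bytes")
    return _xor(sqn, f5_star(k, rand)) + f1_star(k, sqn, rand)

def verify_auts(k: bytes, rand: bytes, auts: bytes):
    """Return the recovered SQN if MAC-S verifies, otherwise None."""
    if len(auts) != 14 or len(rand) != 16:
        return None
    sqn = _xor(auts[:6], f5_star(k, rand))
    expected = f1_star(k, sqn, rand)
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected, auts[6:]):
        return None
    return sqn

# Constructed sample values, not taken from any specification test set.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f" * 16)
SQN = (0x20).to_bytes(6, "big")

if __name__ == "__main__":
    auts = build_auts(K, RAND, SQN)
    tampered = bytes([auts[0] ^ 0x01]) + auts[1:]
    print("valid token      ->", verify_auts(K, RAND, auts))
    print("altered SQN bits ->", verify_auts(K, RAND, tampered))
    print("different RAND   ->", verify_auts(K, bytes(16), auts))
```

Because MAC-S covers both RAND and the sequence number, a token captured for one challenge does not verify against another, which is the replay binding the paragraph above describes.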
Key Features
- Provides integrity protection and data origin authentication for the new sequence number (SQN<sub>new</sub>) during re-synchronisation.
- Generated using a cryptographic algorithm (e.g., MILENAGE) and the shared secret key K.
- Transmitted within the AUTS token from the UE to the network to report a synchronisation failure.
- Enables the UE to verify the network's re-synchronisation command, preventing malicious SQN manipulation.
- Essential for recovering from AKA protocol sequence number mismatches without service interruption.
- A core component of the UMTS/LTE/5G AKA's Synchronisation Failure procedure.
Evolution Across Releases
Introduced as part of the EPS AKA for LTE. The fundamental architecture and cryptographic calculation for MAC-S were defined, based on the UMTS AKA principles but adapted for the Evolved Packet System. It used the MILENAGE algorithm suite as the standard example for computation, ensuring a secure re-synchronisation mechanism for the new LTE core network (EPC).
Defining Specifications
| Specification | Title |
|---|---|
| TS 35.205 | 3GPP TR 35.205 |
| TS 35.909 | 3GPP TR 35.909 |
| TS 35.934 | 3GPP TR 35.934 |