MAC-S

Resynchronisation Authentication Code

Introduced in Rel-8

MAC-S is a cryptographic code used in UMTS and LTE to securely re-synchronise authentication vectors between the UE and network after a failure, preventing replay attacks and ensuring procedure integrity.

Category: Security
Introduced: Rel-8
Where: Security
Specifications: 3 specs

Description

The Resynchronisation Authentication Code (MAC-S) is a core security mechanism defined within the Authentication and Key Agreement (AKA) protocol for 3GPP systems, primarily UMTS and subsequently evolved for LTE and 5G. It functions as a Message Authentication Code (MAC) specifically generated to protect the re-synchronisation procedure. This procedure is invoked when the sequence number (SQN) used in the AKA protocol becomes mismatched between the User Equipment (UE) and the network's Authentication Centre (AuC), a condition known as 'synchronisation failure'. The MAC-S is computed by the AuC using a cryptographic algorithm (e.g., MILENAGE) with inputs including the secret subscriber key (K), a random challenge (RAND), the fresh sequence number (SQN_new), and other parameters. This computed MAC-S is then sent to the UE within an AUTS token, which is part of the Synchronisation Failure message.

Upon receiving the AUTS token, the UE independently computes its own expected MAC-S using the same inputs (K, RAND, SQN_new) and the same algorithm. The UE then compares the received MAC-S with its locally computed value. If they match, the UE can cryptographically verify that the re-synchronisation request originated from a legitimate network entity that knows the shared secret key K, and that the new sequence number SQN_new has not been tampered with during transmission. This verification is crucial; it prevents an attacker from forcing a sequence number rollback or injecting a malicious re-sync command, which could otherwise lead to replay attacks or service denial.

The architecture for MAC-S involves the UE, the serving network (e.g., VLR/SGSN, MME), and the home network's AuC. The AuC is the sole entity that generates the valid MAC-S, as it is the only network node besides the UE that possesses the long-term secret key K. The serving network acts as a relay, passing the AUTS token from the UE to the home network and the subsequent authentication vector with the new SQN back to the UE. The MAC-S's role is singular but critical: it provides integrity and data origin authentication specifically for the SQN re-synchronisation value, ensuring that the core AKA protocol can recover from de-synchronisation securely and without compromising the overall authentication framework. Its correct implementation is a mandatory part of compliance with 3GPP security specifications.

Purpose & Motivation

The MAC-S was introduced to address a specific vulnerability in the AKA protocol's state management. The AKA protocol uses a sequence number (SQN) to ensure freshness and prevent replay of authentication vectors. However, network failures, delays, or malicious interference could cause the SQN maintained by the UE and the AuC to diverge. Without a secure recovery mechanism, this de-synchronisation would lead to permanent authentication failures, effectively denying service to the legitimate user. Early mechanisms to resync sequence numbers were potentially insecure, risking manipulation by an attacker.

The creation of MAC-S provided a cryptographically secure solution to this problem. It allows the network to propose a new, synchronised sequence number to the UE with a guarantee of authenticity. This solves the service denial issue while actively preventing security threats. An attacker cannot forge a valid MAC-S without knowledge of the secret key K, and cannot replay an old MAC-S as it is bound to a specific RAND and SQN_new. Thus, MAC-S enables robust recovery from synchronisation failures, a necessary feature for any large-scale, reliable cellular system where such failures are statistically inevitable due to the vast number of devices and transactions.
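A worked model of the AUTS construction and check described in the Description section and of the binding to RAND and SQN_new described just above, added here as an example that is not part of the original page or of any 3GPP or MILENAGE code. It substitutes HMAC-SHA256 for the MILENAGE f1*/f5* kernel (an assumption, so the block runs offline without an AES library) while keeping the TS 33.102 layout, AUTS = (SQN xor AK) || MAC-S with an all-zero AMF, and the sample K, RAND and SQN values are constructed, not 3GPP test vectors.

```python
import hashlib
import hmac

# Constructed stand-ins for the MILENAGE resync functions f1* and f5*:
# HMAC-SHA256 replaces the AES-based kernel so this runs offline. Output
# widths follow TS 33.102: MAC-S 64 bits, AK 48 bits, SQN 48 bits, AMF 16 bits.
AMF_RESYNC = b"\x00\x00"  # AMF is all-zero in the resynchronisation branch

def f1_star(k, rand, sqn, amf=AMF_RESYNC):
    """MAC-S = f1*(K, RAND, SQN, AMF): 8-byte resync MAC (HMAC stand-in)."""
    return hmac.new(k, b"f1*" + rand + sqn + amf, hashlib.sha256).digest()[:8]

def f5_star(k, rand):
    """AK = f5*(K, RAND): 6-byte anonymity key that conceals SQN (stand-in)."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_auts(k, rand, sqn):
    """AUTS = Conc(SQN) || MAC-S, with Conc(SQN) = SQN xor AK (14 bytes)."""
    return xor(sqn, f5_star(k, rand)) + f1_star(k, rand, sqn)

def verify_auts(k, rand, auts):
    """Recover SQN from AUTS and check MAC-S; return SQN, or None on failure."""
    if len(auts) != 14:
        return None
    conc, mac_s = auts[:6], auts[6:]
    sqn = xor(conc, f5_star(k, rand))
    # recompute over the recovered SQN; constant-time compare avoids a timing leak
    if not hmac.compare_digest(f1_star(k, rand, sqn), mac_s):
        return None
    return sqn

# Constructed sample values (not 3GPP test vectors).
K = bytes(range(16))
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
SQN = bytes.fromhex("000000000102")

def demo():
    """Show the accept/reject cases the text describes."""
    auts = build_auts(K, RAND, SQN)
    tampered = bytes([auts[0] ^ 0x80]) + auts[1:]   # flip a bit of Conc(SQN)
    other_rand = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    forged = bytes(14)                              # built without knowing K
    return {
        "valid": verify_auts(K, RAND, auts) == SQN,
        "tampered_sqn": verify_auts(K, RAND, tampered) is None,
        "replayed_under_new_rand": verify_auts(K, other_rand, auts) is None,
        "forged_without_k": verify_auts(K, RAND, forged) is None,
    }
```

Running `demo()` returns True for all four cases: only an untampered AUTS built under the same K and RAND yields the original SQN.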

Classification

Part of: AKA
Related approaches: AUTS, SQN

Evolution Across Releases

Rel-8 (Initial)

Introduced as part of the EPS AKA for LTE. The fundamental architecture and cryptographic calculation for MAC-S were defined, based on the UMTS AKA principles but adapted for the Evolved Packet System. It used the MILENAGE algorithm suite as the standard example for computation, ensuring a secure re-synchronisation mechanism for the new LTE core network (EPC).

Defining Specifications

3GPP specifications that define or reference MAC-S, with the latest known release. Sourced from the 3GPP document catalog.

Specification   | Title                                          | Release
TS 35.205 vj00  | MILENAGE Algorithm Set: General Overview       | Rel-19
TR 35.909 vj00  | 3GPP MILENAGE Algorithm Design Report          | Rel-19
TR 35.934 vj00  | Tuak algorithm set for 3GPP auth & key gen     | Rel-19