Description
The Expected Message Authentication Code (XMAC) is a critical component within the 3GPP security architecture, specifically for the 3G Authentication and Key Agreement (AKA) protocol defined for UMTS. It is computed locally on the User Services Identity Module (USIM) card residing in the user's device. The calculation occurs when the USIM receives an authentication challenge from the visited or serving network, which includes a random number (RAND) and an authentication token (AUTN).
The XMAC is generated using a cryptographic algorithm, typically the MILENAGE algorithm suite, which is based on the Rijndael block cipher (AES). The USIM uses its long-term secret key (K), shared only with the home network's Authentication Centre (AuC), along with the received RAND and other parameters from the AUTN (specifically the Sequence Number SQN) as inputs to the same MAC generation function (f1) that the AuC used. This process yields the XMAC value. The core security operation is a comparison: the USIM extracts the received MAC (part of the AUTN) and compares it with its locally computed XMAC. If they match, it proves to the USIM that the authentication challenge originated from a legitimate network that knows the shared secret key K, thereby authenticating the network to the user.
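The check described above, as an added example that is not taken from the 3GPP specifications or any USIM implementation: HMAC-SHA-256 stands in for MILENAGE f1 and f5 (Python's standard library has no AES), and the 16-byte AUTN layout (SQN xor AK, AMF, MAC) with its anonymity key AK and AMF field follows TS 33.102 rather than this page. The SQN freshness test is simplified to a strictly-greater comparison, and all key and challenge values are constructed.

```python
import hashlib
import hmac

def _prf(k, label, data, n):
    # Stand-in keyed function: HMAC-SHA-256 truncated to n bytes (NOT MILENAGE).
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf):
    """Network authentication function: 64-bit MAC (AuC) / XMAC (USIM)."""
    return _prf(k, b"f1", rand + sqn + amf, 8)

def f5(k, rand):
    """Anonymity key AK (48 bits) used to conceal SQN inside AUTN."""
    return _prf(k, b"f5", rand, 6)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_autn(k, rand, sqn, amf):
    """AuC side: AUTN = (SQN xor AK) || AMF || MAC."""
    return xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)

def usim_verify(k, rand, autn, sqn_ms):
    """USIM side: returns 'ok', 'mac_failure' or 'sync_failure'."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN must each be 16 bytes")
    concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(concealed_sqn, f5(k, rand))   # recover SQN with the local K
    xmac = f1(k, rand, sqn, amf)            # same f1 and inputs as the AuC
    # The MAC check comes first: SQN is only trusted once XMAC == MAC.
    if not hmac.compare_digest(xmac, mac):  # constant-time comparison
        return "mac_failure"
    # Simplified freshness rule: SQN must exceed the highest value accepted.
    if int.from_bytes(sqn, "big") <= sqn_ms:
        return "sync_failure"
    return "ok"

# Constructed sample values, not from any specification test set.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f" * 16)
SQN = (42).to_bytes(6, "big")
AMF = bytes.fromhex("8000")

if __name__ == "__main__":
    genuine = build_autn(K, RAND, SQN, AMF)
    forged = build_autn(bytes(16), RAND, SQN, AMF)  # sender without K
    print("genuine:", usim_verify(K, RAND, genuine, sqn_ms=41))
    print("forged: ", usim_verify(K, RAND, forged, sqn_ms=41))
    print("replay: ", usim_verify(K, RAND, genuine, sqn_ms=42))
```
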
This mechanism is a cornerstone of mutual authentication in 3G networks. While the network authenticates the user via the RES (Response) and XRES (Expected Response) check, the user authenticates the network via the XMAC/MAC check. This two-way verification is essential for preventing threats like false base station attacks where an adversary impersonates a legitimate network to intercept communications or track users. The XMAC calculation and verification are performed entirely within the secure environment of the USIM, protecting the secret key K from exposure to the device's main operating system.
The specifications governing XMAC, primarily TS 31.900 (USIM Application Toolkit) and TS 35.934 (Security algorithms), detail the exact inputs, the algorithmic steps, and the integration with the USIM's secure processing capabilities. TS 31.900 covers the commands and procedures for the USIM to perform the computation, while TS 35.934 defines the standardised example algorithms like MILENAGE. The integrity of this process ensures that a user's connection is established only with a trusted network element that has been authorized by their home operator.
Purpose & Motivation
XMAC was introduced to fulfill the requirement for mutual authentication in 3GPP networks, a significant security enhancement over the 2G (GSM) system. In GSM, only the network authenticated the mobile station; the mobile station did not authenticate the network. This one-way authentication created a vulnerability to false base station (IMSI catcher) attacks, where malicious actors could set up equipment to mimic a real network, trick phones into connecting, and then intercept calls or traffic.
The primary problem XMAC solves is providing the user equipment (via the USIM) with a means to verify the network's legitimacy. By enabling the USIM to independently compute the expected MAC value and compare it with the one provided by the network, the system ensures that the authentication request could only have been generated by an entity possessing the shared secret key (K). This key is known only to the genuine home operator's AuC and the USIM. This mechanism effectively closes the security gap present in 2G.
Its creation was motivated by the broader 3G security design principles established in 3GPP Release 99, which mandated stronger cryptographic algorithms and mutual authentication. XMAC, along with the SQN management for replay protection, forms the user's side of this mutual authentication process. Standardizing the calculation method (e.g., in the MILENAGE algorithm suite) ensured interoperability between USIMs from different vendors and AuCs from different network operators, forming a globally trusted security foundation for UMTS and later generations that inherited the AKA framework.
Key Features
- Calculated locally on the USIM using the shared secret key K
- Core component of 3G mutual authentication (AKA)
- Uses standardized cryptographic functions (e.g., MILENAGE f1)
- Inputs include RAND, SQN, and the secret key K
- Compared against the MAC received in the AUTN from the network
- Verification occurs within the USIM's secure execution environment
Evolution Across Releases
XMAC was formally specified as a term and its calculation procedures were integrated into the USIM application toolkit specifications in Release 12. This release provided detailed commands and structures for the USIM to receive authentication data, compute the XMAC, and perform the verification, solidifying its role in the 3G AKA process within the USIM's secure framework.
Defining Specifications
| Specification | Title |
|---|---|
| TS 31.900 | 3GPP TR 31.900 |
| TS 35.934 | 3GPP TR 35.934 |