
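Graduate student: 鄭雅竹 (Ya-Chu Cheng)
Thesis title (Chinese, translated): A New Tracking-Attack Scenario Based on the Vulnerability of the Fifth-Generation Mobile Communication Protocol
Thesis title (English): A New Tracking-Attack Scenario Based on The Vulnerability and Privacy Violation of 5G AKA Protocol
Advisor: 沈中安 (Chung-An Shen)
Oral defense committee: 沈中安 (Chung-An Shen), 呂政修 (Jenq-Shiou Leu), 黃琴雅 (Chin-Ya Huang), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electronic and Computer Engineering
Year of publication: 2021
Academic year of graduation: 109
Language: English
Number of pages: 43
Keywords (Chinese, translated): Tracking, Monitoring, Attack Scenario, 5G Mobile Communication Security Vulnerability, 5G Mobile Communication Security Protocol, Privacy Violation, TAMARIN Prover, srsLTE
Keywords (English): Track, Monitor, Attack Scenario, Vulnerability of 5G AKA Protocol, Authentication and Key Agreement, Privacy Violation, TAMARIN Prover, srsLTE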
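  • "Security architecture and procedures for 5G System" (TS 33.501) is based on the draft security specification released by 3GPP (the 3rd Generation Partnership Project) in 2018. Security violations in the 5G security protocol have been widely studied and discussed. Based on the 5G security protocol, this thesis proposes a new tracking-attack scenario that violates users' personal privacy. In this tracking-attack scenario, only a few procedures are needed for users to leak their personal behavior patterns without being aware of it. In addition, this thesis analyzes the user privacy problem in greater depth and proposes a feasible countermeasure for protecting the sensitive personal information of genuine and honest users, along with recommendations for improving the 5G security protocol. Furthermore, the privacy vulnerabilities of the 5G security protocol and of the tracking-attack scenario are analyzed through lemma models in the TAMARIN Prover. Finally, an implementation experiment based on the srsLTE framework (an open-source platform that provides an LTE experimentation environment) demonstrates how an attacker would attack genuine and honest users based on the tracking-attack scenario disclosed in this thesis.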


    The security architecture and procedures for 5G systems (TS 33.501) are based on the 3GPP (3rd Generation Partnership Project) security specification draft that was released in 2018. The security violations in the 5G security protocol have been intensively studied and discussed. Based on the 5G security protocol, this thesis illustrates a new tracking-attack scenario that can feasibly cause subscribers to suffer a breakdown of personal privacy. It shows that, in the disclosed tracking-attack scenario, only a few procedures are needed to leak personal behavior patterns without the subscriber's awareness. An in-depth analysis of the privacy violations is presented, and a potential countermeasure and recommendations for protecting the sensitive information of genuine subscribers are given. Moreover, a lemma model based on the TAMARIN Prover is used to analyze the privacy vulnerabilities in the disclosed attack scenario and in the 5G security specifications. A practical experiment based on the srsLTE framework, an open-source platform for LTE experimentation, is set up to demonstrate how adversaries attack genuine subscribers using the procedure disclosed in this thesis.

    Table of Contents
    Abstract (Chinese)
    Abstract
    Table of Contents
    Figures
    Tables
    I. Introduction
    II. Background
        2.1 5G Security Architecture and AKA mechanism
        2.2 5G AKA Protocol
        2.3 SQN Mechanism of 5G AKA
        2.4 Related Work
    III. The Discovered Tracking-Attack Scenario and The Vulnerability of 5G AKA Protocol
        3.1 Attacker Types
        3.2 The Tracking-Attack Scenario
            3.2.1 Online Phase
            3.2.2 Offline Phase
            3.2.3 Identity Check in The Tracking-Attack Scenario
    IV. A Possible Countermeasure and Recommendations for Privacy Violations
        4.1 Privacy Violations
        4.2 Countermeasure
        4.3 Recommendations
    V. Validation and Experiment
        5.1 The Lemma Models of The TAMARIN Prover
        5.2 Experimental Setup with srsLTE
    VI. Conclusion
    References
    Appendix
