Telecommunications – Radiotelephone system – Security or fraud prevention
Reexamination Certificate
1999-10-14
2004-03-23
Chin, Vivian (Department: 2682)
Telecommunications
Radiotelephone system
Security or fraud prevention
C415S189000, C713S168000, C713S169000, C380S255000, C380S270000
Reexamination Certificate
active
06711400
ABSTRACT:
FIELD OF THE INVENTION
The invention is related to the authentication between subscriber equipment and the network in a telecommunications system. The invention can be applied especially to the authentication methods of a mobile communications system.
BACKGROUND OF THE INVENTION
The purpose of the authentication is to verify the authenticity of the identities of the parties of the data transfer even before forming the telecommunications connection. The authenticity of the parties must be verified in order to ensure the data security of the subscriber. Additionally, authentication can be used to prevent the use of network services by means of another subscriber's identity.
Verifying the authenticity of the identities of the parties is especially important in mobile communications systems in which the subscriber and the network state their identities to each other before forming the connection. If the authenticity of the stated identities is not verified, a connection can be formed by using a false identity simply by giving the identification data of some other mobile subscriber or network. In the circuit-switched systems of a fixed telephone network, the subscriber identity is determined by the subscriber line, so in order to use a false identity, the subscriber line of some other subscriber must be used. In packet-switched systems, the subscriber identity is transferred in each data package sent by the subscriber, so a false identity can be used simply by giving false identification data. Basically, the authenticity of the identity stated by the subscriber can be verified in all systems by using the same kind of authentication methods.
FIG. 1
illustrates a mobile communications network and its network elements related to the authentication. The figure shows two mobile services switching centres MSC
1
, MSC
2
and the visitor location registers VLR
1
, VLR
2
related to them, base station controllers BSC, base transceiver stations BTS, a mobile station MS, a home location register HLR and an authentication centre AUC typically located in connection with the HLR. Mobile services switching centres can form signalling connections to the home location register HLR and to the authentication centre AUC, as shown with dotted lines in the figure.
Each mobile subscriber has a home public land mobile network HPLMN with whose operator the mobile subscriber has signed an agreement and in which the subscriber data is stored. In addition to the home network HPLMN, the mobile subscriber can use the services of public land mobile networks PLMN with which the subscriber's operator has a roaming agreement. The network with which the mobile station communicates is now on called as the visited public land mobile network VPLMN and it can be the home network HPLMN of the mobile station or some other mobile communications network PLMN.
The mobile communications system is connected via the mobile services switching centre MSC to other networks, such as public switched telephone network PSTN or integrated services digital network ISDN. Several base station controllers BSC are connected to the mobile services switching centre MSC. Several base stations BTS are connected to each base station controller BSC. The base stations can form connections to subscriber stations, that is, mobile stations MS comprising mobile equipment ME and subscriber identity modules SIM, via the channels of the so called air interface.
FIG. 2
illustrates an authentication method used in a known GSM system. In the system, the purpose of the authentication is to ensure that the mobile station trying to connect to the network really is what it claims to be. The principle of the authentication procedure is to have the network ask the mobile station a question for which only the mobile station with the given identity can answer correctly. The procedure is based on the use of a subscriber-specific authentication key Ki. During the entry of the subscriber data, the key Ki has been stored in the authentication centre AUC and in the subscriber identity module SIM to be placed in the mobile station. There is no way to find out the key without breaking the subscriber identity module SIM; only the authentication algorithms located in the authentication centre and in the subscriber identity module can use the key.
The authentication method has two stages. At the first stage (
FIG. 2
, stages
201
-
203
), the authentication centre forms so called authentication triplets and sends them to the network which the mobile station is currently visiting. At the second stage, the network authenticates the mobile subscriber by using the triplets it has received from the authentication centre (stages
204
-
210
).
The forming of the authentication triplets starts with generating a random number RAND by using the random number generator (stage
201
). At stage
202
, the random number RAND is entered, together with the mobile-subscriber-specific authentication key Ki, to the algorithms A
3
and A
8
. The algorithms A
3
and A
8
are secret algorithms defined in the Memorandum of Understanding (MoU) of the GSM operators' organisation. Different operators can use different versions of the algorithms. Basically, the algorithms are one-way hash functions H(K,X) with keys and the following applies to them:
1. when K and X have been given, unique H(K,X) is easy to calculate and
2. when X has been given, but the key K is unknown, H(K,X) is impossible, or at least very difficult, to calculate,
3. when a great number of arguments X and the corresponding hash function values H(K,X) have been given, but the key K is unknown, the key K is impossible, or at least very difficult, to calculate and
4. when a great number of arguments X and the corresponding hash function values H(K,X) have been given, but the key K is unknown, the hash function value H(K,X′) for given input X′ is impossible, or at least very difficult, to calculate, if the value is not known.
In addition to the GSM system algorithms A
3
and A
8
(which have a secret implementation), known one-way hash functions with keys are, for example, HMAC (Hash-Based Message Authentication Code) algorithms formed from the SHA (Secure Hash Algorithm) and MD
5
(Message Digest Algorithm
5
) algorithms.
The authentication triplet (RAND, SRES, Kc) formed by the responses SRES (Signed RESponse) and Kc, which are calculated by using the algorithms A
3
and A
8
, and the random number RAND used as input data, are sent to the network VPLMN which the mobile station is visiting at the given time. It should be noted that VPLMN can also be the subscriber's home network HPLMN. Due to the features of the algorithms A
3
and A
8
, the subscriber authentication key Ki cannot be deduced even on the basis of a large number of known triplets (RAND, SRES, Kc). In the network, the triplets are stored in the visitor location register VLR. Typically, several triplets, for example, ten, are calculated and sent to VLR at a time.
When a connection is being formed between the mobile station and the network, the network authenticates the mobile station by using the triplets received from the authentication centre. The network starts the authentication at stage
204
by sending an authentication request to the mobile station. The request contains the random input RAND belonging to the triplet. The mobile station receives the request and, at stage
205
, calculates the values SRES′ and Kc by using the algorithms A
3
and A
8
, programmed in the subscriber identity module SIM, and by using the random number RAND and the authentication key Ki, programmed in the subscriber identity module SIM, as the input. On the basis of the features of the algorithms, SRES′=SRES only, if the authentication keys Ki used by both the authentication centre and the subscriber identity module are identical.
The mobile station sends the calculated response for algorithm A
3
, SRES′, to the network which compares it to the response SRES taken from the authentication triplet at stage
206
. If SRES=SR
Chin Vivian
Nokia Corporation
Pan Yuwen
Squire Sanders & Dempsey L.L.P.
LandOfFree
Authentication method does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Authentication method, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Authentication method will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3202043