EP1273126A1 - Method and system for generating a sequence number to be used for authentication - Google Patents

Method and system for generating a sequence number to be used for authentication

Info

Publication number
EP1273126A1
EP1273126A1 EP00925175A EP00925175A EP1273126A1 EP 1273126 A1 EP1273126 A1 EP 1273126A1 EP 00925175 A EP00925175 A EP 00925175A EP 00925175 A EP00925175 A EP 00925175A EP 1273126 A1 EP1273126 A1 EP 1273126A1
Authority
EP
European Patent Office
Prior art keywords
authentication
sequence number
value
general information
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00925175A
Other languages
German (de)
French (fr)
Inventor
Valtteri Niemi
Shreekanth Lakshmeshwar
Tero Kovanen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks Oy
Original Assignee
Nokia Oyj
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Oyj filed Critical Nokia Oyj
Publication of EP1273126A1 publication Critical patent/EP1273126A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the invention relates to a method and system for performing an authentication, and to a method for generating a sequence number to be used for authentication.
  • Section 6 "Authentication and key agreement” deals with a method and system for performing an authentication between a mobile station (MS) and a network, ⁇ wherein a serving network (SN) having a visitor location register (VLR) (or other support node like SGSN which is serving GPRS support node) is sending an authentication data request, to an home environment (HE) having a home location register (HLR) which responds by sending back an authentication data response comprising a batch of authentication vectors.
  • SN serving network
  • VLR visitor location register
  • HLR home location register
  • the serving network (SN) For performing an authentication between the serving network (SN) and the mobile station (MS), the serving network (SN) is sending a user authentication request which contains a random number and an authentication information (authentication token) generated based on a sequence number which is formed in the home environment according to a below defined strategy.
  • the mooile station verifies the received authentication information, thus authenticating the network, and computes an answer which is sent back to the serving network and compared therein with an expected answer. If the received response corresponds to the expected response, the subscriber authentication is successfully performed, and keys internally generated in the mobile station and the serving network depending on a secret key are used for ciphering and integrity purposes .
  • Annex C of the above-mentioned document 3G TS 33.102 V3.3.1 describes the manner of generating sequence numbers in the authentication centre. These sequence numbers are used for generating the authentication vectors in the authentication centre and are stored in individual counters (one counter per user) .
  • a global counter e.g. a clock giving universal time.
  • the home environment retrieves the user-specific value of the counter from the database and creates a new sequence number based on a predefined strategy.
  • the user-specific counter is reset to the new sequence number, i.e. the new sequence number is stored in the database.
  • Each generation of sequence number is therefore accompanied by corresponding writing accesses to the database.
  • These database writing operations require time and CPU capacity.
  • GSM Global System for Mobile Telecommunication
  • UMTS Universal Mobile Telecommunications System
  • sequence numbers used for authentication should be individual ones because of re- synchronisation, and should therefore be stored after every authentication vector generation. This writing causes a high database load and may also decrease the reliability of the database .
  • a sequence number is used in the authentication centre (AuC) when an authentication vector, or a batch of authentication vectors, is generated.
  • the USIM User Service Identity Module
  • the USIM sends a re- synchronisation message to the authentication centre together with a new sequence number.
  • the authentication centre checks if re-synchronisation is necessary, and, if yes, authenticates the USIM and re-synchronises the sequence number. This re- synchronisation means that the sequence number stored in the authentication centre is reset to the sequence number received from the USIM.
  • the invention provides a solution to the above described problem of high amount of database writing operations, and describes a new mechanism for generating sequence numbers usable for authentication purpose.
  • the invention provides a method and system for performing an authentication wherein a sequence number is used for generating an authentication information transmitted to the user equipment for authentication purpose.
  • the authentication may be performed between any two or more entities requiring or requesting an identity check.
  • the authentication may be performed between an user equipment and a network entity of a communication network
  • the sequence number is generated on the basis of a general information which changes in a defined manner, and a value stored in a memory.
  • the value preferably, but not necessarily is a user-specific value, and will be used several times for generating several different sequence numbers.
  • the value is preferably calculated based on the difference between a previously used sequence number and the general information .
  • the general information may be derived from an standardized, for instance international or global, parameter such as a global counter counting a universal time (global clock) .
  • the user-specific value is changed only in a re- synchronisation procedure so that the database writing operations are reduced to a minimum.
  • the re-synchronisation procedure may be effected when the difference between the user- specific value and the general information exceeds a certain limit, or when the previously used sequence number is higher than ne general information, or when the sequence number received by the MS is not m acceptable range.
  • the previously used sequence number may be stored in a storage (e.g. a chip or disk memory) of the user equipment, and may be compared with an actually received sequence number for deciding on the necessity of a re-synchronisation procedure.
  • a storage e.g. a chip or disk memory
  • a preferred easy and swift manner of generating the sequence number is to add the user-specific value to the general information .
  • an index number may be concatenated to the sequence number for forming a batch of different authentication vectors.
  • index numbers are generated consecutive sequence numbers for forming a batch of different authentication vectors.
  • the initial values of the user-specific values may be originally set to zero but are preferably individually set.
  • the invention provides a method and system for generating sequence numbers usable for performing an authentication e.g. between an user equipment and a network entity of a communication network.
  • the sequence numbers are generated on the basis of a general information which changes in a defined manner, and a value stored in a memory. The value will be used several times for generating several different sequence numbers.
  • the described mechanism for generating sequence numbers is usable for authentication purpose and eventually also for key agreement .
  • the invention is applicable to any system in which a sequence- numbei -based authentication scheme is used, and a possibility for re-synchrom sation may be provided, and may for instance be used in an UMTS system..
  • the invention reduces the amount of writing operations of the database storing the information for generating the sequence number (s) significantly. This also leads to a corresponding decrease of the processor load handling the writing operations, and of the necessary performance time. In addition, the reliability of the database and of the system is increased.
  • Fig. 1 shows a basic structure of a system according to one embodiment of the invention
  • Fig. 2 illustrates the generation of authentication vectors in an authentication centre and shows details of generation of authentication information and of the authentication vectors using a sequence number SQN;
  • Fig. 3 shows the processes of authentication and key agreement performed between a mobile station, a serving network, and an home environment, and illustrates the basic concept of handling of authentication requests and responses;
  • Fig. 4 illustrates the user authentication function performed in the mobile station and shows details of the generation of a response and further data in a mobile station
  • Fig. 5 illustrates the generation of an authentication response by the mobile station and shows details of construction of a parameter AUTS sent from the user equipment (mobile station) to the network for requesting a re-synchronisation ;
  • Fig. 6 illustrates the re-synchronisation mechanism and shows the message transmission between a user equipment, a serving network, and an authentication centre of a home network (home location register) .
  • FIG. 1 shows a basic structure of an embodiment of a system according to the invention.
  • a mobile station (MS) 1 may be or comprise any type of user equipment such as a mobile phone, a 5 terminal, data equipment or the like.
  • the MS 1 is equipped or co-operates with a memory 2 storing a user-specific sequence number SQN USIM .
  • the mobile station 1 communicates with a serving network SN 3 having a . visitor location register VLR (or some other support node like SGSN) .
  • the serving network 3 communicates, as indicated by a double-headed arrow, with a home environment or home network 4 having a home location register, an authentication centre AuC not separately shown, and the like.
  • the home environment HE 4 may be or comprise any type of user equipment such as a mobile phone, a 5 terminal, data equipment or the like.
  • the MS 1 is equipped or co-operates with a memory 2 storing a user-specific sequence number SQN USIM .
  • the mobile station 1 communicates
  • -.-> is equipped with a database or storage 5 which stores, for each user registered in the home environment and/or the home location register, an individual user-specific information D.
  • the home environment 4 is equipped with a global 30 counter 6 which here is a global clock (universal time) GLC, and a sequence number calculating section 7.
  • GLC global clock (universal time) GLC
  • the described method and system use a global sequence number SQN G C which is calculated or derived from the global clock GLC (counter 6) and a subscriber-specific difference D (store ⁇ in memory of the authentication centre) to the global sequence number
  • the S N is generated by using the global clock (GLC) .
  • the actual value of SQN G - is, in this embodiment, the time gap from an initial time point (e.g. 01.01.2000, 00:00.00) to the current time.
  • the rate of the GLC counter 6 is defined in such a manner that SQN GLC or any other SQN will not wrap around. If, for example, the clock rate of the global clock is one second, a 32-bit counter wraps around only in about 136 years and will thus not provide any problems.
  • the SQN GLC IS calculated in the following way: SQN GLC GLC now - GLC I ⁇ IT- GLC N o IS tne actual giooal rime, GLC INIT is the initial time.
  • Every subscriber has an individual value D.
  • This value D is the difference between a previously used sequence number SQN which is stored m memory 2 of mobile station 1, i.e. in the USIM thereof (SQN USIM ) , and the SQN GLC .
  • SQN USIM previously used sequence number
  • D may be set to 0, and will be changed in a re- synchronisation process only. It is also possible to set the initial values of D individually. This is an useful option if the sequence numbers are preferred to be individually distinguished from user to user, or at least from some user groups to some user groups.
  • the parameter D may have a positive or negative value, and is stored in the authentication database (memory 5) . The value of D is changed only in a re- synchronisation procedure.
  • a re-synchronisation is performed only when the value SQNusiy stored in memory 2 is bigger than SQN, or when SQN U ⁇ IM is much smalle- than the actually generated SQN, i.e. SQN - SQN us ⁇ > X wherein X stands for a threshold value which preferably is rather large such as about, e.g., 1,700,000 (which approximately corresponds to the number of seconds contained in a time period of twenty days) .
  • the threshold value can also be set to smaller or even larger values, and will also depend on the clock rate (in the above example, a clock rate of one second has been assumed) . In any case, the threshold should be selected in such a manner that a re-synchronisation is occurring only very rarely m a normal situation.
  • the final sequence number SQN which the authentication centre calculates (in section 7) and sends to the USIM of MS 1 via SN/VLR 3, for authentication and key agreement, is calculated in the following way:
  • the index IND is concatenated to the end of the sequence number, i.e. is added as the final least significant bits of the sequence number.
  • the index IND is used to indicate the index of the authentication vectors in a set (batch) . In one set there can be, for instance, one to five authentication vectors, i.e. the index IND is running from one to five.
  • SQN may be calculated in the following manner:
  • SQN SQN GLC + D + X, with ⁇ having consecutive values from 1 to 5 when a set of authentication vectors comprises up to five authentication vectors.
  • the system ensures that no further batches of authentication vectors are delivered for the same subscriber during a short time interval. If, for instance, the clock unit is one second, and the batch size is five, this forbidden interval is five seconds. Hence, batches of authentication vector for a user (USIM) are generated with a time interval of at least five seconds. Otherwise, when not providing such a forbidden time interval, there is a possibility that two authentication vectors will be generated having the same sequence number which might lead to an individual authentication failure.
  • a writing operation for writing to the authentication database (storage 5) is necessary only when a re-synchronisation of the sequence number is requested.
  • the user- specific value of D will simply be read from the storage 5 and added to the global sequence number SQN GL c calculated from the actual time. Using this mechanism, there is no need to store the calculated sequence number SQN in the authentication centre (storage 5 ) .
  • Fig. 2 illustrates the generation of authentication vectors by the home environment HE such as the home network comprising an authentication centre and a home location register (HE/HLR 4 in Fig. 1) .
  • the authentication centre of the home environment 4 starts, for generating one or several authentication vectors AV, with the generation of a fresh sequence number SQN ("Generate SQN") in the above discussed manner, and an unpredictable challenge RAND (“Generate RAND”) which may be a randomly selected or generated number.
  • SQN fresh sequence number
  • RAND unpredictable challenge RAND
  • the authentication centre of the home environment does no longer need to keep track of a counter counting a specific count value for each user.
  • the authentication centre merely needs the user-specific information D stored in memory 5 for generating a plurality of sequence numbers SQN.
  • sequence number SQN is preferably generated in such a way that it does not expose the identity and location of the user.
  • an anonymity key AK may be used to conceal it.
  • sequence number generation mechanism allows protection against wrap around in a USIM, i.e. the sequence number is long enough and only relatively small jumps ahead are acceptable.
  • An authentication and key management field AMF is generated in a manner known per se, and is included in the authentication token AUTN of each authentication vector.
  • Example uses of the AMF field are given in the above cited document.
  • K represents, as known, a long-term secret key shared between the USIM and the authentication centre.
  • the concealment of the sequence number is to protect against passive attacks. If no concealment is necessary, no anonymity key AK is generated, and the authentication token AUTN contains the sequence number SQN in unchanged form.
  • AUTN SQN ® AK
  • MAC authentication token
  • an authentication vector AV (or a set of AVs) is generated as indicated in Fig. 2:
  • Fig. 3 illustrates the information flow for authentication and key agreement.
  • the method is chosen in such a way as to achieve maximum compatibility with the current GSM (Global System for Mobile Telecommunication) security architecture and facilitate migration from GSM to UMTS (or any other network type such as packet-switched system GPRS (General Packet Radio Service)).
  • the method is composed of a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence number-based one-pass protocol for network authentication.
  • the authentication centre of the home environment HE 4 Upon receipt of an "authentication data request" from a serving network or a support node (such as a serving GPRS support node SGSN) initiated by the visitor location register VLR for instance, the authentication centre of the home environment HE 4 generates authentication vectors AV (l...n) in the above described manner, and sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the SN/VLR 3 ("Authentication data response AV(l...n)".
  • a serving network or a support node such as a serving GPRS support node SGSN
  • Each authentication vector AV consists of the components shown in Fig. 2. Each authentication vector is good for one authentication and key agreement between the serving network SN 3 (for instance the VLR or SGSN) and the USIM or other authentication equipment of the mobile station MS 1. 0
  • the SN/VLR 3 When the SN/VLR 3 initiates an authentication and key agreement, it selects the next authentication vector AV( ⁇ ) from the stored array and sends the parameters RAND and AUTN to the user as shown in Fig. 3.
  • the USIM checks whether AUTN can be 5 accepted (“Verify AUTN( ⁇ )”) and, if so, produces a response RES ("Compute RES( ⁇ )") which is sent back to the SN/VLR 3 as "User authentication response”.
  • the MS 1 furthermore computes CK( ⁇ ) and IK( ⁇ ).
  • the SN/VLR 3 (or any VLR/SGSN serving for authentication purpose) compares the received response RES with 0 XRES. If they match, the VLR/SGSN 3 considers the authentication and key agreement exchange to be successfully completed.
  • the established keys CK and IK will then be transferred by the USIM and the VLR/SGSN 3 to the entities which performs ciphering and integrity functions.
  • Fig. 4 shows details of the user authentication function performed in the mobile station, e.g. in the USIM thereof.
  • the mobile station 1, e.g. the USIM thereof, that the receive ⁇ sequence number SQN is in the correct range. If the user considers the sequence number not to be in the correct range, he sends a "Synchronisation failure" message back to SN/VLR 3 including an appropriate parameter AUTS as shown m Figs. 5 and 6, and abandons the procedure.
  • SN/VLR 3 including an appropriate parameter AUTS as shown m Figs. 5 and 6, and abandons the procedure.
  • AUTS SQN MS ® AK
  • MACS f1 * ⁇ ( SQN MS
  • AMF message authentication code
  • RAND is the random value received in the current user authentication request
  • fl* is a message authentication code (MAC) function with the property that no valuable information can be inferred from the function values of fl* aoout tnose of fi, ..., f5 and vice-versa.
  • MAC message authentication code
  • the sequence number generation mechanism is adapted to allow a re-synchronisation procedure in the home environment as described below.
  • Fig. 6 illustrates the re-synchronisation procedure which is performed when the sequence number SQN contained in the authentication vector is either smaller than SQN USIM stored in memory 2 or is much larger than SQN USIM - This situation will normally occur only in rare cases so that a re-synchronisation procedure will be performed only rarely.
  • the serving network SN 3 in charge of the visitor location register, or any support node handling the connections, may send two types of "authentication data requests" to the authentication centre of the home network (HE 4), i.e. the regular one shown in Fig. 1, and one used in case of synchronisation failures which is described below.
  • HE 4 authentication centre of the home network
  • the serving network Upon receiving a synchronisation failure message containing AUTS from the user (MS 1), the serving network sends an
  • the authentication centre resets the value of D to the new value calculated in step 2 and stores this new value of D 0 in memory 5;
  • the authentication centre of the home network 4 (HLR/AuC) sends an authentication data response with a new batch of authentication vectors ⁇ QiSymbol 125 ⁇ f "Symbol" ⁇ s 12 to tne VLR or SGSN of the serving network 3. 5
  • the mobile station 1 may be adapted to perform the calculation of D according to the above equation (SQN USIM - SQN GLG ) if it has access to a global clock counter, and to send back this value of D (possibly concealed) instead of SQN USI when requesting a re-synchronisation procedure.
  • the authentication centre of the home network will then store this value D in its storage 5.
  • the mobile station 1 When first receiving a SQN value from the home environment 4 (via the serving network 3) , the mobile station 1 may be adapted to store this received SQN value in memory 2 as "SQN U IM " .
  • the system may also be adapted to use a predetermined sequence number as "SQN USIM " which will be stored in the memory 2 and be used in the calculation section 7 for calculating D.
  • the serving network 3 having a visitor location register as shown in Fig. 1 can be any serving module handling the communication between the mobile station 1 and the home network 4, i.e. can be an interrogating network, a mobile switching centre (or the VLR thereof) as shown in Fig. 6, or any support node such as an SGSN .

Abstract

The invention relates to a method and system for performing an authentication, preferably between an user equipment and a network entity of a communication network wherein sequence numbers are used for generating an authentication information which may be transmitted to the user equipment for authentication purpose. The sequence numbers are generated on the basis of a general information changing in a defined manner such as a global clock, and a value stored in a database. For reducing the number of database writing operations, the value is used several times for generating several different sequence numbers. The user-specific value may be calculated based on the difference between a previously used or predetermined sequence number and the general information, and is changed only in a re-synchronisation procedure. Such a re-synchronisation procedure may be performed when the difference between the user-specific value and the general information exceeds a certain limit, or when the previously used or predetermined sequence number is larger than the general information.

Description

METHOD AND SYSTEM FOR GENERATING A SEQUENCE NUMBER TO BE USED FOR AUTHEN ICATION
FIELD OF THE INVENTION
The invention relates to a method and system for performing an authentication, and to a method for generating a sequence number to be used for authentication.
BACKGROUND OF THE INVENTION
In mobile communication, it is customary to perform an authentication between an user and a network before starting any new data/information transmission. When initiating a connection, a mutual authentication by the user and the network will be achieved. The user equipment and the network normally have knowledge of a secret key which is shared between, and available only to, an entity of the user such as USIM (User Service Identity Module) and an authentication centre (AuC) which may be co-operating with a central register such as an home location register (HLR) or an home environment (HE) . To support a network authentication, the user entity such as USIM, and the central entity e.g. of the HE may store or generate sequence numbers. The authentication provides enhanced security against undesired or unallowed use of network components.
The document 3G TS 33.102 V3.3.1 (2000-01) of the "Third
Generation Partnership Project (3G PP)", Title: "Technical Specification Group Services and System Aspects; 3G Security; Security Architecture", Release 1999, (published by ETSI as ETSI TS 133 102 V3.3.1 ) deals with security aspects and describes network access security mechanisms (section 6, pages 17 ff.), In particular, section 6.3 "Authentication and key agreement" deals with a method and system for performing an authentication between a mobile station (MS) and a network, ι wherein a serving network (SN) having a visitor location register (VLR) (or other support node like SGSN which is serving GPRS support node) is sending an authentication data request, to an home environment (HE) having a home location register (HLR) which responds by sending back an authentication data response comprising a batch of authentication vectors.
For performing an authentication between the serving network (SN) and the mobile station (MS), the serving network (SN) is sending a user authentication request which contains a random number and an authentication information (authentication token) generated based on a sequence number which is formed in the home environment according to a below defined strategy. The mooile station verifies the received authentication information, thus authenticating the network, and computes an answer which is sent back to the serving network and compared therein with an expected answer. If the received response corresponds to the expected response, the subscriber authentication is successfully performed, and keys internally generated in the mobile station and the serving network depending on a secret key are used for ciphering and integrity purposes .
Annex C of the above-mentioned document 3G TS 33.102 V3.3.1 describes the manner of generating sequence numbers in the authentication centre. These sequence numbers are used for generating the authentication vectors in the authentication centre and are stored in individual counters (one counter per user) .
There is also provided a global counter, e.g. a clock giving universal time. When the home environment needs new sequence numbers to create a new batch of authentication vectors, the home environment retrieves the user-specific value of the counter from the database and creates a new sequence number based on a predefined strategy. When the generation of the first authentication vector in a batch has been completed, the user-specific counter is reset to the new sequence number, i.e. the new sequence number is stored in the database.
Each generation of sequence number is therefore accompanied by corresponding writing accesses to the database. These database writing operations require time and CPU capacity.
In GSM (Global System for Mobile Telecommunication) systems, the database of the authentication centre (AuC) is quite static, and updates are only performed when new subscribers are entered to the database. In UMTS (Universal Mobile Telecommunications System) , the sequence numbers used for authentication should be individual ones because of re- synchronisation, and should therefore be stored after every authentication vector generation. This writing causes a high database load and may also decrease the reliability of the database .
As mentioned above, in authentication such as UMTS authentication, a sequence number is used. This sequence number is generated in the authentication centre (AuC) when an authentication vector, or a batch of authentication vectors, is generated. The USIM (User Service Identity Module) compares the sequence number received from the authentication centre, to a previously used sequence number stored in the USIM. When the USIM does not accept the new sequence number, it sends a re- synchronisation message to the authentication centre together with a new sequence number. The authentication centre checks if re-synchronisation is necessary, and, if yes, authenticates the USIM and re-synchronises the sequence number. This re- synchronisation means that the sequence number stored in the authentication centre is reset to the sequence number received from the USIM. SUMMARY OF THE INVENTION
The invention provides a solution to the above described problem of high amount of database writing operations, and describes a new mechanism for generating sequence numbers usable for authentication purpose.
The invention provides a method and system for performing an authentication wherein a sequence number is used for generating an authentication information transmitted to the user equipment for authentication purpose. The authentication may be performed between any two or more entities requiring or requesting an identity check. In a preferred embodiment, the authentication may be performed between an user equipment and a network entity of a communication network The sequence number is generated on the basis of a general information which changes in a defined manner, and a value stored in a memory. The value preferably, but not necessarily is a user-specific value, and will be used several times for generating several different sequence numbers.
The value is preferably calculated based on the difference between a previously used sequence number and the general information .
The general information may be derived from an standardized, for instance international or global, parameter such as a global counter counting a universal time (global clock) .
Preferably, the user-specific value is changed only in a re- synchronisation procedure so that the database writing operations are reduced to a minimum. The re-synchronisation procedure may be effected when the difference between the user- specific value and the general information exceeds a certain limit, or when the previously used sequence number is higher than ne general information, or when the sequence number received by the MS is not m acceptable range.
The previously used sequence number may be stored in a storage (e.g. a chip or disk memory) of the user equipment, and may be compared with an actually received sequence number for deciding on the necessity of a re-synchronisation procedure.
A preferred easy and swift manner of generating the sequence number is to add the user-specific value to the general information .
For reducing the number of generation of sequence numbers, an index number may be concatenated to the sequence number for forming a batch of different authentication vectors.
An alternative to the use of index numbers is to generate consecutive sequence numbers for forming a batch of different authentication vectors.
The initial values of the user-specific values may be originally set to zero but are preferably individually set.
Furthermore, the invention provides a method and system for generating sequence numbers usable for performing an authentication e.g. between an user equipment and a network entity of a communication network. The sequence numbers are generated on the basis of a general information which changes in a defined manner, and a value stored in a memory. The value will be used several times for generating several different sequence numbers.
The described mechanism for generating sequence numbers is usable for authentication purpose and eventually also for key agreement . The invention is applicable to any system in which a sequence- numbei -based authentication scheme is used, and a possibility for re-synchrom sation may be provided, and may for instance be used in an UMTS system..
The invention reduces the amount of writing operations of the database storing the information for generating the sequence number (s) significantly. This also leads to a corresponding decrease of the processor load handling the writing operations, and of the necessary performance time. In addition, the reliability of the database and of the system is increased.
BRIEF DESCRIPTION OF THE FIGURES
Fig. 1 shows a basic structure of a system according to one embodiment of the invention;
Fig. 2 illustrates the generation of authentication vectors in an authentication centre and shows details of generation of authentication information and of the authentication vectors using a sequence number SQN;
Fig. 3 shows the processes of authentication and key agreement performed between a mobile station, a serving network, and an home environment, and illustrates the basic concept of handling of authentication requests and responses;
Fig. 4 illustrates the user authentication function performed in the mobile station and shows details of the generation of a response and further data in a mobile station;
Fig. 5 illustrates the generation of an authentication response by the mobile station and shows details of construction of a parameter AUTS sent from the user equipment (mobile station) to the network for requesting a re-synchronisation ; and
Fig. 6 illustrates the re-synchronisation mechanism and shows the message transmission between a user equipment, a serving network, and an authentication centre of a home network (home location register) .
0 DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION
Fig. 1 shows a basic structure of an embodiment of a system according to the invention. A mobile station (MS) 1 may be or comprise any type of user equipment such as a mobile phone, a 5 terminal, data equipment or the like. The MS 1 is equipped or co-operates with a memory 2 storing a user-specific sequence number SQNUSIM. For handling a signal transmission and/or receipt as indicated by a double-headed arrow, the mobile station 1 communicates with a serving network SN 3 having a . visitor location register VLR (or some other support node like SGSN) . The serving network 3 communicates, as indicated by a double-headed arrow, with a home environment or home network 4 having a home location register, an authentication centre AuC not separately shown, and the like. The home environment HE 4
-.-> is equipped with a database or storage 5 which stores, for each user registered in the home environment and/or the home location register, an individual user-specific information D.
Furthermore, the home environment 4 is equipped with a global 30 counter 6 which here is a global clock (universal time) GLC, and a sequence number calculating section 7.
The described method and system use a global sequence number SQNG C which is calculated or derived from the global clock GLC (counter 6) and a subscriber-specific difference D (storeα in memory of the authentication centre) to the global sequence number
The S N is generated by using the global clock (GLC) . The actual value of SQNG - is, in this embodiment, the time gap from an initial time point (e.g. 01.01.2000, 00:00.00) to the current time. The rate of the GLC counter 6 is defined in such a manner that SQNGLC or any other SQN will not wrap around. If, for example, the clock rate of the global clock is one second, a 32-bit counter wraps around only in about 136 years and will thus not provide any problems. The SQNGLC IS calculated in the following way: SQNGLC = GLCnow - GLCIΠIT- GLCNo IS tne actual giooal rime, GLCINIT is the initial time.
In the authentication database contained in memory 5, every subscriber has an individual value D. This value D is the difference between a previously used sequence number SQN which is stored m memory 2 of mobile station 1, i.e. in the USIM thereof (SQNUSIM) , and the SQNGLC. Hence, the value of D is calculated in the following way:
D = SQ USIM - SQNGLC.
Initially, D may be set to 0, and will be changed in a re- synchronisation process only. It is also possible to set the initial values of D individually. This is an useful option if the sequence numbers are preferred to be individually distinguished from user to user, or at least from some user groups to some user groups. The parameter D may have a positive or negative value, and is stored in the authentication database (memory 5) . The value of D is changed only in a re- synchronisation procedure.
A re-synchronisation is performed only when the value SQNusiy stored in memory 2 is bigger than SQN, or when SQNUΞIM is much smalle- than the actually generated SQN, i.e. SQN - SQNusι > X wherein X stands for a threshold value which preferably is rather large such as about, e.g., 1,700,000 (which approximately corresponds to the number of seconds contained in a time period of twenty days) . In the latter case, a re- synchromsation procedure is requested when a time period of approximately twenty days has passed since the last refreshing or storing of SQNUSιM- Of course, the threshold value can also be set to smaller or even larger values, and will also depend on the clock rate (in the above example, a clock rate of one second has been assumed) . In any case, the threshold should be selected in such a manner that a re-synchronisation is occurring only very rarely m a normal situation.
The final sequence number SQN which the authentication centre calculates (in section 7) and sends to the USIM of MS 1 via SN/VLR 3, for authentication and key agreement, is calculated in the following way:
SQN = SQNGLr + D I I IND.
The index IND is concatenated to the end of the sequence number, i.e. is added as the final least significant bits of the sequence number. The index IND is used to indicate the index of the authentication vectors in a set (batch) . In one set there can be, for instance, one to five authentication vectors, i.e. the index IND is running from one to five.
It is also possible to avoid the use of the separate additional index field IND, and to use consecutive SQN numbers for vectors in one batch. In this case, SQN may be calculated in the following manner:
SQN = SQNGLC + D + X, with \ having consecutive values from 1 to 5 when a set of authentication vectors comprises up to five authentication vectors. When using this option, the system ensures that no further batches of authentication vectors are delivered for the same subscriber during a short time interval. If, for instance, the clock unit is one second, and the batch size is five, this forbidden interval is five seconds. Hence, batches of authentication vector for a user (USIM) are generated with a time interval of at least five seconds. Otherwise, when not providing such a forbidden time interval, there is a possibility that two authentication vectors will be generated having the same sequence number which might lead to an individual authentication failure.
A writing operation for writing to the authentication database (storage 5) is necessary only when a re-synchronisation of the sequence number is requested. In normal cases, the user- specific value of D will simply be read from the storage 5 and added to the global sequence number SQNGLc calculated from the actual time. Using this mechanism, there is no need to store the calculated sequence number SQN in the authentication centre (storage 5 ) .
When a re-synchronisation is requested by a MS (USIM) 1, the MS 1 will send the SQNUSιM value to the authentication centre of HE 4 (via SN/VLR 3), and the authentication centre and/or the calculation section 7 will calculate a new value of D according to the above equation (D = SQNUSIt - SQNGLC) . This newly calculated value of D will then be stored as new user-specific value D for this user.
Fig. 2 illustrates the generation of authentication vectors by the home environment HE such as the home network comprising an authentication centre and a home location register (HE/HLR 4 in Fig. 1) . The authentication centre of the home environment 4 starts, for generating one or several authentication vectors AV, with the generation of a fresh sequence number SQN ("Generate SQN") in the above discussed manner, and an unpredictable challenge RAND ("Generate RAND") which may be a randomly selected or generated number. Contrary to the prior art shown in the above cited document 3G TS 33.102 V3.3.1, the authentication centre of the home environment does no longer need to keep track of a counter counting a specific count value for each user. The authentication centre merely needs the user-specific information D stored in memory 5 for generating a plurality of sequence numbers SQN.
Further, the sequence number SQN is preferably generated in such a way that it does not expose the identity and location of the user. In case there is some possibility that the sequence number SQN might expose the identity and location of the user, an anonymity key AK may be used to conceal it. Moreover, the sequence number generation mechanism allows protection against wrap around in a USIM, i.e. the sequence number is long enough and only relatively small jumps ahead are acceptable.
An authentication and key management field AMF is generated in a manner known per se, and is included in the authentication token AUTN of each authentication vector. Example uses of the AMF field are given in the above cited document. "K" represents, as known, a long-term secret key shared between the USIM and the authentication centre.
As shown in Fig. 2, the following values are computed in the authentication centre: a message authentication code MAC = flκ (SQN I I RAND I I AMF) where fl is a message authentication function; an expected response XRES = f2K(RAND) where f2 is a (possibly truncated) message authentication function; a cipher key CK = f3f (RAND) where f3 is a key generating function; an integrity key IK = f4K(RAND) where f4 is a key generating function; and an anonymity key AK = f5K(RAND) where f5 is either a key generating function, or is equal to zero m case no anonymity key is necessary for concealing the identity and location of the user. The concealment of the sequence number is to protect against passive attacks. If no concealment is necessary, no anonymity key AK is generated, and the authentication token AUTN contains the sequence number SQN in unchanged form.
Further, the authentication token AUTN is formed which is constructed as shown in Fig. 2: AUTN = SQN ® AK | | AMF I | MAC.
Finally, an authentication vector AV (or a set of AVs) is generated as indicated in Fig. 2:
AV = RAND XRES CK IK AUTN.
The symbol " | | " indicates a simple concatenation wherein the bits of the indicated parameters are simply attached to one another in the indicated manner.
Fig. 3 illustrates the information flow for authentication and key agreement. The method is chosen in such a way as to achieve maximum compatibility with the current GSM (Global System for Mobile Telecommunication) security architecture and facilitate migration from GSM to UMTS (or any other network type such as packet-switched system GPRS (General Packet Radio Service)). The method is composed of a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence number-based one-pass protocol for network authentication. Upon receipt of an "authentication data request" from a serving network or a support node (such as a serving GPRS support node SGSN) initiated by the visitor location register VLR for instance, the authentication centre of the home environment HE 4 generates authentication vectors AV (l...n) in the above described manner, and sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the SN/VLR 3 ("Authentication data response AV(l...n)".
Each authentication vector AV consists of the components shown in Fig. 2. Each authentication vector is good for one authentication and key agreement between the serving network SN 3 (for instance the VLR or SGSN) and the USIM or other authentication equipment of the mobile station MS 1. 0
When the SN/VLR 3 initiates an authentication and key agreement, it selects the next authentication vector AV(ι) from the stored array and sends the parameters RAND and AUTN to the user as shown in Fig. 3. The USIM checks whether AUTN can be 5 accepted ("Verify AUTN(ι)") and, if so, produces a response RES ("Compute RES(ι)") which is sent back to the SN/VLR 3 as "User authentication response". The MS 1 furthermore computes CK(ι) and IK(ι). The SN/VLR 3 (or any VLR/SGSN serving for authentication purpose) compares the received response RES with 0 XRES. If they match, the VLR/SGSN 3 considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the USIM and the VLR/SGSN 3 to the entities which performs ciphering and integrity functions.
-.5
Fig. 4 shows details of the user authentication function performed in the mobile station, e.g. in the USIM thereof. Upon receipt of RAND and AUTN, the user first computes the anonymity key AK = f5f (RAND) and retrieves the sequence number SQN = (SQN ^ θ AK) θ AK. Next, the computer computes XMAC = flκ (SQN| |RAND| lAMF) and compares this with the received MAC which is included in AUTN. If they are different, the user sends a "User authentication reject" message back to the serving network or support node handling the connection to the mobile station, with an indication of the cause, and the user abandons the procedure. Next, the mobile station 1, e.g. the USIM thereof, that the receiveα sequence number SQN is in the correct range. If the user considers the sequence number not to be in the correct range, he sends a "Synchronisation failure" message back to SN/VLR 3 including an appropriate parameter AUTS as shown m Figs. 5 and 6, and abandons the procedure.
As shown in Fig. 5, AUTS = SQNMS ® AK | |MACS. SQNMS here is SQNUSIM stored in memory 2. The sequence number is concealed in this embodiment using AK (= f5K(MACS) but may also be sent in unconcealed form. MACS = f1 *κ ( SQNMS | | RAND | | AMF) . RAND is the random value received in the current user authentication request, fl* is a message authentication code (MAC) function with the property that no valuable information can be inferred from the function values of fl* aoout tnose of fi, ..., f5 and vice-versa.
The sequence number generation mechanism is adapted to allow a re-synchronisation procedure in the home environment as described below.
Fig. 6 illustrates the re-synchronisation procedure which is performed when the sequence number SQN contained in the authentication vector is either smaller than SQNUSIM stored in memory 2 or is much larger than SQNUSIM- This situation will normally occur only in rare cases so that a re-synchronisation procedure will be performed only rarely.
The serving network SN 3 in charge of the visitor location register, or any support node handling the connections, may send two types of "authentication data requests" to the authentication centre of the home network (HE 4), i.e. the regular one shown in Fig. 1, and one used in case of synchronisation failures which is described below.
Upon receiving a synchronisation failure message containing AUTS from the user (MS 1), the serving network sends an
1 £ ajtne-*rcatιon data request with a "synchronisation failure indication" to the authentication centre of the home network, together with the parameters RAND (as sent to the MS 1 m the preceding user authentication request) and AUTS which contains the (e/entually concealed) sequence number SQNUSIM of the mobile station MSI
When the authentication centre of the home network receives such an authentication data request with "synchronisation 0 failure indication", it acts as follows:
1) the authentication centre of the home network HE 4 retrieves SQNUSIM by computing f5K(MACS), if concealed, otherwise it simply takes the unconcealed SQNUSIM value of tne AUTS parameter; 5 2) the authentication centre calculates the value of D based on the above indicated equation D = SQNUSIM - SQNQLC (actual global clock value);
3) the authentication centre resets the value of D to the new value calculated in step 2 and stores this new value of D 0 in memory 5;
4) the authentication centre of the home network 4 (HLR/AuC) sends an authentication data response with a new batch of authentication vectors {QiSymbol 125 \f "Symbol" \s 12 to tne VLR or SGSN of the serving network 3. 5
Instead of sending a batch of authentication vectors, it is also possible to send only one authentication vector. In the latter case, no concatenated index "IND" is necessary (this index IND is indicated m the drawings and above description by >n adding an index "l").
In an alternative embodiment, the mobile station 1 may be adapted to perform the calculation of D according to the above equation (SQNUSIM - SQNGLG) if it has access to a global clock counter, and to send back this value of D (possibly concealed) instead of SQNUSI when requesting a re-synchronisation procedure. The authentication centre of the home network will then store this value D in its storage 5.
When first receiving a SQN value from the home environment 4 (via the serving network 3) , the mobile station 1 may be adapted to store this received SQN value in memory 2 as "SQNU IM" . The system may also be adapted to use a predetermined sequence number as "SQNUSIM" which will be stored in the memory 2 and be used in the calculation section 7 for calculating D.
The serving network 3 having a visitor location register as shown in Fig. 1 can be any serving module handling the communication between the mobile station 1 and the home network 4, i.e. can be an interrogating network, a mobile switching centre (or the VLR thereof) as shown in Fig. 6, or any support node such as an SGSN .
Although the invention has been described above by referring to preferred embodiments, the scope of the invention is not restricted thereto and also covers any modifications, amendments, additions or the like.

Claims

:LAIMS
1. Method for performing an authentication wherein a sequence number is used for generating an authentication information for authentication purpose, the sequence number being generated on the basis of a general information changing in a defined manner, and a value stored in a memory, said value being used several times for generating several different sequence numbers .
2. Method according to claim 1, wherein the authentication is performed between a user equipment and a network entity of a communication network, the authentication information being transmitted to the user equipment for authentication purpose.
3. Method according to claim 1 or 2, wherein the value stored m the memory is a user-specific value.
4. Methoα according to any one of the preceding claims, wherein the value is calculated based on the difference between a previously used or predetermined sequence number and the general information.
5. Method according to any one of the preceding claims, wherein the general information is calculated based on, or derived from, a clock.
1 ι b Method according to claim 5, wherein the clocl< is a globi
(. 1 OCk .
7. Method according to any one of the preceding claims, wherein the value is changed only in a re-synchronisation procedure.
8. Method according to any one of the preceding claims, wherein a re-synchronisation procedure is performed when the difference between the user-specific value and the general information exceeds a certain limit.
9. Method according to any one of the preceding claims, wherein a re-synchronisation procedure is performed when the previously used sequence number is higher than the general information.
10. Method according to any one of the preceding claims, wherein a previously used or predetermined sequence number is stored in a storage of the user equipment.
11. Method according to any one of the preceding claims, wherein the sequence number is generated by adding the value to the general information.
12. Method according to any one of the preceding claims, wherein an index number is concatenated to the sequence number for forming a batch of different authentication vectors.
13. Xetnoα according to any one of claims 1 to 11, wherein consecutive sequence numbers are generated for forming a batch of αifferent authentication vectors.
14. Method according to any one of the preceding claims, wherein the initial values of the values stored m the memory are individually set.
15. System for performing an authentication wherein a sequence number is used for generating an authentication information, the system being adapted to generate sequence numbers on the basis of a general information changing in a defined manner, and a value stored in a memory, said value being used several times for generating several different sequence numbers.
16. System according to claim 15, comprising a user equipment ano a network entity of a communication network.
17. System according to claim 15 or 16, wherein the value is a user-specific value.
18. System according to claim 15, 16 or 17, comprising a calculation section for calculating the value based on the difference between a previously used or predetermined sequence number and the general information.
19. System according to any one of claims 15 to 18, comprising a counter counting a clock for generating the general information .
20. System according to claim 19, wherein the counter counts a global clock.
21. System according to any one of the preceding claims 15 to 20, which is adapted to perform a re-synchronisation procedure when the difference between the value and the general information exceeds a certain limit, or when the previously 0 used sequence number is higher than the general information, wherein the value is changed only in the re-synchronisation procedure .
5 22. System according to any one of the preceding claims 15 to 21, comprising a memory for storing a previously used or predetermined sequence number.
0 23. System according to any one of the preceding claims 15 to 22, comprising means for adding the value to the general information so as to generate the sequence number.
:5 24. System according to any one of claims 15 to 23, comprising an authentication center which is adapted to generate the sequence numbers.
30 25. System according to any one of claims 15 to 24, comprising, or being part of, a UMTS network.
26. Method for generating sequence numbers usable for performing an authentication , the sequence numbers being generated on the basis of a general information changing in a defined manner, and -. value stored in a memory, saiα value bemn useα several times for generating several different sequence numbers.
27. Method according to any one of claims 1 to 14, or 26, wherein the sequence number generation is performed in an authentication center.
28. Method according to any one of claims 1 to 14, 26, or 27, wherein the authentication is performed in a UMTS network.
EP00925175A 2000-04-06 2000-04-06 Method and system for generating a sequence number to be used for authentication Withdrawn EP1273126A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2000/003093 WO2001078306A1 (en) 2000-04-06 2000-04-06 Method and system for generating a sequence number to be used for authentication

Publications (1)

Publication Number Publication Date
EP1273126A1 true EP1273126A1 (en) 2003-01-08

Family

ID=8163904

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00925175A Withdrawn EP1273126A1 (en) 2000-04-06 2000-04-06 Method and system for generating a sequence number to be used for authentication

Country Status (5)

Country Link
EP (1) EP1273126A1 (en)
JP (1) JP3701913B2 (en)
AU (1) AU4398400A (en)
CA (1) CA2402934C (en)
WO (1) WO2001078306A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100373973C (en) * 2004-08-23 2008-03-05 中兴通讯股份有限公司 Mobile communication system monoboard predefined timer managing method
US20070192602A1 (en) * 2004-12-17 2007-08-16 Telefonaktiebolaget Lm Ericsson (Publ) Clone resistant mutual authentication in a radio communication network
CN100488280C (en) 2005-06-04 2009-05-13 华为技术有限公司 Authentifying method and relative information transfer method
CN100479569C (en) * 2005-10-10 2009-04-15 华为技术有限公司 Controlled key updating method
EP1987650A2 (en) 2006-02-22 2008-11-05 Axalto SA An authentication token for identifying a cloning attack onto such authentication token
US8094817B2 (en) * 2006-10-18 2012-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographic key management in communication networks
DE102006060967A1 (en) * 2006-12-20 2008-06-26 Vodafone Holding Gmbh Method for verification of authentication functions, involves transmitting reply message to mobile network which is generated with parameters alternatively maintained at mobile terminal
US8265593B2 (en) * 2007-08-27 2012-09-11 Alcatel Lucent Method and system of communication using extended sequence number
KR101671188B1 (en) * 2009-06-16 2016-11-01 주식회사 케이티 Method and system for certificating universal subscriber identity module
CN104333864B (en) * 2014-11-05 2018-04-10 中国联合网络通信集团有限公司 A kind of authentication resynchronization method and device
US20200236548A1 (en) * 2019-01-18 2020-07-23 Qualcomm Incorporated Protection of sequence numbers in authentication and key agreement protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5799084A (en) * 1996-05-06 1998-08-25 Synacom Technology, Inc. System and method for authenticating cellular telephonic communication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0178306A1 *

Also Published As

Publication number Publication date
CA2402934C (en) 2006-12-05
JP2004518309A (en) 2004-06-17
CA2402934A1 (en) 2001-10-18
JP3701913B2 (en) 2005-10-05
WO2001078306A1 (en) 2001-10-18
AU4398400A (en) 2001-10-23

Similar Documents

Publication Publication Date Title
US9032205B2 (en) Robust authentication and key agreement protocol for net-generation wireless networks
EP0856233B1 (en) Subscriber authentication in a mobile communications system
EP0976278B1 (en) Preventing misuse of a copied subscriber identity in a mobile communication system
US5319711A (en) Wireless device for verifying identification
CN101053273B (en) Method, device and system for mutual authentication with modified message authentication code
AU731100B2 (en) Finding copied SIM cards
EP1603361B1 (en) A self-synchronizing authentication and key agreement protocol
US20040162998A1 (en) Service authentication in a communication system
US20080052399A1 (en) System and method for protecting emergency response services in telecommunication networks from attack
WO2009048574A2 (en) Secure wireless communication
KR20010112618A (en) An improved method for an authentication of a user subscription identity module
US11115195B2 (en) Authentication server of a cellular telecommunication network and corresponding UICC
CA2402934C (en) Method and system for generating a sequence number to be used for authentication
EP1992185A2 (en) Fast re-authentication method in umts
WO2020147856A1 (en) Authentication processing method and device, storage medium, and electronic device
US7570764B2 (en) Sequence number calculation and authentication in a communications system
Park et al. An authentication mechanism for the UMTS-WiFi networks
WO2013095168A1 (en) Method for transmitting a one-time code in an alphanumeric form

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021105

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NOKIA SIEMENS NETWORKS OY

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20081204