EP1470733A2 - Authentifizierungssystem und -verfahren zwischen zwei kommunikationseinheiten - Google Patents
Authentifizierungssystem und -verfahren zwischen zwei kommunikationseinheitenInfo
- Publication number
- EP1470733A2 EP1470733A2 EP20020795216 EP02795216A EP1470733A2 EP 1470733 A2 EP1470733 A2 EP 1470733A2 EP 20020795216 EP20020795216 EP 20020795216 EP 02795216 A EP02795216 A EP 02795216A EP 1470733 A2 EP1470733 A2 EP 1470733A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication
- communication units
- communication
- algorithms
- units according
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the invention relates to an authentication system consisting of at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
- Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication. Furthermore, the invention relates to a method for authenticating between at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
- Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication.
- a secure subscriber identification is required for communication requests.
- the frequency of the verification of this identification is usually determined by the network operator.
- a possible authentication of a network participant is defined in particular in the GSM standard. It takes place according to a challenge response between the authenticating point of the communication network and the communication unit.
- the authentication authority - also called authentication center (AuC) - of the communication network generates a random number "RAND” which is transmitted to the communication unit.
- the communication unit calculates the checksum "SRES" from the random number "RAND” using a subscriber key or authentication key "10,” and an authentication algorithm "A3" and sends it back to the authenticating location.
- a new subscriber key K c is calculated from the random number "RAND" in the communication unit and in the communications network using the subscriber key IC and the data key generation algorithm "A8".
- the communication network awards together with the random number "RAND” the associated key number CKSN, which is stored together with K- in the communication unit and in the communication network.
- WO 99/62275 describes a method for controlling a subscriber identity module (SIM) in mobile radio systems, in which the mobile radio network sends one or more specific control values to the subscriber identity module which trigger certain actions within the subscriber identity module.
- SIM subscriber identity module
- random values determined and sent by the mobile radio network for the regular authentication to the subscriber module are used as control values.
- control values e.g. Several different security algorithms can be stored on the SIM and can be switched between by receiving a corresponding control value. It is also possible that several secret keys IC, are stored on the SIM card, or can be derived from a key stored there, between which it is possible to switch over by receiving a corresponding control value.
- the SIM card has two different or even several algorithms that have the same interfaces to the outside, with the same length of RAND, Ki and SRES.
- the SIM can only have one K; or each algorithm has its own IC. If the network operator would like to change the A3 / A8 algorithm used for security reasons, he can cause the authentication center AuC to generate a special random number RAND, which at the same time represents a control value according to the invention, which is also referred to as a control RAND.
- the object of the invention is therefore to create an authentication system and a corresponding method for authentication for at least two communication units, in which the disadvantages of the prior art are eliminated. Furthermore, it is an object of the invention to increase security cost-effectively without having to operate with significant additional technical outlay.
- the object is achieved in that, in an authentication system consisting of at least two communication units of the type mentioned at the beginning, means are provided for the simultaneous dynamic processing of the authentication algorithms. Furthermore, the object is achieved by a method for authentication between at least two communication units of the type mentioned in the introduction, in which the authentication algorithms are processed dynamically at the same time.
- the principle of an authentication system according to the invention is, in particular, that in addition to the identification data and the address of the subscriber who has to authenticate, the return address is transmitted at the same time.
- the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
- the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
- the principle of the method according to the invention for authenticating two communication units also consists in simultaneously transmitting the return address in addition to the identification data and the address of the subscriber who has to authenticate himself.
- the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
- the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
- the one communication unit is designed as a mobile radio terminal.
- a third party can easily switch between two communication units and misuse them via the relatively fragile air interface.
- the authentication algorithms are stored on a subscriber identity module ((U) SIM). Since the subscriber identity modules ((U) SIM) contain personal data anyway, it seems particularly advantageous to store the authentication algorithms on them. From here, the authentication algorithms can be called up practically at any time from a communication unit.
- the subscriber identity module ((U) SIM) can also be used device-independently, ie it can also be used in various mobile radio terminals, for example.
- (U) SIM cards are individually designed. Therefore, you always allow yourself assign to specific participants. Because of this, SIM cards are particularly suitable for the authentication system.
- the authentication algorithms are stored on the individual (U) SIM cards.
- a communication unit is provided as the authentication center of a communication network. This measure allows the effort of authentication of communication network participants to be carried out centrally. Centralized authentication makes it possible to react quickly to changes, in order to further increase the security standard if necessary.
- At least one authentication key is provided for the authentication algorithms.
- the authentication key is a further security feature for an authentication system according to the invention.
- the communication unit calculates the checksum using the authentication key and the authentication algorithms. This checksum is sent to the authentication center of the communication network. In the authentication center, the checksum returned by the communication unit is now compared with the checksum calculated accordingly by the authentication center itself. If both checksums match, the authentication has been successfully passed.
- a separate authentication key can be assigned to each individual authentication algorithm to increase security.
- At least one communication unit is designed as a mobile radio terminal.
- the authentication algorithms are stored on a subscriber identity module ((U) SIM).
- (U) SIM cards are individually designed. They can therefore always be assigned to a specific participant. Because of this, (U) SIM cards are particularly suitable for the authentication process.
- the authentication algorithms are stored on the individual (U) SIM cards.
- a communication unit is designed as an authentication center of a mobile radio network (UMTS / GSM). This allows authentication processes to be controlled centrally.
- UMTS / GSM mobile radio network
- the inventive method for authentication receives an additional security component. To this end, security can be increased further by providing each individual authentication algorithm with its own
- Authentication key is assigned.
- Fig. 1 shows in a schematic diagram the authentication of a conventional type.
- Fig. 2 shows a schematic diagram for authentication by selecting one
- Fig. 3 shows a schematic diagram for the generation of subscriber keys.
- FIG. 1 shows a basic sketch of the authentication currently used for a communication unit, such as for a mobile radio terminal with a mobile radio network.
- 10 denotes an input (ON).
- a random number (RAND) is transmitted via input 10 to an authentication algorithm 12 (AKA-algo) on request from an authentication center (AuC) of the mobile radio network.
- the random number (RAND) is generated by the authentication center (AuC).
- the authentication algorithm 12 is on a subscriber identity module (SIM) stored.
- SIM subscriber identity module
- a processor unit processes this authentication algorithm 12.
- a subscriber key (K) is fed to the authentication algorithm 12 via a further access 14.
- the subscriber key enables the authentication algorithm 12 to run first and a checksum (SRES) to be formed from the random number (RAND).
- the checksum (SRES) is transmitted back to the authentication center (AuC) via output 16.
- the authentication center (AuC) now also calculates the checksum under the same conditions as the mobile terminal. If the
- the authentication system has at least two inputs 18, 20. Via input 18 (ON) the random number (RAND) is fed to the authentication system. A control parameter is given to input 20 (control). A switch 22 is controlled by the random number (RAND) and the control parameter. Switch 22 (S) selects one of the authentication algorithms 24, 26, 28. The authentication algorithms 24, 26, 28 are selected randomly, depending on which random number (RAND) has been supplied to the switch 22. The authentication algorithms 24, 26, 28 are stored on a SIM card.
- the random number is used in the selected authentication algorithm 24, 26, 28.
- Each authentication algorithm 24, 26, 28 has its own subscriber key 30, 32, 34 (K,).
- the selected authentication algorithm 24, 26, 28 calculates a checksum 36, 38, 40 using the subscriber key 30, 32, 34, which is recalculated each time for each authentication process (see FIG. 3).
- the checksum 36, 38, 40 is given to the output 42, 44, 46 (OFF).
- the checksum is calculated simultaneously for both communication units, the mobile radio terminal and the authentication center (AuC) of the mobile radio network. This can only be done by starting the authentication procedures for both communication units at the same time.
- the required checksums (SRES, XRES), random numbers (RAND), subscriber key 30, 32, 34 (K and also control parameters can be exchanged.
- Kj subscriber keys 30, 32, 34.
- a general key is designated by K, from which the digital subscriber keys are produced by the key generation algorithms (h ; ) 48, 50, 52.
- this subscriber keys can each be 'associated authentication algorithms 24, 26 activate, 28th
- the authentication procedures take place simultaneously on both communication units. Due to the dynamics of the selection of the authentication algorithm 30, 32, 34 and the separate calculation of the subscriber key (IQ), the authentication system receives an additional security component without having to lose speed in the authentication. The authentication takes place simultaneously in both communication units.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Description
Claims
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10200041 | 2002-01-03 | ||
DE10200041.7A DE10200041B4 (de) | 2002-01-03 | 2002-01-03 | Authentifizierungssystem und -verfahren zwischen zwei Kommunikationseinheiten |
PCT/EP2002/014411 WO2003056863A2 (de) | 2002-01-03 | 2002-12-17 | Authentifizierungssystem und -verfahren zwischen zwei kommunikationseinheiten |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1470733A2 true EP1470733A2 (de) | 2004-10-27 |
Family
ID=7711448
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20020795216 Withdrawn EP1470733A2 (de) | 2002-01-03 | 2002-12-17 | Authentifizierungssystem und -verfahren zwischen zwei kommunikationseinheiten |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1470733A2 (de) |
AU (1) | AU2002361000A1 (de) |
DE (1) | DE10200041B4 (de) |
WO (1) | WO2003056863A2 (de) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101047641B1 (ko) * | 2002-10-07 | 2011-07-08 | 텔레폰악티에볼라겟엘엠에릭슨(펍) | 보안 장치용 보안 및 프라이버시 강화 |
US7861097B2 (en) | 2002-10-31 | 2010-12-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure implementation and utilization of device-specific security data |
JP4664050B2 (ja) * | 2004-07-01 | 2011-04-06 | 株式会社エヌ・ティ・ティ・ドコモ | 認証ベクトル生成装置、加入者認証モジュール、移動通信システム、認証ベクトル生成方法、演算方法及び加入者認証方法 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6105133A (en) * | 1997-03-10 | 2000-08-15 | The Pacid Group | Bilateral authentication and encryption system |
US5913196A (en) * | 1997-11-17 | 1999-06-15 | Talmor; Rita | System and method for establishing identity of a speaker |
DE19823532C2 (de) * | 1998-05-26 | 2003-08-21 | T Mobile Deutschland Gmbh | Verfahren zur Steuerung eines Teilnehmeridentitätsmoduls (SIM) in Mobilfunksystemen |
FI107486B (fi) * | 1999-06-04 | 2001-08-15 | Nokia Networks Oy | Autentikaation ja salauksen järjestäminen matkaviestinjärjestelmässä |
-
2002
- 2002-01-03 DE DE10200041.7A patent/DE10200041B4/de not_active Expired - Lifetime
- 2002-12-17 EP EP20020795216 patent/EP1470733A2/de not_active Withdrawn
- 2002-12-17 AU AU2002361000A patent/AU2002361000A1/en not_active Abandoned
- 2002-12-17 WO PCT/EP2002/014411 patent/WO2003056863A2/de not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO03056863A2 * |
Also Published As
Publication number | Publication date |
---|---|
AU2002361000A1 (en) | 2003-07-15 |
DE10200041B4 (de) | 2021-03-25 |
WO2003056863A2 (de) | 2003-07-10 |
DE10200041A1 (de) | 2003-07-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE19823532C2 (de) | Verfahren zur Steuerung eines Teilnehmeridentitätsmoduls (SIM) in Mobilfunksystemen | |
DE69628329T2 (de) | Informationskodierungsverfahren | |
EP2235978B1 (de) | Verfahren zur verwaltung der autorisierung von mobiltelefonen mit und ohne sim-karte | |
EP0440914B1 (de) | Verfahren zum Zuordnen von Nutzdaten zu einem bestimmten Absender | |
DE69518521T2 (de) | Verfahren und einrichtung zur schlüsselumwandlung zur unterscheidung zwischen veschiedenen netzen | |
EP0995288B1 (de) | Verfahren und vorrichtung zur gegenseitigen authentisierung von komponenten in einem netz mit dem challenge-response-verfahren | |
DE102018202176A1 (de) | Master-Slave-System zur Kommunikation über eine Bluetooth-Low-Energy-Verbindung | |
DE4242151C1 (de) | Verfahren zur Sicherung eines Mobilfunkgerätes gegen unerlaubte Benutzung | |
EP1010146A2 (de) | Verfahren zur gegenseitigen authentifizierung zweier einheiten | |
EP1112666B1 (de) | Verfahren zur erhöhung der sicherheit von authentisierungsverfahren in digitalen mobilfunksystemen | |
EP1240794B1 (de) | Verfahren zur Verschlüsselung von Daten und Telekommunikationsendgerät und Zugangsberechtigungskarte | |
DE10200041B4 (de) | Authentifizierungssystem und -verfahren zwischen zwei Kommunikationseinheiten | |
DE19720719C2 (de) | Verbindungsaufbau-Überwachungsvorrichtung | |
DE102006003167B3 (de) | Sichere Echtzeit-Kommunikation | |
EP1573955B1 (de) | Verschl sselungsverfahren | |
EP2481183A1 (de) | Verfahren zum aufbauen eines gesicherten kommunikationskanals | |
DE60007678T2 (de) | Verfahren um einen gesicherten Datenverkehr in einem Rechnernetzwerk zu liefern | |
DE102005046742B4 (de) | Zugangselement und Verfahren zur Zugangskontrolle eines Netzelements | |
DE10238928A1 (de) | Verfahren zur Authentifizierung eines Nutzers eines Kommunikationsendgerätes bei Nutzung eines Dienstnetzes | |
DE10128300A1 (de) | Authentisierungsverfahren | |
DE102006060042A1 (de) | Verfahren und Server zum Bereitstellen eines zweckgebundenen Schlüssels | |
EP3917069A1 (de) | Verfahren zum synchronisieren eines empfänger-initialisierungsvektors mit einem sender-initialisierungsvektor | |
DE102016120769A1 (de) | Datenübertragungsvorrichtung, Verfahren zur Übertragung von Daten mit einer Datenübertragungsvorrichtung und Systemanordnung | |
WO2016012086A1 (de) | Teilnehmeridentitätsmodul mit mindest-sicherheitslevel msl prüfung | |
DE3439159A1 (de) | Gegen leistungserschleichung gesichertes waehlverfahren |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20040702 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO |
|
17Q | First examination report despatched |
Effective date: 20071025 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN |
|
18W | Application withdrawn |
Effective date: 20150220 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: H04Q0007380000 Ipc: H04W0004000000 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: H04Q0007380000 Ipc: H04W0004000000 Effective date: 20150407 |