EP1470733A2 - Procede et systeme d'authentification entre deux unites de communication - Google Patents

Procede et systeme d'authentification entre deux unites de communication

Info

Publication number
EP1470733A2
EP1470733A2 EP20020795216 EP02795216A EP1470733A2 EP 1470733 A2 EP1470733 A2 EP 1470733A2 EP 20020795216 EP20020795216 EP 20020795216 EP 02795216 A EP02795216 A EP 02795216A EP 1470733 A2 EP1470733 A2 EP 1470733A2
Authority
EP
European Patent Office
Prior art keywords
authentication
communication units
communication
algorithms
units according
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP20020795216
Other languages
German (de)
English (en)
Inventor
Benno Tietz
Jens RÜDINGER
Stephen Babbage
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Vodafone Holding GmbH
Original Assignee
Vodafone Holding GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vodafone Holding GmbH filed Critical Vodafone Holding GmbH
Publication of EP1470733A2 publication Critical patent/EP1470733A2/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the invention relates to an authentication system consisting of at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
  • Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication. Furthermore, the invention relates to a method for authenticating between at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
  • Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication.
  • a secure subscriber identification is required for communication requests.
  • the frequency of the verification of this identification is usually determined by the network operator.
  • a possible authentication of a network participant is defined in particular in the GSM standard. It takes place according to a challenge response between the authenticating point of the communication network and the communication unit.
  • the authentication authority - also called authentication center (AuC) - of the communication network generates a random number "RAND” which is transmitted to the communication unit.
  • the communication unit calculates the checksum "SRES" from the random number "RAND” using a subscriber key or authentication key "10,” and an authentication algorithm "A3" and sends it back to the authenticating location.
  • a new subscriber key K c is calculated from the random number "RAND" in the communication unit and in the communications network using the subscriber key IC and the data key generation algorithm "A8".
  • the communication network awards together with the random number "RAND” the associated key number CKSN, which is stored together with K- in the communication unit and in the communication network.
  • WO 99/62275 describes a method for controlling a subscriber identity module (SIM) in mobile radio systems, in which the mobile radio network sends one or more specific control values to the subscriber identity module which trigger certain actions within the subscriber identity module.
  • SIM subscriber identity module
  • random values determined and sent by the mobile radio network for the regular authentication to the subscriber module are used as control values.
  • control values e.g. Several different security algorithms can be stored on the SIM and can be switched between by receiving a corresponding control value. It is also possible that several secret keys IC, are stored on the SIM card, or can be derived from a key stored there, between which it is possible to switch over by receiving a corresponding control value.
  • the SIM card has two different or even several algorithms that have the same interfaces to the outside, with the same length of RAND, Ki and SRES.
  • the SIM can only have one K; or each algorithm has its own IC. If the network operator would like to change the A3 / A8 algorithm used for security reasons, he can cause the authentication center AuC to generate a special random number RAND, which at the same time represents a control value according to the invention, which is also referred to as a control RAND.
  • the object of the invention is therefore to create an authentication system and a corresponding method for authentication for at least two communication units, in which the disadvantages of the prior art are eliminated. Furthermore, it is an object of the invention to increase security cost-effectively without having to operate with significant additional technical outlay.
  • the object is achieved in that, in an authentication system consisting of at least two communication units of the type mentioned at the beginning, means are provided for the simultaneous dynamic processing of the authentication algorithms. Furthermore, the object is achieved by a method for authentication between at least two communication units of the type mentioned in the introduction, in which the authentication algorithms are processed dynamically at the same time.
  • the principle of an authentication system according to the invention is, in particular, that in addition to the identification data and the address of the subscriber who has to authenticate, the return address is transmitted at the same time.
  • the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
  • the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
  • the principle of the method according to the invention for authenticating two communication units also consists in simultaneously transmitting the return address in addition to the identification data and the address of the subscriber who has to authenticate himself.
  • the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
  • the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
  • the one communication unit is designed as a mobile radio terminal.
  • a third party can easily switch between two communication units and misuse them via the relatively fragile air interface.
  • the authentication algorithms are stored on a subscriber identity module ((U) SIM). Since the subscriber identity modules ((U) SIM) contain personal data anyway, it seems particularly advantageous to store the authentication algorithms on them. From here, the authentication algorithms can be called up practically at any time from a communication unit.
  • the subscriber identity module ((U) SIM) can also be used device-independently, ie it can also be used in various mobile radio terminals, for example.
  • (U) SIM cards are individually designed. Therefore, you always allow yourself assign to specific participants. Because of this, SIM cards are particularly suitable for the authentication system.
  • the authentication algorithms are stored on the individual (U) SIM cards.
  • a communication unit is provided as the authentication center of a communication network. This measure allows the effort of authentication of communication network participants to be carried out centrally. Centralized authentication makes it possible to react quickly to changes, in order to further increase the security standard if necessary.
  • At least one authentication key is provided for the authentication algorithms.
  • the authentication key is a further security feature for an authentication system according to the invention.
  • the communication unit calculates the checksum using the authentication key and the authentication algorithms. This checksum is sent to the authentication center of the communication network. In the authentication center, the checksum returned by the communication unit is now compared with the checksum calculated accordingly by the authentication center itself. If both checksums match, the authentication has been successfully passed.
  • a separate authentication key can be assigned to each individual authentication algorithm to increase security.
  • At least one communication unit is designed as a mobile radio terminal.
  • the authentication algorithms are stored on a subscriber identity module ((U) SIM).
  • (U) SIM cards are individually designed. They can therefore always be assigned to a specific participant. Because of this, (U) SIM cards are particularly suitable for the authentication process.
  • the authentication algorithms are stored on the individual (U) SIM cards.
  • a communication unit is designed as an authentication center of a mobile radio network (UMTS / GSM). This allows authentication processes to be controlled centrally.
  • UMTS / GSM mobile radio network
  • the inventive method for authentication receives an additional security component. To this end, security can be increased further by providing each individual authentication algorithm with its own
  • Authentication key is assigned.
  • Fig. 1 shows in a schematic diagram the authentication of a conventional type.
  • Fig. 2 shows a schematic diagram for authentication by selecting one
  • Fig. 3 shows a schematic diagram for the generation of subscriber keys.
  • FIG. 1 shows a basic sketch of the authentication currently used for a communication unit, such as for a mobile radio terminal with a mobile radio network.
  • 10 denotes an input (ON).
  • a random number (RAND) is transmitted via input 10 to an authentication algorithm 12 (AKA-algo) on request from an authentication center (AuC) of the mobile radio network.
  • the random number (RAND) is generated by the authentication center (AuC).
  • the authentication algorithm 12 is on a subscriber identity module (SIM) stored.
  • SIM subscriber identity module
  • a processor unit processes this authentication algorithm 12.
  • a subscriber key (K) is fed to the authentication algorithm 12 via a further access 14.
  • the subscriber key enables the authentication algorithm 12 to run first and a checksum (SRES) to be formed from the random number (RAND).
  • the checksum (SRES) is transmitted back to the authentication center (AuC) via output 16.
  • the authentication center (AuC) now also calculates the checksum under the same conditions as the mobile terminal. If the
  • the authentication system has at least two inputs 18, 20. Via input 18 (ON) the random number (RAND) is fed to the authentication system. A control parameter is given to input 20 (control). A switch 22 is controlled by the random number (RAND) and the control parameter. Switch 22 (S) selects one of the authentication algorithms 24, 26, 28. The authentication algorithms 24, 26, 28 are selected randomly, depending on which random number (RAND) has been supplied to the switch 22. The authentication algorithms 24, 26, 28 are stored on a SIM card.
  • the random number is used in the selected authentication algorithm 24, 26, 28.
  • Each authentication algorithm 24, 26, 28 has its own subscriber key 30, 32, 34 (K,).
  • the selected authentication algorithm 24, 26, 28 calculates a checksum 36, 38, 40 using the subscriber key 30, 32, 34, which is recalculated each time for each authentication process (see FIG. 3).
  • the checksum 36, 38, 40 is given to the output 42, 44, 46 (OFF).
  • the checksum is calculated simultaneously for both communication units, the mobile radio terminal and the authentication center (AuC) of the mobile radio network. This can only be done by starting the authentication procedures for both communication units at the same time.
  • the required checksums (SRES, XRES), random numbers (RAND), subscriber key 30, 32, 34 (K and also control parameters can be exchanged.
  • Kj subscriber keys 30, 32, 34.
  • a general key is designated by K, from which the digital subscriber keys are produced by the key generation algorithms (h ; ) 48, 50, 52.
  • this subscriber keys can each be 'associated authentication algorithms 24, 26 activate, 28th
  • the authentication procedures take place simultaneously on both communication units. Due to the dynamics of the selection of the authentication algorithm 30, 32, 34 and the separate calculation of the subscriber key (IQ), the authentication system receives an additional security component without having to lose speed in the authentication. The authentication takes place simultaneously in both communication units.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
EP20020795216 2002-01-03 2002-12-17 Procede et systeme d'authentification entre deux unites de communication Withdrawn EP1470733A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10200041 2002-01-03
DE10200041.7A DE10200041B4 (de) 2002-01-03 2002-01-03 Authentifizierungssystem und -verfahren zwischen zwei Kommunikationseinheiten
PCT/EP2002/014411 WO2003056863A2 (fr) 2002-01-03 2002-12-17 Procede et systeme d'authentification entre deux unites de communication

Publications (1)

Publication Number Publication Date
EP1470733A2 true EP1470733A2 (fr) 2004-10-27

Family

ID=7711448

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20020795216 Withdrawn EP1470733A2 (fr) 2002-01-03 2002-12-17 Procede et systeme d'authentification entre deux unites de communication

Country Status (4)

Country Link
EP (1) EP1470733A2 (fr)
AU (1) AU2002361000A1 (fr)
DE (1) DE10200041B4 (fr)
WO (1) WO2003056863A2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101047641B1 (ko) * 2002-10-07 2011-07-08 텔레폰악티에볼라겟엘엠에릭슨(펍) 보안 장치용 보안 및 프라이버시 강화
US7861097B2 (en) 2002-10-31 2010-12-28 Telefonaktiebolaget Lm Ericsson (Publ) Secure implementation and utilization of device-specific security data
JP4664050B2 (ja) * 2004-07-01 2011-04-06 株式会社エヌ・ティ・ティ・ドコモ 認証ベクトル生成装置、加入者認証モジュール、移動通信システム、認証ベクトル生成方法、演算方法及び加入者認証方法

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6105133A (en) * 1997-03-10 2000-08-15 The Pacid Group Bilateral authentication and encryption system
US5913196A (en) * 1997-11-17 1999-06-15 Talmor; Rita System and method for establishing identity of a speaker
DE19823532C2 (de) * 1998-05-26 2003-08-21 T Mobile Deutschland Gmbh Verfahren zur Steuerung eines Teilnehmeridentitätsmoduls (SIM) in Mobilfunksystemen
FI107486B (fi) * 1999-06-04 2001-08-15 Nokia Networks Oy Autentikaation ja salauksen järjestäminen matkaviestinjärjestelmässä

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03056863A2 *

Also Published As

Publication number Publication date
AU2002361000A1 (en) 2003-07-15
DE10200041B4 (de) 2021-03-25
WO2003056863A2 (fr) 2003-07-10
DE10200041A1 (de) 2003-07-24

Similar Documents

Publication Publication Date Title
DE19823532C2 (de) Verfahren zur Steuerung eines Teilnehmeridentitätsmoduls (SIM) in Mobilfunksystemen
DE69628329T2 (de) Informationskodierungsverfahren
EP2235978B1 (fr) Procédé pour gérer l'autorisation d'accès relative à des téléphones mobiles avec et sans carte sim
EP0440914B1 (fr) Procédé d'allocation de données d'information à un expéditeur particulier
DE69518521T2 (de) Verfahren und einrichtung zur schlüsselumwandlung zur unterscheidung zwischen veschiedenen netzen
EP0995288B1 (fr) Procede et dispositif d'authentification reciproque d'elements constitutifs dans un reseau par procede de defi-reponse
DE102018202176A1 (de) Master-Slave-System zur Kommunikation über eine Bluetooth-Low-Energy-Verbindung
DE4242151C1 (de) Verfahren zur Sicherung eines Mobilfunkgerätes gegen unerlaubte Benutzung
EP1010146A2 (fr) Procede d'authentification mutuelle de deux unites
EP1112666B1 (fr) Procede de renforcement de la securite de procedures d'authentification dans des systemes radiomobiles numeriques
EP1240794B1 (fr) Procédé de codage de données et terminal de télécommunications et carte d'autorisation d'accés
DE10200041B4 (de) Authentifizierungssystem und -verfahren zwischen zwei Kommunikationseinheiten
DE19720719C2 (de) Verbindungsaufbau-Überwachungsvorrichtung
DE102006003167B3 (de) Sichere Echtzeit-Kommunikation
EP1573955B1 (fr) Procede de chiffrement
EP2481183A1 (fr) Procédé pour établir un canal de communication sécurisé
DE60007678T2 (de) Verfahren um einen gesicherten Datenverkehr in einem Rechnernetzwerk zu liefern
DE102005046742B4 (de) Zugangselement und Verfahren zur Zugangskontrolle eines Netzelements
DE10238928A1 (de) Verfahren zur Authentifizierung eines Nutzers eines Kommunikationsendgerätes bei Nutzung eines Dienstnetzes
DE10128300A1 (de) Authentisierungsverfahren
DE102006060042A1 (de) Verfahren und Server zum Bereitstellen eines zweckgebundenen Schlüssels
EP3917069A1 (fr) Procédé de synchronisation d'un vecteur d'initialisation de récepteur avec un vecteur d'initialisation d'émetteur
DE102016120769A1 (de) Datenübertragungsvorrichtung, Verfahren zur Übertragung von Daten mit einer Datenübertragungsvorrichtung und Systemanordnung
WO2016012086A1 (fr) Module d'identité d'abonné avec vérification d'un niveau minimal de sécurité msl
DE3439159A1 (de) Gegen leistungserschleichung gesichertes waehlverfahren

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040702

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO

17Q First examination report despatched

Effective date: 20071025

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20150220

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04Q0007380000

Ipc: H04W0004000000

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04Q0007380000

Ipc: H04W0004000000

Effective date: 20150407