EP1668944A2 - Authentication method in a radiotelephone network - Google Patents
- Publication number
- EP1668944A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication
- entity
- algorithm
- auc
- response
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- the invention relates to an authentication method between a mobile radio terminal and a routing subsystem, generally called a fixed network, in a digital cellular radiotelephone network. More particularly, the invention improves authentication through the radio interface between a microprocessor card or module, known as a SIM (Subscriber Identity Module) smart card, removable from the terminal, and an authentication center of the radiotelephony network.
- a digital cellular radiotelephony network of the GSM type mainly comprises several mobile radiotelephone terminals MS and a fixed network where signaling, control, data and voice messages circulate as described in FIG. 1.
- in the RR network, the main entities represented are those through which data intended for the SIM card of a mobile radiotelephone terminal MS located in a location area pass.
- a mobile service switch MSC connected to at least one autonomous telephone switch CAA of the switched PSTN network manages communications for visiting mobile terminals, including the terminal MS, which are located at a given time in the location area served by the MSC switch.
- a VLR visitor location recorder is connected to the MSC switch and contains characteristics, such as identity and subscription profile of the mobile terminals located in the location area.
- a base station controller BSC connected to the switch MSC manages in particular the allocation of channels to mobile terminals.
- a base station BTS connected to the controller BSC covers the radio cell where the terminal MS is located at the given time.
- the RR radiotelephone network also includes a nominal location register HLR cooperating with an AUC authentication center and connected to the mobile service switches through the signaling network of the RR radiotelephone network.
- the HLR recorder is essentially a database, which contains for each MS terminal the international identity IMSI (International Mobile Subscriber Identity) of the SIM card inserted in the terminal, i.e. the subscriber owning the SIM card, the directory number, the subscriber's subscription profile, and the number of the VLR recorder to which the mobile terminal is attached at a given time. This number is updated during transfers between localization zones.
- the AUC authentication center ensures the authentication of subscribers prior to any communication with the terminal or when the terminal is operational or during an intercellular transfer. It also participates in the confidentiality of the data passing through the radio interface IR between the terminal MS and the base station BTS to which it is attached at a given time.
- the AUC authentication center manages an A3 authentication algorithm and an A8 encryption key determination algorithm, sometimes merged into a single A3A8 algorithm, according to the GSM standard. These algorithms are also present in the SIM card of the mobile terminal MS.
- the AUC authentication center also stores an authentication key Ki allocated only to the subscriber. This key corresponds to the subscriber's IMSI identity stored in the HLR nominal location register when the subscriber subscribes. To be able to recognize the subscriber, it is necessary to authenticate the mobile radiotelephone terminal MS.
- the authentication center does not authenticate the MS mobile terminal itself but the SIM card it contains. This card contains the key Ki assigned to the subscriber and proves by means of the authentication algorithm A3 that it knows the key without revealing it. As described in FIG.
- the fixed network sends a random RAND number to the card and requests it to calculate by means of the authentication algorithm a result depending on the key and the random number.
- This result is returned to the network in the form of a signed SRES response (Signed RESponse).
- the size of the random number prevents an “attacker” from keeping in memory all the values of the signed random number-response pair in a dictionary.
- the new technologies used in recent generations of mobile radiotelephones make it possible to load programs through the radiotelephony network and to execute them.
- a Trojan horse loaded into a subscriber's mobile radio could, for example, allow the subscriber's radiotelephone MS to return a signed response SRES2 not to the radiotelephone network, but to a second mobile radiotelephone MS2 (of a malicious person) in response to a request for authentication issued by this second radiotelephone.
- the second radiotelephone returns the signed response SRES2 (thus recovered) to the radiotelephony network during an authentication request, and the attacker can use the second mobile radio to make communications on behalf of the subscriber.
- an authentication method between a first entity and a second entity in a communication network comprising steps of applying authentication keys stored in the first and second entities respectively and a random number produced by the second entity and transmitted by the second entity to the first entity respectively to identical first algorithms stored in the first and second entities, and of comparing in the second entity a response produced by the first algorithm stored in the first entity and transmitted to the second entity with a response result produced by the first algorithm stored in the second entity, said method being characterized in that the step of applying the random number to the first algorithm is carried out by means of a prior step of transforming said random number to obtain a transformed random number to be applied to said first algorithm, said preliminary transformation step consisting in applying the random number and the response result of the previous authentication to identical second algorithms stored respectively in the first and second entities, and in that said method further comprises the step of storing respectively in the first and second entities the response produced
- the first and second entities are respectively a radiotelephone terminal and a fixed network in a radiotelephone network.
- the step of applying to the second algorithms the random number and the response result of the previous authentication makes it possible to cancel any risk of attack of the “virtual cloning” type of the SIM card as described previously.
- the response result delivered by the subscriber's radiotelephone to the malicious person's radiotelephone will not allow the latter to be authenticated to the network as being a subscriber's radiotelephone.
- the response result delivered by the malicious person's radiotelephone depends on the signed response corresponding to the previous authentication request submitted to the mobile radiotelephone whereas the response result calculated by the authentication center depends on the last response result corresponding to the last authentication of the subscriber by the fixed network.
- the request for authentication of the malicious person's radiotelephone is rejected by the network.
- the invention also relates to an identity module, such as a subscriber identity card, in a first entity, such as a mobile radiotelephone terminal which is characterized in that it comprises means for storing at least a second algorithm, means for memorizing the result of response to the previous authentication and means for executing at least the steps of applying to the second algorithm and to the first algorithm according to the invention.
- FIG. 1 is a schematic block diagram of a digital cellular radiotelephony network
- FIG. 2 shows the steps for authenticating a radiotelephone according to the prior art
- FIG. 3 shows the steps allowing an “attacker” to virtually clone the identity card of a subscriber
- FIG. 4 shows steps of an authentication method according to the invention
- FIG. 5 shows the failure of an attack of the “virtual cloning” type by the implementation of the authentication method according to the invention.
- a VLR / HLR-AUC fixed network is considered to be the chain of entities attached to the mobile radio terminal MS from the IR radio interface, comprising the base station BTS, the station controller BSC, the MSC switch with the VLR visitor location recorder and the HLR-AUC pair.
- a mobile radiotelephone terminal MS comprises a microprocessor module, such as a SIM chip card.
- the SIM smart card essentially comprises a ROM read-only memory, known as a program memory, generally including an operating system and application algorithms; a non-volatile EEPROM memory, which contains in particular all the data characterizing the subscription of the card holder, a directory of telephone numbers, secret codes or authentication keys, or even programs and algorithms; and a RAM memory for processing data used by the operating system, in particular during exchanges between the card and the mobile radiotelephone terminal which hosts it.
- FIG. 2 illustrates the main steps of the authentication method between a mobile radiotelephone terminal MS and a fixed network as it operates today.
- the VLR / HLR-AUC radiotelephone network transmits an authentication request E12 to the mobile radiotelephone terminal in response to the transmission E11 by the mobile radiotelephone MS of the IMSI identity of the subscriber.
- the request for authentication is accompanied by a transmission of a random RAND number from the fixed network to the mobile radiotelephone terminal MS.
- the latter commands the SIM card to generate a signed response SRES to the request for authentication of the fixed network.
- this response is developed using the authentication algorithm AA, to which the authentication key Ki and the random number RAND transmitted by the fixed network are applied.
- the Ki key is previously stored in the smart card and assigned when the subscription is taken out.
- the terminal collects the SRES response generated by the card and transmits it in E15 in turn to the fixed network.
- the fixed network VLR / HLR-AUC prepares an RSRES response result using an algorithm AA, the key Ki, stored in the authentication center AUC in correspondence with the IMSI of the subscriber.
- the response result RSRES is compared by the authentication center AUC to the signed response SRES returned by the mobile radiotelephone terminal MS. If the RSRES response result corresponds to the signed SRES response, the subscriber's authentication request is satisfied and the subscriber can use his terminal to communicate. Otherwise, the request for authentication fails and the subscriber cannot use his mobile radio.
- FIG. 3 depicts an attack of the “virtual cloning” type of the SIM card of a subscriber.
- the new technologies employed in mobile radiotelephones make it possible to download programs into radiotelephones via the radiotelephony network.
- A malicious person, or “attacker”, wants to be able to communicate using a second mobile radiotelephone MS2 on the account of a subscriber without the subscriber's knowledge.
- by means of a Trojan horse downloaded into a subscriber's radiotelephone MS, the malicious person makes the subscriber's radiotelephone capable of responding to an authentication request originating not from the network but from a second mobile radiotelephone.
- the mobile radiotelephone MS of a subscriber is legitimately authenticated, in accordance with steps E111 to E117
- the second mobile radiotelephone MS2 requests authentication E121 from the fixed network VLR2 / HLR-AUC on behalf of the subscriber.
- the second mobile radio MS2 communicates the IMSI of the subscriber to said fixed network VLR2 / HLR-AUC which in return requests it to authenticate itself by transmitting to it a random number RAND2 in step E122.
- the malicious person's radiotelephone MS2 submits an authentication request E123 to the first mobile radiotelephone MS, communicating to it the random number RAND2, transmitted beforehand by the fixed network.
- the mobile radio MS of the subscriber requests the SIM card to generate at step E124 a signed response SRES2 using the authentication algorithm AA of the SIM card, with the key Ki stored in the SIM card and the random number RAND2 as inputs.
- the radiotelephone collects in step E125 the response SRES2 and transmits it in step E126 in turn to the mobile radiotelephone MS2 of the malicious person.
- the latter returns to the fixed network VLR2 / HLR-AUC the signed response SRES2 in step E127.
- the fixed network VLR2 / HLR-AUC generates in step E131 the response result RSRES2 by applying within the authentication center AUC to the authentication algorithm AA the random number RAND2 and the authentication key Ki of the subscriber.
- the RSRES2 response result is equivalent to the signed SRES2 response.
- the fixed network therefore authenticates the second mobile radiotelephone MS2 as being the property of the subscriber in step E132. The attacker can thus use his radiotelephone and communicate on the subscriber’s account.
- FIG. 4 describes an authentication method according to the invention in which after reception E21 of the IMSI of a subscriber by the fixed network VLR / HLR-AUC, the latter submits an authentication request E22 to the mobile radiotelephone MS.
- Said radiotelephone requests, in step E23, the SIM card to calculate a signed response on the basis of the authentication key Ki stored in the SIM card and the random number RANDn.
- the SIM card applies, in step E24, to a second algorithm, the transformation algorithm AT stored in the SIM card, the random number RANDn and the signed response SRESn-1 corresponding to the previous request for authentication of the MS mobile radio.
- the result TRANDn from the transformation of the random number RANDn is applied, in step E25, to the authentication algorithm AA stored in the SIM card.
- the response thus calculated SRESn is stored (step not shown in FIG. 4) in the SIM card to be used during the next authentication.
- Said response SRESn is returned to the fixed network VLR / HLR-AUC by the mobile radiotelephone MS in step E26.
- the fixed network VLR / HLR-AUC calculates, in step E28, a response result RSRESn using the AA authentication algorithm stored in the AUC authentication center, to which are applied the key Ki of the subscriber and the random number TRANDn resulting from a transformation algorithm AT, also stored in the authentication center AUC, to which are applied the number RANDn transmitted to the mobile radio in step E22, and the response result RSRESn-1 corresponding to the previous request for authentication.
- the new response result thus calculated is stored (step not shown in FIG. 4) in the AUC authentication center to be used during the next authentication.
- AUC Authentication Center compares in step E29, said response result RSRESn to the signed response SRESn transmitted by the mobile radiotelephone MS in step E26. If the result RSRESn corresponds to the signed response SRESn, the authentication of the subscriber is satisfied and the subscriber can use the mobile radiotelephone MS to communicate. Otherwise, authentication fails and the subscriber cannot communicate with his mobile radio. In the case of a first authentication, it is not possible to use respectively the response and the response result of the previous authentication. A number whose value is established by convention is then applied to the transformation algorithm together with the random number. In a preferred variant the value of this number is zero.
- the SIM card can for example use the value of the random number which is transmitted to it via the radiotelephone terminal MS by the fixed network VLR / HLR-AUC.
- the null value of the most significant bit of the random number can indicate that it is a first authentication.
- a non-zero value of said most significant bit indicates to the SIM card that it is at least a second authentication.
- Other configurations or technical solutions can also be used to deal with the specific case of a first authentication.
- the nature of the AT transformation algorithm can have an influence on the robustness of the authentication method according to the invention.
- the transformation algorithm will preferably be carried out by means of a so-called one-way function.
- the use of a so-called collisionless function to carry out the AT transformation algorithm should preferably be considered.
- Such a function does not make it easy to find couples (RAND1, SRES1) and (RAND2, SRES2) such that
- the transformation algorithm AT is carried out using a hash function which satisfies both the properties of a one-way function and of a collision-free function.
- the hash function corresponds to the SHA-1 algorithm (Secure Hash Algorithm - version 1) defined by the FIPS standard (Federal Information
- the 128 most significant bits could be kept to conform to the specifications of the algorithm.
- said radiotelephone MS accepts an authentication request E223 from the subscriber from the second mobile radiotelephone MS2 with as data a random number RANDm transmitted by the fixed network in step E222 to the mobile radiotelephone MS2.
- the subscriber's radiotelephone requests, in step E224, the subscriber's SIM card to generate a signed response SRESm.
- the SIM card applies, in step E225, the random number RANDm and the signed response SRESn corresponding to the previous authentication to the transformation algorithm AT.
- the number TRANDm thus obtained and the authentication key Ki are applied, in step E226, to the authentication algorithm AA of the SIM card to develop the signed response SRESm.
- the subscriber's mobile radiotelephone MS returns, in step E227, said signed response to the second mobile radiotelephone, which is transmitted, in step E228, to the fixed network VLR2 / HLR-AUC.
- the fixed network works out by the authentication center AUC, in step E231, the response result RSRESm to be compared, in step E233 with the signed response SRESm.
- the response result RSRESm is obtained following step E232 consisting in applying to the transformation algorithm AT stored in the authentication center AUC, the random number RANDm and the response result RSRESm-1 stored in said authentication center following the previous request for legal authentication of the subscriber.
- the number TRANDm thus obtained is applied, in step E231, with the authentication key Ki of the subscriber to the authentication algorithm AA stored in the authentication center AUC.
- the response result obtained is compared, in step E233, with the signed response SRESm transmitted by the second mobile radiotelephone MS2.
- the comparison obviously fails and the attacker cannot communicate on the subscriber's account.
- the authentication method according to the invention thus perfectly defeats the so-called “virtual cloning” attack on the subscriber's SIM card.
- the authentication method according to the invention can be implemented in a telecommunications network in relation to two entities, one of which needs to authenticate the other, each entity being able to be a set of predetermined and linked entities.
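
The chained challenge-response of FIG. 4 (steps E22 to E29), as an added example that is not code from the patent. AT is SHA-1 over RAND followed by the previous response, keeping the 128 most significant bits, and the first authentication uses the conventional value zero. Assumptions: the HMAC-SHA-256 stand-in for AA, the concatenation order, the 4-byte response length, and the constructed key and challenges.

```python
import hashlib
import hmac
import secrets

RAND_LEN = 16                 # GSM RAND is 128 bits
SRES_LEN = 4                  # GSM SRES is 32 bits (assumed response length)
FIRST_PREV = bytes(SRES_LEN)  # conventional value for a first authentication: zero


def at_transform(rand: bytes, prev_response: bytes) -> bytes:
    """AT: SHA-1 over RAND || previous response, 128 most significant bits kept.
    The concatenation order is an assumption of this example."""
    return hashlib.sha1(rand + prev_response).digest()[:16]


def aa_response(ki: bytes, trand: bytes) -> bytes:
    """Stand-in for AA (A3): truncated HMAC-SHA-256. Not a GSM algorithm."""
    return hmac.new(ki, trand, hashlib.sha256).digest()[:SRES_LEN]


class Sim:
    """Card side: holds Ki and the previous signed response SRESn-1."""

    def __init__(self, ki: bytes):
        self._ki, self._prev = ki, FIRST_PREV

    def respond(self, rand: bytes) -> bytes:
        sres = aa_response(self._ki, at_transform(rand, self._prev))  # E24, E25
        self._prev = sres  # kept for the next authentication
        return sres


class AuthCentre:
    """Network side: holds Ki and the previous response result RSRESn-1."""

    def __init__(self, ki: bytes):
        self._ki, self._prev = ki, FIRST_PREV

    def challenge(self) -> bytes:
        return secrets.token_bytes(RAND_LEN)

    def verify(self, rand: bytes, sres: bytes) -> bool:
        rsres = aa_response(self._ki, at_transform(rand, self._prev))  # E28
        self._prev = rsres  # stored once calculated, as the description states
        return hmac.compare_digest(rsres, sres)  # E29


def authenticate(sim: Sim, auc: AuthCentre, rand: bytes = None) -> bool:
    """One full exchange; a fixed rand may be passed for reproducible runs."""
    rand = auc.challenge() if rand is None else rand
    return auc.verify(rand, sim.respond(rand))


def demo():
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    rands = [bytes([i]) * RAND_LEN for i in range(1, 6)]    # constructed challenges
    sim, auc = Sim(ki), AuthCentre(ki)
    # Three exchanges in which both sides store the same previous value.
    in_sync = [authenticate(sim, auc, r) for r in rands[:3]]
    # The card answers a challenge the centre never checked: the card's stored
    # SRES and the centre's stored RSRES now differ.
    sim.respond(rands[3])
    diverged = authenticate(sim, auc, rands[4])
    return in_sync, diverged


if __name__ == "__main__":
    print(demo())
```

A response is accepted only while the card's stored previous response equals the centre's stored previous result. Any response the card computes that the centre does not check leaves the two out of step, and the text describes no resynchronisation step.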
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0350638A FR2860672B1 (fr) | 2003-10-02 | 2003-10-02 | Procede d'authentification dans un reseau de radiotelephone |
PCT/EP2004/052394 WO2005032195A2 (fr) | 2003-10-02 | 2004-10-01 | Procede d'authentification dans un reseau de radiotelephonie |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1668944A2 true EP1668944A2 (fr) | 2006-06-14 |
Family
ID=34307559
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04766873A Withdrawn EP1668944A2 (fr) | 2003-10-02 | 2004-10-01 | Procede d authentification dans un reseau de radiotelephonie |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1668944A2 (zh) |
CN (1) | CN1890919A (zh) |
FR (1) | FR2860672B1 (zh) |
WO (1) | WO2005032195A2 (zh) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11483709B2 (en) | 2019-03-14 | 2022-10-25 | At&T Intellectual Property I, L.P. | Authentication technique to counter subscriber identity module swapping fraud attack |
CN111107597B (zh) * | 2019-12-28 | 2022-06-14 | 深圳市新国都通信技术有限公司 | 一种通讯模组网络的可靠切换方法和装置 |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FI20000760A0 (fi) * | 2000-03-31 | 2000-03-31 | Nokia Corp | Autentikointi pakettidataverkossa |
-
2003
- 2003-10-02 FR FR0350638A patent/FR2860672B1/fr not_active Expired - Fee Related
-
2004
- 2004-10-01 CN CNA2004800359339A patent/CN1890919A/zh active Pending
- 2004-10-01 WO PCT/EP2004/052394 patent/WO2005032195A2/fr active Application Filing
- 2004-10-01 EP EP04766873A patent/EP1668944A2/fr not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO2005032195A2 * |
Also Published As
Publication number | Publication date |
---|---|
FR2860672A1 (fr) | 2005-04-08 |
WO2005032195A2 (fr) | 2005-04-07 |
CN1890919A (zh) | 2007-01-03 |
WO2005032195A3 (fr) | 2006-04-20 |
FR2860672B1 (fr) | 2006-05-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1601225B1 (fr) | Procédé et systéme de duplication sécurisée des informations d'une carte SIM | |
EP1550289B1 (en) | Contact validation and trusted contact updating in mobile wireless communications devices | |
US8116733B2 (en) | Method and apparatus for a wireless mobile device with SIM challenge modification capability | |
EP1001570A2 (en) | Efficient authentication with key update | |
EP1157575B1 (fr) | Authentification dans un reseau de radiotelephonie | |
WO2004030394A1 (fr) | Identification d'un terminal aupres d'un serveur | |
JP2002537739A (ja) | 安全なハンドオーバーの方法 | |
FR2662877A1 (fr) | Installation telephonique pour le chargement a distance de donnees d'abonnement telephonique d'une station autonome. | |
JPH11513853A (ja) | 移動通信システムにおける加入者確証 | |
CA2289452A1 (en) | Initial secret key establishment including facilities for verification of identity | |
JP2003503896A (ja) | エンティティの認証と暗号化キー生成の機密保護されたリンクのための方法と構成 | |
JP2002502204A (ja) | 電気通信システムにおけるメッセージの処理のための手順、およびシステム | |
FR3057132A1 (fr) | Procede d'authentification mutuelle entre un equipement utilisateur et un reseau de communication | |
WO2009115755A2 (fr) | Procédé d'authentification, système d'authentification, terminal serveur, terminal client et programmes d'ordinateur correspondants | |
EP1668944A2 (fr) | Procede d authentification dans un reseau de radiotelephonie | |
WO2003041022A1 (fr) | Procede de transaction securisee entre un telephone mobile equipe d'un module d'identification d'abonne (carte sim) et un serveur d'application | |
WO2001093528A2 (fr) | Procede de communication securisee entre un reseau et une carte a puce d'un terminal | |
FR3111038A1 (fr) | Traitements cryptographiques pour chiffrer ou déchiffrer des données | |
WO2003079714A1 (fr) | Procede d'echange d'informations d'authentification entre une entite de communciation et un serveur-operateur | |
EP1321005B1 (fr) | Procede d'implantation d'informations sur un identifiant | |
EP2735196B1 (fr) | Procédé d'inhibition d'une communication d'un équipement avec un réseau | |
EP1605716A1 (en) | Method and device to authenticate customers in a mobile phone network | |
EP1883199B1 (fr) | Procédé de contrôle de l'accès d'une station mobile à une station de base | |
FR2838586A1 (fr) | Procede pour securiser une liaison entre un terminal de donnees et un reseau local informatique, et terminal de donnees pour la mise en oeuvre de ce procede | |
FR2844409A1 (fr) | Protection d'une cle secrete pour algorithme d'authentification dans un radiotelephone mobile |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL HR LT LV MK |
|
17P | Request for examination filed |
Effective date: 20060321 |
|
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: GEMALTO SA |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20120502 |