EP1668944A2 - Authentication method in a radiotelephony network - Google Patents

Authentication method in a radiotelephony network

Info

Publication number
EP1668944A2
EP1668944A2 EP04766873A EP04766873A EP1668944A2 EP 1668944 A2 EP1668944 A2 EP 1668944A2 EP 04766873 A EP04766873 A EP 04766873A EP 04766873 A EP04766873 A EP 04766873A EP 1668944 A2 EP1668944 A2 EP 1668944A2
Authority
EP
European Patent Office
Prior art keywords
authentication
entity
algorithm
auc
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP04766873A
Other languages
German (de)
English (en)
French (fr)
Inventor
Pierre Girard
Carine Boursier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS France SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemplus Card International SA, Gemplus SA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/062 Pre-authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the invention relates to an authentication method between a mobile radio terminal and a routing subsystem, generally called a fixed network, in a digital cellular radiotelephone network. More particularly, the invention improves authentication through the radio interface between a microprocessor card or module, known as a SIM (Subscriber Identity Module) smart card, removable from the terminal, and an authentication center of the radiotelephony network.
  • SIM Subscriber Identity Module
  • a digital cellular radiotelephony network of the GSM type mainly comprises several mobile radiotelephone terminals MS and a fixed network where signaling, control, data and voice messages circulate as described in FIG. 1.
  • in the RR network, the main entities are represented through which data intended for the SIM card of a mobile radiotelephone terminal MS located in a location area pass.
  • a mobile service switch MSC connected to at least one autonomous telephone switch CAA of the switched PSTN network manages communications for visiting mobile terminals, including the terminal MS, which are located at a given time in the location area served by the MSC switch.
  • a VLR visitor location recorder is connected to the MSC switch and contains characteristics, such as identity and subscription profile of the mobile terminals located in the location area.
  • a base station controller BSC connected to the switch MSC manages in particular the allocation of channels to mobile terminals.
  • a base station BTS connected to the controller BSC covers the radio cell where the terminal MS is located at the given time.
  • the RR radiotelephone network also includes a nominal location register HLR cooperating with an AUC authentication center and connected to the mobile service switches through the signaling network of the RR radiotelephone network.
  • the HLR recorder is essentially a database, which contains for each MS terminal the international identity IMSI (International Mobile Subscriber Identity) of the SIM card inserted in the terminal, i.e. the subscriber owning the SIM card, the directory number, the subscriber's subscription profile, and the number of the VLR recorder to which the mobile terminal is attached at a given time. This number is updated during transfers between localization zones.
  • IMSI International Mobile Subscriber Identity
  • the AUC authentication center ensures the authentication of subscribers prior to any communication with the terminal or when the terminal is operational or during an intercellular transfer. It also participates in the confidentiality of the data passing through the radio interface IR between the terminal MS and the base station BTS to which it is attached at a given time.
  • the AUC authentication center manages an A3 authentication algorithm and an A8 encryption key determination algorithm, sometimes merged into a single A3A8 algorithm, according to the GSM standard. These algorithms are also present in the SIM card of the mobile terminal MS.
  • the AUC authentication center also stores an authentication key Ki allocated only to the subscriber. This key corresponds to the subscriber's IMSI identity stored in the HLR nominal location register when the subscriber subscribes. To be able to recognize the subscriber, it is necessary to authenticate the mobile radiotelephone terminal MS.
  • the authentication center does not authenticate the MS mobile terminal itself but the SIM card it contains. This card contains the key Ki assigned to the subscriber and proves by means of the authentication algorithm A3 that it knows the key without revealing it. As described in FIG.
  • the fixed network sends a random RAND number to the card and requests it to calculate by means of the authentication algorithm a result depending on the key and the random number.
  • This result is returned to the network in the form of a signed SRES response (Signed RESponse).
  • SRES response Signed RESponse
  • the size of the random number prevents an “attacker” from keeping in memory all the values of the signed random number-response pair in a dictionary.
  • the new technologies used in recent generations of mobile radiotelephones make it possible to load programs through the radiotelephony network and to execute them.
  • a Trojan horse loaded into a subscriber's mobile radio could, for example, allow the subscriber's radiotelephone MS to return a signed response SRES2 not to the radiotelephone network, but to a second mobile radiotelephone MS2 (of a malicious person) in response to a request for authentication issued by this second radiotelephone.
  • the second radiotelephone returns the signed response SRES2 (thus recovered) to the radiotelephony network during an authentication request, and the attacker can use the second mobile radio to make communications on behalf of the subscriber.
  • an authentication method between a first entity and a second entity in a communication network comprising steps of applying authentication keys stored in the first and second entities respectively, and a random number produced by the second entity and transmitted by the second entity to the first entity, respectively to first identical algorithms stored in the first and second entities, and comparing in the second entity a response produced by the first algorithm stored in the first entity and transmitted to the second entity with a response result produced by the first algorithm stored in the second entity; said method is characterized in that the step of applying the random number to the first algorithm is carried out by means of a prior step of transforming said random number to obtain a transformed random number to be applied to said first algorithm, said preliminary transformation step consisting in applying the random number and the response result of the previous authentication to identical second algorithms stored respectively in the first and second entities, and in that said method further comprises the step of storing respectively in the first and second entities the response produced
  • the first and second entities are respectively a radiotelephone terminal and a fixed network in a radiotelephone network.
  • the step of applying to the second algorithms the random number and the response result of the previous authentication makes it possible to cancel any risk of attack of the “virtual cloning” type of the SIM card as described previously.
  • the response result delivered by the subscriber's radiotelephone to the malicious person's radiotelephone will not allow the latter to be authenticated to the network as being a subscriber's radiotelephone.
  • the response result delivered by the malicious person's radiotelephone depends on the signed response corresponding to the previous authentication request submitted to the mobile radiotelephone whereas the response result calculated by the authentication center depends on the last response result corresponding to the last authentication of the subscriber by the fixed network.
  • the request for authentication of the malicious person's radiotelephone is rejected by the network.
  • the invention also relates to an identity module, such as a subscriber identity card, in a first entity, such as a mobile radiotelephone terminal which is characterized in that it comprises means for storing at least a second algorithm, means for memorizing the result of response to the previous authentication and means for executing at least the steps of applying to the second algorithm and to the first algorithm according to the invention.
  • an identity module such as a subscriber identity card
  • FIG. 1 is a schematic block diagram of a digital cellular radiotelephony network
  • FIG. 2 shows the steps for authenticating a radiotelephone according to the prior art
  • FIG. 3 shows the steps allowing an “attacker” to virtually clone the identity card of a subscriber
  • FIG. 4 shows steps of an authentication method according to the invention
  • FIG. 5 shows the failure of an attack of the “virtual cloning” type by the implementation of the authentication method according to the invention.
  • a VLR / HLR-AUC fixed network is considered to be the chain of entities attached to the mobile radio terminal MS from the IR radio interface, comprising the base station BTS, the station controller BTS, the MSC switch with the VLR visitor location recorder and the HLR-AUC pair.
  • a mobile radiotelephone terminal MS comprises a microprocessor module, such as a SIM chip card.
  • the SIM smart card essentially comprises a ROM read-only memory, known as a program memory, generally including an operating system and application algorithms; a non-volatile EEPROM memory which contains in particular all the data characterizing the subscription of the card holder, a directory of telephone numbers, secret codes or authentication keys or even programs and algorithms; and a RAM memory for processing data used by the operating system, in particular during exchanges between the card and the mobile radiotelephone terminal which hosts it.
  • FIG. 2 illustrates the main steps of the authentication method between a mobile radiotelephone terminal MS and a fixed network as it operates today.
  • the VLR / HLR-AUC radiotelephone network transmits an authentication request E12 to the mobile radiotelephone terminal in response to the transmission E11 by the mobile radiotelephone MS of the subscriber's IMSI identity.
  • the request for authentication is accompanied by a transmission of a random RAND number from the fixed network to the mobile radiotelephone terminal MS.
  • the latter commands the SIM card to generate a signed response SRES to the request for authentication of the fixed network.
  • this response is developed using the authentication algorithm AA, to which are applied the authentication key Ki and the random number RAND transmitted by the fixed network.
  • the Ki key is previously stored in the smart card and assigned when the subscription is taken out.
  • the terminal collects the SRES response generated by the card and transmits it in E15 in turn to the fixed network.
  • the fixed network VLR / HLR-AUC prepares a response result RSRES using an algorithm AA and the key Ki stored in the authentication center AUC in correspondence with the IMSI of the subscriber.
  • the response result RSRES is compared by the authentication center AUC to the signed response SRES returned by the mobile radiotelephone terminal MS. If the RSRES response result corresponds to the signed SRES response, the subscriber's authentication request is satisfied and the subscriber can use his terminal to communicate. Otherwise, the request for authentication fails and the subscriber cannot use his mobile radio.
  • FIG. 3 depicts an attack of the “virtual cloning” type of the SIM card of a subscriber.
  • the new technologies employed in mobile radiotelephones make it possible to download programs into radiotelephones via the radiotelephony network.
  • An “attacker” wants to be able to communicate using a second MS2 mobile radio on the account of a subscriber without the subscriber's knowledge.
  • by means of a Trojan horse downloaded into a subscriber's radiotelephone MS, the malicious person makes the subscriber's radiotelephone capable of responding to an authentication request originating not from the network but from a second mobile radiotelephone.
  • the mobile radiotelephone MS of a subscriber is legitimately authenticated, in accordance with steps E111 to E117.
  • the second mobile radiotelephone MS2 requests authentication E121 from the fixed network VLR2 / HLR-AUC on behalf of the subscriber.
  • the second mobile radio MS2 communicates the IMSI of the subscriber to said fixed network VLR2 / HLR-AUC which in return requests it to authenticate itself by transmitting to it a random number RAND2 in step E122.
  • the malicious person's radiotelephone MS2 submits an authentication request E123 to the first mobile radiotelephone MS, communicating to it the random number RAND2, transmitted beforehand by the fixed network.
  • the mobile radio MS of the subscriber requests the SIM card to generate at step E124 a signed response SRES2 using the authentication algorithm AA of the SIM card, with the key Ki stored in the SIM card and the random number RAND2 as inputs.
  • the radiotelephone collects in step E125 the response SRES2 and transmits it in step E126 in turn to the mobile radiotelephone MS2 of the malicious person.
  • the latter returns to the fixed network VLR2 / HLR-AUC the signed response SRES2 in step E127.
  • the fixed network VLR2 / HLR-AUC generates in step E131 the response result RSRES2 by applying, within the authentication center AUC, the random number RAND2 and the authentication key Ki of the subscriber to the authentication algorithm AA.
  • the RSRES2 response result is equivalent to the signed SRES2 response.
  • the fixed network therefore authenticates the second mobile radiotelephone MS2 as being the property of the subscriber in step E132. The attacker can thus use his radiotelephone and communicate on the subscriber’s account.
  • FIG. 4 describes an authentication method according to the invention in which after reception E21 of the IMSI of a subscriber by the fixed network VLR / HLR-AUC, the latter submits an authentication request E22 to the mobile radiotelephone MS.
  • Said radiotelephone requests, in step E23, the SIM card to calculate a signed response on the basis of the authentication key Ki stored in the SIM card and the random number RANDn.
  • the SIM card applies, in step E24, to a second algorithm, the transformation algorithm AT stored in the SIM card, the random number RANDn and the signed response SRESn-1 corresponding to the previous request for authentication of the MS mobile radio.
  • the result TRANDn from the transformation of the random number RANDn is applied, in step E25, to the authentication algorithm AA stored in the SIM card.
  • the response thus calculated SRESn is stored (step not shown in FIG. 4) in the SIM card to be used during the next authentication.
  • Said response SRESn is returned to the fixed network VLR / HLR-AUC by the mobile radiotelephone MS in step E26.
  • the fixed network VLR / HLR-AUC calculates, in step E28, a response result RSRESn using the AA authentication algorithm stored in the AUC authentication center, to which are applied the key Ki of the subscriber and the random number TRANDn. TRANDn results from a transformation algorithm AT, also stored in the authentication center AUC, to which are applied the number RANDn transmitted to the mobile radio in step E22 and the response result RSRESn-1 corresponding to the previous request for authentication.
  • the new response result thus calculated is stored (step not shown in FIG. 4) in the AUC authentication center to be used during the next authentication.
  • the AUC authentication center compares, in step E29, said response result RSRESn to the signed response SRESn transmitted by the mobile radiotelephone MS in step E26. If the result RSRESn corresponds to the signed response SRESn, the authentication of the subscriber is satisfied and the subscriber can use the mobile radiotelephone MS to communicate. Otherwise, authentication fails and the subscriber cannot communicate with his mobile radio. In the case of a first authentication, it is not possible to use respectively the response and the response result of the previous authentication. A number whose value is established by convention is then applied to the transformation algorithm together with the random number. In a preferred variant the value of this number is zero.
  • the SIM card can for example use the value of the random number which is transmitted to it via the radiotelephone terminal MS by the fixed network VLR / HLR-AUC.
  • the null value of the most significant bit of the random number can indicate that it is a first authentication.
  • a non-zero value of said most significant bit indicates to the SIM card that it is at least a second authentication.
  • Other configurations or technical solutions can also be used to deal with the specific case of a first authentication.
  • the nature of the AT transformation algorithm can have an influence on the robustness of the authentication method according to the invention.
  • the transformation algorithm will preferably be carried out by means of a so-called one-way function.
  • the use of a so-called collisionless function to carry out the AT transformation algorithm should preferably be considered.
  • Such a function does not make it easy to find couples (RAND1, SRES1) and (RAND2, SRES2) such that
  • the transformation algorithm AT is carried out using a hash function which satisfies both the properties of a one-way function and of a collision-free function.
  • the hash function corresponds to the SHA-1 algorithm (Secure Hash Algorithm - version 1) defined by the FIPS standard (Federal Information
  • the 128 most significant bits could be kept to conform to the specifications of the algorithm.
  • said radiotelephone MS accepts an authentication request E223 from the subscriber from the second mobile radiotelephone MS2 with as data a random number RANDm transmitted by the fixed network in step E222 to the mobile radiotelephone MS2.
  • the subscriber's radiotelephone requests, in step E224, the subscriber's SIM card to generate a signed response SRESm.
  • the SIM card applies, in step E225, the random number RANDm and the signed response SRESn corresponding to the previous authentication to the transformation algorithm AT.
  • the number TRANDm thus obtained and the authentication key Ki are applied, in step E226, to the authentication algorithm AA of the SIM card to develop the signed response SRESm.
  • the subscriber's mobile radiotelephone MS returns, in step E227, said signed response to the second mobile radiotelephone, which is transmitted, in step E228, to the fixed network VLR2 / HLR-AUC.
  • the fixed network, by means of the authentication center AUC, works out in step E231 the response result RSRESm to be compared, in step E233, with the signed response SRESm.
  • the response result RSRESm is obtained following step E232 consisting in applying to the transformation algorithm AT stored in the authentication center AUC, the random number RANDm and the response result RSRESm-1 stored in said authentication center following the previous request for legal authentication of the subscriber.
  • the number TRANDm thus obtained is applied, in step E231, with the authentication key Ki of the subscriber to the authentication algorithm AA stored in the authentication center AUC.
  • the response result obtained is compared, in step E233, with the signed response SRESm transmitted by the second mobile radiotelephone MS2.
  • the comparison obviously fails and the attacker cannot communicate on the subscriber's account.
  • the authentication method according to the invention thus perfectly defeats the so-called “virtual cloning” attack on the subscriber's SIM card.
  • the authentication method according to the invention can be implemented in a telecommunications network in relation to two entities, one of which needs to authenticate the other, each entity being able to be a set of predetermined and linked entities.
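
The chained challenge-response of FIG. 4, as an added example that is not part of the patent text: it shows that the AUC's comparison succeeds only while both sides hold the same previous response. AT is SHA-1 truncated to its 128 most significant bits as the description suggests; `aa_stand_in` (HMAC-SHA-256 truncated to 32 bits), the class names, the key and the RAND values are assumptions constructed for illustration, since the page does not specify AA.

```python
import hashlib
import hmac

# Value applied to AT for a first authentication; zero in the preferred variant.
FIRST_AUTH_PREV = bytes(4)


def at_transform(rand: bytes, prev_response: bytes) -> bytes:
    """AT: SHA-1 over RAND || previous response, keeping the 128 most significant bits."""
    return hashlib.sha1(rand + prev_response).digest()[:16]


def aa_stand_in(ki: bytes, trand: bytes) -> bytes:
    """Assumed stand-in for the authentication algorithm AA, which the page does not define."""
    return hmac.new(ki, trand, hashlib.sha256).digest()[:4]


class ChainedEntity:
    """Holds Ki and the response of the previous authentication (SIM side)."""

    def __init__(self, ki: bytes, prev: bytes = FIRST_AUTH_PREV):
        self.ki = ki
        self.prev = prev

    def respond(self, rand: bytes) -> bytes:
        trand = at_transform(rand, self.prev)     # step E24: TRANDn = AT(RANDn, SRESn-1)
        response = aa_stand_in(self.ki, trand)    # step E25: SRESn = AA(Ki, TRANDn)
        self.prev = response                      # stored for the next authentication
        return response


class AuthCenter(ChainedEntity):
    """AUC side: same chain, plus the comparison of step E29."""

    def verify(self, rand: bytes, sres: bytes) -> bool:
        # The calculated result is stored as the page describes. The page does
        # not say what happens after a failed comparison (assumption: stored anyway).
        rsres = self.respond(rand)
        return hmac.compare_digest(rsres, sres)


def run_demo() -> list:
    # Constructed sample values, not taken from the page.
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    rand1 = bytes.fromhex("0f" * 16)
    rand2 = bytes.fromhex("a5" * 16)
    rand3 = bytes.fromhex("3c" * 16)

    sim = ChainedEntity(ki)
    auc = AuthCenter(ki)
    results = []

    # First authentication: both sides start from the conventional value.
    sres1 = sim.respond(rand1)
    results.append(auc.verify(rand1, sres1))

    # Second authentication: both sides chain on the stored SRES1 / RSRES1.
    results.append(auc.verify(rand2, sim.respond(rand2)))

    # A party that knows Ki but holds an out-of-date previous response (SRES1
    # instead of SRES2) derives a different TRAND, so the comparison fails.
    stale = ChainedEntity(ki, prev=sres1)
    results.append(auc.verify(rand3, stale.respond(rand3)))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because each side overwrites its stored response on every computation, the two chains must advance together; the description leaves recovery from a mismatch unspecified.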

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
EP04766873A 2003-10-02 2004-10-01 Procede d authentification dans un reseau de radiotelephonie Withdrawn EP1668944A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0350638A FR2860672B1 (fr) 2003-10-02 2003-10-02 Procede d'authentification dans un reseau de radiotelephone
PCT/EP2004/052394 WO2005032195A2 (fr) 2003-10-02 2004-10-01 Procede d'authentification dans un reseau de radiotelephonie

Publications (1)

Publication Number Publication Date
EP1668944A2 (fr) 2006-06-14

Family

ID=34307559

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04766873A Withdrawn EP1668944A2 (fr) 2003-10-02 2004-10-01 Procede d authentification dans un reseau de radiotelephonie

Country Status (4)

Country Link
EP (1) EP1668944A2 (zh)
CN (1) CN1890919A (zh)
FR (1) FR2860672B1 (zh)
WO (1) WO2005032195A2 (zh)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11483709B2 (en) 2019-03-14 2022-10-25 At&T Intellectual Property I, L.P. Authentication technique to counter subscriber identity module swapping fraud attack
CN111107597B (zh) * 2019-12-28 2022-06-14 深圳市新国都通信技术有限公司 一种通讯模组网络的可靠切换方法和装置

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
FI20000760A0 (fi) * 2000-03-31 2000-03-31 Nokia Corp Autentikointi pakettidataverkossa

Non-Patent Citations (1)

Title
See references of WO2005032195A2 *

Also Published As

Publication number Publication date
FR2860672A1 (fr) 2005-04-08
WO2005032195A2 (fr) 2005-04-07
CN1890919A (zh) 2007-01-03
WO2005032195A3 (fr) 2006-04-20
FR2860672B1 (fr) 2006-05-19

Similar Documents

Publication Publication Date Title
EP1601225B1 (fr) Procédé et systéme de duplication sécurisée des informations d'une carte SIM
EP1550289B1 (en) Contact validation and trusted contact updating in mobile wireless communications devices
US8116733B2 (en) Method and apparatus for a wireless mobile device with SIM challenge modification capability
EP1001570A2 (en) Efficient authentication with key update
EP1157575B1 (fr) Authentification dans un reseau de radiotelephonie
WO2004030394A1 (fr) Identification d'un terminal aupres d'un serveur
JP2002537739A (ja) 安全なハンドオーバーの方法
FR2662877A1 (fr) Installation telephonique pour le chargement a distance de donnees d'abonnement telephonique d'une station autonome.
JPH11513853A (ja) 移動通信システムにおける加入者確証
CA2289452A1 (en) Initial secret key establishment including facilities for verification of identity
JP2003503896A (ja) エンティティの認証と暗号化キー生成の機密保護されたリンクのための方法と構成
JP2002502204A (ja) 電気通信システムにおけるメッセージの処理のための手順、およびシステム
FR3057132A1 (fr) Procede d'authentification mutuelle entre un equipement utilisateur et un reseau de communication
WO2009115755A2 (fr) Procédé d'authentification, système d'authentification, terminal serveur, terminal client et programmes d'ordinateur correspondants
EP1668944A2 (fr) Procede d authentification dans un reseau de radiotelephonie
WO2003041022A1 (fr) Procede de transaction securisee entre un telephone mobile equipe d'un module d'identification d'abonne (carte sim) et un serveur d'application
WO2001093528A2 (fr) Procede de communication securisee entre un reseau et une carte a puce d'un terminal
FR3111038A1 (fr) Traitements cryptographiques pour chiffrer ou déchiffrer des données
WO2003079714A1 (fr) Procede d'echange d'informations d'authentification entre une entite de communciation et un serveur-operateur
EP1321005B1 (fr) Procede d'implantation d'informations sur un identifiant
EP2735196B1 (fr) Procédé d'inhibition d'une communication d'un équipement avec un réseau
EP1605716A1 (en) Method and device to authenticate customers in a mobile phone network
EP1883199B1 (fr) Procédé de contrôle de l'accès d'une station mobile à une station de base
FR2838586A1 (fr) Procede pour securiser une liaison entre un terminal de donnees et un reseau local informatique, et terminal de donnees pour la mise en oeuvre de ce procede
FR2844409A1 (fr) Protection d'une cle secrete pour algorithme d'authentification dans un radiotelephone mobile

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL HR LT LV MK

17P Request for examination filed

Effective date: 20060321

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20120502