EP4074087A1 - Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server - Google Patents

Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server

Info

Publication number
EP4074087A1
EP4074087A1 EP20803563.4A EP20803563A EP4074087A1 EP 4074087 A1 EP4074087 A1 EP 4074087A1 EP 20803563 A EP20803563 A EP 20803563A EP 4074087 A1 EP4074087 A1 EP 4074087A1
Authority
EP
European Patent Office
Prior art keywords
msin
secure element
imsi
decrypted
candidate
Legal status
Pending
Application number
EP20803563.4A
Other languages
German (de)
French (fr)
Inventor
Ly Thanh Phan
Current Assignee
Thales DIS France SAS
Original Assignee
Thales DIS France SAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Definitions

  • the invention concerns telecommunications and in particular a symmetric key based method and system intended to protect identity privacy of IoT (Internet of Things) devices.
  • IoT: Internet of Things
  • IoT devices with low computation capability need to cipher their identity to comply with GDPR (General Data Protection Regulation).
  • IoT devices are communicating with secure elements like UICCs, iUICCs (integrated UICCs), eUICCs (embedded UICCs) or soft SIMs.
  • GDPR requires protection of user identity privacy. This includes identities of IoT devices.
  • initial authentication to the network requires the device to which the secure element is cooperating, to send its permanent subscription identity (e.g. IMSI - International Mobile Subscriber Identity) in clear over the air interface to the serving access network.
  • identity encryption mechanism e.g. in GSM, UMTS or LTE.
  • Identity encryption exists for initial authentication in 5G; however, this requires the operator to deploy secure elements (UICC) and authentication network functions supporting asymmetric key algorithms. It is known that secure elements running such asymmetric key algorithms are more complex and require more battery power, which is incompatible with low power and low cost IoT devices.
  • Another solution could be to use one or multiple symmetric keys stored in the USIM specifically used for the encryption of the device SUPI/IMSI.
  • for practicability reasons, these keys need to be shared among groups of devices. The weakness of such a system is that if one device is penetrated and the group key is revealed, then the whole group is compromised.
  • Symmetric key based authentication requires both ends of the mutual authentication process to know the identity of the other end user. This is the reason why identity protection cannot be ensured in earlier technology without the introduction of a public key mechanism:
  • In a symmetric key system, the device needs to provide the network with its identity in clear in the initial authentication, for the network to be able to retrieve the pre-shared secret key based on the identity sent in clear (IMSI).
  • IMSI: identity sent in clear
  • the invention proposes a solution to this problem.
  • the present invention proposes a method for authenticating a secure element at the level of an authentication server, the secure element being able to cooperate with a telecommunication terminal, the method comprising:
  • a first message comprising a partial IMSI of the secure element or a partial IMSI of an IMSI based user identity that is in the form of a NAI of the secure element, called MSIN_part1, the first message also comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element , the MSIN_part1 comprising some of the most significant digits of the MSIN;
  • the invention also concerns a secure element being able to cooperate with a telecommunication terminal, the secure element comprising a computer program comprising instructions for:
  • a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising: the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element; and the MSIN_part1, the MSIN_part1 comprising some of the most significant digits of the MSIN;
  • a second message containing a second part, called MSIN_part2, of the MSIN of the secure element and the current sequence number, the second message being encrypted by the key Ki of the secure element in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN;
  • the invention also concerns an authentication server able to authenticate a secure element , the secure element being able to cooperate with a telecommunication terminal, the authentication server comprising a computer program comprising instructions for:
  • a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element , the MSIN_part1 comprising some of the most significant digits of the MSIN; o a second message containing a second part, called MSIN_part2, of the MSIN of the secure element and the current sequence number, the second message being encrypted by the key Ki of the secure element in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN;
  • the first part MSIN_part1 and the second part MSIN_part2 do or do not fully comprise the MSIN.
  • Figure 1 represents a flow of the exchanged signals between a secure element and a home AUSF (H-AUSF (Authentication Server Function));
  • H-AUSF Authentication Server Function
  • Figure 2 represents the generation of a partial IMSI and of a token at the level of the secure element
  • Figure 3 represents how the partial IMSI and the token are exploited at the level of the home AUSF (H-AUSF) for generating an authentication vector.
  • Figure 1 represents a flow of the exchanged signals between a secure element 10 and a home AUSF (referenced H-AUSF 12).
  • the secure element 10 is able to cooperate with a telecommunication terminal.
  • the purpose is to authenticate the secure element 10 at the level of the authentication server H-AUSF 12.
  • Figure 1 is described in parallel with figure 2 that shows what happens at the level of the secure element 10.
  • the process comprises:
  • the token X 23 comprises four fields: a first field that is a header “MSIN_part2:” announcing the content of the second field containing MSIN_part2, and a third field that is a header “SQN:” announcing the last field containing SQN.
  • a generation at the secure element 10 of another message, called later on first message 20, comprising a partial IMSI (Partial_IMSI) of the secure element 10, called MSIN_part1, this first message 20 also comprising the MCC and MNC codes of the IMSI of the secure element 10, the MSIN_part1 comprising some of the most significant digits of the MSIN.
  • the MSIN_part1 that constitutes a partial IMSI may contain one or several of the most significant digits of the MSIN part of the IMSI.
  • the Partial_IMSI 20 comprises a concatenation of the MCC, MNC and MSIN_part1.
  • the partial IMSI 20 (MCC || MNC || MSIN_part1) and the token X 23 are transmitted to the authentication server 12 through an AMF 11 (Access and Mobility Management Function, see 3GPP TS 23.501).
  • AMF 11 Access and Mobility Management Function, see 3GPP TS 23.501.
  • a database 30 associates each partial IMSI 20 to a complete IMSI with the corresponding key Ki 22.
  • This database permits to constitute a list 31 of the candidate secure elements for which the MSIN_part1 corresponds (step 15).
  • the token X 23 is decrypted (step 33) with the key Ki of each of the candidate secure elements of the list, in order to generate decrypted IMSIs (list 34).
  • This list 34 thus contains all decrypted IMSIs and the corresponding decrypted sequence number SQN.
  • the authentication server 12 checks, for each candidate secure elements of the list, which decrypted IMSI: a - corresponds to the IMSI of the candidate secure element of the list 31 ; and b - which candidate secure element of the list 31 has a sequence number in a valid range of the decrypted sequence number from token X 23.
  • the authentication server 12 generates an authentication vector (step 36 in figure 3) by using the key Ki corresponding to the IMSI which has the decrypted MSIN_part2 and has a valid sequence number in order to launch a challenge response process (step 16 in figure 1) between the secure element 10 and the authentication server 12.
  • the method according to the invention can be used in 2 ways: a- the first MSIN_part1 and second part MSIN_part2 do not fully comprise the MSIN; b- the first MSIN_part1 and second part MSIN_part2 do fully comprise the MSIN.
  • the first MSIN_part1 and second part MSIN_part2 do not fully comprise the MSIN (digits 567 are not sent).
  • MSIN_part1 being 123456 (or 12345) and second part MSIN_part2 being 78910 (or 678910 respectively)
  • the first MSIN_part1 and second part MSIN_part2 do fully comprise the MSIN (all the digits of the MSIN are sent).
  • the H-AUSF 12 can then (at step 36) generate an authentication vector by using the Ki of the candidate IMSI which has the correct MSIN_part2 and a valid sequence number SQN in order to launch a challenge response process between the secure element 10 and the authentication server 12.
  • IMSI is used as an example.
  • a group identity or other types of identities could be used as long as it does not identify the device/subscription uniquely and provides a certain level of identity uncertainty that complies with the GDPR regulations.
  • a NAI Network Access Identifier
  • IMSIs are used in networks before 5G (2G, 3G and 4G networks). In 5G networks, NAIs are used.
  • NAI typically would be in the form of “Special_Group ID. Unique ID”.
  • Special_Group ID is an identifier common to a group of secure elements in the field (comprising MCC and MNC codes) and Unique ID is the unique ID of each secure element (diversified per unique secure element) of the group.
  • the different IMSIs/NAIs are known by the H-AUSF 12.
  • the token X 13 is thus the result of the encryption, with the subscription secret key Ki, of the concatenation of a multiplicity of information pieces that include at least a part (least significant digits) of the identity of the subscription (IMSI) or the Unique ID part of the NAI when a NAI is used.
  • the token X also contains the sequence number (SQN) that is used in the mutual authentication mechanism with the network (3GPP AKA). The sequence number was increased in previous authentication process (per 3GPP AKA also), so that the token X 13 is unique following an authentication process with the network.
  • a registration counter or a random number generated by the USIM may be part of the concatenation to provide higher entropy.
  • one or more well-known labels may be part of the concatenated data to increase the level of certainty during the identification process by the home network.
  • the length of the IMSI is generally sufficient.
  • the serving network uses the information (MCC and MNC) in the partial identity (Partial_IMSI) to route the registration request to the home network (H-AUSF 12)
  • the home network upon reception of the request (step 15) that contains the Partial_IMSI and the token X:
  • uses the corresponding secret key (Ki) of the candidate device to decipher the received token X; tries to extract data fields of the deciphered data. Retrieves in the deciphered data the text labels when present as shown in figure 2 (i.e.
  • When the registering device is identified (only one matched candidate device), the H-AUSF 12 performs the standard process of generating the authentication vector based on the IMSI/Ki and sequence number SQN of the matched device and sends the Authentication Vector to the AMF 11 (step 16 of figure 1).
  • the computation intensive task is only performed by the H-AUSF 12, for instance using an HSM.
  • the AMF 11 performs then the standard authentication of the registering device and reports the success to the Home Network.
  • one or multiple group keys G_key could be deployed by the home network operators for the specific tasks of encrypting the token X (i.e. subscription IMSI/SQN).
  • the partial identity of the subscription is replaced by a group key identity GK_Id.
  • Each group key identity GK_Id is associated to a group of devices which have different MSIN_part2 within that group.
  • the USIM/device 10 is configured with not only the IMSI/Ki pair but also with a GK_Id/G_key; generates the token X using its configured G_key; the token X 23 being the encryption of the concatenation of the partial subscription IMSI (MSIN_part2) and SQN as in the first description; sends the registration containing the GK_Id and the generated Token X 23.
  • the remaining process is similar to the first detailed process, whereas the Partial_IMSI and the Ki for the encryption of the token X 23 are replaced respectively by the GK_Id and G_key configured in the USIM/Device.
  • one or more labels in the encrypted data is not necessary in this case as the deciphered data provide directly the correct MSIN_part2 and SQN that is in the group of devices associated to the GK_Id, as by construction of the group, the MSIN_part2 of the devices are unique within this group of devices.
  • the GK_Id could be added in the concatenation for verification after deciphering. However, this would lengthen the token X 23, which could be challenging for devices with low communication bandwidth.
  • the invention uses symmetric key based algorithm to protect the device identity in the initial authentication (registration) process.
  • the invention uses a differentiated key per device and does not use a group key.
  • the invention could be implemented so that only the end points (i.e. USIM 10 and H-AUSF 13) are modified and the intermediate nodes are unchanged by 3GPP standards.
  • the invention also concerns a secure element 10 being able to cooperate with a telecommunication terminal, this secure element 10 comprising a computer program comprising instructions for:
  • the invention also concerns an authentication server 12 able to authenticate a secure element 10, the secure element 10 being able to cooperate with a telecommunication terminal, the authentication server 12 comprising a computer program comprising instructions for:
  • a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element 10, the MSIN_part1 comprising some of the most significant digits of the MSIN; o a second message containing a second part, called MSIN_part2, of the MSIN of the secure element 10 and the current sequence number, the second message being encrypted by the key Ki of the secure element 10 in order to provide a token X 23, the MSIN_part2 comprising some of the less significant digits of the MSIN; Retrieving a list of the candidate secure elements for which the MSIN_part1 corresponds and, for each of the candidate secure elements of the list, decrypting the token X with the key Ki of each of the candidate secure elements of the list in order to generate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention concerns a method for authenticating a secure element (10) at the level of an authentication server (12), the secure element (10) being able to cooperate with a telecommunication terminal, the method comprising: Generating at the secure element (10) a first message comprising a partial IMSI of the secure element (10) or a partial IMSI of an IMSI based user identity that is in the form of a NAI of the secure element, called MSIN_part1, the first message also comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element 10, the MSIN_part1 comprising some of the most significant digits of the MSIN; Generating at the secure element (10) a second message containing a second part, called MSIN_part2, of the MSIN of the secure element (10) and the current sequence number, the second message being encrypted by the key Ki of the secure element (10) in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN; Transmitting the first message and the token X to the authentication server (12); At the authentication server (12), creating a list of the candidate secure elements for which the MSIN_part1 corresponds and, for each of the candidate secure elements of the list, decrypting the token X with the key Ki of each of the candidate secure elements of the list, in order to generate a decrypted IMSI comprising the MCC, MNC and MSIN_part1 of the first message and decrypted MSIN_part2 of the token X or a decrypted IMSI based user identity that is in the form of a NAI comprising the MCC, MNC and MSIN_part1 of the first message and the decrypted MSIN_part2 of the token X; Checking at the authentication server (12), for each candidate secure element of the list, which candidate IMSI or candidate IMSI based user identity that is in the form of a NAI: a) corresponds to the decrypted IMSI of the decrypted token X; and b) has an associated sequence number in a valid range of the decrypted sequence number; At the authentication server (12), generating an authentication vector by using the key Ki of the candidate secure element associated to the IMSI or IMSI based user identity that is in the form of a NAI that matches the decrypted MSIN_part2 of the decrypted token X and the candidate secure element has sequence number in a valid range of the decrypted sequence number in order to launch a challenge response process between the secure element (10) and the authentication server (12).

Description

Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server
The invention concerns telecommunications and in particular a symmetric key based method and system intended to protect identity privacy of IoT (Internet of Things) devices.
It is known that IoT devices with low computation capability (low cost devices) need to cipher their identity to comply with GDPR (General Data Protection Regulation). IoT devices are communicating with secure elements like UICCs, iUICCs (integrated UICCs), eUICCs (embedded UICCs) or soft SIMs.
GDPR requires protection of user identity privacy. This includes identities of IoT devices.
GDPR requires protection of user identity privacy. This includes identities of loT devices.
In 3GPP, initial authentication to the network requires the device with which the secure element is cooperating to send its permanent subscription identity (e.g. IMSI - International Mobile Subscriber Identity) in clear over the air interface to the serving access network. This is the case in 3GPP when an identity encryption mechanism is not available (e.g. in GSM, UMTS or LTE). Identity encryption exists for initial authentication in 5G; however, this requires the operator to deploy secure elements (UICC) and authentication network functions supporting asymmetric key algorithms. It is known that secure elements running such asymmetric key algorithms are more complex and require more battery power, which is incompatible with low power and low cost IoT devices.
In 5G networks, it is possible to send something else (of an IMSI) like an NAI, which is generally a human readable text based identifier. The home network identity (MCC / MNC) is needed and is in a different field than the identifier of the secure element.
These asymmetric key based technologies are well known to be complex, costly to manage and impractical for low end devices such as low capability and low cost IoT devices.
Identity protection is provided in 5G for initial authentication. The encryption of the SUPI (Subscription Permanent Identifier) is based on the home operator pre-configured public key (Home Operator Certificate) stored in the USIM (Universal Subscriber Identity Module). Such a system is cumbersome and costly to deploy and unsuited to low capability devices that cannot afford to support public key computation due to battery constraints or cost constraints.
Another solution could be to use one or multiple symmetric keys stored in the USIM specifically used for the encryption of the device SUPI/IMSI. However, for practicability reasons, these keys need to be shared among groups of devices. The weakness of such a system is that if one device is penetrated and the group key is revealed, then the whole group is compromised.
It is the objective of this invention to provide a method and system to allow identity privacy protection for such devices using a symmetric key based technology.
Symmetric key based authentication requires both ends of the mutual authentication process to know the identity of the other end user. This is the reason why identity protection cannot be ensured in earlier technology without the introduction of a public key mechanism: in a symmetric key system, the device needs to provide the network with its identity in clear in the initial authentication, for the network to be able to retrieve the pre-shared secret key based on the identity sent in clear (IMSI).
So, the invention proposes a solution to this problem.
More precisely, the present invention proposes a method for authenticating a secure element at the level of an authentication server, the secure element being able to cooperate with a telecommunication terminal, the method comprising:
Generating at the secure element a first message comprising a partial IMSI of the secure element or a partial IMSI of an IMSI based user identity that is in the form of a NAI of the secure element, called MSIN_part1, the first message also comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element , the MSIN_part1 comprising some of the most significant digits of the MSIN;
Generating at the secure element a second message containing a second part, called MSIN_part2, of the MSIN of the secure element and the current sequence number, the second message being encrypted by the key Ki of the secure element in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN; Transmitting the first message and the token X to the authentication server ;
- At the authentication server , creating a list of the candidate secure elements for which the MSIN_part1 corresponds and, for each of the candidate secure elements of the list, decrypting the token X with the key Ki of each of the candidate secure elements of the list, in order to generate a decrypted IMSI comprising the MCC, MNC and MSIN_part1 of the first message and decrypted MSIN_part2 of the token X or a decrypted IMSI based user identity that is in the form of a NAI comprising the MCC, MNC and MSIN_part1 of the first message and the decrypted MSIN_part2 of the token X; Checking at the authentication server , for each candidate secure element of the list, which candidate IMSI or candidate IMSI based user identity that is in the form of a NAI : a) corresponds to the decrypted IMSI of the decrypted token X; and b) has an associated sequence number in a valid range of the decrypted sequence number;
- At the authentication server, generating an authentication vector by using the key Ki of the candidate secure element associated to the IMSI or IMSI based user identity that is in the form of a NAI that matches the decrypted MSIN_part2 of the decrypted token X and the candidate secure element has sequence number in a valid range of the decrypted sequence number in order to launch a challenge response process between the secure element and the authentication server.
The invention also concerns a secure element being able to cooperate with a telecommunication terminal, the secure element comprising a computer program comprising instructions for:
Generating a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising: the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element; and the MSIN_part1, the MSIN_part1 comprising some of the most significant digits of the MSIN;
Generating a second message containing a second part, called MSIN_part2, of the MSIN of the secure element and the current sequence number, the second message being encrypted by the key Ki of the secure element in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN;
Transmitting the first message and the token X to an authentication server.
The invention also concerns an authentication server able to authenticate a secure element , the secure element being able to cooperate with a telecommunication terminal, the authentication server comprising a computer program comprising instructions for:
- After having received from the secure element : o a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element , the MSIN_part1 comprising some of the most significant digits of the MSIN; o a second message containing a second part, called MSIN_part2, of the MSIN of the secure element and the current sequence number, the second message being encrypted by the key Ki of the secure element in order to provide a token X, the MSIN_part2 comprising some of the less significant digits of the MSIN;
Retrieving a list of the candidate secure elements for which the MSIN_part1 corresponds and, for each of the candidate secure elements of the list, decrypting the token X with the key Ki of each of the candidate secure elements of the list in order to generate a decrypted IMSI or a decrypted IMSI based user identity that is in the form of a NAI, the decrypted IMSI or decrypted IMSI based user identity that is in the form of a NAI comprising the MCC, MNC and MSIN_part1 of the first message and decrypted MSIN_part2 of the token X;
Checking for each candidate secure element of the list, which candidate IMSI or candidate IMSI based user identity that is in the form of a NAI: a) corresponds to the decrypted IMSI of the decrypted token X; and b) has an associated sequence number in a valid range of the decrypted sequence number;
Generating an authentication vector by using the key Ki of the candidate secure element associated to the IMSI that matches the decrypted MSIN_part2 of the decrypted token X and the candidate secure element has a sequence number in a valid range of the decrypted sequence number in order to launch a challenge response process between the secure element and the authentication server.
The first part MSIN_part1 and the second part MSIN_part2 do or do not fully comprise the MSIN.
The present invention will be better understood by reading the description of a preferred method described in the figures that represent a preferred implementation of the method of the invention. More precisely:
Figure 1 represents a flow of the exchanged signals between a secure element and a home AUSF (H-AUSF (Authentication Server Function));
Figure 2 represents the generation of a partial IMSI and of a token at the level of the secure element;
Figure 3 represents how the partial IMSI and the token are exploited at the level of the home AUSF (H-AUSF) for generating an authentication vector.
Figure 1 represents a flow of the exchanged signals between a secure element 10 and a home AUSF (referenced H-AUSF 12). The secure element 10 is able to cooperate with a telecommunication terminal. The purpose is to authenticate the secure element 10 at the level of the authentication server H-AUSF 12.
In this figure the use of a partial identifier (here a part of an IMSI) is represented.
Figure 1 is described in parallel with figure 2 that shows what happens at the level of the secure element 10.
During the initial registration/authentication of the secure element 10, the process comprises:
- At step 13, a generation at the secure element 10 of a message, called second message, containing a second part, called MSIN_part2, of the MSIN of the secure element 10 and the current sequence number SQN 21 , this second message being encrypted by the key Ki 22 of the secure element 10 in order to provide a token X 23, the MSIN_part2 comprising some of the less significant digits of the MSIN. So the concatenation of MSIN_part2 and SQN constitutes a second message that is then encrypted by the key Ki of the secure element 10 in order to provide the token X 23.
The token X 23 comprises four fields: a first field that is a header “MSIN_part2:” announcing the content of the second field containing MSIN_part2, and a third field that is a header “SQN:” announcing the last field containing SQN.
- At step 13 also, a generation at the secure element 10 of another message, called later on first message 20, comprising a partial IMSI (Partial_IMSI) of the secure element 10, called MSIN_part1, this first message 20 also comprising the MCC and MNC codes of the IMSI of the secure element 10, the MSIN_part1 comprising some of the most significant digits of the MSIN.
So, the MSIN_part1 that constitutes a partial IMSI (Partial_IMSI 20, see figure 2) may contain one or several of the most significant digits of the MSIN part of the IMSI. The fewer digits of the MSIN are contained in the partial identity MSIN_part1, the higher the identity privacy protection.
The Partial_IMSI 20 comprises a concatenation of the MCC, MNC and MSIN_part1.
At step 14, the partial IMSI 20 (MCC || MNC || MSIN_part1) and the token X 23 are transmitted to the authentication server 12 through an AMF 11 (Access and Mobility Management Function, see 3GPP TS 23.501).
Then, as can be seen in figures 1 and 3, at the authentication server 12, when receiving the partial IMSI 20 (and the token X 23, whose use will be explained later), a database 30 associates each partial IMSI 20 to a complete IMSI with the corresponding key Ki 22. This database makes it possible to constitute a list 31 of the candidate secure elements for which the MSIN_part1 corresponds (step 15). For each of the candidate secure elements of the list, the token X 23 is decrypted (step 33) with the key Ki of each of the candidate secure elements of the list, in order to generate decrypted IMSIs (list 34). This list 34 thus contains all decrypted IMSIs and the corresponding decrypted sequence number SQN.
At step 35, the authentication server 12 checks, for each candidate secure element of the list, which decrypted IMSI:
a - corresponds to the IMSI of the candidate secure element of the list 31; and
b - which candidate secure element of the list 31 has a sequence number in a valid range of the decrypted sequence number from token X 23.
Once such a candidate secure element having an IMSI of a recognized secure element has been found and for which a sequence number is in a correct range (generally this range comprises 32 consecutive values), the authentication server 12 generates an authentication vector (step 36 in figure 3) by using the key Ki corresponding to the IMSI which has the decrypted MSIN_part2 and has a valid sequence number in order to launch a challenge response process (step 16 in figure 1) between the secure element 10 and the authentication server 12.
The method according to the invention can be used in 2 ways:
a - the first MSIN_part1 and second part MSIN_part2 do not fully comprise the MSIN;
b - the first MSIN_part1 and second part MSIN_part2 do fully comprise the MSIN.
Let’s assume that a MSIN is 1234578910.
In the first case (a), we can:
- have a first MSIN_part1 being 1234 and second part MSIN_part2 being 8910
In this first case, the first MSIN_part1 and second part MSIN_part2 do not fully comprise the MSIN (digits 567 are not sent).
In the second case (b), we can:
- have a first MSIN_part1 being 123456 (or 12345) and second part MSIN_part2 being 78910 (or 678910 respectively)
In this case, the first MSIN_part1 and second part MSIN_part2 do fully comprise the MSIN (all the digits of the MSIN are sent).
Not fully sending the MSIN increases the uncertainty about the MSIN, so a hacking of the signals sent by the secure element 10 to the H-AUSF 12 has a lower chance of being successful.
The above description has been done in case of the use of an IMSI. But it is also applicable when, instead of an IMSI, a NAI (Network Access Identifier) is used (NAI is a human readable text and comprises MCC/MNC codes). In this case, the Partial_IMSI 20 is user identity based.
Thanks to the Ki 32 associated to each candidate IMSI, the token X is decrypted (step 33). This makes it possible to generate another list 34 where, for each decrypted IMSI (which is formed of the MSIN_part1 and the decrypted MSIN_part2), the sequence number SQN is retrieved. We then have all the decrypted IMSIs and their associated decrypted SQNs.
Thanks to the decrypted MSIN_part2 and to the decrypted SQN, it is then possible to know which candidate IMSI has the MSIN_part2 corresponding to the decrypted MSIN_part2, and that has the correct SQN (known at the level of the H-AUSF 12), or at least a SQN being in a correct range, in order to decide which one of the candidate IMSIs is matching (step 35).
The H-AUSF 12 can then (at step 36) generate an authentication vector by using the Ki of the candidate IMSI which has the correct MSIN_part2 and a valid sequence number SQN in order to launch a challenge response process between the secure element 10 and the authentication server 12.
Here the IMSI is used as an example. A group identity or other types of identities could be used as long as it does not identify the device/subscription uniquely and provides a certain level of identity uncertainty that complies with the GDPR regulations.
For example, a NAI (Network Access Identifier) could be used instead of an IMSI. IMSIs are used in networks before 5G (2, 3, 3 and 4G networks). In 5G networks, NAIs are used.
In this case, a NAI typically would be in the form of “Special_Group ID. Unique ID”, where Special_Group ID is an identifier common to a group of secure elements in the field (comprising MCC and MNC codes) and Unique ID is the unique ID of each secure element (diversified per unique secure element) of the group.
The different IMSIs/NAIs are known by the H-AUSF 12.
The token X 13 is thus the result of the encryption, with the subscription secret key Ki, of the concatenation of a multiplicity of information pieces that include at least a part (least significant digits) of the identity of the subscription (IMSI) or the Unique ID part of the NAI when a NAI is used. The token X also contains the sequence number (SQN) that is used in the mutual authentication mechanism with the network (3GPP AKA). The sequence number was increased in previous authentication process (per 3GPP AKA also), so that the token X 13 is unique following an authentication process with the network. Optionally a registration counter or a random number generated by the USIM may be part of the concatenation to provide higher entropy.
Optionally one or more well-known labels (e.g. “IMSI:”, “SQN:”, “Session Id:”) may be part of the concatenated data to increase the level of certainty during the identification process by the home network. Note that the length of the IMSI is generally sufficient.
The serving network (AMF 11) uses the information (MCC and MNC) in the partial identity (Partial_IMSI) to route the registration request to the home network (H-AUSF 12).
The home network (H-AUSF 12) upon reception of the request (step 15) that contains the Partial_IMSI and the token X:
- Retrieves the list of candidate devices whose partial identity matches the received partial identity Partial_IMSI;
- For each of the candidate devices of the list:
  o Uses the corresponding secret key (Ki) of the candidate device to decipher the received token X;
  o Tries to extract data fields of the deciphered data. Retrieves in the deciphered data the text labels when present as shown in figure 2 (i.e. “MSIN_part2:” and “SQN:”);
  o Retrieves the MSIN_part2 of IMSI of the registering device based on the deciphered text labels;
  o Checks whether the deciphered MSIN_part2 is equal to the MSIN_part2 of this candidate device;
  o Retrieves the sequence number SQN from the deciphered token X based on the deciphered text labels;
  o Checks if the retrieved SQN value is coherent with the stored SQN value for that candidate device;
  o If all the checks and verifications are successful, then the registering device is considered as identified.
When the registering device is identified (only one matched candidate device), the H-AUSF 12 performs the standard process of generating the authentication vector based on the IMSI/Ki and sequence number SQN of the matched device and sends the Authentication Vector to the AMF 11 (step 16 of figure 1).
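The registration and identification steps above (13 to 15, 33 and 35), written out in Go as an added example; it is not code from the patent. AES-128-GCM with a random 12-byte nonce, the 4/4 digit split, the rule that the decrypted SQN must lie within 32 of the stored value, and the MCC, MNC and Ki values are assumptions, since the page names no cipher and does not define the range check precisely.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

type Subscriber struct { // one row of database 30: identity, Ki, stored SQN
	MCC, MNC, MSIN string
	Ki             []byte
	SQN            uint64
}

const part1Len, part2Len, sqnWindow, nonceLen = 4, 4, 32, 12 // split sizes assumed

func newAEAD(ki []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ki)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-GCM is assumed; the page names no cipher
}

// BuildRegistration is the secure-element side (step 13): partial IMSI and token X.
func BuildRegistration(s Subscriber) (string, []byte, error) {
	aead, err := newAEAD(s.Ki)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	msg := fmt.Sprintf("MSIN_part2:%sSQN:%d", s.MSIN[len(s.MSIN)-part2Len:], s.SQN)
	tokenX := aead.Seal(nonce, nonce, []byte(msg), nil) // nonce || ciphertext || tag
	return s.MCC + s.MNC + s.MSIN[:part1Len], tokenX, nil
}

// openToken trial-decrypts token X with one candidate Ki and parses the labels.
func openToken(ki, tokenX []byte) (string, uint64, bool) {
	aead, err := newAEAD(ki)
	if err != nil || len(tokenX) < nonceLen {
		return "", 0, false
	}
	plain, err := aead.Open(nil, tokenX[:nonceLen], tokenX[nonceLen:], nil)
	head, sqnText, found := strings.Cut(string(plain), "SQN:")
	sqn, perr := strconv.ParseUint(sqnText, 10, 64)
	ok := err == nil && found && perr == nil && strings.HasPrefix(head, "MSIN_part2:")
	return strings.TrimPrefix(head, "MSIN_part2:"), sqn, ok
}

// Identify is the server side (steps 15, 33, 35); -1 means not identified.
func Identify(db []Subscriber, partialIMSI string, tokenX []byte) int {
	match := -1
	for i, c := range db {
		if c.MCC+c.MNC+c.MSIN[:part1Len] != partialIMSI {
			continue // not in candidate list 31
		}
		part2, sqn, ok := openToken(c.Ki, tokenX)
		d := int64(sqn - c.SQN) // signed distance from the stored SQN
		if !ok || part2 != c.MSIN[len(c.MSIN)-part2Len:] || d <= -sqnWindow || d >= sqnWindow {
			continue // wrong Ki, MSIN_part2 mismatch or SQN outside the window
		}
		if match >= 0 {
			return -1 // more than one candidate matched
		}
		match = i
	}
	return match
}

func main() { // constructed sample subscriber; the MSIN is the page's example
	db := []Subscriber{{"208", "01", "1234578910", []byte("constructed-Ki-A"), 100}}
	partial, tokenX, err := BuildRegistration(db[0])
	fmt.Println(partial, len(tokenX), err, Identify(db, partial, tokenX))
}
```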
Note that the computation-intensive task is only performed by the H-AUSF 12, for instance using an HSM. The AMF 11 then performs the standard authentication of the registering device and reports the success to the Home Network.
In 5G, it is possible to send something other than an IMSI, like an NAI, which is text. The home network identity (MCC / MNC) is needed and is in a different field than the identity. So in this case the partial identity can be what the operator wants and does not necessarily take the form of the beginning of the IMSI.
In alternatives, one or multiple group keys G_key could be deployed by the home network operators for the specific tasks of encrypting the token X (i.e. subscription IMSI/SQN). In such case the partial identity of the subscription is replaced by a group key identity GK_Id. Each group key identity GK_Id is associated to a group of devices which have different MSIN_part2 within that group. In this alternative, the USIM/device 10:
- is configured with not only the IMSI/Ki pair but also with a GK_Id/G_key;
- generates the token X using its configured G_key; the token X 23 being the encryption of the concatenation of the partial subscription IMSI (MSIN_part2) and SQN as in the first description;
- sends the registration containing the GK_Id and the generated Token X 23.
The remaining process is similar to the first detailed process, whereas the Partial_IMSI and the Ki for the encryption of the token X 23 are replaced respectively by the GK_Id and G_key configured in the USIM/Device.
It is to be noted that the larger the number of groups (number of group keys used) created by the home network operator, the smaller a group can be (fewer devices sharing the same group key) and the higher the level of security for the protection of the group key. However, this would limit the protection of the privacy of the user subscription identity within a smaller group.
It is also to be noted that one or more labels in the encrypted data are not necessary in this case as the deciphered data provide directly the correct MSIN_part2 and SQN that is in the group of devices associated to the GK_Id, as by construction of the group, the MSIN_part2 of the devices are unique within this group of devices.
The GK_Id could be added in the concatenation for verification after deciphering. However, this would lengthen the token X 23, which could be challenging for devices with low communication bandwidth.
The invention uses a symmetric key based algorithm to protect the device identity in the initial authentication (registration) process.
The invention uses a differentiated key per device and does not use a group key. The invention could be implemented so that only the end points (i.e. USIM 10 and H-AUSF 13) are modified and the intermediate nodes are unchanged by 3GPP standards.
There is an asymmetric level of computation in this method, in the sense that the intensive computation is only performed by the network side which is more capable than the device/secure element 10 side. On the device/secure element 10 side the USIM/device only performs the low demanding symmetric key encryption computation.
The invention also concerns a secure element 10 being able to cooperate with a telecommunication terminal, this secure element 10 comprising a computer program comprising instructions for:
- Generating a first message 20 comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising:
  o the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element 10 and
  o the MSIN_part1,
  the MSIN_part1 comprising some of the most significant digits of the MSIN;
- Generating a second message containing a second part, called MSIN_part2, of the MSIN of the secure element 10 and the current sequence number, the second message being encrypted by the key Ki of the secure element 10 in order to provide a token X 23, the MSIN_part2 comprising some of the less significant digits of the MSIN;
- Transmitting the first message and the token X 23 to an authentication server 12.
The invention also concerns an authentication server 12 able to authenticate a secure element 10, the secure element 10 being able to cooperate with a telecommunication terminal, the authentication server 12 comprising a computer program comprising instructions for:
- After having received from the secure element 10:
  o a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, the first message comprising the MCC and MNC codes of the IMSI or of the IMSI based user identity that is in the form of a NAI of the secure element 10, the MSIN_part1 comprising some of the most significant digits of the MSIN;
  o a second message containing a second part, called MSIN_part2, of the MSIN of the secure element 10 and the current sequence number, the second message being encrypted by the key Ki of the secure element 10 in order to provide a token X 23, the MSIN_part2 comprising some of the less significant digits of the MSIN;
- Retrieving a list of the candidate secure elements for which the MSIN_part1 corresponds and, for each of the candidate secure elements of the list, decrypting the token X with the key Ki of each of the candidate secure elements of the list in order to generate a decrypted IMSI or a decrypted user identity that is in the form of a NAI, both comprising the MCC, MNC and MSIN_part1 of the first message and the decrypted MSIN_part2 of the token X, that is associated to the candidate secure element;
- Checking, for each candidate secure element of the list, which candidate IMSI:
  a - corresponds to the decrypted IMSI of the decrypted token X; and
  b - has an associated sequence number in a valid range of the decrypted sequence number;
- Generating an authentication vector by using the key Ki of the candidate secure element associated to the IMSI of the candidate secure element that matches the decrypted MSIN_part2 of the decrypted token X and the candidate secure element has sequence number in a valid range of the decrypted sequence number in order to launch a challenge response process between the secure element 10 and the authentication server 12.

Claims

1. A method for authenticating a secure element (10) at the level of an authentication server (12), said secure element (10) being able to cooperate with a telecommunication terminal, said method comprising:
- Generating at said secure element (10) a first message comprising a partial IMSI of said secure element (10) or a partial IMSI of an IMSI based user identity that is in the form of a NAI of said secure element, called MSIN_part1, said first message also comprising the MCC and MNC codes of said IMSI or of said IMSI based user identity that is in the form of a NAI of said secure element (10), said MSIN_part1 comprising some of the most significant digits of said MSIN;
- Generating at said secure element (10) a second message containing a second part, called MSIN_part2, of the MSIN of said secure element (10) and the current sequence number, said second message being encrypted by the key Ki of said secure element (10) in order to provide a token X, said MSIN_part2 comprising some of the less significant digits of said MSIN;
- Transmitting said first message and said token X to said authentication server (12);
- At said authentication server (12), creating a list of the candidate secure elements for which said MSIN_part1 corresponds and, for each of the candidate secure elements of said list, decrypting said token X with the key Ki of each of said candidate secure elements of said list, in order to generate a decrypted IMSI comprising said MCC, MNC and MSIN_part1 of said first message and decrypted MSIN_part2 of said token X or a decrypted IMSI based user identity that is in the form of a NAI comprising said MCC, MNC and MSIN_part1 of said first message and said decrypted MSIN_part2 of said token X;
- Checking at said authentication server (12), for each candidate secure element of said list, which candidate IMSI or candidate IMSI based user identity that is in the form of a NAI
  a) corresponds to said decrypted IMSI of said decrypted token X; and
  b) has an associated sequence number in a valid range of the decrypted sequence number;
- At said authentication server (12), generating an authentication vector by using the key Ki of said candidate secure element associated to the IMSI or IMSI based user identity that is in the form of a NAI that matches said decrypted MSIN_part2 of said decrypted token X and said candidate secure element has sequence number in a valid range of said decrypted sequence number in order to launch a challenge response process between said secure element (10) and said authentication server (12).
2. A method according to claim 1 wherein said first MSIN_part1 and second part MSIN_part2 do not fully comprise said MSIN.
3. A method according to claim 1 wherein said first MSIN_part1 and second part MSIN_part2 do fully comprise said MSIN.
4. A secure element (10) being able to cooperate with a telecommunication terminal, said secure element (10) comprising a computer program comprising instructions for:
- Generating a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, said first message comprising:
  o the MCC and MNC codes of the IMSI or of said IMSI based user identity that is in the form of a NAI of said secure element (10) and
  o said MSIN_part1,
  said MSIN_part1 comprising some of the most significant digits of said MSIN;
- Generating a second message containing a second part, called MSIN_part2, of the MSIN of said secure element (10) and the current sequence number, said second message being encrypted by the key Ki of said secure element (10) in order to provide a token X, said MSIN_part2 comprising some of the less significant digits of said MSIN;
- Transmitting said first message and said token X to an authentication server (12).
5. A secure element according to claim 4 wherein said first MSIN_part1 and second part MSIN_part2 do not fully comprise said MSIN.
6. A secure element according to claim 4 wherein said first MSIN_part1 and second part MSIN_part2 do fully comprise said MSIN.
7. An authentication server (12) able to authenticate a secure element (10), said secure element (10) being able to cooperate with a telecommunication terminal, said authentication server (12) comprising a computer program comprising instructions for:
- After having received from said secure element (10):
  o a first message comprising a partial IMSI or a partial IMSI based user identity that is in the form of a NAI, called MSIN_part1, said first message comprising the MCC and MNC codes of the IMSI or of said IMSI based user identity that is in the form of a NAI of said secure element (10), said MSIN_part1 comprising some of the most significant digits of said MSIN;
  o a second message containing a second part, called MSIN_part2, of the MSIN of said secure element (10) and the current sequence number, said second message being encrypted by the key Ki of said secure element (10) in order to provide a token X, said MSIN_part2 comprising some of the less significant digits of said MSIN;
- Retrieving a list of the candidate secure elements for which said MSIN_part1 corresponds and, for each of the candidate secure elements of said list, decrypting said token X with the key Ki of each of said candidate secure elements of said list in order to generate a decrypted IMSI or a decrypted IMSI based user identity that is in the form of a NAI, said decrypted IMSI or decrypted IMSI based user identity that is in the form of a NAI comprising said MCC, MNC and MSIN_part1 of said first message and decrypted MSIN_part2 of said token X;
- Checking for each candidate secure element of said list, which candidate IMSI or candidate IMSI based user identity that is in the form of a NAI:
  a) corresponds to said decrypted IMSI of said decrypted token X; and
  b) has an associated sequence number in a valid range of the decrypted sequence number;
- Generating an authentication vector by using said key Ki of said candidate secure element associated to the IMSI that matches said decrypted MSIN_part2 of said decrypted token X and said candidate secure element has a sequence number in a valid range of said decrypted sequence number in order to launch a challenge response process between said secure element (10) and said authentication server (12).
8. An authentication server (12) according to claim 7 wherein said first MSIN_part1 and second part MSIN_part2 do not fully comprise said MSIN.
9. An authentication server (12) according to claim 7 wherein said first MSIN_part1 and second part MSIN_part2 do fully comprise said MSIN.
EP20803563.4A 2019-12-13 2020-11-10 Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server Pending EP4074087A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP19306651.1A EP3836589A1 (en) 2019-12-13 2019-12-13 Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server
PCT/EP2020/081566 WO2021115699A1 (en) 2019-12-13 2020-11-10 Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server

Publications (1)

Publication Number Publication Date
EP4074087A1 true EP4074087A1 (en) 2022-10-19

Family

ID=69650516

Family Applications (2)

Application Number Title Priority Date Filing Date
EP19306651.1A Withdrawn EP3836589A1 (en) 2019-12-13 2019-12-13 Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server
EP20803563.4A Pending EP4074087A1 (en) 2019-12-13 2020-11-10 Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server

Country Status (2)

Country Link
EP (2) EP3836589A1 (en)
WO (1) WO2021115699A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2259545A1 (en) * 2009-06-05 2010-12-08 Gemalto SA Method for calculating a first identifier of a secured element of a mobile terminal from a second identifier of this secured element

Also Published As

Publication number Publication date
EP3836589A1 (en) 2021-06-16
WO2021115699A1 (en) 2021-06-17

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220713

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)