MXPA99006931A

MXPA99006931A - Method to update secret data shared in an inalambr communication system

Info

Publication number: MXPA99006931A
Application number: MXPA/A/1999/006931A
Authority: MX
Inventors: Patel Sarvar
Original assignee: Lucent Technologies Inc
Priority date: 1998-07-31
Filing date: 1999-07-26
Publication date: 2000-12-06

Abstract

In the method for updating secret shared data (SSD) in a wireless communication system, a first shared user outputs a first random number as a first interrogation signal in which the first shared user is one of a network and a mobile. A second shared user generates a second random number in response to the first interrogation signal. The second shared user is the mobile if the first shared user is the network, and the second shared user is the network if the first shared user is the mobile. The second shared user generates a response of the first interrogation signal by developing a cryptographic key function (KCF) in the first interrogation signal and the second random number using a secondary key, which is not the SSD and is derived from a key of root. The second shared user then transfers the second random number, as a second interrogation signal, and the response of the first interrogation signal to the first shared user. The first shared user verifies the second shared user based on the first and second interrogation signals and the response of the first interrogation signal, generates a response of the second interrogation signal by developing the KCF in the second interrogation signal. using the secondary key, and transfer the response of the second question mark to the second shared user. The second shared user verifies the first shared user based on the second interrogation signal and the response of the second interrogation signal. Both shared users respectively set the SSD based on the first and second interrogation signals

Description

METHOD FOR UPDATING SECRET DATA SHARED IN A WIRELESS COMMUNICATION SYSTEM BACKGROUND OF THE INVENTION Fields of the invention The present invention relates to a method for updating secret shared data in a wireless communication system.

Description of Related Art The US They currently use three main wireless systems, with different standards. The first system is a time division multiple access (TDMA) system and is governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Telephony System (AMPS). The three communication systems use the IS-41 standard to send intersistems messages, which define the authentication procedure when the secret shared data is updated.

Ref .: 30555 Fig. 1 illustrates a wireless system that includes an authentication center (AC) and a particular location register (HLR) 10, a visitor location register (VLR) 15, and a mobile 20. more than one HLR could be associated with an AC, currently there is one-to-one correspondence. Consequently, Fig. 1 illustrates the HLR and the AC as a simple entity, although they are separated. Also for simplicity, the rest of the specification will refer to the HRL and AC jointly as the AC / HLR. Also, the VLR sends information to one of a plurality of mobile switching centers (MSCs) associated therewith, and each MSC sends the information to one of a plurality of base stations (BSs) for transmission to the mobile. For simplicity, the VLRs, MSCs and BSs will be referred to and illustrated as a VLR. Collectively, ACs, HLRs, VLRs, MSCs, and BSs operated by a network server are referred to as a network.

A root key, known as key A, is stored only in AC / HLR 10 and mobile 20. There is a secondary key, known as Shared Data SSD, which is sent to VLR 15 as the mobile travels (p. ., when the mobile leaves its particular coverage area). The SSD is generated from key A and a random core RANDSSD using an algorithm or cryptographic function. A cryptographic function is a function that generates an output that has a predetermined number of bits based on a range of possible inputs. A cryptographic function in code (KCF) is a type of cryptographic function that operates based on a key; for example, a cryptographic function that operates on two or more arguments (eg, entries) where one of the arguments is the key. From the departure and recognition of the KCF in use, the entries can not be determined unless the key is known. Coding / decoding algorithms are types of cryptographic functions. They are also functions of a pathway type pseudo random functions (PRFs) and message authentication codes (MACs). The expression KCFSK (RN ') represents the KCF of the random number RN' using the session key SK as the key. A session key is a key that lasts a session, and a session is a period of time such as the duration of the call.

In the IS-41 protocol, the cryptographic function used is CAVE (Cellular Authentication and Voice Coding). When the mobile 20 travels, the VLR 15 in that area sends an authentication request to the AC / HLR 10, which responds by sending the mobile's SSD. Once the VRL 15 has the SSD, it can authenticate the mobile 20 independently of the AC / HRL 10. For security reasons, the SSD is periodically updated.

Fig. 2 illustrates the communication between the AC / HRL 10, the VRL 15 and the mobile 15 to update the SSD. As discussed above, the AC / HRL 10 generates a random number core RANDSSD, and using the CAVE algorithm generates a new SSD using the kernel of the random number RANDSSD. The SSD is 128 bits in size. The first 64 bits serve as a first SSD, referred to as SSDA, and the second 64 bits serve as a second SSD, referred to as SSDB. As shown in Fig. 2, the AC / HLR 10 provides the VLR 15 with the new SSD and the RANDSSD. The VLR 15 then sends the RANDSSD to the mobile 20 together with an SR session request. The session request SR instructs the mobile 20 to develop the SSD update protocol that is described in detail later. In response to the RANDSSD reception and the SR session request, the mobile 20 uses the CAVE algorithm to generate the new SSD using the RANDSSD, and generates a random number RM using a random number generator. The mobile 20 sends the random number RM to the VLR 15. The mobile 20 also develops the CAVE algorithm in the random number RM using the new SSDA as the key. This calculation is represented by CAVESSDA (RM).

One of the VLR 15 and the AC / HLR 10, also calculates CAVESSDA (RM). And it sends the result to the mobile 20. The mobile 20 authenticates the network if CAVESSDA (RM), which is calculated, equals that received from the network.

Following, and usually after receiving a signal from the mobile 20 indicating the verification, the VLR 15 generates a random number RN, and sends the random number RN to the mobile 20. Meanwhile, the VLR calculates CAVESSDA (RN). At the RN reception, the mobile 20 calculates CAVESSDA (RN), and sends the result to the VLR 15. The VLR 15 authenticates the mobile if CAVESSDA (RN), which is calculated, equals that received from the mobile 20. The random numbers RM and RN are referred to as interrogation signals, while CAVESSDA (RM) and CAVESSDA (RN) are referred to as interrogation signal responses. Once the authentication is complete, the mobile 20 and the network generate session keys using SSDB.

In this protocol, the SSD is used only to answer the interrogation signals of the mobile 20 and the network. This allows an attack when an old pair of RANDSSD and SSD is revealed. Knowing this pair is enough to ask mobile 20, and answer its question mark. Thus an attacker can exit an update of the SSD for the mobile 20, and answer the interrogation signal of the mobile. Once the revealed SSD is accepted, and in spite of a secure session key agreement protocol (eg, a protocol in the communication between a mobile and a network to establish a session key), the attacker may represent the network and place a call for mobile 20 under fraudulent identities. For example, the presenter can insert their own caller ID or name and pretend to be someone else. The attacker can pretend to be a credit card company, and ask to verify the card number and pin. 0 still use the name of the telephone company in the area of the caller's name and ask to verify the numbers of the calling card, etc.

Brief Description of the Invention In the method for updating secret shared data (SSD) in a wireless communication system according to the present invention, a first shared user issues a random number as a first interrogation signal and a second shared user responds with a response from the first Question mark The first shared user is the network or a mobile. The second shared user is the mobile when the first shared user is the network, and the second shared user is the network when the first shared user is the mobile. The second shared user generates a second random number. Then, the response of the first interrogation signal is generated by developing a cryptographic key function (KCF) in the first interrogation signal and the second random number using a secondary key. The secondary key is derived from the first and second shared users of a root key, and they are not secret shared data. The second shared user generates the second random number at the reception of the first interrogation signal, and uses the second random number as a second interrogation signal. The first shared user verifies the second shared user based on the first interrogation signal and the reception of the second interrogation signal and the response of the first interrogation signal. After verification, the first shared user develops the KCF on the second interrogation signal using the secondary key to generate a response of the second interrogation signal. Based on the second interrogation signal and the reception of the response of the second interrogation signal, the second shared user verifies the first shared user. Using the first and second interrogation signals, the secret shared data is generated by both parties. In this way, a different key, the secondary key, of the secret shared data key is used to answer the interrogation signals.

Brief Description of the Drawings The present invention will come to be understood more fully from the detailed description given below and the accompanying drawings which are given by way of illustration only, where like reference numerals designate corresponding parts in several of the drawings, and where : Fig. 1 is a block diagram illustrating the basic components of a wireless system; Fig. 2 illustrates the communication between the authentication center / particular location record, visitor location record, and the mobile to update the secret shared data according to the IS-41 standard; Fig. 3 illustrates the communication between the particular location registration / authentication center, visitor location record, and mobile to update the secret shared data according to an embodiment of the present invention; Fig. 4 illustrates the communication between the particular location registration / authentication center, visitor location record, and the mobile to update the secret shared data according to another embodiment of the present invention; Y Fig. 5 illustrates the communication between the particular location authentication / registration center, visitor location record, and the mobile to update the secret shared data according to a further embodiment of the present invention.

Detailed Description of the Preferred Modalities The method or protocol for updating the secret shared data according to the present invention is employed by the same wireless system shown in Fig. 1. In the method according to the present invention, however, the AC / HLR 10 and the mobile 20 also generate another key, referred to as the key M, based on the root key or A. For example, the key M is generated by applying a pseudo-random function (PRF) indexed by the key A to a known value. A practical PRF is the well-known Data Coding Standard-Secret Transmission Code Block (DES-CBC) of the NIST (National Standards Institute). In a preferred embodiment, DES-CBC, indexed by a 64-bit key A at a known value for the network and the mobile 20, produces a M-key of 64 bits.

Fig. 3 illustrates the communication between the AC / HLR 10, the VLR 15, and the mobile 20 to update the secret shared data according to an embodiment of the present invention. As shown, the VLR 15 only acts as a communication conductor between the AC / HLR 10 and the mobile 20. More specifically, the authentication protocol according to the present invention is developed between the AC and the mobile 20.

To update the SSD, the AC / HLR 10 generates a random number RN using a random number generator, and sends the random number RN together with an SR session request to the mobile 20. The SR session request instructs the mobile 20 to develop the update SSD protocol. In response to the SR session request, the mobile 20 generates a random number RM using a random number generator, and develops a key cryptographic algorithm or function (KCF) in the random numbers RN and RM, the Type data, and the data id 0 using the key M as the key. This calculation is represented as KCFclave M (Type, 0, RM, RN). Preferably, the KCF is a code message authentication code such as HMAC, but could be a PRF such as DES-CBC. The Type data represents the type of protocol that will be developed; that is, the SSD update protocol. Other types of protocol include call origin, call termination, and mobile registration. The data id 0 indicates that the communication is emitted from the mobile. The data id 1, by contrast, indicates that the communication is from the network.

Because the AC / HLR 10 initiated the update protocol of the SSD with the SR session request, the AC / HLR 10 knows the Type data, and because the communication of the mobiles includes the same data id of 0, this value is well known by the AC / HLR 10. Therefore, on the reception of MR, the AC / HLR 10 calculates KCFclave M (Type, 0, RM, RN). The AC / HLR 10 then checks if the calculated version of KCFclave M (Type, 0, RM, RN) equals the received version of the mobile 20. If an equal one is found, the AC / HLR 10 authenticates the mobile 20. Then, the AC / HLR 10 calculates the KCFlave M (Type, 1, RM), where 1 is data id of the network, and sends the calculated result to the mobile 20.

The mobile 20 knows the data Type of the session request SR, and knows that the communication of the network includes the data id of 1. Accordingly, the mobile 20 calculates the KCFclave M (Type 1, RM). The mobile 20 then checks if the calculated version of KCFclave M (Type 1, RM) equals the received version of the AC / HLR 10. If an equal one is found, the mobile 20 authenticates the network.

After authenticating the network, mobile 20 and AC / HLR 10 have random numbers RN and RM. The mobile 20 and the AC / HLR 10 generate the SSD as PRFclave A (RN, RM); wherein the PRF is preferably DES-CBC As an alternative, instead of generating and sending a unique RN random number to each mobile with the session request SR, the AC / HLR 10 generates a global random number RN; that is, the same random number for all mobile phones. This alternative mode applies, however, when the anticipated response time of the mobile, as monitored by the network, remains the same as when a unique RN random number is sent. If durations of longer responses are desired when using the global random number RN, then, preferably, the modality exposed later with respect to Fig. 5 should be used.

The IS 41 protocol allows SSD to be updated via sharing with the VLR 15. The AC / HLR 10 sends the SSD to the VLR 15, and the VLR 15 the interrogation signals to the mobile 20 and answers the interrogation signals of the mobile 20. In the protocol according to the present invention the SSD is not used to answer the interrogation signals, and thus the representation problem of the exposed network with respect to IS-41 is not possible. Furthermore, even if the M key is revealed to an attacker, there is no direct way to obtain the A key from it because a one-way function was used to generate the M key. Even if the attacker knows an old RM, RN and SSD, there is no way to use the information and information of the key M obtained by the network or the mobile 20 to accept the revealed SSD because one of the sides of the communication will be using it in the interrogation signal, which with very high probability it will be different from the previous ones. In addition, the new SSD will be generated by the PRF of the new interrogation signal using the key A, and the attacker does not know the key A.

The update protocol - SSD discussed above with respect to Fig. 3, however, allows a coding analyst to mount a chosen attack of clear language against the M-Key. That is, a coding analyst can present the network and ask to mobile 20 by sending several RN interrogation signals. By collecting the responses, the coding analyst could be able to recover the key M. FIG. 4 illustrates the communication between the AC / HLR 10, the VLR 15, and the mobile 20 to update the secret shared data according to another modality of the present invention, which overcomes the problem indicated above with respect to Fig. 3. As shown, in this embodiment, the VLR 15 also acts as a communication conductor between the AC / HLR 10 and the mobile 20. More specifically , the authentication protocol according to the present invention is developed between the AC and the mobile 20.

To update the SSD, the AC / HLR 10 generates an SR session request to initiate the SSD update. In response, the mobile 20 generates a random number RM # and sends the random number RM to the AC / HLR 10. The AC / HLR 10 generates the random number RN and calculates the KCFclaveM (Type, 1, RM, RN), where 1 is the data id of the network. The AC / HLR 10 sends the random number RN and the KCFclave M (Type, 1, RM, RN) for the mobile 20.

In the reception of the random number RN, the mobile 20 calculates the KCFclave M (Type, 1, RM, RN). The mobile 20 then checks if the calculated version of KCFclave M (Type, 1, RM, RN) equals the received version of the AC / HLR 10. If an equal one is found, the mobile 20 authenticates the network.

Then, the mobile 20 calculates the KCFclave M (Type, 0, RN) where 0 is the id data of the mobile 20, and sends the calculated result to the AC / HLR 10. The AC / HLR 10, meanwhile, also calculates the KCFclave M (Type, 0, RN). The AC / HLR 10 then checks if the calculated version of KCFclave M (Type, 0, RN) equals the received version of the mobile 20. If an equal is found, the AC / HLR 10 authenticates the mobile 20.

After authenticating the network, mobile 20 and AC / HLR 10 have random numbers RN and RM. The mobile 20 and the AC / HLR 10 generate the SSD as PRFciave_A (RN, RM); wherein the PRF is preferably DES-CBC.

In the mode of Fig. 4, a mobile attacker can not ask mobile phones with a chosen text to wait for a response. The attacker can only collect known texts from previous sessions, because the initiator of the update, the network, does not send the first question mark to clarify.

Fig. 5 illustrates the communication between the AC / HLR 10, the VLR 15, and the mobile 20 to update the secret shared data according to a further embodiment of the present invention. As shown, the VLR 15 acts as a communication conduit between the AC / HLR 10 and the mobile 20. More specifically, the authentication protocol according to the present invention is developed between the AC and the mobile 20 To update the SSD, the AC / HLR 10 generates and outputs an RN global random number together with an SR session request for the mobile 20. The SR session request instructs the mobile 20 to develop the SSD update protocol. In the embodiment of Fig.3, the random number RN initially sent by the network to the mobile 20 was unique to the mobile 20. Different random numbers are generated and sent to other mobiles that update their SSDs. In the embodiment of Fig. 5, however, the same random number RN is sent by the AC / HLR 20 to all the mobiles 20. As discussed above, the mode of Fig. 5 is preferred in that it uses a number random global RN in the mode of Fig.3 when it is desired to provide for a longer response duration of the mobile 20.

As shown in Fig. 5, in response to the session request SR and the random number RN sent by the AC / HLR 10, the mobile 20 generates a random number RM, generates a value of the CT account, and calculates KCFcla? e M (Type, 0, RM, RN, CT), where 0 is the id data of the mobile 20. The mobile 20 includes a counter that generates the CT account value. The mobile 20 increases the previous account value to generate the interrogation signal response, (eg KCFclave M (Type, 0, RM, RN, C)) to each update request of the SSD. The mobile 20 sends the CT account value, random number RM, and KCFlave M (Type, 0, RM, RN, CT) to the network.

Upon receipt of the random number RM and the CT account value, the AC / HLR 10 stores the CT account value and determines whether the received CT account value exceeds the previously stored account value. If the CT account value received exceeds the previously stored account value, then the AC / HLR 10 goes forward with the verification of the mobile 20. That is, based on the received random number RM and the CT account value, the AC / HLR 10 calculates KCFclave M (Type, 0, RM, RN / CT), and determines if this calculated version matches the received version of the mobile 20. If an equal one is found, the AC / HLR 10 authenticates the mobile 20. If the value of ^ CT account received does not exceed the value of previously stored account ,, mobile 20 is not verified.

Once the mobile 20 has been verified, the AC / HLR 10 calculates KCFclave M (Type, 1, RM), where 1 is the data id of the network, and sends the calculated result to the mobile 20. The mobile 20, while therefore, it also calculates KCFclave M (Type, 1, RM). The mobile 20 then checks whether the calculated version of KCFclave M (Type, 1, RM) equals the received version of the AC / HLR 10. If an equal one is found, the mobile 20 authenticates the network.

After authenticating the network, mobile 20 and AC / HLR 10 have random numbers RN and RM and the CT account value. The mobile 20 and the AC / HLR 10 generate the SSD as PRFclave A (RM, RN, C), where the PRF is preferably DES-CBC.

Because an attacker uses prior interrogation signals and interrogation signal responses when mounting an attack as discussed above with respect to FIG. 3, such an attack will fail if it is done in the protocol of FIG. 5. The reason is that the attacker will be the one using an answer of the interrogation signal based on an old account value. Consequently, the network will not verify the attacker, and the attacker can not generate the SSD.

The invention thus described will be evident that it could be varied in many ways. Such variations are not considered as a deviation from the spirit and scope of the invention, and all modifications are intended to be included within the scope of the following claims.

It is noted that in relation to this date, the best method known by the applicant to carry out the said invention, is the conventional one for the manufacture of the objects to which it refers.

Having described the invention as above, the content of the following is claimed as property.

Claims

1. A method for updating the secret shared data (SSD) for a first shared user in a wireless communication system, characterized in that it comprises; (a) receiving a random number from a second shared user as a first interrogation signal, the first interrogation signal is a global interrogation signal from the second shared user; (b) generating a second random number in response to the first interrogation signal; (c) generating a response of the first interrogation signal by developing a cryptographic key function (KCF) in the first interrogation signal and the second random number using a secondary key; (d) transferring the second random number, as a second interrogation signal, and the response of the first interrogation signal for the second shared user; (e) receiving a response from the second interrogation signal of the second shared user, the response of the second interrogation signal is a result of developing the KCF in the second interrogation signal using the secondary key; (f) verifying the second shared user based on the second interrogation signal and the response of the second interrogation signal; Y (g) setting the SSD based on the first and second interrogation signals.

2. The method of claim 1, characterized in that the first shared user is a network and the second shared user is a mobile.

3. The method of claim 2, characterized in that it also comprises; (h) transfer an update request from the SSD to the mobile; and wherein step (a) receives the first interrogation signal in response to the SSD update request.

4. The method of claim 1, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the second interrogation signal, and an identifier for the first shared user using the secondary key.

5. The method of claim 1, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the second interrogation signal and the type data using the secondary key, the data type indicates an SSD update protocol that is developed by the first and second shared users.

6. The method of claim 1, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the second interrogation signal, an identifier for the first shared user and the data type using the secondary key, the type data indicating an SSD update protocol that is developed by the first and second shared users.

7. The method of claim 1, characterized in that the first shared user is a mobile and the second shared user is a network.

8. The method of claim 7, characterized in that it further comprises: (k) increments an account value in response to the first interrogation signal; and where step (c) generates the response of the first interrogation signal by developing the KCF at the first interrogation signal, the second interrogation signal, and the count value using the secondary key; step (d) transfers the second interrogation signal, and the response of the first interrogation signal, and the account value of the mobile to the network.

9. The method of claim 1, characterized in that the secondary key is derived from a root key.

10. The method of claim 1, characterized in that the secondary key is not a secret shared data.

11. A method for updating the secret shared data (SSD) in a first shared user in a wireless communication system, characterized in that it comprises: (a) globally output a random number as a first interrogation signal to a second shared user; (b) receiving a second random number, such as a second interrogation signal and a first response of the interrogation signal of the second shared user, the response of the first interrogation signal which is a result of a cryptographic key function (KCF) in the first interrogation signal and the second random number using a secondary key; (c) verifying the second shared user based on the first and second interrogation signals and the response of the first interrogation signal; Y (d) establish the SSD based on the first and second interrogation signals.

12. The method of claim 11, characterized in that the first shared user is a mobile and the second shared user is a network.

13. The method of claim 12, characterized in that it further comprises: (e) receive a request to update the SSD of the network; and where step (a) outputs the first interrogation signal in response to the SSD update request.

14. The method of claim 11, characterized in that the first shared user is a network and the second shared user is a mobile.

15. The method of claim 11, characterized in that it further comprises: (e) generating a response of the second interrogation signal by developing the KCF in the second interrogation signal using the secondary key; Y (h) transferring the response of the second interrogation signal to the second shared user.

16. The method of claim 15, characterized in that step (e) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal and an identifier of the first shared user using the secondary key.

17. The method of claim 15, characterized in that step (e) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal and the type data using the secondary key, the type data indicating a protocol of SSD update is developed by the first and second shared users.

The method of claim 15, characterized in that step (e) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal, an identifier of the first shared user and type data using the secondary key, the data type which indicates an SSD update protocol is developed by the first and second shared users.

19. The method of claim 11, characterized in that the first shared user is a network and the second shared user is a mobile.

20. The method of claim 11, characterized in that step (b) receives the second interrogation signal, an account value and the response of the first interrogation signal of the mobile, the response of the first interrogation signal is a result of developing the KCF in the first interrogation signal, the second question mark, and the account value that the secondary key uses; and step (e) verifies the mobile based on the first interrogation signal, the second interrogation signal, the response of the first interrogation signal, and the count value.

21. The method of claim 11, characterized in that the secondary key is derived from a root key.

22. The method of claim 11, characterized in that the secondary key is not a secret shared data. SUMMARY OF THE INVENTION In the method for updating secret shared data (SSD) in a wireless communication system, a first shared user outputs a first random number as a first interrogation signal in which the first shared user is one of a network and a mobile. A second shared user generates a second random number in response to the first interrogation signal. The second shared user is the mobile if the first shared user is the network, and the second shared user is the network if the first shared user is the mobile. The second shared user generates a response of the first interrogation signal by developing a cryptographic key function (KCF) in the first interrogation signal and the second random number using a secondary key, which is not the SSD and is derived from a key of root. The second shared user then transfers the second random number, as a second interrogation signal, and the response of the first interrogation signal to the first shared user. The first shared user verifies the second shared user based on the first and second interrogation signals and the response of the first interrogation signal, generates a response of the second interrogation signal by developing the KCF in the second interrogation signal using the key secondary, and transfer the response of the second interrogation signal to the second shared user. The second shared user verifies the first shared user based on the second interrogation signal and the response of the second interrogation signal. Both shared users respectively set the SSD based on the first and second interrogation signals.