WO2003056863A2 - Authentication system and method between two communications units - Google Patents
Authentication system and method between two communications units Download PDFInfo
- Publication number
- WO2003056863A2 WO2003056863A2 PCT/EP2002/014411 EP0214411W WO03056863A2 WO 2003056863 A2 WO2003056863 A2 WO 2003056863A2 EP 0214411 W EP0214411 W EP 0214411W WO 03056863 A2 WO03056863 A2 WO 03056863A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- communication units
- communication
- algorithms
- units according
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- the invention relates to an authentication system consisting of at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
- Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication. Furthermore, the invention relates to a method for authenticating between at least two communication units, wherein there is an authentication agreement between the communication units, which can be checked in each case by a processor-supported authentication unit, the
- Authentication agreement consists of at least two different authentication algorithms, which are provided in a storage unit of at least one of the communication units and which can be queried by the respective other communication unit for authentication.
- a secure subscriber identification is required for communication requests.
- the frequency of the verification of this identification is usually determined by the network operator.
- a possible authentication of a network participant is defined in particular in the GSM standard. It takes place according to a challenge response between the authenticating point of the communication network and the communication unit.
- the authentication authority - also called authentication center (AuC) - of the communication network generates a random number "RAND” which is transmitted to the communication unit.
- the communication unit calculates the checksum "SRES" from the random number "RAND” using a subscriber key or authentication key "10,” and an authentication algorithm "A3" and sends it back to the authenticating location.
- a new subscriber key K c is calculated from the random number "RAND" in the communication unit and in the communications network using the subscriber key IC and the data key generation algorithm "A8".
- the communication network awards together with the random number "RAND” the associated key number CKSN, which is stored together with K- in the communication unit and in the communication network.
- WO 99/62275 describes a method for controlling a subscriber identity module (SIM) in mobile radio systems, in which the mobile radio network sends one or more specific control values to the subscriber identity module which trigger certain actions within the subscriber identity module.
- SIM subscriber identity module
- random values determined and sent by the mobile radio network for the regular authentication to the subscriber module are used as control values.
- control values e.g. Several different security algorithms can be stored on the SIM and can be switched between by receiving a corresponding control value. It is also possible that several secret keys IC, are stored on the SIM card, or can be derived from a key stored there, between which it is possible to switch over by receiving a corresponding control value.
- the SIM card has two different or even several algorithms that have the same interfaces to the outside, with the same length of RAND, Ki and SRES.
- the SIM can only have one K; or each algorithm has its own IC. If the network operator would like to change the A3 / A8 algorithm used for security reasons, he can cause the authentication center AuC to generate a special random number RAND, which at the same time represents a control value according to the invention, which is also referred to as a control RAND.
- the object of the invention is therefore to create an authentication system and a corresponding method for authentication for at least two communication units, in which the disadvantages of the prior art are eliminated. Furthermore, it is an object of the invention to increase security cost-effectively without having to operate with significant additional technical outlay.
- the object is achieved in that, in an authentication system consisting of at least two communication units of the type mentioned at the beginning, means are provided for the simultaneous dynamic processing of the authentication algorithms. Furthermore, the object is achieved by a method for authentication between at least two communication units of the type mentioned in the introduction, in which the authentication algorithms are processed dynamically at the same time.
- the principle of an authentication system according to the invention is, in particular, that in addition to the identification data and the address of the subscriber who has to authenticate, the return address is transmitted at the same time.
- the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
- the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
- the principle of the method according to the invention for authenticating two communication units also consists in simultaneously transmitting the return address in addition to the identification data and the address of the subscriber who has to authenticate himself.
- the authentication can be processed simultaneously by the one communication unit and by the corresponding other communication unit.
- the checksums are therefore now calculated in parallel by both communication units, in the sense of simultaneously.
- the one communication unit is designed as a mobile radio terminal.
- a third party can easily switch between two communication units and misuse them via the relatively fragile air interface.
- the authentication algorithms are stored on a subscriber identity module ((U) SIM). Since the subscriber identity modules ((U) SIM) contain personal data anyway, it seems particularly advantageous to store the authentication algorithms on them. From here, the authentication algorithms can be called up practically at any time from a communication unit.
- the subscriber identity module ((U) SIM) can also be used device-independently, ie it can also be used in various mobile radio terminals, for example.
- (U) SIM cards are individually designed. Therefore, you always allow yourself assign to specific participants. Because of this, SIM cards are particularly suitable for the authentication system.
- the authentication algorithms are stored on the individual (U) SIM cards.
- a communication unit is provided as the authentication center of a communication network. This measure allows the effort of authentication of communication network participants to be carried out centrally. Centralized authentication makes it possible to react quickly to changes, in order to further increase the security standard if necessary.
- At least one authentication key is provided for the authentication algorithms.
- the authentication key is a further security feature for an authentication system according to the invention.
- the communication unit calculates the checksum using the authentication key and the authentication algorithms. This checksum is sent to the authentication center of the communication network. In the authentication center, the checksum returned by the communication unit is now compared with the checksum calculated accordingly by the authentication center itself. If both checksums match, the authentication has been successfully passed.
- a separate authentication key can be assigned to each individual authentication algorithm to increase security.
- At least one communication unit is designed as a mobile radio terminal.
- the authentication algorithms are stored on a subscriber identity module ((U) SIM).
- (U) SIM cards are individually designed. They can therefore always be assigned to a specific participant. Because of this, (U) SIM cards are particularly suitable for the authentication process.
- the authentication algorithms are stored on the individual (U) SIM cards.
- a communication unit is designed as an authentication center of a mobile radio network (UMTS / GSM). This allows authentication processes to be controlled centrally.
- UMTS / GSM mobile radio network
- the inventive method for authentication receives an additional security component. To this end, security can be increased further by providing each individual authentication algorithm with its own
- Authentication key is assigned.
- Fig. 1 shows in a schematic diagram the authentication of a conventional type.
- Fig. 2 shows a schematic diagram for authentication by selecting one
- Fig. 3 shows a schematic diagram for the generation of subscriber keys.
- FIG. 1 shows a basic sketch of the authentication currently used for a communication unit, such as for a mobile radio terminal with a mobile radio network.
- 10 denotes an input (ON).
- a random number (RAND) is transmitted via input 10 to an authentication algorithm 12 (AKA-algo) on request from an authentication center (AuC) of the mobile radio network.
- the random number (RAND) is generated by the authentication center (AuC).
- the authentication algorithm 12 is on a subscriber identity module (SIM) stored.
- SIM subscriber identity module
- a processor unit processes this authentication algorithm 12.
- a subscriber key (K) is fed to the authentication algorithm 12 via a further access 14.
- the subscriber key enables the authentication algorithm 12 to run first and a checksum (SRES) to be formed from the random number (RAND).
- the checksum (SRES) is transmitted back to the authentication center (AuC) via output 16.
- the authentication center (AuC) now also calculates the checksum under the same conditions as the mobile terminal. If the
- the authentication system has at least two inputs 18, 20. Via input 18 (ON) the random number (RAND) is fed to the authentication system. A control parameter is given to input 20 (control). A switch 22 is controlled by the random number (RAND) and the control parameter. Switch 22 (S) selects one of the authentication algorithms 24, 26, 28. The authentication algorithms 24, 26, 28 are selected randomly, depending on which random number (RAND) has been supplied to the switch 22. The authentication algorithms 24, 26, 28 are stored on a SIM card.
- the random number is used in the selected authentication algorithm 24, 26, 28.
- Each authentication algorithm 24, 26, 28 has its own subscriber key 30, 32, 34 (K,).
- the selected authentication algorithm 24, 26, 28 calculates a checksum 36, 38, 40 using the subscriber key 30, 32, 34, which is recalculated each time for each authentication process (see FIG. 3).
- the checksum 36, 38, 40 is given to the output 42, 44, 46 (OFF).
- the checksum is calculated simultaneously for both communication units, the mobile radio terminal and the authentication center (AuC) of the mobile radio network. This can only be done by starting the authentication procedures for both communication units at the same time.
- the required checksums (SRES, XRES), random numbers (RAND), subscriber key 30, 32, 34 (K and also control parameters can be exchanged.
- Kj subscriber keys 30, 32, 34.
- a general key is designated by K, from which the digital subscriber keys are produced by the key generation algorithms (h ; ) 48, 50, 52.
- this subscriber keys can each be 'associated authentication algorithms 24, 26 activate, 28th
- the authentication procedures take place simultaneously on both communication units. Due to the dynamics of the selection of the authentication algorithm 30, 32, 34 and the separate calculation of the subscriber key (IQ), the authentication system receives an additional security component without having to lose speed in the authentication. The authentication takes place simultaneously in both communication units.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20020795216 EP1470733A2 (en) | 2002-01-03 | 2002-12-17 | Authentication system and method between two communications units |
AU2002361000A AU2002361000A1 (en) | 2002-01-03 | 2002-12-17 | Authentication system and method between two communications units |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10200041.7A DE10200041B4 (en) | 2002-01-03 | 2002-01-03 | Authentication system and procedure between two communication units |
DE10200041.7 | 2002-01-03 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2003056863A2 true WO2003056863A2 (en) | 2003-07-10 |
Family
ID=7711448
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2002/014411 WO2003056863A2 (en) | 2002-01-03 | 2002-12-17 | Authentication system and method between two communications units |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1470733A2 (en) |
AU (1) | AU2002361000A1 (en) |
DE (1) | DE10200041B4 (en) |
WO (1) | WO2003056863A2 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004032557A1 (en) * | 2002-10-07 | 2004-04-15 | Telefonaktiebolaget Lm Ericsson (Publ) | Security and privacy enhancements for security devices |
EP1613116A1 (en) * | 2004-07-01 | 2006-01-04 | NTT DoCoMo, Inc. | Attaching at least one of algorithm and secret information specification to a field for storing random numbers for usage in an authentication calculation in a SIM card |
US7861097B2 (en) | 2002-10-31 | 2010-12-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure implementation and utilization of device-specific security data |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6105133A (en) * | 1997-03-10 | 2000-08-15 | The Pacid Group | Bilateral authentication and encryption system |
US5913196A (en) * | 1997-11-17 | 1999-06-15 | Talmor; Rita | System and method for establishing identity of a speaker |
DE19823532C2 (en) * | 1998-05-26 | 2003-08-21 | T Mobile Deutschland Gmbh | Method for controlling a subscriber identity module (SIM) in mobile radio systems |
FI107486B (en) * | 1999-06-04 | 2001-08-15 | Nokia Networks Oy | Providing authentication and encryption in a mobile communication system |
-
2002
- 2002-01-03 DE DE10200041.7A patent/DE10200041B4/en not_active Expired - Lifetime
- 2002-12-17 AU AU2002361000A patent/AU2002361000A1/en not_active Abandoned
- 2002-12-17 WO PCT/EP2002/014411 patent/WO2003056863A2/en not_active Application Discontinuation
- 2002-12-17 EP EP20020795216 patent/EP1470733A2/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
None |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004032557A1 (en) * | 2002-10-07 | 2004-04-15 | Telefonaktiebolaget Lm Ericsson (Publ) | Security and privacy enhancements for security devices |
KR101047641B1 (en) * | 2002-10-07 | 2011-07-08 | 텔레폰악티에볼라겟엘엠에릭슨(펍) | Enhance security and privacy for security devices |
US9282095B2 (en) | 2002-10-07 | 2016-03-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Security and privacy enhancements for security devices |
US7861097B2 (en) | 2002-10-31 | 2010-12-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure implementation and utilization of device-specific security data |
EP1613116A1 (en) * | 2004-07-01 | 2006-01-04 | NTT DoCoMo, Inc. | Attaching at least one of algorithm and secret information specification to a field for storing random numbers for usage in an authentication calculation in a SIM card |
US8141137B2 (en) | 2004-07-01 | 2012-03-20 | Ntt Docomo, Inc. | Authentication vector generation device, subscriber identity module, mobile communication system, authentication vector generation method, calculation method, and subscriber authentication method |
Also Published As
Publication number | Publication date |
---|---|
DE10200041A1 (en) | 2003-07-24 |
DE10200041B4 (en) | 2021-03-25 |
AU2002361000A1 (en) | 2003-07-15 |
EP1470733A2 (en) | 2004-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE19823532C2 (en) | Method for controlling a subscriber identity module (SIM) in mobile radio systems | |
EP2235978B1 (en) | Method for administering the authorization of mobile telephones with and without a sim card | |
EP0440914B1 (en) | Method for allocating information data to a certain sender | |
EP0995288B1 (en) | Method and device for the mutual authentication of components in a network using the challenge-response method | |
DE102018202176A1 (en) | Master-slave system for communication via a Bluetooth low-energy connection | |
DE4242151C1 (en) | Protecting mobile radio, e.g. telephone, against unauthorised use - comparing authentication parameter from input code to stored parameter, only allowing use if they match. | |
WO1998048389A2 (en) | Method for mutual authentication between two units | |
DE19840742B4 (en) | Method for increasing the security of authentication methods in digital mobile radio systems | |
EP1240794B1 (en) | Method for encrypting data and a telecommunications terminal and access authorization card | |
DE10200041B4 (en) | Authentication system and procedure between two communication units | |
DE102006060967A1 (en) | Method for verification of authentication functions, involves transmitting reply message to mobile network which is generated with parameters alternatively maintained at mobile terminal | |
DE19720719C2 (en) | Connection-monitoring device | |
DE102006003167B3 (en) | Real-time communication protecting method for e.g. automation system, involves producing and managing code in discrete device for protecting real-time communication that takes place by protecting unit in connection layer of reference model | |
EP1573955B1 (en) | Encoding method | |
WO2011035899A1 (en) | Method for establishing a secure communication channel | |
DE102011009486A1 (en) | Method for configuring a communication device and communication device | |
DE3420874A1 (en) | Method and arrangement for monitoring network access in telecommunications networks | |
DE60007678T2 (en) | Process for delivering secure data traffic in a computer network | |
DE10238928A1 (en) | Mobile telecom user authentication method for mobile communications networks operates during use of a services server in a second service network as the services server organizes a first service | |
DE19648824A1 (en) | Process for secure message exchange with mass services, and subscriber facility and service provider facility therefor | |
DE10128300A1 (en) | authentication method | |
EP3917069A1 (en) | Method for synchronizing a receiver initialization vector with a transmitter initialization vector | |
WO2008074620A2 (en) | Method and server for providing a special-purpose key | |
DE102016120769A1 (en) | Data transmission device, method for transmitting data with a data transmission device and system arrangement | |
EP3172883A1 (en) | Subscriber identity module with minimum security level (msl) check |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2002795216 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2002795216 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: JP |