WO2004100592A1 - Authentification d'une station d'abonnes - Google Patents

Authentification d'une station d'abonnes Download PDF

Info

Publication number
WO2004100592A1
WO2004100592A1 PCT/FI2003/000364 FI0300364W WO2004100592A1 WO 2004100592 A1 WO2004100592 A1 WO 2004100592A1 FI 0300364 W FI0300364 W FI 0300364W WO 2004100592 A1 WO2004100592 A1 WO 2004100592A1
Authority
WO
WIPO (PCT)
Prior art keywords
subscriber station
authentication
input
received authentication
inputs
Prior art date
Application number
PCT/FI2003/000364
Other languages
English (en)
Inventor
Teemu Asikainen
Lauri Pesonen
Petri Jehkonen
Original Assignee
Setec Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Setec Oy filed Critical Setec Oy
Priority to PCT/FI2003/000364 priority Critical patent/WO2004100592A1/fr
Priority to EP03725234A priority patent/EP1623592A1/fr
Priority to AU2003227786A priority patent/AU2003227786A1/en
Publication of WO2004100592A1 publication Critical patent/WO2004100592A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the present invention relates to authent eating a subscriber station in a telecommunications system, wherein the ident ty of the subscriber station is verified on the basis of a subscriber-station-spec ific secret key stored in the subscriber station.
  • the invention relates to a solution for identifying an authentication message generated by an external attacker.
  • authentication of a subscriber station is based on a challenge-response procedure.
  • a subscriber- station-specific secret key Ki and an authentication algorithm A3 have been stored in the SIM (Subscriber identity module) card of the subscriber station.
  • the subscriber-station-specific secret key Ki of the subscriber station and the corresponding authentication algorithm A3 have also been stored in an au- thentication centre of a GSM network.
  • a random number generator arranged in the authentication centre first generates a random number and transmits it to a counter as an input.
  • the counter computes a response SRES on the basis of the random number, authentication algorithm A3 and secret key Ki.
  • the authentication centre transmits the random number and the response SRES to a network element, which carries out the actual authentication, and which, as regards the GSM system, is a VLR (Visitor location register).
  • VLR Visitor location register
  • the visitor location register forwards the received random number to the subscriber station to be authenticated.
  • the subscriber station comprises a counter, which computes a response SRES based on the received random number, the secret key Ki of the subscriber station and the authentication algorithm A3, and the subscriber station transmits the response SRES to the VLR.
  • the VLR compares the response transmitted by the authentication centre with the response transmitted by the subscriber station. Since the secret key Ki stored in the memory of the subscriber station is subscriber-station-specific, there is only one subscriber station capable of generating a correct response to the input transmitted thereto. If the responses of the subscriber station and the authentication centre are identical, the subscriber station has been authenticated.
  • a drawback of the known authentication procedure described above is that it is possible for an external attacker, who desires to crack the secret key stored in the subscriber station, to try to crack the secret key by supplying different inputs to the subscriber station (or the SIM card thereof) again and again and by monitoring the responses being transmitted from the subscriber station.
  • the secret key Ki may be revealed on the basis of the collected data. If the external attacker cracks the key, he or she may be capable of cloning the subscriber station (or the SIM card) by pro- ducing a second subscriber station, which has an identical secret key, in which case the cloned subscriber station can be used for making calls, for which the owner of the original subscriber station is billed.
  • the above problem is solved in PCT/FI00/00907 such that the system generates authentication inputs comprising MACs (Message authentica- tion code).
  • the subscriber station checks the correctness of the received inputs and maintains a counter function to compute the number of inputs that are incorrect. When a predetermined limit value is exceeded, the subscriber station no longer provides correct responses to the inputs.
  • the problem with this solution is that it requires modifications in the network operator functions, since the system has to be able to generate authentication inputs comprising MACs.
  • An object of the present invention is to alleviate the above- mentioned problem and to provide an improved solution owing to which it is more difficult for an external attacker to crack a secret key of a subscriber sta- tion.
  • the objects of the invention are achieved with a method, a system, a subscriber station and a SIM card, characterized by what is stated in the independent claims.
  • the preferred embodiments of the invention are disclosed in the dependent claims.
  • the underlying idea of the invention is that when an authentication input is received in a subscriber station, the randomness thereof is evaluated. According to the invention, the evaluation of the randomness of a received input is performed utilizing information of one or more inputs received earlier by the subscriber station. If, based on the evaluation, the received input cannot be considered as a random input, it may be a sign of a try to crack the secret key of the subscriber station. The subscriber station is thus able to identify inputs, which may originate from an external attacker.
  • the advantage of the invention is that it can with slight changes be applied to existing systems.
  • the invention can be directly implemented in the SIM card, which means that mobile stations can right from the start be provided with SIM cards capable of checking the randomness of the inputs according to the invention. It is not necessary to change the operation of the network elements, and no changes are required on the subscriber station/network interfaces either.
  • FIG. 1 is a simplified block diagram illustrating the system of the invention
  • Figure 2 illustrates the signaling of the invention
  • Figure 3 is a simplified flow diagram illustrating the method of the invention.
  • the present invention is applicable to any communication system utilizing a random number as a challenge.
  • embodiments of the invention will be described as implemented in the GSM system without limiting the invention to that particular system.
  • Figure 1 shows a simplified block diagram of the system S of the invention, showing only the components that are essential to illustrate the inven- tion, even though those skilled in the art naturally know that a general mobile communication system also comprises other functions and structures, which do not have to be described in more detail herein.
  • a majority of the authentication equipment of the network N is arranged in a special authentication centre AC, which, in connection with the GSM system, may be located in connection with a home location register (HLR), for example.
  • HLR home location register
  • a GSM system also comprises a mobile services switching centre MSC which enables the communication between the network elements, such as the HLR and the VLR, and the subscriber station MS.
  • the subscriber station MS i.e. the mobile station
  • the subscriber station MS can be a simplified terminal intended only for speech, or it can be a terminal intended for multiple services operating as a service platform and supporting the loading and execution of different service-related functions.
  • the subscriber station MS comprises the actual mobile equipment and an associated (usually removable) identification card SIM (not shown).
  • the subscriber identity module SIM is a smart card comprising the subscriber identity, executing authentication algorithms and storing authentication and encryption keys and subscriber data needed at the subscriber station.
  • the mobile equipment is a radio terminal used for radio communication between the subscriber station MS and the network N.
  • the mobile equipment can be any equipment or a combination of several different equipment capable of communicating in a communication system.
  • the blocks shown in the block diagram of Figure 1 may comprise electronic circuits or, alternatively, one or more blocks may be implemented by software. Hence, no two separate counters, for example, are necessary at the subscriber station, but the counters can be implemented, for example, by one processor and computer program in a manner known per se.
  • the subscriber station MS is authenticated by a visitor location register VLR such that the VLR receives from the authentication centre AC an input RAND and response SRES enabling the VLR to authenticate the subscriber station MS.
  • the authentication centre AC comprises a first counter for generating a random number RAND.
  • the authentication centre AC also comprises a memory with the secret key Ki stored therein of all those sub- scriber stations, in the authentication of which the authentication centre participates.
  • the authentication centre can be operator-specific, in which case all secret keys of the subscriber stations of the operator have been stored in the memory of the authentication centre.
  • FIG. 2 illustrates the successful signaling of the invention when no external attacker is detected.
  • the authentication centre AC supplies in step 2-1 the secret key Ki of the subscriber station retrieved from the memory and the input RAND produced by the first counter to a second counter.
  • the second counter computes a response SRES on the basis of the secret key Ki, input RAND and authentication algorithm A3.
  • the authentication centre AC transmits the input RAND and response SRES to the VLR.
  • the VLR stores the response SRES such that it will be available later for a comparing function.
  • the VLR transmits in the message 2-4 the input RAND received from the authentication centre to the subscriber station MS.
  • a comparing unit is activated in the subscriber station
  • the comparing unit evaluates the last received input based on the information of authentication inputs received earlier by the subscriber station.
  • the information of the earlier received authentication inputs comprises samples of earlier inputs that may have been manipulated in an ap-litiste statistical manner.
  • the comparing unit evaluates if the latest input resembles the information of earlier inputs, and concludes, on the basis of the evaluation, whether the latest input is random or not.
  • the evaluation may be performed utilizing information of randomly selected earlier inputs. An appearance of a non-random authentication input might be a sign of somebody trying to crack the secret key of the subscriber station.
  • the MS manipulates the latest input in an appropriate statistical manner with the information of earlier inputs and may store the information such that it is available for later authentications. There may be a predetermined time for how long the information of a received input will be stored. The time for storing the information may also be selected randomly so that the attacker cannot conclude when it would be worthwhile to try to attack again.
  • the comparing unit of the MS If the comparing unit of the MS considers the latest input as a random input, it activates a third counter to compute a response to the input RAND.
  • the third counter computes the response SRES on the basis of the input RAND, the subscriber-station-specific secret key Ki stored in a memory of the MS and the authentication algorithm A3.
  • the algorithm is the same algorithm A3 and the parameters are the same parameters as the second counter of the authentication centre AC used.
  • the subscriber station MS produces the response SRES, which is transmitted to the VLR in the message 2-6.
  • the response produced by the MS is supposed to correspond to the response SRES transmitted by the authentication centre AC. If the comparing function of the VLR detects in step 2-7 that the responses are identical, it is concluded that the subscriber station MS has been authenticated. If, on the other hand, the comparing unit of the MS indicated in step
  • the subscriber station can be programmed to operate such that cracking the secret key is made significantly more difficult when the subscriber station has identified an input originating from an external attacker.
  • the subscriber station produces and forwards an input only if the subscriber station has checked the input and concluded that the input is random.
  • a control unit of the MS interrupts the process for authenticating the subscriber station such that no response will be transmitted by the MS. Consequently, it is more difficult to crack the secret key since an external attacker cannot continue sending inputs and monitoring what kind of a response each input induces.
  • the subscriber station computes and forwards a false response such as a random response if it detects that the received input is not random.
  • the random response herein refers to any response resembling a correct one.
  • the random response may be computed by another algorithm than the authentication algorithm.
  • the random response may be computed by the authentication algorithm but, instead of the secret key of the subscriber station, the computation utilizes an- other key, which is a "pseudo key", or, alternatively, the random response may comprise a random number generated by a random number generator. The point is that the response is not computed by the authentication algorithm A3, secret key Ki and input RAND.
  • the external attacker would be provided with the real response to the supplied input, which might assist in cracking the secret key.
  • the idea is that the random response resembles a real response such that an external attacker does not, on the basis of the length of the response, for example, know that the random response is not a real response provided with an authentication algorithm and a secret key. If, on the other hand, the external attacker is provided with a random response resembling the real response, the external attacker will not know that the response is an incorrect one.
  • the subscriber station maintains a counter function to compute the number of inputs that are non- random.
  • the subscriber station locks itself such that it no longer provides a correct response to the input.
  • the subscriber station can thus produce and forward a response, which is either correct or incorrect regardless of whether the input is random until the counter function indicates that the maximum number of non-random inputs is exceeded, whereby the authentication function of the subscriber station is locked.
  • the locking may take place either such that the subscriber station no longer provides any responses or, alternatively, in order to mislead the attacker, the subscriber station may continue by producing incorrect responses only, such as random responses.
  • FIG. 3 is a flow diagram illustrating the method of the invention when an external attacker is detected.
  • step 3-1 an authentication message comprising a non-random input RAND is received in the MS.
  • the processing of the authentication message is interrupted in step 3-2. No response will then be transmitted to the authentication message.
  • a notification of interrupting the process may be forwarded in step 3-3, but this is not mandated by the invention. Consequently, the external attacker receives no response to the input, which means that the attacker is unable to collect responses and use them for cracking the secret key.
  • a random response is produced to the input in step 3-4 and forwarded to the sender of the input in step 3-5.
  • the random response can be any response which resembles a real response and which has not been computed in a similar manner as the real response. Consequently, the random response can be directly produced by a random number generator, or it can be computed from the input by utilizing a suitable algorithm and input. The external attacker will thus receive an incorrect response, however without knowing this.
  • a predetermined variable Cmax indicating the highest allowed number of non-random inputs has been stored in the subscriber station (or the SIM card thereof).
  • a variable C to keep a record of received non-random inputs is set to a predetermined initial value.
  • the authentication functions thereof When the counter function of the subscriber station reaches a predetermined limit value, the authentication functions thereof will be locked such that the subscriber station no longer provides correct responses.
  • the subscriber sta- tion is one of the kind, in which the authentication functions are arranged on the SIM card, such as a GSM mobile station, the subscriber station must next be provided with a new SIM card to replace the locked one.
  • the various embodiments of the invention may be carried out simultaneously or they may be mutually exclusive.
  • the signalling messages and steps shown in Figures 2 and 3 are not in an absolute chronological order, and they can be executed in a different order from the given one.
  • Other signalling messages can be transmitted and/or other functions can be carried out between the messages and/or steps.
  • the signalling messages are only examples and can include only some of the aforementioned information.
  • the messages can also include other information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne un procédé destiné à identifier les messages d'authentification générés par des attaquants extérieurs. Selon ce procédé, lorsqu'une station d'abonnés reçoit une entrée d'authentification (2-4), elle compare (2-5) l'entrée d'authentification reçue avec les informations relatives aux entrées d'authentification reçues antérieurement. La station d'abonnés évalue (2-5) le caractère aléatoire de l'entrée d'authentification reçue en utilisation les informations des entrées d'authentification reçues antérieurement. Si la station d'abonnés trouve la nouvelle entrée aléatoire, elle répond (2-6) de manière ordinaire. Si la station d'abonnés trouve la nouvelle entrée non aléatoire, elle en conclut que l'entrée a été générée par un attaquant extérieur qui essaie de obtenir la clé secrète de la station d'abonnés. Dans ce cas, la station d'abonnés peut verrouiller le processus d'authentification et / ou générer une fausse réponse.
PCT/FI2003/000364 2003-05-12 2003-05-12 Authentification d'une station d'abonnes WO2004100592A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/FI2003/000364 WO2004100592A1 (fr) 2003-05-12 2003-05-12 Authentification d'une station d'abonnes
EP03725234A EP1623592A1 (fr) 2003-05-12 2003-05-12 Authentification d'une station d'abonnes
AU2003227786A AU2003227786A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2003/000364 WO2004100592A1 (fr) 2003-05-12 2003-05-12 Authentification d'une station d'abonnes

Publications (1)

Publication Number Publication Date
WO2004100592A1 true WO2004100592A1 (fr) 2004-11-18

Family

ID=33427392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2003/000364 WO2004100592A1 (fr) 2003-05-12 2003-05-12 Authentification d'une station d'abonnes

Country Status (3)

Country Link
EP (1) EP1623592A1 (fr)
AU (1) AU2003227786A1 (fr)
WO (1) WO2004100592A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101998400A (zh) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 一种鉴权随机数检测方法及sim卡
US8231752B2 (en) 2005-11-14 2012-07-31 Cummins Filtration Ip Inc. Method and apparatus for making filter element, including multi-characteristic filter element

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001030104A1 (fr) 1999-10-19 2001-04-26 Setec Oy Authentification d'une station d'abonne
WO2001089253A1 (fr) * 2000-05-18 2001-11-22 Ico Services Ltd. Authentication de connexion dans un reseau mobile
WO2002013568A1 (fr) * 2000-08-03 2002-02-14 Orange Personal Communications Services Limited Authentification dans un réseau de télécommunications mobile
US20030003895A1 (en) * 2001-05-11 2003-01-02 Telefonaktiebolaget Lm Ericsson (Publ). Authentication of termination messages in telecommunications system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001030104A1 (fr) 1999-10-19 2001-04-26 Setec Oy Authentification d'une station d'abonne
US20020180583A1 (en) * 1999-10-19 2002-12-05 Setec Oy Authentication of subscriber station
WO2001089253A1 (fr) * 2000-05-18 2001-11-22 Ico Services Ltd. Authentication de connexion dans un reseau mobile
WO2002013568A1 (fr) * 2000-08-03 2002-02-14 Orange Personal Communications Services Limited Authentification dans un réseau de télécommunications mobile
US20030003895A1 (en) * 2001-05-11 2003-01-02 Telefonaktiebolaget Lm Ericsson (Publ). Authentication of termination messages in telecommunications system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8231752B2 (en) 2005-11-14 2012-07-31 Cummins Filtration Ip Inc. Method and apparatus for making filter element, including multi-characteristic filter element
CN101998400A (zh) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 一种鉴权随机数检测方法及sim卡

Also Published As

Publication number Publication date
EP1623592A1 (fr) 2006-02-08
AU2003227786A1 (en) 2004-11-26

Similar Documents

Publication Publication Date Title
EP2385661B1 (fr) Authentification dans un réseau de communication mobile
US6427073B1 (en) Preventing misuse of a copied subscriber identity in a mobile communication system
JP4263384B2 (ja) ユーザ加入識別モジュールの認証についての改善された方法
US7773973B2 (en) Method for authentication between a mobile station and a network
US8689309B2 (en) Authentication token for identifying a cloning attack onto such authentication token
US20070293192A9 (en) Identification of a terminal to a server
US7000117B2 (en) Method and device for authenticating locally-stored program code
US20020180583A1 (en) Authentication of subscriber station
EP2718885A1 (fr) Autorisation de transaction
CN101909279B (zh) 应用于手机视频监控的鉴权方法
EP1680940B1 (fr) Procede permettant d'authentifier un utilisateur
CN100499900C (zh) 一种无线通信终端接入鉴权方法
CN109587683B (zh) 短信防监听的方法及系统、应用程序和终端信息数据库
WO2000024218A1 (fr) Procede et systeme d'authentification
CN111246464B (zh) 身份鉴别方法、装置和系统、计算机可读存储介质
WO2004100592A1 (fr) Authentification d'une station d'abonnes
CN109379744B (zh) 伪基站识别方法、装置及通信终端
KR101713395B1 (ko) 통신단말기 인증처리시스템, 통신단말기, 단말기 인증서버 및 그 인증처리방법
CN114282230A (zh) 一种数据处理方法、装置、设备及计算机存储介质
KR100606147B1 (ko) 이동 단말기를 이용한 은행 출금 보안 방법
WO2013007139A1 (fr) Procédé d'authentification et enregistreur de localisation nominal
WO2013095168A1 (fr) Procédé d'envoi d'un code à usage unique sous une forme alphanumérique

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2003725234

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2003725234

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP