WO2006033548A1 - Method and device for authenticating ms that has non r-uim by using cave algorithm - Google Patents


Info

Publication number
WO2006033548A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
core chip
hrpd
cdma2000
network
Prior art date
Application number
PCT/KR2005/003127
Other languages
French (fr)
Inventor
Weimin Liu
Kun Li
Original Assignee
Samsung Electronics Co., Ltd.
Beijing Samsung Telecom R & D Center
Application filed by Samsung Electronics Co., Ltd. and Beijing Samsung Telecom R & D Center
Priority to KR1020077009237A (KR101205662B1)
Priority to JP2007525556A (JP4477064B2)
Publication of WO2006033548A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B1/00 Details of transmission systems, not covered by a single one of groups H04B3/00 - H04B13/00; Details of transmission systems not characterised by the medium used for transmission
    • H04B1/38 Transceivers, i.e. devices in which transmitter and receiver form a structural unit and in which at least one part is used for functions of transmitting and receiving
    • H04B1/40 Circuits
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • An object of the present invention is to provide a cdma2000/HRPD dual-mode terminal that has no R-UIM card.
  • The terminal can reuse the CAVE algorithm already used in the cdma2000 network for its HRPD network access authentication.
  • A method for authenticating a mobile station that has no R-UIM, using CAVE as the authentication algorithm for cdma2000 network access authentication, characterised in that the same algorithm can also be used in HRPD network access authentication, comprising the steps of:
  • after receiving the Chap Challenge message, the authentication module works out the random number RAND, to be used in the calculation of authentication parameter 1, from the "Random text" in the Chap Challenge message;
  • the authentication module works out authentication parameter 1 using said random number RAND and the existing IMSI_S1, SSD_A, etc.;
  • the core chip carries authentication parameter 1 in the Result domain of a Chap Response message.
  • A device for authenticating a mobile station that has no R-UIM, using CAVE as the authentication algorithm, including an antenna, a radio module, a memory, a Liquid Crystal Display, a keyboard and a battery module, and characterised in that it also includes:
  • a core chip, comprising a cdma2000 core chip and an HRPD core chip, which are respectively used to decode the received authentication messages;
  • an authentication module that supports the CAVE algorithm. It runs the CAVE algorithm using the authentication parameter sent by the core chip and the stored authentication parameters, and returns the result to the core chip.
  • The present invention addresses the problem that, so far, no cdma2000/HRPD dual-mode terminal without an R-UIM that supports a uniform authentication algorithm is in service.
  • The problem that the cdma2000 network and the HRPD network use different authentication algorithms can thus be settled.
  • By unifying the access authentication algorithms of the two networks as the CAVE algorithm, the present invention brings convenience to operators that run both a cdma2000 network and an HRPD network, and can also decrease the development cost of terminals.
  • Figure 1 shows a hardware structure of the cdma2000/HRPD dual-mode terminal without an R-UIM that utilizes the CAVE as the access authentication algorithm;
  • Figure 2 illustrates a flow chart of the authentication in the HRPD network performed by the dual-mode terminal according to the present invention;
  • Figure 3 illustrates a CAVE authentication process;
  • Figure 4 shows the access authentication message flow that 3GPP2 defines for the HRPD network;
  • Figure 5 shows an implementation of the authentication of the dual-mode terminal according to the present invention in the HRPD network.
  • The main object of the present invention is to realize a cdma2000/HRPD dual-mode terminal in which the CAVE algorithm is used in both cdma2000 network access authentication and HRPD network access authentication, and no modification needs to be made to the HRPD network authentication flow.
  • Marked benefits will thus be gained at very little cost.
  • The present invention is based on the following facts: so far, cdma2000/HRPD dual-mode terminals that support a uniform algorithm are badly wanted on the market. Operators need this type of terminal to gain operational advantages and to decrease the cost of terminals.
  • The main idea of the present invention is to enable the dual-mode terminals to support the access authentication of both networks with a uniform authentication algorithm, by processing the parameters carried by the HRPD network message flow and by virtue of the SSD update result of the cdma2000 network.
  • In this way the problems above can be settled.
  • Each part of the dual-mode terminal without an R-UIM is described below. Antenna 101: it is used for receiving and transmitting radio signals.
  • The master processing unit: its functions include coding and decoding of cdma2000 service data, and spreading and de-spreading, modulation and demodulation of the physical channels.
  • The dual-mode chip carries out tasks such as providing a run-time platform for the software in the application layer of the terminal, hosting the application software modules, transmitting, receiving and processing over-the-air interface signalling, controlling the paging process and so on. It controls every relevant module in the terminal so that they work cooperatively.
  • Authentication module 105, which supports the CAVE algorithm: it is used for storing the user's identity information, other network parameters, etc. It supports authentication based on the CAVE algorithm. In practice it can physically share the same entity as the cdma2000/HRPD core chip.
  • Memory 106: it is the data memory module of the terminal and stores the data necessary for the terminal's normal operation.
  • Keyboard 108: it is used for information input. Together with the LCD, it provides the interface through which the user interacts with the terminal.
  • Units such as a microphone, a headphone and so on should also be provided for the terminal.
  • the user sends instructions to the cdma2000 core chip (103) or the HRPD core chip (104) through the man-machine interface made up of the keyboard (108) and the LCD (107) to initiate a call.
  • the core chip constructs a signalling message with the help of the CAVE-supported authentication module (105) and the memory module (106) to complete the establishment of the call cooperatively with the network and notifies the user via the LCD (107).
  • The user can then start the phone call; the user's voice is sent to the core chip through the microphone, where it is coded and modulated, and then transmitted to the network.
  • the core chip demodulates and decodes the received radio channel frames and sends them to the headphone.
  • the radio module (102), the memory module (106) and the battery module (109) provide necessary support to the core chip.
  • the cdma2000/HRPD dual-mode chip (103, 104) and the authentication module (105) that supports the CAVE algorithm.
  • The core chip decodes the received authentication message and transfers the necessary parameters to the authentication module (105) for processing.
  • After receiving the authentication parameters transferred from the core chip, the authentication module (105) carries out the calculation based on the CAVE algorithm with the stored authentication information and then returns the calculation result to the core chip.
  • the core chip constructs the corresponding message according to the result and transmits it to the cellular network.
  • the support from the Radio module (102), the memory (106) and the battery module (109) is also necessary for the core chip.
  • the Chap Challenge message is sent from the AN to the dual-mode terminals, carrying the random number "Random text". Having been processed, this random number can be used as the random number necessary to the CAVE algorithm.
  • The Random text is a character string represented in octets, and it is longer than the random number needed by the CAVE authentication. It is necessary to convert the groups of octets into binary format and extract the random number needed by the CAVE authentication. The random number required for the CAVE authentication must be kept consistent between the dual-mode terminal and the AN-AAA.
  • the operation of generating the random number necessary to the CAVE authentication is implemented inside the core chip. In practice, the terminal's antenna receives the signal from the network and transfers it to the radio module.
  • the radio module processes the signal, i.e., completes the conversion between the baseband digital signal and the RF analog signal, etc., and transfers the processed signal to the master processing chip.
  • the master processing chip identifies and processes the Chap Challenge message.
  • the functions of the antenna part and the radio module are not illustrated in the corresponding figure.
  • The core chip then transfers the random number to the authentication module to carry out the authentication calculation.
  • Using the random number, the IMSI_S1 (part of the IMSI) and the SSD_A as input parameters, the authentication module carries out the authentication calculation and generates the authentication result parameter 1.
  • 3. Storage of the NAI value
  • The NAI value is the username used in the HRPD network. It should be stored in the memory module in advance.
  • the Chap Response message is the response of the dual-mode terminal to the Chap Challenge message from the AN.
  • the core chip constructs the Chap
  • the core chip transmits the Chap Response message to the network through the radio module and the antenna.
  • the functions of the antenna and the radio module parts are not illustrated in the corresponding figure.
  • Figure 2 illustrates the flow chart of the authentication in the HRPD network performed by the dual-mode terminal according to the present invention, and the steps will be explained in more detail.
  • The access network sends the Chap Challenge message, i.e., the Challenge Handshake Authentication Protocol Challenge message, to the access terminal, including the "Random text"; 201
  • The authentication module of the access terminal extracts 32 bits from the Random text as the random number RAND for the authentication process and sends it to the R-UIM card; 202
  • The authentication module calculates the authentication result parameter 1 through the CAVE algorithm with the SSD_A, the RAND and other parameters and sends it to the access terminal; 203
  • The access terminal reads out the NAI from the memory module; 204
  • The access terminal writes the NAI into the corresponding domain of the Chap Response message, i.e., the Challenge Handshake Authentication Protocol Response message, writes the authentication parameter 1 into the Result domain of this message, and then transmits this Chap Response message to the access network; 205
  • If the authentication passes, the access network sends an Authentication Success message to the access terminal; 206
  • If the authentication fails, the access network sends an Authentication Failure message to the access terminal; 207

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A device for authenticating a mobile station that has no R-UIM, using CAVE as the authentication algorithm, includes an antenna, a radio module, a memory, a Liquid Crystal Display, a keyboard and a battery module, and is characterised in that it also includes: a core chip, comprising a cdma2000 core chip and an HRPD core chip, which are respectively used to decode the received authentication messages; and an authentication module that supports the CAVE algorithm. The authentication module runs the CAVE algorithm using the authentication parameters sent by the core chip and the stored authentication parameters, and returns the result to the core chip. The present invention addresses the lack of cdma2000/HRPD dual-mode terminals without an R-UIM, while also resolving the problem that different authentication algorithms are used in the cdma2000 network and the HRPD network.

Description

METHOD AND DEVICE FOR AUTHENTICATING MS THAT HAS NON R-UIM BY USING CAVE ALGORITHM
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to Code Division Multiple Access 2000 (hereinafter referred to as cdma2000) and High Rate Packet Data (hereinafter referred to as HRPD) dual-mode terminals, and especially to a method and device for authenticating a mobile station with no Removable User Identity Module (hereinafter referred to as R-UIM) by using the Cellular Authentication and Voice Encryption (hereinafter referred to as CAVE) algorithm.
2. Description of the Related Art
The cdma2000 network has been widely applied commercially all over the world. In this kind of network, a Challenge Handshake Authentication Protocol (hereinafter referred to as CHAP) based on the CAVE algorithm has been adopted to verify the legitimacy of the access terminals. This authentication system provides thorough protection against illegal attacks. A Mobile Station's (hereinafter referred to as MS) privacy key (A-key) and the CAVE algorithm are stored in the MS and in the cdma2000 network's Authentication Centre (hereinafter referred to as AuC) respectively. The authentication process mainly includes two procedures: the update of the Shared Secret Data (SSD) and the authentication itself. Part A of the Shared Secret Data (SSD_A) is used for access authentication. Depending on specific conditions, the network sends a message including a segment of random numbers to the MS and to the AuC respectively to update the SSD_A data. After this message is received by the MS and the AuC, the included random numbers, the A-key and other parameters are together input into the "SSD_GENERATION PROCEDURE" to generate an SSD_A by calculation. After its correctness is confirmed, the old SSD_A is replaced with the new one, which will then be used as the key for access authentication. When a terminal needs to be authenticated, the network sends an authentication request message, including a segment of random numbers, to the MS and the AuC. After this message is received by the MS and the AuC, authentication results are calculated in both the MS and the AuC from the random numbers included in said message, the SSD_A and other parameters according to the CAVE algorithm. The MS sends its authentication result to the AuC. By comparing the two authentication results, the MS can be determined to be valid or not. In cdma2000 network practice, the A-key can be stored in two modes.
One is that it is stored in the MS, and the corresponding CAVE algorithm is also implemented in the MS; in this case, the MS has no R-UIM. The other is that the A-key is stored in an R-UIM, and the corresponding CAVE algorithm is also implemented in the R-UIM card. In this case, the MS is called an MS that has an R-UIM. Currently most cdma2000 operators in countries other than China adopt the MS that has an R-UIM. The High Rate Packet Data (hereinafter referred to as HRPD) network is an upgrade of the cdma2000 network and has gradually been adopted in commercial application all over the world. In the existing HRPD networks the terminal (similar to the MS in cdma2000) has no R-UIM. As prescribed in the corresponding standard of the 3rd Generation Partnership Project 2 (hereinafter referred to as 3GPP2), if access authentication is adopted by the HRPD network, the authentication mode should also be CHAP authentication, but no detailed encryption algorithm is specified explicitly; it can be specified by the particular operator. The HRPD network and the cdma2000 network are independent of each other, and no information is exchanged between them. Subscribers can share the services through dual-mode terminals that support both the cdma2000 network and the HRPD network, and this category of subscriber is the main cluster of HRPD network subscribers. In the following sections, unless specifically pointed out, the dual-mode terminals refer to the cdma2000/HRPD ones. At present, the operations carried out by the R-UIM card mainly include
SSD management, authentication calculation and so on. The SSD is used for the calculations of all authentications and the generation of the subsequent privacy keys. The SSD is derived from the "A-key" in the R-UIM card. When the network sends an UPDATE SSD command (which contains a RANDSSD parameter), the SSD update process starts. The network that the relevant subscriber belongs to is the unique entity able to update the subscriber's SSD, as shown in figure 3. When the network initiates an SSD update process for a certain subscriber, the subscriber's MS first stores the RANDSSD parameter and then generates a random number RANDSeed. The MS transfers the RANDSeed parameter to the R-UIM card and starts to perform the Base Station Challenge function. Then, the R-UIM card generates a RANDBS parameter. The relationship between the RANDBS and the RANDSeed is prescribed by the distributor of the R-UIM card. For instance, in the R-UIM card, the RANDBS can be set equal to the RANDSeed. The RANDBS parameter can be derived by applying a pseudorandom process to the RANDSeed, or generated independently without regard to the RANDSeed. A Base Station Challenge command causes the R-UIM card to transmit the RANDBS parameter to the MS and in turn to the network. Next, the MS carries out the SSD update process. The RANDSSD parameter is used in this process to generate a new SSD value and an AUTHBS that is used to verify the result of the base station challenge.
On the network side, the RANDSSD parameter is used to generate a new SSD value. After receiving the RANDBS parameter from the MS, the network calculates the AUTHBS with the new SSD, and then sends the AUTHBS to the MS. The MS treats the received AUTHBS as the parameter of the Confirm SSD command. The MS compares the received AUTHBS with the one calculated by itself; if they are the same, the SSD update process succeeds, and the new SSD will be used in subsequent authentication calculations. If the two AUTHBS values differ, the MS discards the new SSD and retains the original one.
The authentication process is the process of verifying a terminal's legitimacy. Its basic operations are illustrated in figure 3 (the messages exchanged between the MS and the AuC are transmitted via the radio network, but the radio network is omitted in this figure for ease of description): The AuC sends a Chap Challenge message to an MS, including a 32-bit long random number RAND. The MS takes the RAND and the SSD_A as the inputs of the CAVE algorithm to calculate an 18-bit long authentication parameter 1, then the MS sends this parameter 1 to the AuC in an Authentication Challenge Response message, and the AuC compares the authentication parameter 1 with the parameter 2 it calculated itself with the same method. If they are the same, the authentication passes; otherwise, the MS is denied access to the network.
(2) Message flow of the existing HRPD network for access authentication. The HRPD network's access authentication consists of the following message flow (as shown in figure 4): an access network (AN) sends a Chap Challenge message to an access terminal (AT), including the random number "Random text"; 401
The access terminal receives the Chap Challenge message and calculates authentication parameter 1 from the received Random text. In the figure, the MD5 algorithm is taken as an example because MD5 is what the existing HRPD network uses. Although the present invention uses the CAVE algorithm for this computation, the message flow is the same as with MD5; 402
The terminal sends a Chap Response message to the AN, including the AT's Network Access Identifier (NAI), the Random text, authentication parameter 1 and so on; 403
After receiving the Chap Response message from the AT, the AN sends a RADIUS Access Request message to the AN-AAA, including the three parameters carried in the Chap Response message; 404
The AN-AAA takes the Random text and the local password (the AN-AAA's copy of the password and the AT's password are identical) as inputs and calculates authentication parameter 2 with the MD5 algorithm; 405
The AN-AAA compares authentication parameter 1 with authentication parameter 2; 406
If they are equal, the AN-AAA sends a RADIUS Access Accept message to the AN, indicating that authentication passes; 407
If authentication parameter 1 differs from authentication parameter 2, the AN-AAA sends a RADIUS Access Reject message to the AN to refuse the terminal's access; 408
After receiving the RADIUS Access Accept message, the AN sends a Chap Success message to the terminal, indicating that authentication succeeded; 409
After receiving the RADIUS Access Reject message, the AN sends a Chap Failure message to the AT, indicating that authentication failed. 410

In practice, voice service is normally provided over the cdma2000 network and high-rate data service over the HRPD network, so dual-mode terminals that support both networks will take up a sizable share of the market. Because the cdma2000 network is generally deployed before the HRPD network, some HRPD subscribers are upgraded from cdma2000 subscribers.
However, because the cdma2000 network and the HRPD network use different access authentication algorithms, operators must manage two kinds of passwords and the related subscriber information, and terminals must support two authentication algorithms and store two passwords. That is inconvenient for operators and adds complexity to the terminal. Since the cdma2000 network is already in operation with many subscribers, how to realize HRPD network access authentication by reusing the CAVE algorithm already used in the cdma2000 network is a challenge for HRPD network construction.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a cdma2000/HRPD dual-mode terminal without an R-UIM card that can reuse the CAVE algorithm already used in the cdma2000 network for the terminal's HRPD network access authentication.
According to one aspect of the present invention, a method for authenticating a mobile station without an R-UIM, which uses CAVE as its authentication algorithm in cdma2000 network access authentication and can also use it in HRPD network access authentication, comprises the steps of:
after receiving a Chap Challenge message, the authentication module derives the random number RAND to be used in computing authentication parameter 1 from the "Random text" in the Chap Challenge message;
the authentication module computes authentication parameter 1 from said random number RAND and the existing IMSI_S1 (part of the IMSI), SSD_A and other parameters;
the core chip carries authentication parameter 1 in the Result field of a Chap Response message.
According to another aspect of the present invention, a device for authenticating a mobile station without an R-UIM by using CAVE as the authentication algorithm includes an antenna, a radio module, a memory, a liquid crystal display, a keyboard and a battery module, and further includes:
a core chip, comprising a cdma2000 core chip and an HRPD core chip, which respectively decode the received authentication messages;
an authentication module that supports the CAVE algorithm: it runs the CAVE algorithm on the authentication parameters sent by the core chip together with its stored authentication parameters and returns the result to the core chip.
The present invention addresses the fact that, to date, no cdma2000/HRPD dual-mode terminal without an R-UIM that supports a uniform authentication algorithm is in service. With the present invention, the problem that the cdma2000 network and the HRPD network use different authentication algorithms is resolved. By unifying the access authentication algorithm of the two networks as CAVE, the present invention brings convenience to operators running both cdma2000 and HRPD networks and also reduces terminal development cost.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows the hardware structure of a cdma2000/HRPD dual-mode terminal without an R-UIM that uses CAVE as the access authentication algorithm;
Figure 2 illustrates a flow chart of authentication in the HRPD network performed by the dual-mode terminal according to the present invention;
Figure 3 illustrates the CAVE authentication process;
Figure 4 shows an access authentication message flow that 3GPP2 defines for the HRPD network; and
Figure 5 shows an implementation of the authentication of the dual-mode terminal according to the present invention in the HRPD network.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The main object of the present invention is to realize a cdma2000/HRPD dual-mode terminal in which the CAVE algorithm is used for both cdma2000 network access authentication and HRPD network access authentication, with no modification to the HRPD network authentication flow. In general, the present solution yields marked benefits at very little cost. The present invention is based on the following facts: to date, cdma2000/HRPD dual-mode terminals that support a uniform algorithm are in short supply on the market, and operators need such terminals to gain operational advantages and reduce terminal cost.
The main idea of the present invention is to enable dual-mode terminals to support both networks' access authentication with a uniform authentication algorithm, by processing the parameters carried in the HRPD network's message flow and relying on the SSD update result of the cdma2000 network. Thus the problems above are resolved.
To enable a dual-mode terminal without an R-UIM to support both networks' access authentication with a uniform algorithm, each part of the terminal should implement the following basic functions:

Antenna 101
Receives and transmits radio signals.
Radio module 102
Takes charge of the conversion between baseband digital signals and RF analog signals, the transmission and reception of the RF analog signals, etc.
cdma2000 core chip 103
The master processing unit. Its functions include coding and decoding of cdma2000 service data, spectrum spreading and de-spreading, and modulation and demodulation of the physical channels. In addition, the dual-mode chip provides the run platform for the terminal's application-layer software, bears the application software modules, transmits, receives and processes air-interface signalling, controls the paging process and so on. It controls every relevant module in the terminal so that they work cooperatively.
HRPD core chip 104
In practice it shares the same physical entity with the cdma2000 core chip but performs the HRPD network's data and signalling processing. The software modules it bears correspond to the HRPD network.
Authentication module supporting the CAVE algorithm 105
Stores the user's identity information and other network parameters, etc., and supports authentication based on the CAVE algorithm. In practice it can share the same physical entity with the cdma2000/HRPD core chip.
Memory 106
The terminal's data memory module; it stores the data needed for the terminal's normal operation.
LCD 107
Information display unit
Keyboard 108
Used for information input. Together with the LCD, it forms the interface through which the user interacts with the terminal.
Battery module 109
Provides every module with power supply.
In addition, units such as a microphone and a headphone should be provided for the terminal.
During a normal voice call, the user sends instructions to the cdma2000 core chip (103) or the HRPD core chip (104) through the man-machine interface formed by the keyboard (108) and the LCD (107) to initiate a call. After receiving the user's instructions, the core chip constructs the signalling messages, with the help of the CAVE-capable authentication module (105) and the memory module (106), to set up the call together with the network, and notifies the user via the LCD (107). The user can then start talking; the voice is sent to the core chip through the microphone, coded and modulated there, and transmitted to the network. Meanwhile, the core chip demodulates and decodes the received radio channel frames and sends them to the headphone. Throughout this process, the radio module (102), the memory module (106) and the battery module (109), as the core chip's peripherals, provide the necessary support.
In the authentication process based on the CAVE algorithm, the main modules involved are the cdma2000/HRPD dual-mode chip (103, 104) and the authentication module (105) that supports CAVE. The core chip decodes the received authentication message and passes the necessary parameters to the authentication module (105). Having received these parameters from the core chip, the authentication module (105) performs the CAVE calculation with its stored authentication information and returns the result to the core chip. The core chip then constructs the corresponding message from the result and transmits it to the cellular network. The radio module (102), the memory (106) and the battery module (109) again support the core chip during this process.
To support HRPD network authentication, the dual-mode terminal should perform the following new functions:

1. Use of the Chap Challenge message
The Chap Challenge message is sent from the AN to the dual-mode terminal and carries the random number "Random text". After processing, this random number serves as the random number required by the CAVE algorithm. The Random text is a character string of octets and is longer than the random number CAVE needs, so the octets must be converted to binary and the CAVE random number extracted from them. The dual-mode terminal and the AN-AAA must derive the CAVE random number in the same way, otherwise authentication parameters 1 and 2 cannot match. The generation of the CAVE random number is performed inside the core chip. In practice, the terminal's antenna receives the signal from the network and passes it to the radio module, which processes it (converting between the RF analog signal and the baseband digital signal, etc.) and hands the result to the master processing chip, which identifies and processes the Chap Challenge message. The antenna and radio module functions are not illustrated in the corresponding figure.
2. Authentication calculation by the authentication module
Using the random number, IMSI_S1 (part of the IMSI) and SSD_A as input parameters, the authentication module carries out the authentication calculation and produces the authentication result, parameter 1.
3. Storage of the NAI value
The NAI is the username used in the HRPD network. It should be stored in the memory module in advance.
4. Generation of the Chap Response message
The Chap Response message is the dual-mode terminal's response to the Chap Challenge message from the AN. The core chip constructs the Chap Response message with the NAI (obtained as described above) and authentication parameter 1 (written into the Result field). The other fields of the Chap Response message are filled in according to IETF RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP), August 1996.
5. Transmission of the Chap Response message
The core chip transmits the Chap Response message to the network through the radio module and the antenna. The antenna and radio module functions are not illustrated in the corresponding figure.

Figure 2 illustrates the flow chart of authentication in the HRPD network performed by the dual-mode terminal according to the present invention; the steps are explained in more detail below.
The access network sends the Chap Challenge message, i.e. the Challenge Handshake Authentication Protocol Challenge message, to the access terminal, including the "Random text"; 201
The access terminal extracts 32 bits from the Random text as the random number RAND for the authentication process and passes it to the authentication module; 202
The authentication module calculates the authentication result, parameter 1, with the CAVE algorithm from SSD_A, RAND and the other parameters, and returns it to the access terminal; 203
The access terminal reads the NAI from the memory module; 204
The access terminal writes the NAI into the corresponding field of the Chap Response message, i.e. the Challenge Handshake Authentication Protocol Response message, writes authentication parameter 1 into the Result field of this message, and transmits the Chap Response message to the access network; 205
If authentication succeeds, the access network sends an Authentication Success message to the access terminal; 206
If authentication fails, the access network sends an Authentication Failure message to the access terminal. 207
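The figure 4 flow with MD5 and the figure 2 flow of the present invention, as one added example that is not part of the patent. It builds and parses RFC 1994 CHAP Challenge and Response packets, carves a 32-bit RAND out of the Random text, carries the 18-bit authentication parameter 1 in the Result (Value) field with the NAI in the Name field, and lets an AN-AAA verify either a legacy MD5 subscriber or a CAVE subscriber from its per-NAI record. CAVE itself is not on the page, so HMAC-SHA256 truncated to 18 bits stands in for it; taking the first four octets of the Random text as RAND is an assumption (the page only requires that terminal and AN-AAA use the same rule), and the NAIs, IMSI_S1, SSD_A and password values are constructed.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 Code values


@dataclass
class ChapPacket:
    """RFC 1994 packet: Code, Identifier, Length, Value-Size, Value, Name."""
    code: int
    identifier: int
    value: bytes        # Challenge: the "Random text"; Response: the Result
    name: bytes = b""   # Response: the NAI

    def encode(self) -> bytes:
        length = 5 + len(self.value) + len(self.name)
        header = struct.pack("!BBHB", self.code, self.identifier, length, len(self.value))
        return header + self.value + self.name


def decode_chap(buf: bytes) -> ChapPacket:
    if len(buf) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length, vsize = struct.unpack("!BBHB", buf[:5])
    if length != len(buf) or 5 + vsize > length:
        raise ValueError("malformed CHAP packet")
    return ChapPacket(code, ident, buf[5:5 + vsize], buf[5 + vsize:length])


def md5_result(ident: int, password: bytes, random_text: bytes) -> bytes:
    """Existing HRPD method: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + password + random_text).digest()


def rand_from_random_text(random_text: bytes) -> bytes:
    """Carve the 32-bit CAVE RAND out of the Random text octets. Assumption:
    the first four octets; terminal and AN-AAA must apply the same rule."""
    if len(random_text) < 4:
        raise ValueError("Random text shorter than the 32-bit RAND")
    return random_text[:4]


def cave_result(ssd_a: bytes, imsi_s1: bytes, rand: bytes) -> bytes:
    """Authentication parameter 1 from RAND, IMSI_S1 and SSD_A. Stand-in for
    CAVE (not on the page): HMAC-SHA256 truncated to 18 bits, in 3 octets."""
    digest = hmac.new(ssd_a, imsi_s1 + rand, hashlib.sha256).digest()
    return (int.from_bytes(digest, "big") & 0x3FFFF).to_bytes(3, "big")


class AccessTerminal:
    """Dual-mode AT without R-UIM: NAI from memory, CAVE inputs from the
    authentication module."""
    def __init__(self, nai: bytes, imsi_s1: bytes, ssd_a: bytes):
        self.nai, self.imsi_s1, self.ssd_a = nai, imsi_s1, ssd_a

    def respond(self, challenge: ChapPacket) -> ChapPacket:
        rand = rand_from_random_text(challenge.value)
        result = cave_result(self.ssd_a, self.imsi_s1, rand)
        return ChapPacket(RESPONSE, challenge.identifier, result, self.nai)


class LegacyTerminal:
    """AT on the unchanged MD5 method, for comparison."""
    def __init__(self, nai: bytes, password: bytes):
        self.nai, self.password = nai, password

    def respond(self, challenge: ChapPacket) -> ChapPacket:
        result = md5_result(challenge.identifier, self.password, challenge.value)
        return ChapPacket(RESPONSE, challenge.identifier, result, self.nai)


class AnAaa:
    """Per-NAI subscriber records; the record selects the method."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def access_request(self, nai: bytes, random_text: bytes, ident: int, result: bytes) -> bool:
        sub = self.subscribers.get(nai)
        if sub is None:
            return False
        if sub["method"] == "md5":
            expected = md5_result(ident, sub["password"], random_text)
        else:
            expected = cave_result(sub["ssd_a"], sub["imsi_s1"], rand_from_random_text(random_text))
        return hmac.compare_digest(expected, result)


def hrpd_access(terminal, aaa: AnAaa, random_text: bytes = None, ident: int = 1) -> int:
    """AN side of figure 4: Challenge to the AT, Response back, the three
    parameters to the AN-AAA, then Chap Success or Failure (code returned)."""
    if random_text is None:
        random_text = os.urandom(16)
    challenge = ChapPacket(CHALLENGE, ident, random_text)
    response = decode_chap(terminal.respond(decode_chap(challenge.encode())).encode())
    if response.code != RESPONSE or response.identifier != ident:
        return FAILURE
    ok = aaa.access_request(response.name, random_text, ident, response.value)
    return SUCCESS if ok else FAILURE
```

The AN-AAA recomputes the parameter from the Random text the AN forwarded in the RADIUS request, so applying the same extraction rule on both sides is what makes the CAVE path work; a subscriber provisioned with an MD5 record goes through the identical packets, which is the "no change to the HRPD flow" property the description claims.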

Claims

WHAT IS CLAIMED IS:
1. A method for authenticating a mobile station without an R-UIM by using CAVE as the access authentication algorithm, comprising the steps of: after receiving a Chap Challenge message, the authentication module derives the random number RAND to be used in computing authentication parameter 1 from the "Random text" in the Chap Challenge message; the authentication module computes authentication parameter 1 from said random number RAND and the existing IMSI_S1, SSD_A, etc.; the core chip carries authentication parameter 1 in the Result field of a Chap Response message.
2. The method according to claim 1, wherein the parameters used by the authentication module in the CAVE algorithm come from the cdma2000 network.
3. The method according to claim 1, wherein said core chip reads NAI from the memory module and constructs the Chap Response message with the NAI and the authentication parameter 1.
4. A device for authenticating a mobile station without an R-UIM by using CAVE as the authentication algorithm, including an antenna, a radio module, a memory, a liquid crystal display, a keyboard and a battery module, and further including: a core chip, comprising a cdma2000 core chip and an HRPD core chip, which respectively decode the received authentication messages; an authentication module that supports the CAVE algorithm and runs it on the authentication parameters sent by the core chip together with the stored authentication parameters, returning the result to the core chip.
5. The device according to claim 4, wherein said core chip of hardware structure is a cdma2000/HRPD dual-mode chip.
6. The device according to claim 4, wherein said authentication module supports the CAVE algorithm and both the cdma2000 network and the HRPD network use the CAVE algorithm in access authentication.
7. The device according to claim 4, wherein said authentication module and the other parts of the terminal are inseparable physically.
8. The device according to claim 4, wherein said radio module is used for the conversion between baseband digital signals and RF analog signals, the transmission and receiving of the RF analog signals.
9. The device according to claim 4, wherein said cdma2000 core chip performs the functions of coding and decoding cdma2000 service data, spectrum spreading and de-spreading, modulating and demodulating the physical channels, transmitting, receiving and processing signalling, and call process control, etc.
10. The device according to claim 4, wherein said HRPD core chip performs function of the HRPD network's processing of data and signaling, the software modules borne by said HRPD core chip correspond to the HRPD network.
PCT/KR2005/003127 2004-09-21 2005-09-21 Method and device for authenticating ms that has non r-uim by using cave algorithm WO2006033548A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020077009237A KR101205662B1 (en) 2004-09-21 2005-09-21 Method and device for authenticating ms that has non r-uim by using cave algorithm
JP2007525556A JP4477064B2 (en) 2004-09-21 2005-09-21 Method and apparatus for authenticating MS with non-removable UIM using CAVE algorithm

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200410078240.X 2004-09-21
CN200410078240XA CN1753362B (en) 2004-09-21 2004-09-21 Machine card unseparated identification method as cut-in identification algorithm using CAVE and its device

Publications (1)

Publication Number Publication Date
WO2006033548A1 true WO2006033548A1 (en) 2006-03-30

Family

ID=36090271

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/003127 WO2006033548A1 (en) 2004-09-21 2005-09-21 Method and device for authenticating ms that has non r-uim by using cave algorithm

Country Status (4)

Country Link
JP (1) JP4477064B2 (en)
KR (1) KR101205662B1 (en)
CN (1) CN1753362B (en)
WO (1) WO2006033548A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101820638A (en) * 2010-04-13 2010-09-01 青岛海信移动通信技术股份有限公司 Method for testing user authentication module and related device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188669B (en) * 2011-12-28 2016-09-14 中国电信股份有限公司 2G or 3G mobile card is made to access the method for LTE network, system and mobile terminal
CN103188671B (en) * 2011-12-28 2016-08-03 中国电信股份有限公司 HRPD Mobile phone card is made to access the method for eHRPD network, system and mobile terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5513245A (en) * 1994-08-29 1996-04-30 Sony Corporation Automatic generation of private authentication key for wireless communication systems
WO1999049616A1 (en) * 1998-03-24 1999-09-30 Alcatel Usa Sourcing, L.P. Method for improved authentication for cellular phone transmissions

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1484459A (en) * 2002-09-21 2004-03-24 Certification method for multiple mobile communication systems

Also Published As

Publication number Publication date
CN1753362A (en) 2006-03-29
JP4477064B2 (en) 2010-06-09
KR101205662B1 (en) 2012-11-27
CN1753362B (en) 2011-01-12
JP2008509631A (en) 2008-03-27
KR20070054257A (en) 2007-05-28

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2007525556

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 1020077009237

Country of ref document: KR

122 Ep: pct application non-entry in european phase