MXPA99006930A - Authentication method for two sponsors and class agreement - Google Patents
Authentication method for two sponsors and class agreement
- Publication number
- MXPA99006930A
- Authority
- MX
- Mexico
- Prior art keywords
- interrogation signal
- key
- shared user
- response
- mobile
- Prior art date
Abstract
According to the authentication method of two shared users, a first shared user generates and transfers a random number to a second shared user as a first interrogation signal. The second shared user increments a count value in response to the first interrogation signal, generates a response to the first interrogation signal by applying a keyed cryptographic function (KCF) to the first interrogation signal and the count value using a first key, and transfers the count value, as a second interrogation signal, together with the response to the first interrogation signal to the first shared user. The first shared user verifies the second shared user based on the first interrogation signal, the second interrogation signal and the response to the first interrogation signal. The first shared user also generates a response to the second interrogation signal by applying the KCF to the second interrogation signal using the first key, and transfers the response to the second interrogation signal to the second shared user. The second shared user verifies the first shared user based on the second interrogation signal and the response to the second interrogation signal. For example, the first and second shared users can be a network and a mobile, respectively, in a wireless system. Also, based on the first and second interrogation signals, the first and second shared users can generate another key.
Description
METHOD OF AUTHENTICATION FOR TWO SHARED USERS AND KEY AGREEMENT
BACKGROUND OF THE INVENTION
Field of the Invention
The present invention relates to a method for authenticating two shared users communicating with one another, and in one application, a method for authenticating a mobile and a network in wireless communication. The present invention also relates to a key agreement based on the authentication protocol.
Description of Related Art
Protocols for authenticating shared users communicating with one another provide a measure of security for the communication. Several such protocols are used by the wireless industry and form part of the communication standards in the US, Europe and Japan.
Ref.: 30554
While the shared user authentication system and method according to the present invention is not limited to wireless communication, to promote ease of understanding, the present invention will be described in the context of a wireless system. For this reason, a general overview of wireless systems is presented, including a discussion of the shared user authentication protocol used in at least one of the standards.
The US currently uses three main wireless systems, with different standards. The first system is a time division multiple access (TDMA) system governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Phone System (AMPS). All three communication systems use the IS-41 standard for intersystem messaging, which defines the authentication procedures for call origination, for updating the shared secret data, etc.
Fig. 1 illustrates a wireless system including an authentication center (AC) and home location register (HLR) 10, a visitor location register (VLR) 15, and a mobile 20. While more than one HLR could be associated with an AC, currently there is a one-to-one correspondence. Consequently, Fig. 1 illustrates the HLR and the AC as a single entity, although they are separate. Also for simplicity, the rest of the specification will refer to the HLR and AC jointly as the AC/HLR. Also, the VLR sends information to one of a plurality of mobile switching centers (MSCs) associated therewith, and each MSC sends the information to one of a plurality of base stations (BSs) for transmission to the mobile. For simplicity, the VLRs, MSCs and BSs will be referred to and illustrated as a VLR. Collectively, the ACs, HLRs, VLRs, MSCs and BSs operated by a network provider are referred to as a network.
A root key, known as key A, is stored only in the AC/HLR 10 and the mobile 20. There is a secondary key, known as shared secret data (SSD), which is sent to the VLR 15 as the mobile roams (e.g., when the mobile leaves its home coverage area). The SSD is generated from key A and a random number seed RANDSSD using a cryptographic algorithm or function. A cryptographic function is a function that generates an output having a predetermined number of bits based on a range of possible inputs. A keyed cryptographic function (KCF) is a type of cryptographic function that operates based on a key; for example, a cryptographic function that operates on two or more arguments (i.e., inputs) where one of the arguments is the key. From the output and knowledge of the KCF in use, the inputs cannot be determined unless the key is known. Encryption/decryption algorithms are types of cryptographic functions, as are one-way functions such as pseudo-random functions (PRFs) and message authentication codes (MACs). The expression KCF_SK(RN') represents the KCF of the random number RN' using the session key SK as the key. A session key is a key that lasts for a session, and a session is a period of time such as the duration of a call.
In the IS-41 protocol, the cryptographic function used is CAVE (Cellular Authentication and Voice Encryption). When the mobile 20 roams, the VLR 15 in that area sends an authentication request to the AC/HLR 10, which responds by sending the mobile's SSD. Once the VLR 15 has the SSD, it can authenticate the mobile 20 independently of the AC/HLR 10. For security reasons, the SSD is periodically updated.
Fig. 2 illustrates the communication between the AC/HLR 10, the VLR 15 and the mobile 20 to update the SSD. As discussed above, the AC/HLR 10 generates a random number seed RANDSSD and, using the CAVE algorithm, generates a new SSD from the RANDSSD seed. The SSD is 128 bits in size. The first 64 bits serve as a first SSD, referred to as SSDA, and the second 64 bits serve as a second SSD, referred to as SSDB. As shown in Fig. 2, the AC/HLR 10 provides the VLR 15 with the new SSD and the RANDSSD. The VLR 15 then sends the RANDSSD to the mobile 20 together with a session request SR. The session request SR instructs the mobile 20 to carry out the SSD update protocol, which is described in detail below. In response to receiving the RANDSSD and the session request SR, the mobile 20 uses the CAVE algorithm to generate the new SSD from the RANDSSD, and generates a random number RM using a random number generator. The mobile sends the random number RM to the VLR 15. The mobile 20 also applies the CAVE algorithm to the random number RM using the new SSDA as the key. This calculation is represented by CAVE_SSDA(RM).
One of the VLR 15 and the AC/HLR 10 also calculates CAVE_SSDA(RM) and sends the result to the mobile 20. The mobile 20 authenticates the network if the CAVE_SSDA(RM) it calculated equals that received from the network.
Next, and usually after receiving a signal from the mobile 20 indicating the verification, the VLR 15 generates a random number RN and sends it to the mobile 20. Meanwhile, the VLR calculates CAVE_SSDA(RN). On receiving RN, the mobile 20 calculates CAVE_SSDA(RN) and sends the result to the VLR 15. The VLR 15 authenticates the mobile if the CAVE_SSDA(RN) it calculated equals that received from the mobile 20. The random numbers RM and RN are referred to as interrogation signals (challenges), while CAVE_SSDA(RM) and CAVE_SSDA(RN) are referred to as interrogation signal responses. Once the authentication is complete, the mobile 20 and the network generate session keys using SSDB.
In this protocol, the SSD is used only to answer the interrogation signals of the mobile 20 and the network. This allows an attack when an old pair of RANDSSD and SSD is revealed. Knowing this pair is enough to issue an interrogation signal to the mobile 20 and to answer the mobile's own interrogation signal. Thus an attacker can initiate an SSD update for the mobile 20 and answer the mobile's interrogation signal. Once the revealed SSD is accepted, and in spite of a secure session key agreement protocol (i.e., a protocol in the communication between a mobile and a network to establish a session key), the attacker can impersonate the network and place a call to the mobile 20 under a fraudulent identity. For example, the impersonator can insert their own caller ID or name and pretend to be someone else. The attacker can pretend to be a credit card company and ask to verify the card number and PIN, or use the name of the local telephone company in the caller name field and ask to verify calling card numbers, etc.
Brief Description of the Invention
In an authentication method of two shared users according to the present invention, a first shared user issues a random number as a first interrogation signal, and a second shared user responds with a response to the first interrogation signal. The response to the first interrogation signal is generated by applying a keyed cryptographic function (KCF) to the first interrogation signal and a count value using a first key. The second shared user increments the count value on receipt of the first interrogation signal, and uses the count value as a second interrogation signal. The first shared user verifies the second shared user based on the first interrogation signal and the received second interrogation signal and response to the first interrogation signal. After verification, the first shared user applies the KCF to the second interrogation signal using the first key to generate a response to the second interrogation signal. Based on the second interrogation signal and the received response to the second interrogation signal, the second shared user verifies the first shared user. Using the first and second interrogation signals, an encryption key is generated by both shared users. In this way, a key different from the encryption key, namely the first key, is used in responding to interrogation signals. The present invention has many applications, including the wireless industry, wherein the first and second shared users are a network and a mobile, respectively.
Brief Description of the Drawings
The present invention will be more fully understood from the detailed description given below and the accompanying drawings, which are given by way of illustration only, wherein like reference numerals designate corresponding parts in the several drawings, and wherein:
Fig. 1 is a block diagram illustrating the basic components of a wireless system;
Fig. 2 illustrates the communication between the authentication center/home location register, the visitor location register, and the mobile to update the shared secret data according to the IS-41 standard; and
Fig. 3 illustrates the communication between the network and the mobile to authenticate these two shared users according to an embodiment of the present invention.
Detailed Description of the Preferred Embodiments
As discussed above, while the shared user authentication system and method according to the present invention is not limited to wireless communication, to promote ease of understanding, the present invention will be described in the context of a wireless system. More specifically, the method or protocol for the authentication of two shared users according to the present invention will be described as employed by the wireless system shown in Fig. 1.
In contrast to the method or protocol discussed above with respect to Figs. 1 and 2, in the method of the present invention the AC/HLR 10 and the mobile 20 also generate another key, referred to as key M, based on key A. For example, key M is generated by applying a pseudo-random function (PRF) indexed by key A to a value known to both the network and the mobile 20. A practical PRF is the well-known Data Encryption Standard in Cipher Block Chaining mode (DES-CBC) of NIST (the National Institute of Standards and Technology). In a preferred embodiment, DES-CBC indexed by a 64-bit key A, applied to the known value, produces a 64-bit key M.
Fig. 3 illustrates the communication between the network and the mobile 20 to authenticate these two shared users according to one embodiment of the present invention. As shown, the VLR 15 acts as a communication conduit between the AC / HLR 10 and the mobile 20. More specifically, the authentication of the protocol according to the present invention takes place between the AC and the mobile 20.
As shown, one shared user, the AC/HLR 10, generates and sends a random number RN to the other shared user, the mobile 20. Typically, the AC/HLR 10, in addition to sending the random number RN, sends a session request SR that specifies the type of protocol to be carried out. The types of protocols include, for example, call origination, shared secret data (SSD) update, call termination, and mobile registration.
In response, the mobile 20 generates a count value CM and applies a KCF to the random number RN, the count value CM, the Type data, and the id data IDM using key M as the key. This calculation is represented as KCF_M(Type, IDM, CM, RN). Preferably, the KCF is a keyed message authentication code such as HMAC, but it could be a PRF such as DES-CBC. The mobile 20 includes a counter that generates the count value CM. The mobile 20 increments the previous count value CM when generating the interrogation signal response (i.e., KCF_M(Type, IDM, CM, RN)) to each interrogation signal from the network.
The Type data represents the type of protocol being carried out. The id data indicates the source of the communication. Usually, id data 1 indicates that the communication is from the network, and id data 0 indicates that the communication comes from the mobile. For discussion purposes, however, the id data for the mobile 20 is shown as IDM and the id data for the network is shown as IDN. The system and method for the authentication of two shared users does not require the inclusion of the Type data when the KCF is applied to the random number RN and the count value CM. The Type data and the specific id data have been included as part of the application of the two-shared-user authentication method and system to a wireless system.
The mobile 20 sends the count value CM and KCF_M(Type, IDM, CM, RN) to the network. Because the AC/HLR 10 initiated the current protocol, which includes the two-shared-user authentication protocol according to the present invention, the AC/HLR 10 knows the Type data. Also, because communications from mobiles include the same id data, this value is also known to the AC/HLR 10. Therefore, based on the received count value CM, the AC/HLR 10 calculates KCF_M(Type, IDM, CM, RN) and determines whether this calculated value equals the version received from the mobile. If a match is found, the AC/HLR 10 authenticates the mobile 20.
Once the mobile 20 has been verified, the AC/HLR 10 calculates KCF_M(Type, IDN, CM) and sends the calculated result to the mobile 20. The mobile 20, meanwhile, also calculates KCF_M(Type, IDN, CM). The mobile 20 then checks whether its calculated version of KCF_M(Type, IDN, CM) equals the version received from the AC/HLR 10. If a match is found, the mobile 20 authenticates the network.
In addition, after carrying out this two-shared-user authentication protocol, other keys can be generated. For example, if the wireless system of Fig. 1 uses this authentication protocol as part of the SSD update protocol, then, after the mobile 20 authenticates the network, the mobile 20 and the AC/HLR 10 both hold the random number RN and the count value CM. The mobile 20 and the AC/HLR 10 generate the SSD as PRF_A(CM, RN), where the PRF is preferably the DES-CBC algorithm. Alternatively, in other protocols, this same technique is used to generate other keys.
When applied to a wireless system, the mobile 20 needs to store the count value CM in semi-permanent memory so that the count value CM is not reinitialized on loss of power. In this way, repetition of a count value is avoided; repetition of a count value would allow an attacker's attack to succeed. In a preferred embodiment, the count value is initialized using a random number and is generated using a large counter such as a 64-bit or 75-bit counter. This provides security even when the mobile 20 fails and loses the stored count value. Even if an attacker causes a mobile to fail, and assuming it takes at least a second to initiate a session, it will take, for example, a year before the attacker manages to make the mobile repeat a count value when a 75-bit counter is used.
As a further alternative, instead of sending a unique random number RN, the initiating shared user (e.g., the network) issues a global random number. That is, in the embodiment of Fig. 3 the initiating shared user emits a different, unique random number RN for each communication, whereas in this alternative embodiment the initiating shared user emits the same random number RN for each communication.
In the protocol according to the present invention, the previously established key among the shared users (e.g., key A or the SSD) is not used to answer the interrogation signals, and thus the problem of network impersonation discussed with respect to IS-41 cannot arise. Also, even if key M is revealed to an attacker, there is no direct way to obtain key A from it, because a one-way function was used to generate key M. Because an attacker uses previous interrogation signals and interrogation signal responses when mounting an attack, such an attack will fail against the protocol according to the present invention. The reason is that the attacker would be using an interrogation signal response based on an old count value; therefore, the network will not verify the attacker. In addition, the keys generated after authentication as discussed above are generated by applying the PRF to the new interrogation signals using key A, and the attacker does not know key A.
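As an added illustration, not code from the patent, the following Python models the Fig. 3 exchange, the SSD derivation of the preceding paragraphs, and the argument above that an old count value does not verify. HMAC-SHA256 stands in for the page's HMAC/DES-CBC choices; the key A value, the known value used to derive key M, and the length-prefixed field encoding are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example values; a real system provisions key A in the AC/HLR and the mobile.
KEY_A = bytes.fromhex("0123456789abcdeffedcba9876543210")
KNOWN_VALUE = b"key-M-derivation"   # assumed "value known to the network and the mobile"
ID_NETWORK = b"\x01"                # id data 1: communication from the network
ID_MOBILE = b"\x00"                 # id data 0: communication from the mobile
COUNTER_BITS = 75                   # large counter, one of the sizes the page suggests
CM_LEN = (COUNTER_BITS + 7) // 8    # bytes carrying the count value on the wire


def kcf(key: bytes, *fields: bytes) -> bytes:
    """Keyed cryptographic function: HMAC-SHA256 over length-prefixed fields.
    The prefixing is an assumption; the page fixes no encoding of (Type, ID, CM, RN)."""
    data = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_key_m(key_a: bytes) -> bytes:
    """Key M = PRF_A(known value); one-way, so a leaked key M does not give key A."""
    return kcf(key_a, KNOWN_VALUE)


def derive_ssd(key_a: bytes, cm: bytes, rn: bytes) -> bytes:
    """Post-authentication key agreement: SSD = PRF_A(CM, RN), keyed by root key A."""
    return kcf(key_a, cm, rn)


class Mobile:
    def __init__(self, key_a: bytes):
        self.key_a = key_a
        self.key_m = derive_key_m(key_a)
        # Counter initialised from a random number; it must survive power loss.
        self.cm = secrets.randbits(COUNTER_BITS)

    def respond(self, type_: bytes, rn: bytes):
        """Increment CM, answer the network's challenge RN, and send CM as our challenge."""
        self.cm = (self.cm + 1) % (1 << COUNTER_BITS)
        cm = self.cm.to_bytes(CM_LEN, "big")
        return cm, kcf(self.key_m, type_, ID_MOBILE, cm, rn)

    def verify_network(self, type_: bytes, cm: bytes, resp: bytes) -> bool:
        """Check the network's answer to CM; this direction carries no RN."""
        return hmac.compare_digest(kcf(self.key_m, type_, ID_NETWORK, cm), resp)


class Network:
    def __init__(self, key_a: bytes):
        self.key_a = key_a
        self.key_m = derive_key_m(key_a)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)          # a fresh RN for every communication

    def verify_mobile(self, type_: bytes, rn: bytes, cm: bytes, resp: bytes):
        """Return the answer to the mobile's challenge CM, or None if the mobile fails."""
        expected = kcf(self.key_m, type_, ID_MOBILE, cm, rn)
        if not hmac.compare_digest(expected, resp):
            return None
        return kcf(self.key_m, type_, ID_NETWORK, cm)


def run_protocol(network: Network, mobile: Mobile, type_: bytes = b"SSD_UPDATE"):
    """The Fig. 3 exchange. Returns (transcript, ssd); ssd is None on any failure."""
    rn = network.challenge()                                   # network -> mobile: RN
    cm, resp1 = mobile.respond(type_, rn)                      # mobile -> network: CM, resp1
    resp2 = network.verify_mobile(type_, rn, cm, resp1)        # network -> mobile: resp2
    transcript = {"rn": rn, "cm": cm, "resp1": resp1, "resp2": resp2}
    if resp2 is None or not mobile.verify_network(type_, cm, resp2):
        return transcript, None
    return transcript, derive_ssd(mobile.key_a, cm, rn)        # both sides hold CM and RN


def replay_old_transcript(network: Network, mobile: Mobile, old: dict, type_=b"SSD_UPDATE"):
    """Re-send a recorded exchange. Returns (network fooled?, mobile fooled?)."""
    fresh_rn = network.challenge()
    # The old mobile response was computed over the old RN, so the network rejects it.
    net_fooled = network.verify_mobile(type_, fresh_rn, old["cm"], old["resp1"]) is not None
    # The mobile has since incremented CM, so the old network response no longer matches.
    cm_now, _ = mobile.respond(type_, fresh_rn)
    mob_fooled = mobile.verify_network(type_, cm_now, old["resp2"])
    return net_fooled, mob_fooled
```

Note that the network never needs to remember CM: freshness on its side comes from RN, while the mobile's own counter is what stops an old network response from being accepted.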
The invention thus described may obviously be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications are intended to be included within the scope of the following claims.
It is noted that in relation to this date, the best method known by the applicant to carry out the aforementioned invention, is the conventional one for the manufacture of the objects to which it relates. Having described the invention as above, the content of the following is claimed as property.
Claims (22)
1. A method for authenticating a first shared user to a second shared user, characterized in that it comprises: (a) receiving a random number from the first shared user as a first interrogation signal; (b) incrementing a count value in response to receipt of the first interrogation signal; (c) generating a response of the first interrogation signal by developing a cryptographic key function (KCF) in the first interrogation signal and in the count value using a first key; (d) transferring the count value, as a second interrogation signal, and the response of the first interrogation signal to the first shared user; (e) receiving a response of the second interrogation signal from the first shared user, the response of the second interrogation signal resulting from developing the KCF in the second interrogation signal using the first key; and (f) verifying the first shared user based on the second interrogation signal and the response of the second interrogation signal.
2. The method of claim 1, characterized in that it further comprises, prior to step (c): generating the first key using a root key.
3. The method of claim 1, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the count value, and an identifier of the second shared user using the first key.
4. The method of claim 1, characterized in that it further comprises: (g) establishing a second key based on the first and second interrogation signals.
5. The method of claim 1, characterized in that step (a) receives a global interrogation signal as a first interrogation signal from the first shared user.
6. The method of claim 1, characterized in that the first shared user is a network of a wireless system and the second shared user is a mobile.
7. The method of claim 6, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the count value and the type data using the first key, the data type which indicates a type of protocol that is developed by the network and the mobile.
8. The method of claim 6, characterized in that step (c) generates the response of the first interrogation signal by developing the KCF in the first interrogation signal, the count value, an identifier of the mobile, and the type data used by the first key, the type data that indicates a type of protocol that is developed by the network and the mobile.
9. The method of claim 6, characterized in that it further comprises: (g) establishing a second key based on the first and second interrogation signals.
10. The method of claim 9, characterized in that the second key is one of the secret shared data and a session key.
11. The method of claim 6, characterized in that step (b) increments the count value using a bit counter greater than 64 bits and that was initialized using a random number.
12. A method for authenticating a first shared user to a second shared user, characterized in that it comprises: (a) issuing a random number as a first interrogation signal; (b) receiving a second interrogation signal and a response of the first interrogation signal from the first shared user, the second interrogation signal being a count value, and the response of the first interrogation signal being a result of developing a cryptographic key function (KCF) in the first interrogation signal and the count value using a first key; and (e) verifying the first shared user based on the first interrogation signal, the second interrogation signal, and the response of the first interrogation signal.
13. The method of claim 12, characterized in that it further comprises: (f) establishing a second key based on the first and second interrogation signals.
14. The method of claim 12, characterized in that step (a) outputs the first interrogation signal as a global interrogation signal.
15. The method of claim 12, characterized in that the first shared user is a mobile of a wireless system and the second shared user is a network.
16. The method of claim 15, characterized in that it further comprises: (f) establishing a second key based on the first and second interrogation signals.
17. The method of claim 16, characterized in that the second key is one of the secret shared data and a session key.
18. The method of claim 12, characterized in that it further comprises: (f) generating a response of the second interrogation signal by developing the KCF in the second interrogation signal using the first key; and (g) transferring the response of the second interrogation signal to the second shared user.
19. The method of claim 18, characterized in that step (f) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal and an identifier of the second shared user using the first key.
20. The method of claim 18, characterized in that the first shared user is a mobile of a wireless system and the second shared user is a network.
21. The method of claim 20, characterized in that step (f) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal and the type data using the first key, the type data indicating a type of protocol that is developed by the network and the mobile.
22. The method of claim 20, characterized in that step (f) generates the response of the second interrogation signal by developing the KCF in the second interrogation signal, an identifier of the network, and the type data using the first key, the type data indicating a type of protocol that is developed by the network and the mobile.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US127767 | 1998-07-31 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| MXPA99006930A true MXPA99006930A (en) | 2000-04-24 |