WO2004100592A1 - Authentication of a subscriber station - Google Patents

Authentication of a subscriber station Download PDF

Info

Publication number
WO2004100592A1
WO2004100592A1 PCT/FI2003/000364 FI0300364W WO2004100592A1 WO 2004100592 A1 WO2004100592 A1 WO 2004100592A1 FI 0300364 W FI0300364 W FI 0300364W WO 2004100592 A1 WO2004100592 A1 WO 2004100592A1
Authority
WO
WIPO (PCT)
Prior art keywords
subscriber station
authentication
input
received authentication
inputs
Prior art date
Application number
PCT/FI2003/000364
Other languages
French (fr)
Inventor
Teemu Asikainen
Lauri Pesonen
Petri Jehkonen
Original Assignee
Setec Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Setec Oy filed Critical Setec Oy
Priority to PCT/FI2003/000364 priority Critical patent/WO2004100592A1/en
Priority to AU2003227786A priority patent/AU2003227786A1/en
Priority to EP03725234A priority patent/EP1623592A1/en
Publication of WO2004100592A1 publication Critical patent/WO2004100592A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the present invention relates to authent eating a subscriber station in a telecommunications system, wherein the ident ty of the subscriber station is verified on the basis of a subscriber-station-spec ific secret key stored in the subscriber station.
  • the invention relates to a solution for identifying an authentication message generated by an external attacker.
  • authentication of a subscriber station is based on a challenge-response procedure.
  • a subscriber- station-specific secret key Ki and an authentication algorithm A3 have been stored in the SIM (Subscriber identity module) card of the subscriber station.
  • the subscriber-station-specific secret key Ki of the subscriber station and the corresponding authentication algorithm A3 have also been stored in an au- thentication centre of a GSM network.
  • a random number generator arranged in the authentication centre first generates a random number and transmits it to a counter as an input.
  • the counter computes a response SRES on the basis of the random number, authentication algorithm A3 and secret key Ki.
  • the authentication centre transmits the random number and the response SRES to a network element, which carries out the actual authentication, and which, as regards the GSM system, is a VLR (Visitor location register).
  • VLR Visitor location register
  • the visitor location register forwards the received random number to the subscriber station to be authenticated.
  • the subscriber station comprises a counter, which computes a response SRES based on the received random number, the secret key Ki of the subscriber station and the authentication algorithm A3, and the subscriber station transmits the response SRES to the VLR.
  • the VLR compares the response transmitted by the authentication centre with the response transmitted by the subscriber station. Since the secret key Ki stored in the memory of the subscriber station is subscriber-station-specific, there is only one subscriber station capable of generating a correct response to the input transmitted thereto. If the responses of the subscriber station and the authentication centre are identical, the subscriber station has been authenticated.
  • a drawback of the known authentication procedure described above is that it is possible for an external attacker, who desires to crack the secret key stored in the subscriber station, to try to crack the secret key by supplying different inputs to the subscriber station (or the SIM card thereof) again and again and by monitoring the responses being transmitted from the subscriber station.
  • the secret key Ki may be revealed on the basis of the collected data. If the external attacker cracks the key, he or she may be capable of cloning the subscriber station (or the SIM card) by pro- ducing a second subscriber station, which has an identical secret key, in which case the cloned subscriber station can be used for making calls, for which the owner of the original subscriber station is billed.
  • the above problem is solved in PCT/FI00/00907 such that the system generates authentication inputs comprising MACs (Message authentica- tion code).
  • the subscriber station checks the correctness of the received inputs and maintains a counter function to compute the number of inputs that are incorrect. When a predetermined limit value is exceeded, the subscriber station no longer provides correct responses to the inputs.
  • the problem with this solution is that it requires modifications in the network operator functions, since the system has to be able to generate authentication inputs comprising MACs.
  • An object of the present invention is to alleviate the above- mentioned problem and to provide an improved solution owing to which it is more difficult for an external attacker to crack a secret key of a subscriber sta- tion.
  • the objects of the invention are achieved with a method, a system, a subscriber station and a SIM card, characterized by what is stated in the independent claims.
  • the preferred embodiments of the invention are disclosed in the dependent claims.
  • the underlying idea of the invention is that when an authentication input is received in a subscriber station, the randomness thereof is evaluated. According to the invention, the evaluation of the randomness of a received input is performed utilizing information of one or more inputs received earlier by the subscriber station. If, based on the evaluation, the received input cannot be considered as a random input, it may be a sign of a try to crack the secret key of the subscriber station. The subscriber station is thus able to identify inputs, which may originate from an external attacker.
  • the advantage of the invention is that it can with slight changes be applied to existing systems.
  • the invention can be directly implemented in the SIM card, which means that mobile stations can right from the start be provided with SIM cards capable of checking the randomness of the inputs according to the invention. It is not necessary to change the operation of the network elements, and no changes are required on the subscriber station/network interfaces either.
  • FIG. 1 is a simplified block diagram illustrating the system of the invention
  • Figure 2 illustrates the signaling of the invention
  • Figure 3 is a simplified flow diagram illustrating the method of the invention.
  • the present invention is applicable to any communication system utilizing a random number as a challenge.
  • embodiments of the invention will be described as implemented in the GSM system without limiting the invention to that particular system.
  • Figure 1 shows a simplified block diagram of the system S of the invention, showing only the components that are essential to illustrate the inven- tion, even though those skilled in the art naturally know that a general mobile communication system also comprises other functions and structures, which do not have to be described in more detail herein.
  • a majority of the authentication equipment of the network N is arranged in a special authentication centre AC, which, in connection with the GSM system, may be located in connection with a home location register (HLR), for example.
  • HLR home location register
  • a GSM system also comprises a mobile services switching centre MSC which enables the communication between the network elements, such as the HLR and the VLR, and the subscriber station MS.
  • the subscriber station MS i.e. the mobile station
  • the subscriber station MS can be a simplified terminal intended only for speech, or it can be a terminal intended for multiple services operating as a service platform and supporting the loading and execution of different service-related functions.
  • the subscriber station MS comprises the actual mobile equipment and an associated (usually removable) identification card SIM (not shown).
  • the subscriber identity module SIM is a smart card comprising the subscriber identity, executing authentication algorithms and storing authentication and encryption keys and subscriber data needed at the subscriber station.
  • the mobile equipment is a radio terminal used for radio communication between the subscriber station MS and the network N.
  • the mobile equipment can be any equipment or a combination of several different equipment capable of communicating in a communication system.
  • the blocks shown in the block diagram of Figure 1 may comprise electronic circuits or, alternatively, one or more blocks may be implemented by software. Hence, no two separate counters, for example, are necessary at the subscriber station, but the counters can be implemented, for example, by one processor and computer program in a manner known per se.
  • the subscriber station MS is authenticated by a visitor location register VLR such that the VLR receives from the authentication centre AC an input RAND and response SRES enabling the VLR to authenticate the subscriber station MS.
  • the authentication centre AC comprises a first counter for generating a random number RAND.
  • the authentication centre AC also comprises a memory with the secret key Ki stored therein of all those sub- scriber stations, in the authentication of which the authentication centre participates.
  • the authentication centre can be operator-specific, in which case all secret keys of the subscriber stations of the operator have been stored in the memory of the authentication centre.
  • FIG. 2 illustrates the successful signaling of the invention when no external attacker is detected.
  • the authentication centre AC supplies in step 2-1 the secret key Ki of the subscriber station retrieved from the memory and the input RAND produced by the first counter to a second counter.
  • the second counter computes a response SRES on the basis of the secret key Ki, input RAND and authentication algorithm A3.
  • the authentication centre AC transmits the input RAND and response SRES to the VLR.
  • the VLR stores the response SRES such that it will be available later for a comparing function.
  • the VLR transmits in the message 2-4 the input RAND received from the authentication centre to the subscriber station MS.
  • a comparing unit is activated in the subscriber station
  • the comparing unit evaluates the last received input based on the information of authentication inputs received earlier by the subscriber station.
  • the information of the earlier received authentication inputs comprises samples of earlier inputs that may have been manipulated in an ap-litiste statistical manner.
  • the comparing unit evaluates if the latest input resembles the information of earlier inputs, and concludes, on the basis of the evaluation, whether the latest input is random or not.
  • the evaluation may be performed utilizing information of randomly selected earlier inputs. An appearance of a non-random authentication input might be a sign of somebody trying to crack the secret key of the subscriber station.
  • the MS manipulates the latest input in an appropriate statistical manner with the information of earlier inputs and may store the information such that it is available for later authentications. There may be a predetermined time for how long the information of a received input will be stored. The time for storing the information may also be selected randomly so that the attacker cannot conclude when it would be worthwhile to try to attack again.
  • the comparing unit of the MS If the comparing unit of the MS considers the latest input as a random input, it activates a third counter to compute a response to the input RAND.
  • the third counter computes the response SRES on the basis of the input RAND, the subscriber-station-specific secret key Ki stored in a memory of the MS and the authentication algorithm A3.
  • the algorithm is the same algorithm A3 and the parameters are the same parameters as the second counter of the authentication centre AC used.
  • the subscriber station MS produces the response SRES, which is transmitted to the VLR in the message 2-6.
  • the response produced by the MS is supposed to correspond to the response SRES transmitted by the authentication centre AC. If the comparing function of the VLR detects in step 2-7 that the responses are identical, it is concluded that the subscriber station MS has been authenticated. If, on the other hand, the comparing unit of the MS indicated in step
  • the subscriber station can be programmed to operate such that cracking the secret key is made significantly more difficult when the subscriber station has identified an input originating from an external attacker.
  • the subscriber station produces and forwards an input only if the subscriber station has checked the input and concluded that the input is random.
  • a control unit of the MS interrupts the process for authenticating the subscriber station such that no response will be transmitted by the MS. Consequently, it is more difficult to crack the secret key since an external attacker cannot continue sending inputs and monitoring what kind of a response each input induces.
  • the subscriber station computes and forwards a false response such as a random response if it detects that the received input is not random.
  • the random response herein refers to any response resembling a correct one.
  • the random response may be computed by another algorithm than the authentication algorithm.
  • the random response may be computed by the authentication algorithm but, instead of the secret key of the subscriber station, the computation utilizes an- other key, which is a "pseudo key", or, alternatively, the random response may comprise a random number generated by a random number generator. The point is that the response is not computed by the authentication algorithm A3, secret key Ki and input RAND.
  • the external attacker would be provided with the real response to the supplied input, which might assist in cracking the secret key.
  • the idea is that the random response resembles a real response such that an external attacker does not, on the basis of the length of the response, for example, know that the random response is not a real response provided with an authentication algorithm and a secret key. If, on the other hand, the external attacker is provided with a random response resembling the real response, the external attacker will not know that the response is an incorrect one.
  • the subscriber station maintains a counter function to compute the number of inputs that are non- random.
  • the subscriber station locks itself such that it no longer provides a correct response to the input.
  • the subscriber station can thus produce and forward a response, which is either correct or incorrect regardless of whether the input is random until the counter function indicates that the maximum number of non-random inputs is exceeded, whereby the authentication function of the subscriber station is locked.
  • the locking may take place either such that the subscriber station no longer provides any responses or, alternatively, in order to mislead the attacker, the subscriber station may continue by producing incorrect responses only, such as random responses.
  • FIG. 3 is a flow diagram illustrating the method of the invention when an external attacker is detected.
  • step 3-1 an authentication message comprising a non-random input RAND is received in the MS.
  • the processing of the authentication message is interrupted in step 3-2. No response will then be transmitted to the authentication message.
  • a notification of interrupting the process may be forwarded in step 3-3, but this is not mandated by the invention. Consequently, the external attacker receives no response to the input, which means that the attacker is unable to collect responses and use them for cracking the secret key.
  • a random response is produced to the input in step 3-4 and forwarded to the sender of the input in step 3-5.
  • the random response can be any response which resembles a real response and which has not been computed in a similar manner as the real response. Consequently, the random response can be directly produced by a random number generator, or it can be computed from the input by utilizing a suitable algorithm and input. The external attacker will thus receive an incorrect response, however without knowing this.
  • a predetermined variable Cmax indicating the highest allowed number of non-random inputs has been stored in the subscriber station (or the SIM card thereof).
  • a variable C to keep a record of received non-random inputs is set to a predetermined initial value.
  • the authentication functions thereof When the counter function of the subscriber station reaches a predetermined limit value, the authentication functions thereof will be locked such that the subscriber station no longer provides correct responses.
  • the subscriber sta- tion is one of the kind, in which the authentication functions are arranged on the SIM card, such as a GSM mobile station, the subscriber station must next be provided with a new SIM card to replace the locked one.
  • the various embodiments of the invention may be carried out simultaneously or they may be mutually exclusive.
  • the signalling messages and steps shown in Figures 2 and 3 are not in an absolute chronological order, and they can be executed in a different order from the given one.
  • Other signalling messages can be transmitted and/or other functions can be carried out between the messages and/or steps.
  • the signalling messages are only examples and can include only some of the aforementioned information.
  • the messages can also include other information.

Abstract

The invention relates to a method for identifying authentication messages that have been generated by external attackers. According to the method, when a subscriber station receives an authentication input (2-4), it compares (2-5) the received authentication input with information of earlier-received authentication inputs. The subscriber station evaluates (2-5) the randomness of the received authentication input utilizing the information of earlier-received authentication inputs. If the subscriber station finds the new input random, it responds (2-6) to it in a usual manner. If the subscriber station finds the input non-random it concludes that the input has been generated by an external attacker trying to crack the secret key of the subscriber station. In such a case the subscriber station may lock the authentication process and/or it may generate a false response.

Description

AUTHENTICATION OF A SUBSCRIBER STATION
FIELD OF THE INVENTION
The present invention relates to authent eating a subscriber station in a telecommunications system, wherein the ident ty of the subscriber station is verified on the basis of a subscriber-station-spec ific secret key stored in the subscriber station. In particular the invention relates to a solution for identifying an authentication message generated by an external attacker.
BACKGROUND OF THE INVENTION
In the GSM system, authentication of a subscriber station is based on a challenge-response procedure. For the authentication, a subscriber- station-specific secret key Ki and an authentication algorithm A3 have been stored in the SIM (Subscriber identity module) card of the subscriber station. The subscriber-station-specific secret key Ki of the subscriber station and the corresponding authentication algorithm A3 have also been stored in an au- thentication centre of a GSM network. In order to carry out the authentication, a random number generator arranged in the authentication centre first generates a random number and transmits it to a counter as an input. Next, the counter computes a response SRES on the basis of the random number, authentication algorithm A3 and secret key Ki. The authentication centre then transmits the random number and the response SRES to a network element, which carries out the actual authentication, and which, as regards the GSM system, is a VLR (Visitor location register).
The visitor location register forwards the received random number to the subscriber station to be authenticated. The subscriber station comprises a counter, which computes a response SRES based on the received random number, the secret key Ki of the subscriber station and the authentication algorithm A3, and the subscriber station transmits the response SRES to the VLR. The VLR then compares the response transmitted by the authentication centre with the response transmitted by the subscriber station. Since the secret key Ki stored in the memory of the subscriber station is subscriber-station-specific, there is only one subscriber station capable of generating a correct response to the input transmitted thereto. If the responses of the subscriber station and the authentication centre are identical, the subscriber station has been authenticated. A drawback of the known authentication procedure described above is that it is possible for an external attacker, who desires to crack the secret key stored in the subscriber station, to try to crack the secret key by supplying different inputs to the subscriber station (or the SIM card thereof) again and again and by monitoring the responses being transmitted from the subscriber station. When this procedure is repeated frequently enough and statistics is collected about the inputs and responses, the secret key Ki may be revealed on the basis of the collected data. If the external attacker cracks the key, he or she may be capable of cloning the subscriber station (or the SIM card) by pro- ducing a second subscriber station, which has an identical secret key, in which case the cloned subscriber station can be used for making calls, for which the owner of the original subscriber station is billed.
The above problem is solved in PCT/FI00/00907 such that the system generates authentication inputs comprising MACs (Message authentica- tion code). The subscriber station checks the correctness of the received inputs and maintains a counter function to compute the number of inputs that are incorrect. When a predetermined limit value is exceeded, the subscriber station no longer provides correct responses to the inputs. The problem with this solution is that it requires modifications in the network operator functions, since the system has to be able to generate authentication inputs comprising MACs.
BRIEF DESCRIPTION OF THE INVENTION
An object of the present invention is to alleviate the above- mentioned problem and to provide an improved solution owing to which it is more difficult for an external attacker to crack a secret key of a subscriber sta- tion. The objects of the invention are achieved with a method, a system, a subscriber station and a SIM card, characterized by what is stated in the independent claims. The preferred embodiments of the invention are disclosed in the dependent claims.
The underlying idea of the invention is that when an authentication input is received in a subscriber station, the randomness thereof is evaluated. According to the invention, the evaluation of the randomness of a received input is performed utilizing information of one or more inputs received earlier by the subscriber station. If, based on the evaluation, the received input cannot be considered as a random input, it may be a sign of a try to crack the secret key of the subscriber station. The subscriber station is thus able to identify inputs, which may originate from an external attacker.
The advantage of the invention is that it can with slight changes be applied to existing systems. In the GSM system, for example, the invention can be directly implemented in the SIM card, which means that mobile stations can right from the start be provided with SIM cards capable of checking the randomness of the inputs according to the invention. It is not necessary to change the operation of the network elements, and no changes are required on the subscriber station/network interfaces either.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following, the invention will be described in closer detail with reference to the accompanying drawings, in which
Figure 1 is a simplified block diagram illustrating the system of the invention, Figure 2 illustrates the signaling of the invention,
Figure 3 is a simplified flow diagram illustrating the method of the invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention is applicable to any communication system utilizing a random number as a challenge. In the following, embodiments of the invention will be described as implemented in the GSM system without limiting the invention to that particular system.
Figure 1 shows a simplified block diagram of the system S of the invention, showing only the components that are essential to illustrate the inven- tion, even though those skilled in the art naturally know that a general mobile communication system also comprises other functions and structures, which do not have to be described in more detail herein.
Referring to Figure 1 , in a mobile system, such as the GSM system, a majority of the authentication equipment of the network N is arranged in a special authentication centre AC, which, in connection with the GSM system, may be located in connection with a home location register (HLR), for example.
A GSM system also comprises a mobile services switching centre MSC which enables the communication between the network elements, such as the HLR and the VLR, and the subscriber station MS. The subscriber station MS (i.e. the mobile station) can be a simplified terminal intended only for speech, or it can be a terminal intended for multiple services operating as a service platform and supporting the loading and execution of different service-related functions. The subscriber station MS comprises the actual mobile equipment and an associated (usually removable) identification card SIM (not shown). The subscriber identity module SIM is a smart card comprising the subscriber identity, executing authentication algorithms and storing authentication and encryption keys and subscriber data needed at the subscriber station. The mobile equipment is a radio terminal used for radio communication between the subscriber station MS and the network N. The mobile equipment can be any equipment or a combination of several different equipment capable of communicating in a communication system.
The blocks shown in the block diagram of Figure 1 may comprise electronic circuits or, alternatively, one or more blocks may be implemented by software. Hence, no two separate counters, for example, are necessary at the subscriber station, but the counters can be implemented, for example, by one processor and computer program in a manner known per se.
In the GSM system, the subscriber station MS is authenticated by a visitor location register VLR such that the VLR receives from the authentication centre AC an input RAND and response SRES enabling the VLR to authenticate the subscriber station MS. The authentication centre AC comprises a first counter for generating a random number RAND. The authentication centre AC also comprises a memory with the secret key Ki stored therein of all those sub- scriber stations, in the authentication of which the authentication centre participates. In practice, the authentication centre can be operator-specific, in which case all secret keys of the subscriber stations of the operator have been stored in the memory of the authentication centre.
Figure 2 illustrates the successful signaling of the invention when no external attacker is detected. Referring to Figure 2, the authentication centre AC supplies in step 2-1 the secret key Ki of the subscriber station retrieved from the memory and the input RAND produced by the first counter to a second counter. The second counter computes a response SRES on the basis of the secret key Ki, input RAND and authentication algorithm A3. In the message 2-2, the authentication centre AC transmits the input RAND and response SRES to the VLR. In step 2-3 the VLR stores the response SRES such that it will be available later for a comparing function. In order to authenticate the subscriber station MS, the VLR transmits in the message 2-4 the input RAND received from the authentication centre to the subscriber station MS. In step 2-5, a comparing unit is activated in the subscriber station
MS. According to the invention, the comparing unit evaluates the last received input based on the information of authentication inputs received earlier by the subscriber station. The information of the earlier received authentication inputs comprises samples of earlier inputs that may have been manipulated in an ap- propriate statistical manner. The comparing unit evaluates if the latest input resembles the information of earlier inputs, and concludes, on the basis of the evaluation, whether the latest input is random or not. The evaluation may be performed utilizing information of randomly selected earlier inputs. An appearance of a non-random authentication input might be a sign of somebody trying to crack the secret key of the subscriber station.
In step 2-5, the MS manipulates the latest input in an appropriate statistical manner with the information of earlier inputs and may store the information such that it is available for later authentications. There may be a predetermined time for how long the information of a received input will be stored. The time for storing the information may also be selected randomly so that the attacker cannot conclude when it would be worthwhile to try to attack again.
If the comparing unit of the MS considers the latest input as a random input, it activates a third counter to compute a response to the input RAND. The third counter computes the response SRES on the basis of the input RAND, the subscriber-station-specific secret key Ki stored in a memory of the MS and the authentication algorithm A3. The algorithm is the same algorithm A3 and the parameters are the same parameters as the second counter of the authentication centre AC used. The subscriber station MS produces the response SRES, which is transmitted to the VLR in the message 2-6. The response produced by the MS is supposed to correspond to the response SRES transmitted by the authentication centre AC. If the comparing function of the VLR detects in step 2-7 that the responses are identical, it is concluded that the subscriber station MS has been authenticated. If, on the other hand, the comparing unit of the MS indicated in step
2-5 that the input RAND is not random, the input has most likely been supplied by an external attacker, not by an authorized VLR or equivalent. According to the embodiments of the invention, the subscriber station can be programmed to operate such that cracking the secret key is made significantly more difficult when the subscriber station has identified an input originating from an external attacker.
In one embodiment of the invention, the subscriber station produces and forwards an input only if the subscriber station has checked the input and concluded that the input is random. A control unit of the MS interrupts the process for authenticating the subscriber station such that no response will be transmitted by the MS. Consequently, it is more difficult to crack the secret key since an external attacker cannot continue sending inputs and monitoring what kind of a response each input induces.
In another embodiment of the invention, the subscriber station computes and forwards a false response such as a random response if it detects that the received input is not random. The random response herein refers to any response resembling a correct one. The random response may be computed by another algorithm than the authentication algorithm. Alternatively, the random response may be computed by the authentication algorithm but, instead of the secret key of the subscriber station, the computation utilizes an- other key, which is a "pseudo key", or, alternatively, the random response may comprise a random number generated by a random number generator. The point is that the response is not computed by the authentication algorithm A3, secret key Ki and input RAND. If this were the case, the external attacker would be provided with the real response to the supplied input, which might assist in cracking the secret key. The idea is that the random response resembles a real response such that an external attacker does not, on the basis of the length of the response, for example, know that the random response is not a real response provided with an authentication algorithm and a secret key. If, on the other hand, the external attacker is provided with a random response resembling the real response, the external attacker will not know that the response is an incorrect one.
In yet another embodiment of the invention, the subscriber station maintains a counter function to compute the number of inputs that are non- random. In such a case, when a predetermined limit value is exceeded, the subscriber station locks itself such that it no longer provides a correct response to the input. In this embodiment, the subscriber station can thus produce and forward a response, which is either correct or incorrect regardless of whether the input is random until the counter function indicates that the maximum number of non-random inputs is exceeded, whereby the authentication function of the subscriber station is locked. The locking may take place either such that the subscriber station no longer provides any responses or, alternatively, in order to mislead the attacker, the subscriber station may continue by producing incorrect responses only, such as random responses.
Figure 3 is a flow diagram illustrating the method of the invention when an external attacker is detected. In step 3-1 , an authentication message comprising a non-random input RAND is received in the MS.
According to the first embodiment of the invention, if it is detected that the input is not random, the processing of the authentication message is interrupted in step 3-2. No response will then be transmitted to the authentication message. A notification of interrupting the process may be forwarded in step 3-3, but this is not mandated by the invention. Consequently, the external attacker receives no response to the input, which means that the attacker is unable to collect responses and use them for cracking the secret key.
According to the second embodiment of the invention, if it is detected that the input is not random, a random response is produced to the input in step 3-4 and forwarded to the sender of the input in step 3-5. The random response can be any response which resembles a real response and which has not been computed in a similar manner as the real response. Consequently, the random response can be directly produced by a random number generator, or it can be computed from the input by utilizing a suitable algorithm and input. The external attacker will thus receive an incorrect response, however without knowing this.
According to the third embodiment of the invention, a predetermined variable Cmax indicating the highest allowed number of non-random inputs has been stored in the subscriber station (or the SIM card thereof). In addition, a variable C to keep a record of received non-random inputs is set to a predetermined initial value. In this embodiment it is checked in step 3-2 whether or not variable C utilized by a fourth counter function has reached the limit value Cmax. If so, this means that the highest allowed number of received non- random inputs Cmax has already been reached, which means that the authen- tication process is interrupted as described above in steps 3-2 and 3-3 or a false response is created as described above in steps 3-4 and 3-5. Otherwise, the process proceeds according to steps 2-5, 2-6 and 2-7 of Figure 2. When the counter function of the subscriber station reaches a predetermined limit value, the authentication functions thereof will be locked such that the subscriber station no longer provides correct responses. When the subscriber sta- tion is one of the kind, in which the authentication functions are arranged on the SIM card, such as a GSM mobile station, the subscriber station must next be provided with a new SIM card to replace the locked one.
The various embodiments of the invention may be carried out simultaneously or they may be mutually exclusive. The signalling messages and steps shown in Figures 2 and 3 are not in an absolute chronological order, and they can be executed in a different order from the given one. Other signalling messages can be transmitted and/or other functions can be carried out between the messages and/or steps. The signalling messages are only examples and can include only some of the aforementioned information. The messages can also include other information.
It is possible that necessary parts for checking the inputs and/or producing a response in connection with authentication are arranged in the SIM card or in the subscriber station or both. The invention is also applicable to a system comprising no SIM cards at all. It is to be understood that the above description and the related drawings are only intended to illustrate the present invention. It is obvious to one skilled in the art that the invention can be modified in various ways without deviating from the scope and spirit of the invention disclosed in the attached claims.

Claims

1. A method for identifying authentication messages generated by external attackers, the method comprising receiving authentication inputs in a subscriber station (MS), the method being characterized by evaluating the randomness of a received authentication input utilizing information of earlier-received authentication inputs; and responding in a usual manner to the received authentication input if it is found random.
2. A method as claimed in claim 1, characterized by evalu- ating the randomness of a received authentication input utilizing information of randomly selected earlier-received authentication inputs.
3. A method as claimed in claim 1 or 2, characterized by locking the authentication process if the received authentication input is found non-random.
4. A method as claimed in claim 1,2 or 3, characterized by sending a false response to the received authentication input if it is found non- random.
5. A method as claimed in any of the previous claims 1 -^characterized by storing information of at least some of the received authenti- cation inputs.
6. A telecommunications system comprising at least one subscriber station (MS) arranged to receive authentication inputs, characterized in that the system is configured to evaluate the randomness of a received authentication input utilizing information of earlier-received authentication inputs; and respond in a usual manner to the received authentication input if it is found random.
7. A subscriber station being arranged to receive authentication inputs, characterized in that the subscriber station is arranged to evaluate the randomness of a received authentication input utilizing information of earlier-received authentication inputs; and respond in a usual manner to the received authentication input if it is found random.
8. A SIM card being arranged to receive authentication inputs, characterized in that the SIM card is arranged to evaluate the randomness of a received authentication input utilizing information of earlier-received authentication inputs; and respond in a usual manner to the received authentication input if it is found random.
9. A SIM card as claimed in claim 8, characterized in that it is arranged to evaluate the randomness of a received authentication input utilizing information of randomly selected earlier-received authentication inputs.
10. A SIM card as claimed in claim 8 or 9, characterized in that it is arranged to lock the authentication process if the received authentica- tion input is found non-random.
11. A SIM card as claimed in claim 8, 9 or 10, characterized in that it is arranged to send a false response to the received authentication input if it is found non-random.
12. A SIM card as claimed in any of the previous claims 8 - 11, characterized in that it is arranged to store information of at least some of the received authentication inputs.
PCT/FI2003/000364 2003-05-12 2003-05-12 Authentication of a subscriber station WO2004100592A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/FI2003/000364 WO2004100592A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station
AU2003227786A AU2003227786A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station
EP03725234A EP1623592A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2003/000364 WO2004100592A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station

Publications (1)

Publication Number Publication Date
WO2004100592A1 true WO2004100592A1 (en) 2004-11-18

Family

ID=33427392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2003/000364 WO2004100592A1 (en) 2003-05-12 2003-05-12 Authentication of a subscriber station

Country Status (3)

Country Link
EP (1) EP1623592A1 (en)
AU (1) AU2003227786A1 (en)
WO (1) WO2004100592A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101998400A (en) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 Authentication random number detection method and SIM (Subscriber Identity Module) card
US8231752B2 (en) 2005-11-14 2012-07-31 Cummins Filtration Ip Inc. Method and apparatus for making filter element, including multi-characteristic filter element

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001030104A1 (en) 1999-10-19 2001-04-26 Setec Oy Authentication of subscriber station
WO2001089253A1 (en) * 2000-05-18 2001-11-22 Ico Services Ltd. Connection authentication in a mobile network
WO2002013568A1 (en) * 2000-08-03 2002-02-14 Orange Personal Communications Services Limited Authentication in a mobile communications network
US20030003895A1 (en) * 2001-05-11 2003-01-02 Telefonaktiebolaget Lm Ericsson (Publ). Authentication of termination messages in telecommunications system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001030104A1 (en) 1999-10-19 2001-04-26 Setec Oy Authentication of subscriber station
US20020180583A1 (en) * 1999-10-19 2002-12-05 Setec Oy Authentication of subscriber station
WO2001089253A1 (en) * 2000-05-18 2001-11-22 Ico Services Ltd. Connection authentication in a mobile network
WO2002013568A1 (en) * 2000-08-03 2002-02-14 Orange Personal Communications Services Limited Authentication in a mobile communications network
US20030003895A1 (en) * 2001-05-11 2003-01-02 Telefonaktiebolaget Lm Ericsson (Publ). Authentication of termination messages in telecommunications system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8231752B2 (en) 2005-11-14 2012-07-31 Cummins Filtration Ip Inc. Method and apparatus for making filter element, including multi-characteristic filter element
CN101998400A (en) * 2009-08-12 2011-03-30 中国移动通信集团天津有限公司 Authentication random number detection method and SIM (Subscriber Identity Module) card

Also Published As

Publication number Publication date
EP1623592A1 (en) 2006-02-08
AU2003227786A1 (en) 2004-11-26

Similar Documents

Publication Publication Date Title
EP2385661B1 (en) Authentication in a mobile communications network
US6427073B1 (en) Preventing misuse of a copied subscriber identity in a mobile communication system
JP4263384B2 (en) Improved method for authentication of user subscription identification module
US7773973B2 (en) Method for authentication between a mobile station and a network
US8689309B2 (en) Authentication token for identifying a cloning attack onto such authentication token
US6711400B1 (en) Authentication method
US20070293192A9 (en) Identification of a terminal to a server
US7000117B2 (en) Method and device for authenticating locally-stored program code
US20020180583A1 (en) Authentication of subscriber station
EP2718885A1 (en) Transaction authorisation
CN101909279B (en) Be applied to the method for authenticating of video monitoring of mobile phone
EP1680940B1 (en) Method of user authentication
CN100499900C (en) Method for authentication of access of wireless communication terminal
CN109587683B (en) Method and system for preventing short message from being monitored, application program and terminal information database
WO2000024218A1 (en) A method and a system for authentication
CN111246464B (en) Identity authentication method, device and system, and computer readable storage medium
EP1623592A1 (en) Authentication of a subscriber station
CN109379744B (en) Pseudo base station identification method and device and communication terminal
KR101713395B1 (en) Communication Terminal Certification Processing System, Communication Terminal, Server and Certification Processing Method
CN114282230A (en) Data processing method, device and equipment and computer storage medium
KR100606147B1 (en) Method For Safely Drawing from Bank Using Mobile Terminal
WO2013007139A1 (en) Authentication method and home location register
WO2013095168A1 (en) Method for transmitting a one-time code in an alphanumeric form

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2003725234

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2003725234

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP