1. Field of the Invention
The present invention relates to a password protocol and to a method for establishing a key using over-the-air communication which, in one embodiment, employs the password protocol.
2. Description of Related Art
In a wireless communication system, the handsets, often called mobiles, purchased by mobile users are typically taken to a network service provider, and long keys and parameters are entered into the handset to activate service. The network of the service provider also maintains, and associates with the mobile, a copy of the long keys and parameters for the mobile. As is well-known, based on these long keys and parameters, information can be securely transferred between the network and the mobile over the air.
Alternatively, the user receives long keys from the service provider over a secure communication channel, like a telephone/land line, and must manually enter these codes into the mobile.
Because the transfer of the long keys and parameters is performed via a telephone/land line or at the network service provider as opposed to over the air, the transfer is secure against over-the-air attacks. However, this method of securely transferring information places certain burdens and restrictions on the mobile user. Preferably, the mobile user should be able to buy a handset and then get service from any service provider without physically taking the handset to the provider's location or having to manually, and without error, enter long keys into the mobile. The capability to activate and provision the mobile remotely is part of the North American wireless standards, and is referred to as "over the air service provisioning" (OTASP).
Currently, the North American Cellular standard IS41-C specifies an OTASP protocol using the well-known Diffie-Hellman (DH) key agreement for establishing a secret key between two parties. FIG. 1 illustrates the application of the DH key agreement to establishing a secret key between a mobile 20 and a network 10 as used in IS41-C. Namely, FIG. 1 shows, in a simplified form for clarity, the communication between a network 10 and a mobile 20 according to the DH key agreement. As used herein, the term network refers to the authentication centers, home location registers, visiting location registers, mobile switching centers, and base stations operated by a network service provider.
The network 10 generates a random number R_N, and calculates (g^R_N mod p). As shown in FIG. 1, the network 10 sends a 512-bit prime number p, the generator g of the group generated by the prime number p, and (g^R_N mod p) to the mobile 20. Next, the mobile 20 generates a random number R_M, calculates (g^R_M mod p), and sends (g^R_M mod p) to the network 10.
The mobile 20 raises the received (g^R_N mod p) from the network 10 to the power R_M to obtain (g^(R_M R_N) mod p). The network 10 raises the received (g^R_M mod p) from the mobile 20 to the power R_N to also obtain (g^(R_M R_N) mod p). Both the mobile 20 and the network 10 obtain the same result, and establish the 64 least significant bits as the long-lived key called the A-key. The A-key serves as a root key for deriving other keys used in securing the communication between the mobile 20 and the network 10.
One of the problems with the DH key exchange is that it is unauthenticated and susceptible to a man-in-the-middle attack. For instance, in the above mobile-network two party example, an attacker can impersonate the network 10 and then in turn impersonate the mobile 20 to the network 10. This way the attacker can select and know the A-key as it relays messages between the mobile 20 and the network 10 to satisfy the authorization requirements. The DH key exchange is also susceptible to off-line dictionary attacks.
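The FIG. 1 exchange, written out with both parties' steps, as an added illustration that is not code from the patent or from the IS41-C standard. The group parameters are assumptions: the text specifies a 512-bit prime p, while this example uses the much smaller known prime 2^127 - 1 and a fixed base g = 3 so the values stay readable; the 64-bit A-key truncation follows the text. Note in dh_exchange that the two over-the-air messages carry nothing that ties them to a particular peer, which is the unauthenticated property the paragraph above describes.

```python
"""Diffie-Hellman A-key agreement as described for IS41-C OTASP (FIG. 1).

Added illustration; not the patent's code and not any standard's. The
parameters below are assumptions: the text calls for a 512-bit prime, but a
small known prime keeps the example readable. Randomness comes from secrets.
"""
import secrets

# Assumed demonstration parameters (the standard would carry a 512-bit p).
P = 2**127 - 1   # Mersenne prime M127, known to be prime
G = 3            # fixed base for the exponentiation (assumption)

A_KEY_BITS = 64  # the text takes the 64 least significant bits as the A-key


def generate_private(p: int) -> int:
    """Pick a random exponent R in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def public_value(g: int, r: int, p: int) -> int:
    """Compute g^R mod p, the value each party sends over the air."""
    return pow(g, r, p)


def shared_secret(peer_public: int, r: int, p: int) -> int:
    """Raise the peer's g^R' mod p to our own exponent, giving g^(R R') mod p."""
    return pow(peer_public, r, p)


def a_key_from_secret(secret: int, bits: int = A_KEY_BITS) -> int:
    """Take the `bits` least significant bits of the shared secret as the A-key."""
    return secret & ((1 << bits) - 1)


def dh_exchange(p: int = P, g: int = G) -> dict:
    """Run the FIG. 1 exchange between a simulated network and mobile.

    Returns both parties' view of the A-key so a caller can confirm they match.
    Nothing in either message authenticates its sender: each side simply
    trusts that the value it received came from the intended peer.
    """
    # Network: generates R_N and sends p, g and g^R_N mod p to the mobile.
    r_n = generate_private(p)
    net_pub = public_value(g, r_n, p)

    # Mobile: generates R_M and replies with g^R_M mod p.
    r_m = generate_private(p)
    mob_pub = public_value(g, r_m, p)

    # Each side raises the value it received to its own exponent.
    net_secret = shared_secret(mob_pub, r_n, p)
    mob_secret = shared_secret(net_pub, r_m, p)

    return {
        "network_a_key": a_key_from_secret(net_secret),
        "mobile_a_key": a_key_from_secret(mob_secret),
    }


if __name__ == "__main__":
    result = dh_exchange()
    print("network A-key: %016x" % result["network_a_key"])
    print("mobile  A-key: %016x" % result["mobile_a_key"])
```

Because pow() with three arguments performs modular exponentiation directly, the same functions work unchanged with a real 512-bit prime; only the constants above would differ.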
Another well-known protocol for protecting the over-the-air transfer of information, such as the A-key, is the Diffie-Hellman Encrypted Key Exchange (DH-EKE). DH-EKE is a password-based protocol for exchanging information, and assumes that both the mobile user and the network service provider have established a password prior to the over-the-air transfer. Unlike the DH key exchange system discussed with respect to FIG. 1, the DH-EKE protects against man-in-the-middle attacks and off-line dictionary attacks.
The DH-EKE will be described with respect to FIG. 2, which illustrates the communication between the mobile 20 and the network 10 according to the DH-EKE protocol. As shown, the mobile 20 sends a 512-bit prime number p and the generator g to the network 10 along with (g^R_M mod p) encrypted according to an encryption/decryption algorithm ENC using the password P, known to the mobile user and the network 10, as the encryption key. This calculation is represented as ENC_P(g^R_M mod p). The network 10 decrypts (g^R_M mod p) using the password P, and calculates (g^R_M mod p)^R_N, which equals (g^(R_M R_N) mod p). The network 10 selects (g^(R_M R_N) mod p), a hash of this value, or some portion thereof as a session key SK.
The network 10 then sends (g^R_N mod p) encrypted according to ENC using the password P and a random number R_N' encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts (g^R_N mod p) using the password P, and calculates (g^R_N mod p)^R_M, which equals (g^(R_M R_N) mod p). Then, the mobile 20 selects (g^(R_M R_N) mod p), the hash thereof, or a portion thereof, as did the network 10, as the session key SK. Using the session key SK, the mobile 20 then decrypts R_N'.
Next, the mobile 20 generates a random number R_M', encrypts the random numbers R_M' and R_N' according to ENC using the session key SK, and sends the encrypted random numbers R_N' and R_M' to the network 10. The network 10 decrypts the random numbers R_N' and R_M' using the session key SK, and determines whether the decrypted version of R_N' equals the version of R_N' originally sent to the mobile 20. The session key SK is verified by the network 10 when the decrypted version of R_N' equals the version of R_N' originally sent to the mobile 20.
The network 10 then sends the random number R_M' encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts the random number R_M' using the session key SK, and determines whether the decrypted version of R_M' equals the version of R_M' originally sent to the network 10. The session key SK is verified by the mobile 20 when the decrypted version of R_M' equals the version of R_M' originally sent to the network 10.
Once the network 10 and the mobile 20 have verified the session key SK, the session key SK is used as the A-key, and communication between the mobile 20 and the network 10 is reconfigured using the A-key.
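The four-message FIG. 2 exchange with both sides' processing and both key-confirmation checks, as an added illustration that is not the patent's code and not any standard's. The text does not name ENC, so a keyed SHA-256 counter keystream XOR stands in for it; the session key SK is taken as the SHA-256 hash of g^(R_M R_N) mod p (one of the choices the text allows); the prime is the small known prime 2^127 - 1 rather than 512 bits, with g = 3. All of these are assumptions of the example. The function accepts the mobile's and the network's password separately so that the failure path, where the two copies of P differ and the R_N' check on the network side fails, can be exercised as well as the success path.

```python
"""DH-EKE session key establishment as described with respect to FIG. 2.

Added illustration; not the patent's code and not any standard's.
Assumptions: ENC is modelled by a SHA-256 counter keystream XOR (the text
does not name the algorithm); SK is SHA-256 of g^(R_M R_N) mod p; the prime
is a small known prime in place of the 512-bit p in the text.
"""
import hashlib
import secrets

P = 2**127 - 1                        # assumption: Mersenne prime, not 512-bit
G = 3                                 # assumption: fixed base
WIDTH = (P.bit_length() + 7) // 8     # bytes needed to carry a group element
NONCE_LEN = 16                        # size chosen for R_N' and R_M' here


def enc(key: bytes, data: bytes, label: bytes = b"") -> bytes:
    """Stand-in for ENC: XOR with a SHA-256 counter keystream bound to `label`.
    Symmetric, so the same call decrypts. Not the algorithm the text uses; the
    label separates keystreams for the different messages encrypted under SK."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + label + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def i2b(x: int, width: int = WIDTH) -> bytes:
    return x.to_bytes(width, "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


def session_key(shared: int) -> bytes:
    """SK as the hash of g^(R_M R_N) mod p (one of the choices in the text)."""
    return hashlib.sha256(i2b(shared)).digest()


def dh_eke(mobile_password: bytes, network_password: bytes,
           p: int = P, g: int = G) -> dict:
    """Run the FIG. 2 exchange; returns each side's verification result and the
    A-key it would adopt (None where verification failed)."""
    failed = {"network_verified": False, "mobile_verified": False,
              "network_a_key": None, "mobile_a_key": None}

    # Message 1, mobile -> network: p, g, ENC_P(g^R_M mod p).
    r_m = 2 + secrets.randbelow(p - 3)
    msg1 = enc(mobile_password, i2b(pow(g, r_m, p)), b"msg1")

    # Network: decrypt with its copy of P, compute (g^R_M)^R_N, derive SK.
    r_n = 2 + secrets.randbelow(p - 3)
    g_rm_at_network = b2i(enc(network_password, msg1, b"msg1"))
    sk_net = session_key(pow(g_rm_at_network, r_n, p))

    # Message 2, network -> mobile: ENC_P(g^R_N mod p), ENC_SK(R_N').
    rn_prime = secrets.token_bytes(NONCE_LEN)
    msg2_pub = enc(network_password, i2b(pow(g, r_n, p)), b"msg2")
    msg2_nonce = enc(sk_net, rn_prime, b"msg2-nonce")

    # Mobile: decrypt with P, compute (g^R_N)^R_M, derive SK, recover R_N'.
    g_rn_at_mobile = b2i(enc(mobile_password, msg2_pub, b"msg2"))
    sk_mob = session_key(pow(g_rn_at_mobile, r_m, p))
    rn_prime_at_mobile = enc(sk_mob, msg2_nonce, b"msg2-nonce")

    # Message 3, mobile -> network: ENC_SK(R_N' || R_M').
    rm_prime = secrets.token_bytes(NONCE_LEN)
    msg3 = enc(sk_mob, rn_prime_at_mobile + rm_prime, b"msg3")

    # Network verifies SK: the decrypted R_N' must equal the one it sent.
    dec3 = enc(sk_net, msg3, b"msg3")
    if dec3[:NONCE_LEN] != rn_prime:
        return failed
    rm_prime_at_network = dec3[NONCE_LEN:]

    # Message 4, network -> mobile: ENC_SK(R_M').
    msg4 = enc(sk_net, rm_prime_at_network, b"msg4")

    # Mobile verifies SK: the decrypted R_M' must equal the one it sent.
    mobile_ok = enc(sk_mob, msg4, b"msg4") == rm_prime
    return {"network_verified": True, "mobile_verified": mobile_ok,
            "network_a_key": sk_net,
            "mobile_a_key": sk_mob if mobile_ok else None}


if __name__ == "__main__":
    print("matching passwords:", dh_eke(b"otasp-pw", b"otasp-pw")["mobile_verified"])
    print("mismatched passwords:", dh_eke(b"otasp-pw", b"other")["network_verified"])
```

With the wrong password at the network, the decrypted g^R_M is a random value, the two sides derive different SK values, and the R_N' comparison fails, so no A-key is adopted. The stand-in cipher makes no attempt to address the leakage the following paragraph refers to; it only reproduces the message flow.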
While the DH-EKE protocol eliminates man-in-the-middle and off-line dictionary attacks, information may still leak, and an attacker may recover the password P.