The present invention relates to information or data security technology for communication networks and, more particularly, to a mutual authentication/cipher key distribution system which prevents abuse of the network in a personal mobile communication system.
The technology for information security of the system in the communication network is roughly divided into (a) a user authentication technique, which prevents unauthorized access to the network by checking whether a user is an authorized one, and (b) a cryptographic technique, which conceals the communication contents on the circuit actually being used, thereby preventing eavesdropping by a third party.
With respect to the authentication technique (a), CCITT has proposed, as an authentication technique for future personal communication technology, a system such as that shown in FIG. 5, in which the network and all users employ identical encryption devices and the network authenticates the users individually without presenting or revealing their passwords or similar personal secret information on the circuit. Let the identifier of a user i and his authentication key be represented by ID.sub.i and S.sub.i, respectively, and assume that S.sub.i is an authentication key known only to the network and the user. When the user i uses the network, he first presents the information ID.sub.i to the network. Then the network generates a random number r.sub.u and sends it to the user i. The user i encrypts the random number r.sub.u with the encryption device, using the authentication key S.sub.i as a secret key, and sends the encrypted random number back to the network. Finally, the network fetches the authentication key of the user i held therein, similarly encrypts the random number r.sub.u using the fetched authentication key as a secret key and, when the value of the thus encrypted random number matches the value of the encrypted random number from the user i, authenticates the user i as an authorized user. This system requires a total of three interactions between the user and the network, including the presentation of the identification of the user to the network.
In addition, to prevent eavesdropping by an outsider (b), some key distribution system is used to implement key sharing between the network and the user. Finally, the shared key is used to encrypt correspondence, and then communication starts between them.
As mentioned above in connection with the prior art, attention has been directed primarily to the function by which the network authenticates the user. This is because the system has been designed on the understanding that the network is always correct or HONEST. In personal communication, however, since it is supposed that a base station, which covers a very narrow communication range, effects a position registration accompanying the communication with the user or his migration, there is a possibility that an abuser sets up a false base station and accesses the user via a radio channel. In such a situation the user will use his authentication key as a key to encrypt a suitable number intentionally chosen by the false network and send it back thereto. This is what is called a chosen plaintext attack, which is the strongest one of various attacks on the cryptosystem. It is pointed out in the literature (E. Biham and A. Shamir: "Differential cryptanalysis of DES-like cryptosystems," '90 EUROCRYPTO, August 1990) that, depending on the choice of the cipher system, there is the likelihood that the user's authentication key would be revealed by several rounds of such a chosen plaintext attack. Moreover, since a plurality of traders will provide personal communication services in the future, it will be necessary to make provision for enabling a user to correctly recognize the trader whose services are being used by the user.
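The one-way exchange of FIG. 5 and the weakness described above can be sketched as follows. This is an added example, not part of the original specification; the `encrypt` function is a stand-in (truncated HMAC-SHA256) for the unspecified shared encryption device, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the shared "encryption device" (assumption: truncated HMAC-SHA256).
    return hmac.new(key, block, hashlib.sha256).digest()[:8]

class Network:
    def __init__(self, keys):
        self.keys = keys        # ID_i -> S_i, held by the network
        self.pending = {}       # ID_i -> outstanding challenge r_u

    def challenge(self, user_id: str) -> bytes:
        # Interaction 2: network -> user, a fresh random number r_u.
        r_u = secrets.token_bytes(8)
        self.pending[user_id] = r_u
        return r_u

    def verify(self, user_id: str, response: bytes) -> bool:
        # Recompute E_{S_i}(r_u) and compare; each r_u is accepted once only.
        r_u = self.pending.pop(user_id, None)
        key = self.keys.get(user_id)
        if r_u is None or key is None:
            return False
        return hmac.compare_digest(encrypt(key, r_u), response)

class User:
    def __init__(self, user_id: str, s_i: bytes):
        self.user_id, self.s_i = user_id, s_i
        self.answered = []      # every challenge value this user has encrypted

    def respond(self, r_u: bytes) -> bytes:
        # Interaction 3: the challenge carries no proof of its sender, so the
        # user encrypts whatever value arrives under the long-term key S_i.
        self.answered.append(r_u)
        return encrypt(self.s_i, r_u)

def run_demo():
    s_i = secrets.token_bytes(16)               # constructed sample key
    user = User("ID_i", s_i)
    net = Network({"ID_i": s_i})
    r_u = net.challenge(user.user_id)           # interaction 1 was sending ID_i
    response = user.respond(r_u)
    accepted = net.verify(user.user_id, response)
    replayed = net.verify(user.user_id, response)   # same response, no new r_u
    chosen = bytes(8)                           # value picked by a party the user never authenticated
    answered_blindly = user.respond(chosen) == encrypt(s_i, chosen)
    return accepted, replayed, answered_blindly
```

The third result is the point of the passage: because only the network authenticates the user, the user returns the encryption of any number presented to him, which is why the network must also prove itself to the user.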
In addition, the conventional system requires further interactions between the network and the user for the distribution of a key, which is needed to conduct cipher communication.