The prior art includes the so-called challenge-response method. In this method, a random number (challenge) is sent by the authenticating component (N=network) to the component (M=mobile station) to be authenticated and is converted into a response using an algorithm (A) and a secret key (K) which is known to both components. The expected response is calculated in the network N using the same key K and the same algorithm A; a match between the response sent back by M and the response calculated in N proves the authenticity of M.
Mutual authentication is achieved according to the prior art by the above sequence being carried out with the opposite role distribution.
Accordingly, in the known challenge-response method, the fixed network passes a challenge to the mobile station M, and the mobile station M answers with a response which has been calculated by using a computation method which is implemented in the mobile station and which includes a secret key K. This key K is unique. This means that only this mobile station can respond in the way expected of it, provided it is authenticated as being “authentic”. No other mobile station (M) can simulate this key.
A disadvantage of the previous method is that the entire authentication method can be verified only and exclusively in the AUC (authentication center), that is to say, in practice, in the computation center.
Specifically, for security reasons, it has been found to be advantageous in system architectures to control A and K at a central point (in the authentication center=AUC), with the authenticating point N (which carries out the authenticity check) having transmitted to it in advance only challenge/response pairs (possibly a number of them as a stockpile) for the purpose of authentication.
The challenge/response pairs transmitted from the AUC to the network (on request from the network in the form of a so-called “duplet request”) are thus already to a large extent calculated in advance “as a stockpile” and, when the response arrives from the mobile station M during the authentication process, the two responses are compared. If they match, this thus ends the authentication method for the mobile station M with the network N.
The known methods from the prior art accordingly provide for the mobile stations to authenticate themselves with the network. This results in a risk of the network being simulated by unauthorized persons and thus of the relevant mobile station M being “spoofed by” the simulated network, with a mirror-image of the mobile station M being created in the process, but in this case for the “right” network N. In this unallowed situation, the M would authenticate itself with the simulated network N, thus allowing the unauthorized operator on the simulated network to call up non-public data from this mobile station M.
As one example, the GSM network should be mentioned which, at the moment, carries out only single-ended authentication (M authenticates itself with N). The TETRA Standard which is also known allows double-ended authentication.
The method is explained in the following text in order to provide a better description of the terms “Challenge 1,” “Response 1,” “Challenge 2,” and “Response 2” used below:
The Challenge 1 is used to authenticate the mobile station M with the network N. As soon as this authentication has been successfully completed, the mobile station M requests reverse authentication, such that a check is now carried out as to whether the present network N is also really the authorized network and not a network being simulated in an unallowed manner. The aim is thus to authenticate the network N with the mobile station M. In this case, the mobile station M sends a Challenge 2 to the network, which passes the Challenge 2 on to the AUC where the Response 2 is calculated from it, and this is in turn sent to the network N, which passes the Response 2 to the mobile station. If the mobile station finds that the Response 2 which it has itself calculated matches the received Response 2, the authentication process is thus successfully ended. This authentication pair is referred to as Challenge 2/Response 2.
A disadvantage of mutual authentication in such system architectures is that the challenge sent by M cannot be converted into the response in N, but only in the AUC which, in some circumstances, leads to considerable time delays between the N-AUC-N data transfer and the on-line computation operation in the AUC.