The present invention relates to a method for cryptographically verifiable identification of a physical unit in an open, wireless telecommunications network.
Although applicable to any arbitrary telecommunications devices, the present invention and the problems it is intended to solve will be explained here in terms of mobile telephone systems.
GSM mobile telephone systems and cryptographic methods pertaining to them are described for instance in “GMS System Engineering” by Asha Mehrotra, Artech Haus Pub., 1996, or “Cryptography Theory and Practice” by D. R. Stinson, CRC Press, 1995.
The identity of a mobile terminal or (terminal) device is generally known as IMEI (International Mobile Equipment Identity). It individually identifies a single device and provides a complete unique specification for it.
FIG. 7 is a schematic illustration a known identification mechanism for identifying a mobile telephone to a network operator.
In FIG. 7, M represents a mobile telephone, with a central processing unit 1 and an identity module 2, which later has a secure-access region TA in which the identity IMEI is stored in memory.
The instantaneous recognition of such a device M (mobile equipment) in the GSM system is based today on the fact that the device M introduces itself publicly by means of its IMEI. There is a need for equipment manufacturers to assure that the IMEI in the device M cannot be modified, and that the software of the device M will always, upon request by the network, furnish only the correct IMEI that is stored in memory in the device.
The usage outlined in dashed lines in FIG. 1 is an illustration of the general implementation of this identification mechanism. After an identity request IR, the device M in reaction furnishes the parameter IMEI, which has been impressed into a protected memory cell by the manufacturer IO, to the network operator.
This method can easily be counterfeited. A software jump J in the software identification system SS can (as FIG. 1 shows) furnish any other identification IMEI, instead of the correct identification IMEI. This is possible whenever it is possible to alter the software of the device M, which is usually easy to do, or to alter the identity IMEI, which as a rule is somewhat more difficult. The greatest problem, however, is that cloned devices can furnish an identity IMEI arbitrarily. All one has to do is eavesdrop on the network a single time and learn one legal IMEI, because the IMEI is always sent in the open. One can also generate legitimate IMEI identifications oneself, however, since the setup is known. Thus this type of identification does not afford an especially high standard of security.
FIG. 8 is a schematic illustration of a further known identification mechanism for identifying a mobile telephone to a network operator, using the challenge & response technique.
Secured identification using the so-called challenge & response technique in cryptographic systems is a known technique of ascertaining the identity of a device.
As FIG. 8 shows, this technique is based on question and answer. The testing station P (for instance a base station of the network operator) sends an identity request AR to the device M being tested, with a random symbol sequence RAND or “challenge pattern” of 128 bits, generated in a random generator RG, and ask for a certain reaction ARE or “response” with a data word SRES comprising 32 bits, which proves that the tested device M has a certain secret value Ki of 128 bits, just as does the testing station P; together with RAND, this response can be linked by a copy A3 with a test outcome SRES, which is returned by the tested device M to the testing station P.
The copy A3 is a highly nonlinear copy which is very difficult to reverse (it is often called a one-way function), as described by Asha Mehrotra as cited above. The copy A3 is as a rule selected to be a block enciphering process. The two entities, the tester P and the testee M, receive the same response SRES if the two secret keys Ki are identical in the tester P and the testee M. If so, the identification result ARES is positive; if not, it is negative.
This process can be repeated multiple times with different random values RAND, to enhance the security. This method is already used in the GSM system, but only for identifying a user from his user card USIM. Because of the increased threat of cloning and theft of mobile radio devices, it has become increasingly necessary to integrate a mechanism with the mobile device that causes the device to identify itself, so that both stolen and cloned or non-certified devices in a network can be detected. However, this requires the knowledge of the parameter Ki on the part of both the tester and the testee. However, since there are many service providers and manufacturers in a wireless network, complex administration is required, along with the exchange of all the Kis in the network between manufacturers and network operators.
The number of units to be identified, and their manufacturers, in today's telecommunications networks is high and changes constantly. This increases the complexity and expense of administration and maintenance still further.