In existing data transfer networks, terminals and particular nodes (e.g. a HLR/AuC or HSS/AuC) of a network cooperate in order to authenticate the terminals in the network and to encrypt data over the radio part of the network. A detailed description is provided in GSM Recommendation 03.20 for 2G networks, 3GPP TS 33.102 for 3G networks and 3GPP TS 33.401 for 4G networks.
Briefly, for GSM/GPRS networks, a secret key Ki forms the cornerstone for the security mechanisms. The secret key Ki is stored in the terminal (usually on the SIM card) and in the HLR/AuC of the network. The HLR/AuC generates a random number RAND in response to an authentication request from a terminal containing subscriber identifier IMSI for a particular terminal session. The RAND and the secret key Ki are used to derive an encryption key KC using a key generation algorithm and to derive an expected response XRES under an authentication algorithm. The combination (RAND, XRES, KC) forms a GSM authentication vector (triplet) transmitted from the HLR/AuC to an MSC or SGSN. The MSC/SGSN then transmits the random number RAND to the terminal and the encryption key KC to a base station, or SGSN in case of GPRS. The terminal and the network communicate wirelessly over a radio path between the base station and the terminal.
Upon receipt of the RAND, the terminal derives the encryption key KC using the key generation algorithm, the RAND and the secret key Ki and also derives a response RES using the authentication algorithm, the RAND and the secret key Ki.
For authentication, the terminal sends the response RES over the radio path to the MSC/SGSN where the terminal-derived response RES is compared with the network-generated expected response XRES stored in the MSC/SGSN. When the terminal-derived RES matches the network-generates XRES, the terminal is authenticated in the network for the particular terminal session.
After authentication, the encryption key KC can be used to encrypt data transmitted over the radio path between the terminal and the base station that had stored the network-generated encryption key KC. Encryption of the data on the radio path is performed using encryption key KC in combination with an encryption algorithm.
When the terminal session is terminated, the terminal should normally again follow the authentication procedure for a subsequent terminal session.
For UMTS networks, again an authentication request is received at the HLR/AuC containing subscriber identifier IMSI. Instead of a triplet authentication vector, a quintet authentication vector is generated containing again RAND and expected response XRES together with a cipher key CK, an integrity key IK and an authentication token AUTN. AUTN is generated in a manner known as such. The quintet authentication vector is sent to a further network node, such as the VLR/SGSN. Both RAND and AUTN are transmitted over the radio interface to the terminal. At the terminal, AUTN is verified for authentication of the network in a known manner and a response RES is computed and sent back to the network for authentication of the terminal in the network. Keys CK and IK can also be derived at the terminal using the secret key Ki and the received RAND.
When the terminal session is terminated, the terminal should normally again follow the authentication procedure for a subsequent terminal session.
For 4G Evolved Packet Systems (EPS), the authentication procedure is similar to UMTS networks, although a new key hierarchy is used. The secret key Ki stored in the USIM at the terminal side and the AuC at the network side is used to derive the keys CK and IK. CK and IK, in combination with a serving network ID are used to derive a new key, KASME. From this new key, KASME, other encryption and integrity keys are derived for protection of signalling between the terminal and the core network (key KNASenc), protection of integrity between the terminal and the core network (key KNAsint), the RRC signalling and user data transfer over the radio interface, the latter including encryption key KUPenc.
The authentication and encryption procedures, generally known as Authentication and Key Agreement (AKA), involve a considerable message exchange. This message exchange may be a burden in particular cases, e.g. for machine-to-machine (M2M) communications currently being standardized in 3GPP (see e.g. TS 22.368). M2M applications typically involve hundreds, thousands or millions of communication modules. Some applications only rarely require access to a telecommunications network. An example involves collecting information by a server from e.g. smart electricity meters at the homes of a large customer base. Other examples include sensors, meters, coffee machines etc. that can be equipped with communication modules that allow for reporting status information to a data processing centre over the telecommunications network. Such devices may also be monitored from a server. The data processing centre may e.g. store the data and/or provide a schedule for maintenance people to repair a machine, meter, sensor etc.