In all telecommunication networks both the users and the network operator have to be protected against undesirable intrusion of third parties as far as possible. Thus several kinds of security functions are needed in the networks. The major aspects of the network security are 1) the protection of the information that the network conveys; and 2) authentication and access control of the users of the network. The major security mechanism for the protection of information is, and is likely to remain, some form of encryption. Authentication is a means of trying to ensure that information comes from the source it is claimed to come from. It is typically based on passwords and keys. Access rights are assigned in terms of the ability to send and/or receive via the transmission medium. Also access mechanisms typically depend on some form of password or key.
Due to the use of radio communications for transmissions to the mobile subscribers, radio accessed networks, such as Public Land Mobile Networks (PLMN), are particularly sensitive to misuse of their resources by unauthorized users and eavesdropping on the information which is exchanged on the radio path. This comes from the possibility to listen to and transmit radio signals from anywhere, without tampering with a user's or an operator's equipment. It can be seen that PLMNs have a need for a higher level of security than traditional telecommunication networks.
The pan-European digital cellular radio system known as the Global System for Mobile Communications (GSM) contains a highly secure authentication system. It is based on the so-called challenge and response principle. At subscription time, a secret number called a Subscriber Authentication Key (Ki) is allocated to the subscriber together with an International Mobile Subscriber Identity (IMSI). Ki is stored in a special purpose element of the GSM network, called an Authentication Center (AUC), which is associated with or linked to a Home Location Register (HLR) of the subscriber. The AUC also contains a ciphering algorithm, called A8, and an authentication algorithm, called A3, as well as a generator of random numbers (RAND). A parameter called a ciphering key (Kc) is generated from Ki and RAND by the algorithm A8. Similarly, a parameter called a Signed Response (SRES) is generated from Ki and RAND by the algorithm A3. The three parameters RAND, Kc and SRES make up a "triplet", specific to a subscriber, to be used for further authentication and ciphering. In order to avoid calculating and transferring a triplet every time it is needed, several triplets are calculated in advance for each subscriber by the AUC/HLR and delivered on request to a Visitor Location Register (VLR) and a Mobile Services Switching Center (MSC), where they are stored. The MSC/VLR will always have at least one unused triplet for each of its visitor subscribers. Tight security requires that a triplet be used only once, for one communication, and then be destroyed. When a subscriber has used all its available triplets, the AUC/HLR is requested to calculate and send back a new series.
A GSM mobile station is split into two parts: one which contains the hardware and software specific to the radio interface, the mobile equipment, and another which contains the subscriber specific data, the Subscriber Identity Module, or SIM. Each subscriber has a SIM, typically in the form of a smart card, which takes responsibility for most of the security functions at the mobile station side. It stores Ki, the authentication algorithm A3 and the ciphering algorithm A8, as well as the ciphering key Kc received from the network side.
During authentication, the VLR/MSC sends the random number RAND (and also Kc) of a respective triplet to the mobile station. The mobile station, more particularly its SIM part, processes RAND using the authentication algorithm A3 and the authentication key Ki, and returns the resulting Signed Response (SRES) to the VLR/MSC. This SRES is checked against the SRES of the triplet given by the HLR to the subscriber. If the two SRESes are equal to each other, access is allowed; otherwise it is denied.
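The triplet generation and challenge-response check described above can be modelled as follows. This is an added example, not part of the original text: the real A3 and A8 are operator-specific and secret, so HMAC-SHA256 is used here as a stand-in (an assumption), and the class and function names, the 64-bit Kc length and the test IMSI are chosen for illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki, rand):
    """Stand-in for the secret A3/A8 (assumption: HMAC-SHA256).
    Returns (SRES, Kc): a 32-bit response and a 64-bit ciphering key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Holds Ki per IMSI and precomputes triplets; Ki never leaves it."""
    def __init__(self):
        self._ki = {}
    def provision(self, imsi, ki):
        self._ki[imsi] = ki
    def triplets(self, imsi, n=3):
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)  # 128-bit RAND
            sres, kc = a3_a8_standin(self._ki[imsi], rand)
            out.append((rand, kc, sres))
        return out

class SIM:
    """Subscriber side: answers a challenge without exposing Ki."""
    def __init__(self, ki):
        self._ki = ki
    def respond(self, rand):
        return a3_a8_standin(self._ki, rand)[0]

class VLR:
    """Visited network: stores triplets and never sees Ki."""
    def __init__(self, auc):
        self.auc = auc
        self.store = {}
    def authenticate(self, imsi, sim):
        if not self.store.get(imsi):  # none left: request a new series
            self.store[imsi] = self.auc.triplets(imsi)
        rand, _kc, sres = self.store[imsi].pop()  # used once, then destroyed
        return hmac.compare_digest(sim.respond(rand), sres)

def demo():
    imsi = "001010123456789"  # constructed test IMSI
    ki = secrets.token_bytes(16)
    auc = AuC()
    auc.provision(imsi, ki)
    vlr = VLR(auc)
    genuine = vlr.authenticate(imsi, SIM(ki))
    wrong_key = vlr.authenticate(imsi, SIM(secrets.token_bytes(16)))
    return genuine, wrong_key, len(vlr.store[imsi])
```

Each call to `authenticate` consumes one stored triplet whether or not the response matches, so a challenge is never reissued.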
All the security mechanisms in GSM rely on the secrecy of the authentication key Ki. Ki is never transmitted and never leaves the AUC/HLR. Also, the SIM completely protects Ki against reading. Because the mathematical algorithm A3 works only one way (it is a so-called one-way trap door function), it is impossible to derive the key Ki from the RAND-SRES pairs transmitted. Further, the authentication algorithm A3 itself is a secret algorithm; it cannot be found even in the GSM specifications. The specifications only require that computation of Ki knowing the RAND and the SRES should be as complex as possible. This level of complexity determines which security level has been achieved. Beyond this requirement, the only constraint imposed on A3 is the size of the input parameter (RAND is 128 bits long) and the size of the output parameter (SRES must be 32 bits long). Ki can be of any format and length when stored in the AUC/HLR; only if Ki were to be transported in the network would it be constrained to a maximum length of 128 bits. In fact, the design choices of GSM, both in the mobile station and in the infrastructure, make it possible for the operators to choose the A3 applicable to their own subscribers independently from other operators.
In the U.S.A., a digital cellular system called Personal Communications System (PCS) is under development. The US PCS is based on the GSM system to a great extent, especially as regards network architecture and protocols, including the security functions. However, some minor modifications are being made in various parts of the system. One potential modification is that the authentication algorithm A3 used in the GSM system be replaced by the Cellular Authentication and Voice Encryption (CAVE) algorithm in the US PCS, since the CAVE algorithm has been developed in the USA and is already used in analog Advanced Mobile Phone Service (AMPS) networks. The CAVE algorithm which might be suitable for authentication in the PCS system would have a 152-bit input parameter consisting of a number of concatenated information fields, and an 18-bit output parameter, whereas the A3 algorithm in GSM has 128-bit Ki and RAND parameters as input parameters and a 32-bit SRES parameter as an output parameter. Therefore, replacement of A3 with the CAVE algorithm in a GSM based mobile communications system is not possible without further modifications. However, such modifications may easily affect various protocols, functions, messages and data structures throughout the system and thereby make the CAVE algorithm technically and economically unattractive. A further disadvantage is that compatibility with the GSM system will be lost, and consequently, for example, SIM-roaming between the GSM and the US PCS systems will not be possible.