As is generally known, mobile stations of mobile subscribers in a radio communications network have at least one identity module (User Services Identity Module in UMTS networks or Subscriber Identity Module in GSM networks). It is also known for a number of types of security functions to be used in radio communications networks. For example, EP-0 822 727 A2 describes a method and a system for subscriber authentication and/or encryption of information, in which mobile users of a cellular digital mobile radio network on the GSM standard identity themselves to the respective network using the identity module—SIM card. Security parameters and security algorithms are in this case used for subscriber authentication between the mobile station and the mobile radio network.
Furthermore, a security function in the form of a network authentication is also possible, that is to say the radio communications network authenticates itself with the mobile station, in order to detect, and as far as possible to preclude, misuse and corruption for example by means of the “cloning” of network devices such as base stations, etc., for unauthorized monitoring of communications connections. In this context, document 3G TS 33.102 from the 3GPP (3rd Generation Partnership Project), October 1999, describes an architecture which deals with the security aspect of a radio communications network for the next generation—for example UMTS—with respect to network authentication. The known authentication method is based on the “signed-challenge” method, in which the network transmits to the mobile station 1) a “challenge” (random number RAND), 2) an information parameter in the form of a sequence number, on the basis of which the mobile station can verify that it has not previously used this information parameter, and 3) an authentication code (message authentication code MAC), which is formed at the network end from the “challenge” and the sequence number. In order to allow the authentication process to be carried out, the network must also transmit an authentication token with the “challenge”. On receiving the above information (RAND, AUTN), the mobile station authenticates the source and integrity of this information by calculating an expected authentication code (XMAC) and comparing this with the value of the authentication code (MAC) contained in the authentication token which has arrived. In the situation where there are identical, the mobile station starts to check whether the received sequence number is “fresh”, that is to say that it has not already been used. To do this, it assesses the history of the sequence numbers already accepted by it. Successful verification of the authentication code together with the guarantee that the received sequence number is unused lead to the network being authenticated with the subscriber. With this method, the “challenge” must never be repeated in order to reliably avoid misuse and the like.
A number of stacks (batches) of authentication vectors are normally produced at the network end, each containing the authentication token with the sequence number. For each new authentication from the respective stack, an unused authentication vector is selected, and at least the sequence number is transmitted in an authentication request to the mobile station. A decision is then made by the identity module at the mobile station end as to whether the received sequence number will be accepted or rejected for authentication, and the identity module then responds to the authentication request.
In order to guarantee to the identity module that the sequence number has actually been “freshly” allocated, the network has only sequence numbers which are always greater than the last transmitted number. The identity module then just needs a single counter, whose current count is in each case identical to the value of the last accepted sequence number. A new sequence number is accepted only provided it is greater than the current count. Nevertheless, it is possible in this case for the sequence of transmitted numbers not to match the sequence of received numbers, for example if the mobile subscriber has moved with his subscriber station between a number of networks and wishes to register with different network devices. If the identity module were to store only a single value, sequence numbers would be rejected if they were used out of sequence—which in principle is not forbidden and not when they are repeated—a situation which must undoubtedly be avoided.
One theoretical method for reliable identification of repetition of sequence numbers is for the identity module to store all the already received numbers. Since, on the one hand, the number of numbers is in principle unlimited and, on the other hand, the storage capacity of the identity module is limited, this method has only a short life. A better method uses a list with the L largest sequence numbers which it has already received and accepted. When the mobile station receives a sequence number, it accepts that in its identity module only if it has not yet been stored and is greater than the smallest number in the list. This procedure allows sequence numbers to be used on an individual basis which have been transmitted outside the sequence to the mobile station and which are in each case less than the greatest number and the smallest list entry. In addition to considerable amount of memory, this also requires complicated management of an organized list, in which case, in particular, explicit management commands must be defined and executed in order to manage this list.