The field of this invention is to provide security for data transfers through one or several telecommunications networks.
In this case security means the capacity to authenticate parties that wish to communicate, and then if necessary to setup a secure communication channel between them.
It is particularly, but not exclusively, suitable for applications in which a subscriber to a telecommunications network connects through a Mobile Equipment, for example using the GSM (Global System for Mobile communications) telecommunications standard or an equivalent or competing standard such as DCS 1800 (Digital Cellular at 1800 MHz), PCS 1900 (Personal Communication System at 1900 MHz), DECT (Digital European Cordless Telecommunications) or UMTS (Universal Mobile Telecommunication System).
These communications networks with mobile equipment are managed by "mobile network operators", hereinafter referred to as "operators", that perform all subscription management and communication routing functions, and negotiation of access conditions for their subscribers to service providers (or "services or contents servers") accessible through communications networks.
The process according to the invention is preferably applicable to the case in which the subscriber to the telecommunications network, through a mobile terminal, would like to connect to a correspondent (typically a service provider) in a secure manner, the service provider being accessible on another telecommunications network interconnected with the subscriber's network.
But the security process according to the invention is advantageously applicable in any other context in which a subscriber who has taken out a subscription to a service accessible through a telecommunications network would like to communicate with a remote third party in a secure manner without transferring secret elements through the network, within a data communication involving either a single network, or two or several interconnected networks, when the transfer from one network to the other involves a protocol change.
Although the invention is originally applicable to communications set up between firstly a closed (GSM type) network to which the subscriber is attached, and an open (Internet type) network; the nature (open or closed) of each of the transmission networks involved is not a restrictive characteristic of the general principle of the invention.
Many content services are usually accessible through an open communications network (typically Internet) that has its own communications protocol. Therefore when a GSM mobile terminal would like to access a service of this type, there is a protocol change at the interface between the GSM network and the access network to the Internet type service provider. The role of telecommunications operators is to perform and manage these mediation and interfacing elements.
At the present time, there are authentication and confidentiality processes specific to each of these two networks. Therefore, known solutions consist of implementing available procedures end to end firstly on one and then on the other network, at the time that each data stream is transmitted. The result is usually a loss of confidentiality at the interface. In particular, the use of secure protocols on each upstream and downstream segment makes it necessary for the operator to be in possession of secret elements, keys and/or cryptographic algorithms required by each authentication and confidentiality process. This responsibility introduces an obligation on the operator to respect confidentiality, which may be undesirable for the service provider, for the subscriber and even for the operator himself.
Another known solution consists of using a third party (usually called a "trusted third party") for management of secrets, but this solution is also complex and therefore inappropriate in some situations in which the cost and management complexity are not justified.
One purpose of the invention is to overcome these various disadvantages in the state of the art.
More precisely, a first objective of the invention is to provide an authentication procedure that may be implemented independently of the successive networks used by a communication. This type of authentication procedure must at least enable the service provider to authenticate the subscriber, and preferably also enable the subscriber to authenticate the service provider, during each session.
Another purpose of the invention is to provide a process for transferring data through an encrypted channel so that a subscriber and a service provider can communicate in a secure manner without any action, and possibly even unknown to, the operator of the network to which the subscriber is attached.
Another purpose of the invention is to provide a process that enables the operator to define the security system and to guarantee the quality of authentication on the link that he controls, without the need for him to know the contents or the operating elements of the encrypted channel.
Another purpose of the invention is to enable the subscriber and the service provider to share knowledge of an encryption key for messages that they exchange on the network, each key advantageously being different for each communication session, without the encryption key being transmitted on the network at any time.
Another purpose of the invention is to make optimum use of security resources inherent to a GSM network, namely essentially the use of secret element(s) and algorithm(s) that exist (or can possibly be (re)programmed) in the terminals of network subscribers, typically in the Subscriber Identity Module (the SIM card) cooperating with the subscriber's radiotelephone terminal.
Another purpose of the invention is to provide the subscriber with a password and the means of calculating an encryption/decryption key, that are assigned and managed exclusively by the service provider, and therefore which do not need to be known to the operator or a third party.
Another purpose of the invention is to provide a process that provides genuine "compartmentalization" between the various service providers, from the communications security point of view, and any transactions initiated by the subscriber.
These purposes, and other purposes that will subsequently become evident, are achieved according to the invention by means of a process for ensuring the security of a communication between firstly a subscriber to a telecommunications network and secondly a service provider accessible through an operator of the said telecommunications network to which the subscriber is attached, this process being characterized in that it comprises firstly a process for initial registration of the said subscriber to the said service provider through the said operator, and secondly a process in which each of the communication sessions between the subscriber and the service provider takes place.
A subscriber obviously means not only the user, but also and particularly his network equipment. Similarly, the service provider means mainly the computer server connected to the network. However, as will be seen below, some information transfers may take place outside the network (for example by letter or fax, etc.) and therefore involve other entities, particularly persons, for their execution.
According to the invention, the initial registration process comprises:
firstly, the telecommunications operator provides the service provider with an identifier (Device ID) of the subscriber in his attachment network, and an authenticator (R1) of the said subscriber composed of a first numeric value calculated from an identifier (Idx) of the service provider in the operator's network, the said identifier (Device ID) of the subscriber in his attachment network, and a secret element (Sec. Op.) characterizing the subscriber;
secondly, the service provider provides the subscriber with data for identification authentication (Login, mdp) of the subscriber with the said service provider.
Furthermore, according to the invention, the execution process of each of the said sessions comprises authentication of the subscriber by the service provider through the following steps:
a step in which a second numeric value (R2) is calculated from a subscriber identifier (mdp) with the service provider and a diversification data (Date) generated at the subscriber,
a step in which a third numeric value (R3) is calculated starting from the said first numeric value (R1), the said second numeric value (R2) and a third data (Login) identifying the subscriber with the service provider,
a step in which a first data frame composed of the said third numeric value (R3) and input data, namely data (Login) identifying the subscriber with the service provider, and the said diversification data (Date) generated at the subscriber, is transmitted from the subscriber to the service provider,
a step in which the service provider authenticates the subscriber by recalculating, as a validation, the said third numeric value (R3) starting from the said input data (Login, Date) in the said first data frame, and data (R1, mdp) already provided to the service provider and associated with the subscriber.
According to one advantageous characteristic of the invention, the process also comprises authentication of the service provider by the subscriber by means of the following steps:
a step in which a fourth numeric value (R4) is calculated starting from the said subscriber authenticator (R1), a random variable (Random) generated at the service provider and diversification data (Date);
a step in which a second data frame composed of the said fourth numeric value (R4) and the said random variable (Random), is transmitted from the service provider to the subscriber;
a step in which the subscriber authenticates the service provider by a recalculation, as a validation of said fourth numeric value (R4) starting from the said random variable (Random) in the second data frame, and data (R1, Date) provided to the said subscriber.
Thus, provided that all the characteristics mentioned above are respected, the process enables mutual authentication of the subscriber and the service provider.
When the authentication has been confirmed, the process comprises:
a phase in which a session key (Kses) common to the said subscriber and the said service provider is generated; and
a phase in which the encrypted data are transmitted by means of the said session key (Kses).
In this case, the said phase in which a session key (Kses) is generated preferably comprises the following steps:
a step in which the service provider calculates a session key (Kses) starting from calculation data comprising the said second numeric value (R2) and a random variable (Random2);
a step in which the single random variable (Random2) is transmitted to the subscriber, except when the said random variables Random and Random2 are identical, in which case the said phase in which a session key (Kses) is generated does not include any data transmission from the service provider to the subscriber, since the random variable was already provided to the subscriber in the second data frame;
a step in which the subscriber calculates the said session key starting from the said calculation data, namely from the said transmitted random variable (Random2) and the said second numeric value (R2) provided to the said subscriber.
In the embodiment of the invention described above, the process comprises the following successive and separate steps in each session:
the service provider authenticates the subscriber;
the subscriber authenticates the service provider;
a session key is calculated to set up an encrypted channel.
All or part of the proposed complete process can thus be implemented selectively.
However in another variant embodiment, the step in which the subscriber authenticates the service provider can be combined with the step in which the session key is calculated to set up the encrypted channel. According to this variant, the said data for calculation of the session key (Kses) also include the subscriber authenticator (R1), the said authenticator (R1) being available both to the service provider and to the subscriber, without the need for the service provider to transmit it to the subscriber. At this time, if the said session key (Kses) is calculated correctly, the service provider is effectively authenticated by the subscriber due to intelligibility of encrypted data received by the service provider and decrypted using the said session key (Kses) calculated by the subscriber.
Therefore there is no longer any need to use calculations and information transfers related to the fourth numeric value R4.
The calculation of the session key, either in the embodiment with separate steps or in the embodiment combining the return authentication and calculation of the key, may itself include a variant by which the said data used to calculate the session key (Kses) also include the diversification data (Date), noting that this diversification data (Date) is provided both to the said service provider and to the subscriber and that it is therefore not necessary to retransmit it from the service provider to the subscriber.
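The two-frame exchange described above (initial registration through the operator, then subscriber authentication by R3, service provider authentication by R4, and derivation of Kses), together with the variant in which R4 is dropped and R1 and Date enter the session key directly, is shown below as an added example; it is not code from the patent or from any product implementing it. All identifiers (Device ID, Idx, Login, the Ki value) are constructed for the example. HMAC-SHA256 stands in for every one of the functions f1, f2, f3, f4 and fk (the patent names DES in MAC mode or A3/A8 for these), Random2 is taken equal to Random so that only one random value is sent, and the encrypted channel is a toy keystream cipher keyed by Kses, chosen here only to show that both ends hold the same key:

```python
import hashlib
import hmac
import os


def f(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function standing in for f1..f4 and fk (assumption: HMAC-SHA256).
    Inputs are length-prefixed so that (a, bc) and (ab, c) never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Operator:
    """Attachment-network operator: holds Sec.Op. (Ki) for each Device ID."""

    def __init__(self):
        self.sec_op = {}

    def add_subscriber(self, device_id: bytes) -> bytes:
        self.sec_op[device_id] = os.urandom(16)     # Ki, personalised into the SIM
        return self.sec_op[device_id]

    def authenticator(self, device_id: bytes, idx: bytes) -> bytes:
        """R1 = f1(Idx, Device ID, Sec.Op.), handed to the provider at registration."""
        return f(self.sec_op[device_id], idx, device_id)


class ServiceProvider:
    def __init__(self, idx: bytes):
        self.idx = idx            # provider's identifier in the operator's network
        self.db = {}              # Login -> {Device ID, R1, mdp, last Date, Kses}

    def register(self, device_id: bytes, r1: bytes):
        login, mdp = b"user-" + os.urandom(2).hex().encode(), os.urandom(16)
        self.db[login] = {"device_id": device_id, "r1": r1, "mdp": mdp, "last_date": None}
        return login, mdp          # delivered to the subscriber out of band

    def authenticate_subscriber(self, frame1, combined=False):
        """Verify R3 from the first frame, then build the second frame."""
        login, date, r3 = frame1
        rec = self.db[login]
        if date == rec["last_date"]:
            raise ValueError("Date replayed")                        # freshness check
        r2 = f(rec["mdp"], date)                                     # R2 = f2(mdp, Date)
        if not hmac.compare_digest(r3, f(rec["r1"], r2, login)):     # R3 = f3(R1, R2, Login)
            raise ValueError("subscriber authentication failed")
        rec["last_date"] = date
        random = os.urandom(16)                                      # Random2 == Random
        if combined:                                                 # variant without R4
            rec["kses"] = f(r2, random, rec["r1"], date)             # Kses = fk(R2, Random, R1, Date)
            return (random, None)
        rec["kses"] = f(r2, random)                                  # Kses = fk(R2, Random2)
        return (random, f(rec["r1"], random, date))                  # R4 = f4(R1, Random, Date)


class Subscriber:
    """Mobile terminal with SIM: recomputes R1 every session instead of storing it."""

    def __init__(self, device_id, ki, idx, login, mdp):
        self.device_id, self.ki, self.idx, self.login, self.mdp = device_id, ki, idx, login, mdp

    def _r1(self):
        return f(self.ki, self.idx, self.device_id)

    def start_session(self, date: bytes):
        self.date, self.r2 = date, f(self.mdp, date)
        return (self.login, date, f(self._r1(), self.r2, self.login))   # first frame

    def finish_session(self, frame2, combined=False):
        random, r4 = frame2
        if combined:   # provider is authenticated by the intelligibility of later traffic
            self.kses = f(self.r2, random, self._r1(), self.date)
            return
        if not hmac.compare_digest(r4, f(self._r1(), random, self.date)):
            raise ValueError("service provider authentication failed")
        self.kses = f(self.r2, random)


def xor_stream(kses: bytes, data: bytes) -> bytes:
    """Toy stream cipher keyed by Kses (keystream = f(Kses, counter)); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = f(kses, b"stream", i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def enroll():
    """Initial registration: operator -> provider (Device ID, R1); provider -> subscriber (Login, mdp)."""
    op, sp = Operator(), ServiceProvider(idx=b"SP-42")
    dev = b"IMSI-208010000000001"                 # constructed Device ID
    ki = op.add_subscriber(dev)
    login, mdp = sp.register(dev, op.authenticator(dev, sp.idx))
    return op, sp, Subscriber(dev, ki, sp.idx, login, mdp), login


def run_session(sp, sub, date, combined=False) -> bool:
    """One session: both frames, Kses on each side, one encrypted round trip."""
    sub.finish_session(sp.authenticate_subscriber(sub.start_session(date), combined), combined)
    msg = b"order 7 x widget"
    ct = xor_stream(sub.kses, msg)                                 # subscriber -> provider
    return xor_stream(sp.db[sub.login]["kses"], ct) == msg        # provider decrypts


if __name__ == "__main__":
    _, sp, sub, _ = enroll()
    print("separate-step scheme:", run_session(sp, sub, b"2024-05-01T10:00:00Z"))
    print("combined variant:", run_session(sp, sub, b"2024-05-01T10:05:00Z", combined=True))
```

Note that the operator never sees mdp or Kses, the provider never sees Ki, and R1 crosses the network only once, at registration, from the operator to the provider; the only value the subscriber's terminal has to keep is Ki in the SIM.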
Thus, according to the invention and regardless of the variants, the authentication scheme combines two security layers, namely identification/authentication (DeviceID, R1) at network level, with an identification at application level (Login, mdp). Therefore, the intrinsic security available from a telecommunications network is used in the application, during authentication of the parties and/or when setting up an encrypted communication.
Mutual authentication is based on the operator distributing a value R1 at the time that the subscriber is registered with the service provider, the service provider being responsible for ensuring that this value that he keeps in his authentication database is protected. In principle, the subscriber does not keep this value R1 (for security reasons) but is in a position to automatically recalculate it every time that a new session is initialized. Two exchanges are then necessary for the parties to mutually authenticate each other and setup a secure channel.
Note that setting up an encrypted channel only requires one item of secret information, which is generated under the responsibility of the attachment operator, the secret information being held by the subscriber or confined within his equipment connected to the network.
According to one advantageous characteristic of the invention, the service provider builds up a database associating at least one of the following items of data with each registered subscriber:
an identifier (DeviceId) for the subscriber in his attachment network;
subscriber identification/authentication data with the service provider (Login, mdp);
the numeric value R1 received from the operator at the time of the initial registration process;
possibly, some or all of the values Date, R3, R4, Random, Random2 and Kses specific to the current communication session.
According to another characteristic of the invention, at least some of the said first, second and third (and possibly fourth) numeric values R1, R2, R3 and R4 and the session key Kses are calculated using a cryptographic algorithm f1, f2, f3, f4, fk. Preferably, the said cryptographic algorithm belongs to the group including:
keyed one-way hash functions (message authentication codes), such as DES in MAC mode;
unkeyed one-way hash functions, such as MD5, RIPEMD and SHA;
bit-mixing algorithms.
Advantageously, the said first numeric value R1 is calculated using an A3/A8 type algorithm f1.
According to another preferred characteristic of the invention, the said secret element (Sec. Op.) characterizing the subscriber belongs to the group containing the key Ki contained in the SIM card of the subscriber's mobile (in the case of a GSM type network) and an arbitrary key Kkm available in the subscriber's terminal.
Similarly, when the subscriber is attached to the GSM network, the subscriber's identifier (Device ID) in his attachment network advantageously belongs to the group including the IMSI (International Mobile Subscriber Identity) and the MSISDN (Mobile Station ISDN number).
Preferably, the said identification/authentication data (Login, mdp) of the subscriber with the said service provider comprise:
a subscriber identifier (Login) in the service provider's network;
a secret element (mdp) supplied to the subscriber by the service provider.
Advantageously, the said diversification data (Date) used to calculate a second numeric value (R2) belongs to the group comprising the date and/or time of the session, a number incremented in each new session requested by the subscriber, and a random number generated at the subscriber.
Advantageously, the service provider can guarantee the quality of the subscriber's diversification data (Date) by checking that it actually changes with time. For example, he can make this verification by keeping the value (Date) of the last connection attempt and checking that the current value (Date) differs from it. Comparing only with the last value detects an immediate replay of the first frame; when Date is an incremented number, requiring it to be strictly greater than the stored value also rejects any earlier frame.
According to a degraded version of the security scheme proposed by the invention, the said first numeric value (R1) is not calculated and is ignored in at least some steps of the process; since R1 is the only secret the fourth numeric value (R4) depends on, the phase in which the subscriber authenticates the service provider is then eliminated. The consequence of this simplification is loss of mutual authentication, making the scheme vulnerable to "man in the middle" type attacks (intrusions within the communication). But the other identification and authentication functions remain.
Use of the second numeric value R2 can also be simplified by simply reducing it to the value of the secret element (mdp) supplied by the service provider to the subscriber. In this case, this value is no longer "dynamic" (in other words variable from one occurrence to the next) but is fixed. Obviously, the cryptographic function f2 is then not used.
Other characteristics and advantages of the invention will become obvious from reading the following description of an illustrative and non-restrictive embodiment of the invention, and the attached drawings.