I. Field of the Invention
The invention relates generally to wireless communication systems, such as mobile telephone systems. More particularly, the invention relates to authentication procedures in mobile telephone systems.
II. Description of the Related Art
When a telephone company first introduces cellular communications into an area, its primary focus is to establish capacity, coverage, and to enlist new customers. As its network grows, the telephone company expects to make profit from the use of its equipment by its customers. However, cellular telephone fraud and cloning, in particular, can significantly impact the ability to profitably operate the communication: system. Cloning is the duplication of a legitimate subscriber unit to seize the legitimate subscriber unit""s identity and thus acquire unauthorized telephone service. Such activities also create problems and substantial inconveniences for system users. According to the Cellular Telecommunications Industry Association (CTIA), the annual global loss in revenues due to cloning has exceeded one billion dollars.
An authentication procedure is now used to combat fraudulent access to mobile telephone service. As used herein, authentication refers to the exchange and processing of stored information to confirm a subscriber unit""s identity. The authentication procedure is performed by a network to validate the identity of a standard-compliant phone unit, such as an IS-54B, IS-136, IS-91, or IS-95 standard phone. Typically, the authentication procedure is independent of the air-interface protocol used (i.e., CDMA or TDMA).
FIG. 1 is a pictorial diagram of a typical mobile communication system having one or more mobile stations. A mobile telephone system (MTS) 100 typically includes infrastructure components 112 communicating with a plurality of mobile stations (MS) 120 using radio frequency (RF) channels. The infrastructure components include a base station (BS) 110, a mobile switching center (MSC) 130, a home location register (HLR) 150, an authentication center (AC) 160, and a visitor location register (VLR) 155. The BS 110 provides the air interface between the MS 120 and the MSC 130. The MSC 130 coordinates all communications channels and processes, and provides access for the BS 110 to networks, such as a public switched telephone network (PSTN) 140. The HLR 150 contains a subscriber database 152. The subscriber database 152 maintains each subscriber""s mobile identification number (MIN) and electronic serial number (ESN). The MIN and ESN, taken together, uniquely identify each MS.
Typically, the MSC 130 also includes the visitor location register (VLR) 155. However, the VLR 155 may be a separate component of the system. The VLR 155 contains a local, temporary subscriber database 157 similar to the permanent subscriber database in the HLR 150. The information from the HLR 150 and the VLR 155 are used to authorize system access and to authorize billing to a particular billing account. The MSC 130 also interfaces with the AC 160 through the HLR 150.
The VLR 155 and MS 120 each have access to at least three pieces of information that make up the data used for authentication: the MIN of the mobile, the ESN of the mobile, and a shared secret data (SSD-A) associated with the mobile. The SSD-A is typically derived from an authentication key (A-Key). Each MIN and associated ESN represent a unique combination that may be used to identify a particular legitimate subscriber. The A-Key is a secret value that is unique to each individual subscription. For example, the A-Key may be a 64-bit cryptographic variable key stored in the memory of the MS 120. The A-Key may, for example, be entered once from the keypad of the MS 120 when the mobile station is first put into service to serve a particular subscriber. The A-Key typically remains unchanged unless its value has been compromised. The MIN and ESN may be transmitted over the air, but the A-Key may not be transmitted over the air.
In North American systems, authentication of an MS utilizes a process commonly referred to as the xe2x80x9cCAVExe2x80x9d (cellular authentication and voice encryption) algorithm. The CAVE algorithm is a software-compatible non-linear mixing function having a 32-bit linear-feedback shift register (LFSR), sixteen 8-bit mixing registers, and a 256-entry lookup table. For further details on the CAVE algorithm refer to Common Cryptographic Algorithms cellular standard. Authentication requires both the MS 120 and the infrastructure components 112 of the system to execute the CAVE algorithm with a common set of data to generate an authentication signature. If the authentication signature generated by the MS 120 matches the authentication signature generated by the infrastructure components, then the identity of the MS 120 is authenticated and access to telephone service is granted. Otherwise, the attempt by the MS 120 to access the network is rejected.
The authentication can be performed by either a unique challenge or a broadcast challenge. In a unique challenge, a xe2x80x9cRANDxe2x80x9d is transmitted to a MS 120 that requests access to the system. The RAND is typically a randomly-generated value used in the authentication process. The RAND for a unique challenge is typically a 24-bit digital value. The MS 120 receives the RAND and executes the CAVE algorithm using the received RAND, the SSD-A, and other data to calculate an authentication signature. The authentication signature is typically an 18-bit digital value. The MS 120 transmits the RAND and the calculated authentication signature to the infrastructure components 112. The infrastructure components 112 similarly use the CAVE algorithm to calculate an authentication signature based upon the stored values for the SSD-A, the MIN, and the ESN. If the authentication signature received from the MS 120 matches the authentication signature calculated independently by the infrastructure components 112, then the MS 120 is granted access to service. Otherwise, the MS 120 is denied access to service.
In contrast, in a broadcast challenge, the infrastructure components broadcast a RAND to all MSs 120 on a dedicated broadcast channel (e.g., a cellular paging channel) rather than sending a RAND only to one MS 120 that has requested access. The broadcast challenge is sometimes referred to as the xe2x80x9cglobal challenge.xe2x80x9d Typically, a new RAND will be generated and transmitted from time to time. When an MS 120 requests access to service, the MS 120 computes the authentication signature based on, the most recently broadcast RAND prior to any communication with the infrastructure components 112. In one example, the MS 120 transmits the 8 most significant bits of the RAND and the computed authentication signature to the infrastructure components 112 for verification. Since the infrastructure components 112 send the authentication signature together with the request for services, verification of the authentication signature can begin immediately upon the MS 120 requesting access to service, thereby minimizing delay in call processing.
While broadcast challenges result in faster ;call setup than unique challenges, clone telephones, or other fraudulent intruders have been able to gain unauthorized access to the system by a method commonly known as xe2x80x9creplay attacksxe2x80x9d. A replay attack allows an intruder to appear to be a legitimate subscriber. As a result, the intruder can make calls that are billed to the legitimate subscriber. In accordance with a replay attack, an intruder monitors the information that is transmitted between an authorized MS 120 and the infrastructure components 112. The intruder stores the RAND and authorization signature transmitted by the authorized MS 120 to the infrastructure components 112. When the call ends, the intruder transmits a request for service containing the same RAND and authorization signature as sent previously by the legitimate subscriber. If the RAND has not changed since the authorized MS 120 calculated the intercepted authentication signature, then the subscriber who owns the authorized MS 120 would be billed for the intruder""s use of service.
Prior efforts to prevent replay attacks such as using the dialed digits as input to the CAVE algorithm have been unsuccessful. For a mobile originated call a subset of the dialed digits is used as input to the CAVE algorithm instead of the MIN. Since dialed digits typically change with each call, using the dialed digits as an input to the CAVE algorithm results in a unique authentication signature for each call, unless the two calls are made to the same number. However, the authorization process typically will use a predetermined number of the last digits dialed, since these are most likely to be unique to each call. In many cases, the dialed digits of the authorized call can be appended to the dialed digits of the unauthorized call without adversely affecting the call. Therefore, the infrastructure will generate the same authentication signature as was generated for the call made by the authorized MS 120. Furthermore, fraudulent access to the system is available if the unauthorized MS intercepts and an operator assisted call or a call that is made through a directory assistance operator and uses the intercepted information (i.e., RAND and authentication signature) to access the system. Since many wireless service providers are now offering directory assistance service which connects the user directly to the number requested, many users will be dialing only xe2x80x9c411xe2x80x9d to get access to the system. Accordingly, by waiting for an operator assisted call to be made by an authorized user, a fraudulent user can gain unauthorized access to the system.
Therefore, there is a need in the wireless communication technology for an authentication process that is less susceptible to unauthorized access to the system.
A method and apparatus is disclosed which confirms the identity of a station in a communication network, such as a mobile telephone system. The disclosed method and apparatus is not susceptible to replay attacks. Furthermore, the disclosed method and apparatus implements an authentication process that has a relatively short delay. The disclosed method and apparatus includes the present invention as defined by the appended claims.
The disclosed method and apparatus comprises a first station (e.g., a mobile station) that communicates a first xe2x80x9csecurity parameterxe2x80x9d (e.g., a RAND) and an authentication signature to a second station (e.g., an infrastructure component) within the communication network. For the purpose of this disclosure, a security parameter is defined as any signal, pattern, or value that can be used as an input to a signature generation (xe2x80x9cSGxe2x80x9d) algorithm, such as a conventional CAVE (cellular authentication and voice encryption) algorithm, to generate an authentication signature. An authentication signature is defined as a signal, pattern, or value which is output from an SG algorithm in response to one or more security parameters being input. It is preferable that each unique set of input security parameters produce an authentication signature that is unlike the authentication signature that would be output as the result of any other input security parameter set.
The second station receives the first security parameter and the authentication signature from the first station. If the first security parameter differs from each of a predetermined number of first security parameters previously received from the first station, then the second station performs conventional procedures to authenticate (i.e., confirm the identity of) the first station. Once the second station has authenticated the first station, the first station is granted access to the communication network. If the first security parameter is the same as one of the first security parameters transmitted by that first station in the most recent attempt by that first station to gain access, then the second station performs a xe2x80x9cunique challengexe2x80x9d.
In another embodiment of the disclosed method and apparatus, a determination is made as to whether a first station has previously accessed the communication network. If the first station has previously accessed the communication network, then a unique challenge procedure is initiated by the second station before access is granted to the first station.