1. Field the of the Invention
The present invention relates to a method and system for secure wireless communications. In particular, example embodiments relate to a method of establishing authentication keys at both the network and mobile equipment in order to establish a mutually authenticated communication channel.
2. Description of Related Art
Security methods and processes relating to wireless communications have evolved in recent years. In particular, 2G CDMA security evolved into 3G CDMA security, and many of the same characteristics of 3G CDMA security are now incorporated new systems such as IMS systems, for example.
As is well known in the art, 2G CDMA security involves cellular authentication and voice encryption (CAVE). In particular, 2G CDMA security uses at least a root key commonly referred to as an AKey and shared secret data (SSD) keys. The SSD keys are generated via a well-known SSD update procedure. The SSD keys are semi long term keys and are treated as root keys herein. The SSD keys may be shared with a Visitor Location Register (VLR) of a network if the VLR is the Home Serving System, for example. Further, conventional 2G CDMA security protocols may involve a global challenge and response procedure and a unique challenge and response procedure.
For the global challenge procedure, the network broadcasts a random challenge RAND to the mobile equipment. A mobile equipment performing system access (e.g. registration, call origination, and call termination) in a network that requires authentication, creates and sends an authentication response AUTHR using a long term key. The pair RAND/AUTHR is forwarded to the Home Location Register/Authentication Center (HLR/AC) for verification. Also for calls of type call origination, last 6 digits are used in calculating AUTHR. For both call origination and call termination the mobile generates keys that are useful for the call (i.e SMEKEY and PLCM). The HLR/AC returns to the VLR the SMEKEY and PLCM if the RAND/AUTHR pair verifies.
A unique challenge procedure can be performed by the network towards a mobile equipment at any time on either the control or traffic channel. For example, the VLR requests a unique challenge and expected response pair, RANDU and AUTHU from the HLR/AC. The network sends the RANDU to the mobile equipment and the mobile equipment calculates a response AUTHU using a long term key and sends a response AUTHU to the network. The network verifies the RANDU/AUTHU pair.
Conventional 3G CDMA security protocols are based on an authentication key agreement (AKA) and provide mutual authentication meaning (i) the mobile equipment authenticates the network and (ii) the network authenticates the mobile equipment before communications are performed. The well-known AKA security protocols used in 3G CDMA are based on quintuplets. Quintuplets include a random number RAND, expected response XRES, cipher key CK, integrity key IK and network authentication token AUTN. A conventional network authentication token AUTN is based on a sequence number SQN, an anonymity key AK, authentication management field AMF and a message authentication code MAC.
For example, the mobile equipment generates its own message authentication code MAC based on a sequence number SQN stored in the mobile equipment, a secret key K stored in the mobile equipment, the AMF, and the random number RAND. Then, the message authentication code MAC generated at the mobile equipment is compared with the MAC extracted from the network authentication token AUTN received from the serving system. Still further, the mobile equipment may determine if the sequence number SQN extracted from the network authentication token is an acceptable value. If the mobile equipment successfully authenticates the network, the mobile equipment prepares a response RES and transmits the response RES back to the serving system of the network. The serving system of the network then compares the expected response XRES with the response RES to authenticate the mobile equipment, thereby completing a mutual authentication according to the conventional AKA security protocol.
If the mobile equipment during the authentication process determines the message authentication code MAC, which was extracted from the network authentication token AUTN, does not match the MAC generated in the mobile equipment, the mobile equipment transmits a failure message to the serving system of the network. Further, if the mobile equipment during the authentication process determines the MAC value, which was extracted from the network authentication token AUTN matches the MAC value generated by the mobile equipment, but that the sequence number SQN is outside of the permissible range, the mobile equipment transmits a resynchronization message to the network. The AKA security protocol briefly described above and used in 3G CDMA is well known in the art and thus, further information is not provided herein for the sake of brevity.
While security protocols have evolved by transitioning from 2G CDMA security protocols to 3G CDMA security protocols, which are also implemented in some conventional IMS security protocols, some of the hardware equipment used for wireless communications has not been updated and/or is not capable of processing the more highly evolved protocols. For example, some companies which may have invested significant amounts of time, research and money in hardware used to process 2G CDMA security protocols have chosen not to update the hardware for various cost associated reasons. Therefore, some conventional 2G CDMA hardware devices are not currently capable of providing a mutually authenticated communication channel using the AKA security protocols of conventional 3G CDMA.
Accordingly, proposals have been made, which attempt to establish a mutually authenticated communication channel without using the quintuplet based AKA security protocol described above with respect to 3G CDMA. Stated differently, these proposals are attempting to use IS-41 authentication procedures previously used in 2G CDMA security protocols. However, all of these proposals suffer from at least the following deficiency. In particular, a compromise of a past IS-41 session key (e.g., SMEKEY and PLCM) would allow an attacker to replay a random number and successfully complete the key agreement protocol and communicate with a mobile equipment or a network. As such, these proposals are insecure when a previously used IS-41 session key is revealed.