A method and a device for detecting a modification in a signaling message sent from a network unit to a communications terminal are described below.
In a communications network, in particular a mobile radio system of the second and third generation such as a GSM network and a UMTS network, the network units (mobile service switching center [MSC] or serving General Packet Radio Service (GPRS) support node [SGSN]) exchange signaling messages with the communications terminal.
A new wireless LAN architecture for combining WLAN access network technology, SIM-based user management functions and the roaming infrastructure of the network operators is known from Ala-Laurila, J., et al.: Wireless LAN access network architecture for mobile operators: IEEE Communications Magazine, Volume 39, Issue 11, November 2001, pages 82-89. In the system described, WLAN access is authenticated and charged for using a GSM-SIM card.
Postel, J.: RFC 768: User Datagram Protocol: Internet Engineering Task Force (IETF), 28 Aug. 1980 (accessible on the Internet) describes a user datagram protocol (UDP) for packet-switching computer communication in a computer network. The UDP protocol is based on the Internet Protocol (IP) and provides for a procedure for applications for sending messages to other programs with minimal protocol mechanisms.
Techniques for transmitting packets from a transmission unit via a wireless communications system to a receiver unit are known from Document D3 (2004/0037320 A1). In this case data frames contained in a packet are received. One or more headers are generated for the packet for one or more protocols in the protocol field. Possible protocols here are RTP, UDP, IP, PPP, RLP and variants.
A method for transmitting a message to a plurality of terminals in a network using a multicast service is known from Document D4 (WO 03/036908 A1), the multicast message being encrypted and simultaneously sent to several terminals.
Because the radio interface between a base station and communications terminal or mobile radio device in principle offers many opportunities for attackers, an attacker using a so-called “false base station” can position himself between a communications terminal and a real base station. The false base station acts here toward the communications terminal as a base station and toward the real base station as a communications terminal. By falsifying the messages exchanged between communications terminal and network units the false base station can for example ensure that a mobile radio call is encrypted using a cryptographically weaker method and hence can be eavesdropped on more easily.
A method for protecting against falsifications of messages is realized in the UMTS network in accordance with 3GPP TS 33.102, Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture, Release 5.3.0 (2003 Oct. 10, 2003), chapter 6.3.
When the mobile radio device logs on to the communications network for the first time, an authentication procedure is carried out in which the mobile radio device authenticates itself to the communications network and a secret temporary key IK is agreed between mobile radio device and communications network.
To this end a signed response (SRES) is computed in the communications network or mobile radio network in a special network unit, the authentication center (AuC), from the user's secret key Ki and a random number RAND using a function f2K (RAND, Ki), as is a temporary secret key using another function f4K (RAND, Ki). RAND, SRES and IK are then sent to the switching center MSC or to the serving GPRS support node SGSN, to which the mobile radio device is currently connected. Finally the MSC or the SGSN sends the random number RAND to the mobile radio device in an authentication request message. The signed response (SRES) and the temporary secret key IK are computed in the mobile radio device from the RAND and the secret key Ki using the functions f2K (RAND, Ki) and f4K (RAND, Ki).
Then the mobile radio device returns the value SRES to the communications network in an authentication response message. The MSC or the SGSN compares this value with the value computed by the authentication center AuC. If both match, the mobile radio device is deemed to be successfully authenticated. Simultaneously the mobile radio device and communications network have generated a temporary secret key IK using this procedure.
For all signaling messages exchanged between the mobile radio device and communications network after the authentication procedure, the sender of the message in each case computes a test value Hash (message, IK) using the secret key IK. The test value Hash (message, IK) is computed using the temporary key IK, because the secret key Ki may in general never leave the authentication center. The test value is then transmitted with the message and is checked by the mobile radio device. If the message has been modified by a false base station, the mobile radio device will in general recognize this from the fact that the test value is no longer correct, because the false base station does not know the secret key IK and hence cannot compute the test value for the modified message.
However, this method was introduced for a UMTS network from the outset, in other words from the first protocol version. The mobile radio device hence knows that the messages must contain a test value. A distinction as to whether the mobile radio device is located in an “old network” (message does not contain a test value) or in a “new network” (message must contain a test value) is hence not necessary.
A similar suggestion was made for the GSM system: in this case a test value was to be added to the authentication request message as a new message element. A false (fraudulent) base station can however falsify the message (e.g. for the purpose of eavesdropping) in such a way that it removes the test value and forwards the message to the mobile radio device in the old format. The problem of how the mobile radio device can recognize that it is located in a new network was not solved by this suggestion. A further suggestion (3GPP TSG SA WG3 Security, Cipher key separation for A/Gb security enhancements, file S3-030463, 15-18 Jul. 2003, San Francisco, USA, Agenda point 7.5, Source: Vodafone) for the GSM system is based on the fact that the false base station must not modify the value of the RAND parameter in the authentication request message because otherwise the mobile radio device computes a false SRES value and the authentication procedure does not succeed.
According to this suggestion a specially established bit sequence is entered in the first 32 bits of the RAND parameter, the bit sequent indicating to the mobile radio device that a particular item of information is being transmitted in the following n bits of the RAND parameter. (The standardization article S3-030463 specifically suggests encoding in the next 8 bits which GSM cipher algorithms are permissible in the network and which are not. This should prevent the false base station being able to manipulate messages on the radio interface to the mobile radio device so that a cryptographically weaker cipher algorithm is selected.)
The special bit sequence is required because this protocol expansion is not supported from the outset by all networks. The longer the special bit sequence, the lower the probability that a communications network that does not yet support the protocol expansion randomly selects the special bit sequence during the selection of a RAND parameter and the mobile radio device then erroneously interprets the additional bits in the RAND parameter as information. For 32 bits this probability is for example 1:232≅1:4×109.
Generally the following requirements for a solution to a problem must be satisfied:                i) A communications terminal or a mobile radio device that likewise supports the protocol expansion should notice any falsification of the authentication request message in new networks (UMTS networks, etc.) that support the protocol expansion.        ii) The communications terminal or the mobile radio device should however also work in old networks (GSM networks, etc.) that do not yet support the protocol expansion. Naturally the communications terminal or mobile radio device cannot then recognize message falsifications.        iii) The communications terminal or the mobile radio device must be able to recognize whether it is located in an old or a new network, particularly if a false base station is attempting to feign an “old network” to it.        
The term “retrospective protocol expansion” should thus be understood as meaning that in a version “n” of the signaling protocol the message is not yet protected against falsifications, whereas as of version “n+1” of the protocol it is protected. The new version “n+1” should here be downward-compatible with the predecessor version “n”. One possible falsification by a false base station could for example be that the new message elements are simply omitted. The mobile radio device then assumes that it is located in a network using protocol version “n”.
A problem entailed with the method suggested in S3-030463 (3GPP TSG SA WG3 Security, Cipher key separation for A/Gb security enhancements, 15-18 Jul. 2003, San Francisco, USA, agenda point 7.5, Source: Vodafone) is that the information to be protected is embedded in the RAND parameters, in other words the more such information is added over time, the fewer bits can in fact be randomly selected by the communications network. This tends to weaken the authentication function f2K (RAND, Ki). Also, because of the length of the RAND parameter (16 bytes in the GSM and UMTS network), an upper limit obtains for the quantity of information that can be protected in this way.