The invention is related to the authentication between subscriber equipment and the network in a telecommunications system. The invention can be applied especially to the authentication methods of a mobile communications system.
The purpose of the authentication is to verify the authenticity of the identities of the parties of the data transfer even before forming the telecommunications connection. The authenticity of the parties must be verified in order to ensure the data security of the subscriber. Additionally, authentication can be used to prevent the use of network services by means of another subscriber's identity.
Verifying the authenticity of the identities of the parties is especially important in mobile communications systems in which the subscriber and the network state their identities to each other before forming the connection. If the authenticity of the stated identities is not verified, a connection can be formed by using a false identity simply by giving the identification data of some other mobile subscriber or network. In the circuit-switched systems of a fixed telephone network, the subscriber identity is determined by the subscriber line, so in order to use a false identity, the subscriber line of some other subscriber must be used. In packet-switched systems, the subscriber identity is transferred in each data packet sent by the subscriber, so a false identity can be used simply by giving false identification data. Basically, the authenticity of the identity stated by the subscriber can be verified in all systems by using the same kind of authentication methods.
FIG. 1 illustrates a mobile communications network and its network elements related to the authentication. The figure shows two mobile services switching centres MSC1, MSC2 and the visitor location registers VLR1, VLR2 related to them, base station controllers BSC, base transceiver stations BTS, a mobile station MS, a home location register HLR and an authentication centre AUC typically located in connection with the HLR. Mobile services switching centres can form signalling connections to the home location register HLR and to the authentication centre AUC, as shown with dotted lines in the figure.
Each mobile subscriber has a home public land mobile network HPLMN with whose operator the mobile subscriber has signed an agreement and in which the subscriber data is stored. In addition to the home network HPLMN, the mobile subscriber can use the services of public land mobile networks PLMN with which the subscriber's operator has a roaming agreement. The network with which the mobile station communicates is from now on called the visited public land mobile network VPLMN, and it can be the home network HPLMN of the mobile station or some other mobile communications network PLMN.
The mobile communications system is connected via the mobile services switching centre MSC to other networks, such as public switched telephone network PSTN or integrated services digital network ISDN. Several base station controllers BSC are connected to the mobile services switching centre MSC. Several base stations BTS are connected to each base station controller BSC. The base stations can form connections to subscriber stations, that is, mobile stations MS comprising mobile equipment ME and subscriber identity modules SIM, via the channels of the so called air interface.
FIG. 2 illustrates an authentication method used in a known GSM system. In the system, the purpose of the authentication is to ensure that the mobile station trying to connect to the network really is what it claims to be. The principle of the authentication procedure is to have the network ask the mobile station a question for which only the mobile station with the given identity can answer correctly. The procedure is based on the use of a subscriber-specific authentication key Ki. During the entry of the subscriber data, the key Ki has been stored in the authentication centre AUC and in the subscriber identity module SIM to be placed in the mobile station. There is no way to find out the key without breaking the subscriber identity module SIM; only the authentication algorithms located in the authentication centre and in the subscriber identity module can use the key.
The authentication method has two stages. At the first stage (FIG. 2, stages 201-203), the authentication centre forms so called authentication triplets and sends them to the network which the mobile station is currently visiting. At the second stage, the network authenticates the mobile subscriber by using the triplets it has received from the authentication centre (stages 204-210).
The forming of the authentication triplets starts with generating a random number RAND by using the random number generator (stage 201). At stage 202, the random number RAND is entered, together with the mobile-subscriber-specific authentication key Ki, to the algorithms A3 and A8. The algorithms A3 and A8 are secret algorithms defined in the Memorandum of Understanding (MoU) of the GSM operators' organisation. Different operators can use different versions of the algorithms. Basically, the algorithms are one-way hash functions H(K,X) with keys and the following applies to them:
1. when K and X have been given, unique H(K,X) is easy to calculate and
2. when X has been given, but the key K is unknown, H(K,X) is impossible, or at least very difficult, to calculate,
3. when a great number of arguments X and the corresponding hash function values H(K,X) have been given, but the key K is unknown, the key K is impossible, or at least very difficult, to calculate and
4. when a great number of arguments X and the corresponding hash function values H(K,X) have been given, but the key K is unknown, the hash function value H(K,X′) for given input X′ is impossible, or at least very difficult, to calculate, if the value is not known.
In addition to the GSM system algorithms A3 and A8 (which have a secret implementation), known one-way hash functions with keys are, for example, HMAC (Hash-Based Message Authentication Code) algorithms formed from the SHA (Secure Hash Algorithm) and MD5 (Message Digest Algorithm 5) algorithms.
The authentication triplet (RAND, SRES, Kc) formed by the responses SRES (Signed RESponse) and Kc, which are calculated by using the algorithms A3 and A8, and the random number RAND used as input data, are sent to the network VPLMN which the mobile station is visiting at the given time. It should be noted that VPLMN can also be the subscriber's home network HPLMN. Due to the features of the algorithms A3 and A8, the subscriber authentication key Ki cannot be deduced even on the basis of a large number of known triplets (RAND, SRES, Kc). In the network, the triplets are stored in the visitor location register VLR. Typically, several triplets, for example, ten, are calculated and sent to VLR at a time.
When a connection is being formed between the mobile station and the network, the network authenticates the mobile station by using the triplets received from the authentication centre. The network starts the authentication at stage 204 by sending an authentication request to the mobile station. The request contains the random input RAND belonging to the triplet. The mobile station receives the request and, at stage 205, calculates the values SRES′ and Kc by using the algorithms A3 and A8, programmed in the subscriber identity module SIM, and by using the random number RAND and the authentication key Ki, programmed in the subscriber identity module SIM, as the input. On the basis of the features of the algorithms, SRES′=SRES only if the authentication keys Ki used by both the authentication centre and the subscriber identity module are identical.
The mobile station sends the calculated response for algorithm A3, SRES′, to the network which compares it to the response SRES taken from the authentication triplet at stage 206. If SRES=SRES′, the network accepts the mobile station authentication and forms a connection with it. The connection can be defined to use ciphering, which is done by using the response Kc of the algorithm A8 as the key. As the key Kc is not sent via the air interface, an active eavesdropper cannot break the ciphering or, at least, it is difficult. The breaking of the ciphering can be made more difficult by performing the authentication often, for example, in relation to every forming of a connection.
As it is virtually impossible to deduce the key Ki by listening to the authentications of a mobile station, a passive eavesdropper cannot decipher the connection nor is it possible to pretend to be the mobile subscriber by actively changing the messages.
In the above described method, only the mobile station is authenticated. So the mobile communications network is assumed to be reliable. However, eavesdroppers may use their own base station which blocks the signals from the base stations of the real mobile communications network and which is connected, for example, to the fixed telephone network. By using this base station, an eavesdropper may send the authentication input RAND to a mobile station and receive SRES′ as a response. The mobile station cannot detect the falsity of the base station, but assumes that the authentication succeeded. Later, the base station directs the mobile station not to use ciphering; after that it is easy to listen to the traffic of the mobile station. Alternatively, the eavesdropper may use an authentication triplet acquired by honest or dishonest means, pretend to be a base station and decipher the connection by using a key contained in the triplet. Triplets can be acquired by, for example, all of the GSM operators which have a roaming agreement with the subscriber's home network; the validity or re-use of the triplets is not limited in any way.
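The triplet procedure of FIG. 2 can be modelled in a few lines. This is an added example, not part of the original text: the real A3 and A8 are secret, so HMAC-SHA256 (one of the keyed one-way hash functions named above) stands in for them, and the key, the output lengths and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (assumption: HMAC-SHA256 truncated to a 32-bit SRES)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8 (assumption: HMAC-SHA256 truncated to a 64-bit Kc)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[8:16]

def auc_make_triplets(ki: bytes, count: int = 10) -> list:
    """Stages 201-203: the AUC forms (RAND, SRES, Kc) triplets for the VLR."""
    triplets = []
    for _ in range(count):
        rand = secrets.token_bytes(16)
        triplets.append((rand, a3(ki, rand), a8(ki, rand)))
    return triplets

class Sim:
    """Holds Ki; only the A3/A8 results ever leave the module."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        """Stage 205: answers whatever RAND arrives; the sender is not checked."""
        return a3(self._ki, rand), a8(self._ki, rand)

def network_authenticate(triplet, sim: Sim):
    """Stages 204-206: send RAND, compare SRES' with SRES.
    Returns (accepted, keys_match)."""
    rand, sres, kc = triplet
    sres_prime, kc_ms = sim.run_gsm_algorithm(rand)  # only SRES' is transmitted
    return hmac.compare_digest(sres, sres_prime), kc == kc_ms

def demo():
    ki = bytes(range(16))                  # constructed subscriber key
    genuine, other = Sim(ki), Sim(bytes(16))
    triplet = auc_make_triplets(ki)[0]
    first = network_authenticate(triplet, genuine)
    wrong_key = network_authenticate(triplet, other)
    reused = network_authenticate(triplet, genuine)  # same triplet, accepted again
    return first, wrong_key[0], reused

if __name__ == "__main__":
    print(demo())
```

The `reused` result shows the property criticised above: nothing in the exchange binds a triplet to one session or lets the SIM check where RAND came from.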
To solve this problem, algorithms authenticating the network have also been developed for systems which require eavesdropping by means of a separate base station to be prevented. An example of this kind of an algorithm is the algorithm used in the TETRA system and illustrated in FIG. 3. The algorithm uses the mobile subscriber authentication key Ki. The authentication centre generates (stage 301) the random number RS and uses it and the authentication key Ki to calculate keys KS and KS′ by using the algorithms TA11 and TA21 (stages 302 and 303). It sends the created triplet (RS,KS,KS′) to the base station BS.
The base station generates the random number RAND1 (stage 311) and sends the random numbers RAND1 and RS to the mobile station. The mobile station calculates keys KS and KS′ on the basis of the random number RS and its own key Ki by using the algorithms T11 and T21 (stages 321 and 322). If the authentication centre and the mobile station use the same key Ki, they both have the same values KS and KS′ at this point.
At stage 323, the mobile station uses the algorithm TA12 to calculate in the subscriber identity module SIM the variables RES1 and DCK1 by using the keys KS and the random number RAND1. So, RES1 and DCK depend on the subscriber-specific key Ki and the random numbers RS and RAND1 generated in the authentication centre and the base station. At stage 324, the mobile station generates a new random number RAND2 and sends it and the calculated value RES1 to the base station. Correspondingly, the base station calculates the corresponding variables XRES1 and DCK1 by using the algorithm TA12 at stage 312. If XRES1=RES1, the base station can assume that the mobile station has the same key Ki as the authentication centre. On the basis of this, the network knows that the mobile station is what it claims to be. As the network has been able to find out that the mobile station has the same key Ki as the authentication centre and, thus, the same key KS as the network, it can now rely on both having the same value for the variable DCK1. This means that at stage 313, the value of the truth-variable R1, which shows the success of the mobile station authentication, is R1=true. If this is not the case, R1 is false.
The mobile station authenticates the network by sending the input RAND2. At stage 314, the responses RES2 and DCK2 are calculated in the base station on the basis of inputs KS′ and RAND2 by using the algorithm TA22. Correspondingly, the same algorithm TA22 and the same inputs KS′ and RAND2 are used to calculate responses XRES2 and DCK2 in the mobile station. RES2, XRES2 and DCK2 depend on the subscriber-specific key Ki and the random numbers RS and RAND2 generated in the authentication centre and in the mobile station. The base station sends the calculated value RES2 to the mobile station together with the truth-value R1. If the base station and the mobile station both have the same keys KS′, then XRES2=RES2. If this is true, the mobile station knows that the base station has got the value KS′ from the authentication centre AUC and, thus, it considers the network reliable. Additionally, the mobile station can assume that the base station has the same key DCK2 as the mobile station itself. As the base station has also stated that R1=true, the mobile station knows that they both have the same keys DCK1. In this case, the variable R2, which is returned by the mobile station to the network and which shows the success of the authentication, gets the value true. After receiving the information R2=true, also the base station knows that they both now have the same keys DCK1 and DCK2.
Finally, at stages 327 and 315, the mobile station and the network calculate the cipher key DCK for the connection on the basis of variables DCK1 and DCK2. So DCK is dependent on the key Ki and the random numbers RS, RAND1 and RAND2. If the mixing of keys of different sessions is not possible, both the mobile station and the base station know, on the basis of the description above, that they both have the same key DCK which can be successfully used for ciphering the connection.
In the described method the keys Ki, KS, KS′, DCK1, DCK2 and DCK are never transferred via the air interface, so an eavesdropper cannot decipher the connection or pretend to be the mobile station, if the keys (except Ki) are changed often enough. The mobile station can also be sure that the base station has got its authentication variables RS, KS and KS′ from the authentication centre of the mobile subscriber. However, it cannot be sure that the network is not using variables that have been used before. If the authentication centre AUC has trusted the base station BS once and sent it a triplet (RS, KS, KS′), the BS can always use this triplet to show that the AUC trusts it. This leaves an eavesdropper the possibility of somehow acquiring one authentication variable triplet (RS, KS, KS′), which can be used several times.
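The FIG. 3 exchange and the triplet re-use it permits, as an added example that is not part of the original text. HMAC-SHA256 stands in for TA11, TA21, TA12 and TA22; the output lengths, the constructed key and the helper `combine_dck` (the text does not name the function that forms DCK from DCK1 and DCK2) are assumptions.

```python
import hashlib
import hmac
import secrets

def kh(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed one-way hash used as a stand-in for every TETRA algorithm here."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def ta11(ki, rs): return kh(ki, b"TA11", rs)             # -> KS
def ta21(ki, rs): return kh(ki, b"TA21", rs)             # -> KS'

def ta12(ks, rand1):                                     # -> (RES1, DCK1)
    d = kh(ks, b"TA12", rand1)
    return d[:4], d[4:14]

def ta22(ks_prime, rand2):                               # -> (RES2, DCK2)
    d = kh(ks_prime, b"TA22", rand2)
    return d[:4], d[4:14]

def combine_dck(dck1, dck2):                             # hypothetical helper
    return kh(dck1, b"DCK", dck2)[:10]

def auc_issue(ki: bytes):
    """Stages 301-303: the AUC hands (RS, KS, KS') to the base station."""
    rs = secrets.token_bytes(10)
    return rs, ta11(ki, rs), ta21(ki, rs)

def run_session(ki_ms: bytes, bs_triplet):
    """One mutual authentication; the base station holds only the triplet.
    Returns (R1, R2, both_sides_hold_same_DCK)."""
    rs, ks_bs, ksp_bs = bs_triplet
    rand1 = secrets.token_bytes(10)                      # stage 311
    ks_ms, ksp_ms = ta11(ki_ms, rs), ta21(ki_ms, rs)     # stages 321-322
    res1, dck1_ms = ta12(ks_ms, rand1)                   # stage 323
    rand2 = secrets.token_bytes(10)                      # stage 324, fresh
    xres1, dck1_bs = ta12(ks_bs, rand1)                  # stage 312
    r1 = hmac.compare_digest(xres1, res1)                # stage 313
    res2, dck2_bs = ta22(ksp_bs, rand2)                  # stage 314
    xres2, dck2_ms = ta22(ksp_ms, rand2)
    r2 = r1 and hmac.compare_digest(xres2, res2)
    same = combine_dck(dck1_ms, dck2_ms) == combine_dck(dck1_bs, dck2_bs)
    return r1, r2, same

def demo():
    ki = bytes(range(16))                                # constructed key
    triplet = auc_issue(ki)                              # AUC involved once
    first = run_session(ki, triplet)
    later = run_session(ki, triplet)                     # stored triplet, no AUC
    return first, later

if __name__ == "__main__":
    print(demo())
```

The fresh RAND2 proves only that the other side holds KS′ for this RS, not that the authentication centre took part in the current session, so the second run succeeds exactly like the first.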
Thus, the methods in accordance with the prior art cannot guarantee for the mobile station that the base station, which the mobile station is connecting to, is reliable. The objective of the invention is to create a method, which can solve this problem in the prior art. This objective can be achieved with the method described in the independent patent claims.
The idea of the invention is to perform the authentication as a two-way connection between the subscriber station and the authentication centre by using secret ciphering keys. In this case the network, which the subscriber station is connected to, cannot make the authentication independently and the mobile station can always be sure that the network authentication is reliable.
In the method of the invention, the subscriber station and the authentication centre both generate and send a random number input to each other. On the basis of the random number input generated by themselves and received from the other party via the network, the subscriber station and the authentication centre calculate the responses by using at least two pre-defined functions. Additionally, the authentication centre can verify the reliability of the network by using a separate authentication method, if necessary. The response for the first function, calculated in the authentication centre, is sent to the mobile station. The subscriber station compares the calculated response for the first function to the value received from the network and if the values are the same, it considers the network reliable. The subscriber station sends the calculated response for the second function to the network. The second responses calculated in the subscriber station and in the authentication centre are compared to each other in some suitable network element. The checking can be done, for example, in the network which the subscriber station is connected to or in the authentication centre. The traffic in the connection is preferably ciphered after successful authentication by using a ciphering key calculated in the subscriber station and in the authentication centre by using a third function.
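A sketch of the exchange described above, as an added example that is not taken from the patent. The names `RAND_MS`, `RAND_AUC`, `f` and the use of HMAC-SHA256 keyed with a shared subscriber key for the three functions are assumptions; the comparison of the second responses is done in `demo` for brevity.

```python
import hashlib
import hmac
import secrets

def f(n: int, ki: bytes, rand_ms: bytes, rand_auc: bytes) -> bytes:
    """Hypothetical keyed function number n over both parties' random inputs."""
    return hmac.new(ki, bytes([n]) + rand_ms + rand_auc, hashlib.sha256).digest()

class AuthCentre:
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand_ms: bytes) -> dict:
        """Values the AUC releases for this one session only."""
        rand_auc = secrets.token_bytes(16)
        k = self._ki
        return {"rand_auc": rand_auc,
                "res1": f(1, k, rand_ms, rand_auc),    # forwarded to the subscriber
                "xres2": f(2, k, rand_ms, rand_auc),   # expected second response
                "kc": f(3, k, rand_ms, rand_auc)}      # ciphering key (third function)

class SubscriberStation:
    def __init__(self, ki: bytes):
        self._ki = ki
        self.rand_ms = None

    def challenge(self) -> bytes:
        self.rand_ms = secrets.token_bytes(16)         # fresh for every attempt
        return self.rand_ms

    def verify_network(self, rand_auc: bytes, res1: bytes):
        """Returns (network_ok, res2, kc); res2 and kc are None on failure."""
        k, r = self._ki, self.rand_ms
        if not hmac.compare_digest(f(1, k, r, rand_auc), res1):
            return False, None, None
        return True, f(2, k, r, rand_auc), f(3, k, r, rand_auc)

def demo():
    ki = bytes(range(16))                              # constructed subscriber key
    ms, auc = SubscriberStation(ki), AuthCentre(ki)
    s1 = auc.respond(ms.challenge())                   # relayed by the visited network
    net_ok, res2, kc = ms.verify_network(s1["rand_auc"], s1["res1"])
    subscriber_ok = hmac.compare_digest(res2, s1["xres2"])
    ms.challenge()                                     # a later connection attempt
    replay_ok, _, _ = ms.verify_network(s1["rand_auc"], s1["res1"])
    return net_ok, subscriber_ok, kc == s1["kc"], replay_ok

if __name__ == "__main__":
    print(demo())
```

Because the subscriber station's own random number enters every response, values the network kept from an earlier session fail the check in a later one, which is the difference from the stored triplets of the prior-art methods.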
In accordance with one embodiment of the invention, the subscriber identity is never transferred as such via a transfer network and a possible air interface. In this case the identity is ciphered so that the network can, on the basis of the ciphered identity, route the messages concerning the subscriber to the subscriber's home network where the identity is deciphered.