Security issues were not completely addressed properly in first-generation (“1G”) analogue wireless telephone systems. With low-cost equipment, an intruder could eavesdrop user traffic or even change the identity of mobile phones to obtain fraudulent service. Given this background, a number of security measures were considered in the design of second-generation (“2G”) digital cellular systems. The Global System for Mobile Communications (“GSM”) system was designed from the beginning with security in mind and has adopted several mechanisms to provide subscriber identity confidentiality, subscriber authentication, and the confidentiality of user data and signaling information. The authentication and key agreement protocol (“AKA”) in a GSM system is based on a secret authentication key shared between the Subscriber Identity Module (“SIM”), a smart card-like device issued by the service provider, and the authentication center (“AuC”, or “HE/AuC” to designate the authentication center in the home environment) in the user's home environment (“HE”). The SIM is a removable module that acts as a security processor inside the user's terminal device. The GSM network authenticates the identity of the user through a challenge-response mechanism. The user device proves its identity by providing a response to a time-variant challenge raised by the network. Upon successful authentication, both the network and the user device also agree on a cipher key, which is used for encryption of user data and signaling information.
The GSM challenge-response mechanism is simple and has merits in several aspects. First of all, the cryptographic processing is confined to the SIM and the AuC only. Serving networks (“SN”) in which the user device may travel do not require the authentication key and cryptographic algorithms to compute responses and the cipher key. This helps to minimize the trust that the home environment needs to place in the serving networks. Second, the home environment can select its own algorithms used in the challenge-response protocol; no standardized algorithms are needed. Third, the home environment is not on-line involved in most user authentication procedures. This lightens the burden on the authentication center and reduces the overhead caused by interactions between the serving network and the home environment.
Nevertheless, weaknesses of the challenge-response mechanism in GSM have been discovered over time. Above all, authentication is only unidirectional. The subscriber is not given the assurance that a connection has been established with an authentic serving network. The lack of authentication of the serving network allows the possibility of false base station attacks against the radio interface. In addition, authentication information is transferred in clear between and within networks. No assurance is provided to the user that authentication information and cipher keys are not being reused. Data integrity, which helps to defeat false base station attacks and, in the absence of encryption, provides protection against channel hijacking, is also not provided.
The Universal Mobile Telecommunication System (“UMTS”) is one of the emerging standards developed for third generation (“3G”) wireless communications. UMTS security is based on GSM security and includes enhancements to address and correct real and perceived weaknesses in GSM and other 2G systems. The UMTS AKA retains the challenge-response mechanism used in GSM but provides significant improvements to achieve additional goals such as mutual authentication, agreement on an integrity key between the user device and the SN, and the assurance of fresh agreed-upon cipher and integrity keys. The UMTS AKA also retains the use of a Subscriber Identity Module (“USIM”, as used in the context of UMTS) as a terminal-independent security module. The authentication key is shared between and available only to the USIM and the AuC of the user's home environment.
Similar to GSM, a serving network in UMTS authenticates the user device by using authentication data (called authentication vectors) transferred from the user's home environment. It is possible for a dishonest party to intercept a transmission of such data from the home environment to the serving network. The dishonest party may then at a future time use the intercepted data to impersonate a legitimate serving network vis-à-vis the user device. One way to lower the probability of success of such an attack is for the home environment to periodically update authentication data in connection with the user and to timely inform the user device that it has performed such updates. For this purpose, a sequence number is included in each authentication vector. The user device, which independently tracks the sequence number, may verify that the sequence number in the received authentication vector matches the sequence number that it independently tracks. A mismatch may indicate that a dishonest party is replaying prior authentication data that it has intercepted. By such means, the user device may assure the freshness of agreed cipher and integrity keys. Assuring the freshness of these keys protects the user device against false base station attacks and/or replay attacks.
To facilitate sequence number generation and verification, two counters are maintained for each user: one, SQNMS, in the mobile station and another, SQNHE, in the home environment. Normally, the counter in the user device has a value less than or equal to the counter in the home environment. A mismatch between the two counters, e.g., a situation in which SQNHE<SQNMS, could arise, for example, from a failure in the AuC. In that event, sequence numbers generated in the home environment may not be acceptable on the user-device side. Such a “loss of synchronization” requires the execution of a re-synchronization procedure to adjust the counter in the home environment.
The UMTS system is susceptible to spurious resynchronization requests arising from the use of the two counters SQNMS and SQNHE. For example, an unused authentication vector in a first SN will contain outdated values for SQNHE where the user device leaves the first SN for a second SN, uses authentication vectors in the second SN and subsequently returns to the first SN. In this example, when the unused authentication vector is subsequently used by the first SN, the user device will generate a spurious resynchronization request arising from the mismatch between the current value for SQNMS and the value for SQNHE corresponding to the unused authentication vector.
Re-synchronization adds extra cost to signaling and may cause deletion of unused authentication vectors corresponding to the user. Moreover, frequent resynchronization may cause the shortening of the useful life of the user device, because the user device counter SQNMS has a maximum value; once this maximum value is reached, the user device is rendered unusable. In fact, user devices in UMTS could be subjected to attacks specifically targeting the generation of spurious resynchronization requests with the goal of rendering the user device useless.
There is thus a need for an AKA that reduces the risk of spurious resynchronization requests arising from the use of counters in the user device and home environment. Such an AKA should nevertheless provide assurance regarding the freshness of agreed cipher and integrity keys. In particular, such an AKA should continue to provide robust protection against replay and/or false base station attacks, or even improve such protection compared to known systems.