1. Field of the Invention
The present invention generally relates to security schemes used in communication systems and more particularly to an improvement to a security scheme for the authentication of a portion of a mobile known as the User Subscription Identity Module.
2. Description of the Related Art
The security of information conveyed over communication systems is a main source of concern for service providers. Subscribers of communication systems often transmit and receive very sensitive and private information intended for specific parties. Service providers want to give their subscribers a certain degree of confidence in the security capabilities of the communication system. Consequently, different security schemes have been developed and are being used in current communication systems. One security scheme, used particularly in third generation wireless communication systems, is referred to as the Authentication and Key Agreement (AKA) procedure. The AKA procedure is a security scheme that not only authenticates a subscriber and generates security keys, but also validates received subscriber information to ensure that such information was not improperly modified at some point in the communication system prior to the reception of such information. Third generation wireless communication systems convey digital voice and relatively high speed data; these communication systems typically convey information in accordance with standards established by standards organizations such as the American National Standards Institute (ANSI) or the European Telecommunications Standards Institute (ETSI).
Referring now to FIG. 1, there is shown a portion of a wireless communication system. Communication link 102 couples Home Location Register (HLR) 100 to a base station 104 that is part of a Serving Network (SN). The SN is a communication system or part of a communication system that is providing services to subscribers. Base station 104 communicates with subscribers (e.g., mobile 108) via wireless communication link 106. For ease of illustration, only one base station of the SN is shown and also only one mobile is shown. HLR 100 is part of system equipment (owned and operated by the service provider) that performs mobility management for the communication system. Mobility management is the proper handling of subscriber traffic and the calculation of various parameters associated with the AKA procedure. For example, a mobility manager detects the initiation of a call by a subscriber and also knows the subscriber's location and which base station is serving such a subscriber. The mobility manager can then inform the base station serving the subscriber making the call as to which base station the call is to be delivered.
HLR 100 contains subscriber specific data records including identification and authentication information for mobiles of all subscribers of the communication system. Base station 104 contains, inter alia, typical radio equipment for transmitting and receiving communication signals and other equipment for processing subscriber and system information. For example, base station 104 contains a Visitors Location Register (VLR) (not shown) which receives security related information from the HLR and derives additional security related information which is then transmitted to the proper mobile. The VLR also receives security related information from mobiles which it processes to authenticate communication between mobiles and the base station. The process of authentication is described herein in the discussion of the AKA procedure. Mobile 108 represents typical subscriber communication equipment (e.g., cell phone, wireless laptop PC) that transmits and receives system information and subscriber information to and from the base station. The system information is information that is generated by system equipment to operate the communication system.
Mobile 108 has a User Subscription Identity Module (USIM) portion that is interfaced to the rest of the mobile equipment. The interface between the USIM and the mobile is standardized so that any USIM built in accordance with an interface standard can be used with any mobile equipment which is also configured in accordance with the same interface standard. Typically, the USIM is attached to the mobile as a storage device containing an ID number and other mobile identification data unique to a particular subscriber. Thus, part of the information stored in the HLR is also stored in the USIM. The USIM is capable of communicating with the rest of the mobile equipment commonly referred to as the shell or the mobile shell. Many publicly accessible mobiles (e.g., taxi cell phones) can be used by a subscriber inserting a USIM (also known as a “smart card”) into the mobile. The information stored in the USIM is transferred to the mobile shell allowing the mobile to gain access to the communication system. Another type of arrangement between a USIM and a mobile shell is to integrate the USIM into the circuitry of the mobile shell. A mobile with an integrated USIM is typically owned by an individual subscriber and the communication system uses the information stored in a mobile's USIM to identify and confirm that the mobile has properly obtained access to the SN.
When a mobile wishes to gain access to a communication system, it must first be recognized as an authorized user of the communication system and then it executes an AKA procedure with the system equipment. As a result of the AKA procedure, the mobile's USIM generates two keys: (1) an Integrity Key (IK), used to compute digital signatures of information exchanged between the mobile and the base station, and (2) a Ciphering Key (CK), used to encrypt information being transmitted over communication link 106 between base station 104 and mobile 108. The digital signature computed with the IK is used to validate information integrity. The digital signature is a certain pattern which results when the proper IK is applied to any received information. The IK allows the authentication of information exchanged between the base station and the mobile; that is, the IK is applied to received information resulting in the generation of a digital signature indicating that the received information was not modified (intentionally or unintentionally) in any manner. Encryption of information with the ciphering key ensures privacy.
Both the IK and the CK are secret keys established between the base station and the mobile to establish a valid security association. A valid security association refers to a set of identical data patterns (e.g., IK, CK) independently generated by a USIM (coupled to a mobile) and a serving network indicating that the USIM is authorized to have access to the SN and the information received by the mobile from the SN is from an authorized and legitimate SN. A valid security association indicates that a mobile (i.e., the mobile's USIM) has authenticated itself to the SN and the SN has been authenticated by the mobile (i.e., the mobile's USIM). When the IK and CK—independently generated by the serving network and the mobile's USIM—are not identical, the security association is not valid. The determination of whether IK and CK computed at the SN are identical to the IK and CK computed at a USIM of a mobile is discussed infra. The USIM transfers the IK and CK to the mobile shell which uses them as described above. The IK and CK at the network are actually computed by the HLR. The HLR sends various information to the VLR and the mobile during an AKA procedure and generates, inter alia, the IK and CK, which it forwards to the VLR.
In a current standard (3GPP TSG 33.102) for third generation wireless communication systems, an authentication security scheme that uses an AKA procedure has been established. The information needed to execute the AKA procedure is contained in a block of information (stored in the HLR) called the Authentication Vector (AV). The AV is a block of information containing several parameters, namely: RAND, XRES, IK, CK and AUTN. Except for the AUTN and RAND parameters, each of the parameters is generated by the application of an algorithmic non-reversible function ƒn to RAND and a secret key, Ki. An algorithmic non-reversible function is a specific set of steps that mathematically manipulates and processes information such that the original information cannot be regenerated with the resulting processed information. There is actually a group of non-reversible algorithmic functions which are used to generate various parameters used in the AKA procedure; the various parameters and their associated functions are discussed infra. Ki is a secret key associated with subscriber i (where i is an integer equal to 1 or greater) and which is stored in the HLR and in subscriber i's USIM. RAND is a random number uniquely specific to each AV and is selected by the HLR. XRES is the Expected Mobile Station Response computed by the USIM of a mobile by applying a non-reversible algorithmic function to RAND and Ki. IK is computed by the USIM and the HLR also by the application of a non-reversible algorithmic function to RAND and Ki. CK is also computed by both the USIM and the HLR by applying a non-reversible algorithmic function to RAND and Ki.
AUTN is an authentication token which is a block of information sent to the VLR by the HLR for authenticating the SN to the mobile. In other words, the AUTN contains various parameters some of which are processed by the USIM of the mobile to confirm that the AUTN was indeed transmitted by a legitimate base station of the SN. AUTN contains the following parameters: AK⊕SQN, AMF and MAC. AK is an Anonymity Key used for concealing the value of SQN which is a unique sequence vector that identifies the AV. AK is computed by applying a non-reversible algorithmic function to RAND and Ki. SQN, i.e., the Sequence Number, is independently generated by the USIM and the HLR in synchronized fashion. AMF is the Authentication Management Field whose specific values identify different commands sent from the HLR to the USIM. The AMF can be thought of as an in-band control channel. MAC, i.e., the Message Authentication Code, represents the signature of a message sent between the base station and the mobile which indicates that the message contains correct information; that is, the MAC serves to verify the content of messages exchanged between a mobile and the SN. For example, MAC=ƒn(RAND, AMF, SQN, Ki) which is a signature of correct values of SQN and AMF computed with the use of non-reversible algorithmic function using a secret key Ki and randomized by RAND.
For ease of explanation only, the AKA procedure will now be described in the context of a communication system part of which is shown in FIG. 1. The communication system shown in FIG. 1 complies with the 3GPP TSG 33.102 standard. Initially, the AV is transferred from HLR 100 to the VLR at base station 104 (or to a VLR coupled to base station 104). In accordance with the standard, the VLR derives XRES from the received AV. The VLR also derives AUTN and RAND from the received AV and transfers them to mobile 108 via communication link 106. Mobile 108 receives AUTN and RAND and transfers the RAND and AUTN to its USIM. The USIM validates the received AUTN as follows: The USIM uses the stored secret key (Ki) and RAND to compute the AK, and then uncovers the SQN. The USIM uncovers the SQN by exclusive OR-ing the received AK⊕SQN with the computed value of AK; the result is the uncovered or deciphered SQN. Then the USIM computes the MAC and compares it to the MAC received as a part of the AUTN. If the MAC checks (i.e., received MAC = computed MAC), the USIM verifies that the SQN is in a valid acceptable range (as defined by the standard), in which case the USIM considers this attempt at authentication to be a valid one. The USIM uses the stored secret key (Ki) and RAND to compute RES, CK and IK. The RES is a Mobile Station Response. The USIM then transfers IK, CK and RES to the mobile shell and causes the mobile to transmit (via communication link 106) RES to base station 104. RES is received by base station 104 which transfers it to the VLR. The VLR compares RES to XRES and if they are equal to each other, the VLR also derives the CK and IK keys from the Authentication Vector. Because of the equality of XRES to RES, the keys computed by the mobile are equal to the keys computed by the HLR and delivered to the VLR.
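The exchange described above, as an added example that is not part of the original document or of the standard it cites: HMAC-SHA256 stands in for the non-reversible functions ƒn, and the field lengths, the SQN acceptance window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def f(label, ki, *parts, n):
    # Stand-in for the page's non-reversible functions fn (HMAC-SHA256 is an assumption).
    return hmac.new(ki, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_make_av(ki, sqn, amf):
    """HLR side: build the Authentication Vector (RAND, XRES, IK, CK, AUTN)."""
    rand = secrets.token_bytes(16)            # fresh RAND per AV
    sqn_b = sqn.to_bytes(6, "big")            # assumed 48-bit SQN
    ak = f(b"AK", ki, rand, n=6)
    mac = f(b"MAC", ki, rand, amf, sqn_b, n=8)
    return {"RAND": rand, "XRES": f(b"RES", ki, rand, n=8),
            "IK": f(b"IK", ki, rand, n=16), "CK": f(b"CK", ki, rand, n=16),
            "AUTN": xor(ak, sqn_b) + amf + mac}   # AK xor SQN | AMF | MAC

def usim_process(ki, last_sqn, rand, autn, window=32):
    """USIM side: validate AUTN, then derive RES, CK and IK."""
    concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(concealed, f(b"AK", ki, rand, n=6))      # uncover SQN
    if not hmac.compare_digest(mac, f(b"MAC", ki, rand, amf, sqn_b, n=8)):
        raise ValueError("MAC mismatch")
    sqn = int.from_bytes(sqn_b, "big")
    if not last_sqn < sqn <= last_sqn + window:          # assumed acceptance window
        raise ValueError("SQN out of range")
    return {"SQN": sqn, "RES": f(b"RES", ki, rand, n=8),
            "IK": f(b"IK", ki, rand, n=16), "CK": f(b"CK", ki, rand, n=16)}

def vlr_check(av, res):
    """VLR side: compare the mobile's RES with XRES from the AV."""
    return hmac.compare_digest(av["XRES"], res)

if __name__ == "__main__":
    ki = bytes(range(16))                     # constructed sample Ki
    av = hlr_make_av(ki, sqn=101, amf=b"\x80\x00")
    out = usim_process(ki, 100, av["RAND"], av["AUTN"])
    print("RES accepted:", vlr_check(av, out["RES"]), "| keys match:",
          out["IK"] == av["IK"] and out["CK"] == av["CK"])
```

A modified AMF or a wrong Ki fails at the MAC comparison, while a replayed AUTN passes the MAC comparison and is rejected by the SQN range check.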
At this point, a security association exists between base station 104 and mobile 108. Mobile 108 and base station 104 encrypt information conveyed over link 106 with key CK. Mobile 108 and base station 104 use key IK to authenticate information exchanged between them over communication link 106. Further, mobile 108 and base station 104 use IK to authenticate the subscriber/SN link established for mobile 108. The communication system uses the IK for authentication; that is, a proper value of IK from the mobile during communications implies that the mobile has properly gained access to the communication system and has been authorized by the communication system to use the resources (i.e., system equipment including communication links, available channels and also services provided by the SN) of the communication system (i.e., the SN). Thus, IK is used to authenticate the mobile to the SN. The use of IK to authenticate the mobile to the SN is called local authentication. Since base station 104 and mobile 108 already have a valid IK, it is simpler to use this valid IK instead of having to generate a new one requiring exchange of information between base station 104 and HLR 100 (i.e., intersystem traffic) that usually occurs when establishing a security association. In other words, once a subscriber gains access to a system and the subscriber's mobile has been authenticated, the IK and CK generated from the authentication process are used for information exchanged between the user's mobile and the base station and for authenticating the subscriber/SN link without having to re-compute an IK for each subsequent new session. Mobile shells, which comply with the standard established for the AKA procedure, will delete the IK and CK established from the authentication process once their USIM are detached. 
However, there are many rogue mobiles (unauthorized mobiles that manage to obtain access to a communication system) that do not comply with the requirements of the standard established for the AKA procedure. These rogue mobiles maintain the use of the IK and CK keys even when the USIM has been detached from them. Because of the use of the local authentication technique used in the currently established AKA procedure, the rogue mobiles are able to fraudulently use the resources of a communication system.
The following scenario describes one possible way in which a rogue mobile (e.g., a Taxi phone) can make fraudulent use of a communication system that uses the currently established AKA procedure. A subscriber inserts his or her USIM card into a Taxi phone to make a call. Once the mobile is authenticated as described above, the subscriber can make one or more calls. When all the calls are completed, the subscriber removes the USIM card from the Taxi phone. If the Taxi phone is in compliance with the standard, the phone will delete the CK and IK of the subscriber. However, if the Taxi phone is a rogue phone, it will not delete the CK and IK keys of the subscriber. Unbeknownst to the subscriber, the rogue phone is still authenticated (using local authentication based on IK) even when the subscriber has removed the USIM card. Thus, fraudulent calls can then be made on the rogue phone until the security association is renewed. Depending on the service provider, the security association can last for as long as 24 hours.
What is therefore needed is an improvement to the currently established AKA procedure that will eliminate the fraudulent use of a subscriber's authentication keys by a rogue mobile.