I. Field of the Invention
The present invention relates to communication systems. More particularly, the present invention relates to a novel and improved method for mobile station authentication is a wireless communication system.
II. Description of the Related Art
Several cellular telephone systems standardized by the Telecommunications Industry Association (TIA) use the authentication scheme first standardized in EIA/TIA/IS-54-B. A similar scheme is described in Flanders, et al. in U.S. Pat. No. 5,239,294, entitled "METHOD AND APPARATUS FOR AUTHENTICATION AND PROTECTION OF SUBSCRIBERS IN A TELECOMMUNICATION SYSTEM", which is incorporated by reference herein. As one aspect of the authentication scheme used in IS-54-B, an authentication signature is computed by the mobile station and sent to the base station to prove that the mobile station is legitimately entitled to services via the cellular system. For mobile-originated requests for service, this authentication signature is a one-way hash, or enciphering, of some or all of the following information:
The electronic serial number of the mobile station; PA1 The mobile subscription number, which may be the directory number or other identifier of the mobile subscriber; PA1 A random "challenge" value sent by the base station; PA1 A secret key; and PA1 The last six digits of the number dialed by the mobile station user. PA1 The hashing function takes as its input at least the entire dialed digit string contained in the request for service and the number of digits. In a preferred embodiment, the ordering of the digits affects the result, as well as, the values of the digits. The preferred embodiment of the hashing function also accepts some or all of the mobile station identifier data. PA1 The hashing function provides as output a number of suitable size for input to a second calculation of an authentication signature, such as the 24 bits required for AUTH.sub.-- DATA. PA1 The hashing function takes as its input at least the entire dialed digit string contained in the request for service and the number of digits. In a preferred embodiment, the ordering of the digit, as well as, the values of the digits affect the result. The preferred embodiment of the hashing function also accepts some or all of the mobile station identifier data. PA1 The output number is created in such a way that there is a minimum likelihood that other sets of dialed digits may create the same result. PA1 In a preferred embodiment, the number of digits in the dialed string is inserted directly into the 24-bit number, to prevent changing the number of digits that can be transmitted.
The last six digits dialed by the mobile station user are placed in a 24-bit register referred to in the standards as AUTH.sub.-- DATA. The authentication signature is calculated using AUTH.sub.-- DATA, and is transmitted to the base station. The base station checks the signature provided by the phone against its own calculation of the signature and typically denies service if the signature provided does not match the calculated value. In principle, only the legitimate mobile station can create the correct signature, because the secret key is not known to fraudulent mobile stations.
The intent of including the dialed digits is to prevent "replay attacks" in which a fraudulent user simply repeats the same signature and identification information used previously by a legitimate user. In principle, the fraudulent mobile station could not obtain service in this manner unless the same directory number was being called.
There exists a flaw in the use of dialed digits as described in the IS-54-B standard and that is that in many implementations of wireless switch equipment, the attacker can simply append to the dialed number six extra digits that are the same as the last six dialed digits from an origination sent by a legitimate use and send the identification and signature as used by the legitimate user. The extra digits will be ignored by the switch (for example, in the case of the advertised number "1-800-FLY-CHEAP", the last digit corresponding to "P" is not processed). The authentication signature, however, will be computed by the base station using these extra digits, and therefore the signature will match the expected value, allowing the fraudulent user to obtain service.
One method to combat this is to avoid using only the last digits of the dialed number. For example, one may use digits selected throughout the dialed number, rather than from only the final digits. While this is an improvement, it is less secure than the method proposed in this invention, which includes the entire dialed number and the digit count as part of the calculation of the signature.