In a mobile communication system that needs to authenticate a mobile communication terminal, the terminal generally transmits an authentication processing result as a response after receiving a paging message from the mobile communication network. For this purpose, the mobile communication terminal includes an authentication module that performs the authentication procedure, for example a subscriber identity module (SIM), a universal subscriber identity module (USIM), or a user identity module (UIM).
The authentication procedure of a mobile communication system is a process that determines whether subscriber information stored in a home location register (HLR) and/or a visitor location register (VLR), both of which are part of the mobile communication network, matches predetermined information stored in the mobile communication terminal. An authentication key is required for this procedure, and a symmetric key method has generally been used: the terminal is authenticated by comparing the authentication keys stored in the home location register, the visitor location register, and the terminal. The authentication procedure may be performed for every outgoing or incoming call of a subscriber, or only selectively for some outgoing or incoming calls. Hereinafter, an authentication method of a mobile communication terminal in a mobile communication system according to the related art will be described.
FIG. 1 is a schematic diagram illustrating a mobile communication system. FIG. 2 is a flowchart of a method for authenticating a mobile communication terminal of a mobile communication system according to the related art.
Referring to FIG. 1, the mobile communication system 100 includes a user terminal 110, a visitor location register 120, and a home location register 130. The user terminal 110, the visitor location register 120, and the home location register 130 are connected to each other through a wireless communication network. Here, the user terminal 110 may be any terminal capable of performing wireless communication.
The method for authenticating a terminal in a mobile communication system will be described with reference to FIGS. 1 and 2.
Referring to FIG. 2, the user terminal 110 transmits a location registration signal to the visitor location register 120 at step S210. Then, the visitor location register 120 determines whether an authentication vector (AV) corresponding to the user terminal 110 is stored in a provided memory or not at step S220. Here, the user terminal 110 may transmit a location registration signal to the visitor location register 120 through a repeater and/or a switch without sending the location registration signal directly.
At step S230, if the visitor location register 120 cannot find the corresponding authentication vector in the provided memory, it requests the corresponding authentication vector from the home location register 130.
At step S240, the home location register 130 generates a new authentication vector corresponding to the user terminal 110 and transmits the generated authentication vector to the visitor location register 120.
At step S250, the visitor location register 120 requests terminal authentication from the user terminal 110, either because the corresponding authentication vector is already stored in the provided memory or because the home location register 130 has transmitted it. Here, the visitor location register 120 transmits a random challenge value (RAND), the algorithm information included in the authentication field, and/or a serial number (SQN) to the user terminal 110. At step S260, the user terminal 110 performs an authentication process using the information received from the visitor location register 120, and at step S270 it transmits the result of the authentication process to the visitor location register 120. Then, at steps S280 and S290, the visitor location register 120 verifies the authentication result received from the user terminal 110 and transmits the verification result to the user terminal 110.
The mobile communication system 100 according to the related art authenticates the user terminal 110 as described above. Here, the user terminal 110 uses the serial number (SQN) included in the authentication field (AUTN) to determine whether resynchronization is required during the authentication process. That is, the user terminal 110 compares a serial number stored in a memory in the terminal 110 (hereinafter, the terminal serial number) with the serial number carried in the authentication field (AUTN) (hereinafter, the communication network serial number). If the communication network serial number is not larger than the terminal serial number, that is, if it is smaller than or equal to the terminal serial number, the user terminal 110 requests resynchronization from the visitor location register 120. The resynchronization operation synchronizes the communication network serial number with the terminal serial number. When the user terminal 110 transmits the resynchronization request to the visitor location register 120, the resynchronization is carried out by generating a new authentication vector at the home location register 130.
However, the terminal authentication method of the mobile communication system 100 according to the related art cannot prevent replay attacks. When a replay attack occurs, the home location register must generate a serial number, confirm its validity, and generate a new authentication vector, so its performance may degrade. Because an unnecessary authentication vector is then transmitted toward the attacker's terminal, network resources are also wasted. Therefore, there has been a demand for a terminal authentication method that can effectively deal with replay attacks.
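To make the serial-number check of the terminal and the resynchronization cost at the home location register concrete, here is a constructed Python model of steps S210 to S290 (added here; it is not code from the original document, and its keyed hashes, RAND size and message layout are assumptions rather than any standardized algorithm). It runs one normal location registration, then presents the same RAND/AUTN pair to the terminal a second time, and counts how many authentication vectors the home location register had to generate as a result.

```python
import hmac, hashlib, secrets

# Constructed toy model; the keyed hashes stand in for the real authentication
# functions and are NOT a standardized algorithm. K is shared by HLR and terminal.
K = b"shared-symmetric-key"
def _tag(*parts):  # 8-byte keyed tag used for MAC and RES/XRES in this model
    return hmac.new(K, b"".join(parts), hashlib.sha256).digest()[:8]

class HomeLocationRegister:
    def __init__(self):
        self.sqn, self.av_count = 0, 0  # av_count: the HLR work the text calls wasted
    def generate_av(self):  # step S240: fresh RAND, SQN and AUTN
        self.sqn += 1
        self.av_count += 1
        rand, sqn = secrets.token_bytes(16), self.sqn.to_bytes(6, "big")
        return {"RAND": rand, "AUTN": sqn + _tag(rand, sqn), "XRES": _tag(rand)}
    def resynchronize(self, terminal_sqn):  # adopt the terminal's counter, issue a new AV
        self.sqn = terminal_sqn
        return self.generate_av()

class UserTerminal:
    def __init__(self):
        self.sqn = 0  # terminal serial number kept in terminal memory
    def authenticate(self, rand, autn):  # step S260
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _tag(rand, sqn)):
            return "REJECT", None
        net_sqn = int.from_bytes(sqn, "big")
        if net_sqn <= self.sqn:  # network serial number not larger: request resync
            return "RESYNC", self.sqn
        self.sqn = net_sqn
        return "RES", _tag(rand)

class VisitorLocationRegister:
    def __init__(self, hlr):
        self.hlr, self.stored_av = hlr, None
    def challenge(self, terminal, av=None):  # steps S220-S290
        if av is None:  # use a stored AV, else fetch one from the HLR (S230)
            av, self.stored_av = self.stored_av or self.hlr.generate_av(), None
        status, payload = terminal.authenticate(av["RAND"], av["AUTN"])
        if status == "RESYNC":
            self.stored_av = self.hlr.resynchronize(payload)  # HLR regenerates an AV
            return "RESYNC", av
        ok = status == "RES" and hmac.compare_digest(payload, av["XRES"])
        return ("OK" if ok else "FAIL"), av

def run_scenario():
    hlr = HomeLocationRegister(); ut = UserTerminal(); vlr = VisitorLocationRegister(hlr)
    first, av = vlr.challenge(ut)  # normal location registration
    replayed, _ = vlr.challenge(ut, av)  # the same RAND/AUTN presented a second time
    return first, replayed, hlr.av_count  # ("OK", "RESYNC", 2)
```

The second presentation of an already-used authentication vector fails the serial-number comparison, and the resulting resynchronization request forces the home location register to produce another vector, which is the cost the text describes.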