1. Field of the Invention
The present invention generally relates to an authentication method, in particular, to a group authentication method.
2. Description of Related Art
Along with the emergences of different killer applications in wireless networks, various real-time communication services have also been developed. However, since data packets in a wireless network are mostly transmitted through air, the wireless network offers lower security level compared to a wired network. Besides, the bandwidth and speed of a wireless network are also much lower than those of a wired network. Together with the delay caused by authentication message relaying while roaming in different domains, the handoff time in the wireless network is considerably increased. Accordingly, how to shorten the handoff time in data transmission without damaging the security has become the focus of wireless network development.
Current authentication and key agreement (AKA) mechanisms for wireless networks are mostly designed for working with single mobile station. Taking the universal mobile telecommunications system (UMTS) AKA protocol as an example, when a mobile station roams, a local network service provider (i.e. a serving network) requests the authentication vectors of the mobile station from a home network of the mobile station, so that the serving network and the mobile station can perform authentication and master key agreement accordingly.
To meet the requirements of different wireless networks, an AKA mechanism usually includes two procedures: a. registration and authentication data distribution; and b. user authentication and key agreement. First, the serving network requests the related authentication data of the mobile station from a home network of the mobile station. Then, the serving network and the mobile station generate a series of challenge messages and response messages, and generate a master session key which can be used after the authentication succeeds.
FIG. 1 is a flowchart of the UMTS AKA authentication method adaptable to a communication system. Referring to FIG. 1, the communication system includes a mobile station MS1, a serving network SN, and a home network HN. The mobile station MS1 and the home network HN have a pre-distributed secret key K (referring to FIG. 2), and the home network HN and the mobile station MS1 have a message authentication code (MAC) generation function f1, an authentication message generation function f2, a cipher key generation function f3, and a integrity key generation function f4. The home network HN further has an authentication key generation function f5 and a plurality of authentication management fields (AMFs). The serving network SN and the home network HN respectively have a database for recording the required data during the authentication process. When the mobile station MS1 roamings, the mobile station MS1 has to perform a full authentication with the serving network SN, wherein the full authentication includes an identification step 100, an authentication vector obtaining step 101, and a user authentication and key distribution step 102. The identification step 100 and the authentication vector obtaining step 101 belong to aforementioned registration and authentication data distribution procedure, and the user authentication and key distribution step 102 belongs to abovementioned user authentication and key agreement procedure.
The UMTS AKA authentication method includes the following steps while it is applied to a communication system. First of all, the identification step 100 is executed as follows. In step 100a, the serving network SN requests the mobile station MS1 for an identification data. In step 100b, the mobile station MS1 generates the identification data and sends the identification data to the serving network SN. The identification data contains an ID of the mobile station MS1 so that the serving network SN can identify the mobile station MS1 based on the ID. In step 100c, the serving network SN receives the identification data from the mobile station MS1 and identifies the mobile station MS1, and an exclusive information field of the mobile station MS1 is established in the database of the serving network SN based on the identification data.
After that, the authentication vector obtaining step 101 is executed. In step 101a, the serving network SN sends the identification data to the home network HN and requests the authentication vectors of the mobile station MS1 from the home network HN. In step 101b, the home network HN receives the identification data and generates a plurality of authentication vectors AV(1), AV(2), . . . , AV(n) based on the identification data, and then the home network HN sends the authentication vectors AV(1)˜AV(n) to the serving network SN. In step 101c, the authentication vectors AV(1)˜AV(n) are stored in the database of the serving network SN.
Finally, the user authentication and key distribution step 102 is executed in following steps to complete the authentication of the mobile station MS1. In step 102a, the serving network SN selects an authentication vector AV(i) from the database thereof and sends RAND(i) and AUTN(i) in the authentication vector AV(i) to the mobile station MS1 (will be described below with reference to FIG. 2). In step 102b, the mobile station MS1 authenticates the home network HN based on RAND(i) and AUTN(i) in the authentication vector AV(i) (will be described below with reference to FIG. 3). In step 102c, the mobile station MS1 generates a mobile station authentication data RES(i) based on RAND(i) in the authentication vector AV(i) and the pre-distributed secret key K and sends the mobile station authentication data RES(i) to the serving network SN if the mobile station MS1 successfully authenticates the home network HN. In step 102d, the serving network SN receives the mobile station authentication data RES(i), and the serving network SN authenticates the mobile station MS1 based on the mobile station authentication data RES(i) and generates an authentication result. In step 102e, the serving network SN sends the authentication result to the mobile station MS1. In step 102f, the mobile station MS1 receives and confirms the authentication result. In step 102g, if the authentication result shows that the serving network SN has successfully authenticated the mobile station MS1, the serving network SN selects a cipher key CK(i) and a integrity key IK(i) to secure the later communication, and the mobile station MS1 inputs RAND(i) and the pre-distributed secret key K into the cipher key generation function f3 and the integrity key generation function f4 to calculate the cipher key CK(i) and the integrity key IK(i) correspondingly.
FIG. 2 is a diagram illustrating how the authentication vector AV(i) is generated in the UMTS AKA authentication method. Referring to FIG. 2, the home network HN searches for the secret key K of the mobile station MS1 from the database of the home network HN based on the ID of mobile station MS1 in the identification data (step 200), and generates a sequence number SQN(i) (step 201) and a random number RAND(i) (step 202). The home network HN inputs the random number RAND(i), the secret key K, the sequence number SQN(i), and a plurality of AMFs AMF into the MAC generation function f1 to generate a MAC MAC(i); the home network HN inputs the random number RAND(i) and the secret key K into the authentication message generation function f2 to generate an authentication message for eXpexted RESponse XRES(i); the home network HN inputs the random number RAND(i) and the secret key K into the cipher key generation function f3 to generate the cipher key CK(i); the home network HN inputs the random number RAND(i) and the secret key K into the integrity key generation function f4 to generate the integrity key IK(i); the home network HN inputs the random number RAND(i) and the secret key K into the anonymity key generation function f5 to generate an anonymity key AK(i); and the home network HN further performs an XOR calculation on the sequence number SQN(i) and the anonymity key AK(i) to obtain a result SQN(i)⊕AK(i) (step 203) so that the serving network SN will be unaware about the real sequence number SQN(i). The home network HN combines the result SQN(i)⊕AK(i), the AMFs AMF, and the MAC MAC(i) into an authentication token AUTN(i) (i.e. AUTN(i)={SQN(i)⊕AK(i)∥AMF∥MAC(i)}, wherein ∥ represents the combination operator, for example, {110∥101}={110101}). Next, the home network HN combines the random number RAND(i), the authentication message for eXpected RESponse XRES(i), the cipher key CK(i), the integrity key IK(i), and the authentication token AUTN(i) into the authentication vector AV(i) (i.e. AV(i)={RAND(i)|XRES(i)|CK(i)|IK(i)|AUTN(i)}).
FIG. 3 is a diagram illustrating how the mobile station MS1 authenticates the home network HN and generates the mobile station authentication data RES(i) based on RAND(i) and AUTN(i) sent by the serving network SN. First, the mobile station MS1 inputs the random number RAND(i) and the pre-distributed secret key K of the mobile station MS1 into the anonymity key generation function f5 to generate the anonymity key AK(i). Next, the mobile station MS1 performs an XOR calculation on the result of SQN(i)⊕AK(i) in AUTN(i) with the anonymity key AK(i) generated by the mobile station MS1 to acquire the sequence number SQN(i). The mobile station MS1 inputs the AMFs AMF, the sequence number SQN(i) derived by the mobile station MS1, and the secret key K of the mobile station MS1 into the MAC generation function f1 to generate an eXpected MAC XMAC(i). The mobile station MS1 compares the MAC XMAC(i) with the MAC MAC(i) in the AUTN(i) received from the serving network SN to authenticate the home network HN. If the result of comparison shows match which means that the mobile station MS1 successfully authenticates the home network HN, the mobile station MS1 inputs the random number RAND(i) received from the serving network SN and the secret key K of the mobile station MS1 into the authentication message generation function f2 to generate the mobile station authentication data RES(i). Meanwhile, the mobile station MS1 also inputs the secret key K of the mobile station MS1 and the random number RAND(i) received from the serving network SN into the cipher key generation function f3 and the integrity key generation function f4 to generate the cipher key CK(i) and the integrity key IK(i) which will be used to provide security for subsequent communication. The mobile station MS1 sends the mobile station authentication data RES(i) to the serving network SN. The serving network SN then compares the mobile station authentication data RES(i) with the authentication message expected RESponse XRES(i) in order to authenticate the mobile station MS1.
Either the mobile station MS1 fails to authenticate the home network HN or the serving network SN fails to authenticate the mobile station MS1, the communication system terminates the entire communication or requests re-authentication. For the convenience of description, FIG. 1 illustrates only the situation that both the authentications succeed. When a group of mobile stations perform hand off together, the UMTS AKA generates individual authentication data for each mobile stations which causes the signaling overhead between the serving network SN and the home network HN since the authentication data request and response messages are repeated and transmitted for all mobile stations in the same group.
In the UMTS AKA authentication method described above, the database of the serving network SN requires a large storage space for storing the authentication vectors AV(1)˜AV(n) that support at most n authentications. Besides, in the UMTS AKA authentication method, the home network HN cannot authenticate the mobile station MS1, namely, the home network HN cannot determine whether the mobile station MS1, who requests the authentication vectors AV(1)˜AV(n) from the home network HN through the serving network SN, is legitimate or not.
FIG. 4 illustrates an authentication flow when a mobile station MS1 hands off for the first time based on a UMTS X-AKA authentication method disclosed in the article “Authentication and Key Agreement Protocol for UMTS with Low Bandwidth Consumption” published in IEEE AINA 2005. The UMTS X-AKA authentication method is suitable for a communication system which includes a mobile station MS1, a serving network SN, and a home network HN. The mobile station MS1 and the home network HN both have a pre-distributed secret key. The serving network SN and the home network HN have a database respectively. When the mobile station MS1 hands off for the first time, the full authentication procedure is executed. The full authentication includes an identification step 400, an authentication data obtaining step 401, and a user authentication and key distribution step 402, where the identification step 400 and the authentication data obtaining step 401 belong to the aforementioned registration and authentication data distribution procedure, and the user authentication and key distribution step 402 belongs to the abovementioned user authentication and key agreement procedure.
The UMTS X-AKA authentication method includes the following steps while it is applied to a communication system. First, in step 400a, the serving network SN sends an identification data request to the mobile station MS1. In step 400b, the mobile station MS1 generates the identification data and a timestamp t and then sends the identification data and the timestamp t back to the serving network SN, where the identification data contains an ID of the mobile station MS1 so that the serving network SN can identify the mobile station MS1 based on the ID. In step 400c, the serving network SN receives the identification data from the mobile station MS1 and identifies the mobile station MS1 in the database of the serving network SN. If the authentication data of the mobile station MS1 is not recorded in the database, an exclusive information field for the mobile station MS1 is established in the database of the serving network SN based on the identification data and step 401 is then executed; if the authentication data and a temporary authentication key of the mobile station MS1 are recorded in the database, the serving network SN selects the authentication data and the temporary authentication key from the database, and step 501 as illustrated in FIG. 5 is executed consequently. In FIG. 4, the next step is assumed to be step 401 (for the convenience of description, the mobile station MS1 is assumed to hand off for the first time).
Next, the authentication data obtaining step 401 is executed in following steps. In step 401a, the serving network SN sends the identification data and the timestamp t to the home network HN and requests the authentication data of the mobile station MS1 from the home network HN. In step 401b, the home network HN receives the identification data and the timestamp t and generates the authentication data (containing a temporary authentication key) based on the identification data and the timestamp t, and then the home network HN sends the authentication data to the serving network SN. In step 401c, the authentication data and the temporary authentication key are stored in the database of the serving network SN.
Finally, the user authentication and key distribution step 402 is executed by following the steps below to complete the full authentication of the mobile station MS1. In step 402a, the serving network SN generates a serving network authentication data and a random number and then sends the serving network authentication data and the random number to the mobile station MS1. In step 402b, the mobile station MS1 authenticates the home network HN and the serving network SN based on the serving network authentication data and the random number. In step 402c, the mobile station MS1 generates a mobile station authentication data based on a part of the serving network authentication data and the temporary authentication key generated by the mobile station MS1, and then sends the mobile station authentication data to the serving network SN if the mobile station MS1 in step 402b successfully authenticates the serving network SN. In step 402d, after the serving network SN receives the mobile station authentication data, the serving network SN authenticates the mobile station MS1 based on the mobile station authentication data and generates an authentication result. In step 402e, the serving network SN sends the authentication result to the mobile station MS1. In step 402f, the mobile station MS1 receives and confirms the authentication result. In step 402g, if the authentication result shows that the serving network SN has successfully authenticated the mobile station MS1, the mobile station MS1 and the serving network SN generate a master key respectively based on the temporary authentication key and the random number generated by the serving network SN to secure the later data transmission.
FIG. 5 illustrates an authentication flow based on the UMTS X-AKA authentication method for the subsequent authentication requests after the mobile station MS1 hands off for the first time. This procedure includes an identification step 500 and a user authentication and key distribution step 501, wherein the identification step 500 belongs to aforementioned registration and authentication data distribution procedure, and the user authentication and key distribution step 501 belongs to aforementioned user authentication and key agreement procedure. The serving network SN determines whether the authentication data and temporary authentication key of the mobile station MS1 already existed in the database of the serving network SN. If the authentication data and temporary authentication key of the mobile station MS1 have been stored in the database of the serving network SN, the serving network SN stops requesting the authentication data and temporary authentication key from the home network HN. The authentication data and temporary authentication key of the mobile station MS1 can be found in the database of the serving network SN since it is not the first time that the mobile station MS1 hands off.
First, the identification step 500 is executed as follows. In step 500a, the serving network SN sends an identification data request to the mobile station MS1. In step 500b, the mobile station MS1 generates the identification data and a timestamp t and sends the identification data and the timestamp t to the serving network SN, where the identification data contains an ID of the mobile station MS1 so that the serving network SN can identify the mobile station MS1 based on the ID. In step 500c, the serving network SN receives the identification data generated by the mobile station MS1 and identifies the mobile station MS1. The serving network SN searches for the authentication data and temporary authentication key of the mobile station MS1 in the database of the serving network SN. If the authentication data and temporary authentication key of the mobile station MS1 are not found in the database of the serving network SN, the authentication method takes the flow as illustrated in FIG. 4. FIG. 5 illustrates the situation that the authentication data and temporary authentication key of the mobile station MS1 have been stored in the database of the serving network SN, thus, the serving network SN can locate the authentication data and temporary authentication key of the mobile station MS1 in the database.
After that, the user authentication and key distribution step 501 is executed in the following steps to complete the authentication of the mobile station MS1. In step 501a, the serving network SN generates a serving network authentication data and a random number and sends the serving network authentication data and the random number to the mobile station MS1. In step 501b, the mobile station MS1 authenticates the serving network SN based on the serving network authentication data and the random number. In step 501c, the mobile station MS1 generates a mobile station authentication data based on a part of the authentication data and the temporary authentication key generated previously by the mobile station MS1 and sends the mobile station authentication data to the serving network SN if the mobile station MS1 successfully authenticates the serving network SN. In step 501d, the serving network SN receives the mobile station authentication data, authenticates the mobile station MS1 based on the mobile station authentication data, and generates an authentication result. In step 501e, the serving network SN sends the authentication result to the mobile station MS1. In step 501f, the mobile station MS1 receives and confirms the authentication result. In step 501g, if the authentication result shows that the serving network SN has successfully authenticated the mobile station MS1, the mobile station MS1 and the serving network SN respectively generate a master key based on the temporary authentication key and the random number to secure the subsequent data transmission.
Additionally, either the mobile station MS1 fails to authentication the serving network SN or the home network HN or the serving network SN fails to authenticate the mobile station MS, the communication system terminates the entire communication or request re-authentication. For the convenience of description, FIG. 4 and FIG. 5 illustrate only the situation that both the authentications succeed.
According to the UMTS X-AKA authentication method, the home network HN generates a temporary authentication key for the serving network SN and authorizes the serving network SN to authenticate the mobile station MS1, so that the traffic load between the home network HN and the serving network SN can be reduced when the mobile station MS1 requests for re-authenticated. Moreover, in the UMTS X-AKA authentication method, the storage space required by the database of the serving network SN is also reduced. However, in the UMTS X-AKA authentication method, the home network HN still cannot authenticate the mobile station MS1. When a group of mobile stations perform hand off together, the UMTS X-AKA generates individual authentication data for each mobile stations which causes the signaling overhead between the serving network SN and the home network HN since the authentication data request and response messages are repeated and transmitted for all mobile stations in the same group.
FIG. 6 is a flowchart of an authentication method disclosed in U.S. Pat. No. 6,711,400. The authentication method is adaptable to a communication system which includes a mobile station MS1, a serving network SN, and a home network HN. The mobile station MS1 and the home network HN have a pre-distributed secret key, and the serving network SN and the home network HN respectively have a database. When the mobile station MS1 hands off, the mobile station MS1 has to perform a full authentication. The authentication method includes an identification step 600, an authentication data obtaining step 601, and a user authentication and key distribution step 602, where the identification step 600 and the authentication data obtaining step 601 belong to the abovementioned registration and authentication data distribution procedure, and the user authentication and key distribution step 602 belongs to the abovementioned user authentication and key agreement procedure. In this authentication method, the full authentication refers to the execution of the authentication data obtaining step 601 and the user authentication and key distribution step 602.
The authentication method includes following steps while it is applied to a communication system. First, the identification step 600 is executed in following steps. In step 600a, the mobile station MS1 generates an identification data by using the pre-distributed secret key and a first random number. The mobile station MS1 then sends the identification data and the first random number to the serving network SN, wherein the identification data contains an ID of the mobile station MS1 so that the serving network can identity the mobile station MS1 based on the ID. In step 600b, the serving network SN receives the identification data generated by the mobile station MS1 and identifies the mobile station MS1. An exclusive information field of the mobile station MS1 is established in the database of the serving network SN based on the identification data.
After that, the authentication data obtaining step 601 is executed in following steps. In step 601a, the serving network SN sends the identification data and the first random number to the home network HN and requests an authentication data of the mobile station MS1 from the home network HN. In step 601b, the home network HN receives the identification data and the first random number and selects the secret key based on the identification data. In step 601c, the home network HN generates a second random number, and then the authentication data, a cipher key, and a comparison data based on the first random number, the second random number, and the secret key. The home network HN sends the authentication data, the cipher key, the comparison data, and the second random number to the serving network SN. In step 601d, after the serving network SN receives the authentication data, the cipher key, the comparison data, and the second random number, and the cipher key and the comparison data are stored in the database of the serving network SN.
Finally, the user authentication and key distribution step 602 is executed in following steps to complete the authentication of the mobile station MS1. In step 602a, the serving network SN sends the authentication data and the second random number from the database thereof to the mobile station MS1. In step 602b, the mobile station MS1 authenticates the home network HN based on the authentication data. After the mobile station MS1 successfully authenticates the home network HN, the mobile station MS1 in step 602c generates a mobile station authentication data and a cipher key based on the pre-distributed secret key and the second random number and sends the mobile station authentication data to the serving network SN. In step 602d, the serving network SN receives the mobile station authentication data and authenticates the mobile station MS1 based on the mobile station authentication data and the comparison data in the database and then generates an authentication result. In step 602e, the serving network SN sends the authentication result to the mobile station MS1. In step 602f, the mobile station MS1 receives and confirms the authentication result. In step 602g, if the authentication result shows that the serving network SN has successfully authenticated the mobile station MS1, the mobile station MS1 and the serving network SN calculate a master key to secure the subsequent communication.
Additionally, either the mobile station fails to authenticate the home network HN or the serving network SN or the serving network SN fails to authenticate the mobile station MS1, the communication system terminates the entire communication or requests re-authentication. For the convenience of description, FIG. 6 only illustrates the situation that both the authentications succeed.
According to the authentication method disclosed in U.S. Pat. No. 6,711,400, the mobile station MS1 allocates a first random number to the home network HN to ensure the freshness of the authentication data. The serving network SN is used only for relaying the authentication data generated by the home network HN and for verifying the mobile station authentication data used for authenticating the mobile station MS1; the serving network SN is not responsible for generation any authentication data. However, in this authentication method, only one authentication data is generated every time and the generated authentication data can be used for exactly one mobile station just once. Thus, signalling overhead between the serving network SN and the home network HN is increased if the re-authentication is required or a group of mobile stations perform authentication procedures together, namely, both the traffic load between the serving network SN and the home network HN and the bandwidth wasted are increased.
However, the concept of group in wireless networks has been evolving along with the development of group communication services. Mobile stations belonging to the same home network HN often communicate in a form of group. Such a group is likely to migrate somewhere together. That is, mobile stations of an HN visit the same serving network SN or move along the same route, e.g., a tourist group from the same city or country traveling from one place to another, students having a field trip, or even mobile routers on a public transportation system. However, there is no group authentication mechanism provided in existing networks so that those roaming mobile stations of the same group have to be authenticated individually. In addition, the authentication requests and responses sent by the serving network SN and the home network HN increase the traffic load of the network, the signalling overhead, and accordingly the bandwidth between the serving network SN and the home network HN.
Foregoing authentication methods are all designed for the authentication of a single mobile station. Thus, when these authentication methods are applied to group communication, they confront the same problem: the serving network SN has to relay an authentication request regarding each mobile station to the same home network HN and then receive the authentication data of each mobile station from the home network HN at the same time. This patent proposes a new idea about shared group data for authentication. the group authentication key pre-distribution is achieved through group authentication data sharing, and on the other hand, the bandwidth used for data transmission between the serving network and the home network is reduced by adopting local authentications.