1. Field
The application relates generally to authentication in cellular communication networks, and more particularly to the derivation of encryption keys for application security.
2. Background
Mobile communication applications generally share a need for authentication of a subscriber (user equipment or mobile station) by a communication server before communication is initiated or a transaction is carried out. One authentication mechanism is based on a secret shared between the communicating entities, and there are a number of authentication protocols that rely on this pre-shared secret.
In a mobile communications network based on the Global System for Mobile Communications (GSM), for example, the identity of a subscriber is authenticated before the subscriber is allowed to access the communications network. In order for a subscriber's mobile station (or user equipment UE) to establish a communication session with a network element, the mobile station authenticates itself to the network element by responding to a random number challenge. The random number challenge and a shared secret key are used to establish a session encryption key for encrypting communication transmissions between the mobile station and the network element.
The communications system features described herein can be implemented in a variety of communications networks requiring authentication and encrypted communication between communicating entities. FIG. 1 is a block diagram of the communication network entities involved in authentication of a subscriber in a GSM network. A subscriber's mobile station 30 comprises a secure IC 32 and mobile equipment (ME) 34 (e.g., a cellular telephone handset). The mobile equipment 34 includes a processor 36 configured to perform authentication functions at the mobile station 30 in conjunction with the secure IC 32.
Stored on the secure IC 32 is subscriber identity and subscription related information, information for performing authentication functions with the communications network, an International Mobile Subscriber Identity (IMSI), preferred language, and IC card identification. The secure IC may be referred to as a SIM card or a smart card. Also stored at the secure IC 32 is a secret key Ki 38 which is used to authenticate the mobile station 30 to a network element 40 of the serving network for access to the network. The secret key Ki 38 is also stored at the mobile subscriber's home network at an authentication center (AuC) 42. The authentication center 42 uses the secret key Ki 38 to generate authentication data specific to the subscriber using the secret key Ki 38, and sends the authentication data to the network element 40.
An authentication and key generation process for mobile station authentication and encrypted communication is illustrated in FIGS. 1-3, wherein FIG. 2 is a flow diagram illustrating a method of authentication and encryption key generation at the mobile station 30, and FIG. 3 is a signal flow diagram illustrating a method of mobile station authentication and encryption key generation in the communications network. In reference to FIG. 3, the mobile station 30 requests a communication session with a network element 40 in a step 102. If the network element 40 does not already have security information stored for that subscriber to authenticate the mobile station 30, the network element 40 sends a request for security information to the authentication center 42 in the mobile station's home network in a step 104. In response to the security information request, the authentication center 42 generates one or more authentication vectors comprising a random number challenge RAND, an expected authentication response XRES, and a encryption key Kc. The expected response XRES and the encryption key Kc are determined based on the RAND and the secret key Ki 38. In a step 108, the authentication center 42 sends the authentication vector(s) (RAND, XRES, Kc) to the network element 40.
The network element 40 selects an authentication vector (RAND, XRES, Kc) to use in authenticating the identity of the mobile station 30 and sends the random challenge RAND of the selected authentication vector to the mobile station 30 in a step 112. Referring to FIG. 2, the mobile station 30 receives the authentication challenge with the challenge RAND in step 112, and computes and sends an authentication response in a step 114. The mobile station 30 also computes a session key in a step 115 using the secret key Ki 38 and RAND.
To produce the response and the session key, the mobile equipment 34 at the mobile station 30 passes the RAND to the secure IC in a step 113. In steps 114 and 115, the secure IC 32 computes a set of one or more values using the received random challenge RAND and the stored secret key Ki. These values generally include an authentication response SRES as shown in step 114. In step 115, the secure IC 32 computes a second value comprising a session encryption key Kc using the received random challenge RAND, the stored secret key Ki 38. In a step 116, the secure IC 32 sends the generated response SRES and the encryption key Kc to the mobile equipment 34 in a step 116. The mobile equipment 34 sends the generated authentication response SRES to the network element 40 in a step 117, and stores the key Kc at the mobile equipment in a step 118. The network element 40 compares the mobile station generated authentication response SRES to the expected response XRES of the selected authentication vector in a step 119. If the authentication parameters do not match, the authentication procedure is terminated. If the parameters do match, the mobile station 30 is considered authenticated in a step 120 and the network element 40 begins communication with the mobile unit using the encryption key Kc in step 122.
GSM authentication and key agreement procedures are subject to replay and cryptanalytic attack. For example, the conventional algorithms used by the GSM system to encrypt communications are weak. Methods have been devised to determine the encryption key Kc and determine the contents of a subscriber's communications. There is therefore a need in the art for a method of improving application security using the current capabilities of deployed mobile stations, especially as mobile communications become used for more sensitive data or require stronger authentication.