In mobile IP networking, a terminal, such as a laptop computer having a Wireless Local Area Network (WLAN) adapter coupled thereto, connects to its home agent via a foreign agent. In functional terms, the terminal acts as a mobile node in the network. The terms mobile node, home agent and foreign agent are explained in publication Request For Comments 2002 as follows:    Mobile Node (MT): A host or router that changes its point of attachment from one network or sub-network to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its (constant) IP address, assuming that link-layer connectivity to a point of attachment is available.    Home Agent (HA): A mobile node belongs to a home network to which belongs a home agent of the mobile node. The HA is a router on a mobile node's home network which tunnels datagrams for delivery to the mobile node when it is away from home, and maintains current location information for the mobile node.    Foreign Agent: A router on a network being visited by the mobile node which provides routing services to the mobile node whilst it is registered. The foreign agent detunnels and delivers datagrams to the mobile node that were tunneled by the mobile node's home agent. For datagrams sent by a mobile node, the foreign agent may serve as a default router for mobile nodes registered with it.    Mobility Agent: Either a home agent or a foreign agent.
In the publication RFC2002, it is further explained that a mobile node is given a long-term IP address or home address in its home network. This home address is administered in the same way as a “permanent” IP address which is provided to a stationary host. When away from its home network, a “care-of address” is associated by the home agent with the mobile node and indicates the mobile node's current point of attachment. The mobile node may use its home address as the source address of IP datagrams that it sends.
It is often desirable for a mobile node to be authenticated on connection to an IP network. One way for an IP network to recognise a mobile node is by using a shared secret key known by both the IP network and the mobile node. The shared secret is to be used as the cryptographic key. The shared secret can be first known by the IP network and then be stored in a mobile node if the management of the IP network gets a secure access to the mobile node. In the interest of security, the shared secret should not be sent over a network susceptible to eavesdropping. Therefore, the mobile node should be supplied to the management of the IP network. In the future, there are likely to be many different IP networks. According to the present arrangement, a mobile node would need to be provided with a database of secret keys in order to have one for each of the different IP networks with which it could be connected.
WO00/02406 discloses an authentication method intended for a telecommunications network, especially for an IP network. From a terminal in the network a first message containing an authenticator and a data unit is transmitted to the network, the data unit containing information relating to the manner in which the authen- ticator is formed. For carrying out authentication in the network, the data unit contained in the first message is used for determining a check value, which is compared with the said authenticator. To make it unnecessary for the terminal to perform any complicated and heavy exchange of messages when attaching to the network and for still obtaining the desired security characteristics for use, such an identification unit is used in the terminal which receives as input a challenge from which a response and a key can be determined essentially in the same manner as in the subscriber identity module of a known mobile communications system, a set of authentication blocks is generated into the network, of which each contains a challenge, a response, and a key, whereby the generation is performed in the same manner as in the said mobile communication system, at least some of the challenges contained by the authentication blocks are transmitted to the terminal:
one of the challenges is chosen for use at the terminal, and, based on it, a response and a key for use are determined with the aid of the terminal's identification unit, in the said first message the network is notified with the aid of the said data unit of which key corresponding to which challenge was chosen, and the authenticator of the first message and the said check value are determined with the aid of the chosen key.
WO00/02407 concerns authentication to be performed in a telecommunications network, especially in an IP network. To allow a simple and smooth authentication of users of an IP network in a geographically large area, the IP network's terminal (TE1) uses a subscriber identity module (SIM) as used in a separate mobile communications system (MN), whereby a response may be determined from the challenge given to the identity module as input. The IP network also includes a special security server (SS), to which a message about a new user is transmitted when a subscriber attaches to the IP network. The subscriber's authentication information containing at least a challenge and a response is fetched from the said mobile communications system to the IP network and authentication is carried out based on the authentication information obtained from the mobile communications system by transmitting the said challenge through the IP network to the terminal, by generating a response from the challenge in the terminal's identity module and by comparing the response with the response received from the mobile communications system. Such a database (DB) may also be used in the system, wherein subscriber-specific authentication information is stored in advance, whereby the information in question need not be fetched from the mobile communications system when a subscriber attaches to the network.
This document discloses sending a set of challenges in case some of the challenges would conflict with reserved Security Parameter Index (SPI) values, which wastes data transmission bandwidth and is a potential security risk as it provides more data for hacking a mobile communications system's secret using which the subscriber-specific authentication information is formed.
In both WO00/02406 and WO00/02407, the terminal needs to send the response without having any assurance of the challenges being fresh and received from a bona fide network. Therefore, the terminal is not able to determine whether the challenges are part of a replay attack.