The present invention relates to the field of authentication in a communication network.
When a user wishes to access a communication network, he or she is typically authenticated. Similarly, a user may be authenticated before being allowed to access a particular domain or service. The Third Generation Partnership Project (3GPP) has specified a protocol known as Authentication and Key Agreement (AKA) for performing authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks. UMTS AKA is specified in 3GPP TS 33.102 and is a challenge-response mechanism based on symmetric cryptography (i.e. AKA relies on a shared secret). AKA is typically run in a Universal Subscriber Identity Module (USIM), which resides on a smart-card-like device (referred to as a Universal Integrated Circuit Card, or UICC) that also provides tamper-resistant storage for the shared secret. AKA is run at registration and re-registration of a User Equipment (UE, where a UE is defined as the combination of a Mobile Station (MS) and a USIM) with its home network. For accessing the IP Multimedia Subsystem (IMS), AKA may be run in an IP Multimedia Services Identity Module (ISIM). AKA may also be employed in 2G (GSM) networks, in which case the UICC is provisioned with both the USIM and Subscriber Identity Module (SIM) applications. In addition, it has been decided that next-generation architectures (including the System Architecture Evolution/Long Term Evolution (SAE/LTE) architecture currently being standardised) will use AKA or an AKA-based security protocol.
AKA procedures are performed based on a shared secret between the network and the UE (Key K). With current technology, K is stored in the UICC.
The network node 2 challenges the UE 1 by sending (S4) the authentication token (AUTN) and the random value (RAND) to the UE 1. An ISIM or USIM application on the UICC in the UE 1 checks (S5) the authentication token and calculates (S6), from the received RAND and AUTN, an expected MAC (XMAC), which it compares with the MAC carried in AUTN in order to authenticate the network, together with a response (RES) and the encryption and integrity keys CK/IK. The response RES is sent (S7) from the UE 1 to the network node 2, and the network node determines whether RES matches the expected response XRES it received from the authentication node; if so, the UE 1 is authenticated.
Recently, the concept of "Soft SIMs" or "Downloadable SIMs" has been discussed. The term *SIM is used herein to denote any type of SIM, such as USIM, ISIM and 2G SIM. Soft *SIM applications do not reside on a physical UICC, and consequently a tamper-resistant security environment cannot be provided for them. Examples of attacks that may compromise the security of a Soft *SIM include:
A number of proposals to counter this have been discussed. One proposal is to provide an inbuilt tamper-resistant module in the device. However, whilst tamper-resistant hardware may solve the security issues (theft and exposure of the key K), it is an expensive solution.
Another proposal is to encrypt or obscure the *SIM within the software itself (in a similar way to how a software-based digital certificate and its private key are stored). However, even with K and/or the whole *SIM encrypted, it is relatively simple to mount a brute-force attack to recover the key K: a PIN or password has such low entropy that a computer can exhaustively search the space of possible values and find the real key K.
One method that has been used in some password-protection systems is to encrypt only the key with the password, with no checksum or other verifier stored alongside it. The attacker should then be unable to tell when the correct key K has been obtained, as there is nothing to compare a recovered candidate with. However, as illustrated in
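The brute-force attack just described, as an added example that is not part of the patent text: the Soft *SIM file wraps K under a PIN with no checksum, so the file alone offers no way to test a guess, but a single (RAND, AUTN) pair captured from one AKA run supplies the check, because only the right K reproduces the MAC inside AUTN. The f1 function is stood in for by HMAC-SHA256 rather than MILENAGE, AUTN is simplified to SQN || AMF || MAC with the AK concealment omitted, and all keys, PINs and RAND values are constructed; these are assumptions of the example, not details from the patent.

```python
# Added example (not from the patent): recovering a PIN-wrapped Soft SIM key K
# by using one captured AKA (RAND, AUTN) pair as the verification oracle.
# Assumptions: HMAC-SHA256 stands in for AKA f1 (real AKA uses MILENAGE);
# AUTN is simplified to SQN || AMF || MAC; keys, PIN and RAND are constructed.
import hashlib
import hmac
import itertools

KDF_ITERATIONS = 200  # a slow KDF only scales the cost; 10**4 PINs stay searchable


def f1_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Stand-in for AKA f1: the network MAC carried in AUTN (8 bytes, like MAC-A)."""
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def build_autn(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Simplified AUTN = SQN || AMF || MAC (the SQN xor AK concealment is omitted)."""
    return sqn + amf + f1_mac(k, rand, sqn, amf)


def pin_key(pin: str) -> bytes:
    """16-byte wrapping key derived from the user's PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"softsim-salt",
                               KDF_ITERATIONS, 16)


def wrap_k(k: bytes, pin: str) -> bytes:
    """'Encrypt only the key with the password': XOR-mask K under the PIN key.
    No checksum is stored, so a wrong PIN yields a plausible 16-byte candidate
    rather than an error; on its own the file gives the attacker no oracle."""
    return bytes(a ^ b for a, b in zip(k, pin_key(pin)))


unwrap_k = wrap_k  # XOR masking is its own inverse


def recover_k(wrapped: bytes, rand: bytes, autn: bytes, pin_len: int = 4):
    """Offline search over every PIN. The captured AUTN supplies the check the
    wrapped file withholds: the candidate that reproduces MAC is the real K.
    Returns (pin, k), or None if no candidate matches."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    for digits in itertools.product("0123456789", repeat=pin_len):
        pin = "".join(digits)
        candidate = unwrap_k(wrapped, pin)
        if hmac.compare_digest(f1_mac(candidate, rand, sqn, amf), mac):
            return pin, candidate
    return None


# Constructed scenario: the subscriber's real K and PIN, and one observed exchange.
TRUE_K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
TRUE_PIN = "4711"
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
SQN = bytes.fromhex("ff9bb4d0b607")
AMF = bytes.fromhex("b9b9")

SOFTSIM_FILE = wrap_k(TRUE_K, TRUE_PIN)             # what malware copies from disk
CAPTURED_AUTN = build_autn(TRUE_K, RAND, SQN, AMF)  # what it sniffs from one AKA run


def demo() -> dict:
    """Run the attack and report whether the real key was recovered."""
    result = recover_k(SOFTSIM_FILE, RAND, CAPTURED_AUTN)
    return {
        "pin": result[0] if result else None,
        "k_recovered": result is not None and result[1] == TRUE_K,
        # a wrong PIN still "decrypts" to a full key: the file alone does not tell
        "wrong_pin_looks_valid": len(unwrap_k(SOFTSIM_FILE, "0000")) == 16,
    }


if __name__ == "__main__":
    print(demo())
```

The search stops at PIN 4711 after a few thousand candidates; the only thing the attacker needed beyond the stolen file was one AKA challenge, which the network sends in the clear every time the device registers. That is the observation behind the Kp-based scheme below: the network must not emit anything that an attacker holding K can use to verify a guess.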
Many different protocols exist which have different properties, in particular in the number of message round trips required to perform the authentication. The present invention addresses protocols such as AKA which require only one message round trip. A problem with using AKA with Soft SIMs is that the network is authenticated before the user. However, the invention is not limited to Soft SIMs.

According to a first aspect of the invention, there is provided a method of authenticating a user in a communication network. A network node receives an initial request message from a user device, and sends an authentication message to an authentication node. The network node then receives from the authentication node an expected response value and an authentication token. The expected response value is determined using a first shared secret known to the authentication node and the user and a second shared secret known to the authentication node and the user device, and the authentication token is determined using the second shared secret (and not the first). The network node sends the authentication token to the user device, and in response receives a response value calculated using the authentication token, the first shared secret and the second shared secret. The network node then determines whether the response value matches the expected response value and, if so, authenticates the user. The method allows the user device to authenticate the network independently of the shared secret that the network uses to authenticate the user.
The network node is optionally selected from one of a Visitor Location Register, a Serving-Call Session Control Function, a Proxy-Call Session Control Function, a Serving GPRS Support Node, a Radio Network Controller, a Home Subscriber Server (in the event that the authentication node is an Authentication Centre), a Mobility Management Entity, an Evolved Node-B, and a General Packet Radio Services Serving Support Node; the user device is optionally selected from one of a mobile telephone, a personal computer and User Equipment; and the authentication node is optionally selected from one of a Home Subscriber Server and an Authentication Centre.
As an option, the method comprises receiving at the network node an encryption key and an integrity key, both keys having been determined using the first shared secret and the second shared secret.
The first shared secret optionally comprises a one-time key provided to the user which is valid to allow the user to access the communication network a single time. This allows the user to access the network from a non-secure device, such as a shared computer. The one-time key is optionally provided to the user using a second communication network, although it is possible for other delivery methods to be used.
In order to detect fraudulent attempts to guess the first shared secret, the method optionally comprises, prior to authenticating the user, determining whether previous authentication attempts have been successful, and using that determination in deciding whether to authenticate the user.
According to a second aspect, there is provided a user device for use in a communications network. The user device is provided with first transmission means for sending a request message to a network node. An input device is provided for inputting a first shared secret, and a memory is arranged to store a second shared secret. A receiver is arranged to receive from the network node a message containing an authentication token that has been determined using the second shared secret. A processor is provided for validating the authentication token and for determining, using the first and second shared secrets, a response value, and second transmission means is provided for sending the determined response value to the network node. Optionally, the user device is selected from any of User Equipment, a mobile telephone, and a personal computer.
According to a third aspect, there is provided an authentication node for use in a communication network. A memory is provided for storing a first shared secret associated with a user, and a second shared secret associated with a user device. A receiver is provided for receiving from a network node an authentication message. A processor is arranged to determine an authentication token using the second shared secret, and an expected response value using the first and second shared secrets. A transmitter is provided for sending a message to the network node, the message including the authentication token and the expected response value. The authentication node is optionally selected from one of a Home Subscriber Server and an Authentication Centre.
According to a fourth aspect, there is provided a network node for use in a communication network. First receiving means is provided for receiving an initial request message from a user device, and first transmitting means is provided for sending an authentication message to an authentication node. Second receiving means is arranged to receive from the authentication node an expected response value and an authentication token. The expected response value is determined using a first shared secret known to the authentication node and the user and a second shared secret known to the authentication node and the user device. The authentication token is determined using the second shared secret. Second transmitting means is arranged to transmit the authentication token to the user device. Third receiving means is provided for receiving from the user device a response value calculated using the authentication token, the first shared secret and the second shared secret. A processor is then provided for determining whether the response value matches the expected response value and, if so, authenticating the user.
The network node is optionally selected from any of a Visitor Location Register, a Serving-Call Session Control Function, a Proxy-Call Session Control Function, a Serving GPRS Support Node, a Radio Network Controller, a Home Subscriber Server (in the event that the authentication node is an Authentication Centre), a Mobility Management Entity, an Evolved Node-B, and a General Packet Radio Services Serving Support Node.
In order to reduce the risk of a malicious third party guessing the first shared secret, the processor is optionally arranged to determine whether previous authentication attempts have been successful, and to use that determination in deciding whether to authenticate the user.
The network node functions are optionally distributed over a plurality of physical locations. For example, in an IMS communication network, the first receiving means, first transmitting means and second receiving means may be located at a Proxy-Call Session Control Function, and the second transmitting and third receiving means may be located at a Serving-Call Session Control function.
To allow for a more secure system, where the attacker could not obtain any information from the network that can be used to reverse engineer the secret key K, a new secret is introduced, which is shared between the user and the authentication node 3. This shared secret is herein denoted Kp. Note that Kp is not stored in the user device. Kp may be any suitable secret, such as a password or pass-phrase, or Personal Identification Number (PIN). Kp is distinct from K, which is stored in the Soft *SIM or UICC as described above.
The following example describes the invention in circumstances where the user device is a User Equipment 1, the authentication node 3 may be an Authentication Centre (AuC), a Home Subscriber Server (HSS), or any other suitable authentication node, and the network node 2 may be a VLR, an SGSN, an S-CSCF, or any other suitable node depending on the type of network.
Referring to
S9. The UE 1 sends an initial request message requesting access in the network to the network node 2.
S10. The network node 2 sends an authentication message to the authentication node 3.
S11. The authentication node 3 replies to the network node 2. The reply contains an authentication token, generated using K alone, a random number, an expected response XRESs, which is generated using both K and Kp, and encryption and integrity keys CKs and IKs, which are also generated using both K and Kp.
S12. The network node 2 sends a message to the UE 1 containing the authentication token and the random number.
S13. The user enters Kp into the input device 4. Note that the input device may be any suitable input device, for example a keyboard, a touch-screen, a mouse, a microphone and so on. Kp is passed to the UE 1. Note that this step can happen at any point up until now.
S14. The UE 1 checks the authentication token using K, which is stored in the UE's Soft *SIM or UICC, in order to authenticate the network.
S15. The UE 1 calculates a response RESs, using both K and Kp. The UE also calculates the encryption and integrity keys using K and Kp.
S16. The UE 1 sends RESs to the network node 2.
S17. The network node 2 compares RESs received from the UE 1 with XRESs received from the authentication node 3. As Kp is known only to the user and the authentication node 3, and XRESs and RESs are both determined using Kp, then if RESs=XRESs the user can be authenticated in the network.
Note that the authentication token is still generated according to the standard AKA procedure using K, and does not require Kp. This makes it possible for the UE 1 to authenticate the network based on K alone. However, an attacker who has obtained K (for example by extracting it from a Soft *SIM) would still be unable to produce the correct RESs, as the attacker does not have access to Kp.
If the network receives multiple (for example, three consecutive) responses of RESs that do not match XRESs, the user account may be locked as it is reasonable to assume that the user does not know Kp.
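The exchange of steps S9 to S17 together with the lockout just described, as an added example that is not part of the patent: the authentication node holds K and Kp, the network node holds only the vector it was given, and the user device holds K and receives Kp from the user at run time. HMAC-SHA256 stands in for the AKA functions f1 to f4 (real AKA uses MILENAGE); the binding of K and Kp into XRESs/CKs/IKs is modelled as keying f2/f3/f4 with HMAC(K, Kp), because the patent says only that these values are "generated using both K and Kp"; the f5/AK concealment of SQN is omitted; and all identities, keys and RAND values are constructed.

```python
# Added example (not from the patent): one run of the Kp-bound AKA of steps
# S9-S17, plus lockout after repeated RESs mismatches. HMAC-SHA256 stands in
# for AKA f1-f4; the K/Kp binding (bound_key) is this example's assumption.
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def f1_mac(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Network MAC inside AUTN: standard AKA, depends on K only (S11, S14)."""
    return prf(k, b"f1", rand, sqn, amf)[:8]


def bound_key(k: bytes, kp: bytes) -> bytes:
    """Assumed binding of K and Kp, used for every Kp-dependent output."""
    return prf(k, b"bind", kp)


def f2_res(k, kp, rand):
    return prf(bound_key(k, kp), b"f2", rand)[:8]    # RESs / XRESs


def f3_ck(k, kp, rand):
    return prf(bound_key(k, kp), b"f3", rand)[:16]   # CKs


def f4_ik(k, kp, rand):
    return prf(bound_key(k, kp), b"f4", rand)[:16]   # IKs


class AuthenticationNode:
    """HSS/AuC: the only party holding both K (per device) and Kp (per user)."""

    def __init__(self):
        self.k, self.kp, self.sqn = {}, {}, {}

    def provision(self, imsi: str, k: bytes, kp: bytes) -> None:
        self.k[imsi], self.kp[imsi], self.sqn[imsi] = k, kp, 0

    def vector(self, imsi: str):
        """S11: AUTN from K alone; XRESs, CKs and IKs from K and Kp."""
        k, kp = self.k[imsi], self.kp[imsi]
        self.sqn[imsi] += 1
        rand = os.urandom(16)
        sqn, amf = self.sqn[imsi].to_bytes(6, "big"), b"\x80\x00"
        autn = sqn + amf + f1_mac(k, rand, sqn, amf)
        return rand, autn, f2_res(k, kp, rand), f3_ck(k, kp, rand), f4_ik(k, kp, rand)


class NetworkNode:
    """VLR/SGSN/S-CSCF: holds only the vector it was given, never K or Kp."""
    MAX_FAILURES = 3  # consecutive mismatches before the account is locked

    def __init__(self, auth_node: AuthenticationNode):
        self.auth_node, self.pending, self.failures, self.locked = auth_node, {}, {}, set()

    def challenge(self, imsi: str):
        """S9-S12: obtain a vector and forward RAND and AUTN to the UE."""
        if imsi in self.locked:
            raise PermissionError("account locked after repeated failures")
        rand, autn, xres, ck, ik = self.auth_node.vector(imsi)
        self.pending[imsi] = (xres, ck, ik)
        return rand, autn

    def verify(self, imsi: str, res: bytes) -> bool:
        """S17: compare RESs with XRESs and count consecutive failures."""
        xres, _ck, _ik = self.pending.pop(imsi)
        if hmac.compare_digest(res, xres):
            self.failures[imsi] = 0
            return True
        self.failures[imsi] = self.failures.get(imsi, 0) + 1
        if self.failures[imsi] >= self.MAX_FAILURES:
            self.locked.add(imsi)
        return False


class UserEquipment:
    """Soft *SIM holder: stores K only; Kp is typed by the user at each run."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k

    def respond(self, rand: bytes, autn: bytes, kp: bytes):
        """S13-S15: authenticate the network with K, then answer with K and Kp."""
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(f1_mac(self.k, rand, sqn, amf), mac):
            raise ValueError("network authentication failed")  # S14
        return f2_res(self.k, kp, rand), f3_ck(self.k, kp, rand), f4_ik(self.k, kp, rand)


def run_auth(network: NetworkNode, ue: UserEquipment, kp: bytes) -> bool:
    """One complete exchange; True when the network node authenticates the user."""
    rand, autn = network.challenge(ue.imsi)
    res, _ck, _ik = ue.respond(rand, autn, kp)
    return network.verify(ue.imsi, res)


def demo() -> dict:
    """Constructed scenario: a legitimate user, then a thief with a copy of K."""
    k, kp = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc"), b"4711"
    auc = AuthenticationNode()
    auc.provision("imsi-001", k, kp)
    net = NetworkNode(auc)
    user = UserEquipment("imsi-001", k)
    thief = UserEquipment("imsi-001", k)  # copied Soft *SIM: has K, not Kp
    out = {"legit": run_auth(net, user, kp)}
    out["thief"] = [run_auth(net, thief, guess) for guess in (b"0000", b"1234", b"9999")]
    out["locked"] = "imsi-001" in net.locked
    return out
```

Note what the thief does and does not get: a copy of the Soft *SIM yields K, so the network-authentication check in S14 passes and the AUTN tells the thief nothing that distinguishes a right Kp guess from a wrong one. The only check on Kp is the RESs comparison at the network node, which is online and rate-limited by the lockout, so the offline search that works against a PIN-wrapped K does not apply to Kp.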
It may be desirable to provide network services in a high-risk environment, such as a shared computer. In this case, Soft *SIM credentials can be downloaded as part of an Internet application to the shared computer. In order to prevent a Trojan program from recording Kp and later using the Soft *SIM, Kp is in this embodiment based upon a one-time key. There are several mechanisms for delivering the one-time key Kp to the user, for example using mobile telephone SMS, secure token cards and so on.
In the scenario where the communication network is an IP Multimedia Subsystem (IMS) network, the AKA procedure is used to establish IPsec security associations (using CK/IK), and RES is sent over this IPsec-protected connection. Since CKs and IKs are derived using Kp, a UE that does not know Kp cannot produce the correct IK. In this case, a mechanism to stop the UE from trying many different values of Kp is performed in the P-CSCF, which monitors whether many IPsec packets are received from the UE 1 that cannot be authenticated using IK. If so, the P-CSCF removes the IPsec SA and blocks the UE 1 from sending further messages over the IPsec tunnel. In another embodiment, the P-CSCF may indicate in an unprotected REGISTER message sent to the S-CSCF that the UE 1 has previously tried to access the network without valid values of CK/IK. The S-CSCF or HSS can then make the final decision whether to block the account, based on the history of the UE 1 trying to access the network without knowing Kp.
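The P-CSCF-side check described in this paragraph, as an added example that is not part of the patent: the IPsec SA is reduced to an HMAC-SHA256 tag over each packet keyed with IKs (real IMS uses ESP with its own integrity algorithms), the "many packets" threshold is set to 3, the indication carried in the unprotected REGISTER towards the S-CSCF is modelled as a boolean, and all keys and packets are constructed. These are assumptions of the example, not details from the patent.

```python
# Added example (not from the patent): P-CSCF integrity monitor for a UE whose
# IKs was derived from a wrong Kp. The IPsec SA is modelled as an HMAC-SHA256
# tag per packet under IKs; threshold and keys are this example's assumptions.
import hashlib
import hmac


def protect(ik: bytes, payload: bytes) -> tuple:
    """UE side: integrity-protect one packet under the IKs it computed."""
    return payload, hmac.new(ik, payload, hashlib.sha256).digest()


class PCSCF:
    MAX_BAD = 3  # failed integrity checks tolerated before the SA is torn down

    def __init__(self):
        self.sa = {}          # ue_id -> IKs installed from the vector of S11
        self.bad = {}         # ue_id -> consecutive packets failing the IK check
        self.suspect = set()  # ue_ids to be reported to the S-CSCF at next REGISTER

    def install_sa(self, ue_id: str, ik: bytes) -> None:
        self.sa[ue_id], self.bad[ue_id] = ik, 0

    def receive(self, ue_id: str, payload: bytes, tag: bytes) -> str:
        """Verify one inbound packet; returns what was done with it."""
        ik = self.sa.get(ue_id)
        if ik is None:
            return "dropped: no SA"
        if hmac.compare_digest(hmac.new(ik, payload, hashlib.sha256).digest(), tag):
            self.bad[ue_id] = 0
            return "forwarded"
        self.bad[ue_id] += 1
        if self.bad[ue_id] >= self.MAX_BAD:
            del self.sa[ue_id]        # remove the SA ...
            self.suspect.add(ue_id)   # ... and remember the UE for the S-CSCF
            return "dropped: SA removed"
        return "dropped: bad integrity"

    def register_indication(self, ue_id: str) -> dict:
        """Indication the P-CSCF adds to the UE's next unprotected REGISTER."""
        return {"ue": ue_id, "prior-unauthenticated-attempt": ue_id in self.suspect}


def demo() -> dict:
    """Constructed scenario: the HSS-derived IKs and a UE that guessed Kp wrongly."""
    ik_net = bytes.fromhex("0f" * 16)  # IKs from K and the real Kp (via HSS vector)
    ik_ue = bytes.fromhex("1e" * 16)   # IKs the UE derived from a wrong Kp
    p = PCSCF()
    p.install_sa("ue-1", ik_net)
    results = [p.receive("ue-1", *protect(ik_ue, b"REGISTER #%d" % i)) for i in range(4)]
    return {"results": results, "sa_present": "ue-1" in p.sa,
            "indication": p.register_indication("ue-1")}
```

Because the integrity failure happens at the P-CSCF, a wrong Kp is caught before the protected REGISTER carrying RESs ever reaches the S-CSCF; the S-CSCF or HSS then sees the indication and can apply the account-level lockout described earlier.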
Turning now to
Turning now to
The invention allows the use of a Soft *SIM which is not stored in tamper-resistant hardware, such that a malicious party who has obtained the credentials still cannot access the network. Additionally, a one-time Kp may be provided, which further increases overall security.
It will be appreciated by the person of skill in the art that various modifications may be made to the above-described embodiments without departing from the scope of the present invention.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP08/61925 | 9/9/2008 | WO | 00 | 4/6/2011 |