Patent Application
20110246770
The present invention concerns an authentication method between a client terminal and a server terminal connected to a data transmission network, said terminals sharing a secret and said method comprising the following steps:
It also concerns an authentication system, a server terminal, a client terminal, and corresponding computer programs.
More specifically, the invention concerns the field of security in data networks and in particular authentication between two terminals connected to such a network.
Several security protocols were recently developed to make it possible to establish an authentication between connected terminals, to encrypt and protect the data exchanged between those terminals, and to monitor access to the network's resources and services.
Two authentication modes are currently used, i.e. one-way authentication and two-way authentication.
In one-way authentication, a single terminal is authenticated.
This mode is used in particular in first-generation networks generally based on client-server architectures, in which a client requests access to information provided by a server. The security protocols used in these networks are based, in the best cases, on a challenge/response-type process, in which the server sends the client a challenge and the client applies a cryptographic function to the challenge by using a shared secret (such as a password, for example). Thus, only the client is authenticated. This results in exposing it to several active and passive attacks, in particular the “man in the middle” attack.
The man in the middle attack is an attack in which a third party inserts itself into a communication between two terminals without the terminals' knowledge. This third party can then read, insert, and modify the encrypted messages between the two terminals as it wishes without anyone suspecting that the line between them has been compromised.
In the two-way authentication mode, each terminal authenticates the other terminal and vice versa.
Most security protocols propose one-way authentication and few use two-way authentication. As a non-limiting example, the SSL (“Secure Sockets Layer”) protocol supports both of the aforementioned authentication modes, while EAP-MD5 (“Extensible Authentication Protocol-Message Digest 5”), CHAP (“Challenge Handshake Authentication Protocol”), challenge/response mechanisms (used in particular with GSM (“Global System for Mobile communications”) networks, WLAN (“Wireless Local Area Network”) networks, Internet applications such as SIP (“Session Initiation Protocol”), WEB, email, etc., Digest Authentication and HTTP Digest only offer one-way authentication.
The difficulty in improving the authentication of the terminals in these networks and applications is that they are very widely deployed and used, such that changing their functionalities creates interoperability problems.
As a result, any proposed improvement must allow interoperability and compatibility with existing uses.
Recently, several two-way authentication methods were proposed making it possible to resolve the problems of one-way authentication, in particular the man in the middle attack.
As an example, the IETF (“Internet Engineering Task Force”) RFC (“Request for Comments”) 2759, proposed an extension of the CHAP protocol, called CHAP-v2 to provide two-way authentication.
Document EP1816616 also describes a method for establishing two-way authentication between two terminals by using random values and a shared key.
Moreover, in “Nouvelle méthode d′authentification EAP-EHash” [“New EAP-EHash Authentication Method”], CFIP Colloquium 2006 dated Oct. 30, 2006, Cheikhrouhou et al. propose a new two-way authentication method.
However, none of these methods allow interoperability and compatibility with widely deployed uses, in particular in mobile telephone and Internet networks.
The aim of the invention is to resolve these problems.
To that end, the invention concerns an authentication method between a client terminal and a server terminal connected to a data network, said terminals sharing a secret and said method comprising the following steps:
characterized in that:
and in that the method comprises the following steps:
According to specific embodiments, the method comprises one or several of the following features, considered alone or according to all technically possible combinations:
the step for computation by the client terminal of a first response to the challenge comprises a step in which the client terminal concatenates the challenge and the result of the application of the first function on the first set comprising the secret and the challenge,
the first and second functions are chosen in a group of functions comprising:
the first and second sets also comprise a plurality of known parameters of the client and server terminals,
the step for generation of the challenge by the server terminal comprises a step in which said server terminal concatenates the random value, the first encrypted value and the plurality of parameters,
the step for computation by the client terminal of a first response to the challenge comprises a step in which the client terminal concatenates the challenge, the result of the application of the first function on the first set comprising the secret and the challenge and the plurality of parameters,
the data network is an Internet network using a RADIUS infrastructure,
the information exchanged between the client and server terminals is encapsulated in EAP packets,
the EAP packets are exchanged between the client terminal and the server terminal via an access point,
the access point is a network administration server NAS.
the data transfer network is a GSM network.
the client terminal is a SIM card and the server terminal comprises a home location register HLR and an authentication center AuC.
The invention also concerns an authentication system comprising a client terminal and a server terminal connected to a data transmission network, said terminals sharing a secret and said system comprising:
means for authentication of the client terminal by the server terminal if the first and second responses match,
characterized in that:
and in that the system comprises:
The invention also concerns a server terminal connected to a data network, said server terminal sharing a secret with a client terminal connected to said network, and comprising:
characterized in that:
The invention also concerns a client terminal connected to a data transmission network, said client terminal sharing a secret with a server terminal connected to said network and comprising:
characterized in that it comprises:
The invention also concerns a computer program comprising code instructions, when the program is executed on a server terminal, allowing the implementation of the steps of the authentication method consisting of:
Lastly, the invention concerns a computer program comprising code instructions, which, when the program is executed on a client terminal, make it possible to carry out the steps of the authentication method consisting of:
Thus the invention makes it possible to offset the drawbacks of the one-way authentication methods widely used in modern networks and two-way authentication methods that are not compatible with the uses existing on those networks.
The solution proposed by the invention makes it possible to provide strengthened two-way authentication between two terminals that is completely compatible with the majority of the security protocols developed that use challenge/response-type processes.
We will now describe the embodiments of the invention more precisely, but non-limitingly, in light of the appended drawings, in which:
It should be noted that in the rest of the description, the terms “client” and “client terminal” as well as the terms “server” and “server terminal” mean the same thing.
The client terminal 2 and the server terminal 4 share a secret 6 identified by an identifier.
For example, the secret 6 describes a password or a shared key or a ticket, etc.
The client terminal 2 initializes the authentication session of the prior art by sending a connection request 8 to the server terminal 4 through the network.
The server terminal 4 responds to the request 8 by sending a challenge 10 that it has randomly generated beforehand to the client terminal 2 through the network.
The client terminal 2 applies a function 12 to the challenge 10 and the secret 6. The function 12 is, for example, a mathematical function or a cryptographic algorithm.
The client 2 obtains a response 14 after application of the function 12 on the challenge 10 and the secret 6 that it sends via the network to the server 4 to show that it indeed knows the shared secret 6.
For its part, the server 4 computes a response 16 to the challenge 10 by using the same function 12 applied to the shared secret 6 and the challenge 10.
The server 4 compares the response 14 sent by the client 2 and the response 16 it computed in 18.
If the responses 14 and 16 match, the server 4 authenticates the client 2 in 20.
If the responses 14 and 16 do not match, the server 4 does not authenticate the client 2 in 22.
This one-way authentication mode described in reference to
Unfortunately, this method only makes it possible to authenticate the client 2, making it vulnerable to a large number of attacks, in particular the plaintext attack, the replay attack, the man-in-the-middle attack, the denial-of-service attack, the IP spoofing attack and the masquerade attack.
In order to resolve this vulnerability problem of the one-way authentication method, the IETF Committee extended some of the aforementioned protocols to provide two-way authentication. For example, the IETF RFC2759 proposes an extension of the CHAP protocol, named MS-CHAP-v2, to provide two-way authentication.
This extension is described in reference to
Moreover, according to the method described in
The server 4 authenticates in 20, or does not authenticate in 22, the client 2 in the same manner as in the method according to
The server 4 then applies a second function 28 to the second challenge 24 and to the secret 6. The second function 28 is, for example, a mathematical function or a cryptographic algorithm.
The server 4 obtains a response 30 following the application of the second function 28 on the second challenge 24 and the secret 6 it sends through the network to the client 2 to show that it indeed knows the shared secret.
For its part, the client 2 computes a response 32 to the second challenge 24 using the same second function 28 applied to the shared secret 6 and to the second challenge 24.
In 34, the client 2 compares the response 30 sent by the server 4 and the response 32 it computed.
If the responses 30 and 32 match, the client 2 authenticates the server 4 in 36.
If the responses 30 and 32 do not match, the client 2 does not authenticate the server 4 in 38.
The method described in
Indeed, the MS-CHAP-v2 extension is a protocol in itself that does not ensure interoperability or compatibility with the one-way security protocols used in modern networks such as CHAP1 or HTTP Digest. This extension therefore cannot be used transparently with such protocols.
This compatibility and lack of interoperability are essentially due to the fact that the client 2 must have the ability to generate a challenge 24 different from that generated by the server 4 and to send it to the server 4 to be able to authenticate the latter, which means introducing a second challenge-response mechanism.
Thus the method of
The invention makes it possible to resolve this problem by proposing an extension of the one-way authentication method of
The structure and operation of a two-way authentication system according to the invention are described in the continuation of the description in reference to
The method according to the invention thus allows mutual authentication between the client terminal 2 and the server terminal 4 connected to a data transmission network.
It should be noted that the term “terminal” has a very broad meaning in the context of the invention. Indeed, it can designate a computer or a mobile communication terminal such as a mobile telephone or a personal digital assistant, or even a computer device of the chip card or USB port or MMC card type.
The term “network” also has a very broad meaning in the context of the invention. It can designate a household network based on ADSL modems and Wi-Fi access points or a public network provided with base stations or wireless access points, or a business or government network using infrastructures of the LAN, PLAN, WLAN or MAN type.
As in the one-way authentication method according to the prior art described in reference to
Moreover, the authentication method according to the invention is also based on a challenge/response mechanism. However, contrary to the methods of the prior art described in reference to
The invention in fact defines the semantics and structure of the challenge 10 owing to a new construction of the challenge 10.
According to this construction, as illustrated in
The function 42 is a mathematical function or a cryptographic algorithm that can designate a Key Derivation Function (KDF) or a Pseudo-Random Function (PRF) or an MD5 Hash Function (Message Digest) or an SHA hash function (Secure Hash Algorithm) or a Message Authentication Code (MAC) or Key-Hashing Message Authentication Code (HMAC) or a symmetric encryption algorithm of the RC4 or DES or 3DES or AES, etc. type or an authentication algorithm A3. The function 42 can also assume the form of a combination of two or several of the aforementioned forms.
The term “other parameters” 44 designates any type whatsoever of known parameters of the terminals 2 and 4. For instance, these other parameters 44 can designate sequence numbers, the current date and time of the system, random values, part of the headers and content of the messages exchanged between the terminals 2 and 4, the function 40 used, etc.
These other parameters 44 are optional. Indeed, according to one embodiment of the invention, the server 4 applies the function 42 only to the secret 6 and the random value 40.
However, it is preferable to incorporate the other parameters 44 into the computation of the first encrypted value 46 because their use makes it possible to strengthen the integrity of the messages exchanged between the client 2 and the server 4.
Once the server 4 has obtained the first encrypted value 46, it concatenates that value with the random value 40 and, according to one embodiment, with the other parameters 44 to form the challenge 10 it sends to the client 2.
Upon receiving the challenges 10, one of two cases arises:
The client terminal 2 then applies the function 42 to the shared secret 6, the random value 40 and the other parameters 44 to obtain a second encrypted value 48.
In 50, the client terminal compares the first encrypted value 46 sent by the server 4 and the second encrypted value 48 that it computed itself.
If the two encrypted values 46 and 48 match, this proves that the server 4 indeed knows the secret 6. As a result, the client 2 authenticates the server 4 in 52.
If the two encrypted values 46 and 48 do not match, the client 2 does not authenticate the server 4 in 54.
The client 2 then computes the first response 14 to the challenge 10 generated by the server 4 by applying the function 12, cited in reference to
According to one embodiment of the invention (portion in broken lines in
The client 2 then sends the first response 14 to the server 4.
The server 4 then compares the first response 14 to the response 16 computed by it by applying the function 12 to the secret 6, the challenge 10 and the other parameters 44.
Lastly, in the same manner as in the methods of the prior art of
The two-way authentication method according to the invention having been described in reference to
It should be noted in this respect that the IETF committee approved the EAP protocol (Extensible Authentication Protocol) to allow the transport of multiple authentication scenarios, some of which are defined by the EAP-TLS (“Transport Layer Security”, RFC 2246) and EAP-SIM (“Subscriber Identity Module>>, RFC 4186”) specifications.
The EAP entities authenticate each other using an EAP authentication method. This method is a layer above the EAP layer and it defines security and key distribution mechanisms. The authentication method traditionally used in this architecture is MD5-Challenge, described by standard IETF RFC 3748 and also known as EAP-MD5. This method as currently defined does not offer two-way authentication; only the client terminal wishing to connect to the network is authenticated.
One method for authenticating a RADIUS authentication server with an EAP client and vice versa is described in reference to
In the RADIUS infrastructure of an Internet network 58 illustrated in
The NAS servers are connected, via the network 58, to a single authentication server 72 on which authentication software executed by a computer system provided with an operating system is installed.
Currently, a number of free software applications such as “OPEN RADIUS” or “FREE RADIUS” offer RADIUS authentication services.
Integrating the computer programs according to the invention in these software applications will make it possible to perform two-way authentication between the server 72 and each of the clients 60, 62 or 64.
Thus, an authentication session 74 using the method according to the invention is illustrated in
In 76, the NAS server 66 indicates the occurrence of the new authentication session 74 to the client 60 by producing an “EAP-Identity.Request” packet.
The client 60 inserts its identity in an “EAP-Identity.Response” packet in 78. In 80, the NAS server 66 sends this packet to the RADIUS server 72 in an “Access-Request” RADIUS packet.
The RADIUS server 72 generates, according to the method of the invention, described in reference to
The client 60 recovers the type of EAP authentication method, i.e. “MD5-Challenge.” Next, the client 60 analyzes the MD5 challenge 10 according to the method of the invention to authenticate the RADIUS server 72. The client 60 constructs its response using the method according to the invention, then in 86 sends the response (“MD5-Challenge Response” or “EAP-MD5 Response”) to the NAS server 66 in an “EAP.Response” packet. The NAS server 66 encapsulates the response sent by the client 60 in an “Access-Request” RADIUS packet before sending it to the RADIUS server 72 in 88.
The RADIUS server 72 verifies the response from the client 60 according to the method of the invention. If that verification is successful, the RADIUS server 72 encapsulates the indication of the success of the client authentication 60 in an “Access-Accept” RADIUS packet and in 90 sends the packet to the NAS server 66. Upon receipt, the NAS server 66 encapsulates the indication of success of the authentication in an “EAP-Success” packet and sends it to the client 60 in 92.
Thus, the solution according to the invention makes it possible to transparently perform a two-way authentication between a client terminal and a server terminal connected to an Internet network using a RADIUS architecture.
In the continuation of the description, a use of an embodiment of the invention in a GSM network is described in reference to
According to one embodiment described in
This method is similar to that described in
The SIM card 100 and the HLR/AuC server 102 share a key Ki 106.
During the authentication phase, the SIM card 100 sends its IMSI (International Mobile Subscriber Identity) identifier to the HLR/AuC server 102 via the base station 104. The HLR/AuC server 102 generates a random 128-bit number called RAND and sends it to the SIM card 100 in 108.
The SIM card 100 responds in 110 with a value called SRES generated by applying the algorithm A3 on the random number RAND and the shared key Ki 106.
The HLR/AuC server 102 performs the same computation and compares, in 111, the SRES value to the value of the result of its computation. If the two values match, the HLR/AuC server 102 authenticates the SIM card 100 in 112; otherwise, it does not authenticate it in 114.
According to the embodiment of
In order to ensure compatibility and interoperability with the method of
The case according to which the SIM card implements the extension according to the invention is illustrated in
In this case, upon receipt of the number RAND, in 122 the SIM card 100 extracts from this number the random value 116 and the result of the application of the algorithm A3 computed by the HLR/AuC server 102 that it compares in 124 to the result of the computation it did itself by applying the algorithm A3 to the private key PK 118, to the IMSI identifier, and to the random value 116. If the two results match, the HLR/AuC server 102 is authenticated in 126; otherwise it is not authenticated in 128.
Moreover, the SIM card 100 applies the algorithm A3 on the IMSI identifier, the private key PK 118 and the number RAND to obtain an encrypted value 130 that it sends in 110 in the SRES response to the HRL/AuC server 102.
The HLR/AuC server 102 performs the same computation and compares the two results to authenticate the SIM 100 card as described in
The case according to which the SIM card 100 does not implement the extension according to the invention is described in reference to
In this case, the SIM card 100 ignores the operations 122 to 130 and does not authenticate the HLR/AuC server 102.
Thus, the invention makes it possible to have a two-way authentication solution between the SIM card 100 and the HLR/AuC server 102 compatible and interoperable with the one-way authentication method currently used in GSM networks.
According to one embodiment of the invention, one manner of ensuring this interoperability of the invention with the authentication protocols of the prior art is to provide that the server 4 adds a characteristic to the challenge 10 indicating that it is a challenge structured in the manner provided in the invention.
If the client 2 implements the extension, it extracts that value from the challenge from which it previously removed the type of challenge characteristic and applies the steps of the method according to the invention described in reference to
If the client 2 does not implement the extension, it performs the steps of the authentication method of the prior art (
A method according to the invention can therefore be used in any authentication system compatible with a server or client terminal in the form of corresponding computer programs including code instructions that, when said programs are executed, allow the steps of the method to be carried out.
Of course, other embodiments can also be considered.
| Number | Date | Country | Kind |
|---|---|---|---|
| 0851674 | Mar 2008 | FR | national |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/FR2009/050385 | 3/10/2009 | WO | 00 | 5/23/2011 |
