Patent Application
20060046690
1.
The present disclosure relates generally to wireless telecommunications, and more specifically, to security in wireless telecommunications.
As wireless devices become more powerful, capable of running applications that communicate with arbitrary application servers, there is a need for such communications to be authenticated and secured. This, in turn, requires that the wireless device and the application server come to share a secret key that is given only to them, and this key is distributed by a third party that is already authenticated and trusted by both the wireless device and the application server. The network operators for the wireless device are in a good position to do this. The Third Generation Partnership Project (3GPP) is in the process of standardizing a mechanism to do this, based on their Authentication Key Agreement (AKA) protocol. The 3GPP is a collaboration agreement that brings together a number of telecommunications standards for the purpose of developing global specifications for the Global System for Mobile Communications (GSM). The 3GPP was pioneered by the European Telecommunications Standard Institute (ETSI).
The Third Generation Partnership 2 (3GPP2) is also a collaboration agreement representing North America and Asian interests. It was established to develop global specifications for ANSI/TLA/EIA-41 networks supporting analog, Time Division Multiple Access (TDMA), and Code Division Multiple Access (CDMA). While the 3GPP2 has officially adopted AKA, there has been some resistance to deploying AKA, and in some instances, an effort to promote the continued use of the Cellular Authentication and Voice Encryption (CAVE) legacy protocol, despite known weaknesses in CAVE. Probably, the biggest single problem with CAVE is that its master key is only 64-bits. This is not considered adequate security for current and future applications. At the same time, there are backward compatibility issues with the deployment of AKA, particularly when the wireless device incorporates a User Identity Module (UIM) supporting the CAVE algorithm. The UIM contains the authentication credentials and algorithms that use them.
Accordingly, there is a need in the art for technology that provides greater security in legacy devices employing CAVE. Preferably, this technology should be cryptographically proven, such as AKA.
In one aspect of the present invention, a subscriber station includes a processing system having first and second security protocols, the processing system being configured to use the first security protocol to generate a pseudo-secret key from a challenge received from a service provider, and use the second security protocol to generate a response to the challenge from the pseudo-secret key.
In another aspect of the present invention, a method secured communications includes receiving a challenge from a service provider, using a first security protocol to generate a pseudo-secret key from the challenge, and using a second security protocol to generate a response to the challenge from the pseudo-secret key.
It is understood that other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein various embodiments of the invention are shown and described by way of illustration. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modification in various other respects, all without departing from the spirit and scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.
Aspects of the present invention are illustrated by way of example, and not by way of limitation, in the accompanying drawings, wherein:
The detailed description set forth below in connection with the appended drawings is intended as a description of various embodiments of the present invention and is not intended to represent the only embodiments in which the present invention may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention may be practiced without these specific details. In some instances, well known structures and components are shown in block diagram form in order to avoid obscuring the concepts of the present invention.
In the following detailed description, various encryption mechanisms will be described in connection with a CDMA telecommunications system. CDMA is a modulation and multiple access scheme based on spread-spectrum communications and is well known in the art. While the encryption mechanisms described throughout this disclosure may be well suited for use in a CDMA telecommunications system, those skilled in the art will readily appreciate that these techniques are likewise applicable to other wireless networks. Accordingly, any reference to a CDMA telecommunications system is intended only to illustrate various inventive aspects of the present invention, with the understanding that these inventive aspects have a wide range of applications.
The subscriber station 104 may include a transceiver 109 to support radio communications with a wireless subsystem 114. A processing system 108 may be used to provide various signal processing functions. The processing system 108 may include a processor 110 integrated into the subscriber station 104, and a UIM 112 with its own processor (not shown). The UIM 112 may or may not be removable from the subscriber station 104. A removable UIM is often referred to in the art as a R-UIM. In either case, the UIM 112 is generally designed to be tamper-resistant and capable of a reasonable level of protection for encryption keys.
The wireless subsystem 114 may be used to support communication between the subscriber station 104 and the circuit-switched and/or packet switched networks 106, 108. A Mobile Switching Center (MSC) 116 is shown as the service provider in this example, providing access to the circuit-switch network 106 and/or the packet-switched network 108 via an Interworking Function (IWF) 118. However, as those skilled in the art will appreciate, any service provider may be used to interface the subscriber station 104 to the wired subsystem 102. Accordingly, all authentication and encryption procedures described throughout this disclosure with reference to the MSC 116 are equally applicable to any service provider in the wireless subsystem 114.
The wireless subsystem also includes a Base Station Controller (BSC) 118, which controls one or more Base Station Transceivers (BTS) through the allocation and management of radio resources. Each BTS includes one or more transceivers placed at a single location to provide radio coverage throughout the entire wireless subsystem 114. For simplicity, a single BTS 120 is shown in communication with the subscriber station 104.
The wireless subsystem 114 may also include a Home Location Register (HLR) 122. The HLR 122 may be used to maintain a record of valid subscribers for various service providers. The HLR 122 also maintains all subscriber information, such as the Electronic Serial Number (ESN), the phone number of the subscriber station, the current location of the subscriber station, etc. The HLR 122 may be co-located with the MSC 116, be an integral part of the MSC 116, or be independent of the MSC 116. One HLR can serve multiple MSCs, or an HLR may be distributed over multiple locations. Typically, the HLR 122 will be coupled with an Authentication Center (AC) 124.
A Visitor Location Register (VLR) 126 is normally coupled with the MSC 116. The VLR 126 maintains a register of visiting subscriber stations operating within the coverage area of the BTSs connected to the MSC 116. The VLR 126 serves as a local cache of HLR subscriber information for quick and easy access. When a roaming subscriber station 104 enters a new service area covered by the MSC 116, the MSC 116 retrieves the subscriber station information from the HLR 122 and places it into the VLR 126.
When the subscriber station 104 initially registers with the wireless subsystem, the authentication process begins with the generation of a 128-bit secondary key called the “Shared Secret Data” (SSD) at the AC 124 and the subscriber station. At the AC 124, a RAND generator 202 is used to generate a RAND which, along with the A-key and the subscriber station's ESN, are input to a CAVE algorithm 204 to generate the SSD. The RAND is also sent to the UIM 112 so that the SSD can be generated at the subscriber station 104. At the UIM 112, the RAND, the A-key, and the ESN are input to a similar CAVE algorithm 206 to generate the SSD.
The SSD is provided from the AC 124 to the MSC 116 serving the area in which the subscriber station 104 resides. The SSD may be shared with MSC's in other service areas to allow local authentication of a roaming subscriber station 104. The SSD may be used by the MSC 116 to support a challenge/response authentication procedure. In particular, the MSC 116 generates a random challenge (Broadcast RAND) with a Broadcast RAND generator 208. The Broadcast RAND is provided to the UIM 112 in the subscriber station 104. The UIM 112 uses the Broadcast RAND and the SSD as input to a CAVE algorithm 210 to generate an authentication signature, i.e., a response to the challenge. This signature is then used by the MSC 116 to authenticate the subscriber station 104 by comparing 214 the signature to the output of a similar CAVE algorithm 212 applied to the Broadcast RAND and the SSD from the AC 124.
In at least one embodiment of the CDMA telecommunications system of
The AKA procedure is performed in two stages. The first stage involves the transfer of security credentials from the AC 124 to either the MSC 116 or some other service provider in the wireless subsystem responsible for setting up the connections with the subscriber station 104. The security credentials consist of an ordered array of authentication vectors (AV). The authentication vectors AV include challenge/response authentication data and cryptographic keys. The second stage involves a one-pass challenge/response transaction between the subscriber station 104 and the MSC 116 to achieve mutual authentication.
In the standardized AKA protocol, the authentication vectors AV are derived by the AC 124 from a 128-bit secret key (K) known only by the AC 124 and the UIM 112. However, in the described embodiment, the UIM 112 employs CAVE security credentials, and therefore, does not have a secret AKA key K. Accordingly, a pseudo-secret key (PK) is used. The pseudo-secret key (PK) may be created from information provided by the UIM 112 to the processor 110 (see
The manner in which the pseudo-secret key PK is created may vary depending on the specific design constraints and the overall system parameters.
The AC 124 uses a number of cryptographic functions to generate the authentication vectors AV. These functions may include f1-f5, f11, and other cryptographic function as defined by the appropriate standards and well known in the art. The network operators are generally free to choose any algorithm they want provided it complies with the function input/output specifications set forth in 3G TS 33.105, 3G Security; Cryptographic Algorithm Requirements. The first cryptographic function fo is used to derive the MAC from the pseudo-secret key PK and the sequence number SQN. The remaining cryptographic functions f1-f5 are used to derive the expected response to the challenge XRES, the cipher key CK, the integrity key IK, and an anonymity key (AK), respectively, from the pseudo-secret PK and the AKA RAND. The anonymity key AK is used to encrypt the sequence number SQN in the authentication token AUTN.
Once the pseudo-secret key PK is derived by the processor 110, it may be used with the AKA protocol. The pseudo-random key PK may be used, along with the AKA RAND from the authentication vector AV, to derive the anonymity key (AK) using the f5 function. The sequence number SQN from the authentication token AUTN can then be decrypted with the anonymity key AK through an XOR operation 506. The decrypted sequence number SQN, along with the pseudo-secret key PK, may then be used to derive the expected message authentication code (XMAC) using the f1. The MAC from the authentication token AUTN and the XMAC may then be input to a comparator 508. If they are different, the processor 110 sends an error message back to the MSC 116 and abandons the authentication procedure. po The next step in the process, assuming that the MAC and the XMAC are the same, is to verify that the decrypted sequence number SQN is correct. The decrypted sequence number SQN and a locally generated SQN from a counter 510 may be input to a comparator 512. If the decrypted sequence number SQN is incorrect, the processor 110 sends an error message back to the MSC 124. In response to the error message, the MSC 116 may initiate a resynchronization process between the counters in the AC 124 and the processor 110.
Assuming that the MAC and XMAC are the same, and the decrypted sequence number SQN is correct, the session keys may then be generated. In particular, the cipher key CK and the integrity key IK may be derived from the AKA RAND and the pseudo-secret key PK using the f3 and f4 functions. The processor 110 also generates a response (RES) to the AKA RAND and the pseudo-secret key PK using the f2 function. The response RES is sent to the MSC 116. The MSC compares 514 the response RES from the processor 110 with the expected response XRES contained in the authentication vector AV. If the RES equals the XRES, then the subscriber station has been authenticated. The MSC 116 may select the appropriate cipher key CI and integrity key IK from the selected authentication vector AV to begin secured communications. If, however, the RES is different from the XRES, the MSC 116 may send an error message back to the AC 124. The MSC 116 may also decide to initiate a new authentication procedure with the subscriber station 104.
Enhanced security may be achieved by using a standard Diffie-Hellman key agreement protocol between the subscriber station 104 and the MSC 116 to negotiate a 128-bit temporary key (TK). The temporary key (TK) may then be provided by the MSC 116 to the AC 124. The temporary key (TK) may then be included in the hash function at both the AC 124 and processor 110 to derive the pseudo-secret key PK.
The various illustrative logical blocks, modules, circuits, elements, and/or components described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing components, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The methods or algorithms described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the full scope consistent with the claims, wherein reference to an element in the singular is not intended to mean “one and only one” unless specifically so stated, but rather “one or more.” All structural and functional equivalents to the elements of the various embodiments described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited using the phrase “step for.”
This application claims priority to U.S. Provisional Patent Application Ser. No. 60/606,971, filed Sep. 2, 2004, which is incorporated herein by reference in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| 60606971 | Sep 2004 | US |
