WO2000008879A1 - Method for authenticating a source of communication in a communication system - Google Patents


Info

Publication number: WO2000008879A1
Authority: WO (WIPO, PCT)
Prior art keywords: communication, data, source, mobile station, base station
Application number: PCT/US1999/012454
Other languages: French (fr)
Inventors: Daniel Peter Brown, Valentin Oprescu-Surcobe
Original assignee: Motorola Inc.
Priority date: 1998-08-06
Filing date: 1999-06-04
Publication date: 2000-02-17

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication


Abstract

In a communication system that includes a base station and a mobile station, a method of authenticating a source of communication includes authenticating a source of a first communication between the mobile station and base station, generating a token field of data based on at least a result of the authenticating step, and adding the token field of data to a data field to produce a burst of data for a second communication between the mobile station and base station. The token field of data authenticates the source of the second communication.

Description

Method for Authenticating a Source of Communication in a Communication System

Field of the Invention

The present invention generally relates to communication systems, and more particularly to a method of authenticating a source of communication in a communication system.
Background of the Invention

In most communication systems, such as cellular communication systems (e.g. TIA/EIA/IS-41, IS-95, IS-136, and GSM), base stations authenticate the sources of communications by interacting with the sources through exchanges of several data items. If the data supplied by the source matches the expected data in the base station, the source of the communication is authenticated and, as a result, allowed to function in the communication system. Base stations are vulnerable to access by unauthorized mobile stations. Therefore, in current cellular communication systems, the mobile stations are authenticated by the base station before the mobile stations are allowed to function in the communication system. However, in most instances, the mobile stations do not authenticate the base stations, which are also sources of communication in the system.

The mobile stations are also vulnerable to unauthorized probing by a base station. The base station may probe the mobile station to acquire sensitive information, such as the mobile station's location. Since the mobile station does not authenticate the source of a communication, in practice it may respond to any base station that originates a communication with the mobile station. As such, one may fraudulently set up a base station in a communication system to probe the mobile stations in that communication system. Therefore, there is a need for the mobile station to authenticate the source of a communication before it responds to the communication source.

The process of authentication is lengthy and time consuming in most instances. In most communication systems, the mobile station user and the base station network share a secret number. Through a one-way mixing function, the secret number is used to calculate an authentication response to a random challenge number. The one-way mixing function does not permit synthesis of the secret number from the authentication response, and as such the user secret number remains secret. The authentication response is transmitted so the source of the communication can prove its identity without the need to transmit the secret number over the air interface. In the recipient of the communication, the received authentication response is compared with a locally produced authentication response to authenticate the source of the communication. In a few of the North American systems, the process is sometimes mutual, whereby the network authenticates the user and the user authenticates the network.

A traditional means of performing mutual authentication requires the mobile station and the base station network to transmit challenge numbers to each other, to calculate responses, to transmit the responses, and to confirm that the received responses match the internally calculated responses. Nevertheless, these techniques impose a burden, especially on packet communications, where transmissions are typically short and bursty. Furthermore, a source of communication (the mobile station or the base station) may not need to be in an active state in certain types of short communications.

The source of communication may not be in an active state at all times. It may go into a "dormant" or inactive state from time to time to conserve resources. When the mobile station is required to use the conventional means to authenticate the source of every communication, it has to wake up from the inactive state and switch to an active state every time a source of communication attempts to communicate with the mobile station. Therefore, if the mobile station is required to authenticate the source of every communication, it may spend a considerable amount of time and battery power authenticating the sources of the communications. Therefore, there is a need for an efficient method of authenticating a source of a communication in a communication system.
Detailed Description of the Preferred Embodiment(s)

According to an aspect of the invention, in a communication system that includes a base station and a mobile station, a method of authenticating a source of communication includes authenticating a source of a first communication between the mobile station and base station, generating a token field of data based on at least a result of the authenticating step, and adding the token field of data to a data field to produce a burst of data for a second communication between the mobile station and base station. The data field may be a control data field, a message data field, or a signaling data field. The second communication may be a communication subsequent to the first communication. The token field of data authenticates the source of the second communication. According to the invention, there is no transmission of mobile and base station "challenges" beyond the authentication of the first communication. The first communication may be a component of an initial call set-up exchange. The authentication of the source of the second communication may thus be performed with minimal overhead in over-the-air communication. Accordingly, the invention permits an efficient method of authenticating a source of communication.

The first communication may occur after the mobile station has switched from an inactive state to the active state. Such a switch normally occurs when the mobile station makes an initial communication with a base station. The mobile station may have a plurality of quasi-active states corresponding to a plurality of activity levels. Such activity levels are normally defined by the system specification. One example of a quasi-active state is a state which allows the mobile station's location to be acquired by the base station. The second communication occurs after the mobile station has switched from at least one of the plurality of quasi-active states to the active state. The token fields of data may be generated in conjunction with the authenticating step. In any case, the source of the second communication may be the mobile station or the base station. As such, the invention provides an efficient method of mutual authentication during any state of the mobile station.

At the receiving end of the second communication, the token field of data is locally generated, using the same parameters used to generate the transmitted token field of data, to produce an identical token field of data. The identical token field of data is then compared with the token field of data received via the second communication to authenticate the source of the second communication. The recipient of the second communication may be the mobile station or the base station.

Token fields of data are short information fields that are derived from the authentication step. Such authentication may be performed upon the initial access of the mobile station to the network. Token fields of data are generated by further execution of the authentication algorithm, with additional inputs that may include time, direction of transmission and possibly a sequence number. A message checksum or CRC may also be added. The invention accordingly permits efficient use of air interface bandwidth and time. Adding the token fields of data to a subset of data packets is an efficient means of providing authentication with a minimum of overhead information. The token fields of data are relatively short fields of data compared to data packets. Such authentication may be mutual between the mobile station and the base station. The invention allows the mobile station and the base station a means of authenticating each other without substantial overhead. Each packet of data that is transmitted may have a token field of data added to it for authentication purposes. In a typical application, a one-way mixing function such as CAVE (CAVE is an authentication algorithm commonly used by those skilled in the art) is initialized with a set of parameters including a random challenge number, a user secret number and other information. The parameters are mixed according to the CAVE algorithm to produce an authentication response that is used for user-to-network authentication of a session. Upon establishing the initial session, two copies of the state of CAVE are retained. These two copies are used at the mobile station of the user and at the base station of the network to generate token fields of data. Each side may have a "network-to-subscriber" version and a "subscriber-to-network" version. A token is generated upon the transmission of a packet from the network to the subscriber. The token is calculated by running the network-to-subscriber copy of CAVE for an additional 8 rounds, with a modification to the initial state of CAVE. This modification consists of an exclusive-oring of the "authentication-data" input stages with a 24-bit number consisting of a single-bit direction indicator, a seven-bit packet number, and a 16-bit cyclic redundancy check (CRC) that is the result of running the packet through an appropriate polynomial generator. The resulting token is added to the data packet. The packet may or may not be encrypted, depending on regulatory and service provider policies. The token is similarly calculated at the subscriber terminal. If it matches the token that was sent from the network, the transmission is considered to be authentic. Tokens that are sent from the subscriber terminal to the network are generated in the same manner, except that the direction bit is inverted relative to the network-to-subscriber direction bit. When a transmitter or receiver in either the mobile station or the base station wakes up from any state to an active state to transmit or receive data, the first few packets of data that are communicated most preferably include token fields of data. Such packets include the packets that are communicated to initiate the wake-up process. The wake-up process may be from an inactive state, which is normally a sleep or dormant state.

The advantages of the invention include a means for authenticating the network or the base station as a source of communication. As such, a base station cannot fraudulently access a mobile station. Moreover, the invention provides the authentication through an efficient means.
According to various aspects of the invention, the generating step may include generating a plurality of token fields of data based on at least the result of the authenticating step, and one of the plurality of token fields of data is used in the adding step. The plurality of token fields of data corresponds to a plurality of second communications, and no token field of data is reused. In the recipient of the second communication, the plurality of token fields of data are locally generated to produce an identical plurality of token fields of data, followed by comparing the identical plurality of token fields of data with the token field of data received via the second communication to authenticate the source of the second communication. The second communication is authenticated when the received token field of data matches at least one of the locally generated identical plurality of token fields of data.

Moreover, the plurality of token fields of data may correspond to the plurality of second communications in a pre-defined order. In a recipient of the second communication, the plurality of token fields of data are locally generated to produce an identical plurality of token fields of data. The recipient receives at least a first and a second of the plurality of second communications, and compares the identical plurality of token fields of data with the token field of data received via the first of the plurality of second communications to authenticate the source of that first second communication. This is followed by comparing the token field of data received via the second received second communication with the pre-defined order to authenticate the source of the second of the plurality of second communications. In case one or more of the tokens are missing due to loss of communications, the pre-defined order is adjusted in the recipient of the plurality of second communications to coincide with the order of token fields of data actually received via the plurality of second communications. Synchronization data, which may include the token field of data or the data field, may be used as a means of facilitating the adjustment process.

Transmission of some data packets may not need authentication. A qualifier may be generated along with the data packets. The qualifier may be based on the content of the data packet or the order of the data packets. The qualifier indicates whether any token field of data is added to the data field in the burst of data.
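The following is an added worked example, not code from the patent or from Motorola: it models the scheme described above, from the initial challenge-response authentication of the first communication, through token generation from a retained mixing-function state with the 24-bit modifier (direction bit, 7-bit packet number, 16-bit CRC), to a recipient that locally generates a plurality of tokens in a pre-defined order, tolerates lost packets by adjusting that order, never accepts a token twice, and honours a qualifier marking bursts that carry no token. Everything not stated on the page is an assumption and labelled as such in the code: HMAC-SHA256 stands in for CAVE (the real CAVE rounds are not reproduced), CRC-16/CCITT-FALSE with polynomial 0x1021 is used as the "appropriate polynomial generator", the token length, burst layout, window size and all names such as `Recipient`, `make_token` and `build_burst` are constructed for this illustration, and the secret and challenge are made-up sample values.

```python
import hashlib
import hmac

DIR_NET_TO_SUB = 0   # single-bit direction indicator, network-to-subscriber
DIR_SUB_TO_NET = 1   # inverted for subscriber-to-network
TOKEN_LEN = 3        # assumption: 24-bit token field
WINDOW = 8           # assumption: size of the locally generated plurality of tokens


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), assumed as the 'appropriate polynomial'."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def mix(state: bytes, extra: bytes) -> bytes:
    """Stand-in one-way mixing function: HMAC-SHA256 in place of CAVE (assumption)."""
    return hmac.new(state, extra, hashlib.sha256).digest()


def authenticate_first(secret: bytes, challenge: bytes):
    """First communication: compute the challenge response from the shared secret,
    and retain the mixing-function state both sides keep for token generation."""
    response = mix(secret, b"AUTHR" + challenge)[:4]
    retained_state = mix(secret, b"STATE" + challenge)
    return response, retained_state


def make_token(state: bytes, direction: int, packet_number: int, payload: bytes) -> bytes:
    """Continue the mixing function with the 24-bit modifier the text describes:
    1-bit direction | 7-bit packet number | 16-bit CRC of the packet."""
    modifier = ((direction & 1) << 23) | ((packet_number & 0x7F) << 16) | crc16(payload)
    return mix(state, modifier.to_bytes(3, "big"))[:TOKEN_LEN]


def build_burst(state, direction, packet_number, payload, with_token=True) -> bytes:
    """Burst layout (assumption): qualifier(1) | packet number(1) | token | data field.
    The qualifier indicates whether a token field was added at all."""
    header = bytes([1 if with_token else 0, packet_number & 0x7F])
    token = make_token(state, direction, packet_number, payload) if with_token else b""
    return header + token + payload


class Recipient:
    """One retained state per receive direction plus the expected position in the
    pre-defined token order; tolerates lost packets within WINDOW, never reuses a token."""

    def __init__(self, state: bytes, direction: int):
        self.state, self.direction, self.expected = state, direction, 0

    def verify(self, burst: bytes):
        """Returns (status, payload) with status 'authentic', 'unauthenticated' or 'rejected'."""
        qualifier, number = burst[0], burst[1]
        if qualifier == 0:                      # no token field in this burst
            return "unauthenticated", burst[2:]
        token, payload = burst[2:2 + TOKEN_LEN], burst[2 + TOKEN_LEN:]
        # Locally generate the plurality of tokens for the next WINDOW packet numbers,
        # in the pre-defined order, with the same parameters the sender used.
        plurality = {}
        for i in range(WINDOW):
            n = (self.expected + i) & 0x7F
            plurality[n] = make_token(self.state, self.direction, n, payload)
        # A packet number outside the window is a repeat/replay or an out-of-sync burst.
        if number not in plurality or not hmac.compare_digest(plurality[number], token):
            return "rejected", None
        self.expected = (number + 1) & 0x7F     # adjust the order past any lost packets
        return "authentic", payload


def demo():
    """Constructed exchange: one initial authentication, then token-carrying bursts."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared secret
    challenge = bytes.fromhex("0badcafe")                         # constructed random challenge
    mobile_resp, mobile_state = authenticate_first(secret, challenge)
    network_resp, network_state = authenticate_first(secret, challenge)
    assert hmac.compare_digest(mobile_resp, network_resp)         # first communication authenticated
    mobile = Recipient(mobile_state, DIR_NET_TO_SUB)     # mobile checks network-to-subscriber tokens
    network = Recipient(network_state, DIR_SUB_TO_NET)   # network checks subscriber-to-network tokens
    results = []
    b0 = build_burst(network_state, DIR_NET_TO_SUB, 0, b"wake-up page")
    results.append(mobile.verify(b0)[0])        # genuine base station: authentic
    results.append(mobile.verify(b0)[0])        # same burst again: token not reused, rejected
    b3 = build_burst(network_state, DIR_NET_TO_SUB, 3, b"data after loss")
    results.append(mobile.verify(b3)[0])        # packets 1 and 2 lost: order adjusted, authentic
    rogue = build_burst(b"\x00" * 32, DIR_NET_TO_SUB, 4, b"probe")
    results.append(mobile.verify(rogue)[0])     # base station without the retained state: rejected
    echoed = build_burst(mobile_state, DIR_NET_TO_SUB, 0, b"echo")
    results.append(network.verify(echoed)[0])   # downlink token offered on the uplink: direction bit differs, rejected
    plain = build_burst(network_state, DIR_NET_TO_SUB, 5, b"no auth needed", with_token=False)
    results.append(mobile.verify(plain)[0])     # qualifier says no token: unauthenticated
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The recipient recomputes the plurality with the received payload because the CRC of the packet is one of the token inputs, so a burst whose data field was altered in transit fails the comparison even though its packet number is in order. The window check is what makes the "no token reused" property hold: a packet number at or behind the expected position is refused outright, so a recorded burst cannot be presented a second time, while a gap of up to WINDOW lost packets is bridged by moving the expected position forward to the matched number.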
While the invention has been particularly shown and described with reference to a particular embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention. The corresponding structures, materials, acts and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or acts for performing the functions in combination with other claimed elements as specifically claimed.

Claims

What is claimed is:
1. In a communication system that includes a base station, and at least a mobile station, a method comprising the steps of: authenticating a source of a first communication between said mobile station and base station; generating a token field of data based on at least a result of said authenticating step; adding said token field of data to a data field to produce a burst of data for a second communication between said mobile station and said base station, wherein said token field of data authenticates a source of said second communication.
2. The method as recited in claim 1 wherein said second communication is subsequent to said first communication.
3. The method as recited in claim 1 wherein said second communication occurs after said mobile station switches from a quasi-active state to an active state.
4. The method as recited in claim 1 wherein said first communication occurs after said mobile station or the base station switches from an inactive state to said active state.
5. The method as recited in claim 1 wherein said generating step is in conjunction with said authenticating step.
6. The method as recited in claim 1 wherein said source of said second communication is said mobile station.
7. The method as recited in claim 1 wherein said source of second communication is said base station.
8. The method as recited in claim 1 further comprising the steps of: generating in a recipient of said second communication said token field of data to produce an identical token field of data; comparing said identical token field of data in said recipient of said second communication with said token field of data received via said second communication to authenticate a source of said second communication.
9. The method as recited in claim 8 wherein said recipient of said second communication is said mobile station.
10. The method as recited in claim 8 wherein said recipient of said second communication is said base station.

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
US13041798A | 1998-08-06 | 1998-08-06 |
US09/130,417 | 1998-08-06 | |

Publications (1)

Publication Number | Publication Date
WO2000008879A1 (en) | 2000-02-17

Family

ID=22444599

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/US1999/012454 (WO2000008879A1, en) | 1998-08-06 | 1999-06-04 | Method for authenticating a source of communication in a communication system

Country Status (1)

Country | Link
WO (1) | WO2000008879A1 (en)

Cited By (2)

Publication Number | Priority Date | Publication Date | Assignee | Title
US6896955B2 (en) | 2000-04-04 | 2005-05-24 | Air Products & Chemicals, Inc. | Ionic additives for extreme low dielectric constant chemical formulations
US9119076B1 (en) | 2009-12-11 | 2015-08-25 | Emc Corporation | System and method for authentication using a mobile communication device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication Number | Priority Date | Publication Date | Assignee | Title
US5390245A (en) * | 1990-03-09 | 1995-02-14 | Telefonaktiebolaget L M Ericsson | Method of carrying out an authentication check between a base station and a mobile station in a mobile radio system
US5642401A (en) * | 1993-06-29 | 1997-06-24 | Nec Corporation | System and method of authenticating a service request in a mobile communication system
US5794139A (en) * | 1994-08-29 | 1998-08-11 | Sony Corporation | Automatic generation of private authentication key for wireless communication systems
US5822691A (en) * | 1996-05-02 | 1998-10-13 | Nokia Mobile Phones Limited | Method and system for detection of fraudulent cellular telephone use
US5920821A (en) * | 1995-12-04 | 1999-07-06 | Bell Atlantic Network Services, Inc. | Use of cellular digital packet data (CDPD) communications to convey system identification list data to roaming cellular subscriber stations



Legal Events

Date | Code | Title / Description
| AK | Designated states. Kind code of ref document: A1. Designated state(s): BR JP KR
| AL | Designated countries for regional patents. Kind code of ref document: A1. Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
| 122 | Ep: PCT application non-entry in European phase