Authentication

Authentication is the verification that the International Mobile Subscriber Identity (IMSI)
provided by the mobile subscriber within the identification procedure at the radio path is the
one claimed. Its purpose is to protect the network against unauthorised access. It also
provides a degree of protection for GSM subscribers by preventing intruders from
impersonating authorised users.
Three items of information are required for the authentication process:
Ki Key
The Ki key is a ciphering key stored permanently only in the MS SIM and in the
subscriber profile in the AuC.
RAND
The RAND is a random number generated within the AuC.
SRES
The SRES is a ‘Signed Result’ code generated in the AuC by passing the Ki and
RAND through the A3 algorithm.
The AuC, upon request from the MSC, generates a number of security information ‘triplets’,
each comprising a RAND and an SRES and a Kc key. This group of triplets is sent to and
stored in the VLR associated with the MS. Each time an authorisation has been requested, a
new triplet is used.
Note: the Kc key is generated as part of the triplet but is used for encryption rather than
authentication.
If all triplets held in the VLR have been used, the MSC requests a new batch from the
HLR/AuC using a ‘Send Authentication Info’ message. The HLR/AuC responds with this
information using a ‘Send Authentication Info Ack’ message.
A request for Authentication can be initiated by the MS or the network.

Authentication

• Benefits of authentication include:
  • Prevents unauthorised network access
  • Prevents illegal impersonation of legitimate subscribers
• Implemented by using an authentication procedure.
• Procedure triggered by:
  • A change in subscriber profile data at the HLR/VLR
  • Accessing a service
  • First network access after MSC/VLR restart
  • Cipher key sequence number mismatch
The authentication of the GSM PLMN subscriber identity may be triggered by the network
when the subscriber applies for:
· a change of subscriber-related information element in the VLR or HLR including:
  · some or all location updating involving change of VLR, registration or erasure of a supplementary service;
· an access to a service including some or all mobile originating or terminated call setups;
· activation or deactivation of a supplementary service;
· first network access after restart of MSC/VLR;
· in the event of cipher key sequence number mismatch.
If, on an access request to the GSM PLMN, the subscriber identity authentication procedure
fails and this failure is not due to network malfunction, access to the GSM PLMN is denied to
the requesting subscriber.
The Authentication Process
The authentication process is shown in the previous diagram and described below:
STEP 1
The subscriber requests network access by sending its IMSI/TMSI to the MSC.
STEP 2
The MSC checks to see if its VLR holds a valid unused triplet required for authentication. If not,
new pairs are requested from the AuC. The MSC then sends the RAND component of the
pair to the MS using an ‘Authentication and Ciphering Request’ message.
STEP 3
Using its own Ki and the RAND sent from the MSC, the MS creates its own SRES and sends it
to the MSC using an ‘Authentication and Ciphering Response’ message.
STEP 4
The MSC compares its self-generated SRES with that received from the MS. If they are
identical, the user is authenticated and access is granted to the network.
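
The four steps above, together with the triplet handling described earlier, as an added example that is not part of the original post. HMAC-SHA256 is used as a stand-in for the operator's A3/A8 algorithms, which the page does not specify; the class names, the batch size of 3 and the sample IMSI and Ki are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki, rand):
    # NOT the real A3/A8: HMAC-SHA256 stands in for the operator's algorithms.
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # SRES (32 bits), Kc (64 bits)

class AuC:
    def __init__(self, subscribers):
        self.subscribers = subscribers  # IMSI -> Ki

    def send_authentication_info(self, imsi, count=3):
        # Build a batch of (RAND, SRES, Kc) triplets for one subscriber.
        ki = self.subscribers[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]
        return [(rand, *a3_a8_standin(ki, rand)) for rand in rands]

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        # Step 3: SRES from the SIM's own Ki and the received RAND.
        return a3_a8_standin(self._ki, rand)[0]

class MscVlr:
    def __init__(self, auc):
        self.auc, self.triplets, self.batches_requested = auc, {}, 0

    def authenticate(self, sim):
        store = self.triplets.setdefault(sim.imsi, [])
        if not store:  # Step 2: no unused triplet left, ask the AuC
            store.extend(self.auc.send_authentication_info(sim.imsi))
            self.batches_requested += 1
        rand, expected_sres, _kc = store.pop(0)  # a triplet is used once
        # Step 4: compare the MS response with the SRES from the triplet.
        return hmac.compare_digest(sim.respond(rand), expected_sres)

def demo():
    imsi, ki = "001010123456789", bytes(range(16))  # constructed values
    msc = MscVlr(AuC({imsi: ki}))
    genuine, impostor = SIM(imsi, ki), SIM(imsi, bytes(16))  # impostor lacks Ki
    accepted = [msc.authenticate(genuine) for _ in range(4)]
    return accepted, msc.authenticate(impostor), msc.batches_requested

if __name__ == "__main__":
    print(demo())
```

The fourth authentication exhausts the first batch of three, so the MSC/VLR fetches a second batch; the impostor holding the right IMSI but the wrong Ki is rejected because Ki itself never crosses the radio path.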
