Techniques for Privacy and Authentication in Personal
Communication Systems
Dan Brown
One-line summary:
Authentication and privacy techniques used in GSM and IS-95 are
presented, and the generic public/private key technique is used as a
basis for comparison.
Overview/Main Points
- General model: Authentication and key agreement (AKA) proceeds
in three phases. Provisioning is the initial distribution of
secrets to the handset and network, and occurs when the user buys the
handset. Visitor setup occurs when a handset establishes
credibility in a foreign network with a VLR (visited location register).
Call setup occurs when a user makes a call, either in a home or
a visited location.
- GSM Method: In the GSM world, a shared secret 128-bit key
Ki is given to a user in a smart card, and recorded in the home
network when the user buys the handset. When a user roams to a
VLR, the HLR sends the VLR a list of (RAND, SRES, Kc) triplets:
challenge, expected response, and conventional session key. These triplets
are used by the VLR on a one-time basis to validate a roaming cellphone
on call setup. Note that the HLR never reveals Ki to the VLR,
or anyone else for that matter, and neither does the cellphone. Users
are assigned temporary mobile station identities (TMSI) when they first
register with a network, which spares them from having to use their
true identities in subsequent registrations, enabling anonymity.
- IS41/IS-54/IS-95 Method: When a user buys a cellphone, the
HLR snail-mails the user a 64-bit secret A-Key that the user types
into the phone. When a user visits a VLR, a shared secret data key
SSD is derived from the A-Key and sent to the VLR by the HLR; this SSD
can also be derived by the cellphone, and is used to validate the
cellphone to the VLR on call setup. Replay attacks are avoided using
a monotonically increasing "call count" register. A single
challenge is broadcast to all cellphones by the VLR; each cellphone
wanting access uses its SSD to compute a response containing its ID
and call count.
- Public/Secret Key method: Users choose public/private key
pairs (I suppose an algo does it for them), and get their public key
and identity certified by a certification authority (CA). Similarly,
networks have their public keys certified. The certificate is signed
using the CA's secret key. Handsets obtain a serving network's certificate
and then use the network's public key to send encrypted authorization
information.
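
The GSM triplet flow from the list above (provisioning, visitor setup, call setup), as an added example that is not from the paper. HMAC-SHA256 stands in for GSM's A3/A8 algorithms, and the class names and the `user-001` identifier are constructed for illustration.

```python
import hashlib, hmac, secrets

def a3a8(ki: bytes, rand: bytes):
    # Stand-in (assumption) for GSM's A3/A8: HMAC-SHA256 keyed with Ki.
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]                      # (SRES, Kc)

class HLR:
    def __init__(self):
        self._ki = {}                          # Ki never leaves the HLR
    def provision(self, user):
        self._ki[user] = secrets.token_bytes(16)   # 128-bit Ki
        return self._ki[user]                  # written to the smart card at purchase
    def triplets(self, user, n):
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)     # fresh challenge per triplet
            out.append((rand, *a3a8(self._ki[user], rand)))
        return out                             # (RAND, SRES, Kc); no Ki inside

class Handset:
    def __init__(self, user, ki):
        self.user, self._ki, self.kc = user, ki, None
    def respond(self, rand):
        sres, self.kc = a3a8(self._ki, rand)   # Kc stays in the handset
        return sres                            # only SRES goes over the air

class VLR:
    def __init__(self):
        self._unused = {}
    def visitor_setup(self, user, triplets):
        self._unused[user] = list(triplets)
    def remaining(self, user):
        return len(self._unused.get(user, []))
    def call_setup(self, handset):
        if not self.remaining(handset.user):
            raise LookupError("no unused triplets; fetch more from the HLR")
        rand, sres, kc = self._unused[handset.user].pop(0)   # one-time use
        ok = hmac.compare_digest(handset.respond(rand), sres)
        return kc if ok else None              # session key only on success

def demo():
    hlr, vlr = HLR(), VLR()
    ki = hlr.provision("user-001")             # constructed identifier
    vlr.visitor_setup("user-001", hlr.triplets("user-001", 2))
    phone = Handset("user-001", ki)
    clone = Handset("user-001", secrets.token_bytes(16))     # wrong Ki
    kc = vlr.call_setup(phone)
    return kc is not None and kc == phone.kc, vlr.call_setup(clone), vlr.remaining("user-001")
```

`demo()` shows the genuine handset agreeing on Kc with the VLR, a handset holding the wrong Ki being rejected, and both triplets being consumed, so a recorded response cannot be replayed against a later challenge.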
Relevance
PCS privacy and authentication is a serious issue that has not
historically been satisfactorily addressed by vendors. GSM
and IS-95 have barely acceptable strategies; the public/secret
key method described is well known to be stronger.
Flaws
- There are weaknesses in public/private key strategies that
this paper doesn't mention, like replay attacks for false
authentication (solved with nonces), private-key discovery by
an evil hacker with physical access, etc. Such weaknesses
should be presented.