To provide reliable and customized authentication, a parameter to be used in authentication is defined for the operator. A secret which may be stored e.g. in a subscriber identity module is calculated from the operator parameter and a subscriber key. An authentication response is calculated from the secret and the challenge to be used in authentication with a one-way function.

PTO Wrapper PDF
Dossier Espace Google
Patent
   RE45873
Priority
Mar 30 2000
Filed
Apr 30 2015
Issued
Jan 26 2016
Expiry
Mar 26 2021
Inventors
Nyberg, Ka…
Assg.orig
Nokia Tech…
Assg.curr
Nokia Tech…
Entity
Large
Referenced by
0
References
28
Maint.:
currently ok
18. A subscriber identify identity module, comprising:
a memory configured to store a first secret calculated with a first one-way function from only two inputs comprising a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator specific parameter, a value of which has been selected by the operator; and
a processor configured to:
calculate, with a second one-way function, an output from only two different inputs comprising the stored first secret and a received challenge; and
extract, from the output, an authentication response used in authentication.
17. A subscriber identity module, comprising:
a memory configured to store a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator-specific parameter, a value of which has been selected by the operator; and
a processor configured to:
calculate, with a first one-way function, a first secret from only two inputs comprising the stored subscriber key and the stored operator parameter;
calculate, with a second one-way function, an output from only two different inputs comprising the first secret and a received challenge; and
extract, from the output, an authentication response used in authentication.
14. Au authentication center, comprising:
a memory configured to store a first secret calculated with a first one-way function using only two inputs which are a subscriber key defined for a subscriber and an operator parameter defined for an operator of the subscriber, the operator parameter being an operator-specific parameter, value of which has been selected by the operator;
a random number generator for generating challenges; and
a processor configured to:
calculate an output using a second one-way function having only two different inputs comprising the stored first secret and a challenge generated by the random number generator; and
extract, from the output, an authentication response to be used in authentication.
21. A method, comprising:
calculating providing a first secret calculated with a hash function using only two inputs comprising a predefined key and a predefined operator parameter, the key being predefined for a subscriber and the operator parameter being predefined as an operator-specific parameter, a value of which has been selected by the operator, the first secret being stored in a subscriber identity module;
storing the first secret in a subscriber identify module;
calculating, during authentication in the subscriber identity module, an output with an encryption algorithm using only two different inputs comprising a random number challenge and the stored first secret;
extracting an authentication response from the output; and
authenticating the subscriber with the authentication response.
13. An authentication center, the authentication center comprising:
a memory configured to store a subscriber key defined for a subscriber and an operator parameter defined for an operator of the subscriber, the operator parameter being an operator-specific parameter, a value of which has been selected by the operator;
a random number generator that generates challenges; and
a processor configured to:
calculate, with a first one-way function, a first secret from only two inputs comprising the stored subscriber key and the stored operator parameter;
calculate, with a second one-way function, an output from only two different inputs comprising the first secret and a challenge generated by the random number generator; and
extract, from the output, an authentication response to be used in authentication.
20. A subscriber identity module, comprising:
a memory configured to store:
a first secret calculated with a first one-way function from only two inputs comprising a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator-specific parameter, a value of which has been selected by the operator, and
a second secret calculated with a second one-way function from said two inputs;
a processor configured to:
calculate, with a third one-way function, an intermediate output from only two different inputs comprising a random number challenge and the stored first secret;
calculate, with a fourth one-way function, an output from only two other inputs comprising the intermediate output and the stored second secret; and
extract an authentication response from the output.
1. A method, comprising:
providing a first secret calculated using a first one-way function to calculate a first secret from only two inputs comprising a predefined key and a predefined operator parameter, wherein the key is predefined for a subscriber and the operator parameter is predefined as an operator-specific parameter having a value selected by an operator associated with the subscriber;
using a second one-way function to calculate an output from only two different inputs, the two different inputs comprising a challenge and the calculated provided first secret, wherein the challenge comprises a generated random number;
extracting the an authentication response from the output calculated by the second one-way function; and
authenticating the subscriber with the extracted authentication response,
wherein the first and second one-way functions are configured to each receive exactly two inputs.
19. A subscriber identity module, comprising
a memory configured to store a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator-specific parameter, a value of which has been selected by the operator first secret calculated with a first one-way function from only two inputs comprising a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator specific parameter, a value of which has been selected by the operator, and
a processor configured to:
calculate, with a first one-way function, a first secret from only two inputs comprising the stored subscriber key and the stored operator parameter;
calculate, with a second one-way function, a second secret from said two inputs;
calculate, with a third one-way function, an intermediate output from only two different inputs comprising the first secret and a received challenge;
calculate, with a fourth one-way function, an output from only two other inputs comprising the second secret and the intermediate output; and
extract, from the output, an authentication response used in authentication.
23. A non-transitory memory embodying program instructions therein executable by a processor operably coupled to the memory which, when executed by the processor, carry out the functions of:
calculating a first secret with a first one-way function from only two inputs, the two inputs for the first one-way function comprising a predefined key and a predefined parameter, the predefined key being predefined for a subscriber and the predefined parameter being predefined for an operator associated with the subscriber as an operator-specific parameter, a value of which has been selected by the operator;
calculating an output with a second one-way function using only two different inputs, the two different inputs for the second one-way function comprising a challenge and the calculated first secret, the challenge being a random number generated for use in authentication; and
extracting an authentication response from the output.
16. An authentication center, comprising:
a memory configured to store a first secret calculated with a first one-way function from only two inputs comprising a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber,
the operator parameter being an operator-specific parameter, a value of which has been selected by the operator and a second secret calculated with a second one-way function using said two inputs;
a random number generator that generates challenges; and
a processor configured to:
calculate, with a third one-way function, an intermediate output using only two different inputs comprising the stored first secret and a challenge generated by the random number generator,
calculate, with a fourth one-way function, an output using only two other inputs comprising the stored second secret and the intermediate output; and
extract an authentication response from the output.
0. 29. A mobile station, comprising:
a receiver configured to receive an authentication challenge from a network via a radio connection and to provide the authentication challenge to a subscriber identification module;
a transmitter configured to transmit an authentication response, provided from the subscriber identification module, to the network via the radio connection, the authentication response being derived in accordance with predetermined functions and at least one secret that comprise:
a first secret derived by a first one-way function from only two inputs comprising a subscriber key defined for a subscriber and an operator parameter defined for an operator that is associated with the subscriber, the operator parameter being an operator specific parameter, a value of which has been selected by the operator; and
a second one-way function used to calculate, from only two different inputs comprising the first secret and the received challenge, the authentication response.
15. An authentication center, comprising:
a memory configured to store a subscriber key defined for a subscriber and an operator parameter defined for an operator associated with the subscriber, the operator parameter being an operator-specific parameter, a value of which has been selected by the operator;
a random number generator that generates challenges; and
a processor configured to:
calculate, with a first one-way function, a first secret from only two inputs comprising the stored subscriber key and the stored operator parameter;
calculate, with a second-way function, a second secret using said two inputs;
calculate, with a third one-way function, an intermediate output from only two different inputs comprising the first secret and a challenge generated by the random number generator;
calculate, with a fourth one-way function, an output from only two other inputs comprising the second secret and the intermediate output; and
extract an authentication response from the output.
24. A non-transitory memory embodying program instructions therein executable by a processor operably coupled to the memory which, when executed by the processor, carry out the functions of:
calculating with a first one-way function a first secret from only two inputs comprising a predefined key and a predefined operator parameter, the key being defined for a subscriber and the operator parameter being defined for an operator associated with the subscriber as an operator-specific parameter, a value of which has been selected by the operator;
calculating with a second one-way function a second secret using only two different inputs comprising the key and the operator parameter;
calculating with a third one-way function an intermediate output using only two additional inputs comprising a random number challenge and the first secret;
calculating with a fourth one-way function an output using only two other inputs comprising the intermediate output and the second secret; and
extracting an authentication response from the output.
26. A non-transitory memory embodying program instructions therein executable by a processor operably coupled to the memory which, when executed by the processor, carry out the functions of:
calculating, during authentication, an intermediate output with a first one-way function from only two inputs comprising a challenge and a first secret, the first secret being pre-calculated with a second one-way function using only two different inputs comprising a subscriber key masked with a first mask and an operator parameter masked with the first mask, the key being predefined for a subscriber and the operator parameter being predefined for an operator associated with the subscriber as an operator-specific parameter, a value of which has been selected by the operator;
calculating, during authentication, an output with a third one-way function using only two further inputs comprising the intermediate output and a second secret, the second secret being precalculated with a fourth one-way function using only two other inputs comprising the key masked with a second mask and the operator parameter masked with the second mask; and
extracting an authentication response from the output.
25. A non-transitory memory embodying program instructions therein executable by a processor operably coupled to the memory which, when executed by the processor, carry out the functions of:
masking a predefined key and a predefined operator parameter with a first mask, the key being defined for a subscriber and the operator parameter being for an operator associated with the subscriber as an operator-specific parameter a value of which has been selected by the operator;
calculating with a first one-way function a first secret from only two inputs comprising the masked key and the masked parameter;
masking the key and the operator parameter with a second mask;
calculating with a second one-way function a second secret using only two different inputs comprising the key masked with the second mask and the operator parameter masked with the second mask;
calculating, during authentication, an intermediate output with a third one-way function using only two further inputs comprising a random number challenge and the first secret;
calculating, during authentication, an output with a fourth one-way function using only two additional inputs comprising the intermediate output and the second secret; and
extracting an authentication response from the output.
4. A method, comprising:
providing a first secret calculated using a first one-way function to calculate a first secret from two inputs comprising a predefined key and a predefined operator parameter wherein the predefined key is determined for a subscriber and the operator parameter is predefined as an operator-specific parameter having a value selected by an operator associated with the subscriber;
using a second one-way function to calculate a second secret from said two inputs;
calculating, with a third one-way function, an intermediate output from two different inputs, the two different inputs comprising a challenge and the provided first secret, wherein the challenge comprises a random number;
calculating, with a fourth one-way function, an output from two additional inputs, the two additional inputs comprising the intermediate output and the second secret;
forming an authentication response by extracting the authentication response from the output; and
authenticating the subscriber with the authentication response,
wherein each of the first, second, third, and fourth one-way functions is configured to only receive exactly two inputs, and
wherein a new challenge is required in subsequent authentications of the subscriber while the predefined key and the predefined operator parameter are allowed to be reused in the subsequent authentications of the subscriber.
22. A method comprising:
masking a predefined key and a predefined operator parameter with a first mask, the key being predefined for a subscriber and the parameter being predefined for an operator associated with the subscriber as an operator-specific parameter, a value of which has been selected by the operator;
calculating, with a first one-way function, a first secret from only two inputs comprising the masked key and the masked operator parameter;
masking the key and the operator parameter with a second mask;
calculating, with a second one-way function, a second secret using only two different inputs comprising the key masked with the second mask and the parameter masked with the second mask;
storing the first and the second secret in a subscriber identity module;
generating a random number challenge used in authentication of the subscriber;
calculating, in the subscriber identity module during authentication, an intermediate output with a third one-way function using only two further inputs comprising the challenge and the stored first secret;
calculating, in the subscriber identity module during authentication, an output with a fourth one-way function using only two additional inputs comprising the intermediate output and the stored second secret;
extracting an authentication response from the output; and
authenticating the subscriber with the authentication response.
11. A telecommunications system comprising:
a subscriber identity module;
an authentication center; and
a processor configured to use a challenge comprising a generated random number in authentication and to authenticate a subscriber by comparing an authentication response calculated by the subscriber identity module with an authentication response calculated by the authentication center,
wherein at least one operator parameter is predefined as an operator-specific parameter, a value of which has been selected by an operator associated with the subscriber;
wherein the authentication center is configured to:
store authentication information relating to the subscriber, the authentication information comprising at least a subscriber key defined for the subscriber and the operator parameter;
calculate, with a first one-way function, a first secret using only two inputs, the two inputs used by the first one-way function being the subscriber key and the operator parameter;
calculate, with a second one-way function, an output from only two different inputs, the two different inputs used by the second one-way function being the first secret calculated with the first one way function and the challenge; and
extract an the authentication response from the output;
wherein the subscriber identity module is configured to:
store the first secret therein,
calculate an output using the first secret and the challenge as the two inputs for the second one-way function, and
extract an authentication response from the output.
12. A telecommunications system comprising
a subscriber identify identity module;
an authentication center; and
a processor configured to:
use a challenge comprising a generated random number; and
authenticate a subscriber by comparing an authentication response calculated by the subscriber identity module with an authentication response calculated by the authentication center;
wherein at least one operator parameter is predefined as an operator-specific parameter, a value of which has been selected by an operator of the subscriber;
wherein the authentication center is configured to:
store authentication information on the subscriber, the authentication information including at least a subscriber key; and the operator parameter;
calculate, with a first one-way function, a first secret from only two inputs, the two inputs for the first one-way function being the subscriber key and the operator parameter;
calculate, with a second one-way function, a second secret from said two inputs,
calculate, with a third one-way function, an intermediate output from only two different inputs, the two different inputs for the third one-way function being the first secret calculated with the first one-way function and the challenge;
calculate, with a fourth one-way function, an output from only two other inputs, the two other inputs for the fourth one-way function being the second secret and the intermediate output; and
extract an the authentication response from the output;
wherein the subscriber identity module comprises a first and a second secret and is configured to:
calculate an intermediate output with the third one-way function;
calculate an output from the second secret and the intermediate output with the fourth one-way function; and
extract an the authentication response from the output.
2. The method of claim 1, where the first secret is stored in a subscriber identity module, and further comprising:
storing the calculated first secret in a subscriber identity module; and
calculating the output in the subscriber identify identity module with the second one-way function using the challenge and the stored first secret as the two inputs.
3. The method of claim 1, wherein the first one-way function is a hash function and the second one-way function is an encryption algorithm.
5. The method of claim 4, further comprising:
masking the predefined key and the operator parameter with a first mask before the first secret is calculated;
calculating the first secret using, as the two inputs for the first one-way function, the predefined key and the operator parameter masked with the first mask:
masking the predefined key and the operator parameter with a second mask before calculating the second secret; and
calculating the second secret using, as the two inputs for the second one-way function, the predefined key and the operator parameter masked with the second mask.
6. The method of claim 4 where the first secret is stored in a subscriber identity module, and further comprising:
storing the first and the second secret in a subscriber identity module; and
calculating, with the third one-way function, the intermediate output in the subscriber identity module using the challenge and the stored first secret as the two inputs; and
calculating, with the fourth one-way function, the output using the intermediate output and the stored second secret as said two additional inputs.
7. The method of claim 4 wherein the first and the second one-way functions comprise hash functions, and the third and the fourth one-way functions comprise encryption algorithms.
8. The method of claim 3 wherein the hash function comprises an RIPEMD-128 function; and the encryption algorithm utilizes a DES algorithm.
9. The method of claim 1 wherein the operator parameter of the subscriber's operator comprises an operator code identifying the operator and an operator secret.
10. The method of claim 1, further comprising extracting an encryption key from the output in addition to extracting said authentication response.
27. The method of claim 1, further comprising using a new challenge in each subsequent authentication of the subscriber, wherein the same key and the same operator parameter may be used in subsequent authentications of the subscriber.
28. The method of claim 1, further comprising reusing the operator parameter for all subscribers associated with the operator.
0. 30. The mobile station of claim 29, where the subscriber identification module comprises part of the mobile station.
0. 31. The mobile station of claim 29, where the second one-way function is used to calculate a second secret from said two different inputs.

where a novel proprietary hash function H of the invention is obtained by combining the standardized RIPEMD-128 and the three-round Feistel network by means of a key-scheduling operation to be described below. Key-scheduling refers to the manner in which the algorithm utilizes the key parameter. In most cases more than one partial key is derived which are used in different phases of the algorithm calculation.

The three-round Feistel network F receives two inputs which in the first preferred embodiment of the invention are a 128-bit key KEj and a 128-bit data input DIj. A 128-bit output DOj (DOj=F(KEj; DIj)) is calculated in two phases.

In the first phase we perform key scheduling. In the first preferred embodiment of the invention three 64-bit DES keys are derived from the key KEj in a new manner. First the key KEj is divided into 16 octets KEJ[0] . . . KEj[15]. These octets are converted into 32 octets Mj[0] . . . Mj[31] as follows:
Mj[k] = KEj[k], k = 0, . . . , 15;
Mj[k] = KEj[(k − 10) mod 8], k = 16, . . . , 23;
Mj[k] = KEj[((k − 20) mod 8) + 8], k = 24, . . . , 31.

Thus each octet of the key KEj occurs twice in array Mj in the following order:
0 1 2 3 4 5 6 7
8 9 10 11 12 13 14 15
6 7 0 1 2 3 4 5
12 13 14 15 8 9 10 11

The first 64-bit DES key Kj1 is obtained by changing the halves of each octet in the first row and by performing an XOR operation on the octets obtained in the change and on the octets of the second row. The key of the second round is obtained by repeating the same procedure on the octets of the second and the third row. Correspondingly, the third key is obtained by repeating the procedure on the octets of the third and the fourth row. Derivation of the DES keys Kj1, Kj2 and Kj3 from the array Mj[0, 1, . . . 31] can be expressed as follows:
Kjr[n]=(swap Mj[n+8(r−1)])⊕Mj[n+8r], n=0, . . . , 7; r=1,2,3,;

where ‘swap’ changes the halves of the octet B=B[0, . . . , 7] as follows:
swap B−B[4,5,6,7,0,1,2,3].

In the second phase the data input DIj[0 . . . 127] is divided into two parts, i.e. a left part DIjL=DIj[0 ... 63] and a right part DIjR−DIj[64 . . . . 127]. The 128-bit output is generated in two parts, a left output part DOjL=[0 . . . 63] and a right output part DOjR=DOj[64 . . . 127], as follows:
DOjR=DIjL⊕DES(Kj2;DIjR⊕DES(Kj1;DIjL))
DOjL=DIjR⊕DES(Kj1;DIjL)⊕DES(Kj3;DOjR).

In step 206 of FIG. 2 the challenge formed by the random number is used as the data input and in step 207 of FIG. 2 the intermediate output DO1. Steps 206 and 207 can be expressed by the following formulae:
DI2=DO1=F(KE1;RAND),(step 206)
DO2=F(KE2;DI2)=F(KE2;F(KE1;RAND))(step 207).

The algorithm according to the first preferred embodiment of the invention can be utilized in two ways: in a pre-calculated mode and in a direct mode. In the pre-calculated mode the partial keys KE1 and KE2 are calculated in advance (i.e. steps 202 to 205 have been carried out) and stored. In the pre-calculated mode steps 206 to 208 are carried out during authentication in addition challenge generation. When the above-mentioned Feistel network F with DES rounds is used in steps 206 to 208, the algorithm to be carried out during the actual authentication in the pre-calculated mode is the same as the 128-bit DES algorithm DEAL.

FIG. 3 illustrates authentication according to the first preferred embodiment of the invention as the mobile station registers in the network. The first preferred embodiment of the invention utilizes the algorithm described in connection with FIG. 2 as such in the authentication center AuC and in the pre-calculated mode in the subscriber identity module SIM. This means that in addition to the whole algorithm, the subscriber key Ki and the operator parameter T are stored in the authentication center, whereas only part of the algorithm and partial keys KE1 and KE2 of the extended key are stored in the subscriber identity module SIM. The partial keys are treated and secured in the same way as the subscriber key Ki. In the example of FIG. 3 it is assumed, for the sake of clarity, that the mobile switching center and the visitor location register are integrated into the same unit MSC/VLR.

At the beginning of authentication the mobile station MS transmits the identification data on the basis of which the SIM and the subscriber are identified to the mobile switching center MSC/VLR in message 3-1. Usually identification information is the IMSI or the TMSI. The mobile switching center MSC/VLR sends an authentication request to the authentication center AuC in message 3-2. The message 3-2 includes the subscriber identity IMSI. The visitor location register can change the TMSI into an IMSI. In step 3-3 the authentication center AuC selects a subscriber-specific authentication key Ki and the operator parameter T on the basis of the subscriber identity IMSI included in the authentication request. The authentication center AuC calculates the partial keys KE1 and KE2 from the operator parameter T and the subscriber key Ki as described in connection with FIG. 2. Furthermore, the random number generator generates e.g. five random number parameters RAND into challenges. A check parameter SRES and an encryption key Kc is formed of each challenge with the partial keys KE1 and KE2 as was described in connection with FIG. 2. In other words, when more than one authentication triplet is calculated at a time, it is sufficient to calculate only the partial keys KE1 and KE2 with the first triplet and then store the partial keys transiently into the memory for the calculation of the following triplets. The authentication center AuC transmits the five authentication triplets RAND, SRES, Kc so calculated in message 3-4 to the visitor location register MSC/VLR where they are stored in step 3-5.

The visitor location register MSC/VLR selects an RAND value for the parameter from the subscriber's RAND/SRES/Kc table and sends it to the mobile station MS in message 3-6 and further to the subscriber identity module SIM. In the first preferred embodiment of the invention the SIM comprises partial keys KE1 and KE2 which have been calculated from the subscriber key Ki and the operator parameter T. The SIM also comprises steps 206 to 208 of the authentication algorithm A3 shown in FIG. 2. In step 3-7 the SIM calculates the SRES parameter and the encryption key Kc by means of the received RAND parameter and keys KE1 and KE2 utilizing the Feistel network F with DES rounds as was described above. The mobile station sends the SRES parameter back to the visitor location register MSC/VLR. In step 3-9 the visitor location register MSC/VLR compares the SRES value sent by the mobile station with the stored SRES value and informs the mobile station MS whether or not the authentication was successful in message 3-10. If the SRES value sent by the mobile station is the same as the stored SRES value, authentication has succeeded and encryption with the encryption key Kc can be started on the radio path.

When the visitor location register VLR is to authenticate the subscriber for the next time, it selects the next value for the parameter RAND from the subscriber's RAND/SRES/Kc table and transmits it to the mobile station and further to the subscriber identity module SIM.

The fact that the first preferred embodiment of the invention utilizes the pre-calculated mode of the algorithm of the invention in the subscriber identity module SIM and the direct form of the algorithm in the authentication center provides the advantage that the best features of both one-way functions can be combined and optimal performance and security guaranteed in a customized manner. The RIPEMD-128 is a considerably efficient one-way function but the 8-bit processor used by the subscriber identity module SIM does not do justice to it. The DES is not as efficient as the RIPEMD-128, but it is known best and it can also be implemented safely and efficiently in the subscriber identity module SIM.

Every time the authentication center AuC uses the operator parameter T in the network, it also checks that the partial keys KE1 and KE2 included in the subscriber identity module SIM have really been derived using the operator parameter in question. Usually one operator uses several subscriber identity module SIM producers, who also form the subscriber keys Ki themselves. The operator probably also gives them the operator parameter for forming partial keys KE1 and KE2. The operator can give a different operator parameter to each producer e.g. by using a producer-specific secret part CS and/or changing the operator's name in the operator code CC. The operator can also form the subscriber keys Ki and the related partial keys KE1 and KE2 himself and give them to the producer of the subscriber identity module SIM so that they can be stored in the identity module.

The one-way functions, masks and key scheduling described above are only intended to describe how the invention can be implemented and do not in any way limit the invention. The masks and key scheduling described above are only examples and not even necessary. It is also possible to use other one-way functions which need not be public functions. Furthermore, the same one-way function can be used in each phase. On the other hand, different functions can be used in every phase so that the same function is never used twice for calculations. In addition, the first function can be used once and the second function three times, for example.

In other preferred embodiments of the invention the pre-calculated mode can be employed in the authentication center AuC, too. In that case partial keys KE1 and KE2 have to be stored in the authentication center AuC for the subscriber. On the other hand, the direct form can be used in the subscriber identity module SIM, in which case the whole algorithm, subscriber key Ki and operator parameter T are stored in the subscriber identity module, but not the partial keys KE1 and KE2.

FIG. 4 illustrates a second preferred embodiment of the invention. Here the algorithm according to the invention is described at its simplest without any detailed descriptions of functions and comments on the length of the outputs and inputs. The subscriber key Ki and the operator parameter T are defined in the second preferred embodiment of the invention, too.

The algorithm according to the second preferred embodiment of the invention begins with generation of a challenge RAND in step 401. The subscriber key Ki is retrieved in step 402 and the operator parameter T instep 403. Thereafter a key KE is calculated from the subscriber key Ki and the operator parameter T in step 404 with a one-way function. In step 405 an output is calculated from the key KE and the challenge RAND with a one-way function and an authentication response SRES is extracted from the output in step 406.

Calculation according to the second preferred embodiment of the invention can be expressed by the following formula:
H2(H1(Ki∥T)∥RAND)

In the second preferred embodiment of the invention it is possible to use the same one-way functions, e.g. RIPEMD-128 functions. Two different one-way functions can also be used, e.g. the RIPEMD-128 function in step 404 and a six-round Feistel network where the DES serves as a round function in step 405 as was explained in connection with FIG. 2.

The second preferred embodiment can also be applied in the pre-calculated mode and the direct mode. In the pre-calculated mode the key KE is calculated in advance and stored e.g. in the subscriber identity module SIM.

The steps illustrated in FIGS. 2, 3 and 4 are not in an absolute chronological order and some of the steps can be performed simultaneously or in a different order from what has been shown. Furthermore, some other functions may take place between the steps. On the other hand, some steps may be omitted. What is important is that the operator parameter is also used as the input in the authentication. The signalling messages described above in connection with FIG. 3 are only referential and may contain several separate messages for transmitting the same information. The messages may also contain other kind of information. Depending on the operator and the system, other network elements between which different functionalities have been divided can also take part in the data transmission and signalling. Furthermore, it is possible that the subscriber identity module is arranged to generate a challenge and send it to the authentication center in connection with authentication.

Even though the invention has been described above in connection with mobile communication systems, the authentication algorithm of the invention can be applied in fixed networks, too, where the subscriber is authenticated by means of the identity module.

It should be understood that the preceding specification and the related drawings are only intended to illustrate the present invention. It will be obvious to a person skilled in the art that the invention may be varied and modified without deviating from the scope and spirit of the invention defined in the appended claims.

INVENTORS:

Nyberg, Kaisa

THIS PATENT IS REFERENCED BY THESE PATENTS:
Patent Priority Assignee Title
THIS PATENT REFERENCES THESE PATENTS:
Patent Priority Assignee Title
5239294, Jul 12 1989 Motorola, Inc Method and apparatus for authenication and protection of subscribers in telecommunication systems
5455863, Jun 29 1993 Google Technology Holdings LLC Method and apparatus for efficient real-time authentication and encryption in a communication system
5557654, Feb 24 1992 Nokia Telecommunications Oy System and method for authenticating subscribers of a transmission network and subscription, having differing authentication procedures, using a common authentication center
5557676, Nov 24 1993 Telefonaktiebolaget LM Ericsson Authentication for analog communication systems
5661806, Mar 29 1994 France Telecom Process of combined authentication of a telecommunication terminal and of a user module
6105133, Mar 10 1997 RPX Corporation Bilateral authentication and encryption system
6243811, Jul 31 1998 Alcatel-Lucent USA Inc Method for updating secret shared data in a wireless communication system
6338140, Jul 27 1998 Iridium LLC Method and system for validating subscriber identities in a communications network
6373949, Apr 16 1997 WSOU Investments, LLC Method for user identity protection
6396928, Oct 25 1996 HANGER SOLUTIONS, LLC Digital message encryption and authentication
6591364, Aug 28 1998 Alcatel-Lucent USA Inc Method for establishing session key agreement
6711400, Apr 16 1997 NOKIA SOLUTIONS AND NETWORKS OY Authentication method
6839434, Jul 28 1999 GEMALTO SA; GEMATLO SA; Alcatel Lucent Method and apparatus for performing a key update using bidirectional validation
6865673, Mar 21 2000 Hewlett Packard Enterprise Development LP Method for secure installation of device in packet based communication network
6918035, Jul 31 1998 WSOU Investments, LLC Method for two-party authentication and key agreement
7007164, Nov 03 1998 Infineon Technologies AG Method and array for authenticating a first instance and a second instance
7246098, Jul 15 1997 Memjet Technology Limited Consumable authentication protocol and system
7415110, Mar 24 1999 Intel Corporation Method and apparatus for the generation of cryptographic keys
20020009199,
20020012433,
EP977452,
EP982965,
EP998095,
WO9715161,
WO9849855,
WO9849856,
WO9925086,
WO9957689,
ASSIGNMENT RECORDS    Assignment records on the USPTO
/
Executed onAssignorAssigneeConveyanceFrameReelDoc
Apr 30 2015Nokia Technologies Oy(assignment on the face of the patent)
MAINTENANCE FEES AND DATES:    Maintenance records on the USPTO
Date Maintenance Fee Events
Jan 06 2016ASPN: Payor Number Assigned.
Jan 26 2017M1551: Payment of Maintenance Fee, 4th Year, Large Entity.
Sep 28 2020M1552: Payment of Maintenance Fee, 8th Year, Large Entity.


Date Maintenance Schedule
Jan 26 20194 years fee payment window open
Jul 26 20196 months grace period start (w surcharge)
Jan 26 2020patent expiry (for year 4)
Jan 26 20222 years to revive unintentionally abandoned end. (for year 4)
Jan 26 20238 years fee payment window open
Jul 26 20236 months grace period start (w surcharge)
Jan 26 2024patent expiry (for year 8)
Jan 26 20262 years to revive unintentionally abandoned end. (for year 8)
Jan 26 202712 years fee payment window open
Jul 26 20276 months grace period start (w surcharge)
Jan 26 2028patent expiry (for year 12)
Jan 26 20302 years to revive unintentionally abandoned end. (for year 12)