- it prevents unauthorized access of network by a Mobile Station (MS). The network checks whether identity provided by MS is acceptable or not.
- it provides parameters enabling MS to calculate a new ciphering key (this is used during ciphering procedure).
Authentication procedure is always initiated and controlled by the network. The network decides whether or not to use authentication, depending on the context.
The cases where authentication procedure is used are as follows:
The cases where authentication procedure is used are as follows:
- a change of subscriber related information element in VLR/HLR (change of VLR on location updating etc.)
- an access to service (Mobile originated and terminated call, activation or deactivation of supplementary services)
- first network access restart of MSC/VLR
To authenticate MS, the network (MSC) must have information of authentication vector triplets, listed below:
- RAND: 128-bit Random number
- SRES: 32-bit Signed Response
- Kc: 64-bit Ciphering Key
The network should use this information if available, otherwise they should be fetched from HLR/AuC using MAP-AUTHENTICATION-INFO (IMSI) message.
The network sends Authentication Request message to MS. Some of the important points are:
- Authentication Request is a MM (Mobility Management) message
- It is carried as DTAP message (no one looks at the contents) over A-interface
- The contents of this message are: RAND and CKSN. RAND is used by MS to generate SRES and CKSN is Ciphering Key Sequence Number used by MS to map it to a Kc
- Over Abis-interface, it is carried as Data-Req LAPD Information-frame
- Over Air-interface, it is carried over signalling channel SDCCH, LAPDm Information-frame.
The MS processes the challenge information in Authentication Request message and sends Authentication Response message to the network.
- Authentication Response is a MM message
- The content of this message is SRES
- Over Abis-interface, it is carried as Data_Ind LAPD Information-frame
- Over A-interface, it is carried over DTAP message.
The MS using RAND and Ki as input operates on A3 algorithm to give SRES as output and using RAND and Ki as input operates on A8 algorithm to give Kc. Here, Ki is Individual Subscriber Authentication Key. It is a 128-bit number that is paired with an IMSI when the SIM card is created. The Ki is only stored on the SIM card and at the Authentication Center (AuC). The Ki should never be transmitted across the network on any link. These processes are shown in below figures.
No comments:
Post a Comment