Efficient authentication protocols of GSM

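3G Core Network final project
Efficient Authentication Protocols of GSM
Department and year: Graduate Institute of Computer Science and Information Engineering, first-year master's student
Student ID: 692410001
Name: 廖翊均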
1 Introduction
With the rapid growth of information science, both wired and wireless networks
have developed very well. The global system for mobile communication (GSM) was
first proposed during the 1980s. It is now widespread throughout the world, has
become the standard of the Pan-European digital cellular system, and is also the
main standard for worldwide wireless communication. Because wireless networks lack
the physical protection mechanisms of conventional fixed-topology or static-user
networks, an appropriate security mechanism is required to protect wireless
communication from attacks such as fraudulent behavior, illegal data access and
eavesdropping [5, 6, 7, 8, 9, 10, 17].
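[Figure 1: diagram with the blocks MS, Home System and Visit System. R and Ki feed A3 and A8, which output SRES and Kc; the two SRES values are compared (=?) for authentication; A5 uses Kc on the data.]
Figure 1. The GSM architecture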
Several years ago, mobile phones were viewed as luxuries, but they are now
treated as articles of daily life. The mobile phone market has witnessed
marvelous growth in recent years, and it is estimated that the number of
mobile phone users will be in the region of 1.07 billion at the end of 2003. This
situation is owing to the convenience of GSM, which lets people communicate
with anyone, in any place, at any time, and to the enormous support from
the telecommunication industry. In addition, the popularity of mobile phones
indirectly promotes the development of wireless communication networks.
However, security is always the most important concern in wireless
communication. Since the mobile communication network lets people
communicate with one another without direct contact, avoiding fraud is a
serious issue. What is more, the openness of signal transmission also causes
serious security problems in the wireless communication channel [15].
Generally speaking, there are two major security issues in wireless
communication: authentication and privacy. Authentication ensures that no
unauthorized user can obtain the services of an authorized user from the home
system. Privacy ensures that the communication messages cannot be intercepted
by eavesdroppers.
In the GSM architecture, there are two major databases for each mobile service
provider, the home location register (HLR) and the visitor location register (VLR).
HLR is responsible for maintaining the information and current location of
subscribers, and VLR is responsible for keeping the information of visiting users and
transmitting the location information of subscribers to HLR from time to time. The
mobile station (MS) communicates through the wireless link with the base station
(BS), which is in turn connected to the mobile switching center (MSC). In other
words, MSC can be treated as a bridge between the wireless and wired networks. The
authentication center (AUC), which keeps the secret keys Ki shared with subscribers
and generates the sets of security parameters for requests of the authentication
protocol of HLR, is the most important component in the GSM architecture. Each
GSM subscriber also has the secret key Ki in the Subscriber Identity Module (SIM)
card of MS. During the initial registration, every subscriber gets a unique identity
and an International Mobile Subscriber Module (IMSI) from the AUC. The security
of the GSM architecture is based on the algorithms A3, A5 and A8, where A3 is a
one-way function used to compute the certificate that authenticates the mobile station,
A5 is an encryption/decryption algorithm and A8 is another one-way function used
to generate the session keys KC. The GSM architecture is shown in Figure 1. The
signed result SRES and KC are computed through A3 and A8, respectively, using Ki
and the random number R generated by HLR as the inputs [3, 4, 6, 7, 11, 12, 13].
So far, several drawbacks have been found in the GSM authentication protocol:
(1) Mutual authentication between MS and VLR is not provided in the GSM architecture.
Only MS is authenticated by VLR; VLR is not authenticated by MS. This
property is harmful to MS.
(2) For each MS in the visiting VLR, n copies of the triplet authenticating
parameters are stored in VLR’s database. This approach results in storage
overhead.
(3) If MS stays in the same VLR for a long time and consumes all of the
authenticating parameters, VLR will request another n copies of the
authenticating parameters from HLR. On the other hand, MS may move
frequently, so that it sends requests to several VLRs in a short period, and
each of those VLRs will request n copies of the triplet authentication
parameters from HLR. Consequently, the bandwidth consumption and the
load on HLR increase badly.
Recently, many authentication protocols have been proposed to solve these
drawbacks of the GSM authentication protocol. However, most of them cannot solve
all of the drawbacks mentioned above. Park et al. proposed a secure method for GSM
in 1999, which can provide non-repudiation services and can resolve some of the
drawbacks. However, the architecture is changed. Later, Hwang et al. proposed a new
method to solve all of the above drawbacks without changing the existing GSM
architecture. Nevertheless, when the mobile station user makes the second call,
drawback (1) still occurs. In this paper, we propose two methods to improve Hwang et
al.’s protocol and increase the round efficiency of the authentication protocol [1, 14].
2 Preliminaries
In GSM, the most important part is the authentication protocol. In the following,
the notations used throughout this paper, the existing GSM authentication protocol
and Hwang et al.’s authentication protocol are shown in Subsections 2.1, 2.2 and 2.3,
respectively.
[Figure 2: message flow among MS, VLR and HLR. MS to VLR: Request(TMSI, LAI); VLR to HLR: IMSI; HLR to VLR: n sets {SRES, R, KC}h; VLR to MS: R; MS to VLR: SRES.]
Figure 2. The authentication protocol of GSM
2.1 Notations
Before demonstrating these authentication protocols, we first list the notations
used throughout this paper in the following.
HLR: The home location register
VLR: The visitor location register
TMSI: The temporary mobile subscriber identity
IMSI: The international mobile subscriber module
LAI: The location area identity
IDV: The identification of VLR
Ki: The secret key shared between MS and HLR
T: The timestamp generated by MS
Tj: The timestamp generated by MS for the jth authentication request, j ∈ N
R: The random number generated by HLR
Rj: Random number generated by VLR for the jth authentication request, j ∈ N
A3, A5, A8: The three algorithms, on which the security of GSM is based
A3/A5/A8 (M, K): To modify the input M with the key K through A3/A5/A8
SRES: The signed result computed for the first time of the authentication
SRESj: The signed result computed for the jth authentication request, j > 1, j ∈ N
CERT_VLR: The certificate of the visiting VLR computed for the first time of the
authentication
CERT_VLRj: The certificate of the visiting VLR computed for the jth authentication,
j > 1, j ∈ N
||: The concatenation symbol
2.2 Review of current authentication protocol for GSM
In this subsection, an overview of the current GSM authentication protocol is
shown in Figure 2. The details are described as follows.
Step 1: When MS enters a new visiting area and asks for new communication
service, an authentication request is first sent to VLR, where the request
includes TMSI and LAI.
Step 2: After receiving the request, the new VLR uses the received TMSI to get the
IMSI from the old VLR and then sends IMSI to HLR.
Step 3: Then, HLR generates n distinct sets of authenticating parameters {SRES, R,
KC}h, where h = 1, 2, …, n, and sends them to VLR.
Step 4: After receiving those sets of authenticating parameters, VLR keeps them in its
own database and selects one set of them to authenticate the mobile station for
each call. Next, VLR sends the selected R to MS.
Step 5: Once MS receives R from VLR, it computes SRES = A3(R, Ki) and the
temporary session key KC = A8(R, Ki), respectively, where KC is kept secret
for communication. Then the SRES is sent back to VLR.
Step 6: Upon receiving SRES from MS, VLR compares it with the selected SRES
kept in its own database. If they are not the same, the authentication fails;
otherwise, VLR can be sure that MS is legal.
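An added example (not part of the original paper): a small Python model of Steps 1 to 6 that counts the HLR round trips and A3 executions the triplet scheme costs, and how many unused triplets sit in VLR databases. HMAC-SHA256 as a stand-in for A3/A8, the IMSI string and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def keyed(label: bytes, r: bytes, ki: bytes, n: int) -> bytes:
    # Stand-in (assumption): HMAC-SHA256 replaces the operator-specific A3/A8.
    return hmac.new(ki, label + r, hashlib.sha256).digest()[:n]


class HLR:
    def __init__(self, ki_by_imsi):
        self.ki_by_imsi = ki_by_imsi
        self.requests = 0   # VLR -> HLR round trips (Steps 2 and 3)
        self.a3_runs = 0    # A3 executions at the home system

    def triplets(self, imsi, n):
        """Step 3: generate n sets {SRES, R, Kc} for one subscriber."""
        self.requests += 1
        ki, out = self.ki_by_imsi[imsi], []
        for _ in range(n):
            r = os.urandom(16)
            self.a3_runs += 1
            out.append((keyed(b"A3", r, ki, 4), r, keyed(b"A8", r, ki, 8)))
        return out


class VLR:
    def __init__(self, hlr, n):
        self.hlr, self.n, self.store, self.expected = hlr, n, {}, {}

    def challenge(self, imsi):
        """Step 4: refill from HLR when empty, then spend one triplet."""
        if not self.store.get(imsi):
            self.store[imsi] = self.hlr.triplets(imsi, self.n)
        sres, r, _kc = self.store[imsi].pop()
        self.expected[imsi] = sres
        return r

    def verify(self, imsi, sres):
        """Step 6: compare the MS answer with the stored SRES."""
        return hmac.compare_digest(sres, self.expected.pop(imsi))


def ms_respond(ki, r):
    # Step 5: MS answers the R it receives; R carries no proof of who sent
    # it, which is drawback (1) from Section 1.
    return keyed(b"A3", r, ki, 4)


def simulate(n, calls, vlr_count):
    """Spread `calls` authentications round-robin over `vlr_count` VLRs."""
    imsi, ki = "imsi-constructed", os.urandom(16)  # constructed sample values
    hlr = HLR({imsi: ki})
    vlrs = [VLR(hlr, n) for _ in range(vlr_count)]
    ok = 0
    for c in range(calls):
        vlr = vlrs[c % vlr_count]
        ok += vlr.verify(imsi, ms_respond(ki, vlr.challenge(imsi)))
    unused = sum(len(v.store[imsi]) for v in vlrs if imsi in v.store)
    return {"ok": ok, "hlr_requests": hlr.requests,
            "hlr_a3_runs": hlr.a3_runs, "unused_triplets": unused}


if __name__ == "__main__":
    print("12 calls at one VLR, n=5:", simulate(5, 12, 1))
    print("3 calls over 3 VLRs, n=5:", simulate(5, 3, 3))
```

With n = 5, three calls spread over three VLRs cost the HLR as many A3 executions as twelve calls at a single VLR, which is drawback (3) in numbers.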
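[Figure 3: message flow among MS, VLR and HLR. MS to VLR: Request(TMSI, LAI, T); VLR to HLR: IDV, IMSI, T; HLR to VLR: CERT_VLR, R, KT; VLR to MS: CERT_VLR, R, R1, T; MS to VLR: SRES.]
Figure 3. Hwang et al.’s authentication protocol of GSM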
2.3 A review of Hwang et al.’s authentication protocol
To solve the existing drawbacks of the current authentication protocol of the
GSM architecture, Hwang et al. proposed a new authentication protocol. The key
concept is that HLR makes the visiting VLR and MS share a temporary key KT. KT is
computed through A3 by HLR using Ki and R as the inputs, where Ki is the secret key
shared between MS and HLR, and R is generated by HLR. In addition, HLR also
computes the certificate CERT_VLR = A3(T, Ki) for the visiting VLR of MS, where T
is the timestamp sent from MS. Then, the CERT_VLR is used for authenticating the
validity of VLR. The flow chart of Hwang et al.’s authentication protocol is shown in
Figure 3. The details of the protocol are described as follows.
Step 1: When MS enters a new visiting area and asks for new communication service,
an authentication request including the TMSI, LAI and T is sent to VLR.
Step 2: After receiving the request, the new VLR uses the received TMSI to get the
IMSI from the old VLR and then sends the IMSI along with its identification
IDV and T to HLR through a secure channel.
Step 3: After receiving the information from VLR, HLR checks whether the timestamp
T has expired and whether the identity IDV of the visiting VLR of MS is legitimate.
If both T and IDV are valid, HLR randomly chooses a number R and computes
CERT_VLR = A3(T, Ki) and KT = A3(R, Ki). Then HLR transmits the
computation results and R to the visiting VLR. Otherwise, HLR terminates
the authentication protocol.
Step 4: Once VLR receives the information, it computes SRES = A5(R1, KT) and
stores it in its own database, where R1 is the random number generated by
VLR for the present communication. Then, VLR passes R, R1, T and
CERT_VLR to MS.
Step 5: On receiving the information from VLR, MS first checks whether T is valid.
If it is, MS computes its own CERT_VLR = A3(T, Ki) and compares it with the
received CERT_VLR. If they are not equal, the authenticating process is
halted; otherwise, MS computes KT = A3(R, Ki) and SRES = A5(R1, KT).
Then MS sends SRES back to VLR.
Step 6: Upon receiving SRES from MS, VLR compares it with the SRES kept in its
own database. If they match, the authentication is successful; otherwise, the
request is rejected.
For the jth communication, where j > 1 and j ∈ N, VLR randomly generates a
number Rj, computes SRESj = A5(Rj, KT), stores SRESj in its own database
and sends Rj to MS. After receiving Rj from VLR, MS computes
SRESj = A5(Rj, KT) and sends it to VLR. Upon getting SRESj, VLR
checks whether the received SRESj is equal to the SRESj kept in its database.
If it is, VLR is convinced that MS is legal; otherwise, VLR rejects the request.
Unlike in the original authentication protocol, VLR does not need to request
further authentication parameters from HLR as long as MS stays in the service
area of the same visiting VLR.
According to the procedure of the authentication for the jth communication,
where j > 1 and j ∈ N, it is obvious that mutual authentication is not achieved, since
only MS is authenticated.
3 The proposed authentication protocols
In Hwang et al.’s authentication protocol, while MS stays in the service area of
the visiting VLR to ask for the second authentication, VLR generates another random
number R2 and sends it to MS for authentication later. However, MS does not
authenticate the validity of VLR. In a word, mutual authentication is only achieved in
the first communication. To provide mutual authentication, we propose an
improvement in Subsection 3.1. In addition, a new authentication protocol with round
efficiency is presented in Subsection 3.2.
3.1 Scheme 1: An improvement on Hwang et al.’s authentication protocol
In this subsection, we propose an improvement that provides mutual
authentication whenever MS asks VLR for authentication. As mentioned in
Subsection 2.3, the temporary key KT is stored in the visiting VLR’s database and in
MS’s database after the first authentication. The key concept of the improvement is
that when MS asks for the jth authentication, VLR uses KT and Tj as the inputs
through A3 to compute the certificate CERT_VLRj, where j > 1, j ∈ N and Tj is the
timestamp included in the authentication request sent from MS. The certificate
CERT_VLRj is then used by MS to authenticate VLR. The flowchart of the jth
authentication is shown in Figure 4 and the details are described as follows.
[Figure 4: message flow between MS and VLR. MS to VLR: Request(TMSI, Tj); VLR to MS: CERT_VLRj, Rj, Tj; MS to VLR: SRESj.]
Figure 4. The flowchart of the jth authentication
Step 1: When MS wants the communication service provided by the same visiting
VLR for the jth time, it sends an authentication request to VLR, where the
request includes TMSI and Tj.
Step 2: After receiving the request from MS, VLR generates a random number Rj,
computes SRESj = A5(Rj, KT) and keeps SRESj in the database. Next, it
computes CERT_VLRj = A3(Tj, KT) and then sends it along with
Rj to MS.
Step 3: Once MS receives the messages from VLR, it computes its own CERT_VLRj =
A3(Tj, KT) and compares it with the received CERT_VLRj. If they are not the same,
the authentication process is terminated; otherwise, VLR is authenticated
successfully. MS then computes SRESj = A5(Rj, KT) and sends it to VLR.
Step 4: Upon receiving SRESj from MS, VLR compares it with the SRESj kept in
its own database. If they are not equal, the authentication fails;
otherwise, the request is accepted.
[Figure 5: message flow among MS, VLR and HLR. MS to VLR: Request(TMSI, LAI, T1); VLR to HLR: IDV, IMSI, T1; HLR to VLR: CERT_VLR, R, KT; VLR to MS: CERT_VLR, R, T1; MS to VLR: SRES.]
Figure 5. The flowchart of Phase 1
3.2 Scheme 2: An efficient authentication protocol of GSM
To overcome the drawbacks mentioned in Section 1 and also to
make the authentication more efficient, an authentication protocol with round
efficiency is proposed in this subsection. Scheme 2 consists of two phases: Phase 1
and Phase 2. Phase 1 is executed when MS has just joined the visiting VLR and asks
for authentication for the first time, and Phase 2 is executed when MS sends the jth
authentication request to the same visiting VLR, where j > 1 and j ∈ N. In the
following, we illustrate the details of Phase 1 and Phase 2 in Subsections
3.2.1 and 3.2.2, respectively. The flowcharts of the two phases are depicted in Figure
5 and Figure 6, respectively.
3.2.1 Phase 1: The first authentication in the visiting VLR
The main concept of this phase is to employ (R||T1) instead of R1 as the input
through A5 to compute the authentication pattern SRES, where R is the random
number generated by HLR and T1 is the timestamp sent by MS for the first
communication. The authentication process is as follows.
Step 1: When MS enters a new visiting area and asks for new communication
service, it sends an authentication request to the new VLR. The request
includes TMSI, LAI and T1.
Step 2: The VLR then uses TMSI to obtain the corresponding IMSI from the old
VLR and sends it along with its identity IDV and T1 to the HLR of MS through a
secure channel.
Step 3: When HLR receives the information, it first checks whether the identity IDV
of the visiting VLR is legal and whether T1 is valid. If either of them is not valid,
the authentication process is terminated; otherwise, HLR computes
CERT_VLR = A3(T1, Ki) and KT = A3(R, Ki), where Ki is the secret key
shared between MS and HLR. Then HLR sends CERT_VLR, R and KT to
VLR through a secure channel.
Step 4: Once VLR receives the information from HLR, it computes SRES = A5(R||T1,
KT) and stores it in the database along with T1. Then, VLR sends CERT_VLR,
R and T1 to MS.
Step 5: When MS receives the messages, it first checks whether T1 is the same as the
one it sent before. If T1 is not valid, the process is terminated; otherwise, MS
computes its own CERT_VLR = A3(T1, Ki), and then compares it with the received
CERT_VLR. If they are not the same, the process is terminated; otherwise, VLR is
authenticated. MS then computes KT = A3(R, Ki) and SRES = A5(R||T1,
KT). Next, MS sends SRES back to VLR.
Step 6: On receiving the information from MS, VLR compares the received SRES
with the one stored in its database. If no errors occur, the KT and SRES computed
by MS equal those held by VLR, and the communication request is accepted;
otherwise, the authentication fails.
[Figure 6: message flow between MS and VLR. MS to VLR: Request(TMSI, SRESj, Tj); VLR to MS: CERT_VLRj, Tj.]
Figure 6. The flowchart of Phase 2
3.2.2 Phase 2: The jth authentication between the same visiting VLR and MS
To achieve mutual authentication at any time, the process of Phase 2 is
executed. Unlike in Phase 1, the signed result SRESj is computed by using
Tj-1||Tj and KT as the inputs through A5, where Tj-1 is the timestamp of the previous
authentication and Tj is the timestamp generated by MS for the jth authentication.
Furthermore, the certificate CERT_VLRj of VLR is computed by using KT and Tj as
the inputs through A3. The details of the authentication are described as follows.
Step 1: When MS stays in the service area of the same visiting VLR and makes
a new communication request, it first computes SRESj = A5(Tj-1||Tj, KT)
and sends an authentication request to VLR. The request includes TMSI,
SRESj and Tj.
Step 2: When VLR receives the request from MS, it computes its own SRESj =
A5(Tj-1||Tj, KT), where Tj-1 is the timestamp stored in its database for the
previous authentication. Then VLR compares this SRESj with the received one.
If they are not the same, the process is terminated; otherwise, MS is
authenticated and the stored timestamp is updated to Tj. The VLR then computes
CERT_VLRj = A3(Tj, KT) and sends the computation result along with Tj to
MS.
Step 3: Once MS receives the messages, it first checks whether Tj is the same as the
one it sent before. If it is not valid, the process is terminated; otherwise, MS
computes its own CERT_VLRj = A3(Tj, KT). Then, MS compares it
with the received CERT_VLRj. If they are not equal, the process is
terminated; otherwise, VLR is authenticated and MS stores Tj.
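An added example (not code from the paper): a Python model of Scheme 2's two phases that counts A3/A5 executions per party and checks that a replayed Phase 2 request, a stale CERT_VLRj and a forged CERT_VLRj are all rejected. HMAC-SHA256 standing in for A3 and A5, the 30-second freshness window, the integer timestamps and all class and function names are assumptions made for the illustration; the TMSI-to-IMSI lookup at the old VLR is left out.

```python
import hashlib
import hmac
import os
from collections import Counter

WINDOW = 30  # assumed freshness window in seconds; the page fixes no value

def ts(t):
    return t.to_bytes(8, "big")  # fixed width keeps R||T1 and Tj-1||Tj unambiguous

class Party:
    def __init__(self):
        self.ops = Counter()  # A3/A5 executions, for comparison with Tables 1 and 2
    def _f(self, name, msg, key):
        # Stand-in (assumption): HMAC-SHA256 replaces the operator's A3 and A5.
        self.ops[name] += 1
        return hmac.new(key, name.encode() + msg, hashlib.sha256).digest()[:16]
    def a3(self, msg, key):
        return self._f("A3", msg, key)
    def a5(self, msg, key):
        return self._f("A5", msg, key)

class HLR(Party):
    def __init__(self, ki_by_imsi, legal_vlrs):
        super().__init__()
        self.ki_by_imsi, self.legal_vlrs = ki_by_imsi, legal_vlrs
    def vouch(self, idv, imsi, t1, now):
        # Phase 1, Step 3: check IDV and T1, then derive CERT_VLR and KT.
        if idv not in self.legal_vlrs or abs(now - t1) > WINDOW:
            return None
        ki, r = self.ki_by_imsi[imsi], os.urandom(16)
        return self.a3(ts(t1), ki), r, self.a3(r, ki)

class VLR(Party):
    def __init__(self, idv):
        super().__init__()
        self.idv, self.kt, self.t_prev, self.sres = idv, None, None, None
    def phase1(self, hlr, imsi, t1, now):
        res = hlr.vouch(self.idv, imsi, t1, now)  # Phase 1, Step 2
        if res is None:
            return None
        cert, r, self.kt = res
        self.sres, self.t_prev = self.a5(r + ts(t1), self.kt), t1  # Step 4
        return cert, r, t1
    def phase1_verify(self, sres):
        return hmac.compare_digest(sres, self.sres)  # Step 6
    def phase2(self, sres_j, tj):
        # Phase 2, Step 2: recompute from the stored Tj-1; advance it only on success.
        expected = self.a5(ts(self.t_prev) + ts(tj), self.kt)
        if not hmac.compare_digest(sres_j, expected):
            return None
        self.t_prev = tj
        return self.a3(ts(tj), self.kt), tj

class MS(Party):
    def __init__(self, ki):
        super().__init__()
        self.ki, self.kt, self.t_prev, self.t_sent = ki, None, None, None
    def phase1_respond(self, t1_sent, cert, r, t1):
        # Phase 1, Step 5: echo check, then verify CERT_VLR before answering.
        if t1 != t1_sent or not hmac.compare_digest(cert, self.a3(ts(t1), self.ki)):
            return None
        self.kt, self.t_prev = self.a3(r, self.ki), t1
        return self.a5(r + ts(t1), self.kt)
    def phase2_request(self, tj):
        self.t_sent = tj
        return self.a5(ts(self.t_prev) + ts(tj), self.kt), tj  # Phase 2, Step 1
    def phase2_check(self, cert_j, tj):
        # Phase 2, Step 3: Tj must be the one just sent and CERT_VLRj must verify.
        if tj != self.t_sent or not hmac.compare_digest(cert_j, self.a3(ts(tj), self.kt)):
            return False
        self.t_prev = tj
        return True

def demo():
    imsi, ki = "imsi-constructed", os.urandom(16)  # constructed sample values
    hlr, vlr, ms = HLR({imsi: ki}, {"vlr-A"}), VLR("vlr-A"), MS(ki)
    parties = {"MS": ms, "VLR": vlr, "HLR": hlr}
    challenge = vlr.phase1(hlr, imsi, 1000, now=1001)
    out = {"phase1": vlr.phase1_verify(ms.phase1_respond(1000, *challenge))}
    p1 = {n: Counter(p.ops) for n, p in parties.items()}
    req = ms.phase2_request(1100)
    reply = vlr.phase2(*req)
    out["phase2"] = ms.phase2_check(*reply)
    out["ops"] = (p1, {n: parties[n].ops - p1[n] for n in ("MS", "VLR")})
    out["replayed_request"] = vlr.phase2(*req) is not None  # stored Tj-1 moved on
    ms.phase2_request(1200)
    out["stale_cert"] = ms.phase2_check(*reply)  # Tj differs from the one sent
    out["forged_cert"] = ms.phase2_check(os.urandom(16), 1200)  # made without KT
    out["unknown_vlr"] = VLR("vlr-X").phase1(hlr, imsi, 1300, now=1300) is not None
    return out

if __name__ == "__main__":
    print(demo())
```

The replayed request fails because VLR has already advanced its stored timestamp to Tj, so its recomputed A5(Tj||Tj, KT) no longer matches the captured SRESj.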
4 Performance analyses
The authentication protocol is the main concern of the GSM architecture. First,
we are going to demonstrate that Scheme 1 is secure and indeed improves Hwang et
al.’s authentication protocol in Subsection 4.1. Then, the security and the performance
analyses of Scheme 2 are shown in Subsection 4.2.
4.1 The analyses of Scheme 1
The security analyses and the requirement achieved by Scheme 1 are shown in
Subsections 4.1.1 and 4.1.2, respectively.
4.1.1 The security analyses of Scheme 1
In Scheme 1, MS sends the first authentication request to VLR when entering the
service area of VLR for the first time. These procedures are the same as those of
Hwang et al.’s authentication protocol. Therefore, we concentrate on the security of the
procedures of the jth authentication. As shown in Subsection 3.1, VLR sends
CERT_VLRj, Rj and Tj to MS, where CERT_VLRj = A3(Tj, KT) and KT is the
temporary secret key shared between MS and VLR. That is, only the valid VLR can
compute CERT_VLRj. On the other hand, only the legal MS can compute SRESj =
A5(Rj, KT). Furthermore, the timestamp Tj is used to avoid replay attacks. Even
if eavesdroppers intercept Tj and CERT_VLRj, they still cannot
counterfeit VLR successfully, since KT is known only to VLR and MS. MS
can easily check whether Tj is the same as the one it just sent. Even if the
attacker replays both Tj and CERT_VLRj, he/she will not succeed. In other words,
the intercepted data is useless for later authentication. According to the above
analyses, we can make sure that Scheme 1 is secure.
4.1.2 The requirements achieved by Scheme 1
As mentioned in Subsection 3.1, the procedures of the first authentication are the
same as those of Hwang et al.’s authentication protocol. As a result, mutual
authentication for the first authentication is confirmed. Since only HLR and MS
know Ki, only the two of them can compute the temporary session key KT. In
addition, HLR sends KT to VLR through the secure channel. For that reason, VLR and
MS share the temporary session key KT. In other words, without the knowledge of Ki,
no one can compute the certificate and the signed result. To authenticate MS, VLR
generates a different random number Rj and computes SRESj = A5(Rj, KT). The
certificate CERT_VLRj = A3(Tj, KT) is also computed to be verified by MS. On
the other hand, MS computes SRESj = A5(Rj, KT) to be verified by VLR. Since
the temporary session key KT is shared only between VLR and MS,
only MS and VLR can compute the correct certificate and signed result. As a result,
mutual authentication is achieved in Scheme 1.
On the other hand, A3 has to be executed at least n times in HLR in the
original GSM authentication protocol, since it needs to generate n copies of the
authentication parameters. Instead of n copies of the authentication parameters,
HLR only needs to compute CERT_VLR and KT. This approach makes the computation
overhead of HLR lighter and the authentication protocol more efficient. This is
especially important when MS moves frequently among the service areas of VLRs.
Hence, Scheme 1 is more efficient than the current GSM authentication protocol.
4.2 Analyses of Scheme 2
Scheme 2, which does not alter the original GSM architecture, consists of Phase 1
and Phase 2. The first authentication request and the jth
authentication request, where j > 1 and j ∈ N, are handled in Phases 1 and 2,
respectively. In Subsections 4.2.1, 4.2.2, and 4.2.3, we demonstrate that
our proposed protocol indeed solves the drawbacks mentioned in Section 1.
Next, we show that our proposed protocol is not only secure but also efficient in
Subsections 4.2.4 and 4.2.5. Finally, we compare Scheme 2 with other protocols in
Subsection 4.2.6.
4.2.1 Mutual authentication is confirmed in Scheme 2
First, we assume that HLR has the ability to verify VLR by using some
cryptographic technique, for instance a digital signature. Since VLR can be verified,
HLR can compute the certificate CERT_VLR, which will be sent to MS for
authenticating VLR later through a secure channel. So, MS can make sure that VLR is
valid according to CERT_VLR. What is more, VLR can authenticate the legality of
MS according to SRES. Therefore, mutual authentication is achieved at the first
authentication [16, 18].
While MS asks for communication service in the service area of the same
visiting VLR again, MS sends the authentication request to VLR. The timestamp Tj
and SRESj are included in the request. Then VLR can authenticate MS by verifying
SRESj. Furthermore, VLR computes CERT_VLRj = A3(Tj, KT) and sends it to MS.
Since KT is computed by HLR and is sent to VLR through a secure channel, only the
verified VLR has KT. That is to say, MS can use the received CERT_VLRj to
authenticate VLR. Therefore, Scheme 2 ensures mutual authentication all the time.
4.2.2 The storage overhead is reduced in Scheme 2
Obviously, VLR only needs to store KT and Tj-1 in its database instead of n sets
of the authentication parameters {SRES, R, KC}h, where h ∈ N. Therefore, our
proposed protocol can certainly economize on the memory space of VLR.
4.2.3 To reduce the bandwidth consumption
Instead of generating n sets of the authentication parameters for VLR to
authenticate MS, HLR computes the temporary session key KT and sends it to VLR.
Therefore, VLR can use KT to compute the signed result to authenticate MS when MS
sends the authentication request. That is, no matter how many authentication requests
are sent from MS to the same visiting VLR, VLR does not need to ask for
authentication parameters from HLR anymore. Consequently, our proposed scheme
can greatly reduce the bandwidth consumption between HLR and VLR.
4.2.4 Security analyses of Scheme 2
Because we do not change the GSM architecture, the security of the
authentication protocol is still based on the security algorithms A3, A5 and A8.
Besides, our proposed protocol achieves mutual authentication whenever
MS sends an authentication request, as demonstrated in Subsection 4.2.1.
Therefore, no one can impersonate VLR to fool MS, and vice versa. What
is more, the timestamp Tj is employed in our proposed protocol to avoid replay
attacks. If the request including TMSI, SRESj and Tj is intercepted by an attacker, the
attacker cannot impersonate MS since the synchronization mechanisms are provided
in GSM. That is, if Tj is retransmitted by the attacker, VLR can easily detect it. On the
other hand, even if eavesdroppers intercept Tj and CERT_VLRj simultaneously,
they still cannot counterfeit VLR successfully, because the replayed Tj is not
correct. That is, MS can easily check whether Tj is the same as the one it just
sent, even though the counterfeit VLR replays both Tj and CERT_VLRj.
According to the above analyses, we can conclude that Scheme 2 resists the possible
attacks.
Table 1. The numbers of the Algorithm A3/A5 executed by MS, VLR and HLR in
Phase 1
      MS   VLR   HLR
A3    2    0     2
A5    1    1     0
Table 2. The numbers of the Algorithm A3/A5 executed by MS and VLR in Phase 2
      MS   VLR
A3    1    1
A5    1    1
4.2.5 Efficiency provided in Scheme 2
According to Subsection 3.2, each of the participants involved in
Phase 1 needs to execute A3/A5 for authentication, and the numbers of times the
algorithms are executed by the participants are listed in Table 1. The corresponding
numbers for the participants involved in Phase 2 are listed in Table 2.
Since the original GSM authentication protocol needs to generate n copies of the
authentication parameters, A3 has to be executed at least n times in HLR. Therefore,
our proposed protocol is more efficient than the current GSM authentication protocol.
Furthermore, instead of generating a random number for each communication request
as in Hwang et al.’s protocol, VLR only needs to keep T1/Tj and use it
along with R/Tj and KT as the inputs through A5 to compute SRES/SRESj. That is to
say, Scheme 2 really enhances the efficiency. What is more, only two rounds
are needed to achieve mutual authentication in Phase 2. Obviously, this also ensures
round efficiency when MS sends the jth authentication request for communication
service.
Table 3. Comparisons between our proposed protocol and the existing GSM
authentication protocols
       Original   Our   [1]   [2]   [3]   [4]
MA1    N          Y     Y     N     N     N
MA2    N          Y     N     N     N     N
SSO    N          Y     Y     Y     N     N
SBC    N          Y     Y     Y     Y     Y
AC     -          N     N     N     Y     Y
4.2.6 Comparisons of Scheme 2 with other authentication protocols of GSM
Nowadays, many authentication protocols have been proposed to improve the
existing GSM authentication protocol. However, most of them cannot solve all of the
drawbacks mentioned in Section 1. Some of them even change the architecture of the
original GSM. In this subsection, the comparisons of Scheme 2 with those GSM
authentication protocols are shown in Table 3. The symbols used in Table 3 are
defined as follows. MA1 means achieving mutual authentication for the first
authentication; MA2 means achieving mutual authentication for the subsequent
authentications; SSO means solving the problem of space overhead; SBC means
solving the problem of bandwidth consumption; AC means changing the GSM
architecture [1, 2, 3, 4]; N denotes “no”; Y denotes “yes.” According to the
comparisons, it is obvious that Scheme 2 indeed overcomes the drawbacks found in
the existing authentication protocols for the GSM architecture.
5 Conclusions
In recent years, GSM has become so convenient that it is widespread in the world. Many
authentication protocols have been proposed to improve the original authentication
protocol of GSM, but they cannot solve all of the drawbacks without altering the GSM
architecture. In this paper, we propose two schemes to improve the existing GSM
authentication protocols. Our proposed authentication protocols not only solve all of
the drawbacks but also increase the efficiency. In addition, the security is clearly
enhanced, since mutual authentication is ensured all the time. In short, our proposed
protocols are secure and efficient.
References
[1] C. C. Lee, M. S. Hwang, and W. P. Yang, “Extension of authentication protocol for
GSM,” Proceedings of IEE on Communication, vol. 150, no. 2, pp. 91-95, April
2003.
[2] C. H. Lee, M. S. Hwang, and W. P. Yang, “Enhanced privacy and authentication
for the global system for the mobile communications,” Wireless Networks, vol. 5,
pp. 231-243, 1999.
[3] L. Harn and H. Y. Lin, “Modification to enhance the security of the GSM
protocol,” Proceedings of the 5th National Conference on Information Security,
pp.416-420, Taipei, Taiwan, May 1995.
[4] K. Al-tawil, A. Akrami, and H. Youssef, “A new authentication protocol for GSM
network,” Proceedings of IEEE 23rd Annual Conference on Local Computer
Networks, pp. 21-30, Boston, October 1998.
[5] ETSI. “Recommendation GSM 03.20: Security related network functions,”
Technical Reports, European Telecommunication Standards Institute, ETSI, June
1993.
[6] B. Mallinder, “An overview of the GSM system,” Proceedings of Third Nordic
Seminar on Digital Land Mobile Radio Communication, pp. 12-15, Copenhagen,
Denmark, September 1998.
[7] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE
Communication, pp. 92-100, 1993.
[8] A. Aziz and W. Diffie, “Privacy and authentication for wireless local area
networks,” IEEE Personal Communications, pp. 24-31, July 1993.
[9] C. H. Lee and M. S. Hwang, “Authenticated key-exchanged in mobile radio
network,” European Transactions on Telecommunication, pp. 265-269, 1997.
[10] M. S. Hwang, “Dynamic participation in a secure conference scheme for mobile
communication,” IEEE Transaction on Vehicular Technology, vol. 48, pp.
1469-1474, 1999.
[11] M. S. Hwang, Y. L. Tang, and C. C. Lee, “An efficient authentication protocol for
GSM networks,” Proceedings of AFCEA/IEEE EuroComm’2000, pp. 326-330,
May 2000.
[12] R. Molva, D. Samfat, and G. Tsudik, “Authentication of mobile users,” IEEE
Network, vol. 8, pp. 26-34, 1994.
[13] ETSI. “Recommendation GSM 02.09: Security related network functions,”
Technical Reports, European Telecommunications Standards Institute, ETSI,
June 1993.
[14] J. F. Stach, E. K. Park, and K. Makki, “Performance of an enhanced GSM
protocol supporting non-repudiation of service,” Computer Communications,
vol. 22, pp. 675-680, 1999.
[15] S. Kumar and C. Zahn, “Mobile communications: evolution and impact on
business operations,” Technovation, vol. 23, pp. 515-520, 2003.
[16] W. Stallings, “Cryptography and network security: principles and practices,”
Prentice Hall, 2nd edn, 1999.
[17] H. Y. Lin and L. Harn, “Authentication protocol with nonrepudiation services in
personal communication systems,” IEEE Communication Letters, vol. 3, pp.
236-238, August 1999.
[18] C. C. Chang, J. K. Jan, and H. C. Kowng, “A digital signature scheme based
upon theory of quadratic residues,” Cryptologia, no. 1, pp. 55-70, January 1997.