3G Core Network Final Project
Efficient Authentication Protocols of GSM
Department and year: Graduate Institute of Computer Science and Information Engineering, first-year master's
Student ID: 692410001
Name: 廖翊均

1 Introduction

With the rapid growth of information science, not only wired networks but also wireless ones have developed very well. During the 1980s, the global system for mobile communication (GSM) networks was first proposed. Nowadays, it has spread throughout the world and has become the standard of the Pan-European digital cellular system. It has even become the main standard of worldwide wireless communication. Because wireless networks lack the physical protection mechanisms of conventional fixed-topology or static-user networks, an appropriate security mechanism is required to protect wireless communication from illegal attacks such as fraudulent behavior, illegal data access, eavesdropping, etc. [5, 6, 7, 8, 9, 10, 17]

[Figure 1. The GSM architecture. Diagram labels: MS, Home System, Visit System; R and Ki are the inputs to A3 and A8; SRES is compared (=?) for authentication; Kc keys A5 over the data.]

Several years ago, mobile phones were viewed as luxuries, but they are now treated as articles of daily life. The mobile phone market has witnessed marvelous growth in recent years, and it is estimated that the number of mobile phone users will be in the region of 1.07 billion at the end of 2003. This situation is owing to the convenience of GSM, which lets people communicate with anyone, in any place, at any time, and to the enormous support from the telecommunication industry. In addition, the popularity of mobile phones also indirectly promotes the development of wireless communication networks. However, security is always the most important concern of wireless communication. Since the mobile communication network lets people communicate with one another without direct contact, avoiding being defrauded is a serious issue.
What is more, the openness of signal transmission also causes serious security problems in the wireless communication channel [15]. Generally speaking, there are two major security issues in wireless communication: authentication and privacy. Authentication ensures that no unauthorized user can obtain the services of an authorized user from the home system. Privacy, on the other hand, means ensuring that communication messages will not be intercepted by eavesdroppers.

In the GSM architecture, there are two major databases for each mobile service provider, the home location register (HLR) and the visitor location register (VLR). HLR is responsible for maintaining the information and current location of subscribers, and VLR is responsible for keeping the information of visiting users and transmitting the location information of subscribers to HLR from time to time. The mobile station (MS) communicates through the wireless link with the base stations (BS), which are in turn connected to the mobile switching center (MSC). In other words, MSC can be treated as a bridge between wireless and wired networks. The authentication center (AUC), which keeps the secret keys Ki shared with subscribers and generates the sets of security parameters for requests of the authentication protocol of HLR, is the most important component in the GSM architecture. Each GSM subscriber also has the secret key Ki in the Subscriber Identity Module (SIM) card of MS. During the initial registration, every subscriber gets a unique identity and an International Mobile Subscriber Module (IMSI) from the AUC.

The security of the GSM architecture is based on the Algorithms A3, A5 and A8, where A3 is a one-way function used to compute the certificate to authenticate the mobile station, A5 is an encryption/decryption algorithm and A8 is another one-way function used to generate the session keys KC. The GSM architecture is shown in Figure 1.
The signed result SRES and KC are computed by using the random number R and Ki generated by HLR as the inputs through A3 and A8, respectively [3, 4, 6, 7, 11, 12, 13].

So far, several drawbacks have been found in the GSM authentication protocol:

(1) Mutual authentication between MS and VLR is not provided in the GSM architecture. Only MS is authenticated by VLR, but VLR is not authenticated by MS. This is harmful to MS.

(2) For each MS in the visiting VLR, there are n copies of triplet authenticating parameters stored in VLR's database. This approach results in storage overhead.

(3) If MS stays in the same VLR for a long time and consumes all of the authenticating parameters, VLR will request HLR again for n copies of authenticating parameters. On the other hand, it is possible for MS to move frequently such that MS will send requests to several VLRs in a short period. As mentioned above, each VLR will request HLR for n copies of triplet authentication parameters. Consequently, the bandwidth consumption and the load of HLR will increase badly.

Recently, many authentication protocols have been proposed to solve those drawbacks of the GSM authentication protocol. However, most of them cannot solve all of the drawbacks mentioned above. Park et al. proposed a secure method for GSM in 1999, which can provide non-repudiation services and can resolve some of the drawbacks. However, the architecture is changed. Later, Hwang et al. proposed a new method to solve all of the above drawbacks without changing the existing GSM architecture. Nevertheless, when the mobile station user makes the second call, drawback (1) still occurs. In this paper, we propose two methods to improve Hwang et al.'s protocol and increase the round efficiency of the authentication protocol [1, 14].

2 Preliminaries

In GSM, the most important part is the authentication protocol.
In the following, the notations used throughout this paper, the existing GSM authentication protocol and Hwang et al.'s authentication protocol are shown in Subsections 2.1, 2.2 and 2.3, respectively.

Figure 2. The authentication protocol of GSM
  MS -> VLR: Request(TMSI, LAI)
  VLR -> HLR: IMSI
  HLR -> VLR: n sets {SRES, R, KC}h
  VLR -> MS: R
  MS -> VLR: SRES

2.1 Notations

Before demonstrating these authentication protocols, we first list the notations used throughout this paper.

HLR: The home location register
VLR: The visitor location register
TMSI: The temporary mobile subscriber identity
IMSI: The international mobile subscriber module
LAI: The location area identity
IDV: The identification of VLR
Ki: The secret key shared between MS and HLR
T: The timestamp generated by MS
Tj: The timestamp generated by MS for the jth authentication request, j N
R: The random number generated by HLR
Rj: The random number generated by VLR for the jth authentication request, j N
A3, A5, A8: The three algorithms on which the security of GSM is based
A3/A5/A8(M, K): To modify the input M with the key K through A3/A5/A8
SRES: The signed result computed for the first authentication
SRESj: The signed result computed for the jth authentication request, j > 1, j N
CERT_VLR: The certificate of the visiting VLR computed for the first authentication
CERT_VLRj: The certificate of the visiting VLR computed for the jth authentication, j > 1, j N
||: The concatenation symbol

2.2 Review of current authentication protocol for GSM

In this subsection, an overview of the current GSM authentication protocol is shown in Figure 2. The details are described as follows.

Step1: When MS joins a new visiting area and asks for new communication service, an authentication request is first sent to VLR, where the request includes TMSI and LAI.

Step2: After receiving the request, the new VLR uses the received TMSI to get the IMSI from the old VLR and then sends IMSI to HLR.
Step3: Then, HLR generates n distinct sets of authenticating parameters {SRES, R, KC}h, where h = 1, 2, …, n, and sends them to VLR.

Step4: After receiving those sets of authenticating parameters, VLR keeps them in its own database and selects one set of them to authenticate the mobile station for each call. Next, VLR sends the selected R to MS.

Step5: Once MS receives R from VLR, it computes SRES = A3(R, Ki) and the temporary session key KC = A8(R, Ki), where KC is kept secret for communication. Then SRES is sent back to VLR.

Step6: Upon receiving SRES from MS, VLR compares it with the selected SRES kept in its own database. If they are not the same, the authentication fails; otherwise, VLR can make sure that MS is legal.

Figure 3. Hwang et al.'s authentication protocol of GSM
  MS -> VLR: Request(TMSI, LAI, T)
  VLR -> HLR: IDV, IMSI, T
  HLR -> VLR: CERT_VLR, R, KT
  VLR -> MS: CERT_VLR, R, R1, T
  MS -> VLR: SRES

2.3 A review of Hwang et al.'s authentication protocol

To solve the existing drawbacks of the current authentication protocol of the GSM architecture, Hwang et al. proposed a new authentication protocol. The key concept is that HLR makes the visiting VLR and MS share a temporary key KT. KT is computed through A3 by HLR using Ki and R as the inputs, where Ki is the secret key shared between MS and HLR, and R is generated by HLR. In addition, HLR also computes the certificate CERT_VLR = A3(T, Ki) for the visiting VLR of MS, where T is the timestamp sent from MS. Then, CERT_VLR is used for authenticating the validity of VLR. The flowchart of Hwang et al.'s authentication protocol is shown in Figure 3. The details of the protocol are described as follows.

Step1: When MS enters a new visiting area and asks for new communication service, an authentication request including the TMSI, LAI and T is sent to VLR.
Step2: After receiving the request, the new VLR uses the received TMSI to get the IMSI from the old VLR and then sends the IMSI along with its identification IDV and T to HLR through a secure channel.

Step3: After receiving the information from VLR, HLR checks whether the timestamp T has expired and whether the identity IDV of the visiting VLR of MS is legitimate. If both T and IDV are valid, HLR randomly chooses a number R and computes CERT_VLR = A3(T, Ki) and KT = A3(R, Ki). Then HLR transmits the computation results and R to the visiting VLR. Otherwise, HLR will terminate the authentication protocol.

Step4: Once VLR receives the information, it computes SRES = A5(R1, KT) and stores it in its own database, where R1 is the random number generated by VLR for the present communication. Then, VLR passes R, R1, T and CERT_VLR to MS.

Step5: On receiving the information from VLR, MS first checks whether T is valid. If it is, MS computes CERT_VLR = A3(T, Ki) of VLR. Next, MS compares the computed CERT_VLR with the received CERT_VLR. If they are not equivalent, the authenticating process is halted; otherwise, MS computes KT = A3(R, Ki) and SRES = A5(R1, KT). Then MS sends SRES back to VLR.

Step6: Upon receiving SRES from MS, VLR compares it with the SRES kept in its own database. If they match, the authentication is successful; otherwise, the request is rejected.

For the jth communication, where j > 1 and j N, VLR will randomly generate a number Rj, and then it will compute SRESj = A5(Rj, KT). Then, VLR will store SRESj in its own database and send Rj to MS. After receiving Rj from VLR, MS will compute SRESj = A5(Rj, KT) and send it to VLR. Upon getting SRESj, VLR will check whether the received SRESj is equal to the SRESj in its database. If it is, VLR is convinced that MS is legal; otherwise, VLR will reject the request.
Different from the original authentication protocol, VLR does not need to request HLR for other authentication parameters as long as MS stays in the service area of the same visiting VLR.

According to the procedures of the authentication for the jth communication, where j > 1 and j N, it is obvious that mutual authentication is not confirmed since only MS is authenticated.

3 The proposed authentication protocols

In Hwang et al.'s authentication protocol, when MS stays in the service area of the visiting VLR and asks for the second authentication, VLR generates another random number R2 and sends it to MS for authentication later. However, MS does not authenticate the validity of VLR. In a word, mutual authentication is only achieved in the first communication. To provide mutual authentication, we propose an improvement in Subsection 3.1. In addition, a new authentication protocol with round efficiency is presented in Subsection 3.2.

3.1 Scheme 1: An improvement on Hwang et al.'s authentication protocol

In this subsection, we propose an improvement providing mutual authentication whenever MS asks VLR for authentication. As mentioned in Subsection 2.3, the temporary key KT is stored in the visiting VLR's database and in MS's database after the first authentication. The key concept of the improvement is that when MS asks for the jth authentication, VLR uses KT and Tj as the inputs through A3 to compute the certificate CERT_VLRj, where j > 1, j N and Tj is the timestamp included in the authentication request sent from MS. The certificate CERT_VLRj is then used by MS to authenticate VLR. The flowchart of the jth authentication is shown in Figure 4 and the details are described as follows.

Figure 4. The flowchart of the jth authentication
  MS -> VLR: Request(TMSI, Tj)
  VLR -> MS: CERT_VLRj, Rj, Tj
  MS -> VLR: SRESj

Step 1: When MS wants the communication service provided by the same visiting VLR for the jth time, it sends an authentication request to VLR, where the request includes TMSI and Tj.

Step 2: After receiving the request from MS, VLR generates a random number Rj, computes SRESj = A5(Rj, KT) and keeps SRESj in the database. Next, it computes CERT_VLRj = A3(Tj, KT) and then sends it along with Rj to MS.

Step 3: Once MS receives the messages from VLR, it computes CERT_VLRj = A3(Tj, KT) and compares it with the received CERT_VLRj. If they are not the same, the authentication process is terminated; otherwise, VLR is authenticated successfully. Then MS computes SRESj = A5(Rj, KT) and sends it to VLR.

Step 4: Upon receiving SRESj from MS, VLR compares the received SRESj with the SRESj kept in its own database. If they are not equivalent, the authentication fails; otherwise, the request can be accepted.

Figure 5. The flowchart of Phase 1
  MS -> VLR: Request(TMSI, LAI, T1)
  VLR -> HLR: IDV, IMSI, T1
  HLR -> VLR: CERT_VLR, R, KT
  VLR -> MS: CERT_VLR, R, T1
  MS -> VLR: SRES

3.2 Scheme 2: An efficient authentication protocol of GSM

Not only to overcome the drawbacks mentioned in Section 1 but also to make the authentication more efficient, an authentication protocol with round efficiency is proposed in this subsection. Scheme 2 consists of two phases: Phase 1 and Phase 2. Phase 1 is executed when MS has just joined the visiting VLR and asks for authentication for the first time, and Phase 2 is executed when MS sends the jth authentication request to the same visiting VLR, where j > 1 and j N. In the following, we illustrate the details of Phase 1 and Phase 2 in Subsections 3.2.1 and 3.2.2, respectively. The flowcharts of both phases are depicted in Figure 5 and Figure 6, respectively.
3.2.1 Phase 1: The first authentication in the visiting VLR

The main concept of this phase is employing (R||T1) instead of R1 as the input through A5 to compute the authentication pattern SRES, where R is the random number generated by HLR and T1 is the timestamp sent by MS for the first communication. The authentication process is as follows.

Step 1: When MS joins a new visiting area and asks for new communication service, it sends an authentication request to the new VLR. The request includes TMSI, LAI and T1.

Step 2: The VLR then uses TMSI to find out the corresponding IMSI from the old VLR and sends it along with its identity IDV and T1 to HLR of MS through a secure channel.

Step 3: When HLR receives the information, it first checks whether the identity IDV of the visiting VLR is legal and whether T1 is valid. If one of them is not valid, the authentication process is terminated; otherwise, HLR computes CERT_VLR = A3(T1, Ki) and KT = A3(R, Ki), where Ki is the secret key shared between MS and HLR. Then HLR sends CERT_VLR, R and KT to VLR through a secure channel.

Step 4: Once VLR receives the information from HLR, it computes SRES = A5(R||T1, KT) and stores it in the database along with T1. Then, VLR sends CERT_VLR, R and T1 to MS.

Step 5: When MS receives the messages, it first checks whether T1 is the same as the one it sent before. If T1 is not valid, the process is terminated; otherwise, MS computes CERT_VLR = A3(T1, Ki), and then compares it with the received CERT_VLR. If they are not the same, the process is terminated; otherwise, VLR is authenticated. MS then computes KT = A3(R, Ki) and SRES = A5(R||T1, KT). Next, MS sends SRES back to VLR.

Step 6: On receiving the information from MS, VLR compares the received SRES with the one stored in its database. If no errors occur, the KT and SRES computed by MS equal those held by VLR. Then, the communication request is accepted; otherwise, the authentication fails.

Figure 6. The flowchart of Phase 2
  MS -> VLR: Request(TMSI, SRESj, Tj)
  VLR -> MS: CERT_VLRj, Tj

3.2.2 Phase 2: The jth authentication between the same visiting VLR and MS

To achieve the goal of mutual authentication at any time, the process of Phase 2 is executed. Different from Phase 1, the signed result SRESj is computed by using Tj-1||Tj and KT as the inputs through A5, where Tj-1 is the timestamp for the previous authentication and Tj is the timestamp generated by MS for the jth authentication. Furthermore, the certificate CERT_VLRj of VLR is computed by using KT and Tj as the inputs through A3. The details of the authentication are described as follows.

Step 1: When MS stays in the same service area of the same visiting VLR and asks for a new communication request, it first computes SRESj = A5(Tj-1||Tj, KT) and sends an authentication request to VLR. The request includes TMSI, SRESj and Tj.

Step 2: When VLR receives the request from MS, it computes SRESj = A5(Tj-1||Tj, KT), where Tj-1 is the timestamp stored in its database for the previous authentication. Then VLR compares SRESj with the received one. If they are not the same, the process is terminated; otherwise, MS is authenticated and the stored timestamp is updated to Tj. The VLR then computes CERT_VLRj = A3(Tj, KT) and sends the computation result along with Tj to MS.

Step 3: Once MS receives the messages, it first checks whether Tj is the same as the one it sent before. If it is not valid, the process is terminated; otherwise, MS computes CERT_VLRj = A3(Tj, KT). Then, MS compares the computed CERT_VLRj with the received CERT_VLRj. If they are not equivalent, the process is terminated; otherwise, VLR is authenticated and MS will store Tj.

4 Performance analyses

The authentication protocol is the main concern of the GSM architecture. First, we demonstrate that Scheme 1 is secure and indeed improves Hwang et al.'s authentication protocol in Subsection 4.1. Then, the security and the performance analyses of Scheme 2 are shown in Subsection 4.2.
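The two phases of Scheme 2 from Subsection 3.2, modelled end to end as an added example (not code from the paper). It assumes HMAC-SHA256 as a stand-in for A3 and A5, which the paper leaves abstract, 8-byte integer timestamps, a 30-second freshness window at HLR, and hypothetical class, function and identifier names; demo() also replays a Phase 2 request and an old certificate to show that both are rejected.

```python
import hashlib
import hmac
import os
import struct

# Assumption: the paper leaves A3/A5 abstract; HMAC-SHA256 with distinct labels
# stands in for "A3(M, K)" and "A5(M, K)" as keyed one-way functions.
def A3(m: bytes, k: bytes) -> bytes:
    return hmac.new(k, b"A3|" + m, hashlib.sha256).digest()[:16]
def A5(m: bytes, k: bytes) -> bytes:
    return hmac.new(k, b"A5|" + m, hashlib.sha256).digest()[:16]

def ts(t: int) -> bytes:  # fixed-width encoding keeps X||T unambiguous
    return struct.pack(">Q", t)

class HLR:
    def __init__(self, subscribers, trusted_vlrs, max_skew=30):
        self.ki = subscribers            # IMSI -> Ki
        self.vlrs = trusted_vlrs         # legitimate IDV values
        self.max_skew = max_skew         # assumed freshness window, seconds

    def phase1(self, idv, imsi, t1, now):
        # Phase 1, Step 3: check IDV and T1, then derive CERT_VLR and KT from Ki.
        if idv not in self.vlrs or abs(now - t1) > self.max_skew:
            raise PermissionError("HLR: unknown IDV or stale T1")
        r, ki = os.urandom(16), self.ki[imsi]
        return A3(ts(t1), ki), r, A3(r, ki)          # CERT_VLR, R, KT

class VLR:
    def __init__(self, idv, hlr, tmsi_to_imsi):
        self.idv, self.hlr, self.ids = idv, hlr, tmsi_to_imsi
        self.state = {}                  # TMSI -> KT, stored timestamp, SRES

    def phase1_request(self, tmsi, t1, now):
        # Steps 2 and 4: get CERT_VLR, R, KT; store SRES = A5(R||T1, KT) and T1.
        cert, r, kt = self.hlr.phase1(self.idv, self.ids[tmsi], t1, now)
        self.state[tmsi] = {"kt": kt, "t_prev": t1, "sres": A5(r + ts(t1), kt)}
        return cert, r, t1

    def phase1_verify(self, tmsi, sres):
        # Step 6: compare the SRES from MS with the stored one.
        return hmac.compare_digest(sres, self.state[tmsi]["sres"])

    def phase2(self, tmsi, sres_j, t_j):
        # Phase 2, Step 2: recompute SRESj from the stored T(j-1); advance on success.
        st = self.state[tmsi]
        if not hmac.compare_digest(sres_j, A5(ts(st["t_prev"]) + ts(t_j), st["kt"])):
            return None
        st["t_prev"] = t_j
        return A3(ts(t_j), st["kt"]), t_j            # CERT_VLRj, Tj

class MS:
    def __init__(self, tmsi, ki):
        self.tmsi, self.ki = tmsi, ki
        self.kt = self.t_prev = self.t_sent = None

    def phase1_request(self, t1):
        self.t_sent = t1
        return self.tmsi, t1

    def phase1_respond(self, cert, r, t1):
        # Step 5: T1 must be the value just sent and CERT_VLR must verify under Ki.
        if t1 != self.t_sent or not hmac.compare_digest(cert, A3(ts(t1), self.ki)):
            raise PermissionError("MS: VLR not authenticated")
        self.kt, self.t_prev = A3(r, self.ki), t1
        return A5(r + ts(t1), self.kt)               # SRES

    def phase2_request(self, t_j):
        self.t_sent = t_j
        return self.tmsi, A5(ts(self.t_prev) + ts(t_j), self.kt), t_j

    def phase2_check(self, cert_j, t_j):
        # Phase 2, Step 3: accept VLR only for the timestamp just sent.
        ok = t_j == self.t_sent and hmac.compare_digest(cert_j, A3(ts(t_j), self.kt))
        if ok:
            self.t_prev = t_j
        return ok

def demo():
    ki = bytes(range(16))                            # constructed sample key
    hlr = HLR({"imsi-sample": ki}, {"vlr-sample"})
    vlr = VLR("vlr-sample", hlr, {"tmsi-sample": "imsi-sample"})
    ms = MS("tmsi-sample", ki)
    tmsi, t1 = ms.phase1_request(1000)
    sres = ms.phase1_respond(*vlr.phase1_request(tmsi, t1, now=1001))
    first = vlr.phase1_verify(tmsi, sres)
    req2 = ms.phase2_request(1060)
    reply2 = vlr.phase2(*req2)
    mutual = ms.phase2_check(*reply2)
    replayed_request = vlr.phase2(*req2)             # same (TMSI, SRESj, Tj) again
    ms.phase2_request(1120)
    replayed_cert = ms.phase2_check(*reply2)         # old (CERT_VLRj, Tj) sent to MS
    return first, mutual, replayed_request, replayed_cert
```

Calling demo() returns (True, True, None, False): the replayed request fails because VLR has already advanced its stored timestamp to Tj, and the replayed certificate fails because its Tj is not the timestamp MS just sent.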
4.1 The analyses of Scheme 1

The security analyses and the requirements achieved by Scheme 1 are shown in Subsections 4.1.1 and 4.1.2, respectively.

4.1.1 The security analyses of Scheme 1

In Scheme 1, MS sends the first authentication request to VLR when entering the service area of VLR for the first time. These procedures are the same as those of Hwang et al.'s authentication protocol. Therefore, we emphasize the security of the procedures of the jth authentication. As shown in Subsection 3.1, VLR sends CERT_VLRj, Rj and Tj to MS, where CERT_VLRj = A3(Tj, KT) and KT is the temporary secret key shared between MS and VLR. That is, only the valid VLR can compute CERT_VLRj. On the other hand, only the legal MS can compute SRESj = A3(Rj, KT). Furthermore, the timestamp Tj is used to avoid replay attacks. Even though illegal eavesdroppers intercept Tj and CERT_VLRj, they still cannot counterfeit VLR successfully since KT is not known to anyone except VLR and MS. MS can easily check whether Tj is the same as that just sent by itself. Even if the attacker replays both Tj and CERT_VLRj, he/she will not succeed. In other words, the intercepted data is useless for later authentication. According to the above analyses, we can make sure that Scheme 1 is secure.

4.1.2 The requirements achieved by Scheme 1

As mentioned in Subsection 3.1, the procedures of the first authentication are the same as those of Hwang et al.'s authentication protocol. As a result, mutual authentication for the first authentication is confirmed. Since only HLR and MS have the knowledge of Ki, only the two of them can compute the temporary session key KT. In addition, HLR sends KT to VLR through the secure channel. For that reason, VLR and MS share the temporary session key KT. In other words, without the knowledge of Ki, no one can compute the certificate and the signed result. To authenticate MS, VLR generates a different random number Rj and computes SRESj = A5(Rj, KT).
The certificate CERT_VLRj = A3(Tj, KT) is also computed to be verified by MS. On the other hand, MS computes SRESj = A5(Rj, KT) to be verified by VLR. Since the temporary session key KT is only shared between VLR and MS, only MS and VLR can compute the correct certificate and signed result. As a result, mutual authentication is achieved in Scheme 1.

On the other hand, A3 has to be executed at least n times in HLR since the original GSM authentication protocol needs to generate n copies of the authentication parameters. Instead of n copies of the authentication parameters, HLR only needs to compute CERT_VLR and KT. This approach makes the computation overhead of HLR lighter and the authentication protocol more efficient. This is especially essential when MS moves frequently among the service areas of VLRs. Hence, Scheme 1 is more efficient than the current GSM authentication protocol.

4.2 Analyses of Scheme 2

Here, Scheme 2, which does not alter the original GSM architecture, is analyzed. Scheme 2 consists of Phase 1 and Phase 2. The first authentication request and the jth authentication request, where j > 1 and j N, are handled in Phases 1 and 2, respectively. In Subsections 4.2.1, 4.2.2, and 4.2.3, we demonstrate that our proposed protocol indeed can solve the drawbacks mentioned in Section 1. Next, we show that our proposed protocol is not only secure but also efficient in Subsections 4.2.4 and 4.2.5. At last, we compare Scheme 2 with other protocols in Subsection 4.2.6.

4.2.1 Mutual authentication is confirmed in Scheme 2

First, we assume that HLR has the ability to verify VLR by using some cryptographic technique, for instance, a digital signature. Since VLR can be verified, HLR can compute the certificate CERT_VLR, which will be sent to MS for authenticating VLR later through a secure channel. So, MS can make sure that VLR is valid according to CERT_VLR.
What is more, VLR can authenticate the legality of MS according to SRES. Therefore, mutual authentication is achieved at the first authentication [16, 18].

When MS asks for communication service in the service area of the same visiting VLR again, MS sends the authentication request to VLR. The timestamp Tj and SRESj are included in the request. Then VLR can authenticate MS by verifying SRESj. Furthermore, VLR computes CERT_VLRj = A3(Tj, KT) and sends it to MS. Since KT is computed by HLR and is sent to VLR through a secure channel, only the verified VLR has KT. That is to say, MS can use the received CERT_VLRj to authenticate VLR. Therefore, Scheme 2 ensures mutual authentication all the time.

4.2.2 The storage overhead is reduced in Scheme 2

Obviously, VLR only needs to store KT and Tj-1 in its database instead of n sets of the authentication parameters {SRES, R, KC}h, where h N. Therefore, our proposed protocol can certainly economize on the memory space of VLR.

4.2.3 To reduce the bandwidth consumption

Instead of generating n sets of the authentication parameters for VLR to authenticate MS, HLR computes the temporary session key KT and sends it to VLR. Therefore, VLR can use KT to compute the signed result to authenticate MS when MS sends the authentication request. That is, no matter how many authentication requests are sent from MS to the same visiting VLR, VLR does not need to ask for authentication parameters from HLR anymore. Consequently, our proposed scheme can greatly reduce the bandwidth consumption between HLR and VLR.

4.2.4 Security analyses of Scheme 2

Because we do not change the GSM architecture, the security of the authentication protocol is also based on the security of Algorithms A3, A5 and A8. Besides, our proposed protocol can achieve mutual authentication at any time when MS sends an authentication request, as demonstrated in Subsection 4.2.1.
Therefore, no one can impersonate VLR to fool MS, and vice versa. What is more, the timestamp Tj is employed in our proposed protocol to avoid replay attacks. If the request including TMSI, SRESj and Tj is intercepted by an attacker, the attacker cannot impersonate MS since synchronization mechanisms are provided in GSM. That is, if Tj is retransmitted by the attacker, VLR can easily detect it. On the other hand, because Tj is not correct, eavesdroppers still cannot counterfeit VLR successfully even if they intercept Tj and CERT_VLRj simultaneously. That is, MS can easily check whether Tj is the same as the one just sent by itself even though the counterfeit VLR replays both Tj and CERT_VLRj. According to the above analyses, we can sum up that Scheme 2 can resist the possible attacks.

Table 1. The numbers of the Algorithm A3/A5 executed by MS, VLR and HLR in Phase 1

      MS   VLR   HLR
A3    2    0     2
A5    1    1     0

Table 2. The numbers of the Algorithm A3/A5 executed by MS and VLR in Phase 2

      MS   VLR
A3    1    1
A5    1    1

4.2.5 Efficiency provided in Scheme 2

According to Subsection 3.2, each of the participants involved in Phase 1 needs to execute A3/A5 for authentication, and the numbers of the algorithms executed by the participants are listed in Table 1. Moreover, the numbers of the algorithms executed by the participants involved in Phase 2 are listed in Table 2. Since the original GSM authentication protocol needs to generate n copies of the authentication parameters, A3 has to be executed at least n times in HLR. Therefore, our proposed protocol is more efficient than the current GSM authentication protocol. Furthermore, instead of generating a random number for each communication request as in Hwang et al.'s protocol, VLR only needs to keep T1/Tj and use it along with R/Tj and KT as the inputs through A5 to compute SRES/SRESj. That is to say, Scheme 2 really enhances the efficiency.
What is more, only two rounds are needed to achieve mutual authentication in Phase 2. Obviously, it also ensures round efficiency when MS sends the jth authentication request for communication service.

Table 3. Comparisons between our proposed protocol and the existing GSM authentication protocols

       Original   Our   [1]   [2]   [3]   [4]
MA1    N          Y     Y     N     N     N
MA2    N          Y     N     N     N     N
SSO    N          Y     Y     Y     N     N
SBC    N          Y     Y     Y     Y     Y
AC     -          N     N     N     Y     Y

4.2.6 Comparisons of Scheme 2 with other authentication protocols of GSM

Nowadays, many authentication protocols have been proposed to improve the existing GSM authentication protocol. However, most of them cannot solve all of the drawbacks mentioned in Section 1. Some of them even change the architecture of the original GSM. In this subsection, the comparisons of Scheme 2 with those GSM authentication protocols are shown in Table 3. Next, we define the symbols used in Table 3. MA1 means to achieve mutual authentication for the first authentication; MA2 means to achieve mutual authentication for authentication of the other times; SSO means to solve the problem of space overhead; SBC means to solve the problem of bandwidth consumption; AC means to change the GSM architecture [1, 2, 3, 4]; N denotes “no”; Y denotes “yes.” According to the comparisons, it is obvious that Scheme 2 indeed overcomes the drawbacks found in the existing authentication protocols for the GSM architecture.

5 Conclusions

In recent years, GSM has been so convenient that it has become widespread in the world. Many authentication protocols have been proposed to improve the original authentication protocol of GSM, but they cannot solve all drawbacks without altering the GSM architecture. In this paper, we propose two schemes to improve the existing GSM authentication protocols. Our proposed authentication protocols can not only solve all of the drawbacks but also increase the efficiency.
In addition, the security is also obviously enhanced, since mutual authentication is ensured all the time. In a word, our proposed protocols are secure and efficient.

References

[1] C. C. Lee, M. S. Hwang, and W. P. Yang, “Extension of authentication protocol for GSM,” Proceedings of IEE on Communication, vol. 150, no. 2, pp. 91-95, April 2003.
[2] C. H. Lee, M. S. Hwang, and W. P. Yang, “Enhanced privacy and authentication for the global system for the mobile communications,” Wireless Networks, vol. 5, pp. 231-243, 1999.
[3] L. Harn and H. Y. Lin, “Modification to enhance the security of the GSM protocol,” Proceedings of the 5th National Conference on Information Security, pp. 416-420, Taipei, Taiwan, May 1995.
[4] K. Al-tawil, A. Akrami, and H. Youssef, “A new authentication protocol for GSM network,” Proceedings of IEEE 23rd Annual Conference on Local Computer Networks, pp. 21-30, Boston, October 1998.
[5] ETSI, “Recommendation GSM 03.20: Security related network functions,” Technical Reports, European Telecommunication Standards Institute, ETSI, June 1993.
[6] B. Mallinder, “An overview of the GSM system,” Proceedings of Third Nordic Seminar on Digital Land Mobile Radio Communication, pp. 12-15, Copenhagen, Denmark, September 1998.
[7] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE Communication, pp. 92-100, 1993.
[8] A. Aziz and W. Diffie, “Privacy and authentication for wireless local area networks,” IEEE Personal Communications, pp. 24-31, July 1993.
[9] C. H. Lee and M. S. Hwang, “Authenticated key-exchanged in mobile radio network,” European Transactions on Telecommunication, pp. 265-269, 1997.
[10] M. S. Hwang, “Dynamic participation in a secure conference scheme for mobile communication,” IEEE Transaction on Vehicular Technology, vol. 48, pp. 1469-1474, 1999.
[11] M. S. Hwang, Y. L. Tang, and C. C. Lee, “An efficient authentication protocol for GSM networks,” Proceedings of AFCEA/IEEE EuroComm’2000, pp. 326-330, May 2000.
[12] R. Molva, D. Samfat, and G. Tsudik, “Authentication of mobile users,” IEEE Network, vol. 8, pp. 26-34, 1994.
[13] ETSI, “Recommendation GSM 02.09: Security related network functions,” Technical Reports, European Telecommunications Standards Institute, ETSI, June 1993.
[14] J. F. Stach, E. K. Park, and K. Makki, “Performance of an enhanced GSM protocol supporting non-repudiation of service,” Computer Communications, vol. 22, pp. 675-680, 1999.
[15] S. Kumar and C. Zahn, “Mobile communications: evolution and impact on business operations,” Technovation, vol. 23, pp. 515-520, 2003.
[16] W. Stallings, “Cryptography and network security: principles and practices,” Prentice Hall, 2nd edn, 1999.
[17] H. Y. Lin and L. Harn, “Authentication protocol with nonrepudiation services in personal communication systems,” IEEE Communication Letters, vol. 3, pp. 236-238, August 1999.
[18] C. C. Chang, J. K. Jan, and H. C. Kowng, “A digital signature scheme based upon theory of quadratic residues,” Cryptologia, no. 1, pp. 55-70, January 1997.