Clone resistant mutual authentication in a radio communication network
Abstract
A system and method for preventing unauthorized duplication of an identity module, IM, and authenticating valid IMs. Different information is stored in the IM and an authentication center, AuC, and if the information in the AuC is leaked, it is insufficient to clone the IM. The IM generates a first key, K1, and a second key, K2, while assuring that K1 cannot be derived from K2, and optionally that K2 cannot be derived from K1. The IM exports K2 and an identifier to the AuC while keeping K1 secret within the IM. During authentication, the IM provides to a third party such as a VLR, information containing the identifier. The VLR forwards the information to the AuC, which retrieves K2 based on the identifier and generates a first value, R, and a second value, X, based on at least K2. The AuC then returns R and X to the VLR, which forwards R to the IM. The IM then generates a response, RES, based on at least K1 and R, and sends the RES to the VLR. The VLR then verifies the RES based on X.
24 Claims
1. A method of preventing unauthorized duplication of an identity module (IM), said method comprising:
generating internally within the IM, at least a first key (K1) and a second, different key (K2), wherein the generating step includes assuring that K1 cannot be derived from K2, and K2 cannot be derived from K1; and
exporting K2 and an identifier (ID) from the IM to an authentication server (AS) while keeping K1 internally secret within the IM.
9. An identity module (IM), resistant to duplication, comprising:
means for generating internally within the IM, at least a first key (K1) and a second key (K2) while assuring that K1 cannot be derived from K2, and K2 cannot be derived from K1; and
means for exporting K2 and an identifier (ID) from the IM to an authentication server (AS) while keeping K1 internally secret within the IM.
11. An authentication server for authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM, said authentication server comprising:
means for receiving an access request from the accessing IM;
means for generating a challenge utilizing information stored in the authentication server but not in the accessing IM, wherein the information stored in the authentication server is not sufficient to generate an IM clone capable of responding as a valid IM;
means for generating an expected response that is expected from a valid IM; and
means for sending the challenge to the accessing IM, wherein the challenge varies for each access attempt.
12. A system for providing a valid identity module (IM) with access to a network while preventing access to the network by an unauthorized IM clone, said system comprising:
an authentication server for receiving an access request from an accessing IM, generating a challenge utilizing information stored in the authentication server but not in the accessing IM, generating an expected response that is expected from a valid IM, and sending the challenge to the accessing IM, wherein the challenge varies for each access attempt, and the information stored in or generated by the authentication server is not sufficient to create an IM clone capable of responding as a valid IM;
means within the accessing IM for receiving the challenge, and preparing and sending a response based on information in the challenge and information stored in the accessing IM but not in the authentication server; and
means for providing the accessing IM with access to the network only if the response prepared by the accessing IM equals the expected response generated by the authentication server.
15. A method of providing a valid identity module (IM) with access to a network while preventing access to the network by an unauthorized IM clone, wherein an accessing IM sends an access request to an authentication server, said method comprising:
in the authentication server;
selecting a random value y;
calculating a random value (RAND) utilizing RAND = g^y;
calculating a value R = g^{xy}, where x is a Diffie-Hellman private key known to the accessing IM, and g^x is known to the authentication server;
calculating a shared secret key (K) utilizing K = KDF(R, ...), where KDF is a key derivation function;
sending the RAND and an expected response (XRES) to an intermediary node; and
forwarding the RAND from the intermediary node to the accessing IM; and
in the accessing IM;
determining R utilizing R = RAND^x, where x is the Diffie-Hellman private key;
calculating the shared secret key, K = KDF(R, ...) using the key derivation function;
calculating a response (RES) utilizing RES = f2(K, RAND); and
sending the RES to the intermediary node;
determining by the intermediary node, whether the RES received from the accessing IM is equal to the XRES received from the authentication server; and
providing the accessing IM with access to the network only if the RES received from the accessing IM is equal to the XRES received from the authentication server.
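The Diffie-Hellman exchange of claim 15, as an added Python example that is not part of the patent text. The group (p = 2^255 - 19, g = 2), the SHA-256 `kdf`, the HMAC-SHA256 `f2` and the identifier are assumptions standing in for choices the claim leaves open; the final step shows that the server's stored g^x alone does not produce an accepted response.

```python
import hashlib, hmac, secrets

# Demonstration group (assumption, chosen for brevity): p = 2^255 - 19, g = 2.
P, G = 2**255 - 19, 2

def enc(n):
    return n.to_bytes(32, "big")              # fixed-width encoding of a group element

def kdf(r):
    # Assumed stand-in for the claim's KDF(R, ...)
    return hashlib.sha256(b"im-auth-kdf" + enc(r)).digest()

def f2(k, rand):
    # Assumed stand-in for the claim's f2(K, RAND)
    return hmac.new(k, enc(rand), hashlib.sha256).digest()

class IdentityModule:
    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2    # private key x, kept inside the IM
    def export_public(self):
        return pow(G, self._x, P)                 # g^x, the only value enrolled at the AS
    def respond(self, rand):
        r = pow(rand, self._x, P)                 # R = RAND^x
        return f2(kdf(r), rand)                   # RES = f2(K, RAND)

class AuthServer:
    def __init__(self):
        self.db = {}                              # ID -> g^x; x itself is never stored
    def enroll(self, im_id, gx):
        self.db[im_id] = gx
    def challenge(self, im_id):
        y = secrets.randbelow(P - 3) + 2          # fresh random y for each access attempt
        rand = pow(G, y, P)                       # RAND = g^y
        r = pow(self.db[im_id], y, P)             # R = (g^x)^y = g^(xy)
        return rand, f2(kdf(r), rand)             # RAND and XRES for the intermediary

def intermediary_accepts(res, xres):
    return hmac.compare_digest(res, xres)         # grant access only if RES == XRES

def run_demo(im_id="constructed-id-001"):         # identifier is a constructed sample
    im, server = IdentityModule(), AuthServer()
    server.enroll(im_id, im.export_public())
    rand, xres = server.challenge(im_id)
    genuine = intermediary_accepts(im.respond(rand), xres)
    # A device holding only the server's record (g^x) cannot form g^(xy);
    # here it derives a response from g^x * RAND = g^(x+y) instead.
    guess = (server.db[im_id] * rand) % P
    clone = intermediary_accepts(f2(kdf(guess), rand), xres)
    fresh = server.challenge(im_id)[0] != rand    # challenge varies per attempt
    return genuine, clone, fresh
```

`run_demo()` returns whether the genuine IM was accepted, whether the response built from the leaked record was accepted, and whether a second challenge differed from the first.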
17. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM, said method comprising:
generating internally within the accessing IM, at least a first key (K1) and a second, different key (K2); and
exporting K2 and an identifier (ID) from the accessing IM to an authentication server (AS) while keeping K1 internally secret within the accessing IM;
sending from the accessing IM to a third party, information containing at least the ID;
forwarding the information from the third party to the AS;
retrieving K2 by the AS based on the ID received from the third party;
selecting by the AS a random number R;
generating by the AS, at least a value (RAND) based on at least the number R;
generating by the AS a key K based on at least the number R;
generating by the AS a value (X) based on at least the value (RAND) and the key K;
returning the value RAND and X from the AS to the third party;
forwarding the value RAND from the third party to the accessing IM;
receiving by the third party, a response, RES from the accessing IM; and
verifying the RES by the third party based on X.
21. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM in a network utilizing a signature scheme with message recovery, said method comprising:
generating a public key, U_EK, internally within the accessing IM;
enrolling the public key, U_EK, at an authentication server (AS);
sending an access request from the accessing IM to the AS, said access request including at least an identifier for the accessing IM;
retrieving by the AS, the accessing IM's public key, U_EK;
preparing a challenge, CHAL, by the AS, said challenge including at least one of a random value (RAND), a sequence number (SEQ), and additional data (DATA);
sending the challenge and the accessing IM's public key, U_EK, from the AS to an intermediary node;
forwarding the challenge from the intermediary node to the accessing IM;
preparing by the accessing IM, a digital signature U_SIGN(CHAL) of the challenge;
sending the digital signature U_SIGN(CHAL) from the accessing IM to the intermediary node as a response, RES, to the challenge; and
verifying the response by the intermediary node by determining whether the challenge (CHAL) equals the public key U_EK(RES).
24. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM in a network utilizing signatures with an appendix, said method comprising:
generating a public key, U_EK, internally within the accessing IM;
enrolling the public key, U_EK, at an authentication server (AS);
sending an access request from the accessing IM to the AS, said access request including at least an identifier for the accessing IM;
retrieving by the AS, the accessing IM's public key, U_EK;
preparing a challenge, CHAL, by the AS, said challenge including at least one of a random value (RAND), a sequence number (SEQ), and additional data (DATA);
sending the challenge and the accessing IM's public key, U_EK, from the AS to an intermediary node;
forwarding the challenge from the intermediary node to the accessing IM;
preparing by the accessing IM, a digital signature U_SIGN(hash(CHAL)) of the challenge;
sending the digital signature U_SIGN(hash(CHAL)) from the accessing IM to the intermediary node as a response, RES, to the challenge; and
verifying the response by the intermediary node by determining whether the hash of the challenge, hash(CHAL), equals the public key U_EK(RES).
Specification