Authentication method
First Claim
1. A method for authenticating both a subscriber station and a communications network to establish a communication connection, the subscriber station having its own identity data, the method comprising:
generating a first random number in the subscriber station which is transferred along with the subscriber identity data to an authentication centre;
generating a second random number in the authentication centre which is transferred to the subscriber station, calculating a first set of parameters in the authentication centre having first and second responses and calculating a second set of parameters in the subscriber station including first and second responses, wherein both sets of parameters are defined on the basis of the subscriber identity and at least one of said random numbers;
sending the first responses of the first set of parameters to the subscriber station;
comparing the first responses in the subscriber station, wherein if the first responses are equal then the communications network is authenticated by the subscriber station;
sending the second responses of the second set of parameters to the communications network;
comparing the second responses in the communications network, wherein if the second responses are equal then the subscriber station is authenticated by the communications network, in which the home network has been defined for at least some subscribers, wherein the identity data is divided into first and second parts in such a way that the first part contains the information for identifying the subscriber group and the second part identifies the subscriber within the subscriber group, a third random number is generated in the subscriber station, the second part of the subscriber identifier is ciphered by using a random input and a subscriber group specific key, a message containing a partially ciphered identifier, consisting of the first part and the ciphered second part, and the used random input is sent to a network element of the communications network, the message is routed from the communications network to the subscriber's home network and the identity is deciphered in the subscriber's home network.
3 Assignments
0 Petitions
Abstract
In telecommunications systems, traffic can be protected from eavesdropping and the use of a false identity can be prevented by verifying the authenticity of the terminal equipment by means of an authentication procedure. Verifying the authenticity of the terminal equipment is especially important in mobile communications systems. In the authentication procedure, the network checks the authenticity of the identity stated by the subscriber device. Additionally, the subscriber device can check the authenticity of the network identity. In systems in accordance with prior art, the secret information required for the authentication must be transferred via unsecure transfer networks and handed to the visited networks. That information makes it possible to perform an unlimited number of authentications for an unlimited time. In this case, an active eavesdropper may be able to acquire the information and perform the authentication process without forming a connection to the subscriber's authentication centre. The invention presents a method in which each individual authentication process is done between the mobile station and the authentication centre. This means that the reliability of the network is checked in connection with every authentication, and not enough information is transferred between the network elements to make it possible to use a false identity.
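The following simulation of the exchange in claim 1 and the abstract is an added example, not code from the patent or its assignee. The claim fixes neither the response function nor the cipher, so the choices here are assumptions: HMAC-SHA256 over the identity and both random numbers for the first and second responses, an HMAC-derived keystream XORed over the second identity part for the identity ciphering, 16-byte random numbers, and the constructed names `MobileStation`, `HomeNetwork`, `ServingNetwork` and `RogueNetwork`. The subscriber identity, keys and group label are constructed sample values.

```python
import hashlib
import hmac
import secrets

RES_LEN = 16  # truncated response length; an assumption of this example

# Constructed sample subscriber: identity = first part (subscriber group / home network)
# + second part (subscriber within the group). Keys are constructed, not real.
GROUP_PART = b"group-A"
SUBSCRIBER_PART = b"0123456789"
GROUP_KEY = bytes.fromhex("00" * 15 + "a1")   # key shared by the subscriber group
SUBSCRIBER_KEY = bytes.fromhex("11" * 16)      # long-term key of this subscriber


def response(key, label, identity, rand1, rand2):
    """One response of a parameter set, bound to the identity and both random numbers.
    HMAC-SHA256 is an assumption: the claim does not name the function."""
    return hmac.new(key, label + identity + rand1 + rand2, hashlib.sha256).digest()[:RES_LEN]


def cipher_identity_part(group_key, rand3, part):
    """Cipher (or decipher) the second identity part with a keystream derived from the
    group key and RAND3. XOR with an HMAC keystream stands in for a real cipher and
    only covers parts of up to 32 bytes (assumed construction)."""
    stream = hmac.new(group_key, rand3, hashlib.sha256).digest()[:len(part)]
    return bytes(a ^ b for a, b in zip(part, stream))


class MobileStation:
    def __init__(self, group_part, subscriber_part, group_key, key):
        self.group_part, self.subscriber_part = group_part, subscriber_part
        self.group_key, self.key = group_key, key
        self.rand1 = None

    def start(self):
        """Message 1: partially ciphered identity, RAND3 and RAND1 (the first random number)."""
        self.rand1 = secrets.token_bytes(16)
        rand3 = secrets.token_bytes(16)
        ciphered = cipher_identity_part(self.group_key, rand3, self.subscriber_part)
        return self.group_part, ciphered, rand3, self.rand1

    def check_network(self, rand2, res1):
        """Second set of parameters. Returns RES2 only if the network's RES1 matched."""
        identity = self.group_part + self.subscriber_part
        expected = response(self.key, b"RES1", identity, self.rand1, rand2)
        if not hmac.compare_digest(expected, res1):
            return None  # network not authenticated: RES2 is never revealed
        return response(self.key, b"RES2", identity, self.rand1, rand2)


class HomeNetwork:
    """Authentication centre of one subscriber group (the subscriber's home network)."""
    def __init__(self, group_key, subscriber_keys):
        self.group_key, self.subscriber_keys = group_key, subscriber_keys
        self.pending = {}  # RAND2 -> expected RES2 for that authentication

    def handle_request(self, group_part, ciphered, rand3, rand1):
        identity = group_part + cipher_identity_part(self.group_key, rand3, ciphered)
        key = self.subscriber_keys[identity]  # an unknown subscriber raises KeyError
        rand2 = secrets.token_bytes(16)       # second random number
        res1 = response(key, b"RES1", identity, rand1, rand2)
        self.pending[rand2] = response(key, b"RES2", identity, rand1, rand2)
        return rand2, res1

    def verify_subscriber(self, rand2, res2):
        expected = self.pending.pop(rand2, None)
        return expected is not None and hmac.compare_digest(expected, res2)


class ServingNetwork:
    """Visited network element: routes by the clear first identity part and never
    learns the second part, which only the home network deciphers."""
    def __init__(self, home_networks):
        self.home_networks = home_networks
        self.home = self.rand2 = None

    def authenticate_request(self, group_part, ciphered, rand3, rand1):
        self.home = self.home_networks[group_part]
        self.rand2, res1 = self.home.handle_request(group_part, ciphered, rand3, rand1)
        return self.rand2, res1

    def authenticate_response(self, res2):
        return self.home.verify_subscriber(self.rand2, res2)


class RogueNetwork:
    """Network element without the subscriber key: it can only guess RES1."""
    def authenticate_request(self, group_part, ciphered, rand3, rand1):
        return secrets.token_bytes(16), secrets.token_bytes(RES_LEN)

    def authenticate_response(self, res2):
        return True


def run_protocol(ms, network):
    """Returns (network authenticated by the MS, MS authenticated by the network)."""
    rand2, res1 = network.authenticate_request(*ms.start())
    res2 = ms.check_network(rand2, res1)
    if res2 is None:
        return False, False
    return True, network.authenticate_response(res2)


def build_demo():
    """Constructed deployment: one home network, one serving network, one subscriber."""
    home = HomeNetwork(GROUP_KEY, {GROUP_PART + SUBSCRIBER_PART: SUBSCRIBER_KEY})
    ms = MobileStation(GROUP_PART, SUBSCRIBER_PART, GROUP_KEY, SUBSCRIBER_KEY)
    return ms, ServingNetwork({GROUP_PART: home})


if __name__ == "__main__":
    ms, net = build_demo()
    print("genuine network:", run_protocol(ms, net))
    print("rogue network:  ", run_protocol(ms, RogueNetwork()))
```

Two properties of the claim show up directly: the mobile station withholds its second response until the network's first response has verified, so a network element that lacks the subscriber key gets nothing it could replay, and the serving network only ever sees the group part, a fresh RAND3 and a ciphered second part that changes on every attempt.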
12 Claims
Specification