Manipulation and restoration of authentication challenge parameters in network authentication procedures
First Claim
1. An apparatus, comprising:
- a processor and a memory communicatively connected to the processor, the processor configured to:
  - receive an equipment identity of a mobile device and a subscriber identity associated with a network authentication module of the mobile device;
  - determine, based on the subscriber identity associated with the network authentication module of the mobile device and the equipment identity of the mobile device, whether the network authentication module of the mobile device is authorized to be used with the mobile device;
  - obtain an authentication vector (AV) for the mobile device, the AV including an original authentication challenge parameter;
  - obtain, based on the equipment identity of the mobile device, a binding key associated with the network authentication module of the mobile device;
  - encrypt the original authentication challenge parameter of the AV, based on the binding key, to form an encrypted authentication challenge parameter;
  - replace the original authentication challenge parameter of the AV with the encrypted authentication challenge parameter;
  - propagate the AV including the encrypted authentication challenge parameter toward a wireless access network supporting the mobile device;
  - receive, from the wireless access network, a synchronization failure message including an authentication token and the encrypted authentication challenge parameter;
  - decrypt the encrypted authentication challenge parameter of the synchronization failure message, based on the binding key, to recover the original authentication challenge parameter; and
  - regenerate the AV for the mobile device based on the original authentication challenge parameter recovered from the synchronization failure message.
Abstract
A challenge manipulation and restoration capability is provided for use during network authentication. A mobile device (MD) and a subscriber server (SS) each have provisioned therein a binding key (B-KEY) that is associated with a subscriber identity of a network authentication module (NAM) of the MD. The SS obtains an authentication vector (AV) in response to a request from a Radio Access Network (RAN) when the MD attempts to attach to the RAN. The AV includes an original authentication challenge parameter (ACP). The SS encrypts the original ACP based on its B-KEY, and updates the AV by replacing the original ACP with the encrypted ACP. The MD receives the encrypted ACP, and decrypts the encrypted ACP based on its B-KEY to recover the original ACP. The MD provides the original ACP to the NAM for use in computing an authentication response for validation by the RAN.
Claims (8)
1. An apparatus (independent claim 1, reproduced in full under First Claim above). Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced on this page.
8. A method, comprising:
- receiving, via a processor, an equipment identity of a mobile device and a subscriber identity associated with a network authentication module of the mobile device;
- determining, based on the subscriber identity associated with the network authentication module of the mobile device and the equipment identity of the mobile device, whether the network authentication module of the mobile device is authorized to be used with the mobile device;
- obtaining an authentication vector (AV) for the mobile device, the AV including an original authentication challenge parameter;
- obtaining, based on the equipment identity of the mobile device, a binding key associated with the network authentication module of the mobile device;
- encrypting the original authentication challenge parameter of the AV, based on the binding key, to form an encrypted authentication challenge parameter;
- replacing the original authentication challenge parameter of the AV with the encrypted authentication challenge parameter;
- propagating the AV including the encrypted authentication challenge parameter toward a wireless access network supporting the mobile device;
- receiving, from the wireless access network, a synchronization failure message including an authentication token and the encrypted authentication challenge parameter;
- decrypting the encrypted authentication challenge parameter of the synchronization failure message, based on the binding key, to recover the original authentication challenge parameter; and
- regenerating the AV for the mobile device based on the original authentication challenge parameter recovered from the synchronization failure message.
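The challenge binding described in the abstract and in claims 1 and 8, as an added example that is not part of the patent: the subscriber server encrypts the 128-bit RAND under the B-KEY selected by the equipment identity, the mobile device decrypts it with its provisioned copy before handing it to the NAM, and on a synchronization failure the server inverts the same transform to recover the original RAND. AES-128 as the cipher, the 16-byte key and RAND sizes, the equipment-identity-keyed map and all type and function names are assumptions made here, not the patent's.

```go
package main

import (
	"crypto/aes"
	"errors"
)

// AV holds the fields the claim manipulates: RAND (challenge) and AUTN (token, opaque here).
type AV struct {
	RAND [16]byte
	AUTN []byte
}

// SubscriberServer keeps one B-KEY per equipment identity (constructed data).
type SubscriberServer struct {
	BindingKeys map[string][16]byte
}

// DeviceRecoverChallenge is the mobile-device side: decrypt the received RAND with
// the provisioned B-KEY. A 128-bit RAND is exactly one AES block, so no IV or padding.
func DeviceRecoverChallenge(bkey, enc [16]byte) (orig [16]byte) {
	b, _ := aes.NewCipher(bkey[:]) // 16-byte key: NewCipher cannot fail
	b.Decrypt(orig[:], enc[:])
	return orig
}

// WrapChallenge encrypts the original RAND under the B-KEY selected by the
// equipment identity and returns the AV with the encrypted RAND swapped in.
func (ss *SubscriberServer) WrapChallenge(equipmentID string, av AV) (AV, error) {
	key, ok := ss.BindingKeys[equipmentID]
	if !ok {
		return AV{}, errors.New("no binding key provisioned for equipment identity")
	}
	b, _ := aes.NewCipher(key[:])
	out := av
	b.Encrypt(out.RAND[:], av.RAND[:])
	return out, nil
}

// RecoverChallenge is the sync-failure path: the RAN returns the encrypted
// RAND alongside the AUTS token, and the SS decrypts it with the same B-KEY
// so the AV can be regenerated from the original challenge.
func (ss *SubscriberServer) RecoverChallenge(equipmentID string, enc [16]byte) ([16]byte, error) {
	key, ok := ss.BindingKeys[equipmentID]
	if !ok {
		return [16]byte{}, errors.New("no binding key provisioned for equipment identity")
	}
	return DeviceRecoverChallenge(key, enc), nil
}
```

A device holding a different B-KEY decrypts to an unrelated value, so its NAM computes a response the network rejects; that is the binding the abstract describes.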