FI115097B - Circuit authentication method in online data communication, involves forming authentication key for encrypting client credentials independent of client response using client's secret - Google Patents

Abstract

Credentials are formed based on identify information received from a client. An authentication key for encrypting the credentials independent of client response is formed using a secret received form the client. The encrypted credentials are transmitted along with a challenge to the client and the authentication key is formed at the client for decrypting the credentials. Independent claims are included for the following: (1) Client authentication system; (2) Client; (3) Authentication block; and (4) Computer program product for client authentication.

Description

115097

This invention relates to authentication in data communication. In particular, the invention relates to, but is not limited to, authentication of mobile stations and network servers communicating over a network, such as the Internet.

The Internet is used to share public information. Because it is an open system, it should not be used to share confidential information 10 unless precautions have been taken to protect the information with passwords, encryption and the like. Even so, if passwords are used, hackers can set them. There are clients on the Internet (typically PCs with computer programs) and servers (server computers that run computer programs that cause them to provide a service to clients). Typically, programs used on clients and servers assume that users are honest about their identity. Some client / server applications rely on the client to limit its activity to those for which it is allowed, without any other forced action from the server.

20

Some sites use firewalls to improve their '· * · * network security. Unfortunately, firewalls are based on the assumption that • ·: security threats come from outside, which is not always the case. Computer crime can be committed by insiders who have access to / .: 25 private networks that are connected to the Internet through firewalls, or intranets. These insiders can listen to data traffic and sniff other users' passwords. An insider can use these illegally obtained passwords to access services he would not normally have access to. In other words, firewalls can limit viruses ... 30 from randomly infecting an intranet, but generally do not provide any assurance of the true authenticity of a client or server. Strong ./: 'authentication is highly desirable for money, sensitive data, or:' '[: for both transfers.

. 35 One way to improve the situation is to use a specified authentication protocol and, if necessary, encryption protocols party authenticity of 2 115 097 certification and to prevent illegitimate parties to access. Additionally, these protocols can typically be used to verify the integrity of any information exchanged over a link so that the recipient can be assured that the received data has not been altered.

5

Kerberos is a protocol designed to provide strong authentication for client / server applications using secret-key cryptography. There are currently at least two versions of Kerberos, versions 4 and 5. Kerberos version 5 is described in J. Kohl and C. 10 Neumann, 'The Kerberos Network Authentication Service (Version 5)', RFC 1510, September 1993. Versions 4 and 5 are also described in W. Stallings, '' Cryptography and Network Security, Principles and Practice '', second edition, pp. 323-340. These two versions of Kerberos are briefly described below.

15

Figure 1 shows an overview of the Kerberos KS system according to Kerberos Version 4. The Kerberos system KS comprises a client c who can access the Internet, a Kerberos server KSS on the Internet and a service server V to provide a service 20 requiring authentication. The Kerberos server KSS comprises an authentication server AS, a ticket-granting server TGS, and a database DB that ·· 'contains hashed passwords from different clients. Customer c includes; : a personal computer (PC) comprising an input / output module IOc (such as a modem or a network adapter) for connecting to the Internet, · * '· .: 25 central processing units CPUc for processing data and memory MEMC.

The memory has a non-volatile portion for storing CPUc controlling applications and a read-write portion for use in data processing. Additionally, client c includes a user interface UI for user interaction. The UI may prompt the user to enter a password ... 30 and may receive the password. In Kerberos, the applications, together with *: * 'the personal computer, form a client c that can access the services of the host (computer) accessed over an insecure network.

,. 35 V is the server that provides the service to the client c. It authenticates client c using a series of authentications in which client c is first authenticated to 3 115097 to obtain the tickettgs that issue the ticket to the AS. Client c can then use ticketettgS to obtain ticketv from the service issuing ticket. This flag can then be used for the service. This procedure is explained in more detail with reference to Figures 1 and 2.

5

For the Kerberos system to work, client c, AS and TGS should already know the first shared secret (or first authentication key, Kc). The second shared secret (Kv) should be known to AS, TGS and service server V, but not to client c. These shared 10 secrets are assumed to exist.

In order for any particular secret may be known of any particular party, it is sufficient that the party to be used to obtain, for example, by asking it a secret from the user (in the party client) or by requesting it from the database 15 (party of AS or TGS). Typically, TGS and AS are co-located, but in some cases the Kerberos server may also be shared so that TGS and AS are not co-located.

The operation of the Kerberos system KS in a series of steps is illustrated in Figure 2. Briefly, Figure 2 illustrates communication between the user, the client c, the authentication server AS, the flag issuing server TGS, and the * * service server V. For convenience, the notation used here is: follow the one used in the above-mentioned Stallings publication. Steps of Figure 2: Λ: Now described.

25

Step 21: The user logs on to client c and requests the desired service from the service server (host) by sending a login and a service request. To log in, the user enters the client password Kc, which he and the authentication server know. The customer's password is »· ... 30 first shared secret. From now on, Who is called the first authentication key.

Step 22: Client c sends a request to the AS for the ticket issuing the tickets. The request comprises the customer c identifier (IDC), the TGS identifier. 35 (IDtgs), and TSi of the first timestamp corresponding to the time at which the request was transmitted.

4115097

Step 23: The AS creates tickettgs using another authentication key, Ktgs, which AS and TGS know but client c does not. Tickettgs = EKtgs [Kc, tgs || IDC || ADC || IDtgs || TS2 || Lifetime2]. E represents an encryption algorithm 5 that uses the second authentication key Ktgs as its encryption key. Ke, tgs is the first session key that the AS generates (for example, a random key) for use between the client c and the TGS. ADC is the address of client c, fDtgs is the identifier of the TGS, TS2 is the second timestamp representing the tickettgs issue time of the ticket, and Lifetime2 is the tickettgs expiration time of the ticket. The lines "||" 10 represent concatenation. Tickettgs is intended to be used later to obtain a service ticket (ticketv) to use various services. AS then encrypts the data using Kc as follows: EKc [Kc, tgs || IDtgs II TS21 | Lifetime21 | tickettgs] and send the encrypted data to the client c.

Step 24: Client c then prompts the user to enter Kc. 15 The user should know Kc.

Step 25: The user provides the client with c Kc.

Step 26: Using Who and Kc, tgs client c decrypts the encrypted data received from the AS and generates the first client Authenticator, Authenticator = EKc.tgs [IDC || ADC || 20 IDv || TS3]. IDv is the identifier of V and TS3 is the time the Authenticator was created. As the skilled reader will understand, client c can only run Kc.tgsm if it knows Kc. TGS will later use the verifier:.: · Authenticator for client c authentication. Client c then sends a request v for the service granting ticket (ticketv) to TGS. The request includes IDv, tickettgs 25 and Authenticator.

Step 27: TGS generates the ticketv and sends it to the client c. : 'TGS generates ticketv using information about V's other shared secret

Kv as follows: ticketv = as EKv [Kc, v || IDC || ADC || IDv || TS4 || Ufetime4],. ,,,; where 30 KCt v is the second session key for use between client c and V: · 'TS4 is the time stamp indicating the time the flag was created, and

Lifetime4 sets the ticketv lifetime to prevent replay attacks: '': (replay attacks) after the ticketv lifetime expires.

Step 28: Client c sends a service request to V. The request contains. 35 ticketv and another client verifier, Authenticator, where Authenticator = 5 115097

Eko. v [IDC || ADC || TS5]. TS5 is a timestamp that displays the time the second client verifier is being created.

Step 29: After the service server V has examined the authenticator authenticator 21, it can authenticate itself to the client c for mutual authentication. This can be done by answering TSs ^ 1 with 1 added and encrypted with Ke, v so that client c can trust V to be the correct server because it can encrypt at the same time with Ke, vr. The answer is therefore Ekc. v [TS5 + 1] · 10 Steps 22 and 23 occur once per user login session. Tickettgs is thus valid for the duration of the user login session (or until it expires). Steps 26 and 27 occur once for each service type. In other words, each type of service is subject to a different ticketv. Steps 28 and 29 occur once for each service session of the 15 service types granted.

The description in Figure 2 illustrates how Kerberos can provide centralized authentication to a number of different service servers that rely on the Kerberos server for KSS (a combination of AS and TGS). The KSS has a different 20 second shared secret Kv for each V and each V is registered with the KSS.

The system of Figure 1 shows one area: For example, a single:. i: all entities are owned by the employer in one country or city.

* · · 25 Kerberos Version 5 offers some improvements over Version 4, including the ability for multiple Kerberos domains to interact with one another so that one Authentication Server AS can issue ticketing tickets to service servers in different Authentication Areas V.

30 The operation of the Kerberos system according to Kerberos Version 5 will now be described with reference to Figure 1. In Kerberos Version 5, authentication and key distribution begins with an Authentication Service Exchange where the client c requests tickettgs from AS .... and AS creates and sends tickettgs and other parameters encrypted with Kc 35 in response. Tickettgs and the key Tc, tgs are used as authorization for service 115097 I 6 | to obtain ticketv to use the Services.

The authentication service exchange is as follows: (1) from c to AS message KRB_AS_REQ = Options || IDC || Realmc || IDtgs || Times || Noncei 5 (2) from AS to c message KRB_AS_REP = realmc || IDC || tickettgs || EKc [Kc, tgs H times || nonce! || realmtgS || IDtgs] where tickettgs = EKtgs [flags || Kc, tgs || realmc || IDC || ADC || times] and where options different options used to request 10 specific flags to be returned in the returned flag flags different message frame characters to use

In Kerberos Version 5 protocol realmc client region realmtgs TGS region 15 times tickettgs start time, expiration time and renewal time nonce! a random number created by the client to ensure that the answer is fresh (not a copy of a previous answer) 20 It should be borne in mind that different types of fields can be encrypted together, since different types will eventually be represented as binary codes (zeros and v: s). their • ·: origin.

* * · 25 Kc is used to encrypt Kc, tgs and other parameters in the message KRB_AS_REP. Note that in Kerberos anyone can request tickettgs, but only a valid user can use it. Because only a valid user knows KG, others cannot decrypt Kc, tgS, which is required for tickettgs. In Kerberos, Kc is only used in message KRB_AS_REP to encrypt Kc, v-'and other parameters. All other Kerberos messages use different session keys instead of Kc.

* · ·

With Tickettgs and Kc, tgs, customer c can obtain new versions of 35 ticketvs and KCl v-s from TGS. The new versions may still be used to obtain service from Vs.

115097 WO 00/02406 provides a method that allows users of an IP mobility network (Mobile IP Network) to establish Kc using a Subscriber Identification Module (SIM) of a GSM operator. GSM operators have databases containing subscriber identities and their sensitive information. In GSM, the secret stored on the SIM is called Ki. The SIM is capable of generating the GSM session key KgSm, based on the 10 challenges RAND secret K, of the one-way hashed signed response SRES. This procedure of WO 00/02406 is shown in Figure 3 as a series of steps 31 to 37.

Step 31: The Security Server SS (equivalent to KSS) sends an authentication request to the terminal TE1 (corresponding to client c).

15 Step 32: Client c responds with its International Mobile Subscriber Identity (IMSI).

Step 33: The security server sends a security request to the proxy server.

Step 34: The proxy server obtains security information containing the GSM triplet (KgSm, RAND and challenge) from the Home Location Register from the GSM operator using the SIM.

'·' · * Step 35: Proxy sends GSM triplet to: Security server.

»* V. · 'Step 36: Security server sends challenge to RAND client 25 c.

* ·

Step 37: Client c generates its own version of the GSM session key KgSm and the SRES corresponding to the Ki and the received RAND. The client c then sends back the SRES so that the security server can compare it with the GSM-*, ... 30 triplet SRES received from the proxy. If the proxy provided by the SRES and the client-generated SRES match, then the positive authentication is done and the security server can start using the GSM session key as Kgsm Kc between the client c and the security server (i.e. the Kerberos server).

<Itt. WO 00/02406 combines GSM technology with Kerberos technology.

• ·

Instead of authenticating a mobile wireless device in a GSM network using 8115097 GSM triplets and comparing different responses against each other, the SIM is used to provide a response to a challenge received from an IP mobility network. The response is then sent to the IP mobility network for comparison with the correct response to Ki and RAND to detect whether the client c is correct 5 and does not attempt to access the services illegally using another client's IMSI.

According to a first aspect of the invention, there is provided a method of client authentication, the method comprising the steps of: sending a client identification information to the authentication block; providing at least one challenge and at least one first secret to the authentication block based on the client-specific secret; forming a first authorization; 15 generating a first authentication key using at least one first secret; encrypting the first authorization using the first authentication key; sending at least one challenge and encrypted first authorization to 20 clients; generating a first authentication key for the client; • »* ·· 'decryption of the first authorization by the client using: .i: first authentication key; characterized by:, v encrypting the first authorization is independent of receiving any 25 client secret responses from the client: to the authentication block.

Preferably, the first authorization is encrypted before receiving any client-based response from the client * ·, ... t 30 to the authentication block.

•> ·

Preferably, the encrypted first authorization is sent with :: at least one challenge to the client.

35 Even more advantageously, the client secret is not sent from the client to the authentication block. Failure to send any such response 9115097 allows the use of the entire first secret to generate the first authentication key, which cryptographically enhances it.

Preferably, the generation of the first authentication key is based on two or more first secrets. This further reinforces the first authentication key cryptographically.

The invented method is based on a new approach to the problem of establishing the first 10 shared secrets between the authentication block and the client. The approach is fundamentally different from prior art, where telecommunication network instruction was combined with instruction on authentication in different packet data networks, and the telecommunication network authentication mechanism was used in a similar manner as in telecommunication networks. The inventor realized that it is possible to generate a first authorization, a first authentication key, and encrypt a first authorization with a first authentication key when the authentication block acquires a challenge and a first secret. Cryptography is used for both indirect authentication and initial authorization. 20 Only if the client has correctly solved the first authentication key can it decrypt the first authorization. The client can then · *. * 'Generate the service request message using cryptographically the first ;, · decrypted authorization, and thus be authenticated as a byproduct of generating the service request message. This offers significant benefits. 25 The method enables secure and fast authentication, where the first authorization is created and then sent to at least one · · · ·, with the challenge without the need to authenticate the client individually. This makes the method applicable to a variety of known verification methods,. including Kerberos versions 4 and 5 and also reduces ... * 30 data usage. Further, the method does not require the authentication block to store the first secret after the first authentication key and first authorization are generated. This reduces: ": the complexity of the authentication process and speeds it up as some messages become redundant. Authentication is also stronger if all the data in the · ·. 35 first secret is used to form the first authentication key. This was not possible in the known 10 115097 technology where SRES) was transferred from the client to the authentication block in plain language so that any third party could easily have obtained it.

Preferably, the step of acquiring at least one challenge and at least one first secret for the client block based on client specific client secret occurs before the client needs to be authenticated. Even more advantageously, a collection of challenges and first secrets sufficient to establish at least the first two authorizations for the client is acquired in batches. Even more advantageously, such a collection 10 is acquired for a group of clients such that the authentication block already has information available to authenticate any client in the group without first having to obtain the information. This allows for a faster authentication of a group of clients belonging to the same organization or group as their client secrets information is already available for 15 authentication blocks and does not need to be obtained separately for each client authentication.

Preferably, the customer identification information is a subscriber identifier. Even more preferably, the authentication block generates an identifier for use in subsequent authentication messages to the client without the need to include a subscriber identifier therein.

*; Preferably, the first authentication key is generated using: V: a hash function of at least one of the first secrets. Still more preferably, the first authentication key is generated using at least the hash function of the first secret and replay attack protector. The use of a loopback protector to generate the first authentication key and the use of the hash function enable the authentication block to authenticate the client.

· In an alternative embodiment, the first ;; · generation of the authentication key is based on the first secret part.

35 Preferably, forming the first authorization includes # sub-steps:! 115097! 11 encrypting the first data corresponding to the client with a second authentication key which the client does not know; and confirming that the first information is encrypted using a second authentication key.

5

Preferably, the method further comprises the step of generating a service request message using cryptographic first decryption.

Preferably, the first information includes at least one item selected from the group consisting of: a client identifier, a flag server identity, a client region, and a timestamp.

Preferably, the client is a multifunctional mobile terminal having at least functionality for wireless communication and functionality for communicating with a packet data network. Even more preferably, the functionality for wireless communication supports GSM (Global System for Mobile Communications). This provides a large pool of existing Subscriber Identity Units (SIMs) for use in authentication of clients in 20 different data communication networks other than telecommunication networks.

According to another aspect of the invention, there is provided a method for verifying a client, the method comprising the steps of: v, sending a client identification information to the authentication block; : j 25 receive at least one challenge from the authentication block and encrypted: ''; first customer authorization; creating the customer's first secret based on the customer's • secret and challenge; , Ij>; generating the first authentication key with the client using the »» ... first 30 secrets; and *; * 'decrypting the encrypted first authorization by the client.,; · * Using the first authentication key; characterized in that

MB decryption of the first encrypted authorization is • ». 35 independent of sending any customer secret response from the customer to the authentication block.

j 115097 12

According to a third aspect of the invention there is provided a method of client authentication comprising the steps of: receiving client identification information from a client 5 to an authentication block; providing at least one challenge and at least one first secret to the authentication block based on the client-specific secret; forming a first authorization; 10 generating a first authentication key using at least one first secret; encrypting the first authorization using the first authentication key; sending at least one challenge and encrypted first authorization to 15 clients; receiving a message from the client containing the first information; and checking whether the first authorization is used cryptographically to process the first information; 20 characterized in that the encryption of the first authorization is independent of anything. receiving a response from a customer to the authentication block based on customer secrecy.

. ·. According to a fourth aspect of the invention there is provided a method. · · ·] To authenticate the client, which method comprises the steps:>!;! <sending client identification information to the authentication block; '···' acquires at least one challenge and at least one first secret by the authentication block on the basis of the client-specific '* 30 secret; '...: establishing the first authorization; generating a first authentication key using at least one • · I ·. · *. the first secret; • · encrypt the first authorization using the first *: 35 authentication keys by the authentication block; «· 13 115097 send at least one challenge and encrypted first authorization to client by authentication block; generating a first authentication key with the client; decrypting the first authorization with the client using the first 5 authentication keys; and verifying the client using the first authorization.

According to a fifth aspect of the invention there is provided an authentication system comprising an authentication block and a client; and: a first input verification block 10 for receiving customer identification information; a second revenue verification block for receiving at least one challenge and at least one first secret based on the client specific client secret; A first processor in the authentication block for establishing a first authorization; for generating a first authentication key using at least one first secret; and encrypting the first authorization using the first 20 authentication keys; at least one challenge and encrypted in the output authentication block. : *: to provide first authorization to the customer; and a first processor client for generating a first authentication key and an encrypted first authorization. ·. : 25 to decrypt using the first authentication key; • · · Known for encrypting the first authorization is independent of receiving any “···” client-based response from the client to the authentication block.

»* · ♦ • * 30

According to a sixth aspect of the invention, there is provided a client for an authentication system comprising an authentication block and a client; who! ···. the client comprises: a first output for providing client identification information to: "35 authentication blocks; 14 115097 first input for receiving at least one challenge and encrypted first authorization; first processor first secret based on client I5 secret and challenge; first encryption key using first secret; and encrypted first authorization 10, characterized in that the decryption of the encrypted first authorization is independent of sending any client secret response from the client to the authentication block.

According to a seventh aspect of the invention, there is provided an authentication block for an authentication system comprising a client; the authentication block comprising: a first input for receiving customer identification information; A second input for receiving at least one challenge and at least one first secret based on client specific client secret .V:; : first processor: y; forming a first authorization; : 25 for generating the first authentication key using: at least one first secret; and y for encrypting the first authorization using the first authentication key; an output to provide the client with at least one challenge and an encrypted first * '30 authorization; which first input is still arranged to receive; a message from the customer containing the first information; and. ···. each first processor further configured to check whether the first authorization has been used to cryptographically process the first information; characterized in that the 15 115097 first authorization encryption is independent of receiving any client secret response from the client to the authentication block.

According to an eighth aspect of the invention, there is provided a computer program product for controlling a computer that causes the computer to authenticate a client, the computer program product comprising: a computer program code causing the computer to send the client identification information to the authentication block; 10 computer program code that causes the computer to receive at least one challenge and an encrypted first authorization from the authentication block to the client; a computer program code that causes the computer to establish a first secret for the client based on the client's secret 15 and challenge; a computer program code which causes the computer to generate a first authentication key using the first secret with the client; and a computer program code which causes the computer to decrypt 20 encrypted first authorizations using the first authentication key on the client; . A: Known for: decrypting the first proxy is independent of sending any client-based counterparts ·,: 25 from the client to the authentication block.

According to a ninth aspect of the invention, there is provided a computer program product for controlling a computer that causes a computer to authenticate a client, the computer program product comprising: '* 30 computer program code that causes the computer' ...: to receive client identification information from the client to the authentication block; computer program code that causes the computer to acquire. ···. at least one challenge and at least one first secret for the client based on client-specific secret; ': 35 computer program code that triggers the computer':: to establish a first authorization; A computer program code which causes the computer to generate a first authentication key using at least one of the first secrets; a computer program code that causes the computer to encrypt the first 5 authorizations using the first authentication key; a computer program code that causes the computer to send at least one challenge and an encrypted first authorization to the client; a computer program code that causes the computer to receive from the client a message comprising the first information; and 10 computer program code which causes the computer to verify whether the first authorization has been used to cryptographically process the first information; characterized in that the first authorization encryption is independent of receiving any 15 client secret responses from the client to the authentication block.

Embodiments of one aspect are also applicable to various other aspects of the invention. For the sake of brevity, embodiments have not been repeated in all aspects of the invention. The skilled reader will appreciate the advantages of various aspects based on the advantages of the first aspect of the invention.

The invention will now be described, by way of example only, with reference to: V: the accompanying drawings, in which:; 25 Figure 1 shows the Kerberos version of Kerberos Version 4. ···! system; # "* t Figure 2 illustrates the operation of the Kerberos system of Figure 1;

Figure 3 illustrates the authentication procedure of WO 0002406;

Fig. 4 is a block diagram showing a client according to a preferred embodiment of the invention;

Fig. 5 is a block diagram showing an authentication server according to a preferred embodiment of the invention; and * · »·. ···. Figure 6 illustrates the operation of the Kerberos system modified in accordance with a preferred embodiment of the invention.

! 35 * * Figures 1-3 are described above.

17 115097

Fig. 4 is a block diagram showing a client c according to a preferred embodiment of the invention. The client c comprises a telephone functionality block Tel, an IP terminal functionality block for connecting to an IP IP-5 network, a non-volatile memory ROM, a read-only memory RAMC, a user interface Ulc, a SIM reader having a SIM stored in the ROMc and a CPU for processing software. c to guide operations accordingly. Telephone Function Block Tel provides conventional telephone functionality such as call setup and modem communication functionality such as data call setup, sending or receiving faxes, emails. Typically, Tel is compatible with GSM Phase 2+. It can also support GPRS (General Packet Radio Service), a 15 packet based communication service built on GSM. In this case, client c supports two different packet data networks. The operation of client c will be described in more detail with reference to Figure 6.

Figure 5 is a block diagram of an authentication server AS according to a preferred embodiment 20 of the invention. The authentication server AS comprises an input / output block IOAs, a key database for storing (possibly geographically distributed) DB pass keys, as such or compressed, non-volatile memory ROMAs> read-only memory software SWAs, Y: ROMAs software SWAs, access to a communication network 25 (typically GSM network) authentication center AuC (Authentication. ···. Center), and a central processing unit CPUAs to execute software ASs and to control AS operation accordingly. The operation of the authentication server will be described in more detail with reference to Figure 6.

Figure 6 illustrates the operation of a modified Kerberos system according to a preferred embodiment of the invention. The system comprises the client c of Figure 4 and the authentication server AS of Figure 5. Corresponding reference numerals are used to refer to the corresponding messages and steps described in Figures 1 and 2 • »· *. The steps will now be described.

• t 35 »18 115097

Step 61: The SIM provides the International Mobile Subscriber Identity (IMSI) subscriber of the communication network subscriber (of which it is a SIM) to a client c (a mobile node, a TGS identifier (IDtgs), and a first timestamp or random number (replay protection, or nonce) time.

Step 63: The AS requests a number (one or more) GSM triplets from the AuC of the mobile network identified by the IMSI. These triplets are formed by a cryptographic function and a subscriber secret known to both SIM and AuC.

Step 64: Auc responds with one or more challenge (RAND) batches and GSM session keys (Kgsm) and typically also with corresponding identification responses (SRES). The AS generates a first authentication key Ke using n GSM session keys Kgsm and / or GSM triplet authentication responses SRES as follows: Ke = Hashi [n x Kgsm, n x SRES, noncei], where hash! is the first hash function that is a parallel hash function known to both customer c and AS. x is a notation of n KgSm parameters, not a multiplication. According to a preferred embodiment of the invention, the recognition responses are not compared at all (and thus not transmitted in plain language) so that the received recognition responses SRES can also be used to generate Kc I20. Using more secret data to generate Kc increases its cryptographic strength. Alternatively ν '.: only GSM session keys KgSm or authentication responses: SRES can be used. Further, in forming the first authentication key Kc

* t) I

* Y: The number of GSM session keys used in Kgsm may differ from the number of authentication responses used in the SRES. For client c, only. · \ It is necessary to know how to make Kc. Kc works on authentication between AS and client c. Further, the AS generates the first session key Kc, tgs · Kc, tgs may be, for example, a random number generated by the AS.

M · · '' 30 Step 23 ': The AS generates ticketing ticket ticketigs, as described above in the prior art. Step 23 'differs from step 23 of the prior art portion in that the AS also transmits n RANDs used to generate Kc with tickettgs and Kc in addition to the encrypted Kc, tgs'.

Ill '*' 35 Step 65: Client c provides n RANDs to the SIM, which forms '' corresponds to n pairs of recognition responses SRES and Kgsm values.

! ! 115097 j 19

Step 66: The SIM provides the n pairs of authentication responses SRES and Kgsm generated in the previous step to the client c. Next, client c builds its own version of Kc using the SRES and Kgsm values in a similar way as AS had done before. When it has its own version 5 of Kc, the operation of the system then follows steps 26-29 of the standard Kerberos Version 5 protocol described above with reference to Figure 2.

Steps 24 and 25 are replaced with steps 65 and 66, since authentication 10 can be performed automatically if the user has allowed access to his or her SIM.

As mentioned above, the IMSI is sent from the client to the c AS and then the RANDs are sent from the AS to the client c. This communication can be accomplished in various ways, one of which is the implementation of the preferred embodiment 15 shown below.

The Kerberos Version 5 Authentication Service Exchange involves initial transmitting Alternate Pre-Authentication Data (PA_DATA) from the client to c AS. The presence of the pre-authentication data is indicated by the PRE-AUTHENT frame symbol. The use of PA_DATA is not standardized, but according to Stallings, “MIT authentication from version 5 has an encrypted timestamp pre-authentication block which. includes a random confounder, a version number, and: a time stamp, encrypted with the customer's password-based key. "

::: The pre-authentication block, or data, is then decrypted by the AS. AS can. ; 25 then verify customer c's true authenticity and only send tickets if, ·] pre-validation is confirmed. Stallings goes on to describe another option,, that uses a smart card that generates a series of passwords, each with its own "" limited validity period. Passwords may be based on the user's password, but as they change, the passwords that are transferred are actually • 1 [* 30 random and difficult to set. The use of a smart card reader can be indicated by the HW_AUTHENT frame character, which identifies the protocols that ·: · require the use of hardware that is assumed to be only correct. "*, Held by client c.

* ·

'| In a preferred embodiment of the invention, frame characters PA_DATA

: * and HW_AUTHENT are utilized in the present invention so that IMSI

I 115097 20 can be sent in the PA_DATA field and the HW_AUTHENT frame character can be used to indicate the use of SIM in authentication. Instead of using PA_DATA for any pre-authentication, the AS requests, in response to the reserved value of the HW_AUTHENT frame symbol, GSM triplets from the subscriber 5's AuC. The correct AuC can be found using IMSI.

The AS sends n RANDs to client c in the Kerberos Version 5 message KRB_AS_REP, in the Pre-Authentication Data (PA_DATA) field. After receiving the RANDs, the client c can create their own version of K ^ and 10 decrypt the Kc, tgs.

In a preferred embodiment, the PA_DATA field is used to send the IMSI from the client to the c AS. The customer identifier IDC, a fake IDc that is not a real customer identifier (for example, a random number or a constant of 15 such as zero), is used as the IDc. The (fake) IDC is placed in each of the following verification messages that request or issue tickets. The advantage of sending IMSI in the PA_DATA field is that IMSI does not become part of a series of additional messages. This is good because IMSI identifies the subscriber. For security reasons, it is desirable to limit its general availability. The use of pre-authentication frame symbols and data fields is also advantageous in order to provide a standardized way of indicating to the AS that the SIM authentication method according to the invention is used. The standard Kerberos version 5 '·' · 1 can be used with minimal changes and no proprietary protocols need to be executed to get the first \ v 25 session key Kc, tgS to be used in the Kerberos version 5: / · j protocol.

It was also mentioned in the previous paragraph that the customer IDC can be given an arbitrary value. The AS can still select the IDc ..,.: 30 later. The IDC is sent back from the AS in plain language, so it does not matter if the IDC changes after client c has sent the first message with an arbitrary original IDC. It is advantageous for AS to select IDC because it offers the possibility of centralized tag allocation so that each tag can have a unique lifetime.

35 »· 21 115097

Detailed embodiments and embodiments of the invention have been described. It will be apparent to one skilled in the art that the invention is not limited to the details of the embodiments described above, but may be embodied in other embodiments employing equivalent means without departing from the features of the invention. The scope of the invention is limited only by the appended claims.

! | 1 • t tr · • »

Claims (18)

A method for authenticating a customer (c), which method comprises the following steps: sending customer identification information (IMSI) to an authentication block; providing at least one challenge (RAND) and at least a first secret (Kgsm, SRES) to the authentication block (AS) on the basis of a customer-specific (Ki) -specific secret (Ki); creation of a first authority (tickettgs, Kc, tgS); Creating a first authentication key (Kc) using the at least one first secret (KgSm, SRES); encryption of the first authority (tickettgs, Kc, tgs) using the first authentication key (Kc); sending the at least one challenge (RAND) and the encrypted first power (tickettgs, Kc, tgs) to the customer (c); creation of the first authentication key (Kc) of the customer (c); and decryption of the first authority (tickettgs, Kc, tgs) using the first authentication key (Kc) of the customer; distinguishing feature of: ·. the encryption of the first authority (tickettgs, Kc, tgs) is independent of the reception of anyone who hoisted the customer secret (Ki) based re; , * sponsor from customer (c) to the authentication block (AS). »· * * * · '·' 25 2. The method according to claim 1, characterized by the encryption of the first authority (tickettgs, Kc, tgs) takes place prior to receiving someone who heist on the customer secret (Ki) based response from the customer (c) to the authentication block (AS). : 30 3. A method according to claim 1 or 2, characterized in that the transmission of the at least one challenge and the encrypted first command; the joint is done in the same message. f: 4. A method according to any preceding claim, wherein a response based on the customer secret (Ki) is not sent from the customer (c) to the authentication block (AS). 30 115097 5. A method according to any preceding claim, characterized in that the creation of the first authentication key (Ke) is based on two or more first secrets. 5 Method according to any of the preceding claims, characterized by the step of obtaining the at least one challenge (RAND) and the at least one first secret (KgSm, SRES) on the authentication block (AS) on the basis of a customer-specific customer (c) -the (Ki) happens before the customer needs authentication. 10 7. A method according to any of the preceding claims, characterized in that the customer information consists of a subscriber identifier. 15 8. A method according to any of the preceding claims, characterized in that the method further comprises a step where the authentication block creates an identifier for use in later authentication messages to the customer. 20 9. A method according to any of the preceding claims, characterized in that the method further comprises a step for receiving a protector against repeated attacks (non-ι) from the customer for authentication. ring block; and the creation of the first authentication key comprises a sub-step using a hash function for the first secret and the repeater against repeated attacks. 10. A method according to any of the preceding claims, characterized in that the creation of the first authority comprises the following -: * 30 minor steps:, · encryption of first information (IDC) corresponding to the customer with a: second authentication key (Ktgs) as the customer (c ) do not know; and verification that the first information has been encrypted using the first authentication key (Ktgs). ,; : 35 * »t s> • 31 115097 11. A method according to any preceding claim, characterized in that the process further comprises a step of creating a message requesting a service using the first decrypted authority cryptographically. 5 A method for authenticating a customer (c), which method comprises the following steps: sending customer identification information (IMSI) to an authentication block (AS); Receiving at least one challenge (RAND) and an encrypted first power (tickettgs, Kc, tgs) from the authentication block (AS) to the customer (c); creation of a first secret (Kgsm, SRES) of the customer on the basis of a customer secret (Ki) and the challenge (RAND); Creating a first authentication key (Kc) of the customer (c) using the first secret (KgSm. SRES); and decrypting the encrypted first authorization (tickettgs, Kc, tgs) of the customer using the first authentication key (Kc); The characteristic of the decryption of the first encrypted authority (tickettgs, Kc, tgs) is independent of transmission of any one that heisted on the customer secret (Ki) based response from the customer (c) to the authentication block (AS). I * ·. A method for authenticating a customer (c), the method comprising the following steps: * receiving customer identification information (IMSI) from the customer (c); 'An authentication block (AS); providing at least one challenge (RAND) and at least a first secret (Kgsm, SRES) to the authentication block (AS) on the basis of a customer secret (Ki) specific customer (Ki); ,: creation of a first authority (tickettgs, Kc, tgs); ,: creation of a first authentication key (Kc) using ',, | of the at least one first secret (KgSm, SRES); encryption of the first authority (tickettgs, Kc, tgs) with use ;; : Generating the first authentication key (Kc); In I 32 sending the at least one challenge (RAND) and the encrypted first power (tickettgs, Kc, tgs) to the customer (c); receiving a message containing initial information from the customer (c); and checking whether the first authority has been used cryptographically to process the first information; The characteristic of the encryption of the first authority (tickets, KCttgs) is independent of receiving anyone who heisted on the customer secret (Ki) based response from the customer (c) to the authentication block (AS). 10 Authentication system, which authentication system comprises an authentication block (AS) and a customer (c); and a first input (IOAs) of the authentication block (AS) for receiving customer identification information (IMSI); A second input (IOAs) of the authentication block (AS) for receiving at least one challenge (RAND) and at least a first secret (Kgsm, SRES) based on one for the customer (c) specific customer secret (Ki); a first processor (CPUAS) of the authentication block (AS) for creating a first power (tickets, Kc, tgs); for creating a first authentication key (Kc) using; creation of the at least one first secret (KgSm. SRES); and for encrypting the first authority (tickettgs, Kc, tgs) using the first authentication key (Kc); . : An output (IOAs) of the authentication block (AS) to provide the at least one challenge (RAND) and the encrypted first power (tickettgs, Kc, tgs) to the customer (c); and • a first processor (CPUc) of the customer (c) for creating the first authentication key (Kc) and for decrypting the encrypted first authorization (tickettgs, Kc.tgs) using the first authentication key: the key (Kc); feature water; . ; the encryption of the first authority (tickettgs, Kc, tgs) is independent of the receipt of anyone who hoisted the customer secret (Ki) based on; _ sponsor from customer (c) to the authentication block (AS). v; 35 • · • · 33 115097 15. Customer (c) for an authentication system comprising an authentication block (AS) and a customer (c); which customer comprises a first output (IOc) for providing customer identification information (IMSI) with the authentication block (AS); A first input (IOc) for receiving at least one challenge (RAND) and an encrypted first power (tickettgs, Kc, tgs); a first processor (CPUc) for creating a first secret (KgSrn, SRES) on the basis of a customer secret (Ki) and the challenge (RAND); 10 for creating a first authentication key (Kc) using the first secret (KgSm, SRES); and for decrypting the encrypted first authority (tickettgs, Kc, tgs) using the first authentication key (Kc); characterized by the decryption of the encrypted first authority (tickettgs, Kcitgs) is independent of the transmission of anyone who heisted the customer secret (Ki) based response from the customer (c) to the authentication block (AS). 16. Authentication block (AS) for an authentication system comprising a customer (c); which authentication block comprises a first input (IOAs) for receiving customer identification information (IMSI); in a second input (IOAs) for receiving at least one challenge (RAND) and at least one first secret (KgSm, SRES) based on; *. t: one for the customer (c) specific customer secret (Ki); A first processor (CPUAs), for creating a first authority (tickettgs, KCitgS); I for creating a first authentication key (Kc) using the at least one first secret (Kgsm, SRES); and; for encrypting the first authority (tickettgs, Kc, tgs) using the first authentication key (Kc); an output (IOAs) to provide the at least one challenge. the encrypted first authority (tickettgs, Kc, tgS) eats the customer; which first input (IOAs) is further arranged to receive from the customer '*,' / 35 (c) a message containing first information; and on * »34 115097 which first processor (CPUAs) is additionally arranged to check whether the first power has been used cryptographically to process the first information; features of which the encryption of the first power (ticket gS, Kc, tgS) are independent of reception of someone who heisted on the customer secret (Ki) based response from the customer (c) to the authentication block (AS). in A computer program product for controlling a computer, which computer program product causes the computer to authenticate a customer (c) and which computer program product comprises a computer program code which causes the computer to send customer identification information (IMSI) to an authentication block (AS); a computer program code that causes the computer to receive at least one challenge (RAND) and an encrypted first power (tickettgs, Kc, tgS) from the authentication block (AS) to the customer (c); a computer program code that causes the computer to create with the customer a first secret (Kgsm, SRES) on the basis of a customer secret (Ki) and the challenge (RAND); a computer program code that causes the computer to create at the customer (c) a first authentication key (Kc) using the first secret (Kgsmi SRES); and, * a computer program code that causes the computer to decrypt the encrypted first authorization (ticketgs. Kc, tgS) using the first authentication key (Kc) of the customer; characterized by the decryption of the encrypted first authority (tickets, »· Kc.tgs) is independent of the transmission of anyone who hoisted the customer secret (Ki). based response from the customer (c) to the authentication block (AS). ? » 18. Computer software product for controlling a computer, which computer program; A computer program code that causes the computer to receive customer identification information (IMSI) from the customer (c) to an authentication block (AS); a computer program code that causes the computer to provide the authentication block 35 (AS) with at least one challenge (RAND) and at least a first secret (Kgsm, SRES) on the basis of a secret (Ki) specific to the customer (Ki); A computer program code that causes the computer to create a first authority (ticketgg, Kc, tgs)> a computer program code that causes the computer to create a first authentication key (Kc) using the at least one first secret (Kgsm> SRES), a computer program code that causes the computer to encrypt the first authority (tickets, Kc, tgS) using the first authentication key (Kc); a computer program code that causes the computer to send the at least one challenge (RAND) and the encrypted first authority (tickettgs, KCitgs) to the customer (c); a computer program code that receives the date from the customer (c) to receive a message containing initial information; and a computer program code that causes the computer to check whether the first authority has been used cryptographically to process the first information; characterized by the encryption of the first authority (tickettgs, Kc, tgS) is independent of the receipt of anyone who raised the customer secret (Ki) based response from the customer (c) to the authentication block (AS). * · »! *