Authentication Feature Parameter Description
Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
BSS
Authentication
Contents
1 Introduction 1-1
1.1 Scope 1-1
1.2 Intended Audience 1-1
1.3 Change History 1-1
2 Overview of Authentication 2-1
3 Authentication Principles 3-1
4 Authentication Procedure 4-1
4.1 Authentication Success 4-1
4.2 Authentication Failure 4-1
5 Parameters 5-1
6 Counters 6-1
7 Glossary 7-1
8 Reference Documents 8-1
Issue 01 (2010-01-12)
1 Introduction
1.1 Scope
This document describes the function and purpose of authentication, authentication procedures, and
handling of successful and failed authentication on the network side.
1.3 Change History
Feature change: refers to a change in the Authentication feature of a specific product version.
Editorial change: refers to a change in wording or the addition of information that was not described in the earlier version.
Document Issues
The document issues are as follows:
- 01 (2010-01-12): This is the first commercial release of BSS9.0.
2 Overview of Authentication
Authentication is a procedure in which the GSM network verifies the validity of the identity of an MS, that
is, verifies the validity of the International Mobile Subscriber Identity (IMSI) or Temporary Mobile
Subscriber Identity (TMSI) transmitted over the Um interface.
Authentication aims to prevent unauthorized subscribers from accessing the network and to protect the
private information of authorized subscribers.
The functions of authentication are as follows:
3 Authentication Principles
The network initiates the authentication procedure in the following situations:
- Service access is initiated, for example, when the MS originates a call, is called, is activated or deactivated, or initiates a supplementary service.
- The MS accesses the network for the first time after the MSC/VLR restarts.
- The ciphering key Kc on the network does not match that on the MS.
The authentication procedure uses an authentication triplet, namely, RAND, Kc, and SRES. The
authentication triplet is calculated in the authentication center (AUC) of the GSM network. When
registering in a GSM network, each subscriber is assigned a Mobile Station International ISDN Number
(MSISDN) and an IMSI. The IMSI is written into the SIM through a SIM writer. The SIM writer also
generates an authentication parameter Ki, which is stored in the SIM and the authentication center as
well. The IMSI and Ki are permanent information.
A pseudo-random number generator is used in the AUC to generate an unpredictable pseudo random
number RAND. In the AUC, the RAND and Ki are used to generate a signed response (SRES) through
algorithm A3 and to generate a ciphering key Kc through algorithm A8. The three parameters RAND, Kc,
and SRES constitute an authentication triplet, which is stored as part of the subscriber data in the HLR.
Generally, the AUC sends five groups of authentication triplets to the HLR at one time. The HLR
automatically stores them. The HLR can store ten groups of authentication triplets. Upon request, the
HLR sends five groups of authentication triplets to the MSC/VLR at one time. The MSC/VLR uses the
authentication triplets one by one. When only two groups are left, the MSC/VLR requests the HLR for
new authentication triplets again.
The network initiates an authentication procedure by sending an Authentication Request message to the
MS and starts timer T3260. The Authentication Request message carries a 128-bit RAND, which is used
to calculate the values of the authentication response parameters. This message also carries the
Ciphering Key Sequence Number (CKSN) assigned to the ciphering key.
Upon receiving the Authentication Request message, the MS calculates the SRES required by the
Authentication Response message and the new ciphering key Kc. After writing the new ciphering key Kc
and the CKSN into the SIM, the MS sends the network an Authentication Response message.
Upon receiving the Authentication Response message, the network stops timer T3260 and checks
whether the Authentication Response message is valid.
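The triplet lifecycle and the RAND/SRES challenge-response described above, as an added Python model that is not part of this document or of any Huawei product: the AUC batch size, the HLR capacity and the MSC/VLR refill threshold follow the text, while the A3/A8 stand-in (an HMAC over RAND under Ki) and every Ki value are assumptions, since the real algorithms are operator-specific and not given here.

```python
import hashlib
import hmac
import os
from collections import deque

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    # Stand-in for the operator-specific A3/A8 (assumption, not specified here):
    # one keyed digest of RAND under Ki, split into a 32-bit SRES and a 64-bit Kc.
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def auc_generate_triplets(ki: bytes, n: int) -> list:
    """AUC: draw n unpredictable 128-bit RANDs and derive (RAND, SRES, Kc) for each."""
    triplets = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = a3_a8(ki, rand)
        triplets.append((rand, sres, kc))
    return triplets

class HLR:
    """Stores at most ten triplets per subscriber, topped up five at a time from the AUC."""
    def __init__(self, ki: bytes):
        self.ki, self.store = ki, deque()
    def triplets_for_vlr(self) -> list:
        if len(self.store) < 5:
            self.store.extend(auc_generate_triplets(self.ki, min(5, 10 - len(self.store))))
        return [self.store.popleft() for _ in range(5)]

class MS:
    """SIM side: Ki never leaves the card; only the SRES goes back over Um."""
    def __init__(self, ki: bytes):
        self.ki, self.kc = ki, None
    def authentication_response(self, rand: bytes) -> bytes:
        self.sres, self.kc = a3_a8(self.ki, rand)   # new Kc kept alongside the CKSN
        return self.sres

class MSCVLR:
    """Uses triplets one by one and asks the HLR for more once only two are left."""
    def __init__(self, hlr: HLR):
        self.hlr, self.refills = hlr, 0
        self.pool = deque(hlr.triplets_for_vlr())
    def authenticate(self, ms: MS) -> bool:
        rand, expected_sres, self.kc = self.pool.popleft()   # Authentication Request carries RAND
        if len(self.pool) == 2:
            self.pool.extend(self.hlr.triplets_for_vlr())
            self.refills += 1
        sres = ms.authentication_response(rand)               # Authentication Response carries SRES
        # Constant-time comparison of the stored SRES with the one the MS returned.
        return hmac.compare_digest(sres, expected_sres)
```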
4 Authentication Procedure
4.1 Authentication Success
Figure 4-1 shows a successful authentication procedure.
Figure 4-1 Successful authentication procedure
- The Authentication Request message carries a 128-bit RAND and a Ciphering Key Sequence Number (CKSN).
- The Authentication Response message carries an SRES, which is calculated on the basis of the RAND and Ki through algorithm A3.
- The network compares the stored SRES with the SRES carried in the Authentication Response message. If the SRESs are the same, the authentication is successful. After the authentication succeeds, subsequent procedures, for example, the ciphering procedure, are initiated.
4.2 Authentication Failure
If the SRESs differ, the network proceeds as follows:
- If the IMSI provided by the MS differs from that in the network, the network restarts the authentication procedure.
- If the IMSI provided by the MS is the expected one, that is, the authentication has genuinely failed, the network responds with an Authentication Reject message.
- If the IMSI (rather than a TMSI) is used to identify the MS, the network responds with an Authentication Reject message.
Figure 4-2 shows a failed authentication procedure.
After sending an Authentication Reject message to the MS, the network releases all the existing MM
connections and initiates the RR connection release procedure.
Upon receiving the Authentication Reject message, the MS sets the roaming flag to prohibited and
deletes the information such as TMSI, LAI, and ciphering key.
If the Authentication Reject message is received when the MS is in the IMSI Detach Initiated state, timer
T3220 will be stopped after the RR connection is released. The MS, if possible, starts the local release
procedure after the normal release procedure is complete or timer T3220 expires. If not possible, for
example, during IMSI detachment at MS power-off, the RR sublayer on the MS side is aborted.
If the Authentication Reject message is received in any other state, the MS aborts any MM connection
establishment or call re-establishment procedure, stops timer T3210 or T3230, releases all the MM
connections, starts timer T3240, enters the Wait For Network Command state, and waits for the release
of the RR connection. If the RR connection is not released after timer T3240 expires, the MS aborts the
RR connection. In both cases, either after an RR connection release triggered by the network or after an
RR connection abort requested by the MS, the MS enters the NO IMSI state, which is a sub-state of the
MM Idle state.
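The MS-side handling of an Authentication Reject in both cases described above, as an added Python model that is not from this document: the MM state names and timer names follow the text, timer handling is reduced to named events, and the initial TMSI, LAI and Kc values are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class MobileStation:
    """MM-layer view of an MS, reduced to what Authentication Reject handling touches.
    Initial identity values are constructed samples, not values from the document."""
    mm_state: str = "MM CONNECTION ACTIVE"
    tmsi: Optional[str] = "TMSI-0A1B2C3D"
    lai: Optional[str] = "LAI-460-00-0001"
    kc: Optional[bytes] = bytes(8)
    roaming_prohibited: bool = False
    rr_connected: bool = True
    timers: Set[str] = field(default_factory=set)

    def on_authentication_reject(self) -> None:
        # In every state: roaming flag set to prohibited; TMSI, LAI and Kc deleted.
        self.roaming_prohibited = True
        self.tmsi = self.lai = self.kc = None
        if self.mm_state == "IMSI DETACH INITIATED":
            # T3220 keeps running until the RR connection is released (on_rr_release).
            return
        # Any other state: abort MM connection establishment or call re-establishment,
        # stop T3210/T3230, start T3240 and wait for the network to release the RR connection.
        self.timers -= {"T3210", "T3230"}
        self.timers.add("T3240")
        self.mm_state = "WAIT FOR NETWORK COMMAND"

    def on_rr_release(self) -> None:
        # Network-triggered RR release: T3220/T3240 stop, MS ends in the NO IMSI sub-state.
        self.rr_connected = False
        self.timers -= {"T3220", "T3240"}
        self.mm_state = "MM IDLE (NO IMSI)"

    def on_timer_expiry(self, timer: str) -> None:
        # If the network never releases, T3240 expiry makes the MS abort the RR connection itself.
        if timer == "T3240" and "T3240" in self.timers:
            self.timers.discard("T3240")
            self.rr_connected = False
            self.mm_state = "MM IDLE (NO IMSI)"
```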
5 Parameters
None.
6 Counters
None.
7 Glossary
For the acronyms, abbreviations, terms, and definitions, see the Glossary.
8 Reference Documents
- 3GPP TS 24.008
- 3GPP TS 42.009
- 3GPP TS 43.020