Efficient authentication protocols of GSM

Computer Communications 28 (2005) 921–928 www.elsevier.com/locate/comcom

Chin-Chen Chang*, Jung-San Lee, Ya-Fen Chang
Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Min-Hsiung, Chiayi 621, Taiwan, ROC
Received 2 December 2003; revised 12 January 2005; accepted 28 January 2005
Available online 23 February 2005

Abstract

GSM is undoubtedly the most important standard for worldwide wireless communication in recent years, and the authentication protocol is the main component of the GSM architecture. However, the existing GSM authentication protocol has several drawbacks: bandwidth consumption between VLR and HLR, storage overhead in VLR, and the fact that VLR cannot be authenticated. Many authentication protocols have been proposed to remedy these drawbacks. Among them, Hwang et al.'s protocol [C.C. Lee, M.S. Hwang, W.P. Yang, Extension of authentication protocol for GSM, IEE Proceedings of Communication, 150(2) (2003) 91–95 [1]], proposed in 2003, can solve the above drawbacks. However, VLR is authenticated only the first time, when MS joins a new visiting VLR to ask for communication service. In this paper, we propose an improvement to Hwang et al.'s protocol such that mutual authentication between VLR and MS is ensured whenever MS sends an authentication request. In addition, we propose a brand-new authentication protocol which not only solves those drawbacks but also makes the authentication more efficient.
© 2005 Elsevier B.V. All rights reserved.

Keywords: Authentication; GSM

1. Introduction

With the rapid growth of information science, both wired and wireless networks have developed well. The global system for mobile communication (GSM) was first proposed during the 1980s. It has since spread throughout the world and has become the standard of the Pan-European digital cellular system, and even the main standard of worldwide wireless communication. Because wireless networks lack the physical protection mechanisms of conventional fixed-topology or static-user networks, an appropriate security mechanism is required to protect wireless communication from illegal attacks such as fraudulent behavior, illegal data access and eavesdropping [5,6,7,8,9,10,17].

* Corresponding author. Tel.: +886 5 2720411x33100; fax: +886 5 2720859.

0140-3664/$ - see front matter © 2005 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2005.01.015

Several years ago, mobile phones were viewed as luxuries, but they are now treated as articles of daily life. The mobile phone market has witnessed marvelous growth in recent years, and it is gauged that the number of mobile phone users will be in the region of 1.07 billion at the end of 2003. This situation is owing to the convenience of GSM, which lets people communicate with anyone, anywhere, at any time, and to the enormous support from the telecommunication industry. The popularity of mobile phones also indirectly promotes the development of wireless communication networks. However, security is always the most important concern in wireless communication. Since the mobile communication network lets people communicate with one another without direct contact, avoiding being defrauded is a serious issue. What is more, the openness of signal transmission also causes serious security problems in the wireless communication channel [15]. Generally speaking, there are two major security issues in wireless communication: authentication and privacy. Authentication ensures that no unauthorized user can obtain, from the home system, the services of an authorized user. Privacy, on the other hand, means ensuring that


C.-C. Chang et al. / Computer Communications 28 (2005) 921–928

the communication messages will not be intercepted by eavesdroppers.

In the GSM architecture, each mobile service provider has two major databases, the home location register (HLR) and the visitor location register (VLR). HLR is responsible for maintaining the information and current location of subscribers, and VLR is responsible for keeping the information of visiting users and transmitting the location information of subscribers to HLR from time to time. The mobile station (MS) communicates through the wireless link with the base station (BS), which is in turn connected to the mobile switching center (MSC). In other words, MSC can be treated as a bridge between the wireless and wired networks. The authentication center (AUC), which keeps the secret key $K_i$ shared with the subscriber and generates the sets of security parameters for the authentication requests of HLR, is the most important component in the GSM architecture. Each GSM subscriber also has the secret key $K_i$ in the Subscriber Identity Module (SIM) card of MS. During the initial registration, every subscriber gets a unique identity and an International Mobile Subscriber Module (IMSI) from the AUC. The security of the GSM architecture is based on the algorithms A3, A5 and A8, where A3 is a one-way function used to compute the certificate that authenticates the mobile station, A5 is an encryption/decryption algorithm, and A8 is another one-way function used to generate the session keys $K_C$. The GSM architecture is shown in Fig. 1. The signed result SRES and $K_C$ are computed by using the random number $R$ generated by HLR and $K_i$ as the inputs through A3 and A8, respectively [3,4,6,7,11,12,13].

So far, several drawbacks have been found in the GSM authentication protocol:

(1) Mutual authentication between MS and VLR is not provided in the GSM architecture. Only MS is authenticated by VLR; VLR is not authenticated by MS. This property is harmful to MS.
(2) For each MS in the visiting VLR, $n$ copies of the triplet of authenticating parameters are stored in VLR's database. This approach results in storage overhead.
(3) If MS stays in the same VLR for a long time and consumes all of the authenticating parameters, VLR will request another $n$ copies of authenticating parameters from HLR. On the other hand, MS may move frequently, so that it sends requests to several VLRs in a short period. As mentioned above, each VLR will request $n$ copies of the triplet authentication parameters from HLR. Consequently, the bandwidth consumption and the load on HLR increase badly.

In recent years, many authentication protocols have been proposed to solve these drawbacks of the GSM authentication protocol. However, most of them cannot solve all of the drawbacks mentioned above. Park et al. proposed a secure method for GSM in 1999, which provides non-repudiation services and resolves some of the drawbacks. However, the architecture is changed. Later, Hwang et al. proposed a new method that solves all of the above drawbacks without changing the existing GSM architecture. Nevertheless, when the mobile station user makes the second call, drawback (1) still occurs. In this paper, we propose two methods to improve Hwang et al.'s

Fig. 1. The GSM architecture.


protocol and increase the round efficiency of the authentication protocol [1,14].

2. Preliminaries

In GSM, the most important part is the authentication protocol. The notations used throughout this paper, the existing GSM authentication protocol and Hwang et al.'s authentication protocol are presented in Sections 2.1, 2.2 and 2.3, respectively.

2.1. Notations

Before demonstrating these authentication protocols, we first list the notations used throughout this paper.

HLR: The home location register
VLR: The visitor location register
TMSI: The temporary mobile subscriber identity
IMSI: The international mobile subscriber module
LAI: The location area identity
$ID_V$: The identification of VLR
$K_i$: The secret key shared between MS and HLR
$T$: The timestamp generated by MS
$T_j$: The timestamp generated by MS for the jth authentication request, $j \in N$
$R$: The random number generated by HLR
$R_j$: Random number generated by VLR for the jth authentication request, $j \in N$
A3, A5, A8: The three algorithms on which the security of GSM is based
A3/A5/A8 $(M, K)$: To modify the input $M$ with the key $K$ through A3/A5/A8
SRES: The signed result computed for the first time of the authentication
$SRES_j$: The signed result computed for the jth authentication request, $j > 1$, $j \in N$
CERT_VLR: The certificate of the visiting VLR computed for the first time of the authentication
$CERT\_VLR_j$: The certificate of the visiting VLR computed for the jth authentication, $j > 1$, $j \in N$
$\|$: The concatenation symbol

2.2. Review of current authentication protocol for GSM

An overview of the current GSM authentication protocol is shown in Fig. 2, and the details are described as follows.

Fig. 2. The authentication protocol of GSM.

Step 1: When MS joins a new visiting area and asks for new communication service, an authentication request is first sent to VLR, where the request includes TMSI and LAI.
Step 2: After receiving the request, the new VLR uses the received TMSI to get the IMSI from the old VLR and then sends the IMSI to HLR.
Step 3: HLR then generates $n$ distinct sets of authenticating parameters $\{SRES, R, K_C\}_h$, where $h = 1, 2, \ldots, n$, and sends them to VLR.
Step 4: After receiving those sets of authenticating parameters, VLR keeps them in its own database and selects one set to authenticate the mobile station for each call. Next, VLR sends the selected $R$ to MS.
Step 5: Once MS receives $R$ from VLR, it computes $SRES' = A3(R, K_i)$ and the temporary session key $K'_C = A8(R, K_i)$, where $K'_C$ is kept secret for communication. Then $SRES'$ is sent back to VLR.
Step 6: Upon receiving $SRES'$ from MS, VLR compares it with the selected SRES kept in its own database. If they are not the same, the authentication fails; otherwise, VLR can be sure that MS is legal.

2.3. A review of Hwang et al.'s authentication protocol

To solve the existing drawbacks of the current authentication protocol of the GSM architecture, Hwang et al. proposed a new authentication protocol. The key concept is that HLR makes the visiting VLR and MS share a temporary secret key $K_T$. $K_T$ is computed through A3 by HLR using $K_i$ and $R$ as the inputs, where $K_i$ is the secret key shared between MS and HLR, and $R$ is generated by HLR. In addition, HLR also computes the certificate $CERT\_VLR = A3(T, K_i)$ for the visiting VLR of MS, where $T$ is the timestamp sent by MS. CERT_VLR is then used for authenticating the validity of VLR. The flowchart of Hwang et al.'s authentication protocol is shown in Fig. 3, and the details of the protocol are described as follows.

Step 1: When MS enters a new visiting area and asks for new communication service, an authentication request including the TMSI, LAI and $T$ is sent to VLR.


Fig. 3. Hwang et al.'s authentication protocol of GSM.

Step 2: After receiving the request, the new VLR uses the received TMSI to get the IMSI from the old VLR and then sends the IMSI along with its identification $ID_V$ and $T$ to HLR through a secure channel.
Step 3: After receiving the information from VLR, HLR checks whether the timestamp $T$ has expired and whether the identity $ID_V$ of the visiting VLR of MS is legitimate. If both $T$ and $ID_V$ are valid, HLR randomly chooses a number $R$ and computes $CERT\_VLR = A3(T, K_i)$ and $K_T = A3(R, K_i)$. Then HLR transmits the computation results and $R$ to the visiting VLR. Otherwise, HLR terminates the authentication protocol.
Step 4: Once VLR receives the information, it computes $SRES = A5(R_1, K_T)$ and stores it in its own database, where $R_1$ is the random number generated by VLR for the present communication. Then, VLR passes $R$, $R_1$, $T$ and CERT_VLR to MS.
Step 5: On receiving the information from VLR, MS first checks whether $T$ is valid. If it is, MS computes $CERT\_VLR' = A3(T, K_i)$ and compares $CERT\_VLR'$ with the received CERT_VLR. If they are not equivalent, the authenticating process is halted; otherwise, MS computes $K_T = A3(R, K_i)$ and $SRES' = A5(R_1, K_T)$. Then MS sends $SRES'$ back to VLR.
Step 6: Upon receiving $SRES'$ from MS, VLR compares it with the SRES kept in its own database. If they match, the authentication is successful; otherwise, the request is rejected.

For the jth communication, where $j > 1$ and $j \in N$, VLR randomly generates a number $R_j$ and then computes $SRES_j = A5(R_j, K_T)$. Next, VLR stores $SRES_j$ in its own database and sends $R_j$ to MS. After receiving $R_j$ from VLR, MS computes $SRES'_j = A5(R_j, K_T)$ and sends it to VLR. Upon getting $SRES'_j$, VLR checks whether $SRES'_j$ is equal to $SRES_j$. If so, VLR is convinced that MS is legal; otherwise, VLR rejects the request. Unlike the original authentication protocol, VLR does not need to request further authentication parameters from HLR as long as MS stays in the service area of the same visiting VLR.

According to the procedures of the authentication for the jth communication, where $j > 1$ and $j \in N$, it is obvious that mutual authentication is not confirmed, since only MS is authenticated.

3. The proposed authentication protocols

In Hwang et al.'s authentication protocol, when MS stays in the service area of the visiting VLR and asks for the second authentication, VLR generates another random number $R_2$ and sends it to MS for authentication. However, MS does not authenticate the validity of VLR. In a word, mutual authentication is only achieved in the first communication. To provide mutual authentication, we propose an improvement in Section 3.1. In addition, a new authentication protocol with better round efficiency is presented in Section 3.2.

3.1. Scheme 1: an improvement on Hwang et al.'s authentication protocol

In this subsection, we propose an improvement that provides mutual authentication whenever MS asks VLR for authentication. As mentioned in Section 2.3, the temporary secret key $K_T$ is stored in the visiting VLR's database and in MS's database after the first authentication. The key concept of the improvement is that when MS asks for the jth authentication, VLR uses $K_T$ and $T_j$ as the inputs through A3 to compute the certificate $CERT\_VLR_j$, where $j > 1$, $j \in N$ and $T_j$ is the timestamp included in the authentication request sent by MS. The certificate $CERT\_VLR_j$ is then used by MS to authenticate VLR. The flowchart of the jth authentication is shown in Fig. 4. The details of the improvement are described as follows.

Step 1: When MS wants the communication service provided by the same visiting VLR for the jth time, it sends an authentication request to VLR, where the request includes TMSI and $T_j$.
Step 2: After receiving the request from MS, VLR generates a random number $R_j$, computes $SRES_j = A5(R_j, K_T)$ and keeps $SRES_j$ in the database. Next, it continues

Fig. 4. The flowchart of the jth authentication.


computing $CERT\_VLR_j = A3(T_j, K_T)$ and then sends it along with $R_j$ to MS.
Step 3: Once MS receives the messages from VLR, it computes $CERT\_VLR'_j = A3(T_j, K_T)$ and compares it with the received $CERT\_VLR_j$. If they are not the same, the authentication process is terminated; otherwise, VLR is authenticated successfully. MS then computes $SRES'_j = A5(R_j, K_T)$ and sends it to VLR.
Step 4: Upon receiving $SRES'_j$ from MS, VLR compares $SRES'_j$ with the $SRES_j$ kept in its own database. If they are not equivalent, the authentication fails; otherwise, the request is accepted.

3.2. Scheme 2: an efficient authentication protocol of GSM

To overcome the drawbacks mentioned in Section 1 and also to make the authentication more efficient, an authentication protocol with better round efficiency is proposed in this subsection. Scheme 2 consists of two phases. Phase 1 is executed when MS has just joined the visiting VLR and asks for authentication for the first time, and Phase 2 is executed when MS sends the jth authentication request to the same visiting VLR, where $j > 1$ and $j \in N$. The details of Phase 1 and Phase 2 are given in Sections 3.2.1 and 3.2.2, respectively. The flowcharts of the two phases are depicted in Figs. 5 and 6, respectively.

3.2.1. Phase 1: the first authentication in the visiting VLR

The main concept of this phase is employing $(R \| T_1)$ instead of $R_1$ as the input through A5 to compute the authentication pattern SRES, where $R$ is the random number generated by HLR and $T_1$ is the timestamp sent by MS for the first communication. The authentication process is as follows.

Step 1: When MS joins a new visiting area and asks for new communication service, it sends an authentication request to the new VLR. The request includes TMSI, LAI and $T_1$.

Fig. 5. The flowchart of Phase 1.

Fig. 6. The flowchart of Phase 2.

Step 2: VLR then uses TMSI to find the corresponding IMSI from the old VLR and sends it along with its identity $ID_V$ and $T_1$ to the HLR of MS through a secure channel.
Step 3: When HLR receives the information, it first checks whether the identity $ID_V$ of the visiting VLR is legal and whether $T_1$ is valid. If either of them is not valid, the authentication process is terminated; otherwise, HLR computes $CERT\_VLR = A3(T_1, K_i)$ and $K_T = A3(R, K_i)$, where $K_i$ is the secret key shared between MS and HLR. Then HLR sends CERT_VLR, $R$ and $K_T$ to VLR through a secure channel.
Step 4: Once VLR receives the information from HLR, it computes $SRES = A5(R \| T_1, K_T)$ and stores it in the database along with $T_1$. Then, VLR sends CERT_VLR, $R$ and $T_1$ to MS.
Step 5: When MS receives the messages, it first checks whether $T_1$ is the same as the one it sent before. If $T_1$ is not valid, the process is terminated; otherwise, MS computes $CERT\_VLR' = A3(T_1, K_i)$ and compares it with the received CERT_VLR. If they are not the same, the process is terminated; otherwise, VLR is authenticated. MS then computes $K'_T = A3(R, K_i)$ and $SRES' = A5(R \| T_1, K'_T)$, and sends $SRES'$ back to VLR.
Step 6: On receiving the information from MS, VLR compares the received $SRES'$ with the one stored in its database. If no errors occur, $K'_T = K_T$ and $SRES' = SRES$, and the communication request is accepted; otherwise, the authentication fails.

3.2.2. Phase 2: the jth authentication between the same visiting VLR and MS

To achieve mutual authentication at any time, the process of Phase 2 is executed. Unlike Phase 1, the signed result $SRES_j$ is computed by using $T_{j-1} \| T_j$ and $K_T$ as the inputs through A5, where $T_{j-1}$ is the timestamp of the previous authentication and $T_j$ is the timestamp generated by MS for the jth authentication. Furthermore, the certificate $CERT\_VLR_j$ of VLR is computed by using $K_T$


and $T_j$ as the inputs through A3. The details of the authentication are described as follows.

Step 1: When MS stays in the service area of the same visiting VLR and makes a new communication request, it first computes $SRES_j = A5(T_{j-1} \| T_j, K_T)$ and sends an authentication request to VLR. The request includes TMSI, $SRES_j$ and $T_j$.
Step 2: When VLR receives the request from MS, it computes $SRES'_j = A5(T_{j-1} \| T_j, K_T)$, where $T_{j-1}$ is the timestamp stored in its database for the previous authentication. Then VLR compares $SRES'_j$ with the received one. If they are not the same, the process is terminated; otherwise, MS is authenticated and the stored timestamp is updated to $T_j$. VLR then computes $CERT\_VLR_j = A3(T_j, K_T)$ and sends the result along with $T_j$ to MS.
Step 3: Once MS receives the messages, it first checks whether $T_j$ is the same as the one it sent before. If it is not, the process is terminated; otherwise, MS computes $CERT\_VLR'_j = A3(T_j, K_T)$ and compares $CERT\_VLR'_j$ with the received $CERT\_VLR_j$. If they are not equivalent, the process is terminated; otherwise, VLR is authenticated. Finally, MS stores $T_j$ in its database.
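The two phases of Scheme 2 as a runnable exchange between MS, VLR and HLR. This is an added example, not code from the paper: HMAC-SHA256 stands in for A3 and A5, and the integer timestamps, the 30-second freshness window and all class and method names are assumptions; sessions are keyed by IMSI, with the TMSI lookup left out.

```python
import hashlib
import hmac
import os

WINDOW = 30  # seconds a timestamp stays valid (assumed freshness policy)

class AuthError(Exception):
    pass

def A3(m, k):  # stand-in for A3 (assumption): labelled HMAC-SHA256
    return hmac.new(k, b"A3|" + m, hashlib.sha256).digest()

def A5(m, k):  # stand-in for A5, used as a keyed function as in the paper
    return hmac.new(k, b"A5|" + m, hashlib.sha256).digest()

def ts(t):  # fixed width keeps R || T_1 and T_{j-1} || T_j unambiguous
    return t.to_bytes(8, "big")

class HLR:
    def __init__(self, keys, trusted_vlrs):
        self.keys, self.trusted = keys, trusted_vlrs  # IMSI -> K_i, valid ID_V

    def authorize(self, imsi, id_v, t1, now):  # Phase 1, Step 3
        if id_v not in self.trusted or abs(now - t1) > WINDOW:
            raise AuthError("HLR: bad ID_V or stale T_1")
        r, ki = os.urandom(16), self.keys[imsi]
        return A3(ts(t1), ki), r, A3(r, ki)  # CERT_VLR, R, K_T

class VLR:
    def __init__(self, id_v, hlr):
        self.id_v, self.hlr, self.db = id_v, hlr, {}

    def phase1_challenge(self, imsi, t1, now):  # Phase 1, Steps 2-4
        cert, r, kt = self.hlr.authorize(imsi, self.id_v, t1, now)
        self.db[imsi] = {"kt": kt, "t_prev": t1, "sres": A5(r + ts(t1), kt)}
        return cert, r, t1

    def phase1_verify(self, imsi, sres):  # Phase 1, Step 6
        return hmac.compare_digest(sres, self.db[imsi]["sres"])

    def phase2(self, imsi, sres_j, tj, now):  # Phase 2, Step 2
        rec = self.db[imsi]
        expected = A5(ts(rec["t_prev"]) + ts(tj), rec["kt"])
        if abs(now - tj) > WINDOW or not hmac.compare_digest(sres_j, expected):
            raise AuthError("VLR: MS not authenticated")
        rec["t_prev"] = tj  # stored timestamp advances only after success
        return A3(ts(tj), rec["kt"]), tj  # CERT_VLR_j, T_j

class MS:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def phase1_request(self, now):  # Phase 1, Step 1 (TMSI/LAI lookup omitted)
        self.t_sent = now
        return self.imsi, now

    def phase1_respond(self, cert, r, t1):  # Phase 1, Step 5
        if t1 != self.t_sent or not hmac.compare_digest(cert, A3(ts(t1), self.ki)):
            raise AuthError("MS: VLR not authenticated")
        self.kt, self.t_prev = A3(r, self.ki), t1
        return A5(r + ts(t1), self.kt)

    def phase2_request(self, now):  # Phase 2, Step 1
        self.t_sent = now
        return self.imsi, A5(ts(self.t_prev) + ts(now), self.kt), now

    def phase2_verify(self, cert_j, tj):  # Phase 2, Step 3
        if tj != self.t_sent or not hmac.compare_digest(cert_j, A3(ts(tj), self.kt)):
            raise AuthError("MS: VLR not authenticated")
        self.t_prev = tj
        return True

def rejected(fn, *args):
    try:
        fn(*args)
    except AuthError:
        return True
    return False

def run_demo():
    ki = bytes(range(16))  # constructed subscriber key
    hlr = HLR({"imsi-001": ki}, {"vlr-A"})
    vlr, ms = VLR("vlr-A", hlr), MS("imsi-001", ki)
    out = {}
    imsi, t1 = ms.phase1_request(now=1000)
    sres = ms.phase1_respond(*vlr.phase1_challenge(imsi, t1, now=1001))
    out["phase1"] = vlr.phase1_verify(imsi, sres)
    req = ms.phase2_request(now=1010)  # (IMSI, SRES_j, T_j)
    reply = vlr.phase2(*req, now=1011)
    # A certificate computed without K_T must fail at MS.
    forged = A3(ts(1010), os.urandom(32))
    out["forged_cert_rejected"] = rejected(ms.phase2_verify, forged, 1010)
    out["phase2"] = ms.phase2_verify(*reply)
    # Replaying the captured request fails: VLR's stored T_{j-1} is now T_j.
    out["replay_rejected"] = rejected(vlr.phase2, *req, 1012)
    # An unregistered VLR identity is refused by HLR in Phase 1.
    rogue = VLR("vlr-X", hlr)
    out["unknown_vlr_rejected"] = rejected(rogue.phase1_challenge, imsi, 1020, 1020)
    return out
```

Calling `run_demo()` returns one boolean per check; Phase 2 completes in the two messages the scheme describes, and the replayed request is refused because it was computed over the previous stored timestamp.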

4. Performance analyses

The authentication protocol is the main concern of the GSM architecture. First, we demonstrate in Section 4.1 that Scheme 1 is secure and indeed improves Hwang et al.'s authentication protocol. Then, the security and performance analyses of Scheme 2 are given in Section 4.2.

4.1. The analyses of Scheme 1

The security analyses and the requirements achieved by Scheme 1 are shown in Sections 4.1.1 and 4.1.2, respectively.

4.1.1. The security analyses of Scheme 1

In Scheme 1, MS sends the first authentication request to VLR when entering the service area of VLR for the first time. These procedures are the same as those of Hwang et al.'s authentication protocol. Therefore, we emphasize the security of the procedures of the jth authentication. As shown in Section 3.1, VLR sends $CERT\_VLR_j$, $R_j$ and $T_j$ to MS, where $CERT\_VLR_j = A3(T_j, K_T)$ and $K_T$ is the temporary secret key shared between MS and VLR. That is, only the valid VLR can compute $CERT\_VLR_j$. On the other hand, only the legal MS can compute $SRES'_j = A3(R_j, K_T)$. Furthermore, the timestamp $T_j$ is used to avoid replay attacks. Even if illegal eavesdroppers intercept $T_j$ and $CERT\_VLR_j$, they still cannot counterfeit VLR successfully, since $K_T$ is known only to VLR and MS. MS can easily check whether $T_j$ is the same as the one it has just sent. Even if the attacker replays both $T_j$ and $CERT\_VLR_j$, he/she will not succeed. In other words, the intercepted data is useless for later authentication. According to the above analyses, we can be sure that Scheme 1 is secure.

4.1.2. The requirements achieved by Scheme 1

As mentioned in Section 3.1, the procedure of the first authentication is the same as that of Hwang et al.'s authentication protocol. As a result, mutual authentication for the first authentication is confirmed. Since only HLR and MS have knowledge of $K_i$, only the two of them can compute the temporary session key $K_T$. In addition, HLR sends $K_T$ to VLR through the secure channel. For that reason, VLR and MS share the temporary session key $K_T$. In other words, without knowledge of $K_i$, no one can compute the certificate and the signed result. To authenticate MS, VLR generates a different random number $R_j$ and computes $SRES_j = A5(R_j, K_T)$. The certificate $CERT\_VLR_j = A3(T_j, K_T)$ is also computed, to be verified by MS. On the other hand, MS computes $SRES'_j = A5(R_j, K_T)$, to be verified by VLR. Since the temporary session key $K_T$ is shared only between VLR and MS, only MS and VLR can compute the correct certificate and signed result. As a result, mutual authentication is achieved in Scheme 1.

In the original GSM authentication protocol, A3 has to be executed at least $n$ times in HLR, since $n$ copies of the authentication parameters must be generated. In Scheme 1, instead of $n$ copies of the authentication parameters, HLR only needs to compute CERT_VLR and $K_T$. This approach makes the computation overhead of HLR lighter and the authentication protocol more efficient. This is especially essential when MS moves frequently among the service areas of VLRs. Hence, Scheme 1 is more efficient than the current GSM authentication protocol.

4.2. Analyses of Scheme 2

Here, Scheme 2, which does not alter the original GSM architecture, is presented. Scheme 2 consists of Phase 1 and Phase 2. The first authentication request and the jth authentication request, where $j > 1$ and $j \in N$, are shown in Phases 1 and 2, respectively. In Sections 4.2.1, 4.2.2 and 4.2.3, we demonstrate that our proposed protocol indeed solves the drawbacks mentioned in Section 1. Next, we show in Sections 4.2.4 and 4.2.5 that our proposed protocol is not only secure but also efficient. Finally, we compare Scheme 2 with other protocols in Section 4.2.6.

4.2.1. Mutual authentication is confirmed in Scheme 2

First, we assume that HLR has the ability to verify VLR by using some cryptographic technique, for instance a digital signature. Since VLR can be verified, HLR can compute the certificate CERT_VLR, which will be sent to MS for authenticating VLR later through a secure channel. So, MS can make sure that VLR is valid according to CERT_VLR.


What is more, VLR can authenticate the legality of MS according to $SRES'$. Therefore, mutual authentication is achieved at the first authentication [16,18]. When MS asks for communication service in the service area of the same visiting VLR again, MS sends the authentication request to VLR. The timestamp $T_j$ and $SRES'_j$ are included in the request. VLR can then authenticate MS by verifying $SRES'_j$. Furthermore, VLR computes $CERT\_VLR_j = A3(T_j, K_T)$ and sends it to MS. Since $K_T$ is computed by HLR and is sent to VLR through a secure channel, only the verified VLR has $K_T$. That is to say, MS can use the received $CERT\_VLR_j$ to authenticate VLR. Therefore, Scheme 2 ensures mutual authentication all the time.

4.2.2. The storage overhead is reduced in Scheme 2

Obviously, VLR only needs to store $K_T$ and $T_{j-1}$ in its database instead of $n$ sets of the authentication parameters $\{SRES, R, K_C\}_h$, where $h \in N$. Therefore, our proposed protocol certainly economizes on the memory space of VLR.

4.2.3. To reduce the bandwidth consumption

Instead of generating $n$ sets of the authentication parameters for VLR to authenticate MS, HLR computes the temporary session key $K_T$ and sends it to VLR. VLR can therefore use $K_T$ to compute the signed result to authenticate MS when MS sends the authentication request. That is, no matter how many authentication requests are sent from MS to the same visiting VLR, VLR does not need to ask HLR for authentication parameters anymore. Consequently, our proposed scheme greatly reduces the bandwidth consumption between HLR and VLR.

4.2.4. Security analyses of Scheme 2

Because we do not change the GSM architecture, the security of the authentication protocol is also based on the security of the algorithms A3, A5 and A8. Besides, our proposed protocol achieves mutual authentication whenever MS sends an authentication request, as demonstrated in Section 4.2.1. Therefore, no one can impersonate VLR to fool MS, and vice versa. What is more, the timestamp $T_j$ is employed in our proposed protocol to avoid replay attacks. If the request including TMSI, $SRES'_j$ and $T_j$ is intercepted by an attacker, the attacker cannot impersonate MS, since synchronization mechanisms are provided in GSM. That is, if $T_j$ is retransmitted by the attacker, VLR can easily detect it.

Table 1
The numbers of the algorithm A3/A5 executed by MS, VLR and HLR in Phase 1

      MS   VLR   HLR
A3    2    0     2
A5    1    1     0

Table 2
The numbers of the algorithm A3/A5 executed by MS and VLR in Phase 2

      MS   VLR
A3    1    1
A5    1    1

On the other hand, even if eavesdroppers intercept $T_j$ and $CERT\_VLR_j$ simultaneously, they still cannot counterfeit VLR successfully, because the replayed $T_j$ is not correct. That is, MS can easily check whether $T_j$ is the same as the one it has just sent, even though the counterfeit VLR replays both $T_j$ and $CERT\_VLR_j$. According to the above analyses, we can sum up that Scheme 2 resists the possible attacks.

4.2.5. Efficiency provided in Scheme 2

According to Section 3.2, each of the participants involved in Phase 1 needs to execute A3/A5 for authentication, and the numbers of times the algorithms are executed by the participants are listed in Table 1. The corresponding numbers for the participants involved in Phase 2 are listed in Table 2. Since the original GSM authentication protocol needs to generate $n$ copies of the authentication parameters, A3 has to be executed at least $n$ times in HLR. Therefore, our proposed protocol is more efficient than the current GSM authentication protocol. Furthermore, instead of generating a random number for each communication request as in Hwang et al.'s protocol, VLR only needs to keep $T_1$/$T_j$ and uses it along with $R$/$T_j$ and $K_T$ as the inputs through A5 to compute SRES/$SRES_j$. That is to say, Scheme 2 really enhances the efficiency. What is more, only two rounds are needed to achieve mutual authentication in Phase 2. Obviously, this also ensures round efficiency when MS sends the jth authentication request for communication service.

4.2.6. Comparisons of Scheme 2 with other authentication protocols of GSM

Nowadays, many authentication protocols have been proposed to improve the existing GSM authentication protocol. However, most of them cannot solve all of the drawbacks mentioned in Section 1. Some of them even change the architecture of the original GSM. In this subsection, the comparisons of Scheme 2 with those GSM authentication protocols are shown in Table 3.
Table 3
Comparisons between our proposed protocol and the existing GSM authentication protocols

       Original   Our   [1]   [2]   [3]   [4]
MA1    N          Y     Y     N     N     N
MA2    N          Y     N     N     N     N
SSO    N          Y     Y     Y     N     N
SBC    N          Y     Y     Y     Y     Y
AC     –          N     N     N     Y     Y

Next, we define the symbols used in Table 3. MA1 means to achieve mutual authentication for the first authentication; MA2 means to achieve mutual authentication for authentication of the other times; SSO means to solve the problem of space overhead; SBC means to solve the problem of bandwidth consumption; AC means to change the GSM architecture [1,2,3,4]; N denotes 'no'; Y denotes 'yes.' According to the comparisons, it is obvious that Scheme 2 indeed overcomes the drawbacks found in the existing authentication protocols for the GSM architecture.
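Table 3 marks protocol [1] as lacking mutual authentication after the first request (MA2). The sketch below, an added example rather than code from the paper, runs the jth round of Section 2.3 and of Scheme 1 (Section 3.1) on the MS side against a challenger that does not hold $K_T$ and against a replayed certificate; HMAC-SHA256 stands in for A3 and A5, and the function names and timestamp encodings are hypothetical.

```python
import hashlib
import hmac
import os

def A3(m: bytes, k: bytes) -> bytes:
    # Stand-in for A3 (assumption): HMAC-SHA256 with a domain-separation label.
    return hmac.new(k, b"A3|" + m, hashlib.sha256).digest()

def A5(m: bytes, k: bytes) -> bytes:
    # Stand-in for A5 (assumption), used as a keyed function as in the paper.
    return hmac.new(k, b"A5|" + m, hashlib.sha256).digest()

def vlr_challenge(kt: bytes, tj: bytes):
    """What a challenger holding `kt` sends for the jth request.
    Returns (CERT_VLR_j, R_j, SRES_j kept by the challenger for comparison)."""
    rj = os.urandom(16)
    return A3(tj, kt), rj, A5(rj, kt)

def ms_hwang(kt: bytes, rj: bytes) -> bytes:
    """Section 2.3, j > 1: MS answers whatever R_j arrives; VLR is unchecked."""
    return A5(rj, kt)

def ms_scheme1(kt: bytes, tj_sent: bytes, cert: bytes, rj: bytes):
    """Section 3.1, Step 3: check CERT_VLR_j against MS's own T_j first."""
    if not hmac.compare_digest(cert, A3(tj_sent, kt)):
        return None  # process terminated, no SRES'_j is released
    return A5(rj, kt)

def compare_rounds():
    kt = os.urandom(32)        # K_T shared by MS and the genuine VLR
    wrong_kt = os.urandom(32)  # a challenger that never received K_T
    t_old, t_new = b"T=1000", b"T=2000"  # constructed timestamps
    out = {}
    # Genuine VLR under Scheme 1: both directions verify.
    cert, rj, sres = vlr_challenge(kt, t_new)
    out["scheme1_genuine"] = ms_scheme1(kt, t_new, cert, rj) == sres
    # Challenger without K_T: Hwang's MS still answers, Scheme 1's MS stops.
    cert_x, rj_x, _ = vlr_challenge(wrong_kt, t_new)
    out["hwang_ms_answers_unverified"] = ms_hwang(kt, rj_x) is not None
    out["scheme1_ms_answers_unverified"] = (
        ms_scheme1(kt, t_new, cert_x, rj_x) is not None)
    # A certificate captured for an older T_j does not verify for the new T_j.
    cert_old, rj_old, _ = vlr_challenge(kt, t_old)
    out["scheme1_ms_answers_replay"] = (
        ms_scheme1(kt, t_new, cert_old, rj_old) is not None)
    return out

if __name__ == "__main__":
    for name, value in compare_rounds().items():
        print(f"{name}: {value}")
```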

5. Conclusions

In recent years, GSM has proved so convenient that it has become widespread throughout the world. Many authentication protocols have been proposed to improve the original authentication protocol of GSM, but they cannot solve all of the drawbacks without altering the GSM architecture. In this paper, we propose two schemes to improve the existing GSM authentication protocols. Our proposed authentication protocols not only solve all of the drawbacks but also increase the efficiency. In addition, the security is clearly enhanced, since mutual authentication is ensured all the time. In a word, our proposed protocols are secure and efficient.

References

[1] C.C. Lee, M.S. Hwang, W.P. Yang, Extension of authentication protocol for GSM, IEE Proceedings of Communication 150 (2) (2003) 91–95.
[2] C.H. Lee, M.S. Hwang, W.P. Yang, Enhanced privacy and authentication for the global system for the mobile communications, Wireless Networks 5 (1999) 231–243.
[3] L. Harn, H.Y. Lin, Modification to enhance the security of the GSM protocol, Proceedings of the 5th National Conference on Information Security, Taipei, Taiwan, 1995 (pp. 416–420).
[4] K. Al-tawil, A. Akrami, H. Youssef, A new authentication protocol for GSM network, Proceedings of IEEE 23rd Annual Conference on Local Computer Networks, Boston, 1998 (pp. 21–30).
[5] ETSI, Recommendation GSM 03.20: security related network functions, Technical Reports, European Telecommunication Standards Institute, ETSI, 1993.
[6] B. Mallinder, An overview of the GSM system, Proceedings of Third Nordic Seminar on Digital Land Mobile Radio Communication, Copenhagen, Denmark, 1998 (pp. 12–15).
[7] M. Rahnema, Overview of the GSM system and protocol architecture, IEEE Communications Magazine 1993; 92–100.
[8] A. Aziz, W. Diffie, Privacy and authentication for wireless local area networks, IEEE Personal Communications 1993; 24–31.
[9] C.H. Lee, M.S. Hwang, Authenticated key-exchanged in mobile radio network, European Transactions on Telecommunication 1997; 265–269.
[10] M.S. Hwang, Dynamic participation in a secure conference scheme for mobile communication, IEEE Transactions on Vehicular Technology 48 (1999) 1469–1474.
[11] M.S. Hwang, Y.L. Tang, C.C. Lee, An efficient authentication protocol for GSM networks, Proceedings of AFCEA/IEEE EuroComm' 2000 2000; 326–330.
[12] R. Molva, D. Samfat, G. Tsudik, Authentication of mobile users, IEEE Network 8 (1994) 26–34.
[13] ETSI, Recommendation GSM 02.09: security aspects, Technical Reports, European Telecommunications Standards Institute, ETSI, 1993.
[14] J.F. Stach, E.K. Park, K. Makki, Performance of an enhanced GSM protocol supporting non-repudiation of service, Computer Communications 22 (1999) 675–680.
[15] S. Kumar, C. Zahn, Mobile communications: evolution and impact on business operations, Technovation 23 (2003) 515–520.
[16] W. Stallings, Cryptography and network security: principles and practices, second ed., Prentice Hall, 1999.
[17] H.Y. Lin, L. Harn, Authentication protocol with nonrepudiation services in personal communication systems, IEEE Communication Letters 3 (1999) 236–238.
[18] C.C. Chang, J.K. Jan, H.C. Kowng, A digital signature scheme based upon theory of quadratic residues, Cryptologia 1 (1997) 55–70.