1. Overview
3GPP defined authentication and key agreement procedure specified in TS 33.102 V9.2.0 (2010-03) defined the mechanism for achieving mutual authentication between the user and the network by showing knowledge of a secret key K which is shared between and available only to the Universal Subscriber Identity Module (USIM) and the AuC in the user's Home Environment (HE).
The mechanism was chosen to achieve maximum compatibility with the current GSM security architecture and facilitate migration from GSM to UMTS.
The mechanism is composed of a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence number-based one-pass protocol for network authentication derived from ISO/IEC 9798-4(section 5.1.1).
2. Authentication Vector Distribution
Upon receipt of a request from the VLR/SGSN, the HE/AuC sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the VLR/SGSN. The authentication vectors are ordered based on sequence number.
Each authentication vector consists of the following components:
--> a random number RAND,
--> an expected response XRES,
--> a cipher key CK,
--> an integrity key IK and
--> an authentication token AUTN.
Each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM.
3. Authentication and key Establishment
When the VLR/SGSN initiates an authentication and key agreement with the MS, it selects the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the MS.
The MS/USIM checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to the VLR/SGSN. The MS/USIM also computes CK and IK.
The VLR/SGSN compares the received RES with XRES. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed.
The established keys CK and IK will then be transferred by the MS/USIM and the VLR/SGSN to the entities which perform ciphering and integrity functions.
4. Other Aspects
VLR/SGSNs can offer secure service even when HE/AuC links are unavailable by allowing them to use previously derived cipher and integrity keys for a user so that a secure connection can still be set up without the need for an authentication and key agreement. Authentication is in that case based on a shared integrity key, by means of data integrity protection of signalling messages.
5. Authentication Vector (AV) Generation
Authentication vector (AV) is generated by the HE/AuC.
f1 and f2 are message authentication functions, f3, f4 and f5 are key generating functions.
6. User Authentication Function
Upon receipt of RAND and AUTN the USIM first computes the anonymity key AK = f5K (RAND) and retrieves the sequence number SQN = (SQN * AK) * AK.
After that, the USIM computes XMAC = f1K (SQN || RAND || AMF) and compares this with MAC which is included in AUTN. If they are different, the user sends user authentication reject back to the VLR/SGSN with an indication of the cause and the user abandons the procedure. In this case, VLR/SGSN shall initiate an Authentication Failure Report procedure towards the HLR. VLR/SGSN may also decide to initiate a new identification and authentication procedure towards the user.
Finally, the USIM verifies that the received sequence number SQN is in the correct range. If the USIM considers the sequence number to be not in the correct range, it sends synchronisation failure back to the VLR/SGSN including an appropriate parameter, and abandons the procedure.