What is GSM Authentication ?

GSM Authentication is a process of validation GSM Handset in the network for call establishment .A detailed description of the authentication process, involving the different GSM Network Elements is provided here.

 

GSM Authentication is based on subscriber-specific parameters and algorithms, which are available in both the mobile station (MS) and the authentication center (AC) . The subscriber identity module (SIM) in the GSM Handset uses this information to compute a further parameter for each authentication. This parameter is compared with one computed by the AC’s security box using the same methods and algorithms. If the two match then authentication has been performed successfully.

 

GSM Authentication can be activated by any type of attempt to establish a connection between the mobile station and the Network, e.g.:

 

• Mobile originated call
• Activation of supplementary services
• Exchange of ”short messages”
• Location update
• IMSI attach

 Triplets:

 Authentication relies on the triple parameters. Upon executing the authentication procedure,the Auc system knows the mobile subscriber’s identity and then provides a triple which has already been created in advance by the AC’s security box. Each mobile subscriber has specific triples because they are computed from his secret authentication key (Ki). In fact, these triples are continuously created because after being used for subscriber authentication, each triple is replaced with a new one.

The triple consists of three parameters: a random number (RAND), a signed response (SRES), and a Cipher key (Kc).

• RAND is randomly selected each time a triple has to be created.
• SRES is used to perform the actual authentication of the mobile subscriber. It is computed from input parameters Ki and RAND, using cryptographic algorithm A3.

• Kc is used to generate a ciphering and deciphering bit stream on the radio path. It is computed from the same input parameters Ki and RAND, but now using cryptographic algorithm A8.

Mode of Operation:

 The first actions are taken when the mobile subscriber is actually created and defined in HLR that is before he is known in the actual GSM network.

There, a secret authentication key ‘Ki’ and a version indicator for each of the algorithms A3 and A8 are assigned to his international mobile subscriber identity (IMSI).

• The Authentication center (AC) Emulator is already equipped with one or more A3 and A8 algorithm versions on installation. To securely install the subscriber, his encrypted Ki and both version indicators are loaded into the AC from a command file or a specially secured administrative file. First, the subscriber is created in the AC by storing his IMSI and encrypted Ki in the subscriber database (with A2 algorithm using key K2). Then, the security box computes for him one semi-permanent and five transient triples, which are stored in the triple database.
• If the subscriber exists in the AC and the authentication triples are thereby created, then appropriate subscriber data can be administered in the HLR.
• The IMSI, the Ki and the algorithms A3 and A8 themselves are stored on the SIM, according to the previously selected indicators.

 

Once the mobile subscriber is known in the actual PLMN, he can initiate access to the individual network elements. A mobile station (MS) initiates a procedure to access the PLMN for one of the following events.

• When the mobile subscriber activates his equipment after being inactive, the MS can either initiate a location updating procedure when he roams into another location area, or it can start an IMSI attach procedure provided the subscriber remains within the location area in which he is already registered.

 

• When the MS answers to a paging after detecting that its subscriber is paged upon listening to the paging channel: either to answer a normal call or to receive a short message from a service center.

 

• When the subscriber originates a normal call or wants to leave a short message in a service center.

 

• When the mobile subscriber activates a supplementary service.

 

The access procedure is started by allocating a signalling channel to the MS for the message transfer of equipment and signalling data and to convey the subscriber’s identity.

This means that the radio resource connection with the network has already been established. Network access is given after performing the security functions initiated by the network and involving the SIM.

The following sections describe the tasks within each network element as far as subscriber authentication is concerned. The execution of this functional sequence as described further, implies a co-operation between the MS and the BSS, the MSC, the VLR, GSM HLR, and the AC

Call flow for Authentication:

The diagram below depicts the procedure of Authentication during Registration in GSM Network.

The call flow is as follows:

1. At location Update

 

2. Subsequent Authentication

If all the RAND (of the 5) are consumed then the Auth_info will be sent by the S-SMSC to the HLR, else it will use one of the RAND to create SRES.

Messages used during Authentication:

MAP_SEND_AUTHENTICATION_INFO

This service is used between the VLR and the HLR for the VLR to retrieve authentication information from the HLR. The VLR requests some sets of RAND/SRES/Kc vectors. This message is also used between SGSN and HLR during Authentication, while registering in Data Network.

The Parameters in this message are as follows:

Invoke ID

This parameter identifies corresponding service primitives. The parameter is supplied by the MAP service-user and must be unique over each service-user/service-provider interface.

AuthenticationSetList

Sets of one to five authentication vectors are transferred from the HLR to the VLR or from the HLR to the SGSN, if the outcome of the service was successful.

 User error

 One of the following error causes shall be sent by the user in case of unsuccessful outcome of the service, depending on the respective failure reason:

• Unknown subscriber;
• Unexpected data value;
• System failure;
• Data missing.

Provider error

This parameter is used to indicate a protocol related type of error:

• Duplicated invoke Id;
• Not supported service;
• Mistyped parameter;
• Resource limitation;
• Initiating release, i.e. the peer has already initiated release of the dialogue and the service has to be released;
• Unexpected response from the peer;
• Service completion failure;
• No response from the peer;
• Invalid response received.

The MSC Sends an Authentication Request to the M.S with the RAND Value received from the AuC/HLR . The Handset computes the SRES , using the Ki and the RAND (A3 Algorithm) and forwards the same in the Authentication Response to the MSC. THE MSC matches the SRES value received from the Handset and HLR/AuC , and if the two values match the Authentication has passed.

Registration Process of Handset in GSM Network

The call Flow for Registration is as follows:

In Registration, two scenarios will be discussed.

The S-MSC/VLR retrieves the IMSI and triplets from the Old MSC/VLR, based on TMSI stored in the Handset.

In this scenario, the S-MSC sends the MAP_SEND_IDENTIFICATION (OLD TMSI) to the Old VMSC/VLR based on the TMSI value received from the Handset. The authentication triplets are received by the S-SMSC.

Messages used during Registration:

MAP_SEND_IDENTIFICATION

This service is used between the VLR and the HLR for the VLR to retrieve authentication information from the HLR. The VLR requests up to five authentication vectors. Also this service is used between the SGSN and the HLR for the SGSN to retrieve authentication information from the HLR. The SGSN requests up to five authentication vectors.

Number of requested vectors

A number indicating how many authentication vectors the new VLR is prepared to receive. The previous VLR shall not return more vectors than indicated by this parameter.

This parameter shall be present in the first (or only) request of the dialogue. If multiple service requests are present in a dialogue then this parameter shall not be present in any service request other than the first one

 Authentication Set

A list of up to five authentication sets is returned, if there are any available.

User error

This parameter is mandatory if the service fails. The following error may be used, depending on the nature of the fault:

• Unidentified subscriber.

MAP_UPDATE_LOCATION

MSC Address

This parameter refers to the ISDN number of an MSC.The MSC address is used for short message delivery only, and for each incoming call set-up attempt, the MSRN will be requested from the VLR.

VLR number

This parameter refers to the ISDN number of a VLR.

LMSI

This parameter refers to a local identity allocated by the VLR to a given subscriber for internal management of data in the VLR. LMSI shall not be sent to the SGSN. It is an operator option to provide the LMSI from the VLR; it is mandatory for the HLR to support the LMSI handling procedures.

Supported CAMEL Phases

This parameter indicates which phases of CAMEL are supported. Must be present if a CAMEL phase different from phase 1 is supported. Otherwise may be absent.

 SoLSA Support Indicator

This parameter is used by the VLR to indicate to the HLR in the Update Location indication that SoLSA is supported. If this parameter is not included in the Update Location indication and the Subscriber is marked as only allowed to roam in Subscribed LSAs, then the HLR shall reject the roaming and indicate to the VLR that roaming is not allowed to that Subscriber in the VLR.

Long FTN Supported

This parameter indicates that the VLR supports Long Forwarded-to Numbers

Offered CAMEL 3 CSIs

This parameter indicates the CAMEL phase 3 CSIs offered in the VMSC/VLR.

 Inform Previous Network Entity

This parameter is used by the VLR to ask the HLR to inform the previous network entity about the update by sending the previous network entity a Cancel Location message. It is used in case Super-Charger is supported in the network and the serving network entity has not been able to inform the previous network entity that MS has moved, that is if it has not sent Send Identification to the previous serving entity.

 HLR number

This parameter refers to the ISDN number of an HLR.The presence of this parameter is mandatory in case of successful HLR updating.

User error

• Unknown Subscriber.
• Roaming Not allowed.
• System Failure.
• Unexpected data Value.

Provider error

 This parameter is used to indicate a protocol related type of error:

• Duplicated invoke Id;
• Not supported service;
• Mistyped parameter;
• Resource limitation;
• Initiating release, i.e. the peer has already initiated release of the dialogue and the service has to be released;
• Unexpected response from the peer;
• Service completion failure;
• No response from the peer;
• Invalid response received.

 

MAP_INSERT_SUBSCRIBER_DATA

This service is used by an HLR to update a VLR with certain subscriber data in the following occasions:

• The operator has changed the subscription of one or more supplementary services, basic services or data of a subscriber. Note that in case of withdrawal of a Basic or Supplementary service this primitive shall not be used;
• The operator has applied, changed or removed Operator Determined Barring;
• The subscriber has changed data concerning one or more supplementary services by using a subscriber procedure;
• The HLR provides the VLR with subscriber parameters at location updating of a subscriber or at restoration.

Also this service is used by an HLR to update an SGSN with certain subscriber data in the following occasions:

• If the GPRS subscription has changed;
• If the network access mode is changed;
• The operator has applied, changed or removed Operator Determined Barring;
• The subscriber has changed data concerning one or more supplementary services by using a subscriber procedure;
• The HLR provides the SGSN with subscriber parameters at GPRS location updating of a subscriber. If the Super‑Charger functionality is supported the HLR may not need to provide the SGSN with subscriber parameters. See 3GPP TS 23.116.

MAP_CANCEL_LOCATION_SERVICE

This service is used between HLR and VLR to delete a subscriber record from the VLR. It may be invoked automatically when an MS moves from one VLR area to another, to remove the subscriber record from the old VLR, or by the HLR operator to enforce a location updating from the VLR to the HLR, e.g. on withdrawal of a subscription.

Cancellation Type

This parameter indicates the reason of location cancellation. It is defined in 3GPP TS 23.060 [104].

User Error

 If the cancellation fails, an error cause is to be returned by the VLR or by the SGSN.

• Unexpected data value.
• Data missing.

 Provider Error

This parameter is used to indicate a protocol related type of error:

• Duplicated invoke Id;
• Not supported service;
• Mistype parameter;
• Resource limitation;
• Initiating release, i.e. the peer has already initiated release of the dialogue and the service has to be released;
• Unexpected response from the peer;
• Service completion failure;
• No response from the peer;Invalid response received.