
Mom's Maiden Name

Today's authentication techniques aren't without weaknesses. What's needed is a method that has millions of potential questions, each with a unique answer.


Wireless providers are playing a dangerous game. They set up cell sites broadcasting on standard frequencies that can be used by anybody in that area, yet they get paid for service if they can ensure that only legitimate subscribers are given access.

There's obviously no physical way to ensure that a legitimate phone is being used by a legitimate subscriber; any method for determining authenticity can be only through messages exchanged over the radio interface. This process, known as validation and authentication, is made more challenging because any process using radio waves can be overheard by others. Not only can the bad guys attempt to pass themselves off as legitimate, but they can see the legitimate mobiles' validation-and-authentication transactions, as well.

Validation was the first method used in wireless systems for combating technical fraud. It simply consists of checking that the identifiers transmitted by a mobile match and belong to a valid subscription. Well, perhaps the adverb "simply" doesn't apply, at least not for roamers. The mobile transmits a MIN or international mobile-subscriber identity (IMSI), which is used to identify the home system. Then the home system has to find a record that contains that MIN or IMSI and, hopefully, the same ESN that the mobile transmitted.

Validation was thought to be secure because the FCC demanded that cellular phones' ESNs be unchangeable. However, that's impossible to ensure because even if the ESN is stored in a secure chip on the phone, there's nothing to stop fraudulent users — cloners — from ignoring the stored ESN and transmitting a phony ESN from another memory location in the phone.

Authentication to the Rescue
The designers of digital systems — CDMA, GSM and TDMA — recognized the need for a more sophisticated technique, one that wouldn't just ask the question "Who are you?" but the more complicated question, "Are you who you claim you are?"

This type of question also is important in preventing subscription fraud. A number of personal questions may be asked for no other reason than to try to establish whether the person on the other end of the phone is legitimate or perhaps whether he just has a stolen driver's license. Asking only for information that can be found on one or two pieces of identification is asking for trouble.

One approach to authentication would be to ask the mobile to provide a secret piece of information, just as banks may ask customers for their mothers' maiden names to verify their identities indirectly. This approach would work once, but then, in a radio environment, others would know the secret, and the technique would be useless. What's needed is a method with millions of potential questions, each with a unique answer.

Imagine trying to apply the old technique of asking for customers' mothers' maiden names in a public place. Everyone soon would know everyone else's mothers' maiden names. What if, instead, you could ask for customers' second cousin's mother's sister's maiden name? Or their aunts' husband's daughter? Although humans never could get all this information straight, it would mean that even if the answer to a question were overheard, the information would be of no value because the question might never be repeated again. Computers can remember vast quantities of data, and this approach, called "challenge-response," is the basis of authentication for analog, CDMA, GSM and TDMA systems.

Challenge-response authentication is based on one device, usually the base station, asking another, usually the mobile, a question and getting an answer. The question is just a large random number, and the answer is another number that is generated from a calculation based on the question and some secret information. Only a device with the secret information can always generate the right answer.

Authentication relies on what's known as a "1-way function." This approach is like a fruit juicer: Although it's easy to put fruit in the top and have juice come out the bottom, it's impossible to put juice in the bottom and have whole fruit pop out the top. At a minimum, a 1-way function used for authentication has to accept the random number — the question — and a secret key as input, producing the answer as an output. Even if the answer is known, it's virtually impossible to determine what the random number and the secret key used as inputs were.

Authentication & Authentication
GSM and ANSI-41 (i.e., AMPS, CDMA and TDMA) use much different implementations of authentication. Although the basic concept is the same, GSM has the challenge-response pairs calculated in the home system. As a result, each home system could, if desired, use a different 1-way function. The serving system merely has to send the challenge and ensure that the response matches the precalculated answer.

By comparison, ANSI-41 has a concept known as shared secret data (SSD) that's basically a key that can be used by the serving system to generate an almost endless stream of challenge-response pairs.
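
The sketch below is an added example, not code from the article or from either standard. It shows challenge-response with a 1-way function in both arrangements described above: a serving system that only holds pairs precalculated by the home system, and a serving system that holds a shared key and makes its own challenges. HMAC-SHA256 stands in for the 1-way function, and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def one_way(key: bytes, challenge: bytes) -> bytes:
    # Stand-in 1-way function (HMAC-SHA256), chosen for illustration only;
    # it is not the algorithm used by GSM or ANSI-41 networks.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Mobile:
    def __init__(self, key: bytes):
        self._key = key                      # never sent over the air
    def respond(self, challenge: bytes) -> bytes:
        return one_way(self._key, challenge)

class PairServingSystem:
    """GSM-style model: holds only pairs precalculated by the home system."""
    def __init__(self, pairs):
        self._pairs = list(pairs)
    def challenge(self) -> bytes:
        self._challenge, self._expected = self._pairs.pop()  # IndexError when used up
        return self._challenge
    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._expected)

class KeyServingSystem:
    """ANSI-41-style model: holds a shared key (SSD), makes its own challenges."""
    def __init__(self, ssd: bytes):
        self._ssd = ssd
    def challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge
    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, one_way(self._ssd, self._challenge))

def home_precalculate(key: bytes, count: int):
    challenges = [secrets.token_bytes(16) for _ in range(count)]
    return [(c, one_way(key, c)) for c in challenges]

def run_demo(serving, mobile):
    """Return (legitimate_ok, replay_ok) for one overheard exchange."""
    overheard = mobile.respond(serving.challenge())
    legitimate_ok = serving.verify(overheard)
    serving.challenge()                      # a fresh question for the next attempt
    replay_ok = serving.verify(overheard)    # eavesdropper repeats the old answer
    return legitimate_ok, replay_ok

if __name__ == "__main__":
    key = secrets.token_bytes(16)            # constructed sample secret
    print(run_demo(PairServingSystem(home_precalculate(key, 2)), Mobile(key)))
    print(run_demo(KeyServingSystem(key), Mobile(key)))
```

In both models the overheard answer is rejected once the question changes. The pair-based serving system never sees the key but must fetch more pairs when its supply runs out, while the key-based one can keep issuing challenges on its own.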

Differences in authentication are one of the major incompatibilities between GSM and ANSI-41 networks. Two completely different sets of authentication data have to be provisioned and managed for each dual-mode phone. Standards committees currently are working on a new authentication method for 3G systems known as authentication and key agreement, based on the current GSM method of authentication with some major enhancements. The same method probably will be used by 3GPP systems with a GSM heritage and 3GPP2 systems with an ANSI-41 heritage.

There's some dispute over whether this approach is the best course of action. Lucent Technologies, for example, has proposed that 3G systems be based on enhanced SSD concepts. This solution has some advantages, particularly regarding air interface and network efficiency. Currently, standards committees are trying to identify a set of requirements that will allow all future systems to use compatible authentication systems incorporating some GSM concepts, some ANSI-41 concepts and some new concepts. Although different radio interfaces may use the information in different ways, only one set of authentication information will need to be stored in the phone or smart card and in the authentication center, and only one set of algorithms will have to be implemented.

Authentication is now one of the most important aspects of modern public wireless networks. Providers with authentication know that when a mobile requests service, it is who it claims to be and that the identity it claims is valid for service. A single method of authentication for future wireless systems may prove in the long run to be more important to the wireless industry than high-speed data. After all, if you can't guarantee that you will be paid for a call, why bother providing service?

Crowe (crowed@cnp-wireless.com) is a wireless-standards consultant and editor of Cellular Networking Perspectives, a wireless-standards and -technology bulletin.

© 2012 Penton Media Inc.
