HUAWEI BSC6000 Base Station Subsystem BSS Signaling Analysis Guide

7 Authentication

7
About This Chapter
7.2 Authentication Procedure This topic describes the authentication procedure.

Authentication

The purpose of authentication is to permit the network to check whether the identity provided by the MS is acceptable or not and to prevent the private information of the legal subscribers from being stolen. 7.1 Authentication Principles The authentication procedure is always initiated and controlled by the network.

7.3 Authentication Failure Different ways of identification used by the MS may lead to different unsuccessful authentication procedures. 7.4 Internal BSC Signaling Procedure of Authentication This topic describes the internal BSC signaling procedure of authentication. 7.5 Abnormal Authentication Cases This topic describes the abnormal authentication cases.

Issue 02 (2008-01-25)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

7-1

7 Authentication

HUAWEI BSC6000 Base Station Subsystem BSS Signaling Analysis Guide

7.1 Authentication Principles

The authentication procedure is always initiated and controlled by the network. The network initiates the authentication procedure in the following cases:
l l

The MS applies to change the subscriber information in the VLR or the HLR. Service access is initiated. For example, when the MS originates a call, is called, activated, or deactivated, or the supplementary service is initiated. The MS accesses the network for the first time after the MSC/VLR restarts. The ciphering key Kc on the network does not match that on the MS. To permit the network to check whether the identity provided by the MS is acceptable or not To provide parameters that enable the MS to calculate a new ciphering key

l l

The purpose of authentication twofold:

l

The authentication procedure uses an Authentication Triplet, namely RAND, Kc, and SERS. The Authentication Triplet is calculated in the authentication center of the GSM network. When registering in a GSM network, each subscriber is assigned a Mobile Station International ISDN Number (MSISDN) and an International Mobile Subscriber Identity (IMSI). The IMSI is written into the SIM through a SIM writer. The SIM writer also generates an authentication parameter Ki, which is stored in the SIM and the authentication center as well. The IMSI and Ki are permanent information. A pseudo-random number generator is used in the authentication center to generate an unpredictable pseudo random number RAND. In the authentication center, the RAND and Ki generate a signed response (SRES) through algorithm A3 and a ciphering key Kc through algorithm A8. The three parameters RAND, Kc, and SERS constitute an Authentication Triplet, which are stored as part of the subscriber data in the HLR. Generally, the authentication center sends five groups of Authentication Triplet to the HLR at one time. The HLR automatically stores them. The HLR can store ten groups of Authentication Triplet. Upon request, the HLR sends five groups of Authentication Triplet to the MSC/VLR at one time. The MSC/VLR uses the Authentication Triplet one by one. When only two groups are left, the MSC/VLR requests the HLR for the Authentication Triplet again.

7.2 Authentication Procedure

This topic describes the authentication procedure. Figure 7-1 shows the authentication procedure.

7-2

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

Issue 02 (2008-01-25)

HUAWEI BSC6000 Base Station Subsystem BSS Signaling Analysis Guide

7 Authentication

Figure 7-1 Authentication procedure

MS BTS BSC MSC

Authentication Request(1) SDCCH Start T3260 Authentication Response(2) SDCCH StopT3260

The authentication procedure is as follows: 1. The network initiates an authentication procedure by sending an Authentication Request message to the MS and starts timer T3260. The Authentication Request message carries a 128-bit RAND that is used to calculate the response parameters. It also carries the Ciphering Key Sequence Number (CKSN) assigned to the ciphering key. Upon receiving the Authentication Request message, the MS calculates the SRES required by the Authentication Response message and the new ciphering key Kc. The SRES is calculated based on the RAND and Ki through algorithm A3. After writing the new ciphering key Kc and the CKSN in the SIM, the MS sends the network an Authentication Response message. Upon receiving the Authentication Response message, the network stops timer T3260 and compares the stored SRES with the SRES in the Authentication Response message. If the SRESs are the same, the authentication procedure is complete, and the successive procedures, for example, the ciphering procedure, start.

2.

7.3 Authentication Failure

Different ways of identification used by the MS may lead to different unsuccessful authentication procedures. If authentication fails, that is, if the response is not valid, the network may distinguish between the following two ways of identification used by the MS: 1. If the TMSI is used, the network initiates the identification procedure. If the IMSI given by the MS differs from that in the network, the network restarts the authentication procedure. If the IMSI given by the MS is the expected one, the network returns an Authentication Reject message. 2. if the IMSI is used, the network sends an Authentication Reject message. Figure 7-2 shows the unsuccessful authentication procedure.

Issue 02 (2008-01-25)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

7-3

7 Authentication

HUAWEI BSC6000 Base Station Subsystem BSS Signaling Analysis Guide

Figure 7-2 Unsuccessful authentication procedure

MS BTS BSC MSC

Authentication Request(1) SDCCH Authentication Response(2) SDCCH Authentication Reject(3) SDCCH

If the Authentication Reject message is received when the MS is in the IMSI Detach Initiated state, timer T3220 will be stopped when the RR connection is released. The MS, if possible, starts the local release procedure after the normal release procedure or timer T3220 expiry. If not possible, for example, during IMSI detachment at MS power-down, the RR sublayer on the MS side is aborted. If the Authentication Reject message is received in any other state, the MS aborts any MM connection establishment or call re-establishment procedure, stops all the timers T3210 or T3230, releases all the MM connections, starts timer T3240, and enters the Wait For Network Command state, expecting the release of the RR connection. If the RR connection is not released within a given time controlled by timer T3240, the MS aborts the RR connection. In both cases, either after an RR connection release triggered from the network or after an RR connection abort requested by the MS, the MS enters the No IMSI substate of the MM Idle state.

7.4 Internal BSC Signaling Procedure of Authentication

This topic describes the internal BSC signaling procedure of authentication. The authentication is initiated and controlled by the MSC, and the BSC does no special processing.

7.5 Abnormal Authentication Cases

This topic describes the abnormal authentication cases. 7.5.1 RR Connection Failure This topic describes the fault, probable causes, and handling suggestions. 7.5.2 Timer T3260 Expiry This topic describes the fault, probable causes, and handling suggestions. 7.5.3 SIM Unregistered This topic describes the fault, probable causes, and handling suggestions.

7-4

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd

Issue 02 (2008-01-25)

HUAWEI BSC6000 Base Station Subsystem BSS Signaling Analysis Guide

7 Authentication

7.5.1 RR Connection Failure

This topic describes the fault, probable causes, and handling suggestions.

Fault
The authentication procedure fails, and the network releases all the MM connections.

Probable Causes
Upon detecting an RR connection failure before an Authentication Response message is received, the network releases all the MM connections (if any) and aborts any ongoing MMspecific procedure.

Handling Suggestions
Check whether interference exists on the Um interface.

7.5.2 Timer T3260 Expiry

This topic describes the fault, probable causes, and handling suggestions.

Fault
The authentication procedure fails.

Probable Causes
If timer T3260 expires before an Authentication Response message is received, the network releases the RR connection and all the MM connections, aborts the authentication procedure and all the ongoing MM connections (if any), and starts the RR connection release procedure.

Handling Suggestions
Check whether the timeout value of timer T3260 is appropriate.

7.5.3 SIM Unregistered

This topic describes the fault, probable causes, and handling suggestions.

Fault
The network directly responds to the MS with an Authentication Reject message.

Probable Causes
If the SIM of an MS is not registered in the network, the network returns an Authentication Reject message to the MS.

Handling Suggestions
Register the SIM correctly.
Issue 02 (2008-01-25) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd 7-5