1.4 AC - Authentication Center

The central point of the security services in GSM networks are the authentication centers (AC), which are assigned to each mobile switchung center (MSC). They generate and store the IMSI and the authentication key Ki for each subscriber, which are also stored in the subscriber’s SIM. Using the algorithms A3 and A8, a triples of random bit streams RAND, signed responses SRES and session keys Kc are generated in the AC in advance, and than they are saved in the associated HLR, in conjunction with the appropriate identifier.

The specific security and administrative requirements for an authentication center are not standardized but left to each network operator. The GSM 3.20 standard only states that the individual subscriber authentication keys Ki are stored in an AC and that an AC also contains the authentication algorithm A3 and the cipher key generating algorithm A8. A malfunction or a temporary loss of the information contained in an AC would have severe consequences for the security as it affects the generation of the authentication triplets. Since other information about the subscriptions, including the possibly black lists of barred subscriptions, is contained in HLR, it is logical to ”integrate” the AC into HLR. In networks with more than one HLR, the backup and overload facilities could be distributed over several HLR /ACs. Key management is a major issue when designing an AC. The method used for generating and storing potentially several million individual subscriber authentication keys and the handling of the authentication request are of importance for both the secure and the smooth running of the network. There are two standard methods to generate keys. They may be generated by using a random number generator or by deriving them from user related data with the help of an algorithm under the control of a master key MK. Both methods have their advantages and disadvantages. The main advantage of deriving a key from non-secret (subscribtion) data under a master key is that such derivable keys need not be stored and that the back-up of the subscriber keys is reduced to the back-up of the master key. No databanks containing secret information are thus required in the AC.

When an authentication request comes from the VLR, the AC would just load the relevant data, say the IMSI, into the algorithm and derive the individual subscriber authentication key Ki from this data using the top secret master key MK. This method has a few undesirable effects if it is not managed with extreme care from both an administrative as well as a security point of view. The main problem is of course to keep the very secret key MK secret. Anybody comming into possesion of this key could (if he knows the method of deriving Ki and the algorithms A3 and A8) compromise every SIM card issued under MK. The method can also lead to the production of ”identical” SIMs. If the same IMSI has been used by mistake to generate the keys for two SIMs, these SIMs will be identical from a security point of view, i.e. they contain the same IMSI and Ki. One can avoid the risk of producing identical SIMs by combining subscription data with random data. Using a random number generator to produce the subscriber authentication keys insures that all strings consisting of 128 its are equally likely. This advantage can not be achieved by an algorithm using IMSIs as an input. As there is no ”link” between the subscription and the authentication key, all keys have to be stored in a database of the AC and have to be backed-up at a physically different location. To protect the keys against authorized reading in the AC they have to be stored in an encrypted form. The key (or keys) using for decrypting the subscriber authentication keys is clearly very sensitive.

IMSI: internationale Kennung des Teilnehmers

Ki: geheimer Schlüssel des Teilnehmers (128 Bit)

RAND: Zufallsbitfolge (128 Bit)

SRES: Antwortsequenz (32 Bit)

Kc: Sitzungsschlüssel (64 Bit)