Title of Invention	A METHOD FOR ESTABLISHING A SESSION KEY
Abstract	In the method for establishing a session key, a network and a mobile transfer codes between one another. The mobile and the network perform mutual authentication based on the codes. Besides performing this mutual authentication, the mobile and the network to establish the session key based on the codes. In one embodiment, the messages forming part of the intended session are sent with the codes, and form a basis upon which the codes for authentication have been derived.

Title of Invention

A METHOD FOR ESTABLISHING A SESSION KEY

Abstract

In the method for establishing a session key, a network and a mobile transfer codes between one another. The mobile and the network perform mutual authentication based on the codes. Besides performing this mutual authentication, the mobile and the network to establish the session key based on the codes. In one embodiment, the messages forming part of the intended session are sent with the codes, and form a basis upon which the codes for authentication have been derived.

Full Text	METHOD FOR ESTABLISHING SESSION KEY AGREEMENT Related Applications The following applications, filed on July 31, 1998, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR TWO PARTY AUTHENTICATION AND KEY AGREEMENT by the inventor of the subject application, application no. unknown entitled METHOD FOR UPDATING SECRET SHARED DATA IN A WIRELESS COMMUNICATION SYSTEM by the inventor of the subject application; application no, unknown entitled METHOD FOR TRANSFERRING SENSITIVE INFORMATION USING INTIALLY UNSECURED COMMUNICATION by the inventor of the subject application; application no. unknown entitled METHOD FOR SECURING OVER-THE-AIR COMMUNICATION IN A WIRELESS SYSTEM by the inventor of the subject application; and application no. unknown entitled METHOD FOR ESTABLISHING A KEY USING OVER-THE-AIR COMMUNICATION AND PASSWORD PROTOCOL AND PASSWORD PROTOCOL by the inventor of the subject application and Adam Berenzweig. The following applications, filed concurrently with the subject application, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR DETERMINING TEMPORA RY MOBILE IDENTIFIERS AND MANAGING USE THEREOF by the inventor of the subject application, and application no, entitled METHOD FOR PROTECTING MOBILE ANONYMITY by the inventor of the subject application. Field of the Invention The present invention relates to a method for establishing a session key in a wireless system. Description of Related Art The U.S. currently utilizes three major wireless systems, with differing standards. The first system is a time division multiple access system (TDMA) and is governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Phone System (AMPS) . All three communication systems use the IS-41 standard for intersystem messaging, which defines the authentication procedure for call origination, updating the secret shared data, and etc. Fig.l illustrates a wireless system including an authentication center (AC) and a home location register (HLR) 10, a visiting location register (VLR) 15, and a mobile 20. While more than one HLR may be associated with an AC, currently a one-to-one correspondence exists. Consequently, Fig, 1 illustrates the HLR and AC as a single entity, even though they are separate. Furthermore, for simplicity, the remainder of the specification will refer to the HLR and AC jointly as the AC/HLR. Also, the VLR sends information to one of a plurality of mobile switching centers (MSCs) associated therewith, and each MSC sends the information to one of a plurality of base stations (BSs) for transmission to the mobile. For simplicity, the VLR, MSCs and BSs will be referred to and illustrated as a VLR, Collectively, the ACs, HLRs, VLRs, MSCs, and BSs operated by a network provider are referred to as a network. A root key, known as the A-key, is stored only in the AC/HLR 10 and the mobile 20. There is a secondary key, knovm as Shared Secret Data SSD, which is sent to the VLR 15 as the mobile roams (i.e., when the mobile is outside its home coverage area). The SSD is generated from the A-key and a random seed RANDSSD using a cryptographic algorithm or function. A cryptographic function is a function which generates an output having a predetermined number of bits based on a range of possible inputs, A keyed cryptographic function (KCF) is a type of cryptographic function that operates based on a key; for instance, a cryptographic function which operates on two or more argioments (i • e., inputs) wherein one of the arguments is the key. From the output and knowledge of the KCF in use, the inputs can not be determined unless the key is known. Encryption/decryption algorithms are types of cryptographic functions. So are one-way functions like pseudo random functions (PRFs) and message authentication codes (MACs). The expression KCFSK(RN') represents the KCF of the random number RN' using the session key SK as the key. A session key is a key that lasts for a session, and a session is a period of time such as the length of a call. In the IS-41 protocol, the cryptographic function used is CAVE (Cellular Authentication and Voice Encryption) . When the mobile 20 roams, the VLR 15 in that area sends an authentication request to the AC/HLR 10. If operating in an unshared mode, the AC/HLR 10, using the VLR 15 as a communication conduit, authenticates the mobile 20 using the SSD associated with the mobile 20. However, in the shared mode, the AC/HLR 10 responds to the authentication request by sending the mobile's SSD to the VLR 15. Once the VLR 15 has the SSD, it can authenticate the mobile 20 independently of the AC/HLR 10. For security reasons, the SSD is periodically updated. The SSD is 128 bits long. The first 64 bits serve as a first SSD, referred to as SSDA, and the second 64 bits serve as a second SSD, referred to as SSDB. The SSDA is used in the protocol to update the SSD, and the mobile 20 and the network generate session keys using SSDB. In updating the SSD, IS-41 provides of measure of security by performing mutual authentication (i.e., the mobile and the network authenticate one another) during the update process. However, in generating session keys, IS-41 does not provide for mutual authentication. Summary Of The Invention In the method for establishing a session key, a network and a mobile transfer codes between one another. The mobile uses these codes to authenticate the network, and the network uses these codes to authenticate the mobile. Besides performing this mutual authentication, the codes are used by the mobile and the network to establish the session key. In one embodiment, communication efficiency is improved by sending messages, forming part of the intended session, with the codes. Furthermore, the codes for performing mutual authentication are derived based on the messages. Brief Description Of The Drawings The present invention will become more fully understood from the detailed description given below and the accompanying drawings which are given by way of illustration only, wherein like reference numerals designate corresponding parts in the various drawings, and wherein: Fig. 1 is a block diagram illustrating the basic components of a wireless system; Fig. 2 illustrates the communication between the network and the mobile to establish a session key during call termination according to a first embodiment of the present invention; Fig. 3 illustrates the communication between the network and the mobile to establish a session key during call origination according to the first embodiment of the present invention; Fig. 4 illustrates the communication between the network and the mobile to establish a session key during call termination according to a second embodiment of the present invention; Fig. 5 illustrates the communication between the network and the mobile to establish a session key during call origination according to the second embodiment of the present invention; Fig. 6 illustrates the communication between the network and the mobile to establish a session key during call termination according to a third embodiment of the present invention; and Fig. 7 illustrates the communication between the network and the mobile to establish a session key during call origination according to the third embodiment of the present invention. Detailed Description Of The Preferred Embodiments The method for establishing session keys according to the present invention will be described as employed by the wireless system shown in Fig. 1. For the purposes of discussion only, operation in the shared manner will be described, but one skilled in the art will understand that the system may also operate in the unshared mode. Furthermore, while numerous sessions exist, for purposes of providing examples only, the method according to the present invention will be described with respect to establishing session keys during call origination and call termination. It will also be appreciated that, for clarity, the transfer of well-known information, such as the mobile's identity information (e.g., mobile identification number, electronic serial number, etc.), between the mobile 20 and the network has not been described. Fig. 2 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a first embodiment of the present invention. As shown, the VLR 15 generates a random number RN using a random number generator, and sends the random number RN to the mobile 20 as a challenge along with a call termination request. In response, the mobile 20 generates a count value CM, and performs a KCF on the random number RN, the count value CM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, CM, RN). Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher Block Chaining (DES-CBC) from NIST (National Institute of Standards). The mobile 20 includes a counter which generates the count value CM, and increments the count value CM prior to generating the challenge response (i.e., KCFssDA(Type, 0, CM, RN) ) to each challenge from the network. The Type data represents the type of protocol being performed. Types of protocols include, for example, call termination, call origination, mobile registration, etc. The id data 0 indicates that the communication issued from a mobile, and id data 1 indicates that communication is from the network. The mobile 20 sends count value CM and KCFssDA(Type, 0, CM, RN) to the network. Because the VLR 15 initiated the current call termination protocol including the protocol for establishing a session key according to the present invention, the VLR 15 knows the Type data. Also, because communication from mobiles includes the same id data, this value is known by the VLR 15 as well. Accordingly, based on the received count value CM, the VLR 15 calculates KCFssDA(Type, 0, CM, RN) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20. Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, CM), and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, CM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, CM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network. Both the mobile 20 and the VLR 15 generate the session key SK as PRFA-Key (CM, RN) ; wherein the PRF is preferably the DES-CBC algorithm. The mobile 20 stores the count value CM in semipermanent memory so that during power down, the count value CM is not re-initialized. This way, repetition of a count value is prevented; repetition of the count value permits an attacker to prevail in his attack. In a preferred embodiment, the count value is initialized using a random number and generated using a large bit counter such as a 64 or 75 bit counter. This provides security even when the mobile 20 crashes and loses the stored count value. Even if an attacker can cause a mobile to crash at will, and assuming it takes at least a second to initiate a session, it will take, for example, a year before the attacker manages to have the mobile repeat a count value when a 75 bit counter is used. As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number RN; namely, the same random number for all the mobiles. In this alternative embodiment, the network sends the call termination request as a page on a control channel• This alternative embodiment applies, however, when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this alternative embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, for the duration of a global random number the VLR 15 stores the count value CM and determines whether the received count value CM exceeds the previously stored count value. If the received count value CM does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CM does not exceed the previously stored count value, the mobile 20 is not authenticated. When a new global random number is sent by the VLR 15, the stored count values for each mobile are erased, and the process of storing and comparing count values begins again. Fig. 3 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the first embodiment of the present invention. As shown, the mobile 20 sends a call origination request to the VLR 15. In return, the VLR 15 generates the random number RN using a random number generator, and sends the random number RN to the mobile 20. In response, the mobile 20 generates the count value CM, and performs a KCF on the random number RN, the dialed digits DD, the count value CM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, CM, RN, DD) • The dialed digits DD are the telephone number of the party the mobile user wants to call. The mobile 20 sends the dialed digits DD, the count value CM and KCFssDA(Type, 0, CM, RN, DD) to the network. Because the VLR 15 received the call origination request, the VLR 15 knows the Type data. Accordingly, based on the received dialed digits and count value CM, the VLR 15 calculates KCFssDA(Type, 0, CM, RN, DD) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20. Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, CM), and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, CM ) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, CM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network. Both the mobile 20 and VLR 15 generate the session key SK as PRFA-Key(CM, RN) ; wherein the PRF is preferably the DES-CBC algorithm. As discussed above, mobile 20 stores the count value CM in semi-permanent memory, and the count value is initialized using a random number and generated using a large bit counter such as a 64 or 75 bit counter. As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number RN; namely, the same random number for all the mobiles. This alternative embodiment applies, however, when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this alternative embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, for the duration of a global random number the VLR 15 stores the count value CM and determines whether the received count value CM exceeds the previously stored count value. If the received count value CM does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CM does not exceed the previously stored count value, the mobile 20 is not authenticated. When a new global random number is sent by the VLR 15, the stored count values for each mobile are erased, and the process of storing and comparing count values begins again. Fig. 4 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a second embodiment of the present invention. As shown, the VLR 15 generates a random number RN using a random number generator, and sends the random number RN as a global challenge. When establishing a session key for call termination with the mobile 20, the VLR 15 sends a call termination request as a page to the mobile 20 on a control channel. In response, the mobile 20 generates, using a random number generator, a random number RM, and performs a KCF on the random number RN, the random number RM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, RM, RN) . Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher Block Chaining (DES-CBC) from NIST (National Institute of Standards). The mobi 1 e 20 sends the random number RM and KCFSSDA (Type, 0, RM, RN) to the network. Based on the received random number RM, the VLR 15 calculates KCFssDA(Type, 0, RM, RN) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20. Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, RM) , and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, RM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, RM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network. Both the mobile 20 and the VLR 15 generate the session key SK as PRFA-Key(RM, RN) ; wherein the PRF is preferably the DES-CBC algorithm. Furthermore, the embodiment of Fig. 4 applies when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM. Specifically, when a new global random number RN is received,, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and a challenge response, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the challenge response generated by the mobile 20 is KCFssDA(Type, 0, RM , RN, CT) , and the mobile 20 sends the count value CT, the random number RM and this challenge response to the network. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. If the VLR 15 goes forward with authenticating the mobile 20, the VLR 15 generates and sends a challenge response of KCFssDA(Type, 1, RM, CT) . Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key (RM, RN, CT) . Fig. 5 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the second embodiment of the present invention. As shown, the mobile 20 sends a call origination request to the VLR 15. In return, the VLR 15 generates the random number RN using a random number generator, and sends the random number RN as a global challenge. When the mobile user dials digits to make a call, the mobile 20 generates a random number RM using a random number generator and performs a KCF on the random number RN, the dialed digits DD, the random number RM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFSSDA (Type, 0, RM, RN, DD) . The mobile 20 sends the dialed digits DD, the random number RM and KCFSSDA (Type, 0, RM, RN, DD) to the network. Based on the received dialed digits and random number RM, the VLR 15 calculates KCFssDA(Type, 0, RM, RN, DD) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20. Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, RM) , and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, RM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, RM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network. Both the mobile 20 and VLR 15 generate the session key SK as PRFA-Key(RM ,RN) ; wherein the PRF is preferably the DES-CBC algorithm. Furthermore, the embodiment of Fig. 5 applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM. Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and a challenge response, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the challenge response generated by the mobile 20 is KCFssDA(Type, 0, RM , RN, DD, CT) , and the mobile 20 sends the call origination request, the dialed digits DD, the count value CT, the random number RM and this challenge response to the network. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. If the VLR 15 goes forward with authenticating the mobile 20, the VLR 15 generates and sends a challenge response of KCFssDA(Type, 1, RM, CT) . Accordingly, when using a global random number RN only two rounds of communication are needed to establish the session key. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key(RM, RN, CT) . Next, the third embodiment of the present invention will be described- In conventional wireless systems, after establishing the session key, messages are transferred between the mobile 20 and the network. The third embodiment of the present invention improves communication efficiency by incorporating the initial transfer of messages as part of the communication to establish the session key. Fig. 6 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a third embodiment of the present invention. As shown, the VLR 15 generates a random number RK using a random number generator, and sends the random number RN to the mobile 20 along with a call termination request. In response, the mobile 20 generates a random number RM, and calculates a session key SK as PRFA-KBY (RM, RN) • In the typical, well-known fashion, the mobile 20 also generates a message XM and a mobile message count value CTM associated therewith. Because the generation of messages and the message count value are well-known in the art, these processes will not be described in detail. The mobile 20 then performs a KCF on the message XM, the count value CTM, and the mobile id data of 0 using the session key SK as the key to generate an authentication tag. This calculation is represented as KCFSK (0, CTM, XM) . Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher Block Chaining (DES-CBC) from NIST (National Institute of Standards) . The mobile 20 sends the message count value CTM, the random number RM, the message XM and the authentication tag of KCFSK(0, CTM, XM) to the network. Based on the received random number RM, the VLR 15 calculates the session key SK in the same manner as did the mobile 20. The VLR 15 also calculates KCFSK (0, CTM, XM) based on the received message XM and the count value CTM, and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20. If the VLR 15 authenticates the mobile 20, the VLR 15 processes the message XM and the message count value CTM in the typical, well-known manner, and generates a network message XN and network message count value CTN in the typical, well-known manner. Because these processes are so well-known in the art, they will not be described in detail. The VLR 15 further calculates an authentication tag of KCFSK(1, CTN, XN) , where 1 is the network id data, and sends this authentication tag to the mobile 20 along with the message XN and the message count value CTN. The mobile 20 calculates KCFSK (1, CTN, XN) based on the received message XN and the count value CTN, The mobile 20 then verifies whether the calculated version of KCFSK(1, CTN, XN) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network; and thus, the session key SK. As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number RN; namely, the same random number for all the mobiles. In this alternative embodiment, the network sends the call termination request as a page on a control channel. Furthermore, this alternative embodiment applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number RN is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM. Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and an authentication tag, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the mobile 20 sends the count value CT along with the message count value CTM, the random number RM, the message XM and the authentication tag. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-KeyCRn, RN, CT) . Fig. 7 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the third embodiment of the present invention. Once the dialed digits DD are received from a mobile user, the mobile 20 generates a random number RM using a random number generator. As shown, the mobile 20 sends a call origination request, the random number KM and the dialed digits DD to the VLR 15, In response, the VLR 15 generates a random number I^, and calculates a session key SK as PRFA-Key(RM, RN) • In the typical, well-known fashion, the VLR 15 also generates a message XN and a mobile message count value CTN associated therewith. Because the generation of messages and the message count value are well-known in the art, these processes will not be described in detail. The VLR 15 then performs a KCF on the message XN, the count value CTN, and the network id data of 1 using the session key SK as the key to generate an authentication tag. This calculation is represented as KCFSK(1, CTN, XN) . The VLR 15 sends the message count value CTN, the random number RN, the message XN and the authentication tag of KCFSK(1, CTN, XN) to the mobile 20. Based on the received random number RN, the mobile 20 calculates the session key SK in the same manner as did the VLR 15. The mobile 20 also calculates KCFSK(1, CTN, XN) based on the received message XN and the count value CTN, and determines whether this calculated value matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the VLR 15. If the mobile 20 authenticates the VLR 15, the mobile 20 processes the message XN and the message count value CTN in the typical, well-known manner, and generates a network message XM and network message count value CTM in the typical, well-known manner. Because these processes are so well-known in the art, they will not be described in detail. The mobile 20 further calculates an authentication tag of KCFSK(0, CTM, XM) , where 0 is the mobile id data, and sends this authentication tag to the VLR 15 along with the message XM and the message count value CTM. The VLR 15 calculates KCFSK(0, CTM, XM) based on the received message XM and the count value CTM. The VLR 15 then verifies whether the calculated version of KCFSK(0, CTM, XM) matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20; and thus, the session key SK. As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number R^4; namely, the same random number for all the mobiles. Furthermore, this alternative embodiment applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number RN is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM. Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and an authentication tag, the mobile 20 increments the counter to obtain the count value CT, Furthermore, the mobile 20 sends the count value CT along with the call origination request. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key(RM, RN, CT) . Unlike some conventional methods for establishing the session key, the method according to the present invention provides an added measure of security by performing mutual authentication. The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications are intended to be included within the scope of the following claims. Claims; 1. A method for establishing a session key at a mobile,- comprising: a) receiving a first code from a network, said first code being a global challenge; b) generating second and third codes; c) sending said second and third codes to said network; d) receiving a fourth code from said network; e) authenticating said network based on said fourth code; and f) establishing said session key based on said first and second codes if said network is authenticated. 2. The method of claim 1, further comprising: g) incrementing a counter upon receipt of said global challenge to obtain a count value; and wherein said step c) sends said count value and said second and third codes to said network; and said step f) establishes said session key based on said first and second codes and said count value. 3. The method of claim 1, wherein said second code is a unique challenge. 4. The method of claim 1, wherein said step b) generates said third code by performing a keyed cryptographic function on said first and second codes. 5. The method of claim 1, wherein said step a) receives a first random number as said first code; and said step b) increments a counter to obtain a count value as said second code. 6. The method of claim 5, wherein said step b) generates said third code by performing a keyed cryptographic function on said first and second codes. 7. The method of claim 1, wherein said step c) sends dialed digits to said network with said second and third codes. 8. The method of claim 1, wherein said step b) generates said third code by performing a keyed cryptographic function on said first and second codes and said dialed digits. 9. A method for establishing a session key at a network comprising: a) sending a global challenge as a first code; b) receiving second and third codes from a mobile; c) establishing a session key bsed on said first and second codes; d) authenticating said mobile based on said third code and said session key. 10. The method of claim 9, wherein said step b) receives a count value; and further including, e) storing said count value; f) determining if said stored count value is greater than a previously stored count value; and wherein said step c) establishes said session key based on said first and second codes and said count value if said stored count value is greater than said previously stored count value, 11. The method of claim 9, wherein said second code is a unique challenge. 12. The method of claim 9, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes as said third code. 13. The method of claim 9, wherein said step a) sends a first random number as said first code; and said step b) receives a count value as said second code. 14. The method of claim 13, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes. 15. The method of claim 13, further comprising: e) storing said count value; f) determining if said stored count value is greater than a previously stored count value; and wherein said step c) establishes said session key based on said first and second codes if said stored count value is greater than said previously stored count value. 16. The method of claim 9, wherein said step b) receives dialed digits from said mobile with said second and third codes. 17. The method of claim 16, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes and said dialed digits as said third code. 18. The method of claim 9, further comprising: e) generating a fourth code if said mobile is authenticated; and f) sending said fourth code to said mobile. 19. The method of claim 18, wherein said step e) generates said fourth code by performing a keyed cryptographic function on said second code. 20. A method for establishing a session key at a mobile, comprising: a) receiving a first code from a network; b) incrementing a counter to obtain a count value as a second code; c) generating third code; d) sending said second and third codes to said network; e) receiving a fourth code from said network; f) authenticating said network based on said fourth code; and . g) establishing said session key based on said first and second codes if said network is authenticated. 21. The method of claim 20, wherein said step a) receives a unique challenge as said first code. 22. The method of claim 20, wherein said step a) receives a global challenge as said first code. 23. The method of claim 20, wherein said step c) generates said third code by performing a keyed cryptographic function on said first and second codes. 24. The method of claim 20, wherein said step d) sends dialed digits to said network with said second and third codes. 25. The method of claim 24, wherein said step c) generates said third code by performing a keyed cryptographic function on said first and second codes and said dialed digits. 26. A method for establishing a session key at a network comprising: a) sending a first code to a mobile; b) receiving second and third codes from a mobile, said second code being a count value; c) establishing a session key based on said first and second codes; d) authenticating said mobile based on said third code and said session key. 27. The method of claim 26, wherein said step a) sends unique challenge as said first code. 28. The method of claim 26, wherein said step a) sends a global challenge as said first code. 29. The method of claim 26, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes as said third code. 30. The method of claim 26, further comprising: e) storing said count value; f) determining if said stored count value is greater than a previously stored count value; and wherein said step c) establishes said session key based on said first and second codes if said stored count value is greater than said previously stored count value. 31. The method of claim 26, wherein said step b) receives dialed digits from said mobile with said second and third codes, 32. The method of claim 31, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes and said dialed digits as said third code, 33. The method of claim 26 further comprising: e) generating a fourth code if said mobile is authenticated; and f) sending said fourth code to said mobile. 34. The method of claim 33, wherein said step e) generates said fourth code by performing a keyed cryptographic function on said second code. 35. A method for establishing a session key at a first party, comprising: a) receiving a first code from a second party; b) generating a second code; c) establishing a session key based on said first and second codes; d) generating a third code by performing a keyed cryptographic function on a first message using said session key; e) sending said message and said second and third codes to said second party; f) receiving a fourth code from said second party; and g) authenticating said session key based on said fourth code. 36. The method of claim 35, wherein said first party is a mobile and said second party is a network. 37. The method of claim 35, wherein said first party is a network and said second party is a mobile. 38. The method of claim 35, wherein said step d) generates said third code by performing said keyed cryptographic function on said first message and a message count value using said session key. 39. The method of claim 35, wherein said step f) receives a second message and said fourth code. 40. The method of claim 39, wherein said fourth code is a result of performing said keyed cryptographic function on said second message using said session key. 41. The method of claim 35, wherein said step f) receives a second message, a message count value, and said fourth code, and said fourth code is a result of performing said keyed cryptographic function on said second message and said message count value using said session key. 42. The method of claim 35, wherein said first code is a global challenge. 43. A method for establishing a session key at a first party, comprising: a) sending a first code to a second party; b) receiving a message, a second code, and a third code from said second party, said third code being a result of performing a keyed cryptographic function on said message using a session key; c) determining said session key based on said first and second codes; and d) authenticating said second party based on said third code and said session key. 44. The method of claim 43, wherein said first party is a mobile and said second party is a network. 45• The method of claim 43, wherein said first party is a network and said second party is a mobile. 46. The method of claim 43, wherein said third code is a result of performing said keyed cryptographic function on said first message and a message count value using said session key. 47. The method of claim 43, further comprising: e) generating a fourth code if said second party is authenticated; and f) sending said fourth code to said second party if said second party is authenticated. 48. The method of claim 47, wherein said step f) sends a second message and said fourth code. 49. The method of claim 48, wherein said fourth code is a result of performing said keyed cryptographic function on said second message using said session key. 50. The method of claim 47, wherein said step f) sends a second message, a message count value, and said fourth code, and said fourth code is a result of performing said keyed cryptographic function on said second message and said message count value using said session key. 51. The method of claim 43, wherein said step a) sends a global challenge as said first code. A method for establishing a session key at a mobile, substantially as hereinabove described and illustrated with reference to the accompanying drawings.

Full Text

METHOD FOR ESTABLISHING SESSION KEY AGREEMENT
Related Applications
The following applications, filed on July 31, 1998, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR TWO PARTY AUTHENTICATION AND KEY AGREEMENT by the inventor of the subject application, application no. unknown entitled METHOD FOR UPDATING SECRET SHARED DATA IN A WIRELESS COMMUNICATION SYSTEM by the inventor of the subject application; application no, unknown entitled METHOD FOR TRANSFERRING SENSITIVE INFORMATION USING INTIALLY UNSECURED COMMUNICATION by the inventor of the subject application; application no. unknown entitled METHOD FOR SECURING OVER-THE-AIR COMMUNICATION IN A WIRELESS SYSTEM by the inventor of the subject application; and application no. unknown entitled METHOD FOR ESTABLISHING A KEY USING OVER-THE-AIR COMMUNICATION AND PASSWORD PROTOCOL AND PASSWORD PROTOCOL by the inventor of the subject application and Adam Berenzweig.
The following applications, filed concurrently with the subject application, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR DETERMINING TEMPORA RY MOBILE IDENTIFIERS AND MANAGING USE THEREOF by the inventor of the subject application, and application no, entitled METHOD FOR PROTECTING MOBILE ANONYMITY by the inventor of the subject application.

Field of the Invention
The present invention relates to a method for establishing a session key in a wireless system.
Description of Related Art
The U.S. currently utilizes three major wireless systems, with differing standards. The first system is a time division multiple access system (TDMA) and is governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Phone System (AMPS) . All three communication systems use the IS-41 standard for intersystem messaging, which defines the authentication procedure for call origination, updating the secret shared data, and etc.
Fig.l illustrates a wireless system including an authentication center (AC) and a home location register (HLR) 10, a visiting location register (VLR) 15, and a mobile 20. While more than one HLR may be associated with an AC, currently a one-to-one correspondence exists. Consequently, Fig, 1 illustrates the HLR and AC as a single entity, even though they are separate. Furthermore, for simplicity, the remainder of the specification will refer to the HLR and AC jointly as the AC/HLR. Also, the VLR sends information to one of a plurality of mobile switching centers (MSCs) associated therewith, and each MSC sends the information to one of a plurality of base stations (BSs) for transmission to the mobile. For simplicity, the VLR, MSCs and BSs will be referred to and illustrated as a VLR, Collectively, the ACs, HLRs, VLRs, MSCs, and BSs operated by a network provider are referred to as a network.
A root key, known as the A-key, is stored only in the AC/HLR 10 and the mobile 20. There is a secondary key,

knovm as Shared Secret Data SSD, which is sent to the VLR 15 as the mobile roams (i.e., when the mobile is outside its home coverage area). The SSD is generated from the A-key and a random seed RANDSSD using a cryptographic algorithm or function. A cryptographic function is a function which generates an output having a predetermined number of bits based on a range of possible inputs, A keyed cryptographic function (KCF) is a type of cryptographic function that operates based on a key; for instance, a cryptographic function which operates on two or more argioments (i • e., inputs) wherein one of the arguments is the key. From the output and knowledge of the KCF in use, the inputs can not be determined unless the key is known. Encryption/decryption algorithms are types of cryptographic functions. So are one-way functions like pseudo random functions (PRFs) and message authentication codes (MACs). The expression KCFSK(RN') represents the KCF of the random number RN' using the session key SK as the key. A session key is a key that lasts for a session, and a session is a period of time such as the length of a call.
In the IS-41 protocol, the cryptographic function used is CAVE (Cellular Authentication and Voice Encryption) . When the mobile 20 roams, the VLR 15 in that area sends an authentication request to the AC/HLR 10. If operating in an unshared mode, the AC/HLR 10, using the VLR 15 as a communication conduit, authenticates the mobile 20 using the SSD associated with the mobile 20. However, in the shared mode, the AC/HLR 10 responds to the authentication request by sending the mobile's SSD to the VLR 15. Once the VLR 15 has the SSD, it can authenticate the mobile 20 independently of the AC/HLR 10. For security reasons, the SSD is periodically updated.
The SSD is 128 bits long. The first 64 bits serve as a first SSD, referred to as SSDA, and the second 64 bits

serve as a second SSD, referred to as SSDB. The SSDA is used in the protocol to update the SSD, and the mobile 20 and the network generate session keys using SSDB. In updating the SSD, IS-41 provides of measure of security by performing mutual authentication (i.e., the mobile and the network authenticate one another) during the update process. However, in generating session keys, IS-41 does not provide for mutual authentication.
Summary Of The Invention
In the method for establishing a session key, a network and a mobile transfer codes between one another. The mobile uses these codes to authenticate the network, and the network uses these codes to authenticate the mobile. Besides performing this mutual authentication, the codes are used by the mobile and the network to establish the session key. In one embodiment, communication efficiency is improved by sending messages, forming part of the intended session, with the codes. Furthermore, the codes for performing mutual authentication are derived based on the messages.
Brief Description Of The Drawings
The present invention will become more fully understood from the detailed description given below and the accompanying drawings which are given by way of illustration only, wherein like reference numerals designate corresponding parts in the various drawings, and wherein:
Fig. 1 is a block diagram illustrating the basic components of a wireless system;
Fig. 2 illustrates the communication between the network and the mobile to establish a session key during

call termination according to a first embodiment of the present invention;
Fig. 3 illustrates the communication between the network and the mobile to establish a session key during call origination according to the first embodiment of the present invention;
Fig. 4 illustrates the communication between the network and the mobile to establish a session key during call termination according to a second embodiment of the present invention;
Fig. 5 illustrates the communication between the network and the mobile to establish a session key during call origination according to the second embodiment of the present invention;
Fig. 6 illustrates the communication between the network and the mobile to establish a session key during call termination according to a third embodiment of the present invention; and
Fig. 7 illustrates the communication between the network and the mobile to establish a session key during call origination according to the third embodiment of the present invention.
Detailed Description Of The Preferred Embodiments
The method for establishing session keys according to the present invention will be described as employed by the wireless system shown in Fig. 1. For the purposes of discussion only, operation in the shared manner will be described, but one skilled in the art will understand that the system may also operate in the unshared mode. Furthermore, while numerous sessions exist, for purposes of providing examples only, the method according to the present invention will be described with respect to

establishing session keys during call origination and call termination. It will also be appreciated that, for clarity, the transfer of well-known information, such as the mobile's identity information (e.g., mobile identification number, electronic serial number, etc.), between the mobile 20 and the network has not been described.
Fig. 2 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a first embodiment of the present invention. As shown, the VLR 15 generates a random number RN using a random number generator, and sends the random number RN to the mobile 20 as a challenge along with a call termination request.
In response, the mobile 20 generates a count value CM, and performs a KCF on the random number RN, the count value CM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, CM, RN). Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher Block Chaining (DES-CBC) from NIST (National Institute of Standards). The mobile 20 includes a counter which generates the count value CM, and increments the count value CM prior to generating the challenge response (i.e., KCFssDA(Type, 0, CM, RN) ) to each challenge from the network.
The Type data represents the type of protocol being performed. Types of protocols include, for example, call termination, call origination, mobile registration, etc. The id data 0 indicates that the communication issued from a mobile, and id data 1 indicates that communication is from the network.
The mobile 20 sends count value CM and KCFssDA(Type, 0, CM, RN) to the network. Because the VLR 15 initiated the

current call termination protocol including the protocol for establishing a session key according to the present invention, the VLR 15 knows the Type data. Also, because communication from mobiles includes the same id data, this value is known by the VLR 15 as well. Accordingly, based on the received count value CM, the VLR 15 calculates KCFssDA(Type, 0, CM, RN) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20.
Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, CM), and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, CM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, CM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network.
Both the mobile 20 and the VLR 15 generate the session key SK as PRFA-Key (CM, RN) ; wherein the PRF is preferably the DES-CBC algorithm.
The mobile 20 stores the count value CM in semipermanent memory so that during power down, the count value CM is not re-initialized. This way, repetition of a count value is prevented; repetition of the count value permits an attacker to prevail in his attack. In a preferred embodiment, the count value is initialized using a random number and generated using a large bit counter such as a 64 or 75 bit counter. This provides security even when the mobile 20 crashes and loses the stored count value. Even if an attacker can cause a mobile to crash at will, and assuming it takes at least a second to initiate a session, it will take, for example, a year before the attacker manages to have the mobile repeat a count value when a 75 bit counter is used.

As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number RN; namely, the same random number for all the mobiles. In this alternative embodiment, the network sends the call termination request as a page on a control channel•
This alternative embodiment applies, however, when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this alternative embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, for the duration of a global random number the VLR 15 stores the count value CM and determines whether the received count value CM exceeds the previously stored count value. If the received count value CM does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CM does not exceed the previously stored count value, the mobile 20 is not authenticated. When a new global random number is sent by the VLR 15, the stored count values for each mobile are erased, and the process of storing and comparing count values begins again.
Fig. 3 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the first embodiment of the present invention. As shown, the mobile 20 sends a call origination request to the VLR 15. In return, the VLR 15 generates the random number RN using a random number generator, and sends the random number RN to the mobile 20.
In response, the mobile 20 generates the count value CM, and performs a KCF on the random number RN, the dialed

digits DD, the count value CM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, CM, RN, DD) • The dialed digits DD are the telephone number of the party the mobile user wants to
call.
The mobile 20 sends the dialed digits DD, the count value CM and KCFssDA(Type, 0, CM, RN, DD) to the network. Because the VLR 15 received the call origination request, the VLR 15 knows the Type data. Accordingly, based on the received dialed digits and count value CM, the VLR 15 calculates KCFssDA(Type, 0, CM, RN, DD) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20.
Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, CM), and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, CM ) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, CM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network.
Both the mobile 20 and VLR 15 generate the session key SK as PRFA-Key(CM, RN) ; wherein the PRF is preferably the DES-CBC algorithm.
As discussed above, mobile 20 stores the count value CM in semi-permanent memory, and the count value is initialized using a random number and generated using a large bit counter such as a 64 or 75 bit counter.
As an alternative, instead of generating and
sending a unique random number RN to each mobile, the VLR
15 generates a global random number RN; namely, the same
random number for all the mobiles.

This alternative embodiment applies, however, when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this alternative embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, for the duration of a global random number the VLR 15 stores the count value CM and determines whether the received count value CM exceeds the previously stored count value. If the received count value CM does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CM does not exceed the previously stored count value, the mobile 20 is not authenticated. When a new global random number is sent by the VLR 15, the stored count values for each mobile are erased, and the process of storing and comparing count values begins again.
Fig. 4 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a second embodiment of the present invention. As shown, the VLR 15 generates a random number RN using a random number generator, and sends the random number RN as a global challenge. When establishing a session key for call termination with the mobile 20, the VLR 15 sends a call termination request as a page to the mobile 20 on a control channel.
In response, the mobile 20 generates, using a random number generator, a random number RM, and performs a KCF on the random number RN, the random number RM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFssDA(Type, 0, RM, RN) . Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher

Block Chaining (DES-CBC) from NIST (National Institute of Standards).
The mobi 1 e 20 sends the random number RM and KCFSSDA (Type, 0, RM, RN) to the network. Based on the received random number RM, the VLR 15 calculates KCFssDA(Type, 0, RM, RN) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20.
Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, RM) , and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, RM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, RM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network.
Both the mobile 20 and the VLR 15 generate the session key SK as PRFA-Key(RM, RN) ; wherein the PRF is preferably the DES-CBC algorithm.
Furthermore, the embodiment of Fig. 4 applies when the anticipated response time for the mobile 20, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM.
Specifically, when a new global random number RN is received,, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and a challenge response, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the challenge response generated by the

mobile 20 is KCFssDA(Type, 0, RM , RN, CT) , and the mobile 20 sends the count value CT, the random number RM and this challenge response to the network. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated.
If the VLR 15 goes forward with authenticating the mobile 20, the VLR 15 generates and sends a challenge response of KCFssDA(Type, 1, RM, CT) . Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key (RM, RN, CT) .
Fig. 5 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the second embodiment of the present invention. As shown, the mobile 20 sends a call origination request to the VLR 15. In return, the VLR 15 generates the random number RN using a random number generator, and sends the random number RN as a global challenge.
When the mobile user dials digits to make a call, the mobile 20 generates a random number RM using a random number generator and performs a KCF on the random number RN, the dialed digits DD, the random number RM, Type data, and id data 0 using the SSDA as the key. This calculation is represented as KCFSSDA (Type, 0, RM, RN, DD) .
The mobile 20 sends the dialed digits DD, the random number RM and KCFSSDA (Type, 0, RM, RN, DD) to the network. Based on the received dialed digits and random number RM,

the VLR 15 calculates KCFssDA(Type, 0, RM, RN, DD) and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20.
Once the mobile 20 has been authenticated, the VLR 15 calculates KCFssDA(Type, 1, RM) , and sends the calculated result to the mobile 20. The mobile 20, meanwhile, calculates KCFssDA(Type, 1, RM) as well. The mobile 20 then verifies whether the calculated version of KCFssDA(Type, 1, RM) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network.
Both the mobile 20 and VLR 15 generate the session key SK as PRFA-Key(RM ,RN) ; wherein the PRF is preferably the DES-CBC algorithm.
Furthermore, the embodiment of Fig. 5 applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM.
Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and a challenge response, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the challenge response generated by the mobile 20 is KCFssDA(Type, 0, RM , RN, DD, CT) , and the mobile 20 sends the call origination request, the dialed digits DD, the count value CT, the random number RM and this challenge response to the network. The VLR 15 stores received count values from each mobile for the

duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated.
If the VLR 15 goes forward with authenticating the mobile 20, the VLR 15 generates and sends a challenge response of KCFssDA(Type, 1, RM, CT) . Accordingly, when using a global random number RN only two rounds of communication are needed to establish the session key. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key(RM, RN, CT) .
Next, the third embodiment of the present invention will be described- In conventional wireless systems, after establishing the session key, messages are transferred between the mobile 20 and the network. The third embodiment of the present invention improves communication efficiency by incorporating the initial transfer of messages as part of the communication to establish the session key.
Fig. 6 illustrates the communication between the network and the mobile 20 to establish a session key during call termination according to a third embodiment of the present invention. As shown, the VLR 15 generates a random number RK using a random number generator, and sends the random number RN to the mobile 20 along with a call termination request.
In response, the mobile 20 generates a random number RM, and calculates a session key SK as PRFA-KBY (RM, RN) • In the typical, well-known fashion, the mobile 20 also

generates a message XM and a mobile message count value CTM associated therewith. Because the generation of messages and the message count value are well-known in the art, these processes will not be described in detail.
The mobile 20 then performs a KCF on the message XM, the count value CTM, and the mobile id data of 0 using the session key SK as the key to generate an authentication tag. This calculation is represented as KCFSK (0, CTM, XM) . Preferably, the KCF is a keyed message authentication code such as HMAC, but could be a PRF such as Data Encryption Standard-Cipher Block Chaining (DES-CBC) from NIST (National Institute of Standards) .
The mobile 20 sends the message count value CTM, the random number RM, the message XM and the authentication tag of KCFSK(0, CTM, XM) to the network. Based on the received random number RM, the VLR 15 calculates the session key SK in the same manner as did the mobile 20. The VLR 15 also calculates KCFSK (0, CTM, XM) based on the received message XM and the count value CTM, and determines whether this calculated value matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20.
If the VLR 15 authenticates the mobile 20, the VLR 15 processes the message XM and the message count value CTM in the typical, well-known manner, and generates a network message XN and network message count value CTN in the typical, well-known manner. Because these processes are so well-known in the art, they will not be described in detail.
The VLR 15 further calculates an authentication tag of KCFSK(1, CTN, XN) , where 1 is the network id data, and sends this authentication tag to the mobile 20 along with the message XN and the message count value CTN. The mobile 20 calculates KCFSK (1, CTN, XN) based on the received

message XN and the count value CTN, The mobile 20 then verifies whether the calculated version of KCFSK(1, CTN, XN) matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the network; and thus, the session key SK.
As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number RN; namely, the same random number for all the mobiles. In this alternative embodiment, the network sends the call termination request as a page on a control channel.
Furthermore, this alternative embodiment applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number RN is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM.
Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and an authentication tag, the mobile 20 increments the counter to obtain the count value CT. Furthermore, the mobile 20 sends the count value CT along with the message count value CTM, the random number RM, the message XM and the authentication tag. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with

authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-KeyCRn, RN, CT) .
Fig. 7 illustrates the communication between the network and the mobile 20 to establish a session key during call origination according to the third embodiment of the present invention. Once the dialed digits DD are received from a mobile user, the mobile 20 generates a random number RM using a random number generator. As shown, the mobile 20 sends a call origination request, the random number KM and the dialed digits DD to the VLR 15,
In response, the VLR 15 generates a random number I^, and calculates a session key SK as PRFA-Key(RM, RN) • In the typical, well-known fashion, the VLR 15 also generates a message XN and a mobile message count value CTN associated therewith. Because the generation of messages and the message count value are well-known in the art, these processes will not be described in detail.
The VLR 15 then performs a KCF on the message XN, the count value CTN, and the network id data of 1 using the session key SK as the key to generate an authentication tag. This calculation is represented as KCFSK(1, CTN, XN) .
The VLR 15 sends the message count value CTN, the random number RN, the message XN and the authentication tag of KCFSK(1, CTN, XN) to the mobile 20. Based on the received random number RN, the mobile 20 calculates the session key SK in the same manner as did the VLR 15. The mobile 20 also calculates KCFSK(1, CTN, XN) based on the received message XN and the count value CTN, and determines whether this calculated value matches the version received from the VLR 15. If a match is found, the mobile 20 authenticates the VLR 15.

If the mobile 20 authenticates the VLR 15, the mobile 20 processes the message XN and the message count value CTN in the typical, well-known manner, and generates a network message XM and network message count value CTM in the typical, well-known manner. Because these processes are so well-known in the art, they will not be described in detail.
The mobile 20 further calculates an authentication tag of KCFSK(0, CTM, XM) , where 0 is the mobile id data, and sends this authentication tag to the VLR 15 along with the message XM and the message count value CTM. The VLR 15 calculates KCFSK(0, CTM, XM) based on the received message XM and the count value CTM. The VLR 15 then verifies whether the calculated version of KCFSK(0, CTM, XM) matches the version received from the mobile 20. If a match is found, the VLR 15 authenticates the mobile 20; and thus, the session key SK.
As an alternative, instead of generating and sending a unique random number RN to each mobile, the VLR 15 generates a global random number R^4; namely, the same random number for all the mobiles.
Furthermore, this alternative embodiment applies when the anticipated response time for the mobile, as monitored by the network, is kept relatively the same as when a unique random number RN is sent. Stated another way, this embodiment applies when the validity period of the global random number RN is kept relatively short. If a longer validity period for global random numbers is desired, then, preferably, the mobile 20 generates a count value CT in addition to the random number RM.
Specifically, when a new global random number RN is received, the mobile 20 initializes a counter included therein. Each time the mobile 20 generates a random number RM and an authentication tag, the mobile 20

increments the counter to obtain the count value CT, Furthermore, the mobile 20 sends the count value CT along with the call origination request. The VLR 15 stores received count values from each mobile for the duration of a global random number RN, and determines whether a count value CT received from a mobile exceeds the previously stored count value for that mobile. If the received count value CT does exceed the previously stored count value, then the VLR 15 goes forward with authenticating the mobile 20. If the received count value CT does not exceed the previously stored count value, the mobile 20 is not authenticated. Additionally, in generating the session key, the mobile 20 and the VLR 15 calculate the session key as PRFA-Key(RM, RN, CT) .
Unlike some conventional methods for establishing the session key, the method according to the present invention provides an added measure of security by performing mutual authentication.
The invention being thus described, it will be obvious that the same may be varied in many ways. Such variations are not to be regarded as a departure from the spirit and scope of the invention, and all such modifications are intended to be included within the scope of the following claims.

Claims;
1. A method for establishing a session key at a mobile,-
comprising:
a) receiving a first code from a network, said
first code being a global challenge;
b) generating second and third codes;
c) sending said second and third codes to said
network;
d) receiving a fourth code from said network;
e) authenticating said network based on said fourth code; and
f) establishing said session key based on said
first and second codes if said network is authenticated.
2. The method of claim 1, further comprising:
g) incrementing a counter upon receipt of said
global challenge to obtain a count value; and wherein
said step c) sends said count value and said second and third codes to said network; and
said step f) establishes said session key based on said first and second codes and said count value.
3. The method of claim 1, wherein said second code is a
unique challenge.
4. The method of claim 1, wherein said step b) generates
said third code by performing a keyed cryptographic
function on said first and second codes.
5. The method of claim 1, wherein

said step a) receives a first random number as said first code; and
said step b) increments a counter to obtain a count value as said second code.
6. The method of claim 5, wherein said step b) generates said third code by performing a keyed cryptographic function on said first and second codes.
7. The method of claim 1, wherein said step c) sends dialed digits to said network with said second and third codes.
8. The method of claim 1, wherein said step b) generates said third code by performing a keyed cryptographic function on said first and second codes and said dialed digits.
9. A method for establishing a session key at a network comprising:

a) sending a global challenge as a first code;
b) receiving second and third codes from a mobile;
c) establishing a session key bsed on said first and second codes;
d) authenticating said mobile based on said third code and said session key.
10. The method of claim 9, wherein
said step b) receives a count value; and further including,
e) storing said count value;

f) determining if said stored count value is greater than a previously stored count value; and wherein
said step c) establishes said session key based on said first and second codes and said count value if said stored count value is greater than said previously stored count value,
11. The method of claim 9, wherein said second code is
a unique challenge.
12. The method of claim 9, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes as said third code.
13. The method of claim 9, wherein
said step a) sends a first random number as said first code; and
said step b) receives a count value as said second code.
14. The method of claim 13, wherein
said step b) receives a result of performing a keyed cryptographic function on said first and second codes.
15. The method of claim 13, further comprising:
e) storing said count value;
f) determining if said stored count value is greater than a previously stored count value; and wherein
said step c) establishes said session key based on said first and second codes if said stored count value is greater than said previously stored count value.

16. The method of claim 9, wherein said step b) receives dialed digits from said mobile with said second and third codes.
17. The method of claim 16, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes and said dialed digits as said third code.
18. The method of claim 9, further comprising:
e) generating a fourth code if said mobile is
authenticated; and
f) sending said fourth code to said mobile.
19. The method of claim 18, wherein said step e) generates said fourth code by performing a keyed cryptographic function on said second code.
20. A method for establishing a session key at a mobile, comprising:

a) receiving a first code from a network;
b) incrementing a counter to obtain a count value as a second code;
c) generating third code;
d) sending said second and third codes to said
network;
e) receiving a fourth code from said network;
f) authenticating said network based on said fourth code; and .
g) establishing said session key based on said
first and second codes if said network is authenticated.

21. The method of claim 20, wherein said step a) receives a unique challenge as said first code.
22. The method of claim 20, wherein said step a) receives a global challenge as said first code.
23. The method of claim 20, wherein said step c) generates said third code by performing a keyed cryptographic function on said first and second codes.
24. The method of claim 20, wherein said step d) sends dialed digits to said network with said second and third codes.
25. The method of claim 24, wherein said step c) generates said third code by performing a keyed cryptographic function on said first and second codes and said dialed digits.
26. A method for establishing a session key at a network comprising:

a) sending a first code to a mobile;
b) receiving second and third codes from a mobile, said second code being a count value;
c) establishing a session key based on said first and second codes;
d) authenticating said mobile based on said third code and said session key.
27. The method of claim 26, wherein said step a) sends
unique challenge as said first code.
28. The method of claim 26, wherein said step a) sends a global challenge as said first code.

29. The method of claim 26, wherein said step b)
receives a result of performing a keyed cryptographic
function on said first and second codes as said third
code.
30. The method of claim 26, further comprising:
e) storing said count value;
f) determining if said stored count value is greater than a previously stored count value; and wherein
said step c) establishes said session key based on said first and second codes if said stored count value is greater than said previously stored count value.
31. The method of claim 26, wherein said step b) receives dialed digits from said mobile with said second and third codes,
32. The method of claim 31, wherein said step b) receives a result of performing a keyed cryptographic function on said first and second codes and said dialed digits as said third code,
33. The method of claim 26 further comprising:
e) generating a fourth code if said mobile is
authenticated; and
f) sending said fourth code to said mobile.
34. The method of claim 33, wherein said step e) generates said fourth code by performing a keyed cryptographic function on said second code.
35. A method for establishing a session key at a first party, comprising:
a) receiving a first code from a second party;

b) generating a second code;
c) establishing a session key based on said first and second codes;

d) generating a third code by performing a keyed cryptographic function on a first message using said session key;
e) sending said message and said second and third codes to said second party;
f) receiving a fourth code from said second party; and
g) authenticating said session key based on said fourth code.

36. The method of claim 35, wherein said first party is a mobile and said second party is a network.
37. The method of claim 35, wherein said first party is a network and said second party is a mobile.
38. The method of claim 35, wherein said step d) generates said third code by performing said keyed cryptographic function on said first message and a message count value using said session key.
39. The method of claim 35, wherein said step f) receives a second message and said fourth code.
40. The method of claim 39, wherein said fourth code is a result of performing said keyed cryptographic function on said second message using said session key.
41. The method of claim 35, wherein said step f) receives a second message, a message count value, and said fourth code, and said fourth code is a result of performing said keyed cryptographic function on said

second message and said message count value using said session key.
42. The method of claim 35, wherein said first code is a global challenge.
43. A method for establishing a session key at a first party, comprising:

a) sending a first code to a second party;
b) receiving a message, a second code, and a third code from said second party, said third code being a result of performing a keyed cryptographic function on said message using a session key;
c) determining said session key based on said first and second codes; and
d) authenticating said second party based on said third code and said session key.
44. The method of claim 43, wherein said first party is
a mobile and said second party is a network.
45• The method of claim 43, wherein said first party is a network and said second party is a mobile.
46. The method of claim 43, wherein said third code is a result of performing said keyed cryptographic function on said first message and a message count value using said session key.
47. The method of claim 43, further comprising:
e) generating a fourth code if said second party is authenticated; and

f) sending said fourth code to said second party if said second party is authenticated.
48. The method of claim 47, wherein said step f) sends a
second message and said fourth code.
49. The method of claim 48, wherein said fourth code is
a result of performing said keyed cryptographic function
on said second message using said session key.
50. The method of claim 47, wherein said step f) sends a
second message, a message count value, and said fourth
code, and said fourth code is a result of performing
said keyed cryptographic function on said second message
and said message count value using said session key.
51. The method of claim 43, wherein said step a) sends a
global challenge as said first code.
A method for establishing a session key at a mobile, substantially as hereinabove described and illustrated with reference to the accompanying drawings.

Documents:

681-mas-1999-abstract.pdf

681-mas-1999-claims filed.pdf

681-mas-1999-claims granted.pdf

681-mas-1999-correspondnece-others.pdf

681-mas-1999-correspondnece-po.pdf

681-mas-1999-description(complete)filed.pdf

681-mas-1999-description(complete)granted.pdf

681-mas-1999-drawings.pdf

681-mas-1999-form 1.pdf

681-mas-1999-form 19.pdf

681-mas-1999-form 26.pdf

681-mas-1999-form 3.pdf

« Previous Patent

Next Patent »

Patent Number

210147

Indian Patent Application Number

681/MAS/1999

PG Journal Number

50/2007

Publication Date

14-Dec-2007

Grant Date

21-Sep-2007

Date of Filing

25-Jun-1999

Name of Patentee

LUCENT TECHNOLOGIES INC

Applicant Address

600 mountain avenue, murray hill, new jersey 07974 - 0636.

Inventors:

#	Inventor's Name	Inventor's Address
1	SARVAR PATEL	600mountain hill,new jersey 07974 0636.

PCT International Classification Number

H 04 L 9/32

PCT International Application Number

N/A

PCT International Filing date

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1			NA