CAVE-based Authentication
Encyclopedia
CAVE-based Authentication (a.k.a. HLR
HLR
HLR may refer to:* Hoffmann-La Roche, a Swiss global health-care company* Home Location Register, a central database that contains details of each mobile phone subscriber that is authorized to use the GSM and or WCDMA core network of this PLMN....

 Authentication, 2G
2G
2G is short for second-generation wireless telephone technology. Second generation 2G cellular telecom networks were commercially launched on the GSM standard in Finland by Radiolinja in 1991...

 Authentication, Access Authentication) is an access authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

 used in CDMA
CDMA2000
CDMA2000 is a family of 3G mobile technology standards, which use CDMA channel access, to send voice, data, and signaling data between mobile phones and cell sites. The set of standards includes: CDMA2000 1X, CDMA2000 EV-DO Rev. 0, CDMA2000 EV-DO Rev. A, and CDMA2000 EV-DO Rev. B...

/1xRTT
RTT
RTT may be:Computing* Real-time text, streaming conversational text that is sent as it is typed/produced.* Real-time Timer, Timer in computer hardware used by the operation system...

 network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....

 systems.

CAVE (Cellular Authentication and Voice Encryption)

gtv

There are two network entities involved in CAVE-based authentication when roaming:
  • Authentication Center (AC) a.k.a. HLR/AC, AuC – Located in a roamer’s home network, the AC controls the authentication process and either authenticates the Mobile Station
    Mobile Station
    The mobile station comprises all user equipment and software needed for communication with a mobile network.The mobile station refers to global system connected to the mobile network, i.e. mobile phone or mobile computer connected using a mobile broadband adapter. This is the terminology of 2G...

     (Mobile Phone
    Mobile phone
    A mobile phone is a device which can make and receive telephone calls over a radio link whilst moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile network operator...

    , MS) or shares SSD with the serving VLR to allow this authentication to occur locally. The AC must be provisioned with an A-key value for each MS. Authentication is predicated on the assumption that A-key value provisioned in an MS is the same as the A-key value provisioned in the AC. The AC is often co-located with the HLR and referred to as the HLR/AC. However, the AC could be a standalone network entity that serves one or more HLRs. Though the CDMA abbreviation is AC, the GSM abbreviation of AuC is sometimes used (albeit incorrectly in CDMA networks).
  • Visitor Location Register (VLR) – If SSD is shared with the visited network, the VLR locally authenticates the roamer. Otherwise, the VLR proxies authentication responses from roamers to their home HLR/AC for authentication.


The authentication controller is the entity that determines whether the response from the MS is correct. Depending upon whether SSD is shared, the authentication controller may be either the AC or VLR. In either case, CAVE-based authentication is based on the CAVE algorithm
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...

 and the following two shared keys:
  • Authentication key (A-key) – A 64-bit primary secret key known only to the MS and AC. In the case of RUIM equipped mobiles, the A-key is stored on the RUIM; otherwise, it is stored in semi-permanent memory on the MS. The A-key is never shared with roaming partners. However, it is used to generate a secondary key known as SSD that may be shared with a roaming partner to enable local authentication in the visited network.
  • Shared Secret Data (SSD) – A 128-bit secondary secret key that is calculated using the CAVE algorithm during an SSD Update procedure. During this procedure both MS and the AC in the user’s home network separately calculate SSD. It is this SSD, not the A-key that is used during authentication. SSD may or may not be shared between home and roaming partner networks to enable local authentication. SSD consists of two 64-bit keys: SSD_A, which is used during authentication to calculate authentication signatures, and SSD_B, which is used in the generation of session keys for encryption and voice privacy.


CAVE-based authentication provides two types of challenges
  • Global challenge – Procedure that requires any MS attempting to access the serving network to respond to a common challenge value being broadcast in the overhead message train. The MS must generate an authentication signature response (AUTHR) using CAVE with inputs of the global challenge value, ESN, either the last six dialed digits (for an origination attempt) or IMSI_S1 (for any other system access attempt), and SSD_A.

  • Unique challenge – Procedure that allows a visited network (if SSD is shared) and/or home network to uniquely challenge a particular MS for any reason. The MS must generate an authentication signature response (AUTHU) using CAVE with inputs of the unique challenge value, ESN, IMSI_S1, and SSD_A.


CAVE-based authentication is a one-way authentication mechanism that always involves the network authenticating the MS (with the exception of the base station challenge procedure that occurs only during an SSD update).

CAVE based authentication procedures are specified in TIA-41 (3GPP2 X.S0004).
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK