Terminal device, communication method, and program
By encrypting and verifying identification information using random numbers, the method prevents attacks on SUCI, ensuring secure wireless communication between terminal devices and networks.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- KDDI CORP
- Filing Date
- 2025-10-31
- Publication Date
- 2026-06-11
AI Technical Summary
Existing wireless communication technologies, particularly in the 5G era, are vulnerable to attacks where an attacker can intercept and exploit the encrypted Subscriber Concealed Identifier (SUCI) to disrupt or tamper with information communication between terminal devices and networks.
A terminal device performs mutual authentication by generating random numbers, encrypting identification information using these numbers to create encrypted identifiers (SUCI), and verifying these identifiers during the authentication process to prevent unauthorized access, regenerating random numbers for each new registration request, and sending error messages without revealing the nature of the mismatch.
This approach enhances security by preventing attacks that exploit SUCI vulnerabilities, ensuring secure information communication between terminal devices and networks.
Smart Images

Figure JP2025038285_11062026_PF_FP_ABST
Abstract
Description
Terminal device, communication method, and program
[0001] The present invention relates to a terminal device, a communication method, and a program. This application claims priority from Japanese Patent Application No. 2024-211159 filed in Japan on December 4, 2024, the content of which is incorporated herein by reference.
[0002] Conventionally, a wireless communication system including a terminal device and a network is known. Usually, when starting new information communication between such a terminal device and a network, mutual authentication is performed. For example, Non-Patent Document 1 defines the specific specifications of such wireless communication technology.
[0003] Currently, in commonly used wireless communication technologies, in order to identify a terminal device, an identifier unique to the SIM is issued. Such an identifier is, for example, called an IMSI (International Mobile Subscriber Identity). In wireless communication technologies prior to 5G, the IMSI was not encrypted. Therefore, there was a problem that a malicious person (attacker) could obtain location information, shared information, and the data itself by intercepting the information containing the IMSI. To solve such a problem, in wireless communication technologies after 5G, a unique identifier, the SUPI (Subscriber Permanent Identifier), is encrypted and transmitted as the SUCI (Subscriber Concealed Identifier).
[0004] Here, Non-Patent Document 2 has been reported as a document pointing out the vulnerability of information communication using the SUCI, which is a wireless communication technology in the 5G era.
[0005] 3GPP, "TS 33.501", v18.5.0 Merlin Chlosta, David Rupprecht, Christina Popper, and Thorsten Holz. 2021. 5G SUCI-catchers: still catching them all? In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '21).
[0006] According to Non-Patent Document 2, there was a problem in that an attacker could, by intercepting information containing SUCI, illegally interrupt communication between terminal devices and networks, and intercept or tamper with information communications.
[0007] This invention has been made in consideration of these circumstances, and its purpose is to provide a terminal device, a communication method, and a program that enable secure information communication between terminal devices and networks.
[0008] (1) One aspect of the present invention is a terminal device that performs mutual authentication with a network, and the terminal device performs the following steps: a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing information that includes at least the random numbers contained in the information obtained from the network in the authentication request step and the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if it is determined in the matching step that there is a difference. (2) In another aspect of the present invention, in the terminal device described in (1) above, the identification information that uniquely identifies the terminal device is a Subscription Permanent Identifier (SUPI). (3) In another aspect of the present invention, in the terminal device described in (1) or (2) above, the encrypted identification information is a Subscription Concealed Identifier (SUCI). (4) In another aspect of the present invention, in any of the terminal devices described in (1) to (3) above, when the terminal device makes a new registration request, it regenerates random numbers by performing the encryption process again. (5) In another aspect of the present invention, in any of the terminal devices described in (1) to (4) above, the information transmitted from the network to the terminal device in the authentication request step includes a random number generated by the terminal device and a random number generated by the network. (6) In another aspect of the present invention, in any of the terminal devices described in (1) to (5) above, the error message transmitted in the authentication response step when a difference is determined to exist in the matching step does not include any information that would allow the system to identify that an error occurred due to a matching failure.(7) In another aspect of the present invention, in any of the terminal devices described in (1) to (6) above, the information obtained from the network in the authentication request step includes information obtained by combining the random challenge RAND with the random number generated in the random number generation step. (8) In another aspect of the present invention, in any of the terminal devices described in (1) to (6) above, the information obtained from the network in the authentication request step includes information obtained by performing an exclusive OR operation on the random challenge RAND and the random number generated in the random number generation step. (9) Another aspect of the present invention is a communication method for mutual authentication between a terminal device and a network, comprising: an encryption step of encrypting identification information that uniquely identifies the terminal device using random numbers generated by the terminal device to generate encrypted identification information; a registration request step of transmitting the encrypted identification information from the terminal device to the network; an authentication request step of the network to the terminal device using the encrypted identification information transmitted from the terminal device to the network; a matching step of comparing information that includes at least the random numbers contained in the information transmitted from the network to the terminal device in the authentication request step and the random numbers used in the encryption step; and an authentication response step of transmitting an error message from the terminal device to the network if a difference is determined in the matching step.(10) Another aspect of the present invention is a program executed by a terminal device that performs mutual authentication with a network, which includes: a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing the random numbers contained in the information obtained from the network in the authentication request step with the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if it is determined in the matching step that there is a difference.
[0009] According to the present invention, it is possible to provide a terminal device, a wireless communication method, and a program that enable secure information communication between a terminal device and a network.
[0010] This figure shows a schematic network architecture of a wireless communication system according to one embodiment. This flowchart shows the mutual authentication flow of the wireless communication system according to this embodiment. This block diagram shows an example of the internal configuration of the computing device according to this embodiment. This figure illustrates an attack that exploits a vulnerability in SUCI.
[0011] [Attacks Exploiting SUCI Vulnerabilities] Figure 4 is a diagram illustrating attacks that exploit vulnerabilities in SUCI. First, the problems that the wireless communication system according to this embodiment aims to solve will be explained with reference to this figure. The figure shows the exchange of information between the UE (User Equipment), the AMF (Access and Mobility Management Function), and the network. The attack method described with reference to this figure is reported in Non-Patent Document 2 mentioned above.
[0012] As a premise, we assume that the attacker has already intercepted information communication between the UE and the network and obtained a specific SUCI (indicated as "searched-for SUCI" in the diagram). In this state, each time a new UE (UEunknown) connects to a fake cell, the attacker attempts to determine whether that UE is the same as the UE identified from the already obtained SUCI. As shown in the diagram, this attack consists of two parts: the Reset & Sync part and the SUCI-Probe part. According to the attack reported in Non-Patent Literature 2, the attacker repeatedly performs these two parts.
[0013] First, let's explain the SUCI-Probe part. The SUCI-Probe part is similar to AKA-Linkability. The SUCI-Probe part consists of the following two components:
[0014] The first component is the Requesting Authentication Vectors. Since the registration request itself is not authenticated, an attacker can insert a fraudulently obtained SUCI (searched-for-SUCI) into the identity field. The network searches for that ID and responds to the authentication request. At this point, only users associated with the fraudulently obtained SUCI (searched-for-SUCI) can respond to the authentication request.
[0015] As the second component, the UE verifies its ID. When the UE accepts an authentication request, one of two cases occurs. Case 1 is assumed to be the attacker's UE, which is the unknown UE that accepted the authentication request. In this case, the UE successfully authenticates the network and sends an authentication response. Alternatively, the UE returns an authentication failure with a cause of synchronization failure (used for synchronizing the sequence number SQN). Case 2 is assumed to be the attacker's UE, which is the unknown UE that accepted the authentication request. In this case, the UE sends an authentication failure to the attacker (SUCI-Catcher).
[0016] However, simply executing the SUCI-Probe part described above has a significant limitation: if authentication fails twice in a row, the UE will abandon the registration attempt. This limitation allows the attacker to search for up to two targets. Therefore, the attacker performs the Reset & Sync part described below.
[0017] The Reset&Sync part takes place between the UE and the network before the SUCI-Probe part is actually performed. In the Reset&Sync part, synchronization failure processing is performed to resynchronize the sequence number on the network to avoid consecutive failures between two consecutive SUCI-Probe parts. As a result, the attacker can repeat the SUCI-Probe step and search for multiple individuals.
[0018] [Embodiments] Below, in order to prevent the attacks described above, a wireless communication method, terminal device, and program according to an embodiment of the present invention will be described. In the following embodiments, preferred embodiments will be listed and described in detail with reference to the attached drawings. Note that the embodiments of the present invention are not limited to these embodiments and include various modifications or improvements. In other words, the components described below include those that can be easily imagined by a person skilled in the art, and those that are substantially the same, and the components described below can be combined as appropriate. Furthermore, various omissions, substitutions, or changes to the components can be made without departing from the gist of the present invention. Also, in the following drawings, in order to make each component easier to understand, the scale and number of each structure may differ from the scale and number of the actual structure.
[0019] In the following description, for the sake of clarity, terms and names defined in the IETF (Internet Engineering Task Force), 3GPP (registered trademark), and LTE (3rd Generation Partnership Project Long Term Evolution) standards may be used. However, this embodiment is not limited by such terms and names and is applicable to systems based on other standards.
[0020] [Wireless Communication System] Figure 1 is a diagram showing a schematic network architecture of a wireless communication system according to one embodiment. First, with reference to the figure, the schematic of a wireless communication system to which the calculation method and calculation device according to this embodiment are applied will be described. As an example, the figure shows a 5G network architecture. In the example described below, a wireless communication system will be described, but the communication system according to this embodiment is also applicable to wired communication systems.
[0021] The network elements of a 5G network architecture include User Equipment (UE). In the following description, UE may be referred to as user equipment, user terminal, user device, terminal device, or simply terminal, etc. UE may also include smartphones, tablet devices, wearable devices, etc.
[0022] The network architecture shown in the figure further includes a Radio Access Network (RAN), Access and Mobility Function (AMF), Unified Data Management (UDM), Authentication Server Function (AUSF), Security Anchor Function (SEAF), and the like.
[0023] The primary function of a RAN (Local Area Network) is to control users for wireless access to a mobile communication network. Conceptually, a RAN is contained between devices (e.g., smartphones, computers, or any remote controllers) and provides connectivity between these devices to the core network.
[0024] AMF network elements are responsible for terminal access management and mobility management, such as registration management, connection management, mobility management, and reachability management. In practical applications, AMF network elements include mobility management functions within the LTE network framework of a Mobility Management Entity (MME), and further include access management functions.
[0025] The SEAF network element is configured to complete authentication to the UE. In 5G, the SEAF functionality may be combined with the AMF, as shown in the diagram.
[0026] The AUSF network element has authentication server functionality and is configured to respond to authentication requests made by the SEAF network element. During the authentication process, the AUSF network element receives the authentication vector sent from the UDM, processes the authentication vector, and sends the processed authentication vector to SEAF.
[0027] The UDM network element may store the user's subscription information and may generate authentication parameters, etc.
[0028] An ARPF network element has an authentication information repository and processing functions, and is configured to store the user's long-term authentication information, such as key K. In 5G, the functions of the ARPF network element may be combined with a UDM network element.
[0029] [Mutual Authentication Procedure] Figure 2 is a flowchart illustrating the mutual authentication flow of the wireless communication system according to this embodiment. The figure shows the authentication key sharing protocol in 3GPP (registered trademark). The figure shows the exchange of information between the Mobile Station (MS), Visitor Location Register (VLR) / Serving Network (SN), and Home Environment (HE) / Home Location Register (HLR). In the following description, MS may also be referred to as the terminal device, SN / VLR and HE / HLR as the network, and HE / HLR as the authentication center.
[0030] (Step S101) First, the MS generates a random number R. This process can also be called the random number generation process or random number generation step.
[0031] (Step S102) Next, the MS encrypts the identification information by combining the generated random number R with the identification information that uniquely identifies the MS. The identification information that uniquely identifies the MS may be an ID called IMSI (International Mobile Subscriber Identity) or Subscription Permanent Identifier (SUPI). In other words, the MS can be said to encrypt the identification information that uniquely identifies the MS using a random number generated by the MS. The encrypted information is, in other words, the Subscription Concealed Identifier (SUCI). Steps S101 and S102 can also be called the encryption process or encryption steps.
[0032] (Step S103) Next, the MS transmits the encrypted identification information generated in the encryption process to the SN / VLR. This process can also be called the registration request process or registration request step. When the MS makes a new registration request, it regenerates the random numbers by performing the encryption process again in steps S101 and S102.
[0033] (Step S111) First, the SN / VLR requests authentication data from the HE / HLR.
[0034] (Step S112) When HE / HLR receives an authentication data request from SN / VLR, it generates one or more (for example, N, where N is an integer greater than or equal to 1) authentication vectors AV(1...N).
[0035] (Step S113) The HE / HLR responds to the SN / VLR with one or more generated authentication vectors AV(1...N) (Authentication Data Response).
[0036] (Step S114) The SN / VLR stores one or more authentication vectors obtained from the HE / HLR upon request.
[0037] Furthermore, the process from step S111 to step S114 can also be described as the process of distributing the authentication vector from HE to SN.
[0038] (Step S115) The SN / VLR selects an authentication vector AV(i) from among the stored authentication vectors AV(1...N).
[0039] (Step S116) The SN / VLR requests user authentication from the MS. Here, the calculation of AUTN(i) conventionally used the random challenge RAND(i), but in this embodiment, this is changed to use RAND + the random number R sent from UE. Specifically, the random number R may simply be concatenated after RAND. Alternatively, if the overall length of the random number is not to be changed, the exclusive OR (XOR) of RAND and the random number R may be performed. In the user authentication request, the SN / VLR sends the random challenge RAND(i), the random number R generated by the MS, and the authentication token AUTN(i) to the MS (User Authentication Request). In other words, the user authentication request can be said to be performed from the SN / VLR to the MS using the encrypted identification information sent from the MS to the SN / VLR. Furthermore, the information transmitted from the SN / VLR to the MS can also include a random number R generated by the MS and a random challenge RAND(i) which is a random number generated by the SN / VLR. This process can also be called the authentication request process or authentication request step.
[0040] (Step S117) The MS verifies whether it can accept the authentication token AUTN(i). In this embodiment, it further compares the random number R included in the information obtained in step S116 with the random number R generated in step S101. This step can also be called the comparison step or comparison step. If the MS can accept the authentication token AUTN(i), it calculates the response RES(i).
[0041] (Step S118) The response RES(i) calculated by the MS is returned to the SN / VLR as a user authentication response (User Authentication Response). Here, in step S117, if it is determined that there is a difference (the generated random number R does not match the received random number R), the MS transmits an error message to the SN / VLR. This process can also be referred to as an authentication response process or an authentication response step. It is preferable that the error message transmitted when it is determined that there is a difference does not include information that can identify that an error has occurred due to the failure of the collation.
[0042] (Step S119) The MS further computes (Compute) a cipher key CK(i) for encryption and an integrity key IK(i) for authentication of integrity.
[0043] (Step S120) The SN / VLR compares the received response RES(i) with XRES.
[0044] (Step S121) If RES(i) matches the expected response (Expected Response) XRES, the SN / VLR determines that the authentication and key agreement exchange are completed, and selects a cipher key CK(i) for encryption and an integrity key IK(i) for authentication of integrity.
[0045] Note that the processes from step S115 to step S121 can also be referred to as an authentication and key establishment process.
[0046] [Internal Configuration] Figure 3 is a block diagram showing an example of the internal configuration of the arithmetic unit according to this embodiment. The arithmetic unit shown in the figure is provided in at least one of the UE or the network. At least some of the functions of the arithmetic unit can be realized using a computer as shown in the figure. The computer consists of a central processing unit (processor) 901, RAM 902, input / output ports 903, input / output devices 904 and 905, etc., and a bus 906. The computer itself can be realized using existing technology. The central processing unit 901 executes instructions contained in programs read from the RAM 902, etc. The central processing unit 901 writes data to the RAM 902, reads data from the RAM 902, and performs arithmetic and logical operations according to each instruction. The RAM 902 stores data and programs. Each element contained in the RAM 902 has an address and can be accessed using that address. RAM is an abbreviation for "Random Access Memory". The input / output ports 903 are ports for the central processing unit 901 to exchange data with external input / output devices, etc. Input / output devices 904 and 905 are input / output devices. Input / output devices 904 and 905 exchange data with the central processing unit 901 via the input / output port 903. Bus 906 is a common communication channel used inside the computer. For example, the central processing unit 901 reads and writes data to RAM 902 via bus 906. Also, for example, the central processing unit 901 accesses input / output ports via bus 906. Furthermore, all or part of each functional unit of the network 30 or terminal device 50 may be implemented using hardware such as ASIC, PLD, or FPGA. Furthermore, all or part of each functional unit may be implemented by a combination of software and hardware.
[0047] [Summary of Embodiment] According to the embodiment described above, the wireless communication method according to this embodiment is a method for mutual authentication between a terminal device and a network, and includes an encryption step, a registration request step, an authentication request step, a verification step, and an authentication response step. The encryption step encrypts identification information (specifically, IMSI or SUPI) that uniquely identifies the terminal device using a random number generated by the terminal device to generate encrypted identification information (specifically, SUCIs). The registration request step transmits the generated encrypted identification information from the terminal device to the network. The authentication request step uses the encrypted identification information transmitted from the terminal device to the network to transmit information from the network to the terminal device. The verification step verifies the random number included in the information transmitted from the network to the terminal device in the authentication request step and the random number used in the encryption step. The authentication response step transmits an error message from the terminal device to the network when it is determined that there is a difference in the verification step. By adopting such a configuration, according to this embodiment, attacks such as those listed in Non-Patent Document 2 can be suppressed. That is, according to this embodiment, it becomes possible to safely perform wireless information communication between the terminal device and the network.
[0048] In addition, according to the above-described embodiment, for example, "it is possible to safely perform wireless information communication between the terminal device and the network", so it is possible to contribute to Goal 9 of the Sustainable Development Goals (SDGs) led by the United Nations, "Build resilient infrastructure, promote sustainable industrialization, and foster innovation".
[0049] As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and design changes and the like within the scope not departing from the gist of the present invention are also included.
[0050] Alternatively, computer programs for realizing the functions of each of the above-mentioned devices may be recorded on a computer-readable recording medium, and the programs recorded on this recording medium may be loaded into a computer system and executed. The term "computer system" here may include hardware such as an operating system and peripheral devices. Furthermore, "computer-readable recording medium" refers to writable non-volatile memory such as flexible disks, magneto-optical disks, ROMs, and flash memory, portable media such as DVDs (Digital Versatile Discs), and storage devices such as hard disks built into a computer system.
[0051] Furthermore, "computer-readable recording media" includes volatile memory (e.g., DRAM (Dynamic Random Access Memory)) within a computer system that acts as a server or client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line, which retains the program for a certain period of time. In addition, the above program may be transmitted from the computer system that stores the program in a storage device, etc., to another computer system via a transmission medium or by transmission waves within the transmission medium. Here, the "transmission medium" for transmitting the program refers to a medium that has the function of transmitting information, such as a network such as the Internet or a communication line such as a telephone line. Furthermore, the above program may be for the purpose of realizing a part of the above-mentioned functions. Moreover, it may be a so-called differential file (differential program) that can realize the above-mentioned functions in combination with a program already recorded in the computer system.
[0052] According to the present invention, secure information communication can be performed between terminal devices and networks.
[0053] MS…Mobile Station、SN…Serving Network、VLR…Visitor Location Register、HE…Home Environment、HLR…Home Location Register
Claims
1. A terminal device that performs mutual authentication with a network, comprising: a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing information that includes at least the random numbers contained in the information obtained from the network in the authentication request step and the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if it is determined in the matching step that there is a difference.
2. The terminal device according to claim 1, wherein the identification information that uniquely identifies the terminal device is a Subscription Permanent Identifier (SUPI).
3. The terminal device according to claim 1, wherein the encrypted identification information is a Subscription Concealed Identifier (SUCI).
4. When a new registration request is made, the random number is regenerated by performing the encryption process again, according to any one of claims 1 to 3.
5. The terminal device according to any one of claims 1 to 3, wherein in the authentication request step, the information transmitted from the network to the terminal device includes a random number generated by the terminal device and a random number generated by the network.
6. The terminal device according to any one of claims 1 to 3, wherein the error message transmitted in the authentication response step when it is determined that there is a difference in the matching step does not contain any information that can identify that an error occurred due to a matching failure.
7. The terminal device according to any one of claims 1 to 3, wherein the information obtained from the network in the authentication request step includes information in which a random number generated by the random number generation step is combined with a random challenge RAND.
8. The terminal device according to any one of claims 1 to 3, wherein the information obtained from the network in the authentication request step includes information obtained by the exclusive OR of the random challenge RAND and the random number generated in the random number generation step.
9. A communication method for mutual authentication between a terminal device and a network, comprising: an encryption step of encrypting identification information that uniquely identifies the terminal device using a random number generated by the terminal device to generate encrypted identification information; a registration request step of transmitting the encrypted identification information from the terminal device to the network; an authentication request step of the network to the terminal device using the encrypted identification information transmitted from the terminal device to the network; a matching step of comparing information that includes at least a random number contained in the information transmitted from the network to the terminal device in the authentication request step and a random number used in the encryption step; and an authentication response step of transmitting an error message from the terminal device to the network if a difference is determined in the matching step.
10. A program executed by a terminal device that performs mutual authentication with a network, comprising: a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing the random numbers contained in the information obtained from the network in the authentication request step with the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if a difference is determined in the matching step.