Terminal device, communication method, and program

By encrypting identification information with random numbers and sending error messages upon mismatches, the method enhances security in wireless communication systems, preventing attacks on SUCI vulnerabilities and ensuring secure information exchange.

JP2026097147APending Publication Date: 2026-06-16KDDI CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
KDDI CORP
Filing Date
2024-12-04
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

In wireless communication technologies, particularly after 5G, attackers can intercept and exploit the encrypted SUCI to illegally interrupt or tamper with information communications between terminal devices and networks.

Method used

A terminal device performs mutual authentication by generating random numbers, encrypting identification information using these numbers, and transmitting encrypted identifiers (SUCI) to the network, with error messages sent upon detection of mismatches, thereby enhancing security.

Benefits of technology

This method deters attacks on SUCI vulnerabilities, ensuring secure information communication between terminal devices and networks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026097147000001_ABST
    Figure 2026097147000001_ABST
Patent Text Reader

Abstract

Secure information communication is performed between terminal devices and the network. [Solution] The terminal device performs a random number generation step of mutual authentication with the network and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the generated random numbers and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing information that includes at least the random numbers contained in the information obtained from the network with the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message if it is determined that there is a difference.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to a terminal device, a communication method, and a program.

Background Art

[0002] Conventionally, a wireless communication system including a terminal device and a network is known. Usually, when starting new information communication between such a terminal device and a network, mutual authentication is performed. For example, Non-Patent Document 1 defines specific specifications of technologies related to such wireless communication.

[0003] Currently, in generally used wireless communication technologies, in order to identify a terminal device, an identifier unique to the SIM is issued. Such an identifier is called, for example, IMSI (International Mobile Subscriber Identity). In wireless communication technologies before 5G, the IMSI was not encrypted. Therefore, there was a problem that a malicious person (attacker) could obtain location information, shared information, and the data itself by intercepting information containing the IMSI. To solve such a problem, in wireless communication technologies after 5G, a unique identifier, SUPI (Subscriber Permanent Identifier), is encrypted and transmitted as SUCI (Subscriber Concealed Identifier).

[0004] Here, Non-Patent Document 2 has been reported as a document pointing out the vulnerability of information communication using SUCI, which is a wireless communication technology in the 5G era.

Prior Art Documents

Non-Patent Documents

[0005]

Non-Patent Document 1

Non-Patent Document 2

[0006] According to Non-Patent Document 2, there was a problem in that an attacker could, by intercepting information containing SUCI, illegally interrupt communication between terminal devices and networks, and intercept or tamper with information communications.

[0007] This invention has been made in consideration of these circumstances, and its purpose is to provide a terminal device, a communication method, and a program that enable secure information communication between terminal devices and networks. [Means for solving the problem]

[0008] (1) One aspect of the present invention is a terminal device that performs mutual authentication with a network, and the terminal device performs a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing information that includes at least the random numbers contained in the information obtained from the network in the authentication request step and the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if it is determined in the matching step that there is a difference. (2) In another aspect of the present invention, in the terminal device described in (1) above, the identification information that uniquely identifies the terminal device is a Subscription Permanent Identifier (SUPI). (3) In addition, in one aspect of the present invention, in the terminal device described in (1) or (2) above, the encrypted identification information is a Subscription Concealed Identifier (SUCI). (4) In addition, in one aspect of the present invention, in any of the terminal devices described in (1) to (3) above, when the terminal device makes a new registration request, it performs the encryption process again to regenerate random numbers. (5) In another aspect of the present invention, in any of the terminal devices described in (1) to (4) above, the information transmitted from the network to the terminal device in the authentication request step includes a random number generated by the terminal device and a random number generated by the network. (6) In addition, in one aspect of the present invention, any of the terminal devices described in (1) to (5) above, in the authentication response step, the error message transmitted when it is determined that there is a difference in the matching step does not contain any information that can identify that an error occurred due to a matching failure. (7) In another aspect of the present invention, any of the terminal devices described in (1) to (6) above, in the authentication request step, includes information obtained from the network in which a random number generated by the random number generation step is combined with the random challenge RAND. (8) In another aspect of the present invention, any of the terminal devices described in (1) to (6) above, in the authentication request step, includes information obtained by the exclusive OR of the random challenge RAND and the random number generated by the random number generation step, with respect to the information obtained from the network. (9) Another aspect of the present invention is a communication method for mutual authentication between a terminal device and a network, comprising: an encryption step of encrypting identification information that uniquely identifies the terminal device using random numbers generated by the terminal device to generate encrypted identification information; a registration request step of transmitting the encrypted identification information from the terminal device to the network; an authentication request step of the network to the terminal device using the encrypted identification information transmitted from the terminal device to the network; a matching step of comparing information that includes at least random numbers contained in the information transmitted from the network to the terminal device in the authentication request step and random numbers used in the encryption step; and an authentication response step of transmitting an error message from the terminal device to the network if a difference is determined in the matching step. (10) Another aspect of the present invention is a program executed by a terminal device that performs mutual authentication with a network, which includes: a random number generation step of generating random numbers and storing the generated random numbers; an encryption step of encrypting identification information that uniquely identifies the terminal device using the random numbers generated in the random number generation step and generating encrypted identification information; a registration request step of transmitting the encrypted identification information to the network; an authentication request step of obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step; a matching step of comparing the random numbers contained in the information obtained from the network in the authentication request step with the random numbers generated and stored in the random number generation step; and an authentication response step of sending an error message to the network if it is determined in the matching step that there is a difference. [Effects of the Invention]

[0009] According to the present invention, it is possible to provide a terminal device, a wireless communication method, and a program that enable secure information communication between a terminal device and a network. [Brief explanation of the drawing]

[0010] [Figure 1] This figure shows a schematic network architecture of a wireless communication system according to one embodiment. [Figure 2] This flowchart shows the mutual authentication process for the wireless communication system according to this embodiment. [Figure 3] This is a block diagram showing an example of the internal configuration of the arithmetic unit according to this embodiment. [Figure 4] This diagram illustrates an attack that exploits a vulnerability in SUCI. [Modes for carrying out the invention]

[0011] [Attacks exploiting SUCI vulnerabilities] Figure 4 is a diagram illustrating an attack that exploits a vulnerability in SUCI. First, the problem that the wireless communication system according to this embodiment aims to solve will be explained with reference to this figure. The figure shows the exchange of information between the UE (User Equipment), the AMF (Access and Mobility Management Function), and the network. The attack method described with reference to this figure is reported in Non-Patent Document 2 mentioned above.

[0012] As a prerequisite, we assume that the attacker has already intercepted information communication between the UE and the network and obtained a specific SUCI (indicated as "searched-for SUCI" in the diagram). In this state, each time a new UE (UEunknown) connects to a fake cell, the attacker attempts to determine if that UE is the same as the UE identified from the already obtained SUCI. As illustrated, this attack consists of two parts: the Reset&Sync part and the SUCI-Probe part. According to the attack reported in Non-Patent Literature 2, the attacker repeatedly performs these two parts.

[0013] First, let's explain the SUCI-Probe part. The SUCI-Probe part is similar to AKA-Linkability. The SUCI-Probe part consists of the following two components:

[0014] The first component is the Requesting Authentication Vectors. Since the registration request itself is not authenticated, an attacker can insert a fraudulently obtained SUCI (searched-for SUCI) into the identity field. The network searches for that ID and responds to the authentication request. At this point, only users associated with the fraudulently obtained SUCI can respond to the authentication request.

[0015] As a second component, the UE verifies its ID. When the UE receives an authentication request, one of the following two cases occurs. Case 1 assumes that the unknown UE that received the authentication request is actually an attacker's UE (UEsearched - for). In this case, the UE successfully authenticates with the network and sends an authentication response. Or, the UE returns an authentication failure accompanied by a cause of synchronization failure (used for synchronizing the sequence number SQN). Case 2 assumes that the unknown UE that received the authentication request is not actually an attacker's UE. In this case, the UE sends an Authentication Failure to the attacker (SUCI - Catcher).

[0016] Here, simply executing the above - mentioned SUCI - Probe part has the following significant limitation. That is, if authentication fails twice consecutively, the UE aborts the registration attempt. Due to this limitation, the attacker is allowed to search for a maximum of two targets. Therefore, the attacker performs the Reset&Sync part described below.

[0017] The Reset&Sync part is performed between the UE and the network before the SUCI - Probe part is actually carried out. In the Reset&Sync part, in order to avoid consecutive failures during two consecutive executions of the SUCI - Probe part, the network performs a synchronization failure process to resynchronize the sequence number. As a result, the attacker can repeat the steps of SUCI - Probe and search for multiple individuals.

[0018] [Embodiment] Hereinafter, in order to prevent the attacks as described above, a wireless communication method, a terminal device, and a program according to an aspect of the present invention will be described. In the following embodiments, preferred embodiments will be presented and described in detail while referring to the accompanying drawings. Note that the aspects of the present invention are not limited to these embodiments, and also include those with various modifications or improvements. That is, the components described below include those that can be easily assumed by those skilled in the art and substantially the same ones, and the components described below can be combined as appropriate. Also, various omissions, substitutions, or changes of the components can be made without departing from the gist of the present invention. Also, in the following drawings, in order to make each configuration easy to understand, the scale and number, etc. of each structure may be different from those of the actual structure.

[0019] In the following description, for the sake of convenience of explanation, terms and names defined in the IETF (Internet Engineering Task Force), 3GPP (registered trademark) LTE (3rd Generation Partnership Project Long Term Evolution) standard may be used. However, this embodiment is not limited by such terms and names and is also applicable to systems according to other standards.

[0020] [Wireless Communication System] FIG. 1 is a diagram showing a schematic network architecture of a wireless communication system according to an embodiment. First, while referring to the figure, an overview of the wireless communication system to which the arithmetic method and arithmetic device according to this embodiment are applied will be described. In the figure, as an example, a 5G network architecture is shown. Note that in the example described below, a wireless communication system will be described, but the communication system according to this embodiment is also applicable to a wired communication system.

[0021] The network elements of a 5G network architecture include User Equipment (UE). In the following description, UE may be referred to as user equipment, user terminal, user device, terminal device, or simply terminal, etc. UE may also refer to smartphones, tablet devices, wearable devices, etc.

[0022] The network architecture shown in the figure further includes a Radio Access Network (RAN), Access and Mobility Function (AMF), Unified Data Management (UDM), Authentication Server Function (AUSF), Security Anchor Function (SEAF), and the like.

[0023] The primary function of a RAN (Range of Networks) is to control users for wireless access to a mobile communication network. Conceptually, a RAN is contained between devices (e.g., smartphones, computers, or any remote controllers) and provides connectivity between these devices to the core network.

[0024] AMF network elements are responsible for terminal access management and mobility management, such as registration management, connection management, mobility management, and reachability management. In practical applications, AMF network elements include mobility management functions of Mobility Management Entity (MME) within the LTE network framework, as well as access management functions.

[0025] The SEAF network element is configured to complete authentication to the UE. In 5G, the functionality of SEAF may be combined with AMF, as shown in the diagram.

[0026] The AUSF network element has authentication server functionality and is configured to respond to authentication requests made by the SEAF network element. During the authentication process, the AUSF network element receives the authentication vector sent from the UDM, processes the authentication vector, and sends the processed authentication vector to SEAF.

[0027] The UDM network element may store the user's subscription information and may generate authentication parameters, etc.

[0028] An ARPF network element has an authentication information repository and processing functions, and is configured to store the user's long-term authentication information, such as key K. In 5G, the functions of the ARPF network element may be combined with a UDM network element.

[0029] [Mutual Authentication Procedure] Figure 2 is a flowchart illustrating the mutual authentication flow of the wireless communication system according to this embodiment. The figure shows the authentication key sharing protocol in 3GPP®. The figure shows the exchange of information between the Mobile Station (MS), Visitor Location Register (VLR) / Serving Network (SN), and Home Environment (HE) / Home Location Register (HLR). In the following description, MS may also be referred to as the terminal device, SN / VLR and HE / HLR as the network, and HE / HLR as the authentication center.

[0030] (Step S101) First, the MS generates a random number R. This process can also be called the random number generation process or random number generation step.

[0031] (Step S102) Next, the MS encrypts the identification information by combining the generated random number R with the identification information that uniquely identifies the MS. The identification information that uniquely identifies the MS may be an ID called IMSI (International Mobile Subscriber Identity) or Subscription Permanent Identifier (SUPI). In other words, the MS can be said to encrypt the identification information that uniquely identifies the MS using a random number generated by the MS. The encrypted information is, in other words, the Subscription Concealed Identifier (SUCI). Steps S101 and S102 can also be called the encryption process or encryption steps.

[0032] (Step S103) Next, the MS transmits the encrypted identification information generated in the encryption process to the SN / VLR. This process can also be called the registration request process or registration request step. When the MS makes a new registration request, it regenerates the random numbers by performing the encryption process again in steps S101 and S102.

[0033] (Step S111) First, the SN / VLR makes an Authentication Data Request to the HE / HLR.

[0034] (Step S112) When HE / HLR receives an authentication data request from SN / VLR, it generates one or more (e.g., N, where N is an integer greater than or equal to 1) authentication vectors AV(1··N).

[0035] (Step S113) HE / HLR responds to SN / VLR with one or more generated authentication vectors AV(1··N) (Authentication Data Response).

[0036] (Step S114) The SN / VLR stores one or more authentication vectors obtained from the HE / HLR upon request.

[0037] Furthermore, the process from step S111 to step S114 can also be described as the process of distributing the authentication vector from HE to SN.

[0038] (Step S115) SN / VLR selects authentication vector AV(i) from the stored one or more authentication vectors AV(1··N).

[0039] (Step S116) The SN / VLR makes a user authentication request to the MS. Here, the calculation of AUTN(i) conventionally used the random challenge RAND(i), but in this embodiment, this is changed to RAND + the random number R sent from the UE. Specifically, the random number R may simply be concatenated after RAND. Alternatively, if the overall length of the random number is not to be changed, the exclusive OR (XOR) of RAND and the random number R may be performed. In the user authentication request, the SN / VLR sends the random challenge RAND(i), the random number R generated by the MS, and the authentication token AUTN(i) to the MS (User Authentication Request). In other words, the user authentication request can be said to be performed from the SN / VLR to the MS using the encrypted identification information sent from the MS to the SN / VLR. It can also be said that the information sent from the SN / VLR to the MS includes the random number R generated by the MS and the random challenge RAND(i), which is a random number generated by the SN / VLR. This process can also be called the certification request process or certification request step.

[0040] (Step S117) The MS verifies whether it can accept the authentication token AUTN(i). In this embodiment, it further compares the random number R contained in the information obtained in step S116 with the random number R generated in step S101. This process can also be called the comparison process or comparison step. If the MS can accept the authentication token AUTN(i), it computes the response RES(i).

[0041] (Step S118) The response RES(i) calculated by the MS is sent back to the SN / VLR as a user authentication response (User Authentication Response). If, in step S117, it is determined that there is a difference (the generated random number R and the received random number R do not match), the MS sends an error message to the SN / VLR. This process can also be called the authentication response process or authentication response step. It is preferable that the error message sent when a difference is determined not to contain any information that would identify that an error occurred due to a matching failure.

[0042] (Step S119) The MS further computes a cipher key (CK(i)) and an integrity key (IK(i)).

[0043] (Step S120) SN / VLR compares the received response RES(i) with XRES.

[0044] (Step S121) If RES(i) and the Expected Response (XRES) match, the SN / VLR determines that authentication and key agreement exchange are complete and selects the Cipher Key (CK(i)) and the Integrity Key (IK(i)).

[0045] Furthermore, the process from step S115 to step S121 can also be described as the authentication and key establishment process.

[0046] [Internal structure] Figure 3 is a block diagram showing an example of the internal configuration of a computing device according to this embodiment. The computing device shown in the figure is provided in at least one of the UE or the network. At least some of the functions of the computing device can be realized using a computer as shown in the figure. The computer consists of a central processing unit (processor) 901, RAM 902, input / output ports 903, input / output devices 904 and 905, etc., and a bus 906. The computer itself can be realized using existing technology. The central processing unit 901 executes instructions contained in programs read from RAM 902, etc. The central processing unit 901 writes data to RAM 902, reads data from RAM 902, and performs arithmetic and logical operations according to each instruction. RAM 902 stores data and programs. Each element contained in RAM 902 has an address and can be accessed using that address. RAM stands for "Random Access Memory". Input / output ports 903 are ports for the central processing unit 901 to exchange data with external input / output devices, etc. Input / output devices 904 and 905 are input / output devices. Input / output devices 904 and 905 exchange data with the central processing unit 901 via input / output port 903. Bus 906 is a common communication channel used inside the computer. For example, the central processing unit 901 reads and writes data to RAM 902 via bus 906. Also, for example, the central processing unit 901 accesses input / output ports via bus 906. Furthermore, all or part of each functional unit of the network 30 or terminal device 50 may be implemented using hardware such as ASICs, PLDs, or FPGAs. Furthermore, all or part of each functional unit may be implemented by a combination of software and hardware.

[0047] [Summary of Embodiments] According to the embodiments described above, the wireless communication method according to this embodiment is a method for mutual authentication between a terminal device and a network, comprising an encryption step and a registration request step, The system comprises an authentication request step, a matching step, and an authentication response step. The encryption step encrypts identification information (specifically IMSI or SUPI) that uniquely identifies the terminal device using random numbers generated by the terminal device to generate encrypted identification information (specifically SUCI). The registration request step transmits the generated encrypted identification information from the terminal device to the network. The authentication request step transmits information from the network to the terminal device using the encrypted identification information transmitted from the terminal device to the network. The matching step compares the random numbers contained in the information transmitted from the network to the terminal device in the authentication request step with the random numbers used in the encryption step. The authentication response step transmits an error message from the terminal device to the network if a difference is determined in the matching step. By adopting such a configuration, this embodiment can deter attacks such as those described in Non-Patent Literature 2. In other words, this embodiment enables secure wireless information communication between the terminal device and the network.

[0048] Furthermore, the above-described embodiment makes it possible to securely communicate wireless information between terminal devices and networks, thereby contributing to Goal 9 of the United Nations-led Sustainable Development Goals (SDGs), "Build resilient infrastructure, promote sustainable industrialization and foster innovation."

[0049] Although embodiments of the present invention have been described in detail above with reference to the drawings, the specific configuration is not limited to these embodiments, and design modifications and the like are also included within the scope of the gist of the present invention.

[0050] Alternatively, computer programs for realizing the functions of each of the above-mentioned devices may be recorded on a computer-readable recording medium, and the programs recorded on this recording medium may be loaded into a computer system and executed. Note that the term "computer system" here may include hardware such as an operating system and peripheral devices. Furthermore, "computer-readable recording media" refers to writable non-volatile memory such as flexible disks, magneto-optical disks, ROMs, and flash memory, portable media such as DVDs (Digital Versatile Discs), and storage devices such as hard disks built into computer systems.

[0051] Furthermore, "computer-readable recording media" also includes volatile memory (e.g., DRAM (Dynamic Random Access Memory)) within a computer system that acts as a server or client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line, which retains the program for a certain period of time. In addition, the above program may be transmitted from the computer system that stores the program in a storage device, etc., to another computer system via a transmission medium or by transmission waves within the transmission medium. Here, the "transmission medium" for transmitting the program refers to a medium that has the function of transmitting information, such as a network such as the Internet or a communication line such as a telephone line. Furthermore, the above program may be for the purpose of realizing a part of the above-mentioned functions. Moreover, it may be a so-called differential file (differential program) that can realize the above-mentioned functions in combination with a program already recorded in the computer system. [Explanation of Symbols]

[0052] MS…Mobile Station、SN…Serving Network、VLR…Visitor Location Register、HE…Home Environment、HLR…Home Location Register

Claims

1. A terminal device that performs mutual authentication with a network, A random number generation process that generates random numbers and stores the generated random numbers, An encryption step which encrypts identification information that uniquely identifies the terminal device using random numbers generated by the random number generation step to generate encrypted identification information, A registration request step of transmitting the encrypted identification information to the network, As a result of the registration request step, the authentication request step involves obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network, A matching step which compares information that includes at least a random number contained in the information obtained from the network in the authentication request step and a random number generated and stored in the random number generation step, If a difference is determined in the aforementioned matching step, an authentication response step is performed to send an error message to the network, A terminal device that performs the following.

2. The identification information that uniquely identifies the terminal device is the Subscription Permanent Identifier (SUPI). The terminal device according to claim 1.

3. The aforementioned encrypted identification information is a Subscription Concealed Identifier (SUCI). The terminal device according to claim 1.

4. When a new registration request is made, the encryption process is repeated to regenerate random numbers. The terminal device according to any one of claims 1 to 3.

5. In the authentication request step, the information transmitted from the network to the terminal device includes a random number generated by the terminal device and a random number generated by the network. The terminal device according to any one of claims 1 to 3.

6. In the authentication response step, the error message sent when a difference is determined to exist in the matching step does not include any information that would allow it to identify that an error occurred due to a matching failure. The terminal device according to any one of claims 1 to 3.

7. In the authentication request step, the information obtained from the network includes information in which a random number generated by the random number generation step is combined with the random challenge RAND. The terminal device according to any one of claims 1 to 3.

8. In the authentication request step, the information obtained from the network includes the information obtained by the exclusive OR of the random challenge RAND and the random number generated in the random number generation step. The terminal device according to any one of claims 1 to 3.

9. A communication method for mutual authentication between a terminal device and a network, An encryption step is to encrypt identification information that uniquely identifies the terminal device using a random number generated by the terminal device, thereby generating encrypted identification information. A registration request step of transmitting the encrypted identification information from the terminal device to the network, An authentication request process is performed from the network to the terminal device using the encrypted identification information transmitted from the terminal device to the network, A matching step which compares information that includes at least a random number contained in the information transmitted from the network to the terminal device in the authentication request step and a random number used in the encryption step, If a difference is determined in the verification step, the authentication response step involves sending an error message from the terminal device to the network. A communication method that includes [something].

10. A program executed by a terminal device that performs mutual authentication with a network, A random number generation step that generates random numbers and stores the generated random numbers, An encryption step which encrypts identification information that uniquely identifies the terminal device using random numbers generated in the random number generation step to generate encrypted identification information, A registration request step of transmitting the encrypted identification information to the network, An authentication request step which involves obtaining from the network information generated using the encrypted identification information transmitted from the terminal device to the network as a result of the registration request step, A matching step in which a random number included in the information obtained from the network in the authentication request step is compared with a random number generated and stored in the random number generation step, If a difference is determined in the matching step, an authentication response step is performed which sends an error message to the network. A program that executes this task.