Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Network entities 2 Keys 3 Authentication challenges 4 Specification 5 See also 6 References 7 External links

CAVE-based authentication

Add links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)

This article needs additional citations for verification. Please help improve this articlebyadding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "CAVE-based authentication" – news · newspapers · books · scholar · JSTOR (June 2024) (Learn how and when to remove this message)

This article may require copy editing for grammar, style, cohesion, tone, or spelling. You can assist by editing it. (June 2024) (Learn how and when to remove this message)

This article may be too technical for most readers to understand. Please help improve ittomake it understandable to non-experts, without removing the technical details. (September 2008) (Learn how and when to remove this message)

(Learn how and when to remove this message)

CAVE-based authentication is an access authentication protocol based on used in CDMA2000 1X 3G mobile network systems, using the CAVE (Cellular Authentication and Voice Encryption) algorithm.^[1] It is also known as HLR authentication, 2G Authentication, or Access Authentication.

Network entities

[edit]

There are two network entities involved in CAVE-based authentication when roaming:

Authentication Center (AC) a.k.a. HLR/AC, AuC – Located in a roamer’s home network, the AC controls the authentication process and either authenticates the Mobile Station (Mobile Phone, MS) or shares SSD with the serving VLR to allow this authentication to occur locally. The AC must be provisioned with an A-key value for each MS. Authentication is predicated on the assumption that A-key value provisioned in an MS is the same as the A-key value provisioned in the AC. The AC is often co-located with the HLR and referred to as the HLR/AC. However, the AC could be a standalone network entity that serves one or more HLRs. Though the CDMA abbreviation is AC, the GSM abbreviation of AuC is sometimes used (albeit incorrectly in CDMA networks).
Visitor Location Register (VLR) – If SSD is shared with the visited network, the VLR locally authenticates the roamer. Otherwise, the VLR proxies authentication responses from roamers to their home HLR/AC for authentication.

Keys

[edit]

The authentication controller is the entity that determines whether the response from the MS is correct. Depending upon whether SSD is shared, the authentication controller may be either the AC or VLR. In either case, CAVE-based authentication is based on the CAVE algorithm and the following two shared keys:

Authentication key (A-key) – A 64-bit primary secret key known only to the MS and AC. In the case of RUIM equipped mobiles, the A-key is stored on the RUIM; otherwise, it is stored in semi-permanent memory on the MS. The A-key is never shared with roaming partners. However, it is used to generate a secondary key known as SSD that may be shared with a roaming partner to enable local authentication in the visited network.
Shared Secret Data (SSD) – A 128-bit secondary secret key that is calculated using the CAVE algorithm during an SSD Update procedure.^[2] During this procedure both MS and the AC in the user’s home network separately calculate SSD. It is this SSD, not the A-key that is used during authentication. SSD may or may not be shared between home and roaming partner networks to enable local authentication. SSD consists of two 64-bit keys: SSD_A, which is used during authentication to calculate authentication signatures, and SSD_B, which is used in the generation of session keys for encryption and voice privacy.

Authentication challenges

[edit]

CAVE-based authentication provides two types of challenges:

Global challenge – Procedure that requires any MS attempting to access the serving network to respond to a common challenge value being broadcast in the overhead message train. The MS must generate an authentication signature response (AUTHR) using CAVE with inputs of the global challenge value, ESN, either the last six dialed digits (for an origination attempt) or IMSI_S1 (for any other system access attempt), and SSD_A.
Unique challenge – Procedure that allows a visited network (if SSD is shared) and/or home network to uniquely challenge a particular MS for any reason. The MS must generate an authentication signature response (AUTHU) using CAVE with inputs of the unique challenge value, ESN, IMSI_S1, and SSD_A.

CAVE-based authentication is a one-way authentication mechanism that always involves the network authenticating the MS (with the exception of the base station challenge procedure that occurs only during an SSD update).

Specification

[edit]

CAVE-based authentication procedures are specified in TIA-41 (3GPP2 X.S0004).

References

[edit]

^ Zhang, Chi; Liu, Jun-Rong; Gu, Da-Wu; Wang, Wei-Jia; Lu, Xiang-Jun; Guo, Zheng; Lu, Hai-Ning (1 September 2019). "Side-Channel Analysis for the Authentication Protocols of CDMA Cellular Networks". Journal of Computer Science and Technology. 34 (5): 1079–1095. doi:10.1007/s11390-019-1961-5. ISSN 1860-4749. Retrieved 18 June 2024.

^ Miceli, Andrew (2003). Wireless technician's handbook (PDF) (2. ed.). Boston, Mass.: Artech House. ISBN 978-1580533577. Retrieved 18 June 2024.

External links

[edit]

TIA-41 - 3GPP2 X.S0004 (March 2004)

Authentication

Authentication
APIs

BSD Authentication (BSD Auth)
eAuthentication (eAuth)
Generic Security Services API (GSSAPI)
Java Authentication and Authorization Service (JAAS)
Pluggable Authentication Modules (PAM)
Simple Authentication and Security Layer (SASL)
Security Support Provider Interface (SSPI)
XCert Universal Database API (XUDA)

Authentication
protocols

ACF2
Authentication and Key Agreement (AKA)
CAVE-based authentication
Challenge-Handshake Authentication Protocol (CHAP)
- MS-CHAP
Central Authentication Service (CAS)
CRAM-MD5
Diameter
Extensible Authentication Protocol (EAP)
Host Identity Protocol (HIP)
IndieAuth
Kerberos
LAN Manager
NT LAN Manager (NTLM)
OAuth
OpenID
OpenID Connect (OIDC)
Password-authenticated key agreement protocols
Password Authentication Protocol (PAP)
Protected Extensible Authentication Protocol (PEAP)
Remote Access Dial In User Service (RADIUS)
Resource Access Control Facility (RACF)
Secure Remote Password protocol (SRP)
TACACS
Woo–Lam

Retrieved from "https://en.wikipedia.org/w/index.php?title=CAVE-based_authentication&oldid=1229749935" Categories: ●Code division multiple access ●Cryptographic protocols Hidden categories: ●Articles with short description ●Short description matches Wikidata ●Articles needing additional references from June 2024 ●All articles needing additional references ●Wikipedia articles needing copy edit from June 2024 ●All articles needing copy edit ●Wikipedia articles that are too technical from September 2008 ●All articles that are too technical ●Articles with multiple maintenance issues ●This page was last edited on 18 June 2024, at 14:47 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view