Authentication Procedure
Authentication Failure Procedure
The purpose of the EPS authentication and key agreement (AKA) procedure is to provide mutual authentication between the user and the network and to agree on a key KASME.
The EPS AKA procedure is always initiated and controlled by the network. However, the UE can reject the EPS authentication challenge sent by the network.
The UE shall proceed with an EPS authentication challenge only if a USIM is present.
The messages involved in Authentication Procedure are:
1. Authentication Request
2. Authentication Response
3. Authentication Reject
4. Authentication Failure.
1. Authentication Request
The network initiates the authentication procedure by sending an AUTHENTICATION REQUEST message to the UE and starting the timer T3460.
The MME sends the Authentication Request to the UE; it includes a random number RAND and the authentication parameter AUTN.
The UE computes the authentication response parameter RES and returns it to the MME in an Authentication Response message.
IEs present in Authentication Request:
Authentication request message type
NAS key set identifier ASME (eKSI)
Authentication parameter RAND: The purpose of the Authentication Parameter RAND information element is to provide the mobile station with a non-predictable number to be used to calculate the authentication response signature SRES and the ciphering key Kc (for a GSM authentication challenge), or the response RES and both the ciphering key CK and integrity key IK (for a UMTS authentication challenge).
Authentication parameter AUTN: The purpose of the Authentication Parameter AUTN information element is to provide the MS with a means of authenticating the network.
The AUTN consists of (SQN xor AK) || AMF || MAC = 48 + 16 + 64 bits (128 bits, 16 octets, in total).
2. Authentication Response
The UE shall respond to an AUTHENTICATION REQUEST message.
The UE shall process the authentication challenge data and respond with an AUTHENTICATION RESPONSE message to the network.
Upon a successful EPS authentication challenge, the UE shall determine the PLMN identity to be used for the calculation of the new KASME from the authentication challenge data according to the following rules:
a) When the UE moves from EMM-IDLE mode to EMM-CONNECTED mode, until the first handover, the UE shall use the PLMN identity of the selected PLMN; and
In order to avoid a synchronisation failure, when the UE receives an AUTHENTICATION REQUEST message, the UE shall store the received RAND together with the RES returned from the USIM in the volatile memory of the ME.
IEs present in Authentication Response:
Authentication response parameter:
The purpose of the Authentication response parameter information element is to provide the network with the authentication response calculated in the USIM.
The Authentication response parameter is a type 4 information element with a minimum length of 6 octets and a maximum length of 18 octets.
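As an added example (not from the page and not 3GPP code), the encoder and parser below build and check the plain NAS AUTHENTICATION RESPONSE message and enforce the length bound just stated: with the IEI and length octets removed, RES itself is 4 to 16 octets. Assumptions are stated in the comments: the protocol discriminator and message type values, and that the mandatory IE is carried in LV form (length octet followed by the value, no IEI) inside this message.

```python
# Added example: wire format of a plain NAS AUTHENTICATION RESPONSE message.
# Layout assumed here: octet 1 = security header type (high nibble) | protocol
# discriminator (low nibble); octet 2 = message type; then the mandatory
# Authentication response parameter IE in LV form (no IEI octet).
EMM_PD = 0x07            # EPS mobility management protocol discriminator
SEC_HDR_PLAIN = 0x00     # security header type 0: plain NAS message
MT_AUTH_RESPONSE = 0x53  # message type value (assumed from TS 24.301 table 9.8.1)
RES_MIN, RES_MAX = 4, 16 # IE is 6..18 octets including IEI + length octets


def encode_auth_response(res: bytes) -> bytes:
    """Build the message; reject RES values outside the permitted length range."""
    if not RES_MIN <= len(res) <= RES_MAX:
        raise ValueError(f"RES must be {RES_MIN}..{RES_MAX} octets, got {len(res)}")
    header = bytes([(SEC_HDR_PLAIN << 4) | EMM_PD, MT_AUTH_RESPONSE])
    return header + bytes([len(res)]) + res


def parse_auth_response(msg: bytes) -> bytes:
    """Return RES from a received message, validating every length before use.

    A decoder that trusts the declared length and slices past the buffer, or
    that accepts a RES shorter than 4 octets, is the classic NAS parsing bug;
    every check here is a bounds check on attacker-controlled input.
    """
    if len(msg) < 3:
        raise ValueError("truncated: header and length octet missing")
    if msg[0] & 0x0F != EMM_PD:
        raise ValueError("not an EMM message")
    if msg[0] >> 4 != SEC_HDR_PLAIN:
        raise ValueError("expected a plain NAS message")
    if msg[1] != MT_AUTH_RESPONSE:
        raise ValueError("not an AUTHENTICATION RESPONSE")
    length = msg[2]
    if not RES_MIN <= length <= RES_MAX:
        raise ValueError(f"RES length {length} outside {RES_MIN}..{RES_MAX}")
    if len(msg) < 3 + length:
        raise ValueError("declared RES length exceeds message")
    return msg[3:3 + length]


if __name__ == "__main__":
    # Constructed RES value; real RES comes from the USIM (f2 of RAND).
    sample = encode_auth_response(bytes.fromhex("0123456789abcdef"))
    print(sample.hex(), parse_auth_response(sample).hex())
```

The same checks apply on the UE side when it decodes AUTHENTICATION REQUEST: AUTN is a fixed 16 octets and RAND a fixed 16 octets, and a decoder should reject anything else before handing the values to the USIM.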
Upon receipt of an AUTHENTICATION RESPONSE message, the network stops the timer T3460 and checks the correctness of RES.
If the authentication procedure has been completed successfully and the related eKSI is stored in the EPS security context of the network, the network shall include a different eKSI value in the AUTHENTICATION REQUEST message when it initiates a new authentication procedure.
3. Authentication Reject
If the authentication response returned by the UE is not valid, the network response depends upon the type of identity used by the UE in the initial NAS message, that is:
– if the GUTI was used; or
– if the IMSI was used.
If the GUTI was used, the network should initiate an identification procedure.
If the IMSI given by the UE during the identification procedure differs from the IMSI the network had associated with the GUTI, the authentication should be restarted with the correct parameters.
If the IMSI was used for identification in the initial NAS message, or the network decides not to initiate the identification procedure after an unsuccessful authentication procedure, the network should send an AUTHENTICATION REJECT message to the UE.
If the AUTHENTICATION REJECT message is received by the UE, the UE shall abort any EMM signalling procedure, stop any of the timers T3410, T3417 or T3430 (if running) and enter state EMM-DEREGISTERED.
4. Authentication Failure.
This message is sent by the UE to the network to indicate that authentication of the network has failed.
In an EPS authentication challenge, the UE shall check the authenticity of the core network by means of the AUTN parameter received in the AUTHENTICATION REQUEST message. This enables the UE to detect a false network.
There can be three reasons for Authentication Failure:
a) MAC code failure:
If the UE finds the MAC code (supplied by the core network in the AUTN parameter) to be invalid, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #20 “MAC failure”.
b) Non-EPS authentication unacceptable:
If the UE finds that the “separation bit” in the AMF field of AUTN supplied by the core network is 0, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #26 “non-EPS authentication unacceptable”.
c) SQN failure:
If the UE finds the SQN (supplied by the core network in the AUTN parameter) to be out of range, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #21 “synch failure” and a re-synchronization token AUTS provided by the USIM.
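The following added example (not from the page, not 3GPP or any vendor code) runs the whole exchange in one place: the network side builds AUTN as (SQN xor AK) || AMF || MAC with the 48 + 16 + 64 bit widths given earlier, the UE side checks it in the order of cases a), b) and c) above and returns either RES or the EMM cause (#20, #26 or #21 with AUTS), and the network side checks RES against XRES and recovers SQN_MS from AUTS. The cryptographic functions f1, f1*, f2, f5 and f5* are stand-ins built from HMAC-SHA256 (real networks use MILENAGE or TUAK); the subscriber key, RAND, the SQN acceptance window of 32 and the position of the separation bit as the most significant bit of the first AMF octet are assumptions of this example.

```python
import hmac
import hashlib

# Field widths from the page: AUTN = (SQN xor AK) || AMF || MAC = 48 + 16 + 64 bits
SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8
AUTN_LEN = SQN_LEN + AMF_LEN + MAC_LEN  # 16 octets
SQN_WINDOW = 32                         # assumed SQN acceptance window (operator-chosen in practice)
AMF_SEPARATION_BIT = 0x80               # assumed: "bit 0" of AMF = MSB of its first octet

# Stand-ins for the 3GPP functions f1, f1*, f2, f5, f5*: keyed HMAC-SHA256 truncated
# to the field width. They are NOT MILENAGE/TUAK; only the data flow is realistic.
def _prf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf):      return _prf(k, b"f1", sqn + rand + amf, MAC_LEN)   # MAC-A
def f1_star(k, sqn, rand, amf): return _prf(k, b"f1*", sqn + rand + amf, MAC_LEN)  # MAC-S
def f2(k, rand):                return _prf(k, b"f2", rand, 8)                     # RES / XRES
def f5(k, rand):                return _prf(k, b"f5", rand, SQN_LEN)               # AK
def f5_star(k, rand):           return _prf(k, b"f5*", rand, SQN_LEN)              # AK*

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def network_challenge(k: bytes, sqn_hss: int, amf: bytes, rand: bytes):
    """HSS/MME side: build AUTN and the expected response XRES for this RAND."""
    sqn = sqn_hss.to_bytes(SQN_LEN, "big")
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, sqn, rand, amf)
    return autn, f2(k, rand)

def ue_process_challenge(k: bytes, rand: bytes, autn: bytes, sqn_ue: int):
    """UE/USIM side. Returns ("RESPONSE", RES, accepted_sqn) on success, or
    ("FAILURE", emm_cause, auts_or_None) for the page's cases a), b), c)."""
    if len(autn) != AUTN_LEN:
        raise ValueError("AUTN must be 16 octets")
    conc, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]
    sqn = xor(conc, f5(k, rand))                      # strip the anonymity key
    # a) MAC failure -> EMM cause #20 (constant-time compare)
    if not hmac.compare_digest(mac, f1(k, sqn, rand, amf)):
        return ("FAILURE", 20, None)
    # b) separation bit in AMF is 0 -> EMM cause #26 "non-EPS authentication unacceptable"
    if not amf[0] & AMF_SEPARATION_BIT:
        return ("FAILURE", 26, None)
    # c) SQN out of range -> EMM cause #21 "synch failure" with AUTS = (SQN_MS xor AK*) || MAC-S
    sqn_int = int.from_bytes(sqn, "big")
    if not sqn_ue < sqn_int <= sqn_ue + SQN_WINDOW:
        sqn_ms = sqn_ue.to_bytes(SQN_LEN, "big")
        amf_resync = bytes(AMF_LEN)                   # AMF* is all zeros during resynchronisation
        auts = xor(sqn_ms, f5_star(k, rand)) + f1_star(k, sqn_ms, rand, amf_resync)
        return ("FAILURE", 21, auts)
    return ("RESPONSE", f2(k, rand), sqn_int)

def network_check_res(xres: bytes, res: bytes) -> bool:
    """MME side on AUTHENTICATION RESPONSE: compare RES with XRES in constant time."""
    return hmac.compare_digest(xres, res)

def network_resync(k: bytes, rand: bytes, auts: bytes):
    """HSS side on cause #21: recover SQN_MS from AUTS, or None if MAC-S does not verify."""
    conc, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn_ms = xor(conc, f5_star(k, rand))
    if not hmac.compare_digest(mac_s, f1_star(k, sqn_ms, rand, bytes(AMF_LEN))):
        return None
    return int.from_bytes(sqn_ms, "big")

def run_exchange():
    """Constructed scenario: one successful run, then one of each failure cause."""
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed subscriber key
    rand = bytes(range(16))                                    # constructed RAND
    amf_eps = bytes([0x80, 0x00])                              # separation bit = 1
    out = {}
    autn, xres = network_challenge(k, 10, amf_eps, rand)
    kind, res, sqn_acc = ue_process_challenge(k, rand, autn, 5)
    out["ok"] = (kind, network_check_res(xres, res), sqn_acc)
    tampered = autn[:-1] + bytes([autn[-1] ^ 0x01])           # a) corrupt one MAC bit
    out["mac"] = ue_process_challenge(k, rand, tampered, 5)[:2]
    autn_no_sep, _ = network_challenge(k, 10, bytes([0x00, 0x00]), rand)   # b) separation bit 0
    out["sep"] = ue_process_challenge(k, rand, autn_no_sep, 5)[:2]
    kind, cause, auts = ue_process_challenge(k, rand, autn, 10)  # c) SQN 10 replayed, not fresh
    out["sqn"] = (kind, cause, network_resync(k, rand, auts))
    return out

if __name__ == "__main__":
    for name, result in run_exchange().items():
        print(name, result)
```

The order of the three checks follows the page's listing; note that the MAC is verified before the SQN window, so a replayed AUTN with a valid MAC is reported as a synch failure rather than a MAC failure, and the AUTS token lets the HSS resynchronise without the UE ever disclosing SQN in the clear.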
Reference: 3GPP TS 24.301