UMTS is designed to interoperate with GSM networks. To protect GSM networks against man-in-middle attacks, 3GPP is considering to add a structure RAND authentication challenge.
Both the network and the mobile station supports all the security mechanisms of UMTS. Authentication and Key agreement is as follows −
The mobile station and the base station to establish a radio resource control connection (RRC connection). During the establishment of the connection the mobile station sends its security capabilities to the base station. Security features include UMTS integrity and encryption algorithms supported and possibly GSM encryption capabilities as well.
The mobile station sends its temporary identity TMSI current on the network.
If the network cannot solve the TMSI, he asks the mobile station to send its permanent identity and the mobile stations responding to the request with the IMSI.
The visited network requests authentication of the home network of the mobile station data.
The home network returns a random challenge RAND, the corresponding authentication token AUTN, authentication
Response XRES, integrity key IK and the encryption key CK.
The visited network sends RAND authentication challenge and authentication token AUTN to the mobile Station.
The mobile station checks AUTN and calculates the authentication response. If AUTN is corrected.
Mobile station ignores the message.
The mobile station sends its authentication response RES to the visited network.
Visiting the network checks if RES = XRES and decide which security algorithms radio subsystem is allowed to use.
The visited network sends algorithms admitted to the radio subsystem.
The radio access network decides permit (s) algorithms to use.
The radio access network informs the mobile station of their choice in the security mode command message.
The message also includes the network security features received from the mobile station in step 1.
This message is integrity protected with the integrity key IK.
The mobile station confirms the protection of the integrity and verify the accuracy of the safety functions.
The mobile unit (subscriber UMTS) supports both USIM and SIM application. The base station system uses GSM while the VLR / MSC technology components are respectively the UMTS SGSN. The mobile station and the core network both support all security mechanisms of UMTS. However, the base station system GSM (BSS) does not support the protection of the integrity and uses the GSM encryption algorithms. The first eight steps of the authentication protocol are performed as in the classical case. GSM BSS simply forwards the UMTS authentication traffic.
The MSC / SGSN decides which GSM encryption algorithms are allowed and calculates the key GSM Kc UMTS keys IK, CK.
The MSC / SGSN advises the GSM BSS authorized algorithms and transmits the GSM cipher key Kc.
GSM BSS decide which encryption algorithms allowed to use based encryption capabilities of the mobile station.
GSM BSS sends the GSM cipher mode command to the station.