CAVE-based authentication

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by SheriffIsInTown at 20:02, 30 September 2024 (Keys). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

CAVE-based authentication is a security protocol used to verify access in CDMA2000 1X, a type of third-generation (3G) mobile network system. The term "CAVE" stands for Cellular Authentication and Voice Encryption, which is the algorithm used to perform the authentication process.[1] This system helps to confirm that a user is authorized to connect to the mobile network.

It is also referred to as "HLR authentication" (Home Location Register authentication), "2G authentication," or "Access Authentication." In simpler terms, it ensures that the person trying to access the network is who they claim to be, protecting the network from unauthorized users.

Network entities

In CAVE-based authentication, two main components work together when a user is roaming on a mobile network:

  • Authentication Center (AC) (also known as HLR/AC or AuC): This is located in the user's home network and manages the authentication process. It either directly verifies the identity of the Mobile Station (MS, commonly known as a mobile phone) or shares a security key (called SSD) with the Visitor Location Register (VLR) in the network the user is visiting. The AC must have a specific security key (A-key) for each mobile device. Authentication depends on both the device and the AC having the same A-key. The AC is usually part of the Home Location Register (HLR) but can also exist as a separate system that serves multiple HLRs. Although "AuC" is the abbreviation used in GSM networks, it is sometimes incorrectly applied to CDMA networks as well.
  • Visitor Location Register (VLR): This is the network component in the visited network (the one the user is currently connected to while roaming). If the SSD key is shared with this network, the VLR can authenticate the user locally. If not, it acts as a middleman, passing authentication requests to the user's home AC for verification.

This system ensures that users can be securely authenticated even when they are using networks outside their home area.

Keys

In mobile network authentication, the authentication controller is responsible for determining whether the response from the Mobile Station (MS, or mobile phone) is correct. Depending on the situation, this controller can either be the Authentication Center (AC) in the user's home network or the Visitor Location Register (VLR) in the network the user is currently roaming in. This process uses two shared keys in CAVE-based authentication, which relies on the CAVE (Cellular Authentication and Voice Encryption) algorithm:

  • Authentication key (A-key): This is a 64-bit secret key that is only known to the MS and the AC. If the mobile phone uses a RUIM card (similar to a SIM card), the A-key is stored on the RUIM; otherwise, it is stored in the device's memory. The A-key is never shared with other networks. However, it is used to create another key called Shared Secret Data (SSD), which can be shared with a roaming network to allow local authentication.
  • Shared Secret Data (SSD): This is a 128-bit key created using the CAVE algorithm during a procedure known as an SSD update.[2] Both the MS and the AC in the user’s home network independently calculate this SSD. The SSD, not the A-key, is used during the actual authentication process. SSD may or may not be shared between the user’s home network and a roaming network. If it is shared, it allows the roaming network to authenticate the user locally. The SSD is divided into two parts:
    • SSD_A: Used for generating authentication signatures.
    • SSD_B: Used to create session keys for encryption and voice privacy.

This process allows users to be securely authenticated without revealing the most sensitive key (A-key) to other networks.

Authentication challenges

CAVE-based authentication provides two types of challenges:

  • Global challenge – Procedure that requires any MS attempting to access the serving network to respond to a common challenge value being broadcast in the overhead message train. The MS must generate an authentication signature response (AUTHR) using CAVE with inputs of the global challenge value, ESN, either the last six dialed digits (for an origination attempt) or IMSI_S1 (for any other system access attempt), and SSD_A.
  • Unique challenge – Procedure that allows a visited network (if SSD is shared) and/or home network to uniquely challenge a particular MS for any reason. The MS must generate an authentication signature response (AUTHU) using CAVE with inputs of the unique challenge value, ESN, IMSI_S1, and SSD_A.

CAVE-based authentication is a one-way authentication mechanism that always involves the network authenticating the MS (with the exception of the base station challenge procedure that occurs only during an SSD update).
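The following Python model of the key hierarchy and the two challenge types described above is an added illustration, not code from the article or from the TIA-41 specification. Because the CAVE algorithm itself is not published, HMAC-SHA256 stands in for it (an assumption), and the ESN, IMSI_S1, A-key, challenge values and signature length are constructed samples; what the model shows is the protocol shape: the A-key never leaves the MS and the AC, SSD_A is all a VLR receives when SSD is shared, and a device without the right A-key cannot produce a valid AUTHR or AUTHU.

```python
import hashlib
import hmac

ESN, IMSI_S1 = bytes.fromhex("1a2b3c4d"), b"5551234567"     # constructed sample values
A_KEY = bytes.fromhex("0011223344556677")                   # 64-bit A-key (sample)

def cave_stub(key: bytes, *fields: bytes) -> bytes:
    """Stand-in for CAVE (assumption: HMAC-SHA256; CAVE itself is not published)."""
    msg = b"".join(len(f).to_bytes(1, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def ssd_update(a_key: bytes, randssd: bytes, esn: bytes):
    """SSD update: 128-bit SSD derived from the 64-bit A-key, split into SSD_A and SSD_B."""
    assert len(a_key) == 8, "A-key is 64 bits"
    ssd = cave_stub(a_key, b"SSD", randssd, esn)[:16]
    return ssd[:8], ssd[8:]          # SSD_A: authentication signatures; SSD_B: session keys

def auth_signature(ssd_a: bytes, challenge: bytes, esn: bytes, third: bytes) -> bytes:
    """AUTHR or AUTHU over (challenge value, ESN, dialed digits or IMSI_S1, SSD_A)."""
    return cave_stub(ssd_a, challenge, esn, third)[:3]     # truncated length is a sample choice

def third_input(imsi_s1: bytes, dialed=None) -> bytes:
    """Origination attempt: last six dialed digits; any other access attempt: IMSI_S1."""
    return dialed[-6:].encode() if dialed else imsi_s1

def ms_respond(ms: dict, challenge: bytes, dialed=None) -> bytes:
    """MS side of a global challenge (dialed may be set) or a unique challenge (dialed=None)."""
    return auth_signature(ms["ssd_a"], challenge, ms["esn"], third_input(ms["imsi_s1"], dialed))

def network_verify(ac_akeys, vlr_ssd, esn, imsi_s1, randssd, challenge, resp, dialed=None):
    """Authentication controller: the VLR checks locally if SSD was shared with it,
    otherwise the request is relayed to the home AC, the only network holder of the A-key."""
    if esn in vlr_ssd:
        ssd_a = vlr_ssd[esn]
    else:
        ssd_a, _ = ssd_update(ac_akeys[esn], randssd, esn)
    expected = auth_signature(ssd_a, challenge, esn, third_input(imsi_s1, dialed))
    return hmac.compare_digest(expected, resp)

def demo() -> dict:
    randssd, rand, randu = b"\x01\x02\x03\x04\x05\x06\x07", b"\xaa\xbb\xcc\xdd", b"\x10\x20\x30"
    ac_akeys = {ESN: A_KEY}
    ms = {"esn": ESN, "imsi_s1": IMSI_S1}
    ms["ssd_a"], ms["ssd_b"] = ssd_update(A_KEY, randssd, ESN)
    vlr_shared = {ESN: ms["ssd_a"]}                                  # home network shared SSD
    clone = dict(ms, ssd_a=ssd_update(bytes(8), randssd, ESN)[0])    # device without the real A-key
    digits = "15551230099"
    return {
        "global_local": network_verify(ac_akeys, vlr_shared, ESN, IMSI_S1, randssd, rand, ms_respond(ms, rand, digits), digits),
        "unique_forwarded": network_verify(ac_akeys, {}, ESN, IMSI_S1, randssd, randu, ms_respond(ms, randu)),
        "wrong_akey": network_verify(ac_akeys, {}, ESN, IMSI_S1, randssd, rand, ms_respond(clone, rand, digits), digits),
    }
```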

Specification

CAVE-based authentication procedures are specified in TIA-41 (3GPP2 X.S0004).

References

  1. Zhang, Chi; Liu, Jun-Rong; Gu, Da-Wu; Wang, Wei-Jia; Lu, Xiang-Jun; Guo, Zheng; Lu, Hai-Ning (1 September 2019). "Side-Channel Analysis for the Authentication Protocols of CDMA Cellular Networks". Journal of Computer Science and Technology. 34 (5): 1079–1095. doi:10.1007/s11390-019-1961-5. ISSN 1860-4749. Retrieved 18 June 2024.
  2. Miceli, Andrew (2003). Wireless Technician's Handbook (PDF) (2nd ed.). Boston, Mass.: Artech House. ISBN 978-1580533577. Retrieved 18 June 2024.