CAVE-based authentication
CAVE-based authentication is an access authentication protocol used in CDMA2000 1X, a third-generation (3G) mobile network system. "CAVE" stands for Cellular Authentication and Voice Encryption, the algorithm used to compute the authentication values.[1] The protocol lets the network confirm that a mobile station attempting to register, originate or receive a call is the subscriber it claims to be, and so keeps cloned or otherwise unauthorized devices off the network.
It is also referred to as "HLR authentication" (Home Location Register authentication), "2G authentication" or "Access Authentication."
Network entities
In CAVE-based authentication, two main components work together when a user is roaming on a mobile network:
- Authentication Center (AC) (also known as HLR/AC or AuC): This is located in the user's home network and controls the authentication process. It either verifies the response of the Mobile Station (MS, commonly a mobile phone) itself or shares a secondary secret (SSD) with the Visitor Location Register (VLR) of the network the user is visiting so that the VLR can verify responses locally. The AC holds a per-device secret (the A-key) for every mobile it serves; authentication works only if the device and the AC hold the same A-key. The AC is usually part of the Home Location Register (HLR) but can also be a separate system serving multiple HLRs. "AuC" is the abbreviation used in GSM networks and is sometimes, incorrectly, applied to CDMA networks as well.
- Visitor Location Register (VLR): This is the network component in the visited network (the one the user is currently connected to while roaming). If SSD has been shared with the visited network, the VLR can authenticate the user locally. If not, it acts as a relay, passing the challenge and the response to the user's home AC for verification.
This system ensures that users can be securely authenticated even when they are using networks outside their home area.
Keys
The authentication controller is the entity that determines whether the response from the MS is correct. Depending upon whether SSD is shared, the authentication controller is either the AC or the VLR. In either case, CAVE-based authentication is based on the CAVE algorithm and the following two shared keys:
- Authentication key (A-key) – A 64-bit primary secret key known only to the MS and the AC. In RUIM-equipped mobiles the A-key is stored on the RUIM; otherwise it is stored in semi-permanent memory on the MS. The A-key is never shared with roaming partners. It is used only to generate a secondary key, SSD, which may be shared with a roaming partner to enable local authentication in the visited network.
- Shared Secret Data (SSD) – A 128-bit secondary secret key calculated with the CAVE algorithm during an SSD Update procedure.[2] During this procedure the MS and the AC in the user's home network each calculate SSD independently from the A-key and a random value sent by the network; the SSD itself is never transmitted. It is SSD, not the A-key, that is used during authentication. SSD may or may not be shared between the home network and a roaming partner to enable local authentication. SSD consists of two 64-bit halves: SSD_A, used during authentication to calculate authentication signatures, and SSD_B, used to generate session keys for encryption and voice privacy.
Authentication challenges
CAVE-based authentication provides two types of challenges:
- Global challenge – Procedure that requires every MS attempting to access the serving network to respond to a common challenge value (RAND) broadcast in the overhead message train. The MS generates an authentication signature response (AUTHR) using CAVE with inputs of the global challenge value, the ESN, either the last six dialed digits (for an origination attempt) or IMSI_S1 (for any other system access attempt), and SSD_A. Because the challenge is broadcast, the response is bound to the attempted action (the dialed digits) so that a signature captured during a registration cannot be replayed to originate a call.
- Unique challenge – Procedure that allows the visited network (if SSD is shared) and/or the home network to challenge a particular MS at any time and for any reason, for example when the global challenge fails or when the network suspects cloning. The MS generates an authentication signature response (AUTHU) using CAVE with inputs of the unique challenge value (RANDU), the ESN, IMSI_S1, and SSD_A.
CAVE-based authentication is a one-way mechanism: the network authenticates the MS, but the MS does not authenticate the network. The single exception is the base station challenge that occurs only during an SSD update: before committing the new SSD, the MS sends its own random challenge to the network and checks the network's signature, which proves that the network holds the same A-key. This is the only step at which a rogue network would be detected.
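The key hierarchy and the two challenge procedures above, as an added example that is not part of the original article, of TIA-41, or of any operator's implementation. The real CAVE algorithm is not reproduced; `cave()` is a stand-in keyed PRF (HMAC-SHA256, truncated) chosen only so that the SSD update, the base station challenge, global and unique challenges, and the SSD-shared versus relayed VLR paths can be exercised end to end. Field widths (RAND 32 bits, RANDU 24, RANDBS 32, RANDSSD 56, ESN 32, AUTH_DATA 24, signatures 18, SSD 128) follow TIA-41; the ESN, IMSI_S1 and A-key values in `demo()` are constructed test data, and all class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# The real CAVE algorithm is not reproduced: cave() is a stand-in keyed PRF (HMAC-SHA256,
# truncated) so the key hierarchy and message flow can run end to end with TIA-41 widths:
# RAND 32, RANDU 24, RANDBS 32, RANDSSD 56, ESN 32, AUTH_DATA 24, AUTHR/AUTHU/AUTHBS 18, SSD 128.

def cave(key, *fields, out_bits):
    msg = b"".join(v.to_bytes((w + 7) // 8, "big") for v, w in fields)  # (value, bit_width) pairs
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)

def derive_ssd(a_key, esn, randssd):
    """SSD Update: MS and AC each compute SSD from the A-key, ESN and RANDSSD."""
    ssd = cave(a_key, (esn, 32), (randssd, 56), out_bits=128).to_bytes(16, "big")
    return ssd[:8], ssd[8:]  # SSD_A (authentication), SSD_B (session keys)

def signature(ssd_a, rand, rand_bits, esn, auth_data):
    """18-bit AUTHR/AUTHU/AUTHBS over (challenge, ESN, AUTH_DATA), keyed by SSD_A."""
    return cave(ssd_a, (rand, rand_bits), (esn, 32), (auth_data, 24), out_bits=18)

def digits_to_auth_data(dialed):
    """Pack the last six dialed digits into 24-bit AUTH_DATA (origination attempts)."""
    return int("".join(f"{int(d):04b}" for d in dialed[-6:].rjust(6, "0")), 2)

class MobileStation:
    def __init__(self, esn, imsi_s1, a_key):
        self.esn, self.imsi_s1, self.a_key = esn, imsi_s1, a_key
        self.ssd_a = self.ssd_b = None  # no SSD until an SSD Update succeeds

    def begin_ssd_update(self, randssd):
        self._pending = derive_ssd(self.a_key, self.esn, randssd)
        self._randbs = secrets.randbits(32)  # Base Station Challenge to the network
        return self._randbs

    def finish_ssd_update(self, authbs):
        # Commit the new SSD only if the network proved it knows the same A-key.
        if authbs != signature(self._pending[0], self._randbs, 32, self.esn, self.imsi_s1):
            return False
        self.ssd_a, self.ssd_b = self._pending
        return True

    def answer(self, rand, rand_bits, dialed=None):
        auth_data = digits_to_auth_data(dialed) if dialed else self.imsi_s1
        return signature(self.ssd_a, rand, rand_bits, self.esn, auth_data)

class AuthenticationCenter:
    def __init__(self, a_keys):
        self.a_keys, self.ssd = a_keys, {}  # A-key per ESN; it never leaves the AC

    def run_ssd_update(self, ms, share_with=None):
        randssd = secrets.randbits(56)
        new_a, new_b = derive_ssd(self.a_keys[ms.esn], ms.esn, randssd)
        randbs = ms.begin_ssd_update(randssd)
        if not ms.finish_ssd_update(signature(new_a, randbs, 32, ms.esn, ms.imsi_s1)):
            return False
        self.ssd[ms.esn] = (new_a, new_b)
        if share_with is not None:
            share_with.ssd_a[ms.esn] = new_a  # share SSD only, never the A-key
        return True

    def verify(self, esn, rand, rand_bits, auth_data, response):
        return signature(self.ssd[esn][0], rand, rand_bits, esn, auth_data) == response

class VisitorLocationRegister:
    def __init__(self, home_ac):
        self.home_ac, self.ssd_a = home_ac, {}

    def verify(self, esn, rand, rand_bits, auth_data, response):
        if esn in self.ssd_a:  # SSD shared: the VLR is the authentication controller
            return signature(self.ssd_a[esn], rand, rand_bits, esn, auth_data) == response
        return self.home_ac.verify(esn, rand, rand_bits, auth_data, response)  # relay to AC

    def global_challenge(self, ms, dialed=None):
        rand = secrets.randbits(32)  # RAND carried in the overhead message train
        auth_data = digits_to_auth_data(dialed) if dialed else ms.imsi_s1
        return self.verify(ms.esn, rand, 32, auth_data, ms.answer(rand, 32, dialed))

    def unique_challenge(self, ms):
        randu = secrets.randbits(24)
        return self.verify(ms.esn, randu, 24, ms.imsi_s1, ms.answer(randu, 24))

def demo(share_ssd):
    """Constructed scenario; the ESN, IMSI_S1 and A-keys are made-up test values."""
    a_key = secrets.token_bytes(8)
    ms = MobileStation(esn=0x12345678, imsi_s1=0xABCDEF, a_key=a_key)
    home = AuthenticationCenter({ms.esn: a_key})
    vlr = VisitorLocationRegister(home)
    rogue = AuthenticationCenter({ms.esn: secrets.token_bytes(8)})  # wrong A-key
    clone = MobileStation(ms.esn, ms.imsi_s1, secrets.token_bytes(8))  # cloned ESN, wrong A-key
    clone.ssd_a, clone.ssd_b = derive_ssd(clone.a_key, clone.esn, 0)
    return {
        "ssd_update": home.run_ssd_update(ms, share_with=vlr if share_ssd else None),
        "rogue_ssd_update": rogue.run_ssd_update(ms),  # MS rejects: AUTHBS mismatch
        "vlr_local": ms.esn in vlr.ssd_a,
        "origination": vlr.global_challenge(ms, dialed="5551234"),
        "unique": vlr.unique_challenge(ms),
        "clone": vlr.global_challenge(clone),
    }
```

Running `demo(True)` and `demo(False)` shows the two deployment modes: with SSD shared the VLR verifies AUTHR and AUTHU itself, without it every response is relayed to the home AC, and in both cases a clone with the right ESN and IMSI_S1 but the wrong A-key fails, as does a network that attempts an SSD update without the subscriber's A-key. Note that the 18-bit signature leaves a 1-in-262,144 chance of a correct guess per challenge, which is why a real network rate-limits and escalates to a unique challenge after failures.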
Specification
CAVE-based authentication procedures are specified in TIA-41 (3GPP2 X.S0004).
See also
- Channel access method
- Authentication and Key Agreement (AKA) - a successor authentication type
- Cellular Message Encryption Algorithm - an algorithm similar to CAVE
References
- ^ Zhang, Chi; Liu, Jun-Rong; Gu, Da-Wu; Wang, Wei-Jia; Lu, Xiang-Jun; Guo, Zheng; Lu, Hai-Ning (1 September 2019). "Side-Channel Analysis for the Authentication Protocols of CDMA Cellular Networks". Journal of Computer Science and Technology. 34 (5): 1079–1095. doi:10.1007/s11390-019-1961-5. ISSN 1860-4749. Retrieved 18 June 2024.
- ^ Miceli, Andrew (2003). Wireless technician's handbook (PDF) (2. ed.). Boston, Mass.: Artech House. ISBN 978-1580533577. Retrieved 18 June 2024.