Authentication Center (AUC)
The AUC is a processor system that performs the “authentication” function. It will normally be co-located with the Home Location Register (HLR), as it will be required to continuously access and update, as necessary, the system subscriber records.
The AUC/HLR centre can be co-located with the MSC or located remotely from the MSC. The authentication process will usually take place each time the subscriber “initializes” on the system.
To discuss the authentication process, we will assume that the VLR has all the information required to perform that authentication process (Kc, SRES and RAND). If this information is unavailable, then the VLR would request it from the HLR/AUC.
1. Triples (Kc, SRES and RAND) are stored at the VLR.
2. The VLR sends RAND via the MSC and BSS, to the MS (unencrypted).
3. The MS, using the A3 and A8 algorithms and the parameter Ki stored on the MS SIM card, together with the received RAND from the VLR, calculates the values of SRES and Kc.
4. The MS sends SRES unencrypted to the VLR.
5. Within the VLR the value of SRES is compared with the SRES received from the mobile. If the two values match, then the authentication is successful.
6. If ciphering is to be used, Kc from the assigned triple is passed to the BTS.
7. The mobile calculates Kc from RAND, using A8 and the Ki stored on the SIM.
8. Using Kc, A5 and the GSM hyperframe number, encryption between the MS and the BSS can now occur over the air interface.
Note: The triples are generated at the AUC by:
- RAND = Randomly generated number.
- SRES = Derived from A3 (RAND, Ki).
- Kc = Derived from A8 (RAND, Ki).
- A3 = From 1 of 16 possible algorithms defined on allocation of IMSI and creation of SIM card.
- A8 = From 1 of 16 possible algorithms defined on allocation of IMSI and creation of SIM card.
- Ki = Authentication key, assigned at random together with the versions of A3 and A8.
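The exchange in steps 1 to 7 and the triple generation in the note, as an added example that is not part of the original page. A3 and A8 are operator-chosen, so HMAC-SHA256 truncated to the GSM output sizes (32-bit SRES, 64-bit Kc, with 128-bit RAND and Ki) stands in for them here as an assumption; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for the operator's real A3/A8 algorithms.
def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES = A3(RAND, Ki), truncated to 32 bits."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc = A8(RAND, Ki), truncated to 64 bits."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def auc_generate_triple(ki: bytes, rand: bytes = None) -> dict:
    """AUC side: Ki stays at the AUC; only the triple is handed to the VLR."""
    rand = rand or secrets.token_bytes(16)  # 128-bit random challenge
    return {"RAND": rand, "SRES": a3(ki, rand), "Kc": a8(ki, rand)}

def sim_respond(ki: bytes, rand: bytes) -> tuple:
    """MS/SIM side (steps 3 and 7): derive SRES and Kc from the received RAND."""
    return a3(ki, rand), a8(ki, rand)

def vlr_authenticate(triple: dict, sres_from_ms: bytes):
    """VLR side (steps 5 and 6): release Kc for the BTS only if SRES matches."""
    if hmac.compare_digest(triple["SRES"], sres_from_ms):
        return triple["Kc"]
    return None

def run_exchange(ki_auc: bytes, ki_sim: bytes) -> dict:
    """One full run; 'on_air' holds the only values sent unencrypted."""
    triple = auc_generate_triple(ki_auc)               # step 1
    sres, kc_ms = sim_respond(ki_sim, triple["RAND"])  # steps 2, 3, 7
    kc_net = vlr_authenticate(triple, sres)            # steps 4, 5, 6
    return {
        "authenticated": kc_net is not None,
        "keys_match": kc_net is not None and kc_net == kc_ms,
        "on_air": (triple["RAND"], sres),  # Ki and Kc never cross the air interface
    }

if __name__ == "__main__":
    ki = bytes(range(16))  # constructed sample Ki, not a real subscriber key
    print("genuine SIM:", run_exchange(ki, ki)["authenticated"])
    print("wrong Ki:   ", run_exchange(ki, bytes(16))["authenticated"])
```

Because only RAND and SRES are exposed, the secrecy of Ki rests entirely on A3/A8 being hard to invert from observed challenge-response pairs.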
The first time a subscriber attempts to make a call, the full authentication process takes place.
However, for subsequent calls attempted within a given system control time period, or within a single system provider’s network, authentication may not be necessary, as the data generated during the first authentication will still be available.