As mentioned earlier, user authentication has the problem of verifying the identities of Alice and Bob when they start a new session. Authentication protocols typically follow the method of challenge-response, where Alice challenges Bob with a random challenge that Bob should respond to in an expected way. In turn, Bob verifies Alices identity in the same way. In this lab, let us go through an example of how challenge-response is handled in GSM (Global System for Mobile Communications).
Select the following link for an example of how challenge-response is handled in GSM.
Challenge-Response Handled in GSM
Given below are two scenarios. Read each scenario carefully and then answer the questions that follow each scenario.
Scenario: Refer to Figures 1 and 2. The A3 and A8 algorithms were initially kept secret in the hope of preventing fraudulent calls. Eventually the algorithms were reverse engineered. This is an example where “security by obscurity” failed.
Now, respond to the following questions:
Question 1: What is the general approach of security by obscurity?
Question 2: Why do most security experts believe that security by obscurity is a faulty approach?
Scenario: The user’s AuC sends the triplet (R, S, CK) instead of the user’s subscription information to the MSC. In particular, the AuC does not send the user’s secret key K to the MSC in order for the MSC to compute the response S. The MSC is simply given the expected response S by the AuC. The reason is that there is not complete trust between the home network and visited network.
Now, respond to the following questions:
Question 3: Why does there need to be trust between the two networks? Be specific with regard to the scenario.
Question 4: Why is trust limited between the service providers in the home network and visited network?
Answer all questions completely. If sources are used, follow APA guidelines for writing and citations. Post your work to the dropbox.
