18th Oct., KDDI is a IS-95 CDMA carrier in Japan. Many Japanese travel abroad, but few people come to Japan. (due to high consumer price in Japan?) Strong interest in ANSI-41 -> GSM roaming Less interest in GSM -> ANSI-41 roaming. KDDI can rely on the IIF (Interworking Function) for roaming GSM to ANSI-41, which is planned to be deployed by some GSM carriers. It is anticipated that only a few percent of KDDI users who subscribe GSM roaming, in other words who have SIM cards, will visit and stay in the GSM network. Management of subscription data in IIF causes complexity. Background

18th Oct., Main Concept One-way roaming ANSI-41 to GSM. No subscription data in IIF. No impact on GSM infrastructure. Few impacts on ANSI-41 infrastructure. Concept allows CAVE based authentication by the ANSI-41 home while mobile is roaming in GSM system. The length of authentication parameters of GSM MAP is longer than that of ANSI-41. Therefore, GSM MAP and air-interface can contain ANSI-41 authentication parameters. 2

18th Oct., Mechanism SIM Card ANSI-41 HLR IIF GSM MSC/VLR This figure indicates the example of IIF interworking without Subscription data in IIF AUTHREQ authreq This SIM Card includes CAVE and A8 algorithm, and calculate AUTHU and SSD-B. AUTHU is contained in the SRES parameter. The SSD-B acts as Kc (ciphering key). And, this SIM Card contains MIN, ESN, fixed SSD-A and AAV parameter. (RANDU, AUTHU) Security Related Information Request Authentication Vector Response (RAND, SRES, Kc) } 32bits SRES AUTHU (18bits) } 128bits RAND RANDU (24bits) *1 *1 : HLR needs to contain fixed SSD-A for the roamer to GSM. *2 : This message is sent x times. *2 AUTHU : AuthenticationResponseUniqueChallenge RANDU : RandVariableUniqueChallenge AAV : AuthenticationAlgorithmVersion Mapping example

18th Oct., Impact on ANSI-41 The IIF doesn’t know the ESN when the user initially made a registration in the GSM system. The IIF will set a default ESN in the initial REGNOT. The HLR has to accept the REGNOT. The HLR needs to contain a fixed SSD_A for each subscriber.

18th Oct., ANSI-41MS GSM MSC/VLR IIF ANSI-41 HLR/AC ANSI-41 MSC/VLR Proposal - Authentication (without Subscription data) - Send_Auth_Req [IMSI, Number of requested vectors] AUTHREQ [MSID, ESN(fixed ESN), MSCID(IIF)] authreq [RANDU, AUTHU, SSD] ANSI-41 HLR detects that MSCID parameter in AUTHREQ is IIF ID, it allows MSID/ESN mismatch, and it sends RANDU, AUTHU and SSD in authreq. Send_Auth_Res [ AuthenticationSetList (RAND, SRES, Kc)] It continues one to five times. ESN is set to a default value. Authentication_Req (RAND) Authentication_Res (SRES) ANSI-41 MS executes the authentication using CAVE. It extracts RANDU from RAND in Auth_Req and calculates the AUTHU using RANDU and SSD-A. Authentication is needed. no Subscription data

18th Oct., ANSI-41MS GSM MSC/VLR IIF ANSI-41 HLR/AC ANSI-41 MSC/VLR Initial Registration with Authentication (without Subscription data) [1/2] Update_Location_Req (IMSI) Send_Auth_Req [IMSI, Number of requested vectors] AUTHREQ [MSID, ESN(fixed ESN), MSCID(IIF)] authreq [RANDU, AUTHU, SSD] ANSI-41 HLR detects that MSCID parameter in AUTHREQ is IIF ID, it allows MSID/ESN mismatch, and it sends RANDU, AUTHU and SSD in authreq. Send_Auth_Res [ AuthenticationSetList (RAND, SRES, Kc)] It continues one to five times. ESN is set to a default value. Authentication_Req (RAND) Authentication_Res (SRES) ANSI-41 MS executes the authentication using CAVE. It extracts RANDU from RAND in Auth_Req and calculates the AUTHU using RANDU and SSD-A. no Subscription data

18th Oct., ANSI-41MS GSM MSC/VLR IIF ANSI-41 HLR/AC ANSI-41 MSC/VLR Update_Location [IMSI] REGNOT [MSID, ESN(fixed ESN)] REGCANC [MSID, ESN] regcanc regnot [profile] Update_Location_Ack Update_Location ack Insert_Sub_Data Insert_Sub_Data ack Initial Registration with Authentication (without Subscription data) [2/2]