If the mobile station is equipped with Added Security, both the HLR/MTXH and, if the MS is roaming, also the MTXV must store some Authentication data.

Authentication data for the MS is generated either in HLR/MTXH or in an external AR where the MS has been introduced (solution depending on the national implementation).

If HLR/MTXH is not able to generate Authentication data by itself, the data is transferred to HLR/MTXH from the AR and from the HLR/MTXH to the MTXV.

The set of Random Number (RAND), Signed Response (SRES) and key for decryption of the B-number (BKEY) must be transferred from the HLR/MTXH to the MTXV.

When MTXV is in need of new sets (e.g. after Location Updating), it sends the Authentication Data Request Message (ADR) to the HLR/MTXH which responds by sending the Authentication Data Request Acknowledge Message (ADA). Each ADA transfers one set of Authentication data.

The MTXV must be able to store some sets of the Authentication Data. When the number of sets left is reduced below a certain limit, "k", new sets must be fetched from the HLR/MTXH. The value of "k" must be changeable by means of MML commands in the range between 2 and 10.

If HLR/MTXH is not able to provide any new sets of Authentication Data, it returns the Authentication Data Not Available Message (ADN).

An MTXV receiving the ADN in response to the ADR shall use the stored data sets until all sets have been used.

If an ADN has been received, and the number of stored sets therefore are less than "k", MTXV shall try to fetch new sets, by sending ADR, every time the

subscriber initiates any action which requires the Authentication procedure to be performed. If the MTXV now receives the ADA in response to the ADR it shall repeat fetching new sets until «k» sets have been stored.

The procedure is shown in the following figure

Figure 3.6.1: Transfer of Authentication Data between HLR/MTXH and MTXV

When HLR/MTXH is in need of Authentication data and not able to generate the data by itself, the data has to be fetched from the AR.

Transfer of Authentication data between HLR/MTXH and AR is a national matter and may be achieved in several ways, e.g. using the X.25 protocol.

As a national option also MUP may be used for this data transfer. This paragraph describes the procedure to be used if MUP is applied.

When HLR/MTXH is in need of more Authentication data from the AR it sends the Security Data Request message (SDR) to the AR connected to it.

If the AR is able to provide the requested data it responds with a Security Data Available message (SDA) containing a set of Random Number (RAND), Signed Response (SRES) and key for decryption of the B-number (BKEY).

If the AR is not able to provide the requested data it responds with the Security Data not Available message (SDN) with the appropriate reason set.

The procedure is illustrated in the following figure.

If the HLR/MTXH and the co-operating MTXV are able to handle more than one set of Authentication data in the same message an optional procedure for fetching Authentication from the HLR/MTXH may be used.

When MTXV is in need of new sets of Authentication data, it sends the «Security Data Inquiry MTXV», SDIV to the HLR/MTXH. MTXV can ask for one to eight sets of Authentication data.

If the HLR/MTXH is able to provide requested data it responds with message «Security Data Ack MTXV», (SDAV) containing one to eight sets of RAND, SRES and BKEY. The message may contain less than requested numbers of triplets.

Unused security data available in the HLR/MTXH is transferred first.

If HLR/MTXH is not able to provide the requested data it responds with the «Security Data No Acknowledge MTXV», SDNV with appropriate reason set.

The procedure is illustrated in the following figure.

Figure 3.6.3: Transfer of several Authentication

Data sets between HLR/MTXH and MTXV

If the HLR/MTXH and the co-operating AR are able to handle more than one set of Authentication data in the same message an optional procedure for fetching Authentication from the AR may be used.

When HLR/MTXH is in need of new sets of Authentication data, it sends the «Security Data Inquiry HLR/MTXH», SDIH to the AR. HLR/MTXH may ask for one to eight sets of Authentication data.

If the AR is able to provide requested data it responds with message «Security Data Ack HLR/MTXH», (SDAH) containing one to eight sets of RAND, SRES and BKEY. The message may contain less than requested numbers of triplets.

If the AR is not able to provide the requested data it responds with the «Security Data No Acknowledge HLR/MTXH», SDNH with appropriate reason set.

The procedure is illustrated in the following figure

Figure 3.6.4: Transfer of several Authentication data between AR and HLR/MTXH.