What is the GSM authentication triplet, who creates it, and where does it travel?
The Authentication Center (AUC) creates a triplet (RAND, SRES, Kc) for a subscriber; it is sent to the VLR/MSC of the visited network so that network can run challenge-response and set up encryption without ever learning the secret key Ki.
* Triplet flow: the AuC supplies (RAND, SRES, Kc); Ki never leaves it. *
The triplet (RAND, SRES, Kc):
| Element | Meaning |
|---|---|
| RAND | random number (the challenge) |
| SRES | the signed response expected back (computed with RAND and Ki) |
| Kc | the session key for A5 encryption |
The flow of secrets:
- Ki never leaves the AUC (and the SIM). The HLR stores IMSI, MSISDN, Ki; the AUC computes triplets from Ki
- The triplet is handed to the VLR of the network currently serving the subscriber
- The serving MSC/VLR can now: send RAND, compare the returned SRES, and use Kc to encrypt — all without knowing Ki
Why this design is elegant: it lets a visited network authenticate a roaming subscriber and encrypt their calls without the home operator ever exposing the master secret. The visited network gets disposable, single-use credentials.
Tip: The triplet is "everything you need to challenge and encrypt one (or a few) sessions, minus the crown jewel (Ki)." That separation is the heart of GSM's roaming security.
Go deeper:
GSM (Wikipedia) — covers the AuC, the (RAND, SRES, Kc) triplet and how the home network supplies it to a visited VLR/MSC without exposing Ki.