
GB2413035A - Identity authentication in a mobile network - Google Patents


Info

Publication number
GB2413035A
Authority
GB
United Kingdom
Prior art keywords
function
authentication
transaction identifier
bootstrapping server
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0407905A
Other versions
GB0407905D0 (en)
GB2413035B (en)
Inventor
Vesa Torvinen
Vesa Lehtovirta
Bengt Sahlin
Karl Norrman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LM Ericsson Oy AB
Ericsson AB
Original Assignee
LM Ericsson Oy AB
Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LM Ericsson Oy AB, Ericsson AB
Priority to GB0407905A
Publication of GB0407905D0
Publication of GB2413035A
Application granted
Publication of GB2413035B
Anticipated expiration
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method of authenticating a request for session keys sent from a Network Authentication Function of a visited network to a Bootstrapping Server Function of a home network in respect of User Equipment, UE, the request comprising a transaction identifier. The method comprises, at the Bootstrapping Server Function, comparing a UE identification part of the transaction identifier with a value generated by applying a one-way function to an Authentication and Key Agreement key previously agreed between the UE and the Bootstrapping Server Function as part of an Authentication and Key Agreement procedure, and if the values agree, progressing the request by sending appropriate session keys to the Network Authentication Function, otherwise denying the request.

Description

Identity Authentication in a Mobile Network
Field of the Invention
The present invention relates to identity authentication in a mobile network and more particularly to a method of authenticating transaction identifiers in a Generic Bootstrapping Architecture.
Background to the Invention
The Generic Bootstrapping Architecture (GBA) is discussed in the 3GPP Technical Specification TS 33.220. GBA provides a mechanism whereby a client terminal (UE) can be authenticated to a Network Authentication Function, and secure session keys obtained for use between the client terminal and the Network Authentication Function.
This process bootstraps upon the known Authentication and Key Agreement (AKA) procedure which allows a client terminal to be authenticated to a Bootstrapping Server Function (BSF) of the client's home network, and establishes secure keys for subsequent communications. In particular, the AKA procedure establishes session keys that are afterwards applied between the client terminal and the operator-controlled Network Application Function (NAF). When a client terminal and NAF wish to obtain session keys from the BSF, the NAF sends a transaction identifier to the BSF, the transaction identifier containing an index which the BSF uses to identify the client terminal and appropriate keys.
GBA (Release 6) has mainly been built under the assumption that the NAF is located in the home network. However, there are already use cases in which the NAF may be located in a visited network, e.g. Multimedia Broadcast/Multicast Service (MBMS). In such "roaming" scenarios, the BSF (in the home network) cannot be sure that the NAF in the visited network which is requesting keying material is really talking to the UE.
The only verification carried out by the BSF is based on the validity of the transaction identifier. The transaction identifier is an identifier comprising a prefix portion which uniquely identifies the client terminal and a suffix portion which uniquely identifies the BSF to which the client terminal belongs. Providing that a BSF receives a valid transaction identifier, the BSF will return keying material to the requesting NAF.
It will be appreciated that anybody who is able to monitor UE-BSF interactions will be able to construct a valid transaction identifier (currently specified as RAND@BSF_servers_domain_name, where "RAND" is a random value generated during the AKA procedure). This is not a problem if only authorized NAFs have access to the BSF, or if all NAFs and BSFs use some underlying security mechanism such as TLS or IPsec. However, it might be expected that 3G networks will be more open than this in the future, and that the current GBA will therefore not be sufficiently secure.
Summary of the Invention
An object of the present invention is to enable the BSF to know that a client terminal is really involved with a NAF at the time the NAF makes a key material request.
According to a first aspect of the present invention there is provided
Brief Description of the Drawings
Figure 1 illustrates a simplified GBA model.
Detailed Description of Certain Embodiments
This document proposes an enhancement to the GBA transaction identifier. Instead of using RAND alone as the "username" (i.e. prefix part) in the transaction identifier, the following identifier structures are considered:
Including the AKA session key (CK) in the identifier. However, in order to avoid revealing the session key to unauthorized parties, a one-way hash function is applied to the session key. The resulting binary output will in some cases be encoded to text format, e.g. by using base64 encoding, suitable for transmission over the network.
In order to be able to use the same keying material for other purposes, the key should be concatenated with a "key mask", for example a static string, before applying as an input to the hash function.
An example of a more secure transaction identifier is therefore:
Base64_encoded[hash(key-mask | CK)]@BSF_servers_domain_name
where key-mask is a static string such as "3GPP-bootstrapping". It will be appreciated that as an alternative to the AKA session key CK, the key IK may be used. A combination of the keys CK and IK may be used.
A possible disadvantage of this transaction identifier is that it can be used only once. If for example communication with a NAF is not successful, the same transaction identifier cannot be re-used securely with other NAFs because the transaction identifier may have been revealed to unauthorized parties. In order to allow re-use of the same transaction identifier with several NAFs securely, the derivation should include some proof of freshness, for example a counter value or time-stamp. The counter or timestamp value could be generated by the client terminal, and be included both in the hash function and in clear text in the transaction identifier. The BSF checks the freshness of transaction identifier for example by checking that the time in the time-stamp is fresh, or by maintaining a register of already used counter values.
An example of a more secure transaction identifier that is not restricted to one use only is:
counter.Base64_encoded[hash(counter | key-mask | CK)]@BSF_servers_domain_name
Use of such a transaction identifier will require the provision at the BSF of pre-generated hash values for all possible values of counter. A search is then conducted to see if the received hash value matches one of the pre-generated values. To overcome this problem, the transaction identifier may also include a clear text parameter that will identify the subscription and/or end-user public identity. As well as allowing the BSF to identify the right password effectively, this approach may also be used for indicating under which public identity the client terminal is authenticated. If clear text identification information is not included, the implementation becomes complex.
A possible identifier structure is one which includes a base64 encoded RAND value - in the same way that it is currently specified, i.e.:
counter.Base64_encoded[hash(counter | key-mask | CK)].Base64_encoded[RAND]@BSF_servers_domain_name
This document proposes an enhancement to the transaction identifier in order to further secure GBA infrastructure in roaming scenarios. The use of this solution could be mandatory in GBA, or alternatively the use of it could be limited to roaming scenarios.
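The counter-and-RAND identifier structure described above can be exercised end to end. The following is an added example, not text or code from the patent: it assumes SHA-256 as the one-way function and a `|` byte as the concatenation separator (the description fixes neither), and the names `ue_part`, `make_tid` and `Bsf` are hypothetical.

```python
import base64
import hashlib
import hmac

KEY_MASK = b"3GPP-bootstrapping"  # static key mask quoted in the description


def ue_part(counter: int, ck: bytes) -> str:
    """Base64[hash(counter | key-mask | CK)]; SHA-256 and '|' are assumptions."""
    data = b"|".join([str(counter).encode(), KEY_MASK, ck])
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def make_tid(counter: int, ck: bytes, rand: bytes, bsf_domain: str) -> str:
    """UE side: counter.Base64[hash].Base64[RAND]@BSF_domain."""
    rand_b64 = base64.b64encode(rand).decode()
    return f"{counter}.{ue_part(counter, ck)}.{rand_b64}@{bsf_domain}"


class Bsf:
    """BSF side: RAND indexes the AKA session, the hash proves knowledge of CK."""

    def __init__(self, domain: str):
        self.domain = domain
        self.sessions = {}  # RAND -> {"ck": bytes, "used": set of counters}

    def register_aka(self, rand: bytes, ck: bytes) -> None:
        self.sessions[rand] = {"ck": ck, "used": set()}

    def verify(self, tid: str) -> bool:
        try:
            user, domain = tid.rsplit("@", 1)
            counter_s, received, rand_b64 = user.split(".")
            if not (counter_s.isascii() and counter_s.isdigit()):
                raise ValueError("counter must be decimal digits")
            rand = base64.b64decode(rand_b64, validate=True)
        except ValueError:
            return False  # malformed identifier: deny the request
        session = self.sessions.get(rand)
        if domain != self.domain or session is None:
            return False
        counter = int(counter_s)
        expected = ue_part(counter, session["ck"])
        # Constant-time comparison of the recomputed and received values.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return False
        # Freshness: mark a counter used only after the hash has verified,
        # so a party without CK cannot burn counter values.
        if counter in session["used"]:
            return False
        session["used"].add(counter)
        return True
```

Because RAND selects the stored CK directly, the BSF recomputes a single hash per request instead of searching pre-generated values for every possible counter.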
Note, however, that the solution has potential also for other uses, e.g. a simple "single-sign-on" solution (each transaction identifier is essentially "a ticket" or one-time password that can be sent in clear text).
The enhanced format of the transaction identifier could provide more freedom for the design of the GBA roaming model. For example, a client terminal may not need to maintain a parallel PDP context to the home network if the BSF in the visited network can act as a Diameter proxy. A NAF in the visited network, on the other hand, could help the client terminal to locate a BSF in the visited network (e.g. via the use of HTTP redirect commands).

Claims (19)

  1. A method of authenticating a request for session keys sent from a Network Authentication Function to a Bootstrapping Server Function in respect of User Equipment, UE, the request comprising a transaction identifier, the method comprising, at the Bootstrapping Server Function: comparing a UE identification part of the transaction identifier with a value generated by applying a one-way function to an Authentication and Key Agreement key previously agreed between the UE and the Bootstrapping Server Function as part of an Authentication and Key Agreement procedure, and if the values agree, progressing the request by sending appropriate session keys to the Network Authentication Function, otherwise denying the request.
  2. A method according to claim 1, wherein the Network Authentication Function is located in a visited network, and the Bootstrapping Server Function is located in a home network of the UE.
  3. A method according to claim 1, wherein said UE identification part of the transaction identifier is compared with a value generated by applying a one-way function to said Authentication and Key Agreement key and to one or more further values.
  4. A method according to claim 3, wherein a further value is a key mask.
  5. A method according to claim 4, wherein the key mask is a static string which is known to both the UE and the Bootstrapping Server Function.
  6. A method according to any one of claims 3 to 5, wherein a further value acts as a proof of freshness.
  7. A method according to claim 6, wherein the proof of freshness is a counter which is included in plain text form in the transaction identifier.
  8. A method according to any one of the preceding claims, wherein said one-way function is a hash function.
  9. A method according to any one of the preceding claims and comprising decoding said UE identification part of the transaction identifier using a Base64 decoding process.
  10. A method according to any one of the preceding claims, the transaction identifier comprising an index, wherein the Bootstrapping Server Function uses said index to identify the value to be used for said comparison from a set of stored values.
  11. A method according to claim 10, wherein said index is a RAND parameter previously agreed between the UE and the Bootstrapping Server Function in connection with the Authentication and Key Agreement procedure.
  12. A method of enabling authentication of a request for session keys sent from a Network Authentication Function to a Bootstrapping Server Function, UE, the request comprising a transaction identifier, the method comprising, at the UE: generating a transaction identifier having a UE identification part generated by applying a one-way function to an Authentication and Key Agreement key previously agreed between the UE and the Bootstrapping Server Function as part of an Authentication and Key Agreement procedure, and sending the transaction identifier to the Network Authentication Function.
  13. A method according to claim 12, wherein the Network Authentication Function is located in a visited network, and the Bootstrapping Server Function is located in a home network of the UE.
  14. A method according to claim 12 or 13, wherein said UE identification part is generated by applying a one-way function to an Authentication and Key Agreement key and one or more further values.
  15. A method according to claim 14, wherein a further value corresponds to a static string which is known to both the UE and the Bootstrapping Server Function.
  16. A method according to claim 14 or 15, wherein a further value is a counter which is included in plain text form in the transaction identifier, the UE incrementing the counter for each new session.
  17. A method according to any one of claims 14 to 16, wherein said one-way function is a hash function.
  18. A method according to any one of the preceding claims and comprising encoding said UE identification part of the transaction identifier using a Base64 encoding.
  19. A method according to any one of claims 14 to 18 and comprising including an index in the transaction identifier.
    A method according to claim 19, wherein said index is a RAND parameter previously agreed between the UE and the Bootstrapping Server Function in connection with the Authentication and Key Agreement procedure.
GB0407905A 2004-04-08 2004-04-08 Identity authentication in a mobile network Expired - Fee Related GB2413035B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0407905A GB2413035B (en) 2004-04-08 2004-04-08 Identity authentication in a mobile network

Publications (3)

Publication Number Publication Date
GB0407905D0 GB0407905D0 (en) 2004-05-12
GB2413035A true GB2413035A (en) 2005-10-12
GB2413035B GB2413035B (en) 2008-08-06

Family

ID=32320510

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0407905A Expired - Fee Related GB2413035B (en) 2004-04-08 2004-04-08 Identity authentication in a mobile network

Country Status (1)

Country Link
GB (1) GB2413035B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002011469A2 (en) * 2000-08-01 2002-02-07 Nokia Corporation Techniques for performing umts-authentication using sip (session initiation protocol) messages

Also Published As

Publication number Publication date
GB0407905D0 (en) 2004-05-12
GB2413035B (en) 2008-08-06

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20081106