WO2018046109A1 - Attack mitigation in 5G networks - Google Patents
- Publication number
- WO2018046109A1 (PCT/EP2016/071444)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- public
- authentication
- network entity
- modifier
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04W12/0433—Key management protocols
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
Definitions
- the present invention relates to attack mitigation in 5G networks. More specifically, the present invention exemplarily relates to measures (including methods, apparatuses and computer program products) for realizing attack mitigation in 5G networks.
- the present specification generally relates to 5th Generation (5G) security as defined by the 3rd Generation Partnership Project (3GPP). 5G is also known as "Next Generation System (NextGen)". Presently, topics related to NextGen are in a study phase.
- 5G 5th Generation
- 3GPP 3rd Generation Partnership Project
- NextGen Next Generation System
- security key issues addressed by embodiments of the present invention are a reduction of the impact of secret key leakage, prevention of interception of radio interface keys sent between operator entities, and subscriber identifier privacy.
- Ki is a permanent, shared secret key for each subscriber. If this security assumption fails, the loss of security is catastrophic. Ki might leak to an attacker for a number of reasons, e.g. hacking at the factory (subscriber identity module (SIM) vendor or subscription manager), where Ki is generated, hacking of the communication channel over which Ki is transported from SIM vendor or subscription manager to mobile operator, hacking into the mobile operators, an insider attack at a mobile operator or SIM vendor, a local attack (e.g. side channel) on the SIM card in the supply chain, or a local attack (e.g. side channel) on the SIM card while temporarily borrowed from the customer.
- SIM subscriber identity module
- keys from which the keys for radio interface encryption (and integrity, where applicable) are derived are computed in the home core network (authentication center (AuC)) and then transmitted to the visited radio network over signaling links such as SS7 or Diameter.
- AuC authentication center
- identifier privacy: in a 3GPP system many types of subscriber identifiers are used during a communication process.
- the identifiers may be tied to either a subscription or a device. Some of the identifiers may be permanent or long term (e.g. in case of current Long Term Evolution (LTE) system: International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network (MSISDN), International Mobile Equipment Identity (IMEI), and Medium Access Control (MAC) address) while others may be temporary or short term (e.g.
- LTE Long Term Evolution
- MSISDN Mobile Subscriber Integrated Services Digital Network
- IMEI International Mobile Equipment Identity
- MAC Medium Access Control
- GUTI Globally Unique Temporary Identifier
- TMSI Temporary Mobile Subscriber Identity
- C-RNTI Cell Radio Network Temporary Identifier
- IP internet protocol
- a long term secret key is updated in such a way that the new key is less exposed to potential attack than the original one was.
- a key exchange protocol is involved, which is run between a universal integrated circuit card (UICC) and the home network home subscriber server (HSS), in order to create a newly agreed Ki value to replace the existing one (where the Ki value is a permanent, shared secret key for each subscriber).
- UICC universal integrated circuit card
- HSS home network home subscriber server
- Elliptic Curve Diffie Hellman is a preferred key exchange algorithm.
- This approach includes a Diffie Hellman key exchange between a universal subscriber identity module (USIM) and the home network, when the USIM first contacts the networks.
- USIM universal subscriber identity module
- a key exchange protocol is included into the derivation of the radio interface session keys.
- an authentication and key agreement algorithm is run in the HSS with a resulting authentication vector sent to the visited network, and is also run in the UICC to establish shared secret keys between the UE and a node in the visited network.
- those keys are not used directly for radio interface security or as inputs to a key derivation algorithm to produce radio interface security keys.
- those keys are used to authenticate a key exchange algorithm between the device (possibly its UICC) and that visited network node.
- Elliptic Curve Diffie Hellman is a preferred key exchange algorithm.
- this approach consists in applying a Diffie Hellman handshake after the intermediate key obtained from the authentication vector (e.g. a key for the access security management entity (KASME)) has been successfully established between UE and serving node (e.g. MME).
- KASME access security management entity
- MME serving node
- This approach includes a Diffie Hellman key exchange between the UE and the visited network (e.g. MME in LTE). This entails sending one Diffie Hellman exponent in each direction. Furthermore, the Diffie Hellman key exchange would have to be run more often as the visited network entity (e.g. MME) changes.
- the visited network entity e.g. MME
- a serving network public key is bound into the derivation of the radio interface session keys.
- a serving network public key N_PUB is used to authenticate a key exchange.
- UE user equipment
- CP-AU which is a security anchor of the NextGen core network
- K_session shared session key
- K_session an Elliptic Curve Diffie Hellman technique
- This approach affects the radio interface (which is a bandwidth-constrained resource) in that Diffie Hellman key exchange parameters sent over the radio interface are quite long. Furthermore, it is required that the UEs know the public key of the visited network.
- the UE encrypts its permanent identifier sent to network using public-key cryptography
- a method of a home network entity in a mobile communications network comprising receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
- a method of a terminal in a mobile communications network comprising encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
- a method of a home network entity in a mobile communications network comprising determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
- a method of a visited network entity in a mobile communications network comprising receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
- an apparatus in a home network entity in a mobile communications network comprising receiving circuitry configured to receive, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting circuitry configured to decrypt said key modifier using a private key of said public-private key pair, determining circuitry configured to determine necessity to transmit a first authentication key to a visited network entity, computing circuitry configured to compute, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting circuitry configured to transmit said second authentication key to said visited network entity.
- an apparatus in a terminal in a mobile communications network comprising encrypting circuitry configured to encrypt a key modifier using a public key of a public-private key pair, transmitting circuitry configured to transmit a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing circuitry configured to compute, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
- an apparatus in a home network entity in a mobile communications network comprising determining circuitry configured to determine necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting circuitry configured to encrypt said authentication key using a public key of said public-private key pair, and transmitting circuitry configured to transmit a message including said encrypted authentication key to said visited network entity.
- an apparatus in a visited network entity in a mobile communications network comprising receiving circuitry configured to receive, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting circuitry configured to decrypt said authentication key using a private key of said public-private key pair.
- an apparatus in a home network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
- an apparatus in a terminal in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
- an apparatus in a home network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
- an apparatus in a visited network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
- a computer program product comprising computer-executable computer program code which, when the program is run on a computer (e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related exemplary aspects of the present invention), is configured to cause the computer to carry out the method according to any one of the aforementioned method-related exemplary aspects of the present invention.
- Such computer program product may comprise (or be embodied) a (tangible) computer-readable (storage) medium or the like on which the computer-executable computer program code is stored, and/or the program may be directly loadable into an internal memory of the computer or a processor thereof.
- attack mitigation in 5G networks. More specifically, by way of exemplary embodiments of the present invention, there are provided measures and mechanisms for realizing attack mitigation in 5G networks.
- measures and mechanisms for realizing attack mitigation in 5G networks are provided.
- Figure 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
- FIG. 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
- Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
- Figure 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
- FIG. 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- Figure 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention
- Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention
- Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- Figure 10 is a block diagram alternatively illustrating apparatuses according to exemplary embodiments of the present invention.
- Figure 11 is a block diagram alternatively illustrating further apparatuses according to exemplary embodiments of the present invention.
- Detailed description of drawings and embodiments of the present invention
- FIG. 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- the apparatus may be a home network entity 10 such as a home subscriber server in a mobile communications network comprising a receiving circuitry 11, a decrypting circuitry 12, a determining circuitry 13, a computing circuitry 14, and a transmitting circuitry 15.
- the receiving circuitry 11 receives, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair.
- the decrypting circuitry 12 decrypts said key modifier using a private key of said public-private key pair.
- the determining circuitry 13 determines necessity to transmit a first authentication key to a visited network entity.
- FIG. 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- the apparatus according to Figure 1 may perform the method of Figure 6 but is not limited to this method.
- the method of Figure 6 may be performed by the apparatus of Figure 1 but is not limited to being performed by this apparatus.
- a procedure comprises an operation of receiving (S61), from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, an operation of decrypting (S62) said key modifier using a private key of said public-private key pair, an operation of determining (S63) necessity to transmit a first authentication key to a visited network entity, an operation of computing (S64), based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and an operation of transmitting (S65) said second authentication key to said visited network entity.
- At least some of the functionalities of the apparatus shown in Figure 1 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
- said key modifier is a random value.
- said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
- said message further includes a permanent identifier of said terminal.
- an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of verifying a received message authentication code which is appended to said message.
- said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
- exemplary additional operations are given, which are inherently independent from each other as such.
- an exemplary method according to still further exemplary embodiments of the present invention may comprise, if said second authentication key is sent to said visited network, an operation of computing, based on said key derivation function, a generated random value and said key modifier, a key confirmation value, and an operation of transmitting said key confirmation value and said generated random value to said visited network entity.
- exemplary additional operations are given, which are inherently independent from each other as such.
- an exemplary method may comprise an operation of determining necessity to transmit a first expected response value to a visited network entity, an operation of computing, based on said key derivation function, said first expected response value and said key modifier, a second expected response value, and an operation of transmitting said second expected response value to said visited network entity.
- Figure 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- the apparatus may be a terminal 20 such as a user equipment in a mobile communications network comprising an encrypting circuitry 21, a transmitting circuitry 22, and a computing circuitry 23.
- the encrypting circuitry 21 encrypts a key modifier using a public key of a public-private key pair.
- the transmitting circuitry 22 transmits a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function.
- the computing circuitry 23 computes, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
- Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- the apparatus according to Figure 2 may perform the method of Figure 7 but is not limited to this method.
- the method of Figure 7 may be performed by the apparatus of Figure 2 but is not limited to being performed by this apparatus.
- a procedure comprises an operation of encrypting (S71) a key modifier using a public key of a public-private key pair, an operation of transmitting (S72) a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and an operation of computing (S73), based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
- Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- Figure 3 illustrates a variation of the apparatus shown in Figure 2.
- the apparatus according to Figure 3 may thus further comprise an obtaining circuitry 31.
- At least some of the functionalities of the apparatus shown in Figure 2 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
- an exemplary method according to exemplary embodiments of the present invention may comprise an operation of obtaining a random value as said key modifier.
- said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
- said message further includes a permanent identifier of said terminal.
- an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending a message authentication code to said key modifier before both, said message authentication code and said key modifier are encrypted with the public key.
- exemplary additional operations are given, which are inherently independent from each other as such.
- an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending, after said key modifier has been encrypted with the public key, a message authentication code to said encrypted key modifier.
- said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
- an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of receiving, from said visited network entity, a key confirmation value and a random value.
- the home network e.g. the HSS or another suitable authentication server
- all UEs or rather the part of the UE holding the subscription credentials, like the UICC in LTE
- PKI public key infrastructure
- a random value called key modifier is sent by the UE to the home network using the public key of the home network to encrypt the key modifier.
- KASME key for the access security management entity
- MSK master session key
- EAP extensible authentication protocol
- the home network then sends the modified key* to the visited network.
- the UE performs the same key modification computation to obtain key*.
- the visited network does not notice any difference between (the behavior of) key and key*.
- the home network sends a key
- the home network then sends conf and RAND to the visited network.
- the visited network forwards conf and RAND to the UE.
- whenever the home network would compute an expected response (like XRES (expected response) in LTE or XRES in extensible authentication protocol (EAP) method EAP-AKA), the home network first applies a key derivation function (KDF) to the expected response and the KMOD to produce a modified expected response*, e.g. XRES*, by computing
- KDF key derivation function
- XRES* = KDF(XRES, KMOD).
- the key derivation function used here for deriving XRES* may be the same as the key derivation function used above for deriving key*, or may differ from the key derivation function used above for deriving key*.
- sending the encrypted KMOD may be combined with sending an encrypted permanent identifier (e.g. IMSI, IMEI) of the UE.
- an encrypted permanent identifier e.g. IMSI, IMEI
- the issue of secret key leakage is mitigated.
- the mitigation is effective against a passive attacker that was able to get hold of the long-term shared secret key (e.g. K in LTE), but not of the private key of the private/public key pair of the home network.
- the long-term shared secret key needs to be exchanged between the SIM manufacturer and the operator with many points of exposure, while the private key can be generated in a tamper-resistant module at the home operator's side and remain there for its entire lifetime.
- the private key can be held entirely separately from any environment storing and processing the long-term shared secret keys. No Diffie Hellman key exchange has to be run between USIM and an authentication center, such that no additional interface is exposed that could be used for attacks.
- the public-key encrypted KMOD is sent only in the uplink (rather than in each direction). Further, as the home network never changes, a respective key exchange has to be done less often.
- FIG. 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- the apparatus may be a home network entity 40 such as a home subscriber server in a mobile communications network comprising a determining circuitry 41, an encrypting circuitry 42, and a transmitting circuitry 43.
- the determining circuitry 41 determines necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair.
- the encrypting circuitry 42 encrypts said authentication key using a public key of said public-private key pair.
- the transmitting circuitry 43 transmits a message including said encrypted authentication key to said visited network entity.
- Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- the apparatus according to Figure 4 may perform the method of Figure 8 but is not limited to this method.
- the method of Figure 8 may be performed by the apparatus of Figure 4 but is not limited to being performed by this apparatus.
- a procedure according to exemplary embodiments of the present invention comprises an operation of determining (S81) necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, an operation of encrypting (S82) said authentication key using a public key of said public-private key pair, and an operation of transmitting (S83) a message including said encrypted authentication key to said visited network entity.
- at least some of the functionalities of the apparatus shown in Figure 4 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
- said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
- Figure 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
- the apparatus may be a visited network entity 50 such as a mobility management entity in a mobile communications network comprising a receiving circuitry 51 and a decrypting circuitry 52.
- the receiving circuitry 51 receives, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair.
- the decrypting circuitry 52 decrypts said authentication key using a private key of said public-private key pair.
- Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
- the apparatus according to Figure 5 may perform the method of Figure 9 but is not limited to this method.
- the method of Figure 9 may be performed by the apparatus of Figure 5 but is not limited to being performed by this apparatus.
- a procedure comprises an operation of receiving (S91), from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and an operation of decrypting (S92) said authentication key using a private key of said public-private key pair.
- At least some of the functionalities of the apparatus shown in Figure 6 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
- said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
- the visited network possesses a public-private key pair. While according to the prior art it may be required that all UEs need to have the public key, according to exemplary embodiments of the present invention, the home network has the public key while the UEs do not need to know the public key.
- the home network then sends the public-key-encrypted key to the visited network.
- the visited network uses its private key to decrypt the received encrypted key to obtain the key, e.g., KASME in LTE or MSK in EAP methods, back into clear text.
- any other entity, e.g., an attacker that is not in possession of the private key of the visited network, cannot decrypt the key correctly and would hence not be able to make any use of it.
- the issue of key theft by impersonating a genuine serving node towards the HSS is mitigated, as the attacker is not in possession of the private key. Furthermore, carrying the public-key-encrypted key from the home network to the visited network would require only a very minor change to the existing S6a interface between home network and visited network, as only the information element (IE) carrying the key has to be made longer.
- IE information element
- the radio interface (which is a bandwidth-constrained resource) is not affected.
- only the interconnection network (where more bandwidth is available) is affected.
- distributing public keys to all UEs is more difficult and elaborate by several orders of magnitude than distributing public keys among operators.
- the above-described procedures and functions may be implemented by respective functional elements, processors, or the like, as described below.
- the network entity may comprise further units that are necessary for its respective operation. However, a description of these units is omitted in this specification.
- the arrangement of the functional blocks of the devices is not construed to limit the invention, and the functions may be performed by one block or further split into sub-blocks.
- the apparatus i.e. network entity (or some other means) is configured to perform some function
- this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function.
- function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
- the apparatus (home network entity) 10' (corresponding to the home network entity 10) comprises a processor 101, a memory 102 and an interface 103, which are connected by a bus 104 or the like.
- the apparatus (terminal) 20' (corresponding to the terminal 20) comprises a processor 105, a memory 106 and an interface 107, which are connected by a bus 108 or the like, and the apparatuses may be connected via link 109, respectively.
- the apparatus (home network entity) 40' (corresponding to the home network entity 40) comprises a processor 111, a memory 112 and an interface 113, which are connected by a bus 114 or the like.
- the apparatus (visited network entity) 50' (corresponding to the visited network entity 50) comprises a processor 115, a memory 116 and an interface 117, which are connected by a bus 118 or the like, and the apparatuses may be connected via link 119, respectively.
- the processor 101/105/111/115 and/or the interface 103/107/113/117 may also include a modem or the like to facilitate communication over a (hardwire or wireless) link, respectively.
- the interface 103/107/113/117 may include a suitable transceiver coupled to one or more antennas or communication means for (hardwire or wireless) communications with the linked or connected device(s), respectively.
- the interface 103/107/113/117 is generally configured to communicate with at least one other apparatus, i.e. the interface thereof.
- the memory 102/106/112/116 may store respective programs assumed to include program instructions or computer program code that, when executed by the respective processor, enables the respective electronic device or apparatus to operate in accordance with the exemplary embodiments of the present invention.
- the respective devices/apparatuses may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
- processor or some other means
- the processor is configured to perform some function
- this is to be construed to be equivalent to a description stating that at least one processor, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function.
- function is to be construed to be equivalently implementable by specifically configured means for performing the respective function (i.e. the expression "processor configured to [cause the apparatus to] perform xxx-ing" is construed to be equivalent to an expression such as "means for xxx-ing").
- the processor i.e. the at least one processor 101, with the at least one memory 102 and the computer program code
- the processor is configured to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), to perform decrypting said key modifier using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting), to perform determining necessity to transmit a first authentication key to a visited network entity (thus the apparatus comprising corresponding means for determining), to perform computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key (thus the apparatus comprising corresponding means for computing), and to perform transmitting said second authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
- the processor i.e. the at least one processor 105, with the at least one memory 106 and the computer program code
- the processor is configured to perform encrypting a key modifier using a public key of a public-private key pair (thus the apparatus comprising corresponding means for encrypting), to perform transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function (thus the apparatus comprising corresponding means for transmitting), and to perform computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity (thus the apparatus comprising corresponding means for computing).
- the processor i.e. the at least one processor 111, with the at least one memory 112 and the computer program code
- the processor is configured to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair (thus the apparatus comprising corresponding means for determining), to perform encrypting said authentication key using a public key of said public-private key pair (thus the apparatus comprising corresponding means for encrypting), and to perform transmitting a message including said encrypted authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
- the at least one processor 115, with the at least one memory 116 and the computer program code is configured to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), and to perform decrypting said authentication key using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting).
- any method step is suitable to be implemented as software or by hardware without changing the idea of the embodiments and its modification in terms of the functionality implemented;
- CMOS Complementary MOS
- BiMOS Bipolar MOS
- BiCMOS Bipolar CMOS
- ECL Emitter Coupled Logic
- TTL Transistor-Transistor Logic
- ASIC Application Specific IC
- FPGA Field-programmable Gate Arrays
- CPLD Complex Programmable Logic Device
- DSP Digital Signal Processor
- devices, units or means, e.g. the above-defined network entity or network register, or any one of their respective units/means
- an apparatus like the user equipment and the network entity/network register may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
- a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
- respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts.
- the mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
- any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention.
- Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
- Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
- the present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
- Such measures exemplarily comprise receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
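The two procedures described above (the home network encrypting the authentication key to the visited network's public key, and the terminal sending an encrypted key modifier from which both ends derive a second authentication key) can be traced in the following added example, which is not code from the patent. The toy hashed-ElGamal cipher, HMAC-SHA-256 as the key derivation function, and all function names are assumptions, since the page names no algorithm.

```python
import hashlib
import hmac
import secrets

# Assumption: toy hashed-ElGamal over a 255-bit prime field, standing in for a
# vetted scheme (RSA-OAEP, ECIES). The page names no algorithm; not for production.
P, G = 2**255 - 19, 2

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _keys(shared, eph):
    seed = shared.to_bytes(32, "big") + eph.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def pk_encrypt(pub, msg):
    """Encrypt up to 32 bytes so that only the holder of the private key can read them."""
    if len(msg) > 32:
        raise ValueError("toy scheme carries at most 32 bytes")
    r = secrets.randbelow(P - 3) + 2
    eph = pow(G, r, P)
    enc_key, mac_key = _keys(pow(pub, r, P), eph)
    body = bytes(m ^ k for m, k in zip(msg, enc_key))
    return eph, body, hmac.new(mac_key, body, hashlib.sha256).digest()

def pk_decrypt(priv, ciphertext):
    eph, body, tag = ciphertext
    enc_key, mac_key = _keys(pow(eph, priv, P), eph)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong private key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(body, enc_key))

def kdf(first_key, key_modifier):
    # Assumption: HMAC-SHA-256 with a constructed label as the key derivation function.
    return hmac.new(first_key, b"second-auth-key" + key_modifier, hashlib.sha256).digest()

def visited_network_transfer():
    """Home network encrypts the authentication key to the visited network (S82/S83, S92)."""
    visited_priv, visited_pub = keygen()
    other_priv, _ = keygen()               # a node without the visited network's private key
    auth_key = secrets.token_bytes(32)     # constructed stand-in for KASME / MSK
    message = pk_encrypt(visited_pub, auth_key)
    recovered = pk_decrypt(visited_priv, message)
    try:
        pk_decrypt(other_priv, message)
        other_node_reads_key = True
    except ValueError:
        other_node_reads_key = False
    return recovered == auth_key, other_node_reads_key

def key_modifier_derivation():
    """Terminal sends an encrypted key modifier; both ends derive the second key."""
    home_priv, home_pub = keygen()
    first_key = secrets.token_bytes(32)    # constructed; held by terminal and home network
    modifier = secrets.token_bytes(16)     # chosen by the terminal
    message = pk_encrypt(home_pub, modifier)
    terminal_second = kdf(first_key, modifier)
    home_second = kdf(first_key, pk_decrypt(home_priv, message))
    return terminal_second, home_second, first_key

if __name__ == "__main__":
    print(visited_network_transfer())
    t, h, f = key_modifier_derivation()
    print(t == h, t != f)
```

In both flows only the interconnection message grows by the size of the ciphertext, which matches the page's point that the information element carrying the key has to be made longer.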
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to measures for attack mitigation in 5G networks. Such measures consist, for example, of: receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair; decrypting said key modifier using a private key of said public-private key pair; determining necessity to transmit a first authentication key to a visited network entity; computing a second authentication key based on said key derivation function, said first authentication key and said key modifier; and transmitting said second authentication key to said visited network entity.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2016/071444 WO2018046109A1 (fr) | 2016-09-12 | 2016-09-12 | Attack mitigation in 5G networks |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2016/071444 WO2018046109A1 (fr) | 2016-09-12 | 2016-09-12 | Attack mitigation in 5G networks |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018046109A1 true WO2018046109A1 (fr) | 2018-03-15 |
Family
ID=56893998
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2016/071444 Ceased WO2018046109A1 (fr) | 2016-09-12 | 2016-09-12 | Atténuation d'attaque dans des réseaux 5g |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2018046109A1 (fr) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020041365A1 (fr) * | 2018-08-20 | 2020-02-27 | T-Mobile Usa, Inc. | End-to-end security for roaming 5G-NR communications |
| WO2020119815A1 (fr) * | 2018-12-14 | 2020-06-18 | 华为技术有限公司 | Method, apparatus and system for security context isolation |
2016
- 2016-09-12 WO PCT/EP2016/071444 patent/WO2018046109A1/fr not_active Ceased
Non-Patent Citations (4)
| Title |
|---|
| "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Release 14)", 9 August 2016 (2016-08-09), XP051139501, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_84_Chennai/Docs/> [retrieved on 20160809] * |
| CARAGATA DANIEL ET AL: "Survey of network access security in UMTS/LTE networks", THE 9TH INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS (ICITST-2014), INFONOMICS SOCIETY, 8 December 2014 (2014-12-08), pages 43 - 46, XP032735467, DOI: 10.1109/ICITST.2014.7038772 * |
| HUAWEI ET AL: "Session Key Enforcement with Diffie-Hellman Procedure", vol. SA WG3, no. San Jose Del Cabo, Mexico; 20160509 - 20160513, 2 May 2016 (2016-05-02), XP051091666, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_83_Los_Cabos/Docs/> [retrieved on 20160502] * |
| KASSEM AHMAD: "Protocoles, gestion et transmission sécurisée par chaos des clés secrètes. Applications aux standards : TCP/IP via DVB-S, UMTS, EPS.", 16 July 2013 (2013-07-16), XP055311868, Retrieved from the Internet <URL:https://hal.archives-ouvertes.fr/tel-01104943/document> [retrieved on 20161018] * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020041365A1 (fr) * | 2018-08-20 | 2020-02-27 | T-Mobile Usa, Inc. | End-to-end security for roaming 5G-NR communications |
| US11889307B2 (en) | 2018-08-20 | 2024-01-30 | T-Mobile Usa, Inc. | End-to-end security for roaming 5G-NR communications |
| WO2020119815A1 (fr) * | 2018-12-14 | 2020-06-18 | 华为技术有限公司 | Method, apparatus and system for security context isolation |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11240218B2 (en) | Key distribution and authentication method and system, and apparatus | |
| US10943005B2 (en) | Secure authentication of devices for internet of things | |
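| CN112154624B (zh) | User identity privacy protection against fake base stations | |
| KR100625503B1 (ko) | Method for updating secret shared data in a wireless communication system | |
| KR100593576B1 (ko) | Two-party authentication and key agreement method | |
| JP5894304B2 (ja) | Method and apparatus for self-configuring a base station | |
| EP2658163B3 (fr) | Cryptographic key generation | |
| CN107079023B (zh) | User plane security for next generation cellular networks | |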
| US9590961B2 (en) | Automated security provisioning protocol for wide area network communication devices in open device environment | |
| US11582233B2 (en) | Secure authentication of devices for Internet of Things | |
| US20190036694A1 (en) | Operator-Assisted Key Establishment | |
| US11082843B2 (en) | Communication method and communications apparatus | |
| US11316670B2 (en) | Secure communications using network access identity | |
| CN108880813B (zh) | Method and apparatus for implementing an attach procedure | |
| EP2386170A2 (fr) | Enhanced security for direct link communications | |
| US11997078B2 (en) | Secured authenticated communication between an initiator and a responder | |
| KR102818272B1 (ko) | Data transmission method and system, electronic device and computer-readable storage medium | |
| EP2979418B1 (fr) | Establishing secure voice communication using a GBA architecture | |
| Ma et al. | A UAV-assisted UE access authentication scheme for 5G/6G network | |
| EP3622736B1 (fr) | Privacy key in a wireless communication system | |
| Rengaraju et al. | QoS-aware distributed security architecture for 4G multihop wireless networks | |
| WO2018046109A1 (fr) | Attack mitigation in 5G networks | |
| Southern et al. | Wireless security: securing mobile UMTS communications from interoperation of GSM | |
| WO2025177147A1 (fr) | Authentication between a user equipment and a network using a hybrid key exchange | |
| CN115668859A (zh) | Processing module for authenticating a communication device in a 3G-capable network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16763287; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16763287; Country of ref document: EP; Kind code of ref document: A1 |