WO2025153433A1

WO2025153433A1 - Method, apparatus, and computer readable medium

Info

Publication number: WO2025153433A1
Application number: PCT/EP2025/050663
Authority: WO
Inventors: Ranganathan MAVUREDDI DHANASEKARAN; Saurabh Khare; K Tirumaleswar Reddy; Aritra Banerjee
Original assignee: Nokia Technologies Oy
Current assignee: Nokia Technologies Oy
Priority date: 2024-01-16
Filing date: 2025-01-13
Publication date: 2025-07-24
Anticipated expiration: 2026-07-16
Also published as: GB202400606D0; GB2637313A

Abstract

There is provided an apparatus comprising: means for generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device, and means for providing, to a network entity, the public key of the first key material in a registration message. The apparatus also comprising means for receiving, from the network entity, a second public key of second key material that is associated with a home network, and means for generating a shared key based on the second public key and the first private key. The apparatus also comprising means for providing, to a subscriber identity module, the shared key, and means for receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

Description

METHOD, APPARATUS, AND COMPUTER READABLE MEDIUM

Technical Field

Various examples of this disclosure relate to methods, apparatuses, and a computer readable medium for a communication network.

Background

A communication network can be seen as a facility that enables communications between two or more communication devices, or provides communication devices access to a data network. A mobile or wireless communication network is one example of a communication network. A communication device may be provided with a service by an application server.

Such communication networks operate in accordance with standards such as those provided by 3GPP (Third Generation Partnership Project) or ETSI (European Telecommunications Standards Institute). Examples of standards are the so-called 5G (5th Generation) standards provided by 3GPP.

Some examples of this disclosure will be described with respect to certain aspects. These aspects are not intended to indicate key or essential features of the embodiments of this disclosure, nor are they intended to be used to limit the scope of thereof. Other features, aspects, and elements will be readily apparent to a person skilled in the art in view of this disclosure. For example, it should be appreciated that further aspects may be provided by the combination of any two or more of the various aspects described below.

According to an aspect, there is provided an apparatus, comprising: means for generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; means for providing, to a network entity, the public key of the first key material in a registration message; means for receiving, from the network entity, a second public key of second key material that is associated with a home network; means for generating a shared key based on the second public key and the first private key; means for providing, to a subscriber identity module, the shared key; and means for receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

In some examples, the third key material comprises at least one of the following: a cipher key, an integrity key, an authentication token, or an authentication response. In some examples, the first key material comprises a first ephemeral key pair, the ephemeral key pair comprising the public key and the private key.

In some examples, the registration message provided to the network entity further comprises additional parameters related to forward secrecy.

In some examples, the registration message provided to the network entity further comprises an indication that the communication device supports forward secrecy.

In some examples, the one of the following: the apparatus is comprised in the communication device, the apparatus is for the communication device, or the apparatus is the communication device.

In some examples, the communication device is one of the following: a mobile equipment, a user equipment, a terminal.

According to an aspect, there is provided an apparatus providing a first network function, the apparatus comprising means for the first network function to perform: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

In some examples, the second key material is associated with a home network.

In some examples, the performing an authentication associated with the communication device procedure using the shared key comprises at least one of the following: concatenating the shared key and a long term key associated with a subscriber identity module, or generating fourth key material based on the shared key.

In some examples, the performing an authentication associated with the communication device procedure using the shared key comprises: generating a cipher key and an integrity key based on the concatenated shared key and long term key.

In some examples, the performing an authentication associated with the communication device procedure using the shared key comprises: using the concatenated shared key and long term key for an authentication and key agreement challenge.

In some examples, the fourth key material comprises at least one of the following: a cipher key, an integrity key, an authentication token, or an expected response.

In some examples, the authentication associated with the communication device is further associated with one of: a fifth generation authentication and key agreement, or an extensible authentication protocol authentication and key agreement. In some examples, the first public key is received in a message from the second network function, the message further comprising an indication that the communication device supports forward secrecy.

In some examples, the first network function is one of the following: a unified data management, or a network entity for the home network.

According to an aspect, there is provided a subscriber identity module, comprising: means for receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; means for generating third key material using the shared key; and means for providing, to the communication device, the third key material.

In some examples, the means for generating third key material using the shared key comprises at least one of means for concatenating the shared key and a long term key associated with the subscriber identity module; or means for generating, using the shared key, at least one of the following: a cipher key, an integrity key, an authentication token, or a response.

In some examples, the subscriber identity module comprises: means for concatenating the shared key and a long term key associated with the subscriber identity module; and means for using the concatenated shared key and the long term key for an authentication and key agreement challenge.

In some examples, the third key material comprises at least one of the following: a cipher key, an integrity key, or an authentication token.

In some examples, the subscriber identity module comprises: means for receiving, from the communication device, an authentication token, the authentication token related to an authentication associated with the communication device; and means for using the shared key to verify the authentication token.

According to an aspect, there is provided an apparatus providing a second network function, the apparatus comprising means for the second network function to perform: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key.

In some examples, the means are for the second network function to perform: receiving, from the first network function, a shared key that has been generated using the first public key and a private key of the second key material. In some examples, the means are for the second network function to perform: storing the shared key that has been received from the first network function.

In some examples, the means are for the second network function to perform: generating a master key based on the shared key.

In some examples, the second network function is one of the following: an authentication server function, or a network entity for the home network.

According to an aspect, there is provided a method comprising: generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; providing, to a network entity, the public key of the first key material in a registration message; receiving, from the network entity, a second public key of second key material that is associated with a home network; generating a shared key based on the second public key and the first private key; providing, to a subscriber identity module, the shared key; and receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

In some examples, the third key material comprises at least one of the following: a cipher key, an integrity key, an authentication token, or an authentication response.

In some examples, the first key material comprises a first ephemeral key pair, the ephemeral key pair comprising the public key and the private key.

In some examples, the method is performed by a communication device.

According to an aspect, there is provided a method comprising: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

In some examples, the second key material is associated with a home network.

In some examples, the authentication associated with the communication device is further associated with one of: a fifth generation authentication and key agreement, or an extensible authentication protocol authentication and key agreement.

In some examples, the first public key is received in a message from the second network function, the message further comprising an indication that the communication device supports forward secrecy.

In some examples, the method is performed by a first network function.

According to an aspect, there is provided a method comprising: receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; generating third key material using the shared key; and providing, to the communication device, the third key material.

In some examples, the generating third key material using the shared key comprises at least one of: concatenating the shared key and a long term key associated with the subscriber identity module; or generating, using the shared key, at least one of the following: a cipher key, an integrity key, an authentication token, or a response.

In some examples, the method comprises: concatenating the shared key and a long term key associated with the subscriber identity module; and means for using the concatenated shared key and the long term key for an authentication and key agreement challenge.

In some examples, the method comprises: receiving, from the communication device, an authentication token, the authentication token related to an authentication associated with the communication device; and using the shared key to verify the authentication token.

In some examples, the method is performed by a subscriber identity module.

According to an aspect, there is provided a method comprising: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key.

In some examples, the method comprises: receiving, from the first network function, a shared key that has been generated using the first public key and a private key of the second key material.

In some examples, the method comprises: storing the shared key that has been received from the first network function.

In some examples, the method comprises: generating a master key based on the shared key.

In some examples, the method is performed by a second network function.

According to an aspect, there is provided an apparatus comprising: at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus to perform: generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; providing, to a network entity, the public key of the first key material in a registration message; receiving, from the network entity, a second public key of second key material that is associated with a home network; generating a shared key based on the second public key and the first private key; providing, to a subscriber identity module, the shared key; and receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

In some examples, the registration message provided to the network entity further comprises an indication that the communication device supports forward secrecy. In some examples, the one of the following: the apparatus is comprised in the communication device, the apparatus is for the communication device, or the apparatus is the communication device.

According to an aspect, there is provided an apparatus comprising: at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus to perform: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

In some examples, the second key material is associated with a home network.

According to an aspect, there is provided an apparatus comprising: at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus to perform: receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; generating third key material using the shared key; and providing, to the communication device, the third key material.

In some examples, the apparatus is caused to perform: concatenating the shared key and a long term key associated with the subscriber identity module; and means for using the concatenated shared key and the long term key for an authentication and key agreement challenge.

In some examples, the apparatus is caused to perform: receiving, from the communication device, an authentication token, the authentication token related to an authentication associated with the communication device; and using the shared key to verify the authentication token.

In some examples, the apparatus is for a subscriber identity module, or the apparatus is comprised in a subscriber identity module, or the apparatus isa subscriber identity module.

According to an aspect, there is provided an apparatus comprising: at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus to perform: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key.

In some examples, the apparatus is caused to perform: receiving, from the first network function, a shared key that has been generated using the first public key and a private key of the second key material.

In some examples, the apparatus is caused to perform: storing the shared key that has been received from the first network function.

In some examples, the apparatus is caused to perform: generating a master key based on the shared key. In some examples, the apparatus is for a second network function, or the apparatus is comprised in a second network function, or the apparatus isa second network function.

According to an aspect, there is provided a non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform: generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; providing, to a network entity, the public key of the first key material in a registration message; receiving, from the network entity, a second public key of second key material that is associated with a home network; generating a shared key based on the second public key and the first private key; providing, to a subscriber identity module, the shared key; and receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

According to an aspect, there is provided a non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

According to an aspect, there is provided a non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform: receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; generating third key material using the shared key; and providing, to the communication device, the third key material.

According to an aspect, there is provided a non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key. According to an aspect, there is an apparatus comprising: circuitry configured to perform: generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; circuitry configured to perform: providing, to a network entity, the public key of the first key material in a registration message; circuitry configured to perform: receiving, from the network entity, a second public key of second key material that is associated with a home network; circuitry configured to perform: generating a shared key based on the second public key and the first private key; circuitry configured to perform: providing, to a subscriber identity module, the shared key; and circuitry configured to perform: receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

According to an aspect, there is an apparatus comprising: circuitry configured to perform: receiving, from a second network function, a first public key of first key material associated with a communication device; circuitry configured to perform: generating second key material comprising a second public key and a second private key; circuitry configured to perform: generating a shared key, using the second private key and the first public key; and circuitry configured to perform: performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

According to an aspect, there is an apparatus comprising: circuitry configured to perform: receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; circuitry configured to perform: generating third key material using the shared key; and circuitry configured to perform: providing, to the communication device, the third key material.

According to an aspect, there is an apparatus comprising: circuitry configured to perform: receiving, from a communication device, a first public key of first key material that is associated with the communication device; circuitry configured to perform: providing, to a first network function, the first public key; circuitry configured to perform: receiving, from the first network function, a second public key of second key material that is associated with a home network; and circuitry configured to perform: providing, to the communication device, the second public key.

According to an aspect, there is provided a computer program comprising instructions, which when executed by an apparatus, cause the apparatus to perform the methods disclosed herein.

A computer product stored on a medium may cause an apparatus to perform the methods as described herein. A non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform the methods as described herein.

An electronic device may comprise apparatus as described herein.

Various other aspects and further embodiments are also described in the following detailed description and in the attached claims.

According to some aspects, there is provided the subject matter of the independent claims. Some further aspects are defined in the dependent claims. The embodiments that do not fall under the scope of the claims are to be interpreted as examples useful for understanding the disclosure.

List of Abbreviations:

AF: Application Function

AKMA: Authentication and key management for applications

AMF: Access and Mobility Management Function

AN: Access Network

ALITN: Authentication token

AV: Authentication Vector

BS: Base Station

CK: Cipher key

CN: Core Network

DL: Downlink

EAP: Extensible Authentication Protocol

EAP-AKA: Extensible Authentication Protocol Authentication key agreement

EAP-AKA’: Extensible Authentication Protocol Authentication key agreement prime ECDHE Elliptic Curve Diffie-Hellman Key Exchange eNB: eNodeB

FS: Forward secrecy gNB: gNodeB

IK: Integrity key

HoT: Industrial Internet of Things

LTE: Long Term Evolution

NEF: Network Exposure Function

NG-RAN: Next Generation Radio Access Network

NF: Network Function

NR: New Radio NRF: Network Repository Function

NW: Network

MS: Mobile Station

PCF Policy Control Function

PLMN: Public Land Mobile Network

RAN: Radio Access Network

RAND: Random number

RF: Radio Frequency

SMF: Session Management Function

SUCI: Subscriber Concealed Identifier

SUPI: Subscription permanent identifier

UE: User Equipment

UDR: Unified Data Repository

UDM: Unified Data Management

UL: Uplink

UPF: User Plane Function

USIM: Universal mobile telecommunications service subscriber identity module

XRES: Expected response

3GPP: 3^rd Generation Partnership Project

5G: 5^th Generation

5GC: 5G Core network

5G-AN: 5G Radio Access Network

5GS: 5G System

5G-AKA: 5G authentication and key agreement

Brief Description of Drawings

Some examples will now be described, by way of illustrative and non-limiting example only, with reference to the accompanying drawings in which:

FIG. 1 shows a schematic representation of a 5G communication system;

FIG. 2 shows a schematic representation of an apparatus for the 5G communication system of FIG. 1 ;

FIG. 3 shows a schematic representation of a communication device;

FIG. 4 shows a signalling and operations diagram for forward secrecy in the extensible authentication protocol method for authentication and key agreement prime (EAP-AKA’); FIG. 5 shows an example signalling and operations diagram for implementing forward secrecy in 5G authentication and key agreement (5G AKA);

FIG. 6 shows another example signalling and operations diagram for implementing forward secrecy in 5G authentication and key agreement (5G AKA);

FIG. 7 shows an example signalling and operations diagram for implementing forward secrecy in EAP-AKA’;

FIG. 8 shows another example signalling and operations diagram for implementing forward secrecy in EAP-AKA’;

FIG. 9 shows another example signalling and operations diagram for implementing forward secrecy in EAP-AKA’;

FIG. 10 shows an example method flow diagram performed by an apparatus;

FIG. 11 shows another example method flow diagram performed by an apparatus;

FIG. 12 shows another example method flow diagram performed by an apparatus;

FIG. 13 shows another example method flow diagram performed by an apparatus; and

FIG. 14 shows a schematic representation of a non-volatile memory medium storing instructions which when executed by a processor allow a processor to perform one or more of the steps of the method of FIGS. 10 to 13.

Detailed Description

Cryptography is the practice of techniques for secure communication in the presence of adversarial behaviour. In general, cryptography is about constructing and analysing protocols that prevent third parties or the public from reading private messages. Many cryptographic techniques are implemented in wireless communication systems, such as in 4G, 5G systems and beyond, in order to ensure that transmitted messages between entities may only be read by the desired party or parties.

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file. A key, when processed through a cryptographic algorithm, may be used to encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, wherein the strength of the encryption relies on the security of the key being maintained. A key's security strength may be dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

A key-agreement protocol is a protocol whereby two or more parties may agree on a cryptographic key in such a way that both influence the outcome. If properly done, this precludes undesired third parties from forcing a key choice on the agreeing parties. Protocols that are useful in practice also do not reveal to any eavesdropping party what key has been agreed upon. Many key exchange systems have one party generate the key, and send that key to the other party, such that the other party has no influence on the key. Protocols where both parties influence the final derived key are a way to implement forward secrecy (FS). FS (also known as perfect forward secrecy (PFS)) is a feature of specific keyagreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. FS protects past sessions against future compromises of keys or passwords. By generating a unique session key for each session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself may not be sufficient for FS which additionally requires that a long-term secret compromise does not affect the security of past session keys.

Extensible Authentication Protocol (EAP) is an authentication framework which supports multiple authentication methods. EAP authentication and key agreement (EAP- AKA) is an EAP method for authentication and session key distribution that uses the AKA mechanism. Authentication and Key Agreement (AKA) is based on challenge-response mechanisms and symmetric cryptography. For example, AKA may run in a universal mobile telecommunications service (UMTS) subscriber identity module (USIM). Based on EAP- AKA, EAP AKA prime (EAP-AKA¹) is an EAP method that binds derived keys to the name of the access network. EAP methods such as EAP-AKA and EAP-AKA’ are often used/implemented in 5G systems.

5G Authentication and Key Agreement (5G AKA) is another key-agreement protocol that is used in 5G systems. 5G-AKA is one of the techniques available in 5G for mutual authentication between a subscriber and a network, in addition to key agreement for protection of non-access stratum (NAS), radio resource control (RRC) and user plane (UP) traffic. 5G AKA is similar to EAP AKA, although enhancements have been made to improve roaming security.

The AKA procedure is used authenticating a user to the network and vice versa. This is possible due to the long term (pre shared but secret key) ‘K’ which is stored in an authentication Centre (AuC) and in a UMTS Subscriber Identity Module (USIM). Other parameters may be derived from the ‘K’ key. During an AKA procedure, messages with parameters to be confirmed by a UE may be delivered from the AuC. These parameters are utilised together in an authentication vector (AV). The AV is delivered to one or more core network entities, which distribute at least part of the AV through the RAN to the UE. The UE performs one or more determinations to match this challenge performed in the network. The result of the UE is sent back to the network and compared to the original AV. If there is a match, then the authentication is successful, and vice versa. A subscription permanent identifier (SlIPI) is a globally unique identifier that is assigned to each subscriber in the 5G system. A SLIPI in 5G may be in two formats, one is the (legacy) format international mobile subscriber identity (I MSI) or the format adopted in 5G network access identifier (NAI). SLIPIs in the NAI format allow the use of 3GPP 5G technology in the context of private networks and wireless-wireline convergence. Subscriber Concealed Identifier (SlICI) is a privacy-preserving identifier containing a concealed SLIPI. A UE generates a SLICI using a protection scheme with a public key of the home network that was securely provisioned to the IISIM during the IISIM registration process.

USIMs are able to store long term keys (e.g., long term key, K). Security in 3GPP (2G-5G) relies on the long-term key securely stored in the IISIM cards. This long-term key enables, for example AKA-based authentication, and is a root key for the derivation of session keys. There are also other long-term keys used for the secure management of IISIM cards, called over the air (OTA) keys, which are also securely stored in the SIM cards. If these long-term keys leak due to any reason (e.g., an accidental exposure or factory compromise), the impact on security would be devastating.

There have been reported attacks that involve a compromising of the smart card supply chain, such as attacking IISIM card manufacturers and operators. These attacks are performed in an effort to compromise long-term keys (such as key K) stored on these IISIM cards. Resourceful attackers and/or hackers are always a cause for concern for network provides. In this manner, it may be assumed that there is always a breach, such as a longterm key compromise, with procedures being planned and implemented in order to minimise the impact of breaches. Thes assumptions are important for zero trust principles. Attacks on long-term keys are not specific to 5G-AKA or EAP-AKA', and if key material is stolen, security solutions may fail. Even in the face of such attacks, it would be desirable to maintain some level of protection.

FIG. 4 shows a signalling and operations diagram for forward secrecy in the extensible authentication protocol method for authentication and key agreement (EAP- AKA’). The features described alongside FIG. 4 have been proposed in order to protect against some specific attacks, but there are a number of associated problems with this approach which will be discussed below.

The signalling and operations of FIG. 4 are associated with a document related to an update for RFC 9048, i.e., an improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA¹), with an optional extension providing ephemeral key exchange. The extension EAP-AKA' Forward Secrecy (EAP-AKA¹ FS), when negotiated, provides forward secrecy for session keys generated as a part of the authentication run in EAP-AKA'. This prevents an attacker who has gained access to a long-term key from obtaining session keys established in the past, assuming these have been properly deleted. In addition, EAP-AKA' FS mitigates passive attacks (e.g., large scale pervasive monitoring) against future sessions.

As shown in FIG. 4, a unified data management (UDM) function has an EAP identity of a UE (see step S404 of FIG. 4). The UDM runs an AKA algorithm to generate a random number (RAND), authentication token (AUTN), expected response (XRES), cipher key (CK) and integrity key (IK) (see steps S405 and S406). Furthermore, the UDM also derives CK’ and IK’ keys which are tied to a serving network name (see steps S405 and S406). The UDM generates an ephemeral key pair, and sends (see steps S407 to S408c) a public key of that ephemeral key pair together with the first EAP method message, to a UE. The EAP message sent to the UE comprises: AT_PUB_ECDHE (which carries the public key) and AT_KDF_FS (which carries other FS related parameters). Both AT_PUB_ECDHE and AT_KDF_FS may be ignored by the UE if the UE does not support the FS.

The UE checks (see step S409) if the UE wants to have a FS extension in EAP AKA’. If yes, then the UE will respond with a AT_PUB_ECDHE and message authentication code (MAC). If no, the UE will ignore the AT_PUB_ECDHE received from the network.

If UE wants to participate in FS extension, the UE will (see step S409): i) generate an Elliptic Curve Diffie-Hellman Key Exchange (ECDH) key pair, ii) calculate a shared key, Ks, based on a private key of the UE (of the ECDH key pair) and the public key of the UDM (carried in AT_PUB_ECDHE).

Following this, the UDM will receive (see steps S410a and S410b) a result and AT_PUB_ECDHE comprising the public key of the UE, from the UE. As discussed above, the shared key ‘Ks’ is generated at the UE (see step S409). Furthermore, the UDM also generates a shared key ‘Ks’ (see step S411a) using the result and AT_PUB_ECDHE from the UE. In this manner, ephemeral key pairs are exchanged between the UE and UDM, to allow a master key (MK) to be generated (see step S411b). The MK is generated using the following equation:

MK_ECDHE = PRF'(IK'\CK'\SHARED_SECRET, 'EAP-AKA' FS"\ Identity) wherein PRF is a pseudo random function, shared secret is the key (Ks), IK is an integrity key and CK is a cipher key.

The procedure of FIG. 4 may need a large number of EAP messages in order to derive the master secret key. In addition, the procedure of FIG. 4 also does not define any fallback procedures when one or more entities do not support forward secrecy, leading to wasted signalling.

Furthermore, the features described above alongside FIG. 4 may be applicable only to EAP-AKA’. However, as discussed above, other key-agreements are commonly used in 3GPP communication systems. Therefore, any benefits associated with FIG. 4 are specific to EAP-AKA only, and so, for example, a UE implementing 5G AKA will not have any security benefit.

Furthermore, in the signalling of FIG. 4, the network (e.g., UDM) is not aware of a UE capability (related to FS) and so the UDM generates AT_PUB_ECDHE and AT_KDE_FS always assuming UE will support it. However, if the UE does not support the FS extension, the attempt from network side to achieve forward secrecy (FS) will be wasted.

One or more of the problems identified above are addressed in one or more of the following examples.

In examples, there is an apparatus (e.g., for an ME or UE) configured for generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device, and providing, to a network entity, the public key of the first key material in a registration message. The apparatus is also configured for receiving, from the network entity, a second public key of second key material that is associated with a home network, and generating a shared key based on the second public key and the first private key. The apparatus is also configured for providing, to a subscriber identity module, the shared key, and receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

Before the above examples are described in detail, a communication system (as shown in FIG. 1) capable of implementing authentication and key protocols/agreements, such as 5G AKA and/or EAP-AKA’, are described. A communication device (as shown in FIG. 3) capable of implementing 5G-AKA and/or EAP-AKA’ is also described. Furthermore, an apparatus (as shown in FIG. 2) that is capable of controlling one or more of the entities/network functions of FIG. 1 is described. In this manner, certain general aspects of a communication system and communication devices are briefly explained with reference to FIGS. 1 to 3 to assist in understanding the technology underlying the described examples.

FIG. 1 shows a schematic representation of a 5G communication system 100. The wireless communication system 100 comprises one more communication devices 102 such as user equipments (UEs), or terminals. The wireless communication system 100 comprises a 5G system (5GS). The 5GS comprises a 5G radio access network (5G-RAN) 106, a 5G core network (5GC) 104 comprising one or more network functions (NF), one or more application functions (AFs) 108, and one or more data networks (DNs) 110. The 5G-RAN 106 may comprise one or more gNodeB (gNB) distributed unit (DU) functions connected to one or more gNodeB (gNB) centralized unit (CU) functions.

The 5GC 104 comprises an access and mobility management function (AMF) 112, a session management function (SMF) 114, an authentication server function (AUSF) 116, a user data management (UDM) 118, a user plane function (UPF) 120, a network exposure function (NEF) 122 and/or other NFs. Some of the examples as shown below may be applicable to 3GPP 5G standards. However, some examples may also be applicable to 5G- advanced, 4G, 3G and other 3GPP standards.

In a wireless communication system 100, such as that shown in FIG. 1 , communication devices 102, such as for example, terminals, user apparatuses, user equipments (UE), and/or machine-type communication devices are provided with wireless access via at least one base station or similar wireless transmitting and/or receiving node or point. The communication device 102 is provided with an appropriate signal receiving and transmitting apparatus for enabling communications, for example enabling access to a communication network or communications directly with other devices. The communication device 102 may access a carrier provided by a base station or access point, and transmit and/or receive communications on the carrier.

FIG. 2 illustrates an example of an apparatus 200. The apparatus 200 may be for the 5G communication system of FIG. 1. The apparatus 200 may be for controlling a function of one or more network entities and/or network functions, such as the entities of the 5G-RAN or the 5GC as illustrated on FIG. 1. The apparatus 200 comprises at least one random access memory (RAM) 211a, at least one read only memory (ROM) 211b, at least one processor 212, 213 and an input/output interface 214. The at least one processor 212, 213 is coupled to the RAM 211a and the ROM 211 b. The at least one processor 212, 213 may be configured to execute an appropriate software code 215. The software code 215 may for example allow to perform one or more steps to perform one or more of the present aspects or examples. The software code 215 may be stored in the ROM 211 b. The apparatus 200 may be interconnected with another apparatus 200 controlling another entity/function of the 5G-AN or the 5GC. . In some examples, apparatus 200 may be configured to provide one or more functions of the 5G-AN or the 5GC. For example, apparatus 200 may be configured to perform at least some functionality of a particular function of the 5G-AN or the 5GC. For example, apparatus 200 may be configured to operate as a particular function of the 5G-AN or the 5GC. In alternative examples, apparatus 200 may be configured to perform at least some functionality of two or more functions of the 5G-AN and/or the 5GC. For example, apparatus 200 may be configured to operate as two or more functions of the 5G-AN and/or the 5GC. The apparatus 200 may comprise one or more circuits, or circuitry (not shown) which may be configured to perform one or more of the present aspects or examples.

FIG. 3 illustrates an example of a communication device 300. The communication device 300 may be similar to the communication device 102 illustrated in FIG. 1. The communication device 300 may be provided by any device capable of sending and receiving radio signals. Non-limiting examples of a communication device 300 are a user equipment, a terminal, a mobile station (MS) or mobile device such as a mobile phone or what is known as a ’smart phone’, a computer provided with a wireless interface card or other wireless interface facility (e.g., USB dongle), a personal data assistant (PDA) or a tablet provided with wireless communication capabilities, a machine-type communications (MTC) device, a Cellular Internet of things (CloT) device, or a terrestrial/maritime/aerial vehicle such as a car, a truck, a boat, an air plane, or a drone, or any combinations of these or the like. The communication device 300 may provide, for example, communication of data for carrying communications. The communications may be one or more of voice, electronic mail (email), text message, multimedia, data, machine data and so on.

The communication device 300 may receive signals over an air or radio interface 307 via appropriate apparatus for receiving and may transmit signals via appropriate apparatus for transmitting radio signals. In FIG. 3, a transceiver apparatus is designated schematically by block 306. The transceiver apparatus 306 may be provided for example by means of a radio part and associated antenna arrangement. The antenna arrangement may be arranged internally or externally to the mobile device.

The communication device 300 may be provided with at least one processor 301 , at least one memory ROM 302a, at least one RAM 302b and other possible components 303 for use in software and hardware aided execution of tasks it is designed to perform, including control of access to and communications with access systems and other communication devices. The at least one processor 301 is coupled to the RAM 302b and the ROM 302a. The at least one processor 301 may be configured to execute an appropriate software code 308. The software code 308 may for example allow to perform one or more of the present aspects. The software code 308 may be stored in the ROM 302a. The communication device 300 may comprise one or more circuits, or circuitry (not shown) which may be configured to perform one or more of the present aspects or examples.

The processor, storage and other relevant control apparatus may be provided on an appropriate circuit board and/or in chipsets. This feature is denoted by reference 304. The communication device may optionally have a user interface such as keypad 305, touch sensitive screen or pad, combinations thereof or the like. Optionally one or more of a display, a speaker and a microphone may be provided depending on the type of the device. FIG. 5 shows an example signalling and operations diagram for implementing forward secrecy in 5G authentication and key agreement prime (5G AKA).

In the example of FIG. 5, a communication device (e.g., a UE) is to be authenticated for connection to a serving network. The key agreement utilized to authenticate the UE, in this example, is 5G AKA. In this example, the communication device is a UE. In other examples, the communication device may be a mobile equipment (ME), terminal, machinetype communication device, etc.

In S501 , the UE generates first key material that comprises a first public key (FS_UE_PUB_KEY in FIG. 5) and a first private key. The first key material is associated with the UE. The first key material may be an ephemeral key pair. In some examples, the UE generates the first key material when the UE supports forward secrecy.

The UE performs a SUPI to SUCI concealment. In orderto protect the UE permanent identity (i.e., the SUPI) the UE may not transmit SUPI as it is. The UE conceals/encrypts the SUPI using encryption scheme to create the SUCI, before sending it to core network. The concealing/encrypting may be performed in a USIM (which may be in the UE) or in mobile equipment (ME). A user equipment/communication device may comprise ME (e.g., memory, processor, transceiver, etc.) and a USIM (or means for connecting to a USIM e.g., a USIM port). This may depend on an indication configured in the USIM by a network operator.

In S502, the UE provides, to a serving network, the SUCI and the first public key. In other examples, rather that the SUCI, the UE provides a 5G globally unique temporary identity (5G-GUTI) associated with the UE.

The serving network comprises an AMF. A security anchor function (SEAF) of the serving network may be associated with the AMF.

The SUCI and first public key may be comprised in a registration message. For example, a registration request message.

The SUCI and the first public key is initially provided to a base station (e.g., gNB) before being provided to the AMF or SEAF, of the serving network.

In S503, the AMF/SEAF provides, to an authentication server function (AUSF) of a home network (of the UE), the SUCI and the first public key. The SUCI and the first public key may be provided in an authenticate request message.

The AMF/SEAF may also provide a serving network (SN) name. In other examples, rather than the SUCI, the AMF/SEAF may provide the SUPI of the UE (once the AMF/SEAF has encrypted the SUCI of the UE).

In S504, the AUSF provides, to a UDM of the home network, the SUCI of the UE. The SUCI may be provided in an authentication get request message. The AUSF may also provide the first public key. In other examples, the first public key is accessible to the UDM (following reception of the first public key in the home network). The ALISF may also provide the SN name. In other examples, rather than the SlICI, the ALISF may provide the SlIPI of the UE.

In S505, the UDM generates second key material that comprises a second public key (FS_HN_PUB_KEY in FIG. 5) and a second private key. The second key material is associated with the home network. The second key material may be an ephemeral key pair. In some examples, the UDM generates the second key material when/if the UDM supports forward secrecy.

The UDM generates a shared key (herein ‘Ks’) based on the second private key and the first public key.

The UDM may de-conceal/decrypt the SUCI to determine the SUPI of the UE (assuming that the UDM did not receive the SUPI from the AUSF). The de- concealing/decrypting may be performed by a subscriber identity de-concealing function (SIDF). The SIDF is a functional element of the UDM that is responsible for decrypting a SUCI reveal a UE’s SUPI.

The UDM performs an authentication method selection. In this example, the UDM selects 5G AKA.

In S506, the UDM performs an authentication (or authentication procedure) associated with the UE using the shared key. (A detailed depiction of S506 is shown in FIG. 5 continued (FIG. 5 cont.))

The UDM generates key material based on the shared key. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the home network, and is herein referred to as the least one home AV (so to identify AV from other Avs). For example, the UDM concatenates a long-term key (herein ‘K’) of the UE and the shared key, Ks. A long-term key, K, is subscriber key which will be stored in a secured environment. All session keys after each authentication are a derivative of the long term key, wherein the key provisioning occurs in USIM and UDM once. Once derived in the USIM/UDM, it is likely that this will not change for a subscriber. In this manner, a long-term key may be considered to be associated with a SIM or USIM. The concatenated long-term key, K, and the shared key, Ks is used by the UDM to generate the at least one home AV.

In some examples, using an exclusive or operation (XOR) is one way to implement concatenating. It should be understood that this is an example only. Any suitable way of concatenating may be used in other examples.

The generation of the at least one authentication vector may utilize a key derivation function (KDF) and/or at least one cryptographic function. The at least one home AV may comprise at least one of the following: a random number (RAND), authentication token (ALITN), an expected response (XRES), or an ALISF key (Kausf). The at least one home AV may be a 5G home environment AV.

At least part of the authentication may be performed by an authentication credential repository (ARPF) of the home network. The ARPF is a functional element of the UDM that may be responsible for generating 5G home environment authentication vectors (5G HE AV) based on a UE’s shared secret key. ARPFs and USIMs store the permanent secrets (i.e., long-term key K) that are the base for the short term keys.

In S507, the UDM provides, to the AUSF, the second public key. The second public key may be provided in an authentication get response message.

The UDM may also provide at least one of the following of: the at least one home AV, the SUPI of the UE, or an authentication and key management for applications (AKMA) indication. AKMA is a feature between a UE and an AF. Any external AF or internal 5GS AF to support the AF sessions may request 5GS to provide a key material. An AKMA anchor function (AAnF) is a network entity that assists along with AUSF to generate the AKMA keys and AF keys. For this purpose, AUSF should know if AKMA keys needs to be generated or not. For this purpose, AKMA indication is introduced from UDM to AUSF.

In S508, the AUSF stores the at least one home AV. The AUSF may store the XRES, in some examples.

The AUSF computes a hash of the XRES, wherein an output of the hash is ‘HXRES’.

In S509, the AUSF generates at least one AV. The at least one AV is associated with the serving network, and is herein referred to as the least one serving AV. The at least one serving AV may comprise: the RAND, the AUTN, and the HXRES.

A key associated with the SEAF (herein ‘Kseaf’) is generated based on the least one home AV. Kseaf may be generated by the AUSF. Kseaf may be generated based on the at least one home AV and the SN name. In some examples, the Kausf and SN name are used to generate Kseaf.

The at least one serving AV may be a 5G serving environment authentication vector (5G SE AV).

In S510, the AUSF provides, to the AMF/SEAF, the second public key and the at least one serving AV. The second public key and the at least one serving AV may be provided in an authenticate response message.

In S511 , the AMF/SEAF stores the HXRES of the at least one serving AV.

In S512, the AMF/SEAF provides, to the UE, the second public key. The second public key may be provided in an authentication request message. The AMF/SEAF may also provide at least one of the following: the RAND, the ALITN, a unique identifier for the UE (ngKSI), or an Anti-Bidding-down Between Architectures (ABBA) parameter.

In S513, the UE generates a shared key, Ks, based on the second public key and the first private key. (A detailed depiction of S513 is shown in FIG. 5 continued (FIG. 5 cont.))

The UE may provide, to a subscriber identity module (SIM) or USIM, the shared key, Ks. The SIM may be comprised in the UE/connected to the UE.

The SIM (or UE) performs an authentication (or authentication procedure) associated with the UE using the shared key.

The SIM (or UE) generates key material based on the shared key. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the UE, and so is herein referred to as the at least one UE AV. For example, the SIM concatenates the long-term key (herein ‘K’) of the UE and the shared key, Ks. The concatenated long-term key, K, and shared key, Ks is used by the SIM to generate the key material.

The generation of the key material may utilize a key derivation function (KDF) and/or at least one cryptographic function.

The key material generated based on the shared key may comprise at least one of the following: CK, IK, a response (RES), or a key for the SEAF (Kseaf). The at least one UE AV may comprise at least one of the following: the response (RES), or the key for the SEAF (Kseaf). The RES (or RES*)_may be referred to as an authentication response, in some examples.

The SIM provides, to the UE, (at least part of) the key material that has been generated based on the shared key, Ks.

The UE may also verify that a message authentication code (MAC) (generated by the HN) matches an expected MAC (generated by the UE). If there is not a match, then the authentication may be stopped/failed. The UE may also verify that a sequence number is in the correct range. If out of range, then the authentication may be stopped/failed.

In S514, the UE provides, to the serving network (e.g., AMF/SEAF), the RES. The RES may be provided in an authentication response message.

In S515, the AMF/SEAF computes a hash of the RES (HRES). The AMF/SEAF then compares HRES to HXRES. The following signalling may be performed in response to determining that HRES and HXRES match.

In S516, the AMF/SEAF provides, to the AUSF, the RES. The RES may be provided in an authenticate request message. In S517, the ALISF verifies the RES using XRES. The following signalling may be performed in response to verifying RES (successfully).

In S518a, the ALISF provides, to the serving network (e.g., AMF/SEAF) Kseaf. Kseaf may be provided in an authenticate response message. The ALISF may also provide an indication of the result, and the SlIPI of the UE. The result is a result of the verification of the UE. Without the AUSF informing the result, the AMF does not know whether to start an NAS security mode procedure (not shown in FIG. 5). The result may be informed from the AUSF to the AMF as either SUCCESS or FAILURE.

In S518b, the AUSF provides, to the UDM, an authentication result confirmation request.

In S519, the SEAF generates a key associated with the AMF (Kamf) based on the Kseaf. Kamf may be generated based on Kseaf, the SUPI of the UE, and the ABBA indication.

The SEAF provides Kamf to the AMF. The SEAF may also provide ngKSI to the AMF.

In S520, the UDM stores an authentication status of the UE. In the example of FIG. 5, the UE is (successfully) authenticated for connection to the serving network.

In S521 , the UDM provides an authentication result confirmation response to the AUSF.

Following the authentication of the UE, the UE is able to communicate with the serving network. For example, transmit and receive user data in a secure manner.

In this manner, as per FIG. 5, the UDM derives the shared key, Ks, with the UE public key ‘FS_UE_PUB_KEY’ and the home network private key ‘FS_HN_PRIV_KEY’. The UDM uses this shared Key Ks in an exclusive-or function (XOR) with the long-term key, K, for the AKA challenge (e.g., AUTN, XRES) generation as well as for a cipher key (CK), and integrity key (IK) generation. The shared key, Ks, (along with long term key, K) thus impacts both key generation and AV generation.

The shared key, Ks, is also derived at the UE with the UE private key ‘FS_UE_PRIV_KEY’ and the home network public key ‘FS_HN_PUB_KEY’. Once the shared key, Ks, is generated, the Ks is sent to the USIM.

The USIM holds the long-term key, K, and uses the received shared key, Ks, to generate Kseaf and verify the AUTN received from the UDM. This results in enhancing the current AKA challenge verification and key generation parts compared to current procedures.

FIG. 6 shows another example signalling and operations diagram for implementing forward secrecy in 5G authentication and key agreement (5G AKA). In the example of FIG. 6, a communication device (e.g., a UE) is to be authenticated for connection to a serving network. The key agreement utilized to authenticate the UE, in this example, is 5G AKA. In this example, the communication device is a UE. In other examples, the communication device may be a mobile equipment (ME), terminal, machinetype communication device, etc.

In S601 , the UE generates first key material that comprises a first public key (FS_UE_PUB_KEY in FIG. 6) and a first private key. The first key material is associated with the UE. The first key material may be an ephemeral key pair. In some examples, the UE generates the first key material when the UE supports forward secrecy.

The UE performs a SUPI to SUCI concealment. In orderto protect the UE permanent identity (i.e., the SUPI) the UE may not transmit SUPI as it is. The UE conceals/encrypts the SUPI using encryption scheme to create the SUCI, before sending it to core network. The concealing/encrypting may be performed in a USIM (which may be in the UE) or a mobile equipment (ME). This may depend on an indication configured in the USIM by a network operator.

In S602, the UE provides, to a serving network, the SUCI and the first public key. In other examples, rather that the SUCI, the UE provides a 5G globally unique temporary identity (5G-GUTI) associated with the UE.

In S603, the AMF/SEAF provides, to an authentication server function (AUSF) of a home network (of the UE), the SUCI and the first public key. The SUCI and the first public key may be provided in an authenticate request message.

In S604, the AUSF provides, to a UDM of the home network, the SUCI of the UE. The SUCI may be provided in an authentication get request message. The AUSF may also provide the first public key. In other examples, the first public key is accessible to the UDM (following reception of the first public key in the home network). The AUSF may also provide the SN name. In other examples, rather than the SUCI, the AUSF may provide the SUPI of the UE. In S605, the UDM generates second key material that comprises a second public key (FS_HN_PUB_KEY in FIG. 6) and a second private key. The second key material is associated with the home network. The second key material may be an ephemeral key pair. In some examples, the UDM generates the second key material when the UDM supports forward secrecy.

In S606, the UDM performs an authentication (or authentication procedure) associated with the UE using the shared key. (A detailed depiction of S606 is shown in FIG. 6 continued (FIG. 6 cont.))

The UDM generates key material based on the shared key. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the home network, and is herein referred to as the least one home AV (so to identify AV from other AVs).

In this embodiment, the shared key, Ks, is concatenated with a cipher key (CK), and an integrity key (IK). In other words, the (initial) key generations of the CK and the IK are affected by the shared key Ks. The concatenated shared key, Ks, CK and IK are used to generate Kausf at the UDM.

The generation of the at least one authentication vector may utilize a key derivation function (KDF) and/or at least one cryptographic function.

The at least one home AV may comprise at least one of the following: a random number (RAND), authentication token (AUTN), an expected response (XRES), or the AUSF key (Kausf). The at least one home AV may be a 5G home environment AV.

At least part of the authentication may be performed by an authentication credential repository (ARPF) of the home network. The ARPF is a functional element of the UDM that may be responsible for generating 5G home environment authentication vectors (5G HE AV) based on a UE’s shared secret key. ARPFs and USIMs store the permanent secrets (e.g., long-term key K) that are the base for the short term keys. 1

In S607, the UDM provides, to the ALISF, the second public key. The second public key may be provided in an authentication get response message.

The UDM may also provide at least one of the following of: the at least one home AV, the SUPI of the UE, or an authentication and key management for applications (AKMA) indication.

In S608, the AUSF stores the at least one home AV. The AUSF may store the XRES, in some examples.

In S609, the AUSF generates at least one AV. The at least one AV is associated with the serving network, and is herein referred to as the least one serving AV. The at least one serving AV may comprise: the RAND, the AUTN, and the HXRES.

In S610, the AUSF provides, to the AMF/SEAF, the second public key and the at least one serving AV. The second public key and the at least one serving AV may be provided in an authenticate response message.

In S611 , the AMF/SEAF stores the HXRES of the at least one serving AV.

In S612, the AMF/SEAF provides, to the UE, the second public key. The second public key may be provided in an authentication request message.

The AMF/SEAF may also provide at least one of the following: the RAND, the AUTN, a unique identifier for the UE (ngKSI), or an Anti-Bidding-down Between Architectures (ABBA) parameter.

In S613, the UE generates a shared key, Ks, based on the second public key and the first private key. (A detailed depiction of 613 is shown in FIG. 6 continued (FIG. 6 cont.)) The UE may provide, to a subscriber identity module (SIM) or USIM, the shared key, Ks. The SIM may be comprised in the UE/connected to the UE.

The SIM (or UE) generates key material based on the shared key. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the UE, and so is herein referred to as the at least one UE AV. In this embodiment, the shared key, Ks, is concatenated with a CK and an IK. The concatenated shared key, Ks, CK and IK are used to generate Kausf at the SIM.

In S614, the UE provides, to the serving network (e.g., AMF/SEAF), the RES. The RES may be provided in an authentication response message.

In S615, the AMF/SEAF computes a hash of the RES (HRES). The AMF/SEAF then compares HRES to HXRES. The following signalling may be performed in response to determining that HRES and HXRES match.

In S616, the AMF/SEAF provides, to the AUSF, the RES. The RES may be provided in an authenticate request message.

In S617, the AUSF verifies the RES using XRES. The following signalling may be performed in response to verifying RES (successfully).

In S618a, the AUSF provides, to the serving network (e.g., AMF/SEAF) Kseaf. Kseaf may be provided in an authenticate response message. The AUSF may also provide an indication of the result, and the SUPI of the UE.

In S618b, the AUSF provides, to the UDM, an authentication result confirmation request.

In S619, the SEAF generates a key associated with the AMF (Kamf) based on the Kseaf. Kamf may be generated based on Kseaf, the SUPI of the UE, and the ABBA indication.

The SEAF provides Kamf to the AMF. The SEAF may also provide ngKSI to the AMF.

In S620, the UDM stores an authentication status of the UE. In the example of FIG. 6, the UE is (successfully) authenticated for connection to the serving network. In S621 , the UDM provides an authentication result confirmation response to the

ALISF.

In this manner, in the example of FIG. 6, the UDM derives the shared key, Ks, with the UE public key ‘FS_UE_PUB_KEY’ and the home network private key ‘FS_HN_PRIV_KEY’ (similar to FIG. 5). Then, the UDM uses the shared Key, Ks, in an XOR function with the CK and IK in order to generate further keys, such as Kausf. This means that the shared key, Ks, impacts key generation but not the AV generation.

The shared key, Ks, is also derived at the UE using the UE private key ‘FS_UE_PRIV_KEY’ and the home network public key ‘FS_HN_PUB_KEY’. Once this shared key, Ks, is generated, the Ks is sent to the SIM. The SIM stores the long-term key, K, and uses the received shared key, Ks, to generate further keys such as Kausf.

FIG. 7 shows an example signalling and operations diagram for implementing forward secrecy in EAP-AKA’.

In the example of FIG. 7, a communication device (e.g., a UE) is to be authenticated for connection to a serving network. The key agreement utilized to authenticate the UE, in this example, is EAP-AKA’. In this example, the communication device is a UE. In other examples, the communication device may be a mobile equipment (ME), terminal, machinetype communication device, etc.

In S701 , the UE generates first key material that comprises a first public key and a first private key. The first key material is associated with the UE. The first key material may be an ephemeral key pair. In some examples, the UE generates the first key material when the UE supports forward secrecy.

Forward secrecy for EAP-AKA', in this example, may be achieved using an Elliptic Curve Diffie-Hellman (ECDH) exchange. To provide FS, the exchange is performed in an ephemeral manner. Both sides (i.e., the UE and the network) generate temporary keys according to a negotiated cipher-suite. This method is referred to as ECDHE, where the last ' E' stands for ephemeral.

The UE performs a SUPI to SUCI concealment. In orderto protect the UE permanent identity (i.e., the SUPI) the UE may not transmit SUPI as it is. The UE conceals/encrypts the SUPI using encryption scheme to create the SUCI, before sending it to core network. The concealing/encrypting may be performed in a USIM (which may be in the UE) or a mobile equipment (ME). This may depend on an indication configured in the USIM by a network operator. In S702, the UE provides, to a serving network, the SlICI and the first public key. In other examples, rather that the SLICI, the UE provides a 5G globally unique temporary identity (5G-GUTI) associated with the UE.

The UE may provide the first public key in an attribute (e.g., AT_PUB_ECDHE in FIG. 7). The UE may also provide additional parameters related to forward secrecy (e.g., AT_KDF_FS in FIG. 7).

In S703, the AMF/SEAF provides, to an authentication server function (AUSF) of a home network (of the UE), the SUCI and the first public key. The SUCI and the first public key may be provided in an authenticate request message.

In some examples, the AMF/SEAF provides the attribute, AT_PUB_ECDHE, which comprises the first public key, and AT_KDF_FS to the AUSF.

In S704, the AUSF provides, to a UDM of the home network, the SUCI of the UE. The SUCI may be provided in an authentication get request message. The AUSF also provides the first public key. In other examples, the first public key is accessible to the UDM (following reception of the first public key in the home network). The AUSF may also provide the SN name. In other examples, rather than the SUCI, the AUSF may provide the SUPI of the UE.

In some examples, the AUSF provides the attribute, AT_PUB_ECDHE, which comprises the first public key, and AT_KDF_FS to the UDM.

In S705, the UDM generates second key material that comprises a second public key and a second private key. The second key material is associated with the home network. The second key material may be an ephemeral key pair. In some examples, the UDM generates the second key material when the UDM supports forward secrecy.

The UDM performs an authentication method selection. In this example, the UDM selects EAP-AKA’.

In S706, the UDM performs an authentication (or authentication procedure) associated with the UE. (A detailed depiction of S706 is shown in FIG. 7 continued (FIG. 7 cont.))

The UDM generates key material. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the home network, and is herein referred to as the least one home AV (so to identify AV from other AVs). The at least one home AV may be generated based on the received SN name.

The at least one home AV may comprise at least one of the following: a random number (RAND), authentication token (AUTN), an expected response (XRES), cipher key prime (OK’) or integrity key prime (IK’). The at least one home AV may be an EAP-AKA’ AV.

At least part of the authentication may be performed by an authentication credential repository (ARPF) of the home network. The ARPF is a functional element of the UDM that may be responsible for generating authentication vectors. ARPFs and USIMs store the permanent secrets (e.g., long-term key K) that are the base for the short-term keys.

In S707, the UDM provides, to the AUSF, the shared key, Ks, and the second public key. The second public key may be provided in an authentication get response message.

The second public key may be provided in an attribute (e.g., AT_PUB_ECDHE). The UDM may also provide the additional parameters related to forward secrecy (e.g., AT_KDF_FS) to the AUSF.

In S708a, the AUSF stores the shared key, Ks. The AUSF may also store the XRES received from the UDM. XRES may be comprised in the at least one home AV.

In S708b, the AUSF provides, to the serving network (e.g., AMF), the second public key. The second public key may be provided in an authenticate response message. The authenticate response message may comprise an EAP request and/or AKA’ challenge.

The EAP request/AKA’ challenge may comprise (or indicate) the at least one home

AV. In some examples, the ALISF provides the AT_PUB_ECDHE (comprising the second public key) and AT_KDF_FS.

In S708c, the AMF/SEAF provides, to the UE, the second public key. The second public key may be provided in an authentication request message. The authentication request message may comprise at least one of the following: an EAP request, an AKA’ challenge, an ngKSI, or an ABBA.

In some examples, the AMF/SEAF provides the AT_PUB_ECDHE (comprising the second public key) and AT_KDF_FS to the UE.

In S709, the UE generates a shared key, Ks, based on the second public key and the first private key. (A detailed depiction of S709 is shown in FIG. 7 continued (FIG. 7 cont.))

The SIM (or UE) performs an authentication (or authentication procedure) based on the authentication request.

The SIM (or UE) generates key material. The key material may comprise at least one authentication vector. The at least one authentication vector is associated with the UE, and so is herein referred to as the at least one UE AV.

The generation of key material may utilize a key derivation function (KDF) and/or at least one cryptographic function. RAND and/or the AUTN of the at least one home AV may be used an input in order to generate the key material. The long-term key, K, associated with the SIM may be used as an input in order to generate the key material.

The key material may comprise at least one of the following: a OK’, or an IK’. The at least one UE AV may comprise at least one of the following: a RES, or an XMAC.

The SIM provides, to the UE, the key material that has been generated.

In this manner, the UE receives the ephemeral public key of home network (i.e. , the second public key), and the additional parameters for forward secrecy in AT_KDF_FS. The UE is then able to generate the same shared key, Ks (as the home network has done).

In S710a, the UE provides, to the serving network, an authentication response message. The authentication response comprises an EAP-response and/or AKA’ challenge response. The EAP-response/AKA’ challenge response may comprise (or indicate) the at least one UE AV. For example, the RES may be provided by the UE to the serving network. In S710b, the serving network (e.g., AMF) forwards the authentication response to the AUSF.

In S711a, the AUSF verifies the RES using XRES. The following signalling may be performed in response to verifying RES (successfully).

In S711 b, the AUSF derives a key for the AUSF (Kausf) and a key for the SEAF (Kseaf). A master key is generated in the AUSF using the shared key Ks along with CK’ and IK’ for other key derivations. Stated differently, the shared key, Ks, may be used to generate the master key at the AUSF. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks.

The Kausf may be generated based on CK’ and IK’. CK’ and IK’ is generated by the UDM. The UDM provides the CK’ and IK’ to the AUSF for Kausf generation.

The Kausf and the SN name are used to generate the Kseaf.

The Master Key (MK) and accompanying keys may be derived as follows:

MK = PRF'(IK'|CK',"EAP-AKA"'| Identity)

MK_ECDHE = PRF'(IK'|CK'|SHARED_SECRET,"EAP-AKA' FS"|ldentity)

K_encr = MK[0..127]

K_aut = MK[128..383]

K_re = MK_ECDHE[0..255]

MSK = MK_ECDHE[256..767]

EMSK = MK_ECDHE[768..1279]

In S712, there is an exchange of further EAP messages between the UE and the AUSF.

In S713a, the AUSF provides, to the serving network, the Kseaf. The Kseaf may be provided in an authenticate response message. The AUSF may also provide an indication of EAP success. The AUSF may also provide a SUPI of the UE.

In S713b, the AUSF provides, to the UDM, an authentication result confirmation request associated with the UE.

In S713c, the UDM stores an authentication status of the UE. In this example, the UDM stores a successful authentication for the UE in relation to the serving network.

In S713d, the UDM provides, to the AUSF, an authentication result confirmation response message.

In S714a, the SEAF generates a key for the AMF (Kamf). The SEAF may generate Kamf based on the Kseaf, the SUPI of the UE and the ABBA. Kamf is the key for NAS and RRC key generation for the authentication. For handovers between the AMF to a further AMF or between gNBs, the Kamf is a key used for further derivations of keys.

The SEAF provides, to the AMF, the Kamf, and the ngKSI. In S714b, the AMF provides, to the UE, an indication of the EAP success. The AMF may also provide the ngKSI and the ABBA. The indication of the EAP success may be provided in one of an authentication result message or non-access stratum security mode command (NAS SMC).

In S714c, a master key is generated in the UE using the shared key Ks. CK’ and IK’ may be used for other key derivations. Stated differently, the shared key, Ks, may be used to generate the master key at the UE. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks. (A detailed depiction of S714c is shown in FIG. 7 continued (FIG. 7 cont.))

The UE may generate a Kausf based on the CK’ and the IK’. The UE may generate a Kseaf using the Kausf that has been generated with the SN name. A Kamf may be generated based on the Kseaf, the SUPI of the UE and the ABBA.

FIG. 8 shows another example signalling and operations diagram for implementing forward secrecy in EAP-AKA’. In the example of FIG. 8, a communication device (e.g., a UE) is to be authenticated for connection to a serving network. The key agreement utilized to authenticate the UE, in this example, is EAP-AKA’. In this example, the communication device is a UE. In other examples, the communication device may be a mobile equipment (ME), a terminal, machine-type communication device, etc.

In S801 , the UE generates first key material that comprises a first public key and a first private key. The first key material is associated with the UE. The first key material may be an ephemeral key pair. In some examples, the UE generates the first key material when the UE supports forward secrecy.

In S802, the UE provides, to a serving network, the SUCI and the first public key (FS_UE_PUB_KEY in FIG.8). In other examples, rather that the SUCI, the UE provides a 5G globally unique temporary identity (5G-GUTI) associated with the UE. The UE also provides an indication that the UE supports FS (FS_support_ind in FIG.

8).

The UE may provide the first public key in an attribute (e.g., AT_PUB_ECDHE). The UE may also provide additional parameters related to forward secrecy (e.g., AT_KDF_FS).

In S803, the AMF/SEAF provides, to an authentication server function (AUSF) of a home network (of the UE), the SUCI and the first public key. The SUCI and the first public key may be provided in an authenticate request message.

The AMF/SEAF also forwards the indication that the UE supports FS to the AUSF.

In S804, the AUSF provides, to a UDM of the home network, the SUCI of the UE. The SUCI may be provided in an authentication get request message. The AUSF also provides the first public key. In other examples, the first public key is accessible to the UDM (following reception of the first public key in the home network).

The AUSF may also provide the SN name. The AUSF may also provide the indication that the UE supports FS.

In other examples, rather than the SUCI, the AUSF may provide the SUPI of the UE.

In S805, the UDM generates second key material that comprises a second public key and a second private key. The second key material is associated with the home network. The second key material may be an ephemeral key pair. The UDM has received the indication that the UE supports FS. In some examples, the UDM generates the second key material when the UDM and UE support FS.

The UDM generates a shared key (herein ‘Ks’) based on the second private key and the first public key. The UDM may de-conceal/decrypt the SlICI to determine the SlIPI of the UE (assuming that the UDM did not receive the SUPI from the AUSF). The de- concealing/decrypting may be performed by a subscriber identity de-concealing function (SIDF). The SIDF is a functional element of the UDM that is responsible for decrypting a SUCI reveal a UE’s SUPI.

In S806, the UDM performs an authentication (or authentication procedure) associated with the UE. (A detailed depiction of S806 is shown in FIG. 8 continued (FIG. 8 cont.))

The UDM generates key material. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the home network, and is herein referred to as the least one home AV (so to identify AV from other AVs). The UDM generates the at least one home AV based on the shared key. The UDM concatenates a long-term key (herein ‘K’) of the UE and the shared key, Ks. The concatenated long-term key, K, and shared key, Ks is used by the UDM to generate the at least one home AV.

In S807, the UDM provides, to the AUSF, the second public key. The second public key may be provided in an authentication get response message.

In S808a, the AUSF stores the XRES received from the UDM. The XRES may be comprised in the at least one home AV. In S808b, the ALISF provides, to the serving network (e.g., AMF), the second public key. The second public key may be provided in an authenticate response message. The authenticate response message may comprise an EAP request and/or AKA’ challenge.

The EAP request/AKA’ challenge may comprise (or indicate) the at least one home AV.

In some examples, the ALISF provides the AT_PUB_ECDHE (comprising the second public key) and AT_KDF_FS.

In S808c, the AMF/SEAF provides, to the UE, the second public key. The second public key may be provided in an authentication request message. The authentication request message may comprise at least one of the following: an EAP request, an AKA’ challenge, an ngKSI, or an ABBA.

In S809, the UE generates a shared key, Ks, based on the second public key and the first private key. (A detailed depiction of S809 is shown in FIG. 8 continued (FIG. 8 cont.))

The generation of key material may utilize a key derivation function (KDF) and/or at least one cryptographic function. RAND and/or the AUTN of the at least one home AV may be used an input in order to generate the key material.

The long-term key, K, associated with the SIM concatenated with the shared key, Ks, is used as an input in order to generate the key material.

The SIM provides, to the UE, the key material that has been generated.

The UE may also verify that the message authentication code (MAC) (generated by the HN) matches the XMAC (generated by the UE). If there is not a match, then the authentication may be stopped/failed. The UE may also verify that a sequence number is in the correct range. If out of range, then the authentication may be stopped/failed.

In S810a, the UE provides, to the serving network, an authentication response message. The authentication response comprises an EAP-response and/or AKA’ challenge response. The EAP-response/AKA’ challenge response may comprise (or indicate) the at least one UE AV. For example, the RES may be provided by the UE to the serving network.

In S810b, the serving network (e.g., AMF) forwards the authentication response to the AUSF.

In S811a, the AUSF verifies the RES using XRES. The following signalling may be performed in response to verifying RES (successfully).

In S811 b, the AUSF derives a key for the AUSF (Kausf) and a key for the SEAF (Kseaf). A master key is generated in the AUSF using the shared key Ks along with CK’ and IK’ for other key derivations. Stated differently, the shared key, Ks, may be used to generate the master key at the AUSF. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks.

The Kausf may be generated based on CK’ and IK’.

The Kausf and the SN name are used to generate the Kseaf.

The Master Key (MK) and accompanying keys may be derived as follows:

MK = PRF'(IK'|CK',"EAP-AKA"'| Identity)

MK_ECDHE = PRF'(IK'|CK'|SHARED_SECRET,"EAP-AKA' FS"|ldentity)

K_encr = MK[0..127]

K_aut = MK[128..383]

K_re = MK_ECDHE[0..255]

MSK = MK_ECDHE[256..767]

EMSK = MK_ECDHE[768..1279]

In S812, there is an exchange of further EAP messages between the UE and the AUSF.

In S813a, the AUSF provides, to the serving network, the Kseaf. The Kseaf may be provided in an authenticate response message. The AUSF may also provide an indication of EAP success. The AUSF may also provide a SUPI of the UE.

In S813b, the AUSF provides, to the UDM, an authentication result confirmation request associated with the UE.

In S813c, the UDM stores an authentication status of the UE. In this example, the UDM stores a successful authentication for the UE in relation to the serving network.

In S813d, the UDM provides, to the AUSF, an authentication result confirmation response message. In S814a, the SEAF generates a key for the AMF (Kamf). The SEAF may generate Kamf based on the Kseaf, the SlIPI of the UE and the ABBA.

The SEAF provides, to the AMF, the Kamf, and the ngKSI.

In S814b, the AMF provides, to the UE, an indication of the EAP success. The AMF may also provide the ngKSI and the ABBA. The indication of the EAP success may be provided in one of an authentication result message or non-access stratum security mode command (NAS SMC).

In S814c, a master key is generated in the UE using the shared key Ks. CK’ and IK’ may be used for other key derivations. (A detailed depiction of S814c is shown in FIG. 8 continued (FIG. 8 cont.))

Stated differently, the shared key, Ks, may be used to generate the master key at the UE. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks.

FIG. 9 shows another example signalling and operations diagram for implementing forward secrecy in EAP-AKA’. In the example of FIG. 9, a communication device (e.g., a UE) is to be authenticated for connection to a serving network. The key agreement utilized to authenticate the UE, in this example, is EAP-AKA’. In this example, the communication device is a UE. In other examples, the communication device may be a mobile equipment (ME), terminal, machine-type communication device, etc.

In S901 , the UE generates first key material that comprises a first public key and a first private key. The first key material is associated with the UE. The first key material may be an ephemeral key pair. In some examples, the UE generates the first key material when the UE supports forward secrecy.

The UE performs a SUPI to SUCI concealment. In orderto protect the UE permanent identity (i.e., the SUPI) the UE may not transmit SUPI as it is. The UE conceals/encrypts the SUPI using encryption scheme to create the SUCI, before sending it to core network. The concealing/encrypting may be performed in a USIM (which may be in the UE) or a mobile equipment (ME). This may depend on an indication configured in the IISIM by a network operator.

In S902, the UE provides, to a serving network, the SlICI and the first public key (FS_UE_PUB_KEY in FIG. 9). In other examples, rather that the SLICI, the UE provides a 5G globally unique temporary identity (5G-GUTI) associated with the UE.

The UE also provides an indication that the UE supports FS (FS_support_ind in FIG. 9).

In S903, the AMF/SEAF provides, to an authentication server function (AUSF) of a home network (of the UE), the SUCI and the first public key. The SUCI and the first public key may be provided in an authenticate request message.

The AMF/SEAF also forwards the indication that the UE supports FS to the AUSF.

In S904, the AUSF provides, to a UDM of the home network, the SUCI of the UE. The SUCI may be provided in an authentication get request message. The AUSF also provides the first public key. In other examples, the first public key is accessible to the UDM (following reception of the first public key in the home network).

In S905, the UDM performs an authentication method selection. In this example, the UDM selects EAP-AKA’. In this examples, the UDM does not support (or does not use) FS for EAP-AKA’. The UDM may de-conceal/decrypt the SlICI to determine the SlIPI of the UE (assuming that the UDM did not receive the SUPI from the AUSF). The de- concealing/decrypting may be performed by a subscriber identity de-concealing function (SIDF). The SIDF is a functional element of the UDM that is responsible for decrypting a SUCI reveal a UE’s SUPI.

In S906, the UDM performs an authentication (or authentication procedure) associated with the UE. (A detailed depiction of S906 is shown in FIG. 9 continued (FIG. 9 cont.))

The UDM generates key material. The key material may comprise at least one authentication vector (AV). The at least one AV is associated with the home network, and is herein referred to as the least one home AV (so to identify AV from other AVs). The UDM may generate the at least one home AV based on the SUCI and/or SN-name received from the AUSF.

The at least one home AV may comprise at least one of the following: a random number (RAND), authentication token (AUTN), an expected response (XRES), cipher key prime (CK’) or integrity key prime (IK’). A MAC for the authentication may be generated by the UDM, the MAC being associated with the AUTN. The at least one home AV may be an EAP-AKA’ AV.

In S907, the UDM provides, to the AUSF, the at least one home AV. The UDM also provides an indication that the UDM does not support FS (No_FS_support_ind in FIG. 9). The at least one home AV and indication may be provided in an authentication get response message.

The UDM may also provide at least one of the following of: the SUPI of the UE, or an authentication and a key management for applications (AKMA) indication.

In S908a, the AUSF stores the XRES received from the UDM. The XRES may be comprised in the at least one home AV.

In S908b, the AUSF provides, to the serving network (e.g., AMF), an EAP request and/or AKA’ challenge and the indication that the UDM does not support FS. The EAP request/AKA’ challenge and the indication that the UDM does not support FS may be provided in an authenticate response message. The EAP request/AKA’ challenge may comprise (or indicate) the at least one home

AV.

In S908c, the AMF/SEAF provides, to the UE, the EAP request/AKA’ challenge and the indication that the UDM does not support FS. The EAP request/AKA’ challenge and the indication that the UDM does not support FS may be provided in an authentication request message. The authentication request message may comprise at least one of the following: an ngKSI, or an ABBA.

In S909, a SIM associated with the UE (or the UE) performs an authentication (or authentication procedure) based on the authentication request. (A detailed depiction of S909 is shown in FIG. 9 continued (FIG. 9 cont.))

The SIM provides, to the UE, the key material that has been generated.

The UE may also verify that the MAC (generated by the HN) matches the XMAC (generated by the UE). If there is not a match, then the authentication may be stopped/failed. The UE may also verify that a sequence number is in the correct range. If out of range, then the authentication may be stopped/failed.

In S910a, the UE provides, to the serving network, an authentication response message. The authentication response comprises an EAP-response and/or AKA’ challenge response. The EAP-response/AKA’ challenge response may comprise (or indicate) the at least one UE AV. For example, the RES may be provided by the UE to the serving network.

In S910b, the serving network (e.g., AMF) forwards the authentication response to the AUSF.

In S911a, the AUSF verifies the RES using XRES. The following signalling may be performed in response to verifying RES (successfully).

In S911 b, the AUSF derives a key for the AUSF (Kausf) and a key for the SEAF (Kseaf). A master key is generated in the AUSF using the shared key Ks along with CK’ and IK’ for other key derivations. Stated differently, the shared key, Ks, may be used to generate the master key at the ALISF. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks.

The Kausf may be generated based on CK’ and IK’.

The Kausf and the SN name are used to generate the Kseaf.

The Master Key (MK) and accompanying keys may be derived as follows:

MK = PRF'(IK'|CK',"EAP-AKA"'| Identity)

MK_ECDHE = PRF'(IK'|CK'|SHARED_SECRET,"EAP-AKA' FS"|ldentity)

K_encr = MK[0..127]

K_aut = MK[128..383]

K_re = MK_ECDHE[0..255]

MSK = MK_ECDHE[256..767]

EMSK = MK_ECDHE[768..1279]

In S912, there is an exchange of further EAP messages between the UE and the AUSF.

In S913a, the AUSF provides, to the serving network, the Kseaf. The Kseaf may be provided in an authenticate response message. The AUSF may also provide an indication of EAP success. The AUSF may also provide a SUPI of the UE.

In S913b, the AUSF provides, to the UDM, an authentication result confirmation request associated with the UE.

In S913c, the UDM stores an authentication status of the UE. In this example, the UDM stores a successful authentication for the UE in relation to the serving network.

In S913d, the UDM provides, to the AUSF, an authentication result confirmation response message.

In S914a, the SEAF generates a key for the AMF (Kamf). The SEAF may generate Kamf based on the Kseaf, the SUPI of the UE and the ABBA.

The SEAF provides, to the AMF, the Kamf, and the ngKSI.

In S914b, the AMF provides, to the UE, an indication of the EAP success. The AMF may also provide the ngKSI and the ABBA. The indication of the EAP success may be provided in one of an authentication result message or non-access stratum security mode command (NAS SMC).

In S914c, a master key is generated in the UE using the shared key Ks with CK’ and IK’ for other key derivations. (A detailed depiction of S914c is shown in FIG. 9 continued (FIG. 9 cont.)) Stated differently, the shared key, Ks, may be used to generate the master key at the UE. For example, master key ECDHE (MK_ECDHE) is generated based on the shared key, Ks.

As discussed in relation to one or more of the examples above, the implementing of forward secrecy is beneficial in terms of security as forward secrecy gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. Furthermore, a long-term secret being compromised does not affect the security of past session keys.

One or more of the examples above, such as in FIG. 5 and FIG. 6, allow the implementation of forward secrecy in 5G AKA. The use of forward secrecy in 5G AKA means that security is improved for this key-agreement.

Furthermore, other examples, such as in FIG. 7 and FIG. 8, allow forward secrecy to be implemented in EAP-AKA’ prime. In these examples, a UE generates key material comprising a public and private key, whereby the public key is provided to a serving network in a registration request message. A home network will receive the public key from the serving network and then utilize the public key of the UE to generate a shared key, Ks. This advanced providing of the public key of the UE to the HN means that the HN is aware that the UE supports FS and the HN is able to generate subsequent keys using the public key of the UE.. In some examples, the shared key, Ks, is also utilised by the HN to generate the AVs. This means that key generation is affected by the public key of the UE being provided. In some examples, the shared key (that has been generated based on the public key of the UE) is concatenated with the long term key, K, and is used for all key derivations such as CK' and IK' and also in AKA Authentication vector it has an impact due to this Ks inclusion. Therefore, the AKA challenge is always different, even if the long term key is stolen and known. In this manner, forward secrecy is achieved.

Furthermore, in FIGS. 7 and 8, there is a reduction in the number of EAP messages exchanged to derive the master key (compared to the signalling of FIG. 4).

In some situations, a network is not aware of a UE’s capability regarding forward secrecy and generates public keys assuming UE will support it. However, if the UE does not support the forward secrecy extension, then this attempt from the network side to achieve forward secrecy will be wasted. One or more of the examples described above (e.g., FIG. 9) implement the provision of indications between the entities (e.g., UE, UDM, etc), the indications indicating whether the relevant entity supports forward secrecy. Based on the indication being received, an entity may or may not determine to perform specific steps relevant to forward secrecy. In this manner, steps such as generating key material will not be performed if it is not needed. This will save on resources.

FIG. 10 shows an example method flow performed by an apparatus. The apparatus may be for a communication device. The apparatus may be comprised in a communication device. The apparatus may be a communication device. In examples, the communication device may be an ME or UE.

In S1001 , the method comprises generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device.

In S1003, the method comprises providing/transmitting, to a network entity, the public key of the first key material in a registration message.

In S1005, the method comprises receiving, from the network entity, a second public key of second key material that is associated with a home network.

In S1007, the method comprises generating a shared key based on the second public key and the first private key.

In S1009, the method comprises providing/transmitting, to a subscriber identity module, the shared key.

In S1011 , the method comprises receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

FIG. 11 shows an example method flow performed by an apparatus. The apparatus may be for a network function. The apparatus may provide a network function. In examples, the network function may be a UDM.

In S1101 , the method comprises receiving, from a second network function, a first public key of first key material associated with a communication device.

In S1103, the method comprises generating second key material comprising a second public key and a second private key.

In S1105, the method comprises generating a shared key, using the second private key and the first public key.

In S1107, the method comprises performing an authentication associated with the communication device using the shared key.

In S1109, the method comprises providing, to the second network function, the second public key of the second key material.

FIG. 12 shows an example method flow performed by an apparatus. The apparatus may be for a SIM/USIM. The apparatus may be comprised in a SIM/USIM. The apparatus may be a SIM/USIM. In S1201 , the method comprises receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network.

In S1203, the method comprises generating third key material using the shared key.

In S1205, the method comprises providing/transmitting, to the communication device, the third key material.

Note that the method flows shown in FIGS. 10 and 12 may be performed by the same apparatus/device, e.g., a UE comprising both the apparatus performing the method flow shown in FIG. 10 (e.g., a mobile equipment (ME)) and the apparatus performing the method flow shown in FIG. 12 (e.g., IISIM).

In some embodiments, the generating of the shared key may be performed by the apparatus of FIG. 12. For example, the apparatus may receive the materials used for generating the shared key from the communication device and generates the shared key accordingly.

In some embodiments, the apparatus generates third key material (by) using the shared key by: concatenating the shared key and a long term key (associated with the apparatus (e.g., IISIM). For example, the apparatus may perform an XOR operation by using the shared key and the long term key as inputs, to acquire the output as the third key material. That is the shared key and the long term key are XORed.

In some embodiments, the apparatus generates third key material (by) using the shared key by: using the shared key to generate fourth key material comprising at least one of the following: CK, IK an authentication token, or an expected response.

In some embodiments, at least part of the third key material is used for an authentication and key agreement challenge.

FIG. 13 shows an example method flow performed by an apparatus. The apparatus may be for a network function. The apparatus may provide a network function. In examples, the network function may be an ALISF.

In S1301 , the method comprises receiving, from a communication device, a first public key of first key material that is associated with the communication device.

In S1303, the method comprises providing/transmitting, to a first network function, the first public key.

In S1305, the method comprises receiving, from the first network function, a second public key of second key material that is associated with a home network. In S1307, the method comprises providing/transmitting, to the communication device, the second public key.

FIG. 14 shows a schematic representation of non-volatile memory media 1400a (e.g. Blu-ray disc (BD), computer disc (CD) or digital versatile disc (DVD), etc.) and 1400b (e.g. flash memory, solid state memory, universal serial bus (USB) memory stick, etc.) storing instructions and/or parameters 1402 which when executed by a processor allow the processor to perform one or more of the steps of the methods of FIGS. 10 to 13.

It is noted that while the above describes example embodiments, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the present invention.

The examples may thus vary within the scope of the attached claims. In general, some embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although embodiments are not limited thereto. While various embodiments may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.

The examples may be implemented by computer software stored in a memory and executable by at least one data processor of the involved entities or by hardware, or by a combination of software and hardware. Further in this regard it should be noted that any procedures may represent program steps, or interconnected logic circuits, blocks and functions, or a combination of program steps and logic circuits, blocks and functions. The software may be stored on such physical media as memory chips, or memory blocks implemented within the processor, magnetic media such as hard disk or floppy disks, and optical media such as for example DVD and the data variants thereof, CD.

The term “non-transitory”, as used herein, is a limitation of the medium itself (i.e. tangible, not a signal) as opposed to a limitation on data storage persistency (e.g. RAM vs ROM).

As used herein, “at least one of the following:<a list of two or more elements>” and “at least one of: <a list of two or more elements>” and similar wording, where the list of two or more elements are joined by “and”, or “or”, mean at least any one of the elements, or at least any two or more of the elements, or at least all of the elements. The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor-based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory. The data processors may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASIC), gate level circuits and processors based on multi core processor architecture, as non-limiting examples.

In some of the example herein, the term “means for”, or “means configured to perform” (or similar) may be any means that are suitable for performing the feature. The “means” may be configured to perform one or more of the functions and/or method steps previously described. For example, the “means” may include one or more of: at least one processor, at least one memory, transceiver circuitry, antenna circuitry, etc. It should be understood that these are provided as non-limiting examples.

Alternatively, or additionally some examples may be implemented using circuitry. The circuitry may be configured to perform one or more of the functions and/or method steps previously described. That circuitry may be provided in the base station and/or in the communications device.

As used in this application, the term “circuitry” may refer to one or more or all of the following:

(a) hardware-only circuit implementations (such as implementations in only analogue and/or digital circuitry);

(b) combinations of hardware circuits and software, such as:

(i) a combination of analogue and/or digital hardware circuit(s) with software/firmware and

(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as the communications device or base station to perform the various functions previously described; and

(c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.

This definition of circuitry applies to uses of the term “means” in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example integrated device. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.

The foregoing description has provided by way of exemplary and non-limiting examples a full and informative description of some embodiments. However, various modifications and adaptations may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings and the appended claims. However, all such and similar modifications of the teachings will still fall within the scope as defined in the appended claims.

Claims

Claims:

1. An apparatus, comprising: means for generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; means for providing, to a network entity, the public key of the first key material in a registration message; means for receiving, from the network entity, a second public key of second key material that is associated with a home network; means for generating a shared key based on the second public key and the first private key; means for providing, to a subscriber identity module, the shared key; and means for receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

2. The apparatus according to claim 1, wherein the third key material comprises at least one of the following: a cipher key, an integrity key, an authentication token, or an authentication response.

3. The apparatus according to claim 1 or 2, wherein the first key material comprises a first ephemeral key pair, the ephemeral key pair comprising the public key and the private key.

4. The apparatus according to any of claims 1 to 3, wherein the registration message provided to the network entity further comprises additional parameters related to forward secrecy.

5. The apparatus according to any of claims 1 to 4, wherein the registration message provided to the network entity further comprises an indication that the communication device supports forward secrecy.

6. The apparatus according to any of claims 1 to 5, wherein the one of the following: the apparatus is comprised in the communication device, the apparatus is for the communication device, or the apparatus is the communication device.

7. An apparatus providing a first network function, the apparatus comprising means for the first network function to perform: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

8. The apparatus according to claim 7, wherein the second key material is associated with a home network.

9. The apparatus according to claim 7 or claim 8, wherein the performing an authentication associated with the communication device procedure using the shared key comprises at least one of the following: concatenating the shared key and a long term key associated with a subscriber identity module, or generating fourth key material based on the shared key.

10. The apparatus according to any of claims 7 to 9, wherein the performing an authentication associated with the communication device procedure using the shared key comprises: generating a cipher key and an integrity key based on the concatenated shared key and long term key.

11. The apparatus according to any of claims 7 to 10, wherein the performing an authentication associated with the communication device procedure using the shared key comprises: using the concatenated shared key and long term key for an authentication and key agreement challenge.

12. The apparatus according to any of claims 9 to 11 when appended to claim 9, wherein the fourth key material comprises at least one of the following: a cipher key, an integrity key, an authentication token, or an expected response.

13. The apparatus according to any of claims 7 to 12, wherein the authentication associated with the communication device is further associated with one of: a fifth generation authentication and key agreement, or an extensible authentication protocol authentication and key agreement.

14. The apparatus according to any of claims 7 to 13, wherein the first public key is received in a message from the second network function, the message further comprising an indication that the communication device supports forward secrecy.

15. A subscriber identity module, comprising: means for receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; means for generating third key material using the shared key; and means for providing, to the communication device, the third key material.

16. The subscriber identity module according to claim 15, wherein the means for generating third key material using the shared key comprises at least one of: means for concatenating the shared key and a long term key associated with the subscriber identity module; or means for generating, using the shared key, at least one of the following: a cipher key, an integrity key, an authentication token, or a response.

17. The subscriber identity module according to claim 15 or claim 16, wherein the subscriber identity module comprises: means for concatenating the shared key and a long term key associated with the subscriber identity module; and means for using the concatenated shared key and the long term key for an authentication and key agreement challenge.

18. The subscriber identity module according to any of claims 15 to 17, wherein the third key material comprises at least one of the following: a cipher key, an integrity key, or an authentication token.

19. The subscriber identity module according to any of claims 15 to 18, wherein the subscriber identity module comprises: means for receiving, from the communication device, an authentication token, the authentication token related to an authentication associated with the communication device; and means for using the shared key to verify the authentication token.

20. An apparatus providing a second network function, the apparatus comprising means for the second network function to perform: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key.

21. A method comprising: generating first key material comprising a first public key and a first private key, wherein the first key material is associated with a communication device; providing, to a network entity, the public key of the first key material in a registration message; receiving, from the network entity, a second public key of second key material that is associated with a home network; generating a shared key based on the second public key and the first private key; providing, to a subscriber identity module, the shared key; and receiving, from the subscriber identity module, third key material that has been generated based on the shared key.

22. A method comprising: receiving, from a second network function, a first public key of first key material associated with a communication device; generating second key material comprising a second public key and a second private key; generating a shared key, using the second private key and the first public key; and performing an authentication associated with the communication device using the shared key, and providing, to the second network function, the second public key of the second key material.

23. A method comprising: receiving, from a communication device, a shared key generated based on a first private key of a first key material associated with the communication device and a second public key of a second key material that is associated with a home network; generating third key material using the shared key; and providing, to the communication device, the third key material.

24. A method comprising: receiving, from a communication device, a first public key of first key material that is associated with the communication device; providing, to a first network function, the first public key; receiving, from the first network function, a second public key of second key material that is associated with a home network; and providing, to the communication device, the second public key.

25. A non-transitory computer readable medium comprising program instructions, that, when executed by an apparatus, cause the apparatus to perform the methods of any of claims 21 to 24.