EP1958370A2 - Method and apparatus for delivering keying information - Google Patents
- Publication number
- EP1958370A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- user equipment
- key
- application
- keys
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Definitions
- the present invention relates to a method and apparatus for delivering keying information and in particular, though not necessarily, to a method and apparatus for delivering service related keying information.
- the invention is applicable in particular, though not necessarily, to the distribution of keying information in a communications system comprising a Universal Mobile Telecommunications System network facilitating wireless access for user equipment.
- the Third Generation Partnership Project (3GPP) was formed as a collaboration agreement bringing together a number of standards bodies with the aim of standardising globally applicable technical specifications for third generation mobile systems based on evolved GSM core networks and the radio access technology Universal Terrestrial Radio Access (UTRA).
- 3GPP Third Generation Partnership Project
- UTRA Universal Terrestrial Radio Access
- 3GPP has specified a protocol known as Authentication and Key Agreement (AKA) for performing authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks.
- AKA Authentication and Key Agreement
- UMTS AKA is specified in 3GPP TS 33.102 and is a challenge-response based mechanism that uses symmetric cryptography.
- AKA is typically run in a UMTS Services Identity Module (USIM), which resides on a smart card like device (referred to as a Universal Integrated Circuit Card or UICC) that also provides tamper resistant storage of shared secrets.
- USIM UMTS Services Identity Module
- AKA is run at registration and re-registration of a User Equipment (UE - where a UE is defined as the combination of a Mobile Station (MS) and a USIM) with its home network.
- UE User Equipment
- AKA may be employed in 2G networks (i.e. GSM), in which case the UICC will be provisioned with both the USIM and Subscriber Identity Module (SIM) applications.
- GSM Global System for Mobile communications
- SIM Subscriber Identity Module
- next generation architectures including the Long Term Evolution architecture currently being standardised will use AKA or an AKA based security protocol.
- One of the key objectives of UMTS AKA is to provide for the securing of data on the link between the User Equipment (UE) and an Enforcement Point (EP) where access policy is enforced within the UMTS access network.
- EP Enforcement Point
- RNC Radio Network Controller
- SGSN Serving Gateway Support Node
- BTS Base Transceiver Station
- an EP may for example be within a User Plane Entity (UPE), with possibly multiple EPs present for a single connection.
- UPE User Plane Entity
- AKA achieves appropriate security levels by delivering to the access network keying material generated using a secret K shared between the USIM on the UE and the Home Location Register (HLR)/Authentication Centre (AuC).
- HLR Home Location Register
- AuC Authentication Centre
- the HLR/AUC enhanced with IP Multimedia Subsystem functionality is referred to as the Home Subscriber Server (HSS).
- Considering a packet switched access network, signalling associated with AKA is shown in Figure 1, where the process is initiated by the UE (a combination of the USIM and the ME) sending an attach request to the SGSN in the access network.
- the SGSN requests an Authentication Vector (AV) from the HSS in the UE's home network which in turn requests the AV from an Authentication Centre (AuC).
- AV Authentication Vector
- Although Figure 1 shows only the packet switched domain, it will be appreciated that the Visited Location Register (VLR) will perform functions corresponding to the SGSN functions in the circuit switched domain. Where reference is made to "SGSN" in the following discussion, it will be appreciated that the VLR will provide equivalent functionality in the circuit switched domain.
- VLR Visited Location Register
- Two keys result from the UMTS AKA run, namely a cipher key (CK) and an integrity key (IK).
- CK and IK are generated at the HSS on the basis of a secret shared between the HSS and the USIM of the UE, and a random value RAND.
- the HSS also generates an expected result XRES by applying a suitable function to the shared secret and the random value.
- the keys, together with the RAND value, XRES and an authentication token (AUTN), are sent by the HSS to the SGSN.
- the SGSN forwards the RAND and AUTN values to the UE where they are delivered to the USIM.
- the SGSN also passes the keys CK and IK to the enforcement function in the SGSN.
- the USIM authenticates the HSS, and hence verifies the trust relationship between the home network and the EP, using the AUTN value.
- the USIM also generates the keys CK and IK using the RAND value and the shared secret.
- a secure tunnel can be established between the EP within the SGSN and the UE. This secures communication over the access network, and in particular the air interface.
- the USIM also generates a result RES using the shared secret and the RAND value, and returns this to the SGSN.
- the SGSN compares RES with XRES, and if the two agree traffic is allowed to flow through the secure tunnel.
- the simple network model for the GBA architecture is illustrated in the schematic diagram of Figure 2.
- When a UE knows that a bootstrapping procedure is required, it will first perform a bootstrapping authentication with the BSF using the HTTP Digest AKA procedure (RFC 3310). Keys CK and IK will be agreed upon between the UE and the BSF (again, these keys must be distinguished from the keys agreed at registration or re-registration and which are used to secure the radio link).
- the BSF also provides to the UE a unique bootstrapping transaction identifier (B-TID).
- B-TID unique bootstrapping transaction identifier
- the UE delivers the B-TID to the NAF, which the NAF then forwards to the BSF.
- the B-TID contains an index which the BSF uses to identify the UE and obtain appropriate NAF specific keys (Ks_NAF).
- the NAF specific keys are then forwarded to the NAF.
- the lifetime of the key material is set according to the local policy of the BSF.
- the IMS makes use of the Session Initiation Protocol (SIP) to set up and control calls or sessions between user terminals (or user terminals and application servers).
- SIP Session Initiation Protocol
- SDP Session Description Protocol
- SIP was created as a user-to-user protocol
- IMS allows operators and service providers to control user access to services and to charge users accordingly.
- a user registers in the IMS using the specified SIP REGISTER method. This is a mechanism for attaching to the IMS and announcing to it the address at which a SIP user identity can be reached.
- the IMS authenticates the user, and allocates an S-CSCF to that user from the set of available S-CSCFs. Whilst the criteria for allocating S-CSCFs are not specified by 3GPP, these may include load sharing and service requirements. It is noted that the allocation of an S-CSCF is key to controlling (and charging for) user access to IMS-based services. Operators may provide a mechanism for preventing direct user-to-user SIP sessions, which sessions would otherwise bypass the S-CSCF.
- Every IMS user possesses one or more Private User Identities.
- a private identity is assigned by the home network operator and is used by the IMS, for example, for registration, authorisation, administration, and accounting purposes.
- This identity takes the form of a Network Access Identifier (NAI) as defined in RFC 2486 [14]. It is possible for a representation of the International Mobile Subscriber Identity (IMSI) to be contained within the NAI for the private identity.
- NAI Network Access Identifier
- IMSI International Mobile Subscriber Identity
- every IMS user shall have one or more Public User Identities.
- the Public User Identity/identities are used by any user to request communications to other users.
- a user might for example include a Public User Identity (but not a Private User Identity) on a business card.
- the IMS authentication procedure is described on a very high level in Figure 4.
- AKA is handled by an IP Multimedia Services Identity Module (ISIM).
- ISIM IP Multimedia Services Identity Module
- the AKA protocol performs authentication of the User Equipment (UE) to the S-CSCF and vice versa, and is analogous to the AKA process described above.
- the Authentication Vector (AV) is obtained by the S-CSCF and is delivered to the P-CSCF via the I-CSCF.
- Figure 5 illustrates how GBA may be mapped to the IMS architecture, with the BSF functionality being implemented at the S-CSCF and the P-CSCF sitting between the S-CSCF and the UE.
- the EP exists within the P-CSCF. This is considered in the ETSI TISPAN working group proposal 07-TD-17.
- GBA performs a re-run of the AKA procedure in order to establish fresh keying material (CK, IK) which can in turn be used to generate application/service specific (NAF) keys.
- a method of delivering an application key or keys to an application server for use in securing data exchanged between the application server and a user equipment, the user equipment accessing a communications network via an access domain comprising: running an Authentication and Key Agreement procedure between the user equipment and a home domain in order to make keying material available to the user equipment and to an access enforcement point, and using at least a part of said keying material to secure a communication tunnel between the user equipment and the access enforcement point; deriving one or more application keys within the home domain using at least part of said keying material, providing said application key(s) to said application server, and deriving the same application key(s) at the user equipment, wherein said access enforcement point is unable to derive or have access to said application key(s).
- the term "user equipment" as used here is not restricted to any particular protocols or network architecture.
- the user equipment may be a combination of a user terminal and a subscriber identity module card, or may be only a user terminal.
- the inventive functionality may be implemented only on the user terminal, or may be implemented on a combination of the user terminal and the subscriber identity module card.
- running of the Authentication and Key Agreement procedure occurs at registration or re-registration of the user equipment with the home domain.
- This has the advantage that only a single run of the procedure is required in order to both register the subscriber and thereby establish access protection, and establish keying material from which application keys can be derived.
- Said step of running an Authentication and Key Agreement procedure between the user equipment and a home domain comprises sending from the home domain to the access enforcement point controller an authentication vector including a random value, and secondary cipher and integrity keys derivable from the random value, and forwarding the random value to the user equipment.
- the user equipment then applies a first key derivation function to the random value to generate primary cipher and integrity keys, and applies a second key derivation function to the primary cipher and integrity keys to generate said secondary cipher and integrity keys.
- the secondary cipher and integrity keys are passed by the access enforcement point controller to the access enforcement point, whereby a secure tunnel can be established between the access enforcement point and the user equipment on the basis of said secondary cipher and integrity keys.
- said keying material comprises the random value and the secondary cipher and integrity keys.
- said application key(s) are derived at the user equipment and at the home domain using one or both of said primary cipher and integrity keys.
- said keying material comprises first and second random values and first cipher and integrity keys derivable from the first random value
- the method comprising forwarding the random values from the access enforcement point controller to the user equipment, and the user equipment applying a first key derivation function to the first random value to generate first cipher and integrity keys, whereupon a secure tunnel can be established between the access enforcement point and the user equipment on the basis of said first cipher and integrity keys.
- Said application key(s) may be derived at the user equipment and within the home domain using said second random value.
- the method may comprise deriving said second cipher and integrity keys from the second random value, and then applying a key derivation function to the second cipher and integrity keys to generate the application key(s).
- Said steps of deriving an application key or keys within the home domain and at the user equipment may comprise utilising a secret shared between the home domain and the User Equipment to derive the application service key(s) from at least part of said keying material.
- Said application service key(s) may be derived by applying a key derivation function to cipher and integrity keys, and to a service node identifier.
- Said access enforcement point may be provided within a Proxy Call Session Control Function (P-CSCF) of an IP Multimedia Subsystem (IMS). Said access enforcement point controller may also be provided within the Proxy Call Session Control Function.
- P-CSCF Proxy Call Session Control Function
- IMS IP Multimedia Subsystem
- S-CSCF Serving Call Session Control Function
- S-CSCF is responsible for handling said Authentication and Key Agreement procedure in conjunction with a Home Subscriber Server.
- user equipment for accessing a communications network via an access domain
- the user equipment comprising: means for running an Authentication and Key Agreement procedure with a home domain in order to make keying material available to the user equipment and to an access enforcement point, and using at least a part of said keying material to secure a communication tunnel between the user equipment and the access enforcement point; means for deriving one or more application keys using at least part of said keying material, and for using the application key to secure a communication tunnel with an application server.
- a method of delivering an application key or keys to an application server for use in securing data exchanged between the application server and a user equipment, the user equipment accessing a communications network via an access domain comprising: running an Authentication and Key Agreement procedure between the user equipment and a home domain in order to make keying material available to the user equipment and to an access enforcement point, and using at least a part of said keying material to secure a communication tunnel between the user equipment and the access enforcement point; and deriving one or more application keys at said access enforcement point using at least part of said keying material, providing said application key(s) to said application server, and deriving the same application key(s) at the user equipment.
- Figure 2 illustrates schematically the GBA architecture
- Figure 3 illustrates schematically an IP Multimedia Subsystem architecture within a cellular telecommunications network
- Figure 5 illustrates schematically the generic GBA architecture, and the GBA architecture mapped to the IMS
- Figure 7 illustrates a process for establishing keying information shared between a UE and a NAF of an IMS according to a second embodiment of the invention
- Figure 8 is a block diagram illustrating implementation of BSF functionality at a P-CSCF of the IMS
- Figure 10 illustrates a process for establishing keying information shared between a UE and a NAF of an IMS according to a still further embodiment of the invention
- Figure 11 illustrates schematically a 3G network incorporating a SAE/LTE access network
- Figure 12 illustrates a process for initial key establishment in the network of Figure 11 where authentication is delegated by a home network to a visited network
- Figure 13 illustrates a process for initial key establishment in the network of Figure 11 where authentication is performed with a home network.
- a secure IPsec tunnel can be established between the User Equipment (UE) and the P-CSCF on the basis of the cipher and integrity keys CK, IK.
- CK' = KDF(CK, P_CSCF_ID)
- IK' = KDF(IK, P_CSCF_ID)
- KDF is a Key Derivation Function (for example as defined for GBA).
- the S-CSCF provides the derived keys CK' and IK' as the keys to use for the IPsec tunnel.
- AV (RAND, CK, IK, XRES, AUTN) 1 from the HSS.
- the P-CSCF receives AV and forwards RAND/AUTN to the UE (this step is marked with circle 1 in Figure 4)
- the UE receives the RAND/AUTN and runs this tuple through the ISIM. The result of this operation is that the UE gets back CK and IK from the ISIM. The UE now applies the same KDF as was used by the S-CSCF to compute CK' and IK'. This step is marked with circle 2 in the Figure.
- the UE and the P-CSCF establish an IPsec tunnel based on CK' and IK'.
- the UE derives a service specific key Ks_NAF for the particular NAF it wishes to communicate with. This may be done by applying a KDF, potentially the same as the one previously used, to CK and IK and the NAF_ID.
- IK" = KDF(IK, <some GBA ID>, <other param>).
- the reason for deriving CK" and IK" is that a NAF may want to have separate integrity and ciphering keys for the security protocol used between the UE and itself. The NAF could then use CK" and IK" directly.
- the <some GBA ID> parameter is an ID that identifies the enhanced GBA system (e.g., the string "eGBA", or the string "eGBA@operator.com"), and is used in order to tie the generated keys to this particular key distribution system and to avoid potential key-collisions. The UE then contacts the NAF and provides the NAF with an identity that uniquely identifies the CK/IK that resulted from the IMS registration.
- This identity is (in GBA) called B-TID, and is provided to the UE from the BSF during the AKA procedure, i.e. it is provided by the S-CSCF during the IMS registration procedure (when AKA is run).
- the NAF contacts the S-CSCF and requests the Ks_NAF corresponding to the given B-TID.
- the S-CSCF derives the Ks_NAF from CK and IK in the same way the UE did.
- the first key set is used to establish the IPsec tunnel between the P-CSCF and the UE, whilst the second set can be used to derive keys for the IMS application servers.
- This alternative process is depicted in Figure 7.
- if the UE is a legacy UE which does not support the enhanced GBA functionality, it will simply not see, or ignore, the RAND' and AUTN' values, and will process only RAND and AUTN as normal.
- the UE sends a SIP register to the S-CSCF.
- the S-CSCF sends AV and AV' to the P-CSCF.
- the P-CSCF receives AV and AV' and forwards RAND/AUTN and
- the UE receives the RAND/AUTN and RAND'/AUTN' and runs the RAND/AUTN through the ISIM. The result of this operation is that the UE gets back CK and IK from the ISIM. The UE uses CK and IK to establish the IPsec tunnel with the P-CSCF. The UE runs RAND'/AUTN' through the ISIM and as a result gets back CK' and IK' from the ISIM. This step is marked with circle 2 in the Figure.
- the UE derives a service specific key Ks_NAF for the particular NAF it wishes to communicate with. This is done by applying a KDF to CK' and IK' and NAF_ID.
- the UE contacts the NAF and provides the NAF with an identity (e.g. B-TID) that uniquely identifies the CK'/IK' that resulted from the IMS registration.
- the NAF contacts the S-CSCF and requests the Ks_NAF corresponding to the given B-TID.
- the S-CSCF derives the Ks_NAF from CK' and IK' in the same way the UE did.
- the S-CSCF returns the Ks_NAF to the NAF.
- the UE and the NAF can now establish a secure connection based on Ks_NAF.
- the RAND'/AUTN' can be included in the initial IMS AKA exchange in such a way that legacy UEs can still function in the network, i.e. establish a secure tunnel with the P-CSCF.
- RAND'/AUTN' can be present in a new SIP header, which will not be recognised (and hence ignored) by a legacy UE.
- legacy UEs will still not be able to access Application Servers that require a key derived from the RAND'/AUTN' pair.
- the application service key(s) is(are) derived by following the conventional IMS AKA process, i.e. as illustrated in Figure 4, and post processing the resulting keys, CK/IK, using a KDF.
- This is achieved by including an additional argument into the KDF that is known only to the S-CSCF and the UE, i.e., a shared secret.
- the P-CSCF will again not be able to derive the application service key(s).
- part (or all) of the KDF could be implemented as a soft-SIM in the UE or a new or existing SIM application in a smart-card accessed by the UE.
- the KDF could for example contain a regular SIM application as a sub-function.
- the shared secret could be stored in the Authentication Centre (AuC) - it could potentially be the same shared secret used to derive the authentication vectors. This would require that it be possible to request from the AuC, the result of running a given RAND through a particular function (the function could be part of the AuC or it could be supplied by the S-CSCF).
- the shared secret could also be stored in any other database which responds to queries to compute the function on the given RAND from the S-CSCF.
- the solution will not affect legacy UEs, but the legacy UEs will of course not be able to derive the application service key(s).
- this alternative process is not necessarily optimal because of the significant changes required at the UE and within the IMS.
- the S-CSCF may restrict the usage of Application Service keys based on the public user identities received during registration.
- the S-CSCF can re-use the current IMS subscription handling mechanism for this.
- the user may register one or more public identities, of which some may be classified as barred (not allowed except for limited use cases).
- the S-CSCF can also ensure that barred identities will not be used by enhanced GBA, by comparing the identity received from the Application Server (to which it requests an AS key) with the barred identities.
- the S-CSCF may apply a local policy to allow or disallow enhanced GBA functionality for given users or public user identities, independently of user access to other services.
- the Application Server knows the identity of, and is able to communicate with, the S-CSCF. This will be the case when the Application Server is located within the same network as the S-CSCF. However, that may not be the case, and the Application Server may, for example, be located in the same visited network as the P-CSCF. In this case, the P-CSCF may have the BSF functionality toward the AS in the visited network. This is illustrated in Figure 8. The AS in the visited network must be able to determine whether to contact the P-CSCF or the local S-CSCF (for non-roaming users) to get the AS keys.
- CK" and IK" are used to derive the AS key (using AS-SERV-ID).
- a User Credential Manager Server is a new entity sitting between the HLR/AuC and the AMS, and between the HLR/AuC and the traditional SGSN/VLR.
- the UCMS performs a BSF like function, creating a base key and using this key to derive the keys needed by the access network entities AMS and VLR when the proposed new functionality is to be used.
- the BSF like function within the UCMS will also implement a Zn interface towards NAFs for establishing service keys between the NAF and the UE at a later stage (unless some intermediate entity provides the Zn interface on behalf of the UCMS).
- the UCMS discriminates between authentication using legacy SIMs and cases when a new enhanced USIM (an "XSIM") is used.
- a request for AVs from the AMS or SGSN/VLR triggers BSF like functionality.
- the UCMS acts as a transparent entity and merely forwards the requests and responses between the AMS or SGSN/VLR and the HLR/AuC.
- the UCMS stores Ks and the associated B-TID, and then derives a further ciphering key CK' and an integrity key IK'.
- the UCMS forwards the vector (RAND, AUTN, CK', IK', XRES) to the AMS or SGSN/VLR. As described above with reference to the IMS scenario, the AMS or SGSN/VLR forwards RAND and AUTN to the UE.
- the RAND and the AUTN are entered into the XSIM which performs the GBA derivation of CK and IK and subsequently of CK' and IK', and any other required keys used for protection in the access network.
- the signalling flow in Figure 12 illustrates the process that follows after the UE has notified the network that it wishes to perform authentication and key establishment. In case the UE is already attached to the network, the network may initiate a re-authentication procedure according to the same signalling flow. Considering the process steps in more detail:
- the AMS or SGSN/VLR may inform the UCMS of the result of the authentication process. This signalling is not shown in Figure 12 but could be needed if the home network wants to maintain a record of a user's whereabouts (This is discussed further below).
- the UCMS may update the HLR when it receives the information from the AMS or SGSN/VLR.
- BSF functionality within the UCMS sets the LSB to 1 if the new key derivations shall be used, and sets it to 0 if the legacy key derivations shall be performed.
- when the XSIM receives the (RAND, AUTN), it checks the LSB to see which key derivations should be performed, resets the LSB to 0 if necessary and continues.
- a problem with this approach is that a malicious user possessing a "hacked" phone could set the LSB of the RAND to 0 before passing the RAND, AUTN to the XSIM.
- the XSIM would return the real CK/IK to the MS. Not only can the user access the network, he can also derive CK' and IK' and therefore the NAF_keys used to secure any services.
- the BSF would simply talk to the AMS or SGSN/VLR in the visited network as normal (see Figure 12). It is of course imperative that the signalling between the UCMS and the AMS or SGSN/VLR is confidentiality protected.
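
An added example (not code from the patent or from any 3GPP specification) of the key hierarchy in the first embodiment above, where CK' = KDF(CK, P_CSCF_ID) and IK' = KDF(IK, P_CSCF_ID) go to the P-CSCF while Ks_NAF is derived from CK, IK and NAF_ID at the UE and the S-CSCF. Assumptions: HMAC-SHA256 stands in for the KDF and for the ISIM/AuC functions, AUTN/XRES handling is omitted, and the secret K, the identifiers and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # CK and IK are 128-bit keys in UMTS AKA


def kdf(key: bytes, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over length-prefixed parameters."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def aka_keys(k: bytes, rand: bytes):
    """Toy replacement for the ISIM/AuC functions: (CK, IK) from K and RAND."""
    return kdf(k, b"CK", rand)[:KEY_LEN], kdf(k, b"IK", rand)[:KEY_LEN]


def tunnel_keys(ck: bytes, ik: bytes, p_cscf_id: bytes):
    """CK' = KDF(CK, P_CSCF_ID) and IK' = KDF(IK, P_CSCF_ID)."""
    return kdf(ck, p_cscf_id)[:KEY_LEN], kdf(ik, p_cscf_id)[:KEY_LEN]


def ks_naf(ck: bytes, ik: bytes, naf_id: bytes) -> bytes:
    """Service key from CK, IK and NAF_ID (input ordering is an assumption)."""
    return kdf(ck + ik, naf_id)


class HomeDomain:
    """S-CSCF plus HSS: holds K, keeps CK/IK, releases only derived keys."""

    def __init__(self, k: bytes):
        self._k = k
        self._sessions = {}  # B-TID -> (CK, IK)

    def register(self, p_cscf_id: bytes):
        rand = os.urandom(16)
        ck, ik = aka_keys(self._k, rand)
        b_tid = os.urandom(8).hex()
        self._sessions[b_tid] = (ck, ik)
        ck_p, ik_p = tunnel_keys(ck, ik, p_cscf_id)
        # This vector is all the P-CSCF ever receives: no CK, no IK.
        return {"RAND": rand, "CK'": ck_p, "IK'": ik_p}, b_tid

    def key_for_naf(self, b_tid: str, naf_id: bytes) -> bytes:
        ck, ik = self._sessions[b_tid]
        return ks_naf(ck, ik, naf_id)


class UserEquipment:
    def __init__(self, k: bytes):
        self._k = k

    def on_challenge(self, rand: bytes, p_cscf_id: bytes):
        # The ISIM returns CK/IK; the UE then applies the same KDF as the S-CSCF.
        self._ck, self._ik = aka_keys(self._k, rand)
        return tunnel_keys(self._ck, self._ik, p_cscf_id)

    def key_for_naf(self, naf_id: bytes) -> bytes:
        return ks_naf(self._ck, self._ik, naf_id)


def run_exchange():
    k = bytes(range(16))                  # constructed shared secret K
    p_cscf_id = b"pcscf.visited.example"  # constructed identifiers
    naf_id = b"naf.home.example"
    home, ue = HomeDomain(k), UserEquipment(k)

    av, b_tid = home.register(p_cscf_id)           # delivered to the P-CSCF
    ue_tunnel = ue.on_challenge(av["RAND"], p_cscf_id)
    ue_key = ue.key_for_naf(naf_id)
    naf_key = home.key_for_naf(b_tid, naf_id)      # NAF asks with the B-TID

    # Best the P-CSCF can do with what it holds: feed CK'/IK' to the same KDF.
    pcscf_guess = ks_naf(av["CK'"], av["IK'"], naf_id)
    return {
        "tunnel_keys_match": ue_tunnel == (av["CK'"], av["IK'"]),
        "naf_keys_match": hmac.compare_digest(ue_key, naf_key),
        "pcscf_can_derive": hmac.compare_digest(pcscf_guess, ue_key),
        "per_naf_separation": ue.key_for_naf(b"other-naf.example") != ue_key,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The separation holds only because the KDF is one-way: the P-CSCF sees CK'/IK' but cannot invert them to CK/IK, so it cannot reproduce Ks_NAF.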
Landscapes
- Mobile Radio Communication Systems (AREA)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP06777707A EP1958370A2 (de) | 2005-12-01 | 2006-07-11 | Method and apparatus for delivering keying information |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2005/056387 WO2007062689A1 (en) | 2005-12-01 | 2005-12-01 | Method and apparatus for distributing keying information |
| EP06777707A EP1958370A2 (de) | 2005-12-01 | 2006-07-11 | Method and apparatus for delivering keying information |
| PCT/EP2006/064107 WO2007062882A2 (en) | 2005-12-01 | 2006-07-11 | Method and apparatus for delivering keying information |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| EP1958370A2 (de) | 2008-08-20 |
Family
ID=39620443
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP06777707A Withdrawn EP1958370A2 (de) | 2005-12-01 | 2006-07-11 | Method and apparatus for delivering keying information |
Country Status (1)
| Country | Link |
|---|---|
| EP (1) | EP1958370A2 (de) |
-
2006
- 2006-07-11 EP EP06777707A patent/EP1958370A2/de not_active Withdrawn
Non-Patent Citations (1)
| Title |
|---|
| See references of WO2007062882A2 * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| | 17P | Request for examination filed | Effective date: 20080617 |
| | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
| | 17Q | First examination report despatched | Effective date: 20081027 |
| | DAX | Request for extension of the european patent (deleted) | |
| | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| | 18D | Application deemed to be withdrawn | Effective date: 20140109 |