WO2001022685A1 - Method and arrangement for communications security - Google Patents


Info

Publication number
WO2001022685A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
access
network
access point
key
Application number
PCT/SE2000/001795
Other languages
French (fr)
Inventor
Andras Gergely Valko
Istvan Maricza
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to AU76942/00A (AU7694200A)
Publication of WO2001022685A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
                        • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
                    • H04W12/06 Authentication
                    • H04W12/50 Secure pairing of devices
                • H04W36/00 Hand-off or reselection arrangements
                    • H04W36/0005 Control or signalling for completing the hand-off
                        • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
                            • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
                                • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Definitions

  • The object of the present invention is to provide a method in which the mobile device is not required to act as a relay station, thereby avoiding that the constrained radio resource and power available to the mobile device are used for this purpose.
  • Relaying through the mobile device only works if the mobile spends a sufficient amount of time within the area in which the two access points are reachable by wireless communication.
  • The method disclosed in the cited International Patent Application WO 97/01943 is only capable of providing authentication once, when handover is performed.
  • An object of this invention is to find a more general method in which any message sent between a mobile device and an access point can use the shared secret for security.
  • The general object of the invention is to provide a method that allows mobile terminals to establish secure relationships in a very short time at handover.
  • The object of the invention is to provide a method that does not presuppose the use of any signalling messages for handover.
  • A method is provided, to be used in a packet based communication network, for establishing secure communication between an access point and an entity, the network comprising an access network having access points for two or more entities belonging to the access network.
  • A first access point in the access network is contacted with the intention to initiate a session from an entity in the network.
  • A secret key is generated from the information obtained from the entity at the first access point, using a converter known by two or more access points of the network.
  • The secret key is sent from the first access point to the entity using encryption, and is decrypted at the entity.
  • The secret key is then used as a shared security key in communication between the mobile terminal and any access point of the network knowing the converter.
  • A function is stored in the access points for generating a secret key from identification information of the entities in the access network.
  • Initial authentication can be performed by the entity; it is carried out by communicating identification information of the entity to a first access point in the network to prove the identity of the entity.
  • The identification information is non-encrypted, or encrypted using a key that is shared by all entities in the access network.
  • The generation of the secret key in the converter can be carried out by means of a function f, or by means of a secret number shared by the access points, which use it as a parameter for a pre-defined, well-known function generating the secret key.
  • The function f can be stored by the access point in a mathematical form or as a lookup table.
  • The input of the function f could be the identification information of the first entity, and the output is an arbitrary password.
  • An important benefit of the invention is that secure communication between an access point in the access network and the mobile terminal can be achieved without any previous signalling about the identity of the mobile terminal. Even if each access point does not know the password of each mobile device, authentication and/or encryption can be achieved between a mobile device and any access point or base station in this method. This is achieved with the function f, which is used to generate a password for each mobile terminal. For the mobile device, the password appears to be random, but from the point of view of the access point it is not random, as it is generated by the same function.
  • The method can support any secret based authentication or encryption algorithm, for example CAST or IDEA.
  • CAST is described in the Internet RFC 2144.
  • IDEA is the International Data Encryption Algorithm, described at http://www.ascom.ch/infosec/idea.html.
  • No signalling messages in the access network are required, except for the initial distribution of the generated secret key. Avoiding signalling messages at handover makes handover smoother, because the only handover delay is the time it takes to derive the secret key and the actual security calculation associated therewith.
  • The method described herein can be combined with other security techniques; e.g. mobile terminals may use generated secret keys to authenticate packets and at the same time use the public key of the access network to encrypt the same packets. Due to the low cost involved, it can be used to authenticate each data packet if necessary. In this case, it is advantageous for the access point to temporarily store generated secret keys associated with devices currently connected to it.
  • The method described herein scales to almost an arbitrary number of access points and mobile terminals. In systems in which handover does not need control information exchange between the old and new access points or between access points and central controllers, it becomes a burden if the security key must be explicitly exchanged between these entities. The method as described herein is especially important in these systems.
  • The invention is, in addition to wireless access networks, applicable to all scenarios in which an entity needs to establish a secure relationship with a set of entities which are in a secure relationship with one another.
  • The main idea is that one entity can perform some initial security negotiation with one of the other entities and, after the initial security negotiation, the entity must be able to start secure communication without further negotiation and without the entities having to communicate with one another beforehand.
  • FIG. 1 is a schematic view of a network allowing secure communication between an access point and an entity.
  • FIG. 2 is a general block scheme of a method performed in the network of Figure 1 for establishing the secure communication.
  • A network 14 comprises an access network 13 having access points 10, through which mobile terminals 11 can establish communication with the access network.
  • The network also comprises a server 12 storing information on the mobile terminals belonging to the access network.
  • The access network 13 represents a single administrative domain, and its access points 10 and potentially other entities may have shared secrets, like public encryption keys.
  • An encryption system comprising public and private keys is used.
  • All the entities in the access network share the public encryption keys for encryption of their messages, whereas every entity has its own private key for decryption.
  • The function f can be almost any function, as long as each access point knows it.
  • The input of the function is the identifier or identification information of the mobile terminal, and its output is a number.
  • It should not be easy, e.g. for an intruder, to determine the function f, but it does not have to be a cryptographically strong function.
  • An example of the function f is to compute the MD5 hash, described in R. Rivest, "MD5 Digest Algorithm", RFC 1321, April 1992, of the concatenation of the mobile terminal identifier and the secret password of the access network, which can be any secret shared by the access points.
  • The access points can share a secret number and use it as a parameter for a pre-defined, well-known function.
  • Outputs of f may be fixed or have variable lengths.
  • It is required for f to be known by all access points of the network and to be unknown to entities not belonging to the access network.
  • Access points will typically store f either in a mathematical form, as an algorithm, or as a lookup table.
  • A mobile terminal 11 first performs initial authentication and thereafter connects to an access network, according to step 1.
  • This step may be omitted in access networks that allow any device to connect to them.
  • The initial authentication process may be identical to authentication solutions generally used in the Internet, because it is performed only once and delay requirements can be relaxed.
  • The access network uses its secret function f to convert the mobile terminal identifier to an output that here will be called the generated secret key, in accordance with step 2.
  • This output is then communicated to the mobile terminal, in accordance with step 3, using encryption so that other terminals cannot capture it.
  • Communication between the mobile terminal and the access point can then take place using the generated secret key.
  • The mobile terminal can send messages via the access point, and messages from the access point can be sent using the generated secret key.
  • The generated secret key can be used for encryption of packets.
  • Other aspects of security are authentication, data integrity and non-repudiation.
  • Encryption means protecting the content of messages so that only those users who have the right key can read it.
  • In authentication, the receiver verifies that the message was transmitted by the claimed origin and was not transmitted by somebody else.
  • In non-repudiation, the receiver proves that the sender transmitted the message, or the receiver received the message.
  • When a mobile terminal 11 starts a session, it first communicates its global mobile terminal identifier to an access point 10 of the access network in step 1'. This allows the access network to find and contact a server 12, in step 2', that contains security information related to the mobile terminal 11.
  • The access network downloads the public cryptographic key of the mobile terminal 11 sent from the server 12 in step 3' and uses it to encrypt the generated secret key in step 5'.
  • The access point can obtain a private encryption key and use it to encrypt the generated secret key, as a message can be encrypted using either the public or the private encryption key.
  • The access network can obtain the secret private key of the mobile terminal if the access network has a secure relationship with the "home" of the mobile terminal or with any server that knows this secret private key. Then it can get the secret private key and use it for encryption.
  • The access network can have a central unit that does this.
  • The access point informs the central unit server that the mobile device has come into contact.
  • The central unit contacts the home of the mobile terminal and gets the secret key, if there is trust among access networks.
  • It encrypts the generated secret key using the private key and sends it to the terminal.
  • The encrypted generated secret key is transmitted over the wireless channel to the mobile terminal 11, as indicated in step 6'. If the mobile terminal 11 is indeed the device that it claimed to be, it can decrypt the generated secret key, in accordance with reference number 7', using its private encryption key. The transmitted message is useless for any other mobile terminal. The mobile terminal 11 can now use the generated secret key to authenticate or encrypt its packets, in accordance with reference number 8', and send them to any access point in the access network.
  • The mobile terminal now shares a secret with all access points of the access network. This is achieved without the mobile terminal ever having contacted the access points, and hence the method is scalable to very large networks.
  • The mobile terminal and the access points can now use any shared secret based security technique available.
  • The access network has different secrets to share with different mobile terminals.
  • The mobile terminal can use the generated secret key to authenticate and/or encrypt its packets, but it never encrypts the identifier of the mobile terminal using the generated secret key.
  • The identifier is either not encrypted at all, or it is encrypted using another key that is shared by all mobile terminals, e.g. the public encryption key of the access network. This allows the access points to identify the claimed sender of received packets. The access point then uses f to compute the generated secret key of the claimed sender.
  • The mobile terminal can then decode the authentication information to verify the identity of the sender and/or it can decrypt the packet.
  • Access points can use the generated secret key to encrypt or authenticate a packet transmitted to a given mobile terminal, which can then decrypt or verify the packet using its own generated secret key.
  • The access point may temporarily store the mapping of mobile terminal identifiers to generated secret keys in order to avoid frequent recomputing of generated secret keys.
  • The transmission of plain text mobile terminal identifiers is not acceptable if the identity of attached mobile devices should be kept secret.
  • The initial authentication process can include the assignment of a possibly random, temporary identifier to the mobile terminal, or a temporary identifier can be generated by encrypting the real identifier using the public cryptographic key of the access network.
  • The secret key will then be generated using the temporary identifier, but in other aspects the mechanism remains the same.
  • Some wireless channels have built-in security, whereas others have no such functionality. In the latter case, higher layers will provide security information.
  • The invention is applicable in both cases.

Abstract

In a method for establishing secure communication in a packet based network comprising an access network (13) having access points (10) for two or more mobile terminals (11) belonging to the access network, a first access point is contacted by one mobile terminal with the intention of initiating a session from the mobile terminal. A secret key is generated using a function f stored in the access points, acting on the information from the mobile terminal at the first access point, by a converter known by two or more access points. The secret key is sent from the first access point to the mobile terminal using encryption, which is decrypted at the mobile terminal. The secret key is then used as a shared security key in communication between the mobile terminal and any access point knowing the converter.
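The scheme summarised in the abstract above, and spelled out step by step in the Definitions (function f shared by the access points, cleartext identifier in every packet, per-packet authentication with the generated key, temporary identifiers, and the per-access-point key cache), as an added example in Python. This is not code from the patent or from Ericsson. It assumes: f is MD5(identifier || network secret), the example the Definitions give; the per-packet authentication field is HMAC-MD5 (RFC 2104) standing in for the keyed MD5 of RFC 1828 that the patent cites; the packet layout and the network secret are constructed for the example; and the encrypted delivery of the generated key to the terminal (steps 3' to 6') is not modelled, the key is simply handed over. The names AccessPoint, build_packet, parse_packet and handover_demo are the example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed for this example: the secret shared by all access points of one access
# network (the "secret password of the access network" in the patent text).
NETWORK_SECRET = b"constructed-access-network-secret"
TAG_LEN = 16  # MD5 digest length


def f(identifier: bytes, network_secret: bytes = NETWORK_SECRET) -> bytes:
    """The converter f of the patent: MD5(identifier || network secret).
    Every entity holding the network secret can recompute it; nobody else can."""
    return hashlib.md5(identifier + network_secret).digest()


def build_packet(identifier: bytes, generated_key: bytes, payload: bytes) -> bytes:
    """Constructed wire format: len(id) | id | payload | tag. The identifier is sent
    unencrypted so that the receiving access point can derive the key itself."""
    if not 0 < len(identifier) < 256:
        raise ValueError("identifier must be 1..255 bytes")
    tag = hmac.new(generated_key, identifier + payload, hashlib.md5).digest()
    return bytes([len(identifier)]) + identifier + payload + tag


def parse_packet(packet: bytes) -> tuple[bytes, bytes, bytes]:
    """Split a packet into (identifier, payload, tag); ValueError if malformed."""
    if len(packet) < 1 + TAG_LEN:
        raise ValueError("packet too short")
    n = packet[0]
    if n == 0 or len(packet) < 1 + n + TAG_LEN:
        raise ValueError("bad identifier length")
    return packet[1:1 + n], packet[1 + n:-TAG_LEN], packet[-TAG_LEN:]


@dataclass
class AccessPoint:
    name: str
    network_secret: bytes = NETWORK_SECRET
    cache: dict = field(default_factory=dict)  # identifier -> generated key

    def generated_key(self, identifier: bytes) -> bytes:
        """Derive the generated secret key for a claimed sender, caching it so a busy
        access point does not recompute f for every packet."""
        if identifier not in self.cache:
            self.cache[identifier] = f(identifier, self.network_secret)
        return self.cache[identifier]

    def verify(self, packet: bytes) -> tuple[bool, bytes | None]:
        """Authenticate a packet from a terminal this access point may never have seen."""
        try:
            identifier, payload, tag = parse_packet(packet)
        except ValueError:
            return False, None
        expected = hmac.new(self.generated_key(identifier), identifier + payload,
                            hashlib.md5).digest()
        if not hmac.compare_digest(expected, tag):
            return False, None
        return True, payload


def handover_demo() -> dict:
    """Attach at AP1, then send to AP2 with no signalling between the two."""
    ap1, ap2 = AccessPoint("AP1"), AccessPoint("AP2")
    rogue = AccessPoint("rogue", network_secret=b"not-the-network-secret")
    # Step 1: initial authentication assigns a random temporary identifier, so the
    # real identity is never sent in clear text.
    mt_id = b"TMP-" + os.urandom(8).hex().encode()
    # Steps 2-3: AP1 derives the generated key and delivers it to the terminal. The
    # patent encrypts it under the terminal's key; here that channel is assumed secure.
    mt_key = ap1.generated_key(mt_id)
    pkt = build_packet(mt_id, mt_key, b"hello")
    ok_home, _ = ap1.verify(pkt)
    ok_new, payload = ap2.verify(pkt)  # AP2 has never heard of this terminal
    # Impersonation: correct identifier, key derived for a different identifier.
    ok_forged, _ = ap2.verify(build_packet(mt_id, f(b"other-terminal"), b"hello"))
    # Tampering: flip one payload bit, the tag no longer matches.
    i = 1 + len(mt_id)
    ok_tampered, _ = ap2.verify(pkt[:i] + bytes([pkt[i] ^ 0x01]) + pkt[i + 1:])
    ok_rogue, _ = rogue.verify(pkt)  # outside the domain: wrong secret, wrong f
    return {
        "home_ap_accepts": ok_home,
        "new_ap_accepts": ok_new and payload == b"hello",
        "forged_rejected": not ok_forged,
        "tampered_rejected": not ok_tampered,
        "rogue_ap_rejects": not ok_rogue,
    }


if __name__ == "__main__":
    for check, result in handover_demo().items():
        print(f"{check}: {result}")
```

Running the block prints the five checks. The handover step is the point of the patent: AP2 accepts a packet from a terminal it has never exchanged a message with, purely by recomputing f over the cleartext identifier, while a packet built with a key derived for another identifier, a packet with one flipped bit, and an access point outside the domain (different network secret) are all rejected. The caveat a defender would add is that every access point derives every terminal's key from the one network secret, so a single compromised access point, or a leaked lookup table holding f, exposes every terminal's key at once; the patent's requirement that f be unknown outside the access network is the whole security argument.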

Description

METHOD AND ARRANGEMENT FOR COMMUNICATIONS SECURITY
TECHNICAL FIELD
This invention is concerned with a method and arrangement in a communication network for establishing a secure connection between one or more access points and a terminal in a network. The invention is especially advantageous at handover processes in wireless packet based networks for communication with a mobile terminal.
BACKGROUND
A security risk in wireless communication is that the information can be listened in to or intercepted by unauthorised entities. Therefore, most wireless networks include some kind of built-in security functions. In the network there are of course, in addition to the different built-in security functions, access points which may require passwords and other information for entering the wireless network.
A risk in a packet data based network is that the packets transferred in the network may arrive at or be caught by wrong terminals. Another risk is that a terminal may impersonate another one and send packets on behalf thereof.
Hence, wireless packet data systems include the security risks of both wireless communication and packet data networks. These risks can potentially make the system highly vulnerable to security attacks. Reliable security functions are essential in getting wireless packet data networks widely accepted.
Other methods of making the communication between terminals communicating with each other in a network secure are end-to-end authentication and encryption. These methods ensure that the receiver can verify that a data packet has really been transmitted by the claimed sender and that third parties capturing data packets cannot understand their content, because it cannot be read without a given decryption key. Because packets can be captured and forged over wired as well as wireless links, end-to-end security solutions need not be wireless specific.
In wireless access networks, however, packets exchanged between mobile terminals and wireless access points also carry important control information related to mobile users. This represents a potential security risk enabling malicious users to listen to or forge control information. Forged packets could interfere with routing, charging, location management or other functions associated with the attacked user. In addition to end-to-end security functions, wireless access networks therefore have local mechanisms to authenticate and encrypt packets exchanged between mobile devices and wireless access points.
By decoupling local authentication and encryption mechanisms from end-to-end security support, it is ensured that charging and authentication information related to a particular mobile user remains protected even when the user is engaged in a "regular", i.e. unprotected, session. In addition, decoupling allows mobile users to run secure data sessions over a secure wireless network without sharing end-to-end secret keys with the access network. It is furthermore advantageous if the endpoint of this local secure relationship at any time is the access point to which the mobile terminal is actually connected. This allows packets originating from mobile units to be authenticated as soon as they enter the access network. This is important because packets originating from mobile units may trigger actions related to charging and routing information associated with the sending mobile device.
Different methods of implementing secure relationships exist. Symmetric methods rely on a secret key shared by two or more entities. This key must be exchanged between the communicating parties prior to communication, and the same key is used for both encryption and decryption. Before transmitting a packet, the sender uses the secret key to compute an authentication field or to encrypt a payload. The receiver uses the same key to verify the authentication field or to decrypt the packet. An example of a method of exchanging secret keys is disclosed in the RFC 2409 standard concerned with Internet Key Exchange. A secret key based packet authentication mechanism is presented in P. Metzger, W. Simpson, "IP Authentication using Keyed MD5", Internet RFC 1828, August 1995.
Asymmetric security solutions rely on pairs of public and private keys. An entity willing to send authenticated packets uses its own private, e.g. secret, key to generate the authentication field. In addition, the sender advertises the public key associated with its private key. Authentication data generated by a given private key can only be decoded using the associated public key. This allows receivers having the public key to determine whether the packet was really transmitted by the claimed sender.
PGP digital signatures are an example of asymmetric authentication. By means of the PGP software, two binary numbers are generated, the public and the private key. These are saved in a separate file, but the public key is converted to ASCII format so that it can be distributed to everyone that intends to send messages to the user. The private key shall be kept secret and it is even encrypted before saving.
In summary, both symmetric and asymmetric security techniques require the receiver to have some kind of security information associated with the sender. In symmetric solutions, this information is the shared secret key, whereas in asymmetric solutions it is the sender's public key. Security information must either be available to the sender and the receiver prior to communication or it must be obtained when the communication session is established.
A mobile terminal is allowed to roam large areas while maintaining connectivity to a wired network. The terminals may migrate from one access point to another during active communication sessions by means of handover methods. In a handover process, the access point through which the communication is performed is changed. Security considerations require the mobile terminal to have a secure relationship with the access point to which it is actually attached.
Due to the potentially large number of access points and mobile devices, there are benefits of not having a pre-established secure relationship with all access points of an access network. Instead, a secure relationship is established as the mobile terminal migrates to an access point.
Conventional methods require the access point to obtain security information from a central server at handover. These solutions do not give a smooth handover, because of the time that they require, and they are therefore in conflict with the quality requirements of access networks. In addition, such methods encounter scalability problems, because the central server both concentrates the load and represents a single point of failure. Finally, such server-based methods rely on explicit signalling messages between access points and servers, which raises problems in low-end packet data environments built without signalling, such as those described in A. Valkó, "Cellular IP - A new approach to Internet Host Mobility", ACM Computer Communication Review, Vol. 29, No. 1, January 1999, pp. 50-65.
Another solution is for the access point to obtain security information from an adjacent access point, to which the mobile terminal was connected prior to handover. Whereas this solution eliminates the scalability problems of the server approach, it has similar disadvantages in that it relies on explicit signalling messages. In addition, some access networks may not support direct communication between access points.
MOTOROLA INC. discloses an example of a prior art handover method in the published International Patent Application WO 96/36191. It describes a system in which handover involves exchanging control messages between access points and (semi-)centralised control points. This system also makes it possible for security information related to the mobile device to be exchanged in the same way. The method disclosed in this prior patent application needs centralised control and control messaging at handover. Another example of a method that involves control messages between access points at handover is disclosed in the published European Patent Application 0 851 633, filed by LUCENT TECHNOLOGIES INC. In GSM (Global System for Mobile Communications), a conventional authentication method is used in which the mobile device is not in a secure relationship with the access point or base station. Instead, it is in a secure relationship with the MSC, see M. Mouly, M-B. Pautet, "The GSM System for Mobile Communication", ISBN 2-9507190-0-7. A description of the GSM authentication details can also be found in the published International Patent Application WO 97/01943, p. 11, lines 1-25, where these details are described as prior art.
Thus, existing methods of establishing a secure relationship between mobile terminals and access points have serious limitations. Whereas the server-based approach is applicable to cellular telephony networks, it becomes inefficient in packet data systems, in which the cell sizes are typically smaller and handovers thus more frequent.
The published International Patent Application WO 97/01943 instead discloses a solution to a problem similar to that of the present invention, i.e. avoiding authentication-related messages between the base station and the central server for economic reasons. This prior art method uses a concept in which messages between the old and the new base stations are instead exchanged via the terminal.
SUMMARY OF THE INVENTION
The object of the present invention is to provide a method in which the mobile device is not required to act as a relay station, so that the constrained radio resources and power available to the mobile device are not used for this purpose. In addition, relaying through the mobile device only works if the mobile spends a sufficient amount of time within the area in which both access points are reachable by wireless communication. Furthermore, the method disclosed in the cited International Patent Application WO 97/01943 is only capable of providing authentication once, when handover is performed. An object of this invention is to find a more general method in which any message sent between a mobile device and an access point can use the shared secret for security.
The general object of the invention is to provide a method that allows mobile terminals to establish secure relationships in a very short time at handover.
In addition, in view of the recent emergence of low-end access networks having no signalling support, an object of the invention is to provide a method that does not presuppose the use of any signalling messages for handover.
Thus, in general terms, a method is provided for use in a packet based communication network for establishing a secure communication between an access point and an entity, the network comprising an access network having access points for two or more entities belonging to the access network. An entity in the network contacts a first access point in the access network with the intention of initiating a session. A secret key is generated from the information obtained from the entity at the first access point, using a converter known by two or more access points of the network. The secret key is sent from the first access point to the entity in encrypted form and is decrypted at the entity. The secret key is then used as a shared security key in communication between the mobile terminal and any access point of the network that knows the converter.
In the network as described herein, a function is stored in the access points for generating a secret key from identification information of the entities in the access network.
Initial authentication can be performed by the entity, by communicating identification information of the entity to a first access point in the network to prove the identity of the entity.
The identification information is non-encrypted or encrypted using a key that is shared by all entities in the access network.
The generation of the secret key in the converter can be carried out by means of a function f, or by means of a secret number shared by the access points, which use it as a parameter for a pre-defined, well-known function generating the secret key. The function f can be stored by the access point in mathematical form or as a lookup table. The input of the function f can be the identification information of the first entity, and the output is an arbitrary password.
An important benefit of the invention is that secure communication between an access point in the access network and the mobile terminal can be achieved without any previous signalling about the identity of the mobile terminal. Even though no access point knows the password of every mobile device in advance, authentication and/or encryption can be achieved between a mobile device and any access point or base station with this method. This is achieved with the function f, which is used to generate a password for each mobile terminal. To the mobile device the password appears random, but from the point of view of the access point it is not random, as it is generated by the same function.
The method can support any secret-based authentication or encryption algorithm, for example CAST or IDEA. CAST is described in RFC 2144. IDEA is the International Data Encryption Algorithm, described at http://www.ascom.ch/infosec/idea.html. No signalling messages in the access network are required, except for the initial distribution of the generated secret key. Avoiding signalling messages at handover makes handover smoother, because the only handover delay is the time it takes to derive the secret key and to perform the associated security calculation.
Furthermore, the method described herein can be combined with other security techniques; e.g. mobile terminals may use generated secret keys to authenticate packets and at the same time use the public key of the access network to encrypt the same packets. Due to the low cost involved, it can be used to authenticate each data packet if necessary. In this case, it is advantageous for the access point to temporarily store the generated secret keys of the devices currently connected to it. Finally, the method described herein scales to an almost arbitrary number of access points and mobile terminals. In systems in which handover does not need control information exchange between the old and new access points or between access points and central controllers, it becomes a burden if the security key must be explicitly exchanged between these entities. The method as described herein is especially important in such systems.
In the following, the method is explained by examples. The intention is not to restrict the invention to the details of the following description, as the details can vary within the scope of the claims. For example, even though the example is described in terms of wireless networks, the invention is applicable not only to wireless access networks but to all scenarios in which an entity needs to establish a secure relationship with a set of entities which are in a secure relationship with one another. The main idea is that one entity can perform some initial security negotiation with one of the other entities, and after that initial negotiation the entity must be able to start secure communication without further negotiation and without the other entities having to communicate with one another beforehand.
BRIEF DESCRIPTION OF THE DRAWINGS
- Figure 1 is a schematic view of a network allowing a secure communication between an access point and an entity,
- Figure 2 is a general block scheme of a method performed in the network of Figure 1 for establishing the secure communication, and
- Figure 3 is a detailed example of an embodiment of the invention.
DETAILED DESCRIPTION
In Figure 1, a network 14 is shown, comprising an access network 13 having access points 10, through which mobile terminals 11 can establish communication with the access network. The network also comprises a server 12 storing information on the mobile terminals belonging to the access network.
The access network 13 represents a single administrative domain, and its access points 10 and potentially other entities may have shared secrets, like public encryption keys. In one embodiment, an encryption system comprising public and private keys is used. Thus, all the entities in the access network share the public encryption keys for encryption of their messages, whereas every entity has its own private key for decryption.
All access points are aware of a function f. The function f can be almost any function, as long as each access point knows it. The input of the function is the identifier or identification information of the mobile terminal, and its output is a number.
It should not be easy, e.g. for an intruder, to determine the function f, but it does not have to be a cryptographically strong function. An example of the function f is to compute the MD5 hash, described in R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992, of the concatenation of the mobile terminal identifier and the secret password of the access network, which can be any secret shared by the access points. Instead of sharing a secret function f, the access points can share a secret number and use it as a parameter for a pre-defined, well-known function. Outputs of f may have fixed or variable length. In addition, f is not required to provide different outputs for two different input identifiers. However, f is required to be known by all access points of the network and to be unknown to entities not belonging to the access network. Access points will typically store f either in mathematical form as an algorithm or as a lookup table.
Referring now to Figure 2, a mobile terminal 11 first performs initial authentication and then connects to an access network, according to step 1. This step may be omitted in access networks that allow any device to connect. The initial authentication process may be identical to authentication solutions generally used in the Internet, because it is performed only once and delay requirements can be relaxed. Upon the initial authentication, the access network uses its secret function f to convert the mobile terminal identifier to an output that will here be called the generated secret key, in accordance with step 2. This output is then communicated to the mobile terminal in accordance with step 3, using encryption so that other terminals cannot capture it. After that, communication between the mobile terminal and the access point can take place using the generated secret key: the mobile terminal can send messages via the access point, and messages from the access point can be sent, using the generated secret key.
The generated secret key can be used for encryption of packets. Other aspects of security are authentication, data integrity and non-repudiation. In this application, encryption means protecting the content of messages so that only those users who have the right key can read it. In authentication, the receiver verifies that the message was transmitted by the claimed origin and not by somebody else. In non-repudiation, it can be proved that the sender transmitted the message or that the receiver received it.
One possible solution of the initial authentication and transmitting the generated secret key is described in Figure 3. Using the same reference numbers as in Figure 1, the access points are indicated by the reference number 10, the mobile terminals by the reference number 11 and the server by the reference number 12.
When a mobile terminal 11 starts a session, it first communicates its global mobile terminal identifier to an access point 10 of the access network in step 1'. This allows the access network to find and contact a server 12 in step 2' that holds security information related to the mobile terminal 11. In step 4', the access network downloads the public cryptographic key of the mobile terminal 11, sent from the server 12 in step 3', and uses it to encrypt the generated secret key in step 5'. Alternatively, the access point can obtain a private encryption key and use it to encrypt the generated secret key, since a message can be encrypted using either the public or the private encryption key. The access network can obtain the secret private key of the mobile terminal if it has a secure relationship with the "home" of the mobile terminal or with any server that knows this private key. It can then fetch the private key and use it for encryption.
This need not be done by the access point itself. Instead, the access network can have a central unit that does it. When the mobile terminal first contacts one of the access points, this access point informs the central unit that the mobile device has come into contact. The central unit then contacts the home of the mobile terminal and obtains the secret key, provided there is trust between the access networks. Next, it encrypts the generated secret key using the private key and sends it to the terminal.
Next, the encrypted generated secret key is transmitted over the wireless channel to the mobile terminal 11, as indicated in step 6'. If the mobile terminal 11 is indeed the device it claims to be, it can decrypt the generated secret key, in accordance with reference number 7', using its private encryption key. The transmitted message is useless to any other mobile terminal. The mobile terminal 11 can now use the generated secret key to authenticate or encrypt its packets, in accordance with reference number 8', and send them to any access point in the access network.
Following the initial authentication, the mobile terminal shares a secret with all access points of the access network. This is achieved without the mobile terminal ever having contacted the other access points, and hence the method is scalable to very large networks. The mobile terminal and the access points can now use any shared-secret based security technique available. At the same time, the access network has a different secret to share with each mobile terminal.
Even though the mobile terminal can use the generated secret key to authenticate and/or encrypt its packets, the identifier of the mobile terminal is never encrypted using the generated secret key. The identifier is either not encrypted at all or it is encrypted using another key that is shared by all mobile terminals, e.g. the public encryption key of the access network. This allows the access points to identify the claimed sender of received packets. The access point then uses f to compute the generated secret key of the claimed sender.
Using the generated secret key, the access point can then check the authentication information to verify the identity of the sender and/or decrypt the packet. Similarly, access points can use the generated secret key to encrypt or authenticate a packet transmitted to a given mobile terminal, which can then decrypt or verify the packet using its own generated secret key.
If a sequence of authenticated/encrypted packets from the same mobile terminal is likely to arrive at the access point, the access point may temporarily store the mapping from mobile terminal identifiers to generated secret keys, in order to avoid frequent recomputation of generated secret keys.
In systems using non-encrypted wireless channels, the transmission of plain-text mobile terminal identifiers is not acceptable if the identity of attached mobile devices is to be kept secret. In these cases, the initial authentication process can include assigning a temporary identifier to the mobile terminal, either chosen at random or generated by encrypting the real identifier using the public cryptographic key of the access network. The secret key is then generated from the temporary identifier; in all other respects the mechanism remains the same.
Some wireless channels have built-in security, whereas others have none. In the latter case, higher layers will provide the security information. The invention is applicable in both cases.
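The converter f, the identifier carried in the clear on every packet, the key cache and the temporary identifier described above, as an added example in Python. This is not code from the patent or from Ericsson; the packet layout, the class and function names and the use of an HMAC-SHA256 tag are this example's own choices. Two access points share only the network secret and never exchange a message; a terminal that performed its initial authentication at the first is accepted at the second, while tampered, forged and foreign-domain packets are rejected. The MD5(identifier || secret) form quoted in the description is included to match the text, but the HMAC variant is what a practitioner should deploy: a secret-suffix hash is not a sound MAC construction and MD5 is obsolete. The encrypted delivery of the generated key to the terminal (steps 3' to 7' of Figure 3) is abstracted to a direct return value.

```python
# Added example (not the patent's or Ericsson's code); packet layout, names and
# the HMAC-SHA256 tag are this example's own choices.
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag appended to each packet


def f_md5_suffix(identifier: bytes, network_secret: bytes) -> bytes:
    """The description's own example f: MD5(identifier || network secret).
    Kept only to match the text: a secret-suffix hash is not a sound MAC."""
    return hashlib.md5(identifier + network_secret).digest()


def f_hmac(identifier: bytes, network_secret: bytes) -> bytes:
    """'Secret number as parameter of a well-known function', done properly."""
    return hmac.new(network_secret, identifier, hashlib.sha256).digest()


# Packet layout (example's own): id_len(1) | identifier | payload | tag(32).
# The identifier is never encrypted under the generated key: the receiver
# needs it in the clear to run f and recover the key of the claimed sender.
def build_packet(identifier: bytes, key: bytes, payload: bytes) -> bytes:
    body = struct.pack("B", len(identifier)) + identifier + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_packet(packet: bytes, key_for):
    """Return (identifier, payload) if the tag verifies, else None.
    key_for(identifier) gives the key the receiver attributes to the claimed
    sender; compare_digest avoids a timing oracle on the tag."""
    if len(packet) < 1 + TAG_LEN or len(packet) < 1 + packet[0] + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    identifier = body[1:1 + packet[0]]
    key = key_for(identifier)
    if key is None or not hmac.compare_digest(
            tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return identifier, body[1 + packet[0]:]


class AccessPoint:
    """Holds only the network secret (hence f); never talks to other APs."""

    def __init__(self, network_secret: bytes, converter=f_hmac):
        self._secret, self._f = network_secret, converter
        self.cache = {}  # identifier -> generated key, avoids recomputing f

    def generated_key(self, identifier: bytes) -> bytes:
        if identifier not in self.cache:
            self.cache[identifier] = self._f(identifier, self._secret)
        return self.cache[identifier]

    def receive(self, packet: bytes):
        return verify_packet(packet, self.generated_key)

    def send_to(self, identifier: bytes, payload: bytes) -> bytes:
        return build_packet(identifier, self.generated_key(identifier), payload)


class MobileTerminal:
    def __init__(self, real_identifier: bytes):
        self.real_identifier = self.identifier = real_identifier
        self.generated_key = None

    def attach(self, ap: AccessPoint, hide_identity: bool = False) -> None:
        """Initial authentication at one access point (Figure 2, step 1).
        Encrypting the key to the terminal (Figure 3, steps 3'-7') is
        abstracted to a direct return value."""
        if hide_identity:  # random temporary identifier assigned by the network
            self.identifier = os.urandom(8)
        self.generated_key = ap.generated_key(self.identifier)

    def send(self, payload: bytes) -> bytes:
        return build_packet(self.identifier, self.generated_key, payload)

    def receive(self, packet: bytes):
        def own_key(ident):  # a terminal knows only its own generated key
            return self.generated_key if ident == self.identifier else None
        return verify_packet(packet, own_key)


def demo(hide_identity: bool = False) -> dict:
    """Roaming scenario; returns the observations the description predicts."""
    secret = os.urandom(32)                   # shared by ap1 and ap2 only
    ap1, ap2 = AccessPoint(secret), AccessPoint(secret)
    foreign_ap = AccessPoint(os.urandom(32))  # another administrative domain
    mt = MobileTerminal(b"imsi-240011234567890")  # constructed identifier
    mt.attach(ap1, hide_identity)
    pkt = mt.send(b"hello after handover")
    accepted = ap2.receive(pkt)               # ap2 never saw mt before
    tampered = bytearray(pkt)
    tampered[1 + len(mt.identifier)] ^= 0x01  # flip the first payload byte
    forged = build_packet(mt.identifier, os.urandom(32), b"x")  # no secret
    downlink = mt.receive(ap2.send_to(mt.identifier, b"ack"))
    return {
        "accepted_payload": accepted[1] if accepted else None,
        "tampered_rejected": ap2.receive(bytes(tampered)) is None,
        "forged_rejected": ap2.receive(forged) is None,
        "foreign_ap_rejects": foreign_ap.receive(pkt) is None,
        "downlink_payload": downlink[1] if downlink else None,
        "real_id_on_air": mt.real_identifier in pkt,
        "ap2_cache_entries": len(ap2.cache),
    }
```

demo() returns its observations instead of printing them so they can be checked; demo(hide_identity=True) runs the temporary-identifier variant, in which the real identifier never appears on the air. The foreign access point holds a different network secret and therefore derives a different key for the same identifier, which is exactly why the scheme is confined to one administrative domain. Note that this example only authenticates packets; the description also allows the generated key to be used for encryption, and the identifier must still travel in the clear (or under the network-wide public key) in that case.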

Claims

1. A method in a communication network (14) for establishing a secure communication between an access point (10) and an entity (11), the communication network being a packet based network comprising an access network (13) having access points for at least two entities belonging to the access network, the method characterized by the steps of: a) contacting a first access point by an entity in the access network with the intention of initiating a session from the entity in the communication network, b) generating a secret key from the information obtained from the entity at the first access point by a converter known by two or more access points of the network, c) sending the secret key from the first access point to the entity using encryption, d) decrypting the secret key at the entity, and e) using the secret key as a shared security key in communication between the mobile terminal and any access point of the network knowing the converter.
2. A method according to claim 1, characterized in that step a) is carried out by performing initial authentication by the entity.
3. A method according to claim 2, characterized in that the initial authentication is carried out by communicating identification information of the entity to a first access point in the network to prove the identity of the entity.
4. A method according to claim 3, characterized in that the identification information is encrypted using a key that is shared by all entities in the access network.
5. A method according to claim 3, characterized in that the identification information is non-encrypted.
6. A method according to any of claims 1 - 5, characterized in that the generation of the key in step b) is carried out by means of a function f.
7. A method according to any of claims 1 - 5, characterized in that the generation of the key in step b) is carried out by means of a secret number shared by the access points, which use it as a parameter for a pre-defined, well-known function generating the secret key.
8. A method according to claim 6, characterized in that the function f is stored by the access point in a mathematical form or as a lookup table.
9. A method according to claim 6, characterized in that the input of the function f is the identification information of the first entity and the output is a password.
10. A method according to any of claims 1 - 9, characterized in that after having received the identification information of the entity, the access point contacts a server (12) having information on the entities belonging to the access network to download a public cryptographic key of the entity, which is used in the encryption of step c).
11. A method according to any of claims 1 - 9, characterized in that after having received the identification information of the entity, the access point contacts a server having, or being allowed to obtain, information about the entities belonging to the access network to download a private cryptographic key of the entity, which is used in the encryption of step c).
12. A method according to any of claims 1 - 11, characterized in that the encryption is performed by the access point.
13. A method according to any of claims 10 or 11, characterized in that the encryption is performed by the server.
14. A method according to any of claims 1 - 13, characterized in that the decryption of step d) is carried out using a private encryption key of the entity.
15. A method according to any of claims 1 - 14, characterized in that in step e) the generated secret key is used by the entity for authentication, data integrity, non-repudiation and/or encryption of its packets.
16. A method according to claim 15, characterized in that the authentication information or the packets sent from the entity is/are decoded at the access point using the generated secret key.
17. A method according to any of claims 1 - 16, characterized in that the generated secret key is used by the access points to send protected messages to the mobile terminal.
18. A method according to any of claims 1 - 17, characterized in that the access network is a wireless access network and the entities are mobile terminals.
19. A packet based network, comprising an access network (13) having access points (10) for at least two entities (11) belonging to the access network, allowing a secure communication between the access points of the access network and an entity, characterized by a function f stored in the access points for generating a secret key from identification information of the entities in the access network.
20. A packet based network according to claim 19, characterized in that the function f is stored by the access point in a mathematical form or as a lookup table, by means of which the secret key can be generated.
PCT/SE2000/001795 1999-09-20 2000-09-15 Method and arrangement for communications security WO2001022685A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU76942/00A AU7694200A (en) 1999-09-20 2000-09-15 Method and arrangement for communications security

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9903370-6 1999-09-20
SE9903370A SE519471C2 (en) 1999-09-20 1999-09-20 Method for establishing a secure connection between access points and a mobile terminal in a packet switched network

Publications (1)

Publication Number Publication Date
WO2001022685A1 true WO2001022685A1 (en) 2001-03-29

Family

ID=20417062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2000/001795 WO2001022685A1 (en) 1999-09-20 2000-09-15 Method and arrangement for communications security

Country Status (3)

Country Link
AU (1) AU7694200A (en)
SE (1) SE519471C2 (en)
WO (1) WO2001022685A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997001943A1 (en) * 1995-06-29 1997-01-16 Ericsson Inc. Authentication and handover methods and systems for radio personal communications
WO1997012461A1 (en) * 1995-09-27 1997-04-03 Telefonaktiebolaget Lm Ericsson (Publ) Method for encryption of information
US5850444A (en) * 1996-09-09 1998-12-15 Telefonaktienbolaget L/M Ericsson (Publ) Method and apparatus for encrypting radio traffic in a telecommunications network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MOLVA R ET AL: "AUTHENTICATION OF MOBILE USERS", IEEE NETWORK: THE MAGAZINE OF COMPUTER COMMUNICATIONS,US,IEEE INC. NEW YORK, vol. 8, no. 2, 1 March 1994 (1994-03-01), pages 26 - 34, XP000515077, ISSN: 0890-8044 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2374497A (en) * 2001-04-03 2002-10-16 Ericsson Telefon Ab L M Facilitating legal interception of IP connections
GB2374497B (en) * 2001-04-03 2003-03-12 Ericsson Telefon Ab L M Facilitating legal interception of IP connections
EP1322091A1 (en) * 2001-12-19 2003-06-25 Canon Kabushiki Kaisha Communication system, server device, client device and method for controlling the same
US7424605B2 (en) 2001-12-19 2008-09-09 Canon Kabushiki Kaisha Communication system, server device, client device and method for controlling the same
WO2004034717A1 (en) * 2002-09-30 2004-04-22 Siemens Aktiengesellschaft Verifying check-in authentication by using an access authentication token
US7171202B2 (en) 2002-09-30 2007-01-30 Siemens Aktiengesellschaft Verifying check-in authentication by using an access authentication token
KR100628566B1 (en) * 2005-04-25 2006-09-26 삼성전자주식회사 Method for security information configuration wlan
WO2010127806A1 (en) * 2009-05-06 2010-11-11 Heinrich-Heine-Universität Düsseldorf Method for sharing wireless access points to a communications network

Also Published As

Publication number Publication date
SE9903370L (en) 2001-03-21
AU7694200A (en) 2001-04-24
SE9903370D0 (en) 1999-09-20
SE519471C2 (en) 2003-03-04

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP