WO2009051405A2 - Method for establishing a security association in an inter-RAT handover - Google Patents

Method for establishing a security association in an inter-RAT handover

Info

Publication number
WO2009051405A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
base station
mobile station
related information
network
Prior art date
Application number
PCT/KR2008/006080
Other languages
English (en)
Other versions
WO2009051405A3 (fr)
Inventor
Gene Beck Hahn
Ae Ran Youn
Sung Woong Ha
Gi Won Park
Original Assignee
Lg Electronics Inc.
Priority date
Filing date
Publication date
Priority claimed from KR20080080904A (KR101481558B1)
Application filed by LG Electronics Inc.
Priority to US12/738,391 (US8731194B2)
Publication of WO2009051405A2
Publication of WO2009051405A3

Classifications

    All under H (Electricity), H04 (Electric communication technique):
    • H04L 63/08: Network architectures or network communication protocols for network security; authentication of entities
    • H04L 63/0892: authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04W 12/068: Security arrangements; authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W 12/069: Security arrangements; authentication using certificates or pre-shared keys
    • H04W 36/0016: Hand-off or reselection arrangements; hand-off preparation specially adapted for end-to-end data sessions

Definitions

  • The present invention relates to a radio access system, and more particularly to a method of establishing a security association during handover between heterogeneous radio access networks.
  • the IEEE 802.16 standard supports a privacy and key management (PKM) protocol.
  • The PKM protocol is a protocol that securely distributes key-related data from a base station to a mobile station. Using PKM, the mobile station and the base station share the key-related data, and the base station can control access to the network.
  • The PKM protocol supports both mutual (bi-directional) and unidirectional authentication. It also supports periodic re-authentication and key update, an Extensible Authentication Protocol (EAP, IETF RFC 3748) based authentication mode, an X.509 digital certificate (IETF RFC 3280) based authentication mode using the Rivest-Shamir-Adleman (RSA) public key algorithm, and a mode in which an EAP based authentication procedure is performed after the RSA based procedure.
  • The PKM protocol performs key exchange between the mobile station and the base station using strong cryptographic algorithms.
  • The PKM sublayer can use various authentication protocols, for example RSA and the Extensible Authentication Protocol (EAP).
  • The IEEE 802.1X standard uses EAP for wired and wireless LANs.
  • IEEE 802.1X defines the format and procedure of the EAPoL (EAP over LAN) frame that carries EAP messages, and prescribes that network access through a physical port of an access point is allowed only after the user has been authorized for that port by the authentication server.
  • FIG. 1 is a diagram illustrating an example of the layered structure and elements of an 802.1X system.
  • An access point that supports 802.1X implements the protocol stack of almost all layers, including Internet Protocol (IP), User Datagram Protocol (UDP) and a Remote Authentication Dial-In User Service (RADIUS) client function, as well as the EAPoL processing function.
  • The 802.1X layering is as follows.
  • The lower layer that carries EAP frames can be EAPoL, the Point-to-Point Protocol (PPP), RADIUS, etc.
  • The EAP layer transmits, receives and relays EAP packets, and performs retransmission and duplicate detection.
  • The EAP layer classifies EAP packets by the Code field of the EAP packet header and passes them to the EAP peer layer or the EAP authenticator layer.
  • The EAP peer and authenticator layers pass EAP packets to the corresponding EAP method layer according to the Type field of the packet.
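The Code/Type demultiplexing just described, as an added example that is not part of the patent text or of any IEEE 802.1X implementation: a small RFC 3748 EAP header parser in Python that validates the header, then dispatches by Code to the peer or authenticator side and by Type to a method handler. The Code and Type values are those of RFC 3748 and the IANA EAP method registry; the sample frames are constructed for this example.

```python
"""Added example: parse an RFC 3748 EAP packet and dispatch it the way the 802.1X
EAP layer does (by Code), then the peer/authenticator layer (by Type)."""
import struct

# RFC 3748 Code values
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# Method Type values from the IANA EAP registry (only the ones this page mentions)
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 18: "EAP-SIM", 23: "EAP-AKA"}


def parse_eap(pkt: bytes) -> dict:
    """Decode Code/Identifier/Length/Type; raise ValueError on malformed input.
    Length covers the whole EAP packet; bytes past Length are lower-layer padding
    and are ignored, while a Length larger than the packet is an error."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError(f"bad EAP length {length} for {len(pkt)}-byte packet")
    body = pkt[4:length]
    info = {"code": code, "id": ident, "length": length, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        info["type"], info["data"] = body[0], body[1:]
    elif body:
        raise ValueError("Success/Failure must not carry data")
    return info


def is_malformed(pkt: bytes) -> bool:
    """True if the packet would be dropped by the EAP layer."""
    try:
        parse_eap(pkt)
        return False
    except ValueError:
        return True


def dispatch(pkt: bytes, role: str) -> str:
    """role is 'peer' (supplicant side) or 'authenticator'. The EAP layer routes on
    Code; the peer/authenticator layer then routes on Type to a method."""
    info = parse_eap(pkt)
    code, name = info["code"], EAP_TYPE_NAMES.get(info["type"], info["type"])
    if role == "peer":
        if code == EAP_REQUEST:
            return f"peer: method {name}"
        if code == EAP_SUCCESS:
            return "peer: success"
        if code == EAP_FAILURE:
            return "peer: failure"
        return "peer: dropped (Responses are not for the peer)"
    if role == "authenticator":
        if code == EAP_RESPONSE:
            return f"authenticator: method {name}"
        return "authenticator: dropped"
    raise ValueError("role must be 'peer' or 'authenticator'")


# Constructed sample frames (EAP payloads as they would sit inside EAPoL or PKM)
IDENTITY_REQUEST = bytes([EAP_REQUEST, 7, 0, 5, 1])              # Code=1 Id=7 Len=5 Type=Identity
IDENTITY_RESPONSE = bytes([EAP_RESPONSE, 7, 0, 9, 1]) + b"user"  # Len=9, identity "user"
TLS_START = bytes([EAP_REQUEST, 8, 0, 6, 13, 0x20])              # Type=EAP-TLS, Flags=S
SUCCESS_PADDED = bytes([EAP_SUCCESS, 9, 0, 4]) + b"\x00\x00"     # pad bytes past Length
BAD_LENGTH = bytes([EAP_REQUEST, 9, 1, 0, 13])                   # claims 256 bytes, has 5
```

The length check matters in practice: an authenticator that trusts the Length field and reads past the frame is the classic source of out-of-bounds reads in EAP stacks, and a Success packet with trailing padding must still be accepted, since lower layers pad short frames.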
  • FIG. 2 is a flow chart illustrating an authentication procedure for a mobile station of a general IEEE 802.16 system.
  • FIG. 2 relates to an authentication procedure currently in use, and illustrates the message flow and the type of information transmitted.
  • Messages carrying the information exchanged among a mobile station (MS) 200, a base station (BS) 220 and an authentication, authorization and accounting (AAA) server 240 may take various forms.
  • When the mobile station 200 intends to enter the network, it acquires synchronization with the base station 220, performs ranging, and performs basic capability negotiation with the base station through SBC-REQ/RSP messages (S201).
  • Table 1 illustrates an example of the SBC-REQ/RSP message for basic capability negotiation between the mobile station and the base station. [Table 1]
  • The SBC-REQ (SS Basic Capability Request) message is transmitted by the mobile station during initialization, and the base station answers with the SBC-RSP (SS Basic Capability Response) message.
  • The SBC-REQ/RSP messages negotiate basic capabilities between the mobile station and the base station.
  • Basic capability negotiation reports the basic capabilities of the mobile station to the base station immediately after ranging ends.
  • The SBC-REQ/RSP messages include optional parameters in addition to the mandatory ones.
  • Among the parameters of Table 1, those relating to the security association (SA) are the authorization policy support field and the security negotiation parameters.
  • The authorization policy support field is one of the fields of the SBC-REQ/RSP messages and specifies the authorization policy to be negotiated and synchronized between the mobile station and the base station. If the field is omitted, the mobile station and the base station shall use IEEE 802.16 security with X.509 certificates and the RSA public key algorithm as the authorization policy.
  • Table 2 illustrates an example of the authorization policy support field in general use. [Table 2]
  • The security negotiation parameters field, which can be included as shown in Table 2, specifies the security capabilities to be negotiated before initial authorization or re-authorization is performed.
  • Table 3 illustrates an example of the security negotiation parameters field in general use. [Table 3]
  • The PKM Version Support field of Table 3 specifies the PKM version; the mobile station and the base station shall negotiate exactly one PKM version.
  • Table 4 illustrates an example of the PKM version support field, which is generally used. [Table 4]
  • The mobile station 200 then requests EAP authentication from the authentication, authorization and accounting (AAA) server 240 through the base station 220 (S202).
  • Examples of EAP methods are EAP-TLS, which uses an X.509 certificate, and EAP-SIM, which uses a specific type of credential such as a subscriber identity module (SIM).
  • Alternatively, RSA authentication, which uses a public key algorithm, may be used depending on the requirements of the system.
  • In step S202, if authentication of the mobile station (or user) succeeds, the AAA server 240 obtains the master session key (MSK) generated by the EAP based authentication method.
  • The AAA server transmits the MSK to the base station (S203).
  • The base station 220, acting as EAP authenticator, completes the EAP exchange with the mobile station 200 (S204), after which both hold the same MSK. Note that the MSK is not sent over the air: the mobile station derives the same value itself as an output of the EAP method, and only the authenticator receives the MSK from the AAA server.
  • The mobile station 200 and the base station 220 then each derive an authorization key (AK) from the pairwise master key (PMK), which in the EAP based mode is derived from the MSK (S205). The AK is in turn used to derive the keys under which the traffic encryption key (TEK) for communication between the mobile station 200 and the base station 220 is established.
  • The mobile station 200 and the base station 220 share the TEK through a 3-way handshake (S206).
  • The 3-way handshake consists of three messages: SA-TEK Challenge, SA-TEK Request and SA-TEK Response.
  • Through it, the mobile station 200 and the base station 220 generate and share the TEK used to encrypt actual data.
  • Having generated the AK through the authentication procedure and shared the TEK, the mobile station can then complete the network entry procedure (S207).
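The key hierarchy and 3-way handshake of steps S205 and S206, as an added example that is neither the patent's nor the standard's code: both sides derive the PMK, the AK and the AK-derived CMAC and KEK keys from the MSK they hold, then run SA-TEK Challenge, Request and Response with nonce echo and tag checks on every message. Assumptions: HMAC-SHA-256 in a counter-mode KDF stands in for the standard's AES-CMAC based Dot16KDF, truncated HMAC tags stand in for the CMAC digest on PKMv2 messages, an XOR pad derived under the KEK stands in for AES key wrap, and the message layouts are illustrative rather than the PKMv2 TLV encodings. The MSK is a constructed sample.

```python
"""Added example: MSK -> PMK -> AK -> (CMAC keys, KEK) and the SA-TEK 3-way handshake,
simulated in one process with a BS context and an MS context."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode KDF over HMAC-SHA-256. Assumption: stands in for Dot16KDF
    (AES-CMAC based in the standard); the hierarchy, not the primitive, is the point."""
    out, i = b"", 0
    while len(out) < length:
        msg = i.to_bytes(4, "big") + label + length.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_ak(msk: bytes, ms_mac: bytes, bsid: bytes) -> bytes:
    """MSK (64 bytes from EAP) -> PMK (its first 160 bits) -> AK (160 bits).
    The MS MAC address and BSID are bound into the AK, so an AK derived for one
    BS cannot be reused at another: a handover needs a fresh AK or a transferred context."""
    pmk = msk[:20]
    return kdf(pmk, ms_mac + bsid + b"AK", 20)


def ak_context(ak: bytes, ms_mac: bytes, bsid: bytes) -> dict:
    """From the AK: uplink/downlink CMAC keys (message integrity) and the KEK (wraps TEKs)."""
    k = kdf(ak, ms_mac + bsid + b"CMAC_KEYS+KEK", 48)
    return {"cmac_u": k[:16], "cmac_d": k[16:32], "kek": k[32:48]}


def tag(key: bytes, msg: bytes) -> bytes:
    """64-bit message tag (stand-in for the CMAC digest carried in PKMv2 messages)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def wrap(kek: bytes, nonces: bytes, tek: bytes) -> bytes:
    """XOR with a KEK-derived pad bound to both nonces (stand-in for AES key wrap); self-inverse."""
    pad = kdf(kek, b"TEK-WRAP" + nonces, len(tek))
    return bytes(a ^ b for a, b in zip(tek, pad))


def sa_tek_handshake(bs: dict, ms: dict) -> dict:
    """SA-TEK Challenge / Request / Response. Each side checks the tag of what it
    receives and that its own nonce came back, so neither a wrong AK nor a replayed
    message completes the handshake."""
    # 1. SA-TEK Challenge (BS -> MS): fresh BS nonce under the downlink CMAC key
    bs_nonce = os.urandom(8)
    chal = b"CHAL" + bs_nonce
    if not hmac.compare_digest(tag(bs["cmac_d"], chal), tag(ms["cmac_d"], chal)):
        return {"ok": False, "failed_at": "challenge"}
    # 2. SA-TEK Request (MS -> BS): echo BS nonce, add MS nonce, uplink CMAC key
    ms_nonce = os.urandom(8)
    req = b"REQ" + bs_nonce + ms_nonce
    req_tag = tag(ms["cmac_u"], req)
    if req[3:11] != bs_nonce or not hmac.compare_digest(req_tag, tag(bs["cmac_u"], req)):
        return {"ok": False, "failed_at": "request"}
    # 3. SA-TEK Response (BS -> MS): echo both nonces, TEK wrapped under the KEK
    tek = os.urandom(16)
    resp = b"RESP" + bs_nonce + ms_nonce + wrap(bs["kek"], bs_nonce + ms_nonce, tek)
    resp_tag = tag(bs["cmac_d"], resp)
    if resp[4:20] != bs_nonce + ms_nonce or not hmac.compare_digest(resp_tag, tag(ms["cmac_d"], resp)):
        return {"ok": False, "failed_at": "response"}
    ms_tek = wrap(ms["kek"], bs_nonce + ms_nonce, resp[20:])
    return {"ok": True, "bs_tek": tek, "ms_tek": ms_tek}


def run(msk_bs: bytes, msk_ms: bytes,
        ms_mac: bytes = b"\x00\x11\x22\x33\x44\x55", bsid: bytes = b"\x00\x00\x00\x00\x00\x01") -> dict:
    """Each side derives its AK context from the MSK it holds, then they run the handshake.
    Same MSK: both end with the same TEK. Different MSKs: the handshake aborts."""
    bs = ak_context(derive_ak(msk_bs, ms_mac, bsid), ms_mac, bsid)
    ms = ak_context(derive_ak(msk_ms, ms_mac, bsid), ms_mac, bsid)
    return sa_tek_handshake(bs, ms)


# Constructed sample MSK (64 bytes, the size EAP methods export); not real key material.
SAMPLE_MSK = hashlib.sha512(b"constructed sample MSK").digest()

if __name__ == "__main__":
    print(run(SAMPLE_MSK, SAMPLE_MSK)["ok"], run(SAMPLE_MSK, bytes(64))["failed_at"])
```

Two properties the handshake depends on are visible in the code: the AK is bound to the MS address and the BSID, so a mismatched MSK fails already at the challenge, and each side accepts a message only when its own nonce comes back under a valid tag, which is what defeats replay of an earlier handshake against a new AK.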
  • Security association during handover between heterogeneous radio access networks is not defined in the mobile communication systems in general use.
  • In particular, when a mobile station using an IEEE 802.16 network performs handover to another radio access system, no method of establishing a security association for the handover is defined. Such a method is therefore required.
  • In the general communication environment, when a multi-mode mobile station performs handover between heterogeneous radio access networks, it must perform a new authentication and encryption key acquisition procedure as part of the layer 2 handover to the new network.
  • This delays the user service and may cause data loss.
  • One of the basic requirements of the IEEE 802.16m system is interworking with other radio access systems. Accordingly, when a mobile station performs handover from the IEEE 802.16 broadband radio access system to another radio access system, or vice versa, a method of establishing a security association quickly is required.
  • The present invention is directed to a method of establishing a fast security association that substantially obviates one or more problems due to limitations and disadvantages of the related art.
  • An object of the present invention is to provide a method of establishing a fast security association in which service quality is not degraded when a mobile station performs handover between heterogeneous networks.
  • Another object of the present invention is to provide a method of establishing a fast security association in which the authentication server of the serving radio access network transfers the authentication result for a mobile station to the target network authentication server, without a separate authentication of that mobile station, when the mobile station performs handover between heterogeneous networks.
  • In one aspect, a method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises transmitting a request message to a serving base station, the request message requesting the serving base station to transfer authentication related information of the mobile station to a target network authentication server; and receiving a response message from the serving base station before the handover to the target base station is performed, the response message including security related information used in the target network.
  • The method may further comprise transmitting a message to the serving base station requesting an inter-RAT authorization policy support parameter, and receiving a message including the parameter from the serving base station.
  • The authentication related information includes information representing whether the serving network of the mobile station has successfully authenticated it.
  • The security related information includes RAND and Kc if the target network is a GSM system, and RAND, AUTN, CK and IK if the target network is a UMTS system.
  • The request message is a PKM request message (PKM-REQ).
  • The response message is a PKM response message (PKM-RSP).
  • In another aspect, a method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises receiving a request message requesting transfer of authentication related information of a mobile station to a target network authentication server; transmitting a message including the authentication related information of the mobile station to a serving network authentication server; receiving a message including security related information used in the target network from the serving network authentication server; and transmitting the message including the security related information to the mobile station.
  • Before receiving the request message requesting transfer of authentication related information of the mobile station to the target network authentication server, the method may further comprise receiving a message from the mobile station requesting an inter-RAT authorization policy support parameter, and transmitting a message including the parameter to the mobile station.
  • The authentication related information includes information representing whether the serving network of the mobile station has successfully authenticated it.
  • The security related information includes RAND and Kc if the target network is a GSM system, and RAND, AUTN, CK and IK if the target network is a UMTS system.
  • In another aspect, a method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises receiving a message from a serving base station including authentication related information of a mobile station; transmitting a message including the authentication related information and requesting security related information used in the target network to a target network authentication server; receiving a message including the security related information from the target network authentication server; and transmitting the security related information to the serving base station.
  • The authentication related information includes information representing whether the serving network of the mobile station has successfully authenticated it.
  • The security related information includes RAND and Kc if the target network is a GSM system, and RAND, AUTN, CK and IK if the target network is a UMTS system.
  • In another aspect, a method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises receiving, from a serving authentication server, a message including authentication related information of a mobile station and requesting security related information used in the target network; searching for the security related information used in the target network; and transmitting the found security related information to the serving authentication server before the handover is performed.
  • The authentication related information includes information representing whether the serving network of the mobile station has successfully authenticated it.
  • The security related information includes RAND and Kc if the target network is a GSM system, and RAND, AUTN, CK and IK if the target network is a UMTS system.
  • In another aspect, a method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises transmitting an authentication transfer request message to a serving base station, the authentication transfer request message including authentication related information of a mobile station; transmitting an authentication information transfer request message from the serving base station to a serving network authentication server, the authentication information transfer request message including the authentication related information; transmitting a security context transfer request message from the serving network authentication server to a target network authentication server, the security context transfer request message including the authentication related information and requesting security related information of the target network; searching for the security related information used in the target network, through the target network authentication server; transmitting a security context transfer response message to the serving network authentication server, the security context transfer response message including the found security related information; transmitting an authentication information transfer response message from the serving authentication server to the serving base station, the authentication information transfer response message including the security related information; and transmitting an authentication transfer response message from the serving base station to the mobile station before the handover is performed, the authentication transfer response message
  • Accordingly, the mobile station can efficiently perform handover between heterogeneous radio access networks.
  • Before the mobile station performs handover to a target base station in a heterogeneous radio access network, establishing a fast security association with the target (heterogeneous) network authentication server improves service quality during the handover.
  • A mobile station receiving service from the IEEE 802.16 (WiMAX) system that performs handover to a heterogeneous radio access network such as a 3GPP network can thus obtain seamless service, using security related information of the target network acquired before the handover.
  • The heterogeneous authentication servers can determine whether the mobile station may access the corresponding network during such a handover by exchanging the authentication result of the mobile station with each other. Accordingly, the authentication servers can transfer the security contexts generated for confidentiality and integrity to the radio network through a pre-authentication protocol or an AAA protocol between the AAA servers, rather than at the EAP level.
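The pre-handover exchange of the claims above, as an added in-process simulation that is not the patent's code and not a 3GPP or WiMAX implementation: the MS sends the authentication transfer request as a PKM-REQ to the serving BS, the serving AAA forwards only the authentication result to the target AAA, and the target AAA returns (RAND, Kc) for a GSM target or (RAND, AUTN, CK, IK) for a UMTS target, which travel back to the MS before the handover. The target server refuses when the serving network has not authenticated the MS, which is the check the "information representing whether a serving network has successfully performed authentication" exists for. Assumptions: HMAC-SHA-256 stands in for the protection of both the inter-AAA protocol and the PKM messages; the context values are constructed, deterministic stand-ins rather than AuC output; class, field and message names are this example's.

```python
"""Added example: MS -> serving BS -> serving AAA -> target AAA and back, before handover."""
import hashlib
import hmac
import json


def protect(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256 tag. Assumption: stands in for the protection of the pre-authentication
    or AAA protocol between servers and for the CMAC on PKM messages over the air."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, protect(key, msg))


class TargetAAA:
    """Target-network authentication server (GSM or UMTS side)."""

    def __init__(self, rat: str, inter_aaa_key: bytes):
        if rat not in ("GSM", "UMTS"):
            raise ValueError(rat)
        self.rat, self.key = rat, inter_aaa_key   # key set up under the roaming agreement

    def security_context_transfer(self, req: bytes, tag: bytes):
        """Security context transfer request -> (response, tag), or (None, b'') on refusal."""
        if not verify(self.key, req, tag):
            return None, b""                       # not from a server we share a key with
        r = json.loads(req)
        if not r.get("auth_success"):
            return None, b""                       # serving network never authenticated this MS
        body = {"imsi": r["imsi"], "rat": self.rat, "ctx": self._search(r["imsi"])}
        resp = json.dumps(body).encode()
        return resp, protect(self.key, resp)

    def _search(self, imsi: str) -> dict:
        """'Searching the security related information used in the target network'.
        Constructed values derived from the IMSI stand in for an AuC-produced vector."""
        h = lambda lbl, n: hashlib.sha256(f"{lbl}:{imsi}".encode()).hexdigest()[:2 * n]
        if self.rat == "GSM":
            return {"RAND": h("RAND", 16), "Kc": h("Kc", 8)}
        return {"RAND": h("RAND", 16), "AUTN": h("AUTN", 16), "CK": h("CK", 16), "IK": h("IK", 16)}


class ServingAAA:
    """Serving-network (IEEE 802.16) authentication server."""

    def __init__(self, inter_aaa_key: bytes, target: TargetAAA):
        self.key, self.target = inter_aaa_key, target
        self.subscribers = {}    # temporary id -> (IMSI, EAP result recorded at network entry)

    def authentication_info_transfer(self, info: dict):
        imsi, auth_ok = self.subscribers.get(info["ms_id"], (None, False))
        if imsi is None:
            return None
        # Only the authentication result crosses to the target network, never the serving keys
        req = json.dumps({"imsi": imsi, "auth_success": auth_ok}).encode()
        resp, tag = self.target.security_context_transfer(req, protect(self.key, req))
        if resp is None or not verify(self.key, resp, tag):
            return None
        return json.loads(resp)


class ServingBS:
    """Serving base station; cmac_key is derived from the AK it shares with the MS."""

    def __init__(self, aaa: ServingAAA, cmac_key: bytes):
        self.aaa, self.cmac_key = aaa, cmac_key

    def pkm_req(self, msg: bytes, tag: bytes):
        """Authentication transfer request (PKM-REQ) -> authentication transfer response (PKM-RSP)."""
        if not verify(self.cmac_key, msg, tag):
            return None, b""
        r = self.aaa.authentication_info_transfer(json.loads(msg))
        ctx = r["ctx"] if r else None
        rsp = json.dumps({"status": "ok" if ctx else "refused", "ctx": ctx}).encode()
        # Caveat: ctx holds Kc or CK/IK. A tag alone is not enough over the air; the
        # response must also be encrypted under the serving SA (e.g. with the KEK).
        return rsp, protect(self.cmac_key, rsp)


def pre_handover(ms_id: str, ms_cmac_key: bytes, bs: ServingBS):
    """MS side: request the target context before handover; returns it, or None.
    ms_id is a temporary identity so the IMSI does not cross the air interface."""
    msg = json.dumps({"ms_id": ms_id, "target_rat": bs.aaa.target.rat}).encode()
    rsp, tag = bs.pkm_req(msg, protect(ms_cmac_key, msg))
    if rsp is None or not verify(ms_cmac_key, rsp, tag):
        return None
    body = json.loads(rsp)
    return body["ctx"] if body["status"] == "ok" else None


def build(rat: str, auth_ok: bool):
    """Constructed deployment: one subscriber 'tmsi-42' with test-range IMSI 001010123456789."""
    inter_key, air_key = b"constructed inter-AAA key", b"constructed CMAC key"
    aaa = ServingAAA(inter_key, TargetAAA(rat, inter_key))
    aaa.subscribers["tmsi-42"] = ("001010123456789", auth_ok)
    return ServingBS(aaa, air_key), air_key
```

The comment in pkm_req marks the point a reviewer should flag: the response carries the target network's cipher keys, so the message on the serving link must be encrypted as well as integrity-protected, or the target context is exposed to anyone capturing the 802.16 link. The temporary identity in the PKM-REQ is how the IMSI/TMSI protection requirement is handled in this simulation.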
  • FIG. 1 is a diagram illustrating an example of the layered structure and elements of an 802.1X system.
  • FIG. 2 is a flow chart illustrating an authentication procedure for a mobile station of a general IEEE 802.16 system.
  • FIG. 3 is a flow chart illustrating the handover and initial network entry procedures.
  • FIG. 4 is a diagram illustrating a method of establishing a security association before a mobile station performs handover from a serving network to a target network in accordance with one embodiment of the present invention.
  • FIG. 5 is a diagram illustrating a method of establishing a security association before a mobile station performs handover from a serving network to a target network in accordance with another embodiment of the present invention.
  • FIG. 6 is a diagram illustrating a method of acquiring security related information of a target base station before a mobile station performs handover in accordance with another embodiment of the present invention.
  • the base station means a terminal node of a network, which performs direct communication with the mobile station.
  • a specific operation which has been described as being performed by the base station may be performed by an upper node of the base station as the case may be.
  • various operations performed for communication with the mobile station in the network which includes a plurality of network nodes along with the base station may be performed by the base station or network nodes other than the base station.
  • the base station may be replaced with terms such as a fixed station, Node B, eNode B (eNB) , or access point.
  • the mobile station may be replaced with terms such as user equipment (UE) , Subscriber Station (SS) , and mobile subscriber station (MSS) .
  • the embodiments according to the present invention may be implemented by various means, for example, hardware, firmware, software, or their combination. If the embodiment according to the present invention is implemented by hardware, the embodiment of the present invention may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs) , programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, etc.
  • If implemented in firmware or software, the method of transmitting and receiving data in the wireless communication system according to the embodiments may be implemented as a module, procedure or function that performs the functions or operations described above.
  • Software code may be stored in a memory unit and executed by a processor.
  • The memory unit may be located inside or outside the processor and exchanges data with the processor through well-known means.
  • The embodiments of the present invention can be supported by the standard documents of at least one of the IEEE 802 system, the 3GPP system, the 3GPP LTE system and the 3GPP2 system. That is, steps or parts not described in the embodiments, so as to clearly disclose the technical ideas of the invention, can be supported by those documents, and all terminology used herein can be explained by them. In particular, the embodiments can be supported by one or more of the IEEE 802.16 documents P802.16-2004, P802.16e-2005 and P802.16Rev2.
  • FIG. 3 is a flow chart illustrating the handover and initial network entry procedures.
  • The mobile station selects a cell during handover and initial network entry (S301, S302).
  • Cell selection performs scanning or ranging with at least one base station to find a suitable base station for network connection or handover.
  • The mobile station schedules scan periods or sleep periods to determine initial network entry to a base station or the possibility of handover to a target base station.
  • During initial network entry the mobile station acquires synchronization with the serving base station and obtains the downlink parameters (S303).
  • The serving base station is the base station that provides service in the network the mobile station currently intends to enter.
  • Having synchronized with the serving base station, the mobile station obtains the uplink parameters of the serving base station (S304), then performs ranging with it and adjusts the uplink parameters (S305).
  • Through these steps the mobile station and the serving base station negotiate basic capabilities for communication (S306).
  • The serving base station authorizes the mobile station and performs key exchange (S307).
  • The mobile station registers with the serving base station (S308), and Internet Protocol (IP) connectivity is established for the mobile station (S309).
  • The serving base station sends operational parameters to the mobile station (S310). A connection between the mobile station and the serving base station is then established (S311), and the two operate normally (S312).
  • During normal operation the mobile station continues to scan for neighboring base stations (S313). The purpose is to find a base station that can provide better service, because the quality of the service provided by the serving base station may degrade as the mobile station moves away from it. A neighboring base station that provides better service than the serving base station is referred to as a target base station, and the mobile station performs handover to it.
  • Handover occurs when the mobile station moves from the cell of the serving base station to that of the target base station.
  • In a handover the mobile station moves its radio interface, service flow and network attachment point from the serving base station to the target base station; it begins once the mobile station, the serving base station and the network manager decide on it (S314).
  • The mobile station selects the target base station (S315), and acquires synchronization with it and its downlink parameters (S316).
  • The mobile station obtains the uplink parameters of the target base station (S317), performs ranging with it and adjusts the uplink parameters (S318).
  • If the mobile station has previously received an NBR-ADV message containing the target base station identifier, its frequency and its uplink/downlink channel descriptors (UCD/DCD), the scanning and synchronization procedures can be shortened.
  • If the target base station has received a handover notification from the serving base station over the backbone network, it can allocate a non-contention initial ranging opportunity in the uplink map (UL-MAP).
  • Through these steps the mobile station and the target base station negotiate basic capabilities (S319), and the network re-entry procedure begins with ranging; the mobile station is re-authorized and re-registers with the target base station (S320).
  • The mobile station completes registration with the target base station (S321), and IP connectivity via the target base station is re-established (S322).
  • The target base station then serves as the serving base station for the mobile station.
  • In summary, the mobile station can select a cell based on information about neighboring base stations obtained by scanning, and can decide on handover from the serving base station to the target base station. Once it decides, it synchronizes with the target base station and performs ranging; re-authorization of the mobile station follows. At this point the target base station can request information about the mobile station from the serving base station over the backbone network.
  • The handover and network re-entry procedures can be simplified according to the information about the mobile station held by the target base station, and several network entry steps can be omitted on that basis.
  • For handover between heterogeneous networks, the following security requirements apply.
  • A dual-mode mobile station has a UICC or universal subscriber identity module (USIM) as well as the information for association with the IEEE 802.16 network, so that the information stored in the UICC or USIM can be used to support handover between heterogeneous networks.
  • Heterogeneous radio access networks other than the IEEE 802.16 network can be associated with an EAP based authentication server as proposed in the present invention; that server can report whether protected authentication succeeded or failed.
  • The IEEE 802.16 network has a roaming agreement with the other heterogeneous radio access network.
  • Authorization information is transferred securely between the authentication servers through a pre-authentication protocol or an AAA protocol.
  • The pre-authentication protocol or AAA protocol protects user identifiers (for example, IMSI and TMSI).
  • FIG. 4 is a diagram illustrating a method of establishing security association before a mobile station performs handover from a service network to a target network in accordance with one embodiment of the present invention.
  • a communication environment can include a mobile station (MS) 400, a base station (BS) 420, a service
  • the service AAA server 440 and the target AAA server 460 represent heterogeneous radio access networks.
  • the heterogeneous radio access networks include networks supported by 3GPP and 3GPP2 as well as IEEE 802 based wire and wireless networks except for the IEEE 802.16 network.
  • the embodiments of the present invention disclose methods of supporting handover between heterogeneous radio access networks. Namely, they provide methods of establishing security association so that a seamless service can be provided to a mobile station performing handover between heterogeneous radio access networks, without placing additional load on the networks.
  • the mobile station 400, the base station 420, and the service AAA server 440 initially perform a mutual authentication procedure (S401).
  • the basic capability negotiation procedure between the mobile station and the base station is performed by exchanging the SBC-REQ and SBC-RSP messages after ranging ends.
  • the mobile station 400 notifies the base station of its capability, and in response the base station notifies the mobile station of the part its own capability has in common with the capability of the mobile station.
  • the SBC-REQ and SBC-RSP messages can include inter-RAT authorization policy support parameters between heterogeneous radio access networks.
  • Table 5 illustrates an example of the SBC-REQ/RSP messages modified for handover between heterogeneous radio access networks. [Table 5]
  • the modified SBC-REQ and SBC-RSP messages can include an inter-RAT authorization policy support parameter.
  • the inter-RAT authorization policy support parameter specifies the authorization policy to be negotiated and synchronized between the mobile station and the network when the mobile station performs handover to a radio access network different from the one where it currently receives service.
  • the inter-RAT authorization policy support parameter is a field included in the SBC-REQ/RSP management encoding, similarly to the conventional authorization policy support field. If this field is omitted, the mobile station and the base station should use IEEE 802.16 security with X.509 credentials and the RSA public key algorithm, or EAP, as the authorization policy. Accordingly, if the mobile station performs handover to a network other than the IEEE 802.16 network, it must authenticate again with the authentication server of that network and acquire a security key.
  • Table 6 illustrates an example of the inter-RAT authorization field between heterogeneous radio access networks.
  • the security negotiation parameter field can include security capabilities to be negotiated before authorization if the mobile station performs handover for another radio access network.
  • Table 7 illustrates an example of an attribute of the security negotiation parameter that can be used in the embodiment of the present invention.
  • Table 7 specifies an attribute of the modified security negotiation parameter field.
  • Table 8 illustrates another example of an inter-RAT authorization policy support field included in Table 7.
  • the inter-RAT authorization policy support field can have a size of 1 bit or more.
  • the inter-RAT authorization policy support field can represent whether RSA based authentication or EAP based authentication will be used during inter-RAT handover.
  • the following Table 9 illustrates a PKM version support field.
  • the PKM version support field specifies a PKM version. Namely, both the mobile station and the base station should negotiate only one PKM version. [Table 9]
  • the mobile station, the base station and the service authentication server can mutually negotiate whether to support inter-RAT authorization policy.
  • the type of, or information about, a neighboring network to which the mobile station 400 intends to perform handover is obtained by scanning; when and how often scanning is performed depends on the actual implementation or on the operation policy of the network. Since the embodiment of the present invention assumes multi-mode network access nodes, the mobile station 400 can support a plurality of radio standards simultaneously and establish connections over one or more radio interfaces.
  • the mobile station and the base station can use privacy key management (PKM) messages such as PKM request message PKM-REQ and PKM response message PKM-RSP.
  • the PKM messages can be included in a management message payload.
  • the PKM messages can be transferred through MS primary management connection of the mobile station.
  • Table 10 illustrates an example of PKM MAC message. [Table 10]
  • Table 11 illustrates an example of a format of the PKM request message PKM-REQ.
  • Table 12 illustrates an example of a format of the PKM response message PKM-RSP.
  • the PKM messages of Table 11 and Table 12 include a code, a PKM identifier, and TLV encoded attribute parameters.
  • the code field has a length of one byte and specifies the type of PKM packet. Packets received with an invalid code are discarded.
  • the PKM identifier field can have a length of one byte, and the mobile station uses the PKM identifier to associate a response of the base station with its request. Also, a client and a server can exchange authentication data, authorization data, and key management data with each other using an attribute field (for example, a PKM attribute).
  • each PKM packet type has its own mandatory or optional attributes. Unless specified otherwise, the attributes may appear in any order within a PKM message.
  • Table 13 illustrates a PKM message code added for a fast security association procedure according to the embodiment of the present invention. [Table 13]
  • examples of messages newly defined for the embodiments of the present invention include the PKMv3 Auth Transfer Request message, PKMv3 Auth Transfer Response message, PKMv3 Key Request message, and PKMv3 Key Response message.
  • the PKMv3 auth transfer request message is used to request the service base station to transfer the authentication result for the mobile station before handover.
  • the PKMv3 auth transfer request message is transmitted to the service base station by the mobile station.
  • the service base station transfers the PKMv3 auth transfer request message to the service authentication server (for example, of the IEEE 802.16 system), and the service authentication server transmits it to the authentication server of the target network to which handover is expected.
  • the PKMv3 auth transfer response message is used as a response to the PKMv3 auth transfer request message.
  • the PKMv3 auth transfer response message can include the security contexts used in the authentication server of the target network.
  • alternatively, the PKMv3 auth transfer response message may not carry the security contexts of the target network; in that case it omits the security context field and the protected MS identifier field.
  • the PKMv3 key request message and the PKMv3 key response message are used when the mobile station cannot obtain the security contexts used in the target heterogeneous radio access network through the exchange of the PKMv3 auth transfer request/response messages.
  • in that case the mobile station cannot obtain the security contexts of the target base station through the PKMv3 auth transfer request/response messages before handover.
  • the mobile station can instead obtain the security contexts used in the target base station using the PKMv3 key request/response messages before handover.
  • the PKMv3 auth transfer response message then does not include a security context field or a protected MS identifier field. Namely, the security context field and the protected MS identifier field can instead be transferred to the mobile station within the PKMv3 key response message. The description of FIG. 4 now continues.
  • the mobile station attempts handover to a target network found through scanning if the signal level of the service network falls to a certain level or below. At this time, the mobile station 400 can transfer its authentication related information to the base station 420 using the PKMv3 auth transfer request message (S402).
  • the service base station 420 which has received the PKM message transfers the authentication related information to the service authentication server 440 through an auth info transfer request message (S403).
  • the auth info transfer request message can include the mobile station temporary identifier (for example, TMSI or IMSI), the target access network identifier, and the identifier of the current access network authentication server 440.
  • the service authentication server 440 requests the security contexts used in the target authentication server 460 using a security context transfer request message (S404).
  • the target authentication server 460 transfers the security contexts used in the target authentication server 460 to the service authentication server 440 using a security context transfer response message (S405).
  • the security context transfer response message can include the identifier of the target access network authentication server 460, the security contexts used in the target network, and protected mobile station temporary identifier information.
  • the service authentication server 440 can transfer the auth info transfer response message to the service base station 420, wherein the auth info transfer response message includes the security contexts used in the target network, the protected mobile station temporary identifier, MAC address information, and the authentication server identifier of the current access network (S406).
  • the service base station 420 can transfer the authentication related information, such as the security contexts used in the target authentication server 460, to the mobile station using the PKMv3 auth transfer response message (S407).
  • the auth info transfer request/response messages and the security context transfer request/response messages can be transferred using an Internet Engineering Task Force (IETF) pre-authentication protocol or an AAA protocol.
  • the mobile station need not perform a new authentication procedure in the target network to establish security association there while it is performing handover to the target network. Accordingly, the mobile station can quickly perform handover to the heterogeneous radio access network without interrupting the seamless service.
  • FIG. 5 is a diagram illustrating a method of establishing security association before a mobile station performs handover from a service network to a target network in accordance with another embodiment of the present invention.
  • a communication system can include a mobile station (MS) 500, a service base station 520, a service AAA server (802.16 AAA server) 540, a target AAA server (3GPP AAA server) 560, a home subscriber server (HSS) 580, and a target base station 590.
  • the messages used in FIG. 5 are described to effectively represent the technical spirit of another embodiment of the present invention. Accordingly, any message that performs the function of a message used in FIG. 5 may be used.
  • the steps S501 to S505 are similar to the general authentication procedure of FIG. 2. Namely, the multi-mode mobile station can perform master session key
  • the authentication server 540 of the IEEE 802.16 network has information as to whether authentication for the mobile station 500 has been successfully performed, and can use it later during handover between heterogeneous radio access networks.
  • the mobile station, the base station, and the service authentication server can smoothly perform the procedure of establishing security association used in the embodiments of the present invention by transmitting and receiving the inter-RAT authorization policy support field to and from one another.
  • the parameters and fields corresponding to Table 5 to Table 9 are used in the embodiments of the present invention.
  • step S506 and the following steps will now be described.
  • the mobile station 500 establishes security association with the service authentication server 540 and communicates with the service base station 520 once it is subscribed to the service network. At this time, the mobile station 500 performs scanning in preparation for handover if the signal strength from the service base station 520 becomes weak (S506).
  • the mobile station 500 can receive a signal from a neighbor network through scanning and perform network search and selection procedures.
  • the mobile station 500 decides on handover and selects the neighbor network having the strongest signal strength (S507).
  • it is assumed that the 3GPP network is used as a possible handover target network. If the mobile station 500 recognizes that the signal level received from the IEEE 802.16 network has fallen to a certain level or below, the mobile station 500 can request the IEEE 802.16 network authentication server 540 to transfer the authentication related information of the mobile station 500 to the remote target network, i.e., the 3GPP network authentication server 560.
  • the mobile station 500 can transfer authentication related information of the mobile station to the service base station using the PKMv3 auth transfer request message.
  • the PKMv3 auth transfer request message can be transferred to the service base station to request the security information used in the target network (S508).
  • Table 14 illustrates an example of an attribute of the PKMv3 auth transfer request message.
  • the PKMv3 auth transfer request message can include the current access network identifier, the target access network identifier, the authentication server identifier of the current access network, the mobile station identifier (for example, IMSI or TMSI), the MAC address of the mobile station, the AK sequence number, and message digest information calculated using the AK.
  • the 802.16 network base station 520 which has received the PKMv3 auth transfer request message can request the IEEE 802.16 network authentication server 540, through the auth info transfer request message, to transfer the authentication result for the mobile station 500 identified in the 802.16 network to the 3GPP network authentication server 560 (S509).
  • the auth info transfer request message is transmitted using a protocol defined by the IETF.
  • the auth info transfer request message can include mobile station identifier (TMSI or IMSI) , target access network identifier, and identifier of the current access network authentication server 540.
  • the auth info transfer request message can selectively include information such as MAC address of the mobile station 500 and the current access network identifier.
  • the 802.16 authentication server 540 can transfer the security context transfer request message to the 3GPP authentication server 560. Namely, the 802.16 authentication server 540 can use the security context transfer request message to request the 3GPP authentication server 560 to transfer the security contexts used in the 3GPP network (S510).
  • the security context transfer request message can include the target access network identifier, the target access network authentication server identifier, the mobile station identifier, and a field specifying whether authentication for the corresponding mobile station has been successfully performed. Also, the security context transfer request message can additionally include the current access network identifier and the identifier of the current access network authentication server 540.
  • the target authentication server 560 can request re-authentication of the corresponding user. Since the authentication related information is transferred within the pre-authentication protocol message or AAA protocol message together with time stamp information as well as information as to whether authentication has been performed, it is subject to a temporal restriction. Namely, since the authentication related information cannot be used once it expires, it is preferable that it is updated before it expires.
  • the 3GPP authentication server 560 which has received the message of step S510 acquires authentication vectors for the corresponding mobile station by inquiring of the HSS 580 (S511).
  • the 3GPP authentication server 560 can transmit the security context transfer response message to the 802.16 authentication server 540, wherein the security context transfer response message includes the security contexts used in the 3GPP network (S512).
  • the security context transfer response message can include the mobile station identifier, the identifier of the target access network authentication server 560, the security contexts used in the 3GPP network (for example, RAND and Kc in the case of GSM, and RAND, AUTN, CK and IK in the case of UMTS), and protected mobile station temporary identifier information.
  • the security context transfer response message can additionally include the identifier of the current access network authentication server 540.
  • the 802.16 authentication server 540 can transfer the auth info transfer response message to the service base station 520, wherein the auth info transfer response message includes the security contexts obtained from the 3GPP network (S513).
  • the auth info transfer response message can include one or more of the mobile station identifier, the security contexts used in the 3GPP network, the protected mobile station temporary identifier, MAC address information, and the authentication server identifier of the current access network. Also, the auth info transfer response message can optionally include the target access network identifier.
  • the service base station 520 can transmit the PKMv3 auth transfer response message to the mobile station 500, wherein the PKMv3 auth transfer response message includes the security contexts to be used in the 3GPP network (S514).
  • Table 15 illustrates an example of the PKMv3 auth transfer response message. [Table 15]
  • the PKMv3 auth transfer response message can include one or more of the current access network identifier, the target access network identifier, the identifier of the target access network authentication server 560, the security contexts used in the target access network (for example, RAND and Kc in the case of GSM, and RAND, AUTN, CK and IK in the case of UMTS), protected mobile station temporary identifier information, the AK sequence number, and message digest information calculated using the AK.
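The PKM message layout described earlier (code, PKM identifier, TLV attributes) and the S508/S514 auth transfer exchange of FIG. 5, as an added example that is not code from the patent. It assumes message code numbers, TLV type numbers and an HMAC-SHA256 digest keyed with the AK, none of which the page specifies, and all identifiers, keys and UMTS context values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Assumed PKM message codes for the two new messages (Table 13 is not on the page).
CODE_AUTH_TRANSFER_REQ, CODE_AUTH_TRANSFER_RSP = 0x20, 0x21
# Assumed TLV attribute type numbers for the fields listed for Tables 14 and 15.
ATTR_CURRENT_NET_ID, ATTR_TARGET_NET_ID, ATTR_AUTH_SERVER_ID = 1, 2, 3
ATTR_MS_ID, ATTR_MS_MAC, ATTR_AK_SEQ = 4, 5, 6
ATTR_RAND, ATTR_AUTN, ATTR_CK, ATTR_IK, ATTR_PROTECTED_TMSI = 7, 8, 9, 10, 11
ATTR_DIGEST = 12
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_tlvs(attrs):
    # Each attribute: 1-byte type, 1-byte length, value.
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 255:
            raise ValueError("TLV value too long for a 1-byte length")
        out += struct.pack("!BB", attr_type, len(value)) + value
    return bytes(out)


def decode_tlvs(data):
    # Reject truncated headers or values instead of reading past the buffer.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        attr_type, length = data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ValueError("truncated TLV value")
        attrs.append((attr_type, bytes(data[i:i + length])))
        i += length
    return attrs


def build_pkm_message(code, pkm_id, attrs, ak):
    """Layout: code | PKM identifier | attribute TLVs | digest TLV (keyed with AK)."""
    body = struct.pack("!BB", code, pkm_id) + encode_tlvs(attrs)
    digest = hmac.new(ak, body, hashlib.sha256).digest()  # assumed digest construction
    return body + encode_tlvs([(ATTR_DIGEST, digest)])


def parse_pkm_message(raw, ak, expected_code, expected_id=None):
    """Verify a PKM message; any failure raises so the receiver discards the packet."""
    if len(raw) < 2 + 2 + DIGEST_LEN:
        raise ValueError("packet too short")
    code, pkm_id = raw[0], raw[1]
    if code != expected_code:
        raise ValueError("invalid PKM code, packet discarded")
    if expected_id is not None and pkm_id != expected_id:
        raise ValueError("response does not match the outstanding request")
    attrs = decode_tlvs(raw[2:])
    if not attrs or attrs[-1][0] != ATTR_DIGEST or len(attrs[-1][1]) != DIGEST_LEN:
        raise ValueError("missing or malformed digest attribute")
    body = raw[:len(raw) - 2 - DIGEST_LEN]
    expected = hmac.new(ak, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, attrs[-1][1]):
        raise ValueError("digest mismatch, packet discarded")
    return pkm_id, dict(attrs[:-1])


def ms_auth_transfer_request(pkm_id, ak, ak_seq, cur_net, tgt_net, auth_srv, ms_id, mac):
    """MS -> serving BS (S508): ask for the target network's security contexts."""
    attrs = [(ATTR_CURRENT_NET_ID, cur_net), (ATTR_TARGET_NET_ID, tgt_net),
             (ATTR_AUTH_SERVER_ID, auth_srv), (ATTR_MS_ID, ms_id),
             (ATTR_MS_MAC, mac), (ATTR_AK_SEQ, bytes([ak_seq]))]
    return build_pkm_message(CODE_AUTH_TRANSFER_REQ, pkm_id, attrs, ak)


def bs_auth_transfer_response(request, ak, target_auth_srv, umts_ctx, protected_tmsi):
    """Serving BS -> MS (S514); the S509-S513 backhaul result is modelled as inputs."""
    pkm_id, req = parse_pkm_message(request, ak, CODE_AUTH_TRANSFER_REQ)
    attrs = [(ATTR_CURRENT_NET_ID, req[ATTR_CURRENT_NET_ID]),
             (ATTR_TARGET_NET_ID, req[ATTR_TARGET_NET_ID]),
             (ATTR_AUTH_SERVER_ID, target_auth_srv),
             (ATTR_RAND, umts_ctx["RAND"]), (ATTR_AUTN, umts_ctx["AUTN"]),
             (ATTR_CK, umts_ctx["CK"]), (ATTR_IK, umts_ctx["IK"]),
             (ATTR_PROTECTED_TMSI, protected_tmsi), (ATTR_AK_SEQ, req[ATTR_AK_SEQ])]
    return build_pkm_message(CODE_AUTH_TRANSFER_RSP, pkm_id, attrs, ak)


def ms_accept_response(response, ak, pkm_id, tgt_net):
    """MS: accept only a response tied to its own request and chosen target (S515)."""
    _, rsp = parse_pkm_message(response, ak, CODE_AUTH_TRANSFER_RSP, pkm_id)
    if rsp.get(ATTR_TARGET_NET_ID) != tgt_net:
        raise ValueError("response names a different target network")
    return {"RAND": rsp[ATTR_RAND], "AUTN": rsp[ATTR_AUTN], "CK": rsp[ATTR_CK],
            "IK": rsp[ATTR_IK], "protected_tmsi": rsp[ATTR_PROTECTED_TMSI]}


def run_fig5_exchange(tamper=False):
    """Run S508/S514 on constructed sample data; returns the context the MS keeps."""
    ak = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 160-bit AK
    cur_net, tgt_net = b"802.16-net-A", b"3GPP-net-B"
    request = ms_auth_transfer_request(7, ak, 3, cur_net, tgt_net, b"aaa-802.16",
                                       b"TMSI:1234", bytes.fromhex("001122334455"))
    umts_ctx = {"RAND": b"R" * 16, "AUTN": b"A" * 16, "CK": b"C" * 16, "IK": b"I" * 16}
    response = bs_auth_transfer_response(request, ak, b"aaa-3gpp", umts_ctx, b"pTMSI:abcd")
    if tamper:  # flip one bit of CK in transit; the AK-keyed digest must reject it
        idx = response.index(b"C" * 16)
        response = response[:idx] + bytes([response[idx] ^ 1]) + response[idx + 1:]
    return ms_accept_response(response, ak, 7, tgt_net)
```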
  • the mobile station 500 can thus acquire the security related information used in the target base station before handover, through steps S508 to S514. Namely, the mobile station need not newly perform authentication during the subscription procedure to the 3GPP network, and can omit a considerable part of the security procedures for obtaining a new key. Accordingly, the mobile station can perform a second layer (L2) handover even without EAP based authentication with the target authentication server (S515).
  • the 3GPP authentication server 560 transfers the link layer security related parameters to the target base station 590 so that it can communicate safely with the mobile station 500 (S516).
  • the mobile station 500 can transmit and receive data to and from the 3GPP network through a third layer (L3) handover and release its connection with the previous 802.16 network (S517).
  • the auth info transfer request/response messages and the security context transfer request/response messages can be transferred using the IETF pre-authentication protocol or the AAA protocol.
  • FIG. 6 is a diagram illustrating a method of acquiring security information of a target base station before a mobile station performs handover in accordance with another embodiment of the present invention.
  • a communication system can include a mobile station (MS) 600, a service base station 620, a service AAA server (802.16 AAA server) 640, a target AAA server (3GPP AAA server) 660, a home subscriber server (HSS), and a target base station 690.
  • steps S601 to S613 are similar to the steps S501 to S513 of FIG. 5. Accordingly, their description will be omitted to avoid repeated description.
  • the service base station 620 can receive security contexts used in the target network authentication server 660 from the service AAA server 640.
  • the service base station 620 can transfer the PKM response message (for example, the PKMv3 auth transfer response message) to the mobile station 600, wherein the PKM response message includes the security contexts of the target network (S614).
  • the PKM response message is an example of the
  • the PKMv3 auth transfer response message used in FIG. 6 can include one or more of the current access network identifier, the target access network identifier, the identifier of the target access network authentication server, the AK sequence number, and message digest information calculated using the AK.
  • the multi-mode mobile station 600 which has received the PKMv3 auth transfer response message in step S614 can recognize, from the target heterogeneous access network identifier and the identifier of the target network authentication server 660, that its authentication information has been safely transferred to the corresponding network.
  • the mobile station can transmit the PKMv3 key request message to the service base station 620 to obtain the security contexts to be used in the target network (S615).
  • the following Table 17 illustrates an example of the PKMv3 key request message. [Table 17]
  • the PKMv3 key request message can include one or more of AK sequence number, mobile station identifier (IMSI, TMSI), MAC address of the mobile station
  • the service base station 620 can transmit the PKMv3 key response message to the mobile station 600 in response to the PKMv3 key request message, wherein the PKMv3 key response message includes the security contexts of the target network (S616).
  • Table 18 illustrates an example of the PKMv3 key response message.
  • the PKMv3 key response message can include AK sequence number, security contexts used in the target access network authentication server 660, protected mobile station temporary identifier, a random number generated by the base station, and message digest information calculated using AK.
  • the mobile station 600 can acquire security information used in the target base station of the heterogeneous networks through the PKMv3 key response message before handover.
  • the mobile station 600 can perform handover directly without performing a procedure of establishing new security association with the target authentication server 660.
  • the auth info transfer request/response messages and the security context transfer request/response messages can be transferred using the IETF pre-authentication protocol or the AAA protocol.
  • the embodiments of the present invention can be applied to various technologies of a broadband radio access system.
  • the embodiments of the present invention can be applied to handover technology between heterogeneous radio access networks.
  • the embodiments of the present invention can be applied to various methods of establishing fast security association before handover is performed.

Abstract

The invention relates to a method of establishing security association during handover between heterogeneous networks in a radio access system. The method of establishing security association before handover to a target base station belonging to a heterogeneous radio access network comprises transmitting a request message asking a serving base station to transfer authentication related information of a mobile station to a target network authentication server, and receiving a response message from the serving base station before handover to the target base station is performed, the response message containing security related information used in a target network.
PCT/KR2008/006080 2007-10-18 2008-10-15 Method of establishing security association in inter-RAT handover WO2009051405A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/738,391 US8731194B2 (en) 2007-10-18 2008-10-15 Method of establishing security association in inter-rat handover

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR20070105219 2007-10-18
KR10-2007-0105219 2007-10-18
KR10-2008-0080904 2008-08-19
KR20080080904A KR101481558B1 (ko) 2007-10-18 2008-08-19 Method of establishing security association between heterogeneous radio access networks

Publications (2)

Publication Number Publication Date
WO2009051405A2 true WO2009051405A2 (fr) 2009-04-23
WO2009051405A3 WO2009051405A3 (fr) 2009-06-11

Family

ID=40567953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2008/006080 WO2009051405A2 (fr) 2007-10-18 2008-10-15 Method of establishing security association in inter-RAT handover

Country Status (1)

Country Link
WO (1) WO2009051405A2 (fr)

Also Published As

Publication number Publication date
WO2009051405A3 (fr) 2009-06-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08838716; Country of ref document: EP; Kind code of ref document: A2)
WWE Wipo information: entry into national phase (Ref document number: 12738391; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08838716; Country of ref document: EP; Kind code of ref document: A2)