WO2018046109A1 - Attack mitigation in 5g networks - Google Patents

Info

Publication number
WO2018046109A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
public
authentication
network entity
modifier
Application number
PCT/EP2016/071444
Inventor
Guenther Horn
Original Assignee
Nokia Solutions And Networks Oy
Application filed by Nokia Solutions And Networks Oy
Priority to PCT/EP2016/071444
Publication of WO2018046109A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H04W12/041 Key generation or derivation
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • the present invention relates to attack mitigation in 5G networks. More specifically, the present invention exemplarily relates to measures (including methods, apparatuses and computer program products) for realizing attack mitigation in 5G networks.
  • the present specification generally relates to 5th Generation (5G) security as defined by the 3rd Generation Partnership Project (3GPP). 5G is also known as "Next Generation System (NextGen)". Presently, topics related to NextGen are in a study phase.
  • 5G 5th Generation
  • 3GPP 3rd Generation Partnership Project
  • NextGen Next Generation System
  • security key issues addressed by embodiments of the present invention are a reduction of an impact of secret key leakage, a prevention from interception of radio interface keys sent between operator entities, and subscriber identifier privacy.
  • Ki is a permanent, shared secret key for each subscriber. If this security assumption fails, the loss of security is catastrophic. Ki might leak to an attacker for a number of reasons, e.g. hacking at the factory (subscriber identity module (SIM) vendor or subscription manager), where Ki is generated, hacking of the communication channel over which Ki is transported from SIM vendor or subscription manager to mobile operator, hacking into the mobile operators, an insider attack at a mobile operator or SIM vendor, a local attack (e.g. side channel) on the SIM card in the supply chain, or a local attack (e.g. side channel) on the SIM card while temporarily borrowed from the customer.
  • SIM subscriber identity module
  • keys from which the keys for radio interface encryption (and integrity, where applicable) are derived are computed in the home core network (authentication center (AuC)) and then transmitted to the visited radio network over signaling links such as SS7 or Diameter.
  • AuC authentication center
  • signaling links such as SS7 or Diameter.
  • identifier privacy: in a 3GPP system, many types of subscriber identifiers are used during a communication process.
  • the identifiers may be tied to either a subscription or a device. Some of the identifiers may be permanent or long term (e.g. in case of current Long Term Evolution (LTE) system: International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network (MSISDN), International Mobile Equipment Identity (IMEI), and Medium Access Control (MAC) address) while others may be temporary or short term (e.g.
  • LTE Long Term Evolution
  • MSISDN Mobile Subscriber Integrated Services Digital Network
  • IMEI International Mobile Equipment Identity
  • MAC Medium Access Control
  • GUTI Globally Unique Temporary Identifier
  • TMSI Temporary Mobile Subscriber Identity
  • C-RNTI Cell Radio Network Temporary Identifier
  • IP internet protocol
  • a long term secret key is updated in such a way that the new key is less exposed to potential attack than the original one was.
  • a key exchange protocol is involved, which is run between a universal integrated circuit card (UICC) and the home network home subscriber server (HSS), in order to create a newly agreed Ki value to replace the existing one (where the Ki value is a permanent, shared secret key for each subscriber).
  • UICC universal integrated circuit card
  • HSS home network home subscriber server
  • Elliptic Curve Diffie Hellman is a preferred key exchange algorithm.
  • This approach includes a Diffie Hellman key exchange between a universal subscriber identity module (USIM) and the home network, when the USIM first contacts the networks.
  • USIM universal subscriber identity module
  • a key exchange protocol is included into the derivation of the radio interface session keys.
  • an authentication and key agreement algorithm is run in the HSS with a resulting authentication vector sent to the visited network, and is also run in the UICC to establish shared secret keys between the UE and a node in the visited network.
  • those keys are not used directly for radio interface security or as inputs to a key derivation algorithm to produce radio interface security keys.
  • those keys are used to authenticate a key exchange algorithm between the device (possibly its UICC) and that visited network node.
  • Elliptic Curve Diffie Hellman is a preferred key exchange algorithm.
  • this approach consists in applying a Diffie Hellman handshake after the intermediate key obtained from the authentication vector (e.g. a key for the access security management entity (KASME)) has been successfully established between UE and serving node (e.g. MME).
  • KASME access security management entity
  • MME serving node
  • This approach includes a Diffie Hellman key exchange between the UE and the visited network (e.g. MME in LTE). This entails sending one Diffie Hellman exponent in each direction. Furthermore, the Diffie Hellman key exchange would have to be run more often as the visited network entity (e.g. MME) changes.
  • the visited network entity e.g. MME
  • a serving network public key is bound into the derivation of the radio interface session keys.
  • a serving network public key N_PUB is used to authenticate a key exchange.
  • UE user equipment
  • CP-AU which is a security anchor of the NextGen core network
  • K_session shared session key
  • K_session an Elliptic Curve Diffie Hellman technique
  • This approach affects the radio interface (which is a bandwidth-constrained resource) in that Diffie Hellman key exchange parameters sent over the radio interface are quite long. Furthermore, it is required that the UEs know the public key of the visited network.
  • the UE encrypts its permanent identifier sent to network using public-key cryptography
  • a method of a home network entity in a mobile communications network comprising receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
  • a method of a terminal in a mobile communications network comprising encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
  • a method of a home network entity in a mobile communications network comprising determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
  • a method of a visited network entity in a mobile communications network comprising receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
  • an apparatus in a home network entity in a mobile communications network comprising receiving circuitry configured to receive, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting circuitry configured to decrypt said key modifier using a private key of said public-private key pair, determining circuitry configured to determine necessity to transmit a first authentication key to a visited network entity, computing circuitry configured to compute, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting circuitry configured to transmit said second authentication key to said visited network entity.
  • an apparatus in a terminal in a mobile communications network comprising encrypting circuitry configured to encrypt a key modifier using a public key of a public-private key pair, transmitting circuitry configured to transmit a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing circuitry configured to compute, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
  • an apparatus in a home network entity in a mobile communications network comprising determining circuitry configured to determine necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting circuitry configured to encrypt said authentication key using a public key of said public-private key pair, and transmitting circuitry configured to transmit a message including said encrypted authentication key to said visited network entity.
  • an apparatus in a visited network entity in a mobile communications network comprising receiving circuitry configured to receive, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting circuitry configured to decrypt said authentication key using a private key of said public-private key pair.
  • an apparatus in a home network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
  • an apparatus in a terminal in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
  • an apparatus in a home network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
  • an apparatus in a visited network entity in a mobile communications network comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
  • a computer program product comprising computer-executable computer program code which, when the program is run on a computer (e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related exemplary aspects of the present invention), is configured to cause the computer to carry out the method according to any one of the aforementioned method-related exemplary aspects of the present invention.
  • Such computer program product may comprise (or be embodied) a (tangible) computer-readable (storage) medium or the like on which the computer-executable computer program code is stored, and/or the program may be directly loadable into an internal memory of the computer or a processor thereof.
  • attack mitigation in 5G networks. More specifically, by way of exemplary embodiments of the present invention, there are provided measures and mechanisms for realizing attack mitigation in 5G networks.
  • measures and mechanisms for realizing attack mitigation in 5G networks are provided.
  • Figure 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
  • FIG. 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
  • Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
  • Figure 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention
  • FIG. 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • Figure 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention
  • Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention
  • Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • Figure 10 is a block diagram alternatively illustrating apparatuses according to exemplary embodiments of the present invention.
  • Figure 11 is a block diagram alternatively illustrating further apparatuses according to exemplary embodiments of the present invention.
  • Detailed description of drawings and embodiments of the present invention
  • FIG. 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • the apparatus may be a home network entity 10 such as a home subscriber server in a mobile communications network comprising a receiving circuitry 11, a decrypting circuitry 12, a determining circuitry 13, a computing circuitry 14, and a transmitting circuitry 15.
  • the receiving circuitry 11 receives, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair.
  • the decrypting circuitry 12 decrypts said key modifier using a private key of said public-private key pair.
  • the determining circuitry 13 determines necessity to transmit a first authentication key to a visited network entity.
  • FIG. 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • the apparatus according to Figure 1 may perform the method of Figure 6 but is not limited to this method.
  • the method of Figure 6 may be performed by the apparatus of Figure 1 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of receiving (S61), from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, an operation of decrypting (S62) said key modifier using a private key of said public-private key pair, an operation of determining (S63) necessity to transmit a first authentication key to a visited network entity, an operation of computing (S64), based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and an operation of transmitting (S65) said second authentication key to said visited network entity.
  • At least some of the functionalities of the apparatus shown in Figure 1 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • said key modifier is a random value.
  • said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
  • said message further includes a permanent identifier of said terminal.
  • an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of verifying a received message authentication code which is appended to said message.
  • said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
  • exemplary additional operations are given, which are inherently independent from each other as such.
  • an exemplary method according to still further exemplary embodiments of the present invention may comprise, if said second authentication key is sent to said visited network, an operation of computing, based on said key derivation function, a generated random value and said key modifier, a key confirmation value, and an operation of transmitting said key confirmation value and said generated random value to said visited network entity.
  • exemplary additional operations are given, which are inherently independent from each other as such.
  • an exemplary method may comprise an operation of determining necessity to transmit a first expected response value to a visited network entity, an operation of computing, based on said key derivation function, said first expected response value and said key modifier, a second expected response value, and an operation of transmitting said second expected response value to said visited network entity.
  • Figure 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • the apparatus may be a terminal 20 such as a user equipment in a mobile communications network comprising an encrypting circuitry 21, a transmitting circuitry 22, and a computing circuitry 23.
  • the encrypting circuitry 21 encrypts a key modifier using a public key of a public-private key pair.
  • the transmitting circuitry 22 transmits a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function.
  • the computing circuitry 23 computes, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
  • Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • the apparatus according to Figure 2 may perform the method of Figure 7 but is not limited to this method.
  • the method of Figure 7 may be performed by the apparatus of Figure 2 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of encrypting (S71) a key modifier using a public key of a public-private key pair, an operation of transmitting (S72) a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and an operation of computing (S73), based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
  • Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • Figure 3 illustrates a variation of the apparatus shown in Figure 2.
  • the apparatus according to Figure 3 may thus further comprise an obtaining circuitry 31.
  • At least some of the functionalities of the apparatus shown in Figure 2 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • an exemplary method according to exemplary embodiments of the present invention may comprise an operation of obtaining a random value as said key modifier.
  • said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
  • said message further includes a permanent identifier of said terminal.
  • an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending a message authentication code to said key modifier before both, said message authentication code and said key modifier are encrypted with the public key.
  • exemplary additional operations are given, which are inherently independent from each other as such.
  • an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending, after said key modifier has been encrypted with the public key, a message authentication code to said encrypted key modifier.
  • said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
  • an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of receiving, from said visited network entity, a key confirmation value and a random value.
  • the home network e.g. the HSS or another suitable authentication server
  • all UEs or rather the part of the UE holding the subscription credentials, like the UICC in LTE
  • PKI public key infrastructure
  • a random value called key modifier is sent by the UE to the home network using the public key of the home network to encrypt the key modifier.
  • KASME key for the access security management entity
  • MSK master session key
  • EAP extensible authentication protocol
  • the home network then sends the modified key* to the visited network.
  • the UE performs the same key modification computation to obtain key*.
  • the visited network does not notice any difference between (the behavior of) key and key*.
  • the home network sends a key
  • the home network then sends conf and RAND to the visited network.
  • the visited network forwards conf and RAND to the UE.
  • whenever the home network would compute an expected response (like XRES (expected response) in LTE or XRES in extensible authentication protocol (EAP) method EAP-AKA), the home network first applies a key derivation function (KDF) to the expected response and the KMOD to produce a modified expected response*, e.g. XRES*, by computing
  • KDF key derivation function
  • XRES* = KDF(XRES, KMOD).
  • the key derivation function used here for deriving XRES* may be the same as the key derivation function used above for deriving key*, or may differ from the key derivation function used above for deriving key*.
  • sending the encrypted KMOD may be combined with sending an encrypted permanent identifier (e.g. IMSI, IMEI) of the UE.
  • an encrypted permanent identifier e.g. IMSI, IMEI
  • the issue of secret key leakage is mitigated.
  • the mitigation is effective against a passive attacker that was able to get hold of the long-term shared secret key (e.g. K in LTE), but not of the private key of the private/public key pair of the home network.
  • the long-term shared secret key needs to be exchanged between the SIM manufacturer and the operator with many points of exposure, while the private key can be generated in a tamper-resistant module at the home operator's side and remain there for its entire lifetime.
  • the private key can be held entirely separately from any environment storing and processing the long-term shared secret keys, no Diffie Hellman key exchange has to be run between USIM and an authentication center, such that no additional interface is exposed, that could be used for attacks.
  • the public-key encrypted KMOD is sent only in the uplink (rather than in each direction). Further, as the home network never changes, a respective key exchange has to be done less often.
  • FIG 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • the apparatus may be a home network entity 40 such as a home subscriber server in a mobile communications network comprising a determining circuitry 41, an encrypting circuitry 42, and a transmitting circuitry 43.
  • the determining circuitry 41 determines necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair.
  • the encrypting circuitry 42 encrypts said authentication key using a public key of said public-private key pair.
  • the transmitting circuitry 43 transmits a message including said encrypted authentication key to said visited network entity.
  • Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • the apparatus according to Figure 4 may perform the method of Figure 8 but is not limited to this method.
  • the method of Figure 8 may be performed by the apparatus of Figure 4 but is not limited to being performed by this apparatus.
  • a procedure according to exemplary embodiments of the present invention comprises an operation of determining (S81) necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, an operation of encrypting (S82) said authentication key using a public key of said public-private key pair, and an operation of transmitting (S83) a message including said encrypted authentication key to said visited network entity.
  • at least some of the functionalities of the apparatus shown in Figure 4 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
  • Figure 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention.
  • the apparatus may be a visited network entity 50 such as a mobility management entity in a mobile communications network comprising a receiving circuitry 51 and a decrypting circuitry 52.
  • the receiving circuitry 51 receives, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair.
  • the decrypting circuitry 52 decrypts said authentication key using a private key of said public-private key pair.
  • Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention.
  • the apparatus according to Figure 5 may perform the method of Figure 9 but is not limited to this method.
  • the method of Figure 9 may be performed by the apparatus of Figure 5 but is not limited to being performed by this apparatus.
  • a procedure comprises an operation of receiving (S91), from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and an operation of decrypting (S92) said authentication key using a private key of said public-private key pair.
  • At least some of the functionalities of the apparatus shown in Figure 6 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
  • the visited network possesses a public-private key pair. While according to the prior art it may be required that all UEs need to have the public key, according to exemplary embodiments of the present invention, the home network has the public key while the UEs do not need to know the public key.
  • the home network then sends the public-key-encrypted key to the visited network.
  • the visited network uses its private key to decrypt the received encrypted key to obtain the key, e.g., KASME in LTE or MSK in EAP methods, back into clear text.
  • any other entity e.g., an attacker that is not in possession of the private key of the visited network, cannot decrypt the key correctly and would hence not be able to make any use of it.
  • the issue of key theft by impersonating a genuine serving node towards the HSS is mitigated, as the attacker is not in possession of the private key. Furthermore, carrying public-key encrypted key from the home network to the visited network would require only a very minor change to the existing S6a interface between home network and visited network, as only the information element (IE) carrying the key has to be made longer.
  • the radio interface (which is a bandwidth-constrained resource) is not affected.
  • only the interconnection network (where more bandwidth is available) is affected.
  • distributing public keys to all UEs is more difficult and elaborate by several orders of magnitude than distributing public keys among operators.
  • the above-described procedures and functions may be implemented by respective functional elements, processors, or the like, as described below.
  • the network entity may comprise further units that are necessary for its respective operation. However, a description of these units is omitted in this specification.
  • the arrangement of the functional blocks of the devices is not construed to limit the invention, and the functions may be performed by one block or further split into sub-blocks.
  • the apparatus i.e. network entity (or some other means) is configured to perform some function
  • this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function.
  • function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
  • the apparatus (home network entity) 10' (corresponding to the home network entity 10) comprises a processor 101, a memory 102 and an interface 103, which are connected by a bus 104 or the like.
  • the apparatus (terminal) 20' (corresponding to the terminal 20) comprises a processor 105, a memory 106 and an interface 107, which are connected by a bus 108 or the like, and the apparatuses may be connected via link 109, respectively.
  • the apparatus (home network entity) 40' (corresponding to the home network entity 40) comprises a processor 111, a memory 112 and an interface 113, which are connected by a bus 114 or the like.
  • the apparatus (visited network entity) 50' (corresponding to the visited network entity 50) comprises a processor 115, a memory 116 and an interface 117, which are connected by a bus 118 or the like, and the apparatuses may be connected via link 119, respectively.
  • the processor 101/105/111/115 and/or the interface 103/107/113/117 may also include a modem or the like to facilitate communication over a (hardwire or wireless) link, respectively.
  • the interface 103/107/113/117 may include a suitable transceiver coupled to one or more antennas or communication means for (hardwire or wireless) communications with the linked or connected device(s), respectively.
  • the interface 103/107/113/117 is generally configured to communicate with at least one other apparatus, i.e. the interface thereof.
  • the memory 102/106/112/116 may store respective programs assumed to include program instructions or computer program code that, when executed by the respective processor, enables the respective electronic device or apparatus to operate in accordance with the exemplary embodiments of the present invention.
  • the respective devices/apparatuses may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
  • processor or some other means
  • the processor is configured to perform some function
  • this is to be construed to be equivalent to a description stating that at least one processor, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function.
  • function is to be construed to be equivalently implementable by specifically configured means for performing the respective function (i.e. the expression "processor configured to [cause the apparatus to] perform xxx-ing" is construed to be equivalent to an expression such as "means for xxx-ing").
  • the processor i.e. the at least one processor 101, with the at least one memory 102 and the computer program code
  • the processor is configured to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), to perform decrypting said key modifier using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting), to perform determining necessity to transmit a first authentication key to a visited network entity (thus the apparatus comprising corresponding means for determining), to perform computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key (thus the apparatus comprising corresponding means for computing), and to perform transmitting said second authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
  • the processor i.e. the at least one processor 105, with the at least one memory 106 and the computer program code
  • the processor is configured to perform encrypting a key modifier using a public key of a public-private key pair (thus the apparatus comprising corresponding means for encrypting), to perform transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function (thus the apparatus comprising corresponding means for transmitting), and to perform computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity (thus the apparatus comprising corresponding means for computing).
  • the processor i.e. the at least one processor 111, with the at least one memory 112 and the computer program code
  • the processor is configured to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair (thus the apparatus comprising corresponding means for determining), to perform encrypting said authentication key using a public key of said public-private key pair (thus the apparatus comprising corresponding means for encrypting), and to perform transmitting a message including said encrypted authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
  • the at least one processor 115, with the at least one memory 116 and the computer program code is configured to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), and to perform decrypting said authentication key using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting).
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the embodiments and its modification in terms of the functionality implemented;
  • CMOS Complementary MOS
  • BiMOS Bipolar MOS
  • BiCMOS Bipolar CMOS
  • ECL Emitter Coupled Logic
  • TTL Transistor-Transistor Logic
  • ASIC Application Specific IC
  • FPGA Field-programmable Gate Arrays
  • CPLD Complex Programmable Logic Device
  • DSP Digital Signal Processor
  • devices, units or means e.g. the above-defined network entity or network register, or any one of their respective units/means
  • an apparatus like the user equipment and the network entity/network register may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
  • a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
  • respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts.
  • the mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention.
  • Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
  • Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
  • the present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
  • Such measures exemplarily comprise receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.

Abstract

There are provided measures for attack mitigation in 5G networks. Such measures exemplarily comprise receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.

Description

Title
Attack mitigation in 5G networks
Field
The present invention relates to attack mitigation in 5G networks. More specifically, the present invention exemplarily relates to measures (including methods, apparatuses and computer program products) for realizing attack mitigation in 5G networks.
Background
The present specification generally relates to 5th Generation (5G) security as defined by the 3rd Generation Partnership Project (3GPP). 5G is also known as "Next Generation System (NextGen)". Presently, topics related to NextGen are in a study phase.
In relation to 3GPP networks, a number of security key issues have been identified, and it is an object of the present invention to address these security key issues with respective measures in relation to a NextGen security architecture. In other words, with measures related to the NextGen security architecture according to exemplary embodiments of the present invention, some of the identified security key issues are mitigated.
In detail, security key issues addressed by embodiments of the present invention are a reduction of an impact of secret key leakage, a prevention from interception of radio interface keys sent between operator entities, and subscriber identifier privacy.
Regarding reduction of an impact of secret key leakage, it is noted that a fundamental security assumption is that the attacker does not know Ki (where Ki is a permanent, shared secret key for each subscriber). If this security assumption fails, the loss of security is catastrophic. Ki might leak to an attacker for a number of reasons, e.g. hacking at the factory (subscriber identity module (SIM) vendor or subscription manager), where Ki is generated, hacking of the communication channel over which Ki is transported from SIM vendor or subscription manager to mobile operator, hacking into the mobile operators, an insider attack at a mobile operator or SIM vendor, a local attack (e.g. side channel) on the SIM card in the supply chain, or a local attack (e.g. side channel) on the SIM card while temporarily borrowed from the customer.
Regarding prevention from interception of radio interface keys sent between operator entities, it is noted that generally, keys from which the keys for radio interface encryption (and integrity, where applicable) are derived are computed in the home core network (authentication center (AuC)) and then transmitted to the visited radio network over signaling links such as SS7 or Diameter. This is a clear point of exposure, and it has been demonstrated repeatedly how keys can leak. Namely, each operator network has to respond to signaling messages, which may come from any roaming partner (including roaming partners that are either hacked or misbehaving in any way). An attacker who can successfully obtain current radio interface keys for a subscriber can straightforwardly eavesdrop on the traffic of that subscriber.
Regarding subscriber identifier privacy, it is noted that in a 3GPP system many types of subscriber identifiers are used during a communication process. The identifiers may be tied to either a subscription or a device. Some of the identifiers may be permanent or long term (e.g. in case of current Long Term Evolution (LTE) system: International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network (MSISDN), International Mobile Equipment Identity (IMEI), and Medium Access Control (MAC) address) while others may be temporary or short term (e.g. in case of current LTE system: Globally Unique Temporary Identifier (GUTI), Temporary Mobile Subscriber Identity (TMSI), Cell Radio Network Temporary Identifier (C-RNTI), and internet protocol (IP) address). Compromising subscriber identifiers used in the 3GPP systems is one of the most important attack strategies in compromising the subscriber privacy. Therefore, protecting all identifiers used in a NextGen system that are relevant to privacy is an important key issue towards achieving subscriber's privacy.
Known approaches for addressing the above-mentioned security key issues are as follows. In general, for these approaches it is assumed that public-key based cryptographic mechanisms are used in some form.
According to a first known approach, a long term secret key is updated in such a way that the new key is less exposed to potential attack than the original one was. In particular, according to this approach, a key exchange protocol is involved, which is run between a universal integrated circuit card (UICC) and the home network home subscriber server (HSS), in order to create a newly agreed Ki value to replace the existing one (where the Ki value is a permanent, shared secret key for each subscriber). Elliptic Curve Diffie Hellman is a preferred key exchange algorithm. This approach includes a Diffie Hellman key exchange between a universal subscriber identity module (USIM) and the home network, when the USIM first contacts the networks. However, the risks inherent in this solution are that, if this Diffie Hellman key exchange is run between USIM and an authentication center, then the authentication center exposes an additional interface that could be used for attacks. Therefore, the potential use of a proxy for the HSS is envisaged, which, however, would have to hold copies of the long-term shared secret keys, creating yet another risk.
According to a second known approach, a key exchange protocol is included into the derivation of the radio interface session keys. In particular, according to this approach, an authentication and key agreement algorithm is run in the HSS with a resulting authentication vector sent to the visited network, and is also run in the UICC to establish shared secret keys between the UE and a node in the visited network. Those keys are not used directly for radio interface security or as inputs to a key derivation algorithm to produce radio interface security keys. Instead, those keys are used to authenticate a key exchange algorithm between the device (possibly its UICC) and that visited network node. Elliptic Curve Diffie Hellman is a preferred key exchange algorithm. More particularly, this approach consists in applying a Diffie Hellman handshake after the intermediate key obtained from the authentication vector (e.g. a key for the access security management entity (KASME)) has been successfully established between UE and serving node (e.g. MME). The security context that results from the intermediate key combined with the Diffie Hellman handshake is then used to derive further keys to protect the radio interface.
This approach includes a Diffie Hellman key exchange between the UE and the visited network (e.g. MME in LTE). This entails sending one Diffie Hellman exponent in each direction. Furthermore, the Diffie Hellman key exchange would have to be run more often as the visited network entity (e.g. MME) changes.
According to a third known approach, a serving network public key is bound into the derivation of the radio interface session keys. In particular, according to this approach, a serving network public key NPUB is used to authenticate a key exchange. As a result of the key exchange, both, user equipment (UE) and a CP-AU which is a security anchor of the NextGen core network, own a same shared session key Ksession and use the key Ksession to derive other keys for encryption and integrity protection. An Elliptic Curve Diffie Hellman technique is preferably used in this authentication protocol. This approach affects the radio interface (which is a bandwidth-constrained resource) in that Diffie Hellman key exchange parameters sent over the radio interface are quite long. Furthermore, it is required that the UEs know the public key of the visited network.
According to a further known approach, the UE encrypts its permanent identifier sent to network using public-key cryptography.
Hence, the problem arises that the known security key issues are not addressed in an efficient and secure way, such that attacks in 5G networks are not avoided or at least mitigated in an efficient and secure way.
Hence, there is a need to provide for attack mitigation in 5G networks.
Summary
Various exemplary embodiments of the present invention aim at addressing at least part of the above issues and/or problems and drawbacks.
Various aspects of exemplary embodiments of the present invention are set out in the appended claims.
According to an exemplary aspect of the present invention, there is provided a method of a home network entity in a mobile communications network, the method comprising receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided a method of a terminal in a mobile communications network, the method comprising encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
According to an exemplary aspect of the present invention, there is provided a method of a home network entity in a mobile communications network, the method comprising determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided a method of a visited network entity in a mobile communications network, the method comprising receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
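The key-modifier derivation and the public-key transport of the authentication key set out in the method aspects above can be traced end to end in a short script. This is an added example, not code from the patent: the toy RSA-KEM encryption built on Mersenne primes, the HMAC-SHA-256 key derivation function, the stand-in for the authentication run and all function names are assumptions, and chaining both mechanisms in one run is a choice made here.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent used by both toy key pairs


def toy_keypair(p_exp, q_exp):
    """Constructed toy RSA key from two Mersenne primes 2**k - 1. Trivially
    factorable; used only so the example runs offline with the standard library."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)


def kdf(key, label, data=b""):
    """Assumed key derivation function: HMAC-SHA-256 with a separating label."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def pk_encrypt(n, plaintext):
    """RSA-KEM style hybrid encryption of a value of at most 32 bytes."""
    if len(plaintext) > 32:
        raise ValueError("plaintext too long for this sketch")
    nlen = (n.bit_length() + 7) // 8
    r = secrets.randbelow(n - 2) + 2  # fresh secret, encapsulated under n
    seed = hashlib.sha256(r.to_bytes(nlen, "big")).digest()
    body = bytes(a ^ b for a, b in zip(plaintext, kdf(seed, b"enc")))
    return pow(r, E, n).to_bytes(nlen, "big") + body + kdf(seed, b"mac", body)


def pk_decrypt(n, d, blob):
    """Recover the plaintext; raise ValueError if the message was altered."""
    nlen = (n.bit_length() + 7) // 8
    c, body, tag = blob[:nlen], blob[nlen:-32], blob[-32:]
    r = pow(int.from_bytes(c, "big"), d, n)
    seed = hashlib.sha256(r.to_bytes(nlen, "big")).digest()
    if not hmac.compare_digest(tag, kdf(seed, b"mac", body)):
        raise ValueError("ciphertext rejected")
    return bytes(a ^ b for a, b in zip(body, kdf(seed, b"enc")))


HOME_N, HOME_D = toy_keypair(1279, 2203)       # home network key pair
VISITED_N, VISITED_D = toy_keypair(607, 2281)  # visited network key pair


def first_auth_key(ki, rand):
    """Stand-in for the authentication run that yields the first authentication
    key (e.g. KASME) from the permanent key Ki; not the 3GPP algorithm."""
    return kdf(ki, b"first-auth-key", rand)


def terminal_step(ki, rand):
    """Terminal: pick a key modifier, encrypt it to the home network, derive K2."""
    modifier = secrets.token_bytes(16)
    message = pk_encrypt(HOME_N, modifier)
    return message, kdf(first_auth_key(ki, rand), b"second-auth-key", modifier)


def home_step(ki, rand, message):
    """Home network: decrypt the modifier, derive K2, encrypt K2 to the visited network."""
    modifier = pk_decrypt(HOME_N, HOME_D, message)
    k2 = kdf(first_auth_key(ki, rand), b"second-auth-key", modifier)
    return pk_encrypt(VISITED_N, k2)


def visited_step(wrapped):
    """Visited network: recover the authentication key with its private key."""
    return pk_decrypt(VISITED_N, VISITED_D, wrapped)


def run_exchange():
    ki, rand = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed values
    message, k2_terminal = terminal_step(ki, rand)
    k2_visited = visited_step(home_step(ki, rand, message))
    # Same Ki and RAND, fresh modifier: K2 changes, so Ki alone does not fix it.
    _, k2_second_run = terminal_step(ki, rand)
    # Flip one bit of the encrypted modifier: the home network must reject it.
    tampered = message[:-33] + bytes([message[-33] ^ 1]) + message[-32:]
    try:
        home_step(ki, rand, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "keys_agree": hmac.compare_digest(k2_terminal, k2_visited),
        "k2_fixed_by_ki_and_rand": k2_terminal == k2_second_run,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(run_exchange())
```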
According to an exemplary aspect of the present invention, there is provided an apparatus in a home network entity in a mobile communications network, the apparatus comprising receiving circuitry configured to receive, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting circuitry configured to decrypt said key modifier using a private key of said public-private key pair, determining circuitry configured to determine necessity to transmit a first authentication key to a visited network entity, computing circuitry configured to compute, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting circuitry configured to transmit said second authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a terminal in a mobile communications network, the apparatus comprising encrypting circuitry configured to encrypt a key modifier using a public key of a public-private key pair, transmitting circuitry configured to transmit a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing circuitry configured to compute, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a home network entity in a mobile communications network, the apparatus comprising determining circuitry configured to determine necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting circuitry configured to encrypt said authentication key using a public key of said public-private key pair, and transmitting circuitry configured to transmit a message including said encrypted authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a visited network entity in a mobile communications network, the apparatus comprising receiving circuitry configured to receive, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting circuitry configured to decrypt said authentication key using a private key of said public-private key pair.
According to an exemplary aspect of the present invention, there is provided an apparatus in a home network entity in a mobile communications network, the apparatus comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a terminal in a mobile communications network, the apparatus comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform encrypting a key modifier using a public key of a public-private key pair, transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a home network entity in a mobile communications network, the apparatus comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, encrypting said authentication key using a public key of said public-private key pair, and transmitting a message including said encrypted authentication key to said visited network entity.
According to an exemplary aspect of the present invention, there is provided an apparatus in a visited network entity in a mobile communications network, the apparatus comprising at least one processor, at least one memory including computer program code, and at least one interface configured for communication with at least another apparatus, the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and decrypting said authentication key using a private key of said public-private key pair.
According to an exemplary aspect of the present invention, there is provided a computer program product comprising computer-executable computer program code which, when the program is run on a computer (e.g. a computer of an apparatus according to any one of the aforementioned apparatus-related exemplary aspects of the present invention), is configured to cause the computer to carry out the method according to any one of the aforementioned method-related exemplary aspects of the present invention.
Such computer program product may comprise (or be embodied) a (tangible) computer-readable (storage) medium or the like on which the computer-executable computer program code is stored, and/or the program may be directly loadable into an internal memory of the computer or a processor thereof.
Any one of the above aspects enables an efficient and secure attack avoidance or mitigation in 5G networks to thereby solve at least part of the problems and drawbacks identified in relation to the prior art. By way of exemplary embodiments of the present invention, there is provided attack mitigation in 5G networks. More specifically, by way of exemplary embodiments of the present invention, there are provided measures and mechanisms for realizing attack mitigation in 5G networks. Thus, improvement is achieved by methods, apparatuses and computer program products enabling/realizing attack mitigation in 5G networks.
Brief description of the drawings
In the following, the present invention will be described in greater detail by way of non-limiting examples with reference to the accompanying drawings, in which
Figure 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention,
Figure 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention,
Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention,
Figure 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention,
Figure 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention,
Figure 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention,
Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention,
Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention,
Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention,
Figure 10 is a block diagram alternatively illustrating apparatuses according to exemplary embodiments of the present invention, and
Figure 11 is a block diagram alternatively illustrating further apparatuses according to exemplary embodiments of the present invention.
Detailed description of drawings and embodiments of the present invention
The present invention is described herein with reference to particular non-limiting examples and to what are presently considered to be conceivable embodiments of the present invention. A person skilled in the art will appreciate that the invention is by no means limited to these examples, and may be more broadly applied.
It is to be noted that the following description of the present invention and its embodiments mainly refers to specifications being used as non-limiting examples for certain exemplary network configurations and deployments. Namely, the present invention and its embodiments are mainly described in relation to 3GPP specifications being used as non-limiting examples for certain exemplary network configurations and deployments. As such, the description of exemplary embodiments given herein specifically refers to terminology which is directly related thereto. Such terminology is only used in the context of the presented non-limiting examples, and does naturally not limit the invention in any way. Rather, any other communication or communication related system deployment, etc. may also be utilized as long as compliant with the features described herein.
Hereinafter, various embodiments and implementations of the present invention and its aspects or embodiments are described using several variants and/or alternatives. It is generally noted that, according to certain needs and constraints, all of the described variants and/or alternatives may be provided alone or in any conceivable combination (also including combinations of individual features of the various variants and/or alternatives).
According to exemplary embodiments of the present invention, in general terms, there are provided measures and mechanisms for (enabling/realizing) attack mitigation in 5G networks.
Figure 1 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention. The apparatus may be a home network entity 10 such as a home subscriber server in a mobile communications network comprising a receiving circuitry 11, a decrypting circuitry 12, a determining circuitry 13, a computing circuitry 14, and a transmitting circuitry 15. The receiving circuitry 11 receives, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair. The decrypting circuitry 12 decrypts said key modifier using a private key of said public-private key pair. The determining circuitry 13 determines necessity to transmit a first authentication key to a visited network entity. The computing circuitry 14 computes, based on said key derivation function, said first authentication key and said key modifier, a second authentication key. Finally, the transmitting circuitry 15 transmits said second authentication key to said visited network entity.
Figure 6 is a schematic diagram of a procedure according to exemplary embodiments of the present invention. The apparatus according to Figure 1 may perform the method of Figure 6 but is not limited to this method. The method of Figure 6 may be performed by the apparatus of Figure 1 but is not limited to being performed by this apparatus.
As shown in Figure 6, a procedure according to exemplary embodiments of the present invention comprises an operation of receiving (S61), from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, an operation of decrypting (S62) said key modifier using a private key of said public-private key pair, an operation of determining (S63) necessity to transmit a first authentication key to a visited network entity, an operation of computing (S64), based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and an operation of transmitting (S65) said second authentication key to said visited network entity.
In an embodiment at least some of the functionalities of the apparatus shown in Figure 1 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
According to further exemplary embodiments of the present invention, said key modifier is a random value.
According to further exemplary embodiments of the present invention, said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
According to further exemplary embodiments of the present invention, said message further includes a permanent identifier of said terminal.
According to a variation of the procedure shown in Figure 6, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of verifying a received message authentication code which is appended to said message.
According to still further exemplary embodiments of the present invention, said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
According to a variation of the procedure shown in Figure 6, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise, if said second authentication key is sent to said visited network, an operation of computing, based on said key derivation function, a generated random value and said key modifier, a key confirmation value, and an operation of transmitting said key confirmation value and said generated random value to said visited network entity.
According to a variation of the procedure shown in Figure 6, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of determining necessity to transmit a first expected response value to a visited network entity, an operation of computing, based on said key derivation function, said first expected response value and said key modifier, a second expected response value, and an operation of transmitting said second expected response value to said visited network entity.
Figure 2 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention. The apparatus may be a terminal 20 such as a user equipment in a mobile communications network comprising an encrypting circuitry 21, a transmitting circuitry 22, and a computing circuitry 23. The encrypting circuitry 21 encrypts a key modifier using a public key of a public-private key pair. The transmitting circuitry 22 transmits a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function. The computing circuitry 23 computes, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
Figure 7 is a schematic diagram of a procedure according to exemplary embodiments of the present invention. The apparatus according to Figure 2 may perform the method of Figure 7 but is not limited to this method. The method of Figure 7 may be performed by the apparatus of Figure 2 but is not limited to being performed by this apparatus.
As shown in Figure 7, a procedure according to exemplary embodiments of the present invention comprises an operation of encrypting (S71) a key modifier using a public key of a public-private key pair, an operation of transmitting (S72) a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and an operation of computing (S73), based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
Figure 3 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention. In particular, Figure 3 illustrates a variation of the apparatus shown in Figure 2. The apparatus according to Figure 3 may thus further comprise an obtaining circuitry 31.
In an embodiment at least some of the functionalities of the apparatus shown in Figure 2 (or 3) may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
According to a variation of the procedure shown in Figure 7, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to exemplary embodiments of the present invention may comprise an operation of obtaining a random value as said key modifier.
According to further exemplary embodiments of the present invention, said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
According to further exemplary embodiments of the present invention, said message further includes a permanent identifier of said terminal.
According to a variation of the procedure shown in Figure 7, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending a message authentication code to said key modifier before both, said message authentication code and said key modifier are encrypted with the public key.
According to a variation of the procedure shown in Figure 7, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of appending, after said key modifier has been encrypted with the public key, a message authentication code to said encrypted key modifier.
According to still further exemplary embodiments of the present invention, said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
According to a variation of the procedure shown in Figure 7, exemplary additional operations are given, which are inherently independent from each other as such. According to such variation, an exemplary method according to still further exemplary embodiments of the present invention may comprise an operation of receiving, from said visited network entity, a key confirmation value and a random value.
In other words, according to exemplary embodiments of the present invention, it is assumed that the home network, e.g. the HSS or another suitable authentication server, possesses a public-private key pair, and that all UEs (or rather the part of the UE holding the subscription credentials, like the UICC in LTE) have the public key thereof. An advantage of such an approach is that no global public key infrastructure (PKI) is required, as the UEs can be provisioned with the public key by the home operator together with further necessary credentials.
According to these exemplary embodiments, a random value called key modifier (KMOD) is sent by the UE to the home network using the public key of the home network to encrypt the key modifier.
Whenever the home network would send a key (like key = key for the access security management entity (KASME) in LTE or key = master session key (MSK) in extensible authentication protocol (EAP) methods) to the visited network, the home network first applies a key derivation function (KDF) to the key and the KMOD to produce a modified key*, e.g. KASME* or MSK*, by computing key* = KDF (key, KMOD).
The home network then sends the modified key* to the visited network. The UE performs the same key modification computation to obtain key*.
As a result, according to exemplary embodiments of the present invention, the visited network does not notice any difference between (the behavior of) key and key*.
In a further embodiment, whenever the home network sends a key
key* = KDF (key, KMOD),
the home network additionally computes a key confirmation value
conf = KDF (RAND, KMOD),
where RAND is a generated random value. The home network then sends conf and RAND to the visited network. The visited network forwards conf and RAND to the UE.
In a further embodiment, whenever the home network would compute an expected response (like XRES (expected response) in LTE or XRES in extensible authentication protocol (EAP) method EAP-AKA), the home network first applies a key derivation function (KDF) to the expected response and the KMOD to produce a modified expected response*, e.g. XRES*, by computing
XRES* = KDF (XRES, KMOD).
The key derivation function used here for deriving XRES* may be the same as the key derivation function used above for deriving key*, or may differ from the key derivation function used above for deriving key*.
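The three derivations described above (key*, conf and XRES*) can be exercised end to end. The following Python example is added here for illustration and is not code from the patent: HMAC-SHA-256 keyed with KMOD stands in for the unspecified KDF, and the per-purpose labels, the 32-byte KMOD length, the UE-side check of conf and the UE-side derivation of the modified response are assumptions of the example. The public-key encrypted transport of KMOD to the home network is taken as already completed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KMOD_LEN = 32  # assumption: the text only says KMOD is a random value


def kdf(value: bytes, kmod: bytes, label: bytes) -> bytes:
    """KDF(value, KMOD); assumed instantiation: HMAC-SHA-256 keyed with KMOD.

    The label is an added domain separator so that key*, conf and XRES*
    cannot collide even if their inputs happen to be equal.
    """
    return hmac.new(kmod, label + b"|" + value, hashlib.sha256).digest()


def new_kmod() -> bytes:
    """UE side: draw a fresh random key modifier."""
    return secrets.token_bytes(KMOD_LEN)


def home_network_derive(key: bytes, xres: bytes, kmod: bytes,
                        rand: Optional[bytes] = None) -> dict:
    """Home network side: values handed to the visited network.

    key  : unmodified key (e.g. KASME or MSK)
    xres : unmodified expected response
    kmod : key modifier recovered by decrypting the UE's message
    """
    if len(kmod) != KMOD_LEN:
        raise ValueError("unexpected KMOD length")
    if rand is None:
        rand = secrets.token_bytes(16)
    return {
        "key_star": kdf(key, kmod, b"key"),     # key*  = KDF(key, KMOD)
        "xres_star": kdf(xres, kmod, b"xres"),  # XRES* = KDF(XRES, KMOD)
        "rand": rand,
        "conf": kdf(rand, kmod, b"conf"),       # conf  = KDF(RAND, KMOD)
    }


def ue_derive(key: bytes, res: bytes, kmod: bytes,
              rand: bytes, conf: bytes) -> tuple:
    """UE side: check conf (assumed use of the confirmation value), then
    derive key* and the modified response with the same KDF."""
    expected = kdf(rand, kmod, b"conf")
    if not hmac.compare_digest(expected, conf):
        raise ValueError("key confirmation failed: KMOD not applied by home network")
    return kdf(key, kmod, b"key"), kdf(res, kmod, b"xres")


def derive_without_kmod(key: bytes) -> bytes:
    """What a party holding only the unmodified key can compute: without the
    home network's private key it has no KMOD, so it can only guess one."""
    return kdf(key, secrets.token_bytes(KMOD_LEN), b"key")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real subscription.
    kasme = bytes.fromhex("11" * 32)
    xres = bytes.fromhex("22" * 8)
    kmod = new_kmod()

    av = home_network_derive(kasme, xres, kmod)
    key_star, res_star = ue_derive(kasme, xres, kmod, av["rand"], av["conf"])

    print("UE and home network agree on key*:", key_star == av["key_star"])
    print("response matches XRES*:", res_star == av["xres_star"])
    print("key* derivable without KMOD:", derive_without_kmod(kasme) == av["key_star"])
```
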
In order to increase efficiency, according to preferred exemplary embodiments of the present invention, sending the encrypted KMOD may be combined with sending an encrypted permanent identifier (e.g. IMSI, IMEI) of the UE.
According to the above-explained exemplary embodiments of the present invention, the issue of secret key leakage is mitigated. The mitigation is effective against a passive attacker that was able to get hold of the long-term shared secret key (e.g. K in LTE), but not of the private key of the private/public key pair of the home network. In this regard, it is noted that the long-term shared secret key needs to be exchanged between the SIM manufacturer and the operator with many points of exposure, while the private key can be generated in a tamper-resistant module at the home operator's side and remain there for its entire lifetime. Contrary to known approaches, according to the exemplary embodiments of the present invention, the private key can be held entirely separately from any environment storing and processing the long-term shared secret keys, and no Diffie-Hellman key exchange has to be run between USIM and an authentication center, such that no additional interface is exposed that could be used for attacks.
Further, contrary to known approaches, according to the exemplary embodiments of the present invention, the public-key encrypted KMOD is sent only in the uplink (rather than in each direction). Further, as the home network never changes, a respective key exchange has to be done less often.
Figure 4 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention. The apparatus may be a home network entity 40 such as a home subscriber server in a mobile communications network comprising a determining circuitry 41, an encrypting circuitry 42, and a transmitting circuitry 43. The determining circuitry 41 determines necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair. The encrypting circuitry 42 encrypts said authentication key using a public key of said public-private key pair. Finally, the transmitting circuitry 43 transmits a message including said encrypted authentication key to said visited network entity.
Figure 8 is a schematic diagram of a procedure according to exemplary embodiments of the present invention. The apparatus according to Figure 4 may perform the method of Figure 8 but is not limited to this method. The method of Figure 8 may be performed by the apparatus of Figure 4 but is not limited to being performed by this apparatus.
As shown in Figure 8, a procedure according to exemplary embodiments of the present invention comprises an operation of determining (S81) necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair, an operation of encrypting (S82) said authentication key using a public key of said public-private key pair, and an operation of transmitting (S83) a message including said encrypted authentication key to said visited network entity.
In an embodiment at least some of the functionalities of the apparatus shown in Figure 4 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
According to further exemplary embodiments of the present invention, said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
Figure 5 is a block diagram illustrating an apparatus according to exemplary embodiments of the present invention. The apparatus may be a visited network entity 50 such as a mobility management entity in a mobile communications network comprising a receiving circuitry 51 and a decrypting circuitry 52. The receiving circuitry 51 receives, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair. The decrypting circuitry 52 decrypts said authentication key using a private key of said public-private key pair.
Figure 9 is a schematic diagram of a procedure according to exemplary embodiments of the present invention. The apparatus according to Figure 5 may perform the method of Figure 9 but is not limited to this method. The method of Figure 9 may be performed by the apparatus of Figure 5 but is not limited to being performed by this apparatus.
As shown in Figure 9, a procedure according to exemplary embodiments of the present invention comprises an operation of receiving (S91), from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and an operation of decrypting (S92) said authentication key using a private key of said public-private key pair.
In an embodiment at least some of the functionalities of the apparatus shown in Figure 6 may be shared between two physically separate devices forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
According to further exemplary embodiments of the present invention, said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
In other words, according to exemplary embodiments of the present invention, it is assumed that the visited network possesses a public-private key pair. While according to the prior art it may be required that all UEs need to have the public key, according to exemplary embodiments of the present invention, the home network has the public key while the UEs do not need to know the public key.
According to exemplary embodiments of the present invention, whenever the home network would send a key (like key = KASME in LTE or key = MSK in EAP methods) to the visited network, the home network first encrypts this key with the public key of the visited network.
The home network then sends the public-key-encrypted key to the visited network. The visited network uses its private key to decrypt the received encrypted key to obtain the key, e.g., KASME in LTE or MSK in EAP methods, back into clear text.
As a result, any other entity, e.g., an attacker that is not in possession of the private key of the visited network, cannot decrypt the key correctly and would hence not be able to make any use of it.
According to the above-explained exemplary embodiments of the present invention, the issue of key theft by impersonating a genuine serving node towards the HSS is mitigated, as the attacker is not in possession of the private key. Furthermore, carrying public-key encrypted key from the home network to the visited network would require only a very minor change to the existing S6a interface between home network and visited network, as only the information element (IE) carrying the key has to be made longer.
Contrary to known approaches, according to the exemplary embodiments of the present invention, the radio interface (which is a bandwidth-constrained resource) is not affected. In particular, according to the exemplary embodiments, only the interconnection network (where more bandwidth is available) is affected. Furthermore, according to the exemplary embodiments of the present invention, it is not required that the UEs know the public key of the visited network. In this regard, it is noted that distributing public keys to all UEs is more difficult and elaborate by several orders of magnitude than distributing public keys among operators.
The above-described procedures and functions may be implemented by respective functional elements, processors, or the like, as described below.
In the foregoing exemplary description of the network entity, only the units that are relevant for understanding the principles of the invention have been described using functional blocks. The network entity may comprise further units that are necessary for its respective operation. However, a description of these units is omitted in this specification. The arrangement of the functional blocks of the devices is not construed to limit the invention, and the functions may be performed by one block or further split into sub-blocks.
When in the foregoing description it is stated that the apparatus, i.e. network entity (or some other means) is configured to perform some function, this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function. Also, such function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
In Figure 10, an alternative illustration of apparatuses according to exemplary embodiments of the present invention is depicted. As indicated in Figure 10, according to exemplary embodiments of the present invention, the apparatus (home network entity) 10' (corresponding to the home network entity 10) comprises a processor 101, a memory 102 and an interface 103, which are connected by a bus 104 or the like. Further, according to exemplary embodiments of the present invention, the apparatus (terminal) 20' (corresponding to the terminal 20) comprises a processor 105, a memory 106 and an interface 107, which are connected by a bus 108 or the like, and the apparatuses may be connected via link 109, respectively.
In Figure 11, an alternative illustration of further apparatuses according to exemplary embodiments of the present invention is depicted. As indicated in Figure 11, according to exemplary embodiments of the present invention, the apparatus (home network entity) 40' (corresponding to the home network entity 40) comprises a processor 111, a memory 112 and an interface 113, which are connected by a bus 114 or the like. Further, according to exemplary embodiments of the present invention, the apparatus (visited network entity) 50' (corresponding to the visited network entity 50) comprises a processor 115, a memory 116 and an interface 117, which are connected by a bus 118 or the like, and the apparatuses may be connected via link 119, respectively.
The processor 101/105/111/115 and/or the interface 103/107/113/117 may also include a modem or the like to facilitate communication over a (hardwire or wireless) link, respectively. The interface 103/107/113/117 may include a suitable transceiver coupled to one or more antennas or communication means for (hardwire or wireless) communications with the linked or connected device(s), respectively. The interface 103/107/113/117 is generally configured to communicate with at least one other apparatus, i.e. the interface thereof.
The memory 102/106/112/116 may store respective programs assumed to include program instructions or computer program code that, when executed by the respective processor, enables the respective electronic device or apparatus to operate in accordance with the exemplary embodiments of the present invention.
In general terms, the respective devices/apparatuses (and/or parts thereof) may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
When in the subsequent description it is stated that the processor (or some other means) is configured to perform some function, this is to be construed to be equivalent to a description stating that at least one processor, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function. Also, such function is to be construed to be equivalently implementable by specifically configured means for performing the respective function (i.e. the expression "processor configured to [cause the apparatus to] perform xxx-ing" is construed to be equivalent to an expression such as "means for xxx-ing").
In particular, according to exemplary embodiments of the present invention in relation to Figure 10, the processor (i.e. the at least one processor 101, with the at least one memory 102 and the computer program code) is configured to perform receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), to perform decrypting said key modifier using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting), to perform determining necessity to transmit a first authentication key to a visited network entity (thus the apparatus comprising corresponding means for determining), to perform computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key (thus the apparatus comprising corresponding means for computing), and to perform transmitting said second authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
Further, according to exemplary embodiments of the present invention in relation to Figure 10, the processor (i.e. the at least one processor 105, with the at least one memory 106 and the computer program code) is configured to perform encrypting a key modifier using a public key of a public-private key pair (thus the apparatus comprising corresponding means for encrypting), to perform transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function (thus the apparatus comprising corresponding means for transmitting), and to perform computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity (thus the apparatus comprising corresponding means for computing).
Further, according to exemplary embodiments of the present invention in relation to Figure 11, the processor (i.e. the at least one processor 111, with the at least one memory 112 and the computer program code) is configured to perform determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair (thus the apparatus comprising corresponding means for determining), to perform encrypting said authentication key using a public key of said public-private key pair (thus the apparatus comprising corresponding means for encrypting), and to perform transmitting a message including said encrypted authentication key to said visited network entity (thus the apparatus comprising corresponding means for transmitting).
Further, according to exemplary embodiments of the present invention in relation to Figure 11, the processor (i.e. the at least one processor 115, with the at least one memory 116 and the computer program code) is configured to perform receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair (thus the apparatus comprising corresponding means for receiving), and to perform decrypting said authentication key using a private key of said public-private key pair (thus the apparatus comprising corresponding means for decrypting).
For further details regarding the operability/functionality of the individual apparatuses, reference is made to the above description in connection with any one of Figures 1 to 9, respectively.
For the purpose of the present invention as described herein above, it should be noted that
- method steps likely to be implemented as software code portions and being run using a processor at a network server or network entity (as examples of devices, apparatuses and/or modules thereof, or as examples of entities including apparatuses and/or modules therefore), are software code independent and can be specified using any known or future developed programming language as long as the functionality defined by the method steps is preserved;
- generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the embodiments and its modification in terms of the functionality implemented;
- method steps and/or devices, units or means likely to be implemented as hardware components at the above-defined apparatuses, or any module(s) thereof, (e.g., devices carrying out the functions of the apparatuses according to the embodiments as described above) are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components;
- devices, units or means (e.g. the above-defined network entity or network register, or any one of their respective units/means) can be implemented as individual devices, units or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device, unit or means is preserved;
- an apparatus like the user equipment and the network entity/network register may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
- a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof. The present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
In view of the above, there are provided measures for attack mitigation in 5G networks. Such measures exemplarily comprise receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair, decrypting said key modifier using a private key of said public-private key pair, determining necessity to transmit a first authentication key to a visited network entity, computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and transmitting said second authentication key to said visited network entity.
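The exchange summarized above, as an added Python example that is not part of the patent text. The page names neither a cipher nor a concrete key derivation function, so HMAC-SHA-256 as the KDF, textbook RSA over a constructed toy key as a stand-in for the public-key encryption, the 32-byte KMOD length, the sample IMSI and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

KMOD_LEN = 32  # bytes; the size is an assumption, the page only says "random value"

# Stand-in public-key cipher: textbook RSA without padding over a constructed toy
# key (two Mersenne primes). The page names no cipher; this only shows the data flow.
_P, _Q, _E = 2**521 - 1, 2**607 - 1, 65537


def make_home_keypair():
    """Return (public, private) for the home network (constructed toy key)."""
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)


def pk_encrypt(public, data):
    n, e = public
    return pow(int.from_bytes(data, "big"), e, n)


def pk_decrypt(private, ciphertext, length):
    n, d = private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def kdf(first_key, kmod):
    """Assumed KDF: HMAC-SHA-256 keyed with the first authentication key."""
    return hmac.new(first_key, b"second-auth-key" + kmod, hashlib.sha256).digest()


class Terminal:
    def __init__(self, imsi, first_key, home_public):
        self.imsi, self.first_key, self.home_public = imsi, first_key, home_public
        self.kmod = None

    def build_message(self):
        # Fresh random key modifier, sent only in encrypted form together with
        # the permanent identifier (claims 2, 4, 6 and 7).
        self.kmod = secrets.token_bytes(KMOD_LEN)
        return {"imsi": self.imsi, "enc_kmod": pk_encrypt(self.home_public, self.kmod)}

    def second_key(self):
        return kdf(self.first_key, self.kmod)


class HomeNetwork:
    def __init__(self, private, subscribers):
        self.private, self.subscribers = private, subscribers  # imsi -> first key

    def key_for_visited(self, message):
        # Decrypt KMOD, then hand the visited network the derived second key
        # instead of the first key (claim 1).
        kmod = pk_decrypt(self.private, message["enc_kmod"], KMOD_LEN)
        return kdf(self.subscribers[message["imsi"]], kmod)


def run_exchange():
    """One roaming attach with constructed values; returns what each party holds."""
    public, private = make_home_keypair()
    imsi = "001010123456789"              # constructed test identity
    first_key = secrets.token_bytes(32)   # stands in for KASME or the EAP MSK
    ue = Terminal(imsi, first_key, public)
    home = HomeNetwork(private, {imsi: first_key})
    message = ue.build_message()
    return {
        "first_key": first_key,
        "kmod": ue.kmod,
        "message": message,
        "ue_second_key": ue.second_key(),
        "visited_second_key": home.key_for_visited(message),
    }


if __name__ == "__main__":
    r = run_exchange()
    print("keys match:", r["ue_second_key"] == r["visited_second_key"])
```

The visited network only ever receives the second key; reproducing it requires both the first authentication key and the KMOD value that travelled encrypted to the home network.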
Even though the invention is described above with reference to the examples according to the accompanying drawings, it is to be understood that the invention is not restricted thereto. Rather, it is apparent to those skilled in the art that the present invention can be modified in many ways without departing from the scope of the inventive idea as disclosed herein.
List of acronyms and abbreviations
3GPP 3rd Generation Partnership Project
5G 5th Generation
AuC authentication center
C-RNTI Cell Radio Network Temporary Identifier
EAP extensible authentication protocol
GUTI Globally Unique Temporary Identifier
HSS home subscriber server
IE information element
IMEI International Mobile Equipment Identity
IMSI International Mobile Subscriber Identity
IP internet protocol
KASME key for the access security management entity
KDF key derivation function
KMOD key modifier
LTE Long Term Evolution
MAC Medium Access Control
MSISDN Mobile Subscriber Integrated Services Digital Network
MSK master session key
NextGen Next Generation System
PKI public key infrastructure
SIM subscriber identity module
TMSI Temporary Mobile Subscriber Identity
UE user equipment
UICC universal integrated circuit card
USIM universal subscriber identity module

Claims

1. A method of a home network entity in a mobile communications network, the method comprising
receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair,
decrypting said key modifier using a private key of said public-private key pair,
determining necessity to transmit a first authentication key to a visited network entity,
computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and
transmitting said second authentication key to said visited network entity.
2. The method according to claim 1, wherein
said key modifier is a random value.
3. The method according to claim 1 or 2, wherein
said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
4. The method according to any of claims 1 to 3, wherein
said message further includes a permanent identifier of said terminal.
5. The method according to any of claims 1 to 4, wherein
said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
6. A method of a terminal in a mobile communications network, the method comprising
encrypting a key modifier using a public key of a public-private key pair,
transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and
computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
7. The method according to claim 6, further comprising
obtaining a random value as said key modifier.
8. The method according to claim 6 or 7, wherein
said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
9. The method according to any of claims 6 to 8, wherein
said message further includes a permanent identifier of said terminal.
10. The method according to any of claims 6 to 9, wherein
said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
11. A method of a home network entity in a mobile communications network, the method comprising
determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair,
encrypting said authentication key using a public key of said public-private key pair, and
transmitting a message including said encrypted authentication key to said visited network entity.
12. The method according to claim 11, wherein
said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
13. A method of a visited network entity in a mobile communications network, the method comprising
receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and
decrypting said authentication key using a private key of said public-private key pair.
14. The method according to claim 13, wherein
said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
15. An apparatus in a home network entity in a mobile communications network, the apparatus comprising
receiving circuitry configured to receive, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair,
decrypting circuitry configured to decrypt said key modifier using a private key of said public-private key pair,
determining circuitry configured to determine necessity to transmit a first authentication key to a visited network entity,
computing circuitry configured to compute, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and
transmitting circuitry configured to transmit said second authentication key to said visited network entity.
16. The apparatus according to claim 15, wherein
said key modifier is a random value.
17. The apparatus according to claim 15 or 16, wherein
said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
18. The apparatus according to any of claims 15 to 17, wherein
said message further includes a permanent identifier of said terminal.
19. The apparatus according to any of claims 15 to 18, wherein
said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
20. An apparatus in a terminal in a mobile communications network, the apparatus comprising
encrypting circuitry configured to encrypt a key modifier using a public key of a public-private key pair,
transmitting circuitry configured to transmit a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and
computing circuitry configured to compute, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
21. The apparatus according to claim 20, further comprising
obtaining circuitry configured to obtain a random value as said key modifier.
22. The apparatus according to claim 20 or 21, wherein
said key derivation function has at least said first authentication key and said key modifier as inputs and said second authentication key as output.
23. The apparatus according to any of claims 20 to 22, wherein
said message further includes a permanent identifier of said terminal.
24. The apparatus according to any of claims 20 to 23, wherein
said first authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
25. An apparatus in a home network entity in a mobile communications network, the apparatus comprising
determining circuitry configured to determine necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair,
encrypting circuitry configured to encrypt said authentication key using a public key of said public-private key pair, and
transmitting circuitry configured to transmit a message including said encrypted authentication key to said visited network entity.
26. The apparatus according to claim 25, wherein
said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
27. An apparatus in a visited network entity in a mobile communications network, the apparatus comprising
receiving circuitry configured to receive, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and
decrypting circuitry configured to decrypt said authentication key using a private key of said public-private key pair.
28. The apparatus according to claim 27, wherein
said authentication key is a key for the access security management entity or an extensible authentication protocol master session key.
29. An apparatus in a home network entity in a mobile communications network, the apparatus comprising
at least one processor,
at least one memory including computer program code, and
at least one interface configured for communication with at least another apparatus,
the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform:
receiving, from a terminal having a public key of a public-private key pair and a key derivation function, a message including a key modifier encrypted using said public key of said public-private key pair,
decrypting said key modifier using a private key of said public-private key pair,
determining necessity to transmit a first authentication key to a visited network entity,
computing, based on said key derivation function, said first authentication key and said key modifier, a second authentication key, and
transmitting said second authentication key to said visited network entity.
30. An apparatus in a terminal in a mobile communications network, the apparatus comprising
at least one processor,
at least one memory including computer program code, and
at least one interface configured for communication with at least another apparatus,
the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform:
encrypting a key modifier using a public key of a public-private key pair,
transmitting a message including said encrypted key modifier to a home network entity having a private key of said public-private key pair and a key derivation function, and
computing, based on said key derivation function, a first authentication key and said key modifier, a second authentication key to be used in communication with a visited network entity.
31. An apparatus in a home network entity in a mobile communications network, the apparatus comprising
at least one processor,
at least one memory including computer program code, and
at least one interface configured for communication with at least another apparatus,
the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform:
determining necessity to transmit an authentication key to a visited network entity having a private key of a public-private key pair,
encrypting said authentication key using a public key of said public-private key pair, and
transmitting a message including said encrypted authentication key to said visited network entity.
32. An apparatus in a visited network entity in a mobile communications network, the apparatus comprising
at least one processor,
at least one memory including computer program code, and
at least one interface configured for communication with at least another apparatus,
the at least one processor, with the at least one memory and the computer program code, being configured to cause the apparatus to perform:
receiving, from a home network entity having a public key of a public-private key pair, a message including an authentication key encrypted using said public key of said public-private key pair, and
decrypting said authentication key using a private key of said public-private key pair.
33. A computer program product comprising computer-executable computer program code which, when the program is run on a computer, is configured to cause the computer to carry out the method according to any one of claims 1 to 5, 6 to 10, 11 to 12 or 13 to 14.
34. The computer program product according to claim 33, wherein the computer program product comprises a computer-readable medium on which the computer-executable computer program code is stored, and/or wherein the program is directly loadable into an internal memory of the computer or a processor thereof.
PCT/EP2016/071444 2016-09-12 2016-09-12 Attack mitigation in 5g networks WO2018046109A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/071444 WO2018046109A1 (en) 2016-09-12 2016-09-12 Attack mitigation in 5g networks

Publications (1)

Publication Number Publication Date
WO2018046109A1 (en) 2018-03-15

Family

ID=56893998

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/071444 WO2018046109A1 (en) 2016-09-12 2016-09-12 Attack mitigation in 5g networks

Country Status (1)

Country Link
WO (1) WO2018046109A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020041365A1 (en) * 2018-08-20 2020-02-27 T-Mobile Usa, Inc. End-to-end security for roaming 5g-nr communications
WO2020119815A1 (en) * 2018-12-14 2020-06-18 华为技术有限公司 Security context isolation method, apparatus and system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Release 14)", 9 August 2016 (2016-08-09), XP051139501, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_84_Chennai/Docs/> [retrieved on 20160809] *
CARAGATA DANIEL ET AL: "Survey of network access security in UMTS/LTE networks", THE 9TH INTERNATIONAL CONFERENCE FOR INTERNET TECHNOLOGY AND SECURED TRANSACTIONS (ICITST-2014), INFONOMICS SOCIETY, 8 December 2014 (2014-12-08), pages 43 - 46, XP032735467, DOI: 10.1109/ICITST.2014.7038772 *
HUAWEI ET AL: "Session Key Enforcement with Diffie-Hellman Procedure", vol. SA WG3, no. San Jose Del Cabo, Mexico; 20160509 - 20160513, 2 May 2016 (2016-05-02), XP051091666, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_83_Los_Cabos/Docs/> [retrieved on 20160502] *
KASSEM AHMAD: "Protocoles, gestion et transmission sécurisée par chaos des clés secrètes. Applications aux standards : TCP/IP via DVB-S, UMTS, EPS.", 16 July 2013 (2013-07-16), XP055311868, Retrieved from the Internet <URL:https://hal.archives-ouvertes.fr/tel-01104943/document> [retrieved on 20161018] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020041365A1 (en) * 2018-08-20 2020-02-27 T-Mobile Usa, Inc. End-to-end security for roaming 5g-nr communications
US11889307B2 (en) 2018-08-20 2024-01-30 T-Mobile Usa, Inc. End-to-end security for roaming 5G-NR communications
WO2020119815A1 (en) * 2018-12-14 2020-06-18 华为技术有限公司 Security context isolation method, apparatus and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16763287

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16763287

Country of ref document: EP

Kind code of ref document: A1