WO2020208295A1 - Establishing secure communication paths with a multipath connection server, with an initial connection over a private network - Google Patents
Establishing secure communication paths with a multipath connection server, with an initial connection over a private network
- Publication number
- WO2020208295A1 (PCT/FI2020/050201)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- communication network
- multipath
- network
- user equipment
- given user
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/14—Multichannel or multilink protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
Definitions
- the field relates generally to communication systems, and more particularly, but not exclusively, to security management within such systems.
- Fourth generation (4G) wireless mobile telecommunications technology also known as Long Term Evolution (LTE) technology, was designed to provide high capacity mobile multimedia with high data rates particularly for human interaction.
- Next generation or fifth generation (5G) technology is intended to be used not only for human interaction, but also for machine type communications in so-called Internet of Things (IoT) networks.
- IoT Internet of Things
- While 5G networks are intended to enable massive IoT services (e.g., very large numbers of limited capacity devices) and mission-critical IoT services (e.g., requiring high reliability), improvements over legacy mobile communication services are also supported in the form of enhanced mobile broadband (eMBB) services providing improved wireless Internet access for mobile devices.
- eMBB enhanced mobile broadband
- user equipment in a 5G network or, more broadly, a UE
- a base station or access point referred to as a gNB in a 5G network.
- the access point e.g., gNB
- the access network is illustratively part of an access network of the communication system.
- the access network is referred to as a 5G System and is described in 5G Technical Specification (TS) 23.501, V15.4.0, entitled “Technical Specification Group Services and System Aspects; System Architecture for the 5G System,” the disclosure of which is incorporated by reference herein in its entirety.
- TS Technical Specification
- CN core network
- a data network such as a packet data network (e.g., Internet).
- TS 23.501 goes on to define a 5G Service-Based Architecture (SBA) which models services as network functions (NFs) that communicate with each other using representational state transfer application programming interfaces (Restful APIs).
- SBA Service-Based Architecture
- V15.3.1, entitled “Technical Specification Group Services and System Aspects; Security Architecture and Procedures for the 5G System,” the disclosure of which is incorporated by reference herein in its entirety, further describes security management details associated with a 5G network.
- MAMS multiple access management service
- Illustrative embodiments provide improved techniques for security management in communication systems particularly with respect to multipath connectivity.
- a method comprises establishing a multipath connectivity security context when registering with a first communication network, wherein the multipath connectivity security context relates to a multipath connection server.
- the multipath connectivity security context is then utilized to establish a first connection with the multipath connection server through the first communication network and a second connection with the multipath connection server through a second communication network.
- the first communication network comprises a wireless private network (e.g., a non 3GPP network) and the second communication network comprises a wireless public network (e.g., a 3GPP network).
- a method comprises authenticating given user equipment, registering through a first communication network, using at least part of a multipath connectivity security context established with the given user equipment.
- the multipath connection server then authenticates the given user equipment through a second communication network, and receives a session establishment request from the given user equipment through the second communication network.
- the multipath connection server then re-authenticates the given user equipment using at least part of the security context, and establishes a first connection with the given user equipment through the first communication network and a second connection with the given user equipment through the second communication network.
- the first communication network comprises a wireless private network and the second communication network comprises a wireless public network.
- the multipath connection server is able to establish more connections to user equipment over available communication networks as needed.
- FIG. 1 illustrates a communication system with which one or more illustrative embodiments are implemented.
- FIG. 2 illustrates processing architectures for security management participants, according to an illustrative embodiment.
- FIG. 3 illustrates multipath connectivity scenarios, according to an illustrative embodiment.
- FIG. 4 illustrates a first connection with a multipath connection server over a wireless private network, according to an illustrative embodiment.
- FIG. 5 illustrates a second connection with a multipath connection server over a wireless public network, according to an illustrative embodiment.
- FIG. 6 illustrates a security management methodology for multiple connections with a multipath connection server, according to an illustrative embodiment.
- Embodiments will be illustrated herein in conjunction with example communication systems and associated techniques for providing security management (e.g., cryptographic key management) in communication systems. It should be understood, however, that the scope of the claims is not limited to particular types of communication systems and/or processes disclosed. Embodiments can be implemented in a wide variety of other types of communication systems, using alternative processes and operations. For example, although illustrated in the context of wireless cellular systems utilizing 3GPP system elements such as a 3GPP next generation system (5G), the disclosed embodiments can be adapted in a straightforward manner to a variety of other types of communication systems.
- 3GPP system elements such as a 3GPP next generation system (5G)
- 5G next generation system
- 3GPP technical specifications TS
- TR technical reports
- 3GPP TS/TR documents provide other conventional details that one of ordinary skill in the art will realize.
- while illustrative embodiments are well-suited for implementation associated with the above-mentioned 5G-related 3GPP standards, alternative embodiments are not necessarily intended to be limited to any particular standards.
- OSI model is a model that conceptually characterizes communication functions of a communication system such as, for example, a 5G network.
- the OSI model is typically conceptualized as a hierarchical stack with a given layer serving the layer above and being served by the layer below.
- the OSI model comprises seven layers with the top layer of the stack being the application layer (layer 7) followed by the presentation layer (layer 6), the session layer (layer 5), the transport layer (layer 4), the network layer (layer 3), the data link layer (layer 2), and the physical layer (layer 1).
- FIG. 1 shows a communication system 100 within which illustrative embodiments are implemented.
- the elements shown in communication system 100 are intended to represent main functions provided within the system, e.g., UE access functions, mobility management functions, authentication functions, serving gateway functions, etc.
- the blocks shown in FIG. 1 reference specific elements in 5G networks that provide these main functions.
- other network elements may be used in other embodiments to implement some or all of the main functions represented.
- not all functions of a 5G network are depicted in FIG. 1. Rather, functions that facilitate an explanation of illustrative embodiments are represented. Subsequent figures may depict some additional elements/functions.
- communication system 100 comprises user equipment (UE) 102 that communicates via an air interface 103 with an access point (gNB) 104.
- the UE 102 in some embodiments is a mobile station, and such a mobile station may comprise, by way of example, a mobile telephone, a computer, or any other type of communication device.
- the term “user equipment” as used herein is therefore intended to be construed broadly, so as to encompass a variety of different types of mobile stations, subscriber stations or, more generally, communication devices, including examples such as a combination of a data card inserted in a laptop or other equipment such as a smart phone or other cellular device.
- user equipment refers to an IoT device.
- Such communication devices are also intended to encompass devices commonly referred to as access terminals.
- UE 102 is comprised of a Universal Integrated Circuit Card (UICC) part and a Mobile Equipment (ME) part.
- UICC Universal Integrated Circuit Card
- ME Mobile Equipment
- the UICC is the user-dependent part of the UE and contains at least one Universal Subscriber Identity Module (USIM) and appropriate application software.
- USIM securely stores the permanent subscription identifier and its related key, which are used to identify and authenticate subscribers to access networks.
- the ME is the user-independent part of the UE and contains terminal equipment (TE) functions and various mobile termination (MT) functions.
- the permanent subscription identifier is an International Mobile Subscriber Identity (IMSI) of a UE.
- IMSI International Mobile Subscriber Identity
- the IMSI is a fixed 15-digit length and consists of a 3-digit Mobile Country Code (MCC), a 3-digit Mobile Network Code (MNC), and a 9-digit Mobile Station Identification Number (MSIN).
- MCC Mobile Country Code
- MNC Mobile Network Code
- MSIN Mobile Station Identification Number
- SUPI Subscription Permanent Identifier
- the MSIN provides the subscriber identity.
- the MNC and MCC portions of the IMSI provide routing information, used by the serving network to route to the correct home network.
- when the MSIN of a SUPI is encrypted, it is referred to as a Subscription Concealed Identifier (SUCI).
- SUCI Subscription Concealed Identifier
- the access point 104 is illustratively part of an access network of the communication system 100.
- Such an access network comprises, for example, a 5G System having a plurality of base stations and one or more associated radio network control functions.
- the base stations and radio network control functions in some embodiments are logically separate entities, but in some embodiments are implemented in the same physical network element, such as, for example, a base station router or cellular access point.
- the access point 104 in this illustrative embodiment is operatively coupled to mobility management functions 106.
- the mobility management function is implemented by an Access and Mobility Management Function (AMF).
- a Security Anchor Function (SEAF) in some embodiments is also implemented with the AMF connecting a UE with the mobility management function.
- a mobility management function is the element or function (i.e., entity) in the core network (CN) part of the communication system that manages or otherwise participates in, among other network operations, access and mobility (including authentication/authorization) operations with the UE (through the access point 104).
- the AMF is also referred to herein, more generally, as an access and mobility management entity.
- the AMF 106 in this illustrative embodiment is operatively coupled to home subscriber functions 108, i.e., one or more functions that are resident in the home network of the subscriber. As shown, some of these functions include the Unified Data Management (UDM) function, as well as an Authentication Server Function (AUSF). The AUSF and UDM (separately or collectively) are also referred to herein, more generally, as an authentication entity.
- home subscriber functions include, but are not limited to, Network Slice Selection Function (NSSF), Network Exposure Function (NEF), Network Repository Function (NRF), and Policy Control Function (PCF).
- NSSF Network Slice Selection Function
- NEF Network Exposure Function
- NRF Network Repository Function
- PCF Policy Control Function
- by “third party” here, it is meant to refer to a party other than the subscriber of the UE or the operator of the core network.
- the third party is an enterprise (e.g., corporation, business, group, individual, or the like).
- the subscriber of the UE is an employee of the enterprise (or otherwise affiliated) who maintains a mobile subscription with the operator of the core network or another mobile network.
- a UE is typically subscribed to what is referred to as a Home Public Land Mobile Network (HPLMN) in which some or all of the home subscriber functions 108 reside. If the UE is roaming (not in the HPLMN), it is typically connected with a Visited Public Land Mobile Network (VPLMN) also referred to as a serving network. Some or all of the mobility management functions 106 may reside in the VPLMN, in which case, functions in the VPLMN communicate with functions in the HPLMN as needed. However, in a non-roaming scenario, mobility management functions 106 and home subscriber functions 108 can reside in the same communication network.
- HPLMN Home Public Land Mobile Network
- VPLMN Visited Public Land Mobile Network
- the application function is a multipath connection server in illustrative embodiments.
- the multipath connection server is associated with a third party, such as an enterprise as illustratively mentioned above.
- the access point 104 is also operatively coupled to a serving gateway function, i.e., Session Management Function (SMF) 110, which is operatively coupled to a User Plane Function (UPF) 112.
- SMF Session Management Function
- UPF 112 is operatively coupled to a Packet Data Network, e.g., Internet 114.
- the user plane (UP) or data plane carries network user traffic while the control plane (CP) carries signaling traffic.
- SMF 110 supports functionalities relating to UP subscriber sessions, e.g., establishment, modification and release of PDU sessions.
- UPF 112 supports functionalities to facilitate UP operations, e.g., packet routing and forwarding, interconnection to the data network (e.g., 114 in FIG. 1), policy enforcement, and data buffering.
- FIG. 1 is a simplified illustration in that not all communication links and connections between network functions (NFs) and other system elements are illustrated in FIG. 1.
- NFs network functions
- FIG. 1 is an example only, and other types and arrangements of additional or alternative elements can be used to implement a communication system in other embodiments.
- the system 100 comprises other elements/functions not expressly shown herein.
- FIG. 1 is for simplicity and clarity of illustration only.
- a given alternative embodiment may include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations.
- while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices.
- Network slices network partitions
- the network slices comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure.
- the network slices are instantiated as needed for a given service, e.g., eMBB service, massive IoT service, and mission-critical IoT service.
- a network slice or function is thus instantiated when an instance of that network slice or function is created. In some embodiments, this involves installing or otherwise running the network slice or function on one or more host devices of the underlying physical infrastructure.
- UE 102 is configured to access one or more of these services via gNB 104.
- NFs can also access services of other NFs.
- Illustrative embodiments provide a security management methodology for multipath connectivity where a multipath connectivity security context is established for a given UE and used when connecting with a multipath connection server.
- security context is understood to refer to any information relating to the establishment and maintenance of security of communications between two or more participants.
- a security context can comprise one or more identities and/or one or more keys or key materials (e.g., generated, derived, or otherwise obtained). Note that when the term “key” is used alone, it is understood to refer to a cryptographic key.
- FIG. 2 is a block diagram of processing architectures 200 of participants in a security management methodology for multipath connectivity in an illustrative embodiment.
- more than two participants are involved in security management according to illustrative embodiments, e.g., UE, AMF, NEF, UDM, SMF, non 3GPP elements.
- FIG. 2 illustrates processing architectures associated with any two of the participants that directly or indirectly communicate. Therefore, in illustrative embodiments, each participant in a security management methodology is understood to be configured with the processing architecture shown in FIG. 2.
- a first security management participant 202 comprises a processor 212 coupled to a memory 216 and interface circuitry 210.
- the processor 212 of the first security management participant 202 includes a security management processing module 214 that may be implemented at least in part in the form of software executed by the processor.
- the processing module 214 performs security management described in conjunction with subsequent figures and otherwise herein.
- the memory 216 of the first security management participant 202 includes a security management storage module 218 that stores data generated or otherwise used during security management operations.
- a second security management participant 204 comprises a processor 222 coupled to a memory 226 and interface circuitry 220.
- the processor 222 of the second security management participant 204 includes a security management processing module 224 that may be implemented at least in part in the form of software executed by the processor 222.
- the processing module 224 performs security management described in conjunction with subsequent figures and otherwise herein.
- the memory 226 of the second security management participant 204 includes a security management storage module 228 that stores data generated or otherwise used during security management operations.
- the processors 212 and 222 of the respective security management participants 202 and 204 may comprise, for example, microprocessors, application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs) or other types of processing devices or integrated circuits, as well as portions or combinations of such elements.
- ASICs application-specific integrated circuits
- FPGAs field programmable gate arrays
- DSPs digital signal processors
- Such integrated circuit devices, as well as portions or combinations thereof, are examples of “circuitry” as that term is used herein.
- a wide variety of other arrangements of hardware and associated software or firmware may be used in implementing the illustrative embodiments.
- the memories 216 and 226 of the respective security management participants 202 and 204 may be used to store one or more software programs that are executed by the respective processors 212 and 222 to implement at least a portion of the functionality described herein.
- security management operations and other functionality as described in conjunction with subsequent figures and otherwise herein may be implemented in a straightforward manner using software code executed by processors 212 and 222.
- the memory 216 or 226 may more particularly comprise, for example, an electronic random-access memory (RAM) such as static RAM (SRAM), dynamic RAM (DRAM) or other types of volatile or non-volatile electronic memory.
- RAM electronic random-access memory
- SRAM static RAM
- DRAM dynamic RAM
- the latter may include, for example, non-volatile memories such as flash memory, magnetic RAM (MRAM), phase-change RAM (PC-RAM) or ferroelectric RAM (FRAM).
- MRAM magnetic RAM
- PC-RAM phase-change RAM
- FRAM ferroelectric RAM
- the term “memory” as used herein is intended to be broadly construed, and may additionally or alternatively encompass, for example, a read-only memory (ROM), a disk-based memory, or other type of storage device, as well as portions or combinations of such devices.
- the interface circuitries 210 and 220 of the respective security management participants 202 and 204 illustratively comprise transceivers or other communication hardware or firmware that allows the associated system elements to communicate with one another in the manner described herein.
- first security management participant 202 is configured for communication with the second security management participant 204 and vice-versa via their respective interface circuitries 210 and 220. This communication involves the first security management participant 202 sending data to the second security management participant 204, and the second security management participant 204 sending data to the first security management participant 202.
- other network elements or other components may be operatively coupled between, as well as to, the security management participants 202 and 204.
- the term “data” as used herein is intended to be construed broadly, so as to encompass any type of information that may be sent between security management participants including, but not limited to, messages, tokens, identifiers, keys, indicators, user data, control data, etc.
- It is to be appreciated that the particular arrangement of components shown in FIG. 2 is an example only, and numerous alternative configurations are used in other embodiments. For example, any given network element/function can be configured to incorporate additional or alternative components and to support other communication protocols.
- FIG. 3 illustrates a multipath connectivity scenario 300, according to an illustrative embodiment.
- multipath connectivity functionality e.g., MAMS
- MAMS multipath connectivity functionality
- UE 302 is connected to a multipath connection server 304 over a private network 306 (e.g., non 3GPP access such as a wireless local area network (WLAN) or wireless fidelity (Wi-Fi) network) and over a public network 308 (e.g. 3GPP access such as a 5G core network).
- a private network 306 e.g., non 3GPP access such as a wireless local area network (WLAN) or wireless fidelity (Wi-Fi) network
- Wi-Fi wireless fidelity
- 3GPP access such as a 5G core network
- Multipath connection server 304 functions as a multipath connectivity proxy (e.g., a network function in the context of a 5G network), which can be accessed over multiple independent networks (e.g., two networks in the FIG. 3 embodiments but which can be more than two independent networks in other embodiments).
- a multipath connectivity proxy e.g., a network function in the context of a 5G network
- independent networks e.g., two networks in the FIG. 3 embodiments but which can be more than two independent networks in other embodiments.
- multipath connectivity proxy e.g., multipath connection server 304
- independent networks e.g., private network 306 and public network 308
- Multipath protocol procedures may require the client to establish a multipath session when the initial access network connection is established, i.e. even when the device starts with a single access network connection.
- when a robotic device connects via a WLAN, it has to set up the first leg of a multipath connection with the multipath connectivity function in the network. Later, when the robotic device connects via 5G, it establishes the second multipath leg to the same multipath connectivity function.
- since the robotic devices perform critical functions in the factory, often in cooperation with other robotic devices and other types of devices in the factory network, it is important to ensure a secured connection. Irrespective of the varied level of security offered by the underlying access network connections, it is realized herein that unauthorized users should not be able to establish new multipath sessions or break into existing multipath sessions.
- the network should control which devices are authorized to establish the initial multipath session and also ensure that the second leg establishment, from an independent network, is indeed from the originator of the first leg.
- a device should be able to assert its identity for the multipath session. In illustrative embodiments, this is ensured by exchanging a commonly derived key (part of a security context) between the UE (e.g., robotic or other IoT device) and the multipath connectivity function during establishment of the initial and subsequent legs, which cannot be carried across multipath sessions.
- illustrative embodiments provide the following features.
- Multipath connection server 304 is assumed to function as an external data network (DN) server to the public network 308 (3GPP network/5G core), when UE 302 is connected over the private network 306 (non 3GPP network/WLAN).
- DN external data network
- UE 302 first connects to multipath connection server 304 over the private network 306 (non 3GPP access or private access).
- multipath connection server 304 authenticates UE 302.
- One or more of these authentication methods may be outside the scope of 3GPP.
- once UE 302 is connected over the private network 306 to multipath connection server 304, UE 302 obtains a unique identity, security key and credentials (security context) to be used for the subsequent connection over the public network 308 (3GPP access). When UE 302 meets the conditions for establishing a connection over 3GPP access, UE 302 connects to the 3GPP network (public network 308). UE 302 is authenticated as any regular 3GPP UE, e.g., using one of the 5G AKA procedures, e.g., either the 3GPP EAP AKA’ (RFC 5448) procedure or the 5G AKA procedure (RFC 5247).
- 5G AKA procedures e.g., either 3GPP EAP AKA’ (RFC 5448) procedure or 5G AKA procedure (RFC 5247).
- UE 302 requests a connection to the multipath connection server APN (access point name).
- APN access point name
- the APN for multipath connection server 304 is configured to trigger secondary authentication of UE 302 as specified in TS 33.501.
- Multipath connection server 304 performs secondary authentication of UE 302 using the identity and credentials previously exchanged over the non 3 GPP access (private network 306).
- Multipath connection server 304 identifies the already established multipath security context of UE 304 using the credentials.
- Illustrative embodiments assume that UE 302 first makes the connection to multipath connection server 304 over a non 3GPP access, i.e., over private network 306.
- UE 302 can start the connection over a 3GPP network or over a non 3 GPP network and move around freely without losing the connection with multipath connection server 304.
- FIG. 4 illustrates an embodiment for establishing the first or initial connection with a multipath connection (MPC) server over a private network; FIG. 5 illustrates an embodiment for establishing the second or subsequent connection with the MPC server over a public network; and FIG. 6 illustrates an exemplary message flow for a security management methodology to establish such connections.
- In FIG. 4, UE 402 accesses Wifi network 410 (private network) to establish a first connection with multipath connection server 420. Multipath connection server 420 is configured as an external DN 430 when first accessed over Wifi network 410, so as to facilitate a subsequent 3GPP access connection.
- Multipath connectivity scenario 500 in FIG. 5 illustrates a second connection with multipath connection server 420 (configured as external DN 430) over a wireless public network, i.e., 5G core network 510. More particularly, FIG. 5 illustrates a 5G Core 510 with SEAF 512, UDM 514, NEF 516, and AUSF 518. NEF 516 is operatively coupled to UDM 514 and multipath connection server 420, while UE 402 is operatively coupled to multipath connection server 420 and AUSF 518.
- NEF 516 interfaces with UDM 514 in 5G Core 510 to obtain the required inputs (such as one or more AVs) for generating a UE-specific multipath connection (MPC) key (a key specific to UE 402 for multipath connection server 420).
- UDM 514 generates an enterprise key based on UE subscription data, which is then used by NEF 516 to generate an MPC-specific cryptographic key using an MPC identifier as one of the inputs.
- NEF 516 provides a Service-Based Interface (SBI)-based northbound interface to multipath connection server 420. Further details and/or other methods of verification and authentication are described below.
- FIG. 6 illustrates a security management methodology for multiple connections with a multipath connection server, according to an illustrative embodiment. More particularly, FIG. 6 depicts an end-to-end message flow 600 between UE 602, AMF 604, multipath connection (MPC) server 606, NEF 608, and UDM 610. Message flow 600 depicts steps for establishing a connection to the MPC server, starting the connection over private non-3GPP access and then establishing the second connection over 3GPP access.
- Step 1 (620). UE 602 registers over non-3GPP access, gets authenticated, and establishes a UE security context with MPC server 606, as shown.
- Step 2 (622). UE 602 moves around and, when conditions are met, registers over 3GPP access. UE 602 gets authenticated in 3GPP access by 5G AKA procedures.
- Step 3 (624). Once 5G authentication is completed and a connection is established, UE 602 requests from AMF (SMF) 604 a connection to MPC server 606. MPC server 606 is configured as an external DN where secondary authentication is needed.
- Step 4. MPC server 606 may initiate secondary authentication using Extensible Authentication Protocol (EAP) methods as specified in TS 33.501.
- Step 5. The secondary authentication verifies the UE's identity (ID) assigned over the first non-3GPP connection, and the security credentials assigned over the first connection (i.e., in step 620).
- As a result, both UE 602 and MPC server 606 have connections established over the non-3GPP access network as well as the 3GPP network.
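The two-leg flow of FIGS. 4 to 6 (security context issued on the private-network leg, MPC key bound to an MPC identifier, secondary authentication on the 3GPP leg checked against the existing context) as an added Python model. This is example code written for this page, not code from the patent, from 3GPP, or from any product. It assumes an HMAC-SHA256 key derivation (the patent does not name a KDF), a nonce-based challenge-response for the secondary authentication (the patent only says EAP methods per TS 33.501), and constructed values for the enterprise key and the MPC identifier; `kdf`, `derive_mpc_key`, `MpcServer`, `Ue` and `run_two_leg_flow` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent): the enterprise key stands in for
# what UDM 514 would derive from UE subscription data, the MPC identifier for the
# server-specific input that NEF 516 mixes into the MPC key.
ENTERPRISE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MPC_ID = "mpc-server-420"  # placeholder identifier


def kdf(key: bytes, label: str, *inputs: bytes) -> bytes:
    """HMAC-SHA256 derivation over a label and length-prefixed inputs (assumed construction)."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for item in inputs:
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()


def derive_mpc_key(enterprise_key: bytes, mpc_id: str) -> bytes:
    """Bind the enterprise key to one MPC server; a key derived for another server differs."""
    return kdf(enterprise_key, "mpc-key", mpc_id.encode())


class MpcServer:
    """Multipath connection server keeping one security context per UE identity."""

    def __init__(self, mpc_id: str):
        self.mpc_id = mpc_id
        self.contexts = {}  # ue_id -> {"key": bytes, "legs": set()}
        self.pending = {}   # ue_id -> nonce of an outstanding secondary authentication

    def first_leg(self, enterprise_key: bytes) -> str:
        """Leg 1 over the private network: assign an identity and create the context."""
        ue_id = "ue-" + secrets.token_hex(4)
        self.contexts[ue_id] = {
            "key": derive_mpc_key(enterprise_key, self.mpc_id),
            "legs": {"private"},
        }
        return ue_id

    def challenge(self, ue_id: str):
        """Leg 2: only an identity with an existing context gets a fresh challenge."""
        if ue_id not in self.contexts:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[ue_id] = nonce
        return nonce

    def verify(self, ue_id: str, response: bytes) -> bool:
        """Leg 2: check the response with the leg-1 key, then bind the public leg."""
        nonce = self.pending.pop(ue_id, None)  # single use: a replayed response fails
        ctx = self.contexts.get(ue_id)
        if nonce is None or ctx is None:
            return False
        expected = kdf(ctx["key"], "secondary-auth", ue_id.encode(), nonce, b"3gpp")
        if not hmac.compare_digest(expected, response):
            return False
        ctx["legs"].add("public")
        return True


class Ue:
    """UE side: derives the same MPC key and answers the secondary-authentication challenge."""

    def __init__(self, enterprise_key: bytes, mpc_id: str):
        self.key = derive_mpc_key(enterprise_key, mpc_id)
        self.ue_id = None  # assigned by the server on leg 1

    def respond(self, nonce: bytes) -> bytes:
        return kdf(self.key, "secondary-auth", self.ue_id.encode(), nonce, b"3gpp")


def run_two_leg_flow(enterprise_key=ENTERPRISE_KEY, mpc_id=MPC_ID, ue_mpc_id=None):
    """Run both legs; ue_mpc_id lets the UE derive its key for a different server."""
    server = MpcServer(mpc_id)
    ue = Ue(enterprise_key, ue_mpc_id or mpc_id)
    ue.ue_id = server.first_leg(enterprise_key)
    nonce = server.challenge(ue.ue_id)
    ok = server.verify(ue.ue_id, ue.respond(nonce))
    return ok, sorted(server.contexts[ue.ue_id]["legs"])


if __name__ == "__main__":
    print(run_two_leg_flow())                          # (True, ['private', 'public'])
    print(run_two_leg_flow(ue_mpc_id="other-server"))  # (False, ['private'])
```

The model makes three of the patent's properties checkable: the second leg only binds to a context that the first leg created (an unknown identity gets no challenge), the key is specific to the MPC server because the MPC identifier is a KDF input, and a response captured on one attempt does not verify again because the nonce is consumed on use.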
Abstract
In connection with a given user equipment, a method according to the invention consists in establishing a multipath connectivity security context during registration with a first communication network, the multipath connectivity security context relating to a multipath connection server. The multipath connectivity security context is then used to establish a first connection with the multipath connection server via the first communication network and a second connection with the multipath connection server via a second communication network. The first communication network comprises a wireless private network (for example, a non-3GPP network) and the second communication network comprises a wireless public network (for example, a 3GPP network).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN201941014730 | 2019-04-11 | | |
IN201941014730 | 2019-04-11 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020208295A1 (fr) | 2020-10-15 |
Family
ID=72750477
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2020/050201 WO2020208295A1 (fr) | 2019-04-11 | 2020-03-27 | Establishment of secure communication paths with a multipath connection server, with an initial connection over a private network |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2020208295A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023185737A1 (fr) * | 2022-03-29 | 2023-10-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for performing secondary authentication/authorization for a terminal device in a communication network |
Events
- 2020-03-27: WO PCT/FI2020/050201 patent/WO2020208295A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170223531A1 (en) * | 2014-07-28 | 2017-08-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Authentication in a wireless communications network |
WO2018206081A1 (fr) * | 2017-05-08 | 2018-11-15 | Motorola Mobility Llc | Method of authentication with a mobile communication network |
Non-Patent Citations (3)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Release 16", 3GPP TS 23.502 V16.0.2, 1 April 2019 (2019-04-01), XP051719174 * |
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 15", 3GPP TS 33.501 V15.4.0, 28 March 2019 (2019-03-28), XP051686847 * |
KANUGOVI, S. ET AL.: "Multiple Access Management Services, draft-kanugovi-intarea-mams-framework-03", MULTIPLE ACCESS MANAGEMENT SERVICES; DRAFT-KANUGOVI-INTAREA-MAMS-FRAMEWORK-03.TXT; INTERNET-DRAFT: INTAREA,, no. 3, 28 February 2019 (2019-02-28), pages 1 - 141, XP015131312, Retrieved from the Internet <URL:https://tools.ietf.org/pdf/draft-kanugovi-intarea-mams-framework-03.pdf> [retrieved on 20200702] * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11844014B2 (en) | Service authorization for indirect communication in a communication system | |
US11038923B2 (en) | Security management in communication systems with security-based architecture using application layer security | |
US11483741B2 (en) | Automated roaming service level agreements between network operators via security edge protection proxies in a communication system environment | |
EP3753226B1 (fr) | Security management in communication systems between security edge protection proxy elements | |
US20210234706A1 (en) | Network function authentication based on public key binding in access token in a communication system | |
US20210250186A1 (en) | Security management for edge proxies on an inter-network interface in a communication system | |
US11722891B2 (en) | User authentication in first network using subscriber identity module for second legacy network | |
WO2020053481A1 (fr) | Network function authentication by means of a digitally signed service request in a communication system | |
WO2020249861A1 (fr) | Communication security between a user equipment and a third-party application using a communication-network-based key | |
CN113994633B (zh) | Authorization of a set of network functions in a communication system | |
WO2019158817A1 (fr) | Security management in communication systems with a provisioning-based mechanism for identifying information elements | |
EP3984193A1 (fr) | Secure access control in a communication system | |
WO2021094349A1 (fr) | Multi-step service authorization for indirect communication in a communication system | |
WO2022018580A1 (fr) | Service authorization in communication systems | |
US11789803B2 (en) | Error handling framework for security management in a communication system | |
WO2022023943A1 (fr) | Secure clock source as a service in a communication system | |
WO2021090171A1 (fr) | Authorization in a service communication proxy | |
US20230045417A1 (en) | Authentication between user equipment and communication network for onboarding process | |
WO2020208295A1 (fr) | Establishment of secure communication paths with a multipath connection server, with an initial connection over a private network | |
US20220191008A1 (en) | Communication network-anchored cryptographic key sharing with third-party application | |
WO2020208294A1 (fr) | Establishment of secure communication paths to a multipath connection (MPC) server with an initial connection over a public network | |
US20240154803A1 (en) | Rekeying in authentication and key management for applications in communication network | |
US20230269583A1 (en) | Authentication failure cause notification in communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20788426; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 20788426; Country of ref document: EP; Kind code of ref document: A1 |