WO2002068418A2 - Authentication and distribution of keys in mobile ip network - Google Patents


Info

Publication number: WO2002068418A2
Application number: PCT/IB2002/001658
Authority: WO (WIPO (PCT))
Other languages: French (fr)
Other versions: WO2002068418A3 (en)
Inventors: Stefano Faccin, Franck Le
Original Assignee: Nokia Corporation
Application filed by: Nokia Corporation
Priority: AU2002258068A

Classifications

    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols
    • H04W12/041 Key generation or derivation
    • H04W12/06 Authentication
    • H04L2209/80 Wireless
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]


Abstract

There is disclosed a method of establishing a connection between a mobile station and a serving domain, in which a first security association exists between the mobile node and an associated home domain, and a second security association exists between the serving domain and the home domain, the method comprising: transmitting a first message from the mobile node to the serving domain, the first message being encrypted in accordance with the first security association; transmitting the first message from the serving domain to the home domain; decrypting the first message in the home domain in accordance with the first security association; transmitting a second message from the home domain to the serving domain, the second message being encrypted according to the first security association; transmitting the second message from the serving domain to the mobile node; and decrypting the second message in the mobile node in accordance with the first security association.

Description

AUTHENTICATION AND DISTRIBUTION OF KEYS IN MOBILE IP NETWORK
Field of the invention
This invention is related to Mobile IP (Internet Protocol) based network architecture and more particularly Mobile IP based cellular networks.
Background to the Invention
Many developing network architectures are based on Mobile IP. However, when using the Mobile IP protocol for mobility, the mobile node (MN) needs to share a security association with its Home Agent (HA) in its home domain or home network. In addition, if hierarchical mobility mechanisms (such as MIPv6 RR, regional registration, or HMIPv6, Hierarchical Mobile IPv6) are used to optimise signalling in the network, at least one other security association needs to be set up between the mobile node and the Mobility Agent in the visited or serving domain.
If the mobile node is also accessing the network through an access network with a link layer connection that requires ciphering of the data transmitted over the access link in order to protect the data from eavesdropping, another security association must be agreed upon between the MN and some entity in the access network to cipher the data carried over the access link.
Therefore three sets of keys need to be distributed for a MN in a Mobile IP network:
i) The Mobile IP key set to be shared between the MN and its Home Agent, termed Km.
ii) The key for the hierarchical mobility mechanism set to be shared between the MN and the Mobility Agent in the visited domain, termed Ks.
iii) The ciphering key to encrypt data over the access link if the MN is accessing the network through an access network with a link layer connection that requires ciphering of the data, termed Kc.
Today many key distribution protocols exist, such as Internet Key Exchange [RFC 2409], Kerberos, etc., to distribute the keys. However these protocols require many messages to be exchanged. As radio resources are limited in radio access networks, such current solutions, which rely on many messages, are not appropriate. When the access network uses a wireless access link (e.g. in cellular networks), it is highly desirable to reduce the number of messages to be sent over the air interface.
For authentication of the MN and for key distribution some generic mechanisms such as IKE, Kerberos, etc. exist, but they also require many messages to be exchanged, and are thus not suitable for networks using a wireless access link such as cellular networks. In addition, many of these solutions distribute the keys by sending them encrypted. However this must be avoided in networks using a wireless access link such as cellular networks, since the wireless link is easily subject to eavesdropping and thus there is the danger of having the keys intercepted. Even if the keys are distributed over the access link in encrypted form, the danger of having the keys intercepted is still too large, and this type of solution has traditionally been avoided for networks using a wireless access link such as cellular networks.
One internet draft, 'AAA Registration Keys for Mobile IP (draft-ietf-mobileip-aaa-key-01.txt)', suggests a way to derive the Mobile IP security associations. However the Mobile IP key is sent over the air interface (encrypted), and this must be avoided in cellular networks. In addition, this Internet Draft only suggests how to derive the Mobile IP keys. It is an object of the present invention to provide an improved technique for the authentication of mobile nodes and the distribution of keys in a network, and particularly a Mobile IP network.
Summary of the Invention
This invention describes two methods to distribute the necessary keys in an optimised way. An authentication method is also provided. The authentication procedure provides both user authentication and network authentication.
This invention introduces optimised authentication and key distribution mechanisms for a mobile node in a Mobile IP based cellular network.
The authentication mechanism provides mutual authentication and is based on a challenge-response mechanism. The key distribution procedure requires a minimal number of messages. The key distribution procedure does not require any key, even encrypted, to be sent over the air interface. Two specific key distribution methods are described in two embodiments. A first method is based on random values, and a second is based on Diffie Hellman values.
This invention enables a network to authenticate a mobile node and a mobile node to authenticate the network. The required security associations in a Mobile IP network architecture are set up without sending an excess of messages over the air interface, and without sending any keys (even encrypted) over the air interface.
The present invention describes a way to authenticate the keys as well as derive them. The authentication and key distribution are advantageously combined in order to reduce the number of messages, but these two procedures may also be performed separately. The technique of the present invention has a number of significant advantages. The procedure does not require many messages to be sent over the air interface. The key distribution mechanisms do not require the key to be sent over the air interface. The key distribution method based on Diffie Hellman is more flexible for a future evolution towards Public Key Infrastructure (PKI).
Brief description of the Drawings
The invention will now be described with regard to illustrative examples by way of reference to the accompanying drawings, in which:
Figure 1 illustrates a first embodiment of the present invention;
Figure 2 illustrates a second embodiment of the present invention;
Figure 3 illustrates a first modification to the first embodiment of the present invention;
Figure 4 illustrates a second modification to the first embodiment of the present invention; and
Figure 5 illustrates a third modification to the first embodiment of the present invention.
Description of Preferred Embodiments
The present invention is described herein with reference to particular, non-limiting examples. One skilled in the art will appreciate the applicability of the present invention in applications other than those specifically disclosed herein. The process of initial registration, which may occur when a mobile node (MN) powers on or when a MN enters a new visited network, is described in the following. The user is identified by a Network Address Identifier (NAI) and is authenticated by the network.
At the initial registration, the MN may not have any home agent (HA) assigned to serve it, and may not have the appropriate security keys for communication. In such case, home agent assignment and key distribution happen upon user request during the initial registration.
The mobile node actually requires three sets of keys:
i) A Mobile IP key set to be shared between the mobile and its home network including the associated home agent, termed Km.
ii) A key for the hierarchical mobility mechanism set to be shared between the MN and the visited or serving domain, termed Ks.
iii) A ciphering key to encrypt the data over the access link if the MN is accessing the network through an access network with a link layer connection that requires ciphering of the data, termed Kc.
Notations:
K (data1, data2): (data1, data2) are sent encrypted with the key K.
CK, IK (data1, data2): (data1, data2) are sent encrypted with the key CK and integrity protected with the key IK.
The first embodiment of the invention, described hereinbelow with reference to Figure 1, is based on random numbers. The second embodiment, discussed hereinafter with reference to Figure 2, is based on DH exchange.
In describing the first embodiment with reference to Figure 1, it is assumed that: the MN and the home network have a long term secret Ki defining a security association therebetween; the home and visited networks share a security association allowing data to be sent between these two networks securely; and the AAA-H and home agent also share a security association.
In this embodiment the key distribution is combined with the authentication procedure: before giving keys to any entity, the entity distributing the keys authenticates the parties first. However, the authentication procedure may also be performed separately.
The first embodiment of the present invention is described with reference to the various network elements shown in Figure 1. The network elements comprise a mobile node (MN) 100, an access network router (ANR)/mobile agent (MA) 102, an AAA-V 104, an AAA-H/AuC 106, and a home agent (HA) 108. In a first step, the access network router (ANR)/mobile agent (MA) 102 of the visited domain generates a first random number, RAND_ND, and pages it over the air interface as represented by arrow 110. The mobile node 100 powers on (or moves to a new visited network) and listens to the router advertisements and the paged random numbers from the network. The MN also receives a current care-of-address (CoA) and a regional care-of-address (RCoA) from the network.
From the received random number RAND_ND and the secret key Ki common to the mobile node and the home network, the mobile node 100 computes a master key Kc1 which is a function of these two values, i.e. Kc1 = Fn(Ki, RAND_ND). The mobile node then derives the access network specific ciphering key (CK1) and the access network specific integrity protection key (IK1) from Kc1 using functions L and M, i.e. L(Kc1)=CK1 and M(Kc1)=IK1. The ciphering and integrity protection keys are used to encrypt the data transmitted over the access link.
The mobile node then generates a second random number, a mobile node random value RAND_MN, for use in authenticating the network, and computes authentication data. The authentication data is computed from the value RAND_ND using the key Ki and an authentication algorithm, and is referred to as MN_AuthData.
All these computations are carried out in step 113.
The mobile node then sends a binding update (BU) to the ANR/MA as indicated by the arrow 112. The binding update includes the MN regional care-of-address MN_RCoA, the ciphered and integrity protected random number and authentication data MN_AuthData, i.e. CK1,IK1 (RAND_MN, MN_AuthData), the key request, a MAC value, and the visited domain random number RAND_ND.
The ANR/MA 102 receives the BU from the MN and forwards it to the visited domain AAA server 104. Since this message carries a user authentication extension and a key request extension, the visited domain AAA server 104 forwards the request to the home AAA server 106 associated with the mobile node 100.
From the user identity, i.e. the identity of the mobile node, the server 106 retrieves Ki. The server 106 takes the visited domain random value (RAND_VD, i.e. the RAND_ND carried in the BU) and computes the key Kc1 using Ki. The server 106 derives the keys CK1 and IK1 from Kc1 using the functions L and M, i.e. L(Kc1)=CK1 and M(Kc1)=IK1. The server 106 applies CK1 and IK1 to decipher and verify the integrity of RAND_MN and MN_AuthData. The server 106 computes a MN_AuthData based on RAND_MN and Ki, and authenticates the MN based on Ki and MN_AuthData. The server computes NW_AuthData based on Ki and RAND_MN. Based on Ki, the AuC computes three sets of keys: i) Mobile IP key: Km, RAND_Km; ii) key for the hierarchical mobility model: Ks, RAND_Ks; iii) ciphering key: Kc2, RAND_Kc2. These computations are carried out in step 115.
The server 106 then verifies the MAC value to make sure the message has not been modified, and generates three further random values: RAND_Km, RAND_Ks, and RAND_Kc2. From these random values and Ki, it computes three sets of keys using functions G, H and J: i) G(RAND_Km, Ki) = Km; ii) H(RAND_Ks, Ki) = Ks; and iii) J(RAND_Kc2, Ki) = Kc2.
The AAA-H/AuC 106 then chooses a home agent for the mobile node 100, and sends to the chosen home agent 108, as represented by arrow 118, the Mobile IP key Km to share with the MN to authenticate subsequent Binding Updates (MN-HA authentication extensions), and requests the HA to make a binding between the Home Address and the Regional Care-of Address MN_RCoA of the MN. The Home Agent confirms the reception of the key Km and the Binding Update as represented by arrow 120. The AAA-H/AuC 106 then sends all the keying material to the visited domain in a second message as represented by arrow 122. The second message comprises the network authentication data NW_AuthData, and the random values RAND_Km, RAND_Kc2 and RAND_Ks ciphered and integrity protected by CK1 and IK1, i.e. CK1, IK1 (RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData). Message 122 also comprises the keys Ks and Kc2, and the MAC value. The AAA-H/AuC 106 includes the RAND_MN used to compute the NW_AuthData to allow the MN to verify the network authentication data correctly in case the MN has sent multiple RAND_MN values to the home network for different authentication procedures. The AAA-V 104 keeps a copy of the master key Kc2 and the key Ks for the hierarchical mobility mechanism in step 121.
The AAA-V 104, after storing the values Kc2 and Ks, then transmits all the received information to the ANR/MA 102 as represented by arrow 124, which also stores the keys Kc2 and Ks in step 123. The content of the message represented by arrow 124 corresponds to that represented by arrow 122. Kc2 is used in step 123 to derive the access network specific ciphering key CK2 and integrity protection key IK2, which are used to cipher and protect data over the air interface, using the functions L and M, i.e. L(Kc2)=CK2 and M(Kc2)=IK2.
Ks is used to authenticate the binding updates for the hierarchical mobility model from the MN (MN-MA authentication extensions). The ANR/MA 102 knows from the message received from the mobile node's home network that the user is a valid one, and as such the mobile node has been authenticated. The ANR/MA 102 therefore performs a Binding Update for the hierarchical mobility model as represented by block 125.
The ANR/MA 102 then sends a binding acknowledgement to the mobile node, as represented by arrow 126, to inform it of the success of the binding updates. The ANR/MA 102 also sends to the MN the network authentication data NW_AuthData, and the random values RAND_Km, RAND_Kc2 and RAND_Ks ciphered and integrity protected by CK1 and IK1, i.e. CK1, IK1 (RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData). Message 126 also comprises a MAC value. The MN verifies, thanks to the MAC, that the message has not been altered. The MN deciphers and verifies the integrity of RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN and NW_AuthData. The MN authenticates the network based on NW_AuthData and Ki. The MN uses Ki and the functions G, H and J (see above) to compute Km, Ks and Kc2. The MN derives CK2 and IK2 from Kc2 using the functions L and M, i.e. L(Kc2)=CK2 and M(Kc2)=IK2, and can then use CK2 and IK2 to cipher and protect data sent over the access link to the ANR/MA.
If the registration for the hierarchical mobility mechanism fails, the mobile node must send a binding update to its home agent informing the regional CoA MN_RCoA is not valid, and requesting the home agent to use its current CoA.
A number of alternatives to the technique described with reference to Figure 1 are described hereinbelow with reference to Figures 3 to 5.
In a second embodiment, it is proposed that the keys may also be computed using the well known Diffie Hellman (DH) algorithm. The mobile node and the other entity with which it is communicating only need to exchange their DH public values in an authenticated way. An example embodiment utilising this technique is described hereinbelow with reference to Figure 2.
In the following, key establishment between the mobile node and the serving or visited domain (i.e. establishment of Ks) is described. It is assumed that the MN and the Home Domain share a security association based on Ki, and that the visited domain and home domain share a security association based on KI. In a first step, the access network router (ANR)/mobile agent (MA) 202 of the visited domain generates a first random number, RAND_VD, and pages it over the air interface as represented by arrow 206. The mobile node 200 powers on (or moves to a new visited network) and listens to the router advertisements and the paged random value RAND_VD from the network.
The mobile node 200 then generates its Diffie Hellman value DH_MN using the Diffie Hellman algorithm. The MN 200 also computes a key Kc from Ki and RAND_VD using function J as indicated above, i.e. J(RAND_VD, Ki)=Kc. The MN 200 derives the keys CK and IK from Kc using the functions L and M, i.e. L(Kc)=CK and M(Kc)=IK. As represented by arrow 208, the MN 200 sends its DH value, encrypted with CK and integrity protected with IK, i.e. CK, IK (DH_MN). Message 208 also comprises RAND_VD. The Visited Domain 202 receives the first message but cannot decrypt it, since it does not know how to compute Kc, and transmits it to the home domain 204 as represented by arrow 210. Before transmitting it to the home domain, the visited domain adds its own DH value DH_VD encrypted with KI, i.e. the security association shared between the visited domain 202 and the home domain 204. At this point it should be noted that the visited domain may also be referred to as the serving domain.
The Home Domain 204 derives Kc from Ki and RAND_VD, and derives the keys CK and IK from Kc using the functions L and M, i.e. L(Kc)=CK and M(Kc)=IK. The Home Domain 204 can then decrypt both CK, IK (DH_MN) and KI (DH_VD) to recover the mobile node DH value DH_MN and the visited domain DH value DH_VD. The home domain then encrypts the mobile node DH value DH_MN using KI, and the visited domain DH value DH_VD using CK and IK. The thus encrypted DH values are transmitted to the visited domain 202 as represented by arrow 212.
The visited domain receives DH_MN encrypted with KI. Since the visited domain has an established relationship with the home domain and trusts the home domain, it can decrypt the mobile node DH value encrypted with key KI to recover the mobile node DH value. It knows DH_MN is the DH public value of the mobile node. The visited domain forwards a message 214, comprising the visited domain DH value encrypted with key CK and integrity protected by IK as compiled by the home domain 204, to the mobile node 200.
In the same way as the visited domain, when the MN receives CK, IK (DH_VD), it can decrypt it using CK and IK. Since it trusts its home domain, it knows DH_VD is the DH public value of the visited domain.
The mobile node and the visited domain have at this point exchanged their respective DH public values in an authenticated way and can both compute the DH key Ks using DH_MN and DH_VD. The keys Kc2 and Km may be established in the same way, using the DH mechanism and different DH values, one for each of the three keys to be established. This procedure has the advantage of setting up keys at points in the network (namely MN 200 and Visited Domain 202) without having to send any key over the network. In the described embodiments, the home domain is used to authenticate the DH public values of the different network entities. In the future, when PKI is implemented, the PKI infrastructure may be used to substitute for the home domain role and authenticate the DH public values. This scheme therefore allows easy evolution towards PKI.
In addition, in the above-described embodiments, user authentication is based on symmetric key mechanisms (Ki). However, if the mobile node and the home domain have public keys, public key authentication mechanisms can also be used. The solution may be implemented in existing networks by adding new extensions in Diameter or new extensions in Mobile IP.
In the embodiment illustrated in Figure 1, the random number is generated by the visited network. Compared to generation by the home network, this saves one round trip between the visited and the home networks. However, if the network operator prefers, the home network may generate the random value. The random value may still be paged over the air, but as an alternative the mobile node may first send a challenge request to the visited domain, the visited domain forwards it to the home network, and the mobile node receives the random number responsive thereto.
In the embodiment illustrated in Figure 1, the random value generated by the serving system is used for user authentication and ciphering key computation. In an alternative, this random value may be used for user authentication only, and the home domain may generate the ciphering key Kc in the same way that it computes the keys Km and Ks.
There are three possibilities for sending the keying material to the mobile node over the air interface, as detailed hereafter. "In cleartext": Any user who captures RAND_Km, Kc_mat and RAND_Ks does not know Ki and therefore cannot compute Km, Kc or Ks. For that reason, the keying material can be sent in "cleartext".
Encrypted with a temporal key shared between the MN and the Home Domain: A temporal key Kt may be derived from Ki and used to encrypt RAND_Km, RAND_Ks and Kc_mat. This adds another level of protection: to know Km, Ks and Kc, two levels of security must be broken, Kt and Ki. But Kt needs to be refreshed.
Encrypted with the session key: The mobile node and the visited domain must first share the session key Kc. This can be realised as indicated in the case above (generation of the challenge number by the visited domain). Then RAND_Km and RAND_Ks can be sent encrypted over the air interface.
For integrity protection, a MAC can be computed over every message or, if preferred, a MAC can be computed over RAND_Km, another over RAND_Ks, and eventually one over Kc_mat. By computing different MACs, the user may know which one is corrupted and request a new value for this specific set. However, this results in more MACs being sent over the air interface.
Depending on the access link technology, the access link may have a limited ability to carry information and may not be able to carry all the parameters, such as the key request, the random value generated by the MN to authenticate the network, etc.
Therefore the procedure may be split into different parts. After receiving the challenge, the user only sends back the user authentication data; then, once the user is authenticated and a dedicated channel assigned, the mobile node can request key distribution and network authentication. The operators may not let the user send too much information over the air before authentication.
In the embodiments described hereinabove, there is described the combination of the authentication procedure, the key distribution, the mobile IP hierarchical mobility mechanism and the mobile IP home registration. However, one skilled in the art will appreciate that all these procedures can be performed separately or ordered differently. Various possibilities will be presented and described with reference to Figures 3 to 5. However, further modifications may exist and the variations described below are in no way limiting. It should be noted that in Figures 3 to 5 a number of operations are shown which correspond directly to those described hereinabove with reference to Figures 1 and 2. For conciseness, only those message exchanges necessary for an understanding of the modifications presented are described in detail.
Reference is now made to Figure 3. The MN 300 powers on or moves to a new visited domain and listens to the router advertisements. The MN 300 creates and sends (arrow 316) a Binding Update (BU) request: the destination address is the Mobility Agent (AR) 302 whose address has been provided during the router advertisement. The BU includes the identity of the user, which is the user's NAI, and also includes a Challenge Request to indicate to the home network the need to register and be authenticated.
The AR receives the BU from the MN and, since this message carries a Challenge Request, it forwards the request (arrow 318) to the local AAA server 310, which transfers it to the Home Network of the user (arrow 320). The AAA-H/AuC 312 generates a random number RAND_HD and sends it to the MN (arrows 322, 324, 326).
This random number provides a strong authentication mechanism and also serves against replay attacks. A timestamp is a possible alternative: it requires fewer messages but requires securely synchronised clocks between the MN 300 and the AAA-H/AuC 312.
From the received random number RAND_HD and the secret key Ki common to the mobile node and the home network, the mobile node 300 computes a master key Kc1 which is a function of these two numbers, i.e. Kc1 = Fn(Ki, RAND_HD). The mobile node then derives the access network specific ciphering key (CK1) and the access network specific integrity protection key (IK1) from Kc1 using the functions L and M, i.e. L(Kc1)=CK1 and M(Kc1)=IK1. The ciphering and integrity protection keys are used to encrypt the data transmitted over the access link.
The mobile node then generates a second random number, a mobile node random value RAND_MN, for use in authenticating the network, and computes authentication data MN_AuthData. The authentication data is computed from the value RAND_HD by using the key Ki and an authentication algorithm.
The MN then sends a BU including the authentication data MN_AuthData, computed with Ki, and a Key Request (arrow 328). The binding update includes the ciphered and integrity protected random number and authentication data MN_AuthData, i.e. CK1, IK1 (RAND_MN, MN_AuthData), the key request, a MAC value, and the home domain random number RAND_HD.
The BU is forwarded to the AAA-H (arrows 330, 332). The AAA-H/AuC 312 verifies the MAC value to make sure the message has not been modified. From the user identity, i.e. the identity of the mobile node, the server AAA-H/AuC 312 retrieves Ki. The AAA-H/AuC 312 derives Kc1 from Ki and RAND_HD, and derives CK1 and IK1 from Kc1. The AAA-H/AuC 312 will then decipher and verify the integrity of RAND_MN and MN_AuthData, and authenticates the user by using MN_AuthData and Ki. The AAA-H/AuC 312 computes NW_AuthData based on Ki and RAND_MN. Finally, the AAA-H/AuC 312 generates three further random values: RAND_Km, RAND_Ks, and RAND_Kc2. From these three values, the AAA-H/AuC 312 computes three sets of keys using functions G, H and J: i) G(RAND_Km, Ki) = Km; ii) H(RAND_Ks, Ki) = Ks; and iii) J(RAND_Kc2, Ki) = Kc2.
Thus in box 331 the AAA-H/AuC derives Kc1 from Ki and RAND_HD, derives CK1 and IK1 from Kc1, and authenticates the MN based on MN_AuthData and Ki. Further, NW_AuthData is computed based on Ki and RAND_MN. Based on Ki, the AuC computes three sets of keys: i) MIP key: Km, RAND_Km; ii) key for the hierarchical mobility model: Ks, RAND_Ks; iii) ciphering key: Kc2, RAND_Kc2.
The AAA-H/AuC 312 then chooses a Home Agent and sends the Mobile IP key Km to the selected HA. The AAA-H then sends the keying material to the AAA-V (arrow 334) in a message containing the ciphered and integrity protected RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData, i.e. CK1, IK1 (RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData). Message 334 also comprises the keys Ks and Kc2, and a MAC. The AAA-V 310 stores the keys Kc2 and Ks (step 336). A security association between the home and visited domains enables the AAA-H and the AAA-V servers to exchange data in a secure way.
The AAA-V 310 transfers the keying material to the AR which will enable the MN to compute the required keys, including the network authentication data the MN will use to authenticate the network (arrow 338). Message 338 contains the ciphered and integrity protected RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData, i.e. CK1, IK1 (RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData). Message 338 also comprises the keys Ks and Kc2, and a MAC.
The AR 302 stores the key Ks (step 340) and the key Kc2, and derives CK2 and IK2 from Kc2 using the functions L and M, i.e. L(Kc2)=CK2 and M(Kc2)=IK2. The AR 302 forwards the ciphered and integrity protected RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData, i.e. CK1, IK1 (RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN, NW_AuthData), and the MAC to the MN (arrow 342).
The MN (step 344) verifies thanks to the MAC that the message has not been altered. The MN deciphers and verifies the integrity of RAND_Km, RAND_Ks, RAND_Kc2, RAND_MN and NW_AuthData. The MN authenticates the network based on NW_AuthData and Ki. The MN uses Ki and the F, H and J functions (see above) to compute Ks, Km and Kc2. The MN derives CK2 and IK2 from Kc2 using the functions L and M, i.e. L(Kc2)=CK2 and M(Kc2)=IK2, and can then use CK2 and IK2 to cipher and protect data sent over the access link to the ANR/MA.
The MN then performs a BU for the hierarchical mobility mechanism with the Visited Network (arrow 346).
Once the registration for the hierarchical mobility mechanism (step 348) has succeeded, as indicated by arrow 350, the MN executes a BU with its HA (arrows 352, 354). An alternative embodiment is shown in Figure 4. Reference is now made to Figure 4, which illustrates a modification in which the key request and the registration for the hierarchical mobility mechanism are combined.
The first BU (arrows 416, 418) requests the Challenge. The second BU (arrows 420, 422) carries the authentication data and the key request. After the Home network has authenticated the user, the AR knows that the MN is a valid one and, since it has the key for the hierarchical mobility mechanism, it can initiate the registration procedure for the hierarchical mobility mechanism, thus saving one round trip over the air interface.
The third BU (arrows 424, 426) is a BU with the MN's Home Agent: the AR cannot perform this BU because it does not have the Mobile IP Key. In the example of Figure 4, the number of messages sent over the air interface is reduced to six.
A further alternative embodiment is shown in Figure 5. Reference is now made to Figure 5. A first BU 516 requests the Challenge. A second BU 518 carries the authentication data and the keying material. A third BU 521 includes two BUs: one 520 for the hierarchical mobility mechanism and one 522 for the HA BU (this latter one will be computed with the MN Mobile IP key). The AR will first perform the registration for the hierarchical mobility mechanism; if it fails, then the AR informs the MN without executing the HA BU. In the case of success, it transmits the HA BU to the MN's Home Agent.
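The Figure 3 flow (challenge RAND_HD, MN_AuthData, NW_AuthData, and the Km/Ks/Kc2 material carried to the MN under CK1/IK1) and the home-domain-proxied Diffie Hellman exchange of messages 208 to 214, simulated end to end as an added Python example that is not part of the patent. The patent fixes neither the functions F, G, H, J, L, M nor the cipher, so HMAC-SHA256 stands in for all of them, a constructed counter-mode keystream under CK stands in for the cipher, the VD-HD association KI is assumed to split into a cipher and a MAC key the same way, and the DH group is a toy placeholder.

```python
import hashlib
import hmac
import secrets

# Toy Diffie Hellman group for the demo (constructed; use a standard group such as RFC 3526 in practice).
P = 2**127 - 1
G = 3

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the patent's functions F, G, H, J, L and M: HMAC-SHA256 keyed with Ki or a Kc."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()

def _keystream(ck: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from CK (constructed for the demo, not a standardised cipher)."""
    blocks = (hmac.new(ck, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(ck: bytes, ik: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """'CK, IK (x)' in the patent's notation: encrypt under CK, then MAC under IK, the MAC also covering aad."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ck, nonce, len(plaintext))))
    return nonce + ct + hmac.new(ik, aad + nonce + ct, hashlib.sha256).digest()

def unprotect(ck: bytes, ik: bytes, msg: bytes, aad: bytes = b"") -> bytes:
    """Check the MAC before decrypting; a modified message is rejected rather than decrypted."""
    nonce, ct, tag = msg[:12], msg[12:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(ik, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ck, nonce, len(ct))))

def figure3_flow(Ki: bytes) -> dict:
    """Challenge, mutual authentication and key distribution of Figure 3, with MN, AAA-H/AuC and AR simulated."""
    RAND_HD = secrets.token_bytes(16)                  # AAA-H/AuC challenge, sent in clear (arrows 322-326)
    # MN: Kc1 = F(Ki, RAND_HD), CK1 = L(Kc1), IK1 = M(Kc1), then RAND_MN and MN_AuthData.
    Kc1 = kdf(Ki, b"F", RAND_HD)
    CK1, IK1 = kdf(Kc1, b"L"), kdf(Kc1, b"M")
    RAND_MN = secrets.token_bytes(16)
    MN_AuthData = kdf(Ki, b"auth", RAND_HD)
    # BU 328: RAND_HD in clear but bound by the MAC, CK1,IK1(RAND_MN, MN_AuthData) protected.
    bu328 = RAND_HD + protect(CK1, IK1, RAND_MN + MN_AuthData, aad=RAND_HD)

    # AAA-H/AuC (box 331): recompute Kc1, CK1, IK1 from Ki and the echoed RAND_HD; verify; authenticate.
    h_rand_hd, h_blob = bu328[:16], bu328[16:]
    h_Kc1 = kdf(Ki, b"F", h_rand_hd)
    h_CK1, h_IK1 = kdf(h_Kc1, b"L"), kdf(h_Kc1, b"M")
    inner = unprotect(h_CK1, h_IK1, h_blob, aad=h_rand_hd)
    h_RAND_MN, h_auth = inner[:16], inner[16:]
    if not hmac.compare_digest(h_auth, kdf(Ki, b"auth", h_rand_hd)):
        raise ValueError("user authentication failed")
    NW_AuthData = kdf(Ki, b"auth", h_RAND_MN)
    RAND_Km, RAND_Ks, RAND_Kc2 = (secrets.token_bytes(16) for _ in range(3))
    Km = kdf(Ki, b"G", RAND_Km)     # Mobile IP key, handed to the Home Agent
    Ks = kdf(Ki, b"H", RAND_Ks)     # hierarchical mobility key, handed to the AAA-V/AR
    Kc2 = kdf(Ki, b"J", RAND_Kc2)   # session ciphering key, handed to the AAA-V/AR
    # Messages 334/338/342: only the RAND values and NW_AuthData reach the MN, under CK1/IK1.
    msg342 = protect(h_CK1, h_IK1, RAND_Km + RAND_Ks + RAND_Kc2 + h_RAND_MN + NW_AuthData)
    ar_keys = {"Ks": Ks, "CK2": kdf(Kc2, b"L"), "IK2": kdf(Kc2, b"M")}   # AR, step 340

    # MN (step 344): MAC check, NW_AuthData check against its own RAND_MN, then key derivation.
    fields = unprotect(CK1, IK1, msg342)
    m_RAND_Km, m_RAND_Ks, m_RAND_Kc2, m_RAND_MN = [fields[i:i + 16] for i in range(0, 64, 16)]
    if m_RAND_MN != RAND_MN or not hmac.compare_digest(fields[64:], kdf(Ki, b"auth", RAND_MN)):
        raise ValueError("network authentication failed")
    m_Kc2 = kdf(Ki, b"J", m_RAND_Kc2)
    mn_keys = {"Km": kdf(Ki, b"G", m_RAND_Km), "Ks": kdf(Ki, b"H", m_RAND_Ks),
               "CK2": kdf(m_Kc2, b"L"), "IK2": kdf(m_Kc2, b"M")}
    return {"mn": mn_keys, "ar": ar_keys, "ha": {"Km": Km}}

def proxied_dh(Ki: bytes, KI: bytes) -> tuple:
    """Messages 208-214: the home domain authenticates the DH public values of MN and visited domain (VD)."""
    KI_ck, KI_ik = kdf(KI, b"L"), kdf(KI, b"M")   # keys of the VD-HD security association (assumed split)
    RAND_VD = secrets.token_bytes(16)             # challenge generated by the visited domain
    # MN: Kc = J(RAND_VD, Ki), CK = L(Kc), IK = M(Kc); message 208 carries RAND_VD and CK,IK(DH_MN).
    x = secrets.randbelow(P - 2) + 1
    DH_MN = pow(G, x, P)
    Kc = kdf(Ki, b"J", RAND_VD)
    CK, IK = kdf(Kc, b"L"), kdf(Kc, b"M")
    msg208 = protect(CK, IK, DH_MN.to_bytes(16, "big"))
    # VD: cannot open msg208; appends KI(DH_VD) and relays both to the home domain (arrow 210).
    y = secrets.randbelow(P - 2) + 1
    DH_VD = pow(G, y, P)
    msg210 = (RAND_VD, msg208, protect(KI_ck, KI_ik, DH_VD.to_bytes(16, "big")))
    # HD: derives Kc from Ki and RAND_VD, opens both values, re-wraps each for the other party (arrow 212).
    h_Kc = kdf(Ki, b"J", msg210[0])
    h_CK, h_IK = kdf(h_Kc, b"L"), kdf(h_Kc, b"M")
    dh_mn = unprotect(h_CK, h_IK, msg210[1])
    dh_vd = unprotect(KI_ck, KI_ik, msg210[2])
    msg212 = (protect(KI_ck, KI_ik, dh_mn), protect(h_CK, h_IK, dh_vd))
    # VD trusts HD, so the value under KI is the MN's public value; it forwards CK,IK(DH_VD) to the MN (214).
    Ks_vd = pow(int.from_bytes(unprotect(KI_ck, KI_ik, msg212[0]), "big"), y, P)
    # MN trusts HD, so the value under CK/IK is the VD's public value.
    Ks_mn = pow(int.from_bytes(unprotect(CK, IK, msg212[1]), "big"), x, P)
    return Ks_mn, Ks_vd
```

Both flows end with the MN and the serving side holding identical keys while no key itself crosses the air interface; any modification of a protected message fails the MAC check before decryption.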

Claims
1. A method of establishing a connection between a mobile station and a serving network for serving the mobile station, wherein the mobile station is associated with a home network, a first security association being established between the mobile station and the home network, and a second security association being established between the home network and the supporting network, the method comprising using the first security association to authenticate a communication from the mobile node at the home network, and confirming such authentication to the visited network using the second security association, whereby there is authenticated a connection between the mobile station and the serving network.
2. A method according to claim 1 wherein the mobile node receives a first random number from the visited network, and generates mobile node authentication data in dependence on an authentication algorithm applied to the first random number and the first security association.
3. A method according to claim 2 wherein the mobile node authentication data and the first random number is transmitted from the mobile node to the home network via the visited network.
4. A method according to claim 3 wherein, responsive to receipt of the mobile node authentication data and the first random number, the home network authenticates the mobile node.
5. A method according to any one of claims 2 to 4 wherein the mobile node further generates a second random number for use in network authentication.
6. A method according to claim 5 wherein the second random number is transmitted from the mobile node to the home network via the visited network.
7. A method according to claim 6 wherein the home network generates network authentication data in dependence on an authentication algorithm applied to the second random number and the second security association.
8. A method according to claim 7 wherein the home network transmits the network authentication data and the second random number to the visited network.
9. A method according to claim 4 wherein responsive to the network authentication data and the second random number the mobile node authenticates the network.
10. A method according to any one of claims 1 to 9 wherein the mobile node determines a master security key derived from the first security association and the first random number.
11. A method according to claim 10, wherein in dependence on the master security key the mobile node derives an access network specific ciphering key and an access network specific integrity protection key using respective predetermined functions.
12. A method according to claim 11 when dependent upon claim 3 wherein the mobile node authorisation data is encrypted using said cipher and integrity keys.
13. A method according to claim 12 wherein the first random number is not encrypted.
14. A method according to claim 12 or 13 wherein the home network derives the master key based on the first security association and the first random number.
15. A method according to claim 14 wherein in dependence on the master security key the mobile node derives an access network specific ciphering key and an access network specific integrity protection key using respective predetermined functions.
16. A method according to claim 1 wherein the step of using the first security association to authenticate a communication from the mobile node at the home network includes transmitting at least one Diffie Hellman value of the mobile node to the visited network using the first security association, wherein the visited network forwards such to the home network.
17. A method according to claim 16 further including transmitting at least one Diffie Hellman value associated with the visited network to the home network using the second security association.
18. A method according to claim 16 or claim 17, further including transmitting the at least one Diffie Hellman value associated with the mobile node from the home network to the visited network using the second security association.
19. A method according to claim 18 further including transmitting the at least one Diffie Hellman value associated with the visited network from the visited network to the mobile node.
20. A method according to any one of claims 16 to 19, wherein said at least one Diffie Hellman value is used for distribution of Mobile IP key and/or Hierarchical key and/or Master key.
21. A method according to any one of claims 16 to 19, wherein the mobile node receives a first random number from the visited network, and the mobile node computes a master key in dependence on a function of the first random number and the first security association.
22. A method according to claim 21 wherein the mobile node computes a ciphering key and an integrity key as functions of the master key.
23. A method according to claim 21 wherein the at least one mobile node Diffie Hellman value is encrypted with the ciphering key and the integrity key.
24. A method according to claim 23 wherein the at least one visited domain Diffie Hellman value is encrypted in accordance with the second security association.
25. A method according to any one of claims 21 to 24 wherein the home domain derives the master key from the first random value and the first security association.
26. A method according to any preceding claim, wherein the home network further generates at least one random number for distribution of Mobile IP key and/or Hierarchical key and/or Master key.
27. A method according to any preceding claim wherein the home network provides the Mobile IP key (or Diffie Hellman value for Mobile IP key) to the Home Agent.
28. A method according to any preceding claim wherein the hierarchical key is delivered to the Mobility Agent in the serving network.
29. A method according to any preceding claim wherein the Master key is stored in the serving network.
30. A method according to claim 20, wherein the mobile node derives from said at least one Diffie Hellman value the Mobile IP key and/or the Hierarchical key and/or the Master key.
31. A method according to any preceding claim wherein a public key infrastructure instead of the home network is used for authentication of the subscriber.
32. A method according to claim 2, wherein said first random number is generated by the home network.
33. A method of establishing a connection between a mobile station and a serving domain, in which a first security association exists between the mobile node and an associated home domain, and a second security association exists between the serving domain and the home domain, the method comprising: transmitting a first message, a proxied security association negotiation request, from the mobile node to a serving domain, the first message being encrypted in accordance with the first security association; transmitting such first message request for proxied security association negotiation from the serving domain to said home domain; transmitting a second message from the home domain to the serving domain; and transmitting the second message from the serving domain to the mobile node.
34. A mobile communication system in which a connection is established between a mobile station and a serving network for serving the mobile station, wherein the mobile station is associated with a home network, a first security association being established between the mobile station and the home network, and a second security association being established between the home network and the supporting network, the method comprising using the first security association to authenticate a communication from the mobile node at the home network, and confirming such authentication to the visited network using the second security association, whereby there is authenticated a connection between the mobile station and the serving network.
PCT/IB2002/001658 2001-02-23 2002-02-25 Authentication and distribution of keys in mobile ip network WO2002068418A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002258068A AU2002258068A1 (en) 2001-02-23 2002-02-25 Authentication and distribution of keys in mobile ip network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/792,682 2001-02-23
US09/792,682 US20020120844A1 (en) 2001-02-23 2001-02-23 Authentication and distribution of keys in mobile IP network

Publications (2)

Publication Number Publication Date
WO2002068418A2 true WO2002068418A2 (en) 2002-09-06
WO2002068418A3 WO2002068418A3 (en) 2002-11-28

Family

ID=25157719

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2002/001658 WO2002068418A2 (en) 2001-02-23 2002-02-25 Authentication and distribution of keys in mobile ip network

Country Status (3)

Country Link
US (1) US20020120844A1 (en)
AU (1) AU2002258068A1 (en)
WO (1) WO2002068418A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007051787A1 (en) * 2005-11-04 2007-05-10 Siemens Aktiengesellschaft Method and server for providing a mobile key

Families Citing this family (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002069560A1 (en) * 2001-02-23 2002-09-06 Nokia Inc. System and method for strong authentication achieved in a single round trip
US20020157024A1 (en) * 2001-04-06 2002-10-24 Aki Yokote Intelligent security association management server for mobile IP networks
US20020147820A1 (en) * 2001-04-06 2002-10-10 Docomo Communications Laboratories Usa, Inc. Method for implementing IP security in mobile IP networks
US7900242B2 (en) * 2001-07-12 2011-03-01 Nokia Corporation Modular authentication and authorization scheme for internet protocol
EP3401794A1 (en) * 2002-01-08 2018-11-14 Seven Networks, LLC Connection architecture for a mobile network
US20030211842A1 (en) * 2002-02-19 2003-11-13 James Kempf Securing binding update using address based keys
CN1268093C (en) * 2002-03-08 2006-08-02 华为技术有限公司 Distribution method of wireless local area network encrypted keys
FR2837336B1 (en) * 2002-03-15 2006-03-03 Oberthur Card Syst Sa METHOD OF EXCHANGING AUTHENTICATION INFORMATION BETWEEN A COMMUNICATION ENTITY AND A SERVER-OPERATOR
US7418596B1 (en) 2002-03-26 2008-08-26 Cellco Partnership Secure, efficient, and mutually authenticated cryptographic key distribution
US8195940B2 (en) * 2002-04-05 2012-06-05 Qualcomm Incorporated Key updates in a mobile wireless system
US7529933B2 (en) * 2002-05-30 2009-05-05 Microsoft Corporation TLS tunneling
CN1666190B (en) * 2002-06-28 2010-04-28 诺基亚有限公司 Method of registering home address of a mobile node with a home agent
US20040043756A1 (en) * 2002-09-03 2004-03-04 Tao Haukka Method and system for authentication in IP multimedia core network system (IMS)
US7475241B2 (en) * 2002-11-22 2009-01-06 Cisco Technology, Inc. Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US7350077B2 (en) * 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
US7870389B1 (en) 2002-12-24 2011-01-11 Cisco Technology, Inc. Methods and apparatus for authenticating mobility entities using kerberos
WO2004112348A1 (en) * 2003-06-18 2004-12-23 Telefonaktiebolaget Lm Ericsson (Publ) Method, system and apparatus to support mobile ip version 6 services
JP4305087B2 (en) * 2003-07-28 2009-07-29 日本電気株式会社 Communication network system and security automatic setting method thereof
CN100450000C (en) * 2003-08-20 2009-01-07 华为技术有限公司 Method for realizing share of group safety alliance
US8296558B1 (en) 2003-11-26 2012-10-23 Apple Inc. Method and apparatus for securing communication between a mobile node and a network
US7802085B2 (en) * 2004-02-18 2010-09-21 Intel Corporation Apparatus and method for distributing private keys to an entity with minimal secret, unique information
WO2005101793A1 (en) 2004-04-14 2005-10-27 Nortel Networks Limited Securing home agent to mobile node communication with ha-mn key
EP2698965A1 (en) 2004-04-14 2014-02-19 Microsoft Corporation Mobile IPV6 authentication and authorization
KR100693603B1 (en) * 2004-06-29 2007-03-14 주식회사 팬택 Method for authentication of mobile ip service
US8611536B2 (en) * 2004-09-08 2013-12-17 Qualcomm Incorporated Bootstrapping authentication using distinguished random challenges
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US7502331B2 (en) * 2004-11-17 2009-03-10 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
FI20050384A0 (en) * 2005-04-14 2005-04-14 Nokia Corp Use of generic authentication architecture for distribution of Internet protocol keys in mobile terminals
US7907948B2 (en) * 2005-04-22 2011-03-15 Telefonaktiebolaget L M Ericsson (Publ) Providing anonymity to a mobile node in a session with a correspondent node
US7783041B2 (en) * 2005-10-03 2010-08-24 Nokia Corporation System, method and computer program product for authenticating a data agreement between network entities
US7626963B2 (en) * 2005-10-25 2009-12-01 Cisco Technology, Inc. EAP/SIM authentication for mobile IP to leverage GSM/SIM authentication infrastructure
DE102006008745A1 (en) * 2005-11-04 2007-05-10 Siemens Ag Method and server for providing a mobility key
US8015594B2 (en) * 2006-03-17 2011-09-06 Cisco Technology, Inc. Techniques for validating public keys using AAA services
US8239671B2 (en) * 2006-04-20 2012-08-07 Toshiba America Research, Inc. Channel binding mechanism based on parameter binding in key derivation
KR100860404B1 (en) * 2006-06-29 2008-09-26 한국전자통신연구원 Device authenticaton method and apparatus in multi-domain home networks
WO2008002081A1 (en) * 2006-06-29 2008-01-03 Electronics And Telecommunications Research Institute Method and apparatus for authenticating device in multi domain home network environment
DE102006038037A1 (en) * 2006-08-14 2008-02-21 Siemens Ag Method and system for providing an access-specific key
EP1895798A1 (en) * 2006-08-29 2008-03-05 Axalto SA Ascertaining the authentication of a roaming subscriber
FI20070157A0 (en) * 2007-02-23 2007-02-23 Nokia Corp Fast authentication of update messages with key differentiation on mobile IP systems
CA2590989C (en) * 2007-06-05 2014-02-11 Diversinet Corp. Protocol and method for client-server mutual authentication using event-based otp
US7984486B2 (en) * 2007-11-28 2011-07-19 Nokia Corporation Using GAA to derive and distribute proxy mobile node home agent keys
US20120189122A1 (en) * 2011-01-20 2012-07-26 Yi-Li Huang Method with dynamic keys for mutual authentication in wireless communication environments without prior authentication connection
KR20130031660A (en) * 2011-09-21 2013-03-29 삼성전자주식회사 Network apparatus based contents name and method for generate and authenticate contents name
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
EP3912377A4 (en) * 2019-01-15 2022-01-12 ZTE Corporation Method and device for preventing user tracking, storage medium and electronic device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000067446A1 (en) * 1999-05-03 2000-11-09 Nokia Corporation SIM BASED AUTHENTICATION MECHANISM FOR DHCRv4/v6 MESSAGES

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69534012T2 (en) * 1994-03-17 2006-05-04 Kokusai Denshin Denwa Co., Ltd. Authentication method for mobile communication
FI102235B1 (en) * 1996-01-24 1998-10-30 Nokia Telecommunications Oy Management of authentication keys in a mobile communication system
JP2877199B2 (en) * 1996-06-21 1999-03-31 日本電気株式会社 Roaming method
JP3651721B2 (en) * 1996-11-01 2005-05-25 株式会社東芝 Mobile computer device, packet processing device, and communication control method
FI20000760A0 (en) * 2000-03-31 2000-03-31 Nokia Corp Authentication in a packet data network
US6766453B1 (en) * 2000-04-28 2004-07-20 3Com Corporation Authenticated diffie-hellman key agreement protocol where the communicating parties share a secret key with a third party
US6950521B1 (en) * 2000-06-13 2005-09-27 Lucent Technologies Inc. Method for repeated authentication of a user subscription identity module

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000067446A1 (en) * 1999-05-03 2000-11-09 Nokia Corporation SIM BASED AUTHENTICATION MECHANISM FOR DHCRv4/v6 MESSAGES

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LA PORTA T F ET AL: "Mobile IP and wide area wireless data" WIRELESS COMMUNICATIONS AND NETWORKING CONFERENCE, 1999. WCNC. 1999 IEEE NEW ORLEANS, LA, USA 21-24 SEPT. 1999, PISCATAWAY, NJ, USA,IEEE, US, 21 September 1999 (1999-09-21), pages 1528-1532, XP010353715 ISBN: 0-7803-5668-3 *
YAIR FRANKEL ET AL: "SECURITY ISSUES IN A CDPD WIRELESS NETWORK" IEEE PERSONAL COMMUNICATIONS, IEEE COMMUNICATIONS SOCIETY, US, vol. 2, no. 4, 1 August 1995 (1995-08-01), pages 16-27, XP000517586 ISSN: 1070-9916 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007051787A1 (en) * 2005-11-04 2007-05-10 Siemens Aktiengesellschaft Method and server for providing a mobile key
EA013704B1 (en) * 2005-11-04 2010-06-30 Сименс Акциенгезелльшафт Method and server for providing a mobile key
KR101037844B1 (en) * 2005-11-04 2011-05-31 지멘스 악티엔게젤샤프트 Method and server for providing a mobile key
US9043599B2 (en) 2005-11-04 2015-05-26 Siemens Aktiengesellschaft Method and server for providing a mobility key

Also Published As

Publication number Publication date
AU2002258068A1 (en) 2002-09-12
WO2002068418A3 (en) 2002-11-28
US20020120844A1 (en) 2002-08-29

Similar Documents

Publication Publication Date Title
US20020120844A1 (en) Authentication and distribution of keys in mobile IP network
US11588626B2 (en) Key distribution method and system, and apparatus
EP2062189B1 (en) Method and system for secure processing of authentication key material in an ad hoc wireless network
EP2702741B1 (en) Authenticating a device in a network
JP5597676B2 (en) Key material exchange
US8561200B2 (en) Method and system for controlling access to communication networks, related network and computer program therefor
US9197615B2 (en) Method and system for providing access-specific key
US8918522B2 (en) Re-establishment of a security association
US20080046732A1 (en) Ad-hoc network key management
US20030211842A1 (en) Securing binding update using address based keys
KR100749846B1 (en) Device for realizing security function in mac of portable internet system and authentication method using the device
JP2012110009A (en) Methods and arrangements for secure linking of entity authentication and ciphering key generation
CN109075973B (en) Method for carrying out unified authentication on network and service by using ID-based cryptography
CN101160924A (en) Method for distributing certificates in a communication system
JP5290323B2 (en) Integrated handover authentication method for next-generation network environment to which radio access technology and mobile IP-based mobility control technology are applied
KR100636318B1 (en) Method and system for authentication of address ownership using care of address binding protocol
WO2008040178A1 (en) Method and device for binding update between mobile node and correspondent node
WO2008000165A1 (en) Method and system for distributing key in wireless network
WO2007134547A1 (en) A method and system for generating and distributing mobile ip security key after reauthentication
JP2000115161A (en) Method for protecting mobile object anonymity
KR20080056055A (en) Communication inter-provider roaming authentication method and key establishment method, and recording medium storing program including the same
Li et al. A proxy based authentication localisation scheme for handover between non trust-associated domains
Hwang et al. A Key management for wireless communications
CN1996838A (en) AAA certification and optimization method for multi-host WiMAX system
Liu et al. Privacy-preserving quick authentication in fast roaming networks

Legal Events

Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP

WWW WIPO information: withdrawn in national office

Country of ref document: JP