US20210135878A1 - Authentication Mechanism for 5G Technologies - Google Patents

Authentication Mechanism for 5G Technologies

Info

Publication number: US20210135878A1
Authority: US (United States)
Prior art keywords: authentication, hss, message, imsi, encrypted
Legal status: Abandoned
Application number: US17/146,297
Inventors: Ahmad Shawky Muhanna, Marcus Wong
Current Assignee: FutureWei Technologies Inc
Original Assignee: FutureWei Technologies Inc
Application filed by: FutureWei Technologies Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/06 Authentication
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Definitions

  • the present invention relates generally to wireless telecommunications, and, in particular embodiments, to a system and method for authentication mechanisms for 5G technologies while providing privacy to subscriber and UE permanent identifiers.
  • LTE networks provide three basic security features, namely: LTE authentication, non-access stratum (NAS) security, and access stratum (AS) security.
  • the LTE authentication feature ensures that a user is an authorized subscriber to the network (or network service) that the user is attempting to access.
  • NAS security and AS security features ensure that control and user data communicated over a radio access network (RAN) is secure at the NAS and AS levels, respectively.
  • a method for secure authentication includes generating a first integrity key based at least on a pre-provisioned key (K key) of the UE and a first random number (RAND1), and generating a message authentication code (MAC) signature by computing a hash function of UE specific information using the first integrity key.
  • the UE specific information includes at least an International Mobile Subscriber Identity (IMSI) of the UE and the RAND1.
  • the method further includes encrypting the UE specific information and the MAC signature using a public key to form an encrypted portion, and sending an initial authentication request message to a base station in a serving network. The initial authentication request message carries the encrypted portion and an unencrypted network identifier.
  • An apparatus for performing this method is also provided.
  • the method includes receiving a user authentication information request message from a mobility management entity (MME) in a serving network that includes a home network identifier (HID) and an encrypted portion, and decrypting the encrypted portion using a home network private key associated with the HID to obtain user equipment (UE) specific information and a first message authentication code (MAC) signature.
  • the UE specific information includes at least an International Mobile Subscriber Identity (IMSI) of the UE and a first random number (RAND1).
  • the method further includes obtaining a first integrity key based on the IMSI of the UE and the RAND1, and verifying the integrity of the user authentication information request message.
  • Verifying the integrity of the user authentication information request message comprises generating a second MAC signature by computing a hash function of UE specific information using the first integrity key, and comparing the second MAC signature with the first MAC signature to determine whether the UE specific information originated from the UE.
  • An apparatus for performing this method is also provided.
  • yet another method for secure authentication includes generating a first encryption key based on a pre-provisioned key of the UE and a first random number (RAND1), encrypting at least an International Mobile Subscriber Identity (IMSI) of the UE and the RAND1 using the first encryption key to form an encrypted inner portion, encrypting at least the inner portion, the RAND1, and the IMSI using a public key to form an encrypted outer portion, and sending an initial authentication request message to a base station in a serving network.
  • the initial authentication request message carries the encrypted outer portion and an unencrypted network identifier.
  • yet another method for secure authentication includes receiving an initial authentication request message from a user equipment (UE) that includes an encrypted outer portion and an unencrypted network identifier, decrypting the encrypted outer portion using a private key associated with the serving network to obtain an International Mobile Subscriber Identity (IMSI) of the UE, a first random number (RAND1), and an encrypted inner portion, and sending an authentication and data request message to a home subscriber server (HSS) in a home network of the UE.
  • the authentication and data request message includes at least the IMSI, RAND1, and the encrypted inner portion.
  • FIG. 1 is a diagram of an embodiment wireless communications network;
  • FIG. 2 is a diagram of a 5G network architecture;
  • FIG. 3 is a protocol diagram of a conventional communications sequence for authenticating a UE in a wireless network;
  • FIG. 4 is a protocol diagram of an embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 5 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 4;
  • FIG. 6 is a diagram of additional embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 4;
  • FIG. 7 is a flow chart of an embodiment method for generating an initial authentication request (IAR) message according to a MASA protocol;
  • FIG. 8 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 9 is a flowchart of an embodiment method for processing an authentication and data response message and generating an initial authentication response (IAS) message according to a MASA protocol;
  • FIG. 10 is a flowchart of an embodiment method for processing an IAS message according to a MASA protocol;
  • FIG. 11 is a protocol diagram of another embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 12 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 11;
  • FIG. 13 is a flow chart of an embodiment method for generating an IAR message according to a MASA protocol;
  • FIG. 14 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 15 is a flowchart of an embodiment method for processing an authentication and data response message and generating an IAS message according to a MASA protocol;
  • FIG. 16 is a flowchart of an embodiment method for processing an IAS message according to a MASA protocol;
  • FIG. 17 is a protocol diagram of yet another embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 18 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 17;
  • FIG. 19 is a flow chart of an embodiment method for generating an IAR message according to a MASA protocol;
  • FIG. 20 is a flowchart of an embodiment method for processing an IAR message and generating an authentication and data request message according to a MASA protocol;
  • FIG. 21 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 22 is a diagram of an embodiment frame format for an IAR message;
  • FIG. 23 is a diagram of an embodiment processing system;
  • FIG. 24 is a diagram of an embodiment transceiver.
  • the LTE authentication and NAS security protocols are usually performed sequentially, during which time mutual authentication is established between the UE and the serving network and NAS layer encryption keys are generated.
  • a UE sends an International Mobile Subscriber Identity (IMSI) to a mobility management entity (MME) in a serving network.
  • EPS: Evolved Packet System
  • the EPS authentication vectors are then communicated to the MME, where they are used to authenticate the UE and generate NAS layer encryption keys in accordance with an authentication and key agreement (AKA) procedure.
  • the NAS layer encryption keys are used to encrypt signaling exchanged between the UE and the MME.
  • an unencrypted IMSI is communicated from the UE to the access point. This creates a potential security vulnerability because the IMSI is private information that can be exploited by malicious third parties to engage in unauthorized activities, such as tracking the UE and/or engaging in denial of service attacks. Accordingly, techniques for securely communicating the IMSI during LTE authentication are desired.
  • embodiment MASA protocols that use independently generated integrity and/or encryption keys to securely communicate private information exchanged between UEs and various network-side devices (e.g., base stations, MMEs, HSSs, etc.).
  • embodiment MASA protocols may use an initial authentication request (IAR) encryption key (KIAR_ENC) to encrypt UE specific information (e.g., an IMSI, etc.) in an IAR message and/or an initial authentication response (IAS) encryption key (KIAS_ENC) to encrypt private information in an IAS message.
  • embodiment MASA protocols may use an IAR integrity protection key (KIAR_INT) to verify the integrity of information in an IAR message and/or an IAS integrity protection key (KIAS_INT) to verify the integrity of information in an IAS message.
  • the KIAR_ENC, KIAR_INT, KIAS_ENC, and/or KIAS_INT may be independently computed by the UE and a home subscriber server (HSS) based on, for example, a pre-provisioned key (K-key) of the UE and one or more random numbers (e.g., RAND1, RAND2, UE random number (RAND_UE), home network random number (RAND_HN)), and/or a COUNTER.
  • Using a COUNTER to compute an instance of a given key may be useful in ensuring that each generated instance of the key differs from previously generated instances of the key, as it is possible that the same random number could be selected to generate different instances of a key, which could constitute a security vulnerability.
  • a low complexity MASA protocol uses integrity keys (e.g., a KIAR_INT and/or a KIAS_INT) to provide integrity protection when communicating IAR and/or IAS messages having a single layer of encryption protection.
  • a UE may encrypt UE specific information (e.g., an IMSI, random numbers, etc.) using a home network public key (HPuK) to form an encrypted portion, and then generate a message authentication code (MAC) signature by computing a hash function of the encrypted portion, and potentially additional information (e.g., a random number) in an outer portion of the IAR message, using a KIAR_INT.
  • the UE may then send an IAR message carrying the encrypted portion and the MAC signature to a base station in a serving network, which may relay the IAR message to an MME.
  • the MME may encapsulate the IAR message into a user authentication data request message, which may then be sent to a home subscriber server (HSS) in the UE's home network.
  • the HSS may independently compute a MAC signature of the contents of the IAR message based on an independently generated integrity key (e.g., the KIAR_INT), and then compare the independently generated MAC signature with the MAC signature included in the IAR message to verify the integrity of the encrypted portion of the IAR message.
  • a higher complexity MASA protocol uses encryption keys (e.g., KIAR_ENC and/or KIAS_ENC) in conjunction with the home network public-private key pair to provide two layers of encryption for the contents of IAR and/or IAS messages.
  • a UE may use a pre-provisioned key and a first random number (RAND1) to generate an initial authentication request encryption key (KIAR_ENC).
  • the KIAR_ENC is then used to encrypt private information to form an encrypted inner portion of an authentication request message.
  • the private information may include the IMSI of the UE, the RAND1, a second random number (RAND2), UE-Security-Capabilities, and/or a counter.
  • the UE may encrypt the RAND1, the IMSI, and the encrypted inner portion to obtain an encrypted outer portion of the authentication request message.
  • Other information may also be encrypted when generating the encrypted outer portion.
  • the public key used to generate the encrypted outer portion may belong to a private-public-key-pair.
  • the public key is a home network public key (HPuK).
  • the public key is a serving network public key (SPuK).
  • the UE may send the authentication request message carrying the encrypted outer portion and an unencrypted network identifier to an MME in the serving network.
  • the unencrypted network identifier in the authentication request message may be a serving network identifier (SID).
  • the MME may use a serving network private key to decrypt the encrypted outer portion and obtain the RAND1, the IMSI, and the encrypted inner portion, which may then be forwarded to a home subscriber server (HSS) in a home network of the UE.
  • the unencrypted network identifier in the authentication request message may be a home network identifier (HID).
  • the MME would send an authentication and data request carrying the encrypted outer portion, along with the HID, MME security capability identifiers, to the HSS in the home network.
  • the HSS would then decrypt the encrypted outer portion using a home network private key and obtain the RAND1, the IMSI, and the encrypted inner portion.
  • the HSS would then use the RAND1 and a K key associated with the UE to independently generate the KIAR_ENC, which the HSS would subsequently use to decrypt the encrypted inner portion.
  • the HSS would then verify that the IMSI in the decrypted inner portion matched the IMSI in the decrypted outer portion to verify that the encrypted outer portion had not been tampered with by an unauthorized third party. Thereafter, the HSS may verify that the counter in the decrypted inner portion matched a counter maintained by the HSS to confirm that the initial authentication request (IAR) was fresh (i.e., not stale).
  • the HSS may generate an initial authentication response encryption key (KIAS_ENC) based on the RAND2 and the K key associated with the IMSI.
  • the HSS may also generate one or more authentication vectors.
  • the HSS may then send an initial authorization and data response to the MME that includes the KIAS_ENC and the authentication vectors.
  • the initial authorization and data response includes a UE security capability parameter.
  • the MME may then select one of the authentication vectors, as well as a non-access stratum (NAS) ciphering algorithm.
  • the MME may also assign a temporary network identifier (e.g., a globally unique temporary identifier (GUTI)) to the UE.
  • the MME may encrypt the KIAS_ENC, the temporary network identifier, and a key set identifier (KSI) associated with the selected NAS ciphering algorithm using the KIAS_ENC to obtain encrypted NAS security data.
  • the encrypted NAS security data may include other information as well, such as the counter and the RAND2.
  • the MME may then send an initial authentication and data response to the UE carrying the encrypted NAS security data as well as an unencrypted RAND2.
  • the UE may then independently generate the KIAS_ENC based on the RAND2 and the K key.
  • the UE may then generate a ciphering key using the NAS ciphering algorithm associated with the KSI in the decrypted NAS security data.
  • the UE may then return a security authentication complete message to the MME, confirming that the serving network has been authenticated.
  • Encrypting the IMSI, as well as the temporary network ID, in the manner described herein allows that information to be securely exchanged during LTE authentication and NAS security protocols. Additionally, the embodiment procedures described herein reduce the number of messages exchanged between the UE and the base station during LTE authentication and NAS security protocols.
  • FIG. 1 illustrates a network 100 for communicating data.
  • the network 100 comprises a base station 110 having a coverage area 101, a plurality of mobile devices 115, and a backhaul network 130.
  • the base station 110 establishes uplink (dashed line) and/or downlink (dotted line) connections with the mobile devices 115, which serve to carry data from the mobile devices 115 to the base station 110 and vice-versa.
  • Data carried over the uplink/downlink connections may include data communicated between the mobile devices 115, as well as data communicated to/from a remote-end (not shown) by way of the backhaul network 130.
  • the term “base station” refers to any component (or collection of components) configured to provide wireless access to a network, such as an enhanced base station (eNB), a macro-cell, a femtocell, a Wi-Fi access point (AP), or other wirelessly enabled devices.
  • Base stations may provide wireless access in accordance with one or more wireless communication protocols, e.g., long term evolution (LTE), LTE advanced (LTE-A), High Speed Packet Access (HSPA), Wi-Fi 802.11a/b/g/n/ac, etc.
  • the term “mobile device” refers to any component (or collection of components) capable of establishing a wireless connection with a base station, such as a user equipment (UE), a mobile station (STA), and other wirelessly enabled devices.
  • the network 100 may comprise various other wireless devices, such as relays, low power nodes, etc.
  • FIG. 2 illustrates a network architecture 200 for a 5G LTE wireless network.
  • the network architecture 200 includes a radio access network (RAN) 201, an evolved packet core (EPC) 202, and a home network 203 of a UE 215 attempting to access the RAN 201.
  • the RAN 201 and the EPC 202 form a serving wireless network.
  • the RAN 201 includes a base station 210.
  • the EPC 202 includes a mobility management entity (MME) 220, a serving gateway (SGW) 222, and a packet data network (PDN) gateway (PGW) 224.
  • the MME 220 is the termination point in the network for ciphering/integrity protection for NAS signaling and handles the security key management. It should be appreciated that the term “MME” is used in 4G LTE networks, and that 5G LTE networks may include a Security Anchor Node (SEAN) or a Security Access Function (SEAF) that performs similar functions. The terms “MME,” “SEAN,” and “SEAF” are used interchangeably throughout this document.
  • the MME 220 also provides the control plane function for mobility between LTE and 2G/3G access networks, as well as an interface to home networks of roaming UEs.
  • the SGW 222 routes and forwards user data packets, while also acting as a mobility anchor for the user plane during handovers.
  • the PGW 224 provides connectivity from UEs to external packet data networks by being the point of exit and entry of traffic for the UEs.
  • the HSS 230 is a central database that contains user-related and subscription-related information.
  • FIG. 3 illustrates a protocol diagram of a conventional communications sequence 300 for authenticating the UE 215 in a wireless network.
  • the communications sequence 300 begins when the MME 220 communicates an identity request 310 to the UE 215.
  • the UE 215 communicates an identity response 320 to the MME 220.
  • the identity response 320 includes an unencrypted IMSI of the UE 215.
  • the MME 220 communicates an authorization data request 330 to the HSS 230.
  • the authorization data request 330 may include the IMSI.
  • the HSS 230 then computes EPS authentication vectors, and sends an authorization data response 335 carrying the EPS authentication vectors to the MME 220.
  • the MME 220 communicates a user authentication request 340 to the UE 215.
  • the user authentication request 340 includes a random number (RAND) and an authentication parameter (AUTN).
  • the UE 215 computes an authentication response (RES) based on the RAND, AUTN, and a secret key.
  • the secret key may be a priori information to the UE 215.
  • the secret key (e.g., a subscriber-specific master key (K))
  • USIM: Universal Subscriber Identity Module
  • the UE 215 may then send a user authentication response 350 carrying the authentication response (or RES) to the MME 220.
  • the MME 220 communicates a security mode command message 360 to the UE 215.
  • the security mode command message 360 may indicate an integrity protection algorithm and a ciphering algorithm.
  • the UE 215 may use the integrity protection algorithm to verify the integrity of the security mode command message 360.
  • the UE 215 uses the ciphering algorithm to derive NAS encryption keys.
  • the UE 215 then sends the security mode complete message 370 to the MME 220 to verify that the UE 215 validated the security mode command message 360, and derived the NAS encryption keys.
  • a third party may eavesdrop on the communications sequence 300 in an attempt to intercept one or more of the messages 310-370. If the identity response 320 is intercepted, then the third party may use the unencrypted IMSI to perform unauthorized activities, such as to track the UE 215.
  • the public key may be a part of a public-private key pair such that information encrypted with the public key can only be decrypted with the private key.
  • the public key is a home network public key, and the encrypted IMSI is decrypted by an HSS in the home network of the UE using a home network private key.
  • the home network public key may be a priori information of the UE, e.g., the home network public key may be stored in a USIM of the UE.
  • the public key is a serving network public key (SPuK), and the encrypted IMSI is decrypted by an MME in the serving network using a serving network private key.
  • FIG. 4 illustrates a protocol diagram of an embodiment communications sequence 400 for authenticating a UE 215 in a wireless network.
  • the communications sequence 400 begins when the MME 220 communicates an identity request 410 to the UE 215 .
  • Upon receiving the identity request 410 , the UE 215 generates a MAC signature by computing a hash of UE specific information (e.g., an IMSI, a RAND 1 , etc.) using a KIAR INT , and then encrypts the UE specific information along with the MAC signature using a HPuK to obtain an encrypted portion.
  • the UE 215 sends an initial authentication request (IAR) message 420 carrying the encrypted portion to the base station 210 , which relays the IAR message 420 to the MME 220 .
  • the IAR message 420 may also include an unencrypted home network ID (HID) of the home network of the UE 215 .
  • the MME 220 may identify the home network of the UE 215 based on the unencrypted HID, and communicate an authentication and data request message 430 to the HSS 230 in the identified home network.
  • the HSS 230 may decrypt the encrypted portion using a HPrK, and verify the integrity of the encrypted portion based on the MAC signature.
  • the HSS 230 independently generates a MAC signature by computing a hash of the information in the authentication and data request message 430 using an independently generated integrity key (e.g., a KIAR INT ), and then compares the independently generated MAC signature with the MAC signature carried by the encrypted portion in the authentication and data request 430 .
  • the HSS 230 may also take further steps to validate the encrypted portion.
  • the HSS 230 may verify that a COUNTER in the encrypted portion of the authentication and data request message 430 (e.g., a counter originally in the IAR message 420 ) exceeds an independent COUNTER maintained by the HSS 230 in order to confirm that the encrypted portion in the authentication and data request message 430 is fresh (e.g., not stale). If the encrypted portion is stale, then it may have been intercepted by a malicious man-in-the-middle entity.
  • the HSS 230 may generate authentication vectors based on an EPS-AKA procedure, and send an authentication and data response message 435 carrying the EPS authentication vectors to the MME 220 .
  • the authentication and data response message 435 may include other information in addition to the EPS authentication vectors, such as integrity/encryption keys (e.g., a KIAS INT , KIAS ENC , etc.), the IMSI of the UE, a COUNTER, and/or UE security capabilities.
  • the UE security capabilities may indicate protocol capabilities supported by the UE, such as, for example, NAS ciphering algorithms supported by the UE.
  • the MME 220 may then send an initial authentication response (IAS) message 450 to the UE 215 .
  • the IAS message 450 may have various different frame formats, and the contents of the IAS message 450 may vary depending on the frame format being used.
  • the IAS message 450 includes encrypted NAS security data and a key set identifier (KSI) associated with a NAS ciphering algorithm.
  • the UE 215 may use the NAS ciphering algorithm along with an independently generated encryption key (e.g., a KIAS ENC ) to decrypt the encrypted NAS security data. After decrypting the encrypted NAS security data, the UE 215 may send a security and authentication complete message 470 to the MME 220 .
  • FIG. 5 illustrates frame formats for an embodiment IAR message 520 , an embodiment authentication and data request message 530 , an embodiment authentication and data response message 535 , and an embodiment IAS message 550 .
  • the embodiment IAR message 520 corresponds to the IAR message 420 sent from the UE 215 to the MME 220 .
  • the embodiment IAR message 520 includes UE Specific information (UE_info), a MAC signature, and a home network identifier (HID).
  • UE_info may include various information associated with, or generated by, the UE, including (but not limited to) an IMSI, one or more random numbers (e.g., RAND 1 , RAND 2 , etc.), a counter, and/or UE security capability parameters.
  • the MAC signature may be generated by computing a hash function of the UE_info according to an integrity key (e.g., a KIAR INT ) and/or a random number (e.g., RAND 1 ).
  • the MAC signature and the UE_info are encrypted using a HPuK to form an encrypted portion 522 of the embodiment IAR message 520 .
  • the embodiment authentication and data request message 530 corresponds to the authentication and data request message 430 sent from the MME 220 to the HSS 230 . As shown, the embodiment authentication and data request message 530 includes the embodiment IAR message 520 and an HID.
  • the embodiment authentication and data response message 535 corresponds to the authentication and data response message 435 sent from the HSS 230 to the MME 220 .
  • the user authentication information response message 535 includes UE_info (e.g., an IMSI, counter, RAND 1 , RAND 2 , UE security capabilities, etc.), as well as authentication vectors (AVs), a KIAS ENC , and a KIAS INT .
  • the embodiment IAS message 550 corresponds to the IAS message 450 sent from the MME 220 to the UE 215 .
  • the IAS message 450 includes an encrypted inner portion 552 , an outer portion 554 , and a MAC 556 .
  • the encrypted inner portion 552 is formed by encrypting the AVs using a KIAS ENC . It should be appreciated that the encrypted inner portion 552 may include other information (e.g., a KSI) in addition to the AVs.
  • the outer portion 554 includes a RAND 2 and the encrypted inner portion 552 .
  • the MAC signature 556 is generated by computing a hash of the outer portion 554 using the KIAS INT .
  • FIG. 6 illustrates frame formats for an embodiment IAR message 620 , an embodiment authentication and data request message 630 , an embodiment authentication and data response message 635 , and an embodiment IAS message 650 .
  • the embodiment IAR message 620 corresponds to the IAR message 420 sent from the UE 215 to the MME 220 .
  • the embodiment IAR message 620 includes an encrypted portion 622 and a home network identifier (HID).
  • the encrypted portion 622 is generated by using an HPuK to encrypt a UE security capability parameter (UE_SEC_CAP), an IMSI, a RAND 1 , a RAND 2 , a COUNTER, and a MAC signature.
  • the MAC signature is generated by using a KIAR INT to compute a hash of the UE_SEC_CAP, the IMSI, the RAND 1 , the RAND 2 , and the COUNTER.
  • the embodiment authentication and data request message 630 corresponds to the authentication and data request message 430 sent from the MME 220 to the HSS 230 . As shown, the embodiment authentication and data request message 630 includes the embodiment IAR message 620 and an HID.
  • the embodiment authentication and data response message 635 corresponds to the authentication and data response message 435 sent from the HSS 230 to the MME 220 .
  • the authentication and data response message 635 includes a KIAS ENC , a KIAS INT , AV(s), a UE_SEC_CAP, an IMSI, a RAND 1 , a RAND 2 , and a COUNTER.
  • the embodiment IAS message 650 corresponds to the IAS message 450 sent from the MME 220 to the UE 215 .
  • the IAS message 450 includes an encrypted inner portion 652 , an outer portion 654 , and a MAC signature 656 .
  • the encrypted inner portion 652 is formed by encrypting a KSI and a RAND∥AUTN using the KIAS ENC .
  • the RAND∥AUTN may specify two or more parameters included in, or derived by the AVs, and may be used by the UE to authenticate the network and generate a response, e.g., the security and authentication complete message 470 , etc.
  • the encrypted inner portion 652 may include other UE specific information.
  • the outer portion 654 includes a RAND 2 and the encrypted inner portion 652 .
  • the MAC signature 656 is generated by computing a hash of the outer portion 654 using the KIAS INT .
  • FIG. 7 is a flowchart of an embodiment method 700 for generating an IAR message according to a MASA protocol, as may be performed by a UE.
  • the UE generates a KIAR INT based on a pre-provisioned key (K key) and a first random number (RAND 1 ).
  • the UE generates a MAC signature by computing a hash function of UE specific information using the KIAR INT .
  • the UE specific information includes at least an IMSI of the UE and the RAND 1 .
  • the UE encrypts the UE specific information and the MAC signature using a home network public key (HPuK) to form an encrypted portion.
  • HPuK belongs to a public-private key pair such that the encrypted portion can only be decrypted using a home network private key (HPrK) belonging to the public-private key pair.
  • the UE sends an IAR message carrying the encrypted portion and an unencrypted home network identifier (HID) to a base station in a serving network.
  • the base station relays the IAR message to an MME, which sends an authentication and data request message that includes the encrypted portion of the IAR message to an HSS server in a home network associated with the unencrypted network identifier in the IAR message.
  • FIG. 8 is a flowchart of an embodiment method 800 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS.
  • the HSS receives an authentication and data request message from a mobility management entity (MME) in a serving network.
  • the authentication and data request message carries an encrypted portion.
  • the HSS decrypts the encrypted portion using a HPrK to obtain a first MAC signature and UE-specific information.
  • the UE-specific information includes at least an IMSI and a RAND 1 .
  • the HSS obtains a KIAR INT based on the IMSI and the RAND 1 .
  • the HSS obtains the KIAR INT by sending the IMSI and the RAND 1 to an authentication server, which looks up a pre-provisioned key (K-key) based on the IMSI, generates the KIAR INT based on the K-key and the RAND 1 , and returns the KIAR INT to the HSS.
  • the HSS verifies the integrity of the encrypted portion based on the KIAR INT .
  • the HSS generates a second MAC signature by computing a hash of UE-specific information in the encrypted portion according to the KIAR INT , and then compares the second MAC signature with the first MAC signature. If the MAC signatures match, then the integrity of the encrypted portion is verified.
  • the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure.
  • the HSS obtains a KIAS INT and a KIAS ENC based on the IMSI of the UE and a RAND 2 .
  • the HSS obtains the KIAS INT and the KIAS ENC by sending the IMSI and the RAND 2 to an authentication server.
  • the authentication server looks up a pre-provisioned key (K-key) based on the IMSI, generates the KIAS INT and the KIAS ENC based on the K-key and the RAND 2 , and returns the KIAS INT and the KIAS ENC to the HSS.
  • steps 830 and 860 are performed in parallel such that the IMSI, RAND 1 , and RAND 2 are sent from the HSS to the authentication server in the same request message, and the KIAR INT , KIAS ENC , and KIAS INT are returned from the authentication server to the HSS in the same response message.
  • the HSS sends an authentication and data response message to the MME.
  • the authentication and data response message includes the KIAS INT , the KIAS ENC , the AVs, and UE_info.
  • a COUNTER is also used when generating KIAR INT , KIAS INT , and KIAS ENC .
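The HSS-side checks of method 800, together with the COUNTER freshness check described for sequence 400, can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 as both the key derivation and the MAC, the length-prefixed field encoding, the folding of the authentication server's K-key lookup into the HSS, and all sample values are assumptions, and the HPuK/HPrK encryption step is left out so the functions operate on the already decrypted fields.

```python
import hashlib
import hmac
import struct


def derive_kiar_int(k_key: bytes, rand1: bytes, counter: int) -> bytes:
    # Assumed KDF: HMAC-SHA256 keyed with the pre-provisioned K key over
    # a label, RAND1 and the COUNTER.
    label = b"KIAR_INT" + rand1 + struct.pack(">Q", counter)
    return hmac.new(k_key, label, hashlib.sha256).digest()


def encode_ue_info(imsi, rand1, rand2, counter, sec_cap) -> bytes:
    # Length-prefixed fields, so bytes cannot migrate between adjacent fields
    # without changing the MAC input.
    parts = [imsi.encode(), rand1, rand2, struct.pack(">Q", counter), sec_cap]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def ue_build_iar_plaintext(k_key, imsi, rand1, rand2, counter, sec_cap=b"\x01"):
    """UE side (FIG. 7): the fields and MAC that would next be encrypted with the HPuK."""
    kiar_int = derive_kiar_int(k_key, rand1, counter)
    ue_info = encode_ue_info(imsi, rand1, rand2, counter, sec_cap)
    mac = hmac.new(kiar_int, ue_info, hashlib.sha256).digest()
    return {"imsi": imsi, "rand1": rand1, "rand2": rand2,
            "counter": counter, "sec_cap": sec_cap, "mac": mac}


class Hss:
    """HSS side (FIG. 8) operating on the plaintext recovered with the HPrK."""

    def __init__(self, k_keys):
        self.k_keys = dict(k_keys)                       # IMSI -> K key
        self.last_counter = {imsi: 0 for imsi in k_keys}

    def validate(self, msg) -> str:
        k_key = self.k_keys.get(msg["imsi"])
        if k_key is None:
            return "unknown-imsi"
        kiar_int = derive_kiar_int(k_key, msg["rand1"], msg["counter"])
        ue_info = encode_ue_info(msg["imsi"], msg["rand1"], msg["rand2"],
                                 msg["counter"], msg["sec_cap"])
        expected = hmac.new(kiar_int, ue_info, hashlib.sha256).digest()
        # Constant-time comparison of the second MAC with the first MAC.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        # Freshness: the received COUNTER must exceed the HSS's own COUNTER.
        if msg["counter"] <= self.last_counter[msg["imsi"]]:
            return "stale"
        # The stored COUNTER advances only after the MAC has been verified,
        # so a forged message cannot push it forward.
        self.last_counter[msg["imsi"]] = msg["counter"]
        return "ok"


def demo():
    # Constructed sample subscribers and values.
    k = bytes(range(16))
    imsi = "001010123456789"
    hss = Hss({imsi: k, "001010000000001": bytes(16)})
    msg = ue_build_iar_plaintext(k, imsi, b"\xa1" * 16, b"\xb2" * 16, 1)
    results = [hss.validate(msg)]                               # first delivery
    results.append(hss.validate(msg))                           # replayed copy
    results.append(hss.validate(dict(msg, counter=2)))          # counter bumped, MAC not
    results.append(hss.validate(dict(msg, imsi="001010000000001")))  # IMSI swapped
    fresh = ue_build_iar_plaintext(k, imsi, b"\xa3" * 16, b"\xb4" * 16, 2)
    results.append(hss.validate(fresh))                         # next genuine request
    return results


if __name__ == "__main__":
    print(demo())
```

Because the COUNTER is covered by the MAC and feeds the key derivation, a replayed message cannot be made to look fresh by editing the COUNTER alone.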
  • FIG. 9 is a flowchart of an embodiment method 900 for processing an authentication and data response message and generating an IAS message according to a MASA protocol, as may be performed by an MME.
  • the MME receives an authentication and data response message from an HSS that includes a KIAS INT , a KIAS ENC , AVs, and user specific information.
  • the user specific information may include a UE security capabilities parameter, an IMSI, a RAND 2 , and/or a COUNTER.
  • the MME encrypts the user specific information using the KIAS ENC to obtain an encrypted portion.
  • the MME generates a MAC signature by computing a hash of the encrypted portion and the RAND 2 based on the KIAS INT .
  • the MME sends an IAS message to a UE that includes at least the encrypted portion, the RAND 2 , and MAC signature.
  • FIG. 10 is a flowchart of an embodiment method 1000 for processing an IAS message according to a MASA protocol, as may be performed by a UE.
  • the UE receives an IAS message from a base station in a serving network.
  • the IAS message includes at least an encrypted portion, a RAND 2 , and a first MAC signature.
  • the UE computes a KIAS INT and a KIAS ENC based on a K-key of the UE and the RAND 2 .
  • steps 1020 and 720 may be performed in parallel (e.g., by a SIM card in the UE) prior to sending an initial IAR message.
  • the UE generates a second MAC signature by computing a hash of the encrypted portion and the RAND 2 based on the KIAS INT .
  • the UE verifies that the second MAC signature matches the first MAC signature in the IAS message.
  • the UE decrypts the encrypted portion using the KIAS ENC .
  • the UE sends a security and authentication complete message to the MME confirming that the network has been authenticated.
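Methods 900 and 1000 amount to the MME building an encrypt-then-MAC message and the UE verifying it before decrypting anything. The sketch below is an added example rather than the patent's implementation: HMAC-SHA256 for key derivation and the MAC, a fixed 16-byte RAND 2, the SHA-256 keystream standing in for the NAS ciphering algorithm, and the sample values are all assumptions, and the comparison of the received RAND 2 against the UE's local copy follows the embodiment in which the UE generated the RAND 2 itself.

```python
import hashlib
import hmac

RAND2_LEN = 16  # fixed length, so RAND2 || encrypted portion parses unambiguously


def derive_kias(k_key: bytes, rand2: bytes):
    # Assumed KDF: HMAC-SHA256 keyed with the K key, one label per derived key.
    kias_int = hmac.new(k_key, b"KIAS_INT" + rand2, hashlib.sha256).digest()
    kias_enc = hmac.new(k_key, b"KIAS_ENC" + rand2, hashlib.sha256).digest()
    return kias_int, kias_enc


def xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the NAS ciphering algorithm (illustration only): XOR with a
    # SHA-256 keystream; the same call encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def mme_build_ias(kias_int, kias_enc, rand2, nas_security_data):
    """MME side (FIG. 9): encrypt, then MAC the encrypted portion and RAND2."""
    enc = xor_keystream(kias_enc, nas_security_data)
    mac = hmac.new(kias_int, rand2 + enc, hashlib.sha256).digest()
    return {"rand2": rand2, "enc": enc, "mac": mac}


def ue_process_ias(k_key, local_rand2, ias):
    """UE side (FIG. 10): returns (status, plaintext or None)."""
    # The RAND2 in the message must be the one this UE put in its IAR message.
    if len(ias["rand2"]) != RAND2_LEN or not hmac.compare_digest(ias["rand2"], local_rand2):
        return "rand2-mismatch", None
    kias_int, kias_enc = derive_kias(k_key, local_rand2)
    expected = hmac.new(kias_int, ias["rand2"] + ias["enc"], hashlib.sha256).digest()
    # Verify the MAC before touching the ciphertext.
    if not hmac.compare_digest(expected, ias["mac"]):
        return "bad-mac", None
    return "ok", xor_keystream(kias_enc, ias["enc"])


def demo():
    # Constructed sample values.
    k = bytes(range(16))
    rand2 = b"\xb2" * RAND2_LEN
    data = b"KSI=3;RAND||AUTN=constructed-sample"
    kias_int, kias_enc = derive_kias(k, rand2)            # home network side
    ias = mme_build_ias(kias_int, kias_enc, rand2, data)
    genuine = ue_process_ias(k, rand2, ias)
    flipped = dict(ias, enc=bytes([ias["enc"][0] ^ 1]) + ias["enc"][1:])
    tampered = ue_process_ias(k, rand2, flipped)
    replayed = ue_process_ias(k, b"\xc3" * RAND2_LEN, ias)  # UE has since picked a new RAND2
    wrong_int, wrong_enc = derive_kias(bytes(16), rand2)    # sender without the K key
    rogue = ue_process_ias(k, rand2, mme_build_ias(wrong_int, wrong_enc, rand2, data))
    return genuine, tampered, replayed, rogue


if __name__ == "__main__":
    for status, plaintext in demo():
        print(status, plaintext)
```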
  • FIG. 11 illustrates a protocol diagram of an embodiment communications sequence 1100 for authenticating a UE in a wireless network.
  • the communications sequence 1100 begins when the MME 220 communicates an identity request 1110 to the UE 215 .
  • the UE 215 encrypts a first copy of the IMSI using a KIAR ENC to form an encrypted inner portion, and encrypts a second copy of the IMSI and the encrypted inner portion using an HPuK to form an encrypted outer portion.
  • UE specific information may be encrypted along with the IMSI when forming the encrypted inner portion and/or the encrypted outer portion.
  • the UE sends an IAR message 1120 carrying the encrypted outer portion to the MME 220 .
  • the UE 215 sends the IAR message 1120 without having received the identity request 1110 .
  • the IAR message 1120 may include an unencrypted home network ID (HID) of the home network of the UE 215 .
  • Upon receiving the IAR message 1120 , the MME 220 forwards an authentication and data request message 1130 carrying the encrypted outer portion to the HSS 230 .
  • the authentication and data request message 1130 may include other information in addition to the encrypted outer portion, such as MME security capability parameters that identify the NAS security capabilities of the MME 220 , e.g., which NAS ciphering algorithms are supported by the MME 220 .
  • the authentication and data request 1130 may also include a serving network identifier (SID) and network type (NWK Type) of the serving network of the MME 220 .
  • the HSS 230 may decrypt the encrypted outer portion using a HPrK to obtain the second copy of the IMSI and the encrypted inner portion. The HSS 230 may then decrypt the encrypted inner portion using the KIAR ENC to obtain the first copy of the IMSI.
  • the HSS 230 validates the authentication and data request message 1130 by comparing the first copy of IMSI with the second copy of the IMSI. The HSS 230 may also compare the COUNTER with a corresponding COUNTER maintained by the HSS 230 to determine whether the authentication and data request 1130 is fresh (e.g., not stale). If the validation is successful, then the HSS 230 generates authentication vectors based on an EPS-AKA procedure, and sends an authentication and data response message 1135 carrying the EPS authentication vectors and a KIAS ENC to the MME 220 .
  • the MME 220 selects one of the authentication vectors, as well as a non-access stratum (NAS) ciphering algorithm.
  • the MME 220 may also assign a temporary network identifier (e.g., a globally unique temporary identifier (GUTI)) to the UE.
  • the MME 220 may encrypt the temporary network identifier and a key set identifier (KSI) associated with the selected NAS ciphering algorithm using the KIAS ENC to obtain encrypted NAS security data.
  • the encrypted NAS security data may include other information as well, such as the counter and the RAND 2 .
  • the encrypted NAS security data may be included in the IAS message 1150 sent by the MME 220 to the UE 215 .
  • the IAS message 1150 may further include an unencrypted version of the RAND 2 .
  • the UE 215 may authenticate the network by comparing RAND 2 to a local version of RAND 2 stored by the UE 215 and by decrypting the encrypted private information of the Authentication Response using the KIAS ENC key. The UE 215 then sends a security and authentication complete message 1170 to the MME 220 .
  • FIG. 12 illustrates frame formats for an embodiment IAR message 1220 , an embodiment authentication and data request message 1230 , an embodiment authentication and data response message 1235 , and an embodiment IAS message 1250 .
  • the embodiment IAR message 1220 corresponds to the IAR message 1120 sent from the UE 215 to the MME 220 .
  • the embodiment IAR message 1220 includes an encrypted inner portion 1222 , an encrypted outer portion 1224 , and an HID.
  • the encrypted inner portion 1222 is formed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copy of a RAND 1 , a RAND 2 , and a COUNTER using a KIAR ENC .
  • the encrypted outer portion 1224 is generated by encrypting the encrypted inner portion 1222 along with a second copy of the IMSI and a second copy of the RAND 1 using a HPuK. It should be appreciated that additional information may be included in the encrypted inner portion 1222 and/or the encrypted outer portion 1224 .
  • the embodiment authentication and data request message 1230 corresponds to the authentication and data request message 1130 sent from the MME 220 to the HSS 230 . As shown, the embodiment authentication and data request message 1230 includes the embodiment IAR message 1220 and an HID.
  • the embodiment authentication and data response message 1235 corresponds to the authentication and data response message 1135 sent from the HSS 230 to the MME 220 .
  • the authentication and data response message 1235 includes a KIAS ENC , the UE_SEC_CAP, the IMSI, the RAND 2 , and the COUNTER.
  • the embodiment IAS message 1250 corresponds to the IAS message 1150 sent from the MME 220 to the UE 215 .
  • the IAS message 1150 includes an encrypted portion 1252 and the RAND 2 .
  • the encrypted portion 1252 is formed by encrypting a KSI, the AVs, and the COUNTER using the KIAS ENC .
  • FIG. 13 is a flowchart of an embodiment method 1300 for generating an IAR message according to a MASA protocol, as may be performed by a UE.
  • the UE generates a KIAR ENC based on a pre-provisioned key (K key) and a RAND 1 .
  • the UE encrypts UE specific information using the KIAR ENC to form an encrypted inner portion.
  • the UE encrypts at least the encrypted inner portion, a RAND 1 , and an IMSI using an HPuK to form an encrypted outer portion.
  • the UE sends an IAR message carrying the encrypted outer portion and an unencrypted HID to a base station in a serving network.
  • FIG. 14 is a flowchart of an embodiment method 1400 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS.
  • the HSS receives an authentication and data request message from a MME in a serving network.
  • the authentication and data request message carries an encrypted outer portion.
  • the HSS decrypts the encrypted portion using an HPrK to obtain a first MAC signature and UE-specific information.
  • the UE-specific information includes at least an IMSI and a RAND 1 .
  • the HSS obtains a KIAR ENC based on the IMSI and the RAND 1 .
  • the HSS decrypts the encrypted inner portion using the KIAR ENC to obtain UE specific information.
  • the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure.
  • the HSS obtains a KIAS ENC based on the IMSI and a RAND 2 .
  • steps 1430 and 1460 are performed in parallel such that the IMSI, RAND 1 , and RAND 2 are sent from the HSS to the authentication server in the same request message, and the KIAR ENC and KIAS ENC are returned from the authentication server to the HSS in the same response message.
  • the HSS sends an authentication and data response message to the MME.
  • the authentication and data response message includes the KIAS INT , the KIAS ENC , the AVs, and UE_info.
  • FIG. 15 is a flowchart of an embodiment method 1500 for processing an authentication and data response message and generating an IAS message according to a MASA protocol, as may be performed by an MME.
  • the MME receives an authentication and data response message from an HSS that includes a KIAS ENC , AVs, and user specific information.
  • the user specific information may include a UE security capabilities parameter, an IMSI, a RAND 2 , and/or a COUNTER.
  • the MME encrypts at least the user specific information and the AVs using the KIAS ENC to obtain an encrypted portion. It should be appreciated that the encrypted portion may include other information, such as a KSI.
  • the MME sends an IAS message to a UE that includes at least the encrypted portion.
  • FIG. 16 is a flowchart of an embodiment method 1600 for processing an IAS message according to a MASA protocol, as may be performed by a UE.
  • the UE receives an IAS message from a base station in a serving network.
  • the IAS message includes at least an encrypted portion, a RAND 2 , and a first MAC signature.
  • the UE computes a KIAS INT and a KIAS ENC based on a K-key of the UE and the RAND 2 .
  • steps 1620 and 1310 may be performed in parallel (e.g., by a SIM card in the UE) prior to sending an initial IAR message.
  • the UE decrypts the encrypted portion using the KIAS ENC .
  • the UE sends a security and authentication complete message to the MME confirming that the network has been authenticated.
  • the UE uses a serving network public key (SPuK) to encrypt a portion of an IAR message.
  • FIG. 17 illustrates a protocol diagram of an embodiment communications sequence 1700 for authenticating a UE in a wireless network. As shown, the communications sequence 1700 begins when the MME 220 communicates an identity request 1710 to the UE 215 . Next, the UE 215 encrypts a first copy of an IMSI using a KIAR ENC to form an encrypted inner portion, and encrypts a second copy of the IMSI and the encrypted inner portion using a SPuK to form an encrypted outer portion.
  • UE specific information may be encrypted along with the IMSI when forming the encrypted inner portion and/or the encrypted outer portion.
  • the UE sends an IAR message 1720 carrying the encrypted outer portion to the MME 220 .
  • the UE 215 sends the IAR message 1720 without having received the identity request 1710 .
  • the IAR message 1720 may include an unencrypted home network ID (SID).
  • Upon receiving the IAR message 1720 , the MME 220 determines a serving network private key (SPrK) based on the unencrypted SID, and decrypts the encrypted outer portion of the IAR message using the SPrK. The MME 220 then forwards an authentication and data request message 1730 carrying the encrypted inner portion, the second copy of the IMSI, and a RAND 1 to the HSS 230 .
  • the authentication and data request message 1730 may include other information in addition to the encrypted outer portion, such as MME security capability parameters, the SID, and a NWK Type.
  • the HSS 230 may obtain the KIAR ENC based on the second copy of the IMSI and the RAND 1 , and decrypt the encrypted inner portion using the KIAR ENC to obtain the first copy of the IMSI. The HSS 230 may then compare the first copy of the IMSI (carried in the encrypted inner portion of the authentication and data request message 1730 ) with the second copy of the IMSI (carried in an unencrypted outer portion of the authentication and data request message 1730 ) to verify the integrity of the authentication information request message 1730 . The HSS 230 may also take other steps to validate the authentication and data request message 1730 .
  • the HSS 230 may compare the COUNTER in the encrypted inner portion with a corresponding COUNTER maintained by the HSS 230 to determine whether the authentication and data request 1730 is fresh (e.g., not stale). If the validation is successful, then the HSS 230 may obtain a KIAS ENC based on the IMSI and a random number (e.g., RAND 1 , RAND 2 , etc.), generate authentication vectors based on an EPS-AKA procedure, and send an authentication and data response message 1735 carrying the EPS authentication vectors and the KIAS ENC to the MME 220 .
  • the MME 220 encrypts UE specific information using the KIAS ENC to obtain an encrypted portion, which is sent to the UE 215 via an IAS message 1750 .
  • the encrypted portion of the IAS message 1750 may include other information in addition to the UE specific information, such as a temporary network identifier and a KSI associated with a NAS ciphering algorithm.
  • the IAS message 1750 may further include an unencrypted version of the RAND 2 .
  • the UE 215 may decrypt the encrypted portion of the IAS message 1750 using a KIAS ENC , and send a security and authentication complete message 1770 to the MME 220 .
  • FIG. 18 illustrates frame formats for an embodiment IAR message 1820 , an embodiment authentication and data request message 1830 , an embodiment authentication and data response message 1835 , and an embodiment IAS message 1850 .
  • the embodiment IAR message 1820 corresponds to the IAR message 1780 sent from the UE 215 to the MME 220 .
  • the embodiment IAR message 1820 includes an encrypted inner portion 1822 , an encrypted outer portion 1824 , and an SID.
  • the encrypted inner portion 1822 is formed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copy of a RAND 1 , a first copy of a RAND 2 , and a first copy of a COUNTER using a KIAR ENC .
  • the encrypted outer portion 1824 is generated by encrypting the encrypted inner portion 1822 along with a second copy of the IMSI, a second copy of the RAND 1 , a second copy of the RAND 2 , and a second copy of the COUNTER using a SPuK. It should be appreciated that additional information may be included in the encrypted inner portion 1822 and/or the encrypted outer portion 1824 . In one embodiment, a MAC signature generated by computing a hash of the encrypted outer portion 1824 using a KIAR INT is also included in the IAR message 1820 .
  • the embodiment authentication and data request message 1830 corresponds to the authentication and data request message 1730 sent from the MME 220 to the HSS 230 .
  • the embodiment authentication and data request message 1830 includes the encrypted inner portion 1822 from the IAR message 1820 , as well as unencrypted information 1834 .
  • the unencrypted information 1834 includes the second copy of the IMSI, the second copy of the RAND 1 , the second copy of the RAND 2 , and the second copy of the COUNTER, which were obtained from decrypting the encrypted outer portion 1824 of the IAR message 1820 using the SPrK.
  • the embodiment authentication and data response message 1835 corresponds to the authentication and data response message 1735 sent from the HSS 230 to the MME 220 .
  • the authentication and data response message 1835 includes a KIAS ENC , a KIAS INT , the first copy of the COUNTER, the first copy of the RAND 2 , the first copy of the IMSI, and AV(s).
  • the first copy of the RAND 2 and/or the COUNTER in the authentication and data response message 1835 may provide replay protection.
  • the authentication and data response message 1835 includes both the RAND 2 and the COUNTER.
  • the authentication and data response message 1835 includes the RAND 2 but excludes the COUNTER.
  • the embodiment IAS message 1850 corresponds to the IAS message 1750 sent from the MME 220 to the UE 215 .
  • the IAS message 1850 includes an encrypted portion 1852 and the RAND 2 .
  • the encrypted portion 1852 is formed by encrypting a KSI, the AVs, and the COUNTER using the KIAS ENC .
  • the embodiment IAS message 1850 includes a MAC signature that is generated by computing a hash of the encrypted portion 1852 using the KIAS INT .
  • FIG. 19 is a flowchart of an embodiment method 1900 for generating an IAR message according to a MASA protocol, as may be performed by a UE.
  • the UE generates a KIAR ENC based on a pre-provisioned key (K key) and a RAND 1 .
  • the UE encrypts UE specific information using the KIAR ENC to form an encrypted inner portion.
  • the UE encrypts at least the encrypted inner portion, a RAND 1 , and an IMSI using a SPuK to form an encrypted outer portion.
  • the UE sends an IAR message carrying the encrypted outer portion and an unencrypted SID to a base station in a serving network.
  • FIG. 20 is a flowchart of an embodiment method 2000 for processing an IAR message and generating an authentication and data request message according to a MASA protocol, as may be performed by an MME.
  • the MME receives an IAR message carrying an encrypted outer portion and an SID.
  • the MME decrypts the encrypted outer portion using a SPrK associated with the SID to obtain at least an encrypted inner portion, a RAND 1 , and an IMSI.
  • the MME sends an authentication and data request message carrying the encrypted inner portion, the RAND 1 , and the IMSI to an HSS.
  • FIG. 21 is a flowchart of an embodiment method 2100 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS.
  • the HSS receives an authentication and data request message from a MME in a serving network.
  • the authentication and data request message carries an encrypted inner portion, a second copy of a RAND 1 , and a second copy of an IMSI.
  • the authentication and data request message includes a second copy of a RAND 2 and/or a second copy of COUNTER.
  • the HSS obtains a KIAR ENC based on the second copy of the IMSI and the second copy of the RAND 1 .
  • the HSS decrypts the encrypted inner portion using the KIAR ENC to obtain at least a first copy of the IMSI, a first copy of the RAND 1 , and a RAND 2 .
  • the HSS compares the first copy of the IMSI, RAND 1 , RAND 2 , and/or COUNTER with the second copy of the IMSI, RAND 1 , RAND 2 , and/or COUNTER (respectively) to verify the integrity of the authentication and data request message.
  • the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure.
  • the HSS obtains a KIAS ENC based on the IMSI and a RAND 2 .
  • steps 2120 and 2150 are performed in parallel such that the second copy of the IMSI, the second copy of the RAND 1 , and the second copy of the RAND 2 are sent from the HSS to the authentication server in the same request message, and the KIAR ENC and KIAS ENC are returned from the authentication server to the HSS in the same response message.
  • the HSS sends an authentication and data response message to the MME.
  • the authentication and data response message includes the KIAS ENC and the AVs.
  • the UE 215 generates the RAND 2 , and includes the RAND 2 in the IAR message.
  • the RAND 2 is then used by the HSS 230 to independently generate the KIAS ENC and/or the KIAS INT .
  • the HSS 230 independently generates the RAND 2 , and sends the RAND 2 to the authentication server.
  • the authentication server then generates the KIAS INT and/or the KIAR ENC based on the RAND 2 , the k-key, and (in some cases) a COUNTER, and returns the KIAS INT and/or the KIAS ENC to the HSS 230 .
  • the HSS 230 then forwards the KIAS INT and/or the KIAS ENC to the MME 220 , which may use the KIAS ENC and/or the KIAS INT to generate the IAS message.
  • the RAND 2 and the COUNTER may be sent to the UE 214 via the IAS message, and the UE may use RAND 2 , the k-key, and the COUNTER to independently compute the KIAS ENC and/or the KIAS INT .
  • a COUNTER is required to be included in an IAS message for purposes of replay protection when the RAND 2 is independently generated by the HSS 230 .
  • the HSS may compare the COUNTER with an independent COUNTER maintained by the HSS to ensure that the COUNTER in the authentication and data request message exceeds the independent COUNTER maintained by the HSS. This may confirm that information in the authentication and data request message is fresh, as well as provide replay protection.
  • the UE may compare the COUNTER with an independent COUNTER maintained by the UE to ensure that the COUNTER in the IAS message exceeds the independent COUNTER maintained by the HSS. This may confirm that information within the IAS message is fresh, as well as provide replay protection.
  • encrypting an IMSI in an IAR message (as well as other messages) using, for example, a KIAR ENC , a SNPuK, and/or a HNPuK serves to at least partially conceal the IMSI from malicious third parties.
  • MAC signature may be used to provide integrity protection for the contents of any message described herein.
  • FIG. 22 illustrates a frame format for an embodiment IAR message 2220 .
  • the embodiment IAR message 2220 includes an encrypted inner portion 2222 , an outer portion 2224 , and a MAC signature 2226 .
  • the encrypted inner portion 2222 is formed by encrypting an IMSI and a COUNTER using an HPuK.
  • the outer portion 2224 includes the encrypted inner portion 2222 , a UE_SEC_CAP, a RAND 1 , and an HID.
  • the MAC 2226 is generated by computing a hash of the outer portion 2224 using a KIAR INT .
  • FIG. 23 illustrates a block diagram of an embodiment processing system 2300 for performing methods described herein, which may be installed in a host device.
  • the processing system 2300 includes a processor 2304 , a memory 2306 , and interfaces 2310 - 2314 , which may (or may not) be arranged as shown in FIG. 23 .
  • the processor 2304 may be any component or collection of components adapted to perform computations and/or other processing related tasks.
  • the memory 2306 may be any component or collection of components adapted to store programming and/or instructions for execution by the processor 2304 .
  • the memory 2306 includes a non-transitory computer readable medium.
  • the interfaces 2310 , 2312 , 2314 may be any component or collection of components that allow the processing system 2300 to communicate with other devices/components and/or a user.
  • one or more of the interfaces 2310 , 2312 , 2314 may be adapted to communicate data, control, or management messages from the processor 2304 to applications installed on the host device and/or a remote device.
  • one or more of the interfaces 2310 , 2312 , 2314 may be adapted to allow a user or user device (e.g., personal computer (PC), etc.) to interact/communicate with the processing system 2300 .
  • the processing system 2300 may include additional components not depicted in FIG. 23 , such as long term storage (e.g., non-volatile memory, etc.).
  • the processing system 2300 is included in a network device that is accessing, or is otherwise part of, a telecommunications network.
  • the processing system 2300 is in a network-side device in a wireless or wireline telecommunications network, such as a base station, a relay station, a scheduler, a controller, a gateway, a router, an applications server, or any other device in the telecommunications network.
  • the processing system 2300 is in a user-side device accessing a wireless or wireline telecommunications network, such as a mobile station, a user equipment (UE), a personal computer (PC), a tablet, a wearable communications device (e.g., a smartwatch, etc.), or any other device adapted to access a telecommunications network.
  • one or more of the interfaces 2310 , 2312 , 2314 connects the processing system 2300 to a transceiver adapted to transmit and receive signaling over the telecommunications network.
  • FIG. 24 illustrates a block diagram of a transceiver 2400 adapted to transmit and receive signaling over a telecommunications network.
  • the transceiver 2400 may be installed in a host device. As shown, the transceiver 2400 comprises a network-side interface 2402 , a coupler 2404 , a transmitter 2406 , a receiver 2408 , a signal processor 2410 , and a device-side interface 2412 .
  • the network-side interface 2402 may include any component or collection of components adapted to transmit or receive signaling over a wireless or wireline telecommunications network.
  • the coupler 2404 may include any component or collection of components adapted to facilitate bi-directional communication over the network-side interface 2402 .
  • the transmitter 2406 may include any component or collection of components (e.g., up-converter, power amplifier, etc.) adapted to convert a baseband signal into a modulated carrier signal suitable for transmission over the network-side interface 2402 .
  • the receiver 2408 may include any component or collection of components (e.g., down-converter, low noise amplifier, etc.) adapted to convert a carrier signal received over the network-side interface 2402 into a baseband signal.
  • the signal processor 2410 may include any component or collection of components adapted to convert a baseband signal into a data signal suitable for communication over the device-side interface(s) 2412 , or vice-versa.
  • the device-side interface(s) 2412 may include any component or collection of components adapted to communicate data-signals between the signal processor 2410 and components within the host device (e.g., the processing system 2300 , local area network (LAN) ports, etc.).
  • the transceiver 2400 may transmit and receive signaling over any type of communications medium.
  • the transceiver 2400 transmits and receives signaling over a wireless medium.
  • the transceiver 2400 may be a wireless transceiver adapted to communicate in accordance with a wireless telecommunications protocol, such as a cellular protocol (e.g., long-term evolution (LTE), etc.), a wireless local area network (WLAN) protocol (e.g., Wi-Fi, etc.), or any other type of wireless protocol (e.g., Bluetooth, near field communication (NFC), etc.).
  • the network-side interface 2402 comprises one or more antenna/radiating elements.
  • the network-side interface 2402 may include a single antenna, multiple separate antennas, or a multi-antenna array configured for multi-layer communication, e.g., single input multiple output (SIMO), multiple input single output (MISO), multiple input multiple output (MIMO), etc.
  • the transceiver 2400 transmits and receives signaling over a wireline medium, e.g., twisted-pair cable, coaxial cable, optical fiber, etc.
  • Specific processing systems and/or transceivers may utilize all of the components shown, or only a subset of the components, and levels of integration may vary from device to device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiment mutual authentication and security agreement (MASA) protocols may use independently generated integrity and/or encryption keys to securely communicate private information exchanged between UEs and various network-side devices (e.g., base stations, MMEs, HSSs, etc.). In particular, embodiment MASA protocols may use an initial authentication request (IAR) encryption key (KIARENC) to encrypt UE specific information (e.g., an IMSI, etc.) in an IAR message and/or an initial authentication response (IAS) encryption key (KIASENC) to encrypt private information in an IAS message. Additionally, embodiment MASA protocols may use an IAR integrity protection key (KIARINT) to verify the integrity of information in an IAR message and/or an IAS integrity protection key (KIASINT) to verify the integrity of information in an IAS message. The KIARENC, KIARINT, KIASENC, and/or KIASINT may be independently computed by the UE and a home subscriber server (HSS).

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 16/433,706, filed on Jun. 6, 2019, and entitled “Authentication Mechanism for 5G Technologies,” which is a continuation of Ser. No. 15/453,776 (now U.S. Pat. No. 10,382,206), filed on Mar. 8, 2017 and entitled “Authentication Mechanism for 5G Technologies,” which claims priority to each of U.S. Provisional Application 62/306,550 entitled “Authentication Mechanism for 5G Technologies” and filed on Mar. 10, 2016, U.S. Provisional Application 62/317,295 entitled “Authentication Mechanism for 5G Technologies” filed on Apr. 1, 2016, U.S. Provisional Application 62/383,223 entitled “Systems and Methods for Integrity Protecting Serving Network Messages” and filed on Sep. 2, 2016, U.S. Provisional Application 62/399,069 entitled “System and Method for 5G MASA using 4G USIM” and filed on Sep. 23, 2016, and U.S. Provisional Application 62/399,055 entitled “System and Method for Negotiating UE Security Capabilities with 3GPP Next Generation Network” filed on Sep. 23, 2016, all of which are incorporated by reference herein as if reproduced in their entireties.
  • TECHNICAL FIELD
  • The present invention relates generally to wireless telecommunications, and, in particular embodiments, to a system and method for authentication mechanisms for 5G technologies while providing privacy to subscriber and UE permanent identifiers.
  • BACKGROUND
  • Modern wireless networks typically include various security features to prevent unauthorized third parties from accessing and/or manipulating data. In particular, long term evolution (LTE) networks provide three basic security features, namely: LTE authentication, non-access stratum (NAS) security, and access stratum (AS) security. The LTE authentication feature ensures that a user is an authorized subscriber to the network (or network service) that the user is attempting to access, while the NAS security and AS security features ensure that control and user data communicated over a radio access network (RAN) is secure at the NAS and AS levels, respectively.
  • SUMMARY
  • Technical advantages are generally achieved by embodiments of this disclosure, which describe authentication mechanisms for 5G technologies.
  • In accordance with an embodiment, a method for secure authentication is provided. In this example, the method includes generating a first integrity key based at least on a pre-provisioned key (K key) of the UE and a first random number (RAND1), and generating a message authentication code (MAC) signature by computing a hash function of UE specific information using the first integrity key. The UE specific information includes at least an International Mobile Subscriber Identity (IMSI) of the UE and the RAND1. The method further includes encrypting the UE specific information and the MAC signature using a public key to form an encrypted portion, and sending an initial authentication request message to a base station in a serving network. The initial authentication request message carries the encrypted portion and an unencrypted network identifier. An apparatus for performing this method is also provided.
  • In accordance with another embodiment, another method for secure authentication is provided. In this example, the method includes receiving a user authentication information request message from a mobility management entity (MME) in a serving network that includes a home network identifier (HID) and an encrypted portion, and decrypting the encrypted portion using a home network private key associated with the HID to obtain user equipment (UE) specific information and a first message authentication code (MAC) signature. The UE specific information includes at least an International Mobile Subscriber Identity (IMSI) of the UE and a first random number (RAND1). The method further includes obtaining a first integrity key based on the IMSI of the UE and the RAND1, and verifying the integrity of the user authentication information request message. Verifying the integrity of the user authentication information request message comprises generating a second MAC signature by computing a hash function of UE specific information using the first integrity key, and comparing the second MAC signature with the first MAC signature to determine whether the UE specific information originated from the UE. An apparatus for performing this method is also provided.
  • In accordance with yet another embodiment, yet another method for secure authentication is provided. In this example, the method includes generating a first encryption key based on a pre-provisioned key of the UE and a first random number (RAND1), encrypting at least an International Mobile Subscriber Identity (IMSI) of the UE and the RAND1 using the first encryption key to form an encrypted inner portion, encrypting at least the inner portion, the RAND1, and the IMSI using a public key to form an encrypted outer portion, and sending an initial authentication request message to a base station in a serving network. The initial authentication request message carries the encrypted outer portion and an unencrypted network identifier. An apparatus for performing this method is also provided.
  • In accordance with yet another embodiment, yet another method for secure authentication is provided. In this example, the method includes receiving an initial authentication request message from a user equipment (UE) that includes an encrypted outer portion and an unencrypted network identifier, decrypting the encrypted outer portion using a private key associated with the serving network to obtain an International Mobile Subscriber Identity (IMSI) of the UE, a first random number (RAND1), and an encrypted inner-portion, and sending an authentication and data request message to a home subscriber server (HSS) in a home network of the UE. The authentication and data request message includes at least the IMSI, RAND1, and the encrypted inner portion. An apparatus for performing this method is also provided.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a more complete understanding of the present disclosure, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
  • FIG. 1 is a diagram of an embodiment wireless communications network;
  • FIG. 2 is a diagram of a 5G network architecture;
  • FIG. 3 is a protocol diagram of a conventional communications sequence for authenticating a UE in a wireless network;
  • FIG. 4 is a protocol diagram of an embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 5 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 4;
  • FIG. 6 is a diagram of additional embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 4;
  • FIG. 7 is a flow chart of an embodiment method for generating an initial authentication request (IAR) message according to a MASA protocol;
  • FIG. 8 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 9 is a flowchart of an embodiment method for processing an authentication and data response message and generating an initial authentication response (IAS) message according to a MASA protocol;
  • FIG. 10 is a flowchart of an embodiment method for processing an IAS message according to a MASA protocol;
  • FIG. 11 is a protocol diagram of another embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 12 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 11;
  • FIG. 13 is a flow chart of an embodiment method for generating an IAR message according to a MASA protocol;
  • FIG. 14 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 15 is a flowchart of an embodiment method for processing an authentication and data response message and generating an IAS message according to a MASA protocol;
  • FIG. 16 is a flowchart of an embodiment method for processing an IAS message according to a MASA protocol;
  • FIG. 17 is a protocol diagram of yet another embodiment communications sequence for authenticating a UE in a wireless network;
  • FIG. 18 is a diagram of embodiment frame formats for messages exchanged during the embodiment communications sequence depicted by FIG. 17;
  • FIG. 19 is a flow chart of an embodiment method for generating an IAR message according to a MASA protocol;
  • FIG. 20 is a flowchart of an embodiment method for processing an IAR message and generating an authentication and data request message according to a MASA protocol;
  • FIG. 21 is a flow chart of an embodiment method for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol;
  • FIG. 22 is a diagram of an embodiment frame format for an IAR message;
  • FIG. 23 is a diagram of an embodiment processing system; and
  • FIG. 24 is a diagram of an embodiment transceiver.
  • DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
  • The making and using of embodiments of this disclosure are discussed in detail below. It should be appreciated, however, that the concepts disclosed herein can be embodied in a wide variety of specific contexts, and that the specific embodiments discussed herein are merely illustrative and do not serve to limit the scope of the claims. Further, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of this disclosure as defined by the appended claims. While the inventive aspects are described primarily in the context of 5G wireless networks, it should also be appreciated that those inventive aspects may also be applicable to 4G and 3G wireless networks.
  • The LTE authentication and NAS security protocols are usually performed sequentially, during which time mutual authentication is established between the UE and the serving network and NAS layer encryption keys are generated. In particular, a UE sends an International Mobile Subscriber Identity (IMSI) to a mobility management entity (MME) in a serving network. The MME then sends the IMSI to a home subscriber server (HSS) in a home network of the UE, which generates Evolved Packet System (EPS) authentication vectors. The EPS authentication vectors are then communicated to the MME, where they are used to authenticate the UE and generate NAS layer encryption keys in accordance with an authentication and key agreement (AKA) procedure. Thereafter, the NAS layer encryption keys are used to encrypt signaling exchanged between the UE and the MME.
  • When using conventional LTE authentication protocols, an unencrypted IMSI is communicated from the UE to the access point. This creates a potential security vulnerability because the IMSI is private information that can be exploited by malicious third parties to engage in unauthorized activities, such as tracking the UE and/or engaging in denial of service attacks. Accordingly, techniques for securely communicating the IMSI during LTE authentication are desired.
  • Aspects of this disclosure provide embodiment mutual authentication and security agreement (MASA) protocols that use independently generated integrity and/or encryption keys to securely communicate private information exchanged between UEs and various network-side devices (e.g., base stations, MMEs, HSSs, etc.). In particular, embodiment MASA protocols may use an initial authentication request (IAR) encryption key (KIARENC) to encrypt UE specific information (e.g., an IMSI, etc.) in an IAR message and/or an initial authentication response (IAS) encryption key (KIASENC) to encrypt private information in an IAS message. Additionally, embodiment MASA protocols may use an IAR integrity protection key (KIARINT) to verify the integrity of information in an IAR message and/or an IAS integrity protection key (KIASINT) to verify the integrity of information in an IAS message. The KIARENC, KIARINT, KIASENC, and/or KIASINT may be independently computed by the UE and a home subscriber server (HSS) based on, for example, a pre-provisioned key (K-key) of the UE and one or more random numbers (e.g., RAND1, RAND2, UE random number (RANDUE), home network random number (RANDHN)), and/or a COUNTER. Using a COUNTER to compute an instance of a given key may be useful in ensuring that each generated instance of the key differs from previous generated instances of the key, as it is possible that the same random number could be selected to generate different instances of a key, which could constitute a security vulnerability.
  • Different levels of encryption and/or integrity protection can be achieved depending on the complexity of the embodiment MASA protocol. In one embodiment, a low complexity MASA protocol uses integrity keys (e.g., a KIARINT and/or a KIASINT) to provide integrity protection when communicating IAR and/or IAS messages having a single layer of encryption protection. In particular, a UE may encrypt UE specific information (e.g., an IMSI, random numbers, etc.) using a home network public key (HPuK) to form an encrypted portion, and then generate a media access control (MAC) signature by computing a hash function of the encrypted portion, and potentially additional information (e.g., a random number) in an outer portion of the IAR message, using a KIARINT. The UE may then send an IAR message carrying the encrypted portion and the MAC signature to a base station in a serving network, which may relay the IAR message to an MME. The MME may encapsulate the IAR message into a user authentication data request message, which may then be sent to a home subscriber server (HSS) in the UE's home network. The HSS may independently compute a MAC signature of the contents of the IAR message based on an independently generated integrity key (e.g., the KIARINT), and then compare the independently generated MAC signature with the MAC signature included in the IAR message to verify the integrity of the encrypted portion of the IAR message. A similar procedure can be used to provide integrity protection for the IAS message.
  • In another embodiment, a higher complexity MASA protocol uses encryption keys (e.g., KIARENC and/or KIASENC) in conjunction with the home network public-private key pair to provide two layers of encryption for the contents of IAR and/or IAS messages. In particular, a UE may use a pre-provisioned key and a first random number (RAND1) to generate an initial authentication request encryption key (KIARENC). The KIARENC is then used to encrypt private information to form an encrypted inner portion of an authentication request message. The private information may include the IMSI of the UE, the RAND1, a second random number (RAND2), UE-Security-Capabilities, and/or a counter. Next, the UE may encrypt the RAND1, the IMSI, and the encrypted inner portion to obtain an encrypted outer portion of the authentication request message. Other information may also be encrypted when generating the encrypted outer portion. The public key used to generate the encrypted outer portion may belong to a private-public-key-pair. In one embodiment, the public key is a home network public key (HPuK). In another embodiment, the public key is a serving network public key (SPuK). Thereafter, the UE may send the authentication request message carrying the encrypted outer portion and an unencrypted network identifier to an MME in the serving network. If the public key used to generate the encrypted outer portion was a SPuK, then the unencrypted network identifier in the authentication request message may be a serving network identifier (SID). In that case, the MME may use a serving network private key to decrypt the encrypted outer portion and obtain the RAND1, the IMSI, and the encrypted inner portion, which may then be forwarded to a home subscriber server (HSS) in a home network of the UE. Alternatively, if the public key used to generate the encrypted outer portion was a HPuK, then the unencrypted network identifier in the authentication request message may be a home network identifier (HID). In that case, the MME would send an authentication and data request carrying the encrypted outer portion, along with the HID, MME security capability identifiers, to the HSS in the home network. The HSS would then decrypt the encrypted outer portion using a home network private key and obtain the RAND1, the IMSI, and the encrypted inner portion.
  • In both cases, the HSS would then use the RAND1 and a K key associated with the UE to independently generate the KIARENC, which the HSS would subsequently use to decrypt the encrypted inner portion. The HSS would then verify that the IMSI in the decrypted inner portion matched the IMSI in the decrypted outer portion to verify that the encrypted outer portion had not been tampered with by an unauthorized third party. Thereafter, the HSS may verify that the counter in the decrypted inner portion matched a counter maintained by the HSS to confirm that the initial authentication request (IAR) was fresh (i.e., not stale). If the validations were successful, then the HSS may generate an initial authentication response encryption key (KIASENC) based on the RAND2 and the K key associated with the IMSI. The HSS may also generate one or more authentication vectors. The HSS may then send an initial authorization and data response to the MME that includes the KIASENC and the authentication vectors. In some embodiments, the initial authorization and data response includes a UE security capability parameter. The MME may then select one of the authentication vectors, as well as a non-access stratum (NAS) ciphering algorithm. The MME may also assign a temporary network identifier (e.g., a globally unique temporary identifier (GUTI)) to the UE. Thereafter, the MME may encrypt the KIASENC, the temporary network identifier, and a key set identifier (KSI) associated with the selected NAS ciphering algorithm using the KIASENC to obtain encrypted NAS security data. The encrypted NAS security data may include other information as well, such as the counter and the RAND2. The MME may then send an initial authentication and data response to the UE carrying the encrypted NAS security data as well as an unencrypted RAND2. The UE may then independently generate the KIASENC based on the RAND2 and the K key. The UE may then generate a ciphering key using the NAS ciphering algorithm associated with the KSI in the decrypted NAS security data. The UE may then return a security authentication complete message to the MME, confirming that the serving network has been authenticated. Encrypting the IMSI, as well as the temporary network ID, in the manner described herein allows that information to be securely exchanged during LTE authentication and NAS security protocols. Additionally, the embodiment procedures described herein reduce the number of messages exchanged between the UE and the base station during LTE authentication and NAS security protocols. These and other details are discussed in greater detail below.
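The HSS-side checks in the two-layer variant above (re-derive the KIARENC, decrypt the inner portion, compare inner and outer copies, test freshness, derive the KIASENC) can be sketched in Python as an added example that is not code from the patent. The HMAC-SHA256 key derivation, the HMAC counter-mode stand-in cipher, the fixed field layout, the "COUNTER must exceed the stored value" rule and every key, IMSI and random value are assumptions constructed for illustration, and the outer public-key layer is taken as already removed.

```python
import hashlib
import hmac
import struct

IMSI_LEN, RAND_LEN = 15, 16
INNER_LEN = IMSI_LEN + 2 * RAND_LEN + 8  # IMSI | RAND1 | RAND2 | COUNTER (assumed layout)

# Constructed sample values, not taken from the page.
K_UE = bytes(range(16))
IMSI_UE = b"001010123456789"
RAND1 = hashlib.sha256(b"constructed RAND1").digest()[:RAND_LEN]
RAND2 = hashlib.sha256(b"constructed RAND2").digest()[:RAND_LEN]


def derive_key(k_key, label, rand):
    """Assumed KDF: HMAC-SHA256(K, label || RAND); the page names only the inputs."""
    return hmac.new(k_key, label + rand, hashlib.sha256).digest()


def xor_keystream(key, data):
    """Stand-in cipher (HMAC-SHA256 in counter mode); one call encrypts or decrypts."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        pad = hmac.new(key, struct.pack(">I", block), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def ue_build_inner(k_key, imsi, rand1, rand2, counter):
    """UE side: encrypt IMSI, RAND1, RAND2 and COUNTER under KIAR_ENC."""
    plain = imsi + rand1 + rand2 + struct.pack(">Q", counter)
    return xor_keystream(derive_key(k_key, b"KIAR_ENC", rand1), plain)


class Hss:
    """Holds each subscriber's K key and the last COUNTER it accepted."""

    def __init__(self, subscribers):
        self.subscribers = subscribers  # imsi -> {"k": bytes, "counter": int}

    def process_request(self, imsi2, rand1_2, inner):
        """imsi2 and rand1_2 are the copies recovered from the outer portion.

        Returns (True, KIAS_ENC) on success, else (False, reason).
        """
        sub = self.subscribers.get(imsi2)
        if sub is None or len(rand1_2) != RAND_LEN or len(inner) != INNER_LEN:
            return False, "malformed request or unknown subscriber"
        # The key comes from the outer copies, so altering either breaks decryption.
        plain = xor_keystream(derive_key(sub["k"], b"KIAR_ENC", rand1_2), inner)
        imsi1 = plain[:IMSI_LEN]
        rand1_1 = plain[IMSI_LEN:IMSI_LEN + RAND_LEN]
        rand2 = plain[IMSI_LEN + RAND_LEN:IMSI_LEN + 2 * RAND_LEN]
        (counter,) = struct.unpack(">Q", plain[-8:])
        # Compare the inner (first) copies with the outer (second) copies.
        same = hmac.compare_digest(imsi1, imsi2) & hmac.compare_digest(rand1_1, rand1_2)
        if not same:
            return False, "inner/outer mismatch"
        # Freshness: accept only a COUNTER above the stored one (assumed rule).
        if counter <= sub["counter"]:
            return False, "stale counter"
        sub["counter"] = counter
        return True, derive_key(sub["k"], b"KIAS_ENC", rand2)


def demo():
    other = b"001010999999999"  # second constructed subscriber with a different K
    hss = Hss({IMSI_UE: {"k": K_UE, "counter": 4},
               other: {"k": bytes(16), "counter": 0}})
    inner = ue_build_inner(K_UE, IMSI_UE, RAND1, RAND2, 5)
    flipped = bytes([RAND1[0] ^ 1]) + RAND1[1:]
    return {
        "fresh": hss.process_request(IMSI_UE, RAND1, inner),
        "replayed": hss.process_request(IMSI_UE, RAND1, inner),
        "outer RAND1 altered": hss.process_request(
            IMSI_UE, flipped, ue_build_inner(K_UE, IMSI_UE, RAND1, RAND2, 6)),
        "outer IMSI swapped": hss.process_request(
            other, RAND1, ue_build_inner(K_UE, IMSI_UE, RAND1, RAND2, 7)),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(case, ok, detail.hex() if ok else detail)
```

A rejected request leaves the stored COUNTER untouched, so a tampered message cannot be used to advance the subscriber's counter and lock out the genuine UE.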
  • FIG. 1 illustrates a network 100 for communicating data. The network 100 comprises a base station 110 having a coverage area 101, a plurality of mobile devices 115, and a backhaul network 130. As shown, the base station 110 establishes uplink (dashed line) and/or downlink (dotted line) connections with the mobile devices 115, which serve to carry data from the mobile devices 115 to the base station 110 and vice-versa. Data carried over the uplink/downlink connections may include data communicated between the mobile devices 115, as well as data communicated to/from a remote-end (not shown) by way of the backhaul network 130. As used herein, the term “base station” refers to any component (or collection of components) configured to provide wireless access to a network, such as an enhanced base station (eNB), a macro-cell, a femtocell, a Wi-Fi access point (AP), or other wirelessly enabled devices. Base stations may provide wireless access in accordance with one or more wireless communication protocols, e.g., long term evolution (LTE), LTE advanced (LTE-A), High Speed Packet Access (HSPA), Wi-Fi 802.11a/b/g/n/ac, etc. As used herein, the term “mobile device” refers to any component (or collection of components) capable of establishing a wireless connection with a base station, such as a user equipment (UE), a mobile station (STA), and other wirelessly enabled devices. In some embodiments, the network 100 may comprise various other wireless devices, such as relays, low power nodes, etc.
  • FIG. 2 illustrates a network architecture 200 for a 5G LTE wireless network. As shown, the network architecture 200 includes a radio access network (RAN) 201, an evolved packet core (EPC) 202, and a home network 203 of a UE 215 attempting to access the RAN 201. The RAN 201 and the EPC 202 form a serving wireless network. The RAN 201 includes a base station 210, and the EPC 202 includes a mobility management entity (MME) 220, a serving gateway (SGW) 222, and a packet data network (PDN) gateway (PGW) 224. The MME 220 is the termination point in the network for ciphering/integrity protection for NAS signaling and handles the security key management. It should be appreciated that the term “MME” is used in 4G LTE networks, and that 5G LTE networks may include a Security Anchor Node (SEAN) or a Security Access Function (SEAF) that performs similar functions. The terms “MME,” “SEAN,” and “SEAF” are used interchangeably throughout this document. The MME 220 also provides the control plane function for mobility between LTE and 2G/3G access networks, as well as an interface to home networks of roaming UEs. The SGW 222 routes and forwards user data packets, while also acting as a mobility anchor for the user plane during handovers. The PGW 224 provides connectivity from UEs to external packet data networks by being the point of exit and entry of traffic for the UEs. The HSS 230 is a central database that contains user-related and subscription-related information.
  • Conventional LTE authentication protocols communicate an unencrypted IMSI of the UE over the radio access network, which presents security vulnerability. FIG. 3 illustrates a protocol diagram of a conventional communications sequence 300 for authenticating the UE 215 in a wireless network. As shown, the communications sequence 300 begins when the MME 220 communicates an identity request 310 to the UE 215. Next, the UE 215 communicates an identity response 320 to the MME 220. The identity response 320 includes an unencrypted IMSI of the UE 215. Thereafter, the MME 220 communicates an authorization data request 330 to the HSS 230. The authorization data request 330 may include the IMSI. The HSS 230 then computes EPS authentication vectors, and sends an authorization data response 335 carrying the EPS authentication vectors to the MME 220. Subsequently, the MME 220 communicates a user authentication request 340 to the UE 215. The user authentication request 340 includes a random number (RAND) and an authentication parameter (AUTN). The UE 215 computes an authentication response (RES) based on the RAND, AUTN, and a secret key. The secret key may be a priori information to the UE 215. For example, the secret key (e.g., a subscriber-specific master key (K)) may be stored in a Universal Subscriber Identity Module (USIM) of the UE 215. The UE 215 may then send a user authentication response 350 carrying the authentication response (or RES) to the MME 220.
  • Thereafter, the MME 220 communicates a security mode command message 360 to the UE 215. The security mode command message 360 may indicate an integrity protection algorithm and a ciphering algorithm. The UE 215 may use the integrity protection algorithm to verify the integrity of the security mode command message 360. After verifying the integrity of the security mode command message 360, the UE 215 uses the ciphering algorithm to derive NAS encryption keys. The UE 215 then sends the security mode complete message 370 to the MME 220 to verify that the UE 215 validated the security mode command message 360, and derived the NAS encryption keys.
  • In some instances, a third party may eavesdrop on the communications sequence 300 in an attempt to intercept one or more of the messages 310-370. If the identity response 320 is intercepted, then the third party may use the unencrypted IMSI to perform unauthorized activities, such as to track the UE 215.
  • Aspects of this disclosure prevent, or at least inhibit, unauthorized third parties from obtaining an IMSI of a UE during LTE authentication by encrypting the IMSI using a public key. The public key may be a part of a public-private key pair such that information encrypted with the public key can only be decrypted with the private key. In one example, the public key is a home network public key, and the encrypted IMSI is decrypted by an HSS in the home network of the UE using a home network private key. In such an example, the home network public key may be a priori information of the UE, e.g., the home network public key may be stored in a USIM of the UE. In another example, the public key is a serving network public key (SPuK), and the encrypted IMSI is decrypted by an MME in the serving network using a serving network private key. Other examples are also possible.
  • FIG. 4 illustrates a protocol diagram of an embodiment communications sequence 400 for authenticating a UE 215 in a wireless network. As shown, the communications sequence 400 begins when the MME 220 communicates an identity request 410 to the UE 215. Upon receiving the identity request 410, the UE 215 generates a MAC signature by computing a hash of UE specific information (e.g., an IMSI, a RAND1, etc.) using a KIARINT, and then encrypts the UE specific information along with the MAC signature using a HPuK to obtain an encrypted portion. The UE 215 sends an initial authentication request (IAR) message 420 carrying the encrypted portion to the base station 210, which relays the IAR message 420 to the MME 220. The IAR message 420 may also include an unencrypted home network ID (HID) of the home network of the UE 215.
  • Upon receiving the IAR message 420, the MME 220 may identify the home network of the UE 215 based on the unencrypted HID, and communicate an authentication and data request message 430 to the HSS 230 in the identified home network. Upon receiving the authentication and data request message 430, the HSS 230 may decrypt the encrypted portion using a HPrK, and verify the integrity of the encrypted portion based on the MAC signature. In one example, the HSS 230 independently generates a MAC signature by computing a hash of the information in the authentication and data request message 430 using an independently generated integrity key (e.g., a KIARINT), and then compares the independently generated MAC signature with the MAC signature carried by the encrypted portion in the authentication and data request 430. The HSS 230 may also take further steps to validate the encrypted portion. For example, the HSS 230 may verify that a COUNTER in the encrypted portion of the authentication and data request message 430 (e.g., a counter originally in the IAR message 420) exceeds an independent COUNTER maintained by the HSS 230 in order to confirm that the encrypted portion in the authentication and data request message 430 is fresh (e.g., not stale). If the encrypted portion is stale, then it may have been intercepted by a malicious man-in-the-middle entity.
  • After verifying the integrity of the encrypted portion(s), the HSS 230 may generate authentication vectors based on an EPS-AKA procedure, and send an authentication and data response message 435 carrying the EPS authentication vectors to the MME 220. The authentication and data response message 435 may include other information in addition to the EPS authentication vectors, such as integrity/encryption keys (e.g., a KIASINT, KIASENC, etc.), the IMSI of the UE, a COUNTER, and/or a UE security capabilities. The UE security capabilities may indicate protocol capabilities supported by the UE, such as, for example, NAS ciphering algorithms supported by the UE.
  • The MME 220 may then send an initial authentication response (IAS) message 450 to the UE 215. The IAS message 450 may have various different frame formats, and the contents of the IAS message 450 may vary depending on the frame format being used. In one example, the IAS message 450 includes encrypted NAS security data and a key set identifier (KSI) associated with a NAS ciphering algorithm. The UE 215 may use the NAS ciphering algorithm along with an independently generated encryption key (e.g., a KIASENC) to decrypt the encrypted NAS security data. After decrypting the encrypted NAS security data, the UE 215 may send a security and authentication complete message 470 to the MME 220.
  • As mentioned above, the IAR message 420, the authentication and data request message 430, the user authentication information response message 435, and the IAS message 450 may have various different frame formats. FIG. 5 illustrates frame formats for an embodiment IAR message 520, an embodiment authentication and data request message 530, an embodiment authentication and data response message 535, and an embodiment IAS message 550.
  • The embodiment IAR message 520 corresponds to the IAR message 420 sent from the UE 215 to the MME 220. In this example, the embodiment IAR message 520 includes UE Specific information (UE_info), a MAC signature, and a home network identifier (HID). The UE_info may include various information associated with, or generated by, the UE, including (but not limited to) an IMSI, one or more random numbers (e.g., RAND1, RAND2, etc.), a counter, and/or UE security capability parameters. The MAC signature may be generated by computing a hash function of the UE_info according to an integrity key (e.g., a KIARINT) and/or a random number (e.g., RAND1). The MAC signature and the UE_info are encrypted using a HPuK to form an encrypted portion 522 of the embodiment IAR message 520.
  • The embodiment authentication and data request message 530 corresponds to the authentication and data request message 430 sent from the MME 220 to the HSS 230. As shown, the embodiment authentication and data request message 530 includes the embodiment IAR message 520 and an HID.
  • The embodiment authentication and data response message 535 corresponds to the authentication and data response message 435 sent from the HSS 230 to the MME 220. As shown, the user authentication information response message 535 includes UE_info (e.g., an IMSI, counter, RAND1, RAND2, UE security capabilities, etc.), as well as authentication vectors (AVs), a KIASENC, and a KIASINT.
  • The embodiment IAS message 550 corresponds to the IAS message 450 sent from the MME 220 to the UE 215. As shown, the IAS message 450 includes an encrypted inner portion 552, an outer portion 554, and a MAC 556. The encrypted inner portion 552 is formed by encrypting the AVs using a KIASENC. It should be appreciated that the encrypted inner portion 552 may include other information (e.g., a KSI) in addition to the AVs. The outer portion 554 includes a RAND2 and the encrypted inner portion 552. The MAC signature 556 is generated by computing a hash of the outer portion 554 using the KIASINT.
  • Other frame formats are also possible. FIG. 6 illustrates frame formats for an embodiment IAR message 620, an embodiment authentication and data request message 630, an embodiment authentication and data response message 635, and an embodiment IAS message 650.
  • The embodiment IAR message 620 corresponds to the IAR message 420 sent from the UE 215 to the MME 220. In this example, the embodiment IAR message 620 includes an encrypted portion 622 and a home network identifier (HID). The encrypted portion 622 is generated by using an HPuK to encrypt a UE security capability parameter (UE_SEC_CAP), an IMSI, a RAND1, a RAND2, a COUNTER, and a MAC signature. The MAC signature is generated by using a KIARINT to compute a hash of the UE_SEC_CAP, the IMSI, the RAND1, the RAND2, and the COUNTER.
  • The embodiment authentication and data request message 630 corresponds to the authentication and data request message 430 sent from the MME 220 to the HSS 230. As shown, the embodiment authentication and data request message 630 includes the embodiment IAR message 620 and an HID.
  • The embodiment authentication and data response message 635 corresponds to the authentication and data response message 435 sent from the HSS 230 to the MME 220. As shown, the authentication and data response message 635 includes a KIASENC, a KIASINT, AV(s), a UE_SEC_CAP, an IMSI, a RAND1, a RAND2, and a COUNTER.
  • The embodiment IAS message 650 corresponds to the IAS message 450 sent from the MME 220 to the UE 215. As shown, the IAS message 450 includes an encrypted inner portion 652, an outer portion 654, and a MAC signature 656. The encrypted inner portion 652 is formed by encrypting a KSI, and a RAND∥AUTN using the KIASENC. The RAND∥AUTN may specify two or more parameters included in, or derived by the AVs, and may be used by the UE to authenticate the network and generate a response, e.g., the security and authentication complete message 470, etc. It should be appreciated that the encrypted inner portion 652 may include other UE specific information. The outer portion 654 includes a RAND2 and the encrypted inner portion 652. The MAC signature 656 is generated by computing a hash of the outer portion 654 using the KIASINT.
  • Embodiments of this disclosure provide methods for performing MASA protocols. FIG. 7 is a flowchart of an embodiment method 700 for generating an IAR message according to a MASA protocol, as may be performed by a UE. At step 710, the UE generates a KIARINT based on a pre-provisioned key (K key) and a first random number (RAND1). At step 720, the UE generates a MAC signature by computing a hash function of UE specific information using the KIARINT. The UE specific information includes at least an IMSI of the UE and the RAND1. At step 730, the UE encrypts the UE specific information and the MAC signature using a home network public key (HPuK) to form an encrypted portion. The HPuK belongs to a public-private key pair such that the encrypted portion can only be decrypted using a home network private key (HPrK) belonging to the public-private key pair. At step 740, the UE sends an IAR message carrying the encrypted portion and an unencrypted home network identifier (HID) to a base station in a serving network. The base station relays the IAR message to an MME, which sends an authentication and data request message that includes the encrypted portion of the IAR message to an HSS server in a home network associated with the unencrypted network identifier in the IAR message.
  • FIG. 8 is a flowchart of an embodiment method 800 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS. At step 810, the HSS receives an authentication and data request message from a mobility management entity (MME) in a serving network. The authentication and data request message carries an encrypted portion.
  • At step 820, the HSS decrypts the encrypted portion using a HPrK to obtain a first MAC signature and UE-specific information. The UE-specific information includes at least an IMSI and a RAND1. At step 830, the HSS obtains a KIARINT based on the IMSI and the RAND1. In one example, the HSS obtains the KIARINT by sending the IMSI and the RAND1 to an authentication server, which looks up a pre-provisioned key (K-key) based on the IMSI, generates the KIARINT based on the K-key and the RAND1, and returns the KIARINT to the HSS. At step 840, the HSS verifies the integrity of the encrypted portion based on the KIARINT. In particular, the HSS generates a second MAC signature by computing a hash of UE-specific information in the encrypted portion according to the KIARINT, and then compares the second MAC signature with the first MAC signature. If the MAC signatures match, then the integrity of the encrypted portion is verified.
  • At step 850, the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure. At step 860, the HSS obtains a KIASINT and a KIASENC based on the IMSI of the UE and a RAND2. In one example, the HSS obtains the KIASINT and the KIASENC by sending the IMSI and the RAND2 to an authentication server. The authentication server looks up a pre-provisioned key (K-key) based on the IMSI, generates the KIASINT and the KIASENC based on the K-key and the RAND2, and returns the KIASINT and the KIASENC to the HSS. In some embodiments, steps 830 and 860 are performed in parallel such that the IMSI, RAND1, and RAND2 are sent from the HSS to the authentication server in the same request message, and the KIARINT, KIASENC, and KIASINT are returned from the authentication server to the HSS in the same response message. At step 870, the HSS sends an authentication and data response message to the MME. The authentication and data response message includes the KIASINT, the KIASENC, the AVs, and UE_info. In some embodiments, a COUNTER is also used when generating KIARINT, KIASINT, and KIASENC.
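The HSS-side checks of method 800 (steps 820 to 840), together with the COUNTER freshness check described for sequence 400, as an added Python example that is not part of the patent. It operates on the plaintext obtained after HPrK decryption; the byte layout, the use of HMAC-SHA256 for both key derivation and the MAC, and the names `derive_kiarint`, `ue_build_plaintext` and `HssValidator` are assumptions, since the patent specifies none of them.

```python
import hashlib
import hmac
import struct

# Assumed layout of the portion after HPrK decryption (the patent defines none):
#   IMSI (15 ASCII digits) | RAND1 (16 bytes) | COUNTER (uint32, big-endian) | MAC (32 bytes)
IMSI_LEN, RAND_LEN, CTR_LEN, MAC_LEN = 15, 16, 4, 32
BODY_LEN = IMSI_LEN + RAND_LEN + CTR_LEN


def derive_kiarint(k_key: bytes, rand1: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and RAND1, keyed with K."""
    return hmac.new(k_key, b"IAR-INT" + rand1, hashlib.sha256).digest()


def ue_build_plaintext(k_key: bytes, imsi: str, rand1: bytes, counter: int) -> bytes:
    """UE side (steps 710-720): MAC the UE-specific information with KIARINT."""
    body = imsi.encode("ascii") + rand1 + struct.pack(">I", counter)
    if len(body) != BODY_LEN:
        raise ValueError("IMSI or RAND1 has the wrong length")
    mac = hmac.new(derive_kiarint(k_key, rand1), body, hashlib.sha256).digest()
    return body + mac  # step 730 would encrypt this with the HPuK


class HssValidator:
    """HSS side (steps 820-840) plus the COUNTER freshness check."""

    def __init__(self, subscriber_keys: dict):
        self.keys = dict(subscriber_keys)  # IMSI -> pre-provisioned K
        self.last_counter = {}             # IMSI -> highest COUNTER accepted

    def validate(self, plaintext: bytes):
        if len(plaintext) != BODY_LEN + MAC_LEN:
            return (False, "malformed")
        body, first_mac = plaintext[:BODY_LEN], plaintext[BODY_LEN:]
        try:
            imsi = body[:IMSI_LEN].decode("ascii")
        except UnicodeDecodeError:
            return (False, "malformed")
        rand1 = body[IMSI_LEN:IMSI_LEN + RAND_LEN]
        (counter,) = struct.unpack(">I", body[IMSI_LEN + RAND_LEN:])

        # The integrity key depends on fields carried in the message itself,
        # so IMSI and RAND1 are untrusted until the MAC below checks out.
        k_key = self.keys.get(imsi)
        if k_key is None:
            return (False, "unknown-imsi")
        second_mac = hmac.new(derive_kiarint(k_key, rand1), body, hashlib.sha256).digest()
        if not hmac.compare_digest(first_mac, second_mac):  # constant-time compare
            return (False, "bad-mac")

        # Freshness: COUNTER must exceed the HSS's own value. State is updated
        # only after the MAC verified, so forged messages cannot advance it.
        if counter <= self.last_counter.get(imsi, 0):
            return (False, "stale")
        self.last_counter[imsi] = counter
        return (True, "ok")


def run_demo():
    """Constructed sample values; returns the verdict for each case."""
    k = bytes(range(16))
    imsi = "001010123456789"
    rand1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    hss = HssValidator({imsi: k})
    fresh = ue_build_plaintext(k, imsi, rand1, 1)
    tampered = bytearray(ue_build_plaintext(k, imsi, rand1, 2))
    tampered[BODY_LEN - 1] ^= 0x01  # flip one COUNTER bit
    return [
        hss.validate(fresh),
        hss.validate(fresh),            # replay of an accepted message
        hss.validate(bytes(tampered)),  # modified after the MAC was computed
        hss.validate(ue_build_plaintext(k, imsi, rand1, 2)),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Because the stored COUNTER only moves after a successful MAC check, the rejected tampered message does not block the legitimate message carrying COUNTER 2.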
  • FIG. 9 is a flowchart of an embodiment method 900 for processing an authentication and data response message and generating an IAS message according to a MASA protocol, as may be performed by an MME. At step 910, the MME receives an authentication and data response message from an HSS that includes a KIASINT, a KIASENC, AVs, and user specific information. The user specific information may include a UE security capabilities parameter, an IMSI, a RAND2, and/or a COUNTER.
  • At step 920, the MME encrypts the user specific information using the KIASENC to obtain an encrypted portion. At step 930, the MME generates a MAC signature by computing a hash of the encrypted portion and the RAND2 based on the KIASINT. At step 940, the MME sends an IAS message to a UE that includes at least the encrypted portion, the RAND2, and MAC signature.
  • FIG. 10 is a flowchart of an embodiment method 1000 for processing an IAS message according to a MASA protocol, as may be performed by a UE. At step 1010, the UE receives an IAS message from a base station in a serving network. The IAS message includes at least an encrypted portion, a RAND2, and a first MAC signature. At step 1020, the UE computes a KIASINT and a KIASENC based on a K-key of the UE and the RAND2. In some embodiments, steps 1020 and 720 may be performed in parallel (e.g., by a SIM card in the UE) prior to sending an initial IAR message. At step 1030, the UE generates a second MAC signature by computing a hash of the encrypted portion and the RAND2 based on the KIASINT. At step 1040, the UE verifies that the second MAC signature matches the first MAC signature in the IAS message. At step 1050, the UE decrypts the encrypted portion using the KIASENC. At step 1060, the UE sends a security and authentication complete message to the MME confirming that the network has been authenticated.
  • Aspects of this disclosure prevent, or at least inhibit, unauthorized third parties from obtaining an IMSI of a UE during LTE authentication by encrypting the IMSI using a KIARENC. FIG. 11 illustrates a protocol diagram of an embodiment communications sequence 1100 for authenticating a UE in a wireless network. As shown, the communications sequence 1100 begins when the MME 220 communicates an identity request 1110 to the UE 215. Next, the UE 215 encrypts a first copy of the IMSI using a KIARENC to form an encrypted inner portion, and encrypts a second copy of the IMSI and the encrypted inner portion using an HPuK to form an encrypted outer portion. It should be appreciated that other UE specific information (e.g., RAND1, RAND2, COUNTER, UE_SEC_CAP, etc.) may be encrypted along with the IMSI when forming the encrypted inner portion and/or the encrypted outer portion. Thereafter, the UE sends an IAR message 1120 carrying the encrypted outer portion to the MME 220. In some embodiments, the UE 215 sends the IAR message 1120 without having received the identity request 1110. The IAR message 1120 may include an unencrypted home network ID (HID) of the home network of the UE 215. Upon receiving the IAR message 1120, the MME 220 forwards an authentication and data request message 1130 carrying the encrypted outer portion to the HSS 230. The authentication and data request message 1130 may include other information in addition to the encrypted outer portion, such as MME security capability parameters that identify the NAS security capabilities of the MME 220, e.g., which NAS ciphering algorithms are supported by the MME 220. The authentication and data request 1130 may also include a serving network identifier (SID) and network type (NWK Type) of the serving network of the MME 220.
  • Upon receiving the authentication and data request message 1130, the HSS 230 may decrypt the encrypted outer portion using a HPrK to obtain the second copy of the IMSI and the encrypted inner portion. The HSS 230 may then decrypt the encrypted inner portion using the KIARENC to obtain the first copy of the IMSI. In some embodiments, the HSS 230 validates the authentication and data request message 1130 by comparing the first copy of IMSI with the second copy of the IMSI. The HSS 230 may also compare the COUNTER with a corresponding COUNTER maintained by the HSS 230 to determine whether the authentication and data request 1130 is fresh (e.g., not stale). If the validation is successful, then the HSS 230 generates authentication vectors based on an EPS-AKA procedure, and sends an authentication and data response message 1135 carrying the EPS authentication vectors and a KIASENC to the MME 220.
  • Subsequently, the MME 220 selects one of the authentication vectors, as well as a non-access stratum (NAS) ciphering algorithm. The MME 220 may also assign a temporary network identifier (e.g., a globally unique temporary identifier (GUTI)) to the UE. Thereafter, the MME 220 may encrypt the temporary network identifier and a key set identifier (KSI) associated with the selected NAS ciphering algorithm using the KIASENC to obtain encrypted NAS security data. The encrypted NAS security data may include other information as well, such as the counter and the RAND2. The encrypted NAS security data may be included in the IAS message 1150 sent by the MME 220 to the UE 215. The IAS message 1150 may further include an unencrypted version of the RAND2. The UE 215 may authenticate the network by comparing RAND2 to a local version of RAND2 stored by the UE 215 and by decrypting the encrypted private information of the Authentication Response using the KIASENC key. The UE 215 then sends a security and authentication complete message 1170 to the MME 220.
  • FIG. 12 illustrates frame formats for an embodiment IAR message 1220, an embodiment authentication and data request message 1230, an embodiment authentication and data response message 1235, and an embodiment IAS message 1250.
  • The embodiment IAR message 1220 corresponds to the IAR message 1120 sent from the UE 215 to the MME 220. In this example, the embodiment IAR message 1220 includes an encrypted inner portion 1222, an encrypted outer portion 1224, and an HID. The encrypted inner portion 1222 is formed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copy of a RAND1, a RAND2, and a COUNTER using a KIARENC. The encrypted outer portion 1224 is generated by encrypting the encrypted inner portion 1222 along with a second copy of the IMSI and a second copy of the RAND1 using a HPuK. It should be appreciated that additional information may be included in the encrypted inner portion 1222 and/or the encrypted outer portion 1224.
  • The embodiment authentication and data request message 1230 corresponds to the authentication and data request message 1130 sent from the MME 220 to the HSS 230. As shown, the embodiment authentication and data request message 1230 includes the embodiment IAR message 1220 and an HID.
  • The embodiment authentication and data response message 1235 corresponds to the authentication and data response message 1135 sent from the HSS 230 to the MME 220. As shown, the authentication and data response message 1235 includes a KIASENC, the UE_SEC_CAP, the IMSI, the RAND2, and the COUNTER.
  • The embodiment IAS message 1250 corresponds to the IAS message 1150 sent from the MME 220 to the UE 215. As shown, the IAS message 1150 includes an encrypted portion 1252 and the RAND2. The encrypted portion 1252 is formed by encrypting a KSI, the AVs, and the COUNTER using the KIASENC.
  • Embodiments of this disclosure provide methods for performing MASA protocols. FIG. 13 is a flowchart of an embodiment method 1300 for generating an IAR message according to a MASA protocol, as may be performed by a UE. At step 1310, the UE generates a KIARENC based on a pre-provisioned key (K key) and a RAND1. At step 1320, the UE encrypts UE specific information using the KIARENC to form an encrypted inner portion. At step 1330, the UE encrypts at least the encrypted inner portion, a RAND1, and an IMSI using an HPuK to form an encrypted outer portion. At step 1340, the UE sends an IAR message carrying the encrypted outer portion and an unencrypted HID to a base station in a serving network.
  • FIG. 14 is a flowchart of an embodiment method 1400 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS. At step 1410, the HSS receives an authentication and data request message from a MME in a serving network. The authentication and data request message carries an encrypted outer portion.
  • At step 1420, the HSS decrypts the encrypted portion using an HPrK to obtain a first MAC signature and UE-specific information. The UE-specific information includes at least an IMSI and a RAND1. At step 1430, the HSS obtains a KIARENC based on the IMSI and the RAND1. At step 1440, the HSS decrypts the encrypted inner portion using the KIARENC to obtain UE specific information. At step 1450, the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure. At step 1460, the HSS obtains a KIASENC based on the IMSI and a RAND2. In some embodiments, steps 1430 and 1460 are performed in parallel such that the IMSI, RAND1, and RAND2 are sent from the HSS to the authentication server in the same request message, and the KIARENC and KIASENC are returned from the authentication server to the HSS in the same response message. At step 1470, the HSS sends an authentication and data response message to the MME. The authentication and data response message includes the KIASINT, the KIASENC, the AVs, and UE_info.
  • FIG. 15 is a flowchart of an embodiment method 1500 for processing an authentication and data response message and generating an IAS message according to a MASA protocol, as may be performed by an MME. At step 1510, the MME receives an authentication and data response message from an HSS that includes a KIASENC, AVs, and user specific information. The user specific information may include a UE security capabilities parameter, an IMSI, a RAND2, and/or a COUNTER.
  • At step 1520, the MME encrypts at least the user specific information and the AVs using the KIASENC to obtain an encrypted portion. It should be appreciated that the encrypted portion may include other information, such as a KSI. At step 1530, the MME sends an IAS message to a UE that includes at least the encrypted portion.
  • FIG. 16 is a flowchart of an embodiment method 1600 for processing an IAS message according to a MASA protocol, as may be performed by a UE. At step 1610, the UE receives an IAS message from a base station in a serving network. The IAS message includes at least an encrypted portion, a RAND2, and a first MAC signature. At step 1620, the UE computes a KIASINT and a KIASENC based on a K-key of the UE and the RAND2. In some embodiments, steps 1620 and 1310 may be performed in parallel (e.g., by a SIM card in the UE) prior to sending an initial IAR message. At step 1630, the UE decrypts the encrypted portion using the KIASENC. At step 1640, the UE sends a security and authentication complete message to the MME confirming that the network has been authenticated.
  • In some embodiments, the UE uses a serving network public key (SPuK) to encrypt a portion of an IAR message. FIG. 17 illustrates a protocol diagram of an embodiment communications sequence 1700 for authenticating a UE in a wireless network. As shown, the communications sequence 1700 begins when the MME 220 communicates an identity request 1710 to the UE 215. Next, the UE 215 encrypts a first copy of an IMSI using a KIARENC to form an encrypted inner portion, and encrypts a second copy of the IMSI and the encrypted inner portion using a SPuK to form an encrypted outer portion. It should be appreciated that other UE specific information (e.g., a RAND1, a RAND2, a COUNTER, a UE_SEC_CAP, etc.) may be encrypted along with the IMSI when forming the encrypted inner portion and/or the encrypted outer portion. Thereafter, the UE sends an IAR message 1720 carrying the encrypted outer portion to the MME 220. In some embodiments, the UE 215 sends the IAR message 1720 without having received the identity request 1710. The IAR message 1720 may include an unencrypted home network ID (SID). Upon receiving the IAR message 1720, the MME 220 determines a serving network private key (SPrK) based on the unencrypted SID, and decrypts the encrypted outer portion of the IAR message using the SPrK. The MME 220 then forwards an authentication and data request message 1730 carrying the encrypted inner portion, the second copy of the IMSI, and a RAND1 to the HSS 230. The authentication and data request message 1730 may include other information in addition to the encrypted outer portion, such as MME security capability parameters, the SID, and a NWK Type.
  • Upon receiving the authentication and data request message 1730, the HSS 230 may obtain the KIARENC based on the second copy of the IMSI and the RAND1, and decrypt the encrypted inner portion using the KIARENC to obtain the first copy of the IMSI. The HSS 230 may then compare the first copy of the IMSI (carried in the encrypted inner portion of the authentication and data request message 1730) with the second copy of the IMSI (carried in an unencrypted outer portion of the authentication and data request message 1730) to verify the integrity of the authentication information request message 1730. The HSS 230 may also take other steps to validate the authentication and data request message 1730. For example, the HSS 230 may compare the COUNTER in the encrypted inner portion with a corresponding COUNTER maintained by the HSS 230 to determine whether the authentication and data request 1730 is fresh (e.g., not stale). If the validation is successful, then the HSS 230 may obtain a KIASENC based on the IMSI and a random number (e.g., RAND1, RAND2, etc.), generate authentication vectors based on an EPS-AKA procedure, and send an authentication and data response message 1735 carrying the EPS authentication vectors and the KIASENC to the MME 220.
  • Subsequently, the MME 220 encrypts UE specific information using the KIASENC to obtain an encrypted portion, which is sent to the UE 215 via an IAS message 1750. The encrypted portion of the IAS message 1750 may include other information in addition to the UE specific information, such as a temporary network identifier and a KSI associated with a NAS ciphering algorithm. The IAS message 1750 may further include an unencrypted version of the RAND2. The UE 215 may decrypt the encrypted portion of the IAS message 1750 using a KIASENC, and send a security and authentication complete message 1770 to the MME 220.
  • FIG. 18 illustrates frame formats for an embodiment IAR message 1820, an embodiment authentication and data request message 1830, an embodiment authentication and data response message 1835, and an embodiment IAS message 1850.
  • The embodiment IAR message 1820 corresponds to the IAR message 1780 sent from the UE 215 to the MME 220. In this example, the embodiment IAR message 1820 includes an encrypted inner portion 1822, an encrypted outer portion 1824, and an SID. The encrypted inner portion 1822 is formed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copy of a RAND1, a first copy of a RAND2, and a first copy of a COUNTER using a KIARENC. The encrypted outer portion 1824 is generated by encrypting the encrypted inner portion 1822 along with a second copy of the IMSI, a second copy of the RAND1, a second copy of the RAND2, and a second copy of the COUNTER using a SPuK. It should be appreciated that additional information may be included in the encrypted inner portion 1822 and/or the encrypted outer portion 1824. In one embodiment, a MAC signature generated by computing a hash of the encrypted outer portion 1824 using a KIARINT is also included in the IAR message 1820.
  • The embodiment authentication and data request message 1830 corresponds to the authentication and data request message 1730 sent from the MME 220 to the HSS 230. As shown, the embodiment authentication and data request message 1830 includes the encrypted inner portion 1822 from the IAR message 1820, as well as unencrypted information 1834. The unencrypted information 1834 includes the second copy of the IMSI, the second copy of the RAND1, the second copy of the RAND2, and the second copy of the COUNTER, which were obtained from decrypting the encrypted outer portion 1824 of the IAR message 1820 using the SPrK.
  • The embodiment authentication and data response message 1835 corresponds to the authentication and data response message 1735 sent from the HSS 230 to the MME 220. As shown, the authentication and data response message 1835 includes a KIASENC, a KIASINT, the first copy of the COUNTER, the first copy of the RAND2, the first copy of the IMSI, and AV(s). The first copy of the RAND2 and/or the COUNTER in the authentication and data response message 1835 may provide replay protection. In this example the authentication and data response message 1835 includes both the RAND2 and the COUNTER. In another example, the authentication and data response message 1835 includes the RAND2 but excludes the COUNTER.
  • The embodiment IAS message 1850 corresponds to the IAS message 1750 sent from the MME 220 to the UE 215. As shown, the IAS message 1850 includes an encrypted portion 1852 and the RAND2. The encrypted portion 1852 is formed by encrypting a KSI, the AVs, and the COUNTER using the KIASENC. In some examples, the embodiment IAS message 1850 includes a MAC signature that is generated by computing a hash of the encrypted portion 1852 using the KIASINT.
  • Embodiments of this disclosure provide methods for performing MASA protocols. FIG. 19 is a flowchart of an embodiment method 1900 for generating an IAR message according to a MASA protocol, as may be performed by a UE. At step 1910, the UE generates a KIARENC based on a pre-provisioned key (K key) and a RAND1. At step 1920, the UE encrypts UE specific information using the KIARENC to form an encrypted inner portion. At step 1930, the UE encrypts at least the encrypted inner portion, a RAND1, and an IMSI using a SPuK to form an encrypted outer portion. At step 1940, the UE sends an IAR message carrying the encrypted outer portion and an unencrypted SID to a base station in a serving network.
  • FIG. 20 is a flowchart of an embodiment method 2000 for processing an IAR message and generating an authentication and data request message according to a MASA protocol, as may be performed by an MME. At step 2010, the MME receives an IAR message carrying an encrypted outer portion and an SID. At step 2020, the MME decrypts the encrypted outer portion using a SPrK associated with the SID to obtain at least an encrypted inner portion, a RAND1, and an IMSI. At step 2030, the MME sends an authentication and data request message carrying the encrypted inner portion, the RAND1, and the IMSI to an HSS.
  • FIG. 21 is a flowchart of an embodiment method 2100 for processing an authentication and data request message and generating an authentication and data response message according to a MASA protocol, as may be performed by an HSS. At step 2110, the HSS receives an authentication and data request message from a MME in a serving network. The authentication and data request message carries an encrypted inner portion, a second copy of a RAND1, and a second copy of an IMSI. In some embodiments, the authentication and data request message includes a second copy of a RAND2 and/or a second copy of COUNTER.
  • At step 2120, the HSS obtains a KIARENC based on the second copy of the IMSI and the second copy of the RAND1. At step 2130, the HSS decrypts the encrypted inner portion using the KIARENC to obtain at least a first copy of the IMSI, a first copy of the RAND1, and a RAND2. In some embodiments, the HSS compares the first copy of the IMSI, RAND1, RAND2, and/or COUNTER with the second copy of the IMSI, RAND1, RAND2, and/or COUNTER (respectively) to verify the integrity of the authentication and data request message.
  • At step 2140, the HSS generates authentication vectors (AVs) based on an EPS-AKA procedure. At step 2150, the HSS obtains a KIASENC based on the IMSI and a RAND2. In some embodiments, steps 2120 and 2150 are performed in parallel such that the second copy of the IMSI, the second copy of the RAND1, and the second copy of the RAND2 are sent from the HSS to the authentication server in the same request message, and the KIARENC and KIASENC are returned from the authentication server to the HSS in the same response message. At step 2160, the HSS sends an authentication and data response message to the MME. The authentication and data response message includes the KIASENC and the AVs.
  • In some examples, the UE 215 generates the RAND2, and includes the RAND2 in the IAR message. The RAND2 is then used by the HSS 230 to independently generate the KIASENC and/or the KIASINT. In other examples, the HSS 230 independently generates the RAND2, and sends the RAND2 to the authentication server. The authentication server then generates the KIASINT and/or the KIARENC based on the RAND2, the k-key, and (in some cases) a COUNTER, and returns the KIASINT and/or the KIASENC to the HSS 230. The HSS 230 then forwards the KIASINT and/or the KIASENC to the MME 220, which may use the KIASENC and/or the KIASINT to generate the IAS message. In such an example, the RAND2 and the COUNTER may be sent to the UE 214 via the IAS message, and the UE may use RAND2, the k-key, and the COUNTER to independently compute the KIASENC and/or the KIASINT. In an embodiment, a COUNTER is required to be included in an IAS message for purposes of replay protection when the RAND2 is independently generated by the HSS 230.
  • When a COUNTER is included in an authentication and data request message, the HSS may compare the COUNTER with an independent COUNTER maintained by the HSS to ensure that the COUNTER in the authentication and data request message exceeds the independent COUNTER maintained by the HSS. This may confirm that information in the authentication and data request message is fresh, as well as provide replay protection. Likewise, when a COUNTER is included in an IAS message, the UE may compare the COUNTER with an independent COUNTER maintained by the UE to ensure that the COUNTER in the IAS message exceeds the independent COUNTER maintained by the HSS. This may confirm that information within the IAS message is fresh, as well as provide replay protection.
  • It should be appreciated that encrypting an IMSI in an IAR message (as well as other messages) using, for example, a KIARENC, a SNPuK, and/or a HNPuK serves to at least partially conceal the IMSI from malicious third parties.
  • It should be appreciated that a MAC signature may be used to provide integrity protection for the contents of any message described herein.
  • FIG. 22 illustrates a frame format for an embodiment IAR message 2220. The embodiment IAR message 2220 includes an encrypted inner portion 2222, an outer portion 2224, and a MAC signature 2226. The encrypted inner portion 2222 is formed by encrypting an IMSI and a COUNTER using an HPuK. The outer portion 2224 includes the encrypted inner portion 2222, a UE_SEC_CAP, a RAND1, and an HID. The MAC 2226 is generated by computing a hash of the outer portion 2224 using a KIARINT.
  • FIG. 23 illustrates a block diagram of an embodiment processing system 2300 for performing methods described herein, which may be installed in a host device. As shown, the processing system 2300 includes a processor 2304, a memory 2306, and interfaces 2310-2314, which may (or may not) be arranged as shown in FIG. 23. The processor 2304 may be any component or collection of components adapted to perform computations and/or other processing related tasks, and the memory 2306 may be any component or collection of components adapted to store programming and/or instructions for execution by the processor 2304. In an embodiment, the memory 2306 includes a non-transitory computer readable medium. The interfaces 2310, 2312, 2314 may be any component or collection of components that allow the processing system 2300 to communicate with other devices/components and/or a user. For example, one or more of the interfaces 2310, 2312, 2314 may be adapted to communicate data, control, or management messages from the processor 2304 to applications installed on the host device and/or a remote device. As another example, one or more of the interfaces 2310, 2312, 2314 may be adapted to allow a user or user device (e.g., personal computer (PC), etc.) to interact/communicate with the processing system 2300. The processing system 2300 may include additional components not depicted in FIG. 23, such as long term storage (e.g., non-volatile memory, etc.).
  • In some embodiments, the processing system 2300 is included in a network device that is accessing, or otherwise part of, a telecommunications network. In one example, the processing system 2300 is in a network-side device in a wireless or wireline telecommunications network, such as a base station, a relay station, a scheduler, a controller, a gateway, a router, an applications server, or any other device in the telecommunications network. In other embodiments, the processing system 2300 is in a user-side device accessing a wireless or wireline telecommunications network, such as a mobile station, a user equipment (UE), a personal computer (PC), a tablet, a wearable communications device (e.g., a smartwatch, etc.), or any other device adapted to access a telecommunications network.
  • In some embodiments, one or more of the interfaces 2310, 2312, 2314 connects the processing system 2300 to a transceiver adapted to transmit and receive signaling over the telecommunications network. FIG. 24 illustrates a block diagram of a transceiver 2400 adapted to transmit and receive signaling over a telecommunications network. The transceiver 2400 may be installed in a host device. As shown, the transceiver 2400 comprises a network-side interface 2402, a coupler 2404, a transmitter 2406, a receiver 2408, a signal processor 2410, and a device-side interface 2412. The network-side interface 2402 may include any component or collection of components adapted to transmit or receive signaling over a wireless or wireline telecommunications network. The coupler 2404 may include any component or collection of components adapted to facilitate bi-directional communication over the network-side interface 2402. The transmitter 2406 may include any component or collection of components (e.g., up-converter, power amplifier, etc.) adapted to convert a baseband signal into a modulated carrier signal suitable for transmission over the network-side interface 2402. The receiver 2408 may include any component or collection of components (e.g., down-converter, low noise amplifier, etc.) adapted to convert a carrier signal received over the network-side interface 2402 into a baseband signal. The signal processor 2410 may include any component or collection of components adapted to convert a baseband signal into a data signal suitable for communication over the device-side interface(s) 2412, or vice-versa. The device-side interface(s) 2412 may include any component or collection of components adapted to communicate data-signals between the signal processor 2410 and components within the host device (e.g., the processing system 2300, local area network (LAN) ports, etc.).
  • The transceiver 2400 may transmit and receive signaling over any type of communications medium. In some embodiments, the transceiver 2400 transmits and receives signaling over a wireless medium. For example, the transceiver 2400 may be a wireless transceiver adapted to communicate in accordance with a wireless telecommunications protocol, such as a cellular protocol (e.g., long-term evolution (LTE), etc.), a wireless local area network (WLAN) protocol (e.g., Wi-Fi, etc.), or any other type of wireless protocol (e.g., Bluetooth, near field communication (NFC), etc.). In such embodiments, the network-side interface 2402 comprises one or more antenna/radiating elements. For example, the network-side interface 2402 may include a single antenna, multiple separate antennas, or a multi-antenna array configured for multi-layer communication, e.g., single input multiple output (SIMO), multiple input single output (MISO), multiple input multiple output (MIMO), etc. In other embodiments, the transceiver 2400 transmits and receives signaling over a wireline medium, e.g., twisted-pair cable, coaxial cable, optical fiber, etc. Specific processing systems and/or transceivers may utilize all of the components shown, or only a subset of the components, and levels of integration may vary from device to device.
  • Although the description has been described in detail, it should be understood that various changes, substitutions and alterations can be made without departing from the spirit and scope of this disclosure as defined by the appended claims. Moreover, the scope of the disclosure is not intended to be limited to the particular embodiments described herein, as one of ordinary skill in the art will readily appreciate from this disclosure that processes, machines, manufacture, compositions of matter, means, methods, or steps, presently existing or later to be developed, may perform substantially the same function or achieve substantially the same result as the corresponding embodiments described herein. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or steps.
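The HSS-side processing described for FIG. 21 (steps 2110 to 2160) and the COUNTER freshness check can be exercised with the following sketch, which is an added example and not part of the patent text. The HMAC-based key derivation, the HMAC-SHA256 keystream cipher, the fixed-width field layout and all function names are assumptions made for illustration; the SPuK outer layer and AV generation are left out, and the subscriber records are constructed.

```python
import hashlib
import hmac
import os
import struct

IMSI_LEN, RAND_LEN = 15, 16
INNER_FMT = f">{IMSI_LEN}s{RAND_LEN}s{RAND_LEN}sI"  # IMSI | RAND1 | RAND2 | COUNTER


class Rejected(Exception):
    """Raised by the HSS when a request fails validation."""


def kdf(k: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumed KDF: the text only says the key is "based on" the K key and a random number.
    return hmac.new(k, label + rand, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode), not a cipher named by the patent.
    # Each key is derived from a fresh RAND1, so it encrypts exactly one message.
    ks = bytearray()
    for block in range((len(data) + 31) // 32):
        ks += hmac.new(key, b"ks" + struct.pack(">I", block), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def ue_build_request(k: bytes, imsi: str, counter: int) -> dict:
    """UE steps 1910-1920, shown as the MME forwards them after removing the
    outer layer: the encrypted inner portion plus the cleartext second copies."""
    rand1, rand2 = os.urandom(RAND_LEN), os.urandom(RAND_LEN)
    inner = struct.pack(INNER_FMT, imsi.encode(), rand1, rand2, counter)
    return {"inner": stream_xor(kdf(k, b"IAR-ENC", rand1), inner),
            "imsi": imsi, "rand1": rand1, "rand2": rand2, "counter": counter}


def hss_process(subscribers: dict, req: dict) -> dict:
    sub = subscribers.get(req["imsi"])
    if sub is None:
        raise Rejected("unknown IMSI")
    # Step 2120: KIARENC from the second (cleartext) copies of IMSI and RAND1.
    kiar_enc = kdf(sub["k"], b"IAR-ENC", req["rand1"])
    # Step 2130: decrypt the inner portion to recover the first copies.
    if len(req["inner"]) != struct.calcsize(INNER_FMT):
        raise Rejected("malformed inner portion")
    imsi1, rand1, rand2, counter = struct.unpack(
        INNER_FMT, stream_xor(kiar_enc, req["inner"]))
    # Integrity: every first copy must equal its second copy.
    first = (imsi1, rand1, rand2, struct.pack(">I", counter))
    second = (req["imsi"].encode(), req["rand1"], req["rand2"],
              struct.pack(">I", req["counter"]))
    if not all(hmac.compare_digest(a, b) for a, b in zip(first, second)):
        raise Rejected("inner/outer copy mismatch")
    # Freshness: the received COUNTER must exceed the one the HSS maintains.
    if counter <= sub["counter"]:
        raise Rejected("stale COUNTER")
    sub["counter"] = counter
    # Step 2150: IAS keys from the K key and RAND2 (AVs omitted in this sketch).
    return {"imsi": req["imsi"], "rand2": rand2, "counter": counter,
            "kias_enc": kdf(sub["k"], b"IAS-ENC", rand2),
            "kias_int": kdf(sub["k"], b"IAS-INT", rand2)}


def demo() -> dict:
    # Constructed subscriber records: IMSI -> K key and last accepted COUNTER.
    subs = {"001010000000001": {"k": bytes(range(16)), "counter": 7},
            "001010000000002": {"k": bytes(range(16, 32)), "counter": 0}}

    def outcome(req):
        try:
            return hss_process(subs, req)
        except Rejected as exc:
            return str(exc)

    imsi = "001010000000001"
    k = subs[imsi]["k"]
    results = {}

    fresh = ue_build_request(k, imsi, counter=8)
    accepted = outcome(fresh)
    # The UE derives the same KIASENC independently from its K key and RAND2.
    results["fresh"] = accepted["kias_enc"] == kdf(k, b"IAS-ENC", fresh["rand2"])
    results["replay"] = outcome(fresh)  # same message sent a second time

    swapped = dict(ue_build_request(k, imsi, counter=9), imsi="001010000000002")
    results["swapped_imsi"] = outcome(swapped)  # cleartext IMSI replaced in transit

    flipped = ue_build_request(k, imsi, counter=9)
    tampered = bytearray(flipped["inner"])
    tampered[IMSI_LEN + RAND_LEN] ^= 0x01  # first byte of the encrypted RAND2
    flipped["inner"] = bytes(tampered)
    results["bit_flip"] = outcome(flipped)
    return results


if __name__ == "__main__":
    print(demo())
```

With the stand-in stream cipher, a check that compared only the two IMSI copies would accept the bit-flipped request, since the RAND2 field can be altered without disturbing the IMSI field. Comparing every copied field, or verifying the MAC signature the description mentions, rejects it.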

Claims (20)

What is claimed is:
1. A method for secure authentication, the method comprising:
receiving, by a home subscriber server (HSS) in a home network, an authentication and data request message from a mobility management entity (MME) in a serving network, the authentication and data request message including an encrypted portion, a first random number, and a first International Mobile Subscriber Identity (IMSI) associated with a user equipment (UE);
obtaining, by the HSS, a first encryption key based on the first IMSI and the first random number;
decrypting, by the HSS, the encrypted portion using the first encryption key to obtain a second random number;
obtaining, by the HSS, a second encryption key based on the first IMSI and the second random number; and
sending, by the HSS, an authentication and data response message to the MME, the authentication and data response message including the second encryption key.
2. The method of claim 1, further comprising generating, by the HSS, at least one authentication vector, wherein the authentication and data response message further includes the at least one authentication vector.
3. The method of claim 1, further comprising verifying an integrity of the authentication and data request message.
4. The method of claim 3, wherein decrypting the encrypted portion further obtains at least one of a second IMSI or a third random number.
5. The method of claim 4, wherein verifying the integrity of the authentication and data request message comprises at least one of comparing the second IMSI to the first IMSI or comparing the third random number to the first random number.
6. The method of claim 1, wherein the encrypted portion is an encrypted inner portion.
7. The method of claim 1, wherein the second random number is generated by the UE.
8. The method of claim 1, wherein the second random number is generated by the HSS.
9. The method of claim 1, wherein the second encryption key is generated by the HSS.
10. The method of claim 1, further comprising receiving at least one of the first encryption key or the second encryption key from an authentication server.
11. A home subscriber server (HSS) in a home network, the HSS comprising:
a processor; and
a non-transitory computer readable storage medium storing programming for execution by the processor, the programming including instructions to:
receive an authentication and data request message from a mobility management entity (MME) in a serving network, the authentication and data request message including an encrypted portion, a first random number, and a first International Mobile Subscriber Identity (IMSI) associated with a user equipment (UE);
obtain a first encryption key based on the first IMSI and the first random number;
decrypt the encrypted portion using the first encryption key to obtain a second random number;
obtain a second encryption key based on the first IMSI and the second random number; and
send an authentication and data response message to the MME, the authentication and data response message including the second encryption key.
12. The HSS of claim 11, the instructions further to generate at least one authentication vector, wherein the authentication and data response message further includes the at least one authentication vector.
13. The HSS of claim 11, the instructions further to verify an integrity of the authentication and data request message.
14. The HSS of claim 13, wherein decrypting the encrypted portion further obtains at least one of a second IMSI or a third random number.
15. The HSS of claim 14, wherein the instructions to verify the integrity of the authentication and data request message comprises instructions to at least one of compare the second IMSI to the first IMSI or compare the third random number to the first random number.
16. The HSS of claim 11, wherein the encrypted portion is an encrypted inner portion.
17. The HSS of claim 11, wherein the second random number is generated by the UE.
18. The HSS of claim 11, wherein the second random number is generated by the UE.
19. The HSS of claim 11, wherein the second encryption key is generated by the HSS.
20. The HSS of claim 11, the instructions further to receive at least one of the first encryption key or the second encryption key from an authentication server.
US17/146,297 2016-03-10 2021-01-11 Authentication Mechanism for 5G Technologies Abandoned US20210135878A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/146,297 US20210135878A1 (en) 2016-03-10 2021-01-11 Authentication Mechanism for 5G Technologies

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US201662306550P 2016-03-10 2016-03-10
US201662317295P 2016-04-01 2016-04-01
US201662383223P 2016-09-02 2016-09-02
US201662399069P 2016-09-23 2016-09-23
US201662399055P 2016-09-23 2016-09-23
US15/453,776 US10382206B2 (en) 2016-03-10 2017-03-08 Authentication mechanism for 5G technologies
US16/433,706 US20190288851A1 (en) 2016-03-10 2019-06-06 Authentication Mechanism for 5G Technologies
US17/146,297 US20210135878A1 (en) 2016-03-10 2021-01-11 Authentication Mechanism for 5G Technologies

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US16/433,706 Continuation US20190288851A1 (en) 2016-03-10 2019-06-06 Authentication Mechanism for 5G Technologies

Publications (1)

Publication Number Publication Date
US20210135878A1 (en) 2021-05-06

Family

ID=59788816

Family Applications (3)

Application Number Title Priority Date Filing Date
US15/453,776 Expired - Fee Related US10382206B2 (en) 2016-03-10 2017-03-08 Authentication mechanism for 5G technologies
US16/433,706 Abandoned US20190288851A1 (en) 2016-03-10 2019-06-06 Authentication Mechanism for 5G Technologies
US17/146,297 Abandoned US20210135878A1 (en) 2016-03-10 2021-01-11 Authentication Mechanism for 5G Technologies

Country Status (8)

Country Link
US (3) US10382206B2 (en)
EP (1) EP3417640A4 (en)
JP (1) JP2019512942A (en)
KR (1) KR20180119651A (en)
CN (3) CN108781366B (en)
BR (1) BR112018068271A2 (en)
CA (1) CA3017240A1 (en)
WO (1) WO2017152871A1 (en)

Also Published As

Publication number Publication date
CN113411308B (en) 2022-04-12
CN113411309A (en) 2021-09-17
CA3017240A1 (en) 2017-09-14
KR20180119651A (en) 2018-11-02
BR112018068271A2 (en) 2019-01-15
US20190288851A1 (en) 2019-09-19
WO2017152871A1 (en) 2017-09-14
EP3417640A1 (en) 2018-12-26
US20170264439A1 (en) 2017-09-14
CN113411308A (en) 2021-09-17
EP3417640A4 (en) 2019-06-12
CN108781366B (en) 2021-05-18
JP2019512942A (en) 2019-05-16
CN108781366A (en) 2018-11-09
US10382206B2 (en) 2019-08-13

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general
Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general
Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCB Information on status: application discontinuation
Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE