WO2011023223A1 - Method of performing an authentication in a communications network - Google Patents

Info

Publication number: WO2011023223A1
Application number: PCT/EP2009/060920
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Inventors: Wolf-Dietrich Moeller, Hans-Jochen Morper, Christian Markwart, Manfred Schaefer
Original assignee: Nokia Siemens Networks Oy
Prior art keywords: client, server, authentication, network, common secret

Classifications

Section H (Electricity), classes H04L (Transmission of digital information, e.g. telegraphic communication) and H04W (Wireless communication networks):

    • H04L63/00 > H04L63/04 > H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 > H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/00 > H04L63/16 > H04L63/162: Implementing security features at a particular protocol layer at the data link layer
    • H04L63/00 > H04L63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04W12/00 > H04W12/06 > H04W12/069: Security arrangements; Authentication using certificates or pre-shared keys
    • H04W84/00 > H04W84/02 > H04W84/04 > H04W84/042 > H04W84/045: Network topologies; Public Land Mobile systems, e.g. cellular systems using private Base Stations, e.g. femto Base Stations, home Node B

Definitions

  • the invention generally relates to a method of performing an authentication in a communications network. More specifically, the invention relates to secure transmission in home NodeB and Femto based access.
  • the fixed network access provider equips home users with specific devices that enable the user to utilize the operators' network for internet and voice access that hide the specifics of the access technology to the end user.
  • users are equipped with an access router (Residential Gateway), which includes an Ethernet switch with commodity functions such as a DHCP server for a user's local home network (LAN part) and a modem part suitable for the given physical access, e.g. a DSL modem (WAN part).
  • Femto access point may be installed in the home of a user, which offers native 2G/3G/LTE radio access to users while they are at home.
  • the traffic is either tunnelled to the operator core or directly offloaded to the internet using the existing DSL access of the users, which requires the utilization of existing wire line access.
  • HNB: Home NodeB
  • H(e)MS: Home NodeB Management System
  • the HMS server cannot be considered trustworthy as it is located in the external network, e.g. internet, and should not be able to see user/subscriber credentials.
  • HNB: the client
  • HMS: the server
  • the HNB must use a security mechanism, e.g. a SIM card, and security interworking is required in the untrusted network (e.g. the fixed DSL network), which allows access to the security mechanisms of the trusted network (e.g. the mobile network subscribed to by the user).
  • implementing security interworking is a very expensive solution and thus not attractive to network providers.
  • a first aspect of the invention provides a method of performing an authentication in a communications network.
  • a secure first path for transmitting and receiving data over the communications network is established.
  • a second path is established and authentication of a network authentication module is performed on the second path. If authentication of the network authentication module is successful, secret information is generated in a secure domain. The secret information is used to authenticate the network authentication module, a client and a server involved in communication over the first path.
  • the second path allows a network authentication module authentication procedure not supported on the first path.
  • authentication of the network authentication module, as well as the client and the server may be performed by deploying standardized protocols, with no new protocols being required to be specified.
  • standardized network element modules or nodes (e.g. a bootstrapping function (BSF) or a network application function (NAF)) may be used that are already available in the network anyway.
  • BSF: bootstrapping function
  • NAF: network application function
  • the trusted relationship between the client and the server is only based on the secret information generated in the secure domain, therefore no misuse of an authentication vector (AV) is possible in an element which may be located outside the security domain of the network operator.
  • Further advantages of the invention are that it is easy and cheap to implement, as no additional hardware is required, it uses a secure transport of security relevant information and can be applied to any network (e.g. GSM, 3G, LTE) and does not require certificates to authenticate the network authentication module.
  • the network authentication module may be a SIM, USIM or UICC, for example, and can be owned by a hosting party. In other words, the network authentication module acts as technical representative for a hosting party.
  • the client may be a home NodeB (HNB) or a residential gateway, for example, and the server may be, for example, a management system or home management system (HMS).
  • HNB: home NodeB
  • HMS: home management system
  • a method of authenticating a hosting party of a client in a communications network comprises establishing a protected channel using client and server authentication. Subsequently, the hosting party is authenticated using the server so that only an authenticated client is allowed to establish a connection to an authenticated server. Either mutual (e.g. parallel) or one-sided client and server authentication is performed in order to establish a protected channel (secure channel). Secret information, e.g. keys, generated by the client and server authentication is then used for performing authentication of the hosting party. Both authentications are bound together, e.g. by being executed in the same protocol run, or by performing the second authentication within a secure tunnel which is established based on the first authentication (client and server authentication). In this way, the critical data remain inside the security domain of the communications network operator, keeping the security level high and providing the same trust level between subscribers and the network operator. Furthermore, this is a low cost solution as it does not require any additional hardware.
  • the client and server authentication is based on certificates associated with the client and the server.
  • the hosting party authentication is performed inside the protected channel.
  • the protected or secure channel may be a TLS tunnel. Communication within the tunnel may be based on a HTTP protocol.
  • a common secret is generated based on the authentication of the hosting party and distributed to the server and the client.
  • the invention also provides a client, which is adapted to perform authentication with a server in a communications network based on server and client certificates.
  • the client is also adapted to establish a protected channel to the server and to perform an authentication of the hosting party with a subscriber database when it has established the protected channel successfully.
  • the client is further adapted to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client.
  • the common secret is received at the client after the client has successfully performed the hosting party authentication.
  • the invention further provides a server, which is adapted to perform authentication with a client in a communication network based on server and client certificates, while establishing a protected channel to a client.
  • the server is adapted to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client.
  • a method of authenticating a hosting party of a client in a communications network is provided.
  • the hosting party authenticates a subscriber database of the communications network via a secure network interface.
  • a server generates a common secret from which parameters used to establish a protected channel are derived on both client and server sides of the protected channel.
  • the server distributes the common secret via the network interface to the client.
  • the common secret establishes the protected channel towards the server.
  • parameters generated from the common secret are used to establish a secure channel in which secure communication towards the server can take place.
  • a client is provided comprising means for performing a hosting party authentication with a subscriber database in a communications network.
  • the client is further adapted to receive a common secret via a secure network interface and to generate parameters derived from the common secret to establish a protected channel towards a server.
  • a server is adapted to generate a common secret from which parameters to establish a protected channel towards a client can be derived.
  • the server is further adapted to forward the common secret towards the client.
  • the common secret is forwarded via a communication path to the client via the secure network interface.
  • the communication path is a different communication path from the protected channel.
  • Figure 1 is a simplified schematic diagram of a communications network implementing a method according to an embodiment of the invention.
  • Figure 2 is a simplified schematic diagram of two communications networks implementing a method according to an embodiment of the invention.
  • FIG. 1 shows a communications network including a client HNB that may be connected to a server HMS over a secure interface Ua.
  • the client HNB is shown here as a Home NodeB and the server as a Home Management System.
  • the client and server may be components of any communications network, either fixed, mobile or a combination of both.
  • the client HNB may provide access to a mobile communications network and/or to a fixed network.
  • the client HNB includes a network authentication module NAM, which can be a SIM, USIM or UICC, for example, and is the technical representative of a hosting party.
  • NAM: network authentication module
  • the server HMS includes a network application function NAF coupled to a bootstrapping node BN running a bootstrapping function (BSF), e.g. by a Zn proxy.
  • the bootstrapping node BN is coupled to a home location register HLR, which contains information about subscribers to the network (subscriber database), and is also coupled to the network authentication module NAM over an interface Ub.
  • the bootstrapping node BN and the home location register HLR are components of a security domain SD of the network.
  • the client HNB is provided with a client certificate (and related private key) provided by the manufacturer and signed by its own certification authority.
  • the network operator provides the client HNB with the root certificate of the operator.
  • the server HMS is also provided with a server certificate (and related private key) provided by the mobile network operator signed by its own certification authority.
  • the mobile network operator puts the root certificate of the manufacturer into the server.
  • the mobile network operator provides the hosting party (owner) of the client HNB with the network authentication module NAM, e.g. a UICC containing a USIM.
  • the home location register HLR of the mobile network contains a subscriber database having the entry for the NAM (USIM).
  • the client HNB communicates with the network application function NAF in the server HMS over the Ua interface, which is a secure communication path.
  • the client HNB and the server HMS authenticate each other by means of their client and server certificates using a generic bootstrapping architecture (GBA) .
  • GBA: generic bootstrapping architecture
  • the client and server authentication may be mutual or just one-sided.
  • a protected or secure channel PC, e.g. a TLS tunnel, is established between the client HNB and the server HMS.
  • the server receives a common or shared secret from the BSF run on the bootstrapping node BN via the Zn interface and authentication of the network authentication module NAM is then performed with the server HMS inside the protected channel PC using the common secret.
  • the client HNB authenticates the network authentication module NAM with the subscriber database stored in the home location register HLR using the BSF run on the bootstrapping node BN. If this authentication is successful, then it is proved that the client HNB and the network authentication module are "bound together". Only if the client HNB, the server HMS and the network authentication module NAM (hosting party) are all authenticated successfully can a connection be established between the client HNB and the server HMS. In other words, keys are generated by the client and server authentication on the secure path (over the Ua interface) that does not support the hosting party authentication, which are then used to generate a secure and protected channel (also over the Ua interface) in which hosting party authentication is supported.
  • FIG. 2 shows two related communications networks in which an authentication method according to a second embodiment of the invention is used.
  • in this embodiment, secret information, such as keys, is generated using one communication path (e.g. an air interface) and is used to establish a separate, different communication path which is a protected channel.
  • the first communications network MNO is a mobile network having a home base station as a client HNB, which is an access point to the first network MNO, and a home location register HLR accessed via a public base station PBS, in which information about subscribers to the network is contained in a subscriber database.
  • the client HNB has a network authentication module NAM, e.g. a SIM card, USIM or UICC.
  • the client HNB can connect with the mobile network MNO and the home location register HLR included therein via an air interface I1 and the base station PBS.
  • the second communications network FNO is a fixed network.
  • the client HNB can have access through the second network FNO to a server HMS over an interface I2, e.g. a DSL line.
  • the first network MNO is subscribed to by a hosting party who owns the client HNB as well as the hosting party identification, and is trusted.
  • the second network FNO is not trusted by the hosting party.
  • the network authentication module NAM in the client HNB which is the technical representative of a hosting party, performs an authentication with the subscriber database located in the home location register HLR of the network over the network interface Ua.
  • the server HMS then generates a common secret and forwards the common secret to the client HNB over the communication path (network interface) I2.
  • the server HMS may forward the common secret to the client HNB over the mobile network MNO.
  • the server HMS can send the common secret via an SMS or email to an SMS centre in the first network MNO, which then forwards the SMS or email to the client HNB.
  • the common secret could be a one time password or a SIM challenge (out of triplets derived from the home location register HLR).
  • Parameters derived from the generated common secret are then used by the client HNB to establish a protected channel PC towards the server HMS over the interface I2, which is then used as a communication path between the client and the server.
  • This communication path over the protected channel PC is secure and therefore the client HNB may communicate with the server HMS in the network FNO, even though the network FNO is not trusted.
  • communication between the client HNB and the public base station PBS in the first network MNO is used to transfer parameters typical to the first network MNO which are used to secure a tunnel (the protected channel PC) between the access point and a node on the second network FNO; i.e., from the client HNB, and the first network MNO through the untrusted second network FNO to the server HMS.

Abstract

A method of performing an authentication in a communications network comprises establishing a secure first path for transmitting and receiving data over the communications network, establishing a second path, performing authentication of a network authentication module on the second path and, upon successful authentication of the authentication module, generating secret information in a secure domain and using the secret information to authenticate the network authentication module, a client and a server involved in communication over the first path. The second path allows a network authentication module authentication procedure not supported on the first path.

Description

METHOD OF PERFORMING AN AUTHENTICATION IN A COMMUNICATIONS NETWORK
FIELD OF THE INVENTION
The invention generally relates to a method of performing an authentication in a communications network. More specifically, the invention relates to secure transmission in home NodeB and Femto based access.
BACKGROUND OF THE INVENTION
In today's public telecommunication and IT environment, roles are defined for access providers, transport providers and service providers to determine the operators' position in the value chain. While in many countries roles may be mixed or overlapping, there is still a distinct differentiation between Fixed Network Providers (FNO) and Mobile Network Providers (MNO). Most commonly, fixed network providers offer wire line access to the internet with voice becoming more and more an addendum to a broadband wire line subscription. Mobile networks offer access for voice calls with broadband data access becoming more and more popular for mobile users.
In many cases of fixed broadband connections, the fixed network access provider equips home users with specific devices that enable the user to utilize the operators' network for internet and voice access and that hide the specifics of the access technology from the end user. Typically, users are equipped with an access router (Residential Gateway), which includes an Ethernet switch with commodity functions such as a DHCP server for a user's local home network (LAN part) and a modem part suitable for the given physical access, e.g. a DSL modem (WAN part). This way the users will experience an access which offers commodity LAN access to the outside world with the transport technology being hidden from them.
There is now a trend for fixed network providers to implement mobile voice services and mobile network operators to offer wireless DSL services. For the latter case, a Home(e)NodeB (HNB) or Femto access point may be installed in the home of a user, which offers native 2G/3G/LTE radio access to users while they are at home. The traffic is either tunnelled to the operator core or directly offloaded to the internet using the existing DSL access of the users, which requires the utilization of existing wire line access.
If routed to the mobile core, entities are required that mediate user payload and control data in a suitable manner for mobile networks. If not owned by the MNO, the wire line access network is considered insecure and thus traffic between the Femto node or HNB (trusted) and the mobile network (trusted) has to be securely tunnelled through an access network which is untrusted. For establishment of communication between Home (e)NodeBs (HNBs) or home base stations and a communications network, for example the public internet, the HNB (client) connects to a Home (e)NodeB Management System (H(e)MS) in the public internet, which is a remote server. The HMS server cannot be considered trustworthy as it is located in the external network, e.g. the internet, and should not be able to see user/subscriber credentials.
Thus there is a need for authentication when the client (HNB) connects to the server (HMS). This is currently achieved by setting up a secure tunnel that allows secure data transfer between the HNB and the HMS by ensuring that keying material on both sides mutually matches. The HNB must use a security mechanism, e.g. a SIM card, and security interworking is required in the untrusted network (e.g. the fixed DSL network), which allows access to the security mechanisms of the trusted network (e.g. the mobile network subscribed to by the user). However, implementing security interworking is a very expensive solution and thus not attractive to network providers.
SUMMARY OF THE INVENTION
Accordingly, a first aspect of the invention provides a method of performing an authentication in a communications network. A secure first path for transmitting and receiving data over the communications network is established. A second path is established and authentication of a network authentication module is performed on the second path. If authentication of the network authentication module is successful, secret information is generated in a secure domain. The secret information is used to authenticate the network authentication module, a client and a server involved in communication over the first path. The second path allows a network authentication module authentication procedure not supported on the first path.
In this way, authentication of the network authentication module, as well as of the client and the server, may be performed by deploying standardized protocols, with no new protocols being required to be specified. Furthermore, standardized network element modules or nodes (e.g. a bootstrapping function (BSF) or a network application function (NAF)) may be used that are already available in the network anyway. The trusted relationship between the client and the server is only based on the secret information generated in the secure domain; therefore no misuse of an authentication vector (AV) is possible in an element which may be located outside the security domain of the network operator. Further advantages of the invention are that it is easy and cheap to implement, as no additional hardware is required, it uses a secure transport of security relevant information and can be applied to any network (e.g. GSM, 3G, LTE) and does not require certificates to authenticate the network authentication module. The network authentication module may be a SIM, USIM or UICC, for example, and can be owned by a hosting party. In other words, the network authentication module acts as technical representative for a hosting party. The client may be a home NodeB (HNB) or a residential gateway, for example, and the server may be, for example, a management system or home management system (HMS).
In a second aspect of the invention, a method of authenticating a hosting party of a client in a communications network is provided. The method comprises establishing a protected channel using client and server authentication. Subsequently, the hosting party is authenticated using the server so that only an authenticated client is allowed to establish a connection to an authenticated server. Either mutual (e.g. parallel) or one-sided client and server authentication is performed in order to establish a protected channel (secure channel). Secret information, e.g. keys, generated by the client and server authentication is then used for performing authentication of the hosting party. Both authentications are bound together, e.g. by being executed in the same protocol run, or by performing the second authentication within a secure tunnel which is established based on the first authentication (client and server authentication). In this way, the critical data remain inside the security domain of the communications network operator, keeping the security level high and providing the same trust level between subscribers and the network operator. Furthermore, this is a low cost solution as it does not require any additional hardware.
Preferably, the client and server authentication is based on certificates associated with the client and the server.
In one embodiment of the invention, the hosting party authentication is performed inside the protected channel. The protected or secure channel may be a TLS tunnel. Communication within the tunnel may be based on a HTTP protocol.
In a further embodiment of the invention, a common secret is generated based on the authentication of the hosting party and distributed to the server and the client.
The invention also provides a client, which is adapted to perform authentication with a server in a communications network based on server and client certificates. The client is also adapted to establish a protected channel to the server and to perform an authentication of the hosting party with a subscriber database when it has established the protected channel successfully.
Preferably the client is further adapted to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client. The common secret is received at the client after the client has successfully performed the hosting party authentication.
The invention further provides a server, which is adapted to perform authentication with a client in a communication network based on server and client certificates, while establishing a protected channel to a client. When the protected channel has been established successfully by the server, the server is adapted to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client.
In another aspect of the invention, a method of authenticating a hosting party of a client in a communications network is provided. The hosting party authenticates a subscriber database of the communications network via a secure network interface. A server generates a common secret from which parameters used to establish a protected channel are derived on both client and server sides of the protected channel. The server distributes the common secret via the network interface to the client. The common secret establishes the protected channel towards the server. In other words, parameters generated from the common secret are used to establish a secure channel in which secure communication towards the server can take place. This provides the advantage that no additional hardware is required; therefore the cost is kept low while maintaining a high level of security.
A client is provided comprising means for performing a hosting party authentication with a subscriber database in a communications network. Preferably, the client is further adapted to receive a common secret via a secure network interface and to generate parameters derived from the common secret to establish a protected channel towards a server.
In a further aspect of the invention, a server is adapted to generate a common secret from which parameters to establish a protected channel towards a client can be derived. The server is further adapted to forward the common secret towards the client.
Preferably, the common secret is forwarded via a communication path to the client via the secure network interface. The communication path is a different communication path from the protected channel.
The invention will now be described, by way of example only, with reference to specific embodiments, and to the accompanying drawings, in which:
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a simplified schematic diagram of a communications network implementing a method according to an embodiment of the invention; and
Figure 2 is a simplified schematic diagram of two communications networks implementing a method according to an embodiment of the invention.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
Figure 1 shows a communications network including a client HNB that may be connected to a server HMS over a secure interface Ua. The client HNB is shown here as a Home NodeB and the server as a Home Management System. However, this is only an example and the client and server may be components of any communications network, either fixed, mobile or a combination of both. The client HNB may provide access to a mobile communications network and/or to a fixed network. The client HNB includes a network authentication module NAM, which can be a SIM, USIM or UICC, for example, and is the technical representative of a hosting party. The server HMS includes a network application function NAF coupled to a bootstrapping node BN running a bootstrapping function (BSF), e.g. by a Zn proxy. The bootstrapping node BN is coupled to a home location register HLR, which contains information about subscribers to the network (subscriber database), and is also coupled to the network authentication module NAM over an interface Ub. The bootstrapping node BN and the home location register HLR are components of a security domain SD of the network.
The client HNB is provided with a client certificate (and related private key) provided by the manufacturer and signed by its own certification authority. The network operator provides the client HNB with the root certificate of the operator. The server HMS is also provided with a server certificate (and related private key) provided by the mobile network operator and signed by its own certification authority. The mobile network operator puts the root certificate of the manufacturer into the server. Furthermore, the mobile network operator provides the hosting party (owner) of the client HNB with the network authentication module NAM, e.g. a UICC containing a USIM. The home location register HLR of the mobile network contains a subscriber database having the entry for the NAM (USIM).
In operation, the client HNB communicates with the network application function NAF in the server HMS over the Ua interface, which is a secure communication path. The client HNB and the server HMS authenticate each other by means of their client and server certificates using a generic bootstrapping architecture (GBA). The client and server authentication may be mutual or just one-sided. Using this authentication of the client HNB and the server HMS, a protected or secure channel PC, e.g. a TLS tunnel, is established between the client HNB and the server HMS. The server then receives a common or shared secret from the BSF run on the bootstrapping node BN via the Zn interface, and authentication of the network authentication module NAM is then performed with the server HMS inside the protected channel PC using the common secret. At the same time, the client HNB authenticates the network authentication module NAM with the subscriber database stored in the home location register HLR using the BSF run on the bootstrapping node BN. If this authentication is successful, then it is proved that the client HNB and the network authentication module are "bound together". Only if the client HNB, the server HMS and the network authentication module NAM (hosting party) are all authenticated successfully can a connection be established between the client HNB and the server HMS. In other words, keys are generated by the client and server authentication on the secure path (over the Ua interface), which does not itself support the hosting party authentication; these keys are then used to set up a secure and protected channel (also over the Ua interface) in which hosting party authentication is supported.
Figure 2 shows two related communications networks in which an authentication method according to a second embodiment of the invention is used. In this embodiment, secret information, such as keys, is generated using one communication path (e.g. an air interface) and is used to establish a separate, different communication path, which is a protected channel. The first communications network MNO is a mobile network having a home base station as a client HNB, which is an access point to the first network MNO, and a home location register HLR accessed via a public base station PBS, in which information about subscribers to the network is contained in a subscriber database. The client HNB has a network authentication module NAM, e.g. a SIM card, USIM or UICC. The client HNB can connect with the mobile network MNO and the home location register HLR included therein via an air interface I1 and the base station PBS.
The second communications network FNO is a fixed network. The client HNB can have access through the second network FNO to a server HMS over an interface I2, e.g. a DSL line. The hosting party, who owns the client HNB and holds the hosting party identification, subscribes to the first network MNO, which is trusted. The second network FNO is not trusted by the hosting party.
In operation of the second embodiment of the invention, the network authentication module NAM in the client HNB, which is the technical representative of a hosting party, performs an authentication with the subscriber database located in the home location register HLR of the network over the network interface Ua. The server HMS then generates a common secret and forwards the common secret to the client HNB over the communication path (network interface) I2. Alternatively, the server HMS may forward the common secret to the client HNB over the mobile network MNO. For example, the server HMS can send the common secret via an SMS or email to an SMS centre in the first network MNO, which then forwards the SMS or email to the client HNB. The common secret could be a one time password or a SIM challenge (out of triplets derived from the home location register HLR).
Parameters derived from the generated common secret are then used by the client HNB to establish a protected channel PC towards the server HMS over the interface I2, which is then used as a communication path between the client and the server. This communication path over the protected channel PC is secure and therefore the client HNB may communicate with the server HMS in the network FNO, even though the network FNO is not trusted. In other words, communication between the client HNB and the public base station PBS in the first network MNO is used to transfer parameters typical of the first network MNO, which are used to secure a tunnel (the protected channel PC) between the access point and a node on the second network FNO; i.e., from the client HNB, and the first network MNO, through the untrusted second network FNO to the server HMS.
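The second embodiment's flow, as an added Python example that is not part of the patent: the NAM proves itself to the HLR, the server HMS issues a common secret, and both ends derive the protected-channel parameters from it; the derive-and-compare step is the same check the first embodiment performs inside its TLS channel. The HLR table, IMSI and Ki are constructed sample data, and HMAC-SHA256 stands in both for the USIM algorithms and for the parameter derivation (both assumptions).

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber database (the HLR): IMSI -> long-term key Ki.
HLR_DB = {"IMSI-001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def sim_response(ki, rand):
    """Challenge response computed from Ki by both the NAM (USIM) and the HLR.
    HMAC-SHA256 is an assumed stand-in for the real USIM algorithms."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]


def hosting_party_auth(imsi, nam_ki):
    """Step 1: the NAM authenticates with the subscriber database over the trusted MNO."""
    rand = secrets.token_bytes(16)                    # challenge issued by the HLR
    expected = sim_response(HLR_DB[imsi], rand)       # HLR side, using the stored Ki
    response = sim_response(nam_ki, rand)             # NAM side, using its own Ki
    return hmac.compare_digest(expected, response)


def derive_pc_params(common_secret, client_id, server_id):
    """Step 3: protected-channel parameters derived from the common secret on each side.
    The HMAC derivation bound to both endpoint identities is an assumed construction."""
    label = b"PC|" + client_id + b"|" + server_id
    return hmac.new(common_secret, label, hashlib.sha256).digest()


def establish_pc(imsi, nam_ki, client_id=b"HNB", server_id=b"HMS"):
    """Runs the flow end to end; returns (channel_key, outcome)."""
    if not hosting_party_auth(imsi, nam_ki):
        return None, "hosting party rejected by HLR"  # no common secret is ever issued
    # Step 2: the server HMS generates the common secret (a one-time password here) and
    # forwards it to the client HNB, over I2 or via an SMS relayed through the MNO.
    common_secret = secrets.token_bytes(32)
    delivered = bytes(common_secret)                  # the copy that reaches the HNB
    server_key = derive_pc_params(common_secret, client_id, server_id)
    client_key = derive_pc_params(delivered, client_id, server_id)
    # A node on the untrusted FNO that relays the traffic but never received the
    # common secret derives something else entirely, so the tunnel stays opaque to it.
    relay_key = derive_pc_params(secrets.token_bytes(32), client_id, server_id)
    if relay_key == server_key or not hmac.compare_digest(server_key, client_key):
        return None, "protected channel parameters do not match"
    return server_key, "protected channel established over untrusted FNO"
```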
Although the invention has been described hereinabove with reference to specific embodiments, it is not limited to these embodiments and no doubt further alternatives will occur to the skilled person that lie within the scope of the invention as claimed.

Claims

1. A method of performing an authentication in a communications network, the method comprising establishing a secure first path for transmitting and receiving data over the communications network, establishing a second path, performing authentication of a network authentication module on the second path and, upon successful authentication of the network authentication module, generating secret information in a secure domain and using the secret information to authenticate the network authentication module, a client and a server involved in communication over the first path, wherein the second path allows a network authentication module authentication procedure not supported on the first path.
2. A method of authenticating a hosting party of a client in a communications network, the method comprising establishing a protected channel using authentication of a client and a server, and subsequently authenticating the hosting party using the server so that only an authenticated client is allowed to establish a connection to an authenticated server.
3. The method according to claim 2, wherein the client and server authentication is based on certificates associated with the client and the server.
4. The method according to claim 2 or claim 3, wherein the hosting party authentication is performed inside the protected channel.
5. The method according to any of claims 2 to 4, further comprising generating a common secret based on the authentication of the hosting party and distributing the common secret to the server and the client.
6. The method according to any one of claims 1 to 5, wherein the protected channel is a TLS tunnel.
7. A client adapted to perform authentication with a server in a communication network based on server and client certificates while establishing a protected channel to the server and being further adapted to perform an authentication of the hosting party with a subscriber database when it has established the protected channel successfully.
8. The client according to claim 7, being further adapted, after having successfully performed the hosting party authentication, to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client.
9. A server adapted to perform authentication with a client in a communication network based on server and client certificates while establishing a protected channel to a client and, when established successfully, adapted to receive a common secret from a bootstrapping function run on a bootstrapping node used to communicate with the client.
10. A method of authenticating a hosting party of a client in a communications network, wherein the hosting party authenticates a subscriber database of the communications network via a secure network interface, a server generates a common secret from which parameters used to establish a protected channel are derived on both client and server sides of the protected channel, and the server distributes the common secret via a network interface to the client, wherein the common secret establishes the protected channel towards the server.
11. A client, comprising means for performing a hosting party authentication with a subscriber database in a communications network.
12. The client according to claim 11, being further adapted to receive a common secret via a secure network interface and to generate parameters derived from the common secret to establish a protected channel towards a server.
13. A server adapted to generate a common secret from which parameters to establish a protected channel towards a client can be derived and adapted to forward the common secret towards the client.
14. The server according to claim 13, wherein the common secret is forwarded via a communication path to the client via the secure network interface, wherein the communication path is a different communication path from the protected channel.
PCT/EP2009/060920 2009-08-25 2009-08-25 Method of performing an authentication in a communications network WO2011023223A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/060920 WO2011023223A1 (en) 2009-08-25 2009-08-25 Method of performing an authentication in a communications network

Publications (1)

Publication Number Publication Date
WO2011023223A1 true WO2011023223A1 (en) 2011-03-03

Family

ID=42288961

Country Status (1)

Country Link
WO (1) WO2011023223A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104869116A (en) * 2015-05-12 2015-08-26 中国人民解放军信息工程大学 Telecommunication network signaling safety active protection method
WO2023216276A1 (en) * 2022-05-13 2023-11-16 北京小米移动软件有限公司 Authentication method and apparatus, and communication device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070042754A1 (en) * 2005-07-29 2007-02-22 Bajikar Sundeep M Security parameter provisioning in an open platform using 3G security infrastructure
WO2010036611A1 (en) * 2008-09-24 2010-04-01 Interdigital Patent Holdings, Inc. Home node-b apparatus and security protocols
WO2010069202A1 (en) * 2008-12-15 2010-06-24 华为技术有限公司 Authentication negotiation method and the system thereof, security gateway, home node b

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
3GPP: "3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; Security of H(e)NB; (Release 8)", 3GPP STANDARD; 3GPP TR 33.820, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V8.1.0, 1 June 2009 (2009-06-01), pages 1 - 78, XP050376886 *
3GPP: "Smart Cards; Secure channel between a UICC and an end-point terminal (Release 7)", TECHNICAL SPECIFICATION, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS ; FRANCE, no. V7.4.0, 1 June 2009 (2009-06-01), XP014044474 *
GSMA: "Femtocell Deployment Security Issues White Paper", 3GPP DRAFT; S3-081097 GSMA FCG SECURITY WHITE PAPER, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. Sophia; 20080918, 18 September 2008 (2008-09-18), XP050334141 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09782154

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09782154

Country of ref document: EP

Kind code of ref document: A1