WO2013109417A2 - Notarized ike-client identity and info via ike configuration payload support - Google Patents

Notarized ike-client identity and info via ike configuration payload support Download PDF

Info

Publication number
WO2013109417A2
WO2013109417A2 PCT/US2013/020292 US2013020292W WO2013109417A2 WO 2013109417 A2 WO2013109417 A2 WO 2013109417A2 US 2013020292 W US2013020292 W US 2013020292W WO 2013109417 A2 WO2013109417 A2 WO 2013109417A2
Authority
WO
WIPO (PCT)
Prior art keywords
information
ike
fap
access point
client
Prior art date
Application number
PCT/US2013/020292
Other languages
French (fr)
Other versions
WO2013109417A3 (en
Inventor
Zaifeng Zong
Xiaoyun Zhou
Tricci So
Li Zhu
Original Assignee
Zte Corporation
Zte (Usa) Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zte Corporation, Zte (Usa) Inc. filed Critical Zte Corporation
Publication of WO2013109417A2 publication Critical patent/WO2013109417A2/en
Publication of WO2013109417A3 publication Critical patent/WO2013109417A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • H04W84/042Public Land Mobile systems, e.g. cellular systems
    • H04W84/045Public Land Mobile systems, e.g. cellular systems using private Base Stations, e.g. femto Base Stations, home Node B

Definitions

  • IPSec IKEv2 has been adopted by many standardized network solutions to provide the secure transport between network elements over third party's infrastructure.
  • Today Femtocell deployment requires the mobile operator's Femtocell AP (FAP) to leverage the IPSec IKEv2 to support mutual authentication and data protection between the insecure Femtocell, which typically deployed in customer's premise, and its corresponding mobile core network.
  • FAP Femtocell AP
  • IKE-client i.e. IKE-initiator
  • IKE-server i.e. IKE- responder
  • IKEv2 IKEv2 standard
  • the notarized information can then be used by IKE-client to present to any 3 rd party who has trusted relationship with IKE-server to use as the proof of the true identity of the IKE-client and to use to verify for the information presented by IKE-client.
  • the present invention relates to a method for extending the IKE mutual authentication capability and the configuration payload mechanism to support the IKE-server (i.e. IKE responder) to notarize the IKE-client (i.e. IKE initiator)'s identity and the specified information provided by IKE-client which can be used to present to 3 rd party who has trust relationship with IKE-server in order to certify the IKE-client's identity and the information that is provided.
  • IKE-server i.e. IKE responder
  • IKE-client i.e. IKE initiator
  • Femtocell AP Femtocell AP
  • SeGW Security Gateway
  • the FAP is mutually authenticated with the Security Gateway (SeGW) (e.g. via IKEv2 with public key signature based
  • the SeGW knows the real identity of the FAP.
  • the operator's core network will depend on the information provided by the FAP which is transparent to the intermediate SeGW to proceed network operation decisions.
  • a compromised FAP may present false information (e.g. a wrong Closed Subscriber Group Identity (CSG ID) or false access mode for 3GPP defined mobile network architecture) to the mobile operator's core network that could not be able to validate in order to influence the wrong system behavior in the network.
  • CSG ID Closed Subscriber Group Identity
  • a solution to address the above security gap is to have the SeGW which has the ability to validate the FAP to notarize the FAP information and generate a notarized signature.
  • the FAP When the FAP needs to provide FAP information to the operator's core network, the FAP sends the FAP information together with the notarized signature certified by SeGW. The operator's core network can then verify the FAP information by validating the SeGW's notarized signature.
  • Figure-1 presents an overview of the routing paths for the NS-WLAN Offload and Non-3GPP Access.
  • the H(e)NB is one variant of FAP defined by 3GPP
  • H(e)NB GW and H(e)MS are equivalent to Femto Gateway and Femto Management as defined in Femto generic architecture, respectively.
  • the AAA server is used to support the authentication between the FAP and SeGW via IKEv2 EAP.
  • IPSec tunnel based on tunnel mode is established over the ISP which is considered as insecure link between FAP and SeGW.
  • This IPSec tunnel is used to protect the transport of mobile operator specific signaling information exchange and its mobile subscriber's traffic.
  • a FAP Femtocell Access Point
  • a FAP is typically designed in home or enterprise environment.
  • Femtocell is a low-powered wireless access point that operates in licensed spectrum to connect standard mobile devices to a mobile operator's networking using residential broadband connections.
  • Femtocell Gateway is the concentrate point of multiple FAPs.
  • Femto Management is the management system used to manage FAP.
  • a Security Gateway provides secure termination and aggregation for users and signaling traffic to reach the mobile operator's core network. Examples of functions provided by Security Gateway are IPSec Encryption, DoS Mitigation, Dynamic Session Security and Real-time Bandwidth management to provide security for mobile operators' networks and their users.
  • Node B the FAP defined by 3GPP, supports 2nd/3rd generation radio mode or LTE radio mode. It's called HNB when it supports 2 nd /3 rd generation radio mode, and HeNB when it supports LTE radio mode.
  • H(e)NB GW is the concentrate point of H(e)NBs, it controls the H(e)NB registration, and handles 3GPP specific signaling.
  • the H(e)MS is used to send configuration parameters to the H(e)NB and to manage the H(e)NB by the mobile operator.
  • User equipment it's a mobile terminal defined by 3GPP.
  • an IPSec tunnel will be established between the SeGW and the FAP.
  • This IPSec tunnel will be used to protect the transport of the signaling between the FAP and the operator's core network, as well as user packets.
  • the signaling between the FAP and the operator's core network is encapsulated in the inner IP packet of the IPSec tunnel and is transparent to the SeGW.
  • the operator's core network After successful mutual authentication between the FAP and the SeGW, the operator's core network does not verify the FAP information sent by the FAP. This introduces a security threat when a FAP is compromised (e.g. impersonation), by injecting false information to the mobile operator's core network over the established IPSec tunnel with SeGW.
  • a FAP is compromised (e.g. impersonation)
  • SeGW is the trusted gateway entry to the core network domain, and given the mutual authenticated relationship between the SeGW and the FAP, hence, it would be reliable to have the SeGW to certify all the information that is sent by the FAP prior to the core network to process the information.
  • SeGW has no standardized interface to the mobile core network entities which perform the UE access control based on the FAP information.
  • SeGW is not specific designed for FAP deployment and hence, there is no justification to define specific interface to the mobile network entities.
  • a simple solution that is proposed to resolve this issue is to notarize the FAP information by the SeGW once the SeGW verifies the identity of the FAP.
  • the notarized signature for the FAP information will be feedback to the FAP using the secured Configuration Payload (CP) as defined by IKEv2 today.
  • the FAP will then send the FAP information together with the corresponding SeGW notarized signature to its mobile operator's core network.
  • the core network verifies the FAP information by validating the SeGW notarized signature prior to the acceptance of the
  • This solution requires minimum changes to the existing RFC 5996 - Internet Key Exchange Protocol Version 2 (IKEv2) to provide a standardized solution, and it does not introduce any backward incompatibility issue to the existing RFC, the existing specification, the existing architecture and the existing implementation.
  • IKEv2 Internet Key Exchange Protocol Version 2
  • the existing IKEv2 Configuration Payload (CP) is extended to allow the IKE- initiator to specify the information that is required to be notarized, and to allow the IKE-responder (i.e., SeGW) to insert the notarized signature of the FAP information into the CP to be sent back to the IKE-initiator (i.e., FAP) after the peers are successfully mutually authenticated.
  • FAP i.e. IKE-initiator
  • o CP is part of the IKEv2 parameters which is generally supported by existing FAP-SeGW IPSec/iKEv2 authentication procedures. o Each CP is designed to be standalone and orthogonal to each other, and hence, no concern for backward incompatibility to the existing IKEv2 procedures that are supported by the FAP.
  • Figure 2 describes the high-level control flows on how the IKEv2 CP is used to carry the FAP information and SeGW's notarized signature of the FAP information.
  • Figure 1 FAP Generic System Architecture with an example of 3GPP H(e)NB Network Configuration
  • Figure 2 Example of the IKEv2 Configuration Payload solution to carry the SeGW's Notarized Signature of the FAP information
  • C LI E NT_NOTARIZED_l N FO - This info is provided by the initiator which is operated as a client in the IPSEC tunnel mode.
  • the client provides the information that requires the server to notarize in the CFG_REQUEST so that the notarized signature can be validated by the 3 rd party to verify the client's true identity and the information that is provided by the client. More details are described in 3.15.x.
  • SERVER NOTARIZED SIGNATURE This signature is generated only by the responder which is operated as a server in the IPSEC tunnel mode.
  • the responder notarizes the information provided by the initiator received over the CFG_REQUEST If both the initiator and responder are mutually authenticated, the responder generates the notarized signature based on the information provided by the initiator and the signature will be inserted in CFG_REPLY. More details are described in 3.15.y.
  • the Configuration payload is used by the IKE initiator to request its corresponding IKE responder via the CFG_REQUEST to notarize the info that is carried by this payload.
  • the exact content of this CP and the algorithm of the notarize operation to generate the signature is outside the scope of IETF.
  • the Configuration payload is used by the IKE responder to respond its corresponding IKE initiator via the CFG_REPLY to carry the notarized client's info by this payload.
  • the exact content of this CP and the algorithm of the notarize operation to generate the signature is outside the scope of IETF.
  • CP(CFG_REPLY) SERVER_NOTARIZED_SIGNATURE(yy%)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Systems and methods for notarizing access point information are disclosed. An access point provides identity information to a gateway, wherein the gateway notarizes the identify information with a notarized signature. The notarized signature for the FAP information is sent to the access point. The access point sends both the identity information and the corresponding notarized signature to a core network associated with the access point. The core network verifies the FAP information by validating the gateway notarized signature prior to acceptance of the identity information.

Description

SPECIFICATION
TITLE
NOTARIZED IKE-CLIENT IDENTITY AND INFO VIA IKE CONFIGURATION PAYLOAD SUPPORT
[0001] IPSec IKEv2, RFC 5996, has been adopted by many standardized network solutions to provide the secure transport between network elements over third party's infrastructure. Today Femtocell deployment requires the mobile operator's Femtocell AP (FAP) to leverage the IPSec IKEv2 to support mutual authentication and data protection between the insecure Femtocell, which typically deployed in customer's premise, and its corresponding mobile core network.
• A known security threat has been identified in Femto architecture for failing to validate the FAP's identity and information provided by FAP at the mobile operator's core network.
• This invention leverages the mutual authentication protocol handshake
operation between the IKE-client (i.e. IKE-initiator) and I KE-server (i.e. IKE- responder) in today IKEv2 standard to enable the I KE-server to notarize the information specified by the IKE-client. The notarized information can then be used by IKE-client to present to any 3rd party who has trusted relationship with IKE-server to use as the proof of the true identity of the IKE-client and to use to verify for the information presented by IKE-client. In order to enable the IKE-client to specify the required information to be notarized, and to enable the IKE-server to feedback the notarized information to the IKE-client, a simple extension to the IKEv2 Configuration Payload is proposed by this invention to be used as the carriage to transport these two pieces of information between the IKE peers. FIELD OF THE INVENTION
[0002] The present invention relates to a method for extending the IKE mutual authentication capability and the configuration payload mechanism to support the IKE-server (i.e. IKE responder) to notarize the IKE-client (i.e. IKE initiator)'s identity and the specified information provided by IKE-client which can be used to present to 3rd party who has trust relationship with IKE-server in order to certify the IKE-client's identity and the information that is provided.
BACKGROUND
[0003] Today many network solutions leverage the IPSec IKEv2 to provide the secure transport as well as some form remote configuration support for their network elements over third party infrastructure (e.g. ADSL, Cable etc.).
[0004] The standardized Femtocell architecture from Femto Forum as well as from many mobile standards (e.g. 3GPP, 3GPP2 and WiMAX) are good examples that all have common architecture to leverage the IPSec IKEv2 to interconnect the
Femtocell AP (FAP) with the Security Gateway (SeGW).
[0005] In typical Femtocell deployment, the FAP is mutually authenticated with the Security Gateway (SeGW) (e.g. via IKEv2 with public key signature based
authentication with certificates). Hence, the SeGW knows the real identity of the FAP. However, since there is no interface between the SeGW and Operator's core network elements, the operator's core network will depend on the information provided by the FAP which is transparent to the intermediate SeGW to proceed network operation decisions. A compromised FAP may present false information (e.g. a wrong Closed Subscriber Group Identity (CSG ID) or false access mode for 3GPP defined mobile network architecture) to the mobile operator's core network that could not be able to validate in order to influence the wrong system behavior in the network. [0006] A solution to address the above security gap is to have the SeGW which has the ability to validate the FAP to notarize the FAP information and generate a notarized signature. When the FAP needs to provide FAP information to the operator's core network, the FAP sends the FAP information together with the notarized signature certified by SeGW. The operator's core network can then verify the FAP information by validating the SeGW's notarized signature.
The following presents the generic Femtocell architecture and an example of Femtocell network configuration defined by 3GPP.
[0007] Figure-1 presents an overview of the routing paths for the NS-WLAN Offload and Non-3GPP Access.
[0008] In figure 1 , the H(e)NB is one variant of FAP defined by 3GPP, H(e)NB GW and H(e)MS are equivalent to Femto Gateway and Femto Management as defined in Femto generic architecture, respectively. The AAA server is used to support the authentication between the FAP and SeGW via IKEv2 EAP.
[0009] Since in Femto architecture, the device and server configuration are used and hence IPSec tunnel based on tunnel mode is established over the ISP which is considered as insecure link between FAP and SeGW. This IPSec tunnel is used to protect the transport of mobile operator specific signaling information exchange and its mobile subscriber's traffic.
TERMINOLOGY
[0010] FAP
Femtocell Access Point, a FAP is typically designed in home or enterprise environment.
[0011] Femtocell
Femtocell is a low-powered wireless access point that operates in licensed spectrum to connect standard mobile devices to a mobile operator's networking using residential broadband connections.
[0012] Femto GW
Femtocell Gateway, is the concentrate point of multiple FAPs.
[0013] Femto Management
Femto Management is the management system used to manage FAP.
[0014] SeGW
A Security Gateway provides secure termination and aggregation for users and signaling traffic to reach the mobile operator's core network. Examples of functions provided by Security Gateway are IPSec Encryption, DoS Mitigation, Dynamic Session Security and Real-time Bandwidth management to provide security for mobile operators' networks and their users.
[0015] H(e)NB
Home (evolved) Node B, the FAP defined by 3GPP, supports 2nd/3rd generation radio mode or LTE radio mode. It's called HNB when it supports 2nd/3rd generation radio mode, and HeNB when it supports LTE radio mode.
[0016] H(e)NB GW
H(e)NB GW is the concentrate point of H(e)NBs, it controls the H(e)NB registration, and handles 3GPP specific signaling.
[0017] H(e)MS
H(e)NB management system, the H(e)MS is used to send configuration parameters to the H(e)NB and to manage the H(e)NB by the mobile operator. [0018] UE
User equipment, it's a mobile terminal defined by 3GPP.
[0019] There is a recent study identifying a security threat in Femtocell architecture for failing to validate the FAP's identity and information provided by FAP at the mobile operator's core network.
[0020] In Femtocell architecture, an IPSec tunnel will be established between the SeGW and the FAP. This IPSec tunnel will be used to protect the transport of the signaling between the FAP and the operator's core network, as well as user packets. The signaling between the FAP and the operator's core network is encapsulated in the inner IP packet of the IPSec tunnel and is transparent to the SeGW.
[0021] After successful mutual authentication between the FAP and the SeGW, the operator's core network does not verify the FAP information sent by the FAP. This introduces a security threat when a FAP is compromised (e.g. impersonation), by injecting false information to the mobile operator's core network over the established IPSec tunnel with SeGW.
[0022] Since FAP is resided at the untrusted domain (i.e. customer premise), whereas SeGW is the trusted gateway entry to the core network domain, and given the mutual authenticated relationship between the SeGW and the FAP, hence, it would be reliable to have the SeGW to certify all the information that is sent by the FAP prior to the core network to process the information.
[0023] Unfortunately, in today generic and even technology specific FAP architecture, SeGW has no standardized interface to the mobile core network entities which perform the UE access control based on the FAP information. One of the main reasons is because SeGW is not specific designed for FAP deployment and hence, there is no justification to define specific interface to the mobile network entities. Never-the-less, it is outside the scope of this document to discuss the motivation behind such architecture decision.
[0024] Besides, given the existing deployment for FAP for mobile operator, it is too late to change the existing architecture which will introduce backward incompatibility for the network configuration. The most desirable solution to resolve the issue is by software upgrade with a backward compatible simple change.
SUMMARY OF THE INVENTION
[0025] A simple solution that is proposed to resolve this issue is to notarize the FAP information by the SeGW once the SeGW verifies the identity of the FAP. The notarized signature for the FAP information will be feedback to the FAP using the secured Configuration Payload (CP) as defined by IKEv2 today. The FAP will then send the FAP information together with the corresponding SeGW notarized signature to its mobile operator's core network. The core network verifies the FAP information by validating the SeGW notarized signature prior to the acceptance of the
information.
[0026] This solution requires minimum changes to the existing RFC 5996 - Internet Key Exchange Protocol Version 2 (IKEv2) to provide a standardized solution, and it does not introduce any backward incompatibility issue to the existing RFC, the existing specification, the existing architecture and the existing implementation.
[0027] The details on how to derive the SeGW notarized signature will not be defined by IETF as the IKEv2 CP is just used as a carriage to transport the signature. It is within scope of the mobile operators to work with their SeGW vendors to define their own algorithm of how the signature is computed.
[0028] The existing IKEv2 Configuration Payload (CP) is extended to allow the IKE- initiator to specify the information that is required to be notarized, and to allow the IKE-responder (i.e., SeGW) to insert the notarized signature of the FAP information into the CP to be sent back to the IKE-initiator (i.e., FAP) after the peers are successfully mutually authenticated.
[0029] The major advantages of this proposal are as follows:
- Simple extension to the existing IKEv2 RFC 5996 o only a new code point is required to be defined for the CP to
indicate the carriage of the SeGW's notarized signature of the FAP information.
- Fully compatibility to the existing architecture and procedures o FAP (i.e. IKE-initiator) has signaling path with operator's core
network to pass the FAP information and the signature. o CP is part of the IKEv2 parameters which is generally supported by existing FAP-SeGW IPSec/iKEv2 authentication procedures. o Each CP is designed to be standalone and orthogonal to each other, and hence, no concern for backward incompatibility to the existing IKEv2 procedures that are supported by the FAP.
- No impact to the existing security mechanisms for the end-to-end system and the existing protocols o the new added code point has no impact to the IKEv2
Configuration Payload to continue the use of the existing IKEv2 security mechanism.
[0030] Figure 2 describes the high-level control flows on how the IKEv2 CP is used to carry the FAP information and SeGW's notarized signature of the FAP information. BRI EF DESCRIPTION OF THE DRAWINGS
[0031] Figure 1 : FAP Generic System Architecture with an example of 3GPP H(e)NB Network Configuration
[0032] Figure 2: Example of the IKEv2 Configuration Payload solution to carry the SeGW's Notarized Signature of the FAP information
DETAILED DESCRIPTION OF THE INVENTION
[0033] As described in the section "Summary Of The Invention" above, this invention introduces "two" new code points and the corresponding descriptions to be added to RFC 5996 for the IKEv2 Configuration Payload section, are shown as follows:
Attribute Type Value Multi-Valued Length
CLIENT_NOTARIZED_INFO 16 NO 0 or more
SERVER_NOTARIZED_SIGNATURE 17 NO 0 or more
[0034] C LI E NT_NOTARIZED_l N FO - This info is provided by the initiator which is operated as a client in the IPSEC tunnel mode. The client provides the information that requires the server to notarize in the CFG_REQUEST so that the notarized signature can be validated by the 3rd party to verify the client's true identity and the information that is provided by the client. More details are described in 3.15.x.
[0035] SERVER NOTARIZED SIGNATURE - This signature is generated only by the responder which is operated as a server in the IPSEC tunnel mode. The responder notarizes the information provided by the initiator received over the CFG_REQUEST If both the initiator and responder are mutually authenticated, the responder generates the notarized signature based on the information provided by the initiator and the signature will be inserted in CFG_REPLY. More details are described in 3.15.y.
[0036] 3.15.x Configuration Payloads for CUENT_NOTARIZEDJNFO
[0037] The Configuration payload is used by the IKE initiator to request its corresponding IKE responder via the CFG_REQUEST to notarize the info that is carried by this payload. The exact content of this CP and the algorithm of the notarize operation to generate the signature is outside the scope of IETF.
[0038] A minimal exchange might look like this:
CP(CFG_REQUEST) = CLIENT JSIOTARIZED_INFO(xx....)
[0039] 3.15.y Configuration Payloads for SERVER_NOTARIZED_SIGNATURE
[0040] The Configuration payload is used by the IKE responder to respond its corresponding IKE initiator via the CFG_REPLY to carry the notarized client's info by this payload. The exact content of this CP and the algorithm of the notarize operation to generate the signature is outside the scope of IETF.
[0041] A minimal exchange might look like this:
CP(CFG_REPLY) = SERVER_NOTARIZED_SIGNATURE(yy...)
References
[1] [RFC 5996] Internet Key Exchange Version 2, C. Kaulman et al
http://www.rfc-editor.org/rfc/rfc5996.txt
[2] [RFC 5389] Session Traversal Utility for NAT, J. Rosenberg et al,
http://www.rfc-editor.org/rfc/rfc5389.txt
[3] S3-1 10307:
http://www.3qpp.org/ftp/tsa sa/WG3 Securitv/TSGS3 63 Chenqdu/Docs/S3- 110307
[4] S3-110545:
http://www.3gpp.org/ftp/tsg sa/WG3 Securitv/TSGS3 63 Chengdu/Docs/S3- 110545
[5] Infosec Pals article - UMA FemtoCell Security Concerns:
http://infosecpals.com/blog/articles/uma-femtocell-securitv-concerns

Claims

1. A method for notarizing internet key exchange (IKE) identity of a client associated with an access point, comprising: providing, by the access point, information associated with the identity of the access point, to a gateway, wherein the gateway notarizes the identify information; and sending, by the access point, both the identify information and the notarizing information to a core network corresponding to a mobile operator associated with the client.
2. The method of claim 1 , further comprising: validating, by the core network, the identity information and the notarizing information.
3. The method of claim 2, wherein the access point comprises a femto access point.
4. A system for notarizing internet key exchange (IKE) identity of a client, comprising: an access point associated with the client, configured to: provide Information associated with the identity of the access point, to a gateway; and send both the identify information and the notarizing information to a core network corresponding to a mobile operator associated with the client.
5. The system of claim 4, wherein the core network validates the identity information and the notarizing information.
6. The system of claim 5, wherein the access point is a femto access point.
7. An apparatus for notarizing internet key exchange (IKE) identity of a client, comprising: means for providing information associated with the identity of an access point associated with the client, to a gateway, wherein the gateway notarizes the identify information; and means for sending both the identify information and the notarizing information to a core network corresponding to a mobile operator associated with the client.
8. The apparatus of claim 7, further comprising: means for validating, by the core network, the identity information and the notarizing information.
PCT/US2013/020292 2012-01-18 2013-01-04 Notarized ike-client identity and info via ike configuration payload support WO2013109417A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261587772P 2012-01-18 2012-01-18
US61/587,772 2012-01-18

Publications (2)

Publication Number Publication Date
WO2013109417A2 true WO2013109417A2 (en) 2013-07-25
WO2013109417A3 WO2013109417A3 (en) 2013-09-12

Family

ID=48799800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/020292 WO2013109417A2 (en) 2012-01-18 2013-01-04 Notarized ike-client identity and info via ike configuration payload support

Country Status (1)

Country Link
WO (1) WO2013109417A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014177106A1 (en) * 2013-09-26 2014-11-06 中兴通讯股份有限公司 Network access control method and system
CN106685644A (en) * 2015-11-10 2017-05-17 阿里巴巴集团控股有限公司 Communication encryption method, apparatus, gateway, server, intelligent terminal and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050063352A1 (en) * 2002-03-20 2005-03-24 Utstarcom Incorporated Method to provide dynamic Internet Protocol security policy service
US20080076392A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for securing a wireless air interface
US20100125899A1 (en) * 2008-11-17 2010-05-20 Qualcomm Incorporated Remote access to local network via security gateway
US20110041003A1 (en) * 2009-03-05 2011-02-17 Interdigital Patent Holdings, Inc. METHOD AND APPARATUS FOR H(e)NB INTEGRITY VERIFICATION AND VALIDATION

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050063352A1 (en) * 2002-03-20 2005-03-24 Utstarcom Incorporated Method to provide dynamic Internet Protocol security policy service
US20080076392A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for securing a wireless air interface
US20100125899A1 (en) * 2008-11-17 2010-05-20 Qualcomm Incorporated Remote access to local network via security gateway
US20110041003A1 (en) * 2009-03-05 2011-02-17 Interdigital Patent Holdings, Inc. METHOD AND APPARATUS FOR H(e)NB INTEGRITY VERIFICATION AND VALIDATION

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
'TSGSA; Security of Home Node B (HNB) / Home evolved Node B (HeNB) (Release 9)' 3GPP TS 33.320 V9.4.0 December 2010, *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014177106A1 (en) * 2013-09-26 2014-11-06 中兴通讯股份有限公司 Network access control method and system
CN106685644A (en) * 2015-11-10 2017-05-17 阿里巴巴集团控股有限公司 Communication encryption method, apparatus, gateway, server, intelligent terminal and system

Also Published As

Publication number Publication date
WO2013109417A3 (en) 2013-09-12

Similar Documents

Publication Publication Date Title
Arbaugh et al. Your 80211 wireless network has no clothes
CN102347870B (en) A kind of flow rate security detection method, equipment and system
Hwang et al. A study on MITM (Man in the Middle) vulnerability in wireless network using 802.1 X and EAP
US20070055752A1 (en) Dynamic network connection based on compliance
WO2020174121A1 (en) Inter-mobile network communication authorization
CN102215487A (en) Method and system safely accessing to a private network through a public wireless network
Sharma et al. IP Multimedia subsystem authentication protocol in LTE-heterogeneous networks
Ajah Evaluation of enhanced security solutions in 802.11-based networks
Liyanage et al. Novel secure VPN architectures for LTE backhaul networks
Singh et al. Analysis of security issues and their solutions in wireless LAN
WO2013109417A2 (en) Notarized ike-client identity and info via ike configuration payload support
Gokulakrishnan et al. A survey report on VPN security & its technologies
US20140093080A1 (en) Method and system to differentiate and assigning ip addresses to wireless femto cells h(e)nb (home (evolved) nodeb) and lgw (local gateway) by using ikev2 (internet key exchange version 2 protocol) procedure
Rajavelsamy et al. Towards security architecture for home (evolved) nodeb: challenges, requirements and solutions
Yang et al. Link-layer protection in 802.11 i WLANS with dummy authentication
Eronen et al. An Extension for EAP-Only Authentication in IKEv2
Lei et al. 5G security system design for all ages
Wu et al. An approach for prevention of MitM attack based on rogue AP in wireless network
Cybersecurity et al. Guide to ipsec vpns
Feil 802.11 wireless network policy recommendation for usage within unclassified government networks
Samoui et al. Improved IPSec tunnel establishment for 3GPP–WLAN interworking
Iyer et al. Public WLAN Hotspot Deployment and Interworking.
Arora et al. Comparison of VPN protocols–IPSec, PPTP, and L2TP
Jiang et al. Network Security in RWNs
Yamamoto et al. Softwire Security Analysis and Requirements

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13738837

Country of ref document: EP

Kind code of ref document: A2

122 Ep: pct application non-entry in european phase

Ref document number: 13738837

Country of ref document: EP

Kind code of ref document: A2