KR100969782B1 - Authentication method and apparatus using privacy key management protocol in wireless broadband internet system - Google Patents

Abstract

The present invention relates to a method and system for authentication in a wireless communication system, and more particularly, to perform authentication using a secret key management protocol (PKM) during handover or network re-entry of a mobile terminal in a portable Internet system. A method and apparatus for the same. In the mobile Internet system according to the present invention, a method for authenticating a mobile terminal by a base station includes a ranging request (RNG-REQ) message for requesting access from a mobile terminal reentering the network in an idle state or handover state. Receiving the ranging request message and updating information for continuously providing a security service to the mobile terminal after receiving the ranging request message, in order to continuously provide the security service to the mobile terminal. Lanes that contain a Type Length Value (TLV) that does not include a SA Challenge Tuple that includes the attributes of a Security Association-Traffic Encryption Key Challenge message and indicates an update of the information. And transmitting a RNG-RSP message to the mobile terminal.

IEEE 802.16e, WiBro, PKM, Handover, Network re-entry

Description

Authentication method and device using private key management protocol in portable internet system {AUTHENTICATION METHOD AND APPARATUS USING PRIVACY KEY MANAGEMENT PROTOCOL IN WIRELESS BROADBAND INTERNET SYSTEM}

1 illustrates a hierarchical structure of a conventional IEEE 802.16e standard;

FIG. 2 is a diagram illustrating a three-stage SA-TEK procedure when a mobile terminal initially enters a network or undergoes reauthentication in an IEEE 802.16e system for better understanding of the present invention;

3 is a diagram illustrating a three-stage SA-TEK procedure when a mobile terminal reenters a handover or a network in an IEEE 802.16e system for better understanding of the present invention;

4 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle mode in the portable Internet system according to the first embodiment of the present invention;

5 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle mode in a portable Internet system according to a second embodiment of the present invention;

FIG. 6 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle mode in the portable Internet system according to the first embodiment of the present invention.

7 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle mode in a portable Internet system according to a second embodiment of the present invention.

8 is a block diagram of a mobile terminal and a base station in a portable Internet system according to an embodiment of the present invention.

The present invention relates to a method and system for authentication in a wireless communication system, and more particularly, to authentication using a secret key management protocol (PKM) during handover or network reentry of a mobile terminal in a mobile Internet system. It relates to a method and apparatus for performing the.

In general, a wireless communication system is a system developed for a case where a fixed wired network cannot be connected and used. Representative systems of such wireless communication systems include wireless LAN, WiBro, and mobile ad hoc networks, as well as general mobile communication systems that provide voice and data services.

Recently, due to the rapid development of computer, electronic, and communication technologies and increasing user demand for Internet services, there is an increasing need for a mobile communication system capable of efficiently providing Internet services. The most basic wireless communication service is a wireless voice call service that provides a voice call to a mobile terminal user wirelessly, which can provide a service regardless of time and place. It also supplements voice call service by providing text message service. In addition, there is an increasing demand for a wireless mobile communication system that can efficiently provide wireless Internet services due to the rapid increase in the demand for users' Internet services.

However, such a conventional mobile communication network has been developed mainly for voice service, which has a relatively small data transmission bandwidth, a high base station construction cost, and thus is slow and expensive to use, and there is a limitation of content available due to the small screen size of the mobile communication terminal. Have The IEEE 802.16 standardization group of the Institute of Electrical and Electronics Engineers (IEEE), one of the international standardization bodies, is a standard for providing wireless broadband Internet services to fixed terminals as IEEE 802.16, 802.16a, and 802.16 standards. The IEEE 802.16d standard, which integrates the b standard, is enacted. At the same time, the IEEE 802.16e standard is being proposed to provide wireless broadband Internet services to mobile terminals by improving IEEE 802.16d.

The IEEE 802.16d and 802.16e standards can transmit large amounts of data in a short time due to the wider bandwidth of data than the conventional wireless technology for voice service, and it is possible for all users to share the channel and use the channel efficiently. . Meanwhile, since the IEEE 802.16d standard is for providing broadband Internet service to a fixed terminal, the mobility of the terminal is not considered, and the IEEE 802.16e standard for providing broadband Internet service to a mobile terminal is also based on the IEEE 802.16d base. Currently, various service functions are lacking, including security functions for mobile terminals. Let's learn more about IEEE 802.16e.

IEEE 802.16e has established standards to provide wireless broadband Internet services for mobile terminals, and has a 2.3 GHz operating frequency band, orthogonal frequency division multiplexing (OFDM), orthogonal frequency division multiple access (OFDMA), and single carrier modulation (Single). The specification for Carrier Modulation) is presented. As a result, the data bandwidth is wider than that of the conventional voice service wireless technology, and thus a large amount of data can be transmitted in a short time, and the channel can be efficiently used.

Hereinafter, a hierarchical structure of the conventional IEEE 802.16e standard will be briefly described with respect to information protection (authentication) of a user and a terminal.

1 is a diagram illustrating a hierarchical structure of the conventional IEEE 802.16e standard.

The IEEE 802.16e layer of FIG. 1 is largely composed of the MAC layer 110 and the PHY layer 120 which are the physical layers, and a plurality of management planes 130a and 130b that manage the MAC layer 110 and the PHY layer 120. , 130c). The MAC layer 110 is responsible for security functions for the Service Specific Convergence Sublayer (CS) 111, the MAC Common Part Sublayer (MAC CPS) 112, and the mobile terminal. The security sublayer (SS) 113 is divided into, each layer is interconnected through a service access point (SAP). The MAC layer 110 defined in IEEE 802.16e is characterized in that the MAC common auxiliary layer 112 and the security auxiliary layer 113 are connected to each other like the MAC layer structure defined in IEEE 802.16d.

The service acquiring auxiliary layer (CS) 111 performs a function of converting a service protocol such as digital audio / video multicast, digital telephone, Internet access, etc. to conform to the 802.16e MAC protocol. The MAC Common Aid Layer (MAC CPS) 112 performs a function of creating a frame to transmit and receive data and control access to a shared wireless medium, and according to a MAC protocol defining how and when a base station or subscriber starts transmission and reception. Control the flow of data and control signals. The PHY layer 120 is responsible for a frequency band, a modulation scheme, an error correction technique, synchronization between a base station and a mobile terminal, data rate, and frame structure for wireless transmission of data and control signals.

The dual security secondary layer (SS) 113 encrypts / decrypts packet data adjacent to the PHY layer 120 and manages key related information for authentication and message authentication to allow legitimate users and terminals to enter the network. It functions to transmit Privacy Key Management protocol (PKM). The PKM protocol facilitates mutual authentication of the terminal and the base station as well as distribution of traffic keying material from the base station to the mobile terminal. In addition, it supports periodic reauthentication / reauthorization and key refresh. The PKM establishes a shared secret (AK: Authorization Key) between the mobile station and the base station through authentication. This AK is used to generate a key for message authentication and a key for encrypting a Traffic Encryption Key (TEK).

The base station can allow the access of the subscriber by authenticating the mobile terminal or the user, and protects it from an attacker using the mobile terminal by impersonating a legitimate subscriber. The terminal attempts periodic re-authentication and key refreshing to obtain authentication and traffic keying material from the base station. PKMv2 of IEEE 802.16e provides authentication based on RSA (Rivest Shamir Adleman) and Extensible Authentication Protocol (EAP).

RSA authentication belongs to terminal authentication using X.509 certificate, EAP is mostly user authentication, and there is a method of terminal authentication. RSA certification does not always need to go online, but requires a CA (Certificate Authority) that provides an X.509 certificate, and requires modular exponentiation calculations, which requires a lot of resources such as CPU and power for encryption and decryption. On the other hand, EAP requires AAA (Authentication, Authorization, Accounting) server to be connected at all times, and the number of messages sent / received is higher than that of RSA.

When a valid AK is shared through RSA or EAP authentication, SA-TEK 3-way handshake, SA-TEK challenge, SA-TEK SA-TEK Request and SA-TEK Response are performed. In order to reduce the delay that occurs when the mobile terminal reenters or handovers into the network, the SA-TEK 3-step procedure is performed. There is a need for a way to quickly connect to a network without doing the following.

The present invention relates to a method and apparatus for simplifying a procedure when a mobile terminal reenters a handover or a network in a portable internet system.

In the mobile Internet system according to the present invention, a method for authenticating a mobile terminal by a base station includes a ranging request (RNG-REQ) message for requesting access from a mobile terminal reentering the network in an idle state or handover state. Receiving the ranging request message and updating information for continuously providing a security service to the mobile terminal after receiving the ranging request message, in order to continuously provide the security service to the mobile terminal. Lanes that contain a Type Length Value (TLV) that does not include a SA Challenge Tuple that includes the attributes of a Security Association-Traffic Encryption Key Challenge message and indicates an update of the information. Sending a mobile station response message (RNG-RSP) message to the mobile station; When transmitting the ranging response message to the mobile terminal, the mobile terminal and the security-traffic encryption key: characterized by (Security Association - - Traffic Encryption Key TEK SA) does not perform a three-step process.

In the portable Internet system according to the present invention, a method for a mobile terminal to authenticate from a base station includes transmitting a ranging request (RNG-REQ) message to request access to the base station when reentering or handing over to a network. And receiving a ranging response (RNG-RSP) message from the base station as a response to the ranging request message, and a security association-traffic encryption key challenge to the ranging response message. Key) checking whether the SA Challenge Tuple including the attributes of the message is not included and including information indicating update of information required to provide a security service, and updating the information. If a TLV (Type Length Value) indicating is included, the TLV indicating the update of the information is included. Updating to a value included in the mobile terminal, and when the mobile station receives the ranging response message, a three-step procedure of a security association-traffic encryption key (SA-TEK) with the base station; It is characterized by not performing.
In the mobile communication system according to the present invention, a base station apparatus for authenticating a mobile terminal receives a ranging request (RNG-REQ) message for requesting access from the mobile terminal and sends a ranging response (RNG-RSP) to the mobile terminal. And a transmitter / receiver for transmitting a message and, when receiving the ranging request message, updating of information for continuously providing a security service to the mobile terminal in response to the ranging request message. Does not include a SA Challenge Tuple that includes attributes of a Security Association-Traffic Encryption Key Challenge message to continue providing the security service to a mobile terminal; The transceiver unit includes a TLV (Type Length Value) indicating an update in a ranging response (RNG-RSP) message. And a scheduler and a controller, wherein the scheduler and the controller perform a security association traffic encryption key (SA-TEK) step 3 with the mobile terminal when the ranging response message is transmitted. It is characterized by not.
In the mobile communication system according to the present invention, a mobile terminal apparatus for receiving authentication from a base station transmits a ranging request (RNG-REQ) message for requesting access to the base station and receives a ranging response (RNG-RSP) from the base station. Transmitting and receiving unit for receiving the message, and the Security Response Challenge Tuple (SA Challenge Tuple) that includes the attributes of the Security Association-Traffic Encryption Key message in the ranging response message, A value included in the TLV (Type Length Value) indicating the update of the information, if the information indicating the update of the information necessary for providing the service is included and the information indicating the update of the information is included. And a control unit for updating to the base station, wherein the control unit secures the base station and the base station when the ranging response message is received. It does not perform the three steps of the Security Association-Traffic Encryption Key (SA-TEK).

delete

delete

delete

delete

delete

delete

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the following description of the present invention, when it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted.

FIG. 2 illustrates a security association-traffic encryption key (hereinafter referred to as “SA-TEK”) for initial authentication when a mobile terminal enters a network or for re-authentication in an IEEE 802.16e system to facilitate understanding of the present invention. Is a diagram illustrating a three-step procedure.

In FIG. 2, a mobile station (MS) 200 and a base station (BS) 210 perform a SA-TEK challenge (AKID) 220 and a SA-TEK request (SA-). SA-TEK 3-way handshake (TEK Request) (AKID, Security Capabilities) (230) and SA-TEK Response (AKID, SA Descriptor) 240 Reconfirm security matters negotiated through SBC-REQ / RSP, negotiate the actual encryption method of traffic data and traffic encryption key (hereinafter referred to as "TEK"). Share information).

SA-TEK Request (230) message before counting all the SA ChallengeTimer in response to the SA-TEK Challenge (220) message sent by the base station (210) If it does not receive the SAChallengeMaxResends attempts to retransmit (222). If the SA-TEK Response 240 message is not received in the SATEK Timer SATEKTimer in response to the SA-TEK Request 230 message transmitted by the mobile station, SATEKRequestMaxResends. Attempt retransmission 232.

FIG. 3 is a diagram illustrating a three-stage SA-TEK procedure when a mobile terminal reenters a handover or a network in an IEEE 802.16e system for better understanding of the present invention.

3 illustrates that when the mobile terminal 200 attempts handover or network reentry as shown by reference numeral 300, the base station 210 performs handover process optimization of a ranging response (RNG-RSP) message in step 302 (HO process optimization). ) Shows the procedure proposed by IEEE 802.16e when transmitting by setting TLV Bit # 1 (Omit PKM Authentication phase except TEK phase during current re-entry Processing) to 1.

In step 302, the base station 210 attaches and sends a SA challenge tuple serving as a SA-TEK challenge message to a ranging response (RNG-RSP) message and transmits a SA challenge timer ( SAChallengeTimer (with handover and network re-entry) has a SA challenge timer (SAChallengeTimer) longer than the initial network connection or re-authentication. When the base station 210 receives the SA-TEK Request 308 message from the mobile terminal 200 before the SA challenge timer 304 is terminated, the operation of the SA Challenge Timer 304 is performed. To exit.

If the SA-TEK request 308 message is not received even after the operation of the SA challenge timer 304 is terminated, the base station 210 initializes reauthentication or the mobile terminal 200 for the corresponding mobile terminal 200. Stop providing service.

When the ranging procedure is terminated (RNG-REQ / RSP), the negotiation procedure (SBC-REQ / RSP) is performed in step 306, but may be omitted depending on the situation when the network re-entry or handover in the idle state. The negotiation procedure 306 is a separate process from performing the three stages of SA-TEK.

In step 302, the mobile terminal 200 receiving the ranging response (RNG-RSP) message including the SA Challenge Tuple transmits a SA-TEK Request message. The mobile terminal 200 transmits a SA-TEK request message and simultaneously drives a SATEK timer SATEKTimer 307. The mobile terminal 200 terminates the operation of the SATEK timer SATEKTimer 307 when it receives the SA-TEK Response 312 message in the SATEK timer 310.

If the mobile terminal 200 does not receive a SA-TEK Response 312 message before the SATEK timer 307 counts a preset time, the mobile terminal 200 receives the SA-TEK request (SA-). TEK Request) message is retransmitted, and the SATEK timer (SATEKTimer) 307 is restarted. If there is no response even after retransmission of SAATETERequest messages by SATEKRequestMaxResends 310, the mobile terminal 200 initializes reauthentication or attempts to access another base station.

Finally, in step 312, the base station 210 receiving the SA-TEK Request message 308 transmits an SA-TEK Response message and the mobile station 200 transmits an SA-TEK Response message. The SA-TEK 3-step procedure is terminated by safely receiving a TEK Response message.

In FIG. 3, when Bit # 1 (second bit) of the ranging response (RNG-RSP) message handover process optimization (HO process optimization) TLV field of step 302 is set to "1", the following meaning is described. Have In the handover or network reentry process of the mobile terminal 200, the authentication information related to the authentication key (AK) is transmitted to the target base station (base station to which the mobile terminal intends to handover or reenter the network) through a backbone between base stations. It means the omission of the authentication procedure except the acquisition step. The authentication procedure defined in IEEE 802.16e means user authentication or terminal authentication based on EAP or RSA and generation of an authentication key (AK).

Therefore, when the mobile terminal 200 performs the handover or when the network re-enters in the idle state, if the handover process optimization TLV field Bit # 1 of the ranging response message is set to 1, the mobile terminal 200 and the base station 210 are set. The security process begins with the SA-TEK 3-way handshake. The main purpose of the SA-TEK 3-step procedure in handover and network re-entry is in sharing traffic encryption keys and sharing SAs between the base station 210 and the mobile terminal 200. The SA includes information on connection (unicast, multicast, multicast broadcast service (MBS), service type and algorithm for traffic encryption.

However, IEEE 802.16e presents a security-related identifier update (SAID_Update) field in a type length value (TLV) list included in a ranging response (RNG-RSP) message. The SAID_Update field is defined as a field for updating the SA so that the mobile terminal continues to provide security service from the new base station after the handover.

Therefore, when the mobile station 200 needs to update the SA between the base station 210 and the mobile station 200 in the process of handover or network reentry, the SA-TEK 3-step procedure defined in IEEE 802.16e is used for ranging response (RNG-). RSP) Since the SAID_Update (SA Identifier_Update) field of the message is duplicated, the above-described processes are performed once more. In addition, if the base station needs to update not only the SA but also the TEK, the SA-TEK Update TLV included in the SA-TEK Response message is attached instead of the SA Challenge Tuple defined in the general IEEE 802.16e. In this case, the 3-step procedure of SA-TEK can be omitted. In this case, the SA-TEK Update TLV is a field required for the mobile station to update the SA or the TEK in order to maintain security service to a new base station after network reentry in a handover or idle state.

Before describing the present invention, the present invention has been briefly described in two ways as follows. First, when the SA (Security Association) information needs to be updated, the base station is included in the SAID_Update TLV or the Compound TLV of the ranging response message instead of the SA Challenge Tuple of the ranging response (RNG-RSP) message to the mobile station. By including the SAID_Update TLV, the SA-TEK 3-step procedure according to the general IEEE 802.16e scheme is omitted.

Secondly, when renewal of security-related information of at least one of SA or Traffic Encryption Key (TEK) is required, the SA Challenge Tuple is included in a ranging response (RNG-RSP) message in a general IEEE 802.16e-type portable Internet system. In the present invention, the base station attaches and transmits the SA-TEK Update TLV instead of the SA Challenge Tuple. This allows the base station to simply send a ranging response (RNG-RSP) message without the need for a SA-TEK 3-way handshake, eliminating unnecessary steps in network reentry or handover situations. have. Hereinafter, in the present specification, SA and TEK will be referred to as information necessary to provide a security service.

4 is a flowchart illustrating a three-stage SA-TEK function when a mobile terminal re-enters a network in a handover or idle state in the portable Internet system according to the first embodiment of the present invention.

Referring to FIG. 4, the mobile terminal 400 performs handover or reentry into a network with the base station 402 through a ranging request (RNG-REQ) message in step 404, and the base station 402 in step 406. Transmits by setting handover process optimization TLV Bit # 1 (Omit PKM Authentication phase except TEK phase during current re-entry Processing) of ranging response (RNG-RSP) message to 1, and ranging response (RNG-RSP) Transmit without inserting SA Challenge Tuple in the message. The mobile terminal 400 checks whether the ranging response message SAID_Update TLV field received in the network reentry and handover state is included. If the SAID_Update TLV is included, the mobile terminal 400 processes the existing SA-TEK three-step procedure. Its main function is to be performed. That is, the base station 402 can omit steps 304 and 307 to 312 of FIG. 3 by transmitting the SA challenge tuple without inserting an SA challenge tuple into a ranging response (RNG-RSP) message in step 406. .

5 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle state in a portable Internet system according to a second embodiment of the present invention. In a typical IEEE 802.16e system, when the mobile terminal attempts to reenter the network from a handover or idle state through a ranging request (RNG-REQ) message as in step 500, the base station 402 responds to the ranging response (RNG-RSP). Continue with the SA-TEK 3-step procedure by adding the SA Challenge Tuple to the message.

The SA-TEK Response (SA-TEK Response) message of the three-step SA-TEK procedure includes an element that the base station informs the UE of the SA and TEK update. Therefore, in the second embodiment of the present invention, the SA-TEK Update TLV, which informs the update of the SA and the TEK in the SA-TEK Response message, is attached to the ranging response (RNG-RSP) message. And to update the TEK at the same time to omit the three-step SA-TEK procedure. Therefore, the IEEE 802.16e portable Internet system can handle the main function of the SA-TEK 3-step procedure with only the ranging response (RNG-RSP) message including the SA-TEK Update TLV. That is, in FIG. 5, the base station 402 does not insert an SA Challenge Tuple in step 502, and a ranging response (RNG-RSP) message including an SA-TEK Update TLV as information indicating update of security related information. By transmitting, steps 304 and 307 to 312 of FIG. 3 may be omitted.

FIG. 6 is a flowchart illustrating a three-stage SA-TEK function when a mobile terminal re-enters a network in a handover or idle state in the portable Internet system according to the first embodiment of the present invention.

Referring to FIG. 6, the mobile terminal performs network reentry and handover with a base station through a ranging request (RNG-REQ) message in step 602, and in step 604, handover process optimization TLV Bit # 1 (Omit PKM Authentication). Receive a ranging response (RNG-RSP) message with phase except TEK phase during current re-entry Processing set to 1. In step 606, if the SAID_Update TLV field indicates security information update of a ranging response (RNG-RSP) message, and the SAID_Update TLV is included in the ranging response message, the MS is defined in the SAID_Update TLV field. Update the SA.

In addition, regardless of whether the SAID_Update TLV field is included in the check result of step 606, the mobile station determines whether an SA challenge tuple is attached in step 610. If it is determined that there is no SA Challenge Tuple, the process ends the three-step SA-TEK process, and if the SA Challenge Tuple is confirmed, the process proceeds to step 612 and the existing IEEE 802.16e as shown in FIG. Performs a three-step SA-TEK procedure.

FIG. 7 is a flowchart illustrating a three-stage SA-TEK procedure when a mobile terminal re-enters a network in a handover or idle state in the portable Internet system according to the second embodiment of the present invention.

Referring to FIG. 7, the mobile terminal performs network reentry or handover with a base station through a ranging request (RNG-REQ) message in step 702, and in step 704, handover process optimization TLV Bit # 1 (Omit PKM Authentication). Receive a ranging response (RNG-RSP) message with phase except TEK phase during current re-entry Processing set to 1.

In step 706, the mobile station checks whether the ranging response message includes SA-TEK Update TLV, which is security related-traffic encryption key update indication information, and proceeds to step 708. In step 708, the mobile station checks the SA-TEK Update TLV, updates the SA-TEK Update TLV that is security related-traffic encryption key update indication information of the ranging response message, and then terminates the SA or TEK. do. On the other hand, if there is no SA-TEK Update TLV in the ranging response (RNG-RSP) message received as a result of the check in step 706, the existing SA and TEK are used as is and the process is terminated.

8 is a block diagram of a mobile terminal 400 and a base station 402 in a portable Internet system according to an embodiment of the present invention.

The transceiver 400b of the mobile terminal 400 performs wireless communication with the base station 402, demodulates the received signal and provides the received signal to the controller 400a, and encodes and modulates a signal generated by the controller 400a to antenna. It transmits to the base station 402 through. The controller 400a generates and transmits a ranging request (RNG-REQ) message to be transmitted to the base station 402 when reentering the network or a handover situation occurs.

According to the first embodiment of the present invention, after the mobile terminal 400 transmits a ranging request (RNG-REG) message to the base station 402, the ranging response (RNG) not including an SA challenge tuple (SA Challenge Tuple) Upon receiving the -RSP) message, the controller 400a updates the SA indicated by the SAID_Update field without performing a 3-way handshake performed in a general IEEE 802.16e system. When the SA Challenge Tuple receives the ranging response (RNG-RSP) message, the controller 400a performs the three-step procedure.

According to the second exemplary embodiment, the control unit 400a transmits a ranging request (RNG-RSP) including a SA-TEK Update TLV from the base station 402 after transmitting a ranging request (RNG-REG) message to the base station 402. Upon receipt of the message, it updates the SA and TEK and does not perform the three step procedure.

In the base station 402, the transceiver 402a communicates with the mobile terminal 400 wirelessly and demodulates a signal received from the mobile terminal 400 and provides the demodulated signal to the scheduler and the controller 402b or the scheduler and the controller 402b. After encoding the signal generated by the modulated to transmit to the mobile terminal 400 through the antenna. In an embodiment of the present invention, the transceiver 402a of the base station 402 transmits a ranging response message to the mobile terminal 400 and receives a ranging request message from the mobile terminal 400.

According to an embodiment of the present invention, the scheduler and the controller 402b may use a SA challenge tuple of a ranging response (RNG-RSP) message when the mobile terminal 400 reenters the network in a handover state or an idle state. In this case, a three-step SA-TEK procedure with the mobile terminal 400 may be omitted, and when a change in security-related identifier (SAID) is required according to the first embodiment, a ranging response (RNG-RSP) message is required. The SAID_Update TLV field is included and transmitted through the transceiver unit 402a. On the other hand, when the TEK needs to be changed, a ranging response (RNG-RSP) message in which the SA Challenge Tuple is set is transmitted to the mobile terminal 400 to perform the three-step procedure. In addition, according to the second embodiment, the scheduler and the controller 402b omit the SA Challenge Tuple when the SA or the TEK needs to be updated, and the ranging response (RNG-RSP) message including the SA-TEK Update TLV. By transmitting the to the mobile terminal 400 through the transceiver 402a enables the mobile terminal 400 to update the SA or TEK, and accordingly the SA-TEK 3-step procedure can be omitted.

Looking at the improvement method according to the embodiments of the present invention as described above are as follows. First, in the first embodiment of the present invention, when the mobile station 400 is performing network reentry or handover in the idle state, the base station sets the second bit of the handover process optimization TLV field to 1 (Bit #) in the ranging response message. Set to 1) and send. In this case, if it is determined that the SA update of the UE is necessary, the challenge tuple TLV is replaced with the SAID_Update TLV in the ranging response message. Therefore, the SA-TEK 3-step procedure of the general IEEE 802.16e portable Internet system can be enabled only by the SAID_Update TLV of the ranging response message.

In the second embodiment of the present invention, instead of performing a three-stage SA-TEK procedure between the mobile station 400 and the base station 402, the base station 102 may send a SA- message to a ranging response (RNG-RSP) message. By attaching and performing the TEK Update TLV, the mobile terminal 400 can increase the performance efficiency for reentry or handover into the network in the idle state.

By doing so, the mobile station 200 transmits a ranging response (RNG-RSP) message including a SA challenge tuple transmitting and receiving between the base station 202 and the mobile terminal as proposed by the general IEEE 802.16e. A three-step process of transmitting a SA-TEK Request message and the base station 202 transmitting a SA-TEK Response message is performed by the base station 402 according to the first and second embodiments. It is also possible to send only the response (RNG-RSP) message, which speeds up handover or network re-entry.

In a typical IEEE 802.16e system, a mobile station receives a ranging response (RNG-RSP) message, sends a SA-TEK request message, and then sends a SA-TEK response message from a base station. It must be received, but there is a possibility of a message loss. If a message loss occurs, it may take more time (max SATEKTimer (time counted by SATEK timer) x (SATEKRequestMaxResends-1) + α). In this case, the SATEK timer (Timer) is the time that the mobile station waits to retransmit the message after sending the SA-TEK Request (SA-TEK Request) message, the SA-TEK Response (SA-TEK Response) message within this time If not, resend the SA-TEK request message. For reference, the standard defines the SATEK timer as "Time Prior to re-send of SA-TEK Request (in seconds)." If the SAATETE response message is not received within the time counted by the SATEK timer, the SA-TEK request message Resend SATEKRequestMaxResends is the maximum number of retransmissions of SA-TEK Request messages, where 0≤α <SATEKTimer.

Therefore, in the embodiment of the present invention, since the base station only needs to transmit a ranging response (RNG-RSP) message, the base station may occur in the transmission and reception of the SA-TEK Request and SA-TEK Response messages. Delays can be prevented.

Another effect of the present invention is to increase the probability of handover success when the mobile terminal performs handover due to the fast processing speed on the system. In general, in a mobile communication system, message loss may occur at cell boundaries, resulting in message retransmission. The timer for receiving a SA-TEK Request message and a SA-TEK Response message proposed by the IEEE 802.16e system has a relatively large value. Therefore, if a message is lost, a relatively long delay time due to retransmission increases the probability that a mobile terminal located at a cell boundary can leave the cell before terminating handover or before network reentry in idle state is completed. . In this process, the mobile station loses synchronization and must reconnect to the network. Therefore, in the embodiment of the present invention, as described above, the handover may not be performed again, and delay time due to network reconnection, which occurs when the mobile terminal loses synchronization, may be prevented.

As described above, by simplifying the procedure in the reentry or handover situation of the mobile terminal to the network, it is possible to reduce the reconnection delay time between the mobile terminal and the base station to improve the performance of the entire system.

Claims (24)

A method for authenticating a mobile terminal by a base station in a portable internet system, Receiving a ranging request (RNG-REQ) message from the mobile terminal reentering the network in the idle state or from the handover state to request access; After receiving the ranging request message, when update of information for continuously providing a security service to the mobile terminal is required, a security related-traffic encryption key challenge is provided to continue providing the security service to the mobile terminal. Security Association-Range Encryption Response (RNG-) containing a Type Length Value (TLV) indicating update of the information without including a SA Challenge Tuple containing the attributes of the Traffic Encryption Key Challenge message. RSP) sending a message to the mobile terminal, When the base station transmits the ranging response message to the mobile terminal, the base station does not perform a three-step security association-traffic encryption key (SA-TEK) procedure with the mobile terminal. Authentication method using private key management protocol in portable Internet system. According to claim 1, The TLV indicating the update is And a security association identifier update TLV (SAID_Update TLV) for authentication of the terminal. According to claim 1, The TLV indicating the update is An authentication method using a private key management protocol in a portable Internet system characterized by SA-TEK Update TLV which instructs Security Association (SA) information and Traffic Encryption Key (TEK) update. A method for a mobile terminal to authenticate with a base station in a portable internet system, Transmitting a ranging request (RNG-REQ) message to request access to the base station when reentering or handing over to a network; Receiving a ranging response (RNG-RSP) message from the base station as a response to the ranging request message; The ranging response message does not include a SA Challenge Tuple including attributes of a Security Association-Traffic Encryption Key message, and does not include information required to provide a security service. Checking for the presence of information indicative of updates; If a TLV (Type Length Value) indicating update of the information is included, updating the information to a value included in the TLV indicating update of the information; When the mobile terminal receives the ranging response message, the mobile terminal does not perform a three-step security association-traffic encryption key (SA-TEK) procedure with the base station. Authentication method using private key management protocol. 5. The method of claim 4, The TLV indicating the update is Security Association Identifier_Update TLV (SAID_Update TLV) for authentication of the terminal authentication method using a private key management protocol in a portable Internet system. 5. The method of claim 4, The TLV indicating the update is An authentication method using a private key management protocol in a portable Internet system characterized by SA-TEK Update TLV which instructs Security Association (SA) information and Traffic Encryption Key (TEK) update. A base station apparatus for authenticating a mobile terminal in a mobile communication system, A transceiver for receiving a ranging request (RNG-REQ) message for requesting access from the mobile terminal and transmitting a ranging response (RNG-RSP) message to the mobile terminal; When the ranging request message is received, when the update of information for continuously providing the security service to the mobile terminal is required in response to the ranging request message, the security service is continuously provided to the mobile terminal. A TLV (Type Length Value) indicating update of the information without including a SA Challenge Tuple containing the attributes of a Security Association-Traffic Encryption Key Challenge message in order to do so. ) Includes a scheduler and a control unit for controlling the transceiver to transmit the message in a ranging response (RNG-RSP) message. When the scheduler and the controller transmit the ranging response message, the scheduler and the control unit do not perform a security association-traffic encryption key (SA-TEK) step 3 with the mobile terminal. Authentication device using the private key management protocol in the system. The method of claim 7, wherein The TLV indicating the update is Security Association Identifier_Update TLV (SAID_Update TLV) for the authentication of the terminal authentication device using a private key management protocol in a portable Internet system. The method of claim 7, wherein The TLV indicating the update is An authentication device using a private key management protocol in a portable Internet system characterized by SA-TEK Update TLV that instructs Security Association (SA) information and Traffic Encryption Key (TEK) update. A mobile terminal apparatus for receiving authentication from a base station in a mobile communication system, A transceiver for transmitting a ranging request (RNG-REQ) message for requesting access to the base station and receiving a ranging response (RNG-RSP) message from the base station; The ranging response message does not include a SA Challenge Tuple including attributes of a Security Association-Traffic Encryption Key message, and does not include information required to provide a security service. A control unit which checks whether information indicating update is included, and updates information to a value included in a type length value (TLV) indicating update of the information, if the information indicating update is included; When the controller receives the ranging response message, the controller does not perform a three-step security association-traffic encryption key (SA-TEK) procedure with the base station. Authentication device using key management protocol. The method of claim 10, The TLV indicating the update is Security Association Identifier_Update TLV (SAID_Update TLV) for the authentication of the terminal authentication device using a private key management protocol in a portable Internet system. The method of claim 10, The TLV indicating the update is An authentication device using a private key management protocol in a portable Internet system characterized by SA-TEK Update TLV that instructs Security Association (SA) information and Traffic Encryption Key (TEK) update. delete delete delete delete delete delete delete delete delete delete delete delete

Images