KR20080100746A - A method and apparatus of key generation for security and authentication in mobile telecommunication system - Google Patents

Abstract

A method and an apparatus for generating a security key in a mobile communication system prevent denial of a service by a message attack in not only an RF level but also a protocol level. A master session key and an expansion master session key are generated from a long term credential(391). The device authentication, the user authentication, the generation/management of a session related key are performed from the master session key(MSK)(393). A mobile IP route key(MIP-RK) and a proxy mobile IP route key are generated from the expansion authentication key and a client mobile IP key and the proxy mobile IP key are generated from the mobile IP route key(MIP-RK) and the proxy mobile IP route key(397,398).

Description

Method and apparatus for generating a security key in a mobile communication system {A method and apparatus of Key Generation for security and authentication in mobile telecommunication system}

1 is a block diagram showing a mobile communication network environment according to a preferred embodiment of the present invention;

2 is a block diagram illustrating a mobile communication network environment for explaining the generation of a security key according to an embodiment of the present invention;

3A is a block diagram illustrating a security key generation system using an MSK and an EMSK according to a first embodiment of the present invention;

3B is a flowchart illustrating a security key generation method using an MSK and an EMSK according to a first embodiment of the present invention;

4A is a block diagram illustrating a security key generation system using an EMSK according to a second embodiment of the present invention;

4b is a flowchart illustrating a security key generation method using an EMSK according to a second embodiment of the present invention;

Figure 5a is a block diagram showing a security key generation system using MSK, EMSK, HA-RK according to a third embodiment of the present invention,

5B is a flowchart illustrating a security key generation method using MSK, EMSK, and HA-RK according to a third embodiment of the present invention;

Figure 6a is a block diagram showing a security key generation system using MSK, EMSK, HA-RK according to a fourth embodiment of the present invention,

6B is a flowchart illustrating a security key generation method using MSK, EMSK, and HA-RK according to a fourth embodiment of the present invention;

7A is a block diagram illustrating a security key generation system using MSK, EMSK, and FA-RK according to a fifth embodiment of the present invention;

7B is a flowchart illustrating a security key generation method using MSK, EMSK, FA-RK according to the fifth embodiment of the present invention;

8A is a block diagram illustrating a security key generation system using MSK, EMSK, and PMIP-RK according to a sixth preferred embodiment of the present invention;

8B is a flowchart illustrating a security key generation method using MSK, EMSK, and PMIP-RK according to a sixth embodiment of the present invention;

9A is a block diagram illustrating a security key generation system using MSK, EMSK, PMIP-RK, and MAG-RK according to a seventh preferred embodiment of the present invention;

9B is a flowchart illustrating a security key generation method using MSK, EMSK, PMIP-RK, and MAG-RK according to the seventh preferred embodiment of the present invention;

10A is a block diagram illustrating a security key generation system using EMSK, MIP-RK, PMIP-RK, and MAG-RK according to an eighth embodiment of the present invention;

10B is a flowchart illustrating a security key generation method using EMSK, MIP-RK, PMIP-RK, and MAG-RK according to an eighth embodiment of the present invention;

11A is a block diagram illustrating a security key generation system using EMSK, MIP-RK, PMIP-RK, and MAG-RK according to a ninth preferred embodiment of the present invention;

11B is a flowchart illustrating a security key generation method using EMSK, MIP-RK, PMIP-RK, and MAG-RK according to a ninth preferred embodiment of the present invention;

12A and 12B are block diagrams illustrating an example of a security key generation system using EMSK, MIP-RK, FA-RK, and HA-RK according to the tenth, eleventh, and twelfth embodiments of the present invention;

13A is a block diagram illustrating an example of a security key generation system using EMSK, MIP-RK, and PMIP-RK according to a thirteenth preferred embodiment of the present invention;

13B is a flowchart illustrating a security key generation method using EMSK, MIP-RK, and PMIP-RK according to a thirteenth preferred embodiment of the present invention;

14A is a block diagram illustrating an example of a security key generation system using EMSK, MIP-RK, and PMIP-RK according to a fourteenth preferred embodiment of the present invention;

14B is a flowchart illustrating a security key generation method using EMSK, MIP-RK, and PMIP-RK according to a fourteenth preferred embodiment of the present invention.

The present invention relates to a mobile communication system, and more particularly, to a method and apparatus for a mobile node to perform authentication and security in a mobile communication network.

In mobile communication systems such as 3rd Generation Partnership Project 2 (3GPP2) Code Division Multiple Access (CDMA) 1x and Evolution Data Only (EV-DO), a base station (hereinafter referred to as BS) is responsible for the management of many radio-related resources. In addition, a packet data serving node (hereinafter referred to as PDSN), which is a separate entity of a core network, performs a procedure related to communication of packet data.

Since the mobile communication system operates based on a point-to-point protocol (hereinafter referred to as PPP), as a framework that can operate on top of PPP even in authentication, a challenge handshake. An authentication protocol or a password authentication protocol (hereinafter referred to as PAP) is used for user or device authentication. However, the above authentication methods are not suitable for the UMB (Ultra Mobile Broadband), which is an improvement of 3GPP2, which is intended to transmit more data at higher speed. Therefore, authentication and security measures that can support UMB more efficiently are being discussed.

The authentication and security method used in the conventional 1x EV-DO system does not completely block channel hijacking, and it is possible to steal the service without paying for the communication. Was hugging. In addition, the conventional system has a problem that is vulnerable to denial of service due to message attack at the protocol level as well as the radio frequency (hereinafter referred to as RF) level. Therefore, there is a need for a system and a communication network capable of more secure communication.

On the other hand, in order to provide mobility of mobile nodes, security methods take a lot of time in security procedures and processes despite their importance. Also, since various security keys are used for security, the method of systematically creating and managing them is also fast. Required for security configuration and management.

An object of the present invention for overcoming the above problems is to propose a method and apparatus for generating a security key more securely and efficiently in device authentication, user authentication, service authentication in a mobile communication system.

One embodiment of the present invention for achieving the above object is a method for generating a security key in a mobile communication network system, the master session key (MSK) and extended master session key (EMSK) from Long Term Credential ), A process of generating / managing device authentication or user authentication or a session related key from the master session key (MSK), and a mobile IP root key (MIP-RK) from the extended authentication session key (EMSK). And proxy MIP-RK is generated, and client mobile IP key and proxy mobile IP key are generated from each.

Another embodiment of the present invention provides a method for generating a security key in a mobile communication network system, the method comprising: generating a master session key (MSK) and an extended master session key (EMSK) from a long term credential; Generating / managing device authentication or user authentication or session-related keys from the extended authentication session key (EMSK), generating a mobile IP root key (MIP-RK) from the extended authentication session key (EMSK), and Each process consists of generating a client mobile IP key and a proxy mobile IP key.

Another embodiment of the present invention provides a method for generating a security key in a mobile communication network system, the method comprising: generating a master session key (MSK) and an extended master session key (EMSK) from a long term credential; Generating / managing device authentication or user authentication or session-related keys from the master session key (MSK), generating a mobile IP root key (MIP-RK) from the extended authentication session key (EMSK), and Client mobile IP key, proxy mobile IP key generation process.

Another embodiment of the present invention provides a method for generating a security key in a mobile communication network system, the method comprising: generating a master session key (MSK) and an extended master session key (EMSK) from a long term credential; Generating / managing device authentication, user authentication, or session-related keys from the extended authentication session key (EMSK), moving IP root key (MIP-RK) and proxy moving IP root from the extended authentication session key (EMSK) And generating a client mobile IP key and a proxy mobile IP key, respectively.

Another embodiment of the present invention provides a mobile communication network system for generating a security key, comprising: an authentication server for generating a master session key (MSK) and an extended master session key (EMSK) from a long term credential; Signaling radio for generating a root master session key (RSK) from the master session key (MSK) received from the authentication server, and generating a device authentication or user authentication or session-related key from the master session key to the base station A network controller, a base station for generating a traffic session key (TSK), which is a key for data encryption or a key for data integrity verification, from the key generated from the wireless network controller, and generates and stores the master session key and the extended master session key, About device authentication and user authentication from session keys and extended master session keys It consists of a mobile terminal for generating the associated keys.

Hereinafter, with reference to the accompanying drawings will be described in detail the operating principle of the preferred embodiment of the present invention. In the following description of the present invention, detailed descriptions of well-known functions or configurations will be omitted if it is determined that the detailed description of the present invention may unnecessarily obscure the subject matter of the present invention. In addition, terms to be described below are defined in consideration of functions in the present invention, which may vary according to intentions or customs of users and operators. Therefore, the definition should be made based on the contents throughout the specification.

The subject matter of the present invention described below is to provide authentication and security for a mobile communication network. In the following description, the UMB system based on 3GPP2 will be used. However, the authentication and security method for a mobile communication network, which is a basic object of the present invention, is applicable to other mobile communication systems having a similar technical background and channel form with a slight modification without departing from the scope of the present invention. This will be possible in the judgment of a person skilled in the art of the present invention.

The present invention efficiently supports device authentication and user authentication, Mobile IP (hereinafter referred to as MIP), Proxy Mobile IP (hereinafter referred to as PMIP), or Simple IP terminal in the initial call setup process of the mobile communication system. Provided are a method and apparatus for generating a security key for securely performing a security authentication process and an IP service.

In addition, the present invention provides a method and apparatus for generating a security key for performing authentication and security using Extensible Authentication Protocol (EAP) under the premise of PPP free in a mobile communication network.

1 is a block diagram illustrating a mobile communication network environment according to a preferred embodiment of the present invention. Here, the network structure of the 3GPP2 UMB system is shown as an example.

1, a base station (BS) 101, 102, 103 establishes a wireless connection with a mobile station (hereinafter referred to as MS) 110 located in a cell which is a respective service area. And communicate. A signaling radio network controller (SRNC) 121, 122 controls communication of the MS 110 via the BS 101, 102, 103 when the MS 110 is in an idle mode. Meanwhile, the MS 110 connects to a packet data network such as the Internet through an access gateway (hereinafter referred to as AG) 131 and 132. Here, a home agent (hereinafter referred to as HA) 140 and an authentication and accounting (hereinafter referred to as AAA) server 150 are shown as main network entities of the packet data network. If the SRNC 121 has an authenticator for device authentication, the SRNC that interfaces with the AAA 150 will be used for device authentication.

An interface for managing mobility of an idle terminal exists between the BS 101 and the SRNC 121 and between the AG 131 and the SRNC 121, and between the AG 131 and the BS 101. There is a data path. For authentication of the terminal, an SR (121) is provided with an authenticator (not shown) for device authentication, and an AG (131) is provided with an authenticator (not shown) for user authentication. Alternatively, a structure in which the device authentication authentication unit and the user authentication unit are both included in the SRNC, or both in the AG may be possible. In order to perform such authentication, AG (131, 132) and SRNC (121, 122) may be implemented as a single physical entity, even if the SRNC (121, 122) exists as a single physical entity AG (131) 132 and the SRNC 121, 122 are provided with a suitable interface, the same as the AG (131, 132) and SRNC (121, 122) is implemented as a single entity.

2 is a block diagram illustrating a mobile communication network environment for explaining a security key generation subject according to an embodiment of the present invention.

2 is a view showing a preferred embodiment of the security key generator subject various modifications are possible. An embodiment of the modified form will be described with reference to FIGS. 3A to 11B. In addition, the specific key generation formula and method will be described in the embodiments of FIGS. 3A to 11B.

The AAA 201 generates a Master Session Key (hereinafter referred to as MSK) and Extended Master Session Key (hereinafter referred to as EMSK) from Long Term Credential. The MSK is generated by dividing the device-MSK (hereinafter referred to as D-MSK) used for device authentication and the User-MSK (hereinafter referred to as U-MSK) for user authentication, or from the generated MSK. MSK (hereinafter, DU-MSK) may be generated. The D-MSK, U-MSK, or DU-MSK may be used when only device authentication, user authentication, or device authentication and user authentication may be performed at the same time according to the policy of the operator. In particular, when simultaneously performing device authentication and user authentication, two security keys are managed separately as one key for convenience of operation. On the other hand, depending on the operator's policy, only one security key can be implemented even if both the device authentication and the user authentication are performed.

In the case of the MS 250, the MSK, EMSK, D-MSK, U-MSK, and DU-MSK are generated and stored. In addition, the Root-MSK (hereinafter referred to as R-MSK) and Pairwise Master Key (hereinafter referred to as PMK) are generated. ), A Session Root Key (hereinafter referred to as SRK), and a Traffic Session Key (hereinafter referred to as TSK) can be generated. The R-MSK performs a key generation process in order to solve a security problem that may occur when the U-MSK generated by the AAA 201 is transmitted to the AG after the U-MSK is transmitted to the AG. Is to add more. If it is in the policy of the operator to generate the R-MSK in the AG, the MS can also generate the R-MSK and use it later to generate the PMK.

According to an embodiment, a pairwise master key (PMK) is a key used for direct session management as the PMK itself, and may be used to generate a data encryption related key or a key (TSK) used for data integrity verification. . The PMK may be generated by the SRNC and used to generate a TSK in the SRNC, or the SRNC may transmit a PMK to the BS to generate a TSK, which is a key for data encryption or data integrity verification, from the PMK.

Meanwhile, in another embodiment, the PMK may be used to generate an SRK in generating and transmitting a Session Root Key (hereinafter referred to as an SRK) from the SRNC to the BS without generating a key for directly inducing session management. In this case, BS 241 may be involved in producing a TSK, which is a key for data integrity verification or data integrity verification from the SRK. In another embodiment, the SRK will not be used to generate the TSK, but simply for the 3-way handshake between the SRNC, BS, and MS. The key used for data encryption related key and data integrity verification may include other keys in addition to the traffic session key (TSK). In the present invention, TSK is taken as an example.

The AG 221 generates an R-MSK as described above. In the case of the SRNC 231, a PMK is generated according to the operator's policy, and a TSK is generated from the PMK. In another embodiment, the SRK may be generated from the PMK and transmitted to the BS 241, and the BS 241 may generate the TSK from the SRK. In another embodiment, the BS 241 may be configured from the SRK 231 to the PMK. An example of generating a TSK would be possible.

Hereinafter, various embodiments of the method for generating a security key will be described with reference to FIGS. 3A to 11B.

The generating subject of each key in each embodiment may be as described in FIG. 2, but may be implemented differently according to a service provider. Thus, the subject performing each step of the methods of each of the following embodiments is an overall communication network system. In this regard, each subject will not be described below.

3A and 3B are block diagrams illustrating a security key generation system using a MSK and an EMSK according to a first preferred embodiment of the present invention, and a flowchart for explaining a method for generating the security key. The following will be described with reference to FIGS. 3A and 3B.

When the MSK 303 and the EMSK 305 are generated from the long term credential 301 in step 391, the MSK 303 and the EMSK 305 may be divided into two areas. One area is a block that generates / manages device authentication 311, 315 or user authentication 313, 315, 317, and session related keys 321-325 from the MSK. This corresponds to steps 392 to 396. Another area is to create a Mobile IP Root key (MIP-RK) 331 from EMSK, from which Client Mobile IPv6 (hereinafter referred to as CMIPv6), Client Mobile IPv4 (hereinafter referred to as CMIPv4) and Proxy Mobile IPv6 (hereinafter referred to as "MIP-RK"). PMIPv6) and a key for operating Proxy Mobile IPv4 (hereinafter referred to as PMIPv4). This is true in steps 397 through 398.

The Long Term Credential 301 is used to create long-term secrets between the authentication server and the MS. A pre-shared key method may be used or a public-key based method method may be used. May be used. In the latter case, the long term credential consists of a private key. The MSK 303 is generated by an Extensible Authentication Protocol peer (EAP) peer corresponding to the MS in the present invention and a server. The MSK 303 should have a length of at least 64 octets. EMSK 305 has a length of at least 64 octets and must have a length of at least MSK size. The MSK and EMSK are divided into long term credentials (Truncated), and some of them use MSK and some of them as EMSK. However, other methods for generating the MSK and EMSK may be used, and a detailed method thereof will be omitted in the present invention.

In step 392, the D-MSK 31 or the U-MSK 313 is randomly divided into a predetermined length from the Long Term Credential to distinguish between the D-MSK and the U-MSK and the EMSK. A function (for example, a random function) may be used, but a detailed method thereof will be omitted in the present invention. However, since Long Term Credentials are shared by D-MSK, U-MSK, EMSK as parameters, their creation should be used so that Long Term Credentials can be traced back or other keys are not exposed by their relationship. . In step 393, the DU-MSK 315 is generated from the D-MSK 31 and the U-MSK 313 using a key derivation function (hereinafter referred to as KDF). However, this is a process that can be selectively performed depending on the operator.

Specific functions used in Equation 1 will be omitted in the present invention.

DU-MSK = KDF (D-MSK XOR U-MSK, MS_MAC_Addr | "DU-MSK")

In addition, in step 393, the R-MSK 317 may be generated from the U-MSK 313. The R-MSK may be generated by dividing the U-MSK 313 by a predetermined length, Can be generated using the KDF function of 1>. In step 395, the D-MSK, U-MSK, DU-MSK, or R-MSK is truncated by a predetermined length to generate PMK 321. Referring to the PMK 321 using 32 octets in wireless LAN and 20 octets in IEEE 802.16e, the PMK generation method for the UMB takes a predetermined length from the MSK as described above to generate the PMK, It can be generated using the key generation function KDF. However, specific examples of the key generation function will be omitted in the present invention.

The SRK 323 may be used for the same purpose as the PMK 321, and may be generated by taking a predetermined length from the PMK 323 in step 395, or may be generated using a KDF function. However, this is a process that can be selected by the operator. The TSK 325 or the Integration Key (IK) may be generated using a separate KDF function of the PMK 321 or a separate KDF function from the SRK 323 in step 396. It will be omitted in the invention.

However, whether to generate a key used for data encryption or integrity, such as TSK or IK, from the PMK 321 or the SRK 323 in step 396 is a part that affects the overall security architecture. It is related to the development direction of the security structure of the mobile communication system because it is a part that manages the handover situation where the terminal moves beyond the area of one base station.

Meanwhile, in step 397, the MIP-RK 331 may be generated from the EMSK 305. The MIP-RK 331 may be defined as in Equation 2 below.

MIP-RK = KDF (EMSK, key label, option data, length)

Specific examples of Equation 2 may be Equation 3 below.

MIP-RK = HMAC-SHA1 (EMSK, "MIP-RK")

In Equation 3, HMAC-SHA1 refers to the HMAC-SHA1 function.

In step 398, all keys corresponding to 351 to 375 of FIG. 3A are generated from the MIP-RK.

MN-HA _{- CMIPv6} (351), MN-HA _{- CMIPv4} (353), MN-HA _{- PMIPv6} (355), and MN-HA _{- PMIPv4} (357) are produced in MN and AAA, respectively. 4> to <Equation 7>.

MN-HA _{- CMIPv6} = KDF (MIP-RK, "CMIPv6 MN HA" | HA-IPv6 | MN-NAI)

MN-HA _{- CMIPv4} = KDF (MIP-RK, "PMIPv4 MN HA" | HA-IPv4 | MN-NAI)

MN-HA _{- PMIPv6} = KDF (MIP-RK, "PMIPv6 MN HA" | HA-IPv6 | MN-NAI)

MN-HA _{- PMIPv4 =} KDF (MIP-RK, "PMIPv4 MN HA" | HA-IPv4 | MN-NAI)

In Equations 4 to 7, HMAC-SHA1 may be used as an example of KDF. In Equations 4 to 7, MN-NAI may not be used as input data of the function.

MN-FA _{- CMIPv4} (361) is generated between MN and FA, MN-MAG _{- PMIPv6} (363), MN-MAG _-PMIPv4 (365) is generated in the MN and Mobile Access Gateway (hereinafter referred to as MAG) Can be generated using Equations 8 to 10.

However, in one embodiment, since the FA is located in the AG, an embodiment in which the MN-FA _{- CMIPv4} 361 is located in the MN and the AG is possible. Meanwhile, in another embodiment, since the Mobile Access Gateway (hereinafter referred to as MAG) may be located in the AG, the MN-MAG- _PMIPv6 363 and the MN-MAG _{- PMIPv4} 365 may be located in the MN and AG. . Meanwhile, in another embodiment, since the Mobile Access Gateway (hereinafter referred to as MAG) may be located in the BS, the MN-MAG _{- PMIPv6} 363 and the MN-MAG _{- PMIPv4} 365 may be located in the MN and BS.

MN-FA _{- CMIPv4} = KDF (MIP-RK, "CMIPv4 MN FA" | FA-IPv4 | MN-NAI)

MN-MAG _{- PMIPv6} = KDF (MIP-RK, "PMIPv6 MN MAG" | MAG-IPv6 | MN-NAI)

MN-MAG _{- PMIPv4 =} KDF (MIP-RK, 'PMIPv4 MN MAG "| MAG-IPv4 | MN-NAI)

In the above Equations 8 to 10, HMAC-SHA1 may be used as an example of the KDF. In addition, in Equation 8, MN-NAI may not be used as input data of a function.

FA-HA _{- CMIPv4} (371) is generated in FA and AAA, MAG-LMA _{- PMIPv6} (373), MAG-LMA _{- PMIPv4} (375) is generated in MAG and LMA (Local Mobility Anchor) 11> to <Equation 13>. In one embodiment, since the FA is located in the AG, an embodiment in which the FA-HA _{- CMIPv4} 371 is located in the AG and the AAA is possible. Meanwhile, in another embodiment, MAG-LMA _{- PMIPv6} (373) and MAG-LMA _-PMIPv4 (375) are AG because the Mobile Access Gateway (hereinafter referred to as MAG) may be located in the AG and the LMA may be located in the HA. It will be possible to locate at and AAA. Meanwhile, according to the embodiment, when the MAG is located in the BS, other embodiments in which the MAG-LMA _{- PMIPv6} 373 and the MAG-LMA _{- PMIPv4} 375 are located in the BS and the AAA may be possible.

FA-HA _{- CMIPv4} = KDF (MIP-RK, "CMIPv4 FA HA" | HA-IPv4 | FA-CoAv4 | Nonce)

MAG-LMA _{- PMIPv6} = KDF (MIP-RK, "PMIPv6 MAG LMA | LMA-IPv6 | MAG-Address | Nonce)

MAG-LMA _{- PMIPv4 =} KDF (MIP-RK, "PMIPv4 MAG, LMA | LMA-IPv4 | MAG-Address | Nonce)

In Equations 11 to 13, HMAC-SHA1 may be used as an example of KDF. In Equation 11, FA-CoAv4 and Nonce may not be used as input data of a function. In addition, MAG-Address and Nonce may not be used as input data of a function in Equations 12 to 13. The reason for using FA-CoAv4, MAG-Address, or Nonce above is that a number of security associations between FA and HA or MAG and LMA can be made between FA and HA or between MAG and LMA. It is intended to specify whether there is a security relationship between the FA and HA, or which MAG and LMA. In addition, a nonce value may be used to distinguish the plurality of values.

4A and 4B are flowcharts illustrating a security key generation scheme block diagram and a generation method using an EMSK according to a second embodiment of the present invention.

Although FIG. 4A shows that MSK 403 and EMSK 405 are generated from Long Term Credential 401, MSK 405, U-MSK 413, The MIP-RK 431 and the Other Application-RK (hereinafter, APP-RK) 233 are all different from the embodiment of FIG. 3A in that they are generated.

That is, in step 492, D-MSK and U-MSK are generated using the following Equations 14 to 15 in EMSK instead of MSK.

D-MSK = KDF (EMSK, Key Label, Option Data, Length)

U-MSK = KDF (EMSK, Key Label, Option Data, Length)

Steps 493 to 496 of FIG. 4B are the same as steps 396 to 393 of FIG. 3B, and thus a detailed description thereof will be omitted.

Meanwhile, in step 497, not only MIP-RK but also APP-RK are generated by using Equations 16 and 17 below from EMSK.

MIP-RK = KDF (EMSK, key label, option data, length)

APP-RK = KDF (EMSK, key label, option data, length)

In Equations 14 to 17, KDF is defined as a Pseudo Random Function (PRF). 498 of FIG. 4B is the same as step 398 of FIG. 3B, and thus a detailed description thereof will be omitted.

5A and 5B are block diagrams illustrating an example of a security key generation system using MSK, EMSK, and HA-RK according to a third preferred embodiment of the present invention, and a flowchart for explaining a method for generating the security key. Hereinafter, only differences from the third embodiment will be described.

The third embodiment is basically similar to the key generation method of the first embodiment, except that the MAG-LMA key 581 is not generated in the MIP-RK 531, but is generated from the HA-RK 541. have. This can be used when the AAA wants to allocate HA by not generating the HA-RK 541 depending on the MIP-RK 531 and generating the HA-RK 541 by the AAA. Therefore, this method can be used when HA and non-existent keys are assigned depending on a specific MIP session. HA-RK 541 is randomly generated in AAA and its length is not specified in the present invention.

Referring to FIG. 5B, in step 599, MAG-LMA _{- PMIPv6} 581 and MAG-LMA _{- PMIPv4} 583 may be derived from Equations 18 and 19, respectively.

MAG-LMA _{- PMIPv6} = KDF (HA-RK, "PMIPv6 MAG LMA" | LMA-IPv6 | MAG-Address | Nonce)

MAG-LMA _{- PMIPv4 =} KDF (HA-RK, "PMIPv4 MAG, LMA" | LMA-IPv4 | MAG-Address | Nonce)

In Equations 18 and 19, a function such as HMAC-SHA1 may be used as an example of KDF. In Equation 18 and Equation 19, MAG-Address and Nonce may not be used as input values. Instead of the nonce, a security parameter index (SPI) value of the HA-RK 541 may be used.

6A and 6B are block diagrams illustrating a security key generation system using MSK, EMSK, and HA-RK according to a fourth preferred embodiment of the present invention, and a flowchart for explaining a method of generating the security key. Hereinafter, only differences from the third embodiment will be described.

In the fourth embodiment, unlike in the third embodiment, FA-HA _{- CMIPv4} 671 is also generated from the HA-RK 607 in step 699, and Equation 20 is used.

FA-HA _{- CMIPv4} = KDF (HA-RK, "CMIPv4 FA HA" | HA-IPv4 | FA-CoAv4 | Nonce)

In Equation 20, a function such as HMAC-SHA1 may be used as an example of KDF. In Equation 20, FA-CoAv4 and Nonce may not be used as input values. Instead of the nonce, a security parameter index (SPI) value of the HA-RK 607 may be used.

7A and 7B are block diagrams illustrating an example of a security key generation system using MSK, EMSK, and FA-RK according to a fifth exemplary embodiment of the present invention, and a flowchart illustrating a method of generating a security key. Hereinafter, only differences from the first embodiment will be described.

The fifth embodiment differs from the first embodiment in that the MN-FA key 781 is derived from the FA-Root key (hereinafter, FA-RK) 741 and generated. That is, in step 799, the FA-RK is generated from the MIP-RK, and in step 800, the MN-FA key 781 is generated from the FA-RK 741. In this way, the FA-RK concept was introduced to use the FA-RK 741 as a root key to take a new FA without re-authentication in a handover situation. Equations 21 and 22 are used to derive the height of.

FA-RK = KDF (MIP-RK, "CMIPv4 FA RK")

MN-FA _{- CMIPv4} = KDF (FA-RK, "CMIPv4 MN FA" | FA-IPv4 | MN-NAI)

In Equations 21 and 22, as an example of KDF, a function such as HMAC-SHA1 may be used. In Equation 22, MN-NAI may not be used as input data of a function.

8A and 8B are block diagrams illustrating an example of a security key generation system using MSK, EMSK, and PMIP-RK according to a sixth preferred embodiment of the present invention, and a flowchart for explaining a method for generating the security key. Hereinafter, only differences from the first embodiment will be described.

In the sixth embodiment, unlike the first embodiment, the Proxy Mobile IP-RK (hereinafter referred to as PMIP-RK) 841 may be generated from the EMSK 805. In step 899, the PMIP-RK may be generated using Equation 23 below.

PMIP-RK = KDF (EMSK, key label, option data, length)

One specific example of Equation 23 is as in Equation 24 below.

PMIP-RK = KDF (EMSK, "PMIP-RK")

In Equation 24, KDF is defined as a Pseudo Random Function (PRF).

Meanwhile, in step 897, the MIP-RK 831 may be generated from the EMSK 805. The MIP-RK 831 may be defined as in Equation 25 below.

MIP-RK = KDF (EMSK, key label, option data, length)

Specific examples of Equation 25 may be Equation 26 below.

MIP-RK = KDF (EMSK, "MIP-RK")

In Equation 26, KDF is defined as a Pseudo Random Function (PRF).

And, in step 900 MAG-LMA _{- PMIPv6} 881 and MAG-LMA _{- PMIPv4} (883) can be derived from the following equations (27) and (28) from PMIK-RK.

MAG-LMA _{- PMIPv6} = KDF (PMIP-RK, "PMIPv6 MAG LMA | LMA-IPv6 | MAG-Address | Nonce)

MAG-LMA _{- PMIPv4 =} KDF (PMIP-RK, "PMIPv4 MAG LMA | LMA-IPv4 | MAG-Address | Nonce)

In Equation 27 and Equation 28, examples of KDF may be one such as HMAC-SHA1.

9A and 9B are block diagrams illustrating an example of a security key generation system using MSK, EMSK, PMIP-RK, and MAG-RK according to a seventh preferred embodiment of the present invention, and a flowchart for explaining a method for generating the security key. to be. Since the basic process is the same as in the sixth embodiment, only the differences will be described below.

MAG-LMA _{- PMIPv6} (981) and MAG-LMA _{- PMIPv4} (983) are generated from PMIP-RK (941) as shown in FIG. 8, and MAG-RK (985) can also be generated. In addition, MN-HA _{- PMIPv6} (987) and MN-HA _{- PMIPv4} (989) also show examples in which PMIP-RK can be generated. Thus, when MIP and PMIP are generated from PMIP-RK like 987 and 989, It can be used to take MN-HA separately. Meanwhile, MN-MAG _{- PMIPv6} 991 and MN-MAG _{- PMIPv4} key 993 can be derived from MAG-RK 985. Each is calculated using the following Equations (29) to (33).

MN-HA _{- PMIPv6} = KDF (PMIP-RK, "PMIPv6 MN HA" | HA-IPv6 | MN-NAI)

MN-HA _{- PMIPv4 =} KDF (PMIP-RK, "PMIPv4 MN HA" | HA-IPv4 | MN-NAI)

MAG-RK = KDF (PMIP-RK, "PMIPv4 MAG RK")

MN-MAG _{- PMIPv6} = KDF (MAG-RK, "PMIPv6 MN MAG" | MAG-IPv6 | MN-NAI)

MN-MAG _{- PMIPv4 =} KDF (MAG-RK, "PMIPv4 MN MAG" | MAG-IPv4 | MN-NAI)

In Equations 29 to 33, examples of KDF may be HMAC-SHA1. MN-NAI may not be used as input data of a function in Equations 29 to 30, and 33 to 33.

10A and 10B are block diagrams illustrating an example of a security key generation system using EMSK, MIP-RK, PMIP-RK, and MAG-RK according to an eighth preferred embodiment of the present invention, and a method of generating the security key will be described. It is a flowchart for. Since the basic process is the same as in the seventh embodiment, only the differences will be described below.

Although FIG. 10A shows that the MSK 1003 and the EMSK 1005 are generated from the Long Term Credential 1001, the MSK 1005 and the MS-KK 1011, U-MSK 1013, In addition, the MIP-RK 1031 and the PMIP-RK 1041 are all generated, which is different from the embodiment of FIG. 9A. Accordingly, in FIG. 10B, D-MSK and U-MSK are generated from EMSK in step 1092, which is different from FIG. 9B.

That is, in step 1092, D-MSK and U-MSK are generated using the following Equations 34 to 35 in EMSK instead of MSK.

D-MSK = KDF (EMSK, Key Label, Option Data, Length)

U-MSK = KDF (EMSK, Key Label, Option Data, Length)

Since steps 1093 to 1096 of FIG. 10B are the same as steps 996 to 993 of FIG. 9B, detailed descriptions thereof will be omitted.

Meanwhile, the Proxy Mobile IP-RK (hereinafter referred to as PMIP-RK) 1041 may be generated from the EMSK 1005. In step 1097, the PMIP-RK 1041 and the MIP-RK 1031 may be generated using Equations 36 to 38 below.

PMIP-RK = KDF (EMSK, key label, option data, length)

MIP-RK = KDF (EMSK, key label, option data, length)

Specific examples of Equations 36 to 37 may be the following Equations 38 to 39.

PMIP-RK = KDF (EMSK, "PMIP-RK")

MIP-RK = KDF (EMSK, "MIP-RK")

In Equations 38 to 39, KDF is defined as a Pseudo Random Function (PRF).

11A and 11B are block diagrams illustrating an example of a security key generation system using an EMSK, a MIP-RK, a PMIP-RK, and a MAG-RK according to a ninth preferred embodiment of the present invention. It is a flowchart for. Since the basic process is the same as in the tenth embodiment, only the differences will be described below.

In FIG. 11A, unlike in FIG. 10A, an MSK, D-MSK 1111, U-MSK 1113, and MIP-RK 1131 are generated from EMSK 1105 and PM-RK 1041 is D- It is different from the embodiment of FIG. 10A in that it is generated by the MSK 1111 or the U-MSK 1113. Therefore, in FIG. 11B, there is a process of generating PMIP-RK from 1192-2 process D-MSK or U-MSK after 1192 process, and then goes through processes such as 1192-3, 1192-4, and 1192-5.

Meanwhile, in step 1141, the PMIP-RK may be generated using Equation 40 below.

PMIP-RK = KDF (D-MSK or U-MSK, key label, option data, length)

One specific example of Equation 40 may be the same as Equation 41 or Equation 42 below.

PMIP-RK = HMAC-SHA1 (D-MSK, "PMIP-RK")

In Equation 41, HMAC-SHA1 refers to the HMAC-SHA1 function.

PMIP-RK = HMAC-SHA1 (U-MSK, "PMIP-RK")

In Equation 42, HMAC-SHA1 refers to the HMAC-SHA1 function.

12A and 12B are block diagrams illustrating an example of a security key generation system using EMSK, MIP-RK, FA-RK, and HA-RK according to the tenth, eleventh, and twelfth exemplary embodiments of the present invention. Since the basic process is the same as in the seventh, eighth and ninth embodiments described above, only the differences will be described below. Security keys derived from MIP-RK in the seventh, eighth, and ninth embodiments shown in FIGS. 9, 10, and 11 can be generated by a method as shown in FIG. 12A or 12B. For better understanding, the same numbers will be used. For example, x05 in FIGS. 12A and 12B may be easily understood by replacing the MIP-RK part in the corresponding drawings of FIGS.

12A and 12B, the MN-FA _{- CMIPv4} keys of x61, that is, 961, 1061, and 1161 are generated from FA-RK of x94, unlike FIGS. 9A, 10A, and 11A. That is 9a, 10a, 11a in the MN-FA _{- CMIPv4} key in Fig. 12a and Fig. 12b in comparison to those generated from the MIP-RK, and the differences in that it is produced from the FA-RK FA-RK and the MN-FA _- the _CMIPv4 key The generation method is as follows. That is, in step x94, the FA-RK is generated from the MIP-RK, and in step x61, the MN-FA _{-- CMIPv4} key (x61) is generated from the FA-RK (x94). Equations 43 and 44 are used to derive the respective heights.

FA-RK = KDF (MIP-RK, "CMIPv4 FA RK")

MN-FA _{- CMIPv4} = KDF (FA-RK, "CMIPv4 MN FA" | FA-IPv4 | MN-NAI)

In Equation 43, as an example of KDF, at least one of a function such as a pseudo random function (hereinafter referred to as PRF) or HMAC-SHA1 may be used. Meanwhile, as an example of KDF in Equation 44, a function such as HMAC-SHA1 may be used, and MN-NAI may not be used as input data of the function.

There are differences between 12a and FIG. 12b in relation to X71 FA-HA _{- CMIPv4} key generation. In FIG. 12A, the FA-HA _{- CMIPv4} keys of _X71 , that is, 971, 1071, and 1171, are generated from HA-RK of x95 unlike FIGS. 9A, 10A, and 11A. That is 9a, 10a, 11a in the FA-HA _{- CMIPv4} key in Fig. 12a as compared to the one produced from the MIP-RK, and the differences in that it is produced from HA-RK HA-RK and FA-HA _- method for generating _CMIPv4 key As follows. That is, in step x95, HA-RK is generated from MIP-RK, and in step x71, the FA-HA-- _CMIPv4 key (x71) is generated from HA-RK (x95). Equations 45 and 46 are used to derive the respective heights.

HA-RK = KDF (MIP-RK, "CMIPv4 HA RK")

As an example of KDF in Equation 45, at least one of a function such as a pseudo random function (hereinafter referred to as PRF) or HMAC-SHA1 may be used.

FA-HA _{- CMIPv4} = KDF (HA-RK, "CMIPv4 FA HA" | HA-IPv4 | FA-CoAv4 | Nonce)

In Equation 46, a function such as HMAC-SHA1 may be used as an example of KDF. In Equation 46, either FA-CoAv4 or Nonce may not be used as an input value.

On the other hand, in FIG. 12B, unlike the FIGS. 9A, 10A, and 11A, the _X71 , 971, 1071, and 1171 FA-HA _{- CMIPv4} keys are generated from the HA-RK of x95. However, unlike FIG. 12A, HA-RK is not generated from MIP-RK as in step x95, and HA-RK (x96) is not generated depending on MIP-RK (x31) as in step x96. ) Is generated by AAA, and the FA-HA _{- CMIPv4} key (x71) is generated from HA-RK (x96) in step x71 as shown in FIG. 12A.

Rather than generating HA-RK (x96) dependent on MIP-RK (x31), the method of randomly generating HA-RK (x41) in AAA can be used when AAA wants to allocate HA. Not specified in the invention. Therefore, this method can be used when HA and non-existent keys are assigned depending on a specific MIP session. In the generation of FA-HA- _CMIPv4 key (x71) from HA-RK (x96) in step x71 of FIG. 12B, Equation 46 is used, but unlike the case of 12a, HA- A Security Parameter Index (SPI) value of the RK 607 may be used.

13A and 13B are block diagrams illustrating an example of a security key generation system using an EMSK, a MIP-RK, and a PMIP-RK according to a thirteenth preferred embodiment of the present invention, and a flowchart illustrating a method of generating the security key. Since the basic process is the same as in the ninth embodiment, only the differences will be described below. The PMIP-RK of 1341 and the following key generation method are the same as in the ninth embodiment. The method of generating the MIP-RK of 1331 and the MN-HA, FA-RK, HA-RK, MN-FA, FA-HA keys of 1351, 1394, 1395, 1353, 1361, and 1371 is described in detail in FIG. Follow the embodiments of 11 and 12. Meanwhile, the method of generating the PMIP-RK of 1397 and the keys of the following keys 1397-2 to 1397-8 follows the method of generating the PMIP-RK of the eighth embodiment of FIG. 10.

14A and 14B are block diagrams illustrating an example of a security key generation system using EMSK, MIP-RK, and PMIP-RK according to a fourteenth preferred embodiment of the present invention, and a flowchart for explaining a method for generating the security key. . Since the basic process is the same as in the thirteenth embodiment, only the differences will be described below. Unlike the thirteenth embodiment, the 1496 HA-RK key generating 1471 FA-HA- _CMIPv4 is randomly generated in AAA as in the tenth, eleven, and twelve embodiments of FIG. 12B. have.

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be defined not only by the scope of the following claims, but also by those equivalent to the scope of the claims.

In the present invention operating as described in detail above, the effects obtained by the representative ones of the disclosed inventions will be briefly described as follows.

The present invention provides authentication and security in the UMB network, the next-generation evolution of 3GPP2. In other words, the present invention not only solves the authentication and security problems that occur in 3GPP2 1x EV-DO, that is, low-speed security settings, key management complexity, security problems that can use the service without paying just, RF, At the protocol level as well as at the protocol level, denial of service denial by message attacks is more secure.

In addition, the present invention can solve the above problems by performing device and user authentication, and also MIP service authentication more securely and communication can be performed efficiently, the effect of efficiently performing authentication even in a PPP-free environment that does not use PPP There is.

Claims (5)

In the method for generating a security key in a mobile communication network system, Generating a master session key (MSK) and an extended master session key (EMSK) from long term credentials; Generating / managing device authentication or user authentication or session-related keys from the master session key (MSK); A mobile IP root key (MIP-RK) and a proxy mobile IP root key (MIP-RK) are generated from the extended authentication session key (EMSK), and a client mobile IP key and a proxy mobile IP key are generated from them. Security key generation method characterized in that configured. In the method for generating a security key in a mobile communication network system, Generating a master session key (MSK) and an extended master session key (EMSK) from long term credentials; Generating / managing device authentication or user authentication or session-related keys from the extended authentication session key (EMSK), Generating a mobile IP root key (MIP-RK) from the extended authentication session key (EMSK), and generating a client mobile IP key and a proxy mobile IP key from them, respectively. In the method for generating a security key in a mobile communication network system, Generating a master session key (MSK) and an extended master session key (EMSK) from long term credentials; Generating / managing device authentication or user authentication or session-related keys from the master session key (MSK); Generating a mobile IP root key (MIP-RK) from the extended authentication session key (EMSK), and generating a client mobile IP key and a proxy mobile IP key from them. In the method for generating a security key in a mobile communication network system, Generating a master session key (MSK) and an extended master session key (EMSK) from long term credentials; Generating / managing device authentication or user authentication or session-related keys from the extended authentication session key (EMSK), Generating a mobile IP root key (MIP-RK) and a proxy mobile IP root key (MIP-RK) from the extended authentication session key (EMSK), and generating a client mobile IP key and a proxy mobile IP key from them Security key generation method characterized in that consisting of. A mobile communication network device for generating a security key, An authentication server that generates a master session key (MSK) and an extended master session key (EMSK) from long term credentials; An access gateway for generating a root master session key (RSK) from a master session key (MSK) received from the authentication server; A signaling wireless network controller for generating a device authentication or user authentication or session related key from the master session key and transmitting it to a base station; A base station for generating a traffic session key (TSK), which is a key for data encryption or a key for data integrity verification, from a key generated from the radio network controller; Generating and storing the master session key and the extended master session key, and generating a security key including a mobile terminal for generating keys related to device authentication and user authentication from the master session key and the extended master session key.

Images