US20090259851A1 - Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment - Google Patents

Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment Download PDF

Info

Publication number
US20090259851A1
Authority
US
United States
Prior art keywords
key
user
encrypted
based telephony
telephony network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/100,781
Inventor
Igor Faynberg
Huilan Lu
Douglas W. Varney
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia of America Corp
Original Assignee
Lucent Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lucent Technologies Inc filed Critical Lucent Technologies Inc
Priority to US12/100,781 priority Critical patent/US20090259851A1/en
Assigned to LUCENT TECHNOLOGIES INC. reassignment LUCENT TECHNOLOGIES INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: FAYNBERG, IGOR, LU, HUILAN, VARNEY, DOUGLAS W.
Priority to CN2009801126911A priority patent/CN101999221A/en
Priority to BRPI0911196A priority patent/BRPI0911196A2/en
Priority to CN201610829491.XA priority patent/CN106411867A/en
Priority to KR1020107025279A priority patent/KR101173781B1/en
Priority to MX2010010981A priority patent/MX2010010981A/en
Priority to PCT/US2009/001920 priority patent/WO2009126209A2/en
Priority to JP2011503968A priority patent/JP5524176B2/en
Priority to AU2009234465A priority patent/AU2009234465B2/en
Priority to EP09730619A priority patent/EP2283604A2/en
Priority to RU2010145465/08A priority patent/RU2506703C2/en
Publication of US20090259851A1 publication Critical patent/US20090259851A1/en
Priority to IL208310A priority patent/IL208310A/en
Assigned to CREDIT SUISSE AG reassignment CREDIT SUISSE AG SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ALCATEL-LUCENT USA INC.
Priority to JP2013228359A priority patent/JP2014068350A/en
Assigned to ALCATEL-LUCENT USA INC. reassignment ALCATEL-LUCENT USA INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: CREDIT SUISSE AG
Priority to US15/244,591 priority patent/US10362009B2/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10Architectures or entities
    • H04L65/1016IP multimedia subsystem [IMS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1073Registration or de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/065Continuous authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention relates to user authentication techniques and, more particularly, to methods and apparatus for user authentication in IP-based telephony networks.
  • the IP Multimedia Subsystem is an architectural framework for delivering Internet Protocol (IP) multimedia to mobile users.
  • IP Internet Protocol
  • An IMS network is typically divided into an access domain and a network domain, each having its own security specification.
  • a user may access an IP network via the access network of an access network provider, and then access different services, such as voice, video and streaming media, through one or more service networks provided by one or more service network providers.
  • Authentication in an IMS network is typically based on the known Authentication and Key Agreement (AKA) mechanism.
  • AKA is a security protocol typically used in 3G networks.
  • AKA is a challenge-response based authentication mechanism that uses a shared secret and symmetric cryptography.
  • AKA results in the establishment of a security association (i.e., a set of security data) between the user equipment and the IMS network that enables a set of security services to be provided to the user.
  • Public cryptography has not been widely employed in the telephony domain. There is a growing trend, however, to employ a public key infrastructure (PKI) for authentication in the telephony domain, such as in IMS networks. While public cryptography techniques can significantly improve the security of an IMS network, there are a number of technical considerations that have previously limited the use of public cryptography techniques in IMS networks. In particular, there is a concern that the private keys can be recovered from the allegedly “secure” volatile memory contained in the user equipment. Thus, any solution that would allow even temporary storage of private keys in a terminal memory is deemed unacceptable.
  • PKI public key infrastructure
  • an authentication method is provided that is performed by a user device attempting to access an IP-based telephony network.
  • One or more private keys of the user are initially obtained from a secure memory associated with the user device.
  • the secure memory may be, for example, a component of a smart card having an IMS Subscriber Identity Module (ISIM) that can securely store data and perform computations on the data.
  • ISIM IMS Subscriber Identity Module
  • the disclosed method generates an integrity key and a ciphering key; encrypts the integrity key and the ciphering key using a session key; encrypts the session key with a public key of the IP-based telephony network; and provides the encrypted session key, encrypted integrity key and encrypted ciphering key to the IP-based telephony network for authentication.
  • a method for authenticating a user employing a user device attempting to access an IP-based telephony network.
  • the user is authenticated by obtaining an encrypted session key encrypted with a public key of the IP-based telephony network; obtaining an encrypted integrity key and encrypted ciphering key from the user device, wherein the integrity key and the ciphering key were generated by a secure device associated with the user device using one or more private keys of the user; decrypting the encrypted session key using the corresponding private key of the IP-based telephony network; decrypting the encrypted integrity key and encrypted ciphering key using the decrypted session key; and authenticating the user device based on a Public Key Infrastructure (PKI) computation.
  • one or more of the encrypted session key, the encrypted integrity key and the encrypted ciphering key can optionally be encrypted using the one or more private keys.
  • a user identity can be encrypted using the session key. In this manner, the user identity can be obtained only by a holder of the session key.
  • a nonce can be employed to protect against a replay attack.
  • FIG. 1 illustrates an exemplary IMS network environment in which the present invention may be employed
  • FIG. 2 is a block diagram of an exemplary smart card incorporating features of the present invention
  • FIG. 3 is a flow chart describing an exemplary implementation of a PKI authentication process for use in an IP-based telephony network, such as an IMS network;
  • FIG. 4 is a flow chart describing an exemplary implementation of a server authentication process for use by a network server in an IP-based telephony network.
  • the present invention provides end user-to-network authentication based on the Public Key Infrastructure (PKI) within an IMS network.
  • a user is authenticated in an IMS network using one or more private keys that are stored, for example, on a secure smart card having an IMS Subscriber Identity Module (ISIM), or a secure set-top box for IPTV, associated with the user equipment.
  • when a user is authenticated in an IMS network, all computations that involve the private keys are performed on the secure smart card or another secure processor.
  • a “secure” device such as a smart card, shall comprise a device that satisfies one or more predefined security standards.
  • a smart card having an ISIM shall comprise a secure smart card.
  • the disclosed public key cryptography techniques perform a mutual end user-to-network authentication for an IMS network that results in a key agreement substantially similar to that of the conventional AKA authentication mechanism.
  • the disclosed public key cryptography techniques do not require a shared secret.
  • FIG. 1 illustrates an exemplary IMS network environment 100 in which the present invention may be employed. While the present invention is illustrated herein in the context of an exemplary IMS network environment 100 , the present invention can also be employed in other IP-based telephony networks, such as SIP and cable television networks, as would be apparent to a person of ordinary skill in the art.
  • the exemplary IMS network environment 100 comprises a user equipment (UE) device 110 , and an IMS core network system 120 .
  • the user equipment device 110 represents the user terminal (such as a wireless phone or a set-top box) and comprises an associated smart card 114 , for example, having an ISIM application.
  • a smart card 114 represents any entity that can securely store secret data and also perform computations on that data.
  • the IMS core network system 120 comprises a home network 130 and a visited network 140 .
  • the home network 130 comprises a home subscriber server (HSS) 132 , an Interrogating Call Session Control Function (I-CSCF) 134 and a Serving Call Session Control Function (S-CSCF) 136 .
  • the S-CSCF 136 can alternatively be implemented as any network server that is responsible for user authentication.
  • the visited network 140 comprises a Proxy Call Session Control Function (P-CSCF) 144 .
  • P-CSCF Proxy Call Session Control Function
  • CSCF Call Session Control Function
  • Proxy, Interrogating and Serving CSCFs are distinguished based on their corresponding functions.
  • the P-CSCF 144 is adapted for access by the user equipment 110 , and any user equipment 110 shall gain access to the IMS network 100 through the P-CSCF 144 .
  • the S-CSCF 136 provides core functions such as session control and routing.
  • the I-CSCF 134 is adapted for selection of the S-CSCF 136 and the intercommunication between different service providers or different area networks.
  • the HSS 132 is adapted to store subscription data and configuration data of subscribers (for example, the user's certificates), and to support a function of Authentication & Authorization (AAA) for the subscribers.
  • AAA Authentication & Authorization
  • each user equipment device 110 includes a first interface 105 and a second interface 150
  • Interface 105 is a bidirectional authentication interface between the user equipment device 110 and the IMS network 100 .
  • Interface 105 is adapted to enable a subscriber authentication function.
  • Interface 150 is adapted to provide communication security between the user equipment device 110 and the P-CSCF 144 .
  • interfaces 105 and 150 are typically implemented in the 3GPP through application of an IMS AKA mechanism during a registration process for the user equipment.
  • an aspect of the present invention augments an existing smart card having an ISIM application, or another secure storage device associated with the user equipment device 110 , with the private key of the user, the network certificate, an (optional) function for generating an Integrity Key (IK) and Cipher Key (CK) based on the private key, and a capability of the ISIM application to perform the encryption with at least one existing PKI algorithm (such as RSA, elliptic-curve cryptography, or ElGamal) to be chosen by the network provider.
  • IK Integrity Key
  • CK Cipher Key
  • a further aspect of the present invention augments the IMS authentication with a new protocol exchange among the end-user terminal, ISIM, and Serving Call Session Control Function (S-CSCF).
  • S-CSCF Serving Call Session Control Function
  • FIG. 2 is a block diagram of an exemplary smart card 200 , such as an ISIM, incorporating features of the present invention. As shown in FIG. 2 , the exemplary smart card 200 comprises:
  • one or more user private keys 210 (for signature and encryption), of which, for simplicity, only one, U_pr, is used herein;
  • a function 220 (typically already present in an ISIM card) for computing the integrity key, IK, and the ciphering key, CK.
  • the function 220 may need to be augmented to take as an input a private key, or some other key material, in place of the ISIM shared secret, as discussed hereinafter;
  • a function 230 for randomly computing a one-time session key, K_S, that is used to encrypt the other keys as discussed below and also serves as a challenge for the network-to-user authentication.
  • This key is generally equal in length to the combined lengths of the IK and CK keys;
  • the user public and private identities 240 (such as the IMS Private User Identity (IMPI) and IMS Public User Identity (IMPU) in IMS), for the purposes of illustration grouped into one string, Id. It is noted that the user's certificate can bind the IMPI with the user's public keys.
  • IMPI IMS Private User Identity
  • IMPU IMS Public User Identity
  • FIG. 3 is a flow chart describing an exemplary implementation of a PKI authentication process 300 for use in an IMS network.
  • a session commences when the UE 310 attempts to register with the network 100 .
  • the UE 310 needs to authenticate to the network and authenticate the server as the one that belongs to the network.
  • in the PKI authentication of the present invention, this is achieved through the use of certificates (see, for example, ITU-T Rec. X.509).
  • the network acts as a certification authority, and so the network certificate with the public key of the network is located in the smart card 200 .
  • the UE 310 requests during step 325 that the smart card 305 provides the authenticator, Autn.
  • the smart card 305 computes (possibly, in cooperation with the UE 310 , as explained below) the authenticator, Autn, and delivers the authenticator, Autn, to the UE 310 during step 330 , as discussed further below in the section entitled “Computation of the Authenticator, Autn.”
  • the Autn parameter is passed along to the Network Server 315 during step 335 , for example, as part of a Register message (such as a SIP Register method). It is not essential that this authentication procedure is performed during registration. Technically, the authentication procedure can be performed at any time when authentication is needed and be part of any protocol, as would be apparent to a person of ordinary skill in the art.
  • a Register message such as a SIP Register method
  • the user includes its certificate along with the Autn parameter.
  • the procedure of the retrieval of the certificate by the network server 315 as described below is replaced by the procedure of verifying the certificate in its chain.
  • upon reception of the Autn parameter, the network server 315 performs a server authentication process 400 , discussed further below in conjunction with FIG. 4 .
  • the authentication process 400 authenticates the user based on the received Autn parameter and computes an Autn′ parameter that the network server 315 uses to authenticate itself to the user.
  • the Autn′ parameter is transmitted to the UE 310 during step 360 .
  • when the UE 310 receives the Autn′ message, it checks the network signature and hands the part that corresponds to the encrypted nonce to the smart card 305 during step 365 for the private-key-based decryption. If either the integrity check of the message fails or the decrypted value is not equal to freshness+1, the UE 310 proceeds according to the network policy for this specific case. If both checks pass, the procedure is complete.
  • the smart card 305 computes the authenticator, Autn, during step 330 .
  • the authenticator, Autn can be expressed as follows:
  • freshness is a nonce (such as a timer value, the IMS SEQ parameter, or any other nonce) that protects the communication against replay attacks; it is generally equal in length to the combined lengths of the IK and CK keys;
  • K_S[. . .] designates a symmetric key encryption operation (such as DES, triple-DES, AES, or a one-time pad) performed with the key K_S;
  • N_pu[. . .] designates encryption with the network public key N_pu, available from the network certificate;
  • U_pr{. . .} designates the signature operation with the user's private signature key. For example, first a hash (such as a SHA-2 hash) of the argument is computed, then the result is encrypted with that key, and finally this result is concatenated with the argument.
  • the presence of the signature solves two problems: first, it protects the integrity of the message, and, second, it provides (in combination with the freshness parameter), the non-repudiation feature, which is typically essential to operators inasmuch as it constitutes the proof that the session was initiated by the user.
  • the resulting Autn string consists of three concatenated components:
  • C = U_pr[Hash(A || B)] allows checking the integrity of the previous two components as well as proving to the receiver that the message was issued by the user.
  • the step of separately computing B is not essential. It is used, as is common practice, to minimize the expensive private-key computation.
  • certain pieces of the above computation (i.e., the ones that do not involve the user private key operations) may be performed by the UE 310 rather than by the smart card 305 ;
  • one or more messages carrying the results of such computations may need to be exchanged between the UE 310 and the smart card 305 .
  • the only operation that is generally always performed on the card 305 in the exemplary embodiments of the invention is the signature with the private key. Ultimately, it is the only potentially intensive computation required, compared to the rest of the computations.
  • the network server 315 performs a server authentication process 400 to authenticate the user based on the received Autn parameter and to compute an Autn′ parameter that the network server 315 uses to authenticate itself to the user.
  • FIG. 4 is a flow chart describing an exemplary implementation of a server authentication process 400 for use by a network server 315 in an IMS network.
  • the network server 315 initially uses its private key during step 410 to decrypt A and recover the key K_S, which is the means of recovering the other parameters.
  • the server authentication process 400 then proceeds to decrypt B with the key K_S and recover the identity, Id, of the user during step 420 .
  • the network server 315 checks if there is a record in the subscription directory of legitimate users indexed by this identity, and, if so, whether the user is authorized to register or receive any other service specified by the particular protocol message in which this parameter has been carried.
  • the network server 315 also retrieves the certificate of the user (unless, as described above, the certificate is sent by the user). If there is no entry in the table, the processing stops and, depending on the network security policy, the event may be logged or, in case of server overload, reported as a denial of service attack.
  • the network server 315 proceeds to recover the nonce, freshness, and determines during step 430 whether a replay is possible. If, for example, a timestamp is used, the network server 315 checks that it is within the acceptable time window. Likewise, if a sequence number (such as the sequence number in the AKA algorithm) is used, the network server 315 checks that its value is in the acceptable range (and, if not, it may initiate a re-sequencing procedure with the UE 310 ). If the examination fails, the processing stops and, depending on the network security policy, the event may be logged or, in case of server overload, reported as a denial of service attack, especially if there is an obvious indication of replay.
  • a sequence number such as sequence in the AKA algorithm
  • the network server 315 a) decrypts C with the public key of the user (obtained from the user's certificate); b) computes the hash of A
  • the network server 315 then proceeds to recover IK and CK during step 450 .
  • the authentication of the UE 310 to the network has completed, and the network has the same information as it would have had with an AKA authentication technique.
  • the network server 315 computes the Autn′ parameter during step 460 , as follows:
  • U_pu[. . .] designates encryption with the user's public key U_pu, available from the user's certificate;
  • N_pr[. . .] designates the signature operation with the network private signature key: first a hash (such as a SHA-2 hash) of the argument is computed, then the result is encrypted with that key, and finally this result is concatenated with the argument.
  • a hash such as a SHA-2 hash
  • the presence of the signature solves two problems: first, it protects the integrity of the message, and, second and most important, it provides a proof that the message came from the network.
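The card-side computation of Autn (steps 325 to 335 above) and the server-side process 400 (steps 410 to 460, together with the UE's check of Autn′ at step 365), carried through as one complete exchange. This is an added example written for this page, not code from the patent or its assignee. It fixes choices the page leaves open: N_pu[. . .] and U_pu[. . .] are RSA-OAEP, the signatures U_pr{. . .} and N_pr[. . .] are RSA-PSS over SHA-256, K_S[. . .] is AES-256-GCM with a fixed nonce (acceptable only because each K_S is used once), B carries freshness || IK || CK || Id in that order, IK and CK are drawn at random, the replay check requires the sequence number to increase strictly, and Autn′ is taken to be N_pr[U_pu[freshness+1]], which is what the step-365 check implies. Freshly generated RSA key pairs stand in for the two certificates, and the IMPI is constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Autn is the authenticator of step 330: A = N_pu[K_S], B = K_S[freshness||IK||CK||Id], C = U_pr{Hash(A||B)}.
type Autn struct{ A, B, C []byte }

// Card stands in for the ISIM of FIG. 2: U_pr, the N_pu taken from the network certificate, and the identity Id.
type Card struct {
	Upr *rsa.PrivateKey
	Npu *rsa.PublicKey
	Id  string
}

// Server stands in for the S-CSCF: N_pr, the subscriber directory (Id -> U_pu) and the last SEQ accepted per Id.
type Server struct {
	Npr     *rsa.PrivateKey
	Users   map[string]*rsa.PublicKey
	LastSeq map[string]uint64
}

var zeroNonce = make([]byte, 12) // acceptable only because every K_S is used to encrypt exactly one message

func hashAB(a, b []byte) []byte { // Hash(A||B); also used with b == nil for the Autn' signature
	sum := sha256.Sum256(append(append([]byte{}, a...), b...))
	return sum[:]
}

// aead realises K_S[...] as AES-256-GCM; callers guarantee a 32-byte K_S, so neither constructor can fail.
func aead(ks []byte) cipher.AEAD {
	block, _ := aes.NewCipher(ks)
	g, _ := cipher.NewGCM(block)
	return g
}

// ComputeAutn is step 330 and also returns the IK and CK the card generated. N_pu[...] is RSA-OAEP and
// U_pr{...} is RSA-PSS over SHA-256(A||B): our choices, the page names only the operation classes.
func (c *Card) ComputeAutn(freshness uint64) (Autn, []byte, []byte, error) {
	ks, ik, ck := make([]byte, 32), make([]byte, 16), make([]byte, 16) // |K_S| = |IK| + |CK|; IK, CK random here
	for _, buf := range [][]byte{ks, ik, ck} {
		if _, err := rand.Read(buf); err != nil {
			return Autn{}, nil, nil, err
		}
	}
	a, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Npu, ks, nil) // A = N_pu[K_S]
	if err != nil {
		return Autn{}, nil, nil, err
	}
	plain := make([]byte, 8, 40+len(c.Id)) // freshness || IK || CK || Id is our layout; the page fixes no order
	binary.BigEndian.PutUint64(plain, freshness)
	b := aead(ks).Seal(nil, zeroNonce, append(append(append(plain, ik...), ck...), c.Id...), nil) // B = K_S[...]
	sig, err := rsa.SignPSS(rand.Reader, c.Upr, crypto.SHA256, hashAB(a, b), nil) // C: the only U_pr operation
	return Autn{A: a, B: b, C: sig}, ik, ck, err
}

// Authenticate is process 400 of FIG. 4. It returns Autn' = N_pr[U_pu[freshness+1]] (our reading of the page)
// and the recovered IK and CK. Any failed check stops processing, as the page prescribes.
func (s *Server) Authenticate(au Autn) ([]byte, []byte, []byte, error) {
	ks, err := rsa.DecryptOAEP(sha256.New(), nil, s.Npr, au.A, nil) // step 410: only N_pr recovers K_S
	if err != nil || len(ks) != 32 {
		return nil, nil, nil, errors.New("step 410: cannot recover K_S")
	}
	plain, err := aead(ks).Open(nil, zeroNonce, au.B, nil) // step 420: K_S recovers freshness, IK, CK and Id
	if err != nil || len(plain) < 40 {
		return nil, nil, nil, errors.New("step 420: B does not decrypt under K_S")
	}
	freshness, ik, ck, id := binary.BigEndian.Uint64(plain[:8]), plain[8:24], plain[24:40], string(plain[40:])
	upu, ok := s.Users[id]                 // subscription directory lookup: an unknown Id stops processing
	if !ok || freshness <= s.LastSeq[id] { // step 430: SEQ must advance; anything else is treated as a replay
		return nil, nil, nil, errors.New("unknown identity or replayed SEQ")
	}
	if rsa.VerifyPSS(upu, crypto.SHA256, hashAB(au.A, au.B), au.C, nil) != nil { // step 440: C under U_pu
		return nil, nil, nil, errors.New("step 440: user signature does not verify")
	}
	s.LastSeq[id] = freshness // advance SEQ only after step 440, so a forged B cannot lock the real user out
	resp := make([]byte, 8)   // step 460: freshness+1 goes back encrypted to the user and signed by the network
	binary.BigEndian.PutUint64(resp, freshness+1)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, upu, resp, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, s.Npr, crypto.SHA256, hashAB(enc, nil), nil)
	return append(enc, sig...), ik, ck, err
}

// VerifyAutnPrime is step 365: the UE checks the network signature with N_pu first, then the card performs
// the one U_pr decryption, and the result must equal freshness+1.
func (c *Card) VerifyAutnPrime(autnPrime []byte, freshness uint64) error {
	n := c.Upr.Size() // |U_pu[...]|; the N_pr signature that follows is c.Npu.Size() bytes long
	if len(autnPrime) != n+c.Npu.Size() || rsa.VerifyPSS(c.Npu, crypto.SHA256, hashAB(autnPrime[:n], nil), autnPrime[n:], nil) != nil {
		return errors.New("Autn': network signature does not verify")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, c.Upr, autnPrime[:n], nil)
	if err != nil || len(plain) != 8 || binary.BigEndian.Uint64(plain) != freshness+1 {
		return errors.New("Autn': decrypted nonce is not freshness+1")
	}
	return nil
}

// NewPair generates the network and one subscriber key pair; they stand in for the two certificates.
func NewPair(id string) (*Card, *Server, error) {
	npr, err := rsa.GenerateKey(rand.Reader, 2048)
	upr, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	srv := &Server{Npr: npr, Users: map[string]*rsa.PublicKey{id: &upr.PublicKey}, LastSeq: map[string]uint64{}}
	return &Card{Upr: upr, Npu: &npr.PublicKey, Id: id}, srv, nil
}

func main() {
	card, srv, err := NewPair("sip:alice@ims.example") // constructed IMPI, not a real subscriber
	if err != nil {
		panic(err)
	}
	au, ik, ck, _ := card.ComputeAutn(1)
	autnPrime, sik, sck, err := srv.Authenticate(au)
	fmt.Println("S-CSCF accepted Autn:", err == nil, "IK/CK agree:", bytes.Equal(ik, sik) && bytes.Equal(ck, sck))
	fmt.Println("UE accepted Autn':", card.VerifyAutnPrime(autnPrime, 1) == nil)
}
```

Two ordering details matter in practice. The server records the accepted sequence number only after the user signature has verified: A and B can be produced by anyone (neither needs U_pr), so advancing the counter earlier would let an attacker burn sequence numbers and lock the legitimate subscriber out. On the UE side, the network signature is checked before the encrypted nonce is handed to the card, so the one private-key operation is never triggered by unauthenticated input.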
  • the present invention preserves the secrecy of the IMS session at least to the level of the existing IMS authentication mechanism (AKA): without the network private key, an observer cannot recover K_S and therefore cannot recover IK or CK. Note that this is not forward secrecy in the key-agreement sense: because K_S is encrypted under the long-term network public key, a later compromise of the network private key exposes K_S, and with it IK and CK, for any recorded session.
  • AKA IMS authentication mechanism
  • the present invention also ensures that other mechanisms present in AKA (such as the sequence number, SQN) can still be used if desired by the network operator.
  • the present invention can also ensure user privacy in that the user identity does not need to be transmitted in the clear.
  • the present invention can optionally ensure that only the absolutely necessary computations are performed on the smart card, recognizing the relative inefficiency of such computations.
  • FIGS. 3 and 4 show an exemplary sequence of steps, it is also an embodiment of the present invention that the sequence may be varied. Various permutations of the algorithm are contemplated as alternate embodiments of the invention.
  • the functions of the present invention can be embodied in the form of methods and apparatuses for practicing those methods.
  • One or more aspects of the present invention can be embodied in the form of program code, for example, whether stored in a storage medium, loaded into and/or executed by a machine, or transmitted over some transmission medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
  • the program code segments combine with the processor to provide a device that operates analogously to specific logic circuits.
  • the invention can also be implemented in one or more of an integrated circuit, a digital signal processor, a microprocessor, and a micro-controller.
  • the computer readable program code means is operable, in conjunction with a computer system, to carry out all or some of the steps to perform the methods or create the apparatuses discussed herein
  • the computer readable medium may be a recordable medium (e.g., floppy disks, hard drives, compact disks, memory cards, semiconductor devices, chips, application specific integrated circuits (ASICs)) or may be a transmission medium (e.g., a network comprising fiber-optics, the world-wide web, cables, or a wireless channel using time-division multiple access, code-division multiple access, or other radio-frequency channel). Any medium known or developed that can store information suitable for use with a computer system may be used.
  • the computer-readable code means is any mechanism for allowing a computer to read instructions and data, such as magnetic variations on a magnetic media or height variations on the surface of a
  • the computer systems and servers described herein each contain a memory that will configure associated processors to implement the methods, steps, and functions disclosed herein.
  • the memories could be distributed or local and the processors could be distributed or singular.
  • the memories could be implemented as an electrical, magnetic or optical memory, or any combination of these or other types of storage devices.
  • the term “memory” should be construed broadly enough to encompass any information able to be read from or written to an address in the addressable space accessed by an associated processor. With this definition, information on a network is still within a memory because the associated processor can retrieve the information from the network.

Abstract

Methods and apparatus are provided for user authentication using a Public Key Infrastructure (PKI) in an IP-based telephony environment, such as an IMS network. A user of a user device attempting to access an IP-based telephony network can be authenticated by obtaining one or more private keys of the user from a secure memory associated with the user device; generating an integrity key and a ciphering key; encrypting the integrity key and the ciphering key using a session key; encrypting the session key with a public key of the IP-based telephony network; and providing the encrypted session key, encrypted integrity key and encrypted ciphering key to the IP-based telephony network for authentication. A network-based method is also provided for authenticating a user in an IP-based telephony network.

Description

  • FIELD OF THE INVENTION
  • The present invention relates to user authentication techniques and, more particularly, to methods and apparatus for user authentication in IP-based telephony networks.
  • BACKGROUND OF THE INVENTION
  • The IP Multimedia Subsystem (IMS) is an architectural framework for delivering Internet Protocol (IP) multimedia to mobile users. An IMS network is typically divided into an access domain and a network domain, each having its own security specification. A user may access an IP network via the access network of an access network provider, and then access different services, such as voice, video and streaming media, through one or more service networks provided by one or more service network providers.
  • Authentication in an IMS network is typically based on the known Authentication and Key Agreement (AKA) mechanism. AKA is a security protocol typically used in 3G networks. AKA is a challenge-response based authentication mechanism that uses a shared secret and symmetric cryptography. AKA results in the establishment of a security association (i.e., a set of security data) between the user equipment and the IMS network that enables a set of security services to be provided to the user.
  • Public cryptography has not been widely employed in the telephony domain. There is a growing trend, however, to employ a public key infrastructure (PKI) for authentication in the telephony domain, such as in IMS networks. While public cryptography techniques can significantly improve the security of an IMS network, there are a number of technical considerations that have previously limited the use of public cryptography techniques in IMS networks. In particular, there is a concern that the private keys can be recovered from the allegedly “secure” volatile memory contained in the user equipment. Thus, any solution that would allow even temporary storage of private keys in a terminal memory is deemed unacceptable.
  • A need therefore exists for end user-to-network authentication based on the Public Key Infrastructure (PKI) within an IMS network. Another need exists for methods and apparatus for authenticating a user in an IMS network that ensure that the private keys are stored on a secure smart card or another secure memory. Yet another need exists for methods and apparatus for authenticating a user in an IMS network that ensure that all computations that involve the private keys are performed on the secure smart card or another secure processor.
  • SUMMARY OF THE INVENTION
  • Generally, methods and apparatus are provided for user authentication using a Public Key Infrastructure (PKI) in an IP-based telephony environment, such as an IMS network. According to one aspect of the invention, an authentication method is provided that is performed by a user device attempting to access an IP-based telephony network. One or more private keys of the user are initially obtained from a secure memory associated with the user device. The secure memory may be, for example, a component of a smart card having an IMS Subscriber Identity Module (ISIM) that can securely store data and perform computations on the data. Thereafter, the disclosed method generates an integrity key and a ciphering key; encrypts the integrity key and the ciphering key using a session key; encrypts the session key with a public key of the IP-based telephony network; and provides the encrypted session key, encrypted integrity key and encrypted ciphering key to the IP-based telephony network for authentication.
  • According to another aspect of the invention, a method is provided for authenticating a user employing a user device attempting to access an IP-based telephony network. The user is authenticated by obtaining an encrypted session key encrypted with a public key of the IP-based telephony network; obtaining an encrypted integrity key and encrypted ciphering key from the user device, wherein the integrity key and the ciphering key were generated by a secure device associated with the user device using one or more private keys of the user; decrypting the encrypted session key using the public key of the IP-based telephony network; decrypting the encrypted integrity key and encrypted ciphering key using the decrypted session key; and authenticating the user device based on a Public Key Infrastructure (PKI) computation.
  • In various exemplary implementations, one or more of the encrypted session key, the encrypted integrity key and the encrypted ciphering key can optionally be encrypted using the one or more private keys. In addition, a user identity can be encrypted using the session key. In this manner, the user identity can be obtained only by a holder of the session key. A nonce can be employed to protect against a replay attack.
  • A more complete understanding of the present invention, as well as further features and advantages of the present invention, will be obtained by reference to the following detailed description and drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an exemplary IMS network environment in which the present invention may be employed;
  • FIG. 2 is a block diagram of an exemplary smart card incorporating features of the present invention;
  • FIG. 3 is a flow chart describing an exemplary implementation of a PKI authentication process for use in an IP-based telephony network, such as an IMS network; and
  • FIG. 4 is a flow chart describing an exemplary implementation of a server authentication process for use by a network server in an IP-based telephony network.
  • DETAILED DESCRIPTION
  • The present invention provides end user-to-network authentication based on the Public Key Infrastructure (PKI) within an IMS network. According to one aspect of the invention, a user is authenticated in an IMS network using one or more private keys that are stored, for example, on a secure smart card having an IMS Subscriber Identity Module (ISIM), or a secure set-top box for IPTV, associated with the user equipment. According to another aspect of the invention, when a user is authenticated in an IMS network, all computations that involve the private keys are performed on the secure smart card or another secure processor. As used herein, a “secure” device, such as a smart card, shall comprise a device that satisfies one or more predefined security standards. For example, a smart card having an ISIM shall comprise a secure smart card.
  • Generally, the disclosed public key cryptography techniques perform a mutual end user-to-network authentication for an IMS network that results in a key agreement that is substantially similar to the conventional AKA authentication mechanism. In addition, the disclosed public key cryptography techniques do not require a shared secret.
  • FIG. 1 illustrates an exemplary IMS network environment 100 in which the present invention may be employed. While the present invention is illustrated herein in the context of an exemplary IMS network environment 100, the present invention can also be employed in other IP-based telephony networks, such as SIP and cable television networks, as would be apparent to a person of ordinary skill in the art. As shown in FIG. 1, the exemplary IMS network environment 100 comprises a user equipment (UE) device 110, and an IMS core network system 120. The user equipment device 110 represents the user terminal (such as a wireless phone or a set-top box) and comprises an associated smart card 114, for example, having an ISIM application. As used herein, a smart card 114 represents any entity that can securely store secret data and also perform computations on that data. The IMS core network system 120 comprises a home network 130 and a visited network 140.
  • The home network 130 comprises a home subscriber server (HSS) 132, an Interrogating Call Session Control Function (I-CSCF) 134 and a Serving Call Session Control Function (S-CSCF) 136. The S-CSCF 136 can alternatively be implemented as any network server that is responsible for user authentication. The visited network 140 comprises a Proxy Call Session Control Function (P-CSCF) 144. Generally, a Call Session Control Function (CSCF) entity defined in the IMS network is adapted to accomplish functions such as control and routing during a call or session.
  • Proxy, Interrogating and Serving CSCFs are distinguished based on their corresponding functions. The P-CSCF 144 is the access point for the user equipment 110; any user equipment 110 gains access to the IMS network 100 through the P-CSCF 144. The S-CSCF 136 provides core functions such as session control and routing. The I-CSCF 134 is adapted for selection of the S-CSCF 136 and for intercommunication between different service providers or different area networks. The HSS 132 is adapted to store subscription data and configuration data of subscribers (for example, the user's certificates), and to support a function of Authentication & Authorization (AAA) for the subscribers.
  • As shown in FIG. 1, each user equipment device 110 includes a first interface 105 and a second interface 150. Interface 105 is a bidirectional authentication interface between the user equipment device 110 and the IMS network 100. Interface 105 is adapted to enable a subscriber authentication function. Interface 150 is adapted to provide communication security between the user equipment device 110 and the P-CSCF 144.
  • As previously indicated, interfaces 105 and 150 are typically implemented in the 3GPP through application of an IMS AKA mechanism during a registration process for the user equipment. The present invention, however, provides end user-to-network authentication based on the Public Key Infrastructure (PKI) within an IMS network.
  • As discussed further below, an aspect of the present invention augments an existing smart card having an ISIM application or another secure storage device associated with the user equipment device 110 with the private key of the user, the network certificate, an (optional) function for generating an Integrity Key (IK) and Cipher Key (CK) based on the private key, and a capability of the ISIM application to perform the encryption with at least one existing PKI algorithm (such as RSA, Elliptic Curves, or El Gamal) to be chosen by a network provider. A further aspect of the present invention augments the IMS authentication with a new protocol exchange among the end-user terminal, ISIM, and Serving Call Session Control Function (S-CSCF).
  • FIG. 2 is a block diagram of an exemplary smart card 200, such as an ISIM, incorporating features of the present invention. As shown in FIG. 2, the exemplary smart card 200 comprises:
  • 1) One or more user's private keys 210 (for signature and encryption), of which, for simplicity, only one, Upr, is used herein;
  • 2) A function 220 (typically already present in an ISIM card) for computing the integrity key, IK and the ciphering key, CK. The function 220 may need to be augmented to use as an input, a private key, or some other key material in place of the ISIM shared secret, as discussed hereinafter;
  • 3) (Optionally), a function 230 for randomly computing a one-time session key, KS, that is used to encrypt the other keys as discussed below and also serves as a challenge for the network-to-user authentication. This key is generally equal in length to combined lengths of the IK and CK keys; and
  • 4) The user public and private identities 240 (such as IMS Private User Identity (IMPI) and IMS Public User Identity (IMPU) in IMS), for the purposes of illustration, grouped into one string, Id. It is noted that the user's certificate can bind the IMPI with the user's public keys.
  • FIG. 3 is a flow chart describing an exemplary implementation of a PKI authentication process 300 for use in an IMS network. Generally, a session commences when the UE 310 attempts to register with the network 100. In order to register, the UE 310 needs to authenticate to the network and authenticate the server as the one that belongs to the network. With the PKI authentication of the present invention, this is achieved through the use of certificates (see, for example, ITU-T Rec. X.509). In this case, it is assumed (although this assumption is not essential) that the network acts as a certification authority, and so the network certificate with the public key of the network is located in the smart card 200.
  • To start the registration, the UE 310 requests during step 325 that the smart card 305 provides the authenticator, Autn. The smart card 305 computes (possibly, in cooperation with the UE 310, as explained below) the authenticator, Autn, and delivers the authenticator, Autn, to the UE 310 during step 330, as discussed further below in the section entitled “Computation of the Authenticator, Autn.”
  • Once the Autn parameter has been computed, it is passed along to the Network Server 315 during step 335, for example, as part of a Register message (such as a SIP Register method). It is not essential that this authentication procedure is performed during the registration. Technically, the authentication procedure can be performed at any time when the authentication is needed and be part of any protocol, as would be apparent to a person of ordinary skill in the art.
  • Although unnecessary (and possibly wasteful of bandwidth and execution time), it is possible that the user includes its certificate along with the Autn parameter. In this case, of course, the procedure of the retrieval of the certificate by the network server 315 as described below is replaced by the procedure of verifying the certificate in its chain.
  • Upon the reception of the Autn parameter, the network server 315 performs a server authentication process 400, discussed further below in conjunction with FIG. 4. Generally, the authentication process 400 authenticates the user based on the received Autn parameter and computes an Autn′ parameter that the network server 315 uses to authenticate itself to the user. The Autn′ parameter is transmitted to the UE 310 during step 360.
  • When the UE 310 receives the Autn′ parameter message, the UE 310 checks the network signature, while handing out the part that corresponds to the encrypted nonce to the smart card 305 during step 365 for the private-key-based decryption. If either the integrity check of the message fails, or the decrypted value is not equal to freshness+1, the UE 310 proceeds according to the network policy for this specific case. If both checks pass, the procedure is complete.
  • Computation of the Authenticator, Autn
  • As discussed above in conjunction with FIG. 3, the smart card 305 computes the authenticator, Autn, during step 330. The authenticator, Autn, can be expressed as follows:

  • Autn = Upr{ Npu[KS] | KS[Id, freshness, IK|CK] },
  • where:
  • 1) freshness is a nonce (such as a timer value, or the IMS SEQ parameter, or any other nonce) that protects the communication against the replay attack; it is generally equal in length to the combined lengths of the IK and CK keys;
  • 2) “|” designates the string concatenation operation;
  • 3) KS[. . .] designates a symmetric key encryption operation (such as DES, triple-DES, AES, or a one-time pad) performed with the key KS;
  • 4) Npu [. . . ] designates the encryption with the network public key Npu available from the network certificate; and
  • 5) Upr {. . . } designates the signature operation with the user's private signature key. For example, first a hash (such as SHA2 hash) of the argument is computed, then the result is encrypted with that key, and finally this result is concatenated with the argument. The presence of the signature solves two problems: first, it protects the integrity of the message, and, second, it provides (in combination with the freshness parameter), the non-repudiation feature, which is typically essential to operators inasmuch as it constitutes the proof that the session was initiated by the user.
  • Thus, the resulting Autn string consists of three concatenated components:

  • Autn=A|B|C, where
  • A=Npu[KS] can be decrypted only by the network;
  • B=KS[Id, freshness, IK|CK] allows recovery of the Id and keys only to the holder of the key KS, which, again, can be derived only by the network from A; and
  • C=Upr [Hash(A|B)] allows checking of the integrity of the previous two components as well as to prove to the receiver that the message was issued by the user.
  • It is noted that the identity of the user (contained in B) is fully protected.
  • It is further noted that the step of separately computing B is not essential. It is used, as is the practice, to minimize the expensive private-key computation. The alternative is to compute A=Npu [Id, freshness, IK|CK] and omit B altogether, in which case there may be no need to derive KS.
  • To optimize the performance, certain pieces of the above computation (i.e., the ones that do not involve the user private key operations) can actually be performed at the UE 310, in which case one or more messages carrying the results of such computations may need to be exchanged between the UE 310 and the smart card 305.
  • The only operation that is generally always performed on the card 305 in the exemplary embodiments of the invention is the signature with the private key. Ultimately, it is the only potentially intensive computation required, compared to the rest of the computations.
  • Server Authentication Process 400
  • As discussed above in conjunction with FIG. 3, the network server 315 performs a server authentication process 400 to authenticate the user based on the received Autn parameter and to compute an Autn′ parameter that the network server 315 uses to authenticate itself to the user.
  • FIG. 4 is a flow chart describing an exemplary implementation of a server authentication process 400 for use by a network server 315 in an IMS network. As shown in FIG. 4, the network server 315 initially uses its private key during step 410 to decrypt A and recover the key KS from the received Autn parameter as the means of recovering other parameters.
  • The server authentication process 400 then proceeds to decrypt B with the key KS and recover the identity, Id, of the user during step 420. Once the identity is obtained, the network server 315 checks if there is a record in the subscription directory of legitimate users indexed by this identity, and, if so, whether the user is authorized to register or receive any other service specified by the particular protocol message in which this parameter has been carried. The network server 315 also retrieves the certificate of the user (unless the certificate has been sent by the user, as described above). If there is no entry in the table, the processing stops and, depending on the network security policy, the event may be logged, or in case of server overload reported as a denial of service attack.
  • The network server 315 proceeds to recover the nonce, freshness, and determines if there is a possibility of replay during step 430. If, for example, a timestamp is used, the network server 315 checks if it is in the acceptable time window. Likewise, if a sequence number (such as the sequence number in the AKA algorithm) is used, the network server 315 will check if its value is in the acceptable range (and, if not, it may initiate a re-sequencing procedure with the UE 310). If the examination fails, the processing stops and, depending on the network security policy, the event may be logged, or in case of server overload reported as a denial of service attack, especially if there is an obvious indication of replay.
  • During step 440, the network server 315 a) decrypts C with the public key of the user (obtained from the user's certificate); b) computes the hash of A|B; and c) compares the quantities obtained in a) and b). If these quantities are different, the message is considered tampered with, and the event may be logged, or in case of server overload reported as a denial of service attack. (This step may precede step 3.)
  • The network server 315 then proceeds to recover IK and CK during step 450. At this point, the authentication of the user 310 to the network has completed, and the network has the same information as it would have had with an AKA authentication technique.
  • To authenticate itself to the user (and effectively acknowledge the success of the user's authentication), the network server 315 computes the Autn′ parameter during step 460, as follows:

  • Autn′ = Npr{ Upu[freshness+1] },
  • where
  • 1) Upu [. . . ] designates the encryption with the user's public key Upu available from the user's certificate; and
  • 2) Npr [. . . ] designates the signature operation with the network private signature key: first a hash (such as SHA2 hash) of the argument is computed, then the result is encrypted with that key, and finally this result is concatenated with the argument. The presence of the signature solves two problems: first, it protects the integrity of the message, and, second and most important, it provides a proof that the message came from the network.
  • CONCLUSION
  • Among other benefits, the present invention ensures substantially perfect forward secrecy of the IMS session in that the secrecy of a session is not less secure than that relying on the existing IMS authentication mechanism (AKA). The present invention also ensures that other-factor authentication mechanisms present in AKA (such as the sequence number, SQN) can also be used if desired by the network operator. The present invention can also ensure user privacy in that the user identity does not need to be transmitted in the clear. Finally, the present invention can optionally ensure that only absolutely necessary computations are performed on the smart card, recognizing inefficiency of such computations.
  • While FIGS. 3 and 4 show an exemplary sequence of steps, it is also an embodiment of the present invention that the sequence may be varied. Various permutations of the algorithm are contemplated as alternate embodiments of the invention.
  • While exemplary embodiments of the present invention have been described with respect to processing steps in a software program, as would be apparent to one skilled in the art, various functions may be implemented in the digital domain as processing steps in a software program, in hardware by circuit elements or state machines, or in combination of both software and hardware. Such software may be employed in, for example, a digital signal processor, micro-controller, or general-purpose computer. Such hardware and software may be embodied within circuits implemented within an integrated circuit.
  • Thus, the functions of the present invention can be embodied in the form of methods and apparatuses for practicing those methods. One or more aspects of the present invention can be embodied in the form of program code, for example, whether stored in a storage medium, loaded into and/or executed by a machine, or transmitted over some transmission medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention. When implemented on a general-purpose processor, the program code segments combine with the processor to provide a device that operates analogously to specific logic circuits. The invention can also be implemented in one or more of an integrated circuit, a digital signal processor, a microprocessor, and a micro-controller.
  • System and Article of Manufacture Details
  • As is known in the art, the methods and apparatus discussed herein may be distributed as an article of manufacture that itself comprises a computer readable medium having computer readable code means embodied thereon. The computer readable program code means is operable, in conjunction with a computer system, to carry out all or some of the steps to perform the methods or create the apparatuses discussed herein. The computer readable medium may be a recordable medium (e.g., floppy disks, hard drives, compact disks, memory cards, semiconductor devices, chips, application specific integrated circuits (ASICs)) or may be a transmission medium (e.g., a network comprising fiber-optics, the world-wide web, cables, or a wireless channel using time-division multiple access, code-division multiple access, or other radio-frequency channel). Any medium known or developed that can store information suitable for use with a computer system may be used. The computer-readable code means is any mechanism for allowing a computer to read instructions and data, such as magnetic variations on a magnetic media or height variations on the surface of a compact disk.
  • The computer systems and servers described herein each contain a memory that will configure associated processors to implement the methods, steps, and functions disclosed herein. The memories could be distributed or local and the processors could be distributed or singular. The memories could be implemented as an electrical, magnetic or optical memory, or any combination of these or other types of storage devices. Moreover, the term “memory” should be construed broadly enough to encompass any information able to be read from or written to an address in the addressable space accessed by an associated processor. With this definition, information on a network is still within a memory because the associated processor can retrieve the information from the network.
  • It is to be understood that the embodiments and variations shown and described herein are merely illustrative of the principles of this invention and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the invention.

Claims (27)

1. An authentication method performed by a user device attempting to access an IP-based telephony network, comprising:
obtaining one or more private keys of said user from a secure memory associated with said user device;
generating an integrity key and a ciphering key;
encrypting said integrity key and said ciphering key using a session key;
encrypting said session key with a public key of said IP-based telephony network; and
providing said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.
2. The method of claim 1, wherein said generating step is performed by a smart card.
3. The method of claim 1, wherein said secure memory is embodied on a smart card.
4. The method of claim 3, wherein said smart card comprises a secure IMS Subscriber Identity Module (ISIM).
5. The method of claim 3, wherein said smart card is configured to securely store data and to perform computations on said data.
6. The method of claim 1, further comprising the step of encrypting one or more of said encrypted session key, said encrypted integrity key and said encrypted ciphering key using said one or more private keys.
7. The method of claim 1, wherein said step of encrypting said integrity key and said ciphering key using a session key further comprises the step of encrypting a user identity using said session key.
8. The method of claim 7, wherein said user identity can be obtained only by a holder of said session key.
9. The method of claim 1, further comprising the step of receiving an authentication of a server of said IP-based telephony network.
10. The method of claim 1, further comprising the step of providing a nonce that protects against a replay attack.
11. The method of claim 1, wherein said IP-based telephony network is an IMS network.
12. The method of claim 1, wherein said step of generating an integrity key and a ciphering key further comprises the step of generating one or more of said integrity key and said ciphering key using said one or more private keys.
13. A method for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
obtaining an encrypted session key encrypted with a public key of said IP-based telephony network;
obtaining an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user;
decrypting said encrypted session key using said public key of said IP-based telephony network;
decrypting said encrypted integrity key and encrypted ciphering key using said decrypted session key; and
authenticating said user device based on a Public Key Infrastructure (PKI) computation.
14. The method of claim 13, further comprising the step of validating information received from said user by comparing said received information to stored information.
15. The method of claim 13, further comprising the step of authenticating said IP-based telephony network to said user.
16. The method of claim 15, wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting a nonce using a public key of said user.
17. The method of claim 16, wherein said step of authenticating said IP-based telephony network to said user further comprises the step of encrypting said encrypted nonce using a signature operation based on a private key of said IP-based telephony network.
18. The method of claim 13, wherein said secure device comprises a smart card having a secure IMS Subscriber Identity Module (ISIM).
19. The method of claim 13, wherein said IP-based telephony network is an IMS network.
20. An apparatus for use by a user device in an IP-based telephony network, comprising:
a secure memory for storing one or more private keys of said user; and
at least one processor, coupled to the secure memory, operative to:
generate an integrity key and a ciphering key.
21. The apparatus of claim 20, wherein said secure memory further comprises a network certificate containing a public key of said network.
22. The apparatus of claim 20, wherein said secure memory further comprises an identifier of said user.
23. The apparatus of claim 20, wherein said processor is further configured to perform an encryption with at least one PKI algorithm.
24. The apparatus of claim 20, wherein said processor is further configured to generate a session key.
25. The apparatus of claim 20, wherein said processor is further configured to generate one or more of said integrity key and said ciphering key using said one or more private keys.
26. An apparatus, comprising:
a secure memory for storing one or more private keys of a user attempting to access an IP-based telephony network; and
at least one processor, coupled to the secure memory, operative to:
obtain said one or more private keys of said user from said secure memory;
generate an integrity key and a ciphering key;
encrypt said integrity key and said ciphering key using a session key;
encrypt said session key with a public key of said IP-based telephony network; and
provide said encrypted session key, encrypted integrity key and encrypted ciphering key to said IP-based telephony network for authentication.
27. An apparatus for authenticating a user employing a user device attempting to access an IP-based telephony network, comprising:
a memory; and
at least one processor, coupled to the memory, operative to:
obtain an encrypted session key encrypted with a public key of said IP-based telephony network;
obtain an encrypted integrity key and encrypted ciphering key from said user device, wherein said integrity key and said ciphering key were generated by a secure device associated with said user device using one or more private keys of said user;
decrypt said encrypted session key using said public key of said IP-based telephony network;
decrypt said encrypted integrity key and encrypted ciphering key using said decrypted session key; and
authenticate said user device based on a Public Key Infrastructure (PKI) computation.
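Claims 13, 26 and 27 together describe a single exchange: the secure device generates an integrity key and a ciphering key, seals them under a fresh session key, seals the session key under the network's public key, and hands all three ciphertexts to the network, which unwraps them and authenticates the device by a PKI computation. The Go program below is an added worked example of that exchange, not code from the patent or its assignee. The names (DeviceAuthenticate, NetworkVerify, AuthRequest), the 128-bit IK and CK, the 256-bit session key, and the choice of RSA-OAEP, RSA-PSS and AES-256-GCM are assumptions, since the claims fix no algorithm; the signature over both ciphertexts is the concrete form chosen here for the "PKI computation" the claims leave abstract. One caveat on the claim text: claims 13 and 27 say the network decrypts the session key "using said public key" of the network, but with public-key encryption only the matching private key can do that, and the example uses the network's private key. Claim 12's variant, deriving IK and CK from the user's private keys, is not shown; the example draws them fresh from the CSPRNG.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// AuthRequest is what the device hands to the network (claim 26, last step).
// Layout and algorithms are assumptions; the claims do not specify them.
type AuthRequest struct {
	EncSessionKey []byte // session key under the network public key (RSA-OAEP, SHA-256)
	EncKeys       []byte // IK||CK under the session key (AES-256-GCM, nonce prefixed)
	Signature     []byte // RSA-PSS by the user's private key over both ciphertexts
}

// NewKey generates a 2048-bit RSA key; the example uses it for both user and network.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// transcript binds the two ciphertexts together under the user's signature.
func transcript(encSK, encKeys []byte) []byte {
	h := sha256.New()
	h.Write(encSK)
	h.Write(encKeys)
	return h.Sum(nil)
}

// DeviceAuthenticate is the ISIM side (claim 26): fresh IK, CK and session key;
// IK||CK sealed under the session key; the session key sealed under the public
// key from the stored network certificate; and a signature with the user's
// private key so the network's PKI check has something to verify.
func DeviceAuthenticate(userKey *rsa.PrivateKey, networkPub *rsa.PublicKey) ([]byte, []byte, *AuthRequest, error) {
	buf := make([]byte, 16+16+32) // IK || CK || session key, all fresh
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, nil, err
	}
	ik, ck, sk := buf[:16], buf[16:32], buf[32:]
	g, err := gcm(sk)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	encKeys := g.Seal(nonce, nonce, buf[:32], nil)
	encSK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, networkPub, sk, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, userKey, crypto.SHA256, transcript(encSK, encKeys), nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return ik, ck, &AuthRequest{encSK, encKeys, sig}, nil
}

// NetworkVerify is the network side (claims 13, 27). The signature is checked
// first against the public key from the user's certificate: nothing is unwrapped
// unless that key vouches for both ciphertexts. The session key is then recovered
// with the network's PRIVATE key (the only key that can open an OAEP ciphertext
// made with the network's public key), and IK and CK are unwrapped under it.
func NetworkVerify(networkKey *rsa.PrivateKey, userPub *rsa.PublicKey, req *AuthRequest) ([]byte, []byte, error) {
	if err := rsa.VerifyPSS(userPub, crypto.SHA256, transcript(req.EncSessionKey, req.EncKeys), req.Signature, nil); err != nil {
		return nil, nil, err
	}
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, networkKey, req.EncSessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	g, err := gcm(sk)
	if err != nil {
		return nil, nil, err
	}
	ns := g.NonceSize()
	if len(req.EncKeys) < ns {
		return nil, nil, errors.New("encrypted IK/CK too short")
	}
	keys, err := g.Open(nil, req.EncKeys[:ns], req.EncKeys[ns:], nil)
	if err != nil || len(keys) != 32 {
		return nil, nil, errors.New("IK/CK unwrap failed")
	}
	return keys[:16], keys[16:], nil
}
```

Two design choices worth noting. The signature covers both ciphertexts, so a request from an unknown key, or one whose wrapped IK/CK has been altered in transit, fails before the network spends a private-key operation on it. And the session key is wrapped with RSA-OAEP rather than textbook RSA; a deterministic or padding-free wrap would let an observer test guesses against the ciphertext, which matters because the session key protects the keys that then protect all of the user's signalling.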

Priority Applications (14)

Application Number Priority Date Filing Date Title
US12/100,781 US20090259851A1 (en) 2008-04-10 2008-04-10 Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment
RU2010145465/08A RU2506703C2 (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identification using public key infrastructure in ip telephony environment
JP2011503968A JP5524176B2 (en) 2008-04-10 2009-03-26 Method and apparatus for authentication and identity management using public key infrastructure (PKI) in an IP-based telephone environment
EP09730619A EP2283604A2 (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment
BRPI0911196A BRPI0911196A2 (en) 2008-04-10 2009-03-26 method and apparatus for identity and identity management using a public key (pki) infrastructure in an ip-based telephony environment
CN201610829491.XA CN106411867A (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment
KR1020107025279A KR101173781B1 (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment
MX2010010981A MX2010010981A (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment.
PCT/US2009/001920 WO2009126209A2 (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment
CN2009801126911A CN101999221A (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a public key infrastructure (PKI) in an IP-based telephony environment
AU2009234465A AU2009234465B2 (en) 2008-04-10 2009-03-26 Methods and apparatus for authentication and identity management using a Public Key Infrastructure (PKI) in an IP-based telephony environment
IL208310A IL208310A (en) 2008-04-10 2010-09-21 Methods and apparatus for authentication and identity management using a public key infrastructure (pki) in an ip-based telephony environment
JP2013228359A JP2014068350A (en) 2008-04-10 2013-11-01 Method and apparatus for authentication and identity management using public key infrastructure (pki) in ip-based telephone environment
US15/244,591 US10362009B2 (en) 2008-04-10 2016-08-23 Methods and apparatus for authentication and identity management using a public key infrastructure (PKI) in an IP-based telephony environment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/244,591 Division US10362009B2 (en) 2008-04-10 2016-08-23 Methods and apparatus for authentication and identity management using a public key infrastructure (PKI) in an IP-based telephony environment

Publications (1)

Publication Number Publication Date
US20090259851A1 true US20090259851A1 (en) 2009-10-15

Family

ID=41051630

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/100,781 Abandoned US20090259851A1 (en) 2008-04-10 2008-04-10 Methods and Apparatus for Authentication and Identity Management Using a Public Key Infrastructure (PKI) in an IP-Based Telephony Environment
US15/244,591 Active 2028-12-21 US10362009B2 (en) 2008-04-10 2016-08-23 Methods and apparatus for authentication and identity management using a public key infrastructure (PKI) in an IP-based telephony environment

Country Status (11)

Country Link
US (2) US20090259851A1 (en)
EP (1) EP2283604A2 (en)
JP (2) JP5524176B2 (en)
KR (1) KR101173781B1 (en)
CN (2) CN106411867A (en)
AU (1) AU2009234465B2 (en)
BR (1) BRPI0911196A2 (en)
IL (1) IL208310A (en)
MX (1) MX2010010981A (en)
RU (1) RU2506703C2 (en)
WO (1) WO2009126209A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3367607A4 (en) * 2015-10-23 2019-06-12 KDDI Corporation Communication device, communication method and computer program
US10671717B2 (en) 2015-10-23 2020-06-02 Kddi Corporation Communication device, communication method and computer program
US10931464B2 (en) 2016-02-29 2021-02-23 Kddi Corporation Communication system, hardware security module, terminal device, communication method, and program
CN113132981A (en) * 2019-12-26 2021-07-16 天翼智慧家庭科技有限公司 Intelligent terminal network access method and system

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8943571B2 (en) 2011-10-04 2015-01-27 Qualcomm Incorporated Method and apparatus for protecting a single sign-on domain from credential leakage
CN103281193B (en) * 2013-06-03 2016-08-17 中国科学院微电子研究所 Identity identifying method, system and data transmission method based on it, device
WO2019052637A1 (en) * 2017-09-12 2019-03-21 Telefonaktiebolaget Lm Ericsson (Publ) Signal plane protection within a communications network
GB2568453A (en) * 2017-09-14 2019-05-22 Blockpass Idn Ltd Systems and methods for user identity
US10872023B2 (en) 2017-09-24 2020-12-22 Microsoft Technology Licensing, Llc System and method for application session monitoring and control
CN108173644A (en) * 2017-12-04 2018-06-15 珠海格力电器股份有限公司 Data transfer encryption method, device, storage medium, equipment and server
KR102024376B1 (en) * 2017-12-14 2019-09-23 아주대학교산학협력단 Method of bootstrapping of internet of thing device
WO2022183427A1 (en) * 2021-03-04 2022-09-09 Zte Corporation Method, device, and system for protecting sequence number in wireless network

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6249867B1 (en) * 1998-07-31 2001-06-19 Lucent Technologies Inc. Method for transferring sensitive information using initially unsecured communication
US20030200433A1 (en) * 2002-04-18 2003-10-23 Nokia Corporation Method and apparatus for providing peer authentication for an internet key exchange
US20050021875A1 (en) * 2003-04-11 2005-01-27 Jean-Luc Bouthemy User identification module for access to multiple communication networks
US20050044365A1 (en) * 2003-08-22 2005-02-24 Nokia Corporation Method of protecting digest authentication and key agreement (AKA) against man-in-the-middle (MITM) attack
US20050154913A1 (en) * 2002-02-28 2005-07-14 Ericsson Telefon Ab L M Method and apparatus for handling user identities under single sign-on services
US20060079205A1 (en) * 2004-09-08 2006-04-13 James Semple Mutual authentication with modified message authentication code
US20060206710A1 (en) * 2005-03-11 2006-09-14 Christian Gehrmann Network assisted terminal to SIM/UICC key establishment
US20060281442A1 (en) * 2005-06-03 2006-12-14 Samsung Electronics Co., Ltd. Method for inclusive authentication and management of service provider, terminal and user identity module, and system and terminal device using the method
US20060291660A1 (en) * 2005-12-21 2006-12-28 Telefonaktiebolaget Lm Ericsson (Publ) SIM UICC based broadcast protection
US20070143614A1 (en) * 2005-12-21 2007-06-21 Nokia Corporation Method, system and devices for protection of a communication or session
US20070180538A1 (en) * 2006-02-01 2007-08-02 General Instrument Corporation Method and apparatus for limiting the ability of a user device to replay content
US20070192602A1 (en) * 2004-12-17 2007-08-16 Telefonaktiebolaget Lm Ericsson (Publ) Clone resistant mutual authentication in a radio communication network
US20070234041A1 (en) * 2006-03-28 2007-10-04 Nokia Corporation Authenticating an application
US20080273704A1 (en) * 2005-12-01 2008-11-06 Karl Norrman Method and Apparatus for Delivering Keying Information
US20100135491A1 (en) * 2007-03-27 2010-06-03 Dhiraj Bhuyan Authentication method
US20100293372A1 (en) * 2006-03-22 2010-11-18 Patrick Fischer Asymmetric cryptography for wireless systems
US20110004758A1 (en) * 2008-02-15 2011-01-06 Telefonaktiebolaget Lm Ericsson (Publ) Application Specific Master Key Selection in Evolved Networks
US20110004754A1 (en) * 2007-06-12 2011-01-06 John Michael Walker Method And Apparatuses For Authentication And Reauthentication Of A User With First And Second Authentication Procedures

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020071564A1 (en) * 2000-12-11 2002-06-13 Kurn David Michael Scalable computer system using password-based private key encryption
US6857075B2 (en) * 2000-12-11 2005-02-15 Lucent Technologies Inc. Key conversion system and method
US20020091931A1 (en) * 2001-01-05 2002-07-11 Quick Roy Franklin Local authentication in a communication system
US20030211842A1 (en) * 2002-02-19 2003-11-13 James Kempf Securing binding update using address based keys
US8468354B2 (en) * 2002-06-06 2013-06-18 Thomson Licensing Broker-based interworking using hierarchical certificates
JP2004048596A (en) * 2002-07-15 2004-02-12 Ntt Docomo Inc Portable communication terminal and information transmission/reception method
CN1969526B (en) * 2004-04-14 2010-10-13 北方电讯网络有限公司 Securing home agent to mobile node communication with HA-MN key
US7437771B2 (en) * 2004-04-19 2008-10-14 Woodcock Washburn Llp Rendering protected digital content within a network of computing devices or the like
CN1977559B (en) * 2004-06-25 2011-05-04 意大利电信股份公司 Method and system for protecting information exchanged during communication between users
EP1780936B1 (en) * 2004-08-20 2013-05-15 Mitsubishi Electric Corporation Terminal apparatus
US8611536B2 (en) * 2004-09-08 2013-12-17 Qualcomm Incorporated Bootstrapping authentication using distinguished random challenges
US7877787B2 (en) * 2005-02-14 2011-01-25 Nokia Corporation Method and apparatus for optimal transfer of data in a wireless communications system
US20060205386A1 (en) * 2005-03-11 2006-09-14 Lei Yu Method and apparatus for providing encryption and integrity key set-up
JP2006270363A (en) * 2005-03-23 2006-10-05 Matsushita Electric Ind Co Ltd Method and system for setting secret communication
WO2007015068A1 (en) * 2005-08-01 2007-02-08 Ubiquisys Limited Handover information sent over a public wide area network (e . g . internet)
CN1859097B (en) * 2006-01-19 2010-08-04 华为技术有限公司 Verifying method and system based on general weight discrimination framework
CN101030854B (en) * 2006-03-02 2010-05-12 华为技术有限公司 Method and apparatus for inter-verifying network between multi-medium sub-systems
US7881470B2 (en) * 2006-03-09 2011-02-01 Intel Corporation Network mobility security management
CN101473668B (en) * 2006-06-19 2011-10-05 交互数字技术公司 Method and apparatus for security protection of an original user identity in an initial signaling message
EP1873668A1 (en) * 2006-06-28 2008-01-02 Nokia Siemens Networks Gmbh & Co. Kg Integration of device integrity attestation into user authentication

Also Published As

Publication number Publication date
IL208310A (en) 2015-10-29
WO2009126209A2 (en) 2009-10-15
JP2014068350A (en) 2014-04-17
RU2506703C2 (en) 2014-02-10
IL208310A0 (en) 2010-12-30
US10362009B2 (en) 2019-07-23
CN101999221A (en) 2011-03-30
AU2009234465A1 (en) 2009-10-15
EP2283604A2 (en) 2011-02-16
AU2009234465B2 (en) 2014-02-27
CN106411867A (en) 2017-02-15
JP5524176B2 (en) 2014-06-18
WO2009126209A3 (en) 2009-12-03
US20160359824A1 (en) 2016-12-08
KR101173781B1 (en) 2012-08-16
RU2010145465A (en) 2012-05-20
MX2010010981A (en) 2010-11-09
KR20100133476A (en) 2010-12-21
BRPI0911196A2 (en) 2015-10-13
JP2011519518A (en) 2011-07-07

Similar Documents

Publication Publication Date Title
US10362009B2 (en) Methods and apparatus for authentication and identity management using a public key infrastructure (PKI) in an IP-based telephony environment
US8705743B2 (en) Communication security
JP4741664B2 (en) Method and apparatus for authentication and privacy
US20110004754A1 (en) Method And Apparatuses For Authentication And Reauthentication Of A User With First And Second Authentication Procedures
US20070192602A1 (en) Clone resistant mutual authentication in a radio communication network
US20030200433A1 (en) Method and apparatus for providing peer authentication for an internet key exchange
MXPA05002221A (en) Method and apparatus for secure data transmission in a mobile communication system.
KR20080089500A (en) Authentication method, system and authentication center based on end to end communication in the mobile network
US8875236B2 (en) Security in communication networks
WO2011147364A1 (en) User identity information transmission method, and user equipment, web side equipment and system
JP2014060742A (en) Method and apparatus for authenticated user-access to kerberos-enabled application based on authentication and key agreement (aka) mechanism
Chen et al. An efficient end-to-end security mechanism for IP multimedia subsystem
Rao et al. Authenticating Mobile Users to Public Internet Commodity Services Using SIM Technology
US11838428B2 (en) Certificate-based local UE authentication
Bassil et al. Critical analysis and new perspective for securing Voice Networks
GB2450096A (en) Network Authentication and Reauthentication
Shrestha et al. Kerberos based authentication protocol with improved identity protection in 3G network
Maachaoui et al. A secure One-way authentication protocol in IMS Context
Li et al. Authentication in Wireless Cellular Networks
KR20080031731A (en) Method and arrangement for authentication and privacy

Legal Events

Date Code Title Description
AS Assignment
Owner name: LUCENT TECHNOLOGIES INC., NEW JERSEY
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FAYNBERG, IGOR;LU, HUILAN;VARNEY, DOUGLAS W.;REEL/FRAME:020979/0642
Effective date: 20080506
AS Assignment
Owner name: CREDIT SUISSE AG, NEW YORK
Free format text: SECURITY INTEREST;ASSIGNOR:ALCATEL-LUCENT USA INC.;REEL/FRAME:030510/0627
Effective date: 20130130
AS Assignment
Owner name: ALCATEL-LUCENT USA INC., NEW JERSEY
Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:033949/0016
Effective date: 20140819
STCB Information on status: application discontinuation
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION