US20140053249A1 - Method, apparatus, and system for preventing abuse of authentication vector - Google Patents

Method, apparatus, and system for preventing abuse of authentication vector Download PDF

Info

Publication number
US20140053249A1
US20140053249A1 US14/062,602 US201314062602A US2014053249A1 US 20140053249 A1 US20140053249 A1 US 20140053249A1 US 201314062602 A US201314062602 A US 201314062602A US 2014053249 A1 US2014053249 A1 US 2014053249A1
Authority
US
United States
Prior art keywords
access network
network
3gpp
rat
network information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/062,602
Inventor
Yanmei Yang
Yixian Xu
Jing Chen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to US14/062,602 priority Critical patent/US20140053249A1/en
Publication of US20140053249A1 publication Critical patent/US20140053249A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity

Definitions

  • the present invention relates to the field of mobile communications technology, and more particularly to a method, an apparatus, and a system for preventing abuse of an Authentication Vector (AV).
  • AV Authentication Vector
  • Non-3GPP access system mainly includes two types of non-3GPP access network, namely, trusted non-3GPP access networks and untrusted non-3GPP access networks.
  • the trusted non-3GPP access networks include the Worldwide Interoperability for Microwave Access (Wimax) network and Code Division Multiple Access (CDMA) 2000 network, etc.
  • the untrusted non-3GPP access networks include the Wireless Local Area Network (WLAN), etc.
  • AAA server When non-3GPP access network accesses the EPS, trusted non-3GPP access network and untrusted non-3GPP access network use different interfaces to connect to Authorization, Authentication and Accounting Server (AAA server) of the EPS.
  • the AAA server is connected to a Home Subscriber Server (HSS) only through one same interface, that is, when the non-3GPP access network accesses the EPS, the AAA server is required to acquire an AV from the HSS through the same interface.
  • HSS Home Subscriber Server
  • UE User Equipment
  • ePDG Evolved Packet Data Gateway
  • the present invention is directed to a method for preventing abuse of an AV, so that when a user accesses an EPS through a non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an ePDG connected to an untrusted non-3GPP access network is breached, the stolen AV cannot be applied to other non-3GPP access networks by an attacker.
  • the present invention provides a method for preventing abuse of an AV.
  • the method includes the following steps:
  • the present invention is further directed to an apparatus and a system for implementing the preceding method.
  • the present invention provides an HSS.
  • the HSS includes a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive access network information of a non-3GPP access network where a user resides, wherein the access network information is sent by an AAA server, and provide the access network information to the processing unit.
  • the processing unit is configured to generate binding information corresponding to an AV of the user and the access network information, and provide the binding information to the sending unit.
  • the sending unit is configured to send the AAA server the binding information provided by the processing unit.
  • the present invention provides an AAA server.
  • the AAA server includes a sending unit and a receiving unit.
  • the sending unit is configured to send access network information of a non-3GPP network where a user resides to an HSS.
  • the receiving unit is configured to receive binding information corresponding to an AV of the user and the access network information, wherein the binding information is sent by the HSS.
  • the present invention provides a system for preventing abuse of an AV.
  • the system includes an AAA server and an HSS.
  • the AAA server is configured to send access network information of a non-3GPP network where a user resides to the HSS, and receive binding information corresponding to an AV of the user and the access network information, wherein the binding information is sent by the HSS.
  • the HSS is configured to receive the access network information of the non-3GPP network where the user resides, wherein the access network information is sent by the AAA server, generate the binding information corresponding to the AV of the user and the access network information, and send the binding information to the AAA server.
  • the embodiments of the present invention have the following advantages: Access network information of a non-3GPP network where a user resides is bound to an AV of the user, so that the stolen AV cannot be applied to other non-3GPP access networks by an attacker when the user accesses an EPS through the non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an ePDG connected to an untrusted non-3GPP access network is breached,.
  • FIG. 1 is a flow chart illustrating a process of binding access network information to an AV in Embodiment 1 of the present invention
  • FIG. 2 is a flow chart illustrating a process of binding access network information to an AV in Embodiment 2 of the present invention
  • FIG. 3 is a structural view of an HSS in Embodiment 5 of the present invention.
  • FIG. 4 is a structural view of an AAA server in Embodiment 6 of the present invention.
  • Embodiment 1 of the present invention A method for preventing abuse of an AV is provided in Embodiment 1 of the present invention. It is assumed that a user accesses an EPS through a Wimax network. As shown in FIG. 1 , the method includes the following steps:
  • step 101 when accessing the EPS through the Wimax network, the user is connected to an AAA server through an interface between a trusted non-3GPP access network and the AAA server.
  • the AAA server reports Radio Access Technology (RAT) of the non-3GPP access network to the HSS.
  • RAT indicates that the accessed non-3GPP access network is a Wimax network.
  • letters, numbers, or other forms can be used by AAA to represent different RATs.
  • the form is not limited, as long as the form can represent the RAT of the non-3GPP access network.
  • the AAA can carry the RAT in a certain Diameter Attribute Value Pair (AVP).
  • AVP Diameter Attribute Value Pair
  • the AAA server may carry the reported RAT in a Diameter AVP: [visited-network-identifier] and send it to the HSS, or carry the RAT in a Diameter AVP: [NAS-Port-Type], in which numbers defined therein are used to represent the RAT or redefine the bits to represent the RAT.
  • the Diameter AVP carrying the RAT is not limited to the above two examples, and any Diameter AVP that can achieve the purpose of RAT reporting can be used to carry the RAT.
  • step 102 after receiving an authentication request from the AAA server, the HSS binds the RAT reported by the AAA server to an AV of the user, and generates the binding information of AV and the RAT.
  • AV is generated according to the prior art, and the inventive concept of this embodiment does not involve the generation of the AV.
  • the RAT reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key.
  • the algorithm may be any related algorithm well known in the such as HMAC-SHA-256 as defined in IETF RFC 2104: “HMAC: Keyed-Hashing for Message Authentication”.
  • the HSS can bind the RAT to the AV by using this method, and the calculated Key is the generated binding information.
  • the HSS can also carry the RAT in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item], and bind the RAT to the AV.
  • the Diameter AVP generated in this way is the binding information.
  • the Diameter AVP carrying the RAT is not limited to that described above, and any Diameter AVP that can implement the binding corresponding to the RAT and the AV can be applied.
  • the HSS sends the binding information of the AV and the RAT to the AAA server. If the RAT is bound to the AV by calculating a key, the key is sent to the AAA server; if the RAT is bound to the AV by carrying the RAT in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • the RAT of the non-3GPP access network where the user resides can be bound to the AV by using the above method. After the binding, the stolen AV cannot be applied to other non-3GPP networks by the attacker even if an entity in the non-3GPP access network where the user resides is breached, or an ePDG connected to an untrusted non-3GPP access network is breached.
  • the non-3GPP access network in the above embodiment takes the Wimax network for an example. In practice, this solution can also be applied to a CDMA2000 network.
  • the non-3GPP access network where the user resides can also be a WLAN network.
  • the WLAN network can also be a WLAN network.
  • no published standard documents related to the WLAN contain relevant content about the binding of an RAT to an AV, to enhance the system security, binding of an RAT to an AV may also be required when the WLAN accesses the EPS in the future development of the WLAN.
  • Embodiment 2 of the present invention is provided as follows to illustrate how to bind an RAT to an AV when a user accesses an EPS through a WLAN network. The method includes the following steps.
  • step 201 after accessing the EPS through the WLAN network, the user is connected to an AAA server through an interface between an untrusted non-3GPP access network and the AAA server.
  • the AAA server reports the RAT of the non-3GPP access network accessed by the user to an HSS.
  • the RAT indicates that the accessed non-3GPP access network is a WLAN network.
  • the AAA can use letters or numbers or other forms to represent different RATs.
  • the form is not limited as long as the form can represent the RAT of the non-3GPP access network accessed by the user.
  • the AAA can carry the RAT in a certain Diameter AVP.
  • the specific method is as described in the example in Embodiment 1.
  • step 202 after receiving an authentication request of the AAA server, the HSS binds the RAT reported by the AAA server to an AV of the user, and generates binding information corresponding to the AV and the RAT.
  • the RAT reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key.
  • the HSS can bind the RAT to the AV by using this method, and the calculated Key is the generated binding information.
  • the HSS can also carry the RAT in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the RAT to the AV.
  • the Diameter AVP generated in this way is the binding information.
  • the Diameter AVP carrying the RAT is not limited to that described above, and any Diameter AVP that can implement the binding between the RAT and the AV can be applied.
  • the HSS sends the binding information corresponding to the AV and the RAT to the AAA server. If the RAT is bound to the AV by calculating a key, the key is sent to the AAA server; if the RAT is bound to the AV by carrying the RAT in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • the RAT is not limited to being categorized into specific types such as Wimax, CDMA2000, and WLAN; instead, the RAT may also be categorized into only two types, namely, trusted non-3GPP access networks and untrusted non-3GPP access networks.
  • Embodiment 1 and Embodiment 2 can also be extended to not only carry information of the RAT, but also include information of a Mobile Network Code (MNC) and a Mobile Country Code (MCC).
  • MNC Mobile Network Code
  • MCC Mobile Country Code
  • the AV, MNC+MCC, and the RAT are bound, so that when an entity in the non-3GPP access network where the user resides is breached, or an ePDG connected to the untrusted non-3GPP access network is breached, the stolen AV can neither be applied to other non-3GPP access networks by the attacker nor applied to non-3GPP access networks of the same type as long as the MCCs or MNCs are different, thereby enhancing the security.
  • Embodiment 3 of the present invention is provided as follows, to illustrate the binding mode with higher security.
  • access network information refers to the RAT
  • access network information refers to a combination of MNC+MCC and an RAT, in which MNC+MCC is referred to as a network identity.
  • access network information any parameter or combination of parameters for binding an AV to realize the objective of the present invention can be referred to as access network information.
  • access network information refers to a combination of MNC+MCC and an RAT.
  • the method includes the following steps:
  • step 301 after accessing an EPS through a non-3GPP access network, the user is connected to an AAA server through an interface between the non-3GPP access network and the AAA server.
  • the AAA server reports access network information of the non-3GPP access network accessed by the user to an HSS.
  • the access network information indicates that the accessed non-3GPP access network is a Wimax/CDMA2000/WLAN/trusted non-3GPP access network/untrusted non-3GPP access network, and the network identity is MNC+MCC, where “/” represents the relationship of OR.
  • the AAA can carry the access network information in a certain Diameter AVP.
  • the specific method is as described in the example in Embodiment 1.
  • step 302 after receiving an authentication request of the AAA server, the HSS binds the access network information reported by the AAA server to an AV of the user, and generates binding information corresponding to the AV and the access network information.
  • the access network information reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key.
  • the HSS can bind the access network information to the AV by using this method, and the calculated Key is the generated binding information.
  • the HSS can also carry the access network information in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the RAT to the AV.
  • the Diameter AVP generated in this way is the binding information.
  • the Diameter AVP carrying the access network information is not limited to that described above, and any Diameter AVP that can implement the binding between the access network information and the AV can be applied.
  • the HSS sends the binding information corresponding to the AV and the access network information to the AAA server. If the access network information is bound to the AV by calculating a key, the key is sent to the AAA server; if the access network information is bound to the AV by carrying the access network information in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • Embodiment 3 can achieve higher security than that of Embodiment 1 and Embodiment 2. That is, when AV information of the user is stolen, the stolen AV can neither be applied to other non-3GPP access networks by the attacker nor applied to non-3GPP access networks of the same type as long as the MCCs or MNCs are different.
  • a system for preventing abuse of an AV is provided in Embodiment 4 of the present invention.
  • the system includes an AAA server and an HSS.
  • the AAA server is configured to send access network information of a non-3GPP access network where a user resides to the HSS, and receive binding information corresponding to an AV and the access network information, wherein the binding information is sent by the HSS.
  • the HSS is configured to receive the access network information of the non-3GPP access network where the user resides, wherein the information is sent by the AAA server, generate the binding information corresponding to the AV of the user and the access network information, and send the binding information to the AAA server.
  • the access network information in the system can be an RAT or a combination of an RAT and MNC+MCC.
  • the RAT can be categorized into a Wimax network, a CDMA2000 network, or a WLAN network, or categorized into a trusted non-3GPP access network and an untrusted non-3GPP access network.
  • the access network information can be represented by letters or numbers.
  • the AAA server can carry the access network information of the non-3GPP access network where the user resides in the AVP and send the information to the HSS.
  • the AAA server can carry the access network information in a Diameter AVP: [visited-network-identifier] and send the information to the HSS, or carry the access network information in a Diameter AVP: [NAS-Port-Type].
  • the HSS can generate the binding information corresponding to the AV and the access network information by calculating a key.
  • the HSS can also generate an AVP carrying the access network information as the binding information corresponding to the AV and the access network information, for example, carry the access network information in [ SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the access network information to the AV.
  • the HSS includes a receiving unit 501 , a processing unit 502 , and a sending unit 503 .
  • the receiving unit 501 is configured to receive access network information of a non-3GPP access network where a user resides, wherein the information is sent by the AAA server, and provide the access network information to the processing unit 502 .
  • the processing unit 502 is configured to generate binding information corresponding to an AV of the user and the access network information, and provide the binding information to the sending unit 503 .
  • the sending unit 503 is configured to send the binding information provided by the processing unit 502 to the AAA server.
  • An AAA server is provided in Embodiment 6 of the present invention. As shown in FIG. 4 , the AAA server includes a sending unit 601 and a receiving unit 602 .
  • the sending unit 601 is configured to send access network information of a non-3GPP access network where a user resides to an HSS.
  • the receiving unit 602 is configured to receive binding information corresponding to an AV and the access network information, wherein the binding information is sent by the HSS.
  • the present invention can be implemented by software plus a necessary universal hardware platform or by hardware. However, in most cases, using software plus a necessary universal hardware platform is preferred. Based on such understandings, the technical solution of the present invention or the part that makes contributions to the prior art can be substantially embodied in the form of a software product.
  • the software product is stored in a storage medium, and includes several instructions that enable a network device to perform the methods described in the embodiments of the present invention.

Abstract

A method for preventing abuse of an Authentication Vector (AV) and a system and apparatus for implementing the method are provided. Access network information of a non-3rd Generation Partnership Project (3GPP) access network where a user resides is bound to an AV of the user, so that when the user accesses an Evolved Packet System (EPS) through the non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an Evolved Packet Data Gateway (ePDG) connected to an untrusted non-3GPP access network is breached, the stolen AV cannot be applied to other non-3GPP access networks by an attacker.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 12/892,757, filed on Sep. 28, 2010, which is a continuation of International Application No. PCT/CN2009/070923, filed on Mar. 20, 2009. The International Application claims priority to Chinese Patent Application No. 200810066439.9, filed on Mar. 31, 2008. The afore-mentioned patent applications are hereby incorporated by reference in their entireties.
    • TECHNICAL FIELD
  • The present invention relates to the field of mobile communications technology, and more particularly to a method, an apparatus, and a system for preventing abuse of an Authentication Vector (AV).
    • BACKGROUND
  • Currently, in the research of the Evolved Packet System (EPS) in the 3rd Generation Partnership Project (3GPP), the requirement that non-3GPP access network accesses the EPS is proposed. Non-3GPP access system mainly includes two types of non-3GPP access network, namely, trusted non-3GPP access networks and untrusted non-3GPP access networks. The trusted non-3GPP access networks include the Worldwide Interoperability for Microwave Access (Wimax) network and Code Division Multiple Access (CDMA) 2000 network, etc. The untrusted non-3GPP access networks include the Wireless Local Area Network (WLAN), etc.
  • When non-3GPP access network accesses the EPS, trusted non-3GPP access network and untrusted non-3GPP access network use different interfaces to connect to Authorization, Authentication and Accounting Server (AAA server) of the EPS. The AAA server is connected to a Home Subscriber Server (HSS) only through one same interface, that is, when the non-3GPP access network accesses the EPS, the AAA server is required to acquire an AV from the HSS through the same interface. In this way, when User Equipment (UE) accesses the EPS through the non-3GPP access network, if an entity in the non-3GPP access network is breached, or an Evolved Packet Data Gateway (ePDG) connected to the untrusted non-3GPP access network is breached, the AV delivered by the AAA server may be stolen by an attacker, so that the attacker applies the AV to other non-3GPP access networks for further attack.
    • SUMMARY
  • The present invention is directed to a method for preventing abuse of an AV, so that when a user accesses an EPS through a non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an ePDG connected to an untrusted non-3GPP access network is breached, the stolen AV cannot be applied to other non-3GPP access networks by an attacker.
  • In an embodiment, the present invention provides a method for preventing abuse of an AV. The method includes the following steps:
  • receiving access network information of a non-3GPP access network where a user resides, wherein the access network information is sent by an AAA server;
  • generating binding information corresponding to an AV of the user and the access network information; and
  • sending the binding information to the AAA server.
  • The present invention is further directed to an apparatus and a system for implementing the preceding method.
  • In an embodiment, the present invention provides an HSS. The HSS includes a receiving unit, a processing unit, and a sending unit.
  • The receiving unit is configured to receive access network information of a non-3GPP access network where a user resides, wherein the access network information is sent by an AAA server, and provide the access network information to the processing unit.
  • The processing unit is configured to generate binding information corresponding to an AV of the user and the access network information, and provide the binding information to the sending unit.
  • The sending unit is configured to send the AAA server the binding information provided by the processing unit.
  • In an embodiment, the present invention provides an AAA server. The AAA server includes a sending unit and a receiving unit.
  • The sending unit is configured to send access network information of a non-3GPP network where a user resides to an HSS.
  • The receiving unit is configured to receive binding information corresponding to an AV of the user and the access network information, wherein the binding information is sent by the HSS.
  • In an embodiment, the present invention provides a system for preventing abuse of an AV. The system includes an AAA server and an HSS.
  • The AAA server is configured to send access network information of a non-3GPP network where a user resides to the HSS, and receive binding information corresponding to an AV of the user and the access network information, wherein the binding information is sent by the HSS.
  • The HSS is configured to receive the access network information of the non-3GPP network where the user resides, wherein the access network information is sent by the AAA server, generate the binding information corresponding to the AV of the user and the access network information, and send the binding information to the AAA server.
  • Compared with the prior art, the embodiments of the present invention have the following advantages: Access network information of a non-3GPP network where a user resides is bound to an AV of the user, so that the stolen AV cannot be applied to other non-3GPP access networks by an attacker when the user accesses an EPS through the non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an ePDG connected to an untrusted non-3GPP access network is breached,.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a flow chart illustrating a process of binding access network information to an AV in Embodiment 1 of the present invention;
  • FIG. 2 is a flow chart illustrating a process of binding access network information to an AV in Embodiment 2 of the present invention;
  • FIG. 3 is a structural view of an HSS in Embodiment 5 of the present invention; and
  • FIG. 4 is a structural view of an AAA server in Embodiment 6 of the present invention.
    •  DETAILED DESCRIPTION
  • A method for preventing abuse of an AV is provided in Embodiment 1 of the present invention. It is assumed that a user accesses an EPS through a Wimax network. As shown in FIG. 1, the method includes the following steps:
  • In step 101, when accessing the EPS through the Wimax network, the user is connected to an AAA server through an interface between a trusted non-3GPP access network and the AAA server. The AAA server reports Radio Access Technology (RAT) of the non-3GPP access network to the HSS. In this embodiment, the RAT indicates that the accessed non-3GPP access network is a Wimax network.
  • In this embodiment, letters, numbers, or other forms can be used by AAA to represent different RATs. The form is not limited, as long as the form can represent the RAT of the non-3GPP access network.
  • In this embodiment, the AAA can carry the RAT in a certain Diameter Attribute Value Pair (AVP). For example, the AAA server may carry the reported RAT in a Diameter AVP: [visited-network-identifier] and send it to the HSS, or carry the RAT in a Diameter AVP: [NAS-Port-Type], in which numbers defined therein are used to represent the RAT or redefine the bits to represent the RAT. The Diameter AVP carrying the RAT is not limited to the above two examples, and any Diameter AVP that can achieve the purpose of RAT reporting can be used to carry the RAT.
  • In step 102, after receiving an authentication request from the AAA server, the HSS binds the RAT reported by the AAA server to an AV of the user, and generates the binding information of AV and the RAT.
  • AV is generated according to the prior art, and the inventive concept of this embodiment does not involve the generation of the AV.
  • In this embodiment, the RAT reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key. For example, the HSS calculates a key according to the formula: Key=K(CK, IK, Wimax), where CK and IK are two parameters in the AV; Wimax is the RAT reported by the AAA server, and may be represented by letters or numbers or in other forms; and K( ) is an algorithm for calculating the key. The algorithm may be any related algorithm well known in the such as HMAC-SHA-256 as defined in IETF RFC 2104: “HMAC: Keyed-Hashing for Message Authentication”. The HSS can bind the RAT to the AV by using this method, and the calculated Key is the generated binding information.
  • In this embodiment, the HSS can also carry the RAT in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item], and bind the RAT to the AV. The Diameter AVP generated in this way is the binding information. Definitely, the Diameter AVP carrying the RAT is not limited to that described above, and any Diameter AVP that can implement the binding corresponding to the RAT and the AV can be applied.
  • In step 103, the HSS sends the binding information of the AV and the RAT to the AAA server. If the RAT is bound to the AV by calculating a key, the key is sent to the AAA server; if the RAT is bound to the AV by carrying the RAT in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • The RAT of the non-3GPP access network where the user resides can be bound to the AV by using the above method. After the binding, the stolen AV cannot be applied to other non-3GPP networks by the attacker even if an entity in the non-3GPP access network where the user resides is breached, or an ePDG connected to an untrusted non-3GPP access network is breached.
  • The non-3GPP access network in the above embodiment takes the Wimax network for an example. In practice, this solution can also be applied to a CDMA2000 network.
  • In addition, the non-3GPP access network where the user resides can also be a WLAN network. Although no published standard documents related to the WLAN contain relevant content about the binding of an RAT to an AV, to enhance the system security, binding of an RAT to an AV may also be required when the WLAN accesses the EPS in the future development of the WLAN. Embodiment 2 of the present invention is provided as follows to illustrate how to bind an RAT to an AV when a user accesses an EPS through a WLAN network. The method includes the following steps.
  • In step 201, after accessing the EPS through the WLAN network, the user is connected to an AAA server through an interface between an untrusted non-3GPP access network and the AAA server. The AAA server reports the RAT of the non-3GPP access network accessed by the user to an HSS. In this embodiment, the RAT indicates that the accessed non-3GPP access network is a WLAN network.
  • In this embodiment, the AAA can use letters or numbers or other forms to represent different RATs. The form is not limited as long as the form can represent the RAT of the non-3GPP access network accessed by the user.
  • In this embodiment, the AAA can carry the RAT in a certain Diameter AVP. The specific method is as described in the example in Embodiment 1.
  • In step 202, after receiving an authentication request of the AAA server, the HSS binds the RAT reported by the AAA server to an AV of the user, and generates binding information corresponding to the AV and the RAT.
  • In this embodiment, the RAT reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key. For example, the HSS calculates a key according to the formula: Key=K(CK, IK,WLAN), in which the meanings of the parameters are as described in Embodiment 1. The HSS can bind the RAT to the AV by using this method, and the calculated Key is the generated binding information.
  • In this embodiment, the HSS can also carry the RAT in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the RAT to the AV. The Diameter AVP generated in this way is the binding information. Definitely, the Diameter AVP carrying the RAT is not limited to that described above, and any Diameter AVP that can implement the binding between the RAT and the AV can be applied.
  • In step 203, the HSS sends the binding information corresponding to the AV and the RAT to the AAA server. If the RAT is bound to the AV by calculating a key, the key is sent to the AAA server; if the RAT is bound to the AV by carrying the RAT in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • It is obvious that, the process of binding the RAT of the WLAN network to the AV and the binding process in Embodiment 1 can employ the same method.
  • In the above two embodiments, the RAT is not limited to being categorized into specific types such as Wimax, CDMA2000, and WLAN; instead, the RAT may also be categorized into only two types, namely, trusted non-3GPP access networks and untrusted non-3GPP access networks.
  • In addition, the solutions in Embodiment 1 and Embodiment 2 can also be extended to not only carry information of the RAT, but also include information of a Mobile Network Code (MNC) and a Mobile Country Code (MCC). In this way, more information is bound, and thus higher security is achieved. The AV, MNC+MCC, and the RAT are bound, so that when an entity in the non-3GPP access network where the user resides is breached, or an ePDG connected to the untrusted non-3GPP access network is breached, the stolen AV can neither be applied to other non-3GPP access networks by the attacker nor applied to non-3GPP access networks of the same type as long as the MCCs or MNCs are different, thereby enhancing the security.
  • Embodiment 3 of the present invention is provided as follows, to illustrate the binding mode with higher security. For ease of description, the applicant introduces the name of access network information. In Embodiment 1 and Embodiment 2, access network information refers to the RAT, and in Embodiment 3, access network information refers to a combination of MNC+MCC and an RAT, in which MNC+MCC is referred to as a network identity. In a word, any parameter or combination of parameters for binding an AV to realize the objective of the present invention can be referred to as access network information.
  • In Embodiment 3, access network information refers to a combination of MNC+MCC and an RAT. As shown in FIG. 2, the method includes the following steps:
  • In step 301, after accessing an EPS through a non-3GPP access network, the user is connected to an AAA server through an interface between the non-3GPP access network and the AAA server. The AAA server reports access network information of the non-3GPP access network accessed by the user to an HSS. In this embodiment, the access network information indicates that the accessed non-3GPP access network is a Wimax/CDMA2000/WLAN/trusted non-3GPP access network/untrusted non-3GPP access network, and the network identity is MNC+MCC, where “/” represents the relationship of OR.
  • In this embodiment, the AAA can carry the access network information in a certain Diameter AVP. The specific method is as described in the example in Embodiment 1.
  • In step 302, after receiving an authentication request of the AAA server, the HSS binds the access network information reported by the AAA server to an AV of the user, and generates binding information corresponding to the AV and the access network information.
  • In this embodiment, the access network information reported by the AAA server can be bound to the AV by calculating a key, and the generated binding information is the calculated key. For example, the HSS calculates a key according to the formula: Key=K(CK, IK, MNC+MCC, Wimax/CDMA2000/WLAN/trusted non-3GPP access networks/untrusted non-3GPP access networks), where CK and IK are two parameters in the AV, MNC+MCC is a network identity of the non-3GPP network where the user resides, a combination of MNC+MCC and an RAT is the access network information reported by the AAA server; and K( ) is an algorithm for calculating the key. The HSS can bind the access network information to the AV by using this method, and the calculated Key is the generated binding information.
  • In this embodiment, the HSS can also carry the access network information in [SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the RAT to the AV. The Diameter AVP generated in this way is the binding information. Definitely, the Diameter AVP carrying the access network information is not limited to that described above, and any Diameter AVP that can implement the binding between the access network information and the AV can be applied.
  • In step 303, the HSS sends the binding information corresponding to the AV and the access network information to the AAA server. If the access network information is bound to the AV by calculating a key, the key is sent to the AAA server; if the access network information is bound to the AV by carrying the access network information in a certain Diameter AVP, the Diameter AVP is sent to the AAA server.
  • The binding method in Embodiment 3 can achieve higher security than that of Embodiment 1 and Embodiment 2. That is, when AV information of the user is stolen, the stolen AV can neither be applied to other non-3GPP access networks by the attacker nor applied to non-3GPP access networks of the same type as long as the MCCs or MNCs are different.
  • A system for preventing abuse of an AV is provided in Embodiment 4 of the present invention. The system includes an AAA server and an HSS.
  • The AAA server is configured to send access network information of a non-3GPP access network where a user resides to the HSS, and receive binding information corresponding to an AV and the access network information, wherein the binding information is sent by the HSS.
  • The HSS is configured to receive the access network information of the non-3GPP access network where the user resides, wherein the information is sent by the AAA server, generate the binding information corresponding to the AV of the user and the access network information, and send the binding information to the AAA server.
  • The access network information in the system can be an RAT or a combination of an RAT and MNC+MCC. The RAT can be categorized into a Wimax network, a CDMA2000 network, or a WLAN network, or categorized into a trusted non-3GPP access network and an untrusted non-3GPP access network. The access network information can be represented by letters or numbers.
  • In the system, the AAA server can carry the access network information of the non-3GPP access network where the user resides in the AVP and send the information to the HSS. For example, the AAA server can carry the access network information in a Diameter AVP: [visited-network-identifier] and send the information to the HSS, or carry the access network information in a Diameter AVP: [NAS-Port-Type].
  • In the system, the HSS can generate the binding information corresponding to the AV and the access network information by calculating a key. The HSS can also generate an AVP carrying the access network information as the binding information corresponding to the AV and the access network information, for example, carry the access network information in [ SIP-Authentication-Scheme] or [Authentication Method] in a Diameter AVP: [SIP-Ruth-Data-Item] and bind the access network information to the AV.
  • An HSS is provided in Embodiment 5 of the present invention. As shown in FIG. 3, the HSS includes a receiving unit 501, a processing unit 502, and a sending unit 503.
  • The receiving unit 501 is configured to receive access network information of a non-3GPP access network where a user resides, wherein the information is sent by the AAA server, and provide the access network information to the processing unit 502.
  • The processing unit 502 is configured to generate binding information corresponding to an AV of the user and the access network information, and provide the binding information to the sending unit 503.
  • The sending unit 503 is configured to send the binding information provided by the processing unit 502 to the AAA server.
  • An AAA server is provided in Embodiment 6 of the present invention. As shown in FIG. 4, the AAA server includes a sending unit 601 and a receiving unit 602.
  • The sending unit 601 is configured to send access network information of a non-3GPP access network where a user resides to an HSS.
  • The receiving unit 602 is configured to receive binding information corresponding to an AV and the access network information, wherein the binding information is sent by the HSS.
  • Through the descriptions of the above embodiments, persons skilled in the art may understand that the present invention can be implemented by software plus a necessary universal hardware platform or by hardware. However, in most cases, using software plus a necessary universal hardware platform is preferred. Based on such understandings, the technical solution of the present invention or the part that makes contributions to the prior art can be substantially embodied in the form of a software product. The software product is stored in a storage medium, and includes several instructions that enable a network device to perform the methods described in the embodiments of the present invention.
  • The above descriptions are merely preferred embodiments of the present invention, but not intended to limit the scope of the present invention. Any modifications or variations that can be derived by those skilled in the art should fall within the scope of the present invention.

Claims (14)

What is claimed is:
1. A method for preventing abuse of an Authentication Vector (AV) when a user accesses an Evolved Packet System (EPS) through a non-3rd Generation Partnership Project (non-3GPP) access network, the method comprising:
sending, by an Authorization, Authentication and Accounting Server (AAA server), access network information of the non-3GPP access network where the user resides to a Home Subscriber Server (HSS);
receiving, by the AAA server, a key for binding the access network information to an Authentication Vector (AV) of the user, the key calculated according to a formula: Key=K(CK, IK, access network information), wherein CK and IK are two parameters in the AV of the user and K( ) is an algorithm for calculating the key.
2. The method according to claim 1, wherein the access network information comprises a Radio Access Technology (RAT) or a combination of an RAT and a network identity of the non-3GPP network.
3. The method according to claim 2, wherein:
the RAT indicates that the non-3GPP access network is a Worldwide Interoperability for Microwave Access (Wimax) network, a Code Division Multiple Access (CDMA) 2000 network, a Wireless Local Area Network (WLAN) network, a trusted non-3GPP access network, or an untrusted non-3GPP access network; and
the network identity of the non-3GPP access network comprises a Mobile Network Code (MNC) and a Mobile Country Code (MCC).
4. The method according to claim 1, wherein the access network information is carried in an Attribute Value Pair (AVP).
5. The method according to claim 2, wherein the access network information is carried in an Attribute Value Pair (AVP).
6. The method according to claim 3, wherein the access network information is carried in an Attribute Value Pair (AVP).
7. A Home Subscriber Server (HSS), comprising:
a receiver configured to receive access network information of a non-3rd Generation Partnership Project (non-3GPP) access network where a user resides, wherein the access network information is sent by an Authorization, Authentication and Accounting Server (AAA server);
a processor configured to calculate a key for binding the access network information to an Authentication Vector (AV) of the user according to a formula: Key=K(CK, IK, access network information), wherein CK and IK are two parameters in the AV of the user and K( ) is an algorithm for calculating the key;
a transmitter configured to send the key provided by the processor to the AAA server; and
wherein the access network information comprises a Radio Access Technology (RAT) or a combination of an RAT and a network identity of the non-3GPP network.
8. The method according to claim 7, wherein:
the RAT indicates that the non-3GPP access network is a Worldwide Interoperability for Microwave Access (Wimax) network, a Code Division Multiple Access (CDMA) 2000 network, a Wireless Local Area Network (WLAN) network, a trusted non-3GPP access network, or an untrusted non-3GPP access network; and
the network identity of the non-3GPP access network comprises a Mobile Network Code (MNC) and a Mobile Country Code (MCC).
9. The method according to claim 7, wherein the access network information is carried in an Attribute Value Pair (AVP).
10. The method according to claim 8, wherein the access network information is carried in an Attribute Value Pair (AVP).
11. An Authorization, Authentication and Accounting Server (AAA server), the AAA server comprising:
a transmitter configured to send access network information of a non-3rd Generation Partnership Project (3GPP) access network where a user resides to a Home Subscriber Server (HSS);
a receiver configured to receive a key for binding the access network information to an Authentication Vector (AV) of the user, the key calculated according to a formula: Key=K(CK, IK, access network information), wherein CK and IK are two parameters in the AV of the user and K( ) is an algorithm for calculating the key; and
wherein the access network information comprises a Radio Access Technology (RAT) or a combination of an RAT and a network identity of the non-3GPP network.
12. The method according to claim 11, wherein:
the RAT indicates that the non-3GPP access network is a Worldwide Interoperability for Microwave Access (Wimax) network, a Code Division Multiple Access (CDMA) 2000 network, a Wireless Local Area Network (WLAN) network, a trusted non-3GPP access network, or an untrusted non-3GPP access network; and
the network identity of the non-3GPP access network comprises a Mobile Network Code (MNC) and a Mobile Country Code (MCC).
13. The method according to claim 11, wherein the access network information is carried in an Attribute Value Pair (AVP).
14. The method according to claim 12, wherein the access network information is carried in an Attribute Value Pair (AVP).
US14/062,602 2008-03-31 2013-10-24 Method, apparatus, and system for preventing abuse of authentication vector Abandoned US20140053249A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/062,602 US20140053249A1 (en) 2008-03-31 2013-10-24 Method, apparatus, and system for preventing abuse of authentication vector

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN2008100664399A CN101552987B (en) 2008-03-31 2008-03-31 Method, device and system for preventing authentication vector from being abused
CN200810066439.9 2008-03-31
PCT/CN2009/070923 WO2009121270A1 (en) 2008-03-31 2009-03-20 Method, apparatus and system for preventing the abuse of authentication vectors
US12/892,757 US8600054B2 (en) 2008-03-31 2010-09-28 Method, apparatus, and system for preventing abuse of authentication vector
US14/062,602 US20140053249A1 (en) 2008-03-31 2013-10-24 Method, apparatus, and system for preventing abuse of authentication vector

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/892,757 Continuation US8600054B2 (en) 2008-03-31 2010-09-28 Method, apparatus, and system for preventing abuse of authentication vector

Publications (1)

Publication Number Publication Date
US20140053249A1 true US20140053249A1 (en) 2014-02-20

Family

ID=41134831

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/892,757 Active 2029-06-22 US8600054B2 (en) 2008-03-31 2010-09-28 Method, apparatus, and system for preventing abuse of authentication vector
US14/062,602 Abandoned US20140053249A1 (en) 2008-03-31 2013-10-24 Method, apparatus, and system for preventing abuse of authentication vector

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/892,757 Active 2029-06-22 US8600054B2 (en) 2008-03-31 2010-09-28 Method, apparatus, and system for preventing abuse of authentication vector

Country Status (4)

Country Link
US (2) US8600054B2 (en)
CN (1) CN101552987B (en)
BR (1) BRPI0909370B1 (en)
WO (1) WO2009121270A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143491B (en) * 2010-01-29 2013-10-09 华为技术有限公司 MTC (machine type communication) equipment authentication method, MTC gateway and relevant equipment

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030045241A1 (en) * 2001-09-06 2003-03-06 Anthony Noerpel Mobility management-radio resource layer interface system and method for handling dark beam scenarios
US20030114158A1 (en) * 2001-12-18 2003-06-19 Lauri Soderbacka Intersystem handover of a mobile terminal
US20050237963A1 (en) * 2004-04-26 2005-10-27 Motorola, Inc. System and method for facilitating network-to-network transitions
CN1832623A (en) * 2005-03-11 2006-09-13 华为技术有限公司 Method for controlling terminal access
US20080020704A1 (en) * 2006-03-13 2008-01-24 Mauro Costa Method of Providing Access to an IP Multimedia Subsystem
WO2008099254A2 (en) * 2007-02-12 2008-08-21 Nokia Corporation Authorizing n0n-3gpp ip access during tunnel establishment
US20090210743A1 (en) * 2006-10-24 2009-08-20 Huawei Technologies Co., Ltd. Method and device for realizing ip multimedia subsystem disaster tolerance
US20090239518A1 (en) * 2006-10-11 2009-09-24 Remi Feuillette Managing contextual information for wireless communications
US20100182955A1 (en) * 2007-07-13 2010-07-22 Telefonaktiebolaget Lm Ericsson (Publ) Matching Used and Allowed Radio Access Technology Types
US20100250437A1 (en) * 2007-11-07 2010-09-30 Thomas Anton Goeller System and method for multiparty billing of network services
US20110004758A1 (en) * 2008-02-15 2011-01-06 Telefonaktiebolaget Lm Ericsson (Publ) Application Specific Master Key Selection in Evolved Networks
US20110191576A1 (en) * 2007-11-15 2011-08-04 Nokia Corporation Integration of pre rel-8 home location registers in evolved packet system

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5956498A (en) * 1996-12-05 1999-09-21 Hewlett-Packard Co. Method of improving store efficiency and memory allocation in code generated by a circuit compiler
US20030159067A1 (en) * 2002-02-21 2003-08-21 Nokia Corporation Method and apparatus for granting access by a portable phone to multimedia services
CN1232079C (en) 2002-09-30 2005-12-14 华为技术有限公司 Active user's off-line processing method while intercommunicating radio LAN and mobile communication system
US7716723B1 (en) * 2002-10-07 2010-05-11 Cisco Technology, Inc. System and method for network user authentication
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
CN1234224C (en) * 2002-10-14 2005-12-28 华为技术有限公司 Radio local network terminal on-line realtime testing method
US7836487B2 (en) * 2003-08-26 2010-11-16 Telefonaktiebolaget L M Ericsson (Publ) Apparatus and method for authenticating a user when accessing to multimedia services
FR2867006B1 (en) * 2004-02-27 2006-06-23 Cit Alcatel METHOD FOR CONTROLLING RIGHTS OF ACCESS IN A MOBILE RADIOCOMMUNICATIONS SYSTEM
US20060019635A1 (en) * 2004-06-29 2006-01-26 Nokia Corporation Enhanced use of a network access identifier in wlan
CN1310476C (en) * 2004-07-05 2007-04-11 华为技术有限公司 Method for building session connection to wireless local network user
US7292592B2 (en) * 2004-10-08 2007-11-06 Telefonaktiebolaget Lm Ericsson (Publ) Home network-assisted selection of intermediary network for a roaming mobile terminal
CN100525186C (en) * 2004-11-05 2009-08-05 华为技术有限公司 General authentication framework and method for renewing user safety describing information in BSF
JP4786190B2 (en) * 2005-02-01 2011-10-05 株式会社エヌ・ティ・ティ・ドコモ Authentication vector generation apparatus, subscriber authentication module, wireless communication system, authentication vector generation method, calculation method, and subscriber authentication method
US7613155B2 (en) * 2005-04-30 2009-11-03 Lg Electronics Inc. Terminal, system and method for providing location information service by interworking between WLAN and mobile communication network
CN1327663C (en) * 2005-08-12 2007-07-18 华为技术有限公司 Method of user access radio communication network and radio network cut in control device
EP1798910B1 (en) * 2005-12-16 2011-07-06 Vodafone Group PLC Method of requesting and sending authentification vectors
CN101106452B (en) 2006-07-12 2010-12-08 华为技术有限公司 Generation and distribution method and system for mobile IP secret key
US20080076425A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for resource management
KR100863135B1 (en) * 2006-08-30 2008-10-15 성균관대학교산학협력단 Dual Authentication Method in Mobile Networks
US8887235B2 (en) * 2006-10-17 2014-11-11 Mavenir Systems, Inc. Authentication interworking
US20110004754A1 (en) * 2007-06-12 2011-01-06 John Michael Walker Method And Apparatuses For Authentication And Reauthentication Of A User With First And Second Authentication Procedures
CN101102600B (en) 2007-06-29 2012-07-04 中兴通讯股份有限公司 Secret key processing method for switching between different mobile access systems

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030045241A1 (en) * 2001-09-06 2003-03-06 Anthony Noerpel Mobility management-radio resource layer interface system and method for handling dark beam scenarios
US20030114158A1 (en) * 2001-12-18 2003-06-19 Lauri Soderbacka Intersystem handover of a mobile terminal
US20050237963A1 (en) * 2004-04-26 2005-10-27 Motorola, Inc. System and method for facilitating network-to-network transitions
CN1832623A (en) * 2005-03-11 2006-09-13 华为技术有限公司 Method for controlling terminal access
US20080020704A1 (en) * 2006-03-13 2008-01-24 Mauro Costa Method of Providing Access to an IP Multimedia Subsystem
US20090239518A1 (en) * 2006-10-11 2009-09-24 Remi Feuillette Managing contextual information for wireless communications
US20090210743A1 (en) * 2006-10-24 2009-08-20 Huawei Technologies Co., Ltd. Method and device for realizing ip multimedia subsystem disaster tolerance
WO2008099254A2 (en) * 2007-02-12 2008-08-21 Nokia Corporation Authorizing n0n-3gpp ip access during tunnel establishment
US20100182955A1 (en) * 2007-07-13 2010-07-22 Telefonaktiebolaget Lm Ericsson (Publ) Matching Used and Allowed Radio Access Technology Types
US20100250437A1 (en) * 2007-11-07 2010-09-30 Thomas Anton Goeller System and method for multiparty billing of network services
US20110191576A1 (en) * 2007-11-15 2011-08-04 Nokia Corporation Integration of pre rel-8 home location registers in evolved packet system
US20110004758A1 (en) * 2008-02-15 2011-01-06 Telefonaktiebolaget Lm Ericsson (Publ) Application Specific Master Key Selection in Evolved Networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"public land mobile network (PLMN)", August, 3, 1997, National Telecommunications & Information Administration, United States Department of Commerce, , retrieved from , retrieved on 4-24-2015 *

Also Published As

Publication number Publication date
US8600054B2 (en) 2013-12-03
CN101552987B (en) 2011-11-16
BRPI0909370A2 (en) 2015-10-06
CN101552987A (en) 2009-10-07
WO2009121270A1 (en) 2009-10-08
US20110023094A1 (en) 2011-01-27
BRPI0909370B1 (en) 2020-11-10

Similar Documents

Publication Publication Date Title
US8578456B2 (en) Authentication in an IP multimedia subsystem network where an in-use line identifier (LID) does not match a registered LID
US7596225B2 (en) Method for refreshing a pairwise master key
US8990925B2 (en) Security for a non-3GPP access to an evolved packet system
US7933591B2 (en) Security in a mobile communications system
US8943321B2 (en) User identity management for permitting interworking of a bootstrapping architecture and a shared identity service
Tsay et al. A vulnerability in the umts and lte authentication and key agreement protocols
US9264411B2 (en) Methods, apparatuses and computer program product for user equipment authorization based on matching network access technology specific identification information
US20060101270A1 (en) Determining a key derivation function
WO2010027314A1 (en) Secure negotiation of authentication capabilities
WO2010114475A2 (en) Security key management in ims-based multimedia broadcast and multicast services (mbms)
WO2006135217A1 (en) System and method for otimizing tunnel authentication procedure over a 3g-wlan interworking system
US8078872B2 (en) Method, system and device for determining a mobile IP key, notifying a mobile IP type
Sharma et al. Improved IP multimedia subsystem authentication mechanism for 3G-WLAN networks
US9065816B2 (en) Systems and methods of integrating openID with a telecommunications network
US20120210392A1 (en) Access method and access device
US8600054B2 (en) Method, apparatus, and system for preventing abuse of authentication vector
CN107113612B (en) Method, device and system for authorizing access point name
Huang et al. One-pass authentication and key agreement procedure in IP multimedia subsystem for UMTS
Jønvik et al. Strong authentication using dual SIM
Alfandi et al. Fast re-authentication for inter-domain handover using context transfer
CN102378179B (en) Method, device and system for preventing authentication vectors from being abused
Jadoon Evaluation of UICC-based IMS authentication schemes
Reddy et al. A Review of 3G-WLAN Interworking

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION