WO2007075068A1 - Method for authentication between ue and network in wireless communication system - Google Patents

Publication number
WO2007075068A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
authentication
message
integrity protection
algorithm
Application number
PCT/KR2006/005851
Inventor
Xiaoqiang Li
Yanmin Zhu
Original Assignee
Samsung Electronics Co., Ltd.
Beijing Samsung Telecom R & D Center
Application filed by Samsung Electronics Co., Ltd., Beijing Samsung Telecom R & D Center filed Critical Samsung Electronics Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • the present invention relates to a wireless communication system, especially to a method for authentication between a network and user equipment (UE) in a wireless communication system to accelerate establishment of calling.
  • UE user equipment
  • UMTS Universal Mobile Telecommunication System
  • Figure 1 shows the architecture of UMTS.
  • User Equipment 101 (hereinafter referred to as UE) is a device used to receive the called service or call, and to transmit the calling service or call.
  • Base station 102 (hereinafter referred to as Node B) is an equipment used to communicate with UE through the transmitting and receiving devices via radio signals.
  • the air interface between the UE and Node B involves the physical layer and the media access control layer (hereinafter referred to as the MAC layer).
  • the physical layer is responsible for processing the operations on the receiving and transmitting of radio signals, and the MAC is responsible for mapping different services to the physical layer.
  • the Control Radio Network Controller controls the management, allocation and utilization of the radio resources in each cell of a Node B, and is responsible for allocating the radio resources of each cell to a UE.
  • the Radio Network Controller includes the Service Radio Network Controller (hereinafter referred to as SRNC) and the Drift Radio Network Controller (hereinafter referred to as DRNC).
  • SRNC is an entity providing for the UE the radio resource control (hereinafter referred to as RRC) connection, with which the UE can transmit and receive control signaling through the network.
  • RRC radio resource control
  • the SRNC obtains the network resources allocated to the user from a CRNC and sends the resource's configuration parameters to the UE by means of RRC signaling.
  • the UE can communicate with the network.
  • SRNC and a UE is the Uu interface.
  • Service GPRS (General Packet Radio Service) Support Node 105 (hereinafter referred to as SGSN) is an entity that manages mobile management state and session management state of the UE. The mobility management and the negotiation of the service quality related to the session are also operated between the UE and the SGSN.
  • the interface between the SGSN and the SRNC of the UE is an Iu interface which is responsible for establishing the user plane transmission channel and the signaling connection of transmission signaling for data transmission of the user.
  • the Gateway GPRS Support Node 106 acts as a gateway for the data transmission between a UE and a Packet Data Network (hereinafter referred to as PDN).
  • a GGSN allocates an Internet Protocol (hereinafter referred to as IP) address for the UE. Both the data from the user and that sent to the user are identified by the address.
  • IP Internet Protocol
  • The interface between the GGSN and the SGSN is called the Gn interface, which is responsible for the negotiation of the service quality and the establishment of the user plane's GPRS User Plane Tunnel (hereinafter referred to as GTP-U) for the data transmission between the SGSN and the GGSN.
  • the interface between the GGSN and the PDN is Gi interface, which has several functions such as allocating IP address, authentication and identification, accounting for the user.
  • the main function of the GGSN is to receive and analyze the received data, then to transmit the data of a certain user to the corresponding GTP-U tunnel.
  • the UTRAN can connect to both of the two domains simultaneously or just either of them.
  • the UTRAN aims at providing a group of uniform radio bearers. It can be applied either in the burst packet service or in the conventional telephone service.
  • Each URAN bears the capacity of definite radio coverage and service delivery. This area is defined as the UTRAN registry area (hereinafter referred to as URA).
  • URA UTRAN registry area
  • each URAN contains a radio network controller (hereinafter referred to as RNC) and at least one base station (hereinafter referred to as Node B) which is under the control of the URAN.
  • RNC radio network controller
  • Node B base station
  • Logically, each Node B possibly contains at least one cell.
  • the RNC can connect to any other RNCs. It supports such tasks as switching and mobility management brought in by the moving of a UE.
  • a CN connects to other types of networks so as to provide end users with seamless services.
  • Radio resource processing is an internal function of a UTRAN.
  • a CN does not define the types for allocated radio resources.
  • the RRC has two modes: RRC connection mode and RRC idle mode.
  • the RRC modes indicate the approach to identifying a UE.
  • In RRC idle mode, the UE can be identified according to the CN-related IDs.
  • In RRC connection mode, the UE can be identified according to the radio network temporary identification (hereinafter referred to as RNTI) allocated to the UE through the common transmission channel.
  • RNTI radio network temporary identification
  • LA Location Areas
  • RA Routing Areas
  • the URA and the Cell areas are applied in the UTRAN.
  • the LA relates to CS service
  • the RA relates to PS service.
  • a CN node processes an LA. That a UE has registered in an LA also means that it has registered in the CN node which processes the LA.
  • a CN node processes a RA. That UE has registered in a RA also means that it has registered in the CN node which processes the RA.
  • MSC/VLR pages a UE using LA
  • SGSN pages a UE using RA.
  • URA and Cell area are visible only in an UTRAN. They are used in RRC connection mode.
  • the CN adopts LA/RA for CS/PS services.
  • the CN begins paging CS/PS-services-related UEs uses LA/RA.
  • MSC/VLR and SGSN can allocate a CS/PS-service-related temporary identification, TMSI/P-TMSI, to the UE. This temporary identification is unique in the LA/RA.
  • the update of an UTRAN internal area is a process of radio network and its structure may not be seen outside the UTRAN.
  • the main states include cell connection state and URA connection state.
  • the location of a UE can be learned about in cell level or URA level.
  • One RA consists of several cells of RNCs that connect to the same CN.
  • the mapping process between the RA and the RNCs is performed by the SGSN which possesses the RA.
  • One LA consists of several cells of RNC that connect to the same CN.
  • the mapping process between the LA and the RNC is performed by the MSC/VLR which possesses the LA.
  • One RA/LA is processed by only one CN service node, i.e., one SGSN or one MSC/VLR.
  • Some operators may adopt the network structuring modes below: the number of RAs is the same as that of LAs, or one RA is a subset of only one LA, i.e., one RA cannot exceed one LA.
  • the mappings between LA and Cell as well as between RA and Cell are done inside the RNC.
  • the UE performs registration in each service area of the CN.
  • each UE contains a SIM card (which bears the user's specific information and is used for user identification) and the mobile equipment (hereinafter referred to as ME, which is adopted to process other functions, especially to support the user's mobility).
  • All sorts of data and executive files are recorded in the SIM card.
  • the data part includes such information as a user's unique and permanent international mobile user identification (hereinafter referred to as IMSI), the current location of the UE, the integrity key (hereinafter referred to as IK) and other security and management information.
  • IMSI user's unique and permanent international mobile user identification
  • IK integrity key
  • the handset already terminates its service or a terminal moves from one URA to another, the location information will be updated correspondingly.
  • the location information includes the anonymous identification used to temporarily identify a UE.
  • This anonymous identification is used inside each URA. In different RRC modes or in different CS/PS service areas, this anonymous identification may be different, such as the temporary mobile user identification (hereinafter referred to as TMSI), the packet temporary mobile user identification (hereinafter referred to as P-TMSI), or the radio network temporary identification (hereinafter referred to as RNTI).
  • TMSI temporary mobile user identification
  • P-TMSI packet temporary mobile user identification
  • TMSI/P-TMSI bears localized features. It is valid only in MSC/VLR or in user registered RA. Beyond this area, additional location area identification (hereinafter referred to as LAI) or routing area identification (hereinafter referred to as RAI) may be added in order to avoid confusion.
  • LAI location area identification
  • RAI routing area identification
  • the relationship between the temporary user identification and the permanent user identification is saved in the user registered MSC/VLR or in the SGSN.
  • P-TMSI in user identifying may not be allowed.
  • PS area is taken as an example.
  • Update of P-TMSI is initiated by the SGSN after the security mode is well established.
  • the re-allocation process is as follows: firstly, the SGSN generates a new P-TMSIn and saves the mapping relationship between the P-TMSIn and the IMSI in its database. Then, the SGSN sends the P-TMSIn and a new routing area identification RAIn to the UE. After the UE receives the P-TMSIn and the new RAIn, it saves the P-TMSIn and automatically deletes the mapping relationship between this P-TMSIn and the previous P-TMSIo, then responds to the SGSN. Finally, after the SGSN receives the response from the UE, it deletes the mapping relationship between this P-TMSIn and the previous P-TMSIo from its database. The P-TMSIn is used in the subsequent identification process.
  • the IMSI may be used to do so. This process is performed in the case that the user registers for the first time to a service network or the SGSN can not obtain the IMSI from the P-TMSI. In this case, the SGSN sends an IMSI request to the user, and the response of the user is a piece of pure text information that contains the IMSI.
  • URAN may be encrypted with a confidential key.
  • the confidential key is the one (CK) that is saved in the authentication center (hereinafter referred to as AuC) in home environment of the UE (hereinafter referred to as HE) or the home location register (hereinafter referred to as HLR).
  • AuC authentication center
  • HLR home location register
  • the CK mentioned above is obtained through the process of authentication and key arranging (hereinafter referred to as AKA).
  • AKA authentication and key arranging
  • the process is based on a certain key which is shared by the SIM card and the HLR and the authentication between the UE and the network is implemented based on the fact that both UE and the network may learn about this key J .
  • a sequence number SQN_MS and a sequence number SQN_HE are respectively saved in the SIM card and the HE of the user.
  • Each user has a unique sequence number SQN, and the SQN indicates the highest sequence number the SIM has accepted.
  • the UE sends the process access request message to the relevant SGSN so that it can obtain the parameters of the mobile terminal.
  • the network sends out an authentication request including a random number. After the UE processes this random number with a certain algorithm, it sends an authentication response to the network and the network determines whether this user is valid or not.
  • an AKA detailed process is as follows: firstly, the UE sends an identification indicating its identity to the SGSN.
  • the SGSN is able to directly obtain the IMSI (which indicates an identity of the unique permanent identified user) and its HLR information, or indirectly obtain the IMSI (which indicates an identity of the unique permanent identified user) and its HLR information according to the saved mapping relationship between the P-TMSI and IMSI.
  • SGSN sends an "authentication data request" to this HLR, requesting to learn about the authentication data related to the IMSI.
  • the "authentication data request" includes the IMSI of the user and the type of the requested area (PS or CS).
  • AV authentication vectors
  • Each AV may be applied in one authentication and key arranging between the SGSN and the SIM.
  • When the SGSN initiates an authentication and key arranging, it selects the next AV from the sorted AV array, and sends the random number RAND and the authentication token AUTN to the UE, requesting the user to generate authentication data.
  • the principle of first in first out memory (FIFO) is adopted by every node to process the AV.
  • After the SIM receives the authentication request, it first calculates the XMAC and compares it with the MAC which is in the AUTN. If they differ, the SIM sends an "authentication reject" message to the VLR and aborts the authentication process. Meanwhile, it is necessary to verify whether the received sequence number SQN is within the valid range or not. If not, the MS sends a "synchronization failure" message to the VLR and aborts the process. After these two verifications pass, the UE calculates RES with f2, calculates CK with f3, calculates IK with f4 and sends the RES to the SGSN.
  • the SIM and the SGSN respectively send the CK and IK to ME (which performs the function of encrypting) and RNC (which performs the function of integrity protecting) for later application in security communications between the UE and the RNC.
  • the mutual authentication process between the UE and the network includes two aspects: user authentication and network authentication.
  • the user authentication makes the network confirm the identity of the user, and the network authentication makes user confirm that the service network he/she is using is licensed by his/her registered HE so that this network may be able to provide service for him/her.
  • it includes the process of confirming that a license is the latest.
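
The SIM-side checks of the AKA process described above (XMAC against the MAC in AUTN, then the SQN range check, then RES, CK and IK), as an added Python example that is not part of the patent text. HMAC-SHA-256 stands in for the real f2, f3 and f4 and for the MAC function (f1 in 3GPP TS 33.102); AUTN is simplified to SQN || MAC, and the key, the window size and all function names are assumptions.

```python
import hashlib
import hmac
import os

SQN_WINDOW = 32  # assumed size of the valid SQN range


def prf(k: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f4: HMAC-SHA-256 truncated to n bytes (not MILENAGE)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def hlr_generate_av(k: bytes, sqn_he: int) -> dict:
    """HLR/AuC side: build one authentication vector for sequence number sqn_he."""
    rand = os.urandom(16)
    sqn = sqn_he.to_bytes(6, "big")
    return {
        "RAND": rand,
        "AUTN": sqn + prf(k, b"f1", sqn + rand, 8),  # simplified: SQN || MAC
        "XRES": prf(k, b"f2", rand, 8),
        "CK": prf(k, b"f3", rand, 16),
        "IK": prf(k, b"f4", rand, 16),
    }


class Sim:
    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k = k
        self.sqn_ms = sqn_ms  # highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_bytes, mac = autn[:6], autn[6:]
        # Check 1 (network authentication): only a holder of the shared key
        # can produce a MAC that equals the locally computed XMAC.
        xmac = prf(self.k, b"f1", sqn_bytes + rand, 8)
        if not hmac.compare_digest(xmac, mac):
            return "authentication reject", None
        # Check 2 (freshness): a vector that was already used carries an SQN
        # that is no longer inside the valid range.
        sqn = int.from_bytes(sqn_bytes, "big")
        if not (self.sqn_ms < sqn <= self.sqn_ms + SQN_WINDOW):
            return "synchronization failure", None
        self.sqn_ms = sqn
        return "authentication response", {
            "RES": prf(self.k, b"f2", rand, 8),
            "CK": prf(self.k, b"f3", rand, 16),
            "IK": prf(self.k, b"f4", rand, 16),
        }


def sgsn_check(av: dict, res: bytes) -> bool:
    """SGSN side: user authentication succeeds when RES equals XRES."""
    return hmac.compare_digest(av["XRES"], res)


def run_demo() -> dict:
    k = bytes(range(16))  # constructed shared key
    sim = Sim(k)
    av = hlr_generate_av(k, sqn_he=1)
    status, out = sim.authenticate(av["RAND"], av["AUTN"])
    results = {
        "fresh": status,
        "res_ok": sgsn_check(av, out["RES"]),
        "keys_match": out["CK"] == av["CK"] and out["IK"] == av["IK"],
        # Same RAND/AUTN presented a second time: MAC is valid, SQN is not fresh.
        "replay": sim.authenticate(av["RAND"], av["AUTN"])[0],
    }
    # Vector built without the subscriber's key: XMAC differs from MAC.
    other = hlr_generate_av(os.urandom(16), sqn_he=2)
    results["wrong_key"] = sim.authenticate(other["RAND"], other["AUTN"])[0]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
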
  • AKA authentication mechanism
  • Figure 6 illustrates an initial process of the local authentication and connection establishment in a UMTS system.
  • Step 601 the UE sends a value of a parameter START which is saved in the SIM card and "security capability of UE" information to a RNC during a process of establishing the RRC connection. If the UE bears the capability, GSM grade 2 and 3 capability will be possibly transmitted in the previous step.
  • the security capability of UE information includes both encryption algorithms UEAs and integrity protecting algorithms UIA that the UE is able to support. Both the START value and the security capability information of UE are saved in the service RNC (hereinafter referred to as SRNC). If GSM grade 2 and 3 capability is transmitted during the process of establishing RRC connection, it is necessary for the RNC to save GSM domain encryption capability of the UE (referring to step 607).
  • Step 602 the UE sends an initial third layer (L3) message to the VLR/SGSN.
  • the L3 message includes "connection management service request" (CM-SERVICE-REQUEST), "LOCATION UPDATE REQUEST", "ROUTING AREA UPDATE REQUEST", "ATTACH REQUEST", "PAGING RESPONSE" and so on.
  • KSI key suit identification
  • the KSI refers to the identification allocated to the CK/IK suit during the previous authentication process in CS area or PS area.
  • Step 603 if necessary, certain interworking operations may be adopted inside the network or between the network and UE to confirm the identification IMSI of the user.
  • an AKA process will be possibly adopted to perform user authentication and to generate new IK and CK.
  • a KSI will be allocated to the IK/CK suit by the network.
  • the process of AKA is illustrated in Figure 4.
  • Step 604 the SGSN specifies the allowed UIA algorithms and UEA algorithms, and sorts them by priority.
  • Step 605 the SGSN sends a RANAP message "(Security_mode_command)" to the SGSN
  • the parameters brought by the "Security_mode_command" message include a list of UIAs (which are sorted by priority and are allowed to be used by RNC) and an IK to be used. If later communication needs to be encrypted, the message above also includes a list of UEAs (which are sorted by priority and are allowed to be used by RNC) and a CK to be used. If a new AKA process has operated before, the message sent to the RNC may indicate this information. This indication means that the START value is reset to "0" when the new key is applied. Otherwise, the RNC uses the START value obtained in Step 601.
  • Step 606 after receiving the "Security_mode_command" message, the RNC compares the UIA/UEA that the UE supports with other allowed UIA/UEAs and selects the UIA/UEA algorithm with highest priority in the list of algorithms that UE supports. Then it generates the random number FRESH and starts the process of downlink integrity protection. If the demand included in the received "Security_mode_command" message may not be met, the RNC sends a "SECURITY MODE REJECT" message to the SGSN.
  • Step 607 the RNC generates the "Security_mode_command" message.
  • the message includes information such as security capability of the UE, an optional GSM encryption capability (if the RNC has received this message in step 601), UIA parameters and FRESH parameters to be used, and necessary UEA for encryption. Other information (e.g., the mark that indicates the beginning of encryption) may possibly be included. Since the UE simultaneously has two suits of keys for encryption and integrity protection respectively in CS area and PS area, a CN area indicator may be adopted by the network to indicate which suit of the keys (either the CS area key suit or the PS area key suit) is to be applied.
  • the RNC generates a message identification code MAC-I for integrity protection before sending a message, and includes it in the message.
  • Step 608 after the UE receives the "Security_mode_command" message sent from the RNC, it first determines whether the "security capability of UE" included in this message is consistent with that mentioned in Step 601 or not. Similarly, if the GSM grade capability is mentioned in Step 601, it may be verified also. With the parameters included in the received "Security_mode_command" message, the UE calculates an XMAC-I according to the indicated UIA, the saved START parameter and the received FRESH parameter. By comparing the received MAC-I with the generated XMAC-I, the verification on integrity protection is completed.
  • Step 609 if the integrity protection is successfully implemented, the UE generates
  • Step 610 once the SRNC receives the response message "Security_mode_complete", it calculates the XMAC-I of the message.
  • the SRNC checks whether the integrity protection is implemented successfully or not by comparing the received MAC-I and the generated XMAC-I.
  • Step 611 if the integrity protection is implemented successfully, the RNC sends the
  • the "Security_mode_command" message sent to the UE starts the implementation of integrity protection process in downlink, i.e., all messages after this one and later downlink ones sent to the UE are protected by the new integrity protection configuration.
  • the "Security_mode_complete” message sent from the UE starts the implementation of integrity protection process in uplink, i.e., all messages after this one and later uplink ones sent from the UE are protected by the new integrity protection configuration.
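
Steps 604 to 608 as an added Python example (not from the patent): the RNC picks the highest-priority allowed algorithm that the UE supports, and the UE compares the capabilities echoed in "Security_mode_command" with what it sent in Step 601, a message that travels before integrity protection has started. The algorithm names are constructed sample values, the function names are assumptions, and the MAC-I check on the command is left out here.

```python
class SecurityModeReject(Exception):
    """The RNC cannot meet the demand in Security_mode_command (Step 606)."""


def select_algorithm(allowed_by_priority, ue_supported):
    """Step 606: first entry of the SGSN's priority list that the UE supports."""
    for alg in allowed_by_priority:
        if alg in ue_supported:
            return alg
    raise SecurityModeReject("no allowed algorithm is supported by the UE")


def rnc_security_mode_command(saved_caps, allowed_uia, allowed_uea=None):
    """Steps 606-607. saved_caps is what the RNC stored in Step 601."""
    cmd = {
        "ue_security_capability": {k: list(v) for k, v in saved_caps.items()},
        "UIA": select_algorithm(allowed_uia, saved_caps["UIA"]),
        "UEA": None,
    }
    if allowed_uea:  # only present when later communication is to be encrypted
        cmd["UEA"] = select_algorithm(allowed_uea, saved_caps["UEA"])
    return cmd


def ue_check_command(sent_caps, cmd):
    """Step 608, first check: the echoed capabilities must equal what was sent."""
    echoed = cmd["ue_security_capability"]
    if any(sorted(echoed.get(k, [])) != sorted(sent_caps[k]) for k in sent_caps):
        return "capability mismatch"
    if cmd["UIA"] not in sent_caps["UIA"]:
        return "unsupported UIA"
    if cmd["UEA"] is not None and cmd["UEA"] not in sent_caps["UEA"]:
        return "unsupported UEA"
    return "ok"


def run_demo():
    sent = {"UIA": ["UIA1", "UIA2"], "UEA": ["UEA1", "UEA2"]}    # constructed
    allowed_uia, allowed_uea = ["UIA2", "UIA1"], ["UEA2", "UEA1"]  # SGSN priority
    results = {}

    cmd = rnc_security_mode_command(sent, allowed_uia, allowed_uea)
    results["selected"] = (cmd["UIA"], cmd["UEA"])
    results["honest"] = ue_check_command(sent, cmd)

    # The RNC holds a capability list that differs from what the UE sent in
    # Step 601. Selection still succeeds, but the UE notices the difference.
    stored = {"UIA": ["UIA1"], "UEA": ["UEA1"]}
    cmd = rnc_security_mode_command(stored, allowed_uia, allowed_uea)
    results["altered_selected"] = (cmd["UIA"], cmd["UEA"])
    results["altered"] = ue_check_command(sent, cmd)

    # The SGSN allows only an algorithm the UE does not support ("UIA9" is a
    # constructed name).
    try:
        rnc_security_mode_command(sent, ["UIA9"])
        results["no_overlap"] = "accepted"
    except SecurityModeReject:
        results["no_overlap"] = "SECURITY MODE REJECT"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
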
  • the encryption start time is exchanged during the process of establishing the safety mode between the RNC and the UE. This encryption start time specifies the RLC serial number and the CFN serial number for downlink
  • the PLMN system network begins a series of operations. Firstly, when the UE initiates a call, its RRC unit starts the signaling link connection through the random access process. In this process, a channel request message and a security capability message are sent through the random access channel from Node B to the RNC. If this request is successfully received by the RNC, it is transferred to the RRC unit of the RNC. A dedicated channel is allocated by the RRC unit, and the allocation message is immediately transmitted through the access allowed channel.
  • When the UE starts a calling process, it sets in the timer the interval for repeating the call. If the call has been repeated the preset number of times but still has not been received, the UE abandons this call.
  • After the UE receives an immediate allocation message, it switches to the allocated dedicated channel to establish the master signaling connection between it and the RNC. Until the wireless service channel is allocated, all signaling is transmitted through the dedicated channel. After the service channel is well established, the signaling in the session process is transmitted through the associated control channel.
  • the connection management CM unit of the UE starts the process of establishing data link with the service request message that is transmitted to the data link layer. In fact, this service request is included in the third layer (L3) "CM_SERVICE_REQUEST" message mentioned in Step 602, then is forwarded to the SGSN via the RNC.
  • the UE checks the integrity for the received message.
  • its mobility management layer MM monitors the implementation of integrity protection.
  • After the SGSN receives the Security_mode_complete message from the RNC, it successfully starts the process of security control. If encryption is needed, the UE and the RNC begin to encrypt information such as service data, channel identification and signaling after it is enabled.
  • the security flow is the same as the process following the random access process.
  • the existing UMTS system structure has the defects of poor update, long time on establishing a call, complex and so on.
  • the 3rd generation mobile communication partner project (3GPP) standardization organization, which is responsible for establishing the UMTS standard, is working on the standardization related to the long-term evolution of the UMTS system (hereinafter referred to as LTE).
  • LTE long-term evolution of the UMTS system
  • one object of the LTE is to accelerate the process of establishing a call to reduce the time on establishing a call.
  • each corporation has proposed its desired LTE system structure. One of them is shown in Figure 7 and Figure 8.
  • an evolution Node B gathers the functions of Node B and the RNC in the UMTS system. It is mainly responsible for transmitting and receiving radio signals, signaling connecting with UEs, mobility management and so on.
  • the evolution GGSN gathers the functions of the SGSN and the GGSN in the UMTS system. It is mainly responsible for mobility management, interface with PDN network, and arrangement of service quality and so on.
  • the UMTS are responsible for transmitting and receiving radio signals, as well as having part of the functions of MAC layer.
  • the anchor bears similar function as that of the RNC in the UMTS, which is responsible for tasks so as to encrypt or decrypt user data, to control the allocation of radio resources in ENB, to perform signaling connection with UE and to manage the mobility of the user who is in the connection state.
  • the E-GGSN bears the functions of that of the SGSN and the GGSN in the UMTS system. It is mainly responsible for the mobility management, the interface between it and the PDN network, the arrangement of quality and so on.
  • ENB in Figure 7 as well as the ENB and the anchor in Figure 8 are called as an E-RAN, and the E-GGSN is called as the E-CN.
  • an object of the present invention is to reduce time for establishing a call so as to accelerate a service access process for a user, and a method for mutual authentication between the UE and a network with shorter time is proposed in the present invention. With this method, the process of establishing a call is accelerated.
  • a method for authentication between a UE and a network in a wireless communication system comprising steps of: the UE sending an authentication request message to the network, the message including an authentication reference value; the network judging whether its own generated authentication value is consistent with the authentication reference value; if yes, authentication in the network side succeeds and the network sends an authentication response message to the UE, the message including another authentication reference value; after receiving the authentication response message sent from the network, the UE verifying whether the another authentication reference value included in the received response message is consistent with the one generated by itself; and if yes, the authentication in the UE side succeeds.
  • the authentication request message includes such UE-adopted information as the encryption algorithm, the integrity protection algorithm and the parameters for authentication.
  • the authentication value generated by the network is obtained according to information on the encryption algorithm, the integrity protection algorithm, the parameters for authentication, and the key generated by the network.
  • the authentication value generated by the UE is obtained according to information on the encryption algorithm, the integrity protection algorithm, the parameters for authentication, and key.
  • the parameters for authentication include a random number FRESH and a value of START.
  • the information on the key generated by the network includes information on a confidential key CK and an integrity protection key IK.
  • both the information on the confidential key CK and the information on integrity protection key IK are generated by a core network entity of the network.
  • the encryption algorithm and the integrity protection algorithm included in authentication request message sent from the UE to the network are selected out of many encryption algorithms and integrity protection algorithms offered by the network and supported by the UE.
  • the random number FRESH is broadcast through the network.
  • the random number FRESH is inherent in the UE.
  • the random number FRESH may be updated.
  • Figure 1 illustrates a network structure of UMTS;
  • Figure 2 illustrates a relationship between different areas in a UMTS system;
  • Figure 3 illustrates a structure of a UE;
  • Figure 4 illustrates a process of allocating temporary identifications;
  • Figure 5 illustrates a process of AKA;
  • Figure 6 illustrates a local authentication process and a connection establishing process;
  • Figure 7 illustrates a system structure of an E-UMTS;
  • Figure 8 illustrates another system structure of E-UMTS;
  • Figure 9 illustrates a process of mutual identity authentication (proposed in the present invention) between a UE and a network;
  • Figure 10 illustrates calculation and verification on MAC-I;
  • Figure 11 illustrates a process of mutual identity authentication (which is performed according to a first example of present invention) between a network and a UE;
  • Figure 12 illustrates a process of mutual identity authentication (which is performed according to a second example of present invention) between a network and a UE;
  • Figure 13 illustrates message forwarding approaches applied in the examples of the present invention;
  • Figure 14 illustrates the operation flow of UE during the process of mutual identity authentication of the examples in present invention;
  • Figure 15 illustrates an operation flow of E-RAN during a process of mutual identity authentication of the examples in present invention;
  • Figure 16 illustrates an operation flow of E-CN during a process of mutual identity authentication of the examples in the present invention; and
  • Figure 17 illustrates generation of authentication vector group.
  • present invention may be based on the system structure shown in Figure 7 or Figure 8, but is not limited in these system structures.
  • Figure 9 illustrates a process of mutual identity authentication proposed in present invention between a UE and a network (that is RAN).
  • a UE when a UE communicates with a network, it is necessary for the UE to send a message to the network.
  • this message may be a service request, or a routing area update, etc.
  • no constraint is designed to contents of the first transmitted message.
  • the UE calculates and verifies a MAC-I with a method illustrated in Figure 10 according to the available parameters in the first message in Step 901. Parameters for the calculation of MAC-I include IK, COUNT-I, MESSAGE, DIRECTION and FRESH.
  • IK is generated during the process of authentication.
  • Figure 6 is referred to. Since the UE possibly saves several IKs, it is necessary for UE to inform the network of the CK and IK when it sends the first message to the network.
  • a serial number is adopted to denote the IK and CK. This serial number uniquely denotes the combination of IK and CK. After the E-CN receives this serial number, it knows the IK and the CK which the UE adopts.
  • COUNT-I is a parameter saved in the UE. This value is initialized with START when the UE begins to communicate with the network. START is a parameter saved in the UE and may be updated each time the UE returns to the idle state. The updated value equals the value of the higher 20 bits (which are consistent with those in COUNT-C) plus 2.
  • MESSAGE is a message itself that may experience integrity protection.
  • DIRECTION indicates a direction of the message, either an uplink one from the UE to the network or a downlink one from the network to the UE.
  • After the receiving side receives the MAC-I, it calculates the XMAC-I with the algorithm and the input parameters shown on the right of Figure 10. Then, it compares the received MAC-I with the calculated XMAC-I. If they are equal to each other, it confirms that the transmitting side is a valid user terminal or network equipment.
  • The UE encapsulates the first message that is to be sent to the network, including the MAC-I (as mentioned in Step 902).
  • After the wireless access network receives this message, it saves the MAC-I and performs the necessary processing on the first message. For instance, in Step 903, the MAC-I is extracted from this message, and the rest is forwarded to the E-CN. Alternatively, the message from the UE is encapsulated in a message of interface Iu+ and is sent to the E-CN.
  • After the E-CN receives the first message, it checks whether this UE has valid identifications (e.g., P-TMSI) or not, which IK is used to perform integrity protection and which CK is used to perform encryption.
  • The E-CN sends a Security_mode_command (in Step 904) to the wireless access network, including elements such as the CK which is necessary for encryption and the IK which is necessary for integrity protection, as well as the encryption algorithm and the integrity protection algorithm.
  • This message may also perform other functions, such as establishing the user plane or arranging service quality. However, these have nothing to do with the present invention, and no description will be given here.
  • After the RAN receives the IK for integrity protection, it performs verification (Step 905) with the MAC-I1 according to the process illustrated in Figure 10. If the verification passes, the RAN generates another MAC-I named MAC-I2 (Step 906), whose generation approach is the same as the one the UE adopts to generate MAC-I. After the five parameters are applied in algorithm f9, the MAC-I2 may be obtained. Then, the RAN includes the MAC-I in the Security_mode_command message to be sent to the UE (Step 907), including parameters such as the encryption algorithm, the integrity protection algorithm, etc.
  • In Step 904, if functions such as arranging the service quality, establishing the user plane and so on are performed, functions similar to the establishment of the user radio bearer may be performed in Step 907.
  • After the UE receives the Security_mode_command, it extracts the MAC-I and checks whether or not the MAC-I is unmodified (Step 908) according to the algorithm illustrated in Figure 10. If yes, it indicates that this RAN can be trusted and is valid network equipment.
  • [99] Now, a first embodiment and a second embodiment of the present invention will be described.
  • Figure 11 illustrates a process of mutual identity authentication which is performed according to a first example of the present invention between the network and the UE.
  • The E-CN (i.e., a core network entity) specifies one or more encryption algorithms and integrity protection algorithms that the network may adopt. If several algorithms are specified for the network, their order indicates their priorities. For instance, the E-CN prefers the UE to adopt algorithm 1, then algorithm 2 and then algorithm 3, as far as its capability allows. In this case, algorithms 1, 2 and 3 will be included in the Security_mode_command message broadcast in Step 1101. After the E-RAN receives this broadcast message, it broadcasts these algorithms and corresponding priorities in all of its cells (Step 1102).
  • The Security_mode_command broadcast message includes not only the encryption algorithms and integrity algorithms for the UE, but also the FRESH value that the network wants the UE to use. How the parameter FRESH is used is illustrated in Figure 10. After the UE receives these parameters, it saves them for later application in the communication with the network.
  • When the UE wants to communicate with the network, it sends a first message to the E-RAN (Step 1103), including parameters such as a serial number of the key for encryption and the key for integrity protection, a MAC-I calculated according to the steps shown in Figure 10, the selected encryption algorithm and integrity protection algorithm, user identifications and so on.
  • After the E-RAN receives the first message from the UE, it saves the MAC-I, the encryption algorithms and the integrity protection algorithms, and forwards the rest or the entirety of the message to the E-CN (Step 1104). This process will be illustrated in detail in Figure 13.
  • After the E-CN receives the first message from the UE, it checks whether the encryption algorithm or the integrity protection algorithm selected by the UE is valid or not. By checking the KSI, it learns about the keys adopted by the UE for encryption and for integrity protection respectively. In general, this message also includes parameters such as the identification of the user (e.g., the P-TMSI), etc.
  • Security_mode_command message (Step 1105) to the E-RAN, including the algorithms applied by both the UE and the E-RAN for encryption and integrity protection.
  • The algorithms may be the same as those selected by the UE in Step 1103. If the parameter is not included in the message transmitted in Step 1105, both the E-RAN and the UE adopt the default algorithms selected by the UE for encryption and integrity protection. Otherwise, they adopt the algorithms re-configured by the network.
  • The message transmitted in Step 1105 includes a confidential key CK and an integrity protection key IK. These two parameters are transmitted to the E-RAN to implement integrity protection and encryption on the downlink signaling and data.
  • After receiving the Security_mode_command (in Step 1105), the UE verifies whether the received MAC-I is correct or not with the IK (which is transferred through the network), the integrity protection algorithm (which is included in the message transmitted by the UE in Step 1103), the MAC-I received in Step 1103, and according to the operation method illustrated in Figure 10. If yes, this UE is a valid UE; otherwise, it is invalid. If the UE is valid, the E-RAN sends the Security_mode_command message (in Step 1106), including the algorithms that the network wants to re-configure for encryption and integrity protection. If no algorithm for encryption or for integrity protection is included in the message in Step 1105, none is included in the message in Step 1106 either.
  • The E-RAN calculates the MAC-I and includes it in the Security_mode_command message to transmit to the UE.
  • The integrity protection algorithm adopted to calculate the MAC-I may be the one that Step 1105 relates to, or the one that the UE informs the E-RAN of in Step 1103.
  • MAC-I is correct or not according to the integrity protection algorithm selected by itself and the method illustrated in Figure 10 if neither encryption algorithm nor integrity protection algorithm is included in the message. Otherwise, it implements the verification according to the integrity protection algorithm included in the message. If the verification passes, it indicates that the network is valid and goes to subsequent operation.
  • No encryption algorithm or integrity protection algorithm is broadcast through the network, and the UE selects one within its own security capability and informs the E-RAN of it in Step 1103.
  • Figure 12 illustrates a second embodiment of the present invention.
  • An E-GGSN (i.e., a core network entity) specifies one or more encryption algorithms and integrity protection algorithms that the network may adopt. If several algorithms are specified for the network, their order indicates their priorities. For instance, the E-GGSN prefers the UE to adopt algorithm 1, then algorithm 2 and then algorithm 3, as far as its capability allows. In this case, algorithms 1, 2 and 3 will be included in the Security_mode_command message broadcast in Step 1201. After the E-RAN receives this broadcast message, it broadcasts these algorithms and corresponding priorities in all of its cells (Step 1202). The Security_mode_command broadcast message transmitted in Step 1202 includes the encryption algorithms and integrity algorithms for the UE. After the UE receives these parameters, it saves them for later application in the communication with the network.
  • Step 1203 including parameters such as a serial number of the key for encryption and the key for integrity protection, a MAC-I calculated according to the steps shown in Figure 10, and a selected encryption algorithms and integrity protection algorithm, user identifications, a FRESH value for the generation of MAC-I, and so on.
  • The FRESH for the calculation of MAC-I may be either a random number or a value of START plus a random number or plus a fixed value.
  • the E-RAN After receiving the first message from the UE (Step 1203), the E-RAN saves the
  • After the E-CN receives the first message from the UE (Step 1204), it checks whether the encryption algorithm or the integrity protection algorithm selected by the UE is valid or not. By checking the KSI, it learns about the keys adopted by the UE for encryption and for integrity protection respectively. In general, the message transmitted in Step 1204 also includes parameters such as the identification of the user (e.g., the P-TMSI), etc.
  • Security_mode_command message (step 1205) to the E-RAN, including the algorithms applied by both the UE and the E-RAN for encryption and integrity protection.
  • The algorithms may be the same as those selected by the UE in Step 1203. If the parameter is not included in the message transmitted in Step 1205, both the E-RAN and the UE adopt the default algorithms selected by the UE for encryption and integrity protection. Otherwise, they adopt the algorithms re-configured by the network.
  • The message transmitted in Step 1205 includes the confidential key CK and the integrity protection key IK. These two parameters are transmitted to the E-RAN to implement integrity protection and encryption on the downlink signaling and data.
  • After receiving the Security_mode_command (in Step 1205), the E-RAN verifies whether the received MAC-I is correct or not with the IK (which is transferred through the network), the integrity protection algorithm (which is included in the message transmitted by the UE in Step 1203), the MAC-I received in Step 1203, and according to the operation method illustrated in Figure 10. If yes, this UE is a valid UE; otherwise, it is invalid. If the UE is valid, the E-RAN sends the Security_mode_command message (in Step 1206), including the algorithms that the network wants to re-configure for encryption and integrity protection. If no algorithm for encryption or for integrity protection is included in the message in Step 1205, none is included in the message in Step 1206 either.
  • The E-RAN calculates the MAC-I and includes it in the Security_mode_command message to transmit to the UE.
  • The integrity protection algorithm adopted to calculate MAC-I may be the one that Step 1205 relates to, or the one that the UE informs the E-RAN of in Step 1203.
  • MAC-I is correct or not according to the integrity protection algorithm selected by itself and the method illustrated in Figure 10 if neither encryption algorithm nor integrity protection algorithm is included in the message. Otherwise, it implements the verification according to the integrity protection algorithm included in the message. If the verification passes, it indicates that the network is valid and goes to subsequent operation.
  • Security_mode_command message transmitted in Step 1206 includes a new FRESH value, and this message experiences integrity protection with the new FRESH value. Then, after the UE receives the Security_mode_command message transmitted in Step 1206, it implements integrity verification on the received message with the included FRESH. If the verification passes, it indicates that the network is valid and believable.
  • No encryption algorithm or integrity protection algorithm is broadcast through the network, but the UE selects one within its own security capability and informs the E-RAN of it in Step 1203.
  • A stipulation may be made between the UE and the network in advance that the calculation of MAC-I needs no FRESH parameter.
  • Different COUNT-Is may be applied in the two calculation processes. Since the COUNT-I is initialized by START, this means that different START values are applied in the two calculation processes. Therefore, as a variation of the present embodiment, the network may specify a new START value for the UE's next use while performing the previous communication with the UE. Thus, during the next communication process, the UE adopts the specified new START value to calculate MAC-I and the network also adopts the saved START value to calculate MAC-I.
  • The START value may be either transmitted to the network from the UE in the next communication process, or transmitted to the UE from the network. Otherwise no START value is transmitted. If START is transmitted, the receiver may verify whether the START value applied in the communication process is consistent with its own saved START or not.
  • the UE adopts a new
  • The network and the UE apply the START value to calculate the MAC-I.
  • The START value needs to be transmitted from the UE to the network.
  • The network may save the START value applied in the previous communication process so as to verify whether the START value applied in this communication process is consistent with the saved START value or not.
  • Figure 13 illustrates a method with which a UE performs signaling interaction with a network.
  • A dedicated interface Uu+ is established between the UE and the E-RAN, and corresponding messages are prepared for this interface.
  • Some messages may be responsible for the transmission of signaling named L3 signaling from the UE to the E-CN. This is similar to INITIAL DIRECT TRANSFER, UPLINK DIRECT TRANSFER and DOWNLINK DIRECT TRANSFER in UMTS.
  • L3 signaling is included in the messages of the dedicated Uu+ interface.
  • After the E-RAN receives this message, it forwards the L3 signaling to the E-CN or the UE.
  • The interface Iu+ between the E-RAN and the E-CN is responsible for the transmission of the signaling message between the UE and the E-CN. This is similar to INITIAL UE MESSAGE and DIRECT TRANSFER in UMTS.
  • L3 signaling is included in the messages of the dedicated Iu+ interface.
  • Steps 1301 and 1302 in Figure 13 adopt this mechanism to transmit the signaling between the UE and the E-CN.
  • The UE transmits the signaling between the UE and the E-RAN to the E-RAN, including the information unit that needs to be processed by the E-RAN, as well as the L3 signaling.
  • The E-RAN forwards the L3 signaling to the E-CN.
  • The E-RAN transmits the signaling forward L3 signaling between the E-RAN and the E-CN to the E-GGSN, including not only the L3 signaling but also the information unit that needs to be processed by the E-GGSN.
  • The signaling interaction process between the UE and the E-CN may be implemented through Steps 1311 and 1312.
  • The names of the messages in Steps 1311 and 1312 may be either different or the same. However, a one-to-one mapping relationship may be established between the two messages for the interfaces between the UE and the E-RAN and between the E-RAN and the E-CN.
  • The E-RAN may remove some information units from the message in Step 1311 so that they are not transmitted to the E-CN. It may also add some new information units to this message and transmit it to the E-CN in Step 1302.
  • Figure 14 illustrates an operation implemented by the UE of the present invention.
  • The UE receives the Security_mode_command broadcast message in the broadcast message in Step 1401, including encryption algorithms and integrity protection algorithms for the UE and their priorities.
  • The UE saves this information for later application in the interworking with the network. If the broadcast message includes the FRESH, the UE also needs to save this parameter (Step 1402).
  • When the UE sends the first message to the network, it is necessary to calculate the MAC-I according to the process illustrated in Figure 10. Then it includes the MAC-I in the first message and transmits it to the E-RAN (Step 1403).
  • This message includes the encryption algorithm and integrity protection algorithm for the UE.
  • After the UE receives the Security_mode_command, it extracts the MAC-I and verifies it according to the method illustrated in Figure 10 (Step 1404). If the verification passes, it goes on to subsequent operations. Otherwise, the UE confirms that the network is invalid and aborts the communication with the network.
  • Figure 15 illustrates an operation implemented by an E-RAN of the present invention.
  • The E-RAN receives the Security_mode_command broadcast message in the broadcast message from the E-CN in Step 1501, including the encryption algorithms and integrity protection algorithms to be broadcast for the UE and their priorities. Then, the E-RAN informs UEs of the encryption algorithms and integrity protection algorithms and the corresponding priorities (which are included in the system information broadcast of the cells under the control of the E-RAN) through cell broadcasting. In the first implementation example of the present invention (as shown in Figure 11), it is necessary for the E-RAN to broadcast the parameter FRESH. After the E-RAN receives the first message from the UE (Step 1502), it verifies whether the MAC-I included in the received message is correct or not (Step 1503) according to the integrity protection algorithm and other relevant parameters. The E-RAN needs to save the UE-selected encryption algorithm and integrity protection algorithm.
  • In Step 1501, if the E-RAN has the broadcast FRESH value, it adopts it to verify the MAC-I in Step 1503. Otherwise, this message may include the FRESH value used by the UE for integrity protection.
  • The verification of the MAC-I may be implemented according to the method illustrated in Figure 10 (Step 1504). If the verification passes, the E-RAN forwards the first message received from the UE to the E-CN in Step 1505. Otherwise, the E-RAN confirms that the UE is invalid and then ends this process.
  • In Step 1506, after the E-RAN receives the Security_mode_command from the E-CN, if it includes the encryption algorithm and integrity protection algorithm, it is necessary for the E-RAN to overwrite the ones selected by the UE; otherwise, it uses the algorithms selected by the UE.
  • The E-RAN sends the Security_mode_command message to the UE, including the MAC-I calculated by the E-RAN, and the encryption algorithm and integrity protection algorithm modified by the E-CN.
  • Figure 16 illustrates an operation implemented by the E-CN of present invention.
  • the E-CN transmits the Security_mode_command broadcast message to the E-
  • Step 1601 for asking the E-RAN to broadcast the encryption algorithms and integrity protection algorithms and their priorities configured by the network throughout the cells controlled by E-RAN (Step 1601).
  • the E-CN receives the first message of the UE forwarded by the E-RAN (Step 1602)
  • the encryption algorithm and the integrity protection algorithm selected by the UE are included.
  • The E-CN checks whether the identification of the UE (e.g., the P-TMSI) in the message is valid or not (Step 1603). If yes, the E-CN sends the Security_mode_command message to the E-RAN (Step 1604), including the identification of the UE as well as the encryption algorithm and the integrity protection algorithm. If the E-CN does not want to change the encryption algorithm and the integrity protection algorithm, this message includes no information on the algorithms. Finally, the operation process completes in Step 1605.
  • the identification of the UE e.g., the P-TMSI
  • the E-CN sends the Security_mode_command message to the E- RAN (Step 1604)
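The Figure 9 exchange (Steps 901 to 908) as an added Python example, which is not part of the patent text: the UE protects its first message with a MAC-I, the RAN verifies it once the E-CN has handed over the IK and answers with MAC-I2, and the UE verifies the network in turn. Assumptions of this example: `mac_i` is a truncated HMAC-SHA256 standing in for f9, COUNT-I travels in the message, FRESH is broadcast as in the first embodiment, the RAN rejects a COUNT-I it has already accepted, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1


def mac_i(ik, count_i, message, direction, fresh):
    """Stand-in for f9 (an assumption, not f9 itself): truncated HMAC-SHA256
    over the five inputs the text lists, cut to 32 bits like a UMTS MAC-I."""
    if len(fresh) != 4:
        raise ValueError("FRESH is modelled as a fixed 4-byte value")
    header = struct.pack(">IB", count_i, direction) + fresh
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]


class CoreNetwork:
    """E-CN: resolves the key serial number sent by the UE to the stored IK."""

    def __init__(self, keys):
        self.keys = dict(keys)  # serial number -> IK

    def security_mode_command(self, ksi):
        return self.keys.get(ksi)  # Step 904: IK handed to the RAN


class RAN:
    def __init__(self, core, fresh):
        self.core, self.fresh = core, fresh
        self.highest_count = {}  # replay guard, an assumption of this example
        self.dl_count = 0

    def handle_first_message(self, msg):
        """Steps 903-907: return the protected command, or None on failure."""
        ik = self.core.security_mode_command(msg["ksi"])
        if ik is None:
            return None
        xmac = mac_i(ik, msg["count_i"], msg["body"], UPLINK, self.fresh)
        if not hmac.compare_digest(xmac, msg["mac_i"]):  # Step 905
            return None
        if msg["count_i"] <= self.highest_count.get(msg["ksi"], -1):
            return None  # valid MAC-I but stale COUNT-I: a replayed message
        self.highest_count[msg["ksi"]] = msg["count_i"]
        self.dl_count += 1
        body = b"Security_mode_command"
        mac2 = mac_i(ik, self.dl_count, body, DOWNLINK, self.fresh)  # Step 906
        return {"count_i": self.dl_count, "body": body, "mac_i": mac2}


class UE:
    def __init__(self, ksi, ik, start, fresh):
        self.ksi, self.ik, self.fresh = ksi, ik, fresh
        self.count_i = start  # COUNT-I is initialised from START

    def first_message(self, body):
        """Steps 901-902: compute MAC-I and encapsulate it in the message."""
        self.count_i += 1
        mac = mac_i(self.ik, self.count_i, body, UPLINK, self.fresh)
        return {"ksi": self.ksi, "count_i": self.count_i, "body": body, "mac_i": mac}

    def verify_network(self, cmd):
        """Step 908: recompute XMAC-I over the downlink command and compare."""
        if cmd is None:
            return False
        xmac = mac_i(self.ik, cmd["count_i"], cmd["body"], DOWNLINK, self.fresh)
        return hmac.compare_digest(xmac, cmd["mac_i"])


def run_scenarios():
    ik = bytes(range(16))        # constructed key, not a real IK
    fresh = b"\x5a\x5a\x5a\x5a"  # constructed FRESH, broadcast by the network
    ran = RAN(CoreNetwork({7: ik}), fresh)
    ue = UE(ksi=7, ik=ik, start=0x100, fresh=fresh)
    results = {}

    msg = ue.first_message(b"service request")
    results["honest"] = ue.verify_network(ran.handle_first_message(msg))

    # Same message presented a second time: MAC-I still verifies, COUNT-I is old.
    results["replay_rejected"] = ran.handle_first_message(msg) is None

    # Body changed in transit: XMAC-I no longer matches the carried MAC-I.
    changed = dict(ue.first_message(b"service request"), body=b"routing area update")
    results["tamper_rejected"] = ran.handle_first_message(changed) is None

    # A sender that was never given the IK cannot produce a MAC-I2 the UE accepts.
    body = b"Security_mode_command"
    forged = {"count_i": 1, "body": body,
              "mac_i": mac_i(bytes(16), 1, body, DOWNLINK, fresh)}
    results["wrong_key_rejected"] = not ue.verify_network(forged)

    # The UE's own uplink MAC-I sent back to it fails because DIRECTION differs.
    up = ue.first_message(b"service request")
    echoed = {"count_i": up["count_i"], "body": up["body"], "mac_i": up["mac_i"]}
    results["reflection_rejected"] = not ue.verify_network(echoed)
    return results


print(run_scenarios())
```

The replay case shows why a valid MAC-I alone is not enough on the first message: without a changing COUNT-I (or FRESH) a recorded message verifies every time it is presented.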

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The method for authentication between a UE and a network in a wireless communication system is proposed in present invention, the method comprising steps of: the UE sending an authentication request message to the network, the message including an authentication reference value; the network judging whether its own generated authentication value is consistent with the authentication reference value, if yes, authentication in the network side succeeds and the network sends an authentication response message to the UE, the message including another authentication reference value; after receiving the authentication response message sent from the network, the UE verifying whether the another authentication reference value included in the received response message is consistent with the one generated by itself, and if yes, the authentication in the UE side succeeds.

Description

METHOD FOR AUTHENTICATION BETWEEN UE AND NETWORK IN WIRELESS COMMUNICATION SYSTEM
Technical Field
[1] The present invention relates to a wireless communication system, especially to a method for authentication between a network and user equipment (UE) in a wireless communication system to accelerate establishment of calling.
Background Art
[2] In the 3rd generation mobile communication system, the main aim is to provide seamless service to end users anywhere and at any time. Here, as a network platform of the 3G mobile communication system, Universal Mobile Telecommunication System (hereinafter referred to as UMTS) is applied in many operators' networks. Figure 1 shows the architecture of UMTS.
[3] User Equipment 101 (hereinafter referred to as UE) is a device used to receive the called service or call, and to transmit the calling service or call. Base station 102 (hereinafter referred to as Node B) is equipment used to communicate with the UE through the transmitting and receiving devices via radio signals. The air-interface between UE and Node B involves the physical layer and the media access control layer (hereinafter referred to as the MAC layer). The physical layer is responsible for processing the operations on the receiving and transmitting of radio signals, and the MAC layer is responsible for mapping different services to the physical layer.
[4] The Control Radio Network Controller (hereinafter referred to as CRNC) controls the management, allocation and utilization of the radio resources in each cell of a Node B, and is responsible for allocating the radio resources of each cell to a UE. From the point of view of UE, the Radio Network Controller (RNC) includes the Service Radio Network Controller (hereinafter referred to as SRNC) and the Drift Radio Network Controller (hereinafter referred to as DRNC). SRNC is an entity providing for the UE the radio resource control (hereinafter referred to as RRC) connection, with which the UE can transmit and receive control signaling through the network. The SRNC obtains the network resources allocated to the user from a CRNC and sends the resource's configuration parameters to the UE by means of RRC signaling.
[5] In this way, the UE can communicate with the network. The interface between the SRNC and a UE is the Uu interface. Service GPRS (General Packet Radio Service) Support Node 105 (hereinafter referred to as SGSN) is an entity that manages mobile management state and session management state of the UE. The mobility management and the negotiation of the service quality related to the session are also operated between the UE and the SGSN. The interface between the SGSN and the SRNC of the UE is an Iu interface which is responsible for establishing the user plane transmission channel and the signaling connection of transmission signaling for data transmission of the user.
[6] The Gateway GPRS Support Node 106 (hereinafter referred to as GGSN) acts as a gateway for the data transmission between a UE and a Packet Data Network (hereinafter referred to as PDN). A GGSN allocates an Internet Protocol (hereinafter referred to as IP) address for the UE. Both the data from the user and that sent to the user are identified by the address. The interface between the GGSN and the SGSN is called Gn interface, which is responsible for the negotiation of the service quality and the establishment of the user plane's GPRS User Plane Tunnel (hereinafter referred to as GTP-U) for the data transmission between the SGSN and the GGSN. The interface between the GGSN and the PDN is Gi interface, which has several functions such as allocating IP address, authentication and identification, accounting for the user. The main function of the GGSN is to receive and analyze the received data, then to transmit the data of a certain user to the corresponding GTP-U tunnel.
[7] The UTRAN can connect to both of the two domains simultaneously or just either of them. The UTRAN aims at providing a group of uniform radio bearers. It can be applied either in the burst packet service or in the conventional telephone service. Each UTRAN bears the capacity of definite radio coverage and service delivery. This area is defined as the UTRAN registry area (hereinafter referred to as URA). To offer the radio coverage stated, each UTRAN contains a radio network controller (hereinafter referred to as RNC) and at least one base station (hereinafter referred to as Node B) which is under the control of the UTRAN. Logically, each Node B possibly contains at least one cell. The RNC can connect to any other RNCs. It supports such tasks as switching and mobility management brought in by the moving of a UE. A CN connects to other types of networks so as to provide end users with seamless services.
[8] Radio resource processing is an internal function of a UTRAN. A CN does not define the types for allocated radio resources. Usually it is necessary to establish a Radio Resource Control (hereinafter referred to as RRC) connection between UE and RNC for the convenience of transferring a great deal of user data streams and signaling streams between the UTRAN and the UE. The RRC has two modes: RRC connection mode and RRC idle mode. The RRC modes indicate the approach to identifying a UE. In RRC idle mode, the operation on identifying a UE can be done according to the CN-related IDs. In RRC connection mode, the operation on identifying the UE can be done according to the radio network temporary identification (hereinafter referred to as RNTI) allocated to the UE through the common transmission channel.
[9] Now referring to Figure 2, four different domain concepts are applied in UMTS system on the mobility function of the UE. Both Location Areas (hereinafter referred to as LA) and Routing Areas (hereinafter referred to as RA) are applied in the core network. The URA and the Cell areas are applied in the UTRAN. The LA relates to CS service, and the RA relates to PS service. A CN node processes an LA. That a UE has registered in an LA also means that it has registered in the CN node which processes the LA. A CN node processes a RA. That UE has registered in a RA also means that it has registered in the CN node which processes the RA. In UMTS system, MSC/VLR pages a UE using LA, and SGSN pages a UE using RA. URA and Cell area are visible only in an UTRAN. They are used in RRC connection mode.
[10] Combined MSC/VLR+SGSN
[11] The CN adopts LA/RA for CS/PS services. When the CN begins paging CS/PS-services-related UEs, it uses LA/RA. MSC/VLR and SGSN can allocate a CS/PS-service-related temporary identification, TMSI/P-TMSI, to the UE. This temporary identification is unique in the LA/RA.
[12] When the terminal is in RRC connection mode, the internal area of UTRAN is used. These areas are used when a UTRAN begins paging. The update of a UTRAN internal area is a process of the radio network and its structure may not be seen outside the UTRAN. In RRC connection mode, the main states include cell connection state and URA connection state. The location of a UE can be learned about at cell level or URA level. In the UTRAN, when the radio network temporary identification (hereinafter referred to as RNTI) is used as the temporary identification of the UE, it is allocated to the UE at the moment the RRC connection is being established. In this mode, only one RNC is used as the service RNC, and the RRC connection is established between the UE and the SRNC.
[13] One RA consists of several cells of RNCs that connect to the same CN. The mapping process between the RA and the RNCs is performed by the SGSN which possesses the RA. One LA consists of several cells of RNC that connect to the same CN. The mapping process between the LA and the RNC is performed by the MSC/VLR which possesses the LA. One RA/LA is processed by only one CN service node, i.e., one SGSN or one MSC/VLR. Some operators may adopt network structuring modes below: the number of RAs is the same as that of LA, or one RA is a subset of only another LA, i.e., one RA can not exceed one LA. The mappings between LA and Cell as well as between RA and Cell are done inside the RNC.
[14] At the beginning, the UE performs registration in each service area of the CN. When the UE moves from one URA (hereinafter referred to as the old URA) to a new URA, the RNC that the new URA belongs to performs the URA update process. In this way, the UE can be located only when it is required. So, it is necessary for the network operator to make sure through a certain validation procedure that no one but the valid UE initiates the URA update. This validation procedure involves the integrity verification done by the RNC on the data transmitted between the RNC and the UE.
[15] As shown in Figure 3, each UE contains a SIM card (which bears user's specific information and is used for user identifying) and the mobile equipment (hereinafter referred to as ME, which is adopted to process other functions especially to support user's mobility). All sorts of data and executive files are recorded in the SIM card. The data part includes such information as a user's unique and permanent international mobile user identification (hereinafter referred to as IMSI), the current location of the UE, the integrity key (hereinafter referred to as IK) and other security and management information. In the cases that a calling terminates, the handset already terminates its service or a terminal moves from one URA to another, the location information will be updated correspondingly. The location information includes the anonymous identification used to temporarily identify a UE. This anonymous identification is used inside each URA. In different RRC modes or in different CS/PS service areas, this anonymous identification may be different, such as the temporary mobile user identification (hereinafter referred to as TMSI), the packet temporary mobile user identification (hereinafter referred to as P-TMSI), or the radio network temporary identification (hereinafter referred to as RNTI).
[16] For the consideration of security, no IMSI is directly used but TMSI or any of other temporary identifications is used to anonymously identify a certain UE. Because the user identification is important and sensitive information, its confidentiality must be guaranteed. The user identification must be kept confidential so as to protect user privacy and to avoid the leakage of IMSI information.
[17] TMSI/P-TMSI bears localized features. It is valid only in MSC/VLR or in user registered RA. Beyond this area, additional location area identification (hereinafter referred to as LAI) or routing area identification (hereinafter referred to as RAI) may be added in order to avoid confusion. The relationship between the temporary user identification and the permanent user identification is saved in the user registered MSC/VLR or in the SGSN.
[18] To avoid tracking of users, long-term application of the same TMSI/P-TMSI in user identifying usually may not be allowed. Referring to Figure 4, PS area is taken as an example. Update of P-TMSI is initiated by the SGSN after the security mode is well established. The re-allocation process is as follows: firstly, the SGSN generates a new P-TMSIn and saves mapping relationship between the P-TMSIn and the IMSI in its database. Then, the SGSN sends the P-TMSIn and a new routing area identification RAIn to an UE. After the UE receives the P-TMSIn and the new RAIn, it saves the P-TMSIn and automatically deletes the mapping relationship between this P-TMSIn and the previous P-TMSIo, then responds to the SGSN. Finally, after the SGSN receives the response from the UE, it deletes the mapping relationship between this P-TMSIn and the previous P-TMSIo from its database. The P-TMSIn is used in subsequent identification process.
[19] In the UMTS system, if the identification may not be well done with the P-TMSI, the IMSI may be used to do so. This process is performed in the case that the user registers for the first time to a service network or the SGSN can not obtain the IMSI from the P-TMSI. In this case, the SGSN sends an IMSI request to the user, and the response of the user is a piece of pure text information that contains the IMSI.
[20] Also for the consideration of security, the communication between the UE and the URAN may be encrypted with a confidential key. In usual, the confidential key is the one (CK) that is saved in the authentication center (hereinafter referred to as AuC) in home environment of the UE (hereinafter referred to as HE) or the home location register (hereinafter referred to as HLR). Different CKs are usually specified for CS area and PS area. To avoid redundant description on this patent, in the following introduction, only the example of PS area is given, and the detail on CS area is omitted.
[21] The CK mentioned above is obtained through the process of authentication and key arranging (hereinafter referred to as AKA). The process is based on a certain key which is shared by the SIM card and the HLR and the authentication between the UE and the network is implemented based on the fact that both UE and the network may learn about this key. Besides this, sequence numbers SQN_MS and SQN_HE are respectively saved in the SIM card and the HE of the user. Each user has a unique sequence number SQN, and the SQN indicates the most superior sequence number the SIM has accepted. The UE sends the process access request message to the relevant SGSN to render it obtain parameters of the mobile terminal. The network sends out an authentication request including a random number. After the UE processes this random number with a certain algorithm, it sends an authentication response to the network and the network determines whether this user is valid or not.
[22] Referring to Figure 5, an AKA detailed process is as follows: firstly, the UE sends an identification indicating its identity to the SGSN. The SGSN is able to directly obtain the IMSI (which indicates an identity of the unique permanent identified user) and its HLR information, or indirectly obtain the IMSI (which indicates an identity of the unique permanent identified user) and its HLR information according to the saved mapping relationship between the P-TMSI and IMSI. Then, SGSN sends an "authentication data request" to this HLR, requesting to learn about the authentication data related to the IMSI. The "authentication data request" includes IMSI of the user and the type of the requested area (PS or CS).
[23] Next, after the HLR receives the "authentication data request" from the SGSN, it generates n authentication vectors (hereinafter referred to as AV), or picks out necessary number from the worked out AV database and sends to VLR after sorting. The method for generating AV is illustrated in Figure 17. Where, algorithms like AMF, f1, f2, f3, f4 and f5 are beyond present invention, no detailed description is given to either of them. Each AV contains following information: a random number RAND, an expected response XRES, a confidential key CK, an integrity key IK and an authentication token AUTN.
[24] Each AV may be applied in one authentication and key arranging between the SGSN and the SIM.
[25] Then, when the SGSN initiates an authentication and a key arranging, it selects the next AV from the sorted AV array, and sends the random number RAND and the authentication token AUTN to the UE, requesting the user to generate authentication data. The principle of first in first out memory (FIFO) is adopted by every node to process the AV.
[26] Next, after the SIM receives the authentication request, it first calculates the XMAC and compares it with the MAC which is in the AUTN. If they are different with each other, the SIM sends an "authentication reject" message to the VLR and aborts the authentication process. Meanwhile, it is necessary to verify whether the received sequence number SQN is within the valid range or not. If not, the MS sends a "synchronization failure" message to the VLR and aborts the process. After these two verifications pass, the UE calculates RES with f2, calculates CK with f3, calculates IK with f4 and sends the RES to the SGSN.
[27] Finally, after the SGSN receives the RES from the UE, it compares RES with the XRES of AV. If they are consistent with each other, the authentication succeeds, otherwise, the authentication fails. Since both MS and HLR use the same algorithm f3 to calculate the CK and the same algorithm f4 to calculate IK, they get the same results of CK and IK. After the identity authentication and key arrangement between each other, the SIM and the SGSN respectively send the CK and IK to ME (which performs the function of encrypting) and RNC (which performs the function of integrity protecting) for later application in security communications between the UE and the RNC.
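The SIM-side checks of [26] and the SGSN comparison of [27], as an added Python sketch that is not part of the patent. HMAC-SHA256 stands in for f1 to f5 (which the text leaves undescribed), and the AUTN layout (SQN xor AK) || AMF || MAC, the constructed AMF value and the `window` size used for the valid SQN range are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

AMF = b"\x80\x00"  # constructed 2-byte authentication management field


def _prf(key, label, data, size):
    """Stand-in for f1..f5: HMAC-SHA256 keyed with K, truncated (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:size]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes


def generate_av(k, sqn, rand=None):
    """HLR/AuC side: build one AV (RAND, XRES, CK, IK, AUTN) for sequence number sqn."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _prf(k, b"f1", sqn_b + rand + AMF, 8)
    ak = _prf(k, b"f5", rand, 6)          # anonymity key masking SQN (assumed layout)
    autn = _xor(sqn_b, ak) + AMF + mac    # AUTN = (SQN xor AK) || AMF || MAC
    return AuthVector(rand, _prf(k, b"f2", rand, 8), _prf(k, b"f3", rand, 16),
                      _prf(k, b"f4", rand, 16), autn)


class Sim:
    """SIM side: MAC check first, then SQN range check, then RES/CK/IK."""

    def __init__(self, k, sqn_ms=0, window=32):
        self.k = k
        self.sqn_ms = sqn_ms    # highest sequence number accepted so far
        self.window = window    # allowed jump ahead of sqn_ms (assumed policy)
        self.ck = self.ik = None

    def authenticate(self, rand, autn):
        """Return (status, RES); RES is None unless both verifications pass."""
        if len(rand) != 16 or len(autn) != 16:
            return ("authentication reject", None)
        ak = _prf(self.k, b"f5", rand, 6)
        sqn_b, amf, mac = _xor(autn[:6], ak), autn[6:8], autn[8:]
        xmac = _prf(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            return ("authentication reject", None)
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn_ms < sqn <= self.sqn_ms + self.window:
            return ("synchronization failure", None)
        self.sqn_ms = sqn
        self.ck = _prf(self.k, b"f3", rand, 16)
        self.ik = _prf(self.k, b"f4", rand, 16)
        return ("ok", _prf(self.k, b"f2", rand, 8))


def sgsn_accepts(av, res):
    """SGSN side: compare the RES returned by the UE with the XRES of the AV."""
    return res is not None and hmac.compare_digest(res, av.xres)
```

A vector that is presented a second time passes the MAC check but fails the SQN check, which is why the two failures are reported with different messages.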
[28] The mutual authentication process between the UE and the network includes two aspects: user authentication and network authentication. The user authentication makes the network confirm the identity of the user, and the network authentication makes user confirm that the service network he/she is using is licensed by his/her registered HE so that this network may be able to provide service for him/her. Here, it includes the process of confirming that a license is the latest. To reach the goal mentioned above, it is usually necessary to perform mutual authentication on identity each time when the connection between UE and the network is established. During the process of identity authentication in the UMTS system, it includes two authentication mechanisms: AKA and local authentication.
[29] in, if the number of local authentication with previous AKA generated IK does not hit the maximum limitation, the service network initiates this kind of local authentication process. From above, it is known that the interval between AKA processes is comparatively longer while that between the local authentications is comparatively shorter.
[30] Figure 6 illustrates an initial process of the local authentication and connection establishment in a UMTS system.
[31] Step 601, the UE sends a value of a parameter START which is saved in the SIM card and "security capability of UE" information to a RNC during a process of establishing the RRC connection. If the UE bears the capability, GSM grade 2 and 3 capability will be possibly transmitted in the previous step. The security capability of UE information includes both encryption algorithms UEAs and integrity protecting algorithms UIA that the UE is able to support. Both the START value and the security capability information of UE are saved in the service RNC (hereinafter referred to as SRNC). If GSM grade 2 and 3 capability is transmitted during the process of establishing RRC connection, it is necessary for the RNC to save GSM domain encryption capability of the UE (referring to step 607).
[32] Step 602, the UE sends an initial third layer (L3) message to the VLR/SGSN. The L3 message includes "connection management service request (CM-SERVICE-REQUEST)", "LOCATION UPDATE REQUEST", "ROUTING AREA UPDATE REQUEST", "ATTACH REQUEST", "PAGING RESPONSE" and so on. It includes information such as user identity identification information and key suit identification (hereinafter referred to as KSI) information. Where the KSI refers to the identification allocated to the CK/IK suit during the previous authentication process in CS area or PS area.
[33] Step 603, if necessary, certain interworking operations may be adopted inside the network or between the network and UE to confirm the identification IMSI of the user. According to the maximum value of IK, an AKA process will be possibly adopted to perform user authentication and to generate new IK and CK. Meanwhile, a KSI will be allocated to the IK/CK suit by the network. The process of AKA is illustrated in Figure 4.
[34] Step 604, the SGSN specifies the allowed UIA algorithms and UEA algorithms, and sorts them by priority.
[35] Step 605, the SGSN sends a RANAP message "(Security_mode_command)" to the RNC to achieve the goal of integrity protection and encryption. The parameters brought by the "Security_mode_command" message include a list of UIAs (which are sorted by priority and are allowed to be used by RNC) and an IK to be used. If later communication needs to be encrypted, the message above also includes a list of UEAs (which are sorted by priority and are allowed to be used by RNC) and a CK to be used. If a new AKA process has operated before, the message sent to the RNC may indicate this information. This indication means that the START value is reset to "0" when the new key is applied. Otherwise, the RNC uses the START value obtained in Step 601.
[36] Step 606, after receiving the "Security_mode_command" message, the RNC compares the UIA/UEA that the UE supports with other allowed UIA/UEAs and selects the UIA/UEA algorithm with highest priority in the list of algorithms that UE supports. Then it generates the random number FRESH and starts the process of downlink integrity protection. If the demand included in the received "Security_mode_command" message may not be met, the RNC sends a "SECURITY MODE REJECT" message to the SGSN.
[37] Step 607, the RNC generates the "Security_mode_command" message. The message includes information such as security capability of the UE, an optional GSM encryption capability (if the RNC has received this message in step 601), UIA parameters and FRESH parameters to be used, and necessary UEA for encryption. Other information (e.g., the mark that indicates the beginning of encryption) may possibly be included. Since the UE simultaneously has two suits of keys for encryption and integrity protection respectively in CS area and PS area, a CN area indicator may be adopted by the network to indicate which suit of the keys (either the CS area key suit or the PS area key suit) is to be applied. The RNC generates a message identification code MAC-I for integrity protection before sending a message, and includes it in the message.
[38] Step 608, after the UE receives the "Security_mode_command" message sent from the RNC, it first determines whether the "security capability of UE" included in this message is consistent with that mentioned in Step 601 or not. Similarly, if the GSM grade capability is mentioned in Step 601, it may be verified also. With the parameters included in the received "Security_mode_command" message, the UE calculates a XMAC-I according to the indicated UIA, the saved START parameter and the received FRESH parameter. Through comparing the received MAC-I with the generated XMAC-I, the verification on integrity protection is completed.
[39] Step 609, if the integrity protection is successfully implemented, the UE generates MAC-I and sends a "Security_mode_complete" that includes the MAC-I to the RNC. Otherwise, the UE terminates this process.
[40] Step 610, once the SRNC receives the response message "Security_mode_complete", it calculates the XMAC-I of the message. The SRNC checks whether the integrity protection is implemented successfully or not by comparing the received MAC-I and the generated XMAC-I.
[41] Step 611, if the integrity protection is implemented successfully, the RNC sends the RANAP message "Security_mode_complete" that includes the selected algorithms to the SGSN and now the local authentication process completes.
[42] The "Security_mode_command" message sent to the UE starts the implementation of integrity protection process in downlink, i.e., all messages after this one and later downlink ones sent to the UE are protected by the new integrity protection configuration. The "Security_mode_complete" message sent from the UE starts the implementation of integrity protection process in uplink, i.e., all messages after this one and later uplink ones sent from the UE are protected by the new integrity protection configuration. If the encryption is needed, the encryption start time is exchanged during the process of establishing the safety mode between the RNC and the UE. This encryption start time specifies the RLC serial number and the CFN serial number for downlink encrypting and uplink encrypting with new encryption configuration.
[44] In the UMTS system, when a certain UE initiates a call to another mobile station (MS) or a fixed network user via the random access channel, the PLMN system network begins a series of operations. Firstly, when the UE initiates a call, its RRC unit starts the signaling link connection through the random access process. In this process, a channel request message and a security capability message are sent through the random access channel from Node B to the RNC. If this request is successfully received by the RNC, it is transferred to the RRC unit of the RNC. A dedicated channel is allocated by the RRC unit, and the allocation message is immediately transmitted through the access allowed channel. When the UE starts a calling process, it sets in the timer the interval for the repeat of calling. If the calling is repeated for the preset times, but it yet may not be received, the UE abandons this call.
[45] After the UE receives an immediate allocation message, it switches to the allocated dedicated channel to establish the master signaling connection between it and RNC. Till the time the wireless service channel is allocated, all signaling is transmitted through the dedicated channel. After the service channel is well established, the signaling in the session process is transmitted through the associated control channel. The connection management CM unit of the UE starts the process of establishing data link with the service request message that is transmitted to the data link layer. In fact, this service request is included in the third layer (L3) "CM_SERVICE_REQUEST" message mentioned in Step 602, then is forwarded to the SGSN via the RNC.
[46] Then, according to concrete environment, after the mutual identity authentication process between the UE and the network, the UE checks the integrity for the received message. At the same time, its mobility management layer MM monitors the implementation of integrity protection. After the SGSN receives the Security_mode_complete message from the RNC, it successfully starts the process of security control. If encryption is needed, the UE and the RNC begin to encrypt information such as service data, channel identification, signaling after it is enabled.
[47] Similarly, the process in which a mobile station is called is similar to the process above. The security flow is the same as the process following the random access process.
[48] Now the problems in the prior art will be described.
[49] The existing UMTS system structure has the defects of poor update, long time on establishing a call, complexity and so on. At present, the 3rd generation mobile communication partner project (3GPP) standardization organization, which is responsible for establishing UMTS standard, is working on the standardization related to long-term evolution of the UMTS system (hereinafter referred to as LTE). Here, one object of the LTE is to accelerate the process of establishing a call to reduce the time on establishing a call. For all objects of LTE in the UMTS system, each corporation has proposed its desired LTE system structure. One of them is shown in Figure 7 and Figure 8.
[50] In Figure 7, an evolution Node B (hereinafter referred to as ENB) gathers the functions of Node B and the RNC in the UMTS system. It is mainly responsible for transmitting and receiving radio signals, signaling connecting with UEs, mobility management and so on. The evolution GGSN (hereinafter referred to as E-GGSN) gathers the functions of the SGSN and the GGSN in the UMTS system. It is mainly responsible for mobility management, interface with PDN network, and arrangement of service quality and so on.
[51] Little difference exists between the functions of the ENB in Figure 8 and that in the UMTS. They both are responsible for transmitting and receiving radio signals, as well as having part of the functions of MAC layer. The anchor bears similar function as that of the RNC in the UMTS, which is responsible for tasks so as to encrypt or decrypt user data, to control the allocation of radio resources in ENB, to perform signaling connection with UE and to manage the mobility of the user who is in the connection state. The E-GGSN bears the functions of that of the SGSN and the GGSN in the UMTS system. It is mainly responsible for the mobility management, the interface between it and the PDN network, the arrangement of quality and so on.
[52] For the sake of simplification, following description to the present invention is not limited in a certain system structure. The ENB in Figure 7 as well as the ENB and the anchor in Figure 8 are called as an E-RAN, and the E-GGSN is called as the E-CN.
[53] During the process of establishing a connection, the call is hoped to be established as quickly as possible after the user keys in the called number and presses an "OK" key. According to previous introduction, it is necessary to perform mutual identity authentication between the UE and the network after the master signaling link is established between the UE and the RRC. Then, the call may continue. However, a lot of time will be spent on the mutual identity authentication process between UE and the network. Therefore, to simplify the system structure is not enough to meet the demand raised by the LTE on the time spent on connection establishing.
Disclosure of Invention
Technical Solution
[54] Therefore, an object of the present invention is to reduce time for establishing a call so as to accelerate a service access process for a user, and a method for mutual authentication between the UE and a network with shorter time is proposed in the present invention. With this method, the process of establishing a call is accelerated.
[55] To achieve the object mentioned above, there is proposed a method for authentication between a UE and a network in a wireless communication system, the method comprising steps of: the UE sending an authentication request message to the network, the message including an authentication reference value; the network judging whether its own generated authentication value is consistent with the authentication reference value; if yes, authentication in the network side succeeds and the network sends an authentication response message to the UE, the message including another authentication reference value; after receiving the authentication response message sent from the network, the UE verifying whether the another authentication reference value included in the received response message is consistent with the one generated by itself; and if yes, the authentication in the UE side succeeds.
[56] Preferably, the authentication request message includes such UE-adopted information as the encryption algorithm, the integrity protection algorithm and the parameters for authentication.
[57] Preferably, the authentication value generated by the network is obtained according to information on the encryption algorithm, the integrity protection algorithm, the parameters for authentication, and the key generated by the network.
[58] Preferably, the authentication value generated by the UE is obtained according to information on the encryption algorithm, the integrity protection algorithm, the parameters for authentication, and key.
[59] Preferably, the parameters for authentication include a random number FRESH and a value of START.
[60] Preferably, the information on the key generated by the network includes information on a confidential key CK and an integrity protection key IK.
[61] Preferably, both the information on the confidential key CK and the information on integrity protection key IK are generated by a core network entity of the network.
[62] Preferably, the encryption algorithm and the integrity protection algorithm included in authentication request message sent from the UE to the network are selected out of many encryption algorithms and integrity protection algorithms offered by the network and supported by the UE.
[63] Preferably, the random number FRESH is broadcast through the network.
[64] Preferably, the random number FRESH is inherent in the UE.
[65] Preferably, the random number FRESH may be updated.
Brief Description of the Drawings
[66] With reference to the detailed descriptions to embodiments adopted in the present invention and with the help of the following figures, the above objects, advantages and features according to present invention will be obvious, in which:
[67] Figure 1 illustrates a network structure of UMTS;
[68] Figure 2 illustrates a relationship between different areas in a UMTS system;
[69] Figure 3 illustrates a structure of a UE;
[70] Figure 4 illustrates a process of allocating temporary identifications;
[71] Figure 5 illustrates a process of AKA;
[72] Figure 6 illustrates a local authentication process and a connection establishing process;
[73] Figure 7 illustrates a system structure of an E-UMTS;
[74] Figure 8 illustrates another system structure of E-UMTS;
[75] Figure 9 illustrates a process of mutual identity authentication (proposed in the present invention) between a UE and a network;
[76] Figure 10 illustrates calculation and verification on MAC-I;
[77] Figure 11 illustrates a process of mutual identity authentication (which is performed according to a first example of present invention) between a network and a UE;
[78] Figure 12 illustrates a process of mutual identity authentication (which is performed according to a second example of present invention) between a network and a UE;
[79] Figure 13 illustrates message forwarding approaches applied in the examples of the present invention;
[80] Figure 14 illustrates the operation flow of UE during the process of mutual identity authentication of the examples in present invention;
[81] Figure 15 illustrates an operation flow of E-RAN during a process of mutual identity authentication of the examples in present invention;
[82] Figure 16 illustrates an operation flow of E-CN during a process of mutual identity authentication of the examples in the present invention; and
[83] Figure 17 illustrates generation of authentication vector group.
Best Mode for Carrying Out the Invention
[84] Firstly, it is noted that present invention may be based on the system structure shown in Figure 7 or Figure 8, but is not limited in these system structures.
[85] Now, the embodiments according to present invention will be described in detail with reference to the drawings.
[86] Figure 9 illustrates a process of mutual identity authentication proposed in present invention between a UE and a network (that is RAN).
[87] As shown in Figure 9, when a UE communicates with a network, it is necessary for the UE to send a message to the network. In the UMTS system, this message may be a service request, or a routing area update, etc. In present invention, no constraint is designed to contents of the first transmitted message. The UE calculates and verifies a MAC-I with a method illustrated in Figure 10 according to the available parameters in the first message in Step 901. Parameters for the calculation of MAC-I include IK, COUNT-I, MESSAGE, DIRECTION and FRESH.
[88] In special cases, such as the UE performs regular routing area update at the same location, it is possible that the messages transmitted during two processes bear the same content when the UE communicates with the network. Meanwhile, it is possible that some invalid users intercept the message transmitted from a valid UE to the network, and some appropriate time later, the invalid user pretends to be the valid user to re-transmit a message that contains the same content as the one it is intercepted to the network. In this case, it is necessary for the network to distinguish whether the received message is from the valid user or from a fake. The parameter FRESH is adopted for this purpose.
[89] During the process of MAC-I calculating, different MAC-Is may be obtained with different parameter FRESH although the IKs are just the same, and so are COUNT-I, MESSAGE, DIRECTION, etc. In this case, only a valid UE may learn about the IK so as to calculate the new MAC-I.
[90] IK is generated during the process of authentication. For details, Figure 6 is referred to. Since the UE possibly saves several IKs, it is necessary for UE to inform the network of the CK and IK when it sends the first message to the network. A serial number is adopted to denote the IK and CK. This serial number uniquely denotes the combination of IK and CK. After the E-CN receives this serial number, it knows the IK and the CK which the UE adopts.
[91] COUNT-I is a parameter saved in the UE. This value is initialized with a START when the UE begins to communicate with the network. START is a parameter saved in the UE and may be updated each time the UE returns to the idle state. The updated value equals a value of the higher 20 bits (which are consistent with that in COUNT-C) and then plus the number 2.
[92] MESSAGE is a message itself that may experience integrity protection.
[93] DIRECTION indicates a direction of the message, either an uplink one from the UE to the network or a downlink one from the network to the UE.
[94] The way for obtaining parameter FRESH is one of the focuses of present invention. It will be introduced in the following.
[95] MAC-I will be calculated after the above five parameters are applied in algorithm f9.
[96] After the receiving side receives the MAC-I, it calculates the XMAC-I with the algorithm and the input parameters shown on the right of Figure 10. Then, it compares the received MAC-I with the calculated XMAC-I. If they are equal to each other, it confirms that the transmitting side be a valid user terminal or network equipment.
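The MAC-I calculation and XMAC-I comparison of [87] to [96], as an added Python sketch that is not part of the patent. HMAC-SHA256 truncated to 32 bits stands in for f9, and the frame fields, the `Network` and `Ue` classes, the placement of START in the upper 20 bits of COUNT-I and the reuse of the uplink COUNT-I for the reply are assumptions made for illustration. It shows a first message being verified, the network's reply being verified by the UE, and a captured first message being refused once FRESH has been updated.

```python
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1  # DIRECTION values (constructed encoding)


def compute_mac_i(ik, count_i, fresh, direction, message):
    """32-bit MAC-I over IK, COUNT-I, FRESH, DIRECTION and MESSAGE.

    HMAC-SHA256 truncated to 4 bytes is a stand-in for f9 (assumption).
    """
    header = struct.pack(">IIB", count_i, fresh, direction)
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]


def verify_mac_i(ik, count_i, fresh, direction, message, mac_i):
    """Receiver side: recompute XMAC-I and compare it with the received MAC-I."""
    xmac_i = compute_mac_i(ik, count_i, fresh, direction, message)
    return hmac.compare_digest(xmac_i, mac_i)


class Network:
    """Receiving side; ik_by_ksi models the IK looked up from the key serial number."""

    def __init__(self, ik_by_ksi, fresh):
        self.ik_by_ksi = dict(ik_by_ksi)
        self.fresh = fresh  # the FRESH value the network currently expects

    def update_fresh(self, fresh):
        self.fresh = fresh

    def handle_first_message(self, frame):
        """Return an integrity-protected reply, or None if the MAC-I check fails."""
        ik = self.ik_by_ksi.get(frame["ksi"])
        if ik is None:
            return None
        if not verify_mac_i(ik, frame["count_i"], self.fresh, UPLINK,
                            frame["message"], frame["mac_i"]):
            return None
        reply = b"Security_mode_command"
        mac_i2 = compute_mac_i(ik, frame["count_i"], self.fresh, DOWNLINK, reply)
        return {"message": reply, "count_i": frame["count_i"], "mac_i": mac_i2}


class Ue:
    def __init__(self, ksi, ik, start):
        self.ksi, self.ik = ksi, ik
        self.count_i = start << 12  # COUNT-I initialised from the 20-bit START
        self.fresh = None

    def first_message(self, message, fresh):
        """Build the first uplink message with its MAC-I, using the given FRESH."""
        self.fresh = fresh
        mac_i = compute_mac_i(self.ik, self.count_i, fresh, UPLINK, message)
        return {"ksi": self.ksi, "count_i": self.count_i,
                "message": message, "mac_i": mac_i}

    def network_is_valid(self, reply):
        """Verify the MAC-I on the downlink reply with the UE's own IK and FRESH."""
        if reply is None:
            return False
        return verify_mac_i(self.ik, reply["count_i"], self.fresh, DOWNLINK,
                            reply["message"], reply["mac_i"])


if __name__ == "__main__":
    ik = bytes(range(16))                      # constructed key
    net = Network({3: ik}, fresh=0x11112222)   # constructed KSI and FRESH
    ue = Ue(3, ik, start=5)
    captured = ue.first_message(b"ROUTING AREA UPDATE REQUEST", net.fresh)
    print("reply verified by UE:", ue.network_is_valid(net.handle_first_message(captured)))
    net.update_fresh(0x33334444)
    print("replay after FRESH update accepted:", net.handle_first_message(captured) is not None)
```

Because DIRECTION is an input to the MAC-I, an uplink MAC-I presented back to the UE as a downlink one does not verify either.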
[97] Then, the UE well encapsulates a first message that is to be sent to the network, including the MAC-I (which is mentioned in Step 902). After the wireless access network receives this message, it saves the MAC-I and performs necessary processes to the first message. For instance, in Step 903, the MAC-I is extracted out from this message, and the rest is forwarded to the E-CN. Or the message from the UE is encapsulated with the message of interface Iu+ and is sent to the E-CN. After the E-CN receives the first message, it checks whether this UE has valid identifications (e.g., P-TMSI) or not, which IK is used to perform integrity protection and which CK is used to perform encryption. Then, the E-CN sends a Security_mode_command (in step 904) to the wireless access network, including elements such as a CK which is necessary for encryption and the IK which is necessary for integrity protection, as well as the encryption algorithm and the integrity protection algorithm. In addition, this message may perform other functions like to establish the user plane, to arrange service quality, etc. However these have nothing to do with present invention, and no description will be given here.
[98] The RAN receives the IK for integrity protection and verifies (Step 905) the MAC-I1 with it according to the process illustrated in Figure 10. If the verification passes, the RAN generates another MAC-I named MAC-I2 (Step 906), whose generation approach is the same as that UE adopts to generate MAC-I. After the five parameters are applied in algorithm f9, the MAC-I2 may be obtained. Then, the RAN includes the MAC-I in the Security_mode_command message to be sent to the UE (907), including the parameters like the encryption algorithm, the integrity protection algorithm, etc. In Step 904, if functions such as arranging the service quality, establishing the user plane and so on are performed, functions similar to the establishment of user radio bearer may be performed in Step 907. After the UE receives the Security_mode_command, it extracts the MAC-I and checks whether no modification has been done to the MAC-I or not (Step 908) according to the algorithm illustrated in Figure 10. If yes, it indicates that this RAN may be believed in and is a valid network equipment.
[99] Now, a first embodiment and a second embodiment of present invention will be described.
[100] In present invention, how to obtain the parameter FRESH may be reached through different embodiments.
[101] Figure 11 illustrates a process of mutual identity authentication which is performed according to a first example of present invention between the network and the UE.
[102] The E-CN (i.e., a core network entity) specifies one or more encryption algorithms and integrity protection algorithms that the network may adopt. If several algorithms are specified for the network, different sequence orders refer to different priorities. For instance, the E-CN hopes the UE to preferably adopt algorithm 1, then algorithm 2 and then algorithm 3 on the premise of capability. In this case, algorithm 1, 2 and 3 will be included in the Security_mode_command message broadcast in Step 1101. After the E-RAN receives this broadcast message, it broadcasts these algorithms and corresponding priorities in all of its cells (Step 1102). The Security_mode_command broadcast message includes not only the encryption algorithms and integrity algorithms for the UE, but also the FRESH value that the network hopes UE to use. How to use the parameter FRESH is well illustrated in Figure 10. After the UE receives these parameters, it saves them for later application in the communication with the network.
[103] When the UE wants to communicate with the network, it sends a first message to the E-RAN (Step 1103), including parameters such as a serial number of the key for encryption and the key for integrity protection, a MAC-I calculated according to the steps shown in Figure 10, and selected encryption algorithms and integrity protection algorithm, user identifications and so on. After the E-RAN receives the first message from the UE, it saves the MAC-I, the encryption algorithms and the integrity protection algorithms, and forwards the rest or the entire of the message to the E-CN (Step 1104). This process will be illustrated in detail in Figure 13. After the E-CN receives the first message from the UE, it checks whether the UE selected encryption algorithm or the integrity protection algorithm is valid or not. By checking the KSI, it learns about the keys adopted by the UE for encryption and for integrity protection respectively. In general, this message also includes the parameters such as identification of user (e.g., the P-TMSI), etc.
[104] After the E-CN confirms that the UE is a valid one, it sends the Security_mode_command message (Step 1105) to the E-RAN, including the algorithms applied by both the UE and the E-RAN for encryption and integrity protection. The algorithms may be the same as that selected by the UE in Step 1103. If the parameter is not included in the message transmitted in Step 1105, both the E-RAN and the UE adopt the default algorithms selected by the UE for encryption and integrity protection. Otherwise, they adopt the algorithms re-configured by the network. In addition, the message transmitted in Step 1105 includes a confidential key CK and an integrity protection key IK. These two parameters are transmitted to the E-RAN to implement integrity protection and encryption on the downlink signaling and data.
[105] After receiving the Security_mode_command (in Step 1105), the UE verifies whether the received MAC-I is correct or not with the IK (which is transferred through the network), the integrity protection algorithm (which is included in the message transmitted by UE in Step 1103), the MAC-I received in Step 1103, and according to the operation method illustrated in Figure 10. If yes, this UE is a valid UE, otherwise, invalid. If the UE is valid, the E-RAN sends the Security_mode_command message (in Step 1106), including the algorithms that the network wants to re-configure for encryption and integrity protection. If no algorithm for encryption or for integrity protection is included in the message in Step 1105, none is included in the message in Step 1106 either. Meanwhile, the E-RAN calculates the MAC-I and includes it in the Security_mode_command message to transmit to the UE. The integrity protection algorithm adopted to calculate the MAC-I may be the one that Step 1105 relates to, or the one that the UE informs the E-RAN of in Step 1103.
[106] After receiving the Security_mode_command message, the UE verifies whether the MAC-I is correct or not according to the integrity protection algorithm selected by itself and the method illustrated in Figure 10 if neither encryption algorithm nor integrity protection algorithm is included in the message. Otherwise, it implements the verification according to the integrity protection algorithm included in the message. If the verification passes, it indicates that the network is valid and goes to subsequent operation.
[107] According to a variation of present embodiment, no encryption algorithm or integrity protection algorithm is broadcast through the network, and the UE selects one in its own security capability and informs the E-RAN of it in Step 1103.
[108] Figure 12 illustrates a second embodiment of present invention.
[109] An E-GGSN (i.e., a core network entity) specifies one or more encryption algorithms and integrity protection algorithms that the network may adopt. If several algorithms are specified for the network, their order indicates their priority. For instance, the E-GGSN prefers that the UE adopt algorithm 1, then algorithm 2 and then algorithm 3, subject to capability. In this case, algorithms 1, 2 and 3 are included in the Security_mode_command message broadcast in Step 1201. After the E-RAN receives this broadcast message, it broadcasts these algorithms and their corresponding priorities in all of its cells (Step 1202). The Security_mode_command broadcast message transmitted in Step 1202 includes the encryption algorithms and integrity algorithms for the UE. After the UE receives these parameters, it saves them for later use in communication with the network.
[110] When the UE wants to communicate with the network, it sends a first message to the E-RAN (Step 1203), including parameters such as a serial number of the key for encryption and the key for integrity protection, a MAC-I calculated according to the steps shown in Figure 10, the selected encryption algorithms and integrity protection algorithm, user identifications, a FRESH value for the generation of MAC-I, and so on. Here, the FRESH for the calculation of MAC-I may be either a random number or a value of START plus a random number or plus a fixed value.
[111] After receiving the first message from the UE (Step 1203), the E-RAN saves the MAC-I, the FRESH, the encryption algorithms and the integrity protection algorithms, and forwards the rest or the whole of the message to the E-GGSN (Step 1203). This process is illustrated in detail in Figure 13. After the E-CN receives the first message from the UE (Step 1204), it checks whether the encryption algorithm or the integrity protection algorithm selected by the UE is valid or not. By checking the KSI, it learns which keys the UE has adopted for encryption and for integrity protection respectively. In general, the message transmitted in Step 1204 also includes parameters such as the identification of the user (e.g., the P-TMSI), etc.
[112] After the E-CN confirms that the UE is a valid one, it sends the Security_mode_command message (Step 1205) to the E-RAN, including the algorithms applied by both the UE and the E-RAN for encryption and integrity protection. The algorithms may be the same as that selected by the UE in Step 1203. If the parameter is not included in the message transmitted in Step 1205, both the E-RAN and the UE adopt the default algorithms selected by the UE for encryption and integrity protection. Otherwise, they adopt the algorithms re-configured by the network. In addition, the message transmitted in Step 1205 includes the confidential key CK and the integrity protection key IK. These two parameters are transmitted to the E-RAN to implement integrity protection and encryption on the downlink signaling and data.
[113] After receiving the Security_mode_command (in Step 1205), the E-RAN verifies whether the received MAC-I is correct or not with the IK (which is transferred through the network), the integrity protection algorithm (which is included in the message transmitted by UE in Step 1203), the MAC-I received in Step 1203, and according to the operation method illustrated in Figure 10. If yes, this UE is a valid UE, otherwise, invalid. If the UE is valid, the E-RAN sends the Security_mode_command message (in Step 1206), including the algorithms that the network wants to re-configure for encryption and integrity protection. If no algorithm for encryption or for integrity protection is included in the message in Step 1205, none is included in the message in Step 1206 either. Meanwhile, the E-RAN calculates the MAC-I and includes it in the Security_mode_command message to transmit to the UE. The integrity protection algorithm adopted to calculate MAC-I may be the one that Step 1205 relates to, or the one that the UE informs the E-RAN of in Step 1203.
[114] After receiving the Security_mode_command message, the UE verifies whether the MAC-I is correct or not according to the integrity protection algorithm selected by itself and the method illustrated in Figure 10 if neither encryption algorithm nor integrity protection algorithm is included in the message. Otherwise, it implements the verification according to the integrity protection algorithm included in the message. If the verification passes, it indicates that the network is valid and goes to subsequent operation.
[115] According to another variation of present embodiment, the Security_mode_command message transmitted in Step 1206 includes a new FRESH value, and this message is integrity protected with the new FRESH value. Then, after the UE receives the Security_mode_command message transmitted in Step 1206, it implements integrity verification on the received message with the included FRESH. If the verification passes, it indicates that the network is valid and believable.
[116] According to another variation of present embodiment, no encryption algorithm or integrity protection algorithm is broadcast through the network, but the UE selects one in its own security capability and informs E-RAN of it in Step 1203.
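The exchange of the second embodiment (Steps 1201 to 1206), as an added example that is not part of the patent text. HMAC-SHA256 truncated to 32 bits stands in for the Figure 10 calculation, and the class names, message field names, the fixed COUNT-I, the DIRECTION value and the reuse of the saved FRESH for the downlink MAC-I are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

UPLINK, DOWNLINK = 0, 1
COUNT_I = 0  # assumption: fixed here; the page initialises COUNT-I from START


def mac_i(ik, alg, fresh, direction, message):
    """Stand-in for the Figure 10 calculation, NOT the real integrity algorithm:
    HMAC-SHA256 keyed with IK, truncated to 32 bits. The algorithm name is mixed
    in so that a mismatch in the negotiated algorithm fails verification."""
    data = (bytes([len(alg)]) + alg.encode() + COUNT_I.to_bytes(4, "big")
            + fresh + bytes([direction]) + message)
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]


def select_algorithm(network_priority, ue_supported):
    """First algorithm in the broadcast priority order that the UE supports."""
    for alg in network_priority:
        if alg in ue_supported:
            return alg
    raise ValueError("no common integrity protection algorithm")


class UE:
    def __init__(self, ik, ksi, p_tmsi, supported):
        self.ik, self.ksi, self.p_tmsi, self.supported = ik, ksi, p_tmsi, supported

    def first_message(self, network_priority, l3=b"L3 signaling (constructed)"):
        # Step 1203: selected algorithm, KSI, identity, FRESH and MAC-I.
        self.alg = select_algorithm(network_priority, self.supported)
        self.fresh = os.urandom(4)  # FRESH generated by the UE
        return {"ksi": self.ksi, "p_tmsi": self.p_tmsi, "alg": self.alg,
                "fresh": self.fresh, "l3": l3,
                "mac_i": mac_i(self.ik, self.alg, self.fresh, UPLINK, l3)}

    def verify_network(self, smc):
        # Algorithm named in the message if present, else the UE's own choice.
        alg = smc.get("alg") or self.alg
        expected = mac_i(self.ik, alg, self.fresh, DOWNLINK, smc["l3"])
        return hmac.compare_digest(expected, smc["mac_i"])


class ECN:
    def __init__(self, keys, allowed, override=None):
        self.keys = keys  # (P-TMSI, KSI) -> IK, constructed subscriber table
        self.allowed, self.override = allowed, override

    def security_mode_command(self, fwd):
        # Steps 1204-1205: check identity and algorithm, hand IK to the E-RAN.
        ik = self.keys.get((fwd["p_tmsi"], fwd["ksi"]))
        if ik is None or fwd["alg"] not in self.allowed:
            return None
        return {"ik": ik, "alg": self.override}


class ERAN:
    def __init__(self, ecn):
        self.ecn = ecn

    def handle_first_message(self, msg):
        saved = {k: msg[k] for k in ("mac_i", "fresh", "alg")}
        cmd = self.ecn.security_mode_command(
            {k: msg[k] for k in ("ksi", "p_tmsi", "alg", "l3")})
        if cmd is None:
            return None
        # Verify the UE's MAC-I with the IK received in Step 1205.
        expected = mac_i(cmd["ik"], saved["alg"], saved["fresh"], UPLINK, msg["l3"])
        if not hmac.compare_digest(expected, saved["mac_i"]):
            return None  # UE is invalid
        # Step 1206: network-configured algorithm overrides the UE's selection.
        alg = cmd["alg"] or saved["alg"]
        l3 = b"Security_mode_command"
        smc = {"l3": l3, "mac_i": mac_i(cmd["ik"], alg, saved["fresh"], DOWNLINK, l3)}
        if cmd["alg"]:
            smc["alg"] = cmd["alg"]
        return smc


if __name__ == "__main__":
    ik = bytes(range(16))  # constructed key
    ue = UE(ik, 3, "ptmsi-1", {"alg2", "alg3"})
    eran = ERAN(ECN({("ptmsi-1", 3): ik}, {"alg1", "alg2", "alg3"}))
    smc = eran.handle_first_message(ue.first_message(["alg1", "alg2", "alg3"]))
    print("UE selected:", ue.alg, "| network verified by UE:", ue.verify_network(smc))
```

Because the algorithm is bound into the MAC-I in this sketch, a downlink message whose algorithm field has been removed or altered in transit no longer verifies at the UE.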
[117] In fact, a stipulation may be made between the UE and the network in advance that the calculation of MAC-I needs no FRESH parameter. In this case, in order to guarantee that the MAC-Is generated through the two calculations are different, different COUNT-Is may be applied in the two calculation processes. Since the COUNT-I is initialized by START, this means that different START values are applied in the two calculation processes. Therefore, as a variation of present embodiment, the network may specify a new START value for next application of the UE when performing the previous communication with the UE. Thus, during the next communication process, the UE adopts the specified new START value to calculate MAC-I and the network also adopts the saved START value to calculate MAC-I. In this case, the START value may be either transmitted to the network from the UE in the next communication process, or transmitted to the UE from the network. Otherwise no START value is transmitted. If the transmission of START is implemented, the receiver may verify whether the START value applied in the communication process is consistent with the saved START of its own or not.
[118] Similarly, as another variation of present embodiment, the UE adopts a new START value in each communication process. In this way, both the network and the UE apply the START value to calculate the MAC-I. Here, the START value needs to be transmitted from the UE to the network. The network may save the START value applied in previous communication process so as to verify whether the START value applied in this communication process is consistent with the saved START value or not.
[119] Figure 13 illustrates a method with which a UE performs signaling interaction with a network.
[120] A dedicated interface Uu+ is established between the UE and the E-RAN, and corresponding messages are prepared for this interface. Here, some messages may be responsible for the transmission of signaling named L3 signaling from the UE to the E-CN. This is similar to INITIAL DIRECT TRANSFER and UPLINK DIRECT TRANSFER and DOWNLINK DIRECT TRANSFER in UMTS. L3 signaling is included in the messages of the dedicated Uu+ interface.
[121] After the E-RAN receives this message, it forwards the L3 signaling to the E-CN or the UE. The interface Iu+ between the E-RAN and the E-CN is responsible for the transmission of the signaling message between the UE and the E-CN. This is similar to INITIAL UE MESSAGE and DIRECT TRANSFER in UMTS. L3 signaling is included in the messages of the dedicated Iu+ interface.
[122] Steps 1301 and 1302 in Figure 13 adopt this mechanism to transmit the signaling between the UE and the E-CN. In Step 1301 the UE transmits the signaling between the UE and the E-RAN to the E-RAN, including the information unit that needs to be processed by the E-RAN, as well as the L3 signaling. Similarly, after the E-RAN receives this message, it forwards the L3 signaling to the E-CN. In Step 1302 the E-RAN transmits the signaling that forwards the L3 signaling between the E-RAN and the E-CN to the E-GGSN, including not only the L3 signaling but also the information unit that needs to be processed by the E-GGSN.
[123] The signaling interaction process between the UE and the E-CN may be implemented through Steps 1311 and 1312. The names for the messages in Steps 1311 and 1312 may be either different or just the same. However, a one-to-one mapping relationship may be established for the interfaces between the UE and the E-RAN and between the E-RAN and the E-CN for two messages. The E-RAN may extract some information units from the message in Step 1311 and not transmit them to the E-CN. It may add some new information units to this message and transmit it to the E-CN in Step 1302.
[124] Figure 14 illustrates an operation implemented by UE of present invention.
[125] The UE receives the Security_mode_command broadcast message in the broadcast message in Step 1401, including encryption algorithms and integrity protection algorithms for UE and their priorities. The UE saves this information for later use in the interworking with the network. If the broadcast message includes the FRESH, the UE also needs to save this parameter (Step 1402). When the UE sends the first message to the network, it is necessary to calculate the MAC-I according to the process illustrated in Figure 10. Then it includes the MAC-I in the first message and transmits it to the E-RAN (Step 1403). In addition, this message includes the encryption algorithm and integrity protection algorithm for the UE. After the UE receives the Security_mode_command, it extracts the MAC-I and verifies it according to the method illustrated in Figure 10 (Step 1404). If the verification passes, it goes to subsequent operations. Otherwise, the UE confirms that the network is invalid and aborts the communication with the network.
[126] Figure 15 illustrates an operation implemented by an E-RAN of present invention.
[127] The E-RAN receives the Security_mode_command broadcast message in the broadcast message from the E-CN in Step 1501, including encryption algorithms and integrity protection algorithms to be broadcast for UE and their priorities. Then, the E-RAN informs UEs of the encryption algorithms and integrity protection algorithms and the corresponding priorities (which are included in the system information broadcast of the cells under the control of the E-RAN) through cell broadcasting. In the first implementation example of present invention (as shown in Figure 11), it is necessary for the E-RAN to broadcast the parameter FRESH. After the E-RAN receives the first message from the UE (Step 1502), it verifies whether the MAC-I included in the received message is correct or not (Step 1503) according to the integrity protection algorithm and other relevant parameters. The E-RAN needs to save the UE-selected encryption algorithm and integrity protection algorithm.
[128] In Step 1501, if the E-RAN has the broadcast FRESH value, it adopts it to verify the MAC-I in Step 1503. Otherwise, this message may include the FRESH value used by UE for integrity protection. The verification on MAC-I may be implemented according to the method illustrated in Figure 10 (Step 1504). If the verification passes, the E-RAN forwards the first message received from the UE to the E-CN in Step 1505. Otherwise, the E-RAN confirms that the UE is invalid and then ends this process. In Step 1506, after the E-RAN receives the Security_mode_command from the E-CN, if it includes the encryption algorithm and integrity protection algorithm, it is necessary for the E-RAN to overwrite the ones selected by UE, otherwise, it uses the algorithms selected by the UE. The E-RAN sends the Security_mode_command message to the UE, including the MAC-I calculated by the E-RAN, and the encryption algorithm and integrity protection algorithm modified by the E-CN.
[129] Figure 16 illustrates an operation implemented by the E-CN of present invention.
[130] The E-CN transmits the Security_mode_command broadcast message to the E-RAN, asking the E-RAN to broadcast the encryption algorithms and integrity protection algorithms and their priorities configured by the network throughout the cells controlled by the E-RAN (Step 1601). After the E-CN receives the first message of the UE forwarded by the E-RAN (Step 1602), the encryption algorithm and the integrity protection algorithm selected by the UE are included. The E-CN checks whether the identification of the UE (e.g., the P-TMSI) in the message is valid or not (Step 1603). If yes, the E-CN sends the Security_mode_command message to the E-RAN (Step 1604), including the identification of the UE as well as the encryption algorithm and the integrity protection algorithm. If the E-CN does not want to change the encryption algorithm and the integrity protection algorithm, this message includes no information on algorithm. Finally, the operation process completes in Step 1605.
[131] With present invention, the time spent on establishing the call process of E-UMTS becomes shorter; therefore, the establishment process speeds up and the goal of optimizing UMTS is reached.
[132] Although a few embodiments of the present general inventive concept have been shown and described, it will be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the general inventive concept, the scope of which is defined in the appended claims and their equivalents.

Claims

[1] A method for authentication between a UE and a network in a wireless communication system, the method comprising steps of: the UE sending an authentication request message to the network, the message including an authentication reference value; the network judging whether its own generated authentication value is consistent with the authentication reference value, if yes, authentication in the network side succeeds and the network sends an authentication response message to the UE, the message including another authentication reference value; after receiving the authentication response message sent from the network, the UE verifying whether the another authentication reference value included in the received response message is consistent with the one generated by itself, and if yes, the authentication in the UE side succeeds.
[2] The method according to Claim 1, wherein the authentication request message includes information on an encryption algorithm, an integrity protection algorithm and parameters for authentication that are adopted by the UE.
[3] The method according to Claim 1, wherein the authentication value of the network is generated with an encryption algorithm, an integrity protection algorithm, parameters for authentication, and network generated keys.
[4] The method according to Claim 1, wherein the authentication value of the UE is generated with an encryption algorithm, an integrity protection algorithm, parameters for authentication, and keys saved in the network terminal equipment.
[5] The method according to claim 2, 3 or 4, wherein the parameters for authentication include a FRESH random number or a START value.
[6] The method according to Claim 3 or Claim 4, wherein the information on keys generated by the network includes information on CK and that on IK.
[7] The method according to Claim 6, wherein the CK and IK are generated by a core network entity of the network.
[8] The method according to Claim 2, wherein the encryption algorithm and the integrity protection algorithm included in the authentication request message sent from the network terminal equipment to the network are selected out of many encryption algorithms and integrity protection algorithms offered by the network and supported by the UE.
[9] The method according to Claim 5, wherein the random number FRESH is broadcast through the network.
[10] The method according to Claim 5, wherein the random number FRESH is generated by the network terminal equipment.
[11] The method according to Claim 5, wherein the random number FRESH is updated.
[12] The method according to Claim 1, wherein the authentication response message includes an encryption algorithm, an integrity protection algorithm and parameters for authentication that are re-allocated by the network to the UE.
[13] The method according to Claim 5, wherein the START value is specified by the network.
[14] The method according to Claim 5, wherein the START value is generated by the UE.
[15] The method according to Claim 5, wherein that the network or the UE verifies whether the received START value is consistent with the saved one or not after receiving the START value.
[16] The method according to Claim 5, wherein the UE adopts a new START value in each communication process.
PCT/KR2006/005851 2005-09-30 2006-12-28 Method for authentication between ue and network in wireless communication system WO2007075068A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510107775 2005-09-30
CN200510107775.X 2005-12-28

Publications (1)

Publication Number Publication Date
WO2007075068A1 true WO2007075068A1 (en) 2007-07-05

Family

ID=38226475

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/005851 WO2007075068A1 (en) 2005-09-30 2006-12-28 Method for authentication between ue and network in wireless communication system

Country Status (1)

Country Link
WO (1) WO2007075068A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2482487A4 (en) * 2010-01-21 2017-07-05 ZTE Corporation Method and system for deriving air interface encryption keys
CN111586694A (en) * 2020-05-11 2020-08-25 中国联合网络通信集团有限公司 Malignant paging monitoring method, core network server and communication system
US11388597B2 (en) * 2016-04-21 2022-07-12 Signify Holding B.V. Systems and methods for authenticating wireless modules

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5875394A (en) * 1996-12-27 1999-02-23 At & T Wireless Services Inc. Method of mutual authentication for secure wireless service provision
WO2003038571A1 (en) * 2001-10-30 2003-05-08 Matsushita Electric Industrial Co., Ltd. Method, system, device and computer program for mutual authentication and content protection


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TASNEEM G. BRUTCH ET AL.: "Mutual Authentication, Confidentiality, and Key MANagement (MACKMAN) System for Mobile Computing and Wireless Communication", COMPUTER SECURITY APPLICATION CONFERENCE, 14TH ANNUAL, 7 December 1998 (1998-12-07) - 11 December 1998 (1998-12-11), pages 308 - 317, XP010318625 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2482487A4 (en) * 2010-01-21 2017-07-05 ZTE Corporation Method and system for deriving air interface encryption keys
US11388597B2 (en) * 2016-04-21 2022-07-12 Signify Holding B.V. Systems and methods for authenticating wireless modules
CN111586694A (en) * 2020-05-11 2020-08-25 中国联合网络通信集团有限公司 Malignant paging monitoring method, core network server and communication system
CN111586694B (en) * 2020-05-11 2022-08-12 中国联合网络通信集团有限公司 Malignant paging monitoring method, core network server and communication system


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 201008

122 Ep: pct application non-entry in european phase

Ref document number: 06835551

Country of ref document: EP

Kind code of ref document: A1