WO2007102702A2 - Fast re-authentication method in umts - Google Patents

Fast re-authentication method in UMTS

Info

Publication number
WO2007102702A2
WO2007102702A2 (PCT application PCT/KR2007/001125)
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
message
mobile terminal
umts
identifier
Application number
PCT/KR2007/001125
Other languages
French (fr)
Other versions
WO2007102702A3 (en)
Inventor
Hye-Yeon Kwon
Ae-Soon Park
Kwang-Hyun Ro
Original Assignee
Electronics And Telecommunications Research Institute
Application filed by Electronics And Telecommunications Research Institute
Priority to EP07715525A (published as EP1992185A4)
Publication of WO2007102702A2
Publication of WO2007102702A3

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/06 Authentication
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of security context information
    • H04W36/14 Reselecting a network or an air interface
    • H04W36/144 Reselecting a network or an air interface over a different radio air interface technology
    • H04W36/1446 Reselecting a network or an air interface over a different radio air interface technology wherein at least one of the networks is unlicensed
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to a re-authentication method in a mobile communication system during handover between a wireless local area network (WLAN) access system and the mobile communication system, and more particularly, to a fast re-authentication method of more quickly authenticating a subscriber during handover to a UMTS (universal mobile telecommunication system).
  • When handover from the WLAN to the UMTS network occurs, the user must pass through the user authentication process requested by the network before being allowed to access it.
  • the user authentication process in the network is an important process that is necessarily performed to protect user information and prevent an unauthorized user from accessing the network.
  • the user authentication process causes a large amount of handover delay.
  • the UMTS uses a UMTS AKA (authentication and key agreement) authentication mechanism.
  • A 3GPP (3rd generation partnership project) standard group defining the UMTS standard has defined and used a 3GPP-WLAN interworking standard for providing a 3GPP service through the WLAN.
  • the standard uses an EAP-AKA (extensible authentication protocol AKA) authentication mechanism in order to access the 3GPP network through the WLAN.
  • EAP-AKA includes a full authentication process and a fast re-authentication process.
  • In the full authentication process, a new authentication vector is generated in the network and transmitted to the mobile terminal, which checks it. Running the authentication algorithm and generating a ciphering key takes a large amount of time.
  • The fast re-authentication process relies on the user authentication established by the previous full authentication and verifies only the re-authentication identifier that was issued then, so no authentication algorithm needs to run and no new key is generated. As a result, the authentication process is simplified and the time required to perform authentication is reduced.
  • The present invention has been made in an effort to provide a method of performing fast re-authentication of a mobile terminal subscriber in a mobile communication system.
  • A re-authentication method in a universal mobile telecommunications system includes: transmitting an identity request message requesting an identifier of a mobile terminal to the mobile terminal in response to an attach request message transmitted from the mobile terminal; receiving an identity response message from the mobile terminal in response to the identity request message, the identity response message including a first re-authentication identifier that the mobile terminal was given by its home network through an earlier authentication with the home network; requesting the home network to authenticate the mobile terminal on the basis of the first re-authentication identifier; receiving from the home network a response message agreeing to fast re-authentication after the home network has recognized the first re-authentication identifier; and, on receiving that response message, transmitting a re-authentication request message to the mobile terminal and transmitting a response message to the attach request message.
  • FIG. 1 is a flowchart illustrating an authentication process for an attach request from a subscriber in the mobility management sub-protocol PMM (packet mobility management), which is a general UMTS layer 3 protocol.
  • FIGs. 2 and 3 are diagrams illustrating the configuration of general PMM authentication and ciphering request/response messages.
  • FIG. 4 is a flowchart illustrating a general EAP-AKA full authentication process.
  • FIG. 5 is a flowchart illustrating a general EAP-AKA fast re-authentication process.
  • FIGs. 6 and 7 are diagrams illustrating the configuration of a PMM re-authentication request message and a response message thereto according to an exemplary embodiment of the present invention.
  • FIG. 8 is a diagram illustrating the configuration of a MAP re-authentication data request message and a response message thereto according to an exemplary embodiment of the present invention.
  • FIG. 9 is a flowchart illustrating a fast re-authentication process in UMTS AKA according to an exemplary embodiment of the present invention.
  • FIG. 10 is a diagram illustrating the configuration of a modified authentication and ciphering request message according to an exemplary embodiment of the present invention.

Best Mode for Carrying Out the Invention

  • FIG. 1 is a flowchart illustrating an authentication process in response to an attach request from a subscriber in the mobility management sub-protocol PMM (packet mobility management), which is a general UMTS layer 3 protocol.
  • An authentication center (AuC) 40 in the home network and the USIM 10 of the user share a subscriber-specific secret key K and an authentication algorithm distributed between them.
  • The AuC 40 generates a random number RAND and a sequence number SQN, and the USIM 10 checks that the sequence number it receives from the AuC 40 is fresh (the latest one).
  • The sequence number SQN generated by the AuC 40 is transmitted to the mobile terminal 20.
  • The USIM 10 maintains its own sequence number, using an algorithm provided in the mobile terminal 20, and compares it with the sequence number SQN transmitted from the AuC 40.
  • In this way the USIM 10 checks that the sequence number SQN is the latest. Since the method of checking whether the sequence number SQN is the latest is known, a detailed description thereof is omitted in this exemplary embodiment of the present invention.
  • When an SGSN/VLR (serving GPRS support node/visitor location register) 30 in the visited network that the user is accessing requests authentication data, the AuC 40 generates a set of authentication vectors and transmits the set to the SGSN/VLR 30.
  • the SGSN/VLR 30 selects one authentication vector from the set of authentication vectors received from the AuC 40 and transmits the selected authentication vector to the USIM 10 of the user.
  • the authentication vector transmitted to the USIM 10 of the user is used to perform authentication and key setting between the SGSN/VLR 30 and the USIM 10 at once.
  • the authentication vector is composed of a random number RAND, an expected response XRES, a ciphering key CK, an integrity key IK, and an authentication token AUTN.
  • the authentication token AUTN is generated by combining the sequence number SQN, an authentication management field AMF, and a message authentication code MAC.
  • The transmission of authentication vector parameters between the SGSN/VLR 30 and the USIM 10 is performed by an authentication signalling procedure that exchanges the PMM authentication and ciphering request/response messages.
  • The mobile terminal 20 transmits an attach request message to the SGSN/VLR 30 of the visited network in order to be connected to that network (S10).
  • The SGSN/VLR 30 in the visited network, having received the attach request message, transmits an identity request message requesting a user identifier to the mobile terminal 20 (S11), and the USIM 10 of the mobile terminal 20 responds with an international mobile subscriber identity IMSI or a temporary mobile subscriber identity TMSI (S12).
  • The SGSN/VLR 30 transmits a MAP (mobile application part) request message to the HLR/AuC 40 in the home network of the user on the basis of the received user identifier (S13).
  • The HLR/AuC 40, having received the MAP request message, generates a set of n authentication vectors AV(1, ..., n) from the random number RAND, the sequence number SQN, and the secret key K previously shared with the USIM 10 of the mobile terminal 20 (S14).
  • After generating the authentication vectors, the HLR/AuC 40 includes AV(1, ..., n) in the MAP response message and transmits the MAP response message to the VLR/SGSN 30 (S15).
  • The VLR/SGSN 30 stores the n authentication vectors and selects one of them, the i-th authentication vector AV(i), for the current authentication (S16).
  • The VLR/SGSN 30 includes the random number RAND and the authentication token AUTN of AV(i) in a PMM authentication/ciphering request message and transmits that message to the USIM 10 of the mobile terminal 20 (S17).
  • The USIM 10 of the mobile terminal 20 verifies the authentication token AUTN received from the VLR/SGSN 30 (that its MAC is correct and its SQN is fresh) and calculates the user response RES (S18). The USIM 10 then includes the calculated user response RES in the PMM authentication/ciphering response message and transmits that message to the VLR/SGSN 30 (S19).
  • The USIM 10 of the mobile terminal 20 also calculates the ciphering key CK and the integrity key IK (S20). The VLR/SGSN 30 compares the user response RES received from the USIM 10 with the expected response XRES stored in AV(i); if they match, the mobile terminal 20 and the user are authenticated, key setting is confirmed, and the VLR/SGSN 30 selects the ciphering key CK and the integrity key IK of AV(i) for the connection (S21). Thereafter, the VLR/SGSN 30 transmits an attach accept message to the mobile terminal 20 (S22). In this way, the authentication process in PMM is completed.
  • FIGs. 2 and 3 are diagrams illustrating the configuration of general PMM authentication and ciphering request/response messages.
  • An authentication security method using the UMTS AKA process is specified in the current 3G wireless communication standard, 3GPP TS 33.102.
  • Information required to perform the UMTS AKA process is stored in an information block called an authentication vector.
  • the authentication vector is an information block including various parameters, that is, the random number RAND, the expected response XRES, the integrity key IK, the ciphering key CK, and the authentication token AUTN.
  • The authentication/ciphering request message includes a protocol identifier (protocol discriminator) field, a skip indicator field, an authentication/ciphering request message identity field, a ciphering algorithm field, an IMEISV (international mobile equipment identity together with the software version number) request field, and an A&C reference number field.
  • The authentication/ciphering response message includes an SRES value (the subscriber's response to the challenge) in addition to the fields included in the request message.
  • The protocol identifier is the first field of the message and designates the protocol that defines the message.
  • A receiver processes a message only when the protocol identifier in the first field matches the protocol it implements; if the first field values differ, the message is not accepted for processing and is ignored.
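An encoder and decoder for the PMM authentication and ciphering request message of FIG. 2, added here as an example (this is not code from the patent or from 3GPP). It shows the protocol-identifier gate described above: a message whose first field does not carry the PMM/GMM discriminator is returned as "ignored" rather than parsed. The octet layout (protocol discriminator 0x08 for GMM, message type 0x12, RAND as a 16-octet information element with IEI 0x21, AUTN as a length-prefixed element with IEI 0x28) is my reading of 3GPP TS 24.008 and is an assumption to verify against the specification before reuse.

```python
"""Encoder/decoder for the PMM (GMM) authentication and ciphering request
of FIG. 2.  Added example; the octet layout follows my reading of 3GPP TS
24.008 and is an assumption, not text taken from the patent."""
PD_GMM = 0x08            # protocol discriminator of the PMM/GMM protocol (assumed)
MT_AUTH_CIPH_REQ = 0x12  # AUTHENTICATION AND CIPHERING REQUEST message type (assumed)
IEI_RAND = 0x21          # RAND: IEI followed by 16 octets, no length field (assumed)
IEI_AUTN = 0x28          # AUTN: IEI, length, value (assumed)


def encode_auth_ciph_request(rand: bytes, autn: bytes, ciph_alg: int = 0,
                             imeisv_req: int = 0, ac_ref: int = 0,
                             skip: int = 0) -> bytes:
    """Build the request: mandatory 4-octet header followed by RAND and AUTN."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN are 16 octets each")
    header = bytes([
        (skip & 0x0F) << 4 | PD_GMM,                    # skip indicator | protocol discriminator
        MT_AUTH_CIPH_REQ,                               # message identity
        (imeisv_req & 0x0F) << 4 | (ciph_alg & 0x0F),   # IMEISV request | ciphering algorithm
        ac_ref & 0x0F,                                  # A&C reference number
    ])
    return header + bytes([IEI_RAND]) + rand + bytes([IEI_AUTN, len(autn)]) + autn


def decode_auth_ciph_request(msg: bytes):
    """Return the parsed fields, or None when the protocol discriminator is
    not GMM: the message then belongs to another layer 3 protocol and is
    ignored rather than processed, as the text describes.  Malformed GMM
    messages raise ValueError so the caller can log and drop them."""
    if len(msg) < 4:
        raise ValueError("message shorter than the mandatory header")
    if msg[0] & 0x0F != PD_GMM:
        return None
    if msg[1] != MT_AUTH_CIPH_REQ:
        raise ValueError("unexpected message type 0x%02x" % msg[1])
    fields = {
        "skip": msg[0] >> 4,
        "ciph_alg": msg[2] & 0x0F,
        "imeisv_req": msg[2] >> 4,
        "ac_ref": msg[3] & 0x0F,
        "rand": None,
        "autn": None,
    }
    i = 4
    while i < len(msg):
        iei = msg[i]
        if iei == IEI_RAND:
            if i + 17 > len(msg):
                raise ValueError("truncated RAND")
            fields["rand"] = msg[i + 1:i + 17]
            i += 17
        elif iei == IEI_AUTN:
            if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
                raise ValueError("truncated AUTN")
            n = msg[i + 1]
            fields["autn"] = msg[i + 2:i + 2 + n]
            i += 2 + n
        else:
            raise ValueError("unknown IEI 0x%02x" % iei)
    return fields
```

The decoder distinguishes the two failure classes a receiver needs to treat differently: a foreign protocol discriminator is silently ignored (None), while a message that claims to be GMM but is truncated or carries an unknown element is an error.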
  • The authentication token AUTN is an information block that the HLR transmits to the VLR so that the mobile terminal 20 can authenticate the serving network (SN). The authentication token AUTN carries several parameters, and the USIM 10 of the mobile terminal 20 processes some of them in order to check that the challenge actually originates from its home network and was delivered through a legitimate serving network.
  • The authentication token AUTN is built from the sequence number SQN (concealed with an anonymity key AK), the authentication management field AMF, and the message authentication code MAC.
  • The anonymity key AK is used to hide the value of the sequence number SQN, which is a counter that identifies the authentication vector.
  • The anonymity key AK is calculated by applying a one-way (non-reversible) function to the random number RAND and the secret key Ki.
  • The secret key Ki is the key associated with the i-th subscriber, and "one-way function" means a mathematical transformation whose output does not allow the original input to be recovered.
  • The sequence number SQN is maintained independently by the USIM and the HLR in a synchronized manner, and the authentication management field AMF is used to carry specific commands from the HLR to the USIM.
  • The message authentication code MAC authenticates the message transmitted between the network and the mobile terminal and shows that its contents are correct and unmodified.
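The UMTS AKA run of FIG. 1 (steps S13 to S21) together with the AUTN construction described just above, as an added example that is not code from the patent or from 3GPP. It models the three parties: the AuC generating authentication vectors, the VLR/SGSN caching them and issuing RAND||AUTN, and the USIM verifying the MAC, checking SQN freshness and returning RES, CK and IK. The functions f1 to f5 are HMAC-SHA256 stand-ins for the operator algorithm set (for example MILENAGE), the AMF value and the strict "SQN must increase" rule are simplifications of the windowed check in 3GPP TS 33.102, and the class and method names are my own; all of these are assumptions for illustration.

```python
"""UMTS AKA of FIG. 1: AuC builds authentication vectors, the VLR/SGSN
challenges with RAND||AUTN, the USIM verifies AUTN and returns RES.
Added example; f1..f5 are HMAC-SHA256 stand-ins for the real operator
algorithms and the SQN rule is a simplification (see lead-in)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _f(k: bytes, tag: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf):  # MAC-A, 64 bits (stand-in)
    return _f(k, b"f1", rand, sqn, amf, n=8)


def f2(k, rand):  # RES / XRES, 64 bits (stand-in)
    return _f(k, b"f2", rand, n=8)


def f3(k, rand):  # CK, 128 bits (stand-in)
    return _f(k, b"f3", rand, n=16)


def f4(k, rand):  # IK, 128 bits (stand-in)
    return _f(k, b"f4", rand, n=16)


def f5(k, rand):  # AK, 48 bits (stand-in)
    return _f(k, b"f5", rand, n=6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes  # (SQN xor AK) || AMF || MAC


class AuC:
    """Home network: shares K with the USIM and owns the SQN generator."""

    def __init__(self, k: bytes, amf: bytes = b"\x80\x00") -> None:
        self.k, self.amf, self.sqn = k, amf, 0

    def generate_vectors(self, n: int) -> list:
        avs = []
        for _ in range(n):
            self.sqn += 1
            sqn = self.sqn.to_bytes(6, "big")
            rand = os.urandom(16)
            mac = f1(self.k, rand, sqn, self.amf)
            autn = xor(sqn, f5(self.k, rand)) + self.amf + mac  # SQN hidden by AK
            avs.append(AuthVector(rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn))
        return avs


class USIM:
    def __init__(self, k: bytes) -> None:
        self.k, self.sqn_ms = k, 0  # SQN_MS: highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        """Verify AUTN, then return (RES, CK, IK).  Raises ValueError on a
        MAC failure (challenge not from the home network) or a stale SQN
        (replayed vector); the network would run re-synchronisation."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f5(self.k, rand))  # recover SQN with AK
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure")
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            raise ValueError("synchronisation failure")
        self.sqn_ms = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class VLR:
    """Visited network: caches vectors from the AuC, never sees K."""

    def __init__(self) -> None:
        self.avs, self.current, self.keys = [], None, None

    def challenge(self, auc: AuC):
        if not self.avs:
            self.avs = auc.generate_vectors(5)  # MAP request/response (S13-S15)
        self.current = self.avs.pop(0)  # select AV(i) (S16)
        return self.current.rand, self.current.autn  # sent in the A&C request (S17)

    def verify(self, res: bytes) -> bool:
        ok = hmac.compare_digest(res, self.current.xres)  # RES == XRES (S21)
        if ok:
            self.keys = (self.current.ck, self.current.ik)
        return ok


def run_attach(auc: AuC, vlr: VLR, usim: USIM) -> bool:
    """Steps S17-S21 of FIG. 1: True when RES matches XRES and both sides
    end up holding the same CK/IK."""
    rand, autn = vlr.challenge(auc)
    res, ck, ik = usim.authenticate(rand, autn)
    return vlr.verify(res) and vlr.keys == (ck, ik)
```

Two properties worth noticing: the VLR can authenticate the subscriber without ever holding K, and re-sending a vector that the USIM has already accepted fails on the SQN check even though its MAC is valid, which is what makes SQN concealment and synchronisation a security concern rather than a bookkeeping detail.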
  • EAP-SIM is used for compatibility with 2G networks; a detailed description thereof is omitted in this exemplary embodiment of the present invention.
  • EAP-AKA is an authentication method in a 3G network, such as UMTS or
  • EAP-AKA includes a full authentication method that frequently generates authentication vectors and new keys and a fast re-authentication method that reuses keys introduced in the full authentication method.
  • FIG. 4 is a flowchart illustrating the full authentication method of EAP-AKA.
  • AKA is a challenge-response mechanism based on symmetric cryptography, and it runs in the USIM, the UMTS subscriber identity module, which is a smart-card application.
  • the mobile terminal 20 and a WLAN AN 50 are connected to each other by using a WLAN-specific technique (S30).
  • the WLAN AN 50 connected to the mobile terminal 20 transmits an EAP identity request message to the mobile terminal 20 (S31).
  • an EAP packet is encapsulated in a security protocol based on a WLAN technique, and is then transmitted to a WLAN interface.
  • the mobile terminal 20 reads the pseudonym allocated in the previous authentication process from USIM or reads IMSI in the case of a first authentication process (S32), and converts it into an NAI (network access identifier) format specified in RFC 2486 (S33).
  • The pseudonym is a temporary, anonymous identifier that the mobile terminal 20 uses in place of its permanent identity (IMSI) while it is connected, so that the permanent identity is not exposed.
  • After the pseudonym or IMSI is converted into the NAI format (S33), the mobile terminal transmits an EAP identity response message containing the NAI to an AAA (authentication, authorization, and accounting) server 70 in the home network.
  • The EAP identity response message is routed to the appropriate 3GPP AAA server 70 on the basis of the "realm" portion of the NAI.
  • the message may be routed to one AAA proxy server or several AAA proxy servers.
  • After receiving the EAP identity response message including the identifier of the subscriber, the AAA server 70 identifies the subscriber for EAP-AKA authentication on the basis of that identifier (S34). The AAA server 70 then checks whether an authentication vector that is usable for the subscriber is present; a "usable authentication vector" is one that has never been used before.
  • When such an unused authentication vector exists, it is used for the EAP-AKA authentication of the subscriber.
  • Otherwise, the AAA server 70 obtains new authentication vectors from the HSS 80.
  • mapping from a temporary identifier to the IMSI may be requested.
  • The HSS 80 holds the subscriber data shared by the different access networks that are integrated into one 3GPP network. Mapping from a temporary identifier to the IMSI therefore means resolving the temporary identifier (for example the pseudonym used when the mobile terminal 20 authenticates over a WLAN) to the subscriber record of the mobile terminal 20 stored in the HSS 80.
  • the AAA server 70 having checked the authentication vector, checks whether the subscriber has a WLAN access profile (S35). As the check result, when the subscriber does not have the WLAN access profile, the AAA server 70 retrieves the profile from the HSS 80. Further, the AAA server 70 verifies whether the subscriber has authority to use the WLAN service.
  • new keying material is introduced from the integrity key IK and the ciphering key CK (S36).
  • additional keying materials may be generated.
  • If a new pseudonym is selected for the subscriber, it may be protected (encrypted) with the generated keying material.
  • The keying material is a parameter required for encryption; the derivation of the additional keying material is optional.
  • The AAA server 70 transmits an EAP request/AKA-challenge message to the WLAN AN 50.
  • the EAP request/AKA-challenge message includes the random number RAND, the authentication token AUTN, the message authentication code MAC, protected pseudonym, and re-authentication ID information.
  • the WLAN AN 50 transmits the EAP request/AKA-challenge message received from the AAA server 70 to the mobile terminal 20 (S37).
  • the mobile terminal 20 performs an AKA authentication algorithm in the USIM 10
  • The USIM 10 verifies that the authentication token AUTN included in the message is correct, thereby authenticating the network to which the mobile terminal 20 is connected. If the authentication token AUTN is incorrect, the mobile terminal 20 rejects the network. When the authentication token AUTN has been verified, the USIM 10 checks whether the sequence number SQN is synchronized; if it is not, the mobile terminal 20 performs a synchronization procedure.
  • When the authentication token AUTN is verified as correct, the USIM 10 calculates the user response RES, the integrity key IK, and the ciphering key CK.
  • The mobile terminal 20 derives the required additional keying material from the integrity key IK and the ciphering key CK calculated by the USIM 10.
  • the mobile terminal 20 verifies a received message authentication code MAC on the basis of a newly introduced keying material.
  • the mobile terminal 20 stores the pseudonym for subsequent authentication. Then, the mobile terminal 20 calculates the value of a new message authentication code MAC for an EAP message on the basis of the new keying material.
  • the mobile terminal 20 transmits the EAP response/AKA-challenge message including the calculated user response RES and message authentication code MAC to the WLAN AN 50, and the WLAN AN 50 transmits the EAP response/AKA-challenge message to the AAA server 70 through the AAA proxy 60 (S39).
  • the AAA server 70 having received the EAP response/AKA-challenge message checks the received message authentication code MAC and compares the received user response RES with the expected response XRES (S40).
  • the AAA server 70 transmits an EAP success message to the WLAN AN 50.
  • the AAA server 70 transmits the EAP success message including the generated keying material to the WLAN AN 50 (S41).
  • the WLAN AN 50 stores the keying material included in the message in order to allow communication with the authenticated mobile terminal 20.
  • the WLAN AN 50 transmits an EAP success message indicating the success of authentication to the mobile terminal 20.
  • When the EAP-AKA exchange is successfully completed, the mobile terminal 20 and the WLAN AN 50 share the keying material.
  • The NAI, which is the subscriber identifier of the mobile terminal described in FIG. 4, has the form "username@realm". When authentication is performed frequently, the load on the network grows with the number of connected users. Fast re-authentication is therefore effective in reducing the load on the network.
  • the fast re-authentication reuses the key introduced in the full authentication process described in FIG. 4, which makes it possible to perform user authentication faster than the structure in which the WLAN AN 50 performs full authentication.
  • the use of the fast re-authentication depends on the policy of the service provider, but EAP-AKA should include the fast re-authentication mechanism.
  • the use of the fast re-authentication makes it possible to shorten the time required to perform authentication in the mobile terminal 20 and the AAA server 70 and to reduce the power consumption of the mobile terminal 20.
  • The fast re-authentication is used when the user accesses a WLAN AN 50 that is considered trustworthy.
  • FIG. 5 is a flowchart illustrating a fast re-authentication process in general EAP-AKA.
  • the AAA server 70 determines the use of the fast re-authentication. In order to perform the fast re-authentication, in the authentication process, the AAA server 70 transmits a re-authentication identifier (re-auth id) to the mobile terminal 20.
  • The use of the fast re-authentication depends on the policy of the 3GPP service provider and on the trustworthiness of the WLAN AN 50. If the mobile terminal 20 receives a re-authentication identifier, the AAA server 70 will perform fast re-authentication in the next authentication process; if the mobile terminal 20 receives only a pseudonym, the AAA server 70 will perform full authentication.
  • When the WLAN AN 50 transmits an EAP identity request message to the mobile terminal 20, the fast re-authentication process starts (S50).
  • The mobile terminal 20 transmits an EAP identity response message including the re-authentication identifier allocated in the full authentication process described in FIG. 4 to the AAA server 70 (S51).
  • The AAA server 70, having received the EAP identity response message, uses a counter that was initialized to "1" in the full authentication process, includes the current counter value together with a NONCE, a MAC, and the re-authentication identifier to be used in the next stage in an EAP-request/AKA-reauthentication message, and transmits the message to the mobile terminal 20 (S52). If the AAA server 70 does not send a new re-authentication identifier to the mobile terminal 20, the mobile terminal 20 must perform full authentication in the next authentication process. The AAA server 70 may also set a result indicator so that the success result is delivered in a MAC-protected message (protected success indication) rather than only in the bare EAP success message.
  • The WLAN AN 50 forwards the EAP-request/AKA-reauthentication message to the mobile terminal 20, and the mobile terminal 20 checks whether the counter value included in the message is new (larger than any counter value it has previously accepted) and whether the message authentication code MAC is correct (S53). When the counter value is new and the MAC is correct, the mobile terminal 20 transmits an EAP-response/AKA-reauthentication message carrying the counter value and its own MAC to the WLAN AN 50, and the WLAN AN 50 forwards it to the AAA server 70 (S54). When the counter value is not new or the MAC is incorrect, re-authentication fails.
  • the AAA server 70 transmits the EAP request/AKA-notification message to the mobile terminal 20 before the EAP success message (S56).
  • The EAP-request/AKA-Notification message is protected by a message authentication code MAC and includes an encrypted copy of the counter used in this re-authentication exchange.
  • the mobile terminal 20 transmits the EAP response/AKA-Notification message to the WLAN AN 50, and the WLAN AN 50 transmits the message to the AAA server 70.
  • the AAA server 70 transmits the EAP success message to the mobile terminal 20 regardless of the content of the message (S57).
  • UMTS AKA and EAP-AKA have the same structure; they differ only in that the lower-level transport carrying AKA is the PMM protocol in UMTS and the EAP protocol over WLAN, and in that UMTS AKA, unlike EAP-AKA, has no fast re-authentication function. Because the structure is the same, the two systems can share information on authentication vectors and keys.
  • fields included in each AKA message can have a one-to-one correspondence.
  • the counter of the EAP-AKA corresponds to the sequence number SQN of the UMTS AKA
  • NONCE and MAC of the EAP- request/AKA-re-authentication message correspond to RAND and AUTN of UMTS AKA, respectively.
  • the message authentication code MAC of the EAP- response/AKA-re-authentication message corresponds to the user response of UMTS AKA
  • the key generation of the fast re-authentication corresponds to a random or fresh material of UMTS AKA.
  • UMTS and WLAN can mutually share the authentication vector and state of the mobile terminal.
  • EAP-AKA uses the fast re-authentication process when it is unnecessary to perform the algorithm and to generate the new authentication vector.
  • the fast re-authentication process does not cause overhead in the USIM 10 and the AAA server 70.
  • the fast re-authentication process can be performed more simply than the full authentication process.
  • The fast re-authentication process is optional for the EAP-AKA server to use, but the mobile terminal 20 must support it.
  • Whether a re-authentication identifier is transmitted, and hence whether the fast re-authentication process is used, depends on the policy of the 3GPP service provider.
  • Since the PMM protocol of UMTS has no message for carrying re-authentication, a new PMM message needs to be defined between the mobile terminal 20 and the SGSN 30. Therefore, in this exemplary embodiment of the present invention, a new re-authentication request/response message is added to the PMM messages of UMTS.
  • the newly defined re-authentication request/response message will be described in detail with reference to FIGs. 6 and 7.
  • a re-authentication identifier to be used in the next stage should be transmitted in the existing UMTS AKA authentication process, which makes it necessary to add the re-authentication identifier to be used in the next stage to the existing authentication/ciphering request message.
  • FIGs. 6 and 7 are diagrams illustrating the configuration of a PMM re-authentication request message and a PMM re-authentication response message according to an exemplary embodiment of the present invention.
  • the PMM re-authentication request message and the PMM re-authentication response message each include a plurality of fields.
  • the PMM re-authentication request message includes a COUNTER field, a NONCE field, a MAC field, and a Reauth id field.
  • the PMM re-authentication response message includes a COUNTER field and a MAC field.
  • the COUNTER field indicates the number of times re-authentication succeeds, and the NONCE field indicates a random number.
  • the MAC field indicates a message authentication code, and the Reauth id field indicates a re-authentication identifier.
  • the PMM message does not have fields for performing re-authentication. Therefore, in order to perform the re-authentication, the PMM message must additionally have the above-mentioned fields.
  • FIG. 8 is a diagram illustrating the configuration of a MAP re-authentication data request and a response message thereto according to an exemplary embodiment of the present invention.
  • a MAP message transmitted between a VLR/SGSN 200 and an AuC/HSS 300 has a primitive added thereto for the re-authentication data request and response.
  • a Reauth-id parameter is added to the MAP message transmitted from the VLR/SGSN 200 to the AuC/HSS 300, and parameters such as Count, NONCE, MAC, and Reauth-id, are added to the MAP message transmitted from the AuC/HSS 300 to the VLR/SGSN 200.
  • FIG. 9 is a flowchart illustrating a fast re-authentication process in UMTS AKA according to an exemplary embodiment of the present invention.
  • the fast re-authentication process in UMTS AKA starts when a mobile terminal 110 transmits an attach request message to the VLR/SGSN 200 of a visited network (S100).
  • authentication is also performed when a service request message and a location update message other than the attach request message are transmitted. Therefore, the message for starting the authentication is not limited to the attach request message.
  • the VLR/SGSN 200 having received the attach request message transmits an identity request message for identifying a user identifier to the USIM 100 of the mobile terminal 110 (S110).
  • the identity request message includes the type of identifier for identifying the identifier of the mobile terminal 110.
  • the USIM 100 indicates a smart card.
  • the USIM 100 may be inserted into the mobile terminal 110, or it may be independently provided to have the same size as a standard credit card.
  • in FIG. 9, it is assumed that the USIM 100 is independently provided, but the invention is not limited thereto.
  • the USIM 100 includes the re-authentication identifier that has been received and stored in the previous EAP-AKA authentication process in the WLAN, and transmits an identity response message to the SGSN/VLR 200 (S120).
  • the SGSN/VLR 200 having received the message including the re-authentication identifier generates the MAP request message shown in FIG. 8 that includes the received re-authentication identifier, and transmits the generated message to the HSS/AuC 300 in the home network (S130).
  • the HSS/AuC 300 checks the re-authentication identifier included in the received message, and agrees on the re-authentication process to start the counter. Then, the HSS/AuC 300 generates a MAP response message including the value of the counter, the random number NONCE, the message authentication code MAC, and the re-authentication identifier Reauth-id to be used in the next stage (S140), and transmits the message to the VLR/SGSN 200 in the visited network (S150).
  • the MAP response message includes information on the identification of an identifier and the agreement on fast re-authentication.
  • when the HSS/AuC 300 does not agree on fast re-authentication, the existing full authentication process is performed.
  • the VLR/SGSN 200 having received the MAP response message from the home network transmits a re-authentication request message to the mobile terminal 110 (S160), and the mobile terminal 110 having received the message checks whether the value of the counter is a new value and the message authentication code MAC is correct (S170).
  • when the value of the counter is a new value and the message authentication code MAC is correct, the mobile terminal 110 generates a re-authentication response message including the value of the counter and the message authentication code MAC and transmits the message to the VLR/SGSN 200 (S180).
  • the VLR/SGSN 200 having received the re-authentication response message determines whether the value of the counter included in the message is equal to the value of the counter included in the re-authentication request message transmitted to the mobile terminal 110 and whether the message authentication code MAC is correct (S190).
  • when both checks succeed, the VLR/SGSN 200 transmits an access accept message to the mobile terminal 110 (S200).
  • otherwise, the authentication process fails, which makes it difficult to set up a call.
  • in order for fast re-authentication, the mobile terminal 110 always receives a re-authentication identifier to be used in the next stage from the HSS/AuC 300 and stores the identifier during the previous successful authentication process.
  • the re-authentication identifier field, that is, the Reauth id field, needs to be added to an authentication and ciphering request message, which is a UMTS PMM authentication message, such that the re-authentication identifier can always be transmitted.
  • a next pseudonym field, which is the pseudonym field
  • a next re-auth id field, which is the re-authentication identifier field
  • FIG. 10 is a diagram illustrating the configuration of a modified authentication and ciphering request message according to an exemplary embodiment of the present invention.
  • the authentication and ciphering request message is modified to transmit a re-authentication identifier to be used in the fast re-authentication process that may be performed when full authentication is executed on the mobile terminal.
  • a re-authentication identifier to be used in the fast re-authentication process that may be performed when full authentication is executed on the mobile terminal.
  • an encrypted next pseudonym field, which is the pseudonym identifier field
  • an encrypted next re-auth id field, which is the re-authentication identifier field
  • the identity request and response message includes the type of identifier, which allows fast re-authentication to be performed on the subscriber of the mobile terminal having the corresponding identifier type.
  • the re-authentication request message includes counter, NONCE, MAC, and re-auth id, which make it possible to perform fast re-authentication.
  • a program for realizing functions corresponding to the structure of the exemplary embodiment of the present invention or a recording medium having the program recorded thereon are also included in the scope of the present invention.
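The fast re-authentication exchange of S100 to S200 above, written out as an added Python illustration (not code from the patent): the HSS/AuC resolves the stored Reauth-id, advances the counter and returns counter, NONCE, MAC and the next-stage identifier; the mobile terminal accepts only a new counter under a valid MAC; the VLR/SGSN checks that the echoed counter matches and that the response MAC is correct, and falls back to full authentication when the identifier is unknown. The re-authentication key reused from the previous full authentication, the HMAC-SHA256 construction of the MAC, and the expected response MAC ("xmac") handed to the VLR/SGSN are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import os
import struct

# Assumed MAC construction: HMAC-SHA256 over length-prefixed fields, truncated.
# The page does not specify the MAC algorithm of the re-authentication messages.


def mac(key: bytes, *fields: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for fld in fields:
        h.update(struct.pack(">H", len(fld)) + fld)
    return h.digest()[:16]


def u32(n: int) -> bytes:
    return struct.pack(">I", n)


class HssAuc:
    """Home network: maps each Reauth-id to the subscriber's re-auth state."""

    def __init__(self):
        self.by_reauth_id = {}

    def register(self, reauth_key: bytes) -> bytes:
        """After a successful full authentication: hand out the first Reauth-id.
        The re-auth key reused by the fast path is an assumption of this example."""
        return self._new_id({"key": reauth_key, "counter": 0})

    def _new_id(self, state: dict) -> bytes:
        rid = os.urandom(8).hex().encode()
        self.by_reauth_id[rid] = state
        return rid

    def map_reauth_request(self, reauth_id: bytes):
        """MAP re-authentication data request/response (S130..S150).
        None means the identifier is unknown: fall back to full authentication."""
        state = self.by_reauth_id.pop(reauth_id, None)   # each Reauth-id is single-use
        if state is None:
            return None
        state["counter"] += 1
        nonce = os.urandom(16)
        next_id = self._new_id(state)                     # Reauth-id for the next stage
        ctr = u32(state["counter"])
        return {
            "counter": state["counter"],
            "nonce": nonce,
            "mac": mac(state["key"], b"req", ctr, nonce, next_id),
            "reauth_id": next_id,
            # Assumed extra parameter: expected response MAC for the VLR/SGSN,
            # playing the role XRES plays in the full authentication vector.
            "xmac": mac(state["key"], b"resp", ctr, nonce),
        }


class MobileTerminal:
    """USIM/terminal: holds the re-auth key and the Reauth-id stored last time."""

    def __init__(self, reauth_key: bytes, reauth_id: bytes):
        self.key = reauth_key
        self.reauth_id = reauth_id
        self.last_counter = 0

    def identity_response(self) -> bytes:
        return self.reauth_id                             # S120

    def handle_reauth_request(self, req: dict):
        """S170/S180: accept only a new counter under a valid MAC; else None."""
        ctr = u32(req["counter"])
        expected = mac(self.key, b"req", ctr, req["nonce"], req["reauth_id"])
        if not hmac.compare_digest(expected, req["mac"]):
            return None                                   # forged or wrong key
        if req["counter"] <= self.last_counter:
            return None                                   # replayed request
        self.last_counter = req["counter"]
        self.reauth_id = req["reauth_id"]                 # keep id for next stage
        return {"counter": req["counter"],
                "mac": mac(self.key, b"resp", ctr, req["nonce"])}


class VlrSgsn:
    """Visited network: drives S100..S200 and decides the outcome."""

    def __init__(self, hss: HssAuc):
        self.hss = hss

    def attach(self, mt: MobileTerminal) -> str:
        """Returns 'accept' (S200), 'reject', or 'full-auth' (fallback)."""
        data = self.hss.map_reauth_request(mt.identity_response())   # S110..S150
        if data is None:
            return "full-auth"
        req = {k: data[k] for k in ("counter", "nonce", "mac", "reauth_id")}
        resp = mt.handle_reauth_request(req)              # S160..S180
        if resp is None or resp["counter"] != req["counter"]:
            return "reject"                               # S190: counter check
        if not hmac.compare_digest(resp["mac"], data["xmac"]):
            return "reject"                               # S190: MAC check
        return "accept"                                   # S200
```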

Abstract

The present invention relates to a fast re-authentication method in a UMTS (universal mobile telecommunications system) during handover between a WLAN (wireless local area network) and the UMTS. A fast re-authentication message is added to the PMM (packet mobility management) protocol of the UMTS, which is a 3G mobile communication system, and a re-authentication identifier is added to the existing authentication and encryption message, which makes it possible to perform a fast re-authentication process on a mobile terminal subscriber when handover occurs between a WLAN system and the UMTS, or within the UMTS. Therefore, it is possible to reduce a handover delay to the minimum by supporting fast re-authentication that is capable of reducing delay due to an algorithm process for authentication and the generation of authentication vectors and keys during the handover between the UMTS and the WLAN access system.

Description

FAST RE-AUTHENTICATION METHOD IN UMTS
Technical Field
[1] The present invention relates to a re-authentication method in a mobile communication system during handover between a wireless local area network (WLAN) access system and the mobile communication system, and more particularly, to a fast re-authentication method of more quickly authenticating a subscriber during handover to a UMTS (universal mobile telecommunication system).
Background Art
[2] When handover occurs between a UMTS, which is a third generation mobile communication system, and a WLAN of the IEEE 802.11 standard, the quality of communication being currently served and the interruption time of communication depend on a handover delay time required until access to a new network is completed. That is, as the handover delay time becomes longer, it is more difficult to ensure the continuity of a communication service.
[3] Particularly, when handover from the UMTS network to the WLAN or from the WLAN to the UMTS network occurs, a user should pass through a user authentication process requested by the network to access the network.
[4] The user authentication process in the network is an important process that is necessarily performed to protect user information and prevent an unauthorized user from accessing the network. However, in general, the user authentication process causes a large amount of handover delay.
[5] Generally, the UMTS uses a UMTS AKA (authentication and key agreement) authentication mechanism. In contrast, a 3GPP (3rd generation partnership project) standard group defining the UMTS standard has defined and used a 3GPP-WLAN interworking standard for providing a 3GPP service through the WLAN. The standard uses an EAP-AKA (extensible authentication protocol AKA) authentication mechanism in order to access the 3GPP network through the WLAN.
[6] EAP-AKA includes a full authentication process and a fast re-authentication process. In the full authentication process, an authentication vector related to authentication is newly generated in a network, and the generated authentication vector is transmitted to a mobile terminal such that the mobile terminal checks the authentication vector. It takes a large amount of time to process an authentication algorithm and to generate a ciphering key. In contrast, the fast re-authentication process accepts user authentication that is identified through the previous authentication process, and identifies only the re-authentication identifier that has been previously received, which makes it unnecessary to perform an authentication algorithm and generate a new key. As a result, it is possible to simplify the authentication process and thus reduce the time required to perform authentication.
[7] On the other hand, UMTS AKA does not provide the fast re-authentication process. Therefore, a large amount of handover delay occurs due to the transmission/reception of authentication data, the management of keys, and a complicated authentication algorithm process.
[8] The above information disclosed in this Background Art section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.
Disclosure of Invention
Technical Problem
[9] The present invention has been made in an effort to provide a method of performing fast re-authentication on a mobile terminal subscriber in a mobile communication system.
Technical Solution
[10] According to an embodiment of the invention, there is provided a re-authentication method in a universal mobile telecommunications system (UMTS). The method includes: transmitting an identity request message for requesting an identifier of a mobile terminal to the mobile terminal according to an attach request message transmitted from the mobile terminal; receiving an identity response message from the mobile terminal in response to the identity request message, the identity response message including a first re-authentication identifier that the mobile terminal is given by a home network through an authentication of the home network; requesting the home network to authenticate the mobile terminal on the basis of the first re-authentication identifier; receiving a response message agreeing on fast re-authentication from the home network identifying the first re-authentication identifier; and, when receiving the response message from the home network in response to the authentication request, transmitting a re-authentication request message to the mobile terminal and transmitting a response message to the attach request message.
Advantageous Effects
[11] It is possible to reduce a handover delay to a minimum by supporting fast re-authentication that is capable of reducing delay due to an algorithm process for authentication and the generation of authentication vectors and keys during the handover between UMTS and a WLAN access system.
Brief Description of the Drawings
[12] FIG. 1 is a flowchart illustrating an authentication process for an attach request from a subscriber in a mobility management sub-protocol PMM (packet mobility management) which is a general UMTS layer 3 protocol.
[13] FIGs. 2 and 3 are diagrams illustrating the configuration of general PMM authentication and ciphering request/response messages.
[14] FIG. 4 is a flowchart illustrating a general EAP-AKA full authentication process.
[15] FIG. 5 is a flowchart illustrating a general EAP-AKA fast re-authentication process.
[16] FIGs. 6 and 7 are diagrams illustrating the configuration of a PMM re-authentication request message and a response message thereto according to an exemplary embodiment of the present invention.
[17] FIG. 8 is a diagram illustrating the configuration of a MAP re-authentication data request message and a response message thereto according to an exemplary embodiment of the present invention.
[18] FIG. 9 is a flowchart illustrating a fast re-authentication process in UMTS AKA according to an exemplary embodiment of the present invention.
[19] FIG. 10 is a diagram illustrating the configuration of a modified authentication and ciphering request message according to an exemplary embodiment of the present invention.
Best Mode for Carrying Out the Invention
[20] In the following detailed description, only certain exemplary embodiments of the present invention have been shown and described, simply by way of illustration. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive. Like reference numerals designate like elements throughout the specification.
[21] In addition, unless explicitly described to the contrary, the word "comprise" and variations such as "comprises" or "comprising" will be understood to imply the inclusion of stated elements but not the exclusion of any other elements.
[22] FIG. 1 is a flowchart illustrating an authentication process in response to an attach request from a subscriber in mobility management sub-protocol PMM (packet mobility management), which is a general UMTS layer 3 protocol.
[23] In general, in a UMTS, when the subscriber makes an attach request, a detach request, a service request, and a routing area update request, a network requests a subscriber authenticating process.
[24] In an authentication process in PMM, an authentication center (AuC) 40 in a home network and a USIM 10 of a user may share a secret key K (subscriber specific secret key) and an authentication algorithm distributed there between. The AuC 40 generates a random number RAND and a sequence number SQN, and the USIM 10 checks that the sequence number having been generated and received from the AuC 40 is the latest sequence number.
[25] In this case, when the sequence number SQN generated by the AuC 40 is transmitted to a mobile terminal 20, the sequence number SQN is generated using an algorithm provided in the mobile terminal 20, and the generated sequence number is compared with the sequence number SQN transmitted from the AuC 40. When the two sequence numbers are identical to each other, the USIM 10 checks that the sequence number SQN is the latest sequence number. Since the method of checking whether the sequence number SQN is the latest is known, a detailed description thereof will be omitted in this exemplary embodiment of the present invention.
[26] When an SGSN/VLR (serving general packet radio services service node/visitor location register) 30 in a visited network to which a user is accessing requests transmission of authentication data, the AuC 40 generates a set of authentication vectors and transmits the set of authentication vectors to the SGSN/VLR 30. The SGSN/VLR 30 selects one authentication vector from the set of authentication vectors received from the AuC 40 and transmits the selected authentication vector to the USIM 10 of the user. In this case, the authentication vector transmitted to the USIM 10 of the user is used to perform authentication and key setting between the SGSN/VLR 30 and the USIM 10 at once.
[27] The authentication vector is composed of a random number RAND, an expected response XRES, a ciphering key CK, an integrity key IK, and an authentication token AUTN. The authentication token AUTN is generated by combining the sequence number SQN, an authentication management field AMF, and a message authentication code MAC. The transmission of authentication vector parameters between the SGSN/ VLR 30 and the USIM 10 is performed by an authentication signaling process of transmitting/receiving an authentication and ciphering request/response message of PMM.
[28] The authentication process in PMM will be described in detail below. As shown in FIG. 1, the mobile terminal 20 transmits an attach request message to the SGSN/VLR 30 disposed in the visited network to be connected to the visited network (S10). The SGSN/VLR 30 in the visited network having received the attach request message transmits an identity request message for requesting a user identifier to the mobile terminal 20 (S11), and the USIM 10 of the mobile terminal 20 transmits an international mobile subscriber identity IMSI or a temporary mobile subscriber identity TMSI as a response (S12).
[29] The SGSN/VLR 30 transmits a MAP (mobile application part) request message to an HLR/AuC 40 in the home network of the user on the basis of the received user identifiers (S13). The HLR/AuC 40 having received the MAP request message generates an authentication vector AV having n arrays on the basis of the random number RAND, the sequence number SQN, and the secret key K previously shared with the mobile terminal 20 (S14). After generating the authentication vector AV, the HLR/AuC 40 includes the generated authentication vector AV (1, ..., n) in the MAP response message and transmits the MAP response message to the VLR/SGSN 30 (S15).
[30] The VLR/SGSN 30 having received the authentication vector AV from the HLR/AuC 40 stores the authentication vector AV, and selects one of the authentication vector values 1 to n (S16). That is, the VLR/SGSN 30 stores n authentication vectors, and selects an i-th authentication vector. The VLR/SGSN 30 includes the random number RAND and the authentication token AUTN in a PMM authentication/ciphering request message and transmits the PMM authentication/ciphering request message to the USIM 10 of the mobile terminal (S17).
[31] The USIM 10 of the mobile terminal 20 determines whether the authentication token AUTN is available on the basis of the authentication vector received from the VLR/SGSN 30, and calculates a user response RES (S18). After calculating the user response RES, the USIM 10 includes the calculated user response RES in the PMM authentication/ciphering response message and transmits the PMM authentication/ciphering response message to the VLR/SGSN 30 (S19).
[32] After transmitting the user response RES to the VLR/SGSN 30, the USIM 10 of the mobile terminal 20 calculates the ciphering key CK and the integrity key IK (S20), and the VLR/SGSN 30 compares the user response RES received from the USIM 10 with the expected response XRES previously stored to perform the authentication of the mobile terminal 20 and the user. Then, the USIM 10 checks that key setting has been completed and selects the ciphering key CK and the integrity key IK (S21). Thereafter, the VLR/SGSN 30 transmits an attach accept message to the mobile terminal 20 (S22). In this way, the authentication process in PMM is completed.
[33] Next, as described in steps S17 and S18 in FIG. 1, a message structure for performing user authentication and transmitting the authentication vector parameter for checking whether keys are identical to each other will be described with reference to FIGs. 2 and 3.
[34] FIGs. 2 and 3 are diagrams illustrating the configuration of general PMM authentication and ciphering request/response messages.
[35] An authentication security method using a UMTS AKA process is set in the current standard (3GPP TSG 33.102) related to a 3G wireless communication system. Information required to perform the UMTS AKA process is stored in an information block called an authentication vector. The authentication vector is an information block including various parameters, that is, the random number RAND, the expected response XRES, the integrity key IK, the ciphering key CK, and the authentication token AUTN.
[36] As shown in FIGs. 2 and 3, the authentication/ciphering request message includes a protocol identifier field, a skip indicator field, an authentication/ciphering request message identity field, a ciphering algorithm field, an IMEISV (international mobile equipment identity together with the software version number) request field, and an A&C reference number field. The authentication/ciphering response message includes an SRES value in addition to the fields included in the request message.
[37] Among the above-mentioned message fields, the protocol identifier is a first field value for designating that message data is a message defined by the protocol. In the protocol identifiers, only when first field values of input data are the same, interfacing is approved and data is processed. If the first field values are not equal to each other, the interfacing is not approved, and data is not processed but is ignored.
[38] The authentication token AUTN is an information block that is transmitted to VLR by HLR in order to perform the authentication of an SN (serving node) with respect to the mobile terminal 20. That is, the authentication token AUTN includes various parameters, and the USIM 10 of the mobile terminal 20 processes some of the parameters in order to check whether the authentication token AUTN is actually transmitted to a lawful base station at the service node SN. The authentication token AUTN includes the subsequent parameters, that is, the sequence number SQN, an anonymity key AK, the authentication management field AMF, and the message authentication code MAC.
[39] The anonymity key AK is used to hide the value of the sequence number SQN, which is a dedicated sequence vector for identifying an authentication vector. The anonymity key AK is calculated by applying an algorithm non-reversible function to the random number RAND and a secret key Ki. The secret key Ki is associated with the i-th subscriber, and "algorithm non-reversible function" means a specific step of mathematically adjusting and processing information such that raw information is not reproduced from final information.
[40] The sequence number SQN is independently generated by the USIM and the HLR in a synchronous method, and the authentication management field AMF is for identifying different commands to transmit specific values from the HLR to the USIM. The message authentication code MAC indicates the signature of the message transmitted between the network and the mobile terminal, and also indicates that the message includes correct information.
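As an added illustration (not code from the patent or from the 3GPP specifications) of the UMTS AKA exchange in FIG. 1 and the AUTN structure described above: the AuC builds AV = (RAND, XRES, CK, IK, AUTN) with AUTN = (SQN xor AK) || AMF || MAC, the USIM unmasks SQN with AK, verifies MAC and rejects a non-fresh SQN before returning RES, and the VLR/SGSN compares RES with XRES. The functions f1..f5 are modelled with HMAC-SHA256 as an assumption; the page names their outputs but not the algorithm.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the UMTS AKA functions f1..f5: each is HMAC-SHA256
# keyed with K and tagged with the function name. This is an assumption for
# illustration, not the 3GPP algorithm set.
SQN_LEN = 6            # SQN is 48 bits in UMTS AKA
AMF = b"\x80\x00"      # authentication management field (constructed value)


def f(tag: bytes, k: bytes, *parts: bytes) -> bytes:
    h = hmac.new(k, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuC:
    """Home network: shares the secret key K with the USIM and keeps SQN."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0

    def generate_av(self) -> dict:
        """One authentication vector AV = (RAND, XRES, CK, IK, AUTN) (S14)."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        rand = os.urandom(16)
        mac = f(b"f1", self.k, sqn, rand, AMF)[:8]   # MAC over SQN || RAND || AMF
        ak = f(b"f5", self.k, rand)[:SQN_LEN]         # anonymity key hides SQN
        autn = xor(sqn, ak) + AMF + mac               # AUTN = (SQN xor AK) || AMF || MAC
        return {
            "rand": rand,
            "xres": f(b"f2", self.k, rand)[:8],
            "ck": f(b"f3", self.k, rand)[:16],
            "ik": f(b"f4", self.k, rand)[:16],
            "autn": autn,
        }


class Usim:
    """Subscriber side: same K, remembers the highest SQN accepted so far."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_highest = 0
        self.ck = None
        self.ik = None

    def challenge(self, rand: bytes, autn: bytes):
        """S18/S20: verify AUTN, then return (RES, CK, IK); None on failure."""
        ak = f(b"f5", self.k, rand)[:SQN_LEN]
        sqn_bytes = xor(autn[:SQN_LEN], ak)           # unmask SQN with AK
        amf = autn[SQN_LEN:SQN_LEN + 2]
        mac = autn[SQN_LEN + 2:]
        xmac = f(b"f1", self.k, sqn_bytes, rand, amf)[:8]
        if not hmac.compare_digest(mac, xmac):
            return None                               # network not authentic
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn_highest:
            return None                               # stale SQN: replay or resync case
        self.sqn_highest = sqn
        self.ck = f(b"f3", self.k, rand)[:16]
        self.ik = f(b"f4", self.k, rand)[:16]
        return f(b"f2", self.k, rand)[:8], self.ck, self.ik


def vlr_authenticate(av: dict, usim: Usim):
    """VLR/SGSN side (S17..S21): send RAND and AUTN, compare RES with XRES.

    Returns the (CK, IK) selected from the AV on success, None on failure.
    """
    result = usim.challenge(av["rand"], av["autn"])
    if result is None:
        return None
    res, _ck, _ik = result
    if not hmac.compare_digest(res, av["xres"]):
        return None
    return av["ck"], av["ik"]
```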
[41] For WLAN access, a SIM-based EAP-SIM mechanism and a USIM-based EAP-AKA mechanism are used to perform authentication and key agreement. Since EAP-SIM is used to be compatible with 2G, a detailed description thereof will be omitted in this exemplary embodiment of the present invention.
[42] EAP-AKA is an authentication method in a 3G network, such as UMTS or CDMA2000, which is transmitted by the signaling of an EAP authentication mechanism that provides various and safe user authentication on a wired network or a wireless network. In this case, EAP-AKA includes a full authentication method that frequently generates authentication vectors and new keys and a fast re-authentication method that reuses keys introduced in the full authentication method. Next, the full authentication method of EAP-AKA will be described in detail below with reference to FIG. 4.
[43] FIG. 4 is a flowchart illustrating the full authentication method of EAP-AKA.
[44] AKA is based on symmetric encryption with respect to a challenge-response mechanism, and is operated in USIM, which is a UMTS subscriber identification module similar to a smart card.
[45] As shown in FIG. 4, the mobile terminal 20 and a WLAN AN 50 are connected to each other by using a WLAN-specific technique (S30). The WLAN AN 50 connected to the mobile terminal 20 transmits an EAP identity request message to the mobile terminal 20 (S31). In this case, an EAP packet is encapsulated in a security protocol based on a WLAN technique, and is then transmitted to a WLAN interface. Then, the mobile terminal 20 reads the pseudonym allocated in the previous authentication process from USIM or reads IMSI in the case of a first authentication process (S32), and converts it into an NAI (network access identifier) format specified in RFC 2486 (S33). The pseudonym is an anonymous identifier corresponding to a telephone number of the mobile terminal 20 that is used while the mobile terminal 20 is connected to a call in order to hide the telephone number of the mobile terminal 20.
[46] After the pseudonym or IMSI is converted into the NAI format (S33), the mobile terminal transmits an EAP identity response message including the NAI format to an AAA (authentication, authorization, and accounting) server 70 in the home network. In this case, the AAA server 70 having received the EAP identity response message is a 3GPP AAA server that is appropriately routed on the basis of a "realm" portion of NAI. The message may be routed to one AAA proxy server or several AAA proxy servers.
[47] After receiving the EAP identity response message including the identifier of the subscriber, the AAA server 70 identifies the subscriber for EAP-AKA authentication on the basis of the identifier of the subscriber included in the received message (S34). The AAA server 70 checks whether an authentication vector that is usable for the subscriber is present. In this case, "usable authentication vector" means an authentication vector that has never been used before.
[48] As the check result, when it is determined that the authentication vector that has never been used before exists, the authentication vector is used for the identification of a subscriber for EAP-AKA authentication. On the other hand, when the authentication vector that has never been used before does not exist, the AAA server 70 receives new authentication vectors from an HSS 80. In this case, instead of the authentication vectors, mapping from a temporary identifier to the IMSI may be requested. The HSS 80 manages different networks such that the networks can share mutual information when they are incorporated into one network. Therefore, the mapping from a temporary identifier to the IMSI means mapping from a temporary identifier to information of the mobile terminal 20 stored in the HSS 80 and the above-mentioned pseudonym when the mobile terminal 20 performs authentication over a WLAN.
[49] The AAA server 70, having checked the authentication vector, checks whether the subscriber has a WLAN access profile (S35). As the check result, when the subscriber does not have the WLAN access profile, the AAA server 70 retrieves the profile from the HSS 80. Further, the AAA server 70 verifies whether the subscriber has authority to use the WLAN service.
[50] When the verification is completed, the full authentication process is performed.
For the full authentication process, first, new keying material is introduced from the integrity key IK and the ciphering key CK (S36). Alternatively, additional keying materials may be generated. In this case, the keying material may be protected by a keying material generated by selection of a new pseudonym. The keying material is a parameter requested for encryption, and the introduction of the keying material may or may not be performed.
[51] The AAA server 70 transmits an EAP request/AKA-challenge message to the WLAN AN 50. The EAP request/AKA-challenge message includes the random number RAND, the authentication token AUTN, the message authentication code MAC, protected pseudonym, and re-authentication ID information. The WLAN AN 50 transmits the EAP request/AKA-challenge message received from the AAA server 70 to the mobile terminal 20 (S37).
[52] The mobile terminal 20 performs an AKA authentication algorithm in the USIM 10 (S38). The USIM 10 verifies whether the authentication token AUTN included in the message is correct to authenticate a network having the mobile terminal 20 connected thereto. If the authentication token AUTN is incorrect, the mobile terminal 20 rejects the authentication of the network. When the verification of the authentication token AUTN is completed, the USIM 10 checks whether the sequence number SQN is synchronized. When the sequence number SQN is not synchronized, the mobile terminal 20 performs a synchronization process.
[53] When it is verified that the authentication token AUTN is correct, the USIM 10 calculates the user response RES, the integrity key IK, and the ciphering key CK. The mobile terminal 20 introduces requested additional keying materials from the integrity key IK and the ciphering key CK calculated by the USIM 10. The mobile terminal 20 verifies a received message authentication code MAC on the basis of a newly introduced keying material. When the pseudonym, which is an anonymous identifier, is received, the mobile terminal 20 stores the pseudonym for subsequent authentication. Then, the mobile terminal 20 calculates the value of a new message authentication code MAC for an EAP message on the basis of the new keying material.
[54] The mobile terminal 20 transmits the EAP response/AKA-challenge message including the calculated user response RES and message authentication code MAC to the WLAN AN 50, and the WLAN AN 50 transmits the EAP response/AKA-challenge message to the AAA server 70 through the AAA proxy 60 (S39). The AAA server 70 having received the EAP response/AKA-challenge message checks the received message authentication code MAC and compares the received user response RES with the expected response XRES (S40).
[55] When all tests succeed, the AAA server 70 transmits an EAP success message to the WLAN AN 50. When an additional key material is generated in the message authentication code verifying step, the AAA server 70 transmits the EAP success message including the generated keying material to the WLAN AN 50 (S41). When receiving the EAP success message, the WLAN AN 50 stores the keying material included in the message in order to allow communication with the authenticated mobile terminal 20.
[56] Then, the WLAN AN 50 transmits an EAP success message indicating the success of authentication to the mobile terminal 20. When the exchange of EAP AKA is successfully completed, the mobile terminal 20 and the WLAN-AN 50 share the keying material.
[57] NAI, which is a subscriber identifier of the mobile terminal described in FIG. 4, has, for example, the form of "username@realm." Meanwhile, when authentication is frequently performed, the larger the number of users connected to the network becomes, the larger the load applied to the network becomes. Therefore, rapid re-authentication is effective in reducing the load of the network.
[58] The fast re-authentication reuses the key introduced in the full authentication process described in FIG. 4, which makes it possible to perform user authentication faster than the structure in which the WLAN AN 50 performs full authentication. The use of the fast re-authentication depends on the policy of the service provider, but EAP-AKA should include the fast re-authentication mechanism.
[59] The use of the fast re-authentication makes it possible to shorten the time required to perform authentication in the mobile terminal 20 and the AAA server 70 and to reduce the power consumption of the mobile terminal 20. However, when the user accesses the WLAN AN 50 having low reliability, the continuous reuse of the key may cause a serious problem. Therefore, preferably, the fast re-authentication is used when the user accesses the WLAN AN 50 having high reliability.
[60] Next, the fast re-authentication process in EAP-AKA will be described with reference to FIG. 5.
[61] FIG. 5 is a flowchart illustrating a fast re-authentication process in a general EAP-AKA.
[62] The AAA server 70 determines the use of the fast re-authentication. In order to perform the fast re-authentication, in the authentication process, the AAA server 70 transmits a re-authentication identifier (re-auth id) to the mobile terminal 20. The use of the fast re-authentication depends on the policy of a 3GPP service provider, and the reliability of the WLAN AN 50. If the mobile terminal 20 receives the re-authentication identifier, the AAA server 70 will perform the fast re-authentication in the next authentication process. If the mobile terminal 20 receives only the pseudonym, the AAA server 70 will perform full authentication.
[63] As shown in FIG. 5, when the WLAN AN 50 transmits an EAP identity request message to the mobile terminal 20, the fast re-authentication process starts (S50). The mobile terminal 20 transmits the EAP identity request message including the re-authentication identifier allocated in the full authentication process described in FIG. 4 to the AAA server 70 (S51).
[64] The AAA server 70 having received the EAP identity request message starts a counter initialized to "1" in the full authentication process, includes the value of the counter together with NONCE, MAC, and a re-authentication identifier to be used in the next stage in the EAP-request/AKA-re-authentication message, and transmits the message to the mobile terminal 20 (S52). If the AAA server 70 cannot transmit the re-authentication identifier to the mobile terminal 20, the mobile terminal 20 should perform full authentication in the next authentication process. In this case, the AAA server 70 may transmit a result indicator to the WLAN AN 50 in order to encrypt a success message.
[65] The WLAN AN 50 having received the result indicator transmits the EAP-response/AKA-re-authentication message to the mobile terminal 20, and the mobile terminal 20 checks whether the value of the counter included in the message is a new value and whether the message authentication code MAC is correct (S53). As the check result, when the value of the counter is a new value and the message authentication code MAC is correct, the mobile terminal 20 transmits to the WLAN AN 50 the EAP-response/AKA-re-authentication message received from the WLAN AN 50, and the WLAN AN 50 transmits the message to the AAA server 70 (S54). On the other hand, when the value of the counter is not a new value or when the message authentication code MAC is incorrect, re-authentication fails.
[66] Then, when the received value of the counter is equal to the value of the counter that has been transmitted, the message authentication code MAC is correct, and the AAA server 70 has requested to use a success result indicator (S55), the AAA server 70 transmits the EAP request/AKA-notification message to the mobile terminal 20 before the EAP success message (S56). The EAP-request/AKA-Notification message is protected by the message authentication code MAC, and includes an encrypted copy of the counter that has been used in the previous re-authentication process.
[67] The mobile terminal 20 transmits the EAP response/AKA-Notification message to the WLAN AN 50, and the WLAN AN 50 transmits the message to the AAA server 70. The AAA server 70 transmits the EAP success message to the mobile terminal 20 regardless of the content of the message (S57).
[68] As described above, the UMTS AKA and EAP-AKA have the same structure, except that the lower-level packet transmission protocol carrying AKA is the PMM protocol in UMTS and the EAP protocol in WLAN, and that the UMTS AKA, unlike the EAP-AKA, does not have the fast re-authentication function. This means that the two systems can share information on authentication vectors and keys.
[69] Therefore, fields included in each AKA message can have a one-to-one correspondence. For example, the counter of the EAP-AKA corresponds to the sequence number SQN of the UMTS AKA, and NONCE and MAC of the EAP-request/AKA-re-authentication message correspond to RAND and AUTN of UMTS AKA, respectively. In addition, the message authentication code MAC of the EAP-response/AKA-re-authentication message corresponds to the user response of UMTS AKA, and the key generation of the fast re-authentication corresponds to a random or fresh material of UMTS AKA. For these reasons, UMTS and WLAN can mutually share the authentication vector and state of the mobile terminal.
[70] In this case, for EAP-AKA full authentication, the AKA algorithm should be performed, and the AAA server 70 should generate a new authentication vector every time. Therefore, when the use of the network increases, the full authentication process causes a considerably large amount of overhead. In order to solve these problems, EAP-AKA uses the fast re-authentication process when it is unnecessary to perform the algorithm and to generate the new authentication vector.
[71] Compared with the full authentication process shown in FIG. 4, the fast re-authentication process shown in FIG. 5 does not cause overhead in the USIM 10 and the AAA server 70. Thus, the fast re-authentication process can be performed more simply than the full authentication process. In this embodiment, the fast re-authentication process is optional in the EAP-AKA server, and the mobile terminal 20 should necessarily perform the process. In addition, the transmission of a re-authentication identifier depends on the policy of a 3GPP subscriber for the use of the fast authentication process.
[72] Meanwhile, in order to support the fast re-authentication in UMTS, a new PMM message needs to be defined between the mobile terminal 20 and the SGSN 30. Therefore, in this exemplary embodiment of the present invention, a new re-authentication request/response message is added to the PMM messages of UMTS. The newly defined re-authentication request/response message will be described in detail with reference to FIGs. 6 and 7. In this exemplary embodiment of the present invention, a re-authentication identifier to be used in the next stage should be transmitted in the existing UMTS AKA authentication process, which makes it necessary to add the re-authentication identifier to be used in the next stage to the existing authentication/ciphering request message.
[73] FIGs. 6 and 7 are diagrams illustrating the configuration of a PMM re-authentication request message and a PMM re-authentication response message according to an exemplary embodiment of the present invention.
[74] Referring to FIGs. 6 and 7, the PMM re-authentication request message and the PMM re-authentication response message according to the exemplary embodiment of the present invention each include a plurality of fields. Specifically, the PMM re-authentication request message includes a COUNTER field, a NONCE field, a MAC field, and a Reauth id field, and the PMM re-authentication response message includes a COUNTER field and a MAC field.
[75] The COUNTER field indicates the number of times re-authentication succeeds, and the NONCE field indicates a random number. The MAC field indicates a message authentication code, and the Reauth id field indicates a re-authentication identifier. In general, the PMM message does not have fields for performing re-authentication. Therefore, in order to perform the re-authentication, the PMM message must additionally have the above-mentioned fields.
[76] Next, the configuration of a message including a MAP (mobile application part) message between SGSN and AuC/HSS (reference numeral 300 in FIG. 9), and a primitive for a re-authentication data request and response that is added to the MAP message will be described below with reference to FIG. 8.
[77] FIG. 8 is a diagram illustrating the configuration of a MAP re-authentication data request and a response message thereto according to an exemplary embodiment of the present invention.
[78] As shown in FIG. 8, a MAP message transmitted between a VLR/SGSN 200 and an AuC/HSS 300 has a primitive added thereto for the re-authentication data request and response. A Reauth-id parameter is added to the MAP message transmitted from the VLR/SGSN 200 to the AuC/HSS 300, and parameters such as Count, NONCE, MAC, and Reauth-id, are added to the MAP message transmitted from the AuC/HSS 300 to the VLR/SGSN 200.
[79] Next, a re-authentication process performed in UMTS on the basis of the above-mentioned message will be described in detail with reference to FIG. 9.
[80] FIG. 9 is a flowchart illustrating a fast re-authentication process in UMTS AKA according to an exemplary embodiment of the present invention.
[81] As shown in FIG. 9, the fast re-authentication process in UMTS AKA according to the exemplary embodiment of the present invention starts when a mobile terminal 110 transmits an attach request message to the VLR/SGSN 200 of a visited network (S100). In general, authentication is also performed when a service request message and a location update message other than the attach request message are transmitted. Therefore, the message for starting the authentication is not limited to the attach request message. The VLR/SGSN 200 having received the attach request message transmits an identity request message for identifying a user identifier to the USIM 100 of the mobile terminal 110 (S110). In this case, the identity request message includes the type of identifier for identifying the identifier of the mobile terminal 110.
[82] The USIM 100 indicates a smart card. The USIM 100 may be inserted into the mobile terminal 110, or it may be independently provided to have the same size as a standard credit card. In this exemplary embodiment of the present invention, as shown in FIG. 9, it is assumed that the USIM 100 is independently provided, but the invention is not limited thereto.
[83] The USIM 100 includes the re-authentication identifier that has been received and stored in the previous EAP-AKA authentication process in the WLAN, and transmits an identity response message to the SGSN/VLR 200 (S120). The SGSN/VLR 200 having received the message including the re-authentication identifier generates the MAP request message shown in FIG. 8 that includes the received re-authentication identifier, and transmits the generated message to the HSS/AuC 300 in the home network (S130).
[84] The HSS/AuC 300 checks the re-authentication identifier included in the received message, and agrees on the re-authentication process to start the counter. Then, the HSS/AuC 300 generates a MAP response message including the value of the counter, the random number NONCE, the message authentication code MAC, and the re-authentication identifier Reauth-id to be used in the next stage (S140), and transmits the message to the VLR/SGSN 200 in the visited network (S150). In this case, the MAP response message includes information on the identification of an identifier and the agreement on fast re-authentication.
[85] If the home network does not identify the re-authentication identifier or does not agree on the fast re-authentication, the existing full authentication process is performed. The VLR/SGSN 200 having received the MAP response message from the home network transmits a re-authentication request message to the mobile terminal 110 (S160), and the mobile terminal 110 having received the message checks whether the value of the counter is a new value and the message authentication code MAC is correct (S170).
[86] As the check result, when the value of the counter is a new value and the message authentication code MAC is correct, the mobile terminal 110 generates a re-authentication response message including the value of the counter and the message authentication code MAC and transmits the message to the VLR/SGSN 200 (S180). The VLR/SGSN 200 having received the re-authentication response message determines whether the value of the counter included in the message is equal to the value of the counter included in the re-authentication request message transmitted to the mobile terminal 110 and whether the message authentication code MAC is correct (S190).
[87] When it is determined that the values of the counter are equal to each other, and that the message authentication code MAC is correct, the VLR/SGSN 200 transmits an access accept message to the mobile terminal 110 (S200). On the other hand, when it is determined that the values of the counter are not equal to each other or the message authentication code MAC is incorrect, the authentication process fails, which makes it difficult to set up a call.
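The fast re-authentication exchange of FIG. 5 and FIG. 9 (steps S100 to S200), as an added Python example that is not part of the patent: the HSS/AuC issues COUNTER, NONCE, MAC and the next Reauth id, the terminal checks that the counter is new and that the MAC is correct, and the VLR/SGSN checks the echoed counter and the response MAC, with an unknown identifier falling back to full authentication. The MAC construction (HMAC-SHA256 keyed from CK||IK), the expected response MAC returned alongside the MAP response, and the sample CK/IK values are assumptions, since the patent does not specify them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample CK/IK; a real USIM and AuC produce them in full authentication.
SAMPLE_CK = bytes.fromhex("0f" * 16)
SAMPLE_IK = bytes.fromhex("a5" * 16)

def derive_reauth_key(ck, ik):
    # Keying material reused by fast re-authentication (this derivation is an assumption).
    return hashlib.sha256(b"fast-reauth-key" + ck + ik).digest()

def compute_mac(key, *fields):
    # HMAC-SHA256 over length-prefixed fields, truncated to 16 bytes (assumed MAC).
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

@dataclass
class ReauthRequest:
    # PMM re-authentication request of FIG. 6: COUNTER, NONCE, MAC, Reauth id.
    counter: int
    nonce: bytes
    mac: bytes
    next_reauth_id: str

@dataclass
class ReauthResponse:
    # PMM re-authentication response of FIG. 7: COUNTER, MAC.
    counter: int
    mac: bytes

def request_fields(counter, nonce, next_id):
    return counter.to_bytes(4, "big"), nonce, next_id.encode()

class HomeNetwork:
    # HSS/AuC 300: keeps the re-auth context created during full authentication.
    def __init__(self):
        self.contexts = {}  # reauth_id -> (key, counter value to send next)

    def finish_full_auth(self, ck, ik):
        # Hand out the first Reauth id (the field added in FIG. 10); counter starts at 1.
        reauth_id = secrets.token_hex(8)
        self.contexts[reauth_id] = (derive_reauth_key(ck, ik), 1)
        return reauth_id

    def reauth_data(self, reauth_id):
        # MAP re-authentication data response (S140): the request to forward plus the
        # expected response MAC (an XRES-like value; assumption), or None when the
        # identifier is unknown so that the VLR/SGSN falls back to full authentication.
        ctx = self.contexts.pop(reauth_id, None)
        if ctx is None:
            return None
        key, counter = ctx
        nonce = secrets.token_bytes(16)
        next_id = secrets.token_hex(8)
        self.contexts[next_id] = (key, counter + 1)  # each identifier is used once
        mac = compute_mac(key, *request_fields(counter, nonce, next_id))
        xmac = compute_mac(key, counter.to_bytes(4, "big"), nonce)
        return ReauthRequest(counter, nonce, mac, next_id), xmac

class MobileTerminal:
    # USIM 100 / mobile terminal 110: freshness and MAC checks of S170, reply of S180.
    def __init__(self, ck, ik, reauth_id):
        self.key = derive_reauth_key(ck, ik)
        self.reauth_id = reauth_id
        self.last_counter = 0  # no re-authentication has succeeded yet

    def handle_request(self, req):
        fields = request_fields(req.counter, req.nonce, req.next_reauth_id)
        if req.counter <= self.last_counter or not hmac.compare_digest(
                compute_mac(self.key, *fields), req.mac):
            return None  # replayed counter or bad MAC: re-authentication fails
        self.last_counter = req.counter
        self.reauth_id = req.next_reauth_id  # kept for the next attach
        resp_mac = compute_mac(self.key, req.counter.to_bytes(4, "big"), req.nonce)
        return ReauthResponse(req.counter, resp_mac)

def vlr_sgsn_check(req, resp, xmac):
    # VLR/SGSN 200 check of S190: counter echoed unchanged and MAC as expected.
    return resp is not None and resp.counter == req.counter and hmac.compare_digest(xmac, resp.mac)

def run_fast_reauth(home, ms):
    # One attach handled with fast re-authentication (S100 to S200); returns the outcome.
    data = home.reauth_data(ms.reauth_id)  # identity response carried in the MAP request
    if data is None:
        return "full-authentication"  # no agreement: the existing UMTS AKA runs instead
    req, xmac = data
    resp = ms.handle_request(req)  # re-authentication request (S160) and response (S180)
    return "access-accept" if vlr_sgsn_check(req, resp, xmac) else "reject"
```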
[88] In order for fast re-authentication, the mobile terminal 110 always receives a re-authentication identifier to be used in the next stage from the HSS/AuC 300 and stores the identifier during the previous successful authentication process. However, in the current UMTS authentication process, there is no way to receive the re-authentication identifier. Therefore, the re-authentication identifier field, that is, the Reauth id field, needs to be added to an authentication and ciphering request message, which is a UMTS PMM authentication message, such that the re-authentication identifier can always be transmitted.
[89] In addition, in the UMTS authentication process, the pseudonym to be used in the next full authentication to provide the anonymity of an identifier in the full authentication is not provided. Therefore, a next pseudonym field, which is the pseudonym field, together with a Next re-auth id field, which is the re-authentication identifier field, should be added.
[90] The configuration of a message composed of the authentication and ciphering request message included in the existing PMM and the re-authentication identifier and the pseudonym identifier added thereto will be described in detail with reference to FIG. 10.
[91] FIG. 10 is a diagram illustrating the configuration of a modified authentication and ciphering request message according to an exemplary embodiment of the present invention.
[92] As shown in FIG. 10, the authentication and ciphering request message according to the exemplary embodiment of the present invention is modified to transmit a re-authentication identifier to be used in the fast re-authentication process that may be performed after full authentication is executed on the mobile terminal. In this case, an encrypted next pseudonym field, which is the pseudonym identifier field, and an encrypted next re-auth id field, which is the re-authentication identifier field, are added to the existing authentication and ciphering request message.
[93] As such, the identity request and response message includes the type of identifier, which allows fast re-authentication to be performed on the subscriber of the mobile terminal having the corresponding identifier type. In addition, the re-authentication request message includes counter, NONCE, MAC, and re-auth id, which make it possible to perform fast re-authentication.
[94] A program for realizing functions corresponding to the structure of the exemplary embodiment of the present invention or a recording medium having the program recorded thereon are also included in the scope of the present invention.
[95] While this invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims

[1] A re-authentication method in a universal mobile telecommunications system (UMTS), comprising: transmitting an identity request message for requesting an identifier of a mobile terminal to the mobile terminal in accordance with an attach request message transmitted from the mobile terminal; receiving an identity response message from the mobile terminal in response to the identity request message, the identity response message including a first re-authentication identifier that the mobile terminal is given by a home network through an authentication of the home network; requesting the home network to authenticate the mobile terminal based on the first re-authentication identifier; receiving a response message indicating an agreement of fast re-authentication from the home network which has identified the first re-authentication identifier; and when receiving the response message from the home network in response to the authentication request, transmitting a re-authentication request message to the mobile terminal and transmitting a response message to the attach request message.
[2] The re-authentication method of claim 1, wherein the requesting the home network includes: generating a mobile application part (MAP) request message for processing a call based on the first re-authentication identifier; and transmitting the MAP request message to the home network, wherein the receiving of the response message includes receiving a MAP response message indicating the identification of the first re-authentication identifier and the agreement of the re-authentication for the mobile terminal from the home network as a response to the MAP request message, the MAP response message including a second re-authentication identifier.
[3] The re-authentication method of claim 2, wherein the first re-authentication identifier is provided from the home network in a subscriber authentication process of a wireless local area network before a handover to the UMTS occurs, and is used by the mobile terminal as a response to the identity request message.
[4] The re-authentication method of claim 2, wherein the second re-authentication identifier is provided by the home network in order to perform the fast re-authentication for the mobile terminal.
[5] The re-authentication method in the UMTS of claim 1, wherein the re-authentication request message includes a counter value indicating the number of times the re-authentication of the mobile terminal succeeds, a message authentication code, and a second re-authentication identifier.
[6] The re-authentication method in the UMTS of claim 1, wherein the transmitting of the response message further includes: receiving a re-authentication response message to the re-authentication request message from the mobile terminal, and transmitting any one of an attach accept message, a service accept message, and a location update accept message to the mobile terminal.
[7] The re-authentication method in the UMTS of claim 6, wherein the transmitting of the message to the mobile terminal includes: receiving a re-authentication response message including a counter value and a message authentication code from the mobile terminal; checking the counter value and the message authentication code included in the received re-authentication response message; and completing the fast re-authentication process on the mobile terminal when the counter value and the message authentication code are identical to those transmitted to the mobile terminal.
[8] The re-authentication method in the UMTS of claim 7, wherein the mobile terminal includes: checking the counter value and the message authentication code included in the re-authentication request message received from a visited network; generating a re-authentication response message including the counter value and the message authentication code when the counter value is not identical to the value previously stored in the mobile terminal and the message authentication code is correct; and transmitting the generated re-authentication response message to the visited network.
[9] The re-authentication method in the UMTS of claim 8, wherein the visited network is the UMTS or a wireless local area network.
[10] The re-authentication method in the UMTS of claim 9, wherein the visited network is the UMTS when handover occurs from the wireless local area network to the UMTS in a system in which the handover between the UMTS and the wireless local area network is permitted.
[11] The re-authentication method in the UMTS of claim 9, wherein, when the visited network is the wireless local area network, the mobile terminal attempts the fast re-authentication in the wireless local area network by using the second re-authentication identifier given by the home network.
[12] The re-authentication method in the UMTS of claim 1, wherein the attach request message is a service request message or a location update request message.
PCT/KR2007/001125 2006-03-07 2007-03-07 Fast re-authentication method in umts WO2007102702A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP07715525A EP1992185A4 (en) 2006-03-07 2007-03-07 Fast re-authentication method in umts

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2006-0021334 2006-03-07
KR20060021334 2006-03-07
KR10-2006-0113448 2006-11-16
KR1020060113448A KR100755394B1 (en) 2006-03-07 2006-11-16 Method for fast re-authentication in umts for umts-wlan handover

Publications (2)

Publication Number Publication Date
WO2007102702A2 true WO2007102702A2 (en) 2007-09-13
WO2007102702A3 WO2007102702A3 (en) 2008-11-13

Family

ID=38736464

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/001125 WO2007102702A2 (en) 2006-03-07 2007-03-07 Fast re-authentication method in umts

Country Status (3)

Country Link
EP (1) EP1992185A4 (en)
KR (1) KR100755394B1 (en)
WO (1) WO2007102702A2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009115552A3 (en) * 2008-03-18 2009-11-26 Eads Secure Networks Management of the identities of users in a system
EP2293611A1 (en) * 2008-06-30 2011-03-09 Huawei Technologies Co., Ltd. A method, apparatus, system and server for network authentication
US20110246777A1 (en) * 2009-10-07 2011-10-06 Research In Motion Limited System and Method for Managing Security Key Architecture in Multiple Security Contexts of a Network Environment
EP2997767A4 (en) * 2013-05-13 2016-05-04 Ericsson Telefon Ab L M Mobility in mobile communications network
WO2016196958A1 (en) * 2015-06-05 2016-12-08 Convida Wireless, Llc Unified authentication for integrated small cell and wi-fi networks
WO2018013052A1 (en) * 2016-07-13 2018-01-18 Huawei International Pte. Ltd. Unified authentication for heterogeneous networks
FR3057132A1 (en) * 2016-10-04 2018-04-06 Orange METHOD FOR MUTUAL AUTHENTICATION BETWEEN USER EQUIPMENT AND A COMMUNICATION NETWORK
CN108513295A (en) * 2018-04-12 2018-09-07 北京佰才邦技术有限公司 Rapid authentication method, server and user equipment
EP3637815A4 (en) * 2017-07-21 2020-06-17 Huawei International Pte. Ltd. Data transmission method, and device and system related thereto

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101061899B1 (en) 2007-09-12 2011-09-02 삼성전자주식회사 Fast Authentication Method and Device for Heterogeneous Network Handover
KR100977114B1 (en) 2008-02-28 2010-08-23 주식회사 케이티 Method for re-authentication of indoor mobile terminal in indoor WiBro system, and method for authentication of indoor RAS using it
KR101718096B1 (en) * 2009-12-01 2017-03-20 삼성전자주식회사 Method and system for authenticating in wireless communication system
KR101018470B1 (en) 2010-07-03 2011-03-02 주식회사 유비즈코아 Secure authentication system in binary cdma communication networks and drive method of the same
KR101236894B1 (en) 2010-11-11 2013-03-06 주식회사 유비즈코아 Mutuality Secure Authentication System in Wire-Wireless Communication Networks and Authentication Method of the Same
KR101832366B1 (en) * 2011-10-12 2018-02-27 주식회사 케이티 Method for Providing WiFi Wireless Internet Service Without SIM Card to Inbound Roamer

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005027559A1 (en) * 2003-09-12 2005-03-24 Docomo Communications Laboratories Europe Gmbh Fast authentication method and apparatus for inter-domain handover
US20050233729A1 (en) * 2002-07-05 2005-10-20 Saso Stojanovski Method and control member for controlling access to a radio communication cellular system through a wireless local netwrok
US20050251681A1 (en) * 2004-03-10 2005-11-10 Robles Luis R GSM-like and UMTS-like authentication in a CDMA2000 network environment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2403880B (en) * 2002-06-12 2005-11-09 Ericsson Telefon Ab L M Non-repudiation of service agreements
US20040105413A1 (en) 2002-07-02 2004-06-03 Interdigital Technology Corporation System and method for tight inter-working between wireless local area network (WLAN) and universal mobile telecommunication systems (UMTS)
US7047036B2 (en) 2002-07-02 2006-05-16 Interdigital Technology Corporation Method and apparatus for handoff between a wireless local area network (WLAN) and a universal mobile telecommunication system (UMTS)
KR100735242B1 (en) * 2003-12-16 2007-07-03 삼성전자주식회사 Method for providing/notifying interworking information of mobile telecommunication network and wireless local area network and therefor system
KR100762644B1 (en) 2004-12-14 2007-10-01 삼성전자주식회사 WLAN-UMTS Interworking System and Authentication Method Therefor

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CHOI H.H. ET AL.: 'A Seamless Handoff Scheme for UMTS-WLAN Interworking' IEEE GLOBAL TELECOMMUNICATIONS CONFERENCE, GLOBECOM'2004, NEW YORK: IEEE 29 November 2004, pages 1559 - 1564, XP010757784 *
KWON H. ET AL.: 'Consideration of UMTS-WLAN Seamless Handover' IEEE INTERNATIONAL SYMPOSIUM ON MULTIMEDIA, ISM'05, NEW YORK: IEEE 12 December 2005, XP010870597 *
KWON H. ET AL.: 'UMTS-WLAN Interworking Strategies for Reducing Handover Delays' IEEE VEHICULAR TECHNOLOGY CONFERENCE, VTC-2006 FALL, NEW YORK: IEEE 01 September 2006, XP031051549 *

Also Published As

Publication number Publication date
EP1992185A2 (en) 2008-11-19
EP1992185A4 (en) 2013-01-02
KR100755394B1 (en) 2007-09-04
WO2007102702A3 (en) 2008-11-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2007715525

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE