WO2009087006A1 - Mechanism for authentication and authorization for network and service access - Google Patents


Info

Publication number
WO2009087006A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
key
service
authorization process
protocol
Application number
PCT/EP2008/067139
Other languages
French (fr)
Inventor
Dirk Kröselberg
Ulrike Meyer
Hannes Tschofenig
Original Assignee
Nokia Siemens Networks Oy

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to network access authentication and authorization for gaining access to network and service resources in a communication network.
  • the present invention relates to a mechanism usable for a network access authentication and authorization using an authentication method based, for example, on the Extensible Authentication Protocol (EAP).
  • EAP Extensible Authentication Protocol
  • a terminal device may for example be any device by means of which a user may access a communication network; this implies mobile as well as non-mobile or fixed devices and networks, independent of the technology platform on which they are based; only as an example, it is noted that communication equipment and network elements operated according to principles standardized by the 3rd Generation Partnership Project 3GPP, and known for example as UMTS terminals, or standardized by the IEEE (Institute of Electrical and Electronics Engineers) and known as Worldwide Interoperability for Microwave Access (WiMax) or Wireless Local Area Networks (WLAN) are suitable for being used in connection with the present invention;
  • when reference is made herein to a call or session, this exemplifies only a general example of a connection of any content; content as used in the present invention is intended to mean data of at least one of audio data (e.g.
  • method steps and/or devices likely to be implemented as hardware components at one of the entities are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS, CMOS, BiCMOS, ECL, TTL, etc., using for example ASIC components or DSP components;
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention
  • devices or means can be implemented as individual devices or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved.
  • UMTS Universal Mobile Telecommunications System
  • 2G 2nd generation
  • GSM Global System for Mobile communications
  • GPRS General Packet Radio System
  • EDGE Enhanced Data rates for GSM Evolution
  • WiMax Worldwide Interoperability for Microwave Access
  • 3GPP 3rd Generation Partnership Project
  • TISPAN Telecoms & Internet converged Services & Protocols for Advanced Networks
  • ITU International Telecommunication Union
  • 3GPP2 3 rd Generation Partnership Project 2
  • IETF Internet Engineering Task Force
  • IEEE Institute of Electrical and Electronics Engineers
  • AAA Authentication-Authorization-Accounting
  • Authentication refers to the confirmation that the subscriber who is requesting services is a valid user of the network services requested. For this purpose, an identity and credentials are used. Authorization describes the grant of services to the requesting subscriber on the basis of the service request and the authentication result. Accounting, on the other hand, is related to the tracking of the consumption of resources and is used for management, billing and the like.
  • EAP is a universal authentication framework defined by the IETF usable in particular in wireless networks.
  • EAP provides several functions and a negotiation of the desired authentication mechanism.
  • Such mechanisms are called EAP methods, for example EAP-TLS (EAP-Transport Layer Security), EAP-TTLS (EAP-Tunneled Transport Layer Security), EAP-IKEv2 (EAP Internet Key Exchange Protocol version 2), a number of vendor specific methods and the like.
  • communication networks of relevant network architectures, such as networks based on 3GPP, WLAN or WiMAX specifications, provide roaming support.
  • a (mobile or fixed) user or device can access a local access network that is attached to a local or country-specific network service provider, making use of its subscription with a home service provider.
  • the local/visited access service provider(s) communicate with the home provider of the user/device.
  • the home provider assists the local service provider in authentication and authorization of this user/device with the help of long-term credentials it shares with the user/device as part of the subscription.
  • the user/device and the network may generate session keys for the duration of the network attachment (authentication session).
  • Examples of such keys are a master session key (MSK) or extended master session key (EMSK) .
  • MSK master session key
  • EMSK extended master session key
  • Such keys are used for securing wireless access (for example, with the MSK key for WLAN or WiMAX access), or other applications like Mobile Internet Protocol (IP) or device provisioning with the EMSK key.
  • IP Internet Protocol
  • security bootstrapping (key generation and distribution)
  • as an example, WiMAX networks are to be mentioned.
  • this scenario comprises the following steps for authentication/authorization.
  • the terminal device performs another EAP protocol run with another (or possibly the same) EAP authentication method.
  • the terminal device communicates with an AAA server that is responsible for authenticating/authorizing the mobility service.
  • This (service level) AAA server may be the same as for network access, i.e. the home AAA server, or may also be a different server entity.
  • the latter case, i.e. the situation with a different server, typically arises when network access AAA is performed by the home network provider owning the access subscription in a roaming or inter-technology interworking case, while the mobility service is provided locally in the visited network.
  • IKEv2 can be used in combination with an EAP method in order to authenticate and authorize mobility services .
  • the conventional authentication/authorization procedure needs to execute two separate and complete (EAP based) authentication/authorization exchanges with two AAA servers, one for network access authentication and another one for service access, such as a mobility service.
  • This is especially the case in scenarios of a broadband network access.
  • Corresponding performance disadvantages are both the delay for the (at least) two EAP roundtrips in general, and additional delays that occur when it is necessary to send EAP messages via an AAA protocol, such as RADIUS (Remote Authentication Dial-In User Service) or Diameter, between a local network AAA (responsible for service authentication if this is provided in the local network) and a home network that holds the subscription data and home AAA server.
  • AAA protocol such as RADIUS (Remote Authentication Dial-In User Service) or Diameter
  • one possible approach is to execute the second EAP authentication for service access (such as mobility access) as an EAP method specific fast re-authentication.
  • a fast re-authentication procedure is not specified for every EAP method, so that this approach would require either a reconfiguration of existing settings to compatible EAP methods (if applicable) or does not provide an overall solution.
  • this approach is only applicable in cases where the mobility service and the network access service are authorized by the same network operator.
  • an EAP method specific re-authentication typically takes at least two roundtrips, so that a significant performance advantage in terms of roundtrip delay is not achievable in comparison to a standard EAP authentication.
  • another possible approach is key sharing between EAP authenticators, such as network authentication system (NAS) authenticators.
  • NAS network authentication system
  • this approach is only applicable on the same hierarchy level within the local network (e.g. between corresponding NASs).
  • the key receiving entity for mobility service is not an authenticator, but a mobility anchor like a Mobile IP home agent.
  • key sharing between such different entities is practically infeasible and cryptographically insecure.
  • a terminal device configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
  • a method comprising executing, in a terminal device, a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determining, in the terminal device, a key used for a re-authentication process, and executing, in the terminal device, a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
  • a computer program product for a computer comprising software code portions for making, when said product is run on the computer, said computer to function as a part of a terminal device, wherein the computer program product is configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, and execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
  • the proposed solution according to these aspects may comprise one or more of the following features:
  • an authentication procedure based on the Extensible Authentication Protocol may be used in the first authentication and authorization process
  • a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the second authentication and authorization process
  • the key may be determined by deriving a re-authentication key independent from the predetermined authentication procedure used in the first authentication and authorization process;
  • the re-authentication key may be determined from a master key determined in the predetermined authentication procedure;
  • the second authentication and authorization process may be executed for authentication for a mobility service;
  • the first and second authentication and authorization processes may be executed to perform an inter-system handover, wherein the second authentication and authorization process is performed to gain access to a different access subsystem.
  • an authentication server device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • a method comprising receiving, in an authentication server, a key used for a re-authentication process, and executing, in the authentication server, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • a computer program product for a computer comprising software code portions for making, when said product is run on the computer, said computer to function as a part of an authentication server, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • the key may be generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol may be independent of the predetermined authentication procedure;
  • a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the authentication and authorization process;
  • the authentication and authorization process may be executed for authentication of the service requested for a mobility service;
  • the authentication and authorization process may be executed to perform an inter-system handover for providing access to a different access subsystem
  • the key may be received from an authentication server device executing an authentication and authorization process on a network access level.
  • a service agent device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • a method comprising receiving, in a service agent, a key used for a re-authentication process, and executing, in the service agent, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • a computer program product for a computer comprising software code portions for making, when said product is run on the computer, said computer to function as a part of a service agent, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
  • the proposed solution according to these aspects may comprise one or more of the following features:
  • the key may be generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol may be independent of the predetermined authentication procedure;
  • a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the authentication and authorization process
  • the authentication and authorization process may be executed for authentication of the service requested for a mobility service
  • the authentication and authorization process may be executed to perform an inter-system handover for providing access to a different access subsystem
  • the key may be received from one of an authentication server device executing an authentication and authorization process on a network access level and an authentication server device executing an authentication and authorization process on a service level.
  • the service agent device may comprise a home agent functionality.
  • Fig. 1 shows a signaling diagram illustrating a first embodiment according to the present invention.
  • Fig. 2 shows a block diagram illustrating a simplified configuration of a terminal device to which an embodiment of the present invention is applicable.
  • Fig. 3 shows a block diagram illustrating a simplified configuration of an authentication/authorization server entity of a communication network, to which an embodiment of the present invention is applicable.
  • Fig. 4 shows a signaling diagram illustrating a second embodiment according to the present invention.
  • Fig. 5 shows a block diagram illustrating a simplified configuration of a service agent entity of a communication network to which an embodiment of the present invention is applicable.
  • Fig. 6 shows a diagram illustrating a network architecture to which the present application is applicable.
  • WLAN Wireless Local Area Network
  • the invention is also applicable on inter-system handover, e.g. between a WiMAX system and a WLAN.
  • a basic system architecture of a communication network may comprise a commonly known architecture of a wired or wireless access network subsystem.
  • Such an architecture comprises one or more access network control units, radio access network elements or base transceiver stations, with which a terminal device as a subscriber's communication unit is capable of communicating via one or more channels for transmitting several types of data.
  • the general functions and interconnections of these elements are known to those skilled in the art and described in corresponding specifications so that a detailed description thereof is omitted herein. However, it is to be noted that there are provided several additional network elements and signaling links used for a communication connection or a call between end terminals and/or servers.
  • network elements and their functions described herein may be implemented by software, e.g. by a computer program product for a computer, or by hardware.
  • correspondingly used devices, such as a terminal device, a service agent entity and/or an authentication/authorization server, and the like comprise several means and components
  • Such means may comprise, for example, a processor unit for executing instructions, programs and for processing data, memory means for storing instructions, programs and data, for serving as a work area of the processor and the like (e.g. ROM, RAM, EEPROM, and the like), input means for inputting data and instructions by software (e.g. floppy diskette, CD-ROM, EEPROM, and the like), user interface means for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like), interface means for establishing links and/or connections under the control of the processor unit (e.g. wired and wireless interface means, an antenna, etc.) and the like.
  • Fig. 6 shows a simplified diagram of an architecture of a communication network to which the present invention is applicable.
  • In Fig. 6, an example based on the WiMAX specification is presented.
  • other network systems can use the principles defined below, for example a 3GPP based network, a WLAN and the like, or network systems developed in the future and having similar basic functionalities.
  • the architecture could be heterogeneous in the sense that the home network components are e.g. based on WiMAX specifications while the visited network is based on WLAN specifications.
  • the respective network elements comprised by such network systems and in particular those being involved in the authentication and authorization procedure are generally known by those skilled in the art so that a detailed description thereof is omitted herein for the sake of simplicity.
  • Reference sign 10 designates a terminal device or subscriber station / mobile station (SS/MS) of a user.
  • Reference sign 200 designates a domain of a network access provider (NAP), which represents an example of an access network subsystem.
  • NAP network access provider
  • ASN access service networks
  • ASNs 210, 220 are access service networks via which the terminal device can establish a communication connection.
  • in the ASNs 210, 220, several (not shown) elements and functionalities are accommodated, such as base stations providing an interface to the terminal device, access controllers for controlling a communication connection, and gateway elements for connecting to the core network.
  • NAS network authentication system
  • Reference signs 300 and 400 denote a respective domain of a network (NW) service provider (NSP), which represents an example of a core or backbone network system.
  • NW network
  • NSP network service provider
  • the NSP 300 is related to a visited network while the NSP 400 is related to the home network of the subscriber of the terminal device 10.
  • the NSP 300 comprises a connectivity service network (CSN) 310.
  • the CSN 310 comprises several routers or agents 31 related to services provided by the NSP 300.
  • an Authentication/Authorization/Accounting (AAA) server 40 is comprised in the CSN 300 which performs authentication/authorization, for example, on a service level for services provided by the (visited) network.
  • the NSP 400 comprises a connectivity service network (CSN) 410.
  • the CSN 410 comprises also several routers or agents related to services provided by the NSP 300.
  • the CSN 410 is connected to a Home Agent (HA) 30, such as a Mobile IP (MIP) HA, which manages subscriber data and location information of the subscriber.
  • HA Home Agent
  • MIP Mobile IP
  • an Authentication/Authorization/Accounting (AAA) server 50 is comprised in the CSN 300 which performs authentication/authorization, for example, on a network level for network access for the subscriber, also via the visited network.
  • AAA Authentication/Authorization/Accounting
  • the CSNs 310, 410 also provide access to other networks or the Internet via corresponding gateways/interfaces.
  • elements as shown in Fig. 6 may be provided as separate entities or combined in one entity.
  • the NSP 300 can be omitted for the establishment of the communication connection.
  • the terminal device and the NAS 200 communicate only with the NSP 400.
  • the present invention is basically directed to an optimization of the authentication/authorization procedure to be executed in a network as shown, for example, in Fig.
  • the invention is based on the idea that once a network access is authorized, local services (such as mobility services) in a current domain (i.e. the home domain or a visited domain) can be authorized locally.
  • a terminal device executes a first authentication and authorization process on a network access level.
  • This first authentication and authorization process may be based, for example, on an EAP based authentication method (or procedure) like EAP-TLS.
  • a second authentication and authorization process is executed on a service level in order to gain access, for example, to a mobility service like Mobile IP.
  • a re-authentication protocol is used which uses a key determined or derived in the first authentication and authorization process.
  • the second authentication and authorization process may also be based on EAP, but the re-authentication protocol as such is independent of the predetermined authentication method (or procedure).
  • As an application, wireless broadband access may be mentioned, since an authentication and authorization process based on EAP is commonly used in WLAN environments and for mobile WiMAX access. It is possible to optimize in particular the performance in scenarios where authentication/authorization of mobility services, as e.g. provided by Mobile IP, is based on the EAP protocol, and where also network access authentication is based on the EAP protocol and an AAA infrastructure in the network. Possible applications include Mobile IP based mobility management within one system (e.g. within one WiMAX network) or between different systems (e.g. between WLAN and WiMAX). The latter case is related, for example, to an inter-system handover scenario where a handover between different access technologies takes place, e.g. between a WiMAX system and a WLAN.
  • In Fig. 1, a signaling diagram as an example of an implementation of the authentication and authorization mechanism according to the invention is shown.
  • the elements depicted in Fig. 1 may correspond to those shown in Fig. 6, for example.
  • the authentication and authorization processes are based on EAP.
  • the present example uses a so-called EAP Re-authentication extension (ERX) or EAP Re-authentication Protocol (ERP) as described, for example, in the document "EAP Extensions for EAP Re-authentication Protocol (ERP)", draft-ietf-hokey-erx-08, November 18, 2007, by V. Narayanan et al.
  • the ERP or ERX provides a re-authentication exchange between elements independent from the EAP method used for the network (first) authentication and authorization process.
  • a terminal device 10, a NAS 20 as an authenticator, a service agent 30 as a MIP HA (a mobility anchor), an AAA server 40 on a service level and an AAA server 50 on a network access level are involved in the authentication and authorization mechanism according to this example.
  • In step S1, the terminal device 10 executes with the AAA server 50 a first authentication and authorization process on the network level for gaining the network access authentication.
  • This first authentication and authorization process may be based on an EAP method like EAP-TLS and is completed, for example, in accordance with the steps defined in the EAP related specifications. It is to be noted that the authentication and authorization process is not limited to an EAP based method.
  • the terminal device 10 uses the EAP-based authentication/authorization procedure and a correspondingly selected or preset EAP method to gain access to the broadband access network resources.
  • the home AAA server 50 of the terminal device may own or have access to the subscription information for this subscriber (if already subscribed).
  • the home AAA server 50 terminates the EAP method and generates or derives appropriate keying material (e.g. MSK or EMSK) to allow setting up a protected wireless link between the terminal device and the access network.
  • In step S2, the terminal device 10 and the AAA server 50, which is responsible for the network access authentication, negotiate and compute an EAP re-authentication key independent from the EAP method used in step S1.
  • this key may be derived from the MSK or the EMSK and can be a re-authentication root key rRK.
  • This rRK is now present in both the terminal device 10 and the AAA server 50.
  • step S3 the AAA server 50 which is responsible for network access authentication/authorization sends the rRK (or another re-authentication key correspondingly derived in step S2) to the AAA server 40 which is responsible for authentication/authorization on the service level, e.g. for mobility service.
  • the AAA server 50 for EAP network access needs to know how to contact the AAA server 30 for mobility authentication. This may be achieved, for example, by using pre-configuration (e.g. same operator for both AAA servers), or by a dynamic negotiation during network access authentication AAA signaling (based on RADIUS or Diameter protocols, for example). For example, in a case where the AAA server for bootstrapping mobility service in the local domain is the AAA server of the visited WiMAX network operator, that server is known by the AAA server of the home operator in case a roaming agreement exists.
  • both AAA servers shown in Fig. 1 may be located in the same physical entity, i.e. one AAA server is responsible for authentication/authorization on both the network access and service level for the communication connection of the terminal device.
  • in this case, step S3 is executed internally in such an entity.
  • In a next step S4, which comprises steps S4a and S4b, an authentication/authorization process on the service level for gaining access to a service provided by the network is executed.
  • the terminal device 10 authenticates with the AAA server 40 for service level authentication/authorization based on EAP, using the re-authentication key as generated in step S2 and as passed to the AAA server for service level authentication/authorization in step S3.
  • the terminal device 10 contacts in step S4a via the NAS 20 the service agent 30.
  • the agent 30 is the MIP HA of the terminal device.
  • the transmissions between the terminal device 10 and the agent 30 are based, for example, on an EAP protocol and an EAP method, for example, IKEv2.
  • the service agent 30 communicates in step S4b the authentication/authorization information transparently to the AAA server for service level authentication/authorization (in case of a request for mobility service to the AAA server for mobility service authentication/authorization) by using, for example, an ERX based protocol using the rRK.
  • the authentication/authorization process in step S4a/S4b uses an EAP method independent EAP re-authentication exchange.
  • step S5 a secured service session (for example a MIP session) is established.
  • a block circuit diagram of a terminal device 10 is shown which illustrates the parts of the terminal device 10 used for implementing the method described in connection with Fig. 1.
  • the terminal device 10 comprises a processor 101 as the main control unit, a transmitter/receiver unit (Tx/Rx) 102 connected to the processor 101 for establishing a connection with the access network subsystem (e.g. the
  • a key determining/deriving portion 104 which executes a function associated with step S2 in Fig. 1.
  • the key determining/deriving portion 104 provides the derived key to an authentication/authorization execution portion 105 which executes the authentication/authorization process according to step S4 (S4a) and also according to step S1 of Fig. 1.
  • This authentication/authorization process may be based, for example, on EAP methods.
  • the information input to the key determining/deriving portion 104 and output from the authentication/authorization execution portion 105 is received from or sent to the network by the Tx/Rx 102.
  • FIG. 3 a block circuit diagram of an AAA server is shown which illustrates the parts of the AAA server 40 on the service level used for implementing the method described in connection with Fig. 1.
  • Fig. 3 Only those parts of the AAA server 40 are depicted in Fig. 3 which are involved in the authentication/authorization mechanism described above. There are of course other elements of the AAA server 40 which are used for other functions, which are known to those skilled in the art. These functions may be also executed in part or as a whole by the elements shown in Fig. 3.
  • the AAA server 40 comprises a processor 401 as the main control unit, input/output units (I/O) 402, 403 connected to the processor 401 for establishing a connection with the access network subsystem (e.g. the ASN of Fig. 6) or with a service agent, such as the MIP HA 30, and a memory 404 connected to the processor 401 for storing data and programs executed by the processor 401.
  • a key receiving portion 405 is provided which receives and stores the re-authentication key rRK (or a correspondingly derived key) from the AAA server 50 responsible for the authentication/authorization on the network access level and sent in step S3 of Fig. 1.
  • the key receiving portion 405 provides the received key to an authentication/authorization execution portion 406 which executes the authentication/authorization process according to step S4 (S4a, S4b) of Fig. 1.
  • This authentication/authorization process may be based, for example, on EAP methods and on the ERX protocol.
  • the I/O 402 is used to receive information (according to step S3 of
  • This alternative example differs from the first example shown in Fig. 1 in that the service agent element, like the MIP HA, directly terminates the EAP method. That means that the re-authentication key is passed to the service agent by the AAA server responsible for the network access authentication.
  • The details of the alternative example are depicted in Fig. 4. Similar to Fig. 1, a signaling diagram as an alternative example of an implementation of the authentication and authorization mechanism according to the invention is described. The elements depicted in Fig. 4 may correspond to those shown in Fig. 6, for example. Furthermore, it is assumed that the authentication and authorization processes are based on EAP. In this connection, as the re-authentication protocol, the alternative example may also use the EAP Re-authentication extension (ERX) or EAP Re-authentication Protocol (ERP) described above.
  • ERX EAP Re-authentication extension
  • ERP EAP Re-authentication Protocol
  • a terminal device 15, a NAS 20 as an authenticator, a service agent 35 as a MIP HA (a mobility anchor), an AAA server 45 on a service level and an AAA server 50 on a network access level are involved in the authentication and authorization mechanism according to this example.
  • Steps S11 to S13 are basically the same as steps S1 to S3 according to Fig. 1 so that an explanation thereof is omitted herein.
  • After receiving the re-authentication key (e.g. the rRK) from the AAA server 50 in step S13, the AAA server 45, which is responsible for authentication/authorization on the service level, e.g. for mobility service, sends in step S14 the key further to the MIP HA 35 (the possibility to send the re-authentication key from the AAA server 45 to the MIP HA 35 as in step S14 is indicated also in Fig. 3 by means of the dotted arrow from the key receiving portion 405 to the I/O 403). It is to be noted that there is also the possibility that the AAA servers shown in Fig. 4 may be located in the same physical entity, i.e. that the AAA server is responsible for authentication/authorization on both the network access and service level for the communication connection of the terminal device. In such a case, step S13 is executed internally in such an entity.
  • in a next step S15 an authentication/authorization process on the service level for gaining access to a service provided by the network is executed.
  • the terminal device 15 authenticates with the MIP
  • the terminal device 15 contacts via the NAS 20 the service agent 35 (the MIP HA).
  • the transmissions between terminal device 15 and the home agent 35 are based, for example, on an EAP-ERX protocol.
  • the home agent 35 authenticates and authorizes the service (e.g. mobility service) by using an EAP method independent EAP re-authentication exchange.
  • in step S16 a secured service session (for example a MIP session) is established.
  • in Fig. 5 a block circuit diagram of a service agent, in particular of a home agent for Mobile IP, is shown, which illustrates the parts of the service agent 35 used for implementing the method described in connection with Fig. 4.
  • the service agent 35 (e.g. the MIP HA) comprises a processor 351 as the main control unit, input/output units (I/O) 352, 353 connected to the processor 351 for establishing a connection with the AAA servers (e.g. to the CSN of Fig. 6) or with the terminal device 15 of Fig. 4, and a memory 354 connected to the processor 351 for storing data and programs executed by the processor 351.
  • a key receiving portion 355 is provided which receives and stores the re-authentication key rRK (or a correspondingly derived key) from the AAA server in step S14 of Fig. 4.
  • the key receiving portion 355 provides the received key to an authentication/authorization execution portion 356 which executes the authentication/authorization process according to step S15 of Fig. 4.
  • This authentication/authorization process may be based, for example, on EAP methods and on the ERX protocol.
  • the I/O 352 is used to receive information (according to step S14 of Fig. 4, for example) input to the key receiving portion from the AAA server side.
  • the I/O 353 is used to receive/send information related to the authentication/authorization execution portion 356 from/to the terminal device side.
  • the present invention is also applicable in a case where an inter-system handover is executed, i.e. where a handover between different access technologies takes place, e.g. between a WiMAX system and a WLAN.
  • processing and signalling are to be effected which are known to those skilled in the art and which are basically comparable to those described in connection with Figs. 1, 4 and 6, except for the fact that the home network is arranged according to a first type of network specification, for example WiMAX, while the visited network is arranged according to a second type of network specification, for example WLAN.
  • the way to execute an authentication/authorization process to gain access to the other type of access network is basically the same as that described above for gaining access to a specific service in the same network, i.e. the procedure for authentication/re-authentication by using, for example, EAP based methods and an ERX based protocol in the inter-system handover scenario is comparable to that of the service access scenario described above.
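The key hierarchy and the single-exchange service-level re-authentication of Figs. 1 and 4, as an added Python illustration that is not part of the patent or any ERP/ERX implementation: the KDF labels, the message layout and the entity classes are constructed assumptions modelled loosely on the ERP key hierarchy, and the EMSK is generated randomly in place of a real network-access EAP run.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes, context: bytes = b"", length: int = 32) -> bytes:
    """Illustrative one-block KDF: HMAC-SHA256(key, label | 0x00 | context | len).
    Constructed for this example, not the PRF of any ERP/ERX specification."""
    data = label + b"\x00" + context + length.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


def derive_rrk(emsk: bytes) -> bytes:
    """Step S2: re-authentication root key from the EMSK of the network-access
    EAP run. Nothing here depends on which EAP method produced the EMSK."""
    return kdf(emsk, b"EAP Re-authentication Root Key")


def derive_rik(rrk: bytes) -> bytes:
    """Integrity key that protects the re-authentication exchange."""
    return kdf(rrk, b"Re-authentication Integrity Key")


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """Per-exchange session key for the secured service session (step S5/S16)."""
    return kdf(rrk, b"Re-authentication Master Session Key", seq.to_bytes(2, "big"))


def reauth_mac(rrk: bytes, peer_id: str, seq: int) -> bytes:
    """Keyed MAC over a simplified message body (identity | sequence number)."""
    body = peer_id.encode() + b"|" + seq.to_bytes(2, "big")
    return hmac.new(derive_rik(rrk), body, hashlib.sha256).digest()


@dataclass
class NetworkAccessAAA:
    """AAA server 50: terminates the full EAP method once (step S1/S11) and
    exports only rRK (step S3/S13). The EMSK never leaves this entity."""
    emsk: bytes = field(default_factory=lambda: os.urandom(64))  # constructed

    def export_rrk(self) -> bytes:
        return derive_rrk(self.emsk)


@dataclass
class ServiceLevelVerifier:
    """AAA server 40/45 (Fig. 1) or the MIP HA 35 (Fig. 4): holds rRK only and
    completes service-level authentication in a single exchange (step S4/S15)."""
    rrk: bytes
    last_seq: int = -1

    def verify_reauth(self, peer_id: str, seq: int, mac: bytes):
        """Return rMSK on success, None on a replayed sequence number or bad MAC."""
        if seq <= self.last_seq:
            return None  # replayed or stale message
        if not hmac.compare_digest(reauth_mac(self.rrk, peer_id, seq), mac):
            return None  # peer does not hold the matching rRK
        self.last_seq = seq
        return derive_rmsk(self.rrk, seq)


@dataclass
class Terminal:
    """Terminal device 10/15: key determining portion 104 and
    authentication/authorization execution portion 105."""
    emsk: bytes
    seq: int = 0

    def reauth_request(self, peer_id: str):
        """Build one re-authentication message and the rMSK the terminal expects."""
        rrk = derive_rrk(self.emsk)
        seq, self.seq = self.seq, self.seq + 1
        return (peer_id, seq, reauth_mac(rrk, peer_id, seq)), derive_rmsk(rrk, seq)


def run_service_reauth() -> dict:
    """Drive the Fig. 1/Fig. 4 flow end to end and report the outcomes."""
    access_aaa = NetworkAccessAAA()                  # S1: full EAP run, yields EMSK
    terminal = Terminal(emsk=access_aaa.emsk)        # terminal holds the same EMSK
    service = ServiceLevelVerifier(rrk=access_aaa.export_rrk())  # S3 / S13-S14

    request, terminal_rmsk = terminal.reauth_request("user@home.example")
    service_rmsk = service.verify_reauth(*request)   # S4 / S15: one exchange
    replay = service.verify_reauth(*request)         # same message again
    rogue = ServiceLevelVerifier(rrk=derive_rrk(os.urandom(64)))  # unrelated rRK
    mismatch = rogue.verify_reauth(*terminal.reauth_request("user@home.example")[0])

    return {
        "session_keys_match": service_rmsk is not None and service_rmsk == terminal_rmsk,
        "replay_rejected": replay is None,
        "wrong_rrk_rejected": mismatch is None,
        "verifier_holds_emsk": hasattr(service, "emsk"),
    }


if __name__ == "__main__":
    print(run_service_reauth())
```

The service-level entity needs only rRK, so it can complete the exchange without re-running the EAP method and without ever seeing the EMSK or MSK of the access session.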

Abstract

A mechanism for network access authentication and authorization is described which uses an authentication method based, for example, on the Extensible Authentication Protocol (EAP). A first authentication and authorization process on a network access level is executed by using a predetermined authentication method. Then, a key used for a re-authentication process is determined. Thereafter, a second authentication and authorization process on a service level is executed by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication method.

Description

MECHANISM FOR AUTHENTICATION AND AUTHORIZATION FOR NETWORK
AND SERVICE ACCESS
DESCRIPTION
BACKGROUND OF THE INVENTION
Field of the invention
The present invention relates to network access authentication and authorization for gaining access to network and service resources in a communication network. In particular, the present invention relates to a mechanism usable for a network access authentication and authorization using an authentication method based, for example, on the Extensible Authentication Protocol (EAP).
For the purpose of the present invention to be described herein below, it should be noted that
- a terminal device may for example be any device by means of which a user may access a communication network; this implies mobile as well as non-mobile or fixed devices and networks, independent of the technology platform on which they are based; only as an example, it is noted that communication equipment and network elements operated according to principles standardized by the 3rd Generation Partnership Project 3GPP, and known for example as UMTS terminals, or standardized by the IEEE (Institute of Electrical and Electronics Engineers) and known as Worldwide Interoperability for Microwave Access (WiMax) or Wireless Local Area Networks (WLAN) are suitable for being used in connection with the present invention;
- when reference is made herein to a call or session, this exemplifies only a general example of a connection of any content; content as used in the present invention is intended to mean data of at least one of audio data (e.g. speech), video data, image data, text data, and meta data descriptive of attributes of the audio, video, image and/or text data, any combination thereof or even, alternatively or additionally, other data such as, as a further example, program code of an application program to be accessed/downloaded;
- method steps likely to be implemented as software code portions and being run using a processor at one of the entities described herein below are software code independent and can be specified using any known or future developed programming language;
- method steps and/or devices likely to be implemented as hardware components at one of the entities are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS, CMOS, BiCMOS, ECL, TTL, etc, using for example ASIC components or DSP components, as an example;
- generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention;
- devices or means can be implemented as individual devices or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved.
Related prior art
In recent years, an increasing extension of communication networks, e.g. of wire based communication networks, such as the Integrated Services Digital Network (ISDN), or wireless communication networks, such as the cdma2000 (code division multiple access) system, cellular 3rd generation (3G) communication networks like the Universal Mobile Telecommunications System (UMTS), cellular 2nd generation (2G) communication networks like the Global System for Mobile communications (GSM), the General Packet Radio System (GPRS), the Enhanced Data Rates for Global Evolutions (EDGE), or other wireless communication systems, such as the Wireless Local Area Network (WLAN) or WiMax, took place all over the world. Various organizations, such as the 3rd Generation Partnership Project (3GPP), Telecoms & Internet converged Services & Protocols for Advanced Networks (TISPAN), the International Telecommunication Union (ITU), 3rd Generation Partnership Project 2 (3GPP2), Internet Engineering Task Force (IETF), the IEEE (Institute of Electrical and Electronics Engineers) and the like are working on standards for telecommunication network and access environments.
In order to gain access to network and service resources, it is necessary that a subscriber performs an authentication and authorization procedure, also known as Authentication-Authorization-Accounting (AAA).
Authentication refers to the confirmation that the subscriber who is requesting services is a valid user of the network services requested. For this purpose, an identity and credentials are used. Authorization describes the grant of services to the requesting subscriber on the basis of the service request and the authentication result. Accounting, on the other hand, is related to the tracking of the consumption of resources and is used for management, billing and the like.
There have been proposed a plurality of authentication mechanisms usable in the AAA procedure. One example is the so-called Extensible Authentication Protocol (EAP). EAP is a universal authentication framework defined by the IETF usable in particular in wireless networks. EAP provides several functions and a negotiation of the desired authentication mechanism. Such mechanisms are called EAP methods, for example EAP-TLS (EAP-Transport Layer Security), EAP-TTLS (EAP-Tunneled Transport Layer Security), EAP-IKEv2 (EAP Internet Key Exchange Protocol version 2), a number of vendor specific methods and the like.
In particular in case of wireless network access scenarios, it is necessary that possibilities for communication connection changes, such as handovers or roaming, are provided. For this purpose, communication networks of relevant network architectures, such as networks based on 3GPP, WLAN or WiMAX specifications, provide roaming support. That is, a (mobile or fixed) user or device can access a local access network that is attached to a local, or country-specific network service provider making use of their subscription with a home service provider. In order to authorize the user or device to access the network resources, the local/visited access service provider(s) communicate with the home provider of the user/device. The home provider assists the local service provider in authentication and authorization of this user/device with the help of long-term credentials it shares with the user/device as part of the subscription.
Based on the network access authorization (based for example on EAP), the user/device and the network may generate session keys for the duration of the network attachment (authentication session). Examples of such keys are a master session key (MSK) or extended master session key (EMSK). Such keys are used for securing wireless access (for example, with the MSK key for WLAN or WiMAX access), or other applications like Mobile Internet Protocol (IP) or device provisioning with the EMSK key. WiMAX networks are one example where security bootstrapping (key generation and distribution) for Mobile IP services is based on the access network authentication.
In the following, a situation is assumed where authentication/authorization of mobility services as e.g. provided by Mobile IP is based on the EAP protocol, and where also the network access authentication is based on the EAP protocol and an AAA infrastructure in the network. Presently, this scenario comprises the following steps for authentication/authorization.
In a first step, a terminal device, such as a mobile phone or computer or the like or a fixed endpoint like a customer premises equipment (CPE) device, uses an EAP-based authentication/authorization procedure and an EAP method to gain access to the broadband access network resources. A home AAA server of the terminal device, which is responsible for granting such an access, may own or have access to the subscription information for this subscriber (if already subscribed). The home AAA server terminates the EAP method and generates or derives appropriate keying material (e.g. MSK keys) to allow setting up a protected wireless link between the terminal device and the access network, for example.
In a next step, the terminal device performs another EAP protocol run with another (or possibly the same) EAP authentication method. In this second run, an AAA server being responsible for authenticating/authorizing the mobility service is communicated with. This (service level) AAA server may be the same as for network access, i.e. the home AAA server, or may also be a different server entity. The latter case, i.e. the situation of the different server, is typically the case when network access AAA is performed by the home network provider owning the access subscription in a roaming or inter-technology interworking case and mobility service is provided in the visited network locally. For example, in case of Mobile IP version 6 (MIPv6), IKEv2 can be used in combination with an EAP method in order to authenticate and authorize mobility services.
However, the conventional authentication/authorization procedure needs to execute two separate and complete (EAP based) authentication/authorization exchanges with two AAA servers, one for network access authentication and another one for service access, such as a mobility service. This results in a deteriorated overall performance and connection delay, in particular when one or both of the two complete authentication/authorization exchanges (EAP protocol exchanges) are based on costly methods, like EAP-TTLS. This is especially the case in scenarios of a broadband network access. Corresponding performance disadvantages are both the delay for the (at least) two EAP roundtrips in general, and additional delays that occur when it is necessary to send EAP messages via an AAA protocol, such as RADIUS (Remote Authentication Dial-In User Service) or Diameter, between a local network AAA (responsible for service authentication if this is provided in the local network) and a home network that holds the subscription data and home AAA server.
Conventionally, in order to deal with this problem, it is proposed to perform, in cases where the AAA server for network access and service authentication is the same network entity, the second EAP authentication for service access (such as mobility access) as an EAP method specific fast re-authentication. However, such a fast re-authentication procedure is not specified for every EAP method, so this approach either requires a reconfiguration of existing settings to compatible EAP methods (if applicable) or does not provide an overall solution. In addition, this approach is only applicable in cases where the mobility service and the network access service are authorized by the same network operator. Moreover, an EAP method specific re-authentication typically takes at least two roundtrips, so that no significant roundtrip delay advantage over a standard EAP authentication is achievable.
Another common approach to overcome the problem of EAP authentication delay for re-authentication is so-called key sharing between EAP authenticators (such as a network authentication system (NAS) authenticator) within or between local access networks. However, this approach is only applicable on the same hierarchy level within the local network (e.g. between corresponding NASs). It is not usable for the above objective problem, since the key receiving entity for mobility service is not an authenticator, but a mobility anchor like a Mobile IP home agent. Moreover, key sharing between such different entities is practically infeasible and cryptographically insecure.
SUMMARY OF THE INVENTION
Thus, it is an object of the invention to provide an improved mechanism for performing authentication/authorization of a terminal device (a subscriber) in a communication network for gaining access to network and service resources, wherein the authentication delay is reduced and the overall performance is optimized.
This object is achieved by the measures defined in the attached claims. According to one aspect of the proposed solution, there is provided, for example, a terminal device configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
Furthermore, according to one aspect of the proposed solution, there is provided, for example, a method comprising executing, in a terminal device, a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determining, in the terminal device, a key used for a re-authentication process, and executing, in the terminal device, a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
In addition, according to one aspect of the proposed solution, there is provided, for example, a computer program product for a computer, comprising software code portions for making, when said product is run on the computer, said computer to function as a part of a terminal device, wherein the computer program product is configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, and execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
According to further refinements, the proposed solution according to these aspects may comprise one or more of the following features:
- an authentication procedure based on the Extensible Authentication Protocol may be used in the first authentication and authorization process;
- a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the second authentication and authorization process;
- the key may be determined by deriving a re-authentication key independent from the predetermined authentication procedure used in the first authentication and authorization process;
- the re-authentication key may be determined from a master key determined in the predetermined authentication procedure;
- the second authentication and authorization process may be executed for authentication for a mobility service;
- the first and second authentication and authorization processes may be executed to perform an inter-system handover, wherein the second authentication and authorization process is performed to gain access to a different access subsystem.
Moreover, according to one aspect of the proposed solution, there is provided, for example, an authentication server device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
Furthermore, according to one aspect of the proposed solution, there is provided, for example, a method comprising receiving, in an authentication server, a key used for a re-authentication process, and executing, in the authentication server, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
In addition, according to one aspect of the proposed solution, there is provided, for example, a computer program product for a computer, comprising software code portions for making, when said product is run on the computer, said computer to function as a part of an authentication server, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
According to further refinements, the proposed solution according to these aspects may comprise one or more of the following features:
- the key may be generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol may be independent of the predetermined authentication procedure;
- a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the authentication and authorization process;
- the authentication and authorization process may be executed for authentication of the service requested for a mobility service;
- the authentication and authorization process may be executed to perform an inter-system handover for providing access to a different access subsystem;
- the key may be received from an authentication server device executing an authentication and authorization process on a network access level.
Furthermore, according to one aspect of the proposed solution, there is provided, for example, a service agent device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
In addition, according to one aspect of the proposed solution, there is provided, for example, a method comprising receiving, in a service agent, a key used for a re-authentication process, and executing, in the service agent, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
Moreover, according to one aspect of the proposed solution, there is provided, for example, a computer program product for a computer, comprising software code portions for making, when said product is run on the computer, said computer to function as a part of a service agent, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
According to further refinements, the proposed solution according to these aspects may comprise one or more of the following features:
- the key may be generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol may be independent of the predetermined authentication procedure;
- a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension may be used in the authentication and authorization process;
- the authentication and authorization process may be executed for authentication of the service requested for a mobility service;
- the authentication and authorization process may be executed to perform an inter-system handover for providing access to a different access subsystem;
- the key may be received from one of an authentication server device executing an authentication and authorization process on a network access level and an authentication server device executing an authentication and authorization process on a service level.
- a home agent functionality may be comprised.
By virtue of the proposed solutions, it is possible to significantly reduce delays in authentication/authorization for services, such as a mobility service, and to achieve a performance enhancement. In particular, on the basis of the idea that once the network access is authorized the local (mobility) services in a visited domain can be authorized locally, it is possible to provide an optimization for scenarios where authentication/authorization of services, for example (but not limited to) mobility service as e.g. provided by Mobile IP, is based on the EAP protocol, and where also network access authentication is based on the EAP protocol and an AAA infrastructure in the network. The present invention is especially useful in mobility environments where endpoint mobility is based on Mobile IP with possible extensions like Fast Mobile IP (FMIP) or Hierarchical Mobile IP.
The above and still further objects, features and advantages of the invention will become more apparent upon referring to the description and the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 shows a signaling diagram illustrating a first embodiment according to the present invention.
Fig. 2 shows a block diagram illustrating a simplified configuration of a terminal device to which an embodiment of the present invention is applicable.
Fig. 3 shows a block diagram illustrating a simplified configuration of an authentication/authorization server entity of a communication network, to which an embodiment of the present invention is applicable.
Fig. 4 shows a signaling diagram illustrating a second embodiment according to the present invention.
Fig. 5 shows a block diagram illustrating a simplified configuration of a service agent entity of a communication network to which an embodiment of the present invention is applicable.
Fig. 6 shows a diagram illustrating a network architecture to which the present application is applicable.
DESCRIPTION OF PREFERRED EMBODIMENTS
In the following, examples and embodiments of the present invention are described with reference to the drawings. For illustrating the present invention, the examples are based on a WiMAX system according to IEEE standards. However, it is to be noted that embodiments of the present invention are not limited to an application in such a system or environment but are also applicable in other network systems, connection types and the like, for example in networks according to 3GPP specifications, in Wireless Local Area Networks (WLAN) or the like. The invention is also applicable on inter-system handover, e.g. between a WiMAX system and a WLAN.
A basic system architecture of a communication network may comprise a commonly known architecture of a wired or wireless access network subsystem. Such an architecture comprises one or more access network control units, radio access network elements or base transceiver stations, with which a terminal device as a subscriber's communication unit is capable of communicating via one or more channels for transmitting several types of data. The general functions and interconnections of these elements are known to those skilled in the art and described in corresponding specifications so that a detailed description thereof is omitted herein. However, it is to be noted that there are provided several additional network elements and signaling links used for a communication connection or a call between end terminals and/or servers.
Furthermore, the network elements and their functions described herein may be implemented by software, e.g. by a computer program product for a computer, or by hardware. In any case, for executing their respective functions, correspondingly used devices, such as a terminal device, a service agent entity and/or an authentication/authorization server, and the like comprise several means and components (not shown) which are required for control, processing and communication/signaling functionality. Such means may comprise, for example, a processor unit for executing instructions, programs and for processing data, memory means for storing instructions, programs and data, for serving as a work area of the processor and the like (e.g. ROM, RAM, EEPROM, and the like), input means for inputting data and instructions by software (e.g. floppy diskette, CD-ROM, EEPROM, and the like), user interface means for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like), interface means for establishing links and/or connections under the control of the processor unit (e.g. wired and wireless interface means, an antenna, etc.) and the like.
Fig. 6 shows a simplified diagram of an architecture of a communication network to which the present invention is applicable. In Fig. 6, an example based on WiMAX specification is presented. However, it is to be noted that also other network systems can use the principles defined below, for example a 3GPP based network, a WLAN and the like, or network systems developed in the future and having similar basic functionalities. Also, the architecture could be heterogeneous in the sense that the home network components are e.g. based on WiMAX specifications while the visited network is based on WLAN specifications. The respective network elements comprised by such network systems and in particular those being involved in the authentication and authorization procedure are generally known by those skilled in the art so that a detailed description thereof is omitted herein for the sake of simplicity. Furthermore, it is to be noted that the functional architecture can be designed into various hardware configurations rather than fixed configurations. In the network system according to Fig. 6, the following elements are shown which are useful for understanding the principles of the present invention. However, it is to be noted that there are of course several other elements not shown for the sake of simplicity which are however known to those skilled in the art. Similarly, also interconnections and interfaces between the respective elements are shown only in a simplified manner.
Reference sign 10 designates a terminal device or subscriber station / mobile station (SS/MS) of a user. Reference sign 200 designates a domain of a network access provider (NAP), which represents an example of an access network subsystem. In this domain 200, there are provided one or more access service networks (ASN) 210, 220 via which the terminal device can establish a communication connection. In the ASNs 210, 220, several (not shown) elements and functionalities are accommodated, such as base stations providing an interface to the terminal device, access controllers for controlling a communication connection, gateway elements for connecting to the core network. Furthermore, a network authentication system (NAS) 20 is provided which has an authenticator function and is used in the authentication procedure.
Reference signs 300 and 400 denote a respective domain of a network (NW) service provider (NSP), which represents an example of a core or backbone network system. The NSP 300 is related to a visited network while the NSP 400 is related to the home network of the subscriber of the terminal device 10.
The NSP 300 comprises a connectivity service network (CSN) 310. The CSN 310 comprises several routers or agents 31 related to services provided by the NSP 300. Furthermore, an Authentication/Authorization/Accounting (AAA) server 40 is comprised in the CSN 300 which performs authentication/authorization, for example, on a service level for services provided by the (visited) network.
The NSP 400 comprises a connectivity service network (CSN) 410. The CSN 410 comprises also several routers or agents related to services provided by the NSP 300. In particular, the CSN 410 is connected to a Home Agent (HA) 30, such as a Mobile IP (MIP) HA, which manages subscriber data and location information of the subscriber. Furthermore, an Authentication/Authorization/Accounting (AAA) server 50 is comprised in the CSN 300 which performs authentication/authorization, for example, on a network level for network access for the subscriber, also via the visited network.
The CSNs 310, 410 provide also access to other networks or the Internet via corresponding gateways/interfaces.
As shown in Fig. 6, there exist several interconnections between the network parts shown by corresponding arrows. These interconnections may be established by means of interfaces or reference points which may be different in dependence of the employed network technology and which are known to those skilled in the art.
It is to be further noted that elements as shown in Fig. 6 may be provided as separate entities or combined in one entity. Furthermore, in case the terminal device is located within the home domain coverage area, the NSP 300 can be omitted for the establishment of the communication connection. In this case, the terminal device and the NAS 200 communicate only with the NSP 400.
The present invention is basically directed to an optimization of the authentication/authorization procedure to be executed in a network as shown, for example, in Fig. 6 when a terminal device (a subscriber) establishes a communication connection and wishes to gain access to the network and service resources provided. In brief, the invention is based on the idea that once a network access is authorized, local services (such as mobility services) in a current domain (i.e. the home domain or a visited domain) can be authorized locally.
For example, according to one example describing the principles of the invention, a terminal device executes a first authentication and authorization process on a network access level. This first authentication and authorization process may be based, for example, on an EAP based authentication method (or procedure) like EAP-TLS. Then, a second authentication and authorization process is executed on a service level in order to gain access, for example, to a mobility service like Mobile IP. Here, a re-authentication protocol is used which uses a key determined or derived in the first authentication and authorization process. The second authentication and authorization process may be based also on EAP, but the re-authentication protocol is independent of the predetermined authentication method (or procedure) as such.
As an example for an application field of this principle, a wireless broadband access may be mentioned since an authentication and authorization process based on EAP is commonly used in WLAN environments and for mobile WiMAX access. It is possible to optimize in particular the performance in scenarios where authentication/authorization of mobility services as e.g. provided by Mobile IP is based on the EAP protocol, and where also network access authentication is based on the EAP protocol and an AAA infrastructure in the network. Possible applications include Mobile IP based mobility management within one system (e.g. within one WiMAX network) or between different systems (e.g. between WLAN and WiMAX). The latter case is related, for example, to an inter-system handover scenario where a handover between different access technologies takes place, e.g. between a WiMAX system and a WLAN.
In Fig. 1, a signaling diagram as an example of an implementation of the authentication and authorization mechanism according to the invention is described. The elements depicted in Fig. 1 may correspond to those shown in Fig. 6, for example. Furthermore, it is assumed that the authentication and authorization processes are based on EAP. In this connection, as the re-authentication protocol, the present example uses a so-called EAP Re-authentication extension (ERX) or EAP Re-authentication Protocol (ERP) as described, for example, in the document "EAP Extensions for EAP Re-authentication Protocol (ERP)", draft-ietf-hokey-erx-08, November 18, 2007 by V. Narayanan et al. The ERP or ERX provides a re-authentication exchange between elements independent from the EAP method used for the network (first) authentication and authorization process.
In detail, according to Fig. 1, a terminal device 10, a NAS 20 as an authenticator, a service agent 30 as a MIP HA (a mobility anchor), an AAA server 40 on a service level and an AAA server 50 on a network access level are involved in the authentication and authorization mechanism according to this example.
In step S1, the terminal device 10 executes with the AAA server 50 a first authentication and authorization process on the network level for gaining the network access authentication. This first authentication and authorization process may be based on an EAP method like EAP-TLS and is completed, for example, in accordance with the steps defined in the EAP related specifications. It is to be noted that the authentication and authorization process is not limited to an EAP based method. For example, the terminal device 10 uses the EAP-based authentication/authorization procedure and a correspondingly selected or preset EAP method to gain access to the broadband access network resources. The home AAA server 50 of the terminal device may own or has access to the subscription information for this subscriber (if already subscribed). The home AAA server 50 terminates the EAP method and generates or derives appropriate keying material (e.g. MSK or EMSK) to allow setting up a protected wireless link between the terminal device and the access network.
In step S2, the terminal device 10 and the AAA server 50, which is responsible for the network access authentication, negotiate and compute an EAP re-authentication key independent from the EAP method used in step S1. For example, this key may be derived from the MSK or the EMSK and can be a re-authentication root key rRK. This rRK is now present in both the terminal device 10 and the AAA server 50.
In step S3, the AAA server 50 which is responsible for network access authentication/authorization sends the rRK (or another re-authentication key correspondingly derived in step S2) to the AAA server 40 which is responsible for authentication/authorization on the service level, e.g. for mobility service. In order to be able to execute step S3, the AAA server 50 for EAP network access needs to know how to contact the AAA server 30 for mobility authentication. This may be achieved, for example, by using pre-configuration (e.g. same operator for both AAA servers), or by a dynamic negotiation during network access authentication AAA signaling (based on RADIUS or Diameter protocols, for example). For example, in a case where a WiMAX network architecture is used, the AAA server for bootstrapping mobility service in the local domain is the AAA server of the visited WiMAX network operator, that is known by the AAA server of the home operator in case a roaming agreement exists.
It is to be noted that there is also the possibility that the AAA servers shown in Fig. 1 may be located in the same physical entity, i.e. that the AAA server is responsible for authentication/authorization on both the network access and service level for the communication connection of the terminal device. In such a case, step S3 is executed internally in such an entity.
In a next step S4, which comprises steps S4a and S4b, an authentication/authorization process on the service level for gaining access to service provided by the network is executed. In other words, the terminal device 10 authenticates with the AAA server 40 for service level authentication/authorization based on EAP, using the re-authentication key as generated in step S2 and as passed to the AAA server for service level authentication/authorization in step S3. In detail, the terminal device 10 contacts in step S4a via the NAS 20 the service agent 30. In case a mobility service is requested, the agent 30 is the MIP HA of the terminal device. The transmissions between terminal device 10 and the agent 30 are based, for example, on an EAP protocol and an EAP method, for example, IKEv2. The service agent 30 communicates in step S4b the authentication/authorization information transparently to the AAA server for service level authentication/authorization (in case of a request for mobility service to the AAA server for mobility service authentication/authorization) by using, for example, an ERX based protocol using the rRK. In other words, the authentication/authorization process in step S4a/S4b uses an EAP method independent EAP re-authentication exchange.
When the authentication/authorization on the service level is completed successfully, in step S5, a secured service session (for example a MIP session) is established.
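The key flow of steps S1 to S5 as an added, runnable model (not code from the patent or from any ERP implementation): the terminal and the home AAA derive rRK from the EMSK, the rRK is handed to the service-level verifier (AAA server 40 in Fig. 1; the MIP HA 35 plays the same verifier role in Fig. 4), and the re-authentication exchange is then checked locally without contacting the home AAA again. The PRF+ construction over HMAC-SHA256, the key labels, the message layout and the key name are assumptions made for this illustration; the referenced ERP draft defines the normative values.

```python
import hashlib
import hmac
import os
import struct

# Constructed key labels (assumption: the ERP draft referenced on the page
# defines the normative label strings and key lengths).
RRK_LABEL = b"example re-authentication root key"
RIK_LABEL = b"example re-authentication integrity key"
RMSK_LABEL = b"example re-authentication MSK"
MAC_LEN = 32


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF+ over HMAC-SHA256: T1 = HMAC(K, S|1), Tn = HMAC(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def kdf(key: bytes, label: bytes, length: int) -> bytes:
    """Seed = label | NUL | 2-byte length, in the style of the ERP key derivation."""
    return prf_plus(key, label + b"\x00" + struct.pack(">H", length), length)


def derive_rrk(emsk: bytes) -> bytes:
    """Step S2: rRK from the EMSK, computed by terminal 10 and home AAA 50 alike."""
    return kdf(emsk, RRK_LABEL, 32)


def derive_rik(rrk: bytes) -> bytes:
    """Integrity key protecting the step S4 exchange; derived from rRK only."""
    return kdf(rrk, RIK_LABEL, 32)


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """Per-session key for step S5, bound to the accepted sequence number."""
    return kdf(rrk, RMSK_LABEL + struct.pack(">H", seq), 64)


class Terminal:
    """Terminal device 10: keeps rRK after step S2; the EMSK is not needed again."""

    def __init__(self, emsk: bytes):
        self.rrk = derive_rrk(emsk)
        self.rik = derive_rik(self.rrk)
        self.seq = 0

    def initiate_reauth(self, keyname: bytes) -> bytes:
        """Step S4a: message = keyname | seq | HMAC(rIK, keyname | seq)."""
        self.seq += 1
        body = keyname + struct.pack(">H", self.seq)
        return body + hmac.new(self.rik, body, hashlib.sha256).digest()


class ReauthServer:
    """Service-level verifier (AAA server 40 in Fig. 1, MIP HA 35 in Fig. 4).
    It only ever receives rRK (step S3 / S14), never the EMSK or EAP credentials."""

    def __init__(self):
        self.keys = {}  # keyname -> [rRK, rIK, last accepted seq]

    def receive_rrk(self, keyname: bytes, rrk: bytes) -> None:
        self.keys[keyname] = [rrk, derive_rik(rrk), 0]

    def handle_reauth(self, msg: bytes):
        """Step S4b: check integrity and freshness locally; rMSK on success, else None."""
        if len(msg) < 2 + MAC_LEN:
            return None
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        keyname, seq = body[:-2], struct.unpack(">H", body[-2:])[0]
        entry = self.keys.get(keyname)
        if entry is None:
            return None  # no rRK for this key name: a full EAP run (step S1) is needed
        rrk, rik, last_seq = entry
        expected = hmac.new(rik, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # wrong key or tampered message
        if seq <= last_seq:
            return None  # replayed or stale sequence number
        entry[2] = seq
        return derive_rmsk(rrk, seq)


def run_flow() -> dict:
    """Drive steps S1-S5 plus a replayed and a forged message; return the outcomes."""
    emsk = os.urandom(64)            # constructed: EMSK produced by the S1 EAP method
    keyname = b"ms@home.example"     # constructed key name identifying the rRK
    terminal = Terminal(emsk)
    home_aaa_rrk = derive_rrk(emsk)  # home AAA 50 derives the same rRK in step S2
    server = ReauthServer()
    server.receive_rrk(keyname, home_aaa_rrk)                  # step S3
    msg = terminal.initiate_reauth(keyname)                    # step S4a
    session_key = server.handle_reauth(msg)                    # step S4b, then S5
    replayed = server.handle_reauth(msg)                       # same message again
    forged = server.handle_reauth(keyname + struct.pack(">H", 9) + os.urandom(MAC_LEN))
    return {
        "session_key": session_key,
        "terminal_key": derive_rmsk(terminal.rrk, terminal.seq),
        "replayed": replayed,
        "forged": forged,
    }
```

The single round trip of step S4 is what the page credits for the latency gain: everything the verifier needs is derived from the rRK it already holds.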
In Fig. 2, a block circuit diagram of a terminal device 10 is shown which illustrates the parts of the terminal device 10 used for implementing the method described in connection with Fig. 1.
It is to be noted that only those parts of the terminal device 10 are depicted in Fig. 2 which are involved in the authentication/authorization mechanism described above.
There are of course other elements of the terminal device 10 which are used for other functions, which are known to those skilled in the art. These functions may be also executed in part or as a whole by the elements shown in Fig. 2.
In detail, the terminal device 10 comprises a processor 101 as the main control unit, a transmitter/receiver unit (Tx/Rx) 102 connected to the processor 101 for establishing a connection with the access network subsystem (e.g. the ASN of Fig. 6), and a memory 103 connected to the processor 101 for storing data and programs executed by the processor 101. In the processor 101, a key determining/deriving portion 104 is provided which executes a function associated with step S2 in Fig. 1. The key determining/deriving portion 104 provides the derived key to an authentication/authorization execution portion 105 which executes the authentication/authorization process according to step S4 (S4a) and also according to step S1 of Fig. 1. This authentication/authorization process may be based, for example, on EAP methods. The information input to the key determining/deriving portion 104 and output from the authentication/authorization execution portion 105 are received from or sent to the network by the Tx/Rx 102.
In Fig. 3, a block circuit diagram of an AAA server is shown which illustrates the parts of the AAA server 40 on the service level used for implementing the method described in connection with Fig. 1.
It is to be noted that only those parts of the AAA server 40 are depicted in Fig. 3 which are involved in the authentication/authorization mechanism described above. There are of course other elements of the AAA server 40 which are used for other functions, which are known to those skilled in the art. These functions may be also executed in part or as a whole by the elements shown in Fig. 3.
In detail, the AAA server 40 comprises a processor 401 as the main control unit, input/output units (I/O) 402, 403 connected to the processor 401 for establishing a connection with the access network subsystem (e.g. the ASN of Fig. 6) or with a service agent, such as the MIP HA 30, and a memory 404 connected to the processor 401 for storing data and programs executed by the processor 401. In the processor 401, a key receiving portion 405 is provided which receives and stores the re-authentication key rRK (or a correspondingly derived key) from the AAA server 50 responsible for the authentication/authorization on the network access level and sent in step S3 of Fig. 1. The key receiving portion 405 provides the received key to an authentication/authorization execution portion 406 which executes the authentication/authorization process according to step S4 (S4a, S4b) of Fig. 1. This authentication/authorization process may be based, for example, on EAP methods and on the ERX protocol. The I/O 402 is used to receive information (according to step S3 of Fig. 1, for example) input to the key receiving portion from the network access server side. The I/O 403 is used to receive/send information related to the authentication/authorization execution portion 406 from/to the terminal device side (the service agent side).
By means of the authentication/authorization mechanism described in accordance with the example depicted in Figs. 1 to 3, it is possible to significantly reduce delays in service authentication/authorization processes. This is achieved by the fact that there is only one single round trip between the terminal device 10 and the AAA server responsible for service level e.g. mobility authentication, while it is not necessary to communicate with the AAA server for network access authentication in the second EAP run in step S4. Furthermore, the AAA servers responsible for the different EAP rounds (network access level and service level) can be independent.
Next, an alternative example of the authentication/authorization mechanism according to the invention is explained in connection with Figs. 4 and 5.
This alternative example differs from the first example shown in Fig. 1 in that the service agent element, like the MIP HA, directly terminates the EAP method. That means that the re-authentication key is passed to the service agent by the AAA server responsible for the network access authentication.
The details of the alternative example are depicted in Fig. 4. Similar to Fig. 1, a signaling diagram as an alternative example of an implementation of the authentication and authorization mechanism according to the invention is described. The elements depicted in Fig. 4 may correspond to those shown in Fig. 6, for example. Furthermore, it is assumed that the authentication and authorization processes are based on EAP. In this connection, as the re-authentication protocol, the alternative example may use also the EAP Re-authentication extension (ERX) or EAP Re-authentication Protocol (ERP) described above.
In detail, according to Fig. 4, a terminal device 15, a NAS 20 as an authenticator, a service agent 35 as a MIP HA (a mobility anchor), an AAA server 45 on a service level and an AAA server 50 on a network access level are involved in the authentication and authorization mechanism according to this example.
Steps S11 to S13 are basically the same as steps S1 to S3 according to Fig. 1 so that an explanation thereof is omitted herein.
After receiving the re-authentication key (e.g. the rRK) from the AAA server 50 in step S13, the AAA server 45, which is responsible for authentication/authorization on the service level, e.g. for mobility service, sends in step S14 the key further to the MIP HA 45 (the possibility to send the re-authentication key from the AAA server 45 to the MIP HA 35 as in step S14 is indicated also in Fig. 3 by means of the dotted arrow from the key receiving portion 405 to the I/O 403). It is to be noted that there is also the possibility that the AAA servers shown in Fig. 4 may be located in the same physical entity, i.e. that the AAA server is responsible for authentication/authorization on both the network access and service level for the communication connection of the terminal device. In such a case, step S13 is executed internally in such an entity.
In a next step S15, an authentication/authorization process on the service level for gaining access to service provided by the network is executed. In the present alternative example, the terminal device 15 authenticates with the MIP HA 35 for service level authentication/authorization based on ERX, using the re-authentication key as generated in step S12 and as passed to the MIP HA 35 from the AAA server in step S14. In detail, the terminal device 15 contacts via the NAS 20 the service agent 35 (the MIP HA). The transmissions between terminal device 15 and the home agent 35 are based, for example, on an EAP-ERX protocol. The home agent 35 authenticates and authorizes the service (e.g. mobility service) by using an EAP method independent EAP re-authentication exchange.
When the authentication/authorization on the service level is completed successfully, in step S16, a secured service session (for example a MIP session) is established.
In Fig. 5, a block circuit diagram of a service agent, in particular of a home agent for Mobile IP is shown, which illustrates the parts of the service agent 35 used for implementing the method described in connection with Fig. 4.
It is to be noted that only those parts of the service agent 35 are depicted in Fig. 5 which are involved in the authentication/authorization mechanism described above.
There are of course other elements of the service agent 35 which are used for other functions, which are known to those skilled in the art. These functions may be also executed in part or as a whole by the elements shown in Fig. 5.
In detail, the service agent 35 (e.g. the MIP HA) comprises a processor 351 as the main control unit, input/output units (I/O) 352, 353 connected to the processor 351 for establishing a connection with the AAA servers (e.g. to the CSN of Fig. 6) or with the terminal device 15 of Fig. 4, and a memory 354 connected to the processor 351 for storing data and programs executed by the processor 351. In the processor 351, a key receiving portion 355 is provided which receives and stores the re-authentication key rRK (or a correspondingly derived key) from the AAA server in step S14 of Fig. 4. The key receiving portion 355 provides the received key to an authentication/authorization execution portion 356 which executes the authentication/authorization process according to step S15 of Fig. 4. This authentication/authorization process may be based, for example, on EAP methods and on the ERX protocol. The I/O 352 is used to receive information (according to step S14 of Fig. 4, for example) input to the key receiving portion from the AAA server side. The I/O 353 is used to receive/send information related to the authentication/authorization execution portion 356 from/to the terminal device side.
By means of the authentication/authorization mechanism described in accordance with the alternative example according to Figs. 4 and 5, basically the same benefits as those described in connection with the first example are achievable.
As mentioned above, the present invention is also applicable in a case where an inter-system handover is executed, i.e. where a handover between different access technologies takes place, e.g. between a WiMAX system and a WLAN. In such a case, processing and signalling are to be effected which are known to those skilled in the art and which are basically comparable to those described in connection with Figs. 1, 4 and 6, except for the fact that the home network is arranged according to a first type of network specification, for example WiMAX, while the visited network is arranged according to a second type of network specification, for example WLAN. The way to execute an authentication/authorization process to gain access to the other type of access network is basically the same as that described above for gaining access to a specific service in the same network, i.e. the procedure for authentication/re-authentication by using, for example, EAP based methods and ERX based protocol in the inter-system handover scenario is comparable to that of the service access scenario described above.
It should be understood that the above description and accompanying figures are merely intended to illustrate the present invention by way of example only. The preferred embodiments of the present invention may thus vary within the scope of the attached claims.

Claims

1. A terminal device configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
2. The terminal device according to claim 1, further configured to use an authentication procedure based on the Extensible Authentication Protocol in the first authentication and authorization process.
3. The terminal device according to claim 1, further configured to use a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the second authentication and authorization process.
4. The terminal device according to claim 1, further configured to determine the key by deriving a re-authentication key independent from the predetermined authentication procedure used in the first authentication and authorization process.
5. The terminal device according to claim 4, further configured to derive the re-authentication key from a master key determined in the predetermined authentication procedure.
6. The terminal device according to claim 1, further configured to execute the second authentication and authorization process for authentication for a mobility service.
7. The terminal device according to claim 1, further configured to execute the first and second authentication and authorization processes to perform an inter-system handover, wherein the second authentication and authorization process is performed to gain access to a different access subsystem.
8. An authentication server device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re- authentication protocol on the basis of the received key.
9. The authentication server device according to claim 8, wherein the key is generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
10. The authentication server device according to claim 8, further configured to use a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the authentication and authorization process.
11. The authentication server device according to claim 8, further configured to execute the authentication and authorization process for authentication of the service requested for a mobility service.
12. The authentication server device according to claim 8, further configured to execute the authentication and authorization process to perform an inter-system handover for providing access to a different access subsystem.
13. The authentication server device according to claim 8, further configured to receive the key from an authentication server device executing an authentication and authorization process on a network access level.
14. A service agent device configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re- authentication protocol on the basis of the received key.
15. The service agent device according to claim 14, wherein the key is generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
16. The service agent device according to claim 14, further configured to use a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the authentication and authorization process.
17. The service agent device according to claim 14, further configured to execute the authentication and authorization process for authentication of the service requested for a mobility service.
18. The service agent device according to claim 14, further configured to execute the authentication and authorization process to perform an inter-system handover for providing access to a different access subsystem.
19. The service agent device according to claim 14, further configured to receive the key from one of an authentication server device executing an authentication and authorization process on a network access level and an authentication server device executing an authentication and authorization process on a service level.
20. The service agent device according to claim 14, comprising a home agent functionality.
21. A method comprising executing, in a terminal device, a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determining, in the terminal device, a key used for a re-authentication process, and executing, in the terminal device, a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
22. The method according to claim 21, further comprising using an authentication procedure based on the Extensible Authentication Protocol in the first authentication and authorization process.
23. The method according to claim 21, further comprising using a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the second authentication and authorization process.
24. The method according to claim 21, further comprising determining the key by deriving a re-authentication key independent from the predetermined authentication procedure used in the first authentication and authorization process.
25. The method according to claim 23, further comprising deriving the re-authentication key from a master key determined in the predetermined authentication procedure.
26. The method according to claim 21, further comprising executing the second authentication and authorization process for authentication for a mobility service.
27. The method according to claim 21, further comprising executing the first and second authentication and authorization processes to perform an inter-system handover, wherein the second authentication and authorization process is performed to gain access to a different access subsystem.
28. A method comprising receiving, in an authentication server, a key used for a re-authentication process, and executing, in the authentication server, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
29. The method according to claim 28, wherein the key is generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
30. The method according to claim 28, further comprising using a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the authentication and authorization process.
31. The method according to claim 28, further comprising executing the authentication and authorization process for authentication of the service requested for a mobility service.
32. The method according to claim 28, further comprising executing the authentication and authorization process to perform an inter-system handover for providing access to a different access subsystem.
33. The method according to claim 28, further comprising receiving the key from an authentication server device executing an authentication and authorization process on a network access level.
34. A method comprising receiving, in a service agent, a key used for a re-authentication process, and executing, in the service agent, an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
35. The method according to claim 34, wherein the key is generated in a network access level process using a predetermined authentication procedure based on an authentication protocol, wherein the re-authentication protocol is independent to the predetermined authentication procedure.
36. The method according to claim 34, further comprising using a re-authentication protocol based on the Extensible Authentication Protocol Re-Authentication Extension in the authentication and authorization process.
37. The method according to claim 34, further comprising executing the authentication and authorization process for authentication of the service requested for a mobility service .
38. The method according to claim 34, further comprising executing the authentication and authorization process to perform an inter-system handover for providing access to a different access subsystem.
39. The method according to claim 34, further comprising receiving the key from one of an authentication server device executing an authentication and authorization process on a network access level and an authentication server device executing an authentication and authorization process on a service level.
40. The method according to claim 34, further comprising executing a home agent functionality.
41. A computer program product for a computer, comprising software code portions for causing, when said product is run on the computer, said computer to function as a part of a terminal device, wherein the computer program product is configured to execute a first authentication and authorization process on a network access level by using a predetermined authentication procedure based on an authentication protocol, determine a key used for a re-authentication process, and execute a second authentication and authorization process on a service level by using a re-authentication protocol on the basis of the determined key, wherein the re-authentication protocol is independent of the predetermined authentication procedure.
42. A computer program product for a computer, comprising software code portions for causing, when said product is run on the computer, said computer to function as a part of an authentication server, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
43. A computer program product for a computer, comprising software code portions for causing, when said product is run on the computer, said computer to function as a part of a service agent, wherein the computer program product is configured to receive a key used for a re-authentication process, and execute an authentication and authorization process on a service level with a service requester by using a re-authentication protocol on the basis of the received key.
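The key flow that claims 28 to 43 describe, shown end to end as an added worked example (this is not the patent's or Nokia Siemens Networks' code): the first, network-access-level EAP run yields an EMSK; from it the terminal derives the re-authentication root key rRK and integrity key rIK; the service-level authenticator receives rRK out of band (the transfer of claims 33 and 39 is modelled as a function call) and then runs the re-authentication exchange, which never touches the original EAP method, so the second process is independent of the first. The server class stands for both the authentication server of claim 28 and the service agent (for example a home agent) of claim 34. The key labels, key lengths, the 2-octet length and SEQ encodings and the PRF+ construction follow RFC 5295 and RFC 6696, the standardized form of the EAP Re-authentication Extension the claims name, as I recall them and should be treated as assumptions; the message layout is simplified, and the EMSK and keyName-NAI are constructed sample input.

```python
"""ERP-style service-level re-authentication bootstrapped from a network-access EMSK.

Added illustration, not code from the patent or any vendor.  Labels, lengths and
the PRF+ KDF are modelled on RFC 5295 / RFC 6696 and are assumptions here.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
MAC_LEN = 16  # HMAC-SHA256-128: the tag is the first 16 octets of the HMAC (assumed default cryptosuite)
CRYPTOSUITE = 2  # assumed code point for HMAC-SHA256-128


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """RFC 5295 KDF: PRF+(K, S) = T1 | T2 | ...  with Ti = HMAC(K, T(i-1) | S | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def kdf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # S = label | "\0" | optional data | 2-octet output length (RFC 5295 section 3.2)
    return prf_plus(key, label + b"\x00" + data + struct.pack("!H", length), length)


def derive_rrk(emsk: bytes) -> bytes:
    """Re-authentication Root Key: the only input needed from the first (EAP) process."""
    return kdf(emsk, b"EAP Re-authentication Root Key@ietf.org", b"", 64)


def derive_rik(rrk: bytes) -> bytes:
    """Re-authentication Integrity Key, bound to the cryptosuite."""
    return kdf(rrk, b"Re-authentication Integrity Key@ietf.org", bytes([CRYPTOSUITE]), 32)


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """Per-run session key; SEQ makes each re-authentication yield a fresh key."""
    return kdf(rrk, b"Re-authentication Master Session Key@ietf.org", struct.pack("!H", seq), 64)


class Peer:
    """Terminal side (claim 41): holds rRK/rIK derived after the network-access EAP run."""

    def __init__(self, emsk: bytes, keyname_nai: bytes):
        self.rrk = derive_rrk(emsk)   # which EAP method produced the EMSK is irrelevant from here on
        self.rik = derive_rik(self.rrk)
        self.nai = keyname_nai
        self.seq = 0

    def initiate(self) -> bytes:
        """EAP-Initiate/Re-auth (simplified): SEQ | keyName-NAI | HMAC-SHA256-128 tag under rIK."""
        self.seq += 1
        body = struct.pack("!H", self.seq) + self.nai
        tag = hmac.new(self.rik, body, HASH).digest()[:MAC_LEN]
        return body + tag

    def session_key(self) -> bytes:
        return derive_rmsk(self.rrk, self.seq)


class ServiceAuthenticator:
    """Server side (claims 28/34): authentication server or service agent such as a home agent."""

    def __init__(self):
        self.store = {}  # keyName-NAI -> [rRK, rIK, last accepted SEQ]

    def install_key(self, keyname_nai: bytes, rrk: bytes) -> None:
        """Stands in for receiving the key from the access-level server (claims 33/39)."""
        self.store[keyname_nai] = [rrk, derive_rik(rrk), 0]

    def finish(self, msg: bytes):
        """Verify an EAP-Initiate/Re-auth; return the rMSK on success, None on any failure."""
        if len(msg) < 2 + MAC_LEN:
            return None
        body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        seq = struct.unpack("!H", body[:2])[0]
        entry = self.store.get(body[2:])
        if entry is None:
            return None  # unknown key name: no rIK to check against
        rrk, rik, last_seq = entry
        expected = hmac.new(rik, body, HASH).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, tag):
            return None  # wrong rIK or modified message
        if seq <= last_seq:
            return None  # replayed or stale SEQ
        entry[2] = seq
        return derive_rmsk(rrk, seq)


if __name__ == "__main__":
    emsk = bytes(range(64))                       # constructed EMSK from the first EAP run
    peer = Peer(emsk, b"user@example.net")        # constructed keyName-NAI
    server = ServiceAuthenticator()
    server.install_key(b"user@example.net", derive_rrk(emsk))
    rmsk = server.finish(peer.initiate())
    print("re-authentication ok:", rmsk == peer.session_key())
```

Two points worth noting when reading the code against the claims: the server never sees the EMSK or the first-process credentials, only rRK, which is what makes the service-level process independent of the network-access method; and the SEQ check plus the constant-time tag comparison are what turn a bare key derivation into an authentication, since without them the same initiate message could be replayed to mint the same rMSK again.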
PCT/EP2008/067139 2008-01-09 2008-12-09 Mechanism for authentication and authorization for network and service access WO2009087006A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US1064508P 2008-01-09 2008-01-09
US61/010,645 2008-01-09

Publications (1)

Publication Number Publication Date
WO2009087006A1 true WO2009087006A1 (en) 2009-07-16

Family

ID=40647148

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/067139 WO2009087006A1 (en) 2008-01-09 2008-12-09 Mechanism for authentication and authorization for network and service access

Country Status (1)

Country Link
WO (1) WO2009087006A1 (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6487667B1 (en) * 1996-06-03 2002-11-26 Gary S. Brown System for remote pass-phrase authentication
US20010037466A1 (en) * 2000-04-28 2001-11-01 Konami Corporation Network connection control method and connection control system
WO2004032415A1 (en) * 2002-10-03 2004-04-15 Nokia Corporation Method and apparatus enabling reauthentication in a cellular communication system
WO2006045402A1 (en) * 2004-10-26 2006-05-04 Telecom Italia S.P.A. Method and system for transparently authenticating a mobile user to access web services

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012068801A1 (en) * 2010-11-22 2012-05-31 ZTE Corporation Authentication method for mobile terminal and mobile terminal
CN102014385A (en) * 2010-11-22 2011-04-13 ZTE Corporation Authentication method for mobile terminal, and mobile terminal
JP2015502701A (en) * 2011-11-08 2015-01-22 Qualcomm Incorporated Enabling access to key lifetime for wireless link setup
US10230715B2 (en) 2013-04-12 2019-03-12 Globoforce Limited System and method for mobile single sign-on integration
WO2014168638A1 (en) * 2013-04-12 2014-10-16 Globoforce Limited System and method for mobile single sign-on integration
US9009806B2 (en) 2013-04-12 2015-04-14 Globoforce Limited System and method for mobile single sign-on integration
US9774595B2 (en) 2013-12-12 2017-09-26 Orange Method of authentication by token
CN109691157A (en) * 2016-09-19 2019-04-26 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure
WO2018052640A1 (en) * 2016-09-19 2018-03-22 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (eap) procedure
US10433163B2 (en) 2016-09-19 2019-10-01 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure
JP2019533344A (en) * 2016-09-19 2019-11-14 Qualcomm Incorporated Techniques for deriving a security key for a cellular network based on implementation of an extensible authentication protocol (EAP) procedure
AU2017328040B2 (en) * 2016-09-19 2021-01-28 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure
TWI745415B (en) * 2016-09-19 2021-11-11 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (eap) procedure
JP7008690B2 (en) 2016-09-19 2022-01-25 Qualcomm Incorporated Techniques for deriving security keys to cellular networks based on the implementation of Extensible Authentication Protocol (EAP) procedures
CN109691157B (en) * 2016-09-19 2022-05-03 Qualcomm Incorporated Method, apparatus, and non-transitory computer-readable medium for wireless communication
CN114727283A (en) * 2016-09-19 2022-07-08 Qualcomm Incorporated Method, apparatus, and non-transitory computer-readable medium for wireless communication
US11463871B2 (en) 2016-09-19 2022-10-04 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure

Similar Documents

Publication Publication Date Title
CN110999356B (en) Network security management method and device
US20110302643A1 (en) Mechanism for authentication and authorization for network and service access
CN113796111A (en) Apparatus and method for providing mobile edge computing service in wireless communication system
EP1875707B1 (en) Utilizing generic authentication architecture for mobile internet protocol key distribution
EP1552646B1 (en) Method and apparatus enabling reauthentication in a cellular communication system
US20080026724A1 (en) Method for wireless local area network user set-up session connection and authentication, authorization and accounting server
KR101068424B1 (en) Inter-working function for a communication system
EP1842319A1 (en) User authentication and authorisation in a communications system
US20110078442A1 (en) Method, device, system and server for network authentication
US20120096529A1 (en) Method and Device for Managing Authentication of a User
WO2006126077A2 (en) Method for producing key material
CN113676904B (en) Slice authentication method and device
WO2009087006A1 (en) Mechanism for authentication and authorization for network and service access
KR20200130141A (en) Apparatus and method for providing mobile edge computing service in wireless communication system
EP2092714B1 (en) METHOD and device FOR FAST HANDOVER AND AUTHENTICATION IN A PACKET DATA NETWORK
WO2019122495A1 (en) Authentication for wireless communications system
US9137661B2 (en) Authentication method and apparatus for user equipment and LIPA network entities
US7296152B1 (en) System and method for providing access to a network in a communications environment
JP4793826B2 (en) Authentication method and system in handover of mobile terminal
WO2015013647A1 (en) Providing telephony services over wifi for non-cellular devices
US9560526B2 (en) Method and apparatus for single sign-on in a mobile communication system
KR100485517B1 (en) Apparatus and method of user authentication for WLAN system
WO2013037264A1 (en) Admission control method and system
KR20140095050A (en) Method and apparatus for supporting single sign-on in a mobile communication system
WO2008090184A2 (en) Setting management for subscriber station in wimax network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08869862; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08869862; Country of ref document: EP; Kind code of ref document: A1)