WO2009103188A1 - One-pass authentication mechanism and system for heterogeneous networks - Google Patents


Info

Publication number
WO2009103188A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
network
user identity
wimax
Application number
PCT/CN2008/000372
Other languages
French (fr)
Inventor
Zhengxiong Lei
Xueqiang Yan
Original Assignee
Alcatel Shanghai Bell Co., Ltd.
Alcatel Lucent
Application filed by Alcatel Shanghai Bell Co., Ltd. and Alcatel Lucent
Family members claiming priority to this application: EP08714830.0A (EP2248296A4), KR1020107018451A (KR101427447B1), JP2010547018A (JP5351181B2), US12/735,588 (US9332000B2), PCT/CN2008/000372 (WO2009103188A1), CN2008801270551A (CN101946455B)
Publication: WO2009103188A1

Classifications

    • H04L 63/08, 63/0815: Network security; authentication of entities, providing single-sign-on or federations
    • H04L 65/1066, 65/1073: Support of real-time applications; session management, registration or de-registration
    • H04L 65/10, 65/1016: Support of real-time applications; architectures or entities, IP multimedia subsystem [IMS]
    • H04L 9/32, 9/3271, 9/3273: Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, using challenge-response, for mutual authentication
    • H04W 12/06, 12/069: Security arrangements; authentication, using certificates or pre-shared keys
    • H04L 2209/76: Proxy, i.e. using an intermediary entity to perform cryptographic operations
    • H04L 2209/80: Wireless
    • H04W 84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 92/02: Inter-networking arrangements

Definitions

  • the present invention generally relates to the field of authentication and, more particularly, the invention relates to a one-pass authentication mechanism and system for heterogeneous networks.
  • the next generation communication networks are characterized by the co-existence of a variety of network architectures, due to the diverse requirements for data rate, radio coverage, deployment cost and multimedia service.
  • the 3GPP (3rd Generation Partnership Project) is actively specifying the roaming mechanism in the integrated Wireless LAN (Local Area Network)/ UMTS (Universal Mobile Telecommunication System) networks. It should be noted that this scenario is only a specific heterogeneous network.
  • WiMAX: the IEEE 802.16 standard for Wireless Metropolitan Area Networks (Wireless MAN)
  • Multimedia service provisioning is one of the primary demands and motivations for the next generation networks.
  • the IP Multimedia Subsystem is added as the core network part providing the multimedia service, e.g. voice telephony, video conference, real-time streaming media, interactive game, and instant messaging.
  • the multimedia session management, initialization and termination are specified and implemented in the Session Initiation Protocol (SIP).
  • SIP: Session Initiation Protocol
  • WiMAX and IMS are now deployed in the global market.
  • WiMAX supports Internet protocol (IP) multimedia services through IMS.
  • IP: Internet protocol
  • Operators and vendors are all interested in how a WiMAX mobile station (MS) accesses IMS and how to improve the user experience.
  • Since the IMS information is delivered through the WiMAX transport network, a WiMAX MS must activate a WiMAX IP Connectivity Access Network (IP-CAN) session before it can register with the IMS network.
  • IP-CAN: WiMAX IP Connectivity Access Network
  • the substantial technical challenge is to design and implement security architectures and protocols across such heterogeneous networks, taking into account the performance of the network and the experience of subscribers. For example, one of the most important features in the framework of network security management is a mutual authentication mechanism, by which a subscriber is able to authenticate the network and the network is also able to authenticate the subscriber.
  • EAP-AKA: Extensible Authentication Protocol-Authentication and Key Agreement
  • IMS-AKA is the authentication method at IMS level, as illustrated in Fig.1.
  • this full authentication procedure includes two independent sub-procedures, i.e. an authentication sub-procedure at the WiMAX IP-CAN level (see the upper part of Fig.1) and another authentication sub-procedure at the IMS level (see the lower part of Fig.1).
  • this full authentication procedure is called a "two-pass" authentication procedure.
  • the technical problem is how to design a one-pass WiMAX and IMS authentication mechanism that can be used when a MS accesses IMS via WiMAX.
  • the existing solution for WiMAX and IMS authentication is the normal "two-pass" authentication procedure, which generates more network traffic, such as registration/authentication traffic, than a "one-pass" authentication procedure.
  • the objective of the present invention is to provide a one-pass authentication mechanism and system for heterogeneous networks, specifically, to provide a one-pass authentication mechanism that can be used when a MS accesses IMS via WiMAX.
  • the proposed one-pass WiMAX and IMS authentication mechanism only needs to perform WiMAX authentication, and thus can significantly reduce the IMS registration/authentication traffic, improve the performance of the network and improve the subscriber experience.
  • In one aspect, a one-pass authentication mechanism for heterogeneous networks is provided. This mechanism comprises authenticating a user based on an authentication key and an authentication algorithm in response to a request of the user to register with a first network, wherein the authentication key and the authentication algorithm are associated with a first user identity for the first network and a second user identity for a second network; and, if the authentication is successful, then, in response to a request of the user to register with the second network, comparing the first user identity retrieved from an authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, and setting up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
  • In another aspect, a one-pass authentication system for heterogeneous networks is provided. This system comprises an authentication database, which stores a first user identity for a first network, a second user identity for a second network, and an authentication key and an authentication algorithm associated with the first and second user identities; a first authentication server adapted to authenticate a user based on the authentication key and the authentication algorithm in response to a request of the user to register with the first network; and a second authentication server adapted to compare the first user identity retrieved from the authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register with the second network, and to set up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
  • Fig.1 is an exemplary message flow diagram illustrating a two-pass WiMAX and IMS authentication procedure of the prior art
  • Fig.2 shows schematically a functional architecture for a one-pass authentication mechanism in accordance with an embodiment of the present invention
  • Fig.3 is an exemplary message flow diagram illustrating a one-pass WiMAX and IMS authentication procedure in accordance with an embodiment of the present invention
  • Fig.4 is a diagram representation depicting traffic-cost saving of the one-pass procedure over the two-pass procedure in accordance with an embodiment of the present invention.
  • Fig.5 is a schematic flow chart illustrating a one-pass authentication mechanism in accordance with an embodiment of the present invention.
  • authentication is performed at both the WiMAX network level and the IMS network level before a MS can access IMS services, as indicated above.
  • At the WiMAX network level, for example, EAP-AKA is employed to perform the authentication procedure for the WiMAX MS.
  • This authentication procedure consists of initial network entry, WiMAX access network authentication and IP-CAN session establishment procedures, which are represented by steps 101-125 in Fig.1 and will be further discussed with respect to Fig.3 hereafter.
  • the MS then needs to be authenticated through another authentication procedure, such as IMS-AKA, depicted by steps 126-133.
  • the present invention proposes a one-pass authentication procedure that only needs to perform WiMAX authentication.
  • authentication is implicitly performed in IMS registration.
  • Such an authentication mechanism may save at least 25% and up to 50% of the IMS registration/authentication network traffic compared with the two-pass procedure, as will be explained with Fig.4.
  • the MS shall support at least one of EAP-AKA or EAP-TTLS, as specified in the WiMAX NWG specification titled "WiMAX Forum Network Architecture stage 3, Detailed Protocols and Procedures".
  • EAP-AKA: Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement
  • SUBC: Subscriber Credentials
  • the NWG specification specifies that the format of SUBC depends on deployment and SUBC is known by the home network and the MS. However, the NWG specification does not define the format of SUBC.
  • EAP-AKA is used for WiMAX user authentication and SUBC is the same as the long-term security key K used in IMS authentication.
  • WiMAX authentication procedure and IMS authentication procedure use the same authentication key K and authentication functions (which are used to generate the authentication vectors).
  • the assumption is reasonable when the WiMAX network and the IMS network belong to the same operator or the WiMAX network operator gets an agreement with the IMS network operator.
  • In the two-pass procedure, user authentication is performed first at the WiMAX network level and then at the IMS network level. Since IMS-AKA is used for IMS authentication and the EAP-AKA method is used for WiMAX authentication, most of the steps in this "two-pass" authentication procedure are identical. Second, the WiMAX authentication procedure and the IMS authentication procedure use the same authentication key K and authentication functions. Therefore, when a WiMAX user has been successfully authenticated at the WiMAX network level, it is implied that the long-term pre-shared IMS security key K in the WiMAX terminal is the same as that in the IMS network (which can be found in the Home Subscriber Server (HSS)), i.e. mutual authentication is achieved between the MS and the IMS network.
  • HSS: Home Subscriber Server
  • the proposed one-pass authentication procedure only needs to perform WiMAX authentication.
  • authentication is implicitly performed in IMS registration. It will be formally proved hereafter that the one-pass procedure achieves mutual authentication between the MS and the network at the IMS level. It will also be evaluated how much WiMAX/IMS authentication traffic the present invention saves.
  • Reference throughout this specification to "one embodiment,” “an embodiment,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
  • Fig.2 shows schematically a functional architecture 200 for a one-pass authentication mechanism in accordance with an embodiment of the present invention.
  • functional architecture 200 may comprise various related functional entities and interfaces, such as enhanced Authentication Authorization Accounting (AAA) server 202 for WiMAX authentication and Interrogating/Serving Call Session Control Function (I/S-CSCF) 204 for IMS authentication.
  • enhanced AAA server 202 has a Diameter based interface able to retrieve authentication parameters such as authentication vectors from HSS 201.
  • AAA proxy 203 in Connectivity Service Network (CSN) proxies the authentication messages between Access Service Network Gateway (ASN GW) 207 and enhanced AAA server 202 in WiMAX network.
  • CSN: Connectivity Service Network
  • I/S-CSCF 204 can invoke the authentication vector distribution procedure by Cx message delivery with the HSS 201.
  • Home Agent (HA) 206 and P-CSCF 205 can assist in communications between ASN GW 207 and I/S-CSCF 204.
  • BS 208 facilitates interactions between MS 209 and communication networks via ASN GW 207.
  • When a WiMAX subscriber is also an IMS subscriber, and the subscriber uses the same MS to access the WiMAX and IMS networks, it is assumed that:
  • EAP-AKA is used for WiMAX user authentication.
  • SUBC, the long-term security key used in WiMAX user authentication, is the same as K, the long-term pre-shared security key used in IMS authentication; SUBC (K) is stored in the MS and the HSS.
  • WiMAX authentication procedure and IMS authentication procedure use the same authentication functions and the same authentication key K.
  • AAA server is enhanced with a Diameter based interface to retrieve authentication vectors from the HSS.
  • This enhanced AAA server may be a subset of the 3GPP AAA server in the 3GPP I-WLAN specification (TS 23.234).
  • the Wx interface of 3GPP AAA server can be used to retrieve the authentication vectors from the HSS. Therefore the 3GPP AAA server can be reused in the solution of the present invention.
  • the IMS operator assigns an IMSI value imsi besides an IMPI value impi to the user.
  • the WiMAX MS has the IMSI value imsi and the IMPI value impi, and the HSS also stores the imsi and impi for the corresponding user/MS.
  • the imsi is used to locate K value k at WiMAX network authentication level, while impi is used to locate K value k at IMS network authentication level.
  • the imsi and impi are associated with the same K value k and authentication functions.
  • the imsi will be used to get the outer-identity/inner-identity (which is used in EAP based authentication at WiMAX network level).
  • the ASN GW can implement a SIP application level gateway (ALG) that may modify the format of SIP messages (to be elaborated at step 326 in Fig.3).
  • ALG: SIP application level gateway
  • the assumption is reasonable when the WiMAX network and IMS network belong to the same operator or the WiMAX network operator gets an agreement with the IMS network operator.
  • MS 209 is authenticated by the enhanced AAA server 202, which can retrieve authentication vectors based on the MS's IMSI value imsi from HSS 201.
  • AAA proxy in CSN 203 can proxy the authentication messages between the ASN GW 207 and the enhanced AAA server 202.
  • MS 209 is authenticated by the S-CSCF 204, which can retrieve authentication vectors based on the MS's IMPI value impi from HSS 201.
  • HSS 201 and WiMAX MS 209 share the same long-term security key K and authentication functions which are associated with impi (which is used at the IMS authentication level) and imsi (which is used at the WiMAX network authentication level) assigned to MS 209 by networks.
  • In Fig.3, an exemplary message flow diagram of a one-pass WiMAX and IMS authentication procedure is depicted in accordance with an embodiment of the present invention.
  • the procedure consists of two parts: the WiMAX part illustrates the authentication procedure at the WiMAX network level, while the IMS part shows the authentication procedure at the IMS network level.
  • the MS interacts with the S-CSCF possibly through P-CSCF and I-CSCF.
  • Fig.3 uses the term "CSCF" to represent the proxy, interrogating, and service functions of CSCF.
  • the BS informs the ASN GW such as ASN GW 207 about the new MS entering the network in step 302.
  • the ASN GW may send an EAP-Request/Identity message to the MS through the BS, as shown in steps 303 and 304. Then the MS sends EAP-Response/Identity with its outer-identity complying with the format specified in "WiMAX Forum Network Architecture stage 3, Detailed Protocols and Procedures" back to the ASN GW through the BS, as shown in steps 305 and 306.
  • Outer-identity contains either a pseudonym allocated to the MS in previous authentication or, in the case of first authentication, the IMSI value imsi.
  • the username field of outer-identity complies with 3GPP TS 23.003 to indicate that the EAP-AKA authentication method is used.
  • the username field of the outer-identity could be "0<imsi>@WiMAX.mnc<MNC>.mcc<MCC>.3gppnetwork.org" for EAP-AKA authentication, for example.
  • the ASN GW analyses the outer-identity provided by the MS and stores the imsi for the WiMAX MS.
  • the EAP-Response/Identity message is routed towards the proper enhanced AAA Server through one or several AAA proxies based on the realm part and Routing realm part of the outer-identity.
  • the AAA proxies may modify the passing message in compliance with "WiMAX End-to-End Network Systems Architecture (Stage 3: WiMAX-3GPP Interworking)" of the WiMAX Forum.
  • the enhanced AAA Server identifies the subscriber as a candidate for authentication with EAP-AKA based on the received outer-identity, and then checks whether it has an unused authentication vector available for the subscriber, as described in step 308. If the enhanced AAA server has an unused authentication vector, then step 308 is skipped. If not, the enhanced AAA server sends a Diameter based message to a HSS such as HSS 201 (with the parameter imsi).
  • the HSS can use imsi to retrieve records (including long-term security key K value k and authentication functions, etc.) of the MS, and generate an ordered array of authentication vectors (e.g., RAND, AUTN, XRES, IK, CK) based on them.
  • the HSS can send the AV array to the enhanced AAA server.
  • the enhanced AAA server requests again the user identity by using the EAP Request/ AKA Identity message.
  • the MS responds with the same identity (which is called the inner-identity) it used in the EAP Response/Identity message. If no unused authentication vector is available for the WiMAX subscriber in step 315, the enhanced AAA server will retrieve an ordered array of authentication vectors (AVs) from the HSS as in step 308.
  • AVs: authentication vectors
  • the enhanced AAA server selects the next unused authentication vector from the ordered AV array and derives related private information, such as the master session key (MSK) and extended master session key (EMSK), from the CK, IK and the user identity. For example, the MSK, EMSK, etc. will be used at the WiMAX network level to protect the user data channel. Then the enhanced AAA server sends an EAP-Request/AKA-Challenge message to the MS through the ASN GW and BS.
  • the message contains parameters in attributes, which are a random number (AT_RAND), a network authentication token (AT_AUTN), and a message authentication code (AT_MAC).
  • On receipt of the EAP-Request/AKA-Challenge message, the MS runs the AKA algorithm based on the long-term security key k and the authentication functions in the WiMAX MS, and verifies the AT_AUTN. If this is successful, the MS generates the authentication vector (RES, CK, IK) and derives TEK, MSK, and EMSK. The MS then verifies the AT_MAC value sent by the enhanced AAA server. If successful, the MS sends an EAP-Response/AKA-Challenge message to the AAA server through the BS and ASN GW, as described in steps 319 to 321. The message contains AT_RES and AT_MAC.
  • the enhanced AAA server verifies that the AT_RES and the AT_MAC in the EAP-Response/AKA-Challenge packet are correct. If this is successful, the enhanced AAA server sends an EAP-Success message to the MS, as described in steps 322 to 324. At that time, the AAA server should include the MSK in the message.
  • After successfully completing the basic access authentication procedure in the preceding steps, the MS performs a WiMAX registration procedure in step 325 so that it can connect to the IP network. Then, if the WiMAX user is also an IMS subscriber, the MS performs the IMS registration procedure in the following steps.
  • In step 326, after the P-CSCF discovery procedure, the MS sends a SIP REGISTER message with the parameter impi to the ASN GW through the BS.
  • the ASN GW can identify the IMSI (user identity) value imsi of the MS that transmits the data packets.
  • the ASN GW retrieves the IMSI value imsi of the MS, as indicated in Fig.3.
  • the SIP ALG in the ASN GW adds the IMSI value imsi of the MS in the SIP REGISTER message and forwards it to the CSCF.
  • the CSCF then stores the (imsi, impi) pair in the MS record.
  • the CSCF invokes the authentication vector distribution procedure in step 327 by sending a Cx Multimedia Authentication Request message to the HSS along with the parameter impi.
  • the HSS uses the received impi as an index to retrieve records (including the long-term security key k and authentication functions) of the MS, and generates an ordered array of AVs.
  • the HSS sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message. Steps 327 and 328 are skipped if the CSCF already has the AV array.
  • the CSCF sends a Cx Server Assignment Request message to the HSS with the parameter impi.
  • the HSS uses the received impi as an index to retrieve the imsi of the MS.
  • the IMSI value retrieved from the HSS is denoted as IMSI_HSS(impi).
  • the HSS stores the CSCF name and sends a Cx Server Assignment Answer to the CSCF (with the parameter IMSI_HSS(impi)) in step 330.
  • the CSCF checks whether the IMSI value imsi (stored by the CSCF at step 326) and IMSI_HSS(impi) are the same. If so, the S-CSCF selects the next unused AV and sends a SIP 200 OK message with the RAND, CK and IK parameters of the AV to the P-CSCF; the P-CSCF stores CK and IK, removes them from the message, and forwards the rest of the SIP 200 OK message to the MS. If imsi and IMSI_HSS(impi) are different, this implies that the registration is illegal. Upon receiving the SIP 200 OK message, the MS computes the session keys CK and IK based on k and the received RAND. Then the security associations between the MS and the P-CSCF are set up based on IK.
  • In the two-pass procedure of Fig.1, the MS sends a SIP REGISTER message to the CSCF along with the parameter impi through the WiMAX IP-CAN in step 126. If the CSCF does not have the AVs for the MS, the CSCF invokes the authentication vector distribution procedure by sending a Cx Multimedia Authentication Request message to the HSS along with the parameter impi in step 127. Then the HSS uses impi to retrieve the records of the MS and generates an ordered array of AVs. The HSS sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message in step 128. Steps 127 and 128 are skipped if the CSCF already has the AV array.
  • the CSCF selects the next unused authentication vector (including RAND, AUTN, XRES, IK, CK) from the ordered AV array and sends the parameters RAND and AUTN to the MS through a SIP 401 Unauthorized message.
  • the MS checks whether the received AUTN can be accepted. If so, it produces a response RES and computes the session keys CK and IK. Then the security associations between MS and P-CSCF are set up. Then the MS sends RES back to the CSCF through a SIP REGISTER message in step 130.
  • the CSCF compares the received RES with the XRES. If they match, then the authentication and key agreement exchange is successfully completed.
  • the CSCF then sends a Cx Server Assignment Request message to the HSS in step 131.
  • Upon receipt of the Server Assignment Request, the HSS stores the CSCF name and replies with a Cx Server Assignment Answer message to the CSCF in step 132.
  • the CSCF then sends a SIP 200 OK message to the MS through the IP-CAN in step 133, and the IMS registration procedure is completed.
  • Table 1 compares the steps executed in the one-pass authentication procedure as illustrated in Fig.3 and the two-pass authentication procedure as illustrated in Fig.1.
  • the expected SIP message delivery cost (network transmission cost) between the MS and the CSCF is taken as one unit
  • the expected Cx message delivery cost between the CSCF and the HSS is a fixed fraction of that unit, which is anticipated to be less than 1 for the following two reasons.
  • the CSCF and the HSS exchange the Cx messages through IP network.
  • SIP communications between the MS and the CSCF involve WiMAX core network and radio network.
  • the CSCF and the HSS are typically located at the same location, while the MS is likely to reside at a remote location.
  • IMS registration is periodically performed.
  • an AV array of size n (where n ≥ 1) is sent from the HSS to the CSCF, so only one out of every n IMS registrations incurs the execution of steps 327 and 328. Therefore, from equations (1) and (2), the expected IMS registration cost C_1 for the one-pass authentication procedure is
  • Fig.4 is a diagram depicting the traffic-cost saving of the one-pass authentication procedure over the two-pass authentication procedure, in accordance with an embodiment of the present invention.
  • Fig.4 plots the saving as a function of n and of the relative Cx message cost, based on equation (7). The figure indicates that, compared with the two-pass authentication procedure, the proposed one-pass authentication procedure can save up to 50% and at least 25% of the network traffic generated by IMS registration/authentication.
  • Fig.5 is a schematic flow chart illustrating a one-pass authentication mechanism in accordance with an embodiment of the present invention.
  • In this one-pass authentication mechanism, it is assumed that a first network and a second network share the same authentication key K and authentication functions, and that the respective user identities assigned to a user for the different networks are associated with that authentication key K and those authentication functions.
  • the authentication key K and authentication functions thus can be located by the corresponding user identity in the respective network. Therefore, if the user identities provided by the user match the user identities pre-stored in an authentication database for the first and second networks, respectively, then these user identities will correspond to the same authentication key K and authentication functions.
  • every MS maintains the attributes IMSI, IMPI, and the long-term pre-shared secret key K, with values imsi, impi and k respectively. That is, the MS record is $R_{MS} = \{imsi, impi, k\}$, and for any $x \in R_{MS}$
  • $IMSI_{MS}(x) = imsi$, where $imsi$ is the IMSI value in $R_{MS}$ (8)
  • $K_{MS}(x) = k$, where $k$ is the K value in $R_{MS}$ (10)
  • HSS 201 maintains a record $R_{HSS}$ that consists of the attributes IMSI, IMPI and K of the MS. That is, functions $IMSI_{HSS}$, $IMPI_{HSS}$ and $K_{HSS}$ are defined such that for any $x \in R_{HSS}$
  • $IMSI_{HSS}(x) = imsi$, where $imsi$ is the IMSI value in $R_{HSS}$ (11)
  • $K_{HSS}(x) = k$, where $k$ is the K value in $R_{HSS}$ (13)
  • the AKA authentication mechanism used in the invention is described in 3GPP
  • $K_{MS}(imsi) = K_{MS}(impi)$ (16)
  • the HSS maps impi to the IMSI value $IMSI_{HSS}(impi)$, and the CSCF confirms that
  • $K_{HSS}(impi) = K_{HSS}(IMSI_{HSS}(impi))$ (18)
  • $K_{HSS}(impi) = K_{HSS}(imsi)$ (19)
  • $K_{HSS}(impi) = K_{MS}(imsi)$ (20)
  • The one-pass authentication mechanism according to the present invention is also applicable to other inter-working solutions in which a user requests access to services and applications in one network, such as IMS, via another network, such as WiMAX, GPRS, UMTS or WLAN.
  • The inventive authentication process starts by receiving a registration request for a first network from a user, as shown in step 502.
  • The first network obtains and stores a first user identity provided by the user in step 504. The first user identity is assigned to the user by the network operator for use in the first network, and it is also stored in an authentication database such as HSS 201. Based on the first user identity, an authentication is performed in step 506 with the associated authentication key and functions, according to an authentication agreement between the user and the first network. If the authentication is successful in step 508, the user completes the registration for the first network in step 510. Otherwise, the registration is illegal and the process ends.
  • The user may then send a registration request to the second network.
  • In step 512, if the user requests to register for the second network, the process continues to step 514, where the registration request is intercepted and modified by adding the first user identity provided by the user (stored in step 504).
  • In step 516, the second user identity provided by the user for this registration is used to retrieve the first user identity that was pre-stored in the authentication database when the identities were assigned to the user. A determination is made as to whether the first user identity provided by the user (i.e. the first user identity stored in step 504) matches the first user identity pre-stored in the authentication database.
  • In step 518, if the first user identity provided by the user matches the pre-stored first user identity, security associations between the user and the second network are set up in step 520 based on an authentication agreement between them. Otherwise, the registration is illegal and the process ends.

Abstract

A one-pass authentication mechanism and system for heterogeneous networks are provided. The mechanism comprises authenticating a user based on an authentication key and an authentication algorithm in response to a request of the user to register a first network, wherein the authentication key and the authentication algorithm are associated with a first user identity for the first network and a second user identity for a second network; and if the authentication is successful, then comparing the first user identity retrieved from an authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register the second network, and setting up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.

Description

ONE-PASS AUTHENTICATION MECHANISM AND SYSTEM FOR HETEROGENEOUS NETWORKS
FIELD OF THE INVENTION
The present invention generally relates to the field of authentication and, more particularly, the invention relates to a one-pass authentication mechanism and system for heterogeneous networks.
BACKGROUND OF THE INVENTION
The next generation communication networks are characterized by the co-existence of a variety of network architectures, driven by diverse requirements for data rate, radio coverage, deployment cost and multimedia service. The 3GPP (3rd Generation Partnership Project) is actively specifying the roaming mechanism for integrated Wireless LAN (Local Area Network)/UMTS (Universal Mobile Telecommunication System) networks. It should be noted that this scenario is only one specific heterogeneous network. The IEEE 802.16 standard (WiMAX) is an emerging broadband wireless access system specified for Wireless Metropolitan Area Networks (Wireless MAN), bridging the last mile, replacing costly wire lines and also providing high speed multimedia services. Multimedia service provisioning is one of the primary demands and motivations for the next generation networks. To achieve this goal, the IP Multimedia Subsystem (IMS) is added as the core network part providing multimedia services, e.g. voice telephony, video conferencing, real-time streaming media, interactive games and instant messaging. Multimedia session management, initialization and termination are specified and implemented in the Session Initiation Protocol (SIP).
WiMAX and IMS are now deployed in the global market. WiMAX supports Internet protocol (IP) multimedia services through IMS. Operators and vendors are all interested in how a WiMAX mobile station (MS) accesses IMS and how to improve the user experience. Since the IMS information is delivered through the WiMAX transport network, a WiMAX MS must activate a WiMAX IP Connectivity Access Network (IP-CAN) session before it can register with the IMS network. The substantial technical challenge is to design and implement security architectures and protocols across such heterogeneous networks while taking into account network performance and subscriber experience. For example, one of the most important features of network security management is a mutual authentication mechanism, by which a subscriber is able to authenticate a network and the network is also able to authenticate the subscriber.
In the related WiMAX Forum and 3GPP specifications, authentication is performed at both the WiMAX network level and the IMS network level before a MS can access IMS services. For example, Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) can be employed to authenticate the WiMAX MS at the WiMAX network level, while IMS-AKA is the authentication method at the IMS level, as illustrated in Fig.1. This full authentication procedure thus consists of two independent sub-procedures, i.e. an authentication sub-procedure at the WiMAX IP-CAN level (see the upper part of Fig.1) and another authentication sub-procedure at the IMS level (see the lower part of Fig.1). For simplicity, we call this full authentication procedure a "two-pass" authentication procedure. The technical problem is how to design a one-pass WiMAX and IMS authentication mechanism that can be used when a MS accesses IMS via WiMAX.
No one-pass WiMAX and IMS authentication mechanism currently exists. Yi-Bing Lin et al. propose a one-pass authentication procedure in "One-Pass GPRS and IMS Authentication Procedure for UMTS," IEEE Journal on Selected Areas in Communications, vol. 23, no. 6, pp. 1233-1239, June 2005. However, that paper only covers a one-pass GPRS and IMS authentication procedure for UMTS and does not work for WiMAX. In addition, the proposal is limited in that it does not describe how to set up security associations between the MS and the Proxy Call Session Control Function (P-CSCF), and it does not prove that the user correctly authenticates the IMS network.
On the other hand, the existing solution for WiMAX and IMS authentication is the normal "two-pass" authentication procedure, which brings more network traffic such as registration/authentication traffic than a "one-pass" authentication procedure.
SUMMARY OF THE INVENTION
The objective of the present invention is to provide a one-pass authentication mechanism and system for heterogeneous networks, specifically a one-pass authentication mechanism that can be used when a MS accesses IMS via WiMAX. The proposed one-pass WiMAX and IMS authentication mechanism only needs to perform WiMAX authentication, and thus can significantly reduce the IMS registration/authentication traffic, improve network performance and improve the subscriber experience.
In one aspect of the present invention, there is provided a one-pass authentication mechanism for heterogeneous networks. This mechanism comprises authenticating a user based on an authentication key and an authentication algorithm in response to a request of the user to register a first network, wherein the authentication key and the authentication algorithm are associated with a first user identity for the first network and a second user identity for a second network; and if the authentication is successful, then comparing the first user identity retrieved from an authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register the second network, and setting up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
In another aspect of the present invention, there is provided a one-pass authentication system for heterogeneous networks. This system comprises an authentication database, which stores a first user identity for a first network, a second user identity for a second network, and an authentication key and an authentication algorithm associated with the first and second user identities; a first authentication server adapted to authenticate a user based on the authentication key and the authentication algorithm in response to a request of the user to register the first network; and a second authentication server adapted to compare the first user identity retrieved from the authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register the second network, and set up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
BRIEF DESCRIPTION OF THE DRAWINGS
The novel features of the invention are set forth in the appended claims. The invention itself, further objectives, and advantages thereof, will be best understood by reference to the following detailed description of the preferred embodiments when read in conjunction with the accompanying drawings, wherein:
Fig.1 is an exemplary message flow diagram illustrating a two-pass WiMAX and IMS authentication procedure of the prior art;
Fig.2 shows schematically a functional architecture for a one-pass authentication mechanism in accordance with an embodiment of the present invention;
Fig.3 is an exemplary message flow diagram illustrating a one-pass WiMAX and IMS authentication procedure in accordance with an embodiment of the present invention;
Fig.4 is a diagram representation depicting traffic-cost saving of the one-pass procedure over the two-pass procedure in accordance with an embodiment of the present invention; and
Fig.5 is a schematic flow chart illustrating a one-pass authentication mechanism in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
Fig.1 is an exemplary message flow diagram illustrating a two-pass WiMAX and IMS authentication procedure of the prior art. In Fig.1, authentication is performed at both the WiMAX network level and the IMS network level before a MS can access IMS services, as indicated above. At the WiMAX network level, for example, EAP-AKA is employed to authenticate the WiMAX MS. This authentication procedure consists of initial network entry, WiMAX access network authentication and IP-CAN session establishment, represented by steps 101-125 in Fig.1 and discussed further with respect to Fig.3 below. At the IMS network level, however, the MS must be authenticated through another procedure such as IMS-AKA, depicted by steps 126-133. Since some steps of this "two-pass" procedure are identical, the present invention proposes a one-pass authentication procedure that only needs to perform WiMAX authentication. At the IMS level, authentication is implicitly performed during IMS registration. Such an authentication mechanism can save at least 25% and up to 50% of the IMS registration/authentication network traffic compared with the two-pass procedure, as explained with Fig.4.
Under the present invention, for WiMAX user authentication at the WiMAX network level, the MS shall support at least one of EAP-AKA or EAP-TTLS as specified in the WiMAX NWG specification titled "WiMAX Forum Network Architecture stage 3, Detailed Protocols and Procedures". When EAP-AKA is used for WiMAX user authentication, the MS shall support the authentication procedure described in "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)", IETF RFC 4187, January 2006, and the Subscriber Credentials (SUBC), which are used to authenticate the WiMAX subscription, shall be the credential used to generate the authentication vectors defined in RFC 4187. The NWG specification states that the format of SUBC depends on the deployment and that SUBC is known to the home network and the MS, but it does not define that format.
In the context of this invention, it is assumed that EAP-AKA is used for WiMAX user authentication and SUBC is the same as the long-term security key K used in IMS authentication. In other words, WiMAX authentication procedure and IMS authentication procedure use the same authentication key K and authentication functions (which are used to generate the authentication vectors). The assumption is reasonable when the WiMAX network and the IMS network belong to the same operator or the WiMAX network operator gets an agreement with the IMS network operator.
Based on these assumptions, the following conclusions can be drawn. First, in the two-pass authentication procedure, user authentication is performed first at the WiMAX network level and then at the IMS network level. Since IMS-AKA is used for IMS authentication and EAP-AKA for WiMAX authentication, most of the steps in this "two-pass" authentication procedure are identical. Second, the WiMAX and IMS authentication procedures use the same authentication key K and authentication functions. Therefore, once a WiMAX user has been successfully authenticated at the WiMAX network level, it is implied that the long-term pre-shared IMS security key K in the WiMAX terminal is the same as that in the IMS network (held in the Home Subscriber Server (HSS)), i.e. mutual authentication is achieved between the MS and the IMS network.
From the conclusions above, it can be understood that the proposed one-pass authentication procedure only needs to perform WiMAX authentication. At the IMS level, authentication is implicitly performed during IMS registration. It will be formally proved hereafter that the one-pass procedure achieves mutual authentication between the MS and the network at the IMS level, and it will be evaluated how much WiMAX/IMS authentication traffic the present invention saves. Reference throughout this specification to "one embodiment," "an embodiment," or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases "in one embodiment," "in an embodiment," and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Reference is now made to Fig.2, which shows schematically a functional architecture 200 for a one-pass authentication mechanism in accordance with an embodiment of the present invention. As shown in Fig.2, functional architecture 200 may comprise various related functional entities and interfaces, such as enhanced Authentication Authorization Accounting (AAA) server 202 for WiMAX authentication and Interrogating/Serving Call Session Control Function (I/S-CSCF) 204 for IMS authentication. Such enhanced AAA server 202 has a Diameter based interface able to retrieve authentication parameters such as authentication vectors from HSS 201. AAA proxy 203 in Connectivity Service Network (CSN) proxies the authentication messages between Access Service Network Gateway (ASN GW) 207 and enhanced AAA server 202 in WiMAX network. In IMS network, for example, I/S-CSCF 204 can invoke the authentication vector distribution procedure by Cx message delivery with the HSS 201. Home Agent (HA) 206 and P-CSCF 205 can assist in communications between ASN GW 207 and I/S-CSCF 204. BS 208 facilitates interactions between MS 209 and communication networks via ASN GW 207.
In one exemplary embodiment, when a WiMAX subscriber is also an IMS subscriber, and the subscriber uses the same MS to access to WiMAX and IMS network, it is assumed that:
(1). EAP-AKA is used for WiMAX user authentication.
(2). SUBC (that is the long-term security key used in WiMAX user authentication) is the same as the long-term pre-shared security key K used in IMS authentication, and the SUBC (K) is stored in the MS and the HSS.
(3). Besides the authentication key K, authentication functions are shared between WiMAX and IMS authentication level. In other words, WiMAX authentication procedure and IMS authentication procedure use the same authentication functions and the same authentication key K.
(4). The AAA server is enhanced with a Diameter based interface to retrieve authentication vectors from the HSS. This enhanced AAA server may be a subset of the 3GPP AAA server of the 3GPP I-WLAN specification (TS 23.234). The Wx interface of the 3GPP AAA server can be used to retrieve the authentication vectors from the HSS; therefore the 3GPP AAA server can be reused in the solution of the present invention.
(5). When a WiMAX user subscribes to IMS services, the IMS operator assigns an IMSI value imsi besides an IMPI value impi to the user. In other words, the WiMAX MS has the IMSI value imsi and the IMPI value impi, and the HSS also stores the imsi and impi for the corresponding user/MS. The imsi is used to locate K value k at WiMAX network authentication level, while impi is used to locate K value k at IMS network authentication level. As illustrated in assumption (2) & (3), the imsi and impi are associated with the same K value k and authentication functions. In the WiMAX MS, the imsi will be used to get the outer-identity/inner-identity (which is used in EAP based authentication at WiMAX network level).
(6). In the approach of the present invention, the ASN GW can implement a SIP application level gateway (ALG) that may modify the format of SIP messages (to be elaborated at step 326 in Fig.3).
The assumption is reasonable when the WiMAX network and IMS network belong to the same operator or the WiMAX network operator gets an agreement with the IMS network operator.
Thus, considering the functional architecture in Fig.2, at the WiMAX network level MS 209 is authenticated by the enhanced AAA server 202, which retrieves authentication vectors from HSS 201 based on the MS's IMSI value imsi. AAA proxy 203 in the CSN proxies the authentication messages between the ASN GW 207 and the enhanced AAA server 202. At the IMS network level, MS 209 is authenticated by the S-CSCF 204, which retrieves authentication vectors from HSS 201 based on the MS's IMPI value impi. As stated in assumptions (2) and (3), HSS 201 and WiMAX MS 209 share the same long-term security key K and authentication functions, which are associated with both impi (used at the IMS authentication level) and imsi (used at the WiMAX network authentication level), as assigned to MS 209 by the networks.
In the following detailed description of exemplary embodiments of the present invention, it will be illustrated how to authenticate a WiMAX MS at both the WiMAX network level and the IMS network level through a one-pass authentication mechanism.
With reference now to Fig.3, an exemplary message flow diagram of a one-pass WiMAX and IMS authentication procedure is depicted in accordance with an embodiment of the present invention. The procedure consists of two parts: the WiMAX part illustrates the authentication procedure at the WiMAX network level, while the IMS part shows the authentication procedure at the IMS network level. It should be noted that in this procedure the MS interacts with the S-CSCF, possibly through the P-CSCF and I-CSCF. To simplify the discussion, Fig.3 uses the term "CSCF" to represent the proxy, interrogating and serving functions of the CSCF.
Once initialization for WiMAX wireless link access is finished and basic capabilities negotiation has been successfully established between a MS such as MS 209 and a WiMAX BS such as BS 208, as shown in step 301, the BS informs the ASN GW such as ASN GW 207 about the new MS entering the network in step 302.
In order to request the identity of the MS, the ASN GW may send an EAP-Request/Identity message to the MS through the BS, as shown in steps 303 and 304. The MS then sends an EAP-Response/Identity carrying its outer-identity, in the format specified in "WiMAX Forum Network Architecture stage 3, Detailed Protocols and Procedures", back to the ASN GW through the BS, as shown in steps 305 and 306. The outer-identity contains either a pseudonym allocated to the MS in a previous authentication or, in the case of a first authentication, the IMSI value imsi. The username field of the outer-identity complies with 3GPP TS 23.003, whose leading "0" digit indicates that the EAP-AKA authentication method is used. For EAP-AKA authentication, the outer-identity could be "0<imsi>@WiMAX.mnc<MNC>.mcc<MCC>.3gppnetwork.org", for example.
In step 307, the ASN GW analyses the outer-identity provided by the MS and stores the imsi for the WiMAX MS. The EAP-Response/Identity message is routed towards the proper enhanced AAA server through one or several AAA proxies based on the realm part and routing realm part of the outer-identity. The AAA proxies may modify the passing message in compliance with "WiMAX End-to-End Network Systems Architecture (Stage 3: WiMAX-3GPP Interworking)" of the WiMAX Forum.
The enhanced AAA server identifies the subscriber as a candidate for authentication with EAP-AKA based on the received outer-identity, and then checks whether it has an unused authentication vector available for the subscriber, as described in step 308. If it does, the retrieval in step 308 is skipped. If not, the enhanced AAA server sends a Diameter based message (with the parameter imsi) to a HSS such as HSS 201. The HSS uses imsi to retrieve the records of the MS (including the long-term security key K value k and the authentication functions) and generates from them an ordered array of authentication vectors (AVs), each consisting of RAND, AUTN, XRES, IK and CK. The HSS sends the AV array to the enhanced AAA server.
In steps 309 to 314, the enhanced AAA server requests again the user identity by using the EAP Request/ AKA Identity message. The MS responds with the same identity (which is called inner-identity) it used in the EAP Response Identity message. If no unused authentication vector is available for the WiMAX subscriber in step 315, the enhanced AAA server will retrieve an ordered array of authentication vectors (AVs) from the HSS as step 308.
In steps 316 to 318, the enhanced AAA server selects the next unused authentication vector from the ordered AV array and derives related key material, such as the master session key (MSK) and extended master session key (EMSK), from CK, IK and the user identity. The MSK, EMSK, etc. are used at the WiMAX network level to protect the user data channel. The enhanced AAA server then sends an EAP-Request/AKA-Challenge message to the MS through the ASN GW and BS. The message carries, as attributes, a random number (AT_RAND), a network authentication token (AT_AUTN) and a message authentication code (AT_MAC).
On receipt of the EAP-Request/AKA-Challenge message, the MS runs the AKA algorithm with the long-term security key k and the authentication functions held in the WiMAX MS, and verifies AT_AUTN. If this succeeds, the MS computes RES, CK and IK and derives TEK, MSK and EMSK. The MS then verifies the AT_MAC value sent by the enhanced AAA server. If that also succeeds, the MS sends an EAP-Response/AKA-Challenge message containing AT_RES and AT_MAC to the AAA server through the BS and ASN GW, as described in steps 319 to 321.
The enhanced AAA server verifies that AT_RES and AT_MAC in the EAP-Response/AKA-Challenge packet are correct. If so, it sends an EAP-Success message to the MS, as described in steps 322 to 324, and delivers the MSK to the ASN GW together with that message.
After successfully completing the basic access authentication procedure at the former steps, for the MS to be able to connect to IP network, the MS performs a WiMAX registration procedure in step 325. And then, if the WiMAX user is also an IMS subscriber the MS will perform the IMS registration procedure at the following steps.
In step 326, after the P-CSCF discovery procedure, the MS sends a SIP REGISTER message with the parameter impi to the ASN GW through the BS. After the WiMAX basic access authentication procedure, the ASN GW can identify the IMSI (user identity) value imsi of the MS that is transmitting the data packets. The ASN GW retrieves the IMSI value imsi of the MS, as indicated in Fig.3, and the SIP ALG in the ASN GW adds it to the SIP REGISTER message and forwards the message to the CSCF. The CSCF then stores the (imsi, impi) pair in the MS record.
Assume that the CSCF does not have the AVs for the MS. The CSCF invokes the authentication vector distribution procedure in step 327 by sending a Cx Multimedia Authentication Request message to the HSS along with the parameter impi. In step 328, the HSS uses the received impi as an index to retrieve records (including the long-term security key k and authentication functions) of the MS, and generates an ordered array of AVs. The HSS sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message. Steps 327 and 328 are skipped if the CSCF already has the AV array.
In step 329, the CSCF sends a Cx Server Assignment Request message to the HSS with the parameter impi. The HSS uses the received impi as an index to retrieve the imsi of the MS; the IMSI value retrieved from the HSS is denoted IMSI_HSS(impi). The HSS stores the CSCF name and sends a Cx Server Assignment Answer (with the parameter IMSI_HSS(impi)) to the CSCF in step 330.
In step 331, the CSCF checks whether the IMSI value imsi stored at step 326 and IMSI_HSS(impi) are the same. If so, the S-CSCF selects the next unused AV and sends a SIP 200 OK message carrying the RAND, CK and IK parameters of that AV to the P-CSCF; the P-CSCF stores CK and IK, removes them from the message and forwards the rest of the SIP 200 OK to the MS. If imsi and IMSI_HSS(impi) differ, the registration is illegal. Upon receiving the 200 OK, the MS computes the session keys CK and IK from k and the received RAND. The security associations between the MS and the P-CSCF are then set up based on IK.
The existing solution for WiMAX and IMS authentication is the normal "two-pass" authentication procedure shown in Fig.1, which generates more network traffic than the "one-pass" authentication procedure above. However, it can be observed from Fig.1 and Fig.3 that some steps of the two-pass procedure are identical to steps of the one-pass procedure. Turning to Fig.1, the steps of the two-pass WiMAX and IMS procedure are as follows. Steps 101 to 125 in Fig.1 are the same as steps 301 to 325 in Fig.3, and consist of the initial network entry, WiMAX access network authentication and IP-CAN session establishment procedures.
After P-CSCF discovery procedure, the MS sends a SIP REGISTER message to the CSCF along with the parameter impi through the WiMAX IP-CAN in step 126. If the CSCF does not have the AVs for the MS, the CSCF invokes the authentication vector distribution procedure by sending a Cx Multimedia Authentication Request message to the HSS along with the parameter impi in step 127. Then the HSS uses impi to retrieve records of the MS, and generate an ordered array of AVs. The HSS sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message in step 128. Steps 127 and 128 are skipped if the CSCF already has the AV array.
In step 129, the CSCF selects the next unused authentication vector (consisting of RAND, AUTN, XRES, IK and CK) from the ordered AV array and sends the parameters RAND and AUTN to the MS in a SIP 401 Unauthorized message. The MS checks whether the received AUTN can be accepted. If so, it produces a response RES and computes the session keys CK and IK, and the security associations between the MS and the P-CSCF are set up. The MS then sends RES back to the CSCF in a SIP REGISTER message in step 130.
The CSCF compares the received RES with XRES. If they match, the authentication and key agreement exchange has completed successfully. The CSCF then sends a Cx Server Assignment Request message to the HSS in step 131. Upon receipt of the Server Assignment Request, the HSS stores the CSCF name and replies with a Cx Server Assignment Answer message to the CSCF in step 132. The CSCF then sends a SIP 200 OK message to the MS through the IP-CAN in step 133, and the IMS registration procedure is complete.
Table 1 compares the steps executed in the one-pass authentication procedure as illustrated in Fig.3 and the two-pass authentication procedure as illustrated in Fig.1.
Table 1
[Table 1: image not extracted]
Suppose that the expected SIP message delivery cost (network transmission cost) between the MS and the CSCF is one unit, and the expected Cx message delivery cost between the CSCF and the HSS is β units. It is anticipated that β < 1 for the following two reasons.
• The CSCF and the HSS exchange the Cx messages through IP network. On the other hand, besides the IP network overhead, SIP communications between the MS and the CSCF involve WiMAX core network and radio network.
• The CSCF and the HSS are typically located at the same location, while the MS is likely to reside at a remote location.
In the one-pass authentication procedure, if the distribution of authentication vectors from the HSS to the CSCF (Steps 327 & 328 in Fig.3) is performed, then the expected IMS registration cost C1 , is expressed as
Cu = 2 + 4β (1)
If the authentication vector distribution is not executed in the one-pass authentication procedure, then the expected IMS registration cost C1 2 is expressed as
C1 2 = 2 + 2/? (2)
IMS registration is periodically performed. At steps 327 and 328 of the one-pass authentication procedure, an AV array of size n (where n ≥ 1 ) is sent from the HSS to the CSCF. Therefore, one out of the n IMS registrations incurs the execution of steps 327 and 328. Therefore, from equations (1) and (2), the expected IMS registration cost C1 for the one-pass authentication procedure is
[Equation (3) is an image in the source and is not reproduced in the text.]
In the two-pass authentication procedure, if the authentication vector distribution (steps 127 & 128 in Fig.1) is executed, then the expected IMS registration cost $C_{2,1}$ is expressed as
$C_{2,1} = 4 + 4\beta$ (4)
If the authentication vector distribution is not executed in the two-pass authentication procedure, then the expected IMS registration cost $C_{2,2}$ is expressed as
$C_{2,2} = 4 + 2\beta$ (5)
As in the one-pass authentication procedure, one out of every n IMS registrations incurs the execution of steps 127 and 128 in the two-pass authentication procedure. Therefore, from equations (4) and (5), the expected IMS registration cost $C_2$ for the two-pass authentication procedure is
[Equation (6) is an image in the source and is not reproduced in the text.]
From equations (3) and (6), the traffic-cost saving S of the one-pass authentication procedure over the two-pass authentication procedure is
$S = \frac{C_2 - C_1}{C_2} = \frac{n}{2n + (n+1)\beta}$ (7)
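The cost analysis carried through with the page's own symbols, as an added derivation that is not part of the patent text: equations (3) and (6) are only present as images here, so they are recomputed from (1), (2), (4), (5) and the stated fact that one in every n registrations triggers the AV distribution; the result agrees with (7) and with the 50% / 25% bounds quoted for Fig.4.

$$C_1 = \frac{1}{n} C_{1,1} + \frac{n-1}{n} C_{1,2} = \frac{(2 + 4\beta) + (n-1)(2 + 2\beta)}{n} = 2 + \frac{2(n+1)}{n}\beta$$

$$C_2 = \frac{1}{n} C_{2,1} + \frac{n-1}{n} C_{2,2} = \frac{(4 + 4\beta) + (n-1)(4 + 2\beta)}{n} = 4 + \frac{2(n+1)}{n}\beta$$

$$C_2 - C_1 = 2, \qquad S = \frac{C_2 - C_1}{C_2} = \frac{2}{4 + \frac{2(n+1)}{n}\beta} = \frac{n}{2n + (n+1)\beta}$$

Since S decreases in β, the bound β < 1 gives $\frac{n}{3n+1} < S \le \frac{1}{2}$; the lower bound is increasing in n and equals $\frac{1}{4}$ at n = 1, so $25\% \le S \le 50\%$ for every n ≥ 1, as stated for Fig.4.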
From the above analysis, a diagram depicting the traffic-cost saving of the one-pass authentication procedure over the two-pass authentication procedure is provided in Fig.4, in accordance with an embodiment of the present invention. Taking a user requesting access to the IMS network via a WiMAX network as an example, Fig.4 plots S as a function of n and β based on equation (7). The figure indicates that, compared with the two-pass authentication procedure, the proposed one-pass authentication procedure can save up to 50% and at least 25% of the network traffic generated by IMS registration/authentication.
Fig.5 is a schematic flow chart illustrating a one-pass authentication mechanism in accordance with an embodiment of the present invention. In this one-pass authentication mechanism, it is assumed that a first network and a second network share the same authentication key K and authentication functions, and that the respective user identities assigned to a user for the different networks are associated with that authentication key K and those authentication functions. The authentication key K and authentication functions can thus be located by the corresponding user identity in the respective network. Therefore, if the user identities provided by the user match the user identities pre-stored in an authentication database for the first and second networks, respectively, then these user identities correspond to the same authentication key K and authentication functions. With this mechanism, if a user registers for a first network and further wants to access a second network via the first network, the user does not need to perform additional authentication in the second network once authentication in the first network has succeeded, because the authentication in the second network can be performed implicitly in the registration procedure for the second network. The following section formally proves that the second network can correctly authenticate the user, and that the user can correctly authenticate the second network, through the inventive one-pass authentication procedure.
Considering the WiMAX-IMS architecture illustrated in Fig.2, every MS maintains the attributes IMSI, IMPI, and the long-term pre-shared secret key K. Consider an MS such as MS 209 with IMSI = imsi, IMPI = impi, and K = k. To simplify the discussion, it is assumed that these parameters are grouped into a set $R_{MS} = \{imsi, impi, k\}$ in the MS. Define functions $IMSI_{MS}$, $IMPI_{MS}$ and $K_{MS}$ such that for any $x \in R_{MS}$
$IMSI_{MS}(x) = imsi$, where imsi is the IMSI value in $R_{MS}$ (8)
$IMPI_{MS}(x) = impi$, where impi is the IMPI value in $R_{MS}$ (9)
$K_{MS}(x) = k$, where k is the K value in $R_{MS}$ (10)
Similarly, for every MS in the architecture illustrated in Fig.2, HSS 201 maintains a record $R_{HSS}$ that consists of the attributes IMSI, IMPI and K of the MS. That is,
$R_{HSS} = \{imsi, impi, k\} = R_{MS}$.
Also define functions $IMSI_{HSS}$, $IMPI_{HSS}$ and $K_{HSS}$ such that for any $x \in R_{HSS}$
$IMSI_{HSS}(x) = imsi$, where imsi is the IMSI value in $R_{HSS}$ (11)
$IMPI_{HSS}(x) = impi$, where impi is the IMPI value in $R_{HSS}$ (12)
$K_{HSS}(x) = k$, where k is the K value in $R_{HSS}$ (13)
The AKA authentication mechanism used in the invention is described in 3GPP TS 33.102, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture". It achieves mutual authentication by the user and the network each showing knowledge of a long-term secret key K that is shared between the MS and the HSS. For the WiMAX-IMS interworking network architecture shown in Fig.2, mutual authentication at the WiMAX network level and at the IMS network level is based on the following theorems.
Theorem 1: The MS is a legal WiMAX user and it successfully authenticates the WiMAX network if $K_{MS}(imsi) = K_{HSS}(imsi)$. It is also clear that if mutual authentication is successfully completed at the WiMAX network level, then $K_{MS}(imsi) = K_{HSS}(imsi)$.
Theorem 2: The MS is a legal IMS user and it successfully authenticates the IMS network if $K_{MS}(impi) = K_{HSS}(impi)$.
Now it will be proved that the one-pass authentication procedure (shown in Fig.3) achieves mutual authentication between the MS and the network at the IMS level, i.e. that the one-pass authentication procedure checks whether $K_{MS}(impi) = K_{HSS}(impi)$, as required by Theorem 2.
In the one-pass authentication procedure in Fig.3, when the mutual authentication is successfully completed at steps 301 to 325, then based on Theorem 1 it can be concluded that
$K_{MS}(imsi) = K_{HSS}(imsi)$ (14)
At step 326 in Fig.3, the MS with IMPI value impi and secret key k claims that its IMSI value is imsi, i.e. $R_{MS} = \{imsi, impi, k\}$. From (9) and (10) it can be concluded that
$IMPI_{MS}(imsi) = IMPI_{MS}(k) = impi$ (15)
$K_{MS}(imsi) = K_{MS}(impi)$ (16)
From steps 330 to 331, the HSS maps impi to the IMSI value $IMSI_{HSS}(impi)$, and the CSCF confirms that
$IMSI_{HSS}(impi) = imsi$ (17)
It should be noted that $impi \in R_{HSS}$ and $IMSI_{HSS}(impi) \in R_{HSS}$. From (13), it can be concluded that
$K_{HSS}(impi) = K_{HSS}(IMSI_{HSS}(impi))$ (18)
From (17) and (18), it can be concluded that
$K_{HSS}(impi) = K_{HSS}(imsi)$ (19)
From (19) and (14), it can be concluded that
$K_{HSS}(impi) = K_{MS}(imsi)$ (20)
From (20) and (16), it can be concluded that
$K_{HSS}(impi) = K_{MS}(impi)$ (21)
From (21) and Theorem 2, it can be concluded that the one-pass authentication procedure shown in Fig.3 verifies that the MS is a legal IMS user and that the IMS network is successfully authenticated by the MS, i.e. the one-pass authentication procedure achieves mutual authentication between the MS and the network at the IMS level.
In view of the above analysis, the one-pass authentication mechanism according to the present invention is also applicable to other interworking solutions in which a user requests access to services and applications in a network such as IMS via another network such as WiMAX, GPRS, UMTS or WLAN. Under the assumption that the two networks share the same authentication key and authentication algorithm/functions, and that the respective user identities assigned to the user in the different networks are associated with that authentication key and those authentication algorithm/functions, the inventive authentication process starts by receiving a registration request to a first network from a user, as shown in step 502. The first network then obtains and stores a first user identity provided by the user in step 504, wherein the first user identity is assigned to the user by the network operator for use in the first network and is also stored in an authentication database such as HSS 201. Based on the first user identity, an authentication is performed in step 506 with the associated authentication key and functions according to an authentication agreement between the user and the first network. If the authentication is successful in step 508, the user completes the registration for the first network in step 510. Otherwise, the registration is illegal and the process ends.
If this user is also a subscriber of a second network which can be accessed via the first network, the user may send a registration request to the second network. In step 512, if the user requests to register for the second network, the process will continue to step 514 where the registration request is intercepted and modified by adding the first user identity provided by the user (stored in step 504). In step 516, a second user identity provided by the user for the registration will be used to retrieve a first user identity pre-stored in the authentication database when assigned to the user. A determination is made as to whether the first user identity provided by the user (i.e. the first user identity stored in step 504) matches the first user identity pre-stored in the authentication database. In step 518, if the first user identity provided by the user matches the pre-stored first user identity, then security associations between the user and the second network are set up in step 520 based on an authentication agreement between them. Otherwise, it implies that the registration is illegal and the process ends.
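A compact model of steps 502 to 520 and of the identity-binding check that the proof of Theorem 2 relies on, as an added example that is not part of the patent: the HSS, MS and access-gateway classes are hypothetical, the subscriber records are constructed, and HMAC-SHA256 stands in for the AKA response function f2 (MILENAGE is not modelled). It also exercises the two rejection paths, a failed first-network authentication and a second identity whose pre-stored first identity does not match.

```python
import hashlib
import hmac
import os


def f2(k: bytes, rand: bytes) -> bytes:
    """Stand-in for the AKA f2 response function (assumption, not MILENAGE):
    HMAC-SHA256 over RAND under the shared key K, truncated to 8 bytes."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


class HSS:
    """Authentication database: one record R_HSS = {imsi, impi, k} per user."""

    def __init__(self, records):
        # records: (imsi, impi, k) tuples; all sample values are constructed
        self.by_imsi = {imsi: (impi, k) for imsi, impi, k in records}
        self.by_impi = {impi: imsi for imsi, impi, _ in records}

    def imsi_hss(self, impi):
        """IMSI_HSS(impi): first identity pre-stored for a second identity."""
        return self.by_impi.get(impi)

    def auth_vector(self, imsi):
        """Steps 327/328: (RAND, XRES) derived from K_HSS(imsi), or None."""
        if imsi not in self.by_imsi:
            return None
        _, k = self.by_imsi[imsi]
        rand = os.urandom(16)
        return rand, f2(k, rand)


class MS:
    """Mobile station holding R_MS = {imsi, impi, k}."""

    def __init__(self, imsi, impi, k):
        self.imsi, self.impi, self.k = imsi, impi, k

    def res(self, rand):
        return f2(self.k, rand)  # RES = f2(K_MS, RAND)

    def sip_register(self):
        return {"impi": self.impi}  # second identity used for IMS registration


class AccessGateway:
    """First-network element: stores the authenticated IMSI (step 504) and
    adds it to the intercepted IMS registration request (step 514)."""

    def __init__(self, hss):
        self.hss = hss
        self.authenticated_imsi = None

    def wimax_authenticate(self, ms, claimed_imsi):
        """Steps 506-510: RES == XRES shows the MS holds K_HSS(imsi),
        i.e. K_MS(imsi) == K_HSS(imsi) (Theorem 1)."""
        av = self.hss.auth_vector(claimed_imsi)
        if av is None:
            return False
        rand, xres = av
        ok = hmac.compare_digest(ms.res(rand), xres)
        self.authenticated_imsi = claimed_imsi if ok else None
        return ok

    def intercept(self, register):
        """Forward the request with the WiMAX-authenticated IMSI attached.
        The gateway is the only source of that field (a value the MS put
        there itself is replaced); with no successful WiMAX authentication
        on record, nothing is forwarded."""
        if self.authenticated_imsi is None:
            return None
        return {"impi": register["impi"], "imsi": self.authenticated_imsi}


def cscf_check(hss, register):
    """Steps 516-518: IMSI_HSS(impi) must equal the IMSI the gateway added
    (equation (17)); only then are IMS security associations set up."""
    if register is None:
        return False
    expected = hss.imsi_hss(register["impi"])
    return expected is not None and expected == register["imsi"]


def one_pass_registration(hss, ms, claimed_imsi=None):
    """Run steps 502-520 end to end; returns (wimax_ok, ims_ok)."""
    gw = AccessGateway(hss)
    wimax_ok = gw.wimax_authenticate(ms, claimed_imsi or ms.imsi)
    ims_ok = cscf_check(hss, gw.intercept(ms.sip_register()))
    return wimax_ok, ims_ok


# Constructed subscriber data (not real identities or keys)
K_ALICE = bytes(range(16))
K_BOB = bytes(range(16, 32))
HSS_DB = HSS([
    ("460000000000001", "alice@ims.example.net", K_ALICE),
    ("460000000000002", "bob@ims.example.net", K_BOB),
])

if __name__ == "__main__":
    good = MS("460000000000001", "alice@ims.example.net", K_ALICE)
    print(one_pass_registration(HSS_DB, good))  # (True, True)
    # IMPI pre-stored for a different IMSI: WiMAX passes, step 518 rejects
    mixed = MS("460000000000001", "bob@ims.example.net", K_ALICE)
    print(one_pass_registration(HSS_DB, mixed))  # (True, False)
```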
The foregoing descriptions of the specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto and their equivalents.

Claims

What is claimed is:
1. A one-pass authentication mechanism for heterogeneous networks, comprising: authenticating a user based on an authentication key and an authentication algorithm in response to a request of the user to register a first network, wherein the authentication key and the authentication algorithm are associated with a first user identity for the first network and a second user identity for a second network; and if the authentication is successful, then comparing the first user identity retrieved from an authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register the second network, and setting up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
2. The mechanism according to claim 1, further comprising: intercepting the request of the user to register the second network, wherein the request contains the second user identity provided by the user; and before forwarding the request, modifying it by adding the first user identity provided by the user in the authentication.
3. The mechanism according to claim 1 or 2, wherein authenticating the user based on the authentication key and the authentication algorithm comprises: selecting first authentication parameters for the user; and performing verifications based on the first authentication parameters according to a first authentication agreement between the user and the first network.
4. The mechanism according to claim 3, wherein the first authentication agreement shares the authentication key and the authentication algorithm with a second authentication agreement between the user and the second network.
5. The mechanism according to claim 3 or 4, further comprising performing a registration procedure of the first network for the user after performing the verifications successfully.
6. The mechanism according to any one of claims 3 to 5, further comprising generating the first authentication parameters based on records of the user retrieved from the authentication database through the first user identity provided by the user, wherein the records of the user include at least the authentication key and the authentication algorithm.
7. The mechanism according to any one of claims 4 to 6, wherein setting up the security associations between the user and the second network is based on second authentication parameters for the user according to the second authentication agreement.
8. The mechanism according to claim 7, further comprising generating the second authentication parameters based on records of the user retrieved from the authentication database through the second user identity provided by the user, wherein the records of the user include at least the authentication key and the authentication algorithm.
9. The mechanism according to any one of claims 1 to 8, wherein the first network is a WiMAX network and the second network is an IMS network.
10. A one-pass authentication system for heterogeneous networks, comprising: an authentication database, which stores a first user identity for a first network, a second user identity for a second network, and an authentication key and an authentication algorithm associated with the first and second user identities; a first authentication server adapted to authenticate a user based on the authentication key and the authentication algorithm in response to a request of the user to register the first network; and a second authentication server adapted to compare the first user identity retrieved from the authentication database through the second user identity provided by the user to the first user identity provided by the user in the authentication, in response to a request of the user to register the second network, and set up security associations between the user and the second network if the retrieved first user identity matches the first user identity provided by the user.
11. The system according to claim 10, further comprising an access gateway connected to the first and second authentication servers, wherein the access gateway is adapted to: intercept the request of the user to register the second network, wherein the request contains the second user identity provided by the user; and before forwarding the request, modify it by adding the first user identity provided by the user in the authentication.
12. The system according to claim 10 or 11, wherein the first authentication server is further adapted to: select first authentication parameters for the user; and perform verifications based on the first authentication parameters according to a first authentication agreement between the user and the first network.
13. The system according to claim 12, wherein the first authentication agreement shares the authentication key and the authentication algorithm with a second authentication agreement between the user and the second network.
14. The system according to claim 12 or 13, wherein the first authentication server is further adapted to perform a registration procedure of the first network for the user after performing the verifications successfully.
15. The system according to any one of claims 12 to 14, wherein the first authentication server is further adapted to access the first authentication parameters from the authentication database, and the authentication database is further adapted to: retrieve records of the user through the first user identity provided by the user, wherein the records of the user include at least the authentication key and the authentication algorithm; and generate the first authentication parameters based on the records of the user.
16. The system according to any one of claims 13 to 15, wherein the second authentication server is further adapted to set up the security associations between the user and the second network based on second authentication parameters for the user according to the second authentication agreement.
17. The system according to claim 16, wherein the second authentication server is further adapted to access the second authentication parameters from the authentication database, and the authentication database is further adapted to: retrieve records of the user through the second user identity provided by the user, wherein the records of the user include at least the authentication key and the authentication algorithm; and generate the second authentication parameters based on the records of the user.
18. The system according to any one of claims 10 to 17, wherein the first network is a WiMAX network and the second network is an IMS network.
PCT/CN2008/000372 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks WO2009103188A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP08714830.0A EP2248296A4 (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
KR1020107018451A KR101427447B1 (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
JP2010547018A JP5351181B2 (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
US12/735,588 US9332000B2 (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
PCT/CN2008/000372 WO2009103188A1 (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
CN2008801270551A CN101946455B (en) 2008-02-21 2008-02-21 One-pass authentication mechanism and system for heterogeneous networks
