WO2013120225A1 - Method and system for group based service bootstrap in m2m environment - Google Patents
Publication number: WO2013120225A1 (PCT application PCT/CN2012/000182)
- Authority: WO (WIPO, PCT)
- Prior art keywords: group, key, service, access network, group key
Classifications
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
Definitions
- the security strength of the provisioned service credentials can be independent from the security strength of the access network, which means it can be stronger than the security strength of the access network.
- the execution flow could be flexibly controlled.
- the M2M gateway could be configured to control the procedure according to the network state, e.g. the M2M gateway could control the time window in which it replies to the M2M devices. Most of the communication can stay behind the M2M gateway, so it does not cause a signalling or data traffic jam on the network side.
- the group members can securely communicate with each other. And it is unnecessary for the M2M application server to establish security associations using methods specific to the local area network that connects the group members.
- Fig. 1 shows a system architecture used in the present invention
- Fig. 2 shows the group service credentials provision procedure according to the present invention
- Fig. 3 shows the group service credentials provision procedure according to the first embodiment of the present invention
- Fig. 4 shows the group service credentials provision procedure according to the second embodiment of the present invention.
- Fig. 5 shows the group service credentials provision procedure according to the third embodiment of the present invention.
- the access network provider and the M2M service provider share a business relationship or the access network provider provides M2M service.
- Figure 1 shows a system architecture used in the M2M environment.
- a number of M2M devices and an M2M gateway are assigned to a group. All communication between the M2M devices and the core network passes through the M2M gateway.
- the M2M devices are connected to the M2M gateway through the M2M area network (WiFi, ZigBee, etc.).
- the M2M gateway can be a normal M2M device that also runs M2M applications or M2M service capabilities like the other group members, or it can be a special-purpose device.
- the core idea of the invention is that the M2M service and the M2M device/gateway implement a group key establishment, which is authenticated by using the access network credentials, to establish a shared group secret key. Then the group service credentials provision procedure can be protected by the secret key.
- the procedure is shown in Figure 2.
- this high-level procedure comprises the following steps:
- step 21 the M2M device/gateway carries out the access network registration.
- step 22 the network provides access network credentials to the M2M service.
- the network provider and the M2M service provider should have a business relationship.
- step 23 the M2M device/gateway and the M2M service establish the temporary session keys in the service layer based on the access network credentials.
- step 24 the M2M service and the M2M device/gateway carry out an authenticated group key establishment procedure in the service layer. At the end of the procedure, there will be a shared group key among all the participants. And also if necessary, there could be a shared individual secret key between each M2M device/gateway and the service. Each message should be protected by the temporary session keys established in step 23. Integrity or confidentiality should be provided according to the specific use cases.
- step 25 the service and the M2M device/gateway implement a group service credentials provisioning procedure under the protection of the group key established in step 24.
- Group Key Establishment (GKE) can be done by group key distribution (GKD) or group key agreement (GKA). In GKD there exist central key management entities, such as a key distribution center (KDC), which are responsible for generating and allocating the shared key(s) to the peers.
- the M2M service provider can play the role of the key distribution center.
- the M2M service provider can generate a random key and allocate it to all the M2M devices/gateway. This is easy to deploy and has little computation and communication cost. But there is a potential risk that the key is exposed to the access network provider. If the M2M service provider trusts the access network provider (they share a business relationship, etc.), it can adopt the GKD method.
- the security strength of the distributed key depends on the security strength of the access network.
- in GKA every entity in the group contributes to the generation of the shared key.
- the group key can be considered the output of a function which takes all the entities' private data as input.
- in GKA only the participants can compute the secret key. If the GKA procedure is performed only among the M2M service and the M2M device/gateway, the key is secret even from the access network provider. If the M2M service provider does not trust the access network provider, it can adopt the GKA method. Moreover, GKA can yield a key whose security strength is stronger than the security strength of the access network.
- Option i: the M2M gateway participates in the group key agreement procedure.
- Option ii: the M2M gateway does not participate in the group key agreement procedure; it only relays messages.
- Option a: only group level service credentials are provided.
- Option b: two levels of service credentials are provided: not only group level service credentials, but also individual level service credentials for each device.
- GKD/GKA, Options i/ii and Options a/b are independent choices from different perspectives, so there are six combinations altogether: GKD & a, GKD & b, GKA & i & a, GKA & i & b, GKA & ii & a, GKA & ii & b. Three of them are explained in detail below: GKD & a, GKA & i & a and GKA & ii & b. The other three can be derived with the same techniques.
- the M2M service generates the group key and allocates it to all the M2M devices/gateway.
- when the M2M device is very limited in energy and computing power and the access network provider is fully trusted by the service provider, this embodiment can be used.
- the access network authenticates the M2M device/gateway in the network layer.
- the network provides the access network credentials to the M2M service.
- the M2M service generates the required group key and sends it to the M2M device/gateway with the protection of the access network credentials.
- the M2M service can provide the group service credentials with the protection of the group key. This procedure is shown in Figure 3.
- Step 30 is an offline step.
- the External Identifiers defined in 3GPP TR23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider.
- the External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that it is locally accessible to the Bootstrapping Server Function (BSF).
- step 31 after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) that the BSF fetched from the Home Subscriber Server (HSS).
- the BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
- a NAF-specific key derived from GBA can be used as the temporary session key.
- the NAF-specific key can be used to protect the authenticity and integrity of the data exchanged between the M2M service and the M2M device/gateway.
- step 32 the M2M device/gateway and the M2M Service Bootstrap Function (MSBF)/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each device and the gateway in the group shares its own NAF-specific key with the MSBF/NAF.
- MSBF is to facilitate the bootstrapping of permanent M2M service layer security credentials in the M2M Device (or M2M Gateway) and the M2M Service Capabilities in the Network Domain.
- M2M Authentication Server (MAS) is used to store the permanent security credentials bootstrapped using MSBF.
- step 33 the M2M service generates a random key as the group key.
- the M2M service sends the group key to each M2M device/gateway separately.
- each message should be protected with the NAF-specific key shared with the MSBF/NAF in step 32.
- step 34 the M2M service provides to all the M2M device/gateway the group service credentials with the protection of the group key.
- this embodiment is more efficient in communication than key agreement, since only N messages are transmitted on the network in the group key establishment phase, where N is the number of devices/gateway. Afterwards, all the devices/gateway share a group key with the service.
- since the device only receives and decrypts messages in the group key establishment phase, this embodiment requires less computation from the device; the M2M device does not participate in the key generation procedure.
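The following Python simulation of the GKD embodiment (steps 32 to 34) is an added example; it is not code from the patent, ETSI or 3GPP. It uses only the standard library. The HTTP Digest computation follows RFC 2617 with the B-TID as username and base64(Ks_NAF) as password, as GBA does over Ua (3GPP TS 33.222); the wrapping function is an encrypt-then-MAC stand-in for an AEAD such as AES-GCM, since the standard library has no AES; the NAF host name, B-TIDs, Ks_NAF values and credential bytes are constructed. It also shows the caveat from the text: the BSF operator holds Ks_NAF, so whoever runs the access network can read the distributed group key.

```python
# Added example (not from the patent, ETSI or 3GPP): simulation of the GKD embodiment, steps 32-34.
# Standard library only; names, B-TIDs, Ks_NAF values and credential bytes below are constructed.
import base64
import hashlib
import hmac
import secrets

NAF_FQDN = "msbf.m2m.example"                 # assumed NAF host name
REALM = "3GPP-bootstrapping@" + NAF_FQDN      # realm form used by GBA over Ua (3GPP TS 33.222)


def digest_response(username, password, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """RFC 2617 Digest response (qop=auth). With GBA: username = B-TID, password = base64(Ks_NAF)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _keystream(k_enc, nonce, length):
    return b"".join(_prf(k_enc, nonce, i.to_bytes(4, "big")) for i in range((length + 31) // 32))[:length]


def wrap(key, aad, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD such as AES-GCM (the stdlib has no AES):
    HMAC-SHA256 in counter mode as keystream, HMAC-SHA256 over len(aad)||aad||nonce||ct as tag."""
    k_enc, k_mac = _prf(key, b"enc", b""), _prf(key, b"mac", b"")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = _prf(k_mac, len(aad).to_bytes(4, "big") + aad, nonce + ct)
    return nonce + ct + tag


def unwrap(key, aad, blob):
    k_enc, k_mac = _prf(key, b"enc", b""), _prf(key, b"mac", b"")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(k_mac, len(aad).to_bytes(4, "big") + aad, nonce + ct)):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def rejects(key, aad, blob):
    """True when unwrap refuses the blob, i.e. the integrity check under `key` fails."""
    try:
        unwrap(key, aad, blob)
        return False
    except ValueError:
        return True


def gkd_bootstrap(ks_naf_by_btid, group_credentials, uri="/bootstrap"):
    """Steps 32-34 for one group. ks_naf_by_btid: {B-TID: Ks_NAF} held by each member after step 31;
    the MSBF/NAF holds the same keys because the BSF delivers Ks_NAF to it over Zn.
    Returns (group-key messages, credentials recovered per member, group key)."""
    msbf_keys = dict(ks_naf_by_btid)                       # MSBF's copies, received from the BSF
    nonce = secrets.token_hex(16)                          # MSBF's Digest challenge
    authenticated = {}
    for btid, ks_naf in ks_naf_by_btid.items():            # step 32: HTTP Digest with Ks_NAF
        cnonce = secrets.token_hex(8)
        client = digest_response(btid, base64.b64encode(ks_naf).decode(), "GET", uri, nonce, cnonce)
        server = digest_response(btid, base64.b64encode(msbf_keys[btid]).decode(), "GET", uri, nonce, cnonce)
        if hmac.compare_digest(client, server):
            authenticated[btid] = msbf_keys[btid]
    group_key = secrets.token_bytes(32)                    # step 33: random group key, one unicast per member
    key_msgs = {t: wrap(k, b"group-key:" + t.encode(), group_key) for t, k in authenticated.items()}
    cred_msg = wrap(group_key, b"group-credentials", group_credentials)   # step 34: under the group key
    recovered = {}
    for btid, msg in key_msgs.items():                     # member side: unwrap group key, then credentials
        gk = unwrap(ks_naf_by_btid[btid], b"group-key:" + btid.encode(), msg)
        recovered[btid] = unwrap(gk, b"group-credentials", cred_msg)
    return key_msgs, recovered, group_key


def access_network_view(bsf_keys, key_msgs):
    """The caveat in the text: whoever holds Ks_NAF (the access network's BSF does) can read the
    distributed group key, so GKD suits only a fully trusted access network provider."""
    return {t: unwrap(bsf_keys[t], b"group-key:" + t.encode(), m) for t, m in key_msgs.items()}


# Constructed sample group: two devices and the gateway, each with a made-up B-TID and Ks_NAF.
SAMPLE_GROUP = {"btid-dev1@bsf.example": secrets.token_bytes(32),
                "btid-dev2@bsf.example": secrets.token_bytes(32),
                "btid-gw@bsf.example": secrets.token_bytes(32)}
SAMPLE_CREDENTIALS = b"node-id=group-17;root-key=" + secrets.token_hex(16).encode()

if __name__ == "__main__":
    msgs, creds, _ = gkd_bootstrap(SAMPLE_GROUP, SAMPLE_CREDENTIALS)
    print(len(msgs), "group-key messages; all members got credentials:",
          all(c == SAMPLE_CREDENTIALS for c in creds.values()))
```

Note that `gkd_bootstrap` sends exactly one group-key message per authenticated member (the N messages the text counts) and a single credential message under the group key, and that `access_network_view` recovers that group key from nothing but the per-member Ks_NAF, which is the exposure the text warns about.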
- the second preferred embodiment of the present invention provides a group level service credentials to the M2M device/gateway.
- This embodiment is used in the following situation: the M2M device has the computation capability of asymmetric cryptography.
- the M2M gateway is also a member of the group and it also knows the group key.
- the access network provider is partially trusted by the service provider.
- the implementation firstly uses the GBA method to provide the access network credentials to the service layer, then uses the Burmester-Desmedt GKA method to exchange a group key.
- the gateway participates in the GKA procedure. Only group level service credentials are provided. This procedure is shown in Figure 4.
- the high-level procedure of Fig. 4 comprises the following steps:
- Step 40 is an offline step.
- the External Identifiers defined in 3GPP TR 23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider.
- the External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the BSF.
- step 41 the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) that the BSF fetched from the HSS.
- the BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
- step 42 the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each device and the gateway in the group shares its own NAF-specific key with the MSBF/NAF.
- step 43 the M2M service, the M2M device and the M2M gateway carry out a Burmester-Desmedt group key agreement to establish a group key.
- the NAF-specific keys established in step 42 will be used for the message integrity protection of the GKA procedure.
- the M2M devices are pre-numbered from 1 to n-2, and the gateway is pre-numbered n-1.
- Burmester-Desmedt group key agreement is a specific method of exchanging keys among a group of parties.
- the Burmester-Desmedt method allows a group of parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. It could be seen as an extension of the Diffie-Hellman key exchange to the group environment, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
- the technical details can be found in M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Pre-proceedings of Eurocrypt'94, Scuola Superiore Guglielmo Reiss Romoli (SSGRR), pp. 279-290, Perugia, Italy, May 9- 12, 1994.
- step 44 the MSBF/NAF provides the service credentials, protected by the group key established in step 43, to the M2M device/gateway and the MAS.
- the group key is never transmitted over the network. It is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain it, and the group key is known only to the group members. The group key agreement protocol runs in the service layer; the network does not participate in the protocol, so it does not obtain the group key. Most of the communication stays behind the gateway.
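The Burmester-Desmedt exchange of step 43, with every message integrity-protected under the sender's NAF-specific key from step 42, as an added Python example (not code from the patent or from the cited paper). The group parameters are a toy safe-prime group chosen so the example runs instantly; a deployment would use a standardised group such as an RFC 3526 MODP group or an elliptic curve. Member indices are zero-based: 0 to n-3 are the devices, n-2 the gateway and n-1 the M2M service, matching the page's numbering 1 to n-2, n-1 and n. Since each member shares its Ks_NAF only with the MSBF/NAF, the example assumes the MSBF relays each round's broadcast and is therefore the party that verifies every tag; the Ks_NAF values are constructed.

```python
# Added example (not from the patent): Burmester-Desmedt group key agreement, step 43 of Fig. 4,
# with each broadcast MAC'd under the sender's NAF-specific key (step 42).
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4      # toy safe-prime group (assumption): P = 2Q+1, Q prime, G generates the order-Q subgroup


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def encode(rnd, idx, value):
    return f"bd|round{rnd}|{idx}|{value}".encode()


class Member:
    """One participant: indices 0..n-3 are devices, n-2 the gateway, n-1 the M2M service."""

    def __init__(self, idx, ks_naf):
        self.i, self.ks_naf = idx, ks_naf
        self.r = secrets.randbelow(Q - 1) + 1       # private contribution r_i, never transmitted

    def round1(self):                               # broadcast z_i = g^{r_i}
        return pow(G, self.r, P)

    def round2(self, z):                            # broadcast X_i = (z_{i+1} / z_{i-1})^{r_i}
        n = len(z)
        nxt, prv = z[(self.i + 1) % n], z[(self.i - 1) % n]
        return pow(nxt * pow(prv, -1, P) % P, self.r, P)

    def group_key(self, z, X):                      # K = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}
        n = len(z)
        k = pow(z[(self.i - 1) % n], n * self.r, P)
        for j in range(n - 1):
            k = k * pow(X[(self.i + j) % n], n - 1 - j, P) % P
        return k

    def send(self, rnd, value):                     # (index, value, tag under this member's Ks_NAF)
        return (self.i, value, mac(self.ks_naf, encode(rnd, self.i, value)))


def msbf_verify(msbf_keys, rnd, msg):
    """MSBF/NAF checks the tag with the Ks_NAF it received from the BSF over Zn (assumption: the MSBF
    relays each round's broadcast, so it is the one party able to verify every member's tag)."""
    idx, value, tag = msg
    return hmac.compare_digest(tag, mac(msbf_keys[idx], encode(rnd, idx, value)))


def run_bd(ks_naf_list):
    """Both rounds for a group whose members hold the given NAF-specific keys.
    Returns (members, the key each member computed)."""
    members = [Member(i, ks) for i, ks in enumerate(ks_naf_list)]
    msbf_keys = dict(enumerate(ks_naf_list))
    n = len(members)
    z = [None] * n
    for m in members:                               # round 1
        msg = m.send(1, m.round1())
        if not msbf_verify(msbf_keys, 1, msg):
            raise ValueError(f"round 1: bad MAC from member {m.i}")
        z[m.i] = msg[1]
    X = [None] * n
    for m in members:                               # round 2
        msg = m.send(2, m.round2(z))
        if not msbf_verify(msbf_keys, 2, msg):
            raise ValueError(f"round 2: bad MAC from member {m.i}")
        X[m.i] = msg[1]
    return members, [m.group_key(z, X) for m in members]


def expected_key(members):
    """Closed form used only for checking: K = g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}, exponent reduced mod Q."""
    n = len(members)
    e = sum(members[i].r * members[(i + 1) % n].r for i in range(n)) % Q
    return pow(G, e, P)


SAMPLE_KEYS = [secrets.token_bytes(32) for _ in range(5)]   # constructed: 3 devices, gateway, service

if __name__ == "__main__":
    members, keys = run_bd(SAMPLE_KEYS)
    print("all members agree on one key:", len(set(keys)) == 1 and keys[0] == expected_key(members))
```

Only z_i and X_i ever cross the network; each r_i stays with its owner, which is the property the text relies on when it says the group key is never transmitted. A message whose tag was made with a key other than the sender's Ks_NAF fails `msbf_verify`, so neither the access network nor an on-path attacker can inject a contribution.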
- the third preferred embodiment of the present invention provides the group level service credentials and the individual level service credentials to the M2M device/gateway.
- This embodiment can be used in the case of the M2M device having also the computation capability of the asymmetric cryptography.
- the group service bootstrap and individual service bootstraps are also achieved.
- the gateway is a special device which is only used for message transmission. It does not know the group key or any individual key. And the access network provider is partially trusted by the service provider.
- this embodiment first uses the GBA method to provide the access network credentials to the service layer, then uses a modified GDH.3 GKA method to agree a group key for all the group members and an individual key for each group member.
- the gateway does not participate in the GKA procedure.
- Figure 5 shows the procedure of GKA & ii & b.
- This high-level procedure shown in Fig. 5 is comprised of the following steps:
- Step 50 is an offline step.
- the External Identifiers defined in 3GPP TR23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider.
- the External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that it is locally accessible to the BSF.
- step 51 after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) that the BSF fetched from the HSS.
- the BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
- step 52 the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each device and the gateway in the group shares its own NAF-specific key with the MSBF/NAF.
- step 53 the M2M service and the M2M device implement a modified GDH.3 group key agreement to establish a group key and an individual key for each M2M device.
- GDH.3 group key exchange is a specific method of exchanging keys among a group of parties. The technical details can be found in Michael Steiner, Gene Tsudik and Michael Waidner, "Diffie-Hellman key distribution extended to group communication", Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS'96), ACM, New York, NY, USA, pp. 31-37, 1996.
- the MSBF generates a new random value $s$, and $g^{s}$ is used for the generation of the individual keys.
- the M2M devices are pre-numbered from 1 to $n-1$.
- the first M2M device $D_1$ generates a random value $r_1$ and sends a group root key request and $g^{r_1}$ to the M2M gateway.
- the M2M gateway forwards $g^{r_1}$ to the second M2M device $D_2$.
- the second M2M device $D_2$ generates a random value $r_2$, computes $g^{r_1 r_2}$ and sends it to the M2M gateway.
- the M2M gateway forwards $g^{r_1 r_2}$ to the third M2M device $D_3$, and so on along the chain.
- the $(n-1)$-th M2M device $D_{n-1}$ generates a random value $r_{n-1}$, computes $g^{r_1 r_2 \cdots r_{n-1}}$ and sends it to the M2M gateway.
- the M2M gateway forwards $g^{r_1 r_2 \cdots r_{n-1}}$ to all the M2M devices.
- each M2M device $D_i$ computes $g^{r_1 r_2 \cdots r_{n-1}/r_i}$ (the product with its own $r_i$ removed from the exponent) and sends it to the M2M gateway.
- the M2M gateway forwards all the $g^{r_1 r_2 \cdots r_{n-1}/r_i}$ messages together with $g^{r_1 r_2 \cdots r_{n-1}}$ to the M2M server.
- the M2M server generates two random values $r_n$ and $s$, computes $g^{r_1 r_2 \cdots r_{n-1} r_n/r_i}$ for every $i$ and $g^{s}$, and sends $g^{s}$ and all the $g^{r_1 r_2 \cdots r_{n-1} r_n/r_i}$ to the M2M gateway.
- the M2M gateway forwards $g^{s}$ and $g^{r_1 r_2 \cdots r_{n-1} r_n/r_i}$ to each M2M device $D_i$.
- the M2M server and all the M2M devices compute the same group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$.
- the M2M server and each M2M device $D_i$ compute the same individual key $g^{s r_i}$.
- the MSBF/NAF provides the group service credentials and the individual service credentials to the M2M device/gateway and the MAS.
- the group service credentials are protected by the group key $g^{r_1 r_2 \cdots r_n}$, and each individual service credential is protected by the individual key $g^{s r_i}$.
- the group key and the individual keys are never transmitted over the network. The group key is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain it.
- the group key and the individual keys are known only to the group members.
- the group key agreement protocol runs in the service layer. The network does not participate in the protocol, so it does not obtain the group key.
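The modified GDH.3 exchange of step 53 and the key use of step 54, with the gateway as a pure relay (option ii), as an added Python example; it is not code from the patent or from the cited paper. It uses the same toy safe-prime group as above (an assumption; a deployment would use a standardised group). The page does not say how the server learns $g^{r_i}$, which it needs to compute the individual key $g^{s r_i}$; this example assumes each device sends $g^{r_i}$ alongside $g^{r_1 \cdots r_{n-1}/r_i}$, which is an assumption and not something the page states. The device count and all random values are constructed at run time.

```python
# Added example (not from the patent): modified GDH.3 of Fig. 5, step 53, gateway relaying only.
# Assumption: each device also sends g^{r_i} so the server can form the individual key g^{s r_i};
# the page does not specify this part of the exchange.
import secrets

P, Q, G = 2039, 1019, 4      # toy safe-prime group (assumption): P = 2Q+1, Q prime, G of order Q


class Device:
    def __init__(self, idx):
        self.i = idx
        self.r = secrets.randbelow(Q - 1) + 1        # r_i, never transmitted

    def upflow(self, prev):                          # prev = g^{r_1 ... r_{i-1}} (g itself for D_1)
        return pow(prev, self.r, P)                  # -> g^{r_1 ... r_i}

    def downflow(self, V):                           # V = g^{r_1 ... r_{n-1}}, broadcast by the gateway
        r_inv = pow(self.r, -1, Q)                   # exponents live in Z_Q because G has order Q
        return pow(V, r_inv, P), pow(G, self.r, P)   # (g^{r_1...r_{n-1}/r_i}, g^{r_i})  [second value: assumption]

    def finish(self, blinded, g_s):                  # blinded = g^{r_1 ... r_n / r_i}
        self.group_key = pow(blinded, self.r, P)     # = g^{r_1 ... r_n}
        self.individual_key = pow(g_s, self.r, P)    # = g^{s r_i}


class Server:
    """The M2M service (MSBF/NAF), party number n."""

    def __init__(self):
        self.r_n = secrets.randbelow(Q - 1) + 1
        self.s = secrets.randbelow(Q - 1) + 1        # fresh random value for the individual keys

    def respond(self, V, partials):                  # partials: {i: (g^{r_1...r_{n-1}/r_i}, g^{r_i})}
        self.group_key = pow(V, self.r_n, P)
        self.individual_keys = {i: pow(g_ri, self.s, P) for i, (_, g_ri) in partials.items()}
        g_s = pow(G, self.s, P)
        blinded = {i: pow(v_i, self.r_n, P) for i, (v_i, _) in partials.items()}
        return g_s, blinded


class Gateway:
    """Option ii: relays messages only and holds no key material."""

    def __init__(self):
        self.relayed = []

    def relay(self, msg):
        self.relayed.append(msg)
        return msg


def run_gdh3(n_devices):
    """Run the exchange for D_1..D_{n-1} (n-1 = n_devices) and the server; returns (devices, server, gateway)."""
    devices = [Device(i) for i in range(1, n_devices + 1)]
    gw, srv = Gateway(), Server()
    acc = G
    for d in devices:                                # upflow: D_1 -> gw -> D_2 -> gw -> ... -> D_{n-1}
        acc = gw.relay(d.upflow(acc))
    V = acc                                          # g^{r_1 ... r_{n-1}}
    partials = {d.i: gw.relay(d.downflow(V)) for d in devices}     # each D_i -> gw -> server
    g_s, blinded = gw.relay(srv.respond(V, partials))              # server -> gw
    for d in devices:                                              # gw -> each D_i
        d.finish(gw.relay(blinded[d.i]), g_s)
    return devices, srv, gw


def keys_agree(devices, srv):
    """One group key shared by server and every device; one individual key per device shared with the server."""
    return (all(d.group_key == srv.group_key for d in devices) and
            all(d.individual_key == srv.individual_keys[d.i] for d in devices))


def expected_group_key(devices, srv):
    """Closed form used only for checking: g^{r_1 ... r_{n-1} r_n}, exponent reduced mod Q."""
    e = srv.r_n
    for d in devices:
        e = e * d.r % Q
    return pow(G, e, P)


if __name__ == "__main__":
    devs, srv, gw = run_gdh3(4)
    print("keys agree:", keys_agree(devs, srv), "| gateway relayed", len(gw.relayed), "messages")
```

The gateway object ends the run holding only a transcript of group elements, never an exponent, which is what lets the text claim it "does not know the group key or any individual key"; each device and the server finish with the same $g^{r_1 \cdots r_n}$ and a per-device $g^{s r_i}$ without either ever being sent.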
Abstract
This invention relates to a method for provisioning group service credentials during access network assisted M2M service bootstrap procedure. This method comprises the following steps: carrying out access network registration of a group of M2M devices, establishing temporary session keys based on access network credentials of the access network, establishing a group key and/or individual keys authenticated by means of the temporary session keys, and provisioning group service credentials under the protection of the group key. This invention also relates to a system for provisioning group service credentials during access network assisted M2M service bootstrap procedure.
Description
Method and System for Group Based Service Bootstrap in M2M environment
Technical Field
This invention generally relates to a method and system for group based service bootstrap in Machine-to-Machine (M2M) environment. In particular, the invention relates to a method and system for provisioning group service credentials during access network assisted M2M service bootstrap procedure.
Background Art
M2M refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. M2M uses a device (such as a sensor or meter) to capture an event (such as temperature, inventory level, etc.), which is relayed through a network (wireless, wired or hybrid) to an application (software program), that translates the captured event into meaningful information.
In the M2M environment, it is desirable to provide service credentials to the devices during the device bootstrap and registration procedure. M2M service bootstrap provides permanent M2M service credentials (identities, root keys, etc.), which will be used for connecting and registering with the M2M service layer.
European Telecommunications Standards Institute Technical Specification (ETSI TS) 102 690 has standardized two methods of M2M service bootstrap depending on the business relationship between the M2M service provider and the network provider: access network assisted M2M service bootstrap and access network independent M2M service bootstrap. The ETSI TS 102 690 standardization defines M2M provisioning and bootstrapping procedures. It says: "M2M Service Bootstrap and M2M Service Registration for M2M Devices and M2M Gateways are the mechanisms by which: Service layer credentials, such as permanent identifiers and root keys are provisioned to M2M Device (or M2M Gateway)."
ETSI has defined several methods of access network assisted M2M service bootstrap procedure, such as Generic Bootstrapping Architecture (GBA) based M2M service bootstrap procedure, Extensible Authentication Protocol (EAP)-based bootstrap procedure using Subscriber Identity Module (SIM)/Authentication and Key Agreement (AKA)-based credentials, bootstrap procedure utilizing EAP-based network access authentication, ETSI TS 102 690. GBA describes the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3rd Generation Partnership Project (3GPP) AKA mechanism. The 3GPP authentication infrastructure, including the 3GPP Authentication Centre (AuC), the Universal Subscriber Identity Module (USIM) or the IP Multimedia Services Identity Module (ISIM), and the 3GPP AKA protocol run between them, is a very valuable asset of 3GPP operators. It has been recognized that this infrastructure could be leveraged to enable application functions in the network and on the user side to establish shared keys. Therefore, 3GPP can provide the "bootstrapping of application security" to authenticate the subscriber by defining a GBA based on AKA protocol. The technical details can be found in 3GPP TS 33.220.
However, the current methods defined by ETSI all work at the individual level: one bootstrap procedure provisions just one device, and none of them considers the group requirement. If there are many M2M devices which have the same M2M service capabilities or run the same M2M application, there will be many bootstrap procedures, all of them provisioning the same M2M service credentials. This is duplicated and inefficient. A better idea is to do all the credential provisioning in one group based bootstrap procedure. There are scenarios in which M2M devices are divided into groups: M2M devices can be grouped together for control, management or charging purposes, etc., to meet the needs of operators. This optimization may provide an easier way to control, update or charge the M2M devices at group granularity, which reduces redundant signalling and avoids congestion. Network resources can also be saved by group based optimization when the number of M2M devices is large.
The Internet Engineering Task Force (IETF) has proposed a series of documents regarding group key management protocol (e.g. Request for Comments (RFC) 2093, RFC 2094, RFC 4046). These documents give detailed reports of how to manage the group key problem, such as group key distribution, group key rekey. However, none of the protocols consider the characteristic of the M2M application. They may not be suitable in the M2M environment due to the energy, computation limitation or other specific features of the M2M devices. For example, some of them need the support of the asymmetric signature system, which requires high computation capability and also is hard to be deployed (RFC 2093, RFC 2094, etc.). Some of them need a specific Group Control or Key Server (GCKS) to define and enforce group membership, key management and other affairs. There is no corresponding solution which fulfills the functionality of the GCKS in M2M environment.
By leveraging the access network credentials in the service layer, existing resources are reused and deployment cost is reduced. And by introducing the group architecture, the data flow is noticeably decreased. So it is valuable to provide a group based bootstrap method with the assistance of the access network.
Summary of the Invention
To this end, the problem to be solved by the invention is how to perform the service bootstrap for a group of M2M devices at the group level with the assistance of the access network.
The invention proposes a method for provisioning group service credentials during access network assisted M2M service bootstrap procedure.
The method of the present invention comprises the following steps: carrying out access network registration of a group of M2M devices, establishing temporary session keys based on access network credentials of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
provisioning group service credentials under the protection of the group key.
Preferably, Generic Bootstrapping Architecture (GBA) procedure is used in the implementation for the access network credentials provision.
Preferably, the temporary session keys are derived from GBA procedure and can be Network Application Function (NAF) -specific key.
More preferably, Hypertext Transfer Protocol (HTTP) Digest authentication is performed using a NAF-specific key in the step of establishing a group key.
According to one preferred embodiment of the invention, the step of establishing a group key can be implemented by a group key agreement procedure, in which the group key can be obtained as a function of private data of all the M2M devices. A Burmester-Desmedt group key agreement procedure or a modified Group Diffie-Hellman protocol No. 3 (GDH.3) group key agreement procedure can be used to establish the group key. In the modified GDH.3 group key agreement procedure, the M2M Service Bootstrap Function (MSBF) generates a new random value used for the generation of the individual keys.
The group key agreement procedure is performed in the service layer.
According to another preferred embodiment of the invention, the step of establishing a group key can be implemented by a group key distribution procedure, in which a key distribution center is responsible for generating and allocating the shared key or the shared keys.
Furthermore, the invention proposes a system for provisioning group service credentials during access network assisted M2M service bootstrap procedure. The system comprises the following means:
means for carrying out access network registration of a group of M2M devices,
means for establishing temporary session keys based on access network credentials of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
means for provisioning group service credentials under the protection of the group key.
Thus, in comparison with the prior art, a group based bootstrap method is proposed and group level service credentials are provisioned to all the M2M devices/gateway. The bootstrap policy is flexible. There are different options in different cases (Group Key Agreement (GKA) vs Group Key Distribution (GKD), group level provision vs individual level provision, gateway involved vs gateway not involved, etc.). The security strength of the provisioned service credentials can be independent of the security strength of the access network, which means it can be stronger than the security strength of the access network. The execution flow could be flexibly controlled. The M2M gateway could be configured to control the procedure according to the network state, e.g. the M2M gateway could control the time window in which to reply to the M2M device. Most of the communication could be behind the M2M gateway, so it will not cause a signalling or data traffic jam on the network side.
Therefore, by implementing the method and system proposed by the invention, the group members can securely communicate with each other, and it is unnecessary for the M2M application server to establish security associations using methods specific to the local area network that connects the group members.
Description of the Figures
The invention will be described in more detail with reference to the figures below, wherein,
Fig. 1 shows a system architecture used in the present invention;
Fig. 2 shows the group service credentials provision procedure according to the present invention;
Fig. 3 shows the group service credentials provision procedure according to the first embodiment of the present invention;
Fig. 4 shows the group service credentials provision procedure according to the second embodiment of the present invention; and
Fig. 5 shows the group service credentials provision procedure according to the third embodiment of the present invention.
Preferred Embodiments
In the present invention, it is supposed that the access network provider and the M2M service provider share a business relationship or the access network provider provides M2M service.
Figure 1 shows a system architecture used in the M2M environment. A number of M2M devices and an M2M gateway are assigned to a group. All the communication between the M2M devices and the core network passes through the M2M gateway. The M2M devices are connected to the M2M gateway through the M2M area network (WiFi, ZigBee, etc.). The M2M gateway could be a normal M2M device which also runs M2M applications or M2M service capabilities like the other group members, or could be a special device.
The core idea of the invention is that the M2M service and the M2M device/gateway implement a group key establishment, which is authenticated by using the access network credentials, to establish a shared group secret key. Then the group service credentials provision procedure can be protected by the secret key. The procedure is shown in Figure 2.
As shown in Fig. 2, such high-level procedure comprises the following steps:
In step 21, the M2M device/gateway carries out the access network registration.
In step 22, the network provides access network credentials to the M2M service. In this connection, the network provider and the M2M service provider should have a business relationship.
In step 23, the M2M device/gateway and the M2M service establish the temporary session keys in the service layer based on the access network credentials.
In step 24, the M2M service and the M2M device/gateway carry out an authenticated group key establishment procedure in the service layer.
At the end of the procedure, there will be a shared group key among all the participants. Also, if necessary, there could be a shared individual secret key between each M2M device/gateway and the service. Each message should be protected by the temporary session keys established in step 23. Integrity or confidentiality should be provided according to the specific use cases.
In step 25, the service and the M2M device/gateway implement a group service credentials provisioning procedure under the protection of the group key established in step 24.
Group Key Establishment (GKE) is a method to establish a shared secret among a group of parties. According to the technology adopted, GKE could be subdivided into two different mechanisms: GKD and GKA.
In GKD, there exist some central key management entities, such as a key distribution center (KDC), which is responsible for generating and allocating the shared key(s) to peers. In the M2M environment, the M2M service provider can play the role of the key distribution center. In step 24 of the group service credentials provision procedure in Fig. 2, the M2M service provider can generate a random key and allocate it to all the M2M devices/gateway. This is easy to deploy and has little computation and communication cost. But there is a potential risk that the key is exposed to the access network provider. If the M2M service provider trusts the access network provider (they share a business relationship, etc.), it can adopt the GKD method. In GKD, the security strength of the distributed key depends on the security strength of the access network.
In GKA, every entity in the group contributes to the generation of the shared key. The group key could be considered as the output of a function which takes all the entities' private data as input. In GKA, only the participants can compute the secret key. If the GKA procedure is only performed among the M2M service and the M2M device/gateway, the key is secret even from the access network provider. If the M2M service provider does not trust the access network provider, it can adopt the GKA method. Moreover, GKA can produce a key whose security strength is stronger than the security strength of the access network.
In the GKA method, there are also two options due to the role of the M2M gateway.
Option i: The M2M Gateway participates in the group key agreement procedure.
Option ii: The M2M Gateway does not participate in the group key agreement procedure. It only plays the role of transferring messages.
There are also two options due to the level of the service credentials.
Option a: Only the group level service credentials are provided.
Option b: There are two levels of service credentials which are provided. Not only group level service credentials, but also individual level service credentials for each device are provided.
GKD, GKA, Options i, ii and Options a, b are independent options from different perspectives. So we have six options altogether: GKD & a, GKD & b, GKA & i & a, GKA & i & b, GKA & ii & a, GKA & ii & b. In the following, three of them will be explained in detail: GKD & a, GKA & i & a, GKA & ii & b. The other three options could be deduced with the same technology.
In the first preferred embodiment of the present invention, the M2M service generates the group key and allocates it to all the M2M devices/gateway. When the M2M device is very limited in energy and computing power and the access network provider is totally trusted by the service provider, this embodiment can be implemented.
Firstly, the access network authenticates the M2M device/gateway in the network layer. Then, according to the M2M service's request, the network provides the access network credentials to the M2M service. The M2M service generates the required group key and sends it to the M2M device/gateway with the protection of the access network credentials. Then the M2M service can provide the group service credentials with the protection of the group key. This procedure is shown in Figure 3.
So, this high-level procedure is comprised of the following steps:
Step 30 is an offline step. The External Identifiers defined in 3GPP TR23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the Bootstrapping Server Function (BSF).
In step 31, after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the Home Subscriber System (HSS). The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 32, a NAF-specific key derived from GBA can be used as the temporary session key. Such a NAF-specific key can be used to protect the authenticity and integrity of the data exchanged between the M2M service and the M2M device/gateway. The M2M device/gateway and the M2M Service Bootstrap Function (MSBF)/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the M2M devices and gateway in the group shares its own NAF-specific key with the MSBF/NAF. The MSBF facilitates the bootstrapping of permanent M2M service layer security credentials in the M2M Device (or M2M Gateway) and the M2M Service Capabilities in the Network Domain. The M2M Authentication Server (MAS) is used to store the permanent security credentials bootstrapped using the MSBF.
In step 33, the M2M service generates a random key as the group key.
Then the M2M service sends the group key to each M2M device/gateway separately. Each message should be protected with the shared secret established in step 33.
In step 34, the M2M service provides to all the M2M device/gateway the group service credentials with the protection of the group key.
This embodiment is more efficient in communication than key agreement, since only N messages are transmitted on the network in the group key establishment phase, where N is the number of devices/gateway. Afterwards, all the devices/gateway share a group key with the service.
Moreover, since the device only receives and decrypts a message in the group key establishment phase, this embodiment places lower computation demands on the device. The M2M device does not participate in the key generation procedure.
The second preferred embodiment of the present invention provides group level service credentials to the M2M device/gateway. This embodiment is used in the following situation: the M2M device has the computation capability for asymmetric cryptography. Moreover, the M2M gateway is also a member of the group and it also knows the group key. The access network provider is partially trusted by the service provider.
The implementation firstly uses the GBA method to provide the access network credentials to the service layer, then uses the Burmester-Desmedt GKA method to establish a group key. The gateway participates in the GKA procedure. Only group level service credentials are provided. This procedure is shown in Figure 4.
The high-level procedure of Fig. 4 is comprised of the following steps:
Step 40 is an offline step. The External Identifiers defined in 3GPP TR23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the BSF.
In step 41, after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS. The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 42, the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the M2M device and gateway in the group shares a NAF-specific key with the MSBF/NAF, respectively.
In step 43, the M2M service, the M2M devices and the M2M gateway carry out a Burmester-Desmedt group key agreement to establish a group key. The NAF-specific keys established in step 42 will be used for the message integrity protection of the GKA procedure. The M2M devices are pre-numbered from 1 to n-2. The gateway is pre-numbered n-1.
Burmester-Desmedt group key agreement is a specific method of exchanging keys among a group of parties. It allows a group of parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. It could be seen as an extension to the group setting of the Diffie-Hellman key exchange, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. The technical details can be found in M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Pre-proceedings of Eurocrypt'94, Scuola Superiore Guglielmo Reiss Romoli (SSGRR), pp. 279-290, Perugia, Italy, May 9-12, 1994.
In step 44, the MSBF/NAF provides the service credentials, protected by the group key established in step 43, to the M2M device/gateway and the MAS.
The advantages of this embodiment lie in the following: the group key is never transmitted over the network. It is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain the group key, and the group key is only known by the group members. The group key agreement protocol is carried out in the service layer. The network does not participate in the protocol, so it will not gain the group key. Most of the communications are behind the gateway.
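A runnable simulation of the Burmester-Desmedt group key agreement used in step 43, with the page's numbering (devices 1 to n-2, the gateway as member n-1, the M2M service as member n). This is an added example, not code from the patent: the two-round broadcast protocol follows the Burmester-Desmedt paper cited above, the toy group parameters are constructed and far too small for real use, and the NAF-key integrity tags on the messages are omitted.

```python
import secrets

# Constructed toy group: p = 1019 is a safe prime, q = 509 = (p - 1) / 2, and g = 4
# generates the order-q subgroup.  A deployment would use a standard 2048-bit group.
P, Q, G = 1019, 509, 4


def member_names(n):
    """Page numbering: devices D1..D(n-2), the gateway as member n-1, the MSBF as n."""
    return [f"D{i}" for i in range(1, n - 1)] + ["GW", "MSBF"]


def burmester_desmedt(n, rand=None):
    """Run the two-round Burmester-Desmedt protocol among n members.

    Returns (keys, broadcasts): keys maps each member to the group key it computed
    (all must agree) and broadcasts lists every value that went over the network.
    rand supplies the private exponents; pass a deterministic source for tests."""
    rand = rand or (lambda: 2 + secrets.randbelow(Q - 2))
    r = [rand() for _ in range(n)]              # r_i: private to member i (0-based)

    # Round 1: member i broadcasts z_i = g^{r_i}.
    z = [pow(G, ri, P) for ri in r]

    # Round 2: member i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}, indices mod n.
    x = []
    for i in range(n):
        ratio = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P
        x.append(pow(ratio, r[i], P))

    # Key: K_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^{1}.
    # The exponents telescope to r_1 r_2 + r_2 r_3 + ... + r_n r_1, so every member's
    # private value enters the key, and the key itself is never sent.
    keys = {}
    for i, name in enumerate(member_names(n)):
        k = pow(z[(i - 1) % n], n * r[i], P)
        for j in range(n - 1):
            k = k * pow(x[(i + j) % n], n - 1 - j, P) % P
        keys[name] = k
    return keys, z + x


def expected_key(r):
    """Reference g^{sum_i r_i r_{i+1}} from all private values (verification only)."""
    n = len(r)
    return pow(G, sum(r[i] * r[(i + 1) % n] for i in range(n)), P)
```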
The third preferred embodiment of the present invention provides both the group level service credentials and the individual level service credentials to the M2M device/gateway. This embodiment can be used when the M2M device also has the computation capability for asymmetric cryptography. The group service bootstrap and the individual service bootstraps are both achieved. The gateway is a special device which is only used for message transmission. It does not know the group key or any individual key. The access network provider is partially trusted by the service provider.
This embodiment firstly uses the GBA method to provide the access network credentials to the service layer, then uses a modified GDH.3 GKA method to establish a group key for all the group members and an individual key for each group member. The gateway does not participate in the GKA procedure. Figure 5 shows the procedure of GKA & ii & b.
This high-level procedure shown in Fig. 5 is comprised of the following steps:
Step 50 is an offline step. The External Identifiers defined in 3GPP TR23.888 of M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the BSF.
In step 51, after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS. The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 52, the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the M2M device and gateway in the group shares a NAF-specific key with the MSBF/NAF respectively.
In step 53, the M2M service and the M2M devices implement a modified GDH.3 group key agreement to establish a group key and an individual key for each M2M device. GDH.3 group key exchange is a specific method of exchanging keys among a group of parties. The technical details can be found in Michael Steiner, Gene Tsudik and Michael Waidner, "Diffie-Hellman key distribution extended to group communication", Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS'96), ACM, New York, NY, USA, pp. 31-37, 1996.
The detailed execution steps are as follows:
The MSBF generates a new random value $s$ (sent as $g^{s}$), which is used for the generation of the individual keys. The M2M devices are pre-numbered from 1 to n-1.
1) The first M2M device D1 generates a random value $r_1$ and sends a group root key request and $g^{r_1}$ to the M2M gateway. The M2M gateway forwards $g^{r_1}$ to the second M2M device D2.
2) The second M2M device D2 generates a random value $r_2$, computes $g^{r_1 r_2}$ and sends it to the M2M gateway. The M2M gateway forwards $g^{r_1 r_2}$ to the third M2M device D3.
...
n-1) The (n-1)-th M2M device D(n-1) generates a random value $r_{n-1}$, computes $g^{r_1 r_2 \cdots r_{n-1}}$ and sends it to the M2M gateway. The M2M gateway forwards $g^{r_1 r_2 \cdots r_{n-1}}$ to all the M2M devices.
n) Each M2M device Di computes $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ and sends it to the M2M gateway. The M2M gateway forwards all the $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ messages together with $g^{r_1 r_2 \cdots r_{n-1}}$ to the M2M server.
n+1) The M2M server generates two random values $r_n$ and $s$, computes $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ from each $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ message, and sends $g^{s}$ and all the $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to the M2M gateway. The M2M gateway forwards $g^{s}$ and $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to the M2M device Di.
n+2) The M2M server and all the M2M devices compute the same group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$. The M2M server and each M2M device Di compute the same individual key $g^{s r_i}$.
In step 54, the MSBF/NAF provides the group service credentials and the individual service credentials to the M2M device/gateway and the MAS. The group service credentials are protected by the group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$. Each individual service credential is protected by the individual key $g^{s r_i}$.
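A runnable simulation of steps 1 to n+2 of this embodiment, with the gateway as a pure relay (option ii) and every message to or from the MSBF tagged with the device's NAF-specific key, which is the role the text gives the temporary session keys. This is an added example, not code from the patent. Assumptions: the toy group parameters are constructed and far too small for real use; the NAF keys are constructed byte strings; and because the page does not say how the server obtains $g^{r_i}$ for the individual key $g^{s r_i}$, each device here sends $g^{r_i}$ along with its step n message.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: p = 1019 is a safe prime, q = 509 = (p - 1) / 2, and g = 4
# generates the order-q subgroup.  A deployment would use a standard 2048-bit group.
P, Q, G = 1019, 509, 4


def rand_exp():
    """Private exponent in [2, q-1]; q is prime, so every value is invertible mod q."""
    return 2 + secrets.randbelow(Q - 2)


def tag(key, payload):
    """HMAC with a NAF-specific key over a message exchanged with the MSBF/NAF."""
    return hmac.new(key, repr(payload).encode(), hashlib.sha256).digest()


def check(key, payload, t, where):
    """Reject any message whose tag does not verify (tampering or wrong peer)."""
    if not hmac.compare_digest(t, tag(key, payload)):
        raise ValueError(f"integrity check failed at {where}")


class Gateway:
    """Pure relay: forwards messages and logs them, but holds no key material."""
    def __init__(self):
        self.seen = []

    def forward(self, msg):
        self.seen.append(msg)
        return msg

    def saw(self, value):
        """True if value ever crossed the gateway, bare or inside a tagged tuple."""
        return any(value == m or (isinstance(m, tuple) and value in m) for m in self.seen)


class TamperingGateway(Gateway):
    """Relay that alters the first tagged message it carries; the MSBF must reject it."""
    def forward(self, msg):
        if isinstance(msg, tuple) and not getattr(self, "done", False):
            self.done = True
            msg = (msg[0] * G % P,) + msg[1:]
        return super().forward(msg)


def run_modified_gdh3(naf_keys, gateway, rand=rand_exp):
    """naf_keys[i] is the NAF-specific key shared by Di and the MSBF (constructed).

    Returns ((server_group_key, {i: server_individual_key}), {i: (group, individual)})
    as computed by the M2M server and by each device Di."""
    m = len(naf_keys)                          # devices D1..Dm; the server is party n = m+1
    r = {i: rand() for i in range(1, m + 1)}   # each Di's private random value

    # Steps 1 .. n-1: D1 sends g^{r1}; every later Di raises what it receives to r_i,
    # so after Dm the chain value is g^{r1 r2 ... rm}, which the gateway broadcasts.
    chain = pow(G, r[1], P)
    for i in range(2, m + 1):
        chain = pow(gateway.forward(chain), r[i], P)
    broadcast = gateway.forward(chain)

    # Step n: Di removes its own exponent, g^{r1..rm / r_i}, and (assumption, see the
    # lead-in) attaches g^{r_i}; both are tagged with Di's NAF key for the server.
    uploads = {}
    for i in range(1, m + 1):
        v, g_ri = pow(broadcast, pow(r[i], -1, Q), P), pow(G, r[i], P)
        uploads[i] = gateway.forward((v, g_ri, tag(naf_keys[i], (v, g_ri))))

    # Step n+1: the server picks r_n and s, verifies every upload, raises each
    # blinded value to r_n and returns it with g^s, again tagged per device.
    r_n, s = rand(), rand()
    g_s = pow(G, s, P)
    server_group = pow(broadcast, r_n, P)      # g^{r1..rm r_n}
    server_indiv, replies = {}, {}
    for i, (v, g_ri, t) in uploads.items():
        check(naf_keys[i], (v, g_ri), t, f"MSBF, message from D{i}")
        server_indiv[i] = pow(g_ri, s, P)      # g^{s r_i}
        w = pow(v, r_n, P)                     # g^{r1..rm r_n / r_i}
        replies[i] = gateway.forward((w, g_s, tag(naf_keys[i], (w, g_s))))

    # Step n+2: Di restores r_i to get the group key and raises g^s to r_i for its
    # individual key.  Neither key is ever sent, so the relay never sees them.
    devices = {}
    for i, (w, gs, t) in replies.items():
        check(naf_keys[i], (w, gs), t, f"D{i}")
        devices[i] = (pow(w, r[i], P), pow(gs, r[i], P))
    return (server_group, server_indiv), devices
```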
The advantages of this embodiment are as follows:
- The group key and the individual keys are never transmitted over the network. The group key is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain it.
- The group key and the individual keys are only known by the group members. The group key agreement protocol is carried out in the service layer. The network does not participate in the protocol, so it will not gain the group key.
- The group key and the individual key are both established in the same procedure.
- Most of the communications are behind the gateway.
While the invention has been described in conjunction with the preferred embodiments, those skilled in the art shall understand that many modifications and variations can be made to the invention without departing from the spirit and scope of the appended claims.
Claims
1. A method for provisioning group service credentials during access network assisted Machine-to-Machine (M2M) service bootstrap procedure, which comprises the following steps:
carrying out access network registration of a group of M2M devices,
establishing temporary session keys based on access network credentials of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
provisioning group service credentials under the protection of the group key.
2. The method according to claim 1, wherein Generic Bootstrapping Architecture (GBA) procedure is used in the implementation for the access network credentials provision.
3. The method according to claim 1 or 2, wherein the temporary session keys are derived from GBA procedure.
4. The method according to claim 3, wherein the temporary session keys comprise a Network Application Function (NAF)-specific key.
5. The method according to claim 4, wherein Hypertext Transfer Protocol (HTTP) Digest authentication is performed using the NAF-specific key in the step of establishing a group key.
6. The method according to one of claims 1-5, wherein the step of establishing a group key can be implemented by a group key agreement procedure, in which the group key can be obtained as a function of private data of all the M2M devices.
7. The method according to claim 6, wherein a Burmester-Desmedt group key agreement procedure is used to establish the group key.
8. The method according to claim 6, wherein a modified Group Diffie-Hellman protocol No. 3 (GDH.3) group key agreement procedure is used to establish the group key and the individual keys, in which M2M Service Bootstrap Function (MSBF) generates a new random value used for the generation of the individual keys.
9. The method according to one of claims 6-8, wherein the group key agreement procedure is performed in the service layer.
10. The method according to one of claims 1-5, wherein the step of establishing a group key can be implemented by a group key distribution procedure, in which a key distribution center is responsible for generating and allocating the shared key or the shared keys.
11. A system for provisioning group service credentials during access network assisted M2M service bootstrap procedure, which comprises the following means:
means for carrying out access network registration of a group of M2M devices,
means for establishing temporary session keys based on access network credentials of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
means for provisioning group service credentials under the protection of the group key.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2012/000182 WO2013120225A1 (en) | 2012-02-16 | 2012-02-16 | Method and system for group based service bootstrap in m2m environment |
CN201280072421.4A CN104205898A (en) | 2012-02-16 | 2012-02-16 | Method and system for group based service bootstrap in M2M environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2012/000182 WO2013120225A1 (en) | 2012-02-16 | 2012-02-16 | Method and system for group based service bootstrap in m2m environment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013120225A1 true WO2013120225A1 (en) | 2013-08-22 |
Family
ID=48983514
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2012/000182 WO2013120225A1 (en) | 2012-02-16 | 2012-02-16 | Method and system for group based service bootstrap in m2m environment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104205898A (en) |
WO (1) | WO2013120225A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015036773A3 (en) * | 2013-09-13 | 2015-06-11 | Vodafone Ip Licensing Limited | Methods and systems for operating a secure mobile device |
US9491196B2 (en) | 2014-09-16 | 2016-11-08 | Gainspan Corporation | Security for group addressed data packets in wireless networks |
CN106658349A (en) * | 2015-10-30 | 2017-05-10 | 中国电信股份有限公司 | Method for automatically generating and updating shared key and system thereof |
US9756030B2 (en) | 2014-08-08 | 2017-09-05 | Eurotech S.P.A. | Secure cloud based multi-tier provisioning |
US9762392B2 (en) | 2015-03-26 | 2017-09-12 | Eurotech S.P.A. | System and method for trusted provisioning and authentication for networked devices in cloud-based IoT/M2M platforms |
WO2017172152A1 (en) | 2016-03-31 | 2017-10-05 | Intel Corporation | Registration of devices in secure domain |
US10298448B2 (en) | 2016-09-20 | 2019-05-21 | At&T Intellectual Property I, L.P. | Method and apparatus for extending service capabilities in a communication network |
WO2020058559A1 (en) | 2018-09-17 | 2020-03-26 | Nokia Solutions And Networks Oy | Credentials management |
WO2020115458A1 (en) * | 2018-12-03 | 2020-06-11 | Arm Limited | Bootstrapping with common credential data |
EP3707887A4 (en) * | 2018-01-11 | 2020-12-16 | Samsung Electronics Co., Ltd. | Method of providing notification and electronic device supporting same |
US11095653B2 (en) | 2018-05-24 | 2021-08-17 | International Business Machines Corporation | Secure provisioning of unknown devices through trusted third-party devices |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1395019A2 (en) * | 2002-08-30 | 2004-03-03 | Xerox Corporation | Apparatus and method for providing authentication information for a secure group communication |
US6742114B1 (en) * | 1999-02-18 | 2004-05-25 | Novell, Inc. | Deputization in a distributed computing system |
CN101243642A (en) * | 2005-08-19 | 2008-08-13 | 三星电子株式会社 | Method for performing multiple pre-shared key based authentication at once and device for executing the method |
CN102026180A (en) * | 2009-09-15 | 2011-04-20 | 中国移动通信集团公司 | M2M transmission control method, device and system |
CN102215560A (en) * | 2010-04-08 | 2011-10-12 | 中兴通讯股份有限公司 | Method and system for managing M2M (machine to machine) terminal |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102238484B (en) * | 2010-04-22 | 2016-03-30 | 中兴通讯股份有限公司 | Based on the authentication method of group and system in the communication system of Machine To Machine |
US9450928B2 (en) * | 2010-06-10 | 2016-09-20 | Gemalto Sa | Secure registration of group of clients using single registration procedure |
CN102469458B (en) * | 2010-11-19 | 2015-08-12 | 中兴通讯股份有限公司 | Group authentication method in a kind of M2M communication and system |
2012
- 2012-02-16 WO PCT/CN2012/000182 patent/WO2013120225A1/en active Application Filing
- 2012-02-16 CN CN201280072421.4A patent/CN104205898A/en active Pending
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10673820B2 (en) | 2013-09-13 | 2020-06-02 | Vodafone Ip Licensing Limited | Communicating with a machine to machine device |
US10630646B2 (en) | 2013-09-13 | 2020-04-21 | Vodafone Ip Licensing Limited | Methods and systems for communicating with an M2M device |
WO2015036773A3 (en) * | 2013-09-13 | 2015-06-11 | Vodafone Ip Licensing Limited | Methods and systems for operating a secure mobile device |
US10764252B2 (en) | 2013-09-13 | 2020-09-01 | Vodafone Ip Licensing Ltd | Communicating with machine to machine devices |
US11044234B2 (en) | 2013-09-13 | 2021-06-22 | Vodafone Ip Licensing Ltd | Communicating with a device |
US11063912B2 (en) | 2013-09-13 | 2021-07-13 | Vodafone Ip Licensing Limited | Methods and systems for communicating with an M2M device |
US10439991B2 (en) | 2013-09-13 | 2019-10-08 | Vodafone Ip Licensing Limited | Communicating with a machine to machine device |
US10313307B2 (en) | 2013-09-13 | 2019-06-04 | Vodafone Ip Licensing Limited | Communicating with a machine to machine device |
US10412052B2 (en) | 2013-09-13 | 2019-09-10 | Vodafone Ip Licensing Limited | Managing machine to machine devices |
US9756030B2 (en) | 2014-08-08 | 2017-09-05 | Eurotech S.P.A. | Secure cloud based multi-tier provisioning |
US9491196B2 (en) | 2014-09-16 | 2016-11-08 | Gainspan Corporation | Security for group addressed data packets in wireless networks |
US9762392B2 (en) | 2015-03-26 | 2017-09-12 | Eurotech S.P.A. | System and method for trusted provisioning and authentication for networked devices in cloud-based IoT/M2M platforms |
CN106658349B (en) * | 2015-10-30 | 2020-11-20 | 中国电信股份有限公司 | Method and system for automatically generating and updating shared secret key |
CN106658349A (en) * | 2015-10-30 | 2017-05-10 | 中国电信股份有限公司 | Method for automatically generating and updating shared key and system thereof |
EP3437249A4 (en) * | 2016-03-31 | 2019-09-04 | Intel Corporation | Registration of devices in secure domain |
US10575273B2 (en) | 2016-03-31 | 2020-02-25 | Intel Corporation | Registration of devices in secure domain |
WO2017172152A1 (en) | 2016-03-31 | 2017-10-05 | Intel Corporation | Registration of devices in secure domain |
US10298448B2 (en) | 2016-09-20 | 2019-05-21 | At&T Intellectual Property I, L.P. | Method and apparatus for extending service capabilities in a communication network |
US11271803B2 (en) | 2016-09-20 | 2022-03-08 | At&T Intellectual Property I, L.P. | Method and apparatus for extending service capabilities in a communication network |
EP3707887A4 (en) * | 2018-01-11 | 2020-12-16 | Samsung Electronics Co., Ltd. | Method of providing notification and electronic device supporting same |
US11032099B2 (en) | 2018-01-11 | 2021-06-08 | Samsung Electronics Co., Ltd. | Method of providing notification and electronic device supporting same |
US11095653B2 (en) | 2018-05-24 | 2021-08-17 | International Business Machines Corporation | Secure provisioning of unknown devices through trusted third-party devices |
EP3854025A4 (en) * | 2018-09-17 | 2022-04-06 | Nokia Solutions and Networks Oy | Credentials management |
WO2020058559A1 (en) | 2018-09-17 | 2020-03-26 | Nokia Solutions And Networks Oy | Credentials management |
GB2579574A (en) * | 2018-12-03 | 2020-07-01 | Advanced Risc Mach Ltd | Bootstrapping with common credential data |
WO2020115458A1 (en) * | 2018-12-03 | 2020-06-11 | Arm Limited | Bootstrapping with common credential data |
CN113169864A (en) * | 2018-12-03 | 2021-07-23 | Arm有限公司 | Bootstrapping with public credential data |
GB2579574B (en) * | 2018-12-03 | 2021-08-11 | Advanced Risc Mach Ltd | Bootstrapping with common credential data |
Also Published As
Publication number | Publication date |
---|---|
CN104205898A (en) | 2014-12-10 |
Similar Documents
Publication | Title |
---|---|
Cao et al. | GBAAM: group‐based access authentication for MTC in LTE networks |
EP3432532B1 (en) | Key distribution and authentication method, apparatus and system |
WO2013120225A1 (en) | Method and system for group based service bootstrap in m2m environment |
EP3668048B1 (en) | Methods and apparatuses for bootstrapping machine-to-machine service |
US11588626B2 (en) | Key distribution method and system, and apparatus |
JP6508688B2 (en) | End-to-end service layer authentication |
DK1714418T3 (en) | KEY MANAGEMENT FOR NETWORK ELEMENTS |
US9705856B2 (en) | Secure session for a group of network nodes |
Asokan et al. | Applicability of identity-based cryptography for disruption-tolerant networking |
WO2017185999A1 (en) | Method, apparatus and system for encryption key distribution and authentication |
US20150149767A1 (en) | Method and system for authenticating the nodes of a network |
EP1997292A2 (en) | Establishing communications |
EP3472969B1 (en) | A key generation and distribution method based on identity-based cryptography |
Sathi et al. | Novel protocols to mitigate network slice topology learning attacks and protect privacy of users’ service access behavior in softwarized 5G networks |
Amadeo et al. | Securing the mobile edge through named data networking |
Braeken | Device-to-device group authentication compatible with 5G AKA protocol |
Guo et al. | A Novel RLWE‐Based Anonymous Mutual Authentication Protocol for Space Information Network |
Khumalo et al. | Services and applications security in IoT enabled networks |
Sen | Secure and privacy-preserving authentication protocols for wireless mesh networks |
Songshen et al. | Hash-Based Signature for Flexibility Authentication of IoT Devices |
Hamoud et al. | A New Certificateless System Construction for Multiple Key Generator Centers to Secure Device-to-Device Communications. |
Furtak | Data Exchange Protocol for Cryptographic Key Distribution System Using MQTT Service |
Cao et al. | Access authentication of mass device connections for MTC in LTE networks |
Hsu et al. | SGD 2: Secure Group-based Device-to-Device Communications with Fine-grained Access Control for IoT in 5G |
Bashir et al. | Modification in Kerberos assisted authentication in mobile Ad-Hoc networks to prevent ticket replay attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12868605 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 12868605 Country of ref document: EP Kind code of ref document: A1 |