WO2013120225A1 - Method and system for group based service bootstrap in m2m environment - Google Patents


Info

Publication number
WO2013120225A1
Authority
WO
WIPO (PCT)
Prior art keywords
group
key
service
access network
group key
Application number
PCT/CN2012/000182
Other languages
French (fr)
Inventor
Youlei Chen
Yazhe ZHANG
Original Assignee
Nokia Siemens Networks Oy
Application filed by Nokia Siemens Networks Oy
Priority to PCT/CN2012/000182
Priority to CN201280072421.4A
Publication of WO2013120225A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • A group based bootstrap method is proposed and group level service credentials are provisioned to all the M2M devices/gateway.
  • The bootstrap policy is flexible. There are different options for different cases (Group Key Agreement (GKA) vs Group Key Distribution (GKD), group level provision vs individual level provision, gateway involved vs gateway not involved, etc.).
  • The security strength of the provisioned service credentials can be independent of the security strength of the access network, which means it can be stronger than the security strength of the access network.
  • The execution flow can be flexibly controlled.
  • The M2M gateway can be configured to control the procedure according to the network state; e.g. the M2M gateway can control the time window in which it replies to the M2M device. Most of the communication can stay behind the M2M gateway, so it will not cause a signalling or data traffic jam on the network side.
  • The group members can securely communicate with each other, and it is unnecessary for the M2M application server to establish security associations using methods specific to the local area network that connects the group members.
  • Fig. 1 shows a system architecture used in the present invention.
  • Fig. 2 shows the group service credentials provision procedure according to the present invention.
  • Fig. 3 shows the group service credentials provision procedure according to the first embodiment of the present invention.
  • Fig. 4 shows the group service credentials provision procedure according to the second embodiment of the present invention.
  • Fig. 5 shows the group service credentials provision procedure according to the third embodiment of the present invention.
  • The access network provider and the M2M service provider share a business relationship, or the access network provider itself provides the M2M service.
  • Figure 1 shows a system architecture used in the M2M environment.
  • A number of M2M devices and an M2M gateway are assigned to a group. All the communication between the M2M devices and the core network is implemented through the M2M gateway.
  • The M2M devices are connected to the M2M gateway through the M2M area network (WiFi, ZigBee, etc.).
  • The M2M gateway could be a normal M2M device which also runs M2M applications or M2M service capabilities like the other group members, or could be a special device.
  • The core idea of the invention is that the M2M service and the M2M device/gateway implement a group key establishment, authenticated by using the access network credentials, to establish a shared group secret key. The group service credentials provision procedure can then be protected by that secret key.
  • The procedure is shown in Figure 2.
  • This high-level procedure comprises the following steps:
  • Step 21: the M2M device/gateway carries out the access network registration.
  • Step 22: the network provides access network credentials to the M2M service.
  • The network provider and the M2M service provider should have a business relationship.
  • Step 23: the M2M device/gateway and the M2M service establish the temporary session keys in the service layer based on the access network credentials.
  • Step 24: the M2M service and the M2M device/gateway carry out an authenticated group key establishment procedure in the service layer. At the end of the procedure there is a shared group key among all the participants and, if necessary, a shared individual secret key between each M2M device/gateway and the service. Each message should be protected by the temporary session keys established in step 23. Integrity or confidentiality should be provided according to the specific use case.
  • Step 25: the service and the M2M device/gateway implement a group service credentials provisioning procedure under the protection of the group key established in step 24.
  • In Group Key Distribution (GKD) there exist some central key management entities, such as a key distribution center (KDC), which is responsible for generating and allocating the shared key(s) to peers.
  • The M2M service provider can play the role of the key distribution center.
  • The M2M service provider can generate a random key and allocate it to all the M2M devices/gateway. This is easy to deploy and has little computation and communication cost. But there is a potential risk that the key is exposed to the access network provider. If the M2M service provider trusts the access network provider (they share a business relationship, etc.), it can adopt the GKD method.
  • The security strength of the distributed key depends on the security strength of the access network.
  • In Group Key Agreement (GKA) every entity in the group contributes to the generation of the shared key.
  • The group key can be considered as the output of a function which takes all the entities' private data as input.
  • In GKA only the participants can compute the secret key. If the GKA procedure is performed only among the M2M service and the M2M device/gateway, the key is secret even from the access network provider. If the M2M service provider does not trust the access network provider, it can adopt the GKA method. Moreover, GKA can produce a key whose security strength is stronger than the security strength of the access network.
  • Option i: the M2M gateway participates in the group key agreement procedure.
  • Option ii: the M2M gateway does not participate in the group key agreement procedure. It only plays the role of transferring messages.
  • Option b: two levels of service credentials are provided. Not only group level service credentials, but also individual level service credentials for each device are provided.
  • GKD, GKA, Options i, ii and Options a, b are independent options from different perspectives. So there are six options altogether: GKD & a, GKD & b, GKA & i & a, GKA & i & b, GKA & ii & a, GKA & ii & b. In the following, three of them are explained in detail: GKD & a, GKA & i & a, GKA & ii & b. The other three options can be derived with the same technique.
  • The M2M service generates the group key and allocates it to all the M2M devices/gateway.
  • If the M2M device is very limited in energy and computing power and the access network provider is totally trusted by the service provider, this embodiment can be used.
  • The access network authenticates the M2M device/gateway in the network layer.
  • The network provides the access network credentials to the M2M service.
  • The M2M service generates the required group key and sends it to the M2M device/gateway under the protection of the access network credentials.
  • The M2M service can then provide the group service credentials under the protection of the group key. This procedure is shown in Figure 3.
  • Step 30 is an offline step.
  • The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider.
  • The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the Bootstrapping Server Function (BSF).
  • Step 31: after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the Home Subscriber System (HSS).
  • The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
  • A NAF-specific key derived from GBA can be used as the temporary session key.
  • A NAF-specific key can be used to protect the authenticity and integrity of the data exchanged between the M2M service and the M2M device/gateway.
  • The M2M device/gateway and the M2M Service Bootstrap Function (MSBF)/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the group (M2M device or gateway) shares its own NAF-specific key with the MSBF/NAF.
  • The MSBF facilitates the bootstrapping of permanent M2M service layer security credentials in the M2M Device (or M2M Gateway) and the M2M Service Capabilities in the Network Domain.
  • The M2M Authentication Server (MAS) is used to store the permanent security credentials bootstrapped using the MSBF.
  • Step 33: the M2M service generates a random key as the group key.
  • The M2M service sends the group key to each M2M device/gateway separately.
  • Each message should be protected with the shared secret established in step 33.
  • Step 34: the M2M service provides the group service credentials to all the M2M devices/gateway under the protection of the group key.
  • This embodiment is more efficient in communication than key agreement, since only N messages are transmitted on the network in the group key establishment phase, where N is the number of devices/gateway. Afterwards, all the devices/gateway share a group key with the service.
  • Since the device only receives and decrypts messages in the group key establishment phase, this embodiment requires less computation from the device. The M2M device does not participate in the key generation procedure.
  • The second preferred embodiment of the present invention provides group level service credentials to the M2M device/gateway.
  • This embodiment is used in the following situation: the M2M device has the computation capability for asymmetric cryptography.
  • The M2M gateway is also a member of the group and also knows the group key.
  • The access network provider is partially trusted by the service provider.
  • The implementation first uses the GBA method to provide the access network credentials to the service layer, then uses the Burmester-Desmedt GKA method to agree on a group key.
  • The gateway participates in the GKA procedure. Only group level service credentials are provided. This procedure is shown in Figure 4.
  • The high-level procedure of Fig. 4 comprises the following steps:
  • Step 40 is an offline step.
  • The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider.
  • The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the BSF.
  • The M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS.
  • The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
  • Step 42: the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the group (M2M device or gateway) shares its own NAF-specific key with the MSBF/NAF.
  • Step 43: the M2M service, the M2M devices and the M2M gateway carry out a Burmester-Desmedt group key agreement to establish a group key.
  • The NAF-specific keys established in step 42 are used for message integrity protection of the GKA procedure.
  • The M2M devices are pre-numbered from 1 to n-2.
  • The gateway is pre-numbered n-1.
  • Burmester-Desmedt group key agreement is a specific method of exchanging keys among a group of parties.
  • The Burmester-Desmedt method allows a group of parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. It can be seen as an extension to the group setting of the Diffie-Hellman key exchange, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
  • The technical details can be found in M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Pre-proceedings of Eurocrypt '94, Scuola Superiore Guglielmo Reiss Romoli (SSGRR), pp. 279-290, Perugia, Italy, May 9-12, 1994.
  • Step 44: the MSBF/NAF provides the service credentials, protected by the group key established in step 43, to the M2M device/gateway and the MAS.
  • The group key is never transmitted over the network. It is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain it, and the group key is known only to the group members. The group key agreement protocol runs in the service layer; the network does not participate in the protocol, so it does not obtain the group key. Most of the communication stays behind the gateway.
  • The third preferred embodiment of the present invention provides both group level service credentials and individual level service credentials to the M2M device/gateway.
  • This embodiment can be used in the case of the M2M device having the computation capability for asymmetric cryptography.
  • Both the group service bootstrap and the individual service bootstraps are achieved.
  • The gateway is a special device which is only used for message transmission. It does not know the group key or any individual key. The access network provider is partially trusted by the service provider.
  • This embodiment first uses the GBA method to provide the access network credentials to the service layer, then uses a modified GDH.3 GKA method to agree on a group key for all the group members and an individual key for each group member.
  • The gateway does not participate in the GKA procedure.
  • Figure 5 shows the procedure of GKA & ii & b.
  • The high-level procedure shown in Fig. 5 comprises the following steps:
  • Step 50 is an offline step.
  • The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider.
  • The External Identifiers can be mapped to the M2M Node-ID and are also provided in the access network so that they are locally accessible to the BSF.
  • Step 51: after the access network registration succeeds, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS.
  • The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
  • Step 52: the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each member of the group (M2M device or gateway) shares its own NAF-specific key with the MSBF/NAF.
  • Step 53: the M2M service and the M2M devices implement a modified GDH.3 group key agreement to establish a group key and an individual key for each M2M device.
  • GDH.3 group key exchange is a specific method of exchanging keys among a group of parties. The technical details can be found in Michael Steiner, Gene Tsudik and Michael Waidner, "Diffie-Hellman key distribution extended to group communication", Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), ACM, New York, NY, USA, pp. 31-37, 1996.
  • The MSBF generates a new random value $s$ (sent as $g^{s}$), which is used for the generation of the individual keys.
  • The M2M devices are pre-numbered from 1 to $n-1$.
  • The first M2M device $D_1$ generates a random value $r_1$ and sends a group root key request and $g^{r_1}$ to the M2M gateway.
  • The M2M gateway forwards $g^{r_1}$ to the second M2M device $D_2$.
  • The second M2M device $D_2$ generates a random value $r_2$, computes $g^{r_1 r_2}$ and sends it to the M2M gateway.
  • The M2M gateway forwards $g^{r_1 r_2}$ to the third M2M device $D_3$.
  • ... The $(n-1)$-th M2M device $D_{n-1}$ generates a random value $r_{n-1}$, computes $g^{r_1 r_2 \cdots r_{n-1}}$ and sends it to the M2M gateway.
  • The M2M gateway forwards $g^{r_1 r_2 \cdots r_{n-1}}$ to all the M2M devices.
  • Each M2M device $D_i$ computes $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ and sends it to the M2M gateway.
  • The M2M gateway forwards all the $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ messages together with $g^{r_1 r_2 \cdots r_{n-1}}$ to the M2M server.
  • The M2M server generates two random values $r_n$ and $s$, computes $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ for each $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ message, and sends $g^{s}$ and all the $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to the M2M gateway.
  • The M2M gateway forwards $g^{s}$ and $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to each M2M device $D_i$.
  • The M2M server and all the M2M devices compute the same group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$.
  • The M2M server and each M2M device $D_i$ compute the same individual key $g^{s r_i}$.
  • The MSBF/NAF provides the group service credentials and the individual service credentials to the M2M device/gateway and the MAS.
  • The group service credentials are protected by the group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$, and each individual service credential is protected by the individual key $g^{s r_i}$.
  • The group key and the individual keys are never transmitted over the network. They are functions of the group members' private random numbers; an eavesdropper on the network cannot obtain the group key.
  • The group key and the individual keys are known only to the group members.
  • The group key agreement protocol runs in the service layer. The network does not participate in the protocol, so it does not obtain the group key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This invention relates to a method for provisioning group service credentials during access network assisted M2M service bootstrap procedure. This method comprises the following steps: carrying out access network registration of a group of M2M devices, establishing temporary session keys based on access network credentials of the access network, establishing a group key and/or individual keys authenticated by means of the temporary session keys, and provisioning group service credentials under the protection of the group key. This invention also relates to a system for provisioning group service credentials during access network assisted M2M service bootstrap procedure.

Description

Method and System for Group Based Service Bootstrap in M2M Environment
Technical Field
This invention generally relates to a method and system for group based service bootstrap in a Machine-to-Machine (M2M) environment. In particular, the invention relates to a method and system for provisioning group service credentials during the access network assisted M2M service bootstrap procedure.
Background Art
M2M refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. M2M uses a device (such as a sensor or meter) to capture an event (such as temperature, inventory level, etc.), which is relayed through a network (wireless, wired or hybrid) to an application (software program), that translates the captured event into meaningful information.
In the M2M environment, it is desirable to provide service credentials to the devices during the device bootstrap and registration procedure. M2M service bootstrap provides permanent M2M service credentials (identities, root keys, etc.), which will be used for connecting and registering with the M2M service layer.
European Telecommunications Standards Institute Technical Specification (ETSI TS) 102 690 has standardized two methods of M2M service bootstrap depending on the business relationship between the M2M service provider and the network provider: access network assisted M2M service bootstrap and access network independent M2M service bootstrap. The ETSI TS 102 690 standard defines M2M provisioning and bootstrapping procedures. It says: "M2M Service Bootstrap and M2M Service Registration for M2M Devices and M2M Gateways are the mechanisms by which: Service layer credentials, such as permanent identifiers and root keys are provisioned to M2M Device (or M2M Gateway)."
ETSI has defined several methods of access network assisted M2M service bootstrap procedure (see ETSI TS 102 690), such as the Generic Bootstrapping Architecture (GBA) based M2M service bootstrap procedure, the Extensible Authentication Protocol (EAP)-based bootstrap procedure using Subscriber Identity Module (SIM)/Authentication and Key Agreement (AKA)-based credentials, and the bootstrap procedure utilizing EAP-based network access authentication. GBA describes the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3rd Generation Partnership Project (3GPP) AKA mechanism. The 3GPP authentication infrastructure, including the 3GPP Authentication Centre (AuC), the Universal Subscriber Identity Module (USIM) or the IP Multimedia Services Identity Module (ISIM), and the 3GPP AKA protocol run between them, is a very valuable asset of 3GPP operators. It has been recognized that this infrastructure could be leveraged to enable application functions in the network and on the user side to establish shared keys. Therefore, 3GPP can provide the "bootstrapping of application security" to authenticate the subscriber by defining a GBA based on the AKA protocol. The technical details can be found in 3GPP TS 33.220.
However, the current methods defined in ETSI are all at the individual level. One bootstrap procedure provisions just one device. None of them considers the group requirement. If there are a lot of M2M devices which have the same M2M service capabilities or run the same M2M application, there will be a lot of bootstrap procedures, and all of them provision the same M2M service credentials. This is duplicated and inefficient. A better idea is to do all the credentials provision in one group based bootstrap procedure. There are scenarios in which M2M devices are divided into groups: M2M devices can be grouped together for control, management or charging facilities, etc., to meet the needs of operators. This optimization may provide an easier way to control/update/charge the M2M devices at group granularity, which may decrease redundant signalling and avoid congestion. Network resources can also be saved by using group based optimization when the number of M2M devices is large.
The Internet Engineering Task Force (IETF) has proposed a series of documents regarding group key management protocols (e.g. Request for Comments (RFC) 2093, RFC 2094, RFC 4046). These documents give detailed accounts of how to manage the group key problem, such as group key distribution and group key rekeying. However, none of the protocols considers the characteristics of the M2M application. They may not be suitable in the M2M environment due to the energy and computation limitations or other specific features of the M2M devices. For example, some of them need the support of an asymmetric signature system, which requires high computation capability and is also hard to deploy (RFC 2093, RFC 2094, etc.). Some of them need a specific Group Controller or Key Server (GCKS) to define and enforce group membership, key management and other affairs. There is no corresponding entity which fulfills the functionality of the GCKS in the M2M environment.
By leveraging the access network credentials in the service layer, existing resources are reused and the deployment cost decreases. And by introducing the group architecture, the data flow clearly decreases. So it is valuable to give a group based bootstrap method with the assistance of the access network.
Summary of the Invention
To this end, the problem to be solved by the invention is how to carry out the service bootstrap for a group of M2M devices at the group level with the assistance of the access network.
The invention proposes a method for provisioning group service credentials during an access network assisted M2M service bootstrap procedure.
The method of the present invention comprises the following steps:
carrying out access network registration of a group of M2M devices,
establishing temporary session keys based on access network credentials of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
provisioning group service credentials under the protection of the group key.
Preferably, a Generic Bootstrapping Architecture (GBA) procedure is used in the implementation for the access network credentials provision.
Preferably, the temporary session keys are derived from the GBA procedure and can be a Network Application Function (NAF)-specific key.
More preferably, Hypertext Transfer Protocol (HTTP) Digest authentication is performed using a NAF-specific key in the step of establishing a group key.
According to one preferred embodiment of the invention, the step of establishing a group key can be implemented by a group key agreement procedure, in which the group key can be obtained as a function of private data of all the M2M devices. A Burmester-Desmedt group key agreement procedure or a modified Group Diffie-Hellman protocol No. 3 (GDH.3) group key agreement procedure can be used to establish the group key. In the modified GDH.3 group key agreement procedure, M2M Service Bootstrap Function (MSBF) generates a new random value used for the generation of the individual keys.
The group key agreement procedure is performed in the service layer.
According to another preferred embodiment of the invention, the step of establishing a group key can be implemented by a group key distribution procedure, in which a key distribution center is responsible for generating and allocating the shared key or the shared keys.
Furthermore, the invention proposes a system for provisioning group service credentials during an access network assisted M2M service bootstrap procedure. The system comprises the following means:
means for carrying out access network registration of a group of M2M devices,
means for establishing temporary session keys based on access network credentials of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
means for provisioning group service credentials under the protection of the group key.
Thus, in comparison with the prior art, a group based bootstrap method is proposed and group level service credentials are provisioned to all the M2M devices/gateway. The bootstrap policy is flexible: there are different options for different cases (Group Key Agreement (GKA) vs Group Key Distribution (GKD), group level provision vs individual level provision, gateway involved vs gateway not involved, etc.). The security strength of the provisioned service credentials can be independent of the security strength of the access network, which means it can be stronger than the security strength of the access network. The execution flow can be flexibly controlled. The M2M gateway can be configured to control the procedure according to the network state, e.g. the M2M gateway can control the time window in which to reply to the M2M device. Most of the communication can take place behind the M2M gateway, so it will not cause a signalling or data traffic jam on the network side.
Therefore, by implementing the method and system proposed by the invention, the group members can securely communicate with each other, and it is unnecessary for the M2M application server to establish security associations using methods specific to the local area network that connects the group members.
Description of the Figures
The invention will be described in more detail with reference to the figures below, wherein,
Fig. 1 shows a system architecture used in the present invention;
Fig. 2 shows the group service credentials provision procedure according to the present invention;
Fig. 3 shows the group service credentials provision procedure according to the first embodiment of the present invention;
Fig. 4 shows the group service credentials provision procedure according to the second embodiment of the present invention; and
Fig. 5 shows the group service credentials provision procedure according to the third embodiment of the present invention.
Preferred Embodiments
In the present invention, it is assumed that the access network provider and the M2M service provider share a business relationship, or that the access network provider itself provides the M2M service.
Figure 1 shows a system architecture used in the M2M environment. A number of M2M devices and an M2M gateway are assigned to a group. All the communication between the M2M devices and the core network is implemented through the M2M gateway. The M2M devices are connected to the M2M gateway through the M2M area network (WiFi, ZigBee, etc.). The M2M gateway could be a normal M2M device which also runs M2M applications or M2M service capabilities like the other group members, or could be a special device.
The core idea of the invention is that the M2M service and the M2M devices/gateway implement a group key establishment, authenticated by using the access network credentials, to establish a shared group secret key. The group service credentials provision procedure can then be protected by this secret key. The procedure is shown in Figure 2.
As shown in Fig. 2, this high-level procedure comprises the following steps:
In step 21, the M2M device/gateway carries out the access network registration.
In step 22, the network provides access network credentials to the M2M service. In this connection, the network provider and the M2M service provider should have a business relationship.
In step 23, the M2M device/gateway and the M2M service establish the temporary session keys in the service layer based on the access network credentials.
In step 24, the M2M service and the M2M devices/gateway carry out an authenticated group key establishment procedure in the service layer. At the end of the procedure, there is a shared group key among all the participants. Also, if necessary, there can be a shared individual secret key between each M2M device/gateway and the service. Each message should be protected by the temporary session keys established in step 23. Integrity or confidentiality should be provided according to the specific use case.
In step 25, the service and the M2M devices/gateway implement a group service credentials provisioning procedure under the protection of the group key established in step 24.
Group Key Establishment (GKE) is a method to establish a shared secret among a group of parties. Depending on the technique adopted, GKE can be subdivided into two different mechanisms: GKD and GKA.
In GKD, there exist some central key management entities, such as a key distribution center (KDC), which is responsible for generating and allocating the shared key(s) to peers. In the M2M environment, the M2M service provider can play the role of the key distribution center. In step 24 of the group service credentials provision procedure in Fig. 2, the M2M service provider can generate a random key and allocate it to all the M2M devices/gateway. This is easy to deploy and has little computation and communication cost. But there is a potential risk that the key is exposed to the access network provider, since it is protected only by keys derived from the access network credentials. If the M2M service provider trusts the access network provider (they share a business relationship, etc.), it can adopt the GKD method. In GKD, the security strength of the distributed key depends on the security strength of the access network.
In GKA, every entity in the group contributes to the generation of the shared key. The group key can be considered the output of a function which takes all the entities' private data as input. In GKA, only the participants can compute the secret key. If the GKA procedure is performed only among the M2M service and the M2M devices/gateway, the key is secret even from the access network provider. If the M2M service provider does not trust the access network provider, it can adopt the GKA method. Moreover, GKA can produce a key whose security strength is stronger than that of the access network.
In the GKA method, there are also two options depending on the role of the M2M gateway.
Option i: The M2M gateway participates in the group key agreement procedure.
Option ii: The M2M gateway does not participate in the group key agreement procedure. It only plays the role of relaying messages.
There are also two options depending on the level of the service credentials.
Option a: Only group level service credentials are provided.
Option b: Two levels of service credentials are provided: not only group level service credentials, but also individual level service credentials for each device.
GKD/GKA, Options i/ii and Options a/b are independent options from different perspectives, so there are six options altogether: GKD & a, GKD & b, GKA & i & a, GKA & i & b, GKA & ii & a, GKA & ii & b. In the following, three of them are explained in detail: GKD & a, GKA & i & a, GKA & ii & b. The other three options can be derived with the same techniques.
In the first preferred embodiment of the present invention, the M2M service generates the group key and allocates it to all the M2M devices/gateway. This embodiment can be used when the M2M device is very limited in energy and computing power and the access network provider is fully trusted by the service provider. Firstly the access network authenticates the M2M device/gateway in the network layer. Then, according to the M2M service's request, the network provides the access network credentials to the M2M service. The M2M service generates the required group key and sends it to the M2M device/gateway under the protection of the access network credentials. Then the M2M service can provide the group service credentials under the protection of the group key. This procedure is shown in Figure 3.
So, this high-level procedure comprises the following steps:
Step 30 is an offline step. The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provisioned in the access network so that they are locally accessible to the Bootstrapping Server Function (BSF).
In step 31, after the access network registration has succeeded, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the Home Subscriber Server (HSS). The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 32, a NAF-specific key derived from GBA can be used as the temporary session key. Such a NAF-specific key can be used to protect the authenticity and integrity of the data exchanged between the M2M service and the M2M device/gateway. The M2M device/gateway and the M2M Service Bootstrap Function (MSBF)/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each M2M device and gateway in the group shares its own NAF-specific key with the MSBF/NAF. The MSBF facilitates the bootstrapping of permanent M2M service layer security credentials in the M2M Device (or M2M Gateway) and the M2M Service Capabilities in the Network Domain. The M2M Authentication Server (MAS) is used to store the permanent security credentials bootstrapped using the MSBF.
In step 33, the M2M service generates a random key as the group key.
The M2M service then sends the group key to each M2M device/gateway separately. Each message should be protected with the shared secret established in step 33.
In step 34, the M2M service provides the group service credentials to all the M2M devices/gateway under the protection of the group key.
This embodiment is more efficient in communication than key agreement, since only N messages are transmitted on the network in the group key establishment phase, where N is the number of devices/gateway. After that, all the devices/gateway share a group key with the service.
Moreover, since the device only receives and decrypts a message in the group key establishment phase, this embodiment requires lower computation performance of the device, and the M2M device does not participate in the key generation procedure.
The second preferred embodiment of the present invention provides group level service credentials to the M2M devices/gateway. This embodiment is used in the following situation: the M2M device has the computation capability for asymmetric cryptography; the M2M gateway is also a member of the group and also knows the group key; and the access network provider is partially trusted by the service provider.
The implementation first uses the GBA method to provide the access network credentials to the service layer, then uses the Burmester-Desmedt GKA method to agree a group key. The gateway participates in the GKA procedure. Only group level service credentials are provided. This procedure is shown in Figure 4.
The high-level procedure of Fig. 4 comprises the following steps:
Step 40 is an offline step. The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provisioned in the access network so that they are locally accessible to the BSF.
In step 41, after the access network registration has succeeded, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS. The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 42, the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each M2M device and gateway in the group shares its own NAF-specific key with the MSBF/NAF.
In step 43, the M2M service, the M2M devices and the M2M gateway carry out a Burmester-Desmedt group key agreement to establish a group key. The NAF-specific keys established in step 42 are used for the message integrity protection of the GKA procedure. The M2M devices are pre-numbered from 1 to n-2. The gateway is pre-numbered n-1.
Burmester-Desmedt group key agreement is a specific method of exchanging keys among a group of parties. It allows a group of parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel, and can be seen as an extension to the group setting of the Diffie-Hellman key exchange, which allows two parties that have no prior knowledge of each other to do the same. The technical details can be found in M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Pre-proceedings of Eurocrypt'94, Scuola Superiore Guglielmo Reiss Romoli (SSGRR), pp. 279-290, Perugia, Italy, May 9-12, 1994.
In step 44, the MSBF/NAF provides the service credentials, protected by the group key established in step 43, to the M2M device/gateway and the MAS.
The advantages of this embodiment are: the group key is never transmitted over the network; it is a function of all the group members' private random numbers, so an eavesdropper on the network cannot obtain it. The group key is known only to the group members. The group key agreement protocol is carried out in the service layer; the network does not participate in the protocol, so it will not learn the group key. Most of the communications are behind the gateway.
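The Burmester-Desmedt agreement of step 43, as an added example that is not the patent's own code: n members (the M2M devices, the gateway as member n-1 in the patent's numbering, and the MSBF/NAF) each broadcast $z_i = g^{r_i}$ and then $X_i = (z_{i+1}/z_{i-1})^{r_i}$, and every member derives the same key, while each broadcast carries an HMAC under the sender's NAF-specific key so that a message modified in transit is rejected before it enters the computation. The toy modulus, the HMAC message framing and the hash-based derivation of the credential protection key are this example's assumptions, not details given by the patent.

```python
"""Burmester-Desmedt group key agreement for step 43 of the second embodiment.

Added example (not code from the patent). Participants are indexed 0..n-1:
devices 0..n-3, the M2M gateway n-2 and the MSBF/NAF n-1. The per-member
NAF-specific keys from step 42 are stand-ins generated with secrets.token_bytes;
the HMAC framing (b"BD|round|index|value") is an assumption of this example.
"""
import hashlib
import hmac
import secrets

# Toy modulus: 2**89 - 1 is prime (Mersenne prime M89). A real deployment would
# use a standardised MODP group; the algebra below is the same.
P = 2**89 - 1
G = 3


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def tag(naf_key: bytes, rnd: int, i: int, value: int) -> bytes:
    """Integrity tag over one GKA message, keyed with member i's NAF-specific key."""
    msg = b"BD|%d|%d|" % (rnd, i) + int_to_bytes(value)
    return hmac.new(naf_key, msg, hashlib.sha256).digest()


class Member:
    """One participant in the Burmester-Desmedt ring."""

    def __init__(self, index: int, n: int, naf_key: bytes):
        self.i, self.n, self.naf_key = index, n, naf_key
        self.r = secrets.randbelow(P - 2) + 1  # private exponent r_i, never sent

    def round1(self):
        z = pow(G, self.r, P)  # z_i = g^{r_i}
        return z, tag(self.naf_key, 1, self.i, z)

    def round2(self, z_all):
        z_prev = z_all[(self.i - 1) % self.n]
        z_next = z_all[(self.i + 1) % self.n]
        # X_i = (z_{i+1} / z_{i-1})^{r_i}
        x = pow(z_next * pow(z_prev, -1, P) % P, self.r, P)
        return x, tag(self.naf_key, 2, self.i, x)

    def group_key(self, z_all, x_all) -> int:
        # K = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^{1}
        #   = g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}, identical for every member
        n = self.n
        k = pow(z_all[(self.i - 1) % n], n * self.r, P)
        for j in range(n - 1):
            k = k * pow(x_all[(self.i + j) % n], n - 1 - j, P) % P
        return k


def relay(naf_keys, rnd, messages):
    """MSBF/NAF hub: verify each member's tag with that member's NAF-specific key
    before redistributing the value to the group; reject anything modified in transit."""
    values = []
    for i, (value, t) in enumerate(messages):
        if not hmac.compare_digest(tag(naf_keys[i], rnd, i, value), t):
            raise ValueError("integrity check failed for member %d in round %d" % (i, rnd))
        values.append(value)
    return values


def run_gka(n: int, tamper_index=None):
    """Run the two broadcast rounds and return every member's derived group key."""
    naf_keys = [secrets.token_bytes(32) for _ in range(n)]  # constructed NAF-specific keys
    members = [Member(i, n, naf_keys[i]) for i in range(n)]

    round1 = [m.round1() for m in members]
    if tamper_index is not None:  # simulate an on-path modification of one z_i
        z, t = round1[tamper_index]
        round1[tamper_index] = (z * G % P, t)
    z_all = relay(naf_keys, 1, round1)

    x_all = relay(naf_keys, 2, [m.round2(z_all) for m in members])
    return [m.group_key(z_all, x_all) for m in members]


def credential_protection_key(group_key: int) -> bytes:
    """Step 44: key under which the MSBF/NAF protects the group service credentials
    (derivation by hashing is this example's choice, not specified by the patent)."""
    return hashlib.sha256(b"M2M-group-credentials|" + int_to_bytes(group_key)).digest()


def tamper_is_detected(n: int) -> bool:
    try:
        run_gka(n, tamper_index=1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = run_gka(5)  # three devices, the gateway and the MSBF/NAF
    print("all members agree:", len(set(keys)) == 1)
    print("tampered broadcast rejected:", tamper_is_detected(5))
    print("credential key:", credential_protection_key(keys[0]).hex())
```

Because the gateway is an ordinary ring member here, it ends up holding the group key, which is exactly the property that distinguishes this embodiment (GKA & i & a) from the third one.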
The third preferred embodiment of the present invention provides both group level service credentials and individual level service credentials to the M2M devices/gateway. This embodiment can be used when the M2M device also has the computation capability for asymmetric cryptography. Both the group service bootstrap and the individual service bootstraps are achieved. The gateway is a special device which is used only for message transmission; it does not know the group key or any individual key. The access network provider is partially trusted by the service provider.
This embodiment first uses the GBA method to provide the access network credentials to the service layer, then uses a modified GDH.3 GKA method to agree a group key for all the group members and an individual key for each group member. The gateway does not participate in the GKA procedure. Figure 5 shows the procedure for GKA & ii & b.
The high-level procedure shown in Fig. 5 comprises the following steps:
Step 50 is an offline step. The External Identifiers (defined in 3GPP TR 23.888) of the M2M Devices or M2M Gateways are provided to the M2M service provider. The External Identifiers can be mapped to the M2M Node-ID and are also provisioned in the access network so that they are locally accessible to the BSF.
In step 51, after the access network registration has succeeded, the M2M device/gateway carries out the GBA bootstrapping procedure towards the BSF, using an authentication vector (AV) the BSF fetched from the HSS. The BSF also retrieves the GBA User Security Settings (USS) from the HSS, which may contain M2M specific security settings.
In step 52, the M2M device/gateway and the MSBF/NAF perform HTTP Digest authentication using the NAF-specific key. If the HTTP Digest authentication succeeds, each M2M device and gateway in the group shares its own NAF-specific key with the MSBF/NAF.
In step 53, the M2M service and the M2M devices implement a modified GDH.3 group key agreement to establish a group key and an individual key for each M2M device. GDH.3 group key exchange is a specific method of exchanging keys among a group of parties. The technical details can be found in Michael Steiner, Gene Tsudik and Michael Waidner, "Diffie-Hellman key distribution extended to group communication", Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS'96), ACM, New York, NY, USA, pp. 31-37, 1996.
The detailed execution steps are as follows:
The MSBF generates a new random value $s$; $g^s$ is used for the generation of the individual keys. The M2M devices are pre-numbered from 1 to n-1.
1) The first M2M device $D_1$ generates a random value $r_1$ and sends a group root key request and $g^{r_1}$ to the M2M gateway. The M2M gateway forwards $g^{r_1}$ to the second M2M device $D_2$.
2) The second M2M device $D_2$ generates a random value $r_2$, computes $g^{r_1 r_2}$ and sends it to the M2M gateway. The M2M gateway forwards $g^{r_1 r_2}$ to the third M2M device $D_3$.
...
n-1) The (n-1)th M2M device $D_{n-1}$ generates a random value $r_{n-1}$, computes $g^{r_1 r_2 \cdots r_{n-1}}$ and sends it to the M2M gateway. The M2M gateway forwards $g^{r_1 r_2 \cdots r_{n-1}}$ to all the M2M devices.
n) Each M2M device $D_i$ computes $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ and sends it to the M2M gateway. The M2M gateway forwards all the $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ messages together with $g^{r_1 r_2 \cdots r_{n-1}}$ to the M2M server.
n+1) The M2M server generates two random values $r_n$ and $s$, computes $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ from each $g^{r_1 r_2 \cdots r_{n-1} / r_i}$ message, and sends $g^s$ and all the $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to the M2M gateway. The M2M gateway forwards $g^s$ and $g^{r_1 r_2 \cdots r_{n-1} r_n / r_i}$ to each M2M device $D_i$.
n+2) The M2M server and all the M2M devices compute the same group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$. The M2M server and each M2M device $D_i$ compute the same individual key $g^{s r_i}$.
In step 54, the MSBF/NAF provides the group service credentials and the individual service credentials to the M2M devices/gateway and the MAS. The group service credentials are protected by the group key $g^{r_1 r_2 \cdots r_{n-1} r_n}$; each individual service credential is protected by the individual key $g^{s r_i}$.
The advantages of this embodiment are as follows:
- The group key and the individual keys are never transmitted over the network. They are functions of the group members' private random numbers, so an eavesdropper on the network cannot obtain them.
- The group key and the individual keys are known only to the group members. The group key agreement protocol is carried out in the service layer. The network does not participate in the protocol, so it will not learn the group key.
- The group key and the individual keys are both established in the same procedure.
- Most of the communications are behind the gateway.
While the invention has been described in conjunction with the preferred embodiments, those skilled in the art shall understand that many modifications and variations can be made to the invention without departing from the spirit and scope of the appended claims.

Claims

1. A method for provisioning group service credentials during access network assisted Machine-to-Machine (M2M) service bootstrap procedure, which comprises the following steps:
carrying out access network registration of a group of M2M devices, establishing temporary session keys based on access network credentials of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
provisioning group service credentials under the protection of the group key.
2. The method according to claim 1, wherein Generic Bootstrapping Architecture (GBA) procedure is used in the implementation for the access network credentials provision.
3. The method according to claim 1 or 2, wherein the temporary session keys are derived from GBA procedure.
4. The method according to claim 3, wherein the temporary session keys comprise a Network Application Function (NAF)-specific key.
5. The method according to claim 4, wherein Hypertext Transfer Protocol (HTTP) Digest authentication is performed using the NAF-specific key in the step of establishing a group key.
6. The method according to one of claims 1-5, wherein the step of establishing a group key can be implemented by a group key agreement procedure, in which the group key can be obtained as a function of private data of all the M2M devices.
7. The method according to claim 6, wherein a Burmester-Desmedt group key agreement procedure is used to establish the group key.
8. The method according to claim 6, wherein a modified Group Diffie-Hellman protocol No. 3 (GDH.3) group key agreement procedure is used to establish the group key and the individual keys, in which M2M Service Bootstrap Function (MSBF) generates a new random value used for the generation of the individual keys.
9. The method according to one of claims 6-8, wherein the group key agreement procedure is performed in the service layer.
10. The method according to one of claims 1-5, wherein the step of establishing a group key can be implemented by a group key distribution procedure, in which a key distribution center is responsible for generating and allocating the shared key or the shared keys.
11. A system for provisioning group service credentials during access network assisted M2M service bootstrap procedure, which comprises the following means:
means for carrying out access network registration of a group of M2M devices,
means for establishing temporary session keys based on access network credentials of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
means for provisioning group service credentials under the protection of the group key.
Application PCT/CN2012/000182, priority date 2012-02-16, filing date 2012-02-16: Method and system for group based service bootstrap in M2M environment. Priority is also claimed by CN201280072421.4A (CN104205898A), priority date 2012-02-16, filing date 2012-02-16.
Published as WO2013120225A1 on 2013-08-22.

Also Published As

Publication number Publication date
CN104205898A (en) 2014-12-10

Similar Documents

Publication Publication Date Title
Cao et al. GBAAM: group‐based access authentication for MTC in LTE networks
EP3432532B1 (en) Key distribution and authentication method, apparatus and system
WO2013120225A1 (en) Method and system for group based service bootstrap in m2m environment
EP3668048B1 (en) Methods and apparatuses for bootstrapping machine-to-machine service
US11588626B2 (en) Key distribution method and system, and apparatus
JP6508688B2 (en) End-to-end service layer authentication
DK1714418T3 (en) KEY MANAGEMENT FOR NETWORK ELEMENTS
US9705856B2 (en) Secure session for a group of network nodes
Asokan et al. Applicability of identity-based cryptography for disruption-tolerant networking
WO2017185999A1 (en) Method, apparatus and system for encryption key distribution and authentication
US20150149767A1 (en) Method and system for authenticating the nodes of a network
EP1997292A2 (en) Establishing communications
EP3472969B1 (en) A key generation and distribution method based on identity-based cryptography
Sathi et al. Novel protocols to mitigate network slice topology learning attacks and protect privacy of users’ service access behavior in softwarized 5G networks
Amadeo et al. Securing the mobile edge through named data networking
Braeken Device-to-device group authentication compatible with 5G AKA protocol
Guo et al. A Novel RLWE‐Based Anonymous Mutual Authentication Protocol for Space Information Network
Khumalo et al. Services and applications security in IoT enabled networks
Sen Secure and privacy-preserving authentication protocols for wireless mesh networks
Songshen et al. Hash-Based Signature for Flexibility Authentication of IoT Devices
Hamoud et al. A New Certificateless System Construction for Multiple Key Generator Centers to Secure Device-to-Device Communications
Furtak Data Exchange Protocol for Cryptographic Key Distribution System Using MQTT Service
Cao et al. Access authentication of mass device connections for MTC in LTE networks
Hsu et al. SGD2: Secure Group-based Device-to-Device Communications with Fine-grained Access Control for IoT in 5G
Bashir et al. Modification in Kerberos assisted authentication in mobile Ad-Hoc networks to prevent ticket replay attacks

Legal Events

Date Code Title Description

121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 12868605
    Country of ref document: EP
    Kind code of ref document: A1

NENP Non-entry into the national phase
    Ref country code: DE

122 Ep: pct application non-entry in european phase
    Ref document number: 12868605
    Country of ref document: EP
    Kind code of ref document: A1