WO2016203094A1 - Assisted network selection (Sélection de réseau assistée) - Google Patents


Info

Publication number
WO2016203094A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
nonce
cryptographic signature
user equipment
processing core
Application number
PCT/FI2015/050434
Other languages
English (en)
Inventor
Mika Ilkka Tapani Kasslin
Janne Marin
Janne Petteri Tervonen
Jari Pekka MUSTAJÄRVI
Original Assignee
Nokia Technologies Oy
Priority date: 2015-06-15
Filing date: 2015-06-15
Publication date: 2016-12-22
Application filed by Nokia Technologies Oy
Priority to PCT/FI2015/050434
Publication of WO2016203094A1 (fr)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/18 Selecting a network or a communication service
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • the present invention relates to network selection, such as, for example, wireless network selection, using assistance information.
  • WLAN APs may be configured to provide pre-attachment information to mobiles.
  • pre-attachment information may comprise, for example, information that relates to a backhaul status and service accessibility via the AP.
  • a mobile device seeking to transfer a large file may select, based at least in part on the pre-attachment information, another AP for attaching.
  • FIGURE 3 illustrates an example apparatus capable of supporting at least some embodiments of the present invention
  • FIGURE 6 is a second flow graph illustrating a second method in accordance with at least some embodiments of the present invention.
  • the pre-association information may comprise a cryptographic signature.
  • the cryptographic signature may be produced using a key that the mobile device already knows, for example from a prior authentication process.
  • the cryptographic signature may be calculated, at least in part, over a nonce provided by the mobile device.
  • the cryptographic signature may be used not only to prove the identity of the sender; if it is also calculated over the content to be protected, for example over both the nonce and the network selection information, it additionally protects the message from tampering. Both scenarios are included here, each in the applicable embodiments.
  • EAP-RP (the EAP re-authentication protocol, ERP) is a variation of this: device 110 and authentication server 140 derive a new root key for EAP-RP use, rRK, from the EMSK.
  • the authenticator either assumes the ERP server role itself or provides the EAP-RP root key rRK to the ERP server. These roles are not distinguished below, and "authentication server" may mean either of them.
  • the authentication procedure is then carried out between device 110 and authentication server 140 using keys derived from the MSK, the EMSK or the rRK. Copies of the generated master keys may be stored in device 110 and in authentication server 140. Copies of the generated keys may be stored in device 110 and in base station 120 or AP 150 acting as authenticator.
  • device 110 may have means to indicate to the authenticator which keys are in use, and the authenticator or authentication server may have means to recognize this, so that the same keys are used at both endpoints.
  • AP 150 may provide to device 110 network selection information in the pre- association messaging.
  • Network selection information may comprise at least one of: information characterizing AP 150, its connectivity and/or the services accessible via AP 150; information about its neighbourhood; and an instruction to move to a cellular network instead.
  • network selection information may comprise information of a data bandwidth AP 150 has to a backbone network, characterizing a communication speed obtainable when communicating with the Internet via AP 150, for example.
  • device 110 may choose to use the network selection information received from AP 150 when selecting which AP or base station to attach to.
  • a maliciously behaving AP 150 may provide inaccurate network selection information intended to cause device 110 to associate with this AP, for example in order to eavesdrop on the communications of device 110.
  • the AP may also instruct the device to move to a cellular connection when there is no need for this. Device 110 therefore advantageously establishes some trust in AP 150 before acting on the pre-association network selection information it receives from AP 150.
  • Establishing trust may comprise verifying that AP 150 has the identity it claims, and/or that AP 150 has a secure association with an authentication server that device 110 is willing to trust.
  • Device 110 may assume that only reliable access points have access to the authentication servers that device 110 itself uses, since device 110 is securely associated with the access provider that manages these authentication servers.
  • authentication server 140 may be managed by an access provider with which device 110 has a secure relationship via a subscription, and device 110 may be willing to trust access points that the access provider trusts to the extent of granting them access to authentication server 140.
  • AP 150 may be configured to obtain a cryptographic signature such that the device nonce received in AP 150 from device 110 is comprised in the input to the cryptographic signature.
  • AP 150 may obtain the cryptographic signature by transmitting a request to authentication server 140, for example via connection 151, network 160 and connection 161.
  • the request may comprise the input to be signed, or it may request that the security key generated in connection with the authentication procedure be provided to AP 150.
  • authentication server 140 may provide the requested cryptographic signature or security key, depending on the embodiment.
  • AP 150 may also already possess the required security key itself, identified for example by a pairwise master key security association identifier, PMKSAID. AP 150 may then calculate the signature itself.
  • NFC transceiver 350 may support at least one near-field communication technology, such as NFC, Bluetooth, Wibree or similar technologies.
  • Processor 310 may be furnished with a transmitter arranged to output information from processor 310, via electrical leads internal to device 300, to other devices comprised in device 300.
  • a transmitter may comprise a serial bus transmitter arranged to, for example, output information via at least one electrical lead to memory 320 for storage therein.
  • the transmitter may comprise a parallel bus transmitter.
  • processor 310 may comprise a receiver arranged to receive information in processor 310, via electrical leads internal to device 300, from other devices comprised in device 300.
  • Such a receiver may comprise a serial bus receiver arranged to, for example, receive information via at least one electrical lead from receiver 340 for processing in processor 310.
  • the receiver may comprise a parallel bus receiver.
  • the request comprises the device nonce, and where phase 420 was present, also the network nonce and the cryptographic signature received from device 110.
  • the request of phase 440 may comprise the identifier of device 110 or the information enabling identification of the security key, to enable authentication server 140 to use a correct key when preparing a response to the request.
  • phase 480 AP 150 may provide to device 110 the cryptographic signature obtained using the security key and the device nonce.
  • phase 480, and consequently also phases 490 and 4100, are absent.
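The exchange described in the definitions above (device sends a nonce; the access point answers with network selection information and a signature computed under a key the device shares with the authentication server; the device verifies before letting the information influence network selection), as an added example that is not code from the patent or from Nokia. It assumes the "cryptographic signature" is an HMAC-SHA256 under a symmetric pairwise master key identified by a PMKID (the patent's PMKSAID), that the access point either holds that key itself or has the authentication server compute the tag, and it makes up the message layout, the label, the key material and the scenario names. It also runs the rogue-AP, in-transit tampering and replay cases that the text motivates, which the patent describes but does not itself work through.

```python
# Constructed model of the signed pre-association exchange (added example,
# not code from the patent or from Nokia; key handling and layout are assumed).
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# signer(pmkid, device_nonce, network_nonce, info) -> tag
Signer = Callable[[str, bytes, bytes, bytes], bytes]


def netsel_tag(key: bytes, device_nonce: bytes, network_nonce: bytes, info: bytes) -> bytes:
    """HMAC over both nonces and the network selection info: the device nonce
    ties the answer to this query (no replay); covering the info stops an
    on-path attacker from swapping in bait while the tag stays valid."""
    msg = b"\x00".join([b"netsel-v0", device_nonce, network_nonce, info])
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    """Access provider's server; reachable only by APs the provider trusts."""
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def sign(self, pmkid: str, device_nonce: bytes, network_nonce: bytes, info: bytes) -> bytes:
        return netsel_tag(self.keys[pmkid], device_nonce, network_nonce, info)


class AccessPoint:
    def __init__(self, info: bytes, signer: Optional[Signer]):
        self.info = info
        self.signer = signer  # None: rogue AP with neither the key nor server access

    def respond(self, probe: dict) -> dict:
        network_nonce = os.urandom(16)
        if self.signer is None:
            tag = os.urandom(32)  # a rogue AP can only guess the tag
        else:
            tag = self.signer(probe["pmkid"], probe["device_nonce"], network_nonce, self.info)
        return {"network_nonce": network_nonce, "info": self.info, "tag": tag}


class Device:
    def __init__(self, pmkid: str, key: bytes):
        self.pmkid, self.key = pmkid, key
        self.nonce = os.urandom(16)  # fresh per query, kept for verification

    def probe(self) -> dict:
        return {"pmkid": self.pmkid, "device_nonce": self.nonce}

    def accept_info(self, response: dict) -> Optional[bytes]:
        expected = netsel_tag(self.key, self.nonce, response["network_nonce"], response["info"])
        if not hmac.compare_digest(expected, response["tag"]):
            return None  # unverified: this AP gets no say in network selection
        return response["info"]


# Constructed key material shared by the device and the authentication server.
PMKID = "pmkid-constructed-01"
PMK = hashlib.sha256(b"constructed PMK from a prior EAP run").digest()
SERVER = AuthServer({PMKID: PMK})
GOOD_INFO = b"backhaul=100Mbps;services=internet"
BAIT_INFO = b"backhaul=1Gbps;move_to_cellular=0"


def local_key_signer(pmkid: str, dn: bytes, nn: bytes, info: bytes) -> bytes:
    """AP that already holds the key (cached PMKSA) and signs without the server."""
    return netsel_tag(PMK if pmkid == PMKID else b"", dn, nn, info)


def run(ap: AccessPoint, tamper: bool = False, replay: Optional[dict] = None) -> Optional[bytes]:
    dev = Device(PMKID, PMK)
    resp = replay if replay is not None else ap.respond(dev.probe())
    if tamper:
        resp = dict(resp, info=BAIT_INFO)  # on-path attacker edits only the info
    return dev.accept_info(resp)


def honest_ap_local_key() -> Optional[bytes]:
    return run(AccessPoint(GOOD_INFO, local_key_signer))

def honest_ap_via_server() -> Optional[bytes]:
    return run(AccessPoint(GOOD_INFO, SERVER.sign))

def rogue_ap() -> Optional[bytes]:
    return run(AccessPoint(BAIT_INFO, None))

def tampered_in_transit() -> Optional[bytes]:
    return run(AccessPoint(GOOD_INFO, SERVER.sign), tamper=True)

def replayed_response() -> Optional[bytes]:
    """A valid answer captured for one device is replayed to a second device."""
    captured = AccessPoint(GOOD_INFO, SERVER.sign).respond(Device(PMKID, PMK).probe())
    return run(AccessPoint(GOOD_INFO, None), replay=captured)
```

Two points worth noting. The tag is computed over the device nonce, the network nonce and the information itself, so a rogue access point that cannot reach the authentication server fails the check even if it copies a tag captured from a legitimate exchange (the second device's nonce differs), and an on-path attacker cannot swap in bait information under a valid tag. Of the two ways the patent lets the access point obtain the signature, having the server return only the tag keeps the key off the access point, whereas releasing the key to the access point (the PMKSAID path) lets that access point sign arbitrary future information for that device; which one to use is a trust-boundary decision for the access provider.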

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

One example aspect of the present invention relates to an apparatus comprising a memory configured to store a first nonce, and at least one processing core configured to cause transmission, to a wireless access point, of a first message containing the first nonce, to verify the correctness of a first cryptographic signature contained in a response to the first message, and to use information from the wireless access point in a network selection performed in response to the cryptographic signature having been verified and found correct.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2015/050434 WO2016203094A1 (fr) 2015-06-15 2015-06-15 Assisted network selection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2015/050434 WO2016203094A1 (fr) 2015-06-15 2015-06-15 Assisted network selection

Publications (1)

Publication Number Publication Date
WO2016203094A1 (fr) 2016-12-22

Family

ID=57545223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2015/050434 WO2016203094A1 (fr) Assisted network selection 2015-06-15 2015-06-15

Country Status (1)

Country Link
WO (1) WO2016203094A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007080490A1 (fr) * 2006-01-10 2007-07-19 Nokia Corporation Secure identification of roaming rights prior to authentication/association
US20090217043A1 (en) * 2008-02-26 2009-08-27 Motorola, Inc. Method and system for mutual authentication of nodes in a wireless communication network
WO2011134496A1 (fr) * 2010-04-27 2011-11-03 Nokia Siemens Networks Oy Updating network selection information
EP2424192A2 (fr) * 2010-08-24 2012-02-29 Cisco Technology, Inc. Pre-association mechanism to provide detailed description of wireless services
US20140033288A1 (en) * 2012-07-25 2014-01-30 Devicescape Software, Inc. Systems and Methods for Enhanced Engagement


Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 15895517; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: PCT application non-entry in European phase
    Ref document number: 15895517; Country of ref document: EP; Kind code of ref document: A1