WO2017188895A1 - Method and system for authentication with asymmetric key - Google Patents

Method and system for authentication with asymmetric key Download PDF

Info

Publication number
WO2017188895A1
WO2017188895A1 PCT/SG2017/050220 SG2017050220W WO2017188895A1 WO 2017188895 A1 WO2017188895 A1 WO 2017188895A1 SG 2017050220 W SG2017050220 W SG 2017050220W WO 2017188895 A1 WO2017188895 A1 WO 2017188895A1
Authority
WO
WIPO (PCT)
Prior art keywords
random number
authentication
core network
network entity
key
Prior art date
Application number
PCT/SG2017/050220
Other languages
French (fr)
Inventor
Haiguang Wang
Jie Shi
Xin KANG
Original Assignee
Huawei International Pte. Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei International Pte. Ltd. filed Critical Huawei International Pte. Ltd.
Publication of WO2017188895A1 publication Critical patent/WO2017188895A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys

Definitions

  • Embodiments of the invention further relate to authentication of user equipment with asymmetric key in USIM/eUICC as authentication credentials.
  • UE User Equipment
  • 4G networks To protect mobile devices and networks in the data communications from being eavesdropped or manipulated, in the 4G networks, mutual authentications are employed to ensure the mobile devices (normally known as User Equipment (UE)), and networks are genuine. To perform mutual authentication, both UEs and networks are required to keep some credentials that can prove the identity of each other.
  • UE User Equipment
  • the credentials are kept in servers named Home Subscriber Server (HSS); while at the UE side, the credentials are kept in an isolated device named Universal Subscriber Identity Module (USIM) card.
  • HSS Home Subscriber Server
  • USIM Universal Subscriber Identity Module
  • IMSI International Mobile Subscriber Identity
  • USIM card is a computing device. It is embedded in the USIM slot inside the
  • USIM and UE can exchange information via a special interface.
  • EPS-AKA Evolved Packet System-Authentication and Key Agreement.
  • UE With the EPS-AKA procedure, UE first sends an Attach Request to the Mobility Management Entity (MME) via the eNodeB. MME forwards the request to the HSS and HSS generates an authentication vector based on the credentials shared with UE. The authentication vectors are sent to MME and MME further sends authentication material to UE. UE authenticates the network and then sends an authentication code to MME. MME verifies the authentication code and authenticates the UE. After authentication, UE exchanges key material with MME and eNB to further generate session keys for control and data plane.
  • Figure 1 shows the authentication signalling exchanging procedure.
  • Figure 2 shows key architecture of the Long-Term Evolution (LTE) network.
  • LTE Long-Term Evolution
  • DH Diffie-Hellman
  • Alice and Bob who want to generate a session key, first agree on a finite cyclic group G and a generating element g in G.
  • Alice picks a random natural number A and sends g A to Bob.
  • Bob picks a random natural number B and sends g B to Alice.
  • Alice computes (g B ) A and Bob computes (g A ) B .
  • Figure 3 shows an example procedure of the Diffie-Hellman key exchange.
  • CN 101969638 B provides a method for protecting international mobile subscriber identity (IMSI) in mobile communication.
  • IMSI international mobile subscriber identity
  • CN 102664725 provides a security certificate method of a femtocell base station and a femtocell wireless communication system. CN 102664725 proposes a use of public key to authenticate the network. The method is valid for authentication.
  • embodiments of the invention disclose storage of a pair of asymmetric keys at User Equipment (UE) and core network entity separately, and a mechanism based on the asymmetric keys to authenticate UE and core network entity, and also generate session keys.
  • UE User Equipment
  • a method for authentication and key generation in a cellular network comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on the decrypted first random number; and transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
  • UE user equipment
  • a first possible implementation manner of the first aspect further comprising: receiving a first message authentication code (MAC) from the UE; generating a second MAC based at least on the decrypted first random number; authenticating the UE successfully when the first MAC and the second MAC meet a preset conditioner example, the first MAC and the second MAC are equal).
  • MAC message authentication code
  • generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a symmetric key which is shared between the core network entity and the UE.
  • generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a hash function which is shared between the core network entity and the UE.
  • the first to the third possible implementation manner of the first aspect in a fourth possible implementation manner of the first aspect, further comprising: generating one of a third MAC and a signature based at least on the decrypted first random number; transmitting, from the core network entity to the UE, the one of the generated third MAC or the signature.
  • a fifth possible implementation manner of the first aspect wherein decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity is performed at a Home Subscriber Server (HSS) of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at the HSS, the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value
  • a sixth possible implementation manner of the first aspect wherein decrypting the encrypted first random number with a private key which is retrieved from the core network entity is performed at a management entity of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at a Home Subscriber Server (HSS), the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network AUTN and an XRES; wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network entity, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity; and authenticating the UE successfully when the response value (RES) and expected
  • a seventh possible implementation manner of the first aspect further comprising: receiving a signature from the UE; verifying the received signature based on a public key which is retrieved from the core network entity and associated with the UE identity; encrypting at least a second random number generated at the core network by using a public key which is retrieved from the core network entity based on the UE identity, upon the received signature is verified successfully,; and signing at least the second random number by using a private key which is associated with the core network entity and retrieved therefrom; and transmting the encrypted second random number and the signed second random number to the UE.
  • generating an authentication vector based at least on the decrypted first random number comprises: generating a first key (KRND-CN) based on the decrypted first random number; generating a first Diffie-Hellman public key (g x ); generating a first message authentication code (MAC) based at least on the first Diffie-Hellman public key (g x ) by using the first key(K RND -cN),; the method further comprising: receiving a second Diffie-Hellman public key (g y ) and a MAC from the UE; authenticating the UE based at least on the first MAC and the second MAC.
  • KRND-CN first key
  • g x a first Diffie-Hellman public key
  • MAC message authentication code
  • a ninth possible implementation manner of the first aspect further comprising : generating a session key based on the first key (K RND -CN) and the second Diffie-Hellman public key (g y ).
  • a method for authentication and key generation in a cellular network comprising:
  • a user equipment UE
  • a first random number a public key which is retrieved from a UE and associated with a UE identity
  • transmitting at least the UE identity and the encrypted first random number to a core network entity
  • receiving a first authentication data from the core network entity
  • authenticating the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
  • authenticating the core network by verifying the first authentication data comprises: verifying one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmitting the authentication result to the core network entity.
  • MAC message authentication code
  • authenticating the core network entity by verifying the first authentication data comprises: generating a second authentication data based at least on a second random number included in the first authentication data; and authenticating the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal).
  • AUTN authentication token
  • AUTN second authentication token
  • generating a second authentication data based at least on a second random number included in the first authentication data comprises: generating the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
  • HSS Home Subscriber Server
  • the first to the third possible implementation manner of the second aspect in the fourth possible implementation manner of the second aspect, further comprising: generating a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; transmitting the message authentication code (MAC) to the core network entity.
  • MAC message authentication code
  • the method further comprises: further comprising: generating a first signature based at least on a first secret key retrieved from the UE; transmitting the first signature to the core network entity; receiving a second signature and an encrypted second random number from the core network entity; wherein authenticating the core network by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique, comprises: decrypting the encrypted second random number by using a secret key; verifying the second signature by using the public key; and generating a session key based on the first random number and the decrypted second random number.
  • a sixth possible implementation manner of the second aspect further comprising: receiving a first message authentication code (MAC); wherein authenticating the core network entity by verifying the first authentication data comprises: generating a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticating the core network entity successfully when the first MAC and the second MAC are equal.
  • MAC message authentication code
  • a system for authentication and key generation in a cellular network comprising:
  • a random number generation unit configured to: generate, at a user equipment (UE), a first random number; an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE, wherein the public key is based on a UE identity associated with the UE; a transmitting unit configured to: transmit at least the UE identity and the encrypted first random number to a core network entity; a receiving unit configured to: receive a first authentication data from the core network entity; and an authentication unit configured to: authenticate the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
  • UE user equipment
  • the authentication unit is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
  • MAC message authentication code
  • the authentication unit is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and authenticate the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal).
  • AUTN authentication token
  • AUTN authentication token
  • the authentication unit is further configured to: generate the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
  • HSS Home Subscriber Server
  • the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
  • MAC message authentication code
  • the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a hash function shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
  • MAC message authentication code
  • the encryption-decryption unit is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; wherein the transmitting unit is configured to: transmit the first signature to the core network entity; wherein the receiving unit is further configured to: receive a second signature and an encrypted second random number from the core network entity; wherein the encryption-decryption unit is further configured to: decrypt the encrypted second random number by using the secret key; wherein the authentication unit is further configured to: verify the second signature by using the public key; and the system further comprises: a key generation unit configured to: generate a session key based on the first random number and the decrypted second random number.
  • the receiving unit is further configured to: receive a first message authentication code (MAC); wherein the authentication unit is further configured to: generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticate the core network entity successfully when the first MAC and the second MAC are equal.
  • MAC message authentication code
  • a method for authentication and key generation in a cellular network comprising:
  • a first core network entity receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmitting the authentication vector to a second core network entity.
  • UE user equipment
  • generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises: transmitting at least the network authentication token (AUTN) and the expected result value (XRES).
  • AUTN network authentication token
  • XRES expected result value
  • a system for authentication and key generation in a cellular network comprises:
  • a communication unit provided at a first core network entity and configured to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; an authentication vector generation unit provided at the first core network entity and configured to: generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to: transmit the authentication vector to a second core network entity.
  • UE user equipment
  • the communication unit is further configured to: receive the decrypted first random number; wherein the authentication vector generation unit is further configured to: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein the communication unit is further configured to: transmit at least the network authentication token (AUTN) and the expected result value (XRES).
  • AUTN network authentication token
  • XRES expected result value
  • the system of claim 30, further comprising: a decryption unit provided at the first core network entity and configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the first core network entity based on the UE identity.
  • a decryption unit provided at the first core network entity and configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the first core network entity based on the UE identity.
  • the first core network entity includes Home Subscriber Server (HSS).
  • HSS Home Subscriber Server
  • UE user equipment
  • HSS Home Subscriber Server
  • generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises:transmitting at least the network authentication token (AUTN) and the expected result value (XRES).
  • AUTN network authentication token
  • XRES expected result value
  • the method before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, the method further comprising:decrypting the encrypted first random number with a private key which is retrieved from the first core network entity based on the UE identity, by using at least asymmetric key technique.
  • a system for authentication and key generation in a cellular network comprising: a communication unit provided at a first core network entity and configured to receive at least a user equipment (UE) identity and decrypted first random number from the second core network entity ;an authentication vector generation unit provided at the first core network entity and configured to generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to transmit the authentication vector to a second core network entity, wherein the communication unit is further configured to receive the decrypted first random number; wherein the authentication vector generation unit is further configured to generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES);
  • AUTN
  • a method for authentication and key generation in a cellular network comprising: at a second core network entity: receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the second core network entity based on the UE identity; transmitting an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receiving an authentication vector from the first core network entity; and transmitting the authentication vector to the UE.
  • UE user equipment
  • the authentication vector at least includes expected result value (XRES); receiving from the UE a response value (RES); and authenticating the UE successfully when the response value (RES) and expected result value (XRES) are equal; wherein the first core network entity includes Home Subscriber Server (HSS) and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
  • HSS Home Subscriber Server
  • MME Mobility Management Entity
  • AAA Authentication, Authorization and Accounting
  • a system for authentication and key generation in a cellular network comprising: a communication unit provided at a second core network entity and configured to receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; a decryption unit provided at the second core network entity and configured to use at least asymmetric key techniques, decrypt the encrypted first random number with a private key which is retrieved from the second core network entity based on the UE identity; wherein the communication unit is further configured to transmit an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number receive an authentication vector from the first core network entity; and transmit the authentication vector to the UE.
  • UE user equipment
  • the authentication vector at least includes expected result value (XRES); the communication unit is configured to:receive from the UE a response value (RES); and anthentication unit is configured to : authenticate the UE successfully when the response value (RES) and expected result value (XRES) are equal;
  • the first core network entity includes Home Subscriber Server (HSS)
  • the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
  • MME Mobility Management Entity
  • AAA Authentication, Authorization and Accounting
  • a method for authentication and key generation in a cellular network comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on one of the decrypted first random number; and a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
  • UE user equipment
  • the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network authentication token (AUTN) and the expected result value (XRES); and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity of the core network; and authenticating the UE successfully when the response value (RES) and expected result value (XRES) meet a preset condition( for example, the RES and XRES are equal).
  • RES response value
  • a user equipment comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: generate, at a user equipment (UE), a first random number; encrypt the first random number with a public key retrieved from the UE, wherein the public key is based on a UE identity associated with the UE; transmit at least the UE identity and the encrypted first random number to a core network entity; receive a first authentication data from the core network entity; and authenticate the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
  • UE user equipment
  • the processor is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
  • MAC message authentication code
  • the processor is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and authenticate the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal).
  • the processor is further configured to: generate the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
  • HSS Home Subscriber Server
  • the processor is further configured to: generate a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; transmit the message authentication code (MAC) to the core network entity.
  • MAC message authentication code
  • the processor is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; transmit the first signature to the core network entity; receive a second signature and an encrypted second random number from the core network entity; decrypt the encrypted second random number by using the secret key; verify the second signature by using the public key; and generate a session key based on the first random number and the decrypted second random number.
  • the processor is further configured to: receive a first message authentication code (MAC); generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticate the core network entity successfully when the first MAC and the second MAC are equal.
  • MAC message authentication code
  • MAC second message authentication code
  • a first core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmit the authentication vector to a second core network entity.
  • UE user equipment
  • the processor is further configured to: receive the decrypted first random number from the second core network entity; generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); transmit at least the network authentication token (AUTN) and the expected result value (XRES).
  • AUTN network authentication token
  • XRES expected result value
  • the processor is further configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key technique, wherein the private key is retrieved from the first core network entity based on the UE identity.
  • the first core network entity includes Home Subscriber Server (HSS).
  • HSS Home Subscriber Server
  • a first core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and decrypted first random number from the second core network entity; generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmit the authentication vector to a second core network entity.
  • UE user equipment
  • the processor is further configured to: wherein generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES);wherein transmit the authentication vector to a second core network entity comprises: transmit at least the network authentication token (AUTN) and the expected result value (XRES).
  • AUTN network authentication token
  • XRES expected result value
  • a second core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the second core network entity based on the UE identity; transmit an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receive an authentication vector from the first core network entity; and transmit the authentication vector to the UE.
  • UE user equipment
  • the first core network entity includes Home Subscriber Server (HSS) and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
  • HSS Home Subscriber Server
  • MME Mobility Management Entity
  • AAA Authentication, Authorization and Accounting
  • a method for authentication and key generation in a cellular network comprising:
  • HSS Home Subscriber Server
  • UE user equipment
  • a method for authentication and key generation in a cellular network comprising:
  • HSS Home Subscriber Server
  • UE user equipment
  • MME Mobility Management Entity
  • FIG. 1 shows an existing authentication signaling exchanging procedure
  • Figure 2 shows key architecture of the Long-Term Evolution (LTE) network
  • Figure 3 shows a Diffie-Hellman procedure
  • Figure 4 is a flow chart illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys according to one embodiment of the invention
  • Figure 5 is a flow chart illustrating a method for mutual authentication between
  • Figure 6 is a flow chart illustrating a method for mutual authentication between
  • Figure 7 is a flow chart illustrating a method for mutual authentication between
  • Figure 8 is a flow chart illustrating an alternative method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention
  • Figure 9 is a flow chart illustrating a method for mutual authentication between UE and CN using two pairs of asymmetric keys according to one embodiment
  • Figure 10 is a flow chart illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys and Diffie-Hellman procedure according to one embodiment
  • Figure 1 1 shows a network architecture of 3G/4G network system where embodiments of the invention may be applied.
  • Figure 12 is a schematic system representation showing functional modules for supporting embodiments of the invention. Detailed Description
  • authentication vector is comprised of a plurality of components or parameters that provide temporary authentication data that enables authentication of a core network entity and/or a UE.
  • authentication vector (AV) components include, but are not limited to, random number (RND), network authentication token (AUTN), expected response value (XRES), master key (KASME)-
  • An authentication vector may include a plurality of components which are selected from the above-mentioned component examples and may include other suitable components.
  • the phrase "authentication data" refers to any of the listed AV components and/or other suitable components.
  • Embodiments of the invention provide methods to alleviate threats resulting of exposure of credentials in the USIM card. Asymmetric key techniques are used in mutual authentication between UE and CN to prevent Man-in-the-Middle attack.
  • Figure 4 is a flow chart 400 illustrating a method for mutual authentication between a user equipment (UE) and a core network (CN) using a pair of asymmetric keys according to one embodiment of the invention.
  • UE user equipment
  • CN core network
  • UE and CN jointly own a pair of asymmetric keys, i.e. public key PKx and private key SKx.
  • PKx is stored in the USIM card of a UE and may be referred to as UE-public key.
  • the USIM card may be either a normal USIM card or an eUICC.
  • SKx is stored at the CN and may be referred to as CN-private key.
  • Each UE may own multiple unique pairs of keys.
  • UE attempts to access the network and activates mutual authentication procedure with CN.
  • UE generates a random number RNDUE, i.e. a UE-derived random parameter, and a first message authentication code MACUE, i.e. first UE-derived MAC (optional).
  • the first MACUE may be generated with the RNDUE and a sequence number SQN (optional) as inputs to a predefined hash function.
  • UE further encrypts RNDUE, MACUE, and SQN with the UE-public key PKx.
  • SQN and MACUE are optional; one or both of them may be omitted from encryption and subsequent steps.
  • the MACUE can be generated with a hash function known to both UE and core network entity, for example, SHA256.
  • UE transmits a first message to CN.
  • the first message includes an identity of the UE, i.e. UE identity, the UE-encrypted RNDUE, first MACUE and SQN which are generated in block 401 .
  • UE identity may be IMSI, GUTI or other suitable parameters.
  • CN receives the first message and commences authentication of UE.
  • a core network entity e.g. HSS/ Authentication, Authorization and Accounting (AAA)/controller, retrieves the private key SKx based on the UE identity provided in the first message.
  • the private key SKx may be stored at the network entity.
  • the network entity decodes or decrypts the RNDUE, SQN and MACUE-
  • the network entity generates a first MACCN, i.e. first CN-derived MAC, with the decrypted RNDUE and SQN as inputs.
  • the MACCN can be generated with a hash function known to both UE and core network entity, for example, SHA256.
  • the network entity compares the first MACCN which is generated by the network entity with the first MACCN which is contained in the first message. If the first MACCN and the first MACUE are equal, i.e. have same values, CN successfully authenticates UE.
  • the network entity After authenticating the UE, the network entity generates a second message for UE to authenticate the CN.
  • the second message contains parameters for key generation and a second MACCN, i.e. second CN-derived MAC, or a signature.
  • the second MACCN or signature is generated based at least on the decrypted RNDUE as input.
  • SKx is used when signature is generated.
  • the network entity of CN may also generate a random number RND C N i.e. a CN-derived random parameter, and include it in both the parameters list and also in the second MACCN or signature generation.
  • the network entity of CN e.g. MME/AAA/controller, transmits the second message to UE for authentication of CN.
  • UE After receiving the second message from CN, UE extracts parameters from the second message, and verifies the MAC or signature contained in the message. PKx of the UE is used when a signature is contained in the second message. If the verification succeeds, CN is successfully authenticated. Otherwise, authentication of CN fails.
  • UE transmits a third message to CN.
  • the third message can contain either notification of success/failure of the authentication or a code for CN to authenticate UE.
  • CN authenticates UE based on the code from block 406 if this authentication had not been performed in block 403.
  • Figure 5 is a flow chart 500 illustrating a method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys according to one embodiment of the invention.
  • UE before transmitting an Attach Request to a Management Entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with UE-public key PKx.
  • a Management Entity such as MME or AAA server or other network entity with similar functionalities
  • UE transmits an Attach Request to a Management Entity such as MME, AAA server or other network entity with similar functionalities.
  • the Attach Request includes UE identity, the encrypted RNDUE and possibly other parameters such as SON and a first MACUE generated based on RNDUE-
  • the first MACUE can be generated with a hash function known to both UE and core network entity, for example, SHA256.
  • Management Entity after Management Entity receives the Attach Request, it further generates a message, for example, an Authentication Data Request message as specified in the 3GPP specification, with the UE identity and encrypted RNDUE extracted from the Attach Request, and transmits the Authentication Data Request, to HSS.
  • a message for example, an Authentication Data Request message as specified in the 3GPP specification, with the UE identity and encrypted RNDUE extracted from the Attach Request, and transmits the Authentication Data Request, to HSS.
  • HSS retrieves or locates the CN-private key SKx based on either the UE identity such as IMSI, GUTI, or other identity information.
  • HSS decrypts the Authentication Data Request to obtain a decrypted RNDUE- HSS may verify the validity of the RNDUE based on the received MAC if a MAC is contained in the message.
  • HSS generates a first MACCN, i.e. first CN-derived MAC, with the decrypted RNDUE and SQN as inputs.
  • the first MACCN can be generated with a hash function known to both UE and core network entity, for example, SHA256.
  • HSS generates CN-derived random number RNDCN, and uses RND C N, RNDUE or a value derived from RNDUE, together with any SQN (optional), SNJD (optional) as inputs to a Key Derive Function, for example, EPS-AKA algorithm defined in the LTE specification, to generate authentication vectors.
  • Each Authentication Vector (AV) includes RND C N, HSS-derived network authentication token AUTNHSS, expected result value XRES, and key K
  • HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
  • the Management Entity After receiving the generated AV, the Management Entity generates and transmits an Authentication Request to be sent to UE, which contains RNDCN and AUTNHSS-
  • UE extracts RNDCN and AUTN Hss from the Authentication Request message received from network.
  • USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting RNDCN, RND ue , SN ID and SQN to the LTE AKA Algorithm.
  • UE compares the AUTNUE with AUTNHSS- If AUTNUE and AUTNHSS are equal, UE successfully authenticates CN. Otherwise, authentication of CN fails.
  • UE transmits a response code RES based on the authentication result in block 508 to the Management Entity such as MME, AAA, controller other network entity with similar functionality.
  • Management Entity such as MME, AAA, controller other network entity with similar functionality.
  • the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
  • FIG. 6 is a flow chart 600 illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys together with a symmetric key.
  • a pair of symmetric keys KUE is shared by UE and HSS, e.g. stored in the USIM card of the UE and in HSS. KUE is unique to each UE.
  • UE and CN share a pair of asymmetric keys, where PKx is stored in the USIM/eUICC of UE and also referred to as UE-public key, and SKx is stored in HSS and also referred to as CN-private key.
  • the pair of PKx and SKx may be shared by many UEs.
  • UE generates a random number RNDUE, encrypts the RNDUE and SQN (optional) with the UE-public key PKx, and generates a first MACUE with KUE, UE identity, RNDUE, and SQN as input.
  • SQN may be optional for encryption and MAC calculation.
  • UE sends a first message to CN.
  • the first message includes an identity of the UE, i.e. UE identity, the UE-encrypted RNDUE and SQN, and first MACUE-
  • a network entity at the CN decrypts the message with CN-private key SKx and extracts RNDUE and any SQN.
  • the network entity calculates a first MACCN based on KUE and the decrypted RNDUE, SQN and UE identity and compares the first MACCN with first MACUE received at the CN. If the first MAC C N and first MACUE are equal , UE is successfully authenticated. Otherwise, authentication of UE fails.
  • the network entity generates authentication vectors.
  • Each authentication vector includes RND C N, AUTN C N and other parameters.
  • the generation of authentication vectors is based on RNDUE, RND C N, KUE, SQN and other parameters in consideration.
  • CN transmits a second message which includes RNDCN, and AUTNCN.
  • UE extracts the RND C N, and AUTNCN.
  • UE generates AUTNUE- The generation of AUTNUE takes RNDUE, RND C N, KUE, SQN and other parameters in consideration. If the generated AUTNUE and the received AUTN C N are equal, the CN is successfully authenticated. Otherwise, authentication of CN fails.
  • UE when MACUE is not included in the first message, UE sends a third message containing RES code to the CN to authenticate UE.
  • FIG. 7 is a flow chart 700 illustrating a method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention.
  • the symmetric key is shared by HSS and UE.
  • UE before transmitting an Attach Request to a network entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with the UE-public key.
  • the UE transmits an Attach Request which includes UE identity and RNDUE which is encrypted by the PKx.
  • the Attach Request includes the encrypted RNDUE and other parameters.
  • the Management Entity After the Management Entity receives the Attach Request, it generates another message, for example, an Authentication Data Request message, with the UE identity and encrypted RNDUE extracted from the Attach Request and transmits the Authentication Data Request to HSS.
  • another message for example, an Authentication Data Request message, with the UE identity and encrypted RNDUE extracted from the Attach Request and transmits the Authentication Data Request to HSS.
  • HSS retrieves or locates the CN-private key SKx based on the UE identity in the Authentication Data Request and decrypts the Authentication Data Request to obtain a decrypted RNDUE- HSS generates CN-derived RND C N, and further generates a new number based on both RNDCN and decrypted RNDUE, for example, generating the new random number by performing an Exclusive-or function (XOR) on RNDCN and RNDUE, together with K UE , SQN, SN ID as inputs to EPS-AKA algorithm defined in the LTE specification to generate authentication vectors.
  • Each authentication vector includes RNDCN, HSS-derived AUTNHSS, XRES, and KASME-
  • HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
  • the Management Entity After receiving the generated AV, the Management Entity generates and transmits an Authentication Request to UE, which contains RNDCN and AUTNHSS-
  • UE extracts RND C N and AUTN Hss from the Authentication Request message received from network.
  • USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting K UE , RNDCN, RND ue , SN ID and SQN to the LTE AKA Algorithm.
  • RNDCN and RNDUE are used to generate a new number as an input for EPS-AKA algorithm.
  • the random number can be RNDUE XOR RND C N-
  • UE compares the AUTNUE with AUTNHSS- If AUTNUE and AUTNHSS are equal, CN is successfully authenticated.
  • UE transmits a response code RES based on the authentication result in block 708 to the Management Entity.
  • the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
  • Figure 8 is a flow chart 800 illustrating another method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention.
  • the symmetric key is shared by Management Entity and UE.
  • UE before transmitting an Attach Request to a management entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with the UE-public key.
  • a management entity such as MME or AAA server or other network entity with similar functionalities
  • the UE transmits to Management Entity an Attach Request which includes UE identity and RNDUE encrypted by the PKx.
  • the Attach Request includes the encrypted RNDUE and other parameters.
  • UE may encrypt UE identity and RNDUE with the PKx.
  • Management Entity retrieves or locates the CN-private key SKx based on the UE identity in the Attach Request and decrypts the Attach Request to obtain a decrypted RNDUE.
  • Management Entity decrypts both the UE identity and RNDUE included in the received Attach Request.
  • the Management Entity generates an Authentication Data Request message with the UE identity and decrypted RNDUE and transmits the Authentication Data Request to HSS.
  • HSS extracts RNDUE from the Authentication Data Request.
  • HSS generates CN-derived RNDCN, and further derives a new random number based on both RNDCN and RNDUE, for example, generating the new random number by performing an Exclusive-or function (XOR) on RND C N and RNDUE, together with KUE, SQN, SN ID as inputs to EPS-AKA algorithm defined in the LTE specification to generate authentication vectors.
  • Each authentication vector includes RND C N, HSS- derived AUTNHSS, XRES, and KASME-
  • HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
  • the Management Entity After receiving the generated AV, the Management Entity generates and transmits an Authentication Request to UE, which contains RNDCN and AUTNHSS-
  • UE extracts RND C N and AUTN Hss from the Authentication Request message received from network.
  • USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting K UE , RND CN , RND UE , SN ID and SQN to the LTE AKA Algorithm.
  • RNDCN and RNDUE are used to generate a new random number as an input for EPS-AKA algorithm.
  • the new random number can be RNDUE XOR RND C N-
  • UE compares the AUTNUE with AUTNHSS- If AUTNUE and
  • AUTNHSS are equal, UE successfully authenticates CN. Otherwise, authentication of the CN fails.
  • UE transmits a response code RES based on the authentication result in block 809 to the Management Entity.
  • the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
  • FIG. 9 is a flow chart 900 illustrating a method for mutual authentication between UE and CN using two pairs of asymmetric keys according to one embodiment.
  • UE is assigned a pair of asymmetric keys, i.e. UE-public key PKUE and UE-private key SKUE, which are different from other UEs.
  • CN is assigned a pair of asymmetric keys, i.e. CN-public key PKCN and CN-private key SKCN-
  • the CN has two choices: the CN may be assigned a pair of asymmetric keys that apply to all UEs, or the CN may be assigned different pairs of asymmetric keys for different UEs.
  • the UICC card of UE stores CN-public key PKCN and UE-private key SKUE; while a network entity in CN such as MME or HSS stores the UE-public key PKUE and CN- private key SKCN-
  • UE before sending a first message from UE to CN, UE generates a random number RNDUE- UE encrypts the RNDUE and SQ ⁇ (optional) using CN- public key PKCN, and generates a signature by signing UE identity, RNDUE, and SQ ⁇ using UE-private key SKUE- SQ ⁇ may be optional in encryption and signature generation.
  • UE transmits a first message to CN.
  • the first message includes UE identity, the UE-encrypted RNDUE and SQN ; and UE-generated signature.
  • CN decrypts the first message using CN-private key SK C N and extracts RNDUE and any SQN!.
  • CN also verifies the signature in the first message by using PKUE which is stored at CN and retrieved therefrom based on the UE identity. If the signature is correct, UE is successfully authenticated.
  • CN generates a random number RNDCN, encrypts RNDCN and any SQN 2 using the UE-public key PK UE , and signs the RNDUE, RND C N and SQN 2 using CN-private key SK C N- CN may generate session keys based on the RND C N and RNDUE-
  • CN transmits a second message to UE.
  • the second message includes CN-generated signature, and the CN-encrypted RND C N and SQN1 .
  • UE decrypts the second message using UE-private key PKUE to extract RNDCN and any SQN 2 .
  • UE verifies the received signature. If the signature is correct, CN is successfully authenticated.
  • UE transmits or returns a confirmation information to CN.
  • FIG 10 is a flow chart illustrating a method for mutual authentication between UE and CN and embedding Diffie-Hellman procedure in the authentication.
  • UE and CN share a pair of asymmetric keys, where PKx is stored in the USIM/eUICC of UE and also referred to as UE-public key, and SKx is stored in core network entity or HSS and also referred to as CN-private key.
  • the pair of PKx and SKx can be unique to the UE.
  • UE generates a random number RNDUE ⁇
  • UE encrypts the RNDUE and a sequence number SON (optional).
  • UE uses PKx to generate a first MACUE based on RNDUE and SON (optional). UE also generates a key KRND-UE based on RNDUE- One embodiment is to input RNDUE to a KDF function to derive the key K RND .
  • UE sends a first message to the core network entity.
  • the first message includes UE identity and the encrypted RNDUE, SON and the first MACUE-
  • the CN first retrieves or locates a private key SK X based on the UE identity received in the first message and then decrypts the RNDUE, SON and first MACUE with the private key SK X .
  • CN authenticates the UE based on the decrypted RNDUE, SON and first MACUE, or validates the received RNDUE with MAC and SON.
  • CN After authenticating the UE, CN generates a key K RND -CN based on the decrypted RNDUE-CN further generates a Diffie-Hellman public key g x , where x is a random number.
  • CN encrypts SON by KRND-CN, and generates a first MACCN which is based on SON and g x and using K RN D-CN-
  • CN sends a second message to the UE, which includes the encrypted SON, g x , and the first MACCN generated in block 1 003.
  • UE decrypts the SON with KRND-UE which was generated with RNDUE at the UE side in block 1 001 , and calculates a second MACUE based on both SON and g x as inputs. If the second MACUE generated by UE and the first MACCN received in the second message are equal, CN is successfully authenticated. Otherwise, authentication of CN fails.
  • UE In block 1 006, UE generates a Diffie-Hellman public key, g y , where y is a random number, and sends a third message to CN.
  • the third message includes SON', encrypted by KRND-UE, a third MACUE which is generated with SON and g y using KRND-UE, and g y .
  • SON and g y are encrypted using KRND-UE-
  • CN may further authenticate UE based on the received third
  • MACUE and the first MACCN, and generate a session key based on K RN D-CN and Diffie-Hellman public key, g y .
  • FIG. 1 1 shows network architecture of 3G/4G network system.
  • Figure 12 is a schematic system representation showing functional modules for supporting the above-described methods.
  • UE is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication data generation unit, authentication unit, communication unit.
  • E-UTRAN is provided with key generation unit.
  • Management Entity is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication unit, communication unit.
  • HSS is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication vector generation unit, authentication unit, communication unit.
  • Each of the UE, Management Entity and HSS are provided with transmitting unit and receiving unit which comprise the communication unit. It is to be appreciated that the UE/Management Entity/HSS may be provided with some or all of the respectively-listed units depending on requirements. It is to be appreciated that each listed unit may be incorporated with another listed unit.
  • a system for authentication and key generation comprising: a receiving unit configured to: receive, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by the UE; a decryption unit configured to: using at least asymmetric key techniques, decrypt the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; an authentication vector generating unit configured to: generate an authentication vector based at least on the decrypted first random number; and a transmitting unit configured to: transmit the authentication vector which is destined for the UE for authentication of the core network entity.
  • UE user equipment
  • the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication vector generation unit is further configured to: generate a second message authentication code (MAC) based at least on the decrypted random number; wherein the system further comprising an authentication unit configured to: successfully authenticate the UE if the first MAC and the second MAC are equal.
  • the transmitting unit is further configured to: generate one of a third message authentication code (MAC) and a signature based at least on the decrypted random number; and transmit the one of the second MAC and the signature.
  • MAC message authentication code
  • the authentication vector generation unit is further configured to: generate the second message authentication code (MAC) further based on a symmetric key which is shared by the core network entity and the UE.
  • MAC second message authentication code
  • the decryption unit is provided at a Home Subscriber Server (HSS); the system further comprises: a random number generation unit configured to: generate, at the HSS, a second random number; the authentication vector generation unit is further configured to: generate, at the HSS, the authentication vector further based on the first random number received from UE and the second random number generated, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); the transmitting unit is further configured to: transmit, to a management entity, at least the network authentication token (AUTN) and the expected result value (XRES); and wherein the system further comprises: an authentication unit configured to: at the management entity, receive from the UE a response value (RES), and successfully authenticate the UE if the response value (RES) and expected result value (XRES) are equal.
  • HSS Home Subscriber Server
  • the authentication vector generating unit is further configured to: generate, at a Home Subscriber Server (HSS), the authentication vector further based on a symmetric key which is shared by the HSS and the UE.
  • HSS Home Subscriber Server
  • the decryption unit is provided at a management entity; the system further comprises: a random number generation unit configured to: generate, at the HSS, a second random number; the authentication vector generation unit is further configured to: generate, at a Home Subscriber Server (HSS), the authentication vector further based on the second random number and a symmetric key which is shared by the HSS and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); the transmitting unit is further configured to: transmit, to a management entity, at least the network authentication token (AUTN) and the expected result value (XRES); and the system further comprises: an authentication unit configured to: at the management entity, receive from the UE a response value (RES), and successfully authenticating the UE if the response value (RES) and expected result value (XRES) are equal.
  • a random number generation unit configured to: generate, at the HSS, a second random number
  • the authentication vector generation unit is further configured to: generate, at a Home Subscriber Server (HS
  • the receiving unit is further configured to: receive a signature; the system further comprises: a random number generation unit configured to: generate a second random number; the authentication vector generation unit is further configured to: using a public key which is retrieved from the core network entity based on the UE identity, encrypt at least the second random number; and using a private key which is associated with the core network entity and retrieved therefrom, sign at least the second random number; and the system further comprises: an authentication unit further configured to: verify the received signature.
  • the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication vector generation unit is further configured to: generate a first key (KRND-CN) based on the decrypted first random number; generate a first Diffie-Hellman public key (g x ); using the first key(K RND -cN), generate a second message authentication code (MAC) based at least on the first Diffie-Hellman public key (g x ); the transmitting unit is further configured to: transmit at least the second message authentication code; the system further comprises: a Diffie-Hellman procedure unit configured to: receive a second Diffie-Hellman public key (g y ); generate a second key based on the Diffie-Hellman public key (g y ).
  • MAC message authentication code
  • the Diffie-Hellman procedure unit is further configured to: generate a session key based on the first key and the second key.
  • a system for authentication and key generation in a cellular network comprising: a random number generation unit configured to: generate, at a user equipment (UE), a first random number; an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE; a transmitting unit configured to: transmit at least a UE identity and the encrypted first random number to a core network entity; a receiving unit configured to: receive a first authentication data from the core network entity; and an authentication unit configured to: using at least one of symmetric key and asymmetric key techniques, authenticate the core network entity by verifying the first authentication data.
  • a random number generation unit configured to: generate, at a user equipment (UE), a first random number
  • an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE
  • a transmitting unit configured
  • the authentication unit is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
  • MAC message authentication code
  • the authentication unit is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and successfully authenticate the core network entity if a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data are equal.
  • AUTN first authentication token
  • AUTN second authentication token
  • the system further comprises: an authentication data generation unit configured to:
  • the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
  • MAC message authentication code
  • the system further comprises: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a hash function shared by the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
  • MAC message authentication code
  • the authentication unit is further configured to: generate the second authentication data further based on a symmetric key shared by the UE and a Home Subscriber Server (HSS) in the core network entity.
  • HSS Home Subscriber Server
  • the encryption-decryption unit is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; the transmitting unit is configured to: transmit the first signature; the receiving unit is further configured to: receive a second signature and an encrypted second random number; the
  • encryption-decryption unit is further configured to: using the secret key, decrypt the encrypted second random number; the authentication unit is further configured to: using the public key, verify the second signature; and the system further comprises: a key generation unit configured to: generate a session key based on the first random number and the decrypted second random number.
  • the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication unit is further configured to: generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and successfully authenticate the core network entity if the first MAC and the second MAC are equal.
  • MAC message authentication code
  • MAC second message authentication code

Abstract

Embodiments of the invention relate to authentication of user equipment and core network with at least an asymmetric key in USIM/eUICC as authentication credentials to prevent man-in-the-middle attacks. Embodiments of the invention further relate to use of asymmetric key in combination with any of a symmetric key,another pair of asymmetric keys and Diffie-Hellman (DH) procedure in authentication and/or key generation procedure.

Description

METHOD AND SYSTEM FOR AUTHENTICATION WITH ASYMMETRIC KEY Technical Field
Embodiments of the invention further relate to authentication of user equipment with asymmetric key in USIM/eUICC as authentication credentials.
Background
To protect mobile devices and networks in the data communications from being eavesdropped or manipulated, in the 4G networks, mutual authentications are employed to ensure the mobile devices (normally known as User Equipment (UE)), and networks are genuine. To perform mutual authentication, both UEs and networks are required to keep some credentials that can prove the identity of each other.
In the 3G/4G networks, symmetric key technology is used for authentication and key generation. With such a technology, at the network side, the credentials are kept in servers named Home Subscriber Server (HSS); while at the UE side, the credentials are kept in an isolated device named Universal Subscriber Identity Module (USIM) card. For a given International Mobile Subscriber Identity (IMSI), the credentials kept in the corresponding USIM and HSS are the same.
USIM card is a computing device. It is embedded in the USIM slot inside the
UE devices. USIM and UE can exchange information via a special interface.
With the 3G/4G network, when UE wants to access network and transmits data, it has to attach to a network first. Authentication is performed during the attachment and authentication procedure, also known as EPS-AKA. EPS-AKA stands for Evolved Packet System-Authentication and Key Agreement.
With the EPS-AKA procedure, UE first sends an Attach Request to the Mobility Management Entity (MME) via the eNodeB. MME forwards the request to the HSS and HSS generates an authentication vector based on the credentials shared with UE. The authentication vectors are sent to MME and MME further sends authentication material to UE. UE authenticates the network and then sends an authentication code to MME. MME verifies the authentication code and authenticates the UE. After authentication, UE exchanges key material with MME and eNB to further generate session keys for control and data plane. Figure 1 shows the authentication signalling exchanging procedure. Figure 2 shows key architecture of the Long-Term Evolution (LTE) network.
All the keys are derived based on the root key kept in USIM and HSS, and also the parameters exchanged between UE and core network. Keys are not transmitted in the air interface. It has been proven that the session keys generated for control and data plane with aforementioned procedure are secure provided that the root keys are not disclosed. However, recent news reported that hacking of certain servers led to theft of root keys for SIM cards. If roots key for SIM card have been stolen, this implies that the credentials in the USIM may have been disclosed. Disclosure of the USIM card credentials to attackers results in serious security risks. With the current authentication and key generation mechanism, once credentials in the SIM card is exposed to attackers, attackers can derive the user's session key by eavesdropping to the attachment and authentication signaling exchanges between UE and network.
Another technical trend is that mobile industry needs a more flexible design to support update or change of the credentials kept in the USIM. These credentials may be exposed to third parties and increases the security risks.
To overcome the security issue caused by USIM card credentials exposing to third party or being accidentally stolen, one way is to enhance the session generation with stronger forward secrecy technology, for example, the Diffie-Hellman (DH) procedure. With the DH procedure, two parties, Alice and Bob, who want to generate a session key, first agree on a finite cyclic group G and a generating element g in G. Alice picks a random natural number A and sends gA to Bob. Bob picks a random natural number B and sends gB to Alice. Alice computes (gB)A and Bob computes (gA)B. The value K = (gB)A = (gA)B can be used as a key for encryption. It can also be used as a base for key derivation. Figure 3 shows an example procedure of the Diffie-Hellman key exchange.
Although the Diffie-Hellman procedure can prevent user data from being eavesdropping, it cannot prevent the attackers from playing the Man-ln-the-Middle attack. Another way that can protect user from being eavesdropped and at the same time can also prevent Man-ln-the-Middle attack is to use public key technology. CN 101969638 B provides a method for protecting international mobile subscriber identity (IMSI) in mobile communication. By protecting IMSI with the public key in the Attach Request transmission as proposed in CN 101969638 B, it increases the difficulty for the attackers to break the session key of the relative user even if the credentials in the SIM card are disclosed. The reason is that without knowing the IMSI, the attackers do not know which credentials can be used to break the session key. However, protection is insufficient since the attacker can do an offline dictionary attack and break the session key. Because the number of users of an operator is limited, usually vary between a few hundred thousand to a few hundred millions, it is not difficult for an attacker to break the session key, especially when the number of users belonging to one operator is not high. Therefore, protecting the IMSI with public key cannot prevent breaking of the session key using dictionary attack.
CN 102664725 provides a security certificate method of a femtocell base station and a femtocell wireless communication system. CN 102664725 proposes a use of public key to authenticate the network. The method is valid for authentication.
However, method for network to authenticate the UE with the public key is not provided. Therefore, the solution is not complete for cellular networks. Also, method of generating session key after authentication is not provided.
In view of the possible security threats resulting from loss of USIM card credentials, improved methods and systems to address the above and other issues are highly desirable.
Summary Instead of keeping a symmetric key at both UE and core network entity, embodiments of the invention disclose storage of a pair of asymmetric keys at User Equipment (UE) and core network entity separately, and a mechanism based on the asymmetric keys to authenticate UE and core network entity, and also generate session keys.
According to a first aspect of the invention, a method for authentication and key generation in a cellular network is provided, wherein the method comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on the decrypted first random number; and transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
With reference to the first aspect, in a first possible implementation manner of the first aspect, further comprising: receiving a first message authentication code (MAC) from the UE; generating a second MAC based at least on the decrypted first random number; authenticating the UE successfully when the first MAC and the second MAC meet a preset conditioner example, the first MAC and the second MAC are equal).
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, wherein generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a symmetric key which is shared between the core network entity and the UE. With reference to the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, wherein generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a hash function which is shared between the core network entity and the UE.
With reference to any one of the first aspect, the first to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, further comprising: generating one of a third MAC and a signature based at least on the decrypted first random number; transmitting, from the core network entity to the UE, the one of the generated third MAC or the signature.
With reference to the first possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, wherein decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity is performed at a Home Subscriber Server (HSS) of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at the HSS, the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity of the core network; and authenticating the UE successfully when the RES and XRES meet a preset conditioner example, the RES and XRES meet a preset condition).
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, wherein decrypting the encrypted first random number with a private key which is retrieved from the core network entity is performed at a management entity of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at a Home Subscriber Server (HSS), the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network AUTN and an XRES; wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network entity, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity; and authenticating the UE successfully when the response value (RES) and expected result value (XRES) are equal. With reference to the first aspect, in a seventh possible implementation manner of the first aspect, further comprising: receiving a signature from the UE; verifying the received signature based on a public key which is retrieved from the core network entity and associated with the UE identity; encrypting at least a second random number generated at the core network by using a public key which is retrieved from the core network entity based on the UE identity, upon the received signature is verified successfully,; and signing at least the second random number by using a private key which is associated with the core network entity and retrieved therefrom; and transmting the encrypted second random number and the signed second random number to the UE.
With reference to the first aspect, in an eighth possible implementation manner of the first aspect, wherein generating an authentication vector based at least on the decrypted first random number comprises: generating a first key (KRND-CN) based on the decrypted first random number; generating a first Diffie-Hellman public key (gx); generating a first message authentication code (MAC) based at least on the first Diffie-Hellman public key (gx) by using the first key(KRND-cN),; the method further comprising: receiving a second Diffie-Hellman public key (gy) and a MAC from the UE; authenticating the UE based at least on the first MAC and the second MAC.
With reference to the first aspect, in a ninth possible implementation manner of the first aspect, further comprising : generating a session key based on the first key (KRND-CN) and the second Diffie-Hellman public key (gy).
According to a second aspect of the invention, a method for authentication and key generation in a cellular network is provided, the method comprising:
generating, at a user equipment (UE), a first random number and encrypting the first random number with a public key which is retrieved from a UE and associated with a UE identity; transmitting at least the UE identity and the encrypted first random number to a core network entity; receiving a first authentication data from the core network entity; and authenticating the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
With reference to the second aspect, in a first possible implementation manner of the second aspect, wherein authenticating the core network by verifying the first authentication data comprises: verifying one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmitting the authentication result to the core network entity. With reference to the second aspect, in a second possible implementation manner of the second aspect, wherein authenticating the core network entity by verifying the first authentication data comprises: generating a second authentication data based at least on a second random number included in the first authentication data; and authenticating the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal).
With reference to the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, wherein generating a second authentication data based at least on a second random number included in the first authentication data comprises: generating the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
With reference to any one of the second aspect, the first to the third possible implementation manner of the second aspect, in the fourth possible implementation manner of the second aspect, further comprising: generating a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; transmitting the message authentication code (MAC) to the core network entity.
With reference to the second aspect, in a fifth possible implementation manner of the second aspect, the method further comprises: further comprising: generating a first signature based at least on a first secret key retrieved from the UE; transmitting the first signature to the core network entity; receiving a second signature and an encrypted second random number from the core network entity; wherein authenticating the core network by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique, comprises: decrypting the encrypted second random number by using a secret key; verifying the second signature by using the public key; and generating a session key based on the first random number and the decrypted second random number.
With reference to the second aspect, in a sixth possible implementation manner of the second aspect, further comprising: receiving a first message authentication code (MAC); wherein authenticating the core network entity by verifying the first authentication data comprises: generating a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticating the core network entity successfully when the first MAC and the second MAC are equal.
According to a third aspect of the invention, a system for authentication and key generation in a cellular network is provided, the system comprising:
a random number generation unit configured to: generate, at a user equipment (UE), a first random number; an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE, wherein the public key is based on a UE identity associated with the UE; a transmitting unit configured to: transmit at least the UE identity and the encrypted first random number to a core network entity; a receiving unit configured to: receive a first authentication data from the core network entity; and an authentication unit configured to: authenticate the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
With reference to the third aspect, in a first possible implementation manner of the third aspect, wherein the authentication unit is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
With reference to the third aspect, in a second possible implementation manner of the third aspect, wherein the authentication unit is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and authenticate the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal).
With reference to the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, wherein the authentication unit is further configured to: generate the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity. With reference to any one of the third aspect, the first to the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
With reference to the first possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a hash function shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
With reference to the third aspect, in a sixth possible implementation manner of the third aspect, wherein the encryption-decryption unit is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; wherein the transmitting unit is configured to: transmit the first signature to the core network entity; wherein the receiving unit is further configured to: receive a second signature and an encrypted second random number from the core network entity; wherein the encryption-decryption unit is further configured to: decrypt the encrypted second random number by using the secret key; wherein the authentication unit is further configured to: verify the second signature by using the public key; and the system further comprises: a key generation unit configured to: generate a session key based on the first random number and the decrypted second random number. With reference to the third aspect, in a seventh possible implementation manner of the third aspect, wherein the receiving unit is further configured to: receive a first message authentication code (MAC); wherein the authentication unit is further configured to: generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticate the core network entity successfully when the first MAC and the second MAC are equal.
According to a fourth aspect of the invention, a method for authentication and key generation in a cellular network is provided, comprising:
at a first core network entity: receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmitting the authentication vector to a second core network entity.
With reference to the fourth aspect, in a first possible implementation manner of the third aspect, wherein generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises: transmitting at least the network authentication token (AUTN) and the expected result value (XRES).
With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, wherein before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, the method further comprising: decrypting the encrypted first random number with a private key by using at least asymmetric key technique, wherein the private key is retrieved from the first core network entity based on the UE identity. With reference to the second possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, wherein the first core network entity includes Home Subscriber Server (HSS). According to a fifth aspect of the invention, a system for authentication and key generation in a cellular network is provided, the system comprises:
a communication unit provided at a first core network entity and configured to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; an authentication vector generation unit provided at the first core network entity and configured to: generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to: transmit the authentication vector to a second core network entity.
With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect, wherein the communication unit is further configured to: receive the decrypted first random number; wherein the authentication vector generation unit is further configured to: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein the communication unit is further configured to: transmit at least the network authentication token (AUTN) and the expected result value (XRES). With reference to the fifth aspect, in a second possible implementation manner of the fifth aspect, The system of claim 30, further comprising: a decryption unit provided at the first core network entity and configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the first core network entity based on the UE identity.
With reference to the second possible implementation manner of the fifth aspect, in a third possible implementation manner of the fifth aspect, wherein the first core network entity includes Home Subscriber Server (HSS).
In anther apsect, A method for authentication and key generation in a cellular network, at a first core network entity,the method comprising:
receiving at least a user equipment (UE) identity and decrypted first random number from the second core network entity;generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; andtransmitting the authentication vector to a second core network entity, wherein the first core network entity includes Home Subscriber Server (HSS). wherein generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises:transmitting at least the network authentication token (AUTN) and the expected result value (XRES). wherein before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, the method further comprising:decrypting the encrypted first random number with a private key which is retrieved from the first core network entity based on the UE identity, by using at least asymmetric key technique. Correspondingly, a system for authentication and key generation in a cellular network, comprising: a communication unit provided at a first core network entity and configured to receive at least a user equipment (UE) identity and decrypted first random number from the second core network entity ;an authentication vector generation unit provided at the first core network entity and configured to generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to transmit the authentication vector to a second core network entity, wherein the communication unit is further configured to receive the decrypted first random number; wherein the authentication vector generation unit is further configured to generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein the communication unit is further configured to transmit at least the network authentication token (AUTN) and the expected result value (XRES).
According to a sixth aspect of the invention, a method for authentication and key generation in a cellular network is provided, comprising: at a second core network entity: receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the second core network entity based on the UE identity; transmitting an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receiving an authentication vector from the first core network entity; and transmitting the authentication vector to the UE.
With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect, wherein the authentication vector at least includes expected result value (XRES); receiving from the UE a response value (RES); and authenticating the UE successfully when the response value (RES) and expected result value (XRES) are equal; wherein the first core network entity includes Home Subscriber Server (HSS) and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
According to a seventh aspect of the invention, a system for authentication and key generation in a cellular network is provided, wherein the system comprises: a communication unit provided at a second core network entity and configured to receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; a decryption unit provided at the second core network entity and configured to use at least asymmetric key techniques, decrypt the encrypted first random number with a private key which is retrieved from the second core network entity based on the UE identity; wherein the communication unit is further configured to transmit an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number receive an authentication vector from the first core network entity; and transmit the authentication vector to the UE.
With reference to the seventh aspect, in a first possible implementation manner of the seventh aspect, wherein the authentication vector at least includes expected result value (XRES); the communication unit is configured to:receive from the UE a response value (RES); and anthentication unit is configured to : authenticate the UE successfully when the response value (RES) and expected result value (XRES) are equal;wherein the first core network entity includes Home Subscriber Server (HSS), and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
In another apsect, a method for authentication and key generation in a cellular network, comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on one of the decrypted first random number; and a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES);wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network authentication token (AUTN) and the expected result value (XRES); and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity of the core network; and authenticating the UE successfully when the response value (RES) and expected result value (XRES) meet a preset condition( for example, the RES and XRES are equal). According to an eighth aspect of the invention, a user equipment comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: generate, at a user equipment (UE), a first random number; encrypt the first random number with a public key retrieved from the UE, wherein the public key is based on a UE identity associated with the UE; transmit at least the UE identity and the encrypted first random number to a core network entity; receive a first authentication data from the core network entity; and authenticate the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
With reference to the eighth aspect, in a first possible implementation manner of the eighth aspect, the processor is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
With reference to the eighth aspect, in a second possible implementation manner of the eighth aspect, the processor is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and authenticate the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset conditioner example, the first AUTN and the second AUTN are equal). With reference to the second possible implementation manner of the eighth aspect, in a third possible implementation manner of the eighth aspect, the processor is further configured to: generate the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
With reference to any one of the eighth aspect, the first to the third possible implementation manner of the eighth aspect, in a fourth possible implementation manner of the eighth aspect, the processor is further configured to: generate a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; transmit the message authentication code (MAC) to the core network entity.
With reference to the eighth aspect, in a fifth possible implementation manner of the eighth aspect, the processor is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; transmit the first signature to the core network entity; receive a second signature and an encrypted second random number from the core network entity; decrypt the encrypted second random number by using the secret key; verify the second signature by using the public key; and generate a session key based on the first random number and the decrypted second random number.
With reference to the eighth aspect, in a sixth possible implementation manner of the eighth aspect, the processor is further configured to: receive a first message authentication code (MAC); generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticate the core network entity successfully when the first MAC and the second MAC are equal.
According to a ninth aspect of the invention, a first core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmit the authentication vector to a second core network entity. With reference to the ninth aspect, in a first possible implementation manner of the ninth aspect, the processor is further configured to: receive the decrypted first random number from the second core network entity; generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); transmit at least the network authentication token (AUTN) and the expected result value (XRES). With reference to the ninth aspect, in a second possible implementation manner of the ninth aspect, the processor is further configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key technique, wherein the private key is retrieved from the first core network entity based on the UE identity.
With reference to any one of the ninth aspect, in a third possible implementation manner of the ninth aspect, the first core network entity includes Home Subscriber Server (HSS).
In another aspect of the invention, a first core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and decrypted first random number from the second core network entity; generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmit the authentication vector to a second core network entity. the processor is further configured to: wherein generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES);wherein transmit the authentication vector to a second core network entity comprises: transmit at least the network authentication token (AUTN) and the expected result value (XRES). the processor is further configured to: decrypt the encrypted first random number with a private key which is retrieved from the first core network entity based on the UE identity, by using at least asymmetric key technique, wherein the first core network entity includes Home Subscriber Server (HSS). According to a tenth aspect of the invention, a second core network entity comprises a processor; and a storage medium communicably coupled thereto and storing instructions which are executable by the processor to cause the processor to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the second core network entity based on the UE identity; transmit an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receive an authentication vector from the first core network entity; and transmit the authentication vector to the UE.
With reference to the tenth aspect, in a first possible implementation manner of the tenth aspect, the first core network entity includes Home Subscriber Server (HSS) and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server. In another aspect, a method for authentication and key generation in a cellular network, comprising:
receiving, at a Home Subscriber Server (HSS), at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, at the HSS, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating, at the HSS, an authentication vector based at least on the decrypted first random number; and transmitting, at the HSS, the authentication vector which is destined for the UE for authentication of the core network entity.
In another aspect, a method for authentication and key generation in a cellular network, comprising:
receiving, at a Home Subscriber Server (HSS), at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, at the HSS, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating, at the HSS, an authentication vector based at least on the decrypted first random number; and transmitting, at the HSS, the authentication vector to a Mobility Management Entity (MME); transmitting, at the MME, the authentication vector which is destined for the
UE for authentication of the core network entity. Brief Description of the Drawings
Embodiments of the invention are disclosed hereinafter with reference to the drawings, in which:
Figure 1 shows an existing authentication signaling exchanging procedure; Figure 2 shows key architecture of the Long-Term Evolution (LTE) network;
Figure 3 shows a Diffie-Hellman procedure;
Figure 4 is a flow chart illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys according to one embodiment of the invention; Figure 5 is a flow chart illustrating a method for mutual authentication between
UE and CN in LTE network or its evolved version using a pair of asymmetric keys according to one embodiment of the invention;
Figure 6 is a flow chart illustrating a method for mutual authentication between
UE and CN using a pair of asymmetric keys together with a symmetric key;
Figure 7 is a flow chart illustrating a method for mutual authentication between
UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention;
Figure 8 is a flow chart illustrating an alternative method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention;
Figure 9 is a flow chart illustrating a method for mutual authentication between UE and CN using two pairs of asymmetric keys according to one embodiment;
Figure 10 is a flow chart illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys and Diffie-Hellman procedure according to one embodiment;
Figure 1 1 shows a network architecture of 3G/4G network system where embodiments of the invention may be applied; and
Figure 12 is a schematic system representation showing functional modules for supporting embodiments of the invention. Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of various illustrative embodiments of the invention. It will be understood, however, to one skilled in the art, that embodiments of the invention may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure pertinent aspects of embodiments being described. In the drawings, like reference numerals refer to same or similar functionalities or features throughout the several views.
As used in the description and claims, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common element, merely indicate that different instances of like elements are being referred to, and are not intended to imply that the elements so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner. In this disclosure, the phrase "authentication vector" is comprised of a plurality of components or parameters that provide temporary authentication data that enables authentication of a core network entity and/or a UE. Examples of authentication vector (AV) components include, but are not limited to, random number (RND), network authentication token (AUTN), expected response value (XRES), master key (KASME)- An authentication vector may include a plurality of components which are selected from the above-mentioned component examples and may include other suitable components. The phrase "authentication data" refers to any of the listed AV components and/or other suitable components. Embodiments of the invention provide methods to alleviate threats resulting of exposure of credentials in the USIM card. Asymmetric key techniques are used in mutual authentication between UE and CN to prevent Man-in-the-Middle attack.
Figure 4 is a flow chart 400 illustrating a method for mutual authentication between a user equipment (UE) and a core network (CN) using a pair of asymmetric keys according to one embodiment of the invention.
UE and CN jointly own a pair of asymmetric keys, i.e. public key PKx and private key SKx. PKx is stored in the USIM card of a UE and may be referred to as UE-public key. The USIM card may be either a normal USIM card or an eUICC. SKx is stored at the CN and may be referred to as CN-private key. Each UE may own multiple unique pairs of keys.
In block 401 , UE attempts to access the network and activates mutual authentication procedure with CN. UE generates a random number RNDUE, i.e. a UE-derived random parameter, and a first message authentication code MACUE, i.e. first UE-derived MAC (optional). The first MACUE may be generated with the RNDUE and a sequence number SQN (optional) as inputs to a predefined hash function. UE further encrypts RNDUE, MACUE, and SQN with the UE-public key PKx. SQN and MACUE are optional; one or both of them may be omitted from encryption and subsequent steps. The MACUE can be generated with a hash function known to both UE and core network entity, for example, SHA256.
In block 402, UE transmits a first message to CN. The first message includes an identity of the UE, i.e. UE identity, the UE-encrypted RNDUE, first MACUE and SQN which are generated in block 401 . UE identity may be IMSI, GUTI or other suitable parameters.
In block 403, CN receives the first message and commences authentication of UE. Particularly, a core network entity, e.g. HSS/ Authentication, Authorization and Accounting (AAA)/controller, retrieves the private key SKx based on the UE identity provided in the first message. The private key SKx may be stored at the network entity. The network entity decodes or decrypts the RNDUE, SQN and MACUE- The network entity generates a first MACCN, i.e. first CN-derived MAC, with the decrypted RNDUE and SQN as inputs. The MACCN can be generated with a hash function known to both UE and core network entity, for example, SHA256.
The network entity compares the first MACCN which is generated by the network entity with the first MACCN which is contained in the first message. If the first MACCN and the first MACUE are equal, i.e. have same values, CN successfully authenticates UE.
In block 403, after authenticating the UE, the network entity generates a second message for UE to authenticate the CN. The second message contains parameters for key generation and a second MACCN, i.e. second CN-derived MAC, or a signature. The second MACCN or signature is generated based at least on the decrypted RNDUE as input. SKx is used when signature is generated. The network entity of CN may also generate a random number RNDCN i.e. a CN-derived random parameter, and include it in both the parameters list and also in the second MACCN or signature generation.
In block 404, the network entity of CN, e.g. MME/AAA/controller, transmits the second message to UE for authentication of CN.
In block 405, after receiving the second message from CN, UE extracts parameters from the second message, and verifies the MAC or signature contained in the message. PKx of the UE is used when a signature is contained in the second message. If the verification succeeds, CN is successfully authenticated. Otherwise, authentication of CN fails.
In block 406, based on the authentication result of block 405, UE transmits a third message to CN. The third message can contain either notification of success/failure of the authentication or a code for CN to authenticate UE.
In block 407, CN authenticates UE based on the code from block 406 if this authentication had not been performed in block 403.
Figure 5 is a flow chart 500 illustrating a method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys according to one embodiment of the invention.
In block 501 , before transmitting an Attach Request to a Management Entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with UE-public key PKx.
In block 502, UE transmits an Attach Request to a Management Entity such as MME, AAA server or other network entity with similar functionalities. The Attach Request includes UE identity, the encrypted RNDUE and possibly other parameters such as SON and a first MACUE generated based on RNDUE- The first MACUE can be generated with a hash function known to both UE and core network entity, for example, SHA256.
In block 503, after Management Entity receives the Attach Request, it further generates a message, for example, an Authentication Data Request message as specified in the 3GPP specification, with the UE identity and encrypted RNDUE extracted from the Attach Request, and transmits the Authentication Data Request, to HSS.
In block 504, after receiving the message from the Management Entity, HSS retrieves or locates the CN-private key SKx based on either the UE identity such as IMSI, GUTI, or other identity information. HSS decrypts the Authentication Data Request to obtain a decrypted RNDUE- HSS may verify the validity of the RNDUE based on the received MAC if a MAC is contained in the message. HSS generates a first MACCN, i.e. first CN-derived MAC, with the decrypted RNDUE and SQN as inputs. The first MACCN can be generated with a hash function known to both UE and core network entity, for example, SHA256. HSS generates CN-derived random number RNDCN, and uses RNDCN, RNDUE or a value derived from RNDUE, together with any SQN (optional), SNJD (optional) as inputs to a Key Derive Function, for example, EPS-AKA algorithm defined in the LTE specification, to generate authentication vectors. Each Authentication Vector (AV) includes RNDCN, HSS-derived network authentication token AUTNHSS, expected result value XRES, and key KASME- In block 505, HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
In block 506, after receiving the generated AV, the Management Entity generates and transmits an Authentication Request to be sent to UE, which contains RNDCN and AUTNHSS- In block 507, after receiving the Authentication Request, UE extracts RNDCN and AUTN Hss from the Authentication Request message received from network. USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting RNDCN, RNDue, SN ID and SQN to the LTE AKA Algorithm. UE compares the AUTNUE with AUTNHSS- If AUTNUE and AUTNHSS are equal, UE successfully authenticates CN. Otherwise, authentication of CN fails.
In block 508, UE transmits a response code RES based on the authentication result in block 508 to the Management Entity such as MME, AAA, controller other network entity with similar functionality.
In block 509, the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
Figure 6 is a flow chart 600 illustrating a method for mutual authentication between UE and CN using a pair of asymmetric keys together with a symmetric key. A pair of symmetric keys KUE is shared by UE and HSS, e.g. stored in the USIM card of the UE and in HSS. KUE is unique to each UE. At the same time, UE and CN share a pair of asymmetric keys, where PKx is stored in the USIM/eUICC of UE and also referred to as UE-public key, and SKx is stored in HSS and also referred to as CN-private key. The pair of PKx and SKx may be shared by many UEs.
In block 601 , UE generates a random number RNDUE, encrypts the RNDUE and SQN (optional) with the UE-public key PKx, and generates a first MACUE with KUE, UE identity, RNDUE, and SQN as input. SQN may be optional for encryption and MAC calculation.
In block 602, UE sends a first message to CN. The first message includes an identity of the UE, i.e. UE identity, the UE-encrypted RNDUE and SQN, and first MACUE-
In block 603, after receiving first message, a network entity at the CN, e.g. MME or HSS, decrypts the message with CN-private key SKx and extracts RNDUE and any SQN. The network entity calculates a first MACCN based on KUE and the decrypted RNDUE, SQN and UE identity and compares the first MACCN with first MACUE received at the CN. If the first MACCN and first MACUE are equal , UE is successfully authenticated. Otherwise, authentication of UE fails.
In block 603, the network entity generates authentication vectors. Each authentication vector includes RNDCN, AUTNCN and other parameters. The generation of authentication vectors is based on RNDUE, RNDCN, KUE, SQN and other parameters in consideration.
In block 604, CN transmits a second message which includes RNDCN, and AUTNCN.
In block 605, after receiving the second message, UE extracts the RNDCN, and AUTNCN. UE generates AUTNUE- The generation of AUTNUE takes RNDUE, RNDCN, KUE, SQN and other parameters in consideration. If the generated AUTNUE and the received AUTNCN are equal, the CN is successfully authenticated. Otherwise, authentication of CN fails.
In block 606, when MACUE is not included in the first message, UE sends a third message containing RES code to the CN to authenticate UE.
In block 607, CN authenticates UE with RES code received. Figure 7 is a flow chart 700 illustrating a method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention. The symmetric key is shared by HSS and UE.
In block 701 , before transmitting an Attach Request to a network entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with the UE-public key.
In block 702, the UE transmits an Attach Request which includes UE identity and RNDUE which is encrypted by the PKx. The Attach Request includes the encrypted RNDUE and other parameters.
In block 703, after the Management Entity receives the Attach Request, it generates another message, for example, an Authentication Data Request message, with the UE identity and encrypted RNDUE extracted from the Attach Request and transmits the Authentication Data Request to HSS.
In block 704, HSS retrieves or locates the CN-private key SKx based on the UE identity in the Authentication Data Request and decrypts the Authentication Data Request to obtain a decrypted RNDUE- HSS generates CN-derived RNDCN, and further generates a new number based on both RNDCN and decrypted RNDUE, for example, generating the new random number by performing an Exclusive-or function (XOR) on RNDCN and RNDUE, together with KUE, SQN, SN ID as inputs to EPS-AKA algorithm defined in the LTE specification to generate authentication vectors. Each authentication vector includes RNDCN, HSS-derived AUTNHSS, XRES, and KASME- In block 705, HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
In block 706, after receiving the generated AV, the Management Entity generates and transmits an Authentication Request to UE, which contains RNDCN and AUTNHSS- In block 707, after receiving the Authentication Request, UE extracts RNDCN and AUTN Hss from the Authentication Request message received from network. USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting KUE, RNDCN, RNDue, SN ID and SQN to the LTE AKA Algorithm. RNDCN and RNDUE are used to generate a new number as an input for EPS-AKA algorithm. For example, the random number can be RNDUE XOR RNDCN-
In block 708, UE compares the AUTNUE with AUTNHSS- If AUTNUE and AUTNHSS are equal, CN is successfully authenticated.
In block 709, UE transmits a response code RES based on the authentication result in block 708 to the Management Entity.
In block 710, the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
Figure 8 is a flow chart 800 illustrating another method for mutual authentication between UE and CN in LTE network or its evolved version using a pair of asymmetric keys together with a symmetric key according to one embodiment of the invention. The symmetric key is shared by Management Entity and UE.
In block 801 , before transmitting an Attach Request to a management entity such as MME or AAA server or other network entity with similar functionalities, UE generates a random number RNDUE and encrypts RNDUE with the UE-public key.
In block 802, the UE transmits to Management Entity an Attach Request which includes UE identity and RNDUE encrypted by the PKx. The Attach Request includes the encrypted RNDUE and other parameters. In another embodiment, UE may encrypt UE identity and RNDUE with the PKx.
In block 803, after the Management Entity receives the Attach Request, it retrieves or locates the CN-private key SKx based on the UE identity in the Attach Request and decrypts the Attach Request to obtain a decrypted RNDUE. In another embodiment, Management Entity decrypts both the UE identity and RNDUE included in the received Attach Request.
In block 804, the Management Entity generates an Authentication Data Request message with the UE identity and decrypted RNDUE and transmits the Authentication Data Request to HSS.
In block 805, HSS extracts RNDUE from the Authentication Data Request. HSS generates CN-derived RNDCN, and further derives a new random number based on both RNDCN and RNDUE, for example, generating the new random number by performing an Exclusive-or function (XOR) on RNDCN and RNDUE, together with KUE, SQN, SN ID as inputs to EPS-AKA algorithm defined in the LTE specification to generate authentication vectors. Each authentication vector includes RNDCN, HSS- derived AUTNHSS, XRES, and KASME-
In block 806, HSS transmits an Authentication Data Response message with the generated AV to the Management Entity.
In block 807, after receiving the generated AV, the Management Entity generates and transmits an Authentication Request to UE, which contains RNDCN and AUTNHSS-
In block 808, after receiving the Authentication Request, UE extracts RNDCN and AUTN Hss from the Authentication Request message received from network. USIM/eUICC in the UE generates UE-derived network authentication token AUTNUE by inputting KUE, RNDCN, RNDUE, SN ID and SQN to the LTE AKA Algorithm. RNDCN and RNDUE are used to generate a new random number as an input for EPS-AKA algorithm. For example, the new random number can be RNDUE XOR RNDCN- In block 809, UE compares the AUTNUE with AUTNHSS- If AUTNUE and
AUTNHSS are equal, UE successfully authenticates CN. Otherwise, authentication of the CN fails.
In block 810, UE transmits a response code RES based on the authentication result in block 809 to the Management Entity.
In block 81 1 , the Management Entity compares the RES with XRES. If RES and XRES values are equal, UE is successfully authenticated. Otherwise, authentication of UE fails.
Figure 9 is a flow chart 900 illustrating a method for mutual authentication between UE and CN using two pairs of asymmetric keys according to one embodiment. UE is assigned a pair of asymmetric keys, i.e. UE-public key PKUE and UE-private key SKUE, which are different from other UEs. CN is assigned a pair of asymmetric keys, i.e. CN-public key PKCN and CN-private key SKCN- The CN has two choices: the CN may be assigned a pair of asymmetric keys that apply to all UEs, or the CN may be assigned different pairs of asymmetric keys for different UEs. The UICC card of UE stores CN-public key PKCN and UE-private key SKUE; while a network entity in CN such as MME or HSS stores the UE-public key PKUE and CN- private key SKCN- In block 901 , before sending a first message from UE to CN, UE generates a random number RNDUE- UE encrypts the RNDUE and SQ^ (optional) using CN- public key PKCN, and generates a signature by signing UE identity, RNDUE, and SQ^ using UE-private key SKUE- SQ^ may be optional in encryption and signature generation.
In block 902, UE transmits a first message to CN. The first message includes UE identity, the UE-encrypted RNDUE and SQN ; and UE-generated signature.
In block 903, after receiving the first message, CN decrypts the first message using CN-private key SKCN and extracts RNDUE and any SQN!. CN also verifies the signature in the first message by using PKUE which is stored at CN and retrieved therefrom based on the UE identity. If the signature is correct, UE is successfully authenticated. CN generates a random number RNDCN, encrypts RNDCN and any SQN2 using the UE-public key PKUE, and signs the RNDUE, RNDCN and SQN2 using CN-private key SKCN- CN may generate session keys based on the RNDCN and RNDUE-
In block 904, CN transmits a second message to UE. The second message includes CN-generated signature, and the CN-encrypted RNDCN and SQN1 .
In block 905, after receiving the second message, UE decrypts the second message using UE-private key PKUE to extract RNDCN and any SQN2. UE verifies the received signature. If the signature is correct, CN is successfully authenticated.
Otherwise, authentication of CN fails.
In block 906, UE transmits or returns a confirmation information to CN.
Figure 10 is a flow chart illustrating a method for mutual authentication between UE and CN and embedding Diffie-Hellman procedure in the authentication. UE and CN share a pair of asymmetric keys, where PKx is stored in the USIM/eUICC of UE and also referred to as UE-public key, and SKx is stored in core network entity or HSS and also referred to as CN-private key. The pair of PKx and SKx can be unique to the UE. In block 1001 , UE generates a random number RNDUE■ Using PKx, UE encrypts the RNDUE and a sequence number SON (optional). Using PKx, UE generates a first MACUE based on RNDUE and SON (optional). UE also generates a key KRND-UE based on RNDUE- One embodiment is to input RNDUE to a KDF function to derive the key KRND.
In block 1 002, UE sends a first message to the core network entity. The first message includes UE identity and the encrypted RNDUE, SON and the first MACUE- In block 1 003, after receiving the first message from UE, the CN first retrieves or locates a private key SKX based on the UE identity received in the first message and then decrypts the RNDUE, SON and first MACUE with the private key SKX. CN authenticates the UE based on the decrypted RNDUE, SON and first MACUE, or validates the received RNDUE with MAC and SON. After authenticating the UE, CN generates a key KRND-CN based on the decrypted RNDUE-CN further generates a Diffie-Hellman public key gx, where x is a random number.
CN encrypts SON by KRND-CN, and generates a first MACCN which is based on SON and gx and using KRND-CN-
In block 1 004, CN sends a second message to the UE, which includes the encrypted SON, gx, and the first MACCN generated in block 1 003.
In block 1 005, after receiving the second message, UE decrypts the SON with KRND-UE which was generated with RNDUE at the UE side in block 1 001 , and calculates a second MACUE based on both SON and gx as inputs. If the second MACUE generated by UE and the first MACCN received in the second message are equal, CN is successfully authenticated. Otherwise, authentication of CN fails.
In block 1 006, UE generates a Diffie-Hellman public key, gy, where y is a random number, and sends a third message to CN. The third message includes SON', encrypted by KRND-UE, a third MACUE which is generated with SON and gy using KRND-UE, and gy. SON and gy are encrypted using KRND-UE- In block 1 007, CN may further authenticate UE based on the received third
MACUE and the first MACCN, and generate a session key based on KRND-CN and Diffie-Hellman public key, gy.
The above-described methods for mutual authentication of CN and UE may be implemented in a system specified by the 3G/4G specification or a system evolved from the system specified by the 3G/4G specification which is defined by the 3G PP standard organization. Figure 1 1 shows network architecture of 3G/4G network system. Figure 12 is a schematic system representation showing functional modules for supporting the above-described methods. Particularly, UE is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication data generation unit, authentication unit, communication unit. E-UTRAN is provided with key generation unit. Management Entity (MME/AAA) is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication unit, communication unit. HSS is provided with asymmetric and/or symmetric key(s), encryption and/or decryption unit, DH procedure unit, key generation unit, random number generation unit, authentication vector generation unit, authentication unit, communication unit. Each of the UE, Management Entity and HSS are provided with transmitting unit and receiving unit which comprise the communication unit. It is to be appreciated that the UE/Management Entity/HSS may be provided with some or all of the respectively-listed units depending on requirements. It is to be appreciated that each listed unit may be incorporated with another listed unit.
With reference to the CN of Figure 12 and in accordance with Figures 4 to 10, a system for authentication and key generation is provided, the system comprising: a receiving unit configured to: receive, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by the UE; a decryption unit configured to: using at least asymmetric key techniques, decrypt the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; an authentication vector generating unit configured to: generate an authentication vector based at least on the decrypted first random number; and a transmitting unit configured to: transmit the authentication vector which is destined for the UE for authentication of the core network entity. With reference to the CN of Figure 12 and in accordance with Figure 4, the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication vector generation unit is further configured to: generate a second message authentication code (MAC) based at least on the decrypted random number; wherein the system further comprising an authentication unit configured to: successfully authenticate the UE if the first MAC and the second MAC are equal. As an additional option, the transmitting unit is further configured to: generate one of a third message authentication code (MAC) and a signature based at least on the decrypted random number; and transmit the one of the second MAC and the signature.
With reference to the CN of Figure 12 and in accordance with Figure 6, the authentication vector generation unit is further configured to: generate the second message authentication code (MAC) further based on a symmetric key which is shared by the core network entity and the UE.
With reference to the CN of Figure 12 and in accordance with Figure 5, the decryption unit is provided at a Home Subscriber Server (HSS); the system further comprises: a random number generation unit configured to: generate, at the HSS, a second random number; the authentication vector generation unit is further configured to: generate, at the HSS, the authentication vector further based on the first random number received from UE and the second random number generated, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); the transmitting unit is further configured to: transmit, to a management entity, at least the network authentication token (AUTN) and the expected result value (XRES); and wherein the system further comprises: an authentication unit configured to: at the management entity, receive from the UE a response value (RES), and successfully authenticate the UE if the response value (RES) and expected result value (XRES) are equal.
With reference to the CN of Figure 12 and in accordance with Figure 7, the authentication vector generating unit is further configured to: generate, at a Home Subscriber Server (HSS), the authentication vector further based on a symmetric key which is shared by the HSS and the UE. With reference to the CN of Figure 12 and in accordance with Figure 8,_the decryption unit is provided at a management entity; the system further comprises: a random number generation unit configured to: generate, at the HSS, a second random number; the authentication vector generation unit is further configured to: generate, at a Home Subscriber Server (HSS), the authentication vector further based on the second random number and a symmetric key which is shared by the HSS and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); the transmitting unit is further configured to: transmit, to a management entity, at least the network authentication token (AUTN) and the expected result value (XRES); and the system further comprises: an authentication unit configured to: at the management entity, receive from the UE a response value (RES), and successfully authenticating the UE if the response value (RES) and expected result value (XRES) are equal.
With reference to the CN of Figure 12 and in accordance with Figure 9, the receiving unit is further configured to: receive a signature; the system further comprises: a random number generation unit configured to: generate a second random number; the authentication vector generation unit is further configured to: using a public key which is retrieved from the core network entity based on the UE identity, encrypt at least the second random number; and using a private key which is associated with the core network entity and retrieved therefrom, sign at least the second random number; and the system further comprises: an authentication unit further configured to: verify the received signature.
With reference to the CN of Figure 12 and in accordance with Figure 10, the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication vector generation unit is further configured to: generate a first key (KRND-CN) based on the decrypted first random number; generate a first Diffie-Hellman public key (gx); using the first key(KRND-cN), generate a second message authentication code (MAC) based at least on the first Diffie-Hellman public key (gx); the transmitting unit is further configured to: transmit at least the second message authentication code; the system further comprises: a Diffie-Hellman procedure unit configured to: receive a second Diffie-Hellman public key (gy); generate a second key based on the Diffie-Hellman public key (gy). As an additional option, the Diffie-Hellman procedure unit is further configured to: generate a session key based on the first key and the second key. With reference to the UE of Figure 12 and in accordance with Figures 4 to 10, a system for authentication and key generation in a cellular network is provided, the system comprising: a random number generation unit configured to: generate, at a user equipment (UE), a first random number; an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE; a transmitting unit configured to: transmit at least a UE identity and the encrypted first random number to a core network entity; a receiving unit configured to: receive a first authentication data from the core network entity; and an authentication unit configured to: using at least one of symmetric key and asymmetric key techniques, authenticate the core network entity by verifying the first authentication data.
With reference to the UE of Figure 12 and in accordance with Figure 4, the authentication unit is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
With reference to the UE of Figure 12 and in accordance with Figure 5, the authentication unit is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and successfully authenticate the core network entity if a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data are equal.
With reference to the UE of Figure 12 and in accordance with Figure 6, the system further comprises: an authentication data generation unit configured to:
generate a message authentication code (MAC) based at least on a symmetric key shared by the UE and the core network entity; the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
With reference to the UE of Figure 12 and in accordance with Figure 6, the system further comprises: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a hash function shared by the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity. With reference to the UE of Figure 12 and in accordance with Figures 7 and 8, the authentication unit is further configured to: generate the second authentication data further based on a symmetric key shared by the UE and a Home Subscriber Server (HSS) in the core network entity. With reference to the UE of Figure 12 and in accordance with Figure 9, the encryption-decryption unit is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; the transmitting unit is configured to: transmit the first signature; the receiving unit is further configured to: receive a second signature and an encrypted second random number; the
encryption-decryption unit is further configured to: using the secret key, decrypt the encrypted second random number; the authentication unit is further configured to: using the public key, verify the second signature; and the system further comprises: a key generation unit configured to: generate a session key based on the first random number and the decrypted second random number. With reference to the UE of Figure 12 and in accordance with Figure 10,_the receiving unit is further configured to: receive a first message authentication code (MAC); the authentication unit is further configured to: generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and successfully authenticate the core network entity if the first MAC and the second MAC are equal.
Other embodiments will be apparent to those skilled in the art from consideration of the specification and practice of the invention. Furthermore, certain terminology has been used for the purposes of descriptive clarity, and not to limit the disclosed embodiments of the invention. The embodiments and features described above should be considered exemplary.

Claims

Claims:
1 . A method for authentication and key generation in a cellular network, comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on the decrypted first random number; and transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
2. The method of claim 1 , further comprising: receiving a first message authentication code (MAC) from the UE; generating a second MAC based at least on the decrypted first random number; authenticating the UE successfully when the first MAC and the second MAC meet a preset condition.
3. The method of claim 2, wherein generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a symmetric key which is shared between the core network entity and the UE.
4. The method of claim 2, wherein generating a second message authentication code (MAC) based at least on the decrypted first random number comprises: generating the second MAC based at least on the decrypted first random number and a hash function which is shared between the core network entity and the UE.
5. The method of any one of claims 1 -4, further comprising: generating one of a third MAC and a signature based at least on the decrypted first random number; transmitting, from the core network entity to the UE, the one of the generated third MAC or the signature.
6. The method of claim 1 , wherein decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity is performed at a Home Subscriber Server (HSS) of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at the HSS, the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity of the core network; and authenticating the UE successfully when the RES and XRES meet a preset condition.
7. The method of claim 1 , wherein decrypting the encrypted first random number with a private key which is retrieved from the core network entity is performed at a management entity of the core network; wherein generating an authentication vector based at least on the decrypted first random number comprises: generating, at a Home Subscriber Server (HSS), the authentication vector based on the decrypted first random number, and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, wherein the authentication vector includes a network AUTN and an XRES; wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network entity, at least the network AUTN and the XRES; and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity; and authenticating the UE successfully when the response value (RES) and expected result value (XRES) are equal.
8. The method of claim 1 , further comprising: receiving a signature from the UE; verifying the received signature based on a public key which is retrieved from the core network entity and associated with the UE identity; encrypting at least a second random number generated at the core network by using a public key which is retrieved from the core network entity based on the UE identity, upon the received signature is verified successfully,; and signing at least the second random number by using a private key which is associated with the core network entity and retrieved therefrom; and transmting the encrypted second random number and the signed second random number to the UE.
9. The method of claim 1 , wherein generating an authentication vector based at least on the decrypted first random number comprises: generating a first key (KRND-CN) based on the decrypted first random number; generating a first Diffie-Hellman public key (gx); generating a first message authentication code (MAC) based at least on the first Diffie-Hellman public key (gx) by using the first key(KRND-cN),; the method further comprising: receiving a second Diffie-Hellman public key (gy) and a MAC from the UE; authenticating the UE based at least on the first MAC and the second MAC.
1 CK The method of claim 9, further comprising : generating a session key based on the first key (KRND-CN) and the second Diffie-Hellman public key (gy).
1 1 . A method for authentication and key generation in a cellular network, the method comprising:
generating, at a user equipment (UE), a first random number and encrypting the first random number with a public key which is retrieved from a UE and associated with a UE identity; transmitting at least the UE identity and the encrypted first random number to a core network entity; receiving a first authentication data from the core network entity; and authenticating the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
12. The method of claim 1 1 , wherein authenticating the core network by verifying the first authentication data comprises: verifying one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmitting the authentication result to the core network entity.
13. The method of claim 1 1 , wherein authenticating the core network entity by verifying the first authentication data comprises: generating a second authentication data based at least on a second random number included in the first authentication data; and authenticating the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset condition.
14. The method of claim 13, wherein generating a second authentication data based at least on a second random number included in the first authentication data comprises: generating the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
15. The method of any one of claims 1 1 to 14, further comprising: generating a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; transmitting the message authentication code (MAC) to the core network entity.
16. The method of claim 1 1 , further comprising: generating a first signature based at least on a first secret key retrieved from the UE; transmitting the first signature to the core network entity; receiving a second signature and an encrypted second random number from the core network entity; wherein authenticating the core network by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique, comprises: decrypting the encrypted second random number by using a secret key; verifying the second signature by using the public key; and generating a session key based on the first random number and the decrypted second random number.
17. The method of claim 1 1 , further comprising: receiving a first message authentication code (MAC); wherein authenticating the core network entity by verifying the first authentication data comprises: generating a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticating the core network entity successfully when the first MAC and the second MAC are equal.
18. A system for authentication and key generation in a cellular network, the system comprising:
a random number generation unit configured to: generate, at a user equipment (UE), a first random number; an encryption-decryption unit configured to: encrypt the first random number with a public key retrieved from the UE, wherein the public key is based on a UE identity associated with the UE; a transmitting unit configured to: transmit at least the UE identity and the encrypted first random number to a core network entity; a receiving unit configured to: receive a first authentication data from the core network entity; and an authentication unit configured to: authenticate the core network entity by verifying the first authentication data by using at least one of symmetric key and asymmetric key technique.
19. The system of claim 18, wherein the authentication unit is further configured to: verify one of a message authentication code (MAC) and a signature included in the first authentication data to generate an authentication result; and transmit the authentication result to the core network entity.
20. The system of claim 18, wherein the authentication unit is further configured to: generate a second authentication data based at least on a second random number included in the first authentication data; and authenticate the core network entity successfully when a first authentication token (AUTN) included in the first authentication data and a second authentication token (AUTN) included in the second authentication data meet a preset condition.
21 . The system of claim 20, wherein the authentication unit is further configured to: generate the second authentication data based at least on the second random number and a symmetric key shared between the UE and a Home Subscriber Server (HSS) in the core network entity.
22. The system of any one of claims 18 to 21 , the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a symmetric key shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
23. The system of claim 19, the system further comprising: an authentication data generation unit configured to: generate a message authentication code (MAC) based at least on a hash function shared between the UE and the core network entity; wherein the transmitting unit is further configured to: transmit the message authentication code to the core network entity.
24. The system of claim 18, wherein the encryption-decryption unit is further configured to: generate a first signature based at least on a first secret key retrieved from the UE; wherein the transmitting unit is configured to: transmit the first signature to the core network entity; wherein the receiving unit is further configured to: receive a second signature and an encrypted second random number from the core network entity; wherein the encryption-decryption unit is further configured to: decrypt the encrypted second random number by using the secret key; wherein the authentication unit is further configured to: verify the second signature by using the public key; and the system further comprises: a key generation unit configured to: generate a session key based on the first random number and the decrypted second random number.
25. The system of claim 18, wherein the receiving unit is further configured to: receive a first message authentication code (MAC); wherein the authentication unit is further configured to: generate a second message authentication code (MAC) based at least on a first Diffie-Hellman public key included in the first authentication data; and authenticate the core network entity successfully when the first MAC and the second MAC are equal.
26. A method for authentication and key generation in a cellular network, comprising: at a first core network entity: receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmitting the authentication vector to a second core network entity.
27. The method of claim 26, wherein generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises: transmitting at least the network authentication token (AUTN) and the expected result value (XRES).
28. The method of claim 26, wherein before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, the method further comprising: decrypting the encrypted first random number with a private key by using at least asymmetric key technique, wherein the private key is retrieved from the first core network entity based on the UE identity.
29. The method of any one of claims 26 to 28, wherein the first core network entity includes Home Subscriber Server (HSS).
30. A system for authentication and key generation in a cellular network, the system comprises:
a communication unit provided at a first core network entity and configured to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; an authentication vector generation unit provided at the first core network entity and configured to: generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to: transmit the authentication vector to a second core network entity.
31 The system of claim 30, wherein the communication unit is further configured to: receive the decrypted first random number; wherein the authentication vector generation unit is further configured to: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein the communication unit is further configured to: transmit at least the network authentication token (AUTN) and the expected result value (XRES).
32. The system of claim 30, further comprising: a decryption unit provided at the first core network entity and configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the first core network entity based on the UE identity.
33. The system of any one of claims 30 to 32, wherein the first core network entity includes Home Subscriber Server (HSS).
34. A method for authentication and key generation in a cellular network, the method comprising:
at a first core network entity: receiving at least a user equipment (UE) identity and decrypted first random number from the second core network entity; generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and transmitting the authentication vector to a second core network entity.
35. The method of claim 34,wherein generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number comprises: generating the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector to a second core network entity comprises: transmitting at least the network authentication token (AUTN) and the expected result value (XRES).
36 The method of claim 34, wherein before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, the method further comprising: decrypting the encrypted first random number with a private key which is retrieved from the first core network entity based on the UE identity, by using at least asymmetric key technique.
37. The method of any one of claims 34 to 36, wherein the first core network entity includes Home Subscriber Server (HSS).
38. A system for authentication and key generation in a cellular network, comprising: a communication unit provided at a first core network entity and configured to: receive at least a user equipment (UE) identity and decrypted first random number from the second core network entity ; an authentication vector generation unit provided at the first core network entity and configured to: generate an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number; and a communication unit provided at the first core network and configured to: transmit the authentication vector to a second core network entity.
39. The system of claim 38, wherein the communication unit is further configured to: receive the decrypted first random number; wherein the authentication vector generation unit is further configured to: generate the authentication vector based on the decrypted first random number and at least one of a second random number and a symmetric key, wherein the second random number is generated at the the first core network entity, wherein the symmetric key is shared between the first core network entity and the UE, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein the communication unit is further configured to: transmit at least the network authentication token (AUTN) and the expected result value (XRES).
40. The system of claim 38, the system further comprising: a decryption unit provided at the first core network entity and configured to: before generating an authentication vector based at least on a decrypted first random number which is obtained from the encrypted first random number, decrypt the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the first core network entity based on the UE identity.
41 . The system of any one of claims 38 to 40, wherein the first core network entity includes Home Subscriber Server (HSS).
42. A method for authentication and key generation in a cellular network, comprising: at a second core network entity: receiving at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting the encrypted first random number with a private key by using at least asymmetric key techniques, wherein the private key is retrieved from the second core network entity based on the UE identity; transmitting an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receiving an authentication vector from the first core network entity; and transmitting the authentication vector to the UE.
43. The method of claim 42, comprising: wherein the authentication vector at least includes expected result value (XRES); receiving from the UE a response value (RES); and authenticating the UE successfully when the response value (RES) and expected result value (XRES) are equal; wherein the first core network entity includes Home Subscriber Server (HSS) and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
44. A system for authentication and key generation in a cellular network, the system comprises: a communication unit provided at a second core network entity and configured to: receive at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; a decryption unit provided at the second core network entity and configured to: decrypt the encrypted first random number with a private key by using at least asymmetric key technique, wherein the private key is retrieved from the second core network entity based on the UE identity; wherein the communication unit is further configured to: transmit an authentication vector request to a first core network entity, wherein the authentication vector request includes the UE identity and the decrypted first random number; receive an authentication vector from the first core network entity; and transmit the authentication vector to the UE.
45. The system of claim 44, wherein the authentication vector at least includes expected result value (XRES); the communication unit is configured to: receive from the UE a response value (RES); and anthentication unit is configured to : authenticate the UE successfully when the response value (RES) and expected result value (XRES) are equal; wherein the first core network entity includes Home Subscriber Server (HSS), and the second core network entity includes one of Mobility Management Entity (MME) and Authentication, Authorization and Accounting (AAA) server.
46. A method for authentication and key generation in a cellular network, comprising: receiving, at a core network entity, at least a user equipment (UE) identity and an encrypted first random number which is generated by a UE associated with the UE identity; decrypting, based at least on asymmetric key technique, the encrypted first random number with a private key which is retrieved from the core network entity based on the UE identity; generating an authentication vector based at least on one of the decrypted first random number; and a second random number and a symmetric key, wherein the second random number is generated at the HSS, wherein the symmetric key is shared between the HSS and the UE, transmitting the authentication vector which is destined for the UE for authentication of the core network entity.
47. The mothed of 46, wherein the authentication vector includes a network authentication token (AUTN) and an expected result value (XRES); wherein transmitting the authentication vector comprises: transmitting, to a management entity of the core network, at least the network authentication token (AUTN) and the expected result value (XRES); and wherein the method further comprising: receiving from the UE a response value (RES) at the management entity of the core network; and authenticating the UE successfully when the response value (RES) and expected result value (XRES) meet a preset condition.
PCT/SG2017/050220 2016-04-27 2017-04-20 Method and system for authentication with asymmetric key WO2017188895A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10201603367TA SG10201603367TA (en) 2016-04-27 2016-04-27 Method and system for authentication with asymmetric key
SG10201603367T 2016-04-27

Publications (1)

Publication Number Publication Date
WO2017188895A1 true WO2017188895A1 (en) 2017-11-02

Family

ID=58737841

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2017/050220 WO2017188895A1 (en) 2016-04-27 2017-04-20 Method and system for authentication with asymmetric key

Country Status (2)

Country Link
SG (1) SG10201603367TA (en)
WO (1) WO2017188895A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108599932A (en) * 2018-04-10 2018-09-28 国网山东省电力公司博兴县供电公司 A kind of identity identifying method for electric system
CN109451504A (en) * 2019-01-03 2019-03-08 中国联合网络通信集团有限公司 Internet of Things mould group method for authenticating and system
EP3506560A1 (en) * 2017-12-29 2019-07-03 Nagravision S.A. Secure provisioning of keys
CN110519046A (en) * 2019-07-12 2019-11-29 如般量子科技有限公司 Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN110620659A (en) * 2019-08-28 2019-12-27 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on symmetric key pool and secondary surplus
CN110933673A (en) * 2019-10-12 2020-03-27 国网浙江省电力有限公司信息通信分公司 Access authentication method of IMS network
CN111263361A (en) * 2020-01-10 2020-06-09 中国联合网络通信集团有限公司 Connection authentication method and device based on block chain network and micro base station
CN112565176A (en) * 2019-09-26 2021-03-26 通用电气公司 Securely communicating with devices in a distributed control system
CN113098860A (en) * 2021-03-30 2021-07-09 三一汽车起重机械有限公司 CAN bus encryption method and device, engineering machinery and storage medium
US11146540B2 (en) 2018-05-09 2021-10-12 Datalogic Ip Tech S.R.L. Systems and methods for public key exchange employing a peer-to-peer protocol
CN114697122A (en) * 2022-04-08 2022-07-01 中国电信股份有限公司 Data transmission method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102036238A (en) * 2010-12-27 2011-04-27 中国科学院软件研究所 Method for realizing user and network authentication and key distribution based on public key
CN102664725A (en) 2012-04-26 2012-09-12 成都交大光芒科技股份有限公司 Method for realizing clock synchronization subsystem in passenger special line comprehensive monitoring system
US20130163762A1 (en) * 2010-09-13 2013-06-27 Nec Corporation Relay node device authentication mechanism
CN101969638B (en) 2010-09-30 2013-08-14 中国科学院软件研究所 Method for protecting international mobile subscriber identity (IMSI) in mobile communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130163762A1 (en) * 2010-09-13 2013-06-27 Nec Corporation Relay node device authentication mechanism
CN101969638B (en) 2010-09-30 2013-08-14 中国科学院软件研究所 Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN102036238A (en) * 2010-12-27 2011-04-27 中国科学院软件研究所 Method for realizing user and network authentication and key distribution based on public key
CN102664725A (en) 2012-04-26 2012-09-12 成都交大光芒科技股份有限公司 Method for realizing clock synchronization subsystem in passenger special line comprehensive monitoring system

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3506560A1 (en) * 2017-12-29 2019-07-03 Nagravision S.A. Secure provisioning of keys
CN108599932A (en) * 2018-04-10 2018-09-28 国网山东省电力公司博兴县供电公司 A kind of identity identifying method for electric system
US11146540B2 (en) 2018-05-09 2021-10-12 Datalogic Ip Tech S.R.L. Systems and methods for public key exchange employing a peer-to-peer protocol
CN109451504A (en) * 2019-01-03 2019-03-08 中国联合网络通信集团有限公司 Internet of Things mould group method for authenticating and system
CN109451504B (en) * 2019-01-03 2021-11-16 中国联合网络通信集团有限公司 Internet of things module authentication method and system
CN110519046A (en) * 2019-07-12 2019-11-29 如般量子科技有限公司 Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN110519046B (en) * 2019-07-12 2023-10-13 如般量子科技有限公司 Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD
CN110620659A (en) * 2019-08-28 2019-12-27 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on symmetric key pool and secondary surplus
CN110620659B (en) * 2019-08-28 2021-08-31 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on symmetric key pool and secondary surplus
CN112565176A (en) * 2019-09-26 2021-03-26 通用电气公司 Securely communicating with devices in a distributed control system
CN112565176B (en) * 2019-09-26 2022-12-23 通用电气公司 Securely communicating with devices in a distributed control system
US11711206B2 (en) 2019-09-26 2023-07-25 General Electric Company Communicating securely with devices in a distributed control system
CN110933673A (en) * 2019-10-12 2020-03-27 国网浙江省电力有限公司信息通信分公司 Access authentication method of IMS network
CN110933673B (en) * 2019-10-12 2023-10-24 国网浙江省电力有限公司信息通信分公司 Access authentication method of IMS network
CN111263361A (en) * 2020-01-10 2020-06-09 中国联合网络通信集团有限公司 Connection authentication method and device based on block chain network and micro base station
CN111263361B (en) * 2020-01-10 2023-04-18 中国联合网络通信集团有限公司 Connection authentication method and device based on block chain network and micro base station
CN113098860A (en) * 2021-03-30 2021-07-09 三一汽车起重机械有限公司 CAN bus encryption method and device, engineering machinery and storage medium
CN114697122A (en) * 2022-04-08 2022-07-01 中国电信股份有限公司 Data transmission method and device, electronic equipment and storage medium
CN114697122B (en) * 2022-04-08 2023-11-07 中国电信股份有限公司 Data transmission method, device, electronic equipment and storage medium

Also Published As

Publication number Publication date
SG10201603367TA (en) 2017-11-29

Similar Documents

Publication Publication Date Title
WO2017188895A1 (en) Method and system for authentication with asymmetric key
US10931445B2 (en) Method and system for session key generation with diffie-hellman procedure
US11075752B2 (en) Network authentication method, and related device and system
EP2033479B1 (en) Method and apparatus for security protection of an original user identity in an initial signaling message
CN101640886B (en) Authentication method, re-authentication method and communication device
US11700245B2 (en) Key distribution method, key receiving method, first key management system, and first network element
CN102036238B (en) Method for realizing user and network authentication and key distribution based on public key
US20070192602A1 (en) Clone resistant mutual authentication in a radio communication network
CN108880813B (en) Method and device for realizing attachment process
US10103887B2 (en) Operator-assisted key establishment
JP2013537374A (en) Relay node device authentication mechanism
CN111865603A (en) Authentication method, authentication device and authentication system
KR20070112260A (en) Network assisted terminal to sim/uicc key establishment
CN108809903B (en) Authentication method, device and system
AU2017313215B2 (en) Authentication server of a cellular telecommunication network and corresponding UICC
CN101192927B (en) Authorization based on identity confidentiality and multiple authentication method
Ekene et al. Enhanced user security and privacy protection in 4G LTE network
CN101784048B (en) Method and system for dynamically updating identity authentication and secret key agreement of secret key
CN101547091A (en) Method and device for transmitting information
Moroz et al. Methods for ensuring data security in mobile standards
US20230108626A1 (en) Ue challenge to a network before authentication procedure
Jain et al. SAP: A Low-latency Protocol for Mitigating Evil Twin Attacks and High Computation Overhead in WI-FI Networks
WO2018126750A1 (en) Key delivery method and device
Wang et al. Research on an improved proposal of 3G security
CN117156436A (en) 5G authentication method and functional entity based on cryptographic algorithm

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17724463

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15.02.2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17724463

Country of ref document: EP

Kind code of ref document: A1