WO2020208294A1 - Establishment of secure communication paths to a multipath connection (MPC) server with an initial connection over a public network - Google Patents

Establishment of secure communication paths to a multipath connection (MPC) server with an initial connection over a public network

Info

Publication number
WO2020208294A1
Authority
WO
WIPO (PCT)
Prior art keywords
multipath
communication network
network
user equipment
connection
Application number
PCT/FI2020/050199
Other languages
English (en)
Inventor
Suresh Nair
Thomas Theimer
Thierry Van De Velde
Satish Kanugovi
Original Assignee
Nokia Technologies Oy
Application filed by Nokia Technologies Oy
Publication of WO2020208294A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
          • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/14 Multichannel or multilink protocols
          • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
            • H04L2209/80 Wireless
              • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
              • H04W12/041 Key generation or derivation
            • H04W12/06 Authentication
            • H04W12/60 Context-dependent security
              • H04W12/69 Identity-dependent
          • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
            • H04W88/02 Terminal devices
              • H04W88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
            • G06F21/60 Protecting data
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2103 Challenge-response

Definitions

  • the field relates generally to communication systems, and more particularly, but not exclusively, to security management within such systems.
  • Fourth generation (4G) wireless mobile telecommunications technology also known as Long Term Evolution (LTE) technology, was designed to provide high capacity mobile multimedia with high data rates particularly for human interaction.
  • Next generation or fifth generation (5G) technology is intended to be used not only for human interaction, but also for machine type communications in so-called Internet of Things (IoT) networks.
  • IoT Internet of Things
  • while 5G networks are intended to enable massive IoT services (e.g., very large numbers of limited capacity devices) and mission-critical IoT services (e.g., requiring high reliability), improvements over legacy mobile communication services are also supported in the form of enhanced mobile broadband (eMBB) services providing improved wireless Internet access for mobile devices.
  • eMBB enhanced mobile broadband
  • user equipment in a 5G network or, more broadly, a UE
  • a base station or access point referred to as a gNB in a 5G network.
  • the access point e.g., gNB
  • the access point is illustratively part of an access network of the communication system.
  • the access network is referred to as a 5G System and is described in 5G Technical Specification (TS) 23.501, V15.4.0, entitled “Technical Specification Group Services and System Aspects; System Architecture for the 5G System,” the disclosure of which is incorporated by reference herein in its entirety.
  • TS Technical Specification
  • the access point e.g., gNB
  • CN core network
  • a data network such as a packet data network (e.g., Internet).
  • TS 23.501 goes on to define a 5G Service-Based Architecture (SBA) which models services as network functions (NFs) that communicate with each other using representational state transfer application programming interfaces (Restful APIs).
  • SBA Service-Based Architecture
  • TS Technical Specification
  • a further 5G Technical Specification (TS), V15.3.1, entitled “Technical Specification Group Services and System Aspects; Security Architecture and Procedures for the 5G System,” the disclosure of which is incorporated by reference herein in its entirety, further describes security management details associated with a 5G network.
  • MAMS multiple access management service
  • Illustrative embodiments provide improved techniques for security management in communication systems particularly with respect to multipath connectivity.
  • a method comprises establishing a multipath connectivity security context when registering with a first communication network, wherein the multipath connectivity security context relates to a multipath connection server.
  • the multipath connectivity security context is utilized to establish a first connection with the multipath connection server through the first communication network, and utilized to establish a second connection with the multipath connection server through a second communication network.
  • the first communication network comprises a wireless public network (e.g., 3GPP network) and the second communication network comprises a wireless private network (e.g., non 3GPP network).
  • a method comprises receiving a multipath connection cryptographic key request from a multipath connection server, wherein the multipath connection cryptographic key request comprises an identifier for given user equipment, an identifier for a multipath connection server, and an identifier for an enterprise cryptographic key.
  • An authentication information request is sent with the identifier for the given user equipment to an authentication function, and an authentication information response is received from the authentication function.
  • a multipath connection cryptographic key is generated based at least in part on information in the authentication information response, and sent to the multipath connection server.
  • the network function is a network exposure function of the first communication network.
  • a method comprises receiving a first session establishment request from given user equipment through a first communication network, wherein the first session establishment request comprises information identifying a multipath connectivity security context established between the given user equipment and the first communication network.
  • the given user equipment is verified using at least part of the security context, and a first connection is established with the given user equipment through the first communication network.
  • a second session establishment request is received from the given user equipment through a second communication network, wherein the second session establishment request comprises information identifying the multipath connectivity security context established between the given user equipment and the first communication network.
  • the given user equipment is verified using at least part of the security context, and a second connection is established with the given user equipment through the second communication network.
  • the first communication network comprises a wireless public network (e.g., 3GPP network) and the second communication network comprises a wireless private network (e.g., non 3GPP network).
  • the multipath connection server is able to establish more connections to user equipment over available communication networks as needed.
  • FIG. 1 illustrates a communication system with which one or more illustrative embodiments are implemented.
  • FIG. 2 illustrates processing architectures for security management participants, according to an illustrative embodiment.
  • FIG. 3 illustrates multipath connectivity scenarios, according to an illustrative embodiment.
  • FIG. 4 illustrates network functions of a communication system associated with secure communications between user equipment and a multipath connection server, according to an illustrative embodiment.
  • FIG. 5 illustrates a security management methodology for an initial connection with a multipath connection server, according to an illustrative embodiment.
  • FIG. 6 illustrates a security management methodology for a subsequent connection with a multipath connection server, according to an illustrative embodiment.
  • FIG. 7 illustrates a security management methodology for an initial connection with a multipath connection server, according to another illustrative embodiment.
  • Embodiments will be illustrated herein in conjunction with example communication systems and associated techniques for providing security management (e.g., cryptographic key management) in communication systems. It should be understood, however, that the scope of the claims is not limited to the particular types of communication systems and/or processes disclosed. Embodiments can be implemented in a wide variety of other types of communication systems, using alternative processes and operations. For example, although illustrated in the context of wireless cellular systems utilizing 3GPP system elements such as a 3GPP next generation system (5G), the disclosed embodiments can be adapted in a straightforward manner to a variety of other types of communication systems.
  • 3GPP system elements such as a 3GPP next generation system (5G)
  • 5G next generation system
  • TS 3GPP technical specifications
  • TR 3GPP technical reports
  • 3GPP TS/TR documents provide other conventional details that one of ordinary skill in the art will realize.
  • while illustrative embodiments are well-suited for implementation associated with the above-mentioned 5G-related 3GPP standards, alternative embodiments are not necessarily intended to be limited to any particular standards.
  • OSI model is a model that conceptually characterizes communication functions of a communication system such as, for example, a 5G network.
  • the OSI model is typically conceptualized as a hierarchical stack with a given layer serving the layer above and being served by the layer below.
  • the OSI model comprises seven layers with the top layer of the stack being the application layer (layer 7) followed by the presentation layer (layer 6), the session layer (layer 5), the transport layer (layer 4), the network layer (layer 3), the data link layer (layer 2), and the physical layer (layer 1).
  • Illustrative embodiments are related to security management associated with the Service-Based Architecture (SBA) for 5G networks.
  • SBA Service-Based Architecture
  • FIG. 1 shows a communication system 100 within which illustrative embodiments are implemented.
  • the elements shown in communication system 100 are intended to represent main functions provided within the system, e.g., UE access functions, mobility management functions, authentication functions, serving gateway functions, etc.
  • the blocks shown in FIG. 1 reference specific elements in 5G networks that provide these main functions.
  • other network elements may be used in other embodiments to implement some or all of the main functions represented.
  • not all functions of a 5G network are depicted in FIG. 1. Rather, functions that facilitate an explanation of illustrative embodiments are represented. Subsequent figures may depict some additional elements/functions.
  • communication system 100 comprises user equipment (UE) 102 that communicates via an air interface 103 with an access point (gNB) 104.
  • the UE 102 in some embodiments is a mobile station, and such a mobile station may comprise, by way of example, a mobile telephone, a computer, or any other type of communication device.
  • the term“user equipment” as used herein is therefore intended to be construed broadly, so as to encompass a variety of different types of mobile stations, subscriber stations or, more generally, communication devices, including examples such as a combination of a data card inserted in a laptop or other equipment such as a smart phone or other cellular device.
  • user equipment refers to an IoT device.
  • Such communication devices are also intended to encompass devices commonly referred to as access terminals.
  • UE 102 is comprised of a Universal Integrated Circuit Card (UICC) part and a Mobile Equipment (ME) part.
  • UICC Universal Integrated Circuit Card
  • ME Mobile Equipment
  • the UICC is the user-dependent part of the UE and contains at least one Universal Subscriber Identity Module (USIM) and appropriate application software.
  • USIM securely stores the permanent subscription identifier and its related key, which are used to identify and authenticate subscribers to access networks.
  • the ME is the user-independent part of the UE and contains terminal equipment (TE) functions and various mobile termination (MT) functions.
  • TE terminal equipment
  • MT mobile termination
  • the permanent subscription identifier is an International Mobile Subscriber Identity (IMSI) of a UE.
  • IMSI International Mobile Subscriber Identity
  • the IMSI is at most 15 digits long and consists of a 3-digit Mobile Country Code (MCC), a 2- or 3-digit Mobile Network Code (MNC), and a Mobile Station Identification Number (MSIN) of up to 10 digits; the illustrative embodiment assumes a 3-digit MNC and a 9-digit MSIN, giving a fixed 15-digit IMSI.
  • MCC Mobile Country Code
  • MNC Mobile Network Code
  • MSIN Mobile Station Identification Number
  • SUPI Subscription Permanent Identifier
  • the MSIN provides the subscriber identity.
  • the MNC and MCC portions of the IMSI provide routing information, used by the serving network to route to the correct home network.
  • SUCI Subscription Concealed Identifier
  • the access point 104 is illustratively part of an access network of the communication system 100.
  • Such an access network comprises, for example, a 5G System having a plurality of base stations and one or more associated radio network control functions.
  • the base stations and radio network control functions in some embodiments are logically separate entities, but in some embodiments are implemented in the same physical network element, such as, for example, a base station router or cellular access point.
  • the access point 104 in this illustrative embodiment is operatively coupled to mobility management functions 106.
  • the mobility management function is implemented by an Access and Mobility Management Function (AMF).
  • a Security Anchor Function (SEAF) in some embodiments is also implemented with the AMF connecting a UE with the mobility management function.
  • a mobility management function is the element or function (i.e., entity) in the core network (CN) part of the communication system that manages or otherwise participates in, among other network operations, access and mobility (including authentication/authorization) operations with the UE (through the access point 104).
  • the AMF is also referred to herein, more generally, as an access and mobility management entity.
  • the AMF 106 in this illustrative embodiment is operatively coupled to home subscriber functions 108, i.e., one or more functions that are resident in the home network of the subscriber. As shown, some of these functions include the Unified Data Management (UDM) function, as well as an Authentication Server Function (AUSF). The AUSF and UDM (separately or collectively) are also referred to herein, more generally, as an authentication entity.
  • home subscriber functions include, but are not limited to, Network Slice Selection Function (NSSF), Network Exposure Function (NEF), Network Repository Function (NRF), and Policy Control Function (PCF).
  • NSSF Network Slice Selection Function
  • NEF Network Exposure Function
  • NRF Network Repository Function
  • PCF Policy Control Function
  • by “third party” here is meant a party other than the subscriber of the UE or the operator of the core network.
  • the third party is an enterprise (e.g., corporation, business, group, individual, or the like).
  • the subscriber of the UE is an employee of the enterprise (or otherwise affiliated) who maintains a mobile subscription with the operator of the core network or another mobile network.
  • a UE is typically subscribed to what is referred to as a Home Public Land Mobile Network (HPLMN) in which some or all of the home subscriber functions 108 reside. If the UE is roaming (not in the HPLMN), it is typically connected with a Visited Public Land Mobile Network (VPLMN), also referred to as a serving network. Some or all of the mobility management functions 106 may reside in the VPLMN, in which case functions in the VPLMN communicate with functions in the HPLMN as needed. However, in a non-roaming scenario, mobility management functions 106 and home subscriber functions 108 can reside in the same communication network.
  • HPLMN Home Public Land Mobile Network
  • VPLMN Visited Public Land Mobile Network
  • the application function is a multipath connection server in illustrative embodiments.
  • the multipath connection server is associated with a third party, such as an enterprise as illustratively mentioned above.
  • the access point 104 is also operatively coupled to a serving gateway function, i.e., Session Management Function (SMF) 110, which is operatively coupled to a User Plane Function (UPF) 112.
  • SMF Session Management Function
  • UPF 112 is operatively coupled to a Packet Data Network, e.g., Internet 114.
  • the user plane (UP) or data plane carries network user traffic while the control plane (CP) carries signaling traffic.
  • SMF 110 supports functionalities relating to UP subscriber sessions, e.g., establishment, modification and release of PDU sessions.
  • UPF 112 supports functionalities to facilitate UP operations, e.g., packet routing and forwarding, interconnection to the data network (e.g., 114 in FIG. 1), policy enforcement, and data buffering.
  • FIG. 1 is a simplified illustration in that not all communication links and connections between network functions (NFs) and other system elements are illustrated in FIG. 1.
  • NFs network functions
  • FIG. 1 is an example only, and other types and arrangements of additional or alternative elements can be used to implement a communication system in other embodiments.
  • the system 100 comprises other elements/functions not expressly shown herein.
  • FIG. 1 is for simplicity and clarity of illustration only.
  • a given alternative embodiment may include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations. It is also to be noted that while FIG.
  • Network slices comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure.
  • the network slices are instantiated as needed for a given service, e.g., eMBB service, massive IoT service, and mission-critical IoT service.
  • a network slice or function is thus instantiated when an instance of that network slice or function is created. In some embodiments, this involves installing or otherwise running the network slice or function on one or more host devices of the underlying physical infrastructure.
  • UE 102 is configured to access one or more of these services via gNB 104.
  • NFs can also access services of other NFs.
  • Illustrative embodiments provide a security management methodology for multipath connectivity where a multipath connectivity security context is established for a given UE and used when connecting with a multipath connection server.
  • security context is understood to refer to any information relating to the establishment and maintenance of security of communications between two or more participants.
  • a security context can comprise one or more identities and/or one or more keys or key materials (e.g., generated, derived, or otherwise obtained). Note that when the term“key” is used alone, it is understood to refer to a cryptographic key.
  • FIG. 2 is a block diagram of processing architectures 200 of participants in a security management methodology for multipath connectivity in an illustrative embodiment.
  • more than two participants are involved in security management according to illustrative embodiments, e.g., UE, AMF, NEF, UDM, SMF, non 3GPP elements.
  • FIG. 2 illustrates processing architectures associated with any two of the participants that directly or indirectly communicate. Therefore, in illustrative embodiments, each participant in a security management methodology is understood to be configured with the processing architecture shown in FIG. 2.
  • a first security management participant 202 comprises a processor 212 coupled to a memory 216 and interface circuitry 210.
  • the processor 212 of the first security management participant 202 includes a security management processing module 214 that may be implemented at least in part in the form of software executed by the processor.
  • the processing module 214 performs security management described in conjunction with subsequent figures and otherwise herein.
  • the memory 216 of the first security management participant 202 includes a security management storage module 218 that stores data generated or otherwise used during security management operations.
  • a second security management participant 204 comprises a processor 222 coupled to a memory 226 and interface circuitry 220.
  • the processor 222 of the second security management participant 204 includes a security management processing module 224 that may be implemented at least in part in the form of software executed by the processor 222.
  • the processing module 224 performs security management described in conjunction with subsequent figures and otherwise herein.
  • the memory 226 of the second security management participant 204 includes a security management storage module 228 that stores data generated or otherwise used during security management operations.
  • the processors 212 and 222 of the respective security management participants 202 and 204 may comprise, for example, microprocessors, application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs) or other types of processing devices or integrated circuits, as well as portions or combinations of such elements.
  • ASICs application-specific integrated circuits
  • FPGAs field programmable gate arrays
  • DSPs digital signal processors
  • Such integrated circuit devices, as well as portions or combinations thereof, are examples of“circuitry” as that term is used herein.
  • a wide variety of other arrangements of hardware and associated software or firmware may be used in implementing the illustrative embodiments.
  • the memories 216 and 226 of the respective security management participants 202 and 204 may be used to store one or more software programs that are executed by the respective processors 212 and 222 to implement at least a portion of the functionality described herein.
  • security management operations and other functionality as described in conjunction with subsequent figures and otherwise herein may be implemented in a straightforward manner using software code executed by processors 212 and 222.
  • a given one of the memories 216 or 226 may therefore be viewed as an example of what is more generally referred to herein as a computer program product or still more generally as a processor-readable storage medium that has executable program code embodied therein.
  • processor-readable storage media may include disks or other types of magnetic or optical media, in any combination.
  • Illustrative embodiments can include articles of manufacture comprising such computer program products or other processor-readable storage media.
  • the memory 216 or 226 may more particularly comprise, for example, an electronic random-access memory (RAM) such as static RAM (SRAM), dynamic RAM (DRAM) or other types of volatile or non-volatile electronic memory.
  • RAM electronic random-access memory
  • SRAM static RAM
  • DRAM dynamic RAM
  • the latter may include, for example, non-volatile memories such as flash memory, magnetic RAM (MRAM), phase- change RAM (PC-RAM) or ferroelectric RAM (FRAM).
  • MRAM magnetic RAM
  • PC-RAM phase- change RAM
  • FRAM ferroelectric RAM
  • memory is intended to be broadly construed, and may additionally or alternatively encompass, for example, a read-only memory (ROM), a disk-based memory, or other type of storage device, as well as portions or combinations of such devices.
  • the interface circuitries 210 and 220 of the respective security management participants 202 and 204 illustratively comprise transceivers or other communication hardware or firmware that allows the associated system elements to communicate with one another in the manner described herein.
  • first security management participant 202 is configured for communication with the second security management participant 204 and vice-versa via their respective interface circuitries 210 and 220. This communication involves the first security management participant 202 sending data to the second security management participant 204, and the second security management participant 204 sending data to the first security management participant 202.
  • other network elements or other components may be operatively coupled between, as well as to, the security management participants 202 and 204.
  • the term“data” as used herein is intended to be construed broadly, so as to encompass any type of information that may be sent between security management participants including, but not limited to, messages, tokens, identifiers, keys, indicators, user data, control data, etc.
  • It is to be appreciated that the particular arrangement of components shown in FIG. 2 is an example only, and numerous alternative configurations are used in other embodiments. For example, any given network element/function can be configured to incorporate additional or alternative components and to support other communication protocols.
  • FIG. 3 illustrates a multipath connectivity scenario 300, according to an illustrative embodiment.
  • multipath connectivity functionality, e.g., MAMS
  • UE 302 is connected to a multipath connection server 304 over a 5G core network 306 and over a non-3GPP access such as a private network, e.g., WLAN 308.
  • Multipath connection server 304 functions as a multipath connectivity proxy (e.g., a network function in the context of a 5G network), which can be accessed over multiple independent networks (e.g., two networks in the FIG. 3 embodiments but which can be more than two independent networks in other embodiments).
  • multipath connectivity proxy e.g., multipath connection server 304
  • independent networks e.g., 5G core network 306 and WLAN 308
  • Multipath protocol procedures (e.g., MPTCP) may require the client to establish a multipath session when the initial access network connection is established, i.e., even when the device starts with a single access network connection.
  • MPTCP Multipath TCP
  • for example, when a robotic device connects via 5G, it has to set up the first leg of a multipath connection with the multipath connectivity function in the network. Later, when the robotic device connects via WLAN, it establishes the second multipath leg to the same multipath connectivity function.
  • since the robotic devices perform critical functions in the factory, often in cooperation with other robotic devices and other types of devices in the factory network, it is important to ensure a secured connection. Irrespective of the varied level of security offered by the underlying access network connections, it is realized herein that unauthorized users should not be able to establish new multipath sessions or break into existing multipath sessions.
  • the network should control which devices are authorized to establish the initial multipath session and also ensure that the second leg establishment, from an independent network, is indeed from the originator of the first leg.
  • a device should therefore assert its identity for the multipath session. In illustrative embodiments, this is ensured by a commonly derived key (part of a security context) shared between the UE (e.g., robotic or other IoT device) and the multipath connectivity function and used during establishment of the initial and subsequent legs; the key is bound to one multipath session and cannot be carried across multipath sessions.
  • In one illustrative embodiment, the UE that wants to establish a multipath connection first connects to the 5G network.
  • The UE accesses the 5G network with its 5G network subscription identity (SUPI) and undergoes 5G authentication procedures.
  • The UE and the network authenticate each other and establish a connection.
  • The UDM determines that the UE is also subscribed to a multipath connection server.
  • The UDM instructs the AUSF to generate intermediate keys intended for authenticating exposure to the multipath connection server through the NEF.
  • The NEF generates specific keys for the exposure, in this case exposing the multipath connection server to the UE.
  • The NEF acts as a security anchor for exposure of network functions (NFs) to third party applications and derives the specific keys meant to authenticate any UE that is requesting the NF services.
  • The NEF derives specific authentication keys based on a multipath connection server identity. The NEF may consider the identity of the multipath connection server, such as its Internet Protocol (IP) address, fully qualified domain name (FQDN), server type, etc., while deriving the unique keys.
  • The UE is also expected to know how to derive the key specific for an NF.
  • The UE accesses the multipath connection server over the 5G 3GPP system first, e.g., over NR (New Radio), subsequent to a successful 5G authentication.
  • The second access to the multipath connection server is made over a non-3GPP network or private network (e.g., WLAN).
  • The UE presents its unique identity and credentials, received over the secured 3GPP network, to the multipath connection server while registering with it over the non-3GPP network.
  • The unique identity may include one of a permanent subscription identity (SUPI), device identity (IMEI), 3GPP network IP address, 3GPP temporary network identity such as serving temporary mobile subscriber identity (S-TMSI) or globally unique temporary identity (GUTI), or any identity assigned by the multipath connection server over the 3GPP network.
  • Illustrative embodiments assume that UE 302 first makes the connection to multipath connection server 304 over 5G core network 306.
  • In alternative embodiments, UE 302 can start the connection over a 3GPP network or over a non-3GPP network and move around freely without losing the connection with multipath connection server 304.
  • NEF functionality is specified in the above-referenced TS 23.501 (e.g., clause 6.2.5).
  • In illustrative embodiments, the NEF is adapted as a security anchor that provides security management services to a multipath connection (MPC) server.
  • The NEF is responsible for generating MPC-specific key material to be used between the UE and the MPC server and for maintaining an active UE security context.
  • The NEF and its functional environment are depicted in process 400 of FIG. 4, which shows how the NEF acts as a security anchor function for an MPC server (note that the MPC server is considered an NF in illustrative embodiments).
  • FIG. 4 illustrates a 5G Core (CN) 410 with SEAF 412, UDM 414, NEF 416, and AUSF 418.
  • NEF 416 is operatively coupled to UDM 414 and MPC server 420, while UE 430 is operatively coupled to MPC server 420 and AUSF 418.
  • NEF 416 interfaces with UDM 414 in 5G Core 410 to obtain the required inputs (such as one or more authentication vectors, AVs) for generating a UE-specific MPC key (a key specific to UE 330 for MPC server 420).
  • UDM 414 generates an enterprise key based on UE subscription data, which is then used by NEF 416 to generate an MPC-specific cryptographic key using an MPC identifier as one of the inputs.
  • NEF 416 provides a Service-Based Interface (SBI)-based northbound interface to MPC server 420.
  • As described above, FIG. 3 illustrates a multipath connectivity scenario whereby a UE establishes a first connection with an MPC server through the 5G core (public or 3GPP) network, followed by a second connection with the MPC server through a private (non-3GPP) network such as a WLAN.
  • FIGS. 5 and 7 illustrate embodiments of message flows for establishing the first or initial connection, while FIG. 6 illustrates an embodiment of a message flow for establishing the second or subsequent connection.
  • FIG. 5 illustrates a security management methodology for an initial connection with a multipath connection server, according to an illustrative embodiment. Here the initial or first connection is with a 3GPP network (e.g., 5G core). More particularly, FIG. 5 depicts an end-to-end message flow 500 between UE 502, AMF 504, multipath connection (MPC) server 506, NEF 508, and UDM 510.
  • Step 1 (520). UE 502 registers over the 5G 3GPP network and gets authenticated in a typical 5G authentication manner. Access to the 5G Core over a trusted NR interface as well as untrusted WiFi access over N3IWF with 5GC credentials are assumed here.
  • Step 2 (522). When UE 502 wants to access the MPC server 506, it generates an Enterprise key for general enterprise access using NEF 508 and also a specific MPC server key.
  • Step 3. UE 502 sends a Session Establishment Request to the MPC server 506, which is considered one of the NFs within the 3GPP network. MPC server 506 is assumed to function as an independent NF in the Service Based Architecture of the 5G core network.
  • Step 4. MPC server 506 sends an Application Key Request for the UE 502, with the UE ID (identity) and its own MPC server ID, to NEF 508 within the 5G Core.
  • Step 5. NEF 508 verifies whether authentication and a special key are required to connect to the MPC server 506.
  • Step 6 (530). If special authentication is required for connectivity to MPC server 506, NEF 508 sends an Authentication Information Request to UDM 510 with the UE ID.
  • Step 7. UDM 510 generates AVs for authenticating UE 502 by the MPC server 506 and sends back an Authentication Information Response containing the AVs and the UE ID.
  • Step 8. From the AVs, NEF 508 generates an Enterprise key for UE 502 and specific MPC server keys to authenticate UE 502.
  • Step 9 (536). NEF 508 sends back an Application Key Response to MPC server 506 with the MPC key and validity time (i.e., duration of validity of the key).
  • Step 10. MPC server 506 generates an MPC key, to be used as a pre-shared key (PSK) for the multipath connectivity to UE 502.
  • Step 11. MPC server 506 and UE 502 exchange multiple session establishment messages to establish connectivity to MPC server 506. The multiple messages may involve Challenge-Response messages to verify that UE 502 is in possession of the PSK and the authentication key and to verify the UE identity.
  • FIG. 6 illustrates a security management methodology for a subsequent connection (i.e., a connection following the first connection described above in the context of FIG. 5 or below in the context of FIG. 7) with a multipath connection server, according to an illustrative embodiment. More particularly, FIG. 6 shows an end-to-end message flow 600 for establishing a second or subsequent connection to the MPC server over private non-3GPP access, assuming a first connection has been made through a 3GPP network. The same system elements, i.e., UE 502, AMF 504, MPC server 506, NEF 508, and UDM 510, are shown in FIG. 6.
  • Step 1. UE 502 registers over the 3GPP network, gets authenticated, and establishes a UE context with the 5G core.
  • Step 2 (622). UE 502 gets connected over the 3GPP network to the MPC server 506.
  • Step 3. UE 502 moves around and, when conditions are met, registers over a non-3GPP network (private network) to the MPC server 506. The registration message contains the MPC server ID, UE ID, connection ID, validation credentials, etc. received over the 3GPP network, for the MPC server 506 to determine the correct UE security context. UE 502 uses the MPC server ID to register to the same MPC server it had registered with over the 3GPP network. The registration protocol over the non-3GPP network may be different from that of the 3GPP network.
  • Step 4. MPC server 506 validates the UE ID, the MPC server ID, and the credentials presented.
  • Step 5. MPC server 506 may initiate multiple challenge-response messages with UE 502 to verify that the UE is really in possession of the parameters, using the keys established over the 3GPP network.
  • Step 6 (630). Both UE 502 and MPC server 506 establish a connection over the non-3GPP network as well as the 3GPP network (i.e., establish multipath connectivity).
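As an added worked example (my own construction, not the patent's procedure or code): the key chain of FIG. 5 (enterprise key, MPC-server-bound key, per-session PSK) followed by the second-leg challenge-response of FIG. 6, in Python. The KDF, the derivation labels, the binding of the connection ID into the PSK and all sample identities are assumptions; the patent does not specify them.

```python
"""Hypothetical worked example of the MPC security context (assumed KDF, not the
patent's or 3GPP's): enterprise key -> MPC-server-bound key -> per-session PSK,
then the challenge-response that proves possession on the second leg."""
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label plus length-prefixed parameters."""
    data = label
    for p in params:
        data += len(p).to_bytes(2, "big") + p
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_enterprise_key(k_ausf: bytes, supi: bytes) -> bytes:
    """UDM/AUSF side (FIG. 5 steps 6-8): enterprise key from the 5G context."""
    return kdf(k_ausf, b"ENTERPRISE", supi)

def derive_mpc_key(k_ent: bytes, mpc_server_id: bytes) -> bytes:
    """NEF side, mirrored by the UE (step 8): key bound to the MPC server ID."""
    return kdf(k_ent, b"MPC", mpc_server_id)

def derive_psk(k_mpc: bytes, ue_id: bytes, connection_id: bytes) -> bytes:
    """Step 10: per-session PSK; binding the connection ID keeps it from being
    carried into another multipath session (assumed binding)."""
    return kdf(k_mpc, b"PSK", ue_id, connection_id)

def response(psk: bytes, challenge: bytes, ue_id: bytes,
             server_id: bytes, connection_id: bytes) -> bytes:
    """Challenge-response (FIG. 6 step 5): proof of PSK possession bound to the
    identities the UE presented in its non-3GPP registration."""
    return kdf(psk, b"RESP", challenge, ue_id, server_id, connection_id)

class MpcServer:
    def __init__(self, server_id: bytes) -> None:
        self.server_id = server_id
        self.contexts = {}  # (ue_id, connection_id) -> PSK

    def first_leg(self, ue_id: bytes, k_mpc_from_nef: bytes) -> bytes:
        """3GPP leg: store the UE security context, hand back a connection ID."""
        conn = os.urandom(8)
        self.contexts[(ue_id, conn)] = derive_psk(k_mpc_from_nef, ue_id, conn)
        return conn

    def second_leg(self, ue_id: bytes, server_id: bytes, conn: bytes, ue_psk: bytes) -> bool:
        """Non-3GPP leg (FIG. 6 steps 4-5): validate presented IDs, locate the
        context, then verify the UE's answer in constant time."""
        psk = self.contexts.get((ue_id, conn))
        if server_id != self.server_id or psk is None:
            return False
        challenge = os.urandom(16)
        expected = response(psk, challenge, ue_id, server_id, conn)
        answer = response(ue_psk, challenge, ue_id, server_id, conn)  # UE's computation
        return hmac.compare_digest(expected, answer)

def run_scenario() -> dict:
    """Constructed identities; outcomes of three second-leg attempts."""
    k_ausf, supi, ue_id = os.urandom(32), b"supi-constructed-001", b"ue-constructed-001"
    server = MpcServer(b"mpc.example.invalid")
    k_ent = derive_enterprise_key(k_ausf, supi)       # UDM
    k_mpc = derive_mpc_key(k_ent, server.server_id)   # NEF -> Application Key Response
    conn = server.first_leg(ue_id, k_mpc)             # leg 1 over the 3GPP network
    ue_psk = derive_psk(k_mpc, ue_id, conn)           # UE mirrors the derivation
    stale = derive_psk(derive_mpc_key(k_ent, b"other.example.invalid"), ue_id, conn)
    return {
        "legitimate": server.second_leg(ue_id, server.server_id, conn, ue_psk),
        "wrong_server_key": server.second_leg(ue_id, server.server_id, conn, stale),
        "foreign_session": server.second_leg(ue_id, server.server_id, os.urandom(8), ue_psk),
    }
```

The two rejected attempts show the properties the text asks for: a key derived for a different MPC server identity does not validate, and a connection ID from another session finds no security context.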
  • FIG. 7 illustrates a security management methodology for an initial connection with a multipath connection server, according to another illustrative embodiment. More particularly, FIG. 7 depicts an end-to-end message flow 700 as an alternate embodiment (to the FIG. 5 embodiment) for establishing a primary connection to the MPC server over the 3GPP network using a secondary authentication method.
  • The same system elements, i.e., UE 502, AMF 504, MPC server 506 (configured as an external data network or DN), and UDM 510, are shown in FIG. 7, with the addition of SMF 512.
  • UE 502 gets attached to the 3GPP network and gets authenticated by one of the 3GPP-defined primary authentication methods, either 3GPP AKA (RFC 5247) or EAP-AKA' (RFC 5448). AKA stands for Authentication and Key Agreement, and EAP stands for Extensible Authentication Protocol.
  • UE 502 decides to establish a connection to MPC server 506 and sends a packet data unit (PDU) Session Request to SMF 512 with the UE ID and access point name (APN) ID.
  • MPC server 506 is configured with respect to SMF 512 as an APN requiring secondary authentication.
  • SMF 512 triggers secondary authentication as defined in TS 33.501 clause 11.1 for establishing a connection between UE 502 and MPC server 506, after verifying that UE 502 has a subscription to MPC server 506. The procedure may involve multiple Challenge/Requests as part of the defined EAP procedure.
  • UE 502 is connected to MPC server 506 over the 3GPP network and receives a unique ID and security credentials for subsequent connection establishment over the non-3GPP network.
  • UE 502 sends a second Connection Request to MPC server 506 over the non-3GPP network using the UE ID assigned over the 3GPP network.
  • Step 8. MPC server 506 authenticates UE 502 using the credentials assigned over the 3GPP network.
  • Step 9 (736). At the end of successful authentication, UE 502 is connected to MPC server 506 both over the 3GPP network and over the non-3GPP network.
  • The particular processing operations and other system functionality described in conjunction with the message flow diagrams of FIGS. 5-7 are presented by way of illustrative example only, and should not be construed as limiting the scope of the disclosure in any way. Alternative embodiments can use other types of processing operations and messaging protocols. For example, the ordering of the steps may be varied in other embodiments, or certain steps may be performed at least in part concurrently with one another rather than serially. Also, one or more of the steps may be repeated periodically, or multiple instances of the methods can be performed in parallel with one another.

Abstract

The invention relates to a method in which a given user equipment establishes a multipath connectivity security context upon registering with a first communication network, the multipath connectivity security context relating to a multipath connection server. The multipath connectivity security context is used to establish a first connection with the multipath connection server through the first communication network and to establish a second connection with the multipath connection server through a second communication network. The first communication network comprises a public wireless network (e.g., a 3GPP network), while the second communication network comprises a private wireless network (e.g., a non-3GPP network).

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN201941014729 2019-04-11
IN201941014729 2019-04-11

Publications (1)

Publication Number Publication Date
WO2020208294A1 true WO2020208294A1 (fr) 2020-10-15

Family

ID=72750478

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2020/050199 WO2020208294A1 (fr) 2019-04-11 2020-03-27 Establishing secure communication paths to a multipath connection (MPC) server with initial connection over a public network

Country Status (1)

Country Link
WO (1) WO2020208294A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743413A (zh) * 2022-10-26 2023-09-12 荣耀终端有限公司 IoT device authentication method and electronic device
WO2024093923A1 (fr) * 2022-11-04 2024-05-10 华为技术有限公司 Communication method and apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108809635A (zh) * 2017-05-05 2018-11-13 华为技术有限公司 Anchor key generation method, device and system
US20180343249A1 (en) * 2017-05-24 2018-11-29 Lg Electronics Inc. Method and apparatus for authenticating ue between heterogeneous networks in wireless communication system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Release 16)", 3GPP TS 23.502, 1 April 2019 (2019-04-01), Retrieved from the Internet <URL:https://www.3gpp.org/ftp/Specs/archive/23_series/23.502/23502-g02.zip> [retrieved on 2020-06-30] *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on authentication and key management for applications based on 3GPP credential in 5G (Release 16)", 3GPP TR 33.835, 1 April 2019 (2019-04-01), XP011593618, Retrieved from the Internet <URL:https://www.3gpp.org/ftp/Specs/archive/33_series/33.835/33835-040.zip> [retrieved on 2020-06-30] *
Huawei et al., "S3-170682. Reuse anchor key for fasting untrusted non-3GPP access", 3GPP TSG SA WG3 (Security) Meeting #86bis, 20 March 2017 (2017-03-20), Busan, Korea, XP051258373, Retrieved from the Internet <URL:https://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_86b_Busan/Docs/S3-170682.zip> [retrieved on 2020-07-01] *
Kanugovi, S. et al., "Multiple Access Management Services", Internet-Draft draft-kanugovi-intarea-mams-framework-03, 28 February 2019 (2019-02-28), XP011717096, Retrieved from the Internet <URL:https://tools.ietf.org/pdf/draft-kanugovi-intarea-mams-framework-03.pdf> [retrieved on 2020-07-02] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 20787424; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 20787424; Country of ref document: EP; Kind code of ref document: A1