WO2020215280A1 - Secure and private authentication and key agreement for device-to-device relay communication - Google Patents

Secure and private authentication and key agreement for device-to-device relay communication

Info

Publication number
WO2020215280A1
Authority
WO
WIPO (PCT)
Prior art keywords
relay
hint
message
alias
public key
Application number
PCT/CN2019/084334
Other languages
English (en)
Inventor
Mingjun Wang
Zheng Yan
Original Assignee
Nokia Technologies Oy
Nokia Technologies (Beijing) Co., Ltd.
Application filed by Nokia Technologies Oy, Nokia Technologies (Beijing) Co., Ltd.
Priority to PCT/CN2019/084334
Publication of WO2020215280A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity

Definitions

  • D2D communication refers to information exchanged between two wireless communication devices over a communication path that does not necessarily include a service network (SN) in the communication path.
  • D2D communication allows first and second user equipment to communicate directly with each other over an air interface between the first and second user equipment without including any network elements in the D2D communication path.
  • the D2D communication protocols can be used to support voice or data transmission on a one-to-one basis (unicast), on a one-to-many basis (groupcast) for applications such as push-to-talk (PTT), or on a one-to-all basis (broadcast).
  • D2D communication is also used to create relay connections between a user equipment and an SN when the user equipment is near or beyond a boundary of the geographic area (or cell) served by a base station in the SN, or otherwise unable to establish a robust connection to the SN.
  • a first user equipment near the edge of a cell can establish a connection to a second user equipment that is closer to a base station in the SN that serves the cell.
  • the second user equipment relays uplink messages from the first user equipment to the base station and downlink messages from the base station to the first user equipment.
  • the presence of the relay creates security vulnerabilities for communicated data, such as vulnerabilities to a man-in-the-middle attack, impersonation attack, eavesdropping, and the like.
  • a user equipment includes a memory to store a first public key and a UE-specific first private key associated with a group including the UE, a relay, and a service network (SN) .
  • the user equipment also includes a processor configured to generate a first message including a first hint created based on a first random number and a generating element provided by a service network (SN) .
  • the processor is also configured to verify, based on a second public key, that the SN signed a second message including a second hint using a second private key associated with the second public key.
  • the processor is further configured to generate, based on the first random number and the second hint created by the SN using a second random number and the generating element, first secret keys that are shared with the SN and encrypt an identifier of the UE using the first secret keys.
  • the user equipment further includes a transceiver configured to transmit the first message and a third message to the relay, wherein the third message includes the encrypted identifier of the UE and is signed based on the UE-specific first private key.
  • Some embodiments of the transceiver are configured to receive the first public key, the UE-specific first private key, and the second public key in response to the UE registering to join the group including the relay and the SN, and wherein the SN is a group manager of the group.
  • Some embodiments of the processor are configured to generate the first message including the first hint, an identifier of the SN, and a first alias of the UE.
  • Some embodiments of the transceiver are configured to receive a fourth message from the relay that includes a second alias of the relay, the identifier of the SN, a third hint created by the relay using a third random number and the generating element, and a first group signature created by the relay based on a relay-specific first private key and the first public key.
  • Some embodiments of the processor are configured to verify the first group signature based on the first public key.
  • Some embodiments of the processor are configured to generate a second secret key based on the third hint and the first random number, wherein the second secret key is shared with the relay.
  • Some embodiments of the processor are configured to sign the third message using a first signature generated by hashing the first alias, the identifier of the UE, the second alias, the identifier of the SN, the first hint, and the second hint.
  • Some embodiments of the processor are configured to generate a second signature comprising the UE-specific first private key, the first public key, and a hash of the identifier of the SN, the first alias, the second alias, the first hint, and the third hint, and wherein the transceiver is configured to transmit a fifth message including the first alias and the second signature.
  • Some embodiments of the processor and transceiver are configured to exchange encrypted messages with the SN based on the first secret keys.
  • a relay, in some embodiments, includes a memory to store a first public key and a relay-specific first private key associated with a group including a user equipment (UE), a relay, and a service network (SN).
  • the relay also includes a transceiver configured to receive, from the UE, a first message including a first alias of the UE, an identifier of the SN, and a first hint created based on a first random number and a generating element provided by the SN.
  • the relay further includes a processor configured to generate a second message including a second hint created based on a second random number and the generating element.
  • the processor is also configured to generate a signature for the second message based on the relay-specific first private key, the first public key, and a hash of the identifier of the SN, the first alias, a second alias of the relay, the first hint, and the second hint.
  • the transceiver is configured to transmit the second message to the UE.
  • Some embodiments of the transceiver are configured to receive the first public key and the relay-specific first private key in response to the relay registering to join the group including the UE and the SN, and wherein the SN is a group manager of the group.
  • Some embodiments of the transceiver are configured to receive, from the SN, a third message including a third hint generated by the SN using a third random number and the generating element, wherein the SN signed the third message using a second private key associated with a second public key.
  • Some embodiments of the transceiver are configured to forward the third message to the UE.
  • Some embodiments of the transceiver are configured to transmit, to the SN, a fourth message including the first alias, the identifier of the SN, the first hint, and the second alias.
  • Some embodiments of the processor are configured to generate a first secret key based on the second hint, wherein the first secret key is shared with the UE.
  • Some embodiments of the transceiver are configured to receive a fifth message including the first alias and a first signature generated based on a UE-specific first private key associated with the first public key, the first public key, and a hash of the identifier of the SN, the first alias, the second alias, the first hint, and the second hint.
  • Some embodiments of the processor are configured to verify that the UE transmitted the fifth message based on the first signature, the first public key, and a hash of the identifier of the SN, the first alias, the second alias, the first hint, and the second hint.
  • Some embodiments of the processor and transceiver are configured to exchange encrypted messages with the UE based on the first secret key in response to verifying that the UE transmitted the fifth message.
  • a service network includes a memory to store a first public key and a group master private key associated with a group including a user equipment (UE) , a relay, and the SN, a second private key, and a second public key associated with the second private key.
  • the SN also includes a transceiver configured to receive, from the UE, a first message including a first alias of the UE and a first hint created based on a first random number and a generating element from the SN.
  • the SN further includes a processor configured to generate a second hint based on a second random number and the generating element.
  • the processor is also configured to sign a second message including the second hint using the second private key and generate first secret keys shared with the UE based on the first hint and the second random number.
  • the transceiver is configured to receive, from the UE, a third message comprising an identifier of the UE that is encrypted based on the first secret keys.
  • Some embodiments of the transceiver are configured to transmit the UE-specific private key to the UE and the relay-specific private key to the relay.
  • Some embodiments of the transceiver are configured to broadcast a tuple comprising the first public key, the second public key, and the generating element.
  • Some embodiments of the processor are configured to sign the second message using a signature determined by the second private key and a hash of an identifier of the SN, a second alias of the relay, the first alias, the first hint, and the second hint.
  • Some embodiments of the processor are configured to verify that the third message was signed by the UE based on the first public key, a signature generated by the UE, and a hash of the first alias, the identifier of the UE, a second alias of the relay, an identifier of the SN, the first hint, and the second hint.
  • FIG. 1 illustrates a wireless communication system according to some embodiments.
  • FIG. 2 illustrates a message exchange that is used to assign a user equipment (UE) , a relay, and service network (SN) to a group according to some embodiments.
  • FIG. 3 illustrates a message exchange that initiates establishment of a secure and private connection between a UE and an SN via a relay according to some embodiments.
  • FIG. 4 illustrates a message exchange that completes the establishment of a secure and private connection between a UE and an SN via a relay according to some embodiments.
  • FIG. 5 is a block diagram of a communication system that supports secure and private device-to-device (D2D) relay communication according to some embodiments.
  • a Technical Report (TR 23.733) published by the Third Generation Partnership Project (3GPP) discusses architectural enhancements to support D2D relay communications and analyzes security issues, threats, and requirements associated with the introduction of D2D relay communication into a Fifth Generation (5G) wireless communication system.
  • the candidate solutions discussed in the Technical Report address authorization, authentication of user equipment, and handover of a relay node, but do not provide security and privacy protection for D2D relay communications.
  • D2D relay communication is used to transmit health data from a patient to a physician using certificate-less generalized signcryption techniques to provide data confidentiality, integrity protection, and identity authentication.
  • Pseudonyms are used instead of the patient's real identity to provide anonymity.
  • Wireless roaming networks and vehicle ad hoc networks also implement security systems.
  • a roaming user attaches to a visited network after mutual authentication with the visited or home network and key generation for communication between the user and the visited network.
  • Three-part authentication and key exchange protocols achieve one-way anonymous authentication for the roaming user, which verifies an identity of the visited network but the visited network is unable to determine the identity of the user.
  • this technique does not protect the identities of any entity besides the user and would therefore be unable to protect the identity of the relay in a D2D relay scenario.
  • a roadside unit receives messages broadcast by an onboard unit (OBU) in a vehicle.
  • the RSU then delivers traffic information to a traffic control center and responds to requests from the OBU.
  • the VANETs implement security protocols to perform mutual authentication and preserve the privacy of the vehicle identity. However, the security protocols do not support anonymous identities and do not provide comprehensive mutual authentication between three different parties.
  • FIGs. 1-5 disclose techniques that provide secure and private communication between a user equipment (UE) and a service network (SN) via a relay (which can be another user equipment) by registering the SN, UE, and relay as members of a group that are configured to sign messages on behalf of the group.
  • the group members verify group messages signed by other members without revealing an identity of the signer.
  • Messages generated by the UE and the relay are signed using first private keys that are allocated to members of the group, e.g., by the SN. Other members of the group, including the SN, verify that the signature was generated by another member of the group based on a first public key. Messages generated by the SN are signed based on a second private key and the UE verifies the signature based on a second public key.
  • the SN and UE exchange hints for secret keys that are shared by the SN and UE, such as shared secret keys generated using a Diffie-Hellman key exchange.
  • the SN and UE establish a secure connection using the shared secret keys that are generated based on the exchanged hints.
  • the UE and the relay also exchange hints for another set of secret keys that are shared by the UE and the relay.
  • the hints are transmitted in the clear (in messages signed using the group signatures or the private SN signature) because it is computationally intractable to generate the underlying shared secret keys based on the hints.
  • the UE then encrypts an identifier and transmits the encrypted identifier to the SN to inform the SN of the actual identity of the UE.
  • the SN generates the first public key and the first private keys for the SN, UE, and relay in response to the UE and relay registering for the group.
  • the SN also distributes information indicating a generating element for creating the shared secret keys using publicly exchanged hints, such as a Diffie-Hellman key exchange.
  • the UE initiates a secure session with the SN by selecting a first random number and creating a first hint for first shared secret keys based on the first random number and the generating element.
  • the first hint is sent to the SN via the relay in a first message.
  • In response to receiving the first message, the SN generates a second hint for the first shared secret keys based on the generating element and a second random number.
  • the second hint is sent to the UE via the relay in a second message that is signed using the second private key known to the SN and verifiable based on the second public key.
  • In response to receiving the second message, the relay generates a third hint for second shared secret keys based on the generating element and a third random number.
  • the relay sends the third hint to the UE in a third message that is signed using the first private key known to the relay and verifiable based on the first public key for the group.
  • the UE verifies that the SN sent the second message using the second public key and verifies that the relay sent the third message using the first public key.
  • If the UE successfully verifies the second and third messages, the UE generates the first and second shared secret keys based on the second hint (shared with the SN) and third hint (shared with the relay), respectively.
  • the UE encrypts a UE identifier using the first shared secret keys and sends the encrypted UE-ID to the SN in a fourth message that is signed using the UE's first private key for the group.
  • the UE also sends a fifth message that is signed with the UE's first private key for the group.
  • the SN and the relay verify the fourth and fifth messages based on the first public key.
  • FIG. 1 illustrates a communication system 100 according to some embodiments.
  • the communication system 100 includes a service network (SN) 105 that provides wireless connectivity within a geographic area or cell 110.
  • Some embodiments of the SN 105 include one or more base stations 115 including antennas for providing wireless connectivity and one or more servers 120 that perform processing related to wireless communication and provide connectivity to external networks.
  • the communication system 100 also includes user equipment (UE) 125, 130 such as smart phones, Internet-of-Things devices, and the like.
  • the SN 105 performs system management for system subscribers including the UEs 125, 130, as well as management of device-to-device (D2D) communication for communication between the UEs 125, 130.
  • the SN 105 is also responsible for system security.
  • Some embodiments of the SN 105 generate security keys (as discussed herein) and support the establishment of secure D2D communication links.
  • the SN 105 also manages the establishment of a secure communication link with the UE 130 via the UE 125, as discussed herein.
  • the UE 125 is within the cell 110 and is therefore able to establish communication sessions with the SN 105 over an air interface 135 between the UE 125 and the base station 115.
  • the UE 125 establishes a secure channel with the SN 105 over the air interface 135, e.g., using Long Term Evolution (LTE) protocols or 5G authentication and key agreement (AKA) protocols.
  • Although the SN 105 authenticates the UE 125 as a legal subscriber, neither the SN 105 nor the UE 130 considers the UE 125 a trusted entity. For example, an attacker could compromise the UE 125.
  • the UE 130 is at, near, or beyond a boundary of the cell 110.
  • the UE 130 is outside of the cell 110 and is therefore unable to establish a reliable communication connection directly with the SN 105, e.g., by establishing a wireless communication connection with the base station 115.
  • the UE 130 uses a D2D discovery function to scan for devices that are close enough to the UE 130 to establish a wireless connection that can be used to relay communications to the SN 105.
  • the UE 130 identifies the UE 125 as a candidate device for performing the D2D relay function.
  • the UE 130 sends a D2D relay communication request to the UE 125, which accepts the request to relay communication between the UE 130 and the SN 105.
  • the UE 125 is therefore referred to herein as the relay 125.
  • the relay 125 is not trusted by either the UE 130 or the SN 105. Communication channels involving the relay 125 are therefore subject to eavesdropping by passive attacks and tampering, interception, and injection of messages by active attackers.
  • Some embodiments of the communication system 100 implement secure and private AKA for D2D relay communication between the SN 105, the relay 125, and the UE 130 that supports the following features:
  • the communication system 100 guarantees two mutual authentications.
  • the UE 130 authenticates the legality of the relay 125 to guarantee that messages transmitted from the UE 130 to the relay 125 are transmitted by a claimed user.
  • the relay 125 also authenticates the UE 130 inversely in order to prevent active attacks such as denial of service (DOS) attacks.
  • User Identity Anonymity: the real or actual identity of the UE 130 is not revealed to other entities including the relay 125 or attackers. Furthermore, privacy of the relay 125 is not revealed to other entities including the UE 130 or attackers when providing relay services. The identities of the relay 125 and the UE 130 are revealed to the SN 105. However, with the exception of the SN 105, no other entities have access to the real or actual identities of the relay 125 and the UE 130.
  • Communication Content Privacy: contents of messages communicated between the SN 105 and the UE 130 are confidential and the relay 125 is not able to read the contents of the messages. Moreover, the communication link over the air interface 140 between the relay 125 and the UE 130 is a D2D direct link so that the relay 125 and the UE 130 can communicate directly without forwarding through the SN 105. The SN 105 is not able to eavesdrop on communication between the relay 125 and the UE 130.
  • intruders such as a “curious” relay 125 are unable to deduce whether different relay services are delivered to the same UE 130 by eavesdropping and analyzing pseudonyms used by the UE 130.
  • relay services provided by the relay 125 in different sessions cannot be linked to determine that the relay 125 provided the different relay services.
  • Two independent session keys are negotiated to provide confidentiality and integrity of messages transmitted in the communication system 100.
  • a first session key is established between the relay 125 and the UE 130 to protect the direct link over the air interface 140.
  • a second session key is established between the UE 130 and the SN 105 to prevent eavesdropping and modification on an indirect relay channel 145 between the UE 130 and the SN 105.
  • the relay 125 and the UE 130 register with the SN 105 to be a member of a group so that the SN 105, the relay 125, and the UE 130 can sign messages on behalf of the group and verify group messages signed by other members without revealing an identity of the signer.
  • the SN 105 acts as a group manager that generates private keys for the relay 125 and the UE 130, as well as its own private key and a public key that is broadcast and used to verify received group signatures.
  • the SN 105 therefore performs algorithms for enrolling entities (e.g., the relay 125 and the UE 130) in the group and generating keys for the entities in the group.
  • the SN 105 is also able to trace messages received from other entities based on a revocation key generated by the SN 105 and revocation tokens for the group members including the relay 125 and the UE 130.
  • the SN 105, the relay 125, and the UE 130 implement algorithms for signing messages and verifying signatures of received messages.
  • signatures in the group are generated based on a bilinear pairing as follows.
  • Let $G$ and $G_T$ be two multiplicative cyclic groups with the same prime order $q$.
  • Let $g$ be a generator of $G$.
  • Let $e$ be an efficiently computable bilinear map $e: G \times G \to G_T$, with the following properties:
  • a bilinear map $e$ can be constructed using modified Weil and Tate pairings on elliptic curves.
  • Some embodiments of the group signature scheme are implemented using a set of probabilistic polynomial-time algorithms to generate public and private keys, enroll entities in the group, sign messages, verify signatures of messages, and trace an identity of an entity that signed a message.
  • the key generation (G. Kg) algorithm is randomized.
  • the algorithm also utilizes two independent hash functions: H 0 and H 1 with ranges G 2 and respectively.
  • the SN 105 runs an enrollment algorithm (G. Enroll) to generate private keys usk i for each user i, such as the relay 125 and the UE 130
  • the SN 105 randomly picks such that ⁇ + x i ⁇ 0 and then computes
  • the group members (including the SN 105, the relay 125, and the UE 130) execute a signing algorithm (G. Sign) to generate a signature or signing message.
  • $H_1$: $c = H_1(gpk, M, r, T_1, T_2, R_1, R_2, R_3)$.
  • G.Ver: a verification algorithm that receives a group public key $gpk$ as an input, a purported signature $\sigma$, and a message $M$.
  • the member verifies that the signature $\sigma$ is valid as follows:
  • G.Trace: a trace algorithm
  • In addition to the group signatures, the SN 105 generates a digital signature for messages using a private key that is known only to the SN 105 ($sk_{SN}$) and a public key ($pk_{SN}$). Any entity can verify that a message was generated by the SN 105 using the public key ($pk_{SN}$).
  • the private key and the public key are generated according to an elliptic curve digital signature algorithm (ECDSA) .
  • FIG. 2 illustrates a message exchange 200 that is used to assign a UE, a relay, and an SN to a group according to some embodiments.
  • the message exchange 200 is implemented in some embodiments of the UE 130, the relay 125, and the SN 105 in the communication system 100 shown in FIG. 1.
  • the SN generates the tuple using the techniques discussed herein with regard to FIG. 1.
  • the SN calls the algorithm G.Kg to generate the system key pair $(gpk, gsk)$ and two hash functions $H_0$ and $H_1$.
  • the SN also generates the signing and verification key pair $(pk_{SN}, sk_{SN})$.
  • the SN publishes the system parameters $\{G, G_T, q, g, g_T, pk_{SN}, H_0, H_1\}$ to provide the entities in the communication system access to the system parameters that are used for signing and verification of messages.
  • the SN keeps the keys $gsk$ and $sk_{SN}$ secret.
  • the UE and the relay register with the SN for D2D service by transmitting requests 215 and 220, respectively, to the SN.
  • the SN calls (at block 225) the enrollment algorithm (G.Enroll) to generate a private key $usk_{UE} = (A_{UE}, x_{UE})$ and a trace key ($grt_{UE}$) for the UE.
  • the SN also calls the enrollment algorithm to generate a private key $usk_R = (A_R, x_R)$ and a trace key ($grt_R$) for the relay.
  • the private key $usk_{UE} = (A_{UE}, x_{UE})$ is sent to the UE in a message 230 and the private key $usk_R = (A_R, x_R)$ is sent to the relay in a message 235.
  • the trace keys ($grt_{UE}$, $grt_R$) are kept secret at the SN.
  • FIG. 3 illustrates a message exchange 300 that initiates establishment of a secure and private connection between a UE and an SN via a relay according to some embodiments.
  • the message exchange 300 is implemented in some embodiments of the UE 130, the relay 125, and the SN 105 in the communication system 100 shown in FIG. 1.
  • the UE and the relay have registered with the SN for D2D services and, in response to receiving the registration requests, the SN generates private keys, trace keys, and public keys according to some embodiments of the message exchange 200 shown in FIG. 2.
  • the UE discovers the relay with a pseudonym through a conventional D2D discovery process.
  • the UE and the relay adopt aliases (alias, alias', respectively for the UE and the relay) for use during the initial stages of the message exchange 300 to preserve privacy by not revealing the actual identities of the UE and the relay.
  • the UE generates a message (m 1 ) including a hint that is generated using the generating element (g) provided by the SN and a random number (r UE ) that is generated by the UE:
  • m 1 ⁇ alias, SN, hint UE ⁇
  • the UE then transmits the message (m 1 ) to the relay, as indicated by the arrow 310.
  • the relay In response to receiving the message 310, the relay generates a message (M 1 ) at block 315:
  • M 1 ⁇ alias′, alias, SN, hint UE ⁇
  • the relay then transmits the message (M 1 ) to the SN, as indicated by the arrow 320.
  • the SN In response to receiving the message 320 from the relay, the SN checks legality of the relay. If the SN determines that the relay is not a legal device in the system, the message 320 is rejected and the message exchange 300 stops. If the SN determines that the relay is legal, the SN selects (at block 325) a random number (r SN ) and computes a key hint using the generating element. The SN also generates a digital signature ( ⁇ SN ) on a message m SN that is generated using a hash function. In the illustrated embodiment, the digital signature ( ⁇ SN ) is generated according to ECDSA using the private key (sk SN ) of the SN:
  • m sn H 1 (SN, alias′, alias, hint SN , hint UE )
  • ⁇ SN ECDSA. Sig (sk SN , m SN )
  • the SN uses the digital signature to sign the D2D response message M 2 :
  • M 2 ⁇ SN, hint SN , ⁇ SN ⁇
  • the SN also computes a tuple of the shared secret keys (k 1 , k 2 ) :
  • the SN then erases the random number r SN .
  • the key k 1 is used to secure the real identity of the UE and the key k 2 is used as a session key between the UE and the SN.
  • the SN sends the D2D response message M 2 to the relay, as indicated by the arrow 335.
  • In response to receiving the D2D response message 335, the relay caches the message $M_2$. Then, at block 340, the relay selects a random number ($r_R$) and generates a hint based on the generating element:
  • The relay computes an authentication signature ($\sigma_R$) on the message ($m_R$) using the group signature algorithm discussed herein.
  • The authentication signature ($\sigma_R$) is used to sign the message ($m_2$):
  • $m_R = H_1(SN, alias, alias', hint_R, hint_{UE})$
  • $\sigma_R = \mathrm{G.Sig}(usk_R, gpk, m_R)$
  • $m_2 = \{alias', SN, hint_R, \sigma_R\}$
  • The relay generates a shared secret key ($sk_2$):
  • The relay then erases the random number $r_R$.
  • The relay then forwards the message $m_2$, as indicated by the arrow 350, and the relay forwards the message $M_2$ to the UE, as indicated by the arrow 355.
  • The user equipment verifies (at block 360) the group and digital signatures on the messages $m_2$ and $M_2$.
  • The UE verifies the digital signature according to the ECDSA verification algorithm and the UE verifies the group signature using the group verification algorithm disclosed herein:
  • $m_{SN} = H_1(SN, alias', alias, hint_{SN}, hint_{UE})$
  • $m_R = H_1(SN, alias, alias', hint_R, hint_{UE})$
  • The message exchange 300 continues with the secure and private D2D authentication and key assignment algorithm, e.g., using the message exchange 400 shown in FIG. 4. Otherwise, the message exchange 300 ends in response to a failure to verify either the group or the digital signature.
  • FIG. 4 illustrates a message exchange 400 that completes the establishment of a secure and private connection between a UE and an SN via a relay according to some embodiments.
  • The message exchange 400 is implemented in some embodiments of the UE 130, the relay 125, and the SN 105 in the communication system 100 shown in FIG. 1. Some embodiments of the message exchange 400 are performed in response to successful verification of the group and digital signatures received at the UE, e.g., in the message exchange 300 shown in FIG. 3.
  • The UE computes the key tuple (at block 405) for the secret keys that are shared with the SN based on the hint received from the SN and the random number ($r_{UE}$):
  • The UE also computes the secret key that is shared with the relay based on the hint received from the relay and the random number ($r_{UE}$)
  • The UE encrypts an identifier that indicates the actual identity of the UE ($ID_{UE}$) using the key $k_1$ and a symmetric encryption function ⁇($k_1$, $ID_{UE}$).
  • The encrypted UE identifier can therefore be sent to the SN via the relay without revealing the identity of the UE to the relay.
  • The UE generates messages ($m_3$, $M_3$) for the relay and the SN, respectively.
  • The UE signs the messages ($m_3$, $M_3$) using group signatures that are verifiable by the relay and the SN, respectively.
  • The UE transmits the signed message $m_3$ to the relay (as indicated by the arrow 420) and the signed message $M_3$ to the relay (as indicated by the arrow 425).
  • The relay verifies (at block 430) the signature received from the UE using the group verification algorithm disclosed herein:
  • If the result of the verification is negative, the message exchange 400 ends. If the result of the verification is positive, the relay authenticates the legality of the UE and forwards the signed message $M_3$ to the SN, as indicated by the arrow 435. The relay is unable to verify the group signature because the relay does not know the actual identity ($ID_{UE}$) of the UE.
  • The SN verifies (at block 440) the signature received from the UE using the group verification algorithm disclosed herein:
  • If the SN successfully verifies the signature, the SN decrypts the user identity ⁇($k_1$, $ID_{UE}$) using the shared secret key $k_1$.
  • The SN then stores the D2D relay communication session information, including the identities of the UE and the relay and the session keys $k_1$ and $k_2$, in a local session management table in a memory of the SN.
  • The UE and the SN have a secure and private connection 445 via the relay.
  • The UE and the SN can exchange messages without exposing the contents of the messages or the identity of the UE to the relay.
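The SN-to-UE leg of message exchanges 300 and 400, written with Go's standard library as an added example; it is not code from the patent or its applicants. It assumes the hint is an ECDH public value r·G on P-256, SHA-256 for H1 and a labelled-hash derivation for (k1, k2), none of which this section spells out; the group signatures of the UE and relay are left out, and `relay` is a hypothetical function modelling what the relay forwards.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func h1(fields ...[]byte) []byte { // stands in for H1: SHA-256 over length-framed fields
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s,", len(f), f) // netstring framing, so boundaries cannot shift
	}
	return h.Sum(nil)
}

// keys derives (k1, k2); hint = r*G on P-256 and this labelled-hash KDF are assumptions.
func keys(r *ecdh.PrivateKey, peerHint []byte) (k1, k2 []byte, err error) {
	peer, err := ecdh.P256().NewPublicKey(peerHint) // rejects malformed or off-curve hints
	if err != nil {
		return nil, nil, err
	}
	z, err := r.ECDH(peer)
	return h1([]byte("k1"), z), h1([]byte("k2"), z), err
}

// snRespond is the SN at block 325: fresh r_SN, keys from hint_UE, ECDSA signature over m_SN.
func snRespond(skSN *ecdsa.PrivateKey, sn, aliasR, aliasUE, hintUE []byte) (hintSN, sig, k1, k2 []byte, err error) {
	rSN, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	hintSN = rSN.PublicKey().Bytes()
	if k1, k2, err = keys(rSN, hintUE); err == nil {
		sig, err = ecdsa.SignASN1(rand.Reader, skSN, h1(sn, aliasR, aliasUE, hintSN, hintUE))
	}
	return // r_SN is not kept beyond this call, matching the page's erase step
}

// ueFinish is the UE at blocks 360 and 405: rebuild m_SN from its own hint_UE, verify, derive.
func ueFinish(pkSN *ecdsa.PublicKey, rUE *ecdh.PrivateKey, sn, aliasR, aliasUE, hintSN, sig []byte) (k1, k2 []byte, err error) {
	if !ecdsa.VerifyASN1(pkSN, h1(sn, aliasR, aliasUE, hintSN, rUE.PublicKey().Bytes()), sig) {
		return nil, nil, fmt.Errorf("ECDSA signature does not cover this transcript")
	}
	return keys(rUE, hintSN)
}

func exchange(relay func(hintUE []byte) []byte) (bool, error) { // relay: what reaches the SN
	skSN, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rUE, _ := ecdh.P256().GenerateKey(rand.Reader)
	sn, aR, aU := []byte("SN-1"), []byte("alias-relay"), []byte("alias-ue") // constructed names
	hintSN, sig, s1, _, _ := snRespond(skSN, sn, aR, aU, relay(rUE.PublicKey().Bytes()))
	u1, _, err := ueFinish(&skSN.PublicKey, rUE, sn, aR, aU, hintSN, sig)
	return err == nil && string(s1) == string(u1), err
}

func main() { fmt.Println(exchange(func(h []byte) []byte { return h })) }
```

When `relay` returns anything other than the UE's own hint, `ueFinish` fails, because the m_SN the SN signed no longer matches the transcript the UE rebuilds from its own hint.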
  • FIG. 5 is a block diagram of a communication system 500 that supports secure and private D2D relay communication according to some embodiments.
  • The communication system 500 is implemented in some embodiments of communication system 100 shown in FIG. 1.
  • The communication system 500 includes a UE 505, a relay 510, and an SN 515.
  • The UE 505 establishes a secure and private communication connection 518 with the SN 515 using some embodiments of the message exchanges 200, 300, 400 shown in FIGs. 2-4.
  • The UE 505 includes a transceiver 520 for transmitting and receiving signals over a D2D interface with the relay 510.
  • The UE 505 also includes a processor 525 and a memory 530.
  • The processor 525 executes instructions stored in the memory 530 and stores information in the memory 530 such as the results of the executed instructions or session information used to establish secure and private D2D communication sessions, as disclosed herein.
  • The memory 530 also stores private or secret keys 532 and public keys 534, as discussed herein.
  • Some embodiments of the transceiver 520, the processor 525, or the memory 530 are configured to perform portions of the message exchanges 200, 300, 400 shown in FIGs. 2-4.
  • The relay 510 includes a transceiver 535 for transmitting and receiving signals over a D2D interface with the UE 505 and a secure channel with the SN 515.
  • The relay 510 also includes a processor 540 and a memory 545.
  • The processor 540 executes instructions stored in the memory 545 and stores information in the memory 545 such as the results of the executed instructions or session information used to establish secure and private D2D communication sessions, as disclosed herein.
  • The memory 545 also stores private or secret keys 547 and public keys 548, as discussed herein.
  • Some embodiments of the transceiver 535, the processor 540, or the memory 545 are configured to perform portions of the message exchanges 200, 300, 400 shown in FIGs. 2-4.
  • The SN 515 includes a transceiver 550 for transmitting and receiving signals over a secure channel with the relay 510.
  • The SN 515 also includes a processor 555 and a memory 560.
  • The processor 555 executes instructions stored in the memory 560 and stores information in the memory 560 such as the results of the executed instructions or session information used to establish secure and private D2D communication sessions, as disclosed herein.
  • The memory 560 also stores private or secret keys 562 and public keys 564, as discussed herein.
  • Some embodiments of the transceiver 550, the processor 555, or the memory 560 are configured to perform portions of the message exchanges 200, 300, 400 shown in FIGs. 2-4.
  • Certain aspects of the techniques described above may be implemented by one or more processors of a processing system executing software.
  • The software comprises one or more sets of executable instructions stored or otherwise tangibly embodied on a non-transitory computer readable storage medium.
  • The software can include the instructions and certain data that, when executed by the one or more processors, manipulate the one or more processors to perform one or more aspects of the techniques described above.
  • The non-transitory computer readable storage medium can include, for example, a magnetic or optical disk storage device, solid state storage devices such as Flash memory, a cache, random access memory (RAM) or other non-volatile memory device or devices, and the like.
  • The executable instructions stored on the non-transitory computer readable storage medium may be in source code, assembly language code, object code, or other instruction format that is interpreted or otherwise executable by one or more processors.
  • A computer readable storage medium may include any storage medium, or combination of storage media, accessible by a computer system during use to provide instructions and/or data to the computer system.
  • Such storage media can include, but is not limited to, optical media (e.g., compact disc (CD), digital versatile disc (DVD), Blu-Ray disc), magnetic media (e.g., floppy disc, magnetic tape, or magnetic hard drive), volatile memory (e.g., random access memory (RAM) or cache), non-volatile memory (e.g., read-only memory (ROM) or Flash memory), or microelectromechanical systems (MEMS)-based storage media.
  • The computer readable storage medium may be embedded in the computing system (e.g., system RAM or ROM), fixedly attached to the computing system (e.g., a magnetic hard drive), removably attached to the computing system (e.g., an optical disc or Universal Serial Bus (USB)-based Flash memory), or coupled to the computer system via a wired or wireless network (e.g., network accessible storage (NAS)).
  • circuitry may refer to one or more or all of the following:
  • any portions of a hardware processor(s) with software including digital signal processor(s), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.

Abstract

The invention relates to a user equipment (UE), a relay and a serving network (SN) that register as members of a group configured to sign messages on behalf of the group and to verify group messages signed by other members without revealing the identity of the signer. Messages generated by the UE and the relay are signed using first private keys that are assigned to the members of the group and are verified on the basis of a first public key. Messages generated by the SN are signed on the basis of a second private key and verified on the basis of a second public key. The SN and the UE exchange hints for shared secret keys and establish a secure connection using the shared secret keys. The UE and the relay also exchange hints for another set of secret keys that are shared by the UE and the relay. The UE encrypts an identifier and transmits the encrypted identifier to the SN.
PCT/CN2019/084334 2019-04-25 2019-04-25 Secure and private authentication and key agreement for device-to-device relay communication WO2020215280A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/084334 WO2020215280A1 (fr) 2019-04-25 2019-04-25 Secure and private authentication and key agreement for device-to-device relay communication

Publications (1)

Publication Number Publication Date
WO2020215280A1 (fr) 2020-10-29

Family

ID=72941259

Country Status (1)

Country Link
WO (1) WO2020215280A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 19925669; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 19925669; Country of ref document: EP; Kind code of ref document: A1