The use of various processor-based devices has proliferated to the point of being nearly ubiquitous. Correspondingly, a variety of services, such as telephony services (e.g., wireless or cellular telephony and voice over Internet protocol (IP), including voice over WiFi), wireless media delivery services (e.g., multimedia on demand and streaming content channels), virtual private network (VPN) services (e.g., ecommerce sessions and enterprise network portals), etc., utilizing processor-based devices have become widely used.
Typically, the aforementioned services are facilitated through one or more client applications on the processor-based devices. For example, smartphones (one very popular form of processor-based device) may be provided from the manufacturer or service provider (e.g., mobile operator) to the user with one or more applications (referred to herein as native applications) for facilitating use of particular services, such as wireless telephony, electronic mail delivery, electronic commerce, etc. Additionally or alternatively, a user of the smartphone may download one or more applications (referred to herein as third party or non-native applications) for facilitating use of particular services, such as to provide an alternative application and/or service provider with respect to native applications, to provide access to additional services, etc.
The third generation partnership project (3GPP) specifies practices for access security mandating that devices allowed access to the mobile Evolved Packet Core (EPC) from an untrusted access network must have the data integrity and confidentiality of their signaling and media traffic protected through use of the IP security (IPsec) protocol suite. As used herein, an untrusted access network is a network over which a service provider (e.g., the mobile operator) has no direct control and/or which lies outside the mechanisms used by the service provider to secure communications (e.g., with respect to the mobile operator, the 3G or long term evolution (LTE) radio access network (RAN) is a trusted access network while the Internet is an untrusted access network).
One authentication method used with respect to smartphones to establish access security is the extensible authentication protocol method for authentication and key agreement (EAP-AKA). The EAP-AKA method, described in RFC 4187 and RFC 5448, enables the establishment of an IPsec Security Association (IPsec SA) between a smartphone and a network-located security element over an untrusted access network for providing a particular service with respect to the smartphone. The EAP-AKA procedure utilizes smartphone subscriber identity module (SIM) based credentials (e.g., the SIM-based secret key) and standardized authentication algorithms so that each end of the dialog independently derives the same set of session keys (e.g., the master session key (MSK)), which initialize the IPsec SA at that end. The IPsec SA subsequently protects the communications between the smartphone and the mobile network with respect to the service using data integrity checking and data encryption.
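The key derivation step referred to above, as an added illustration that is not part of the patent text: following RFC 4187 Section 7, the peer and the server each compute MK = SHA-1(Identity | IK | CK) and then expand MK with the FIPS 186-2 pseudo-random generator (RFC 4187 Appendix A, with XSEED_j = 0) into K_encr, K_aut, MSK and EMSK. The 128-bit CK and IK are assumed to have already been produced by the SIM's AKA algorithm for one challenge; the CK, IK and identity values below are constructed sample values, not real subscriber material, and the SHA-1 compression function is written out because the generator needs it without the usual length padding. RFC 5448 (EAP-AKA') replaces this generator with an HMAC-SHA-256 based PRF and is not shown.

```python
"""EAP-AKA key derivation per RFC 4187 Section 7 (illustrative, not the
patent's own code). CK/IK are constructed sample values standing in for
the output of the SIM's AKA algorithm, which this example does not run."""
import hashlib
import struct

# Initial hash value "t" from FIPS 186-2 Appendix 3.3 (the SHA-1 IV)
_T = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
_MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK32


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block starting from 'state'
    (five 32-bit words). Serves as the FIPS 186-2 G function and is
    validated against hashlib in self_check()."""
    if len(block) != 64:
        raise ValueError("block must be exactly 64 bytes")
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & _MASK32 & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & _MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & _MASK32 for s, v in zip(state, (a, b, c, d, e)))


def fips186_2_prf(xkey, out_len):
    """FIPS 186-2 (change notice 1) generator as profiled by RFC 4187
    Appendix A: XSEED_j = 0, G(t, c) is the SHA-1 compression of c
    zero-padded to 512 bits, output is x_0 | x_1 | ... with x_j = w_0 | w_1."""
    if len(xkey) != 20:
        raise ValueError("XKEY (MK) must be 160 bits")
    mod = 1 << 160
    xkey_int = int.from_bytes(xkey, "big")
    out = b""
    while len(out) < out_len:
        for _ in range(2):  # i = 0, 1 -> w_0, w_1
            xval = xkey_int  # (XKEY + XSEED_j) mod 2^160 with XSEED_j = 0
            block = xval.to_bytes(20, "big") + bytes(44)
            w = struct.pack(">5I", *sha1_compress(_T, block))
            out += w
            xkey_int = (1 + xkey_int + int.from_bytes(w, "big")) % mod
    return out[:out_len]


def eap_aka_derive_keys(identity, ik, ck):
    """MK = SHA-1(Identity | IK | CK); 160 bytes of generator output are
    split into K_encr (16), K_aut (16), MSK (64) and EMSK (64)."""
    if len(ik) != 16 or len(ck) != 16:
        raise ValueError("IK and CK are 128-bit AKA outputs")
    mk = hashlib.sha1(identity + ik + ck).digest()
    km = fips186_2_prf(mk, 160)
    return {"MK": mk, "K_encr": km[:16], "K_aut": km[16:32],
            "MSK": km[32:96], "EMSK": km[96:160]}


def self_check():
    """Validate sha1_compress against hashlib on a one-block message."""
    msg = b"abc"
    padded = msg + b"\x80" + bytes(64 - len(msg) - 1 - 8) + struct.pack(">Q", len(msg) * 8)
    digest = struct.pack(">5I", *sha1_compress(_T, padded))
    return digest == hashlib.sha1(msg).digest()


if __name__ == "__main__":
    # Constructed sample inputs: an NAI-style peer identity and the 128-bit
    # CK/IK a SIM would return for one AKA challenge (hypothetical values).
    IDENTITY = b"0123456789012345@nai.epc.mnc012.mcc345.3gppnetwork.org"
    CK = bytes(range(0x00, 0x10))
    IK = bytes(range(0x10, 0x20))
    assert self_check()
    # Peer and server each run this with the same inputs and obtain the same
    # MSK, which then seeds the IPsec SA at both ends without the key itself
    # ever crossing the untrusted access network.
    keys = eap_aka_derive_keys(IDENTITY, IK, CK)
    for name, value in keys.items():
        print(f"{name:6s} ({len(value):2d} bytes): {value.hex()}")
```

The point the example makes concrete is why third party applications are locked out: every secret entering the derivation (CK and IK) comes from the SIM, so an application that cannot invoke the SIM's AKA algorithm has no input with which to reach the MSK, however faithfully it implements the rest of RFC 4187.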
However, most modern smartphone operating systems intentionally restrict access to the SIM to authorized uses. Accordingly, it is generally not possible for third party applications to execute SIM-based algorithms to authenticate the device to the network. That is, SIM-based authentication is only available to applications that are given explicit permission to access the smartphone SIM for authentication purposes. Third party applications (e.g., ANDROID applications downloaded from the GOOGLE PLAY STORE) are therefore, in general, unable to authenticate themselves to the network using the same SIM-based methods that the device operating system (OS) and/or native applications use, because the SIM-based credentials, and thus the EAP-AKA methods, are not available to them.
Accordingly, alternate EAP methods are often used to establish an IPsec SA between the smartphone and the network with respect to third party applications. These alternate EAP methods not only present their own set of issues, but also necessitate that multiple authentication methods be deployed simultaneously (i.e., preventing standardization on a single method for securing network access for applications that can use SIM-based authentication as well as those that cannot). As a result, service providers such as mobile operators are unable to minimize the number of secure entry points to the network and to reduce the number of disparate credentials and protocols that are otherwise required.