Machine-to-machine (M2M) technologies allow devices to communicate more directly with each other using wired and wireless communications systems. M2M technologies enable further realization of the Internet of Things (IoT), a system of uniquely identifiable objects and virtual representations of such objects that communicate with each other over a network, such as the Internet. IoT may facilitate communication with even mundane everyday objects, such as products in a grocery store or appliances in a home, and thereby reduce costs and waste by improving knowledge of such objects. For example, stores may maintain very precise inventory data by being able to communicate with, or obtain data from, objects that may be in inventory or may have been sold.
Several efforts have been undertaken to develop standardized architectures for machine-to-machine communication. These include 3rd Generation Partnership Project (3GPP) Machine Type Communication (MTC) architecture, the ETSI M2M architecture, and the one M2M architecture. These architectures are summarized briefly below.
The 3GPP evolved packet core (EPC) network was not originally designed in a way that is optimized for handling machine-to-machine (M2M) communications, also referred to as machine type communications (MTC), in which machines, or devices, communicate with each other over the network, such as communications involving smart metering, home automation, eHealth, consumer products, fleet management, etc. Thus, in Release 11 (R11) of the 3GPP specifications, 3GPP enhanced the interworking capabilities of the UMTS core network for machine type communications/machine-to-machine communications. Interworking refers to a server, or application, interfacing to the core network for the purposes of exchanging information, controlling devices, or monitoring devices, or communicating with devices. FIG. 1 shows portions of the MTC architecture that is presented by 3GPP in TS 23.682 V11.5.0.
As shown in FIG. 1, user equipment 314 may connect to the EPC over radio access network (RAN) 319, which may comprise E-UTRAN (LTE access network). The Evolved NodeB (eNodeB) 3 is the base station for LTE radio. In this figure, the EPC comprises a number of network elements, including Serving Gateway (Serving GW) 310, Packet Data Network Gateway (PDN GW or P-GW) 353, mobility management entity (MME) 312 and Home Subscriber Server (HSS) 357.
HSS 357 is a database that contains user-related and subscriber-related information. It also provides support functions in mobility management, call and session setup, user authentication and access authorization.
The gateways (S-GW 310 and P-GW 352) deal with the user plane. They transport IP data traffic between the User Equipment (UE) 314 and an external network(s). S-GW 310 is the point of interconnect between the radio-side and the EPC. As its name indicates, this gateway serves the UE by routing incoming and outgoing IP packets. It is the anchor point for intra-LTE mobility (i.e., in case of handover between eNodeBs in the RAN 319) and between LTE and other 3GPP accesses. It is logically connected to the other gateway, the P-GW 353.
The P-GW 353 is the point of interconnect between the EPC and external IP networks, such as the Internet. These networks are called PDNs (Packet Data Networks), hence the name. The P-GW 353 routes packets to and from the PDNs. The P-GW 353 also performs various functions such as IP address/IP prefix allocation or policy control and charging. 3GPP specifies these gateways operate independently but in practice they may be combined in a single “box” by network vendors.
The MME 312 deals with the control plane. It handles the signaling related to mobility and security for E-UTRAN access. The MME is responsible for the tracking and the paging of UEs in idle-mode. It is also the termination point of the Non-Access Stratum (NAS).
As mentioned above, a UE 314 can reach the EPC using E-UTRAN, however this is not the only access technology supported. 3GPP specifies support of multiple access technologies and also the handover between these accesses. The idea is to bring convergence using a unique core network providing various IP-based services over multiple access technologies. Existing 3GPP radio access networks are supported. 3GPP specifications define how interworking is achieved between an E-UTRAN (LTE and LTE-Advanced), GERAN (radio access network of GSM/GPRS) and UTRAN (radio access network of UMTS-based technologies WCDMA and HSPA).
The architecture also allows non-3GPP technologies to interconnect the UE and the EPC. Non-3GPP means that these accesses were not specified in 3GPP. These technologies include, for example, WiMAX, cdma2000®, WLAN or fixed networks. Non-3GPP accesses can be split into two categories: the “trusted” ones and the “untrusted”. Trusted non-3GPP accesses can interact directly with the EPC. Untrusted non-3GPP accesses interwork with the EPC via a network entity called the ePDG (for Evolved Packet Data Gateway) (not shown). The main role of the ePDG is to provide security mechanisms such as IPsec tunneling of connections with the UE over an untrusted non-3GPP access. 3GPP does not specify which non-3GPP technologies should be considered trusted or untrusted. This decision is made by the operator.
As further illustrated in FIG. 1, service capability server (SCS) 361 may provide services to the core network, devices, and applications. The SCS may also be called an M2M Server, MTC Server, a Service Capability Layer (SCL), or a Common Services Entity (CSE). SCS 361 may be controlled by the operator of the home public land mobile network (HPLMN) or by an MTC service provider. An SCS may be deployed inside or outside the operator domain. If an SCS is deployed inside the operator domain, the SCS may be an internal network function and may be controlled by the operator. If an SCS is deployed outside the operator domain, the SCS may be controlled by a MTC service provider.
In the MTC architecture of FIG. 1, SCS 361 may communicate with a machine type communication (MTC) interworking function (MTC-IWF) 359 via a Tsp reference point (i.e., interface) 308. The Tsp reference point is an example of an interface that is used for interworking with the core network.
A UE may communicate through the public land mobile network (PLMN), which includes radio access network (RAN) 319, with SCS(s) and/or other MTC UE(s). An MTC UE 214 may host one or more MTC applications 316. The MTC applications may also be hosted on one or more application servers (AS) (e.g., AS 320). The MTC application 316 may be a MTC communication endpoint that may interact with SCS 361, AS MTC applications, or other UE MTC applications.
An application server (AS) (e.g. AS 320) may also host one or more MTC applications. The AS 320 may interface with the SCS 161, and the SCS 361 may provide services to an application(s) running on the AS 320. The MTC applications on an AS may interact with SCSs, UE MTC applications, or other MTC applications.
The MTC inter working function (MTC-IWF) 359 hides the internal PLMN topology from the SCS 361. The MTC-IWF may relay and/or translate signaling protocols used between itself and the SCS (e.g., over the Tsp reference point 308) to support MTC functionality (e.g., MTC UE triggering) in the PLMN. For example, the SCS may request that the MTC-IWF send a trigger to a MTC device. The MTC-IWF may deliver the MTC trigger to the MTC device 314 via SMS (not shown), for example. The MTC device 316, based on the trigger, may respond to the SCS 312. The MTC device 314 may, for example, respond with a sensor reading. When the MTC device 214 responds to the SCS 312, the MTC device may use a packet data network (PDN)/packet data protocol (PDP) connection, via P-GW 353, to communicate with the SCS 361. The MTC device may connect with the SCS using an IP connection.
The MTC-IWF 359 may authorize the SCS 361, before the SCS may establish communication with the 3GPP network. For example, when the SCS 359 makes a trigger request on the Tsp reference point, the MTC-IWF 359 may check whether the SCS is authorized to send the trigger request and that the SCS has not exceeded its quota or rate of trigger submissions.
The ETSI M2M architecture is illustrated in FIG. 2. In the ETSI M2M architecture, a service capability layer (SCL) uses core network functionalities through a set of exposed interfaces to provide service capabilities to the network. An SCL may interface to one or several different core networks.
In the ETSI M2M architecture, the network comprises M2M devices (e.g., device 145), M2M gateways (e.g., gateway 140), and M2M servers (e.g., M2M server 125). A device application (DA) may be executing on an M2M device, a gateway application (GA) may be executing on an M2M gateway, and a network application (NA) may be executing on an M2M server. As further shown, a device (e.g. device 145) may implement M2M service capabilities using a device service capabilities layer (DSCL) (e.g., DSCL 146), a gateway may implement a gateway SCL (GSCL 141), and a server may implement a network SCL (NSCL) (e.g., NSCL 126).
The mIa reference point allows a network application to access the M2M service capabilities in an M2M server.
The dIa reference point allows a device application residing in an M2M device to access the different M2M service capabilities in the same M2M device or in an M2M gateway; and allows a gateway application residing in an M2M gateway to access the different M2M service capabilities in the same M2M gateway.
The mId reference point allows M2M service capabilities layer residing in an M2M device or M2M gateway to communicate with the M2M service capabilities layer in the network. The mId reference point uses core network connectivity functions as an underlying layer.
Further according to the ETSI M2M architecture, an M2M entity (e.g., an M2M functional entity such as a device, gateway, or server/platform that may be implemented by a combination of hardware and/or software) may provide an application or service. For example, a light sensor may provide data indicating detected light levels or a thermostat may provide temperature data and the ability to adjust air conditioning controls. This data may be made available as a “resource” that may be accessed by other M2M entities and that essentially serves as a means to exchange data between M2M entities. A resource may be a uniquely addressable representation of data that may be addressed using a Universal Resource Indicator (URI) or Universal Resource Locator (URL). The availability of such resources may be communicated among M2M entities via the M2M service capabilities layer (SCL).
The M2M SCL is also a functional entity that may be implemented using a combination of hardware and software and provides functions exposed on the reference points (i.e., functional interfaces between M2M entities) mentioned above. For example, the M2M SCL may provide common (service) functionalities that are shared or commonly used by different M2M applications and/or services. M2M service capabilities may use functions and capabilities of the 3GPP core network architecture through a set of exposed interfaces (e.g., existing interfaces specified by 3GPP, 3GPP2, ETSI TISPAN, etc.) and may also interface to one or more other core networks. M2M devices and entities are typically organized into M2M network domains. In many implementations, an M2M server (e.g., M2M server 125) configured with a network SCL entity (NSCL) may maintain resources and resource data for use by other devices (e.g., other M2M devices and M2M gateways) in the same M2M network domain.
Still referring to FIG. 2, NSCL 126 may be in network domain 122 and configured with network application (NA) 127 at M2M server platform 125. NA 127 and NSCL 126 may communicate via reference point mIa 128. The mIa reference points may allow an NA to access the M2M service capabilities available from an NSCL in an M2M domain. Also within network domain 122 may be GSCL 141 and gateway application (GA) 142 that may be configured at M2M gateway device 140. GSCL 141 and GA 142 may communicate using reference point dIa 143. Also within network domain 122 may be DSCL 146 and device application (DA) 147 that may be configured at M2M device 145. DSCL 146 and DA 147 may communicate using reference point dIa 148. Each of GSCL 141 and DSCL 146 may communicate with NSCL 126 using reference point mId 124. In general, dIa reference points allow device and gateway applications to communicate with their respective local service capabilities (i.e., service capabilities available at a DSCL and a GSCL, respectively). The mId reference point allows an M2M SCL residing in an M2M device (e.g., DSCL 146) or an M2M gateway (e.g., GSCL 141) to communicate with the M2M service capabilities in the network domain and vice versa (e.g., NSCL 126).
Typically, the device 145, gateway 140, and M2M server platform 125 comprise computing devices, such as the devices illustrated in FIG. 8C and FIG. 8D and described below. The NSCL, DSCL, GSCL, NA, GA, and DA entities typically are logical entities that are implemented in the form of software, executing on the underlying device or platform, to perform their respective functions in the system 120. The M2M server 125 of the ETSI M2M architecture may be an SCS (e.g., SCS 361 of FIG. 1) in the 3GPP MTC architecture.
As further shown in FIG. 2, NSCL 131 may be in domain 130 with NA 132. NA 132 and NSCL 131 may communicate via mIa reference point 133. There may be an NSCL 136 in network domain 135, and NSCL 139 in network domain 138. mIm reference point 123 may be an inter-domain reference point that allows M2M network nodes in different network domains, such as NSCL 126 in network domain 122, NSCL 131 in network domain 130, NSCL 136 in network domain 135, or NSCL 139 in network domain 138, to communicate with one another. For simplicity herein, the term “M2M server” may be used to indicate a service capability server (SCS), NSCL, application server, NA, or an MTC server. In addition, the term user equipment (UE), as discussed herein, may apply to GA, GSCL, DA, or DSCL. A UE may comprise any wireless device capable of communicating in a 3GPP or other wireless network, such as an M2M or MTC device or gateway, and including for example, machines, sensors, appliances, or the like, a mobile station, a fixed or mobile subscriber unit, a pager, a personal digital assistant (PDA), a computer, a mobile phone or smart phone, or any other type of device capable of operating in a wired or wireless environment.
While the 3GPP MTC and ETSI M2M architectures are described by way of background herein and may be used to illustrate various embodiments described hereinafter, it is understood that implementations of the embodiments described hereinafter may vary while remaining within the scope of the present disclosure. One skilled in the art will also recognize that the disclosed embodiments are not limited to implementations using the 3GPP or ETSI M2M architectures discussed above, but rather may be implemented in other architectures and systems, such as one M2M, MQ Telemetry Transport (MQTT), and other related M2M systems and architectures.
One process that is often performed in an M2M system is called bootstrapping. Bootstrapping is a process by which entities (e.g., an end-user device and server) perform mutual authentication and key agreement to establish a relationship enabling secure communications between them. Mutual authentication is a procedure in which each party proves its identity to the other. Authentication helps prevent a rogue device from registering with a server by pretending it is a legitimate end-user device. Authentication also helps prevent a fraudulent server from performing a man-in-the-middle attack, which may consist of the fraudulent server establishing a connection with an end-user device by pretending that it is a legitimate server.
Key agreement is a procedure in which the communicating entities derive a security key that they can then use to secure communications between them, for example, by an encryption process that uses the security key. A feature of a key agreement mechanism is that the key is not transmitted. The key derivation function may be based on a shared secret value that is meant for only an end-user device and server to know, for example. This shared secret is also not transmitted. The key derivation function is designed such that it is prohibitively computationally complex for an eavesdropper, who does not know the shared secret, to compute the key by observing the messages that are transmitted during the key agreement procedure. An overview of some authentication and key agreement mechanisms is discussed herein. An overview of some authentication and key agreement mechanisms, such as Extensible Authentication Protocol (EAP) and Protocol for Carrying Authentication for Network Access (PANA), are discussed below to give further context to disclosed embodiments.
Extensible authentication protocol (EAP) is not an authentication method in itself, but rather a common authentication framework that can be used to implement specific authentication methods. In other words, EAP is a protocol that allows the Peer, Authenticator, and Authentication Server to negotiate what authentication method will be used. The selected authentication method is then run inside of the EAP protocol. EAP is defined in RFC 3748. RFC 3748 describes the EAP packet format, procedures, as well as basic functions such as negotiation of the desired authentication mechanism.
FIG. 4 illustrates the basic EAP architecture. As shown in FIG. 4, and described in RFC 3748, there is an EAP peer 161, which may contact an authentication server 162 via an EAP authenticator 163 (e.g., access point). EAP can use the Radius or Diameter protocols. There are many EAP methods defined by IETF. Discussed herein is an EAP method called EAP-authentication and key agreement (AKA) which is based on universal mobile telecommunications system (UMTS)-AKA and defined in RFC 4187. Yet, many of the ideas that are presented herein can be used regardless of the selected EAP authentication method. EAP was designed as a link layer (Layer 2) protocol. PANA is a protocol that may be used to carry EAP messages over an IP network. In other words, PANA is a transport for EAP. PANA runs on top of the network (IP) layer. PANA is defined in RFC5191. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from link layer mechanisms.