The invention relates to the general field of telecommunications, and more particularly to the field of multimedia IP (Internet Protocol) network architectures, such as, notably, network architectures using the technology known as “Voice over IP” (or VoIP).
It has a favored but non-limiting application in the context of multimedia IP core networks based on an IMS (IP Multimedia Subsystem) architecture, as proposed by the 3GPP (Third Generation Partnership Project) standard, and implementing the multimedia session initiation protocol SIP (Session Initiation Protocol). The SIP protocol, defined by the IETF (Internet Engineering Task Force) standard, is described in detail in the document RFC 3261 titled “SIP: Session Initiation Protocol”, June 2002, published by the IETF.
The invention can, however, be used in association with other multimedia IP core network architectures, such as for example proprietary architectures, which may or may not implement the SIP protocol for the establishment of multimedia sessions (voice, text, video, data, etc.).
The invention more precisely relates to the security of communications between a terminal and a multimedia IP core network.
Telephone companies today have begun migrating their circuit-switched telephone networks to packet-switched Voice over IP networks, such as for example VoIP networks based on an IMS architecture.
In these VoIP networks, a terminal may be connected and registered with the IMS core network by way of several access networks, such as, notably, via a 3GPP, xDSL (x Digital Subscriber Line), EPC (Evolved Packet Core), WLAN (Wireless Local Area Network), cable, WiMAX (Worldwide interoperability for Microwave Access) or CDMA2000 (Code Division Multiple Access 2000) access network.
The 3GPP standard, in its current definition, provides the possibility of establishing a secure link between a terminal and its server for connecting to the IMS core network, in other words between the terminal and the P-CSCF (Proxy-Call Session Control Function) server that is associated with it. This secure link, also known by the name of “secure tunnel” or “security association”, results in the encryption (i.e. the enciphering) of the data conveyed between the terminal and the P-CSCF server, and in the integrity protection of this data. As described in specifications RFC 3329 and TS 33.203 from the 3GPP, the parameters of this secure link (security protocol used, enciphering or signature algorithms, port numbers used, etc.) are exchanged between the terminal and the P-CSCF server when the terminal registers with the IMS core network. Once this secure link is established, a security association exists between the terminal and the P-CSCF server which guarantees that data transmitted or received by the terminal cannot be eavesdropped on.
More precisely, when a terminal proposes a method of authentication comprising the establishment of a secure tunnel, it transmits a registration request comprising a “header” (field in the registration request) called “Authorization”, as well as a “security-client” header containing:

either the value “ipsec-3gpp”, associated with the IPsec (Internet Protocol security) protocol (cf. Section 5.1.1.2.2 of the specification TS 24.229),

or the value “tls”, associated with the TLS (Transport Layer Security) protocol (cf. Section 5.1.1.2.4 of the specification TS 24.229),

which are the two secure tunnel mechanisms provided by the 3GPP (cf. Appendix H of the specification TS 33.203). The IPsec protocol is associated with the authentication method known as “IMS AKA”, and the TLS protocol is associated with the authentication method known as “SIP digest with TLS”.
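As an added illustration that is not part of the original description, the following Python parses the “security-client” header of a REGISTER request in the RFC 3329 syntax described above and reports which of the two 3GPP tunnel mechanisms the terminal proposes. The request itself and its SPI and port values are constructed; treating an absent q parameter as a preference of 1.0 is an assumption of this example.

```python
"""Added example: parse the Security-Client header of a SIP REGISTER (RFC 3329
syntax, 'ipsec-3gpp' parameters as in 3GPP TS 24.229); all values are constructed."""

# Tunnel mechanism -> authentication method, as stated in the text.
AUTH_METHOD = {"ipsec-3gpp": "IMS AKA", "tls": "SIP digest with TLS"}
# Parameters an ipsec-3gpp proposal carries (TS 24.229); the numeric ones must be integers.
IPSEC_3GPP_REQUIRED = ("alg", "spi-c", "spi-s", "port-c", "port-s")

SAMPLE_REGISTER = (  # constructed terminal request proposing ipsec-3gpp, then tls
    "REGISTER sip:ims.example.invalid SIP/2.0\r\n"
    'Authorization: Digest username="user@ims.example.invalid", realm="ims.example.invalid"\r\n'
    "Security-Client: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; ealg=aes-cbc; "
    "spi-c=1000; spi-s=1001; port-c=5061; port-s=5062\r\n"
    "Security-Client: tls; q=0.05\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header_values(message, name):
    """All values of header `name` (case-insensitive), comma-split as RFC 3261 allows."""
    values = []
    for line in message.split("\r\n"):
        hname, sep, value = line.partition(":")
        if sep and hname.strip().lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def parse_mechanism(value):
    """'ipsec-3gpp; q=0.1; alg=...' -> dict with name, preference q and remaining params."""
    name, *raw = (p.strip() for p in value.split(";"))
    params = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in raw)}
    q = float(params.pop("q", "1"))  # absent q treated as 1.0 (assumption of this example)
    return {"name": name.lower(), "q": q, "params": params}

def proposal_errors(mech):
    """Defender-side sanity check of one proposal; an empty list means it looks well-formed."""
    errors = [] if mech["name"] in AUTH_METHOD else [f"{mech['name']!r} is not a 3GPP tunnel mechanism"]
    if mech["name"] == "ipsec-3gpp":
        for key in IPSEC_3GPP_REQUIRED:
            val = mech["params"].get(key)
            if val is None:
                errors.append(f"missing parameter {key}")
            elif key != "alg" and not val.isdigit():
                errors.append(f"{key} is not an integer")
    return errors

def proposed_tunnels(message):
    """Mechanisms the terminal proposes, most preferred first, with auth method and problems."""
    mechs = sorted((parse_mechanism(v) for v in header_values(message, "Security-Client")),
                   key=lambda m: m["q"], reverse=True)
    for m in mechs:
        m["auth_method"] = AUTH_METHOD.get(m["name"], "unsupported")
        m["errors"] = proposal_errors(m)
    return mechs
```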
However, the establishment and maintenance of such a secure tunnel is relatively expensive in resource terms, at terminal level and P-CSCF server level alike. Indeed, enciphering algorithms consume a good deal of CPU (Central Processing Unit) resources, which has an impact on the battery life of the mobile terminals and requires the P-CSCF servers to be dimensioned accordingly.
The impact on the resources of the mobile terminals is further increased by the fact that the secure tunnel provided by the 3GPP standard is superimposed on the enciphering procedures already implemented by certain mobile access networks, such as the enciphering procedures provided for the protection of the information transmitted by the mobile terminals to SGSN (Serving GPRS Support Node) nodes for the control plane and BTS (Base Transceiver Station) or Node B nodes for the user plane of GERAN (GSM EDGE Radio Access Network) and UTRAN (UMTS Terrestrial Radio Access Network) networks, or to MME (Mobility Management Entity) entities for the control plane and e-NodeB entities for the user plane of LTE (Long Term Evolution) networks.
In other words, for these access networks, the data exchanged between the terminal and the multimedia IP core network are enciphered a first time by the enciphering procedures set up by the access networks, then the enciphered data obtained are enciphered a second time in the secure tunnel established between the terminal and the multimedia IP core network.
It should moreover be noted that one and the same terminal will be required to establish several communication channels on the user plane according to the services used (Internet, Voice over LTE, etc.), and for each of them a secure tunnel could be installed between the terminal and the access network.
While this multiple enciphering of data guarantees maximum protection of the data transmitted or received by the terminals, it also considerably reduces the battery autonomy of the terminals.