Conventionally, an act of authentication is not separated from an act of authorization. Typically, once an end-user client is authenticated by an authentication server, that user is also authorized by the same server to use a specific service. In the case that authentication and authorization are performed by the same server, the server is capable of performing cryptographic functions related to authentication. It also has access to user credentials and identities; and may be capable of accessing a user's profile and service access rights, as well as interacting with service equipment to see if service may be granted.
As diverse broadband access technologies are increasingly developed and deployed, revenue margins for access providers tend to decrease. Diversity of access technologies also dictates a need for access-independent application and service offerings—such that a service-only provider can deploy a single service-architecture for any user, regardless of underlying access technology, while co-existing with access providers providing only connectivity. Mobile Internet Protocol v6 (MIPv6) operational development is, for example, considering scenarios where a mobility service provider is separate and distinct from an access service provider. Different providers will naturally use different Authenticating, Authentication, and Authorization (AAA) servers, and possibly different AAA infrastructure, to control and manage resource usage and users.
Service provider equipment and infrastructure may be different from network access equipment. For instance, a MIP Home Agent (HA) may be part of a service provider network, while a network access server/Extensible Authentication Protocol (EAP) authenticator may be part of a network access provider. A separation of signaling path for authorization and authentication may be needed in such a configuration.
Conventional systems have typically used the same authentication and authorization credentials. However, this may not be so in the future, if cleaner separation of authentication and authorization functions and servers are developed, and better protection of sensitive authentication credentials against brute force attacks are desired. The less that authentication credentials are used, the better—from a security standpoint. Separation may be especially beneficial since an authentication procedure may typically establish a set of security associations with network boundaries, and later the authorization signaling may be performed over this secure channel using less security-intense authorization credentials.
By way of illustration, consider an analogy of watching a movie at a movie theater. At least for the time being, watching a movie requires only a movie ticket. Showing a movie ticket does not require showing a drivers license, particularly when a person may have already shown a drivers license in conjunction with paying for the ticket (e.g., with a credit card).
Another approach is being developed in the Internet Engineering Task force (IETF) to address issues arising in conjunction with this new trend—one where no proof of prior authentication is provided to an authorizing server. This approach is obviously subject to a number of security concerns, however.
By way of illustration, Kerberos is a conventional technology for performing authentication and authorization separately. Using Kerberos, a token is generated in an authentication process, and is used for authorization. However, both a service server and a client receive keys through a Key Distribution Center (KDC), via secure transport. No keys are transported between the service server and the client. A token is service specific, and is encrypted with a key, known only to the service server. Retrieval of the token requires additional roundtrips between a client and the KDC server.
Another emerging trend is the use of extensible authentication protocol (EAP) for authentication of mobile nodes at AAA servers. Key generation capabilities of EAP servers [EAPKEYING] [USRK], combined with the addition of EAP as an authentication method for IKEv2 [IKEv2], and use of backend Diameter servers and infrastructure [RFC4072], have made EAP a popular authentication method—as compared to customized authentication and key management mechanisms defined for MIPv4 or Kerberos. Once EAP authentication is performed successfully, and EAP master session keys (MSK and EMSK) are generated, a server will be able to use these keys to generate root keys for a variety of uses—such as MIPv6 [MIP-USRK].
Since MIPv6 operation requires bootstrapping of various parameters—such as home address, home agent address, and IPsec security associations—efforts in the IETF are underway to perform such bootstrapping through AAA infrastructure. In more recent efforts, the IPSec association required for MIPv6 operation between a mobile node (MN) and a home agent (HA) is established using IKEv2. To get around the need for pre-shared key for IKEv2 authentication, the MN authenticates through a MIP home agent (HA) to a backend AAAn, using EAP. Thus, EAP authentication is done as part of an IKEv2 exchange. However, the authentication of an MN is only part of the MIP service establishment procedure. Once the MN completes the IKEv2-EAP authentication, and establishes an IPsec channel with the HA, it still needs to be authorized for use MIP service. This typically means that an authorization server (usually also an AAA server) needs to perform the act of authorization.
The recent trend on separation of access service from mobility service, leads to newer design that separates the act of EAP authentication from the act of authorization for MIPv6 service. Under this paradigm, a peer and AAA client first run an EAP authentication with an authenticating AAA server—referred to as AAA-EAP or AAAn. The peer then requests MIPv6 service authorization from an authorizing server—referred to as MIPAAA or AAAz. It has been suggested that there may be scenarios where AAAn and AAAz are logically or physically different servers, and may not have access to the same database. A number of security and operation considerations arise in such scenarios
For instance, an AAAn server that only performs authentication is not only unaware of future service requests by a peer, but also is not able to provide any such authorization. However an AAAn, as an entity performing EAP, is the only entity allowed to cache EMSK—since EMSK is not allowed to be transported outside AAAn [EAPKEYING]. This means that root keys for other usages—such as MIPv6_USRK (Mobile IPv6 usage specific root key)—can only be generated at and by the AAAn. In contrast, MIP service is authorized only at AAAz. This means that the MIPv6-USRK must be created only after such authorization, and be accessible to the AAAz for generation of other MIPv6 security keys. Furthermore, generation of MIPv6_USRK requires access to other “usage data” specific for Mobile IPv6; which is typically not available at the AAAn. Thus, the AAAz must make the “usage data” available to the AAAn, and request MIPv6_USRK from the AAAn, in order to be able to generate further MIPv6 keys.
In further consideration, most traditional authorization frameworks simply do not have any special credential-based procedure for authorization. An authorization decision itself is performed based a user profile available at a server—not based on a credential presented by a client as proof for a right of access to service. As long as the client is previously authenticated, the client's identity is used against its profile in a database. Under this scheme, using the movie theater analogy, a person walks into a movie theater and—instead of paying for a ticket as a proof of right to view a movie—the person simply shows some identification. Based on the person's identity, and upon some movie theater membership list—the person is allowed to just walk into the theater without a ticket.
However, such separation of authorization from authentication means that an authorizing server (AAAz) needs an assurance of previous authentication from an authenticating server (AAAn). Even if an identical peer identifier is used for both authentication and authorization requests with AAAn and AAAz, respectively, there is still no explicit proof presented to the AAAz that the peer has proved this identity to the AAAn. Furthermore, the lack of a prior state—especially the lack of established security association between the peer (e.g., an MN in MIP protocol) and the AAAz—has a cascading effect on security problems. A rogue MN (or even an AAA client) could potentially use a spoofed identity (for a legitimate subscriber) to send service requests on behalf of a legitimate MN, and have charges for rendered services transferred to the legitimate MN. Existence of an MN-HA IPsec association can protect service requests on the MN-HA path to the AAAz, but does not provide any integrity or non-repudiation protection for MN service requests outside the MN-HA. Any proxy or middle man (including the HA itself) on the path from HA to the AAAz can modify a service request. So it is important that when AAAz receives a service request from an MN, it can confirm that the MN has already been authenticated by an AAAn, and is using the same authenticated identity for its service request—so that the AAAz can authorize service for a legitimate MN.
In consideration of all of this, there is a need for a system where authentication and authorization are performed separately and securely. There is also a need for a system performing authentication and authorization separately that provides Authentication Authorization and Accounting (AAA) services with high performance and low complexity.