In the EPS-architecture, the subscriber authentication is performed between a UE and an MME (Mobility Management Entity), and the MME manages e.g. the mobility, the UE-identities and the security parameters. The basis for defining the security procedure in the EPS is a security key, K_ASME, which is shared between the MME and the UE, and established at the authentication of the UE. A functional entity of the EPS-architecture called the ASME (Access Security Management Entity) may e.g. be co-located with the MME, and the ASME receives and stores the security key K_ASME derived from the CK/IK-keys confined in the home network. From the security key, K_ASME, the ASME derives an NAS security context used to protect the NAS signalling, i.e. the Non Access Stratum signalling between the MME of the Evolved Packet Core (EPC) network and a UE. The NAS security context contains parameters for the encryption and integrity protection of the NAS signalling, such as K_NAS_enc, K_NAS_int, as well as uplink and downlink sequence numbers, NAS_U_SEQ and NAS_D_SEQ, and the sequence numbers are used to prevent replay of old messages, as well as for input to the encryption and integrity protection procedures. The ASME provides the MME with the NAS security context, and one NAS security context is kept in the MME, and a corresponding NAS security context is kept in the UE, and the replay protection, integrity protection and encryption are based on that the sequence numbers of the NAS security contexts of the MME and UE are not reused.
Preferably, the security context for the protection of the UP/RRC traffic between a UE and the serving eNodeB (i.e. a radio base station in an EPS-architecture) is also based on said security key, K_ASME. The procedure to establish the UP/RRC security context involves deriving a key called K_eNB, from which the encryption key K_eNB_UP_enc is derived for protecting the UP (User Plane), i.e. the end user data transferred over EPC and E-UTRAN, as well as the encryption key, K_eNB_RRC_enc, and the integrity protection key, K_eNB_RRC_int, for protecting the RRC (Radio Resource Control).
FIG. 1 illustrates a conventional exemplary signalling flow for a UE-initiated IDLE to ACTIVE state transition in an EPS-architecture. An IDLE UE is only known to the EPC (Evolved Packet Core) of the EPS, and no UP/RRC security context exists between the eNodeB and the UE. An UE in the ACTIVE state is known both in the EPC and in the EUTRAN, and a UP/RRC security context has been established for protection of the UP/RRC-traffic between the UE and its serving eNobeB.
FIG. 1 illustrates a UE 11, an eNodeB 12, an MME 13, a serving GW (Gateway) 14, a PDN Gateway 15, and the HSS (Home Subscriber Server) 16. The Serving Gateway 14 is the node of the EPC that terminates the interface towards EUTRAN, and the PDN Gateway is the node of the EPC that terminates the interface towards a PDN (Packet Data Network). If a UE accesses multiple PDNs, there may be multiple PDN Gateways for that UE. In signal S1 and signal S2, the NAS Service Request is transparently forwarded from the UE to the MME, and the NAS Service Request is integrity protected based on NAS_U_SEQ. In the optional signal S3, the UE is authenticated by the MME and the K_ASME is established, using subscriber data stored in the HSS (Home Subscriber Server), and the MME sends the Initial Context Setup Request to the eNodeB, in S4. In the signals S5 and S6, the eNodeB establishes the radio bearer with the UE and forwards uplink data, and returns an Initial Context Setup Complete-message to the MME in signal S7. In signal S8, the MME sends an update bearer request to the Serving GW, and the serving GW responds in signal S9.
In prior solutions, the derivation of the K_eNB by the UE and MME for the RRC/UP security context is based e.g. on a NAS SERVICE ACCEPT message or other explicit information sent from the MME to the UE. However, as illustrated in the exemplary conventional EPS signalling flow in FIG. 1, the MME will normally not send any NAS SERVICE ACCEPT upon receiving a NAS SERVICE REQUEST from a UE in an EPS. Therefore, it will not be possible to derive the K_eNB from the information in a NAS SERVICE ACCEPT message.
According to an exemplary known solution, the K_eNB is derived by the MME from the K_ASME and the NAS_D_SEQ used by the MME in the NAS SERVICE ACCEPT message, and the UE derives the same K_eNB by retrieving the sequence number, NAS_D_SEQ, from the NAS SERVICE ACCEPT message and performing the same K_eNB derivation as the MME. The MME transfers the K_eNB to the eNodeB when it sets up the S1-connenction to the eNodeB. However, a drawback with this known solution is that if no explicit NAS SERVICE ACCEPT message is defined from the MME to the UE, as in the exemplary conventional EPS signalling flow in FIG. 1, it is not possible for the UE to derive the same K_eNB as the MME. Even though it is technically possible for the UE to estimate a current NAS downlink sequence number, NAS_D_SEQ, this estimation could be erroneous, since the MME may have sent NAS messages that were lost and never received by the UE. In such a case, the MME would have updated its NAS_D_SEQ, without the UE being aware of the updating, leading to an erroneous NAS_D_SEQ in the UE.
According to another exemplary known solution, the derivation of the K_eNB is based on a separate sequence number maintained specifically for the derivation of the K_eNB, and this sequence number is explicitly synchronized during the NAS Service Request procedure either by the UE sending it to the MME, or by the MME sending it to the UE. However, a drawback with this solution is the extra complexity of the separate sequence number, since it has to be maintained both in the UE and in the MME in order to prevent replay attacks.