Security of wireless networks is ensured by using encryption methods. A Mobile Station (MS) which tries to access a network has to perform a mutual authentication procedure with the network. The MS and the network may perform the mutual authentication procedure by using long-term credentials (e.g., a user ID-password pair, an X.509 certificate, a SIM card, and the like). The long-term credential is stored in a server located in the Core Network (CN) of the MS and is managed by the operator of the network.
The server managing the long-term credential is known as an authentication, authorization, and accounting server (3A server, i.e., an AAA server). The 3A server located in the home network of the MS is known as a home authentication, authorization, and accounting server (H3A server). The access authentication procedure of the MS in the network is performed by signaling authentication-related information between the MS and the H3A server. Hereinafter, the 3A server or the H3A server will be referred to generally as an authentication server.
Depending on the type of long-term credential, the authentication procedure may require two or more round trips of signaling between the MS and the authentication server. In the authentication procedure, the end-points in the network are authenticated, and authorization parameters are transmitted to the Access Network (AN) which the MS tries to access.
The authorization parameters include information such as the type of IP service (e.g., IPv4 or IPv6), the type of mobility service (e.g., full mobile, nomadic, or fixed), the IP addresses allocated to the MS, the allocated home agents, quality of service parameters, the session lifetime, and the like. The AN requires the above-mentioned information in order to provide the authorized service described by the authorization parameters to the MS.
The mutual authentication procedure between the MS and the authentication server may take a long time. Depending on the authentication scheme used, the messaging for the mutual authentication procedure may require two or more round trips between the end-points.
For example, Authentication and Key Agreement (AKA) based authentication as specified in the corresponding RFC (EAP-AKA, RFC 4187) performs the round trip twice, and Transport Layer Security (TLS) based authentication (EAP-TLS, RFC 5216) may require ten or more round trips if large certificate chains are used, because the certificate flights are split into EAP fragments that are acknowledged one by one. Further, every round trip between the end-points may take from several tens of ms to several hundred ms depending on their geographical separation; an intercontinental round-trip latency is currently about 500 ms, for example. Therefore, the mutual authentication procedure may be delayed by 1 sec or more, and this delay degrades the service quality.
FIG. 1 is a block diagram illustrating a network access authentication/authorization operation in an initial network entry of an MS in a wireless communication system according to the related art.
The network access authentication/authorization operation of FIG. 1 may also be performed when re-authentication/re-authorization is required because the session lifetime in the network has expired. Hereinafter, network access authentication/authorization is referred to as network access authentication or access authentication for convenience of description.
In operation 101 of FIG. 1, the MS 110 transmits its identifier to an AN 130a at initial entry into the network. The AN 130a may be a Base Station (BS) or a combination of a BS and an Access GateWay (AGW). In operation 103, the AN 130a transfers the identifier of the MS 110 to the CN 150, to which the authentication server managing the parameters for the access authentication of the MS 110 belongs, and requests the access authentication of the MS 110. The CN 150 performs a crypto-handshake procedure with the MS 110 for mutual authentication, and in operation 105, as the result of the access authentication of the MS 110, transfers the authorization parameters to the AN 130a which the MS 110 tries to access. The authorization parameters are used for the session authorization. In operation 107, the AN 130a transfers to the MS 110 those of the authorization parameters which are used in the MS 110.
FIG. 2 is a block diagram illustrating a network access authentication operation in the wireless communication system when an MS performs a handover to a new AN (i.e., a target AN) according to the related art.
Referring to FIG. 2, the MS 110 transmits its identifier to the target AN 130b for the access authentication in operation 201. The target AN 130b may be a BS or a combination of a BS and an AGW. In operation 203, the target AN 130b transfers the identifier of the MS 110 to the CN 150b to request the access authentication of the MS 110. Here, the CN 150b may be the CN to which the authentication server managing the parameters for the access authentication of the MS 110 belongs, the AN which the MS 110 previously accessed, an intermediary 3A node, or the like. The CN 150b performs a crypto-handshake procedure with the MS 110 for mutual authentication in the same manner as the access authentication procedure for the initial network entry in FIG. 1, and, as the result of the access authentication of the MS 110, transfers the authorization parameters in operation 205 to the target AN 130b which the MS 110 tries to access. In operation 207, the target AN 130b transfers to the MS 110 those of the authorization parameters which are used in the MS 110.
As in the conventional access authentication procedure of FIG. 2, the MS is required to exchange access-authentication signaling with another network entity such as the CN, the previous AN, or an intermediary 3A node, not only when the MS initially accesses the network but also when the MS performs a handover. However, the time delay caused by the access authentication during the handover may interrupt the service or degrade the service quality. For example, a dropped voice call or an interrupted video stream may occur because of the time delay during the handover of the MS.
Accordingly, an apparatus and a method for authenticating access of a mobile station, which are capable of reducing the time required for access authentication during a handover in a wireless communication system, are desired.
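As an added example that is not part of the patent text, the following Python model counts the messages of the two exchanges named above (EAP-AKA, and EAP-TLS including the per-fragment acknowledgements that make large certificate chains expensive) and converts them into the authentication delay that is incurred at initial entry (FIG. 1) and incurred again at every handover (FIG. 2). The fragment size, the certificate-chain sizes, the interruption budget, and the simplification that every message crosses the AN-CN path once at half the round-trip time are assumptions of the example, not figures from the page.

```python
"""Latency model for the access-authentication signalling described above.
Added example; it is not code from the patent and makes these assumptions:
the MS<->AN air-link delay is ignored; every EAP message between the MS and
the authentication server crosses the AN<->CN path once, costing half the
round-trip time; EAP-AKA uses the Identity and AKA-Challenge exchanges;
EAP-TLS carries each TLS flight in fragments of EAP_FRAGMENT bytes, and
every fragment except the last is acknowledged with an empty EAP-TLS message
before the next one is sent. Chain sizes and the budget are constructed.
"""
from math import ceil
from typing import List

EAP_FRAGMENT = 1000             # assumed TLS bytes carried per EAP-TLS fragment
INTERCONTINENTAL_RTT_MS = 500   # round-trip figure quoted in the text


def fragments(nbytes: int, fragment: int = EAP_FRAGMENT) -> int:
    """Number of EAP-TLS fragments needed to carry a TLS flight of nbytes."""
    return max(1, ceil(nbytes / fragment))


def eap_aka_messages() -> List[str]:
    """Full EAP-AKA authentication: two round trips, then a one-way EAP-Success."""
    return [
        "<- EAP-Request/Identity",
        "-> EAP-Response/Identity",
        "<- EAP-Request/AKA-Challenge (RAND, AUTN, MAC)",
        "-> EAP-Response/AKA-Challenge (RES, MAC)",
        "<- EAP-Success",
    ]


def eap_tls_messages(server_flight_bytes: int, client_flight_bytes: int,
                     fragment: int = EAP_FRAGMENT) -> List[str]:
    """Full EAP-TLS handshake, expanded into fragments and their acknowledgements."""
    msgs = [
        "<- EAP-Request/Identity",
        "-> EAP-Response/Identity",
        "<- EAP-TLS Start",
        "-> TLS client_hello",
    ]
    n = fragments(server_flight_bytes, fragment)   # server_hello .. server_hello_done
    for i in range(1, n + 1):
        msgs.append(f"<- server flight fragment {i}/{n}")
        if i < n:                                   # all but the last fragment are acked
            msgs.append("-> EAP-TLS ack (empty)")
    m = fragments(client_flight_bytes, fragment)   # certificate .. finished
    for i in range(1, m + 1):
        msgs.append(f"-> client flight fragment {i}/{m}")
        if i < m:
            msgs.append("<- EAP-TLS ack (empty)")
    msgs += [
        "<- TLS change_cipher_spec, finished",
        "-> EAP-TLS ack (empty)",
        "<- EAP-Success",
    ]
    return msgs


def round_trips(msgs: List[str]) -> int:
    """Full round trips in an exchange whose last message is the one-way EAP-Success."""
    return (len(msgs) - 1) // 2


def auth_delay_ms(msgs: List[str], rtt_ms: float) -> float:
    """Signalling delay when each message crosses the AN<->CN path once (rtt/2 each)."""
    return len(msgs) * rtt_ms / 2


def handover_interrupts_service(msgs: List[str], rtt_ms: float, budget_ms: float) -> bool:
    """True when re-running the full exchange at handover exceeds the assumed budget."""
    return auth_delay_ms(msgs, rtt_ms) > budget_ms


if __name__ == "__main__":
    BUDGET_MS = 150   # constructed handover-interruption budget for a voice call
    cases = {
        "EAP-AKA": eap_aka_messages(),
        "EAP-TLS, small chains (0.8 KB / 0.7 KB)": eap_tls_messages(800, 700),
        "EAP-TLS, large chains (6 KB / 3 KB)": eap_tls_messages(6000, 3000),
    }
    for rtt in (20, 200, INTERCONTINENTAL_RTT_MS):
        print(f"AN<->CN RTT {rtt} ms")
        for name, msgs in cases.items():
            verdict = "interrupts" if handover_interrupts_service(msgs, rtt, BUDGET_MS) else "ok"
            print(f"  {name:40s} {round_trips(msgs):2d} RTT "
                  f"{auth_delay_ms(msgs, rtt):7.0f} ms  {verdict}")
```

With the 500 ms intercontinental figure from the text, the two-round-trip EAP-AKA exchange alone costs 1250 ms in this model, and a 6 KB server chain with a 3 KB client chain pushes EAP-TLS to 11 round trips, which is why each handover that repeats the full exchange toward the CN can drop a voice call even on a path with a much smaller RTT.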
The above information is presented as background information only to assist with an understanding of the present disclosure. No determination has been made, and no assertion is made, as to whether any of the above might be applicable as prior art with regard to the present disclosure.