I. Technical Field
This invention pertains to authentication and security of information transmitted over a network, such as a telecommunications network, for example.
II. Related Art and Other Considerations
Many networks have a procedure for authenticating a user terminal to the network and vice versa. Typically the authentication procedure involves use of a pre-shared secret key stored both at a predetermined location (such as an Authentication Centre (AuC)) and at the user terminal. Other parameters utilized in the authentication procedure are generally derived from this key.
Usage of a key for authentication involves key management activities. Key management for some networks is generally based on well-known mechanisms such as the Authentication and Key Agreement (AKA) mechanisms. During an AKA procedure, messages with parameters to be confirmed by the user terminal are obtained/delivered from an Authentication Center (AuC). Such parameters are joined together in an Authentication Vector (AV). Parts of this Authentication Vector (AV) are delivered through the network to the user terminal. The user terminal must then perform some calculations to match this challenge. The result of the user terminal calculation is sent back and checked against the Authentication Vector (AV). If the results match, then the authentication is successful. If the results do not match, other procedures are activated to correct the problem.
Authentication such as that described above can be utilized in many types of networks, such as telecommunications networks, for example. In a typical cellular radio system, wireless user terminals (also known as mobile stations, mobile terminals, and mobile user equipment units (UEs)) communicate via a radio access network (RAN) to one or more core networks. The user terminals can be mobile stations such as mobile telephones (“cellular” telephones) and laptops with mobile termination, and thus can be, for example, portable, pocket, hand-held, computer-included, or car-mounted mobile devices which communicate voice and/or data with radio access network.
The radio access network (RAN) covers a geographical area which is divided into cell areas, with each cell area being served by a base station, e.g., a radio base station (RBS), which in some networks is also called “NodeB” or “B node”. A cell is a geographical area where radio coverage is provided by the radio base station equipment at a base station site. Each cell is identified by a unique identity within the local radio area, which is broadcast in the cell. The base stations communicate over the air interface (e.g., radio frequencies) with the user terminals within range of the base stations. In the radio access network, several base stations are typically connected (e.g., by landlines or microwave) to a radio network controller (RNC). The radio network controller, also sometimes termed a base station controller (BSC), supervises and coordinates various activities of the plural base stations connected thereto. The radio network controllers are typically connected to one or more core networks.
The Universal Mobile Telecommunications System (UMTS) is a third generation mobile communication system, which evolved from the Global System for Mobile Communications (GSM), and is intended to provide improved mobile communication services based on Wideband Code Division Multiple Access (WCDMA) access technology. The UMTS Terrestrial Radio Access Network (UTRAN) is essentially a radio access network providing wideband code division multiple access for user equipment units (UEs). The Third Generation Partnership Project (3GPP) has undertaken to evolve further the UTRAN and GSM based radio access network technologies.
Key management for 2GPP/3GPP networks as well as IP Multimedia Subsystem [IMS] networks is generally based on well-known UMTS or GSM mechanisms such as the aforementioned Authentication and Key Agreement (AKA) mechanisms. See, for example, 3rd Generation Partnership Project, 3GPP Technical Specification 3GPP TS 33.102 V5.1.0: “Technical Specification Group Services and System Aspects; 3G Security; Security Architecture (Release 5)”, December 2002. Even the key management of the Internet Engineering Task Force/Extensible Authentication Protocol [IETF/EAP] uses essentially a variant of the AKA (having a “shim layer” on top of the basic AKA), and thus for EAP the security properties are basically the same.
During an AKA procedure for a telecommunications network involving a radio access network (RAN), messages with parameters to be confirmed by the user terminal are obtained/delivered from an Authentication Center (AuC). Such parameters are joined together in an Authentication Vector (AV). The Authentication Vector (AV) is delivered to the core network, which distributes parts of this Authentication Vector (AV) through the radio access network to the user terminal. As indicated previously, the user terminal must then perform some calculations to match this challenge. The result of the user terminal calculation is sent back and checked against the Authentication Vector (AV) where it originated. If the results match, then the authentication is successful. If the results do not match, other procedures are activated to correct the problem.
The AKA type mechanisms have not evolved very much over the last several years. In the current evolution of telecommunication networks towards an all-IP network, which considers convergence of fixed and mobile networks as well as convergence (or at least integration) of 3GPP access networks (GERAN/UTRAN/LTE) with non-3GPP access networks which are more IEEE/IETF-based (WiMAX/I-WLAN/xDSL), the number of security risks may increase. But a requirement in this evolution is compatibility with existing networks and mechanisms. This implies that these networks (and thus terminals) shall be able to also make use of AKA procedures. As noted, non-3GPP accesses may already use AKA over the IETF EAP framework (EAP-AKA).
3GPP is currently specifying standards for the “next generation” networks, the Evolved Packet System (EPS) with an Evolved UTRAN (EUTRAN) radio access. This is a simplified network architecture which needs to enjoy at least the same level of security as the more complex GERAN/UTRAN architectures.
In addition to making use of AKA in the access layers as described in the previous paragraph, it is also possible to use AKA in the application or service domain, for example Digest AKA (also known as IP Multimedia Subsystem [IMS] AKA) in the IMS domain, or GBA in the application domain in general.
The UICC (Universal Integrated Circuit Card) is a chip card (e.g., smart card) used in mobile user terminals in GSM and UMTS/EPS networks and is involved, e.g., in authentication. In a GSM network, the UICC contains a SIM application, and in a UMTS/EPS network it is the USIM application. A UICC may contain several applications, making it possible for the same smart card to give access to both GSM and UMTS networks. A given UICC has two options: (1) using different “Ki” keys/credentials for the USIM and ISIM applications; or (2) sharing the same Ki for both USIM and ISIM. In the latter case, however, the security algorithms (key derivation functions) must be different for USIM and ISIM.
Unfortunately, prior art methods are generally inflexible regarding which basic “credential” is allowed. While the EAP framework adds some flexibility by defining so-called “EAP methods”, there is no flexibility (with full security) when switching between different methods for a given client. There are also security problems when re-using the same credential/key for different purposes.
Some methods (typically smart card deployments in “military” scenarios) allow storing a larger number of keys on the same “smart card”, but each key is typically tied to a specific purpose/application. This means that an attacker can “amortize” his cryptanalytic effort, since he knows that each time application “X” is run, it will be using the same base key again and again.
In cryptography, a public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the certificate authority (CA).
A typical threat for PKI keys is to re-use the same key for both signatures and authentication (the terminal may “think” it is responding to an authentication challenge, but in reality it is signing/committing to a “document” or “agreement”). Normally, separate, designated keys are used for signatures and authentication to mitigate this (the certificate specifies the “allowed purpose” of the key).
What are needed, therefore, are further ways to increase security related to the actual keys that are used by AKA, and thus further strengthen AKA as a valid mechanism. This is particularly necessary when convergence of networks (and convergence of different technologies) is the common denominator.