Explanation of Abbreviations Used
PANAProtocol for carrying Authentication forNetwork Access AuthenticationPAAPANA Authentication AgentPaCPANA ClientTLSTransport Level SecurityEAPExtensible Authentication ProtocolAAAHAAA Home serverMNMobile NodeDoSDenial of ServiceSeNAASecure Network Access AuthenticationLSASecurity AssociationAAAAuthentication, Authorization and Accounting
1. Field of the Invention
The invention relates to a method and a system for expediting in at least one network the establishment of a secure tunnel which provides connection between user equipment (UE) and one network entity and authenticating the user equipment with another network entity.
2. Description of the Prior Art
The IETF draft (draft-forsberg-pana-secure-network-access-auth-00.txt) presents a link layer independent network access authentication method, Secure Network Access Authentication (SeNAA), to support smooth interaction between user equipment (UE) and access networks while roaming. The draft authentication method has two phases, I and II. Phase I must be completed before phase II can be started. The serial message processing is slow.
FIG. 1 depicts the original (draft) version of the authentication protocol which was not adopted. Mobile terminals utilize different link layer technologies and roam between different layers. A generic link layer independent authentication and authorization method is needed to support smooth interaction between user equipment and access networks while roaming. User equipment network access authentication in different network technologies has become an important issue in the Internet. Different authentication methods already exist but are more or less link layer dependent.
Secure Network Access Authentication uses User Datagram Protocol (UDP) as the transport protocol. UDP is a lightweight protocol and allows application level implementations with port numbers UDP carries DIAMETER formatted Secure Network Access Authentication messages. Secure Network Access Authentication provides reliable request and response style message delivery (re-transmission and duplicate packet detection).
Secure Network Access Authentication does not assume a secure channel between Protocol for carrying Authentication for Network Access Authentication (PANA) Client (PaC) and PANA PANA Authentication Agent (PAA). Thus, on top of the Secure Network Access Authentication protocol Transport Level Security (TLS), a protocol is used to negotiate a Local Security Association (LSA) between PANA Client and PANA Authentication Agent. Transport Level Security provides authentication, privacy, integrity, and replay protection. Transport Level Security is used to protect Secure Network Access Authentication message AVPs and EAP between PANA Client and PANA Authentication Agent. AVPs that need protection are fed to the Transport Level Security Record layer, and the resulting encrypted and compressed data is stored into a TLS-Payload AVP. EAP protocol is carried inside an EAP-Payload AVP. Secure Network Access Authentication messages after successful Transport Level Security handshake are integrity protected with a check sum stored in the Msg-Checksum AVP. The AVP is protected with Transport Level Security Record layer.
Transport Level Security is also used for re-authentication between PANA Client and PANA Authentication Agent. Transport Level Security TLS supports mutual authentication and can optionally be used instead of EAP for user authentication. In all cases Transport Level Security is used for access network authentication. Secure Network Access Authentication messages carry information such as the PANA Client's Device Identifier (DI), that must be integrity protected. If PANA Authentication Agent supports DIAMETER and/or RADIUS Authentication Authorization and Accounting (AAA) back-end, signaling between PANA Client and PANA Authentication Agent can easily be extended to the back-end. Secure Network Access Authentication doesn't rely on any modifications to the EAP protocol. It provides secure transport up to the PANA Authentication Agent for EAP. Thus, any existing EAP methods can be used securely with Secure Network Access Authentication between PANA Client and PANA Authentication Agent. Security after PANA Authentication Agent is outside the scope of Secure Network Access Authentication. PANA Authentication Agent is assumed to get user authentication answer (Success or Failure) from the authenticator.
Secure Network Access Authentication utilizes protocols like EAP, TLS, UDP and IP that are assumed to exist in the PANA Client terminal already even without Secure Network Access Authentication. FIG. 2 illustrates an exemplary one. DIAMETER like message formatting and request response style reliability transport is one additional requirement for the PANA Client terminal and is provided with the Secure Network Access Authentication protocol. TCP and SCTP are considered too heavy weight transport protocols for Secure Network Access Authentication purposes (i.e. more message round trips needed).
Data protection, such as IP datagrams, is out of the scope of Secure Network Access Authentication. One possibility for further studies is to use the key material produced in the Transport Level Security handshake process with IPSec.
With reference to FIG. 1, successful mutual authentication is divided into two phases. In Phase I the network is authenticated, and the user is authenticated in Phase II.
Phase I consists of a Transport Level Security handshake as is shown in FIG. 3A which provides initial authentication with Transport Level Security to provide a secure tunnel. Local reauthentication, where PANA Client authenticates to PANA Authentication Agent, is in Phase I and is handled with Transport Level Security Session Resumption (illustrated in FIG. 3B which provides re-authentication with TLS). Access network authentication is based on access network certificates. How certificates are created, processed and verified is known and not described herein.
Phase II uses EAP for authenticating the user (FIG. 4 illustrates user authentication signalling with EAP being carried inside the EAP-Payload AVP). User authentication is bound to the DI, which is used to control access to the network.
With reference to FIG. 1, in Phase I, Server-Certificate-Request (SCR) message carries Client-Hello TLS message. Server-Certificate-Answer (SCA) carries the TLS answer which contains the Access Network certificate. PANA Client verifies the certificate. PANA Authentication Agent also adds a Session-Id AVP into the SCA message. This Session-Id is different from the Transport Level Security session-Id. The next messages must have the AVP included during the whole session. To finish the TLS handshake, PANA Client sends Client-Security-Association-Request (CSAR) message to the PANA Authentication Agent. PANA Authentication Agent answers with Client-Security-Association-Answer (CSM).
With reference to FIG. 1, in Phase I, Server-Certificate-Request (SCR) message carries Client-Hello TLS message. Server-Certificate-Answer (SCA) carries the TLS answer which contains the Access Network certificate. PaC verifies the certificate. PAA also adds a Session-Id AVP into the SCA message. This Session-Id is different from the TLS session-Id. The next messages must have the AVP included during the whole session. To finish the TLS handshake, PaC sends Client-Security-Association-Request (CSAR) message to the PAA. PAA answers with Client-Security-Association-Answer (CSAA).
When Transport Level Security is not used, a different User Datagram Protocol (UDP) port number (PAA UDP port <UDP-port3>, PaC UDP port <UDP-port4>) must be used for plaintext CLR/CLA message delivery. PANA Client can decide not to use Phase I authentication but must use Phase I authentication if <UDP-port3>is not reachable. Similarly if UDP port <UDPporti>is not reachable, PANA Client should try to use UDP port <UDP-port3>.
In Phase II, after a successful TLS handshake, PANA Client uses AAA-Client Request (CLR) message to start user authentication and DI authorization. CLR carries EAP-Payload AVP to PANA Authentication Agent. PANA Authentication Agent answers with AAA-Client-Answer (CLA) message with a Result-Code AVP. Result-Code informs PANA Client if multiple round trips are needed for completing the EAP authentication method or if the authentication (authorization) succeeded or failed.
PANA Client adds DI(s) thereof into the CLR message so that PANA Authentication Agent can verify the integrity of the DI and optionally provide it for the enforcement point.
PANA Authentication Agent can be co-located in the ARs or separated from the ARs. In case of separation, ARs act as relay agents to PANA Authentication Agent for MN. PANA Authentication Agent is in the same subnet as the AR and Mobile Node (Mn). When PANA Authentication Agent receives a message from Mobile Node through an AR, it must send the reply directly to the Mobile Node. When PANA Authentication Agent is separated from ARs, an AR should relay MN's Secure Network Access Authentication messages to the PANA Authentication Agent. When Mobile Node receives an answer from PANA Authentication Agent, the Mobile Node must send further requests to the PANA Authentication Agent directly.
Secure Network Access Authentication uses request and response style transactions. For each request a response is sent. If a response is not received in time, the request is re-sent. This mechanism is used for packet loss recovery. The received response works as an acknowledgment. Secure Network Access Authentication uses DIAMETER message formatting. The DIAMETER message header provides packet duplication (End-to-End Id) detection and request/response mapping (Hop-by-Hop Id).
To protect integrity of the DIAMETER header and the whole message, MAC is calculated over the DIAMETER message. The MAC is put into an AVP called Msg-Checksum. CLR/CLA messages use this AVP. PANA Client needs to be authenticated before network access is granted through the enforcement point (EP) in the access network.
Authentication and re-authentication initiator can be PANA Client or PANA Authentication Agent.
PANA Client starts re-authentication by sending CSAR message with Transport Level Security Client Hello in the TLS-Payload AVP to PANA Authentication Agent to UDP port<UDP-port1>(FIG. 3B). Similarly, PANA Authentication Agent initiates re-authentication by sending CSAA message with Transport Level Security Server Hello message in the TLS-Payload AVP to PANA Client to UDP port<UDP-port2>. The hello message contains the current Transport Level Security session specific id, which is used to detect session resumption from initial authentication. Re-authentication involves multiple CSAR/CSAA round trips.
After a Transport Level Security handshake or session, resumption is done and the SA is established PANA Client uses the Transport Level Security Record Layer to encrypt Secure Network Access Authentication message AVPs.
Secure Network Access Authentication doesn't assume connection-oriented links. Thus, Transport Level Security reauthentication is used for notifying PANA Authentication Agent of PANA Client'presence. Re-authentication interval is implementation specific<TBD?>.
Transport Level Security Alert, Handshake and Change cipher specification protocols are carried inside Transport Level Security Record Layer. For example if Transport Level Security Alert protocol reports a fatal error it is delivered with the next TLS-Payload AVP or with separate CSAR/CSM messages. The Secure Network Access Authentication application must understand the return codes from Transport Level Security Record Layer API functions. When fatal error is received, the Transport Level Security session is torn down. The Secure Network Access Authentication session MUST be re-negotiated.
Transport Level Security message formats can be found from Transport Level Security. The DIAMETER message header format and AVP format is known. SCA and CSM messages do not contain Result-Code AVPs.
Format of the SRC message:<Server-Certificate-Request> ::= < Diameter Header: <TBD>, REQ, PXY>{ User-Name }{ TLS-payload }TLS-Payload AVP contains the Transport Level Security handshakemessages in the AVP data area as specified in [TLS]. The TLS-Payload AVP containsTLS-Client-hello.Format of the SCA message:<Server-Certificate-Answer> ::= < Diameter Header: <TBD>, PXY > <Session-Id>{ TLS-payload }A Session-Id is generated for the PANA Client and delivered in the Session-Id AVP. The TLS-Payload AVP contains Transport Level Security Server-hello, Transport Level Security Server-Certificate,TLS server-Key-Exchange, and Transport Level Security Server-Hello-Donemessages. Format of the CSAR message:<Client-Security-Association-Request> :: <Diameter Header: <TBD>, REQ><Session-Id>{ TLS-payload }The Session-Id AVP is used in every SeNAA message between PANA Clientand PANA Authentication Agent.The TLS-Payload contains TLS-Client-Key-Exchange, TLS-Change-CipherSpec,and TLS-Client-Finished messages.Format of the CSM message:<Client-Security-Association-Answer> ::= < Diameter Header: <TBD>, PxY><Session-Id>{ TLS-Payload }
The TLS-Payload contains TLS-Change-Cipher-Spec and TLS-ServerFinished messages.
Format of the initial CLR message:<AAA-Client-Request> :: <Diameter Header: <TBD>, REQ, PXY > [TLS-Payload:<Session-Id> { User-Name } { Device-Identity } [EAP-Payload][Authorization-Lifetime][Msg-Checksum]]The TLS-Payload AVP data area contains encrypted AVPs through TransportLevel Security Record layer.Format of the CLA message from PANA Authentication Agent to PANAClient:<AAA-Client-Answer> ::= < Diameter Header: <TBD>, PXY> [TLS-Payload:<Session-Id> { Result-Code } [ EAP-payload ][Authorization-Lifetime][Auth-Grace-Period][Multi-Round-Time-Out][Msg-Checksum]]
The TLS-Payload AVP data area contains encrypted AVPs through Transport Level Security Record layer.
The TLS-Payload AVP data contains encapsulated AVPs that are encrypted and compressed by Transport Level Security Record layer. Upon receive of TLS-Payload AVP the data area is first fed to the Transport Level Security Record layer to get the plain text AVP list for further processing.
The Msg-Checksum AVP data contains checksum of the whole DIAMETER message. Msg-Checksum is calculated over the message with MsgChecksum AVP data area bits set to zero. Checksum algorithm is<TBD>.
The CLA message contains Transport Level Security protected Result-Code AVP. In Secure Network Access Authentication one of the following Result-Code values is possible.
DIAMETER_MULTI_ROUND_AUTH 1001EAP user authentication requires more round trips.DIAMETER_SUCCESS  2001EAP user authentication and network access authorization successful.DIAMETER_AUTHENTICATION_REJECTED 4001EAP user authentication failure.
Secure Network Access Authentication provides reliable request and response style transactions. Peer which initiates the transaction is responsible for re-transmission if the corresponding response is not received in<TBD-msec1>milliseconds. Maximum number of retries is<TBD-retries1>.
If Multi-Round-Time-Out AVP is included in a Secure Network Access Authentication message from PANA Authentication Agent to PANA Client, the re-transmission (same Hop-by-Hop Id and End-to-End Id) MUST not exceed this time limit.
UDP Port number(s) must be defined. SCR/SCA, CSAR/CSM and CLR/CLA message command codes must be assigned. Msg-Checksum and TLS-Payload AVP codes must be assigned.
FIG. I as described above illustrates the use of DIAMETE-EAP authentication. In the first step, the EAP client is requested to initiate the authentication procedure. Normally, the client (EAP peer) authentication is requested by the EAP authenticator or an access point, but one round-trip of EAP messages is saved when the client device, which comprises the EAP client, initiates the authentication request (EAP Request (Identity)). The EAP client responds to the request and provides an identity in the response message.
In the next step, the client or user equipment request the server in the access network (access router) to authenticate itself. The client sends a message (client hello in this embodiment where Transport Level Security is used) to the server, the message containing a session ID and information on the client'supported cryptographic algorithms. The client can indicate in the message, from which certifying authority it wishes the server to acquire its security certificate. The server responds with a server hello message, indicating the selected encryption/validation algorithm, as well as provides a security certificate to the client. The next messages conclude Phase I, establishing a secure connection between the client and the server in the access network. Both the client and the server send a finished message to confirm that the key exchange and authentication were successful.
In Phase II, the client authentication stage, uses the secure connection established between the client and the server for exchanging authentication information with an authentication server. The client sends an authentication request, which is to be passed on to the authenticator by the access point server. The message contains, for example, the client ID which the client received from the EAP peer in the first step. The server in the access network forwards the authentication request to the AAA home server, which in turn forwards the EAP response (received from the EAP peer/client in step 1) to the EAP authenticator. In the next step, the EAP authenticator indicates that it is not satisfied with the client's identity information only, but requires an additional authentication round. The EAP authenticator sends an EAP request toward the client with a ‘multi-round’ result code, which indicates, that an additional round trip is required for authentication. The EAP authenticator indicates in the EAP request sent toward the client, which type of further authentication is requested from the client. The message is then forwarded through the AAA infrastructure to the EAP client, which creates the required response to the authentication request and sends the response back toward the EAP authenticator through the AAA infrastructure. When the EAP authenticator receives the client's response, it checks whether the response was as expected, and in case of a valid response, the EAP sends a message indicating successful authentication toward the client.
FIG. 5 illustrates a prior art diagram of a generic system and process in which serial processing involving phases I and II, like FIG. 1, is illustrated between UE, an access network and a home network which may be an AAA home network. Phase I represents the establishment of a secure tunnel between the UE and the access network and Phase II represents authentication of the UE with the home network. As may be seen, the establishment of a secure connection (Phase I) precedes the authentication of the UE (Phase II) in the home network. This serial process has the resultant time delay.
FIG. 6 illustrates a prior art diagram of a generic system and process in which serial processing involving Phases I and II, like FIG. 1 and, is illustrated between a UE and one of either a home network or a visited network network. Like the processing described above in conjunction with FIGS. 1 and 5, the processing is serial involving Phases I and II with the attendant time delay. A single network entity in the home or visited network is the point of exchange with the Request and Answer messages involving Phases I and II.
First, the UE or client requests the access network server to authenticate itself, the server provides the client with its security certificate, and the key exchange and authentication is confirmed by “finished” messages sent by both the client and the server. The client sends an authentication request through the network infrastructure which may be an AAA architecture toward the authentication server, the authentication server challenges the UE to provide additional authentication information, and once the server receives a valid response to its challenge from the UE, the server sends a message indicating successful authentication toward the UE through the infrastructure.