1. Field of the Invention
This invention relates generally to a communication system, and, more particularly, to a wireless communication system.
2. Description of the Related Art
Access points are used to provide wireless connectivity to one or more mobile units in a wireless communication system. Exemplary access points may include base stations, base station routers, Access Serving Networks (ASNs), WiMAX routers, and the like. Mobile units may include cellular telephones, personal data assistants, smart phones, text messaging devices, laptop computers, desktop computers, and the like. The access point also provides connectivity to one or more outside networks. For example, in a wireless network that operates according to an IEEE 802.16 protocol, a mobile unit may establish a wireless connection with a WiMAX router, which may include one or more Access Serving Network (ASN) entities and one or more base stations. The WiMAX router may be connected to one or more Connectivity Serving Networks (CSN) that provide connectivity to an outside network.
Security associations may be established and maintained to allow secure communications between mobile units and the serving network. For example, systems that operate according to the IEEE 802.16e and/or WiMAX standards may use the privacy and key management, version 2, (PKMv2) protocol with Extensible Authentication Protocol (EAP) for user authentication and device authorization. The PKMv2 protocol supports device authorization and user authentication between a mobile unit and a home Network Service Provider (NSP) using a 3-party scheme.
The three parties in the PKMv2 protocol are the supplicant, the authenticator, and the authentication server. A supplicant is an entity at one end of a point-to-point link that is being authenticated by an authenticator attached to the other end of that link. An authenticator is an entity at one end of a point-to-point link that facilitates authentication of supplicants that may be attached to the other end of the point-to-point link. The authenticator enforces authentication before allowing the supplicant access to services in the network. An authentication server is an entity that provides an authentication service to an authenticator. This authentication server uses the credentials provided by the supplicant to determine whether the supplicant is authorized to access the services provided via the authenticator. For example, in a WiMAX system, the supplicant is the mobile unit, the authenticator resides in the Access Serving Network (ASN), and the authentication server is implemented in an authentication, authorization, and accounting (AAA) server in the Connectivity Serving Network (CSN).
The Extensible Authentication Protocol (EAP) is an encapsulation protocol used to transport packet data units (PDUs) that may be used to negotiate an authentication method between the supplicant and the authentication server. The Extensible Authentication Protocol may be encapsulated within other protocols such as the PKMv2 protocol, the 802.16 protocol, a RADIUS or DIAMETER protocol, a Universal Datagram Protocol (UDP), a Transmission Control Protocol (TCP), an Internet Protocol (IP), and the like. The RADIUS protocol and possibly the DIAMETER protocol are the de facto transport protocols for EAP over IP networks between the authenticator and authentication server. The Extensible Authentication Protocol (EAP) supports cryptographically strong key-deriving methods such as EAP-TLS, EAP-AKA and EAP-MSCHAPv2, as well as reuse of user credential types across WiMAX networks.
Secure connections are typically established according to a security model that specifies an operational relationship between the supplicant, the authenticator, and the authentication server. For example, a four-phase security model may be used. In the first phase, a supplicant (e.g., a mobile unit) discovers one or more available base stations that can provide wireless connectivity in a coverage area and selects a particular base station as a preferred (or serving) base station. The mobile unit then discovers configuration data, and the discovery may occur statically and/or dynamically. In the second phase, the supplicant presents its credentials to the authenticator, which forwards the supplicant's credentials to the authentication server. Depending on the authentication method being negotiated, multiple roundtrip communications between the various entities may be used. If the authentication procedure succeeds, the authentication server forwards a session-related key to the authenticator in the third phase. The authentication server also forwards information that may be used to generate the session-related key to the supplicant. The session-related keys held by the authenticator and the supplicant are used to establish a security association manifested by a pair of secret symmetric keys, which may be used to generate keys to protect data transmitted in the fourth phase.
In systems that operate according to the IEEE 802.16 and WiMAX standards, a symmetric key called the Master Key (MK) is pre-provisioned into the supplicant and the authentication server upon initialization of the supplicant's subscription. The Master Key represents the current subscription-based security association and only the supplicant and the authentication server can possess Master Key, which demonstrates authorization to make a decision on behalf of supplicant. An example of a Master Key is the root key used in authentication and key agreement (AKA) protocols. The supplicant and/or the authentication server can generate a Master Session Key (MSK) and/or an Extended Master Session Key (EMSK) from the Master Key. The Master Session Key is typically used for fixed subscribers and the Extended Master Session Key is typically used for mobile subscribers. These keys may be derived as recommended in section 7.10 of the IETF RFC-3748 “Extensible Authentication Protocol.”
The supplicant and the authentication server may derive an AAA-key based on the Master Session Key (or the Extensible Master Session Key). The authentication server populates the AAA-Key into the corresponding authenticator using, for example, the RADIUS and/or DIAMETER protocols to establish a security association between the supplicant, the authenticator, and the authentication server. The supplicant and the authenticator each generate one of a pair of secret symmetric keys, which may be referred to as Pairwise Master Keys (PMKs), using the AAA-key. The IEEE 802.16 and WiMAX standards state that the supplicant and the authenticator derive the Pairwise Master Keys by truncating the AAA-key. Generation of the Pairwise Master Keys marks the successful completion of the Credential Verification and User Authentication phase, i.e. the second phase described above. The supplicant and the authenticator may each generate a copy of an Authorization Key (AK) using the Pairwise Master Key. Additional keys may be derived from the Authorization Key, as documented in the IEEE 802.16e draft standard.
Periodically refreshing the pair of secret symmetric keys that govern the security association between the supplicant and the authenticator may be useful. For example, the secret symmetric keys may expire after a predetermined key lifetime and thus it may be desirable to refresh the secret symmetric keys before they expire. Furthermore, the static linkage between the Pairwise Master Key and the Authorization Key requires that the Pairwise Master Key be erased when the Authorization Key is erased due to an 802.16e specified security operation. However, the only way to modify a Pairwise Master Key in the current IEEE 802.16e standard is to invoke the full three-party, four-phase authentication procedure described above.
The three-party, four-phase authentication procedure described above may consume a large amount of time and other system resources, at least in part because the authentication server in the subscriber's home network is to be accessed. Accordingly, a security association established between the supplicant and the authenticator (as expressed by a pair of secret symmetric keys) may be retained for a relatively long time. For example, the Pairwise Master Key used to define the security association between the mobile unit and the Access Serving Network may not be refreshed as long as the mobile unit stays within the boundary of the current Access Serving Network. Consequently, other keys derived from the pair of secret symmetric keys may not be refreshed. For example, the Access Key (AK) generated for a specific base station is typically defined as a function of the Pairwise Master Key (PMK), a Base Station Identifier (BS-ID), and a mobile unit identifier (MS-ID) and consequently will be set to the same value for as long as the Pairwise Master Key (PMK) remains the same.
However, maintaining a security association between the supplicant and the authenticator (as expressed by a pair of secret symmetric keys) for a relatively long time may increase security risks associated with the security association. Maintaining the secret symmetric keys for a relatively long period may also increase the probability of passive and active attacks on the relatively static values of the various keys, such as the Pairwise Master Key, the Authorization Key, and the like. For example, base stations in a less trusted security domain may use the values of keys such as the Pairwise Master Key and/or the Authorization Key to crypt-analyze the keys. The keys may then be used by an attacker to decrypt information associated with current and/or prior communication sessions.