(a) Field of the Invention
The present invention relates to an authentication method in a wireless portable Internet system, and more specifically, to a method for allocating an authorization key identifier in the wireless portable Internet system.
(b) Description of the Related Art
Wireless portable Internet is a next-generation communication system that supports mobility in local-area data communication, unlike a conventional wireless local area network (LAN) that uses a fixed access point. Various standards for the wireless portable Internet have been proposed, and its international standardization has progressed in IEEE 802.16e. IEEE 802.16 supports the metropolitan area network (MAN), an information communication network whose coverage lies between that of the LAN and the wide area network (WAN).
To securely provide various traffic data services in a wireless portable Internet system, a security function including authentication and authorization is required. These functions are also required to guarantee the stability of the network and of the wireless portable Internet service. Recently, privacy key management version 2 (PKMv2), which is a security key management protocol, has been proposed to provide higher security. In PKMv2, subscriber station equipment authentication, base station equipment authentication, and user authentication may be performed by a Rivest-Shamir-Adleman (RSA) authentication method or by an extensible authentication protocol (EAP) authentication method. In both the RSA and EAP authentication methods, the subscriber station and the base station share an authorization key.
In further detail, the method for allocating an authorization key identifier in a conventional IEEE 802.16 wireless metropolitan area network (MAN) system will now be described.
Firstly, in the RSA-based authorization method, when RSA-based authorization is achieved, the subscriber station and the base station share a primary authorization key (PAK). The identifier for the shared PAK is generated sequentially by the base station and transmitted to the subscriber station. The authorization key identifier, which identifies the authorization key derived from the PAK, has the same value as the PAK identifier.
In the EAP-based authorization method, when EAP-based authorization is achieved, the subscriber station and the base station share a pairwise master key (PMK). The identifier for the shared PMK has a value derived from the EAP session ID value, which the subscriber station and the base station receive from the higher-layer EAP protocol.
The authorization key identifier, which identifies the authorization key generated from the PMK, likewise has a value derived from the same EAP session ID value.
Although the subscriber station and the base station share the authorization key by the above methods, when re-authentication is performed by the RSA-based authorization method, the subscriber station and the base station each hold two PAKs and two authorization keys. In this case, because the base station allocates each PAK identifier and authorization key identifier, the two PAKs can be distinguished by their PAK identifiers and the two authorization keys by their authorization key identifiers.
When re-authentication is performed by the EAP-based authorization method, the subscriber station and the base station likewise each hold two authorization keys, which must be distinguished by the authorization key identifiers that the subscriber station and the base station generate from the EAP session ID value. However, the EAP session ID value used as input for generating the authorization key identifier does not change when EAP-based re-authentication is performed, so the new authorization key identifier equals the previous authorization key identifier and the new PMK identifier equals the previous PMK identifier. The subscriber station and the base station therefore each hold two PMKs and two authorization keys that cannot be told apart. In other words, the PMK identifier and the authorization key identifier used in the EAP-based authorization method cannot distinguish the two PMKs and the two authorization keys during re-authentication.
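The following model, added here as an illustration and not taken from the patent or from the IEEE 802.16e specification, contrasts the two identifier-allocation schemes just described. The RSA path is modelled as a base-station sequence counter; the EAP path derives the PMK and authorization key identifiers from the EAP session ID. The derivation function (a truncated HMAC-SHA-256), the identifier length, the key lengths and the EAP session ID value are all constructed stand-ins and are not the standard's actual functions or sizes; what the model shows is that after one re-authentication the RSA scheme yields two distinguishable key sets while the EAP scheme yields two distinct keys carrying identical identifiers.

```python
"""Model of authorization-key identifier allocation across re-authentication.

Added example, not code from the patent or from IEEE 802.16e. The
identifier derivation, identifier/key lengths, and the EAP session ID
below are constructed stand-ins for the standard's real values.
"""
import hashlib
import hmac
import os

ID_LEN = 8  # assumed identifier length in bytes (stand-in, not the 802.16e size)


def derive_identifier(seed: bytes, label: bytes) -> bytes:
    """Stand-in for "an identifier derived from" a value: keyed hash, truncated.

    Deterministic in (seed, label): the same EAP session ID always yields
    the same identifier, which is exactly the property the text describes.
    """
    return hmac.new(seed, label, hashlib.sha256).digest()[:ID_LEN]


class RsaAuthorization:
    """RSA path: the base station allocates PAK identifiers from a counter
    and the AK identifier takes the same value as the PAK identifier."""

    def __init__(self) -> None:
        self.counter = 0
        self.active = []  # (pak_id, akid, pak) held by both SS and BS

    def authorize(self) -> tuple:
        self.counter += 1
        pak = os.urandom(20)  # constructed PAK; its value plays no role in the IDs
        pak_id = self.counter.to_bytes(ID_LEN, "big")
        akid = pak_id  # AK identifier equals the PAK identifier
        self.active.append((pak_id, akid, pak))
        return pak_id, akid


class EapAuthorization:
    """EAP path: SS and BS both derive the PMK and AK identifiers from the
    EAP session ID, which does not change on EAP re-authentication."""

    def __init__(self, eap_session_id: bytes) -> None:
        self.eap_session_id = eap_session_id
        self.active = []  # (pmk_id, akid, pmk) held by both SS and BS

    def authorize(self) -> tuple:
        pmk = os.urandom(20)  # each EAP run produces a fresh PMK ...
        pmk_id = derive_identifier(self.eap_session_id, b"PMK")  # ... but the
        akid = derive_identifier(self.eap_session_id, b"AK")     # IDs repeat
        self.active.append((pmk_id, akid, pmk))
        return pmk_id, akid


def identifiers_distinguish_keys(active) -> bool:
    """True only if every held key has a unique (key id, AK id) pair."""
    ids = [(kid, akid) for kid, akid, _ in active]
    return len(set(ids)) == len(ids)


def keys_are_distinct(active) -> bool:
    """True if the held key material itself differs between entries."""
    keys = [k for _, _, k in active]
    return len(set(keys)) == len(keys)


def rsa_reauth_distinct() -> bool:
    """Initial authorization plus one re-authorization on the RSA path."""
    rsa = RsaAuthorization()
    rsa.authorize()
    rsa.authorize()
    return identifiers_distinguish_keys(rsa.active)


def eap_reauth_distinct() -> bool:
    """Initial authorization plus one re-authorization on the EAP path."""
    eap = EapAuthorization(eap_session_id=bytes.fromhex("0102030405060708"))
    eap.authorize()
    eap.authorize()
    # Two different PMKs and AKs are now held, yet their identifiers collide,
    # so neither side can tell from an identifier which key a message uses.
    assert keys_are_distinct(eap.active)
    return identifiers_distinguish_keys(eap.active)


if __name__ == "__main__":
    print("RSA path: identifiers distinguish the two key sets:", rsa_reauth_distinct())
    print("EAP path: identifiers distinguish the two key sets:", eap_reauth_distinct())
```

The collision is independent of the hash chosen: any function of the EAP session ID alone repeats as long as that session ID repeats, so the fix has to introduce an input that differs per authorization run or have one side allocate the identifier, as the RSA path already does.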
In addition, in a wireless portable Internet system based on the conventional IEEE 802.16 wireless MAN system, the PAK, PMK, and authorization key identifiers are large, so considerable resources are consumed in transmitting the medium access control (MAC) messages that carry them.
Therefore, the identifiers for the PAK, PMK, and authorization key shared by the subscriber station and the base station must distinguish the respective keys, and their sizes must be efficiently reduced.
The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.