Many access technologies such as GSM, WCDMA, WLAN, WiMAX provide basic security for the first hop, i.e., communication between the user device and an access point of the network. The communication may use layer 2 or layer 3 in the protocol stack. SRTP (RFC3711) and MIKEY (RFC3830) are examples of protocols for media security and key management. MIKEY can be based on both pre-shared keys and PKI. Moreover, MIKEY can be integrated into session set-up signalling (SIP or RTSP) using RFC4567.
However, the basic security provided by these access technologies can not always be considered sufficiently secure. In fact, some access technologies do not provide any basic security, e.g. 802.3/Ethernet or DSL.
Therefore, there is a need to provide added or improved security mechanisms in many access technologies.
A problem with existing approaches to key management relates to the assumption that both end-points use the same type of basic credential. However, this assumption is not always true which is the case in, e.g., Fixed-Mobile Convergence (FMC). In FMC one of the users may be a 3GPP subscriber using SIM-based credential, e.g. SIM, USIM, ISIM, and the other may be e.g. a Cable access user that implements PKI-based credentials.
There are also certain problems with integration of key management into known signalling protocols.
Another example presenting a problem relates to “early media” meaning that media may start to flow back from the responder before the key management operations according to e.g. MIKEY-over-SIP has finished. Thus, although MIKEY may be carried in-band with SIP, there may not be any keys available to protect the first few packets. The alternative, using media-in-band key management would solve this problem but is disadvantageous e.g. from firewall traversal point of view. Furthermore, it is not sound engineering practice to carry signalling in the media path.
Another problem with known methods for key management relates to “forking” wherein the initiator of, e.g., a Multimedia Telephony call (MMTEL) may not be sure which terminal the other end-point will use to answer. Even if all the terminals for answering the call are PKI-enabled, different terminals may use different public keys and thus the initiator cannot know which key to use for an invitation request. More precisely, according to known methods it is not until after the responder has answered that key management can even start and that an appropriate public key can be determined. As mentioned above, media-in-band key management may alleviate the problem, however, being disadvantageous as mentioned above.
Still another problem with known methods for key management is that some IMS services are peer-to-peer (P2P) whereas others provide group services e.g. Push-to-talk over cellular PoC). Requiring users to manage group keys raises problems and, in fact, a user cannot be sure that all group members will even reply to an invitation and participate in the session. There is, thus, in this case a need to make a distinction between members that potentially could be in the group session and the members that are participating in the group session, since it may, e.g., be beneficial to only distribute session keys to the members who are actually participating.
A further problem with prior art is that some services, e.g. messaging, may be handled in different ways depending on whether the responder is on line or not. For instance, an instant message (IM) may automatically be converted into a deferred message (DM) for later delivery if the receiver is not on-line. The sender may not know if the other party is on-line and may thus not know what key management is suitable at the time of sending the message. S/MIME based solutions could possibly alleviate the situation, but S/MIME is not suitable for real-time media such as MMTEL. Therefore, the key management approach may become dependent on which IMS service that is being used which is undesirable. In addition, S/MIME lacks support for pre-shared keys (e.g. SIM) and does not provide replay protection due to the fact that there is no session concept in which two S/MIME protected messages can be correlated.