FIG. 1 illustrates diagrammatically the architecture of a cellular communications network for mobile wireless terminals. The network comprises a set of access nodes 4, 6 interconnected by an IP network 12. A subscriber owns user equipment (UE) 1 and has a subscription with a “home” network 3. The home network has a Home Location Register (HLR) 10 which comprises a database that stores subscriber information such as billing information, service allowance and subscriber location. The subscriber may take the UE and roam to a visited foreign wireless network 2, where he wishes to access certain communication services via a first access node 4, for example voice calls (routed through a circuit switched network), Internet access, peer-to-peer data connections with other UEs, or other data services. Before the subscriber is allowed to access such services via the UE, the visited network requires that the subscriber be authenticated, and this is typically achieved by the visited network 2 contacting the home network 3. The visited network may perform some initial check to verify that the UE is making a valid request.
The visited network 2 will not grant the subscriber access to any services until it knows that such access will be paid for, and the visited network therefore sends an authentication request 5 to the home network to determine whether the subscriber is a registered subscriber of the home network, and is therefore trusted. Only after the home network 3 has confirmed, in message 5′, that the subscriber is registered with the home network will the visited network provide access to the available services. The authentication process may require more than one pair of messages 5, 5′ to be exchanged between the visited network and the home network. The full authentication procedure may be a lengthy process, both in terms of the time it takes and the communication overheads imposed on the communication network. Protocols for use in authenticating roaming subscribers include MAP, RADIUS and DIAMETER.
After successful authentication, circumstances may change such that the UE has to access the visited network via an alternative access node 6. The access node that the UE uses to connect to the visited network can depend on a variety of factors, including amongst others physical proximity, bandwidth capacity and existing operational load. Such switching may be frequent in, for example, a wireless LAN, where cell sizes are small and the UE moves between access nodes often.
Each time the UE wishes to attach to a new access node, the access node must repeat the authentication process carried out by the previous access nodes by sending a request 7 to the home network 3, and awaiting a response 7′ from the home network. This second authentication process takes a similar length of time and consumes a similar amount of network resources to the initial authentication process. It is undesirable for excessive amounts of signalling data to be transferred over the network; the network operators are provided with fixed bandwidth allocations, and can only charge subscribers for service-related data. Signalling data represents unchargeable bandwidth usage, and network operators wish to minimise its use. The second authentication process will likely result in an interruption of the services provided to the subscriber. This may not be a significant problem if, for example, the subscriber is accessing a website, where a small delay in the data being supplied does not adversely affect the quality of the service provided. However, for services such as voice calls or streaming multimedia broadcasts, an interruption to the service is undesirable.
It is therefore desirable to provide a secure authentication mechanism in which the authentication time when switching access nodes is reduced. It is also desirable to provide a secure authentication mechanism that bypasses the need to query the home network to confirm the identity of the UE, reducing the signalling overheads on the home network.
A concept known as “fast handoff” has been developed for use in networks in which UEs switch between different access nodes on a frequent basis, the concept providing a faster means for switching between alternative access nodes. A full authentication is provided, but bypassing the home network. This may be achieved using either a pre-emptive control from the home network, e.g. authenticating a UE to use a new access node prior to switching over from the current access node, or via some context transfer between the two access nodes, avoiding the home network altogether.
The first of these fast handoff mechanisms still suffers from undesirably large signalling overheads, requiring further signalling between the home and visited networks each time the UE switches access nodes. Considering further the second of these “fast handoff” mechanisms, a number of different fast handoff implementations have been proposed; these avoid excess communication with the home network 3 by using some type of session key or re-authentication key distributed to the access nodes. The keys are agreed upon by both the home network and the visited network during initial authentication, and the keys are then distributed among the access nodes of the visited network. This enables fast re-attachment of a UE when switching between access nodes but exposes the system to unnecessary security vulnerabilities, the main one being that a single compromised access node has access to all such session and re-authentication keys. A single compromised access node can therefore provide information to a malicious third party which would enable that party to imitate the UE and access services from the visited network without having to provide payment.
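The following toy model, added here as an illustration and not taken from the patent or any real MAP/RADIUS/DIAMETER implementation, makes the two points of the preceding paragraphs concrete: an initial attach costs a round trip 5/5′ to the home network, a fast re-attach to another access node does not, and the blast radius of one compromised access node depends entirely on what key material that node stores. The "shared" mode models the criticised scheme in which every access node holds the same re-authentication key; the "per_node" mode is an assumed alternative (a key derived from the master session key and the node's own identifier) included only to show the contrast, and is not the mechanism the text goes on to propose. All subscriber identifiers, keys and node names are constructed.

```python
"""Toy model of roaming authentication and fast-handoff key distribution.

Constructed example: it models only who holds which key and which local
checks succeed, not any real signalling protocol.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a generic pseudo-random function over labelled inputs."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class HomeNetwork:
    """Home network 3: an HLR mapping subscriber id -> long-term key K."""

    def __init__(self):
        self.hlr = {}
        self.queries = 0  # authentication requests received from visited networks

    def register(self, imsi: str, k: bytes) -> None:
        self.hlr[imsi] = k

    def authenticate(self, imsi: str, challenge: bytes, response: bytes):
        """Message 5/5': return a master session key (MSK) if the response proves knowledge of K."""
        self.queries += 1
        k = self.hlr.get(imsi)
        if k is None or not hmac.compare_digest(prf(k, b"auth", challenge), response):
            return None
        return prf(k, b"msk", challenge)


class UE:
    """User equipment 1 holding the same long-term key K as the HLR."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.msk = imsi, k, None

    def respond(self, challenge: bytes) -> bytes:
        return prf(self.k, b"auth", challenge)

    def finish(self, challenge: bytes) -> None:
        self.msk = prf(self.k, b"msk", challenge)

    def reauth_key(self, node_id: str, mode: str) -> bytes:
        # "shared": the MSK itself is the re-authentication key at every node.
        # "per_node": assumed alternative, a key bound to one node's identifier.
        return self.msk if mode == "shared" else prf(self.msk, b"node", node_id.encode())


class VisitedNetwork:
    """Visited network 2 with several access nodes (4, 6, ...)."""

    def __init__(self, home: HomeNetwork, node_ids, mode: str):
        self.home, self.mode = home, mode
        self.nodes = {n: {} for n in node_ids}  # node_id -> {imsi: stored key}

    def initial_attach(self, ue: UE, node_id: str) -> bool:
        """Full authentication via the home network, then key distribution to all access nodes."""
        challenge = secrets.token_bytes(16)
        msk = self.home.authenticate(ue.imsi, challenge, ue.respond(challenge))
        if msk is None:
            return False
        ue.finish(challenge)
        for n in self.nodes:
            self.nodes[n][ue.imsi] = msk if self.mode == "shared" else prf(msk, b"node", n.encode())
        return True

    def verify_at_node(self, node_id: str, imsi: str, challenge: bytes, response: bytes) -> bool:
        """Local check at one access node; no message 7/7' to the home network."""
        key = self.nodes[node_id].get(imsi)
        return key is not None and hmac.compare_digest(prf(key, b"reauth", challenge), response)

    def fast_reattach(self, ue: UE, node_id: str) -> bool:
        challenge = secrets.token_bytes(16)
        response = prf(ue.reauth_key(node_id, self.mode), b"reauth", challenge)
        return self.verify_at_node(node_id, ue.imsi, challenge, response)

    def impersonation_reach(self, compromised_node: str, imsi: str) -> set:
        """Nodes whose fast re-attach check the key stored at one compromised node also passes."""
        stolen = self.nodes[compromised_node][imsi]
        reach = set()
        for n in self.nodes:
            challenge = secrets.token_bytes(16)
            if self.verify_at_node(n, imsi, challenge, prf(stolen, b"reauth", challenge)):
                reach.add(n)
        return reach


def scenario(mode: str):
    """Attach at AN4, hand off to AN6, then measure the reach of a compromise of AN4."""
    k = b"constructed-long-term-key-K"
    home = HomeNetwork()
    home.register("imsi-001", k)
    ue = UE("imsi-001", k)
    visited = VisitedNetwork(home, ["AN4", "AN6", "AN8"], mode)
    ok_initial = visited.initial_attach(ue, "AN4")
    ok_handoff = visited.fast_reattach(ue, "AN6")
    return ok_initial, ok_handoff, home.queries, visited.impersonation_reach("AN4", "imsi-001")


if __name__ == "__main__":
    for mode in ("shared", "per_node"):
        print(mode, scenario(mode))
```

In both modes the handoff to AN6 succeeds with a single home-network query, which is the signalling saving the text describes; the difference appears only in the last value: with the shared key, the material stored at AN4 passes the check at every node, whereas with a per-node derived key it passes only at AN4.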
It is therefore desirable to provide a fast handoff mechanism for fast switching of mobile nodes between access nodes in an access network and which avoids the risk that a single access node can be compromised to allow a third party to access other access nodes.