Tamper-resistant identity cards have proven to be very good security tokens: they automatically provide security on the access link and require the user only to know a PIN code. Exemplary identity cards are the SIM, USIM, and ISIM. It is noted that an identity card may be implemented as logical functionality on a physical card such as a UICC (Universal Integrated Circuit Card) according to the UMTS standard. Mobile operators also find identity cards attractive from a business point of view, since their large installed customer base can be exploited beyond the cellular domain. Thus, there is a general desire to exploit identity cards also outside the mobile networks, e.g. to provide multi-access services, including fixed broadband accesses (DSL, PON/FTTH, WiMax, WLAN), or even to provide Single Sign-On services in federated business scenarios.
There are several business drivers behind the non-conventional usage of identity cards, for example increasing the ARPU (Average Revenue per User), increasing traffic in the access/transport networks, and obtaining new sources of income through brokerage towards third-party service providers.
For users who already have a mobile subscription, various ways are known to re-use an identity card for other accesses, including fixed access. However, it may be more difficult to re-use identity cards for users who do not have a mobile subscription. A solution based on a home gateway readily comes to mind: the home gateway would contain an identity card for authenticating the home subscription towards the operator/provider. However, this authentication would be independent of the user working behind the gateway. Moreover, the security association resides inside the gateway. Such an arrangement allows trusted users behind the gateway to access the operator services under one single (group) subscription. This approach is currently being applied for providing residential IMS services to households via an ISIM-enabled home IMS gateway.
However, if one of the trusted users leaves the local home network and takes a mobile user entity beyond home network coverage, there is no established user-specific security association that can be used to secure new services, e.g. WiMax or WCDMA access, an IMS service, etc. A practical example is a user who changes from 802.3 (LAN) access via the home gateway to 802.16 (MAN) access, e.g. when moving the terminal outside the house into the garden. With known arrangements such a scenario would require a full re-authentication of the user, preferably based on a user identity card, e.g. a SIM, USIM, or ISIM module. Thus, no secure and convenient hand-over is possible. Transferring the already established security association out of the gateway is undesirable from a security point of view: if it happens to be re-used in an insecure access, the security of the gateway, and of all users behind it, is compromised as well. Even if it were acceptable from a security point of view, it is not possible for the operator to tell which of the users in the home went outside. Thus, it is not possible to adapt certain services, e.g. to block adult content from being accessed by children.
Indeed, in many cases a residential gateway contains a NAT function, a firewall, a router, etc., and there is simply no way to tell which user is working behind the gateway. In many cases this may be desirable from a security and privacy point of view. In other cases, however, it is a disadvantage that group members cannot act individually and independently of other group members.
One possibility to solve the problem of distinguishing individual users operating behind a group subscription is to use an IMS ISIM, which allows the registration of multiple public user identities (IMPUs) associated with a single private user identity (IMPI). However, the gateway-dependency problem remains.
There is, further, a growing interest in using an identity module, such as a SIM, USIM or ISIM module, for authentication to various services provided to a network subscriber. Either the network operator provides such services itself, or a third-party service provider co-operates with the operator to offer service access through the operator network. The Generic Authentication Architecture (GAA) standard (3GPP TS 33.220) describes the security features and a mechanism to bootstrap authentication and key agreement for application security from the 3GPP AKA mechanism. However, a member of a group, such as a family member, working behind a gateway, such as a home gateway, may not be able to individually benefit from GAA bootstrapping and gain access to the desired services.
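As an added illustration of what the GAA bootstrapping referred to above actually produces (example code written for this page, not part of the patent text or of any 3GPP reference implementation), the following Python derives the NAF-specific key Ks_NAF from the AKA outputs CK and IK, as specified in 3GPP TS 33.220 Annex B as understood here, and forms the B-TID that the UE later presents to a service (NAF). The CK/IK/RAND values, the IMPI and all host names are constructed sample data; the Ua security protocol identifier for HTTP Digest is taken from Annex H as I recall it and is marked as an assumption in the code.

```python
"""
Added worked example (not from the patent text): the NAF-specific key
derivation that GBA bootstrapping (3GPP TS 33.220) builds on top of AKA.
Constants follow TS 33.220 Annex B / Annex H as understood here; the
sample CK/IK/RAND values are constructed and are not real keys.
"""
import base64
import hashlib
import hmac


def build_s(fc: int, params: list) -> bytes:
    """Input string of the generic 3GPP KDF (TS 33.220 Annex B.2):
    S = FC || P0 || L0 || P1 || L1 || ... with Li = 2-octet big-endian
    length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: list) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(Key, S), 256-bit output."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


# Ua security protocol identifier for HTTP Digest (TS 33.220 Annex H):
# first octet = organization (0x01 = 3GPP), then a 4-octet protocol id.
# ASSUMED value; verify against the current Annex H before relying on it.
UA_HTTP_DIGEST = bytes([0x01, 0x00, 0x00, 0x00, 0x02])


def naf_id(naf_fqdn: str, ua_protocol_id: bytes = UA_HTTP_DIGEST) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier."""
    return naf_fqdn.encode("utf-8") + ua_protocol_id


def b_tid(rand: bytes, bsf_domain: str) -> str:
    """Bootstrapping transaction identifier handed to the UE by the BSF:
    B-TID = base64(RAND) '@' BSF server domain name (TS 33.220 4.5.2)."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


def ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str, naf: bytes,
           gba_u: bool = False) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with Ks = CK || IK
    and FC = 0x01 (TS 33.220 Annex B.3). The label "gba-u" is used for
    GBA_U, where the key never leaves the UICC."""
    if len(ck) != 16 or len(ik) != 16 or len(rand) != 16:
        raise ValueError("CK, IK and RAND are 128-bit values in AKA")
    label = b"gba-u" if gba_u else b"gba-me"
    return kdf(ck + ik, 0x01, [label, rand, impi.encode("utf-8"), naf])


def bootstrap_demo() -> dict:
    """Both ends of one bootstrap run, using constructed values."""
    # Constructed AKA outputs shared by the UE (via its ISIM) and the
    # BSF (via the HSS authentication vector). Not real keys.
    ck = bytes(range(0x10, 0x20))
    ik = bytes(range(0x20, 0x30))
    rand = bytes(range(0x30, 0x40))
    impi = "user@ims.example.net"     # hypothetical IMPI of the ISIM
    transaction = b_tid(rand, "bsf.example.net")  # hypothetical BSF

    # Ua side: the UE derives Ks_NAF for the service it is contacting.
    ue_key_video = ks_naf(ck, ik, rand, impi, naf_id("video.example.net"))
    # Zn side: the BSF derives the same key for that NAF when the NAF
    # looks up the B-TID the UE presented.
    bsf_key_video = ks_naf(ck, ik, rand, impi, naf_id("video.example.net"))
    # A second NAF gets a different key from the same bootstrap, so a
    # compromised NAF cannot reuse the user's key towards another NAF.
    ue_key_mail = ks_naf(ck, ik, rand, impi, naf_id("mail.example.net"))

    return {
        "b_tid": transaction,
        "video_match": ue_key_video == bsf_key_video,
        "naf_keys_differ": ue_key_video != ue_key_mail,
        "key_len": len(ue_key_video),
    }


if __name__ == "__main__":
    print(bootstrap_demo())
```

Note that the IMPI is one of the KDF inputs and an ISIM holds a single IMPI. When the ISIM sits in the home gateway, every household member who bootstraps through it therefore ends up with the same Ks_NAF towards a given NAF, which is exactly why the group members cannot be told apart or served individually, as the passage states.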
Thus, there is a need to provide individual group members, whether behind or moving outside the range of a home gateway, with convenient and individual access to services provided by a network operator. In particular, there is a need to provide such access to mobile users having no prior subscription with the operator.