Method and system for providing security from a radio access network

Abstract

The disclosure relates to a security method in a radio access network system. A shared secret key is stored in both a user device and a core network system. A further secret key is received from the core network system, wherein the further secret key has been derived using the shared secret key stored in the core network system. One or more values are provided over the radio interface to the user device to derive the further secret key in the user device from at least the shared secret key stored in the user device and one or more of the one or more values provided over the radio interface. An authentication procedure and/or a key agreement procedure is performed for the user device over the wireless radio interface using the received further secret key in the radio access network system and the derived further secret key in the user device.

Claims

1. A user device configured for operating within a radio access network system, the radio access network system comprising one or more base stations providing a wireless radio interface for at least one user device, wherein a shared secret key is stored in both the user device and a core network system of a telecommunications network, wherein the user device comprises: a receiver configured for receiving one or more values provided over the radio interface from the radio access system, wherein one or more of one or more values provided over the radio interface to the user device are received as an authentication vector for the user device; a storage storing the shared secret key; and a computer system configured for: performing a first authentication procedure using the authentication vector and the shared secret key; and deriving a further secret key from the shared secret key and at least one of the one or more values received by the receiver, wherein the user device is configured to transmit a connection request to the radio access network system and to perform a local subsequent authentication procedure using the derived further secret key.

2. The user device according to claim 1, wherein the user device is further configured for processing a RAN_only indication indicating that the radio access network system is in a RAN-only mode, the RAN_only indication informing the user device that the further secret key should be derived.

3. The user device according to claim 1, wherein the user device is further configured for generating or storing, and transmitting at least one of: an indication indicating capability to derive the further secret key; or an indication indicating a request to perform the local subsequent authentication procedure and a local key agreement procedure with the radio access network; and wherein the user device is further configured for processing an identifier of the radio access network system initiating and/or being used in deriving the further secret key.

4. A subscriber hardware module for use in a user device, wherein the user device is configured for operating within a radio access network system the radio access network system comprising one or more base stations providing a wireless radio interface for at least one user device, wherein a shared secret key is stored in both the user device and a core network system of a telecommunications network, wherein the subscriber hardware module is configured to: store the shared secret key; receive a first authentication request causing the subscriber hardware module to use the shared secret key in a first authentication procedure and causing the hardware subscriber module to derive a further secret key; and receive a second authentication request, subsequent to the first authentication request, causing the subscriber hardware module to use the further secret key for a local authentication procedure, and wherein the user device is configured to perform the local authentication procedure using the derived further secret key.

5. The subscriber hardware module according to claim 4, wherein the subscriber hardware module is further configured to store the identifier of the radio access network.

6. A security method in a radio access network system of a telecommunications network providing a wireless radio interface for at least one user device, wherein a shared secret key is stored in both the at least one user device and a core network system of the telecommunications network, the method carried out in the radio access network system and comprising: receiving a further secret key from the core network system, wherein the further secret key has been derived using the shared secret key stored in the core network system; providing one or more values over the radio interface to the at least one user device to derive the further secret key in the at least one user device from at least the shared secret key stored in the user device and one or more of the one or more values provided over the radio interface, wherein one or more of the one or more values provided over the radio interface to the user device are received as an authentication vector for the user device; performing a first authentication procedure using the authentication vector; receiving a connection request from the at least one user device; and performing a local subsequent authentication procedure for the at least one user device over the wireless radio interface using the received further secret key in the radio access network system, wherein the at least one user devices uses the derived further secret key.

7. The security method according to claim 6, wherein the further secret key received from the core network is derived using at least one of: one or more of the one or more values provided over the radio interface to the user device; an identifier identifying the radio access network system; or an identifier of the user device.

8. The security method according to claim 6, further comprising receiving at least the further secret key at the radio access network system in a secure manner.

9. The security method according to claim 6, further comprising receiving one or more values of the one or more values to be provided over the radio interface to the at least one user device from the core network system as an authentication vector for the at least one user device.

10. The security method according to claim 6, further comprising: receiving at least one of the further secret key and one or more of the one or more values at the radio access network system in response to a trigger, wherein the trigger is provided prior to detecting an inability or unavailability for the radio access network system to handle at least one of an authentication procedure or a key agreement procedure from the core network system.

11. The security method according to claim 6, further comprising: transmitting a RAN_only indication onto the wireless radio interface when the radio access network system is in a RAN_only mode.

12. The security method according to claim 6, further comprising: determining from the connection request or in response to receiving the connection request that the local subsequent authentication procedure is to be performed from the radio access network system.

13. The security method according to claim 6, further comprising: requesting at least one of the further secret key or one or more of the one or more values from the core network system.

14. The security method according to claim 6, further comprising: transmitting an identifier of the radio access network system onto the wireless radio interface.

15. The security method according to claim 6, further comprising: receiving an indication from the user device indicating capability of deriving the further secret key.

16. A non-transitory computer-readable medium having instructions stored thereon that, when executed by one or more processors of a system, cause the system to carry out operations, wherein in the system comprises a radio access network system of a telecommunications network configured for providing a wireless radio interface for at least one user device, wherein a shared secret key is stored in both the at least one user device and a core network system of the telecommunications network, and wherein the operations include: receiving a further secret key from the core network system, wherein the further secret key has been derived using the shared secret key stored in the core network system; providing one or more values over the radio interface to the at least one user device to derive the further secret key in the at least one user device from at least the shared secret key stored in the user device and one or more of the one or more values provided over the radio interface, wherein one or more of the one or more values provided over the radio interface to the user device are received as an authentication vector for the user device; performing a first authentication procedure using the authentication vector; receiving a connection request from the at least one user device; and performing a local subsequent authentication procedure for the at least one user device over the wireless radio interface using the received further secret key in the radio access network system, wherein the at least one user device uses the derived further secret key.

17. A radio access network system comprising one or more base stations providing a wireless radio interface for at least one user device, wherein a shared secret key is stored in both the at least one user device and a core network system of a telecommunications network, wherein the radio access network system comprises: a receiver configured for receiving a further secret key from the core network system, wherein the further secret key is derived using the shared secret key stored in the core network system; a transmitter configured for providing one or more values over the wireless radio interface to the at least one user device to derive the further secret key in the at least one user device from at least the shared secret key stored in the at least one user device and one or more of the one or more values provided over the radio interface, wherein one or more of the one or more values provided over the wireless radio interface to the user device are received as an authentication vector for the user device; and a computer system configured for: performing a first authentication procedure using the authentication vector; receiving a connection request from the at least one user device; and performing a local subsequent authentication procedure for the at least one user device over the wireless radio interface, using the received further secret key in the radio access network system, wherein the at least one user device uses the further secret key.

18. The radio access network system according to claim 17, wherein the further secret key received from the core network is derived using at least one of: one or more of the one or more values provided over the radio interface to the user device; an identifier identifying the radio access network system; or an identifier of the user device.

19. The radio access network system according to claim 17, wherein receiving the further secret key comprises receiving at least the further secret key in a secure manner.

20. The radio access network system according to claim 17, wherein the receiver is further configured for receiving one or more values of the one or more values to be provided over the radio interface to the at least one user device from the core network system as an authentication vector for the at least one user device.

21. The radio access network system according to claim 17, wherein the receiver is further configured for: receiving at least one of the further secret key and one or more of the one or more values at the radio access network system in response to a trigger, wherein the trigger is provided prior to detecting an inability or unavailability for the radio access network system to handle at least one of an authentication procedure or a key agreement procedure from the core network system; and wherein the radio access network system is configured for requesting at least one of the further secret key or one or more of the one or more values from the core network system.

22. The radio access network system according to claim 17, wherein the transmitter is further configured for: transmitting a RAN_only indication onto the wireless radio interface when the radio access network system is in a RAN_only mode.

23. The radio access network system according to claim 17, wherein the transmitter is further configured for: transmitting an identifier of the radio access network system onto the wireless radio interface.

24. The radio access network system according to claim 17, wherein the receiver is further configured for: receiving an indication from the user device indicating capability of deriving the further secret key.

25. The radio access network system according to claim 17, wherein the radio access network system is configured for determining from the connection request or in response to receiving the connection request that the local subsequent authentication procedure is to be performed from the radio access network system.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Aspects of the invention will be explained in greater detail by reference to exemplary embodiments shown in the drawings, in which:

(2) FIG. 1 is a schematic illustration of a telecommunications network comprising a radio access network and a core network;

(3) FIG. 2 is a schematic illustration of various cases of radio access network systems at least comprising AKA functionality according to embodiments of the present disclosure;

(4) FIGS. 3A and 3B are schematic illustrations of various hardware components and functionality of these components as disclosed herein;

(5) FIGS. 4A-4C provide time diagrams illustrating exemplary steps of security methods disclosed herein;

(6) FIG. 5 provides a time diagram illustrating a more detailed security method wherein a connection of the radio access network system to the core network is available;

(7) FIG. 6 provides a time diagram illustrating a more detailed security method wherein the core network is disconnected from the radio access network system;

(8) FIGS. 7A and 7B illustrate generation and derivation of the further secret key in the core network system and the user device, respectively, along with other authentication vector values.

(9) FIG. 8 is a schematic block diagram of an embodiment of a general system or element of a telecommunications network or a user device.

DETAILED DESCRIPTION OF THE DRAWINGS

(10) FIG. 1 shows a schematic illustration of a telecommunications system 1. The telecommunications system 1 comprises a radio access network 2 (also indicated as E-UTRAN or RAN in FIG. 1) and a core network 3 containing various elements or nodes as described in further detail below.

(11) In the telecommunications system of FIG. 1, three generations of networks are schematically depicted together for purposes of brevity. A more detailed description of the architecture and overview can be found in 3GPP TS 23.002 which is included in the present application by reference in its entirety.

(12) The lower branch of FIG. 1 represents a GPRS or UMTS telecommunications network.

(13) For a GSM/GPRS telecommunications network, a radio access network 2 comprises a plurality of base stations (combination of a BSC and a BTS) and one or more Radio Network Controllers (RNCs), not shown individually in FIG. 1. The core network 3 comprises a Gateway GPRS Support Node (GGSN), a Serving GPRS Support Node (SGSN, for GPRS) or Mobile Switching Centre (MSC, for GSM, not shown in FIG. 1), a Home Location Register (HLR) combined with an Authentication Centre (AuC). The HLR contains subscription information for user devices 4 and the AuC contains a shared secret key K to be used for authentication and key agreement (AKA) procedures.

(14) For a UMTS radio access network (UTRAN), the radio access network 2 also comprises a Radio Network Controller (RNC) connected to a plurality of NodeBs, also not shown. In the core network 3, the GGSN and the SGSN/MSC are conventionally connected to the HLR/AuC that contains subscription information and shared secret keys K of the user devices 4.

(15) It should be noted that the RNC functionality in GSM and UMTS networks is formally part of the RAN. The RNC functionality may be implemented in one or more base stations. Such a configuration is known as a collapsed architecture.

(16) The upper branch in FIG. 1 represents a next generation telecommunications network, commonly indicated as Long Term Evolution (LTE) system or Evolved Packet System (EPS).

(17) The radio access network 2, indicated as E-UTRAN, comprises evolved NodeBs (eNodeBs or eNBs) providing wireless access for a device 3. The core network 3 comprises a PDN Gateway (P-GW) and a Serving Gateway (S-GW). The E-UTRAN of the EPS is connected to the S-GW via a packet network. The S-GW is connected to a Home Subscriber Server HSS and a Mobility Management Entity MME for signalling purposes. The HSS includes a subscription profile repository SPR and is combined with an Authentication Centre (AuC) that stores a shared secret key K for AKA procedures.

(18) For GPRS, UMTS and LTE telecommunications network, the core network 3 is generally connected to a further packet network 5, e.g. the internet, using e.g. a gateway (e.g. the P-GW).

(19) Further information of the general architecture of a EPS network can be found in 3GPP TS 23.401.

(20) Of course, architectures other than defined by 3GGP, e.g. WiMAX, can also be used within the context of the present disclosure.

(21) FIG. 2 is a schematic illustration of various cases of radio access network systems at least comprising local authentication and/or key agreement functionality according to embodiments of the present disclosure for an LTE telecommunications system.

(22) RAN system 10A is a radio access network system forming a cell of the radio access network 2 formed of eNodeBs, here eNodeB_1, eNodeB_2, eNodeB_3 and eNodeB_4.

(23) However, when there is no connection between RAN system 10A and core network system 11, RAN system 10A can provide communication services with the core network functionality of its own.

(24) RAN system 10B is an isolated radio access network system, i.e. a radio access system forming one or more cells separate from the radio access network 2.

(25) RAN system 10C is an stand-alone radio access network system not forming a cell of radio access network 2 but with (some) connectivity to the core network system 11 (e.g. over the internet).

(26) Each of the RAN systems, generally denoted with reference numeral 10, is enabled to provide communication services for a user device UE. A RAN system provides wireless radio coverage and may comprise one or more base station, antennas, core network functions and support for local services. A RAN system 10 may transmit an identifier of its own, i.e. an identifier different from the PLMN_ID of the radio access network 2. The identifier may indicate that RAN system 10 is a sub-network of radio access network 2. As illustrated by the various cases in FIG. 2, RAN system 10 may be intended for stand-alone use providing coverage or additional capacity where coverage was never present (e.g. in case of forest fire, or underground rescue) or where, for example, due to natural disaster coverage is no longer present. A specific example is the use case of military mission in developing country, where a truck could carry a radio access network system 10 requiring specific measures to ensure that when the local authentication core network function of the radio access network system gets captured by the adversary, it does not lead to compromise of the system as a whole.

(27) FIGS. 3A and 3B are schematic illustrations of various hardware components and functionality of these components as disclosed herein.

(28) In FIG. 3A, a block diagram of a user device UE, a radio access network system 10 and a core network system 11 is depicted. Each of these contains hardware circuitry able to process computer code to perform one or more of the functions described in further detail below.

(29) The user device UE comprises a transmitter/receiver Tx/Rx for information transmission over the wireless radio interface provided by radio access network system 10. Radio access network system 10 has a corresponding transmitter/receiver. Examples of information transmitted over the radio interface include at least one of the identifier SubNid of RAN system 10 and one or more values (e.g. a random number RAND and an authentication parameter AUTN) to be used by the user device UE to derive a further secret key K.sub.fs.

(30) User device UE further comprises a computer system (e.g. a processor) 20 and a storage 21. Initially, storage 21 at least comprises a shared secret key K and an identifier of the user device UE (e.g. the IMSI). During operation of the method disclosed herein, storage 21 may further store at least one of the further secret key K.sub.fs and the identifier SubNid.

(31) Further details of an example of operation of the user device are described with reference to FIG. 3B.

(32) RAN system 10 further comprises a computer system 22, one or more core network functions (indicated by block 23) and a transmitter/receiver (Tx/Rx) for information exchange with core network system 11. The core network functions of the RAN system may contain at least one of a local mobility management entity (MME) function, a local home subscription system (HSS) and a local authentication centre (AuC) in addition to the conventional eNodeB equipment and functionality. The radio access network system at least contains authentication and/or key agreement (AKA) functionality, as indicated in FIG. 3A. RAN system 10 also contains a storage 24. During operation of the method as disclosed herein, storage 24 of RAN system 10 stores at least a further secret key K.sub.fs.

(33) Core network system 11 comprises at least a transmitter/receiver (Tx/Rx) enabling information exchange with the RAN system 10. Core network system 11 may comprise a plurality of different entities, e.g. a subscriber system (e.g. an HSS), an authentication system (e.g. an AuC) and/or a mobility management system (e.g. an MME). The core network system 11 comprises a computer system 25 and a storage 26. Computer system 25 and storage 26 may include subscriber system functionality corresponding to an HSS. Storage 26 contains the shared secret key K (which remains stored in the core network system 11 during operation of the disclosed method). Storage 26 may also contain an indication I.sub.fs indicating that for a particular user device UE the further secret key K.sub.fs may be generated and/or transmitted to the radio access network system 10.

(34) FIG. 3B is a schematic embodiment of user device UE comprising a mobile entity ME and a subscriber module showing exemplary internal communications. The subscriber module may comprise a subscriber identity module, e.g. a SIM or USIM. The subscriber module is a secure module storing e.g. the shared secret key K. Computer system 20 may be distributed amongst mobile entity ME and the subscriber module. The subscriber module may comprise storage 21 initially storing at least shared secret key K and an identifier such as the IMSI. During or after performing of the disclosed method, the subscriber module may contain the further secret key K.sub.fs and/or the identifier of the RAN system 10 SubNid. Communications between the mobile entity ME and the subscriber module will be further described with reference to FIG. 4B.

(35) FIG. 4A is a time diagram illustrating a few steps in accordance with the disclosed security method. Initially, both user device UE and core network system 11 have stored shared secret key K as indicated, e.g. in storage 21 of the subscriber module of the UE and in storage 26 (e.g. the HSS) of core network system 11. Shared secret keys K remain stored therein during performing the disclosed method.

(36) At some point in time, e.g. caused by a trigger internal or external from the core network system 11, a further secret key K.sub.fs is generated in the core network system 11 in step S40, e.g. using computer system 25. The further secret key K.sub.fs is generated with an algorithm using shared secret key K as an input. One example of generating further secret key K.sub.fs is described with reference to FIG. 7A. In step S41, the further secret key K.sub.fs is transmitted from the core network system 11 to the radio access network system 10.

(37) The trigger for causing generation of the further secret key K.sub.fs may e.g. be an expiring timer or other type of time indication. One reason for generating the further secret key K.sub.fs and transmitting the further secret key K.sub.fs to the radio access network system 10 is to enable radio access network system 10 to provide local AKA services in a secure manner.

(38) The RAN system 10 receives the further secret key K.sub.fs and stores the further secret key K.sub.fs for further use, e.g. in storage 24. RAN system 10 transmits one or more values to the user device UE enabling user device in step S42 that enable user device UE to derive the further secret key K.sub.fs in step S43 also using shared secret key K stored in the user device UE. One example of generating further secret key K.sub.fs is described with reference to FIG. 7B.

(39) One or more of the one or more values to be transmitted from the RAN system 10 to the user device UE may be received from the core network system 11 and may include e.g. random number RAND. The values may also be pre-stored in the RAN system 10. Similarly, the further secret key K.sub.fs may also be pre-stored in RAN system 10.

(40) In step S44, at least one of an authentication procedure and a key agreement procedure for the user device UE may be performed over the wireless radio interface between the user device UE and the radio access network system 10 using the further secret key K.sub.fs. This procedure is also referred to as a local AKA procedure.

(41) By providing a separate set of further secret keys K.sub.fs in the radio access network system 10 and the user device UE, the disclosed security method and radio access system enables a virtually infinite number of local authentication and/or key agreement procedures to be performed for a user device UE using the generated further secret key K.sub.fs without storing the shared secret key K in the radio access network system 10. Accordingly, in case the radio access network system 10 is compromised and the further secret key K.sub.fs is revealed, the shared secret key K stored in the user device UE and the core network system 11 does not have to be replaced. Instead, a second further secret key may be applied for the user device UE using the method disclosed herein for authentication and/or key agreement purposes, thereby making the compromised former further secret key K.sub.fs useless.

(42) FIG. 4B is a time diagram illustrating another exemplary method of a security method. Again, both user device UE and core network system 11 have pre-stored shared secret key K as indicated, e.g. in storage 21 of the subscriber module of the UE and in storage 26 (e.g. the HSS) of core network system 11. Shared secret keys K remain stored therein during performing the disclosed method.

(43) In step S50, RAN system 10 receives a first attach request from user device UE. The attach request may contain an indication CAP(fs) indicating that user device UE is capable of performing a local AKA procedure, i.e. user device UE is capable of deriving further secret key K.sub.fs. The attach request is forwarded to core network system 11 containing the indication causing core network system 11 to generate the further secret K.sub.fs in step S52. The further secret key K.sub.fs is generated with an algorithm using shared secret key K as an input. In addition, one or more values of an authentication vector AV are used to generate the further secret key K.sub.fs. Examples of authentication vectors have been described in the summary of the present disclosure. One example of generating the further secret key K.sub.fs is described with reference to FIG. 7A.

(44) In step S53, both the further secret key K.sub.fs and the authentication vector AV are transmitted from the core network system 11 to the RAN system 10. Transmission of the further secret key K.sub.fs and the authentication vector AV may be performed in a secure manner. The further secret key K.sub.fs and one or more values of the authentication vector AV are stored in the RAN system 10.

(45) In step S54, at least some values of the authentication vector AV are transmitted from RAN system 10 to the user device UE. Examples of such values include RAND and AUTN. In one embodiment, transmission of RAND and/or AUTN is sufficient to perform the disclosed security method, i.e. to derive the further secret key K.sub.fs in the user device UE. An additional advantage is that the security method can be integrated within the existing AKA procedure.

(46) One or more of the received values have also been used to generate the further secret key K.sub.fs in the core network system 11. User device UE may be configured to exploit the received values both for performing an initial conventional AKA, i.e. to verify AUTN and to generate RES, as well as to derive the further secret key K.sub.fs. Legacy user devices, i.e. user device not configured to derive the further secret key K.sub.fs, are still able to perform the AKA procedure once.

(47) Referring now also to FIG. 3B, subsequent to step S54, the mobility entity of user device UE may transmit Authentication Command (1) to the subscriber module. Authentication Command (1) contains AV values RAND and AUTN that have been generated in the core network system 11 using K. AUTN is verified in the subscriber module to authenticate the RAN system 10. The subscriber module returns an AKA response containing RES that has been derived in a conventional manner using shared secret key K stored in storage 21. In step S55, the UE transmits RES to the RAN system 10 enabling RAN system 10 to authenticate the user device UE in a manner known as such.

(48) The value(s) of the AV may also be used to derive the further secret key K.sub.fs in the UE using shared secret key K as well as indicated by step S56. The further secret key K.sub.fs may be used for subsequent authentication and/or key agreement procedures.

(49) A subsequent AKA procedure may be triggered by a new attach request, indicated as step S57. The attach request may contain an indication that the further secret key K.sub.fs has been derived and, upon receiving the attach request, RAN system 10 may detect it has stored already a further secret key K.sub.fs for the particular user device UE, thereby obviating the need to request the core network system 11 for a further secret key K.sub.fs.

(50) In step S58, a local AKA procedure is performed using further key K.sub.fs to generate an authentication vector. As illustrated in FIG. 3B, a second Authentication Command (2) is generated contain values of the authentication vector obtained using the further secret key K.sub.fs. An AKA response is received from the subscriber module containing RES derived using the further secret key K.sub.fs.

(51) In FIG. 3B, the mobile entity ME indicates to the subscriber module that the Authentication Command should be executed and that the further secret key K.sub.fs should be derived, e.g. for a particular RAN system 10 identified by identifier SubNid. For subsequent AKAs by that RAN system 10, the mobile entity ME indicates to the subscriber module that the Authentication Command should be executed using the further secret key K.sub.fs for the particular RAN system identified by SubNid. Therefore, the first Authentication Command may signal to the subscriber module that the shared secret key K should be used to verify AUTN and to calculate RES as well as to derive the further secret key K.sub.fs, whereas further Authentication Commands signal to the subscriber module that the further secret key K.sub.fs is used to verify AUTN and to calculate RES.

(52) The mobile entity ME can perform signalling in different manners. For instance, particular bits in parameter P2 of the AUTHENTICATE APDU may be used. Furthermore, the mobile entity ME may provide the subscriber module with the identifier SubNid of the RAN system 10. This could be done as a authentication related data in the AUTHENTICATE command. The subscriber module could also contain an Elementary Field (EF) for the SubNid that may be referred to as EF.sub.SUBNID. The mobile entity uploads the identifier SubNid in this EF before giving the Authentication Commands. The subscriber module may use the SubNid stored in EF.sub.SUBNID in the calculation of the further secret key K.sub.fs in case of the first Authentication Command (1) and will retrieve the further secret key K.sub.fs associated with the SubNid stored in EF.sub.SUBNID in case of further Authentication Commands (2).

(53) FIG. 4C provides yet another exemplary time diagram illustrating as security method. Yet again, both user device UE and core network system 11 have pre-stored shared secret key K as indicated, e.g. in storage 21 of the subscriber module of the UE and in storage 26 (e.g. the HSS) of core network system 11. Shared secret keys K remain stored therein during performing the disclosed method.

(54) In step S60, RAN system 10 broadcasts an identifier SubNid and a RAN_only indication. The identifier SubNid, as already explained above, identifies the particular RAN system 10. The RAN_only indication may be used by the user device UE as information that the further secret key K.sub.fs should be derived and/or that the user device UE may request local AKA with the radio access network system. The RAN_only indication does not necessarily imply that the RAN system 10 cannot reach the core network system 11 as can be observed from FIG. 4C. It should also be noted that one of SubNid and the RAN_only indication may be sufficient for the user device to be aware that the further secret key K.sub.fs may or should be generated.

(55) In step S61, the user device UE transmits an attach request to the RAN system 10 containing the identifier IMSI. The attach request may be triggered in response to receiving at least one of the SubNid and the RAN_only indication.

(56) Step S62 illustrates a request from the RAN system 10 to the core network system 11 to generate a further secret key K.sub.fs for the RAN system 10 identified by SubNid.

(57) In step S63, the core network system first consults storage 26 to verify presence of I.sub.fs for the user device UE. This may be done on the basis of the IMSI contained in the attach request S61 and request S62. If it is determined that the user device UE is entitled to have generated a further secret key K.sub.fs for, the further secret key K.sub.fs is generated using shared secret key K and one or more values of authentication vector AV.

(58) In step S64, both the further secret key K.sub.fs and the authentication vector AV are transmitted from the core network system 11 to the RAN system 10. Transmission of the further secret key K.sub.fs and the authentication vector AV may be performed in a secure manner. The further secret key K.sub.fs and one or more values of the authentication vector AV are stored in the RAN system 10.

(59) In step S65, at least some values of the authentication vector AV are transmitted from RAN system 10 to the user device UE. Examples of such values include RAND and AUTN. In one embodiment, transmission of RAND and/or AUTN is sufficient to perform the disclosed security method, i.e. to derive the further secret key K.sub.fs in the user device UE. An additional advantage is that the security method can be integrated within the existing AKA procedure.

(60) One or more of the received values have also been used to generate the further secret key K.sub.fs in the core network system 11. User device UE may be configured to exploit the received values both for performing an initial conventional AKA, i.e. to verify AUTN and to generate RES, as well as to derive the further secret key K.sub.fs. Legacy user devices, i.e. user device not configured to derive the further secret key K.sub.fs, are still able to perform the AKA procedure once.

(61) The value(s) of the AV may also be used to derive the further secret key K.sub.fs in the UE using shared secret key K as well as indicated by step S66. The further secret key K.sub.fs may be used for subsequent authentication and/or key agreement procedures.

(62) In step S67, a local AKA procedure is performed using further key K.sub.fs to generate an authentication vector.

(63) In any of the methods described with reference to FIGS. 4A-4C, the RAN system 10 is enabled to provide secure communication services after performing the local AKA procedure S44, S58, S67.

(64) The disclosed method provides for securely establishing a further secret key K.sub.fs between the user device UE and a RAN system 10 (e.g. a local authentication centre AuC thereof). The further secret key can be used for local AKA procedures in any of the cases illustrated in FIG. 2.

(65) The further secret key K.sub.fs can be established when the user device UE is present and the RAN system 10 is still connected to the core network system 11. The further key K.sub.fs may also be established in the absence of the user device UE, wherein the RAN system 10 requests the further secret key K.sub.fs and the one or more values (of e.g. the authentication vector AV) beforehand.

(66) FIG. 5 provides a time diagram illustrating a more detailed security method wherein the user device UE is present and a connection of the radio access network system to the core network is available. In this case, the user device UE wants to attach to the RAN system 10 that is still connected to the core network system 11 (either as part of the radio access network as illustrated by RAN system 10A in FIG. 2 or as stand-alone RAN system 10C as illustrated in FIG. 2). The Local AuC of RAN system 10 and the user device UE do not share the further secret key K.sub.fs yet. In FIG. 5, the several core network functions of RAN system 10, illustrated as block 23 in FIG. 3A, are distinguished as local MME and local HSS/AuC. Similarly, an MME and a HSS/AuC are illustrated as part of the core network system 11.

(67) In step S70, the eNodeB is in RAN-only operation. The eNodeB will broadcast the PLMN_ID of the radio access network and identifying itself as a RAN system 10 associated with the radio access network (i.e. a subnetwork), by identifier SubNid via broadcast. Identifier SubNid can also be communicated to the user device UE during interaction with the user device.

(68) In step S71, the user device UE has selected the RAN system 10 based on the PLMN_ID and sends an attach request message to establish a connection with the RAN system 10. The eNodeB forwards the request to the Local MME function of the RAN system 10. The Local MME will request authentication data for this particular IMSI from the Local HSS/AuC of the RAN system 10 in step S72.

(69) If the user device has not yet established a further secret key K.sub.fs with the Local AuC of the RAN system 10 yet (the core network system 11 did not yet provide an authentication vector AV with a further secret key K.sub.fs yet), the Local HSS will respond with a failure message in step S73.

(70) In one example, illustrated in FIG. 5, the RAN system 10 request the core network system 11 to provide the further secret key K.sub.fs and the authentication vector. In another example, not shown in FIG. 5, the core network system 11 sets up a (secure) connection and uploads the further secret key K.sub.fs and the authentication vector to the RAN system 10 for a particular IMSI.

(71) In step S74, the local MME of the RAN system 10 requests the core network system 11 to initiate a particular subscriber (identified by the IMSI) at the RAN system 10 by providing an authentication vector AV and a further secret key K.sub.fs for this IMSI in the Local AuC. The local MME provides the identifier SubNid of RAN system 10 to the MME of the core network system 11. In step S75, the MME of the core network system 11 transmits a Sub-Network Authentication Data Request to the HSS/AuC of the core network system 11 enabling the HSS/AuC to verify whether the subscriber has the particular service of establishing a further secret key K.sub.fs (alternatively, this verification may also be performed by the MME in the core network system based on the subscriber profile received from the HSS). If the service is available for the IMSI, the AuC in the core network system calculates the values of K.sub.AMSE, AUTN, XRES, and RAND for the authentication vector and the further secret key K.sub.fs and encrypts these with the key K_AuC for the Local AuC of the RAN system 10. Both the values of the authentication vector AV and the further secret key K.sub.fs are obtained using the shared secret key K stored in the HSS/AuC as illustrated in FIG. 7A.

(72) It should be appreciated that there exist many cryptographic security protocols that can be used to secure the transfer of the AV and the further secret key K.sub.fs from the AuC to the Local AuC (e.g. the Secure Channel Protocol from GlobalPlatform). In this example the data is simply encrypted with a shared secret key K_AuC.

(73) In step S77, the MME of the core network system 11 sends the authentication vector AV and the further secret key K.sub.fs to the local MME of the RAN system 10. The local MME initiates the subscriber by sending a command with the encrypted authentication vector AV and the further secret key K.sub.fs to the local HSS & AuC in step S78.

(74) The local AuC will decrypt the encrypted authentication vector AV and the further secret key K.sub.fs using key K_Auc and store the IMSI and further secret key K.sub.fs. The local HSS will store the IMSI, authentication vector AV and indicate that this subscriber does not yet have the further secret key K.sub.fs. If the initialisation was successful the local HSS will respond to the local MME with an accept message as indicated by step S79.

(75) The local MME may now proceed with the attach request of step S71 from the user device UE and again request authentication data for this particular IMSI from the local HSS/AuC in step S80. The local HSS may respond in step S81 with the authentication vector AV.

(76) In step S82, the local MME of RAN system 10 can now send a Authentication Request to the user device UE and send the values of RAND and AUTN in a manner known as such. In the case of FIG. 5, the identifier SubNid of the RAN system 10 was already received by the user device UE in step S70. Alternatively, the identifier SubNid may be transmitted to the user device UE with the values of the authentication vector AV in step S82.

(77) In response to step S82, the user device UE may perform one or more of the steps described with reference to FIG. 3B and to be described with reference to FIG. 7B.

(78) Briefly, the mobile entity ME may request an authentication and initialisation of RAN system 10 from the subscriber module (e.g. the USIM). The mobile entity ME sends the RAND, AUTN received in step S82 and SubNid, to the subscriber module. The subscriber module calculates the RES and the further secret key K.sub.fs using the shared secret key K. The subscriber returns the RES to the mobile entity ME.

(79) The ME will send RES as Authentication response to the local MME of the RAN system 10 in step S83. If RES=XRES, then the local MME of the RAN system 10 will send Attach Accept in step S84.

(80) If the user device UE is not capable of communication with RAN system 10 it can still perform the authentication, since the authentication vector AV is based on the shared secret key K. If the user device UE is capable of communication with the RAN system 10, it may indicate this to the RAN system 10 as part of the UE capability signalling, e.g. in step S83.

(81) FIG. 6 provides a time diagram illustrating a more detailed security method wherein the core network system 11 is disconnected from the RAN system 10 or the core network system is not available for some reason. The user device is not involved in establishing the further secret key K.sub.fs in the RAN system 10.

(82) As can be seen from FIG. 6, similar steps as for FIG. 5 are taken for the security method but the order of the steps is different. In general, the authentication vector AV and the further secret key K.sub.fs are pre-provisioned in the RAN system 10, more specifically in the local HSS/AuC. Pre-provisioning of the information can be for a user device UE on the basis of e.g. the IMSI or for several user device (e.g. on the basis of a list of IMSI's). Pre-provisioning may either be triggered by the RAN system 10 or by the core network system 11. Values of the AV are transmitted to the user device UE upon request from the user device UE in order to derive the further secret key K.sub.fs in the user device UE.

(83) As already discussed with reference to FIG. 3B, in each of FIG. 5 and FIG. 6, the subscriber module calculates the further secret key K.sub.fs and is capable of using this key for local AKA purposes with the RAN system 10.

(84) After the authentication in which the further secret key K.sub.fs has been calculated, the K.sub.ASME that was derived from the shared secret key K in the core network system 11 is used to secure the communication with the RAN system 10. Only the next time RAN system 10 requests the user device UE to authenticate, the local AuC in RAN system 10 will generate random RAND, and calculate XRES, AUTN, K.sub.ASME using the further secret key K.sub.fs. The user device UE will then perform the authentication based on the further secret key K.sub.fs. The mobile entity MS signals to the subscriber module that it is now connected to the RAN system 10 (e.g. using the identifier SubNid) in order to select the further secret key K.sub.fs.

(85) FIGS. 7A and 7B illustrate generation and derivation of the further secret key in the core network system and the user device, respectively, along with other authentication vector values. It should be appreciated that alternative key generation and derivation schemes and algorithms are possible.

(86) In FIG. 7A, the generation of the values of the authentication vector AV and the further secret key K.sub.fs in the core network system 11 is illustrated using shared secret key K stored in the core network system 11. The result of the generation may be considered an authentication vector for the RAN system 10, denoted as EPS AV.sub.SubN in FIG. 7A.

(87) Authentication vector values XRES, K.sub.ASME, AUTN and RAND are generated in a manner known as such for LTE telecommunications networks. In addition to this, a key derivation function KDF(fs) is provided for generating the further secret key K.sub.fs. Input values for generating the further secret key K.sub.fs include shared secret key K, random RAND, identifier SubNid of the RAN system 10 and the IMSI.

(88) The use of one or more of the values (e.g. a random number RAND or authentication token AUTN) in deriving the further secret key K.sub.fs links the further secret key K.sub.fs to the authentication or key agreement procedure in which the user device UE authenticates the core network system 11 by means of one or more of the values (e.g. the authentication token AUTN). This ties the further secret key K.sub.fs to the authentication of the core network. The use of the identifier identifying the RAN system 10 (which may be a public identifier) ties the further secret key K.sub.fs to a particular radio access network system 10 for which the further secret key K.sub.fs is generated, making the further secret key inoperable for other radio access network systems. The use of the identifier of the user device UE (e.g. the IMSI), links the further secret key to a particular user device.

(89) FIG. 7B depicts an exemplary embodiment for deriving the further secret key K.sub.fs in the user device UE (more particularly in the subscriber module) on the basis of one or more values of the authentication vector AV. Value RES is generated in a known manner for AKA purposes. Further secret key K.sub.fs is derived using again shared secret key K, random RAND, identifier SubNid of the RAN system 10 and the IMSI as illustrated. For a local AKA procedure, the further secret key K.sub.fs may now be used.

(90) FIG. 8 is a block diagram illustrating an exemplary computer system 80 that may be used in or as a user device UE, in a RAN system 10 (e.g. a base station with core network functionality) or in a core network system 11 (e.g. a node with HSS/AuC functionality).

(91) Data processing system 80 may include at least one processor 81 coupled to memory elements 82 through a system bus 83. As such, the data processing system 80 may store program code within memory elements 82. Further, processor 81 may execute the program code accessed from memory elements 82 via system bus 83. In one aspect, data processing system 80 may be implemented as a computer that is suitable for storing and/or executing program code. It should be appreciated, however, that data processing system 80 may be implemented in the form of any system including a processor and memory that is capable of performing the functions described within this disclosure.

(92) Memory elements 82 may include one or more physical memory devices such as, for example, local memory 84 and one or more bulk storage devices 85. Local memory 84 may refer to random access memory or other non-persistent memory device(s) generally used during actual execution of the program code. A bulk storage device may be implemented as a hard drive or other persistent data storage device. The data processing system 80 may also include one or more cache memories (not shown) that provide temporary storage of at least some program code in order to reduce the number of times program code must be retrieved from bulk storage device 85 during execution.

(93) Input/output (I/O) devices depicted as input device 86 and output device 87 optionally can be coupled to the data processing system 80. Examples of input devices may include, but are not limited to, for example, a keyboard, a pointing device such as a mouse, a touchscreen, or the like. Examples of output device may include, but are not limited to, for example, a monitor or display, speakers, or the like. Input device 86 and/or output device 87 may be coupled to data processing system 80 either directly or through intervening I/O controllers. A network adapter 88 may also be coupled to data processing system 80 to enable it to become coupled to other systems, computer systems, remote network devices, and/or remote storage devices through intervening private or public networks. The network adapter 88 may comprise a data receiver for receiving data that is transmitted by said systems, devices and/or networks to said data processing system 80 and a data transmitter for transmitting data to said systems, devices and/or networks. Modems, cable modems, and Ethernet cards are examples of different types of network adapters that may be used with data processing system 80.

(94) As pictured in FIG. 8, memory elements 82 may store an application 89. It should be appreciated that data processing system 80 may further execute an operating system (not shown) that can facilitate execution of the application. Applications, being implemented in the form of executable program code, can be executed by data processing system 80, e.g., by processor 81. Responsive to executing the application 89, the data processing system 80 may be configured to perform one or more operations as described herein in further detail.

(95) In one aspect, for example, data processing system 80 may represent a user device UE, such as a mobile phone, a portable computer, a tablet, smart glasses, a smart watch, an MTC device etc. In that case, application 59 may represent an application that, when executed, configures data processing system 80 to perform the various functions described herein for the user device UE.

(96) In another aspect, data processing system 80 represents a RAN system 10 or a core network system 11 in which case application 89 is executed to perform one or more of the operations as described herein.

(97) It is noted that the method has been described in terms of steps to be performed, but it is not to be construed that the steps described must be performed in the exact order described and/or one after another. One skilled in the art may envision to change the order of the steps and/or to perform steps in parallel to achieve equivalent technical results.

(98) The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms a, an and the are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms comprises and/or comprising, when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

(99) The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiments have been chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

(100) Various embodiments of the disclosure may be implemented as a program product for use with a computer system or a processor, where the program(s) of the program product define functions of the embodiments (including the methods described herein). In one embodiment, the program(s) can be contained on a variety of non-transitory computer-readable storage media (generally referred to as storage), where, as used herein, the expression non-transitory computer readable storage media comprises all computer-readable media, with the sole exception being a transitory, propagating signal. In another embodiment, the program(s) can be contained on a variety of transitory computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., flash memory, floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored.

Method and system for providing security from a radio access network

Assignee

Inventors

Cpc classification

Classification Explorer

H04L9/0861

ELECTRICITY

Classification Explorer

H04W12/0433

ELECTRICITY

Classification Explorer

H04W12/069

ELECTRICITY

Classification Explorer

H04W48/08

ELECTRICITY

Classification Explorer

H04L63/061

ELECTRICITY

Classification Explorer

H04W4/90

ELECTRICITY

Classification Explorer

H04L2463/061

ELECTRICITY

International classification

Classification Explorer

H04L29/06

ELECTRICITY

Classification Explorer

H04W12/04

ELECTRICITY

Classification Explorer

H04W48/08

ELECTRICITY

Classification Explorer

H04W12/06

ELECTRICITY

Abstract

Claims

Description