TREA

Authenticator relocation method for WiMAX system

Follow

Information

  • Patent Grant
  • 8443431
  • Patent Number
    8,443,431
  • Date Filed
    Friday, January 8, 2010
    14 years ago
  • Date Issued
    Tuesday, May 14, 2013
    11 years ago
Information
Abstract
A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK.
Description
FIELD OF THE INVENTION

The present invention generally relates to authentication between mobile terminals and base stations in wireless communication systems.


BACKGROUND OF THE INVENTION

The WiMAX Forum defines specifications for network support of the IEEE 802.16e based radio interface. As of the date of filing this application, the current releases of these specifications are described in the Stage 2 [WMF-T32-005-R010v04_Network-Stage2] and Stage 3 [WMF-T33-004-R010v04_Network-Stage3] documents published by the WiMAX Forum.


To provide communications security in a WiMAX wireless system, a security association is maintained between the mobile terminal and the serving network. This security association is created with the assistance of the subscriber's home network during initial subscription authentication of the user terminal entering the network, and subsequently can be refreshed during re-authentication events. Optimal allocation of system resources during such re-authentication events constitutes an on-going issue.


SUMMARY OF INVENTION

A method is provided for Authenticator Relocation in a communication system that typically applies an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. In one embodiment of the invention an application of a counter value is provided as a token in messages exchanged among elements of the authentication protocol for relocation of the authenticator. In another embodiment of the invention, an application is provided for a secure refresh of the Master Session Key without conducting re-authentication.





BRIEF DESCRIPTION OF THE FIGURES

The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:



FIG. 1 depicts a system architecture in which example embodiments may be implemented.



FIG. 2 shows a flow sequence for authentication according to a conventional method.



FIG. 3 shows a flow sequence for authentication according to an embodiment of the invention.



FIG. 4 shows a flow sequence for authentication according to another embodiment of the invention.





DETAILED DESCRIPTION

In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular architectures, interfaces, techniques, etc., in order to provide a thorough understanding of illustrative embodiments of the invention. However, it will be apparent to those skilled in the art that the invention may be practiced in other illustrative embodiments that depart from these specific details. In some instances, detailed descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description of described embodiments with unnecessary detail. All principles, aspects, and embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future.


The invention is described hereafter in terms of a WiMAX application. It should be clear, however, that the invention will be applicable to in other wireless systems, and that the use the WiMAX application in the description following is solely for purposes of illustrating the invention principles, and is not in any way intended to limit the scope of the invention.



FIG. 1 depicts a system architecture in which the inventive method disclosed herein may be implemented. That figure corresponds to the typical Network Reference Model shown on FIGS. 6-5 of WiMAX standard WMF-T32-005-R010v04_Network-Stage2. As illustrated in FIG. 1 mobile stations (MS) are connected to a Network Access Point (NAP) over interface R1 and to a network service provider (NSP) over interface R2, the NAPs are connected to each other over interface R4. Each NAP provides radio access functionality including acting as an Access Service Network (ASN) having base stations (BS) and an ASN gateway (ASN GW). Each NSP provides IP connectivity services including acting as a connectivity service network (CSN) having a home agent (HA), policy functions (PF) and a Authentication, Authorization, and Accounting (AAA) server. R5 defines an optional interface between the CSNs of different NSP such that a roaming subscriber may get Internet connectivity directly from the visited NSP or from their home NSP over the optional R5 interface.


In wireless communication systems, a security mechanism is generally applied to assure that only authorized users are provided access to the communication system. The protocol carried out to implement such security mechanisms is generally characterized as authentication, and commonly is divided among three entities:

    • (1) a supplicant or client (MS), requesting access to the communication system,
    • (2) an authenticator (ASN-GW) that operates as a gate-keeper for access to the communications network in the WiMAX system and
    • (3) an authentication server (AAA) that determines if the supplicant (MS) is authorized based on an exchange of authentication messages (usually encrypted with one of more keys) between the supplicant and the authentication server.


In many wireless communication systems, including WiMAX, authentication is implemented using Extensible Authentication Protocol (EAP). As described in the WiMAX security framework, Sec.7.3, and in particular, Sec.7.3.8, with successful completion of the EAP-based authentication protocol, both the mobile station (MS) and the Home AAA (HAAA) server generate the secret Master Session Key (MSK). This key is sent by the HAAA to the Authenticator function in the Serving System ASN-GW.


This MSK security association is further used to create multiple lower level security keys for information encryption, integrity protection, etc.


The Authenticator function in the ASN-GW is anchored and may remain static for a substantial period of time, while the MS is served by Base Stations (BS) within the realm of the Serving ASN. The Authenticator may also remain anchored if the MS roams into a neighboring ASN, as long as that ASN belongs in a fully trusted domain of the same operator. However, as the MS hands over to another ASN crossing the trust boundary, over the R4 interface reference point (as shown in FIG. 1), the security framework prescribes a re-authentication of the MS.


As a result of re-authentication, the new ASN-GW assumes Authenticator responsibilities, and receives the new MSK. In effect, such re-authentication causes relocation of the Authenticator.


In a dynamic high mobility environment, rapid movements of the MS will cause frequent handovers between neighboring ASNs, and thus will require frequent relocations of the Authenticator function from one ASN-GW to another. Conducting such repeated re-authentications imposes additional burden on the backhaul network, AAA infrastructure, and, more importantly, on the Air Interface.


For example, consider an MS that roams from one ASN to another while in the Idle mode, i.e., not actively communicating with the serving system. In order to conduct the re-authentication for Authenticator relocation, the system would need to “wake up” the MS, execute a complex EAP authentication protocol, and then release the MS back into Idle. This operation will strain the MS and system resources.


A method has been provided in the art for Authenticator shifting without conducting re-authentication. The essence of that approach is shown on FIG. 2 and is summarized below:

    • The MS recognizes that it has roamed into another ASN by, for instance, analyzing received indications from an overlaying serving network about the present Paging Area, and therefore knows that it needs to update its registered location. Alternatively, the MS may decide to access the new ASN to request a session. In either case, the MS sends a Ranging Request, RNG-REQ, to the closest Base Station BS in the area.
    • The RNG-REQ message from the MS is received by the Base Station BS and needs to be validated. To implement that function, the BS needs to request the access security key AK from the current Anchor Authenticator that serves this MS. As depicted in step 2 of FIG. 2, the BS typically relays this request over the R6 interface (between BS and ASN-GW) to the local ASN-GW, which becomes a new Target Authenticator (depicted nA, for “New Authenticator”) for the MS, to be differentiated from the current Anchored Serving Authenticator (depicted pA, for “Previous Authenticator”) associated with the ASN previously serving the MS.
    • The nA recognizes that the MS is registered in another ASN, and that its security association is anchored in the pA. As depicted in step 3 of FIG. 2, the nA forwards the request to the pA over the R4 interface.
    • The current Authenticator for the MS, pA, generates two nonces, Nonce1 and Nonce2. The pA then uses the MSK and the Nonce 1 in addition to the identity of the nA to create a message (token) Relocation Request Token shown in step 4 of FIG. 2 as MSKhash1. This Relocation Request Token is delivered to the new Target Authenticator nA in step 4, and forwarded by the nA to the HAAA over the R3/R5 interface in step 5.
    • The HAAA validates this Token as a proof that the pA (which currently possesses the secret MSK) agrees to transfer its Authenticator responsibilities to the nA.
    • The HAAA also checks local policy stored in PF to verify that the nA is authorized to perform Authenticator duties for the current MS session, and is trusted enough to receive the same MSK. In such case the HAAA sends the current active MSK to the nA in step 6.
    • Upon receiving the MSK, the nA computes the Relocation Authorization Token MSKhash2 using the received MSK and Nonce2. The token MSKhash2 is then sent to the pA, in step 7, as the proof that the nA is now in possession of the MSK, and that HAAA has authorized the Authenticator transfer.
    • In step 8, the AuthRelocFinResp message closes the transaction initiated by the message of step 7. In effect, the AuthRelocFinResp message lets the nA know that the pA validated and accepted the MSKHash2, is satisfied with it, and treats it as a proof that the nA with the AAA authorization is now in possession of the valid MSK. In other words, the Authenticator Relocation can now be concluded.
    • Subsequent Accounting Stop from the pA (step 9) and Accounting Start from the nA (step 11) indicate to the HAAA that Authenticator relocation is completed successfully.


The above-described prior-art procedure suffers from several deficiencies as described below:

    • Both Nonce1 and Nonce2 are generated as random numbers by the same entity, pA, and cannot be verified by any other network entity for freshness. That is, neither nA nor HAAA can verify that presented random Nonce1 or Nonce2 has not been used before. Therefore, there is no guarantee of replay protection for the Authenticator relocation transaction. As a result, a rogue ASN-GW can repeat the Relocation Request Token in a request to the HAAA, and receive the MSK even if the MS is served elsewhere. Possession of the MSK would allow such a rogue ASN-GW to eavesdrop on the MS session, and even deny its service in another system.
    • The prior-art protocol described above assumes that the R4 interface is protected by Transport Layer security measures, with the result that the pA and nA Authenticators can not masquerade or spoof their identities. This assumption is not warranted, as a rogue ASN-GW can insert itself as the Man-in-the-Middle R4 entity between pA and nA, cache the Relocation Request Token, and reuse it at a later time for obtaining the MSK.
    • Reusing the same MSK in more than one ASN increases the scope of MSK vulnerability, as the compromised ASN-GW can not only decrypt current MS traffic, but also all previous and future data of this MS for the whole duration of the MSK validity.


The inventor discloses herein several modifications to the prior art methodology that address the problems identified in that approach. These modifications are shown in FIGS. 3 and 4, which depict two illustrative embodiments of the invention, and described below. Note that steps unchanged from the FIG. 2 flow diagram are generally not repeated in the discussion below of FIGS. 3 and 4.


Specifically,

    • In step 3a, a new variable, Counter 1, based on an ever-increasing counter, is generated at the pA (as a replacement for the random nonce Nonce1), along with Nonce 2, to create the Relocation Request Token.
    • Advantageously, such a counter already exists in the WiMAX/IEEE 802.16e system, and it is defined as the CMAC_KEY_COUNT counter described in Sec.4.3.4 of the standard [WMF-T33-001-R010v04_Network-Stage3-Base]. This CMAC-KEY-COUNT is currently used for a replay protection of management messages on the Air Interface, and is maintained by the MS (CMAC_KEY_COUNTM). and Anchor Authenticator pA (CMAC_KEY_COUNTN). The CMAC_KEY_COUNTM is included in the Physical Attachment message (RNG-REQ, LU-REQ) sent by the MS to the serving Base Station.
    • This CMAC_KEY_COUNTM is forwarded by the serving BS to the nA over the R6 interface during the step 2 transaction of FIGS. 3 and 4, and relayed by the nA to the pA over the R4 interface in a step 3. In normal operation, the pA will compare the received CMAC_KEY_COUNTM with the locally maintained CMAC_KEY_COUNTN and select the larger value as an active value of the CMAC_KEY_COUNTN.
    • The pA can now use the CMAC_KEY_COUNTN in step 3a as the Counter1 parameter in computing the Relocation Request Token.
    • As shown in the step 3b, values of MSK, Counter1, Nonce2, and pA-ID and nA-ID are included in computation of the Relocation Request Token to ensure proper binding of entities involved in the relocation transaction, where pA-ID is the ID of the pA and nA-ID is the ID of the nA. This measure prevents possible identity spoofing by a rogue ASN-GW.
    • The Relocation Request Token, pA-ID, nA-ID, Counter1, and nonce2 are delivered to the new Authenticator nA in step 4, and forwarded by the nA to the HAAA in step 5.
    • The HAAA recognizes that, according to the requirements defined in Sec.4.3.4 of the WiMAX standard [WMF-T33-001-R010v04_Network-Stage3-Base], at the time of successful EAP authentication the CMAC_KEY_COUNTN is reset to value 1, and incremented with every successful MS entry into the network. The HAAA is also aware that, pursuant to the method of the invention, the pA sets the Counter1 value to be equal to the current maintained value of the CMAC_KEY_COUNTN, which must be larger than 1 and larger than any other previously received value of Counter1, until the next re-authentication. Any violation of this check indicates a replay of the Relocation Request Token, and must be rejected.
    • After evaluating the value of Counter 1 against the tests of the prior section (in step 5a), and finding the Counter 1 value acceptable, the HAAA validates the Relocation Request Token (in step 5b).


As noted above, two illustrative embodiments of the invention are depicted by FIGS. 3 and 4. To this point, operation of the two embodiments are the same in both figures, and such common operation has been described above for both figures. Hereafter, however, invention operation for the two embodiments diverges somewhat and they are separately described in respect to FIG. 3 and FIG. 4.

    • In the embodiment depicted in FIG. 3, the HAAA generates a fresh version of the MSK, denoted MSK′, by using the Counter1 as the freshness parameter, as shown in step 5c, to generate MSK′ as a hash of MSK and Counter 1.
    • The MSK′ is then delivered to the nA from HAAA in step 6.
    • The nA computes the Relocation Authorization Token in step 6a using the MSK′ and returns this Token to the pA (in step 7) as a proof of possession of MSK′.
    • The pA evaluates the Relocation Authorization Token in step 7a, validates in step 7b and completes the Authenticator Relocation in step 8.
    • The Authenticator Relocation Indicator (ARI) is sent to the MS in a transaction of step 9, indicating that physical attachment or location update is completed, and additionally, the MSK is refreshed. Using this indication, the MS re-computes the MSK using its current value and the CMAC_KEY_COUNTM as the freshness parameter.
    • It should be noted that, if the value of the CMACKEY_COUNTM was smaller than the CMAC_KEY_COUNTN maintained at the pA, the MS would not have been admitted into the network. If the CMAC_KEY_COUNTM was equal or larger than previously maintained CMAC_KEY_COUNTN, the pA would have updated its CMAC_KEY_COUNTN to be in sync with the CMAC_KEY_COUNTM initially reported by the MS. And therefore, the values of CMAC_KEY_COUNT in the MS, pA, and HAAA are at this point fully synchronized. As a result, the MSK′ computed by the MS, pA, and HAAA are the same.
    • Subsequent RADIUS Accounting Stop from the pA (step 10) and Accounting Start from the nA (step 11) indicate to the HAAA that Authenticator Relocation is completed.
    • At this point, the MS, the HAAA, and the nA can declare the new MSK=MSK′ to be active, and the pA can delete the old MSK.
    • In an alternative embodiment depicted in FIG. 4, operation of the invention proceeds without generation of a new MSK. Thus, for this embodiment, the HAAA does not generate a fresh value of the MSK, MSK′ (as depicted in step 5c of FIG. 3), but instead returns the current valid MSK to the nA (step 6 of FIG. 4).
    • The nA computes the Relocation Authorization Token in step 6a using the MSK and returns this Token to the pA, in step 7, as a proof of possession of MSK.
    • The pA evaluates the Relocation Authorization Token in step 7a, validates in step 7b, and completes the Authenticator Relocation in step 8.
    • The Ranging Response RNG-RSP is sent to the MS in a transaction of step 9, indicating that physical attachment or location update is completed without modification of the MSK.


In summary, the modified Authenticator Relocation procedure of the invention methodology, as described herein, provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS, while optionally allowing secure refresh of the MSK.


Herein, the inventors have disclosed a method for supporting mobility of a roaming mobile terminal from one serving system to another, with relocation of the Authenticator function, but without the need for Re-authenticating the mobile terminal, that provides significant improvements in network security over methods of the art. Numerous modifications and alternative embodiments of the invention will be apparent to those skilled in the art in view of the foregoing description.


Accordingly, this description is to be construed as illustrative only and is for the purpose of teaching those skilled in the art the best mode of carrying out the invention and is not intended to illustrate all possible forms thereof. It is also understood that the words used are words of description, rather that limitation, and that details of the structure may be varied substantially without departing from the spirit of the invention, and that the exclusive use of all modifications which come within the scope of the appended claims is reserved

Claims
  • 1. A method for relocating an authentication for a user from a first authentication server to a second authentication server, the method comprising: receiving a token at the second authentication server;evaluating the token, at the second authentication server, to determine a validity of a request associated with the token by verifying an identity of the first authentication server and comparing a counter value in the token with a counter value from a prior session with the first authentication server, the token being a function of at least the counter value from the prior session, the identity of the first authentication server and a first master session key (MSK); and.receiving an indication at the second authentication server that the authentication relationship for the user has been relocated to the second authentication server, if the second authentication server possesses the first MSK.
  • 2. The method of claim 1 wherein the second authentication server is configured to receive the counter value from an associated server and the counter value is initially generated for a function other than authentication.
  • 3. The method of claim 1, wherein further comprising: generating a second MSK at the second authentication server as a function of the counter value and the first MSK.
  • 4. The method of claim 3 wherein the second authentication server receives the token as an authenticated user moves to establish an authentication relationship with the second authentication server.
  • 5. The method of claim 4, further comprising: generating a second token indicating that the second authentication server is in possession of the first MSK; andforwarding the second token to the first authentication server.
  • 6. The method of claim 5 wherein the second token is generated as a function of the counter value and the first MSK.
  • 7. The method of claim 5 wherein the second token is generated as a function of the counter value and the second MSK.
  • 8. The method of claim 5, further comprising: establishing the authentication relationship between the user and the second authentication server, if the second token indicates that the second authentication server entity possesses the first MSK.
  • 9. A method for transferring an authentication relationship for a user from a first authentication entity to a second authentication entity comprising: generating, at the first authentication entity, a first token as a function of a Master Session Key (MSK), a counter value, an identity of the first authentication entity and an identity of the second authentication entity;sending the first token from the first authentication entity to the second authentication entity, the first token indicating that the first authentication entity agrees to transfer the authentication relationship for the user to the second authentication entity;sending the first token from the second authentication entity to an authentication server, along with an indicia of identity for the second authentication entity;evaluating the first token for authentication at the authentication server by verifying the identity of the first authentication entity and the identity of the second authentication entity and comparing the counter value in the first token with a counter value from a prior session with the first authentication entity;generating a second token at the second authentication entity as the function of the MSK and the counter value, if the first token is authenticated, the second token indicating that the second authentication entity is in possession of the MSK;forwarding the second token from the second authentication entity to the first authentication entity;evaluating the second token at the first authentication entity to determine if the second authentication entity possesses the MSK; andtransferring the authentication relationship for the user from the first authentication entity to the second authentication entity, if the second authentication entity possesses the MSK.
  • 10. The method of claim 9 wherein the counter value is provided from an associated entity and is initially generated for a function other than authentication.
  • 11. A method for transferring an authentication relationship for a user from a first authentication entity to a second authentication entity comprising: generating, at the first authentication entity, a first token as a function of a first Master Session Key (MSK), a counter value, an identity of the first authentication entity and an identity of the second authentication entity;sending the first token from the first authentication entity to the second authentication entity, the first token indicating that the first authentication entity agrees to transfer the authentication relationship for the user to the second authentication entity;sending the first token from the second authentication entity to an authentication server, along with an indicia of identity for the second authentication entity;evaluating the first token for authentication at the authentication server by verifying the identity of the first authentication entity and the identity of the second authentication entity and comparing the counter value in the first token with a counter value from a prior session with the first authentication entity,generating a second MSK value by the authentication server as a function of the first MSK value and the counter value;generating a second token as a function of the second MSK value at the second authentication entity and the counter value, if the first token is authenticated by the authentication server;forwarding the second token from the second authentication entity to the first authentication entity;evaluating the second token at the first authentication entity and transferring the authentication relationship for the user from the first authentication entity to the second authentication entity.
  • 12. The method of claim 11 wherein the counter value is provided from an associated entity and is initially generated for a function other than authentication.
  • 13. The method of claim 11, further comprising replacing the first MSK value with the second MSK value.
  • 14. A method of obtaining an authentication relationship for a user at a second authentication entity, the method comprising: receiving a first token at the second authentication entity indicating that a previous authentication entity agrees to transfer the authentication relationship for the user, the first token being a function of a Master Session Key (MSK), a counter value, an identity of the previous authentication entity and an identity of the second authentication entity;receiving an indication that the first token is authentic at the second authentication entity, the first token being authentic if the counter value contains an expected value and the identity of the previous authentication entity and the identity of the second authentication entity are verified,generating a second token at the second authentication entity as a function of the MSK and the counter value, if the first token is authentic, the second token indicating that the second authentication entity is in possession of the MSK;forwarding the second token from the second authentication entity to the previous authentication entity; andreceiving, at the second authentication entity, an indication that the authentication relationship for the user has been relocated to the second authentication entity, if the second authentication entity possesses the MSK.
  • 15. The method of claim 14 wherein the counter value is generated for a function other than authentication.
RELATED APPLICATIONS

This application claims priority pursuant to 35 U.S.C. Sec 119(e) to U.S. Provisional Application No. 61/280,168, filed Oct. 30, 2009, entitled “AUTHENTICATOR RELOCATION METHOD FOR WIMAX SYSTEM,” the subject matter thereof being fully incorporated herein by reference.

US Referenced Citations (43)
Number Name Date Kind
7624433 Clark et al. Nov 2009 B1
7752441 Mizikovsky et al. Jul 2010 B2
7987366 Blom et al. Jul 2011 B2
20030108199 Pinder et al. Jun 2003 A1
20040052377 Mattox et al. Mar 2004 A1
20050154889 Ashley et al. Jul 2005 A1
20070016780 Lee et al. Jan 2007 A1
20070150744 Cheng et al. Jun 2007 A1
20070154016 Nakhjiri et al. Jul 2007 A1
20070192605 Mizikovsky et al. Aug 2007 A1
20070201697 Altshuller et al. Aug 2007 A1
20080089294 Shon et al. Apr 2008 A1
20080137853 Mizikovsky et al. Jun 2008 A1
20080178274 Nakhjiri et al. Jul 2008 A1
20080227458 Wu Sep 2008 A1
20080253569 Lim et al. Oct 2008 A1
20090019284 Cho et al. Jan 2009 A1
20090110196 Tsai et al. Apr 2009 A1
20090193511 Noe et al. Jul 2009 A1
20090274302 Wu et al. Nov 2009 A1
20090280774 Patel et al. Nov 2009 A1
20090282243 Rose et al. Nov 2009 A1
20090282253 Rose et al. Nov 2009 A1
20090307496 Hahn et al. Dec 2009 A1
20100046467 Chiou et al. Feb 2010 A1
20100167747 Karnam et al. Jul 2010 A1
20100180111 Hahn et al. Jul 2010 A1
20100184407 Tachikawa Jul 2010 A1
20100205442 Han et al. Aug 2010 A1
20100205448 Tarhan et al. Aug 2010 A1
20100232606 Lee et al. Sep 2010 A1
20100235900 Robinton et al. Sep 2010 A1
20100325714 Iyer et al. Dec 2010 A1
20110004754 Walker et al. Jan 2011 A1
20110041003 Pattar et al. Feb 2011 A1
20110047382 Wang et al. Feb 2011 A1
20110063997 Gras et al. Mar 2011 A1
20110076987 Lee et al. Mar 2011 A1
20110149926 Li et al. Jun 2011 A1
20110238834 Nair et al. Sep 2011 A1
20110302646 Ronda et al. Dec 2011 A1
20110307949 Ronda et al. Dec 2011 A1
20120066757 Vysogorets et al. Mar 2012 A1
Foreign Referenced Citations (1)
Number Date Country
1 954 083 Aug 2008 EP
Non-Patent Literature Citations (2)
Entry
Kim, Youngwook et al, “Enhancing Security Using The Discarded Security Information in Mobile WiMAX Networks”, Global Telecommunications Conference, 2008. IEEE Globecom 2008, Piscataway, NJ USA, Nov. 30, 2008, XP031370077, pp. 1-5.
International Search Report dated May 25, 2011 (PCT/US2010/054426) 5 sheets.
Related Publications (1)
Number Date Country
20110107085 A1 May 2011 US
Provisional Applications (1)
Number Date Country
61280168 Oct 2009 US