Patent Application
20080215888
The present invention concerns a method and arrangement for authentication of user entities in a communications network. In particular, the invention concerns improved security in a communications network implementing a Generic Authentication/Generic Bootstrapping Architecture, GAA/GBA.
The 3GPP authentication infrastructure, including the 3GPP Authentication Centre (AuC), the Universal SIM Card (USIM) or the IM Services Identity Module (ISIM), and the 3GPP Authentication and Key Agreement protocol (AKA) run between them, is a very valuable asset of 3GPP operators. It has been recognized that this infrastructure could be leveraged to enable application functions in the network and on the user side to establish shared keys. Therefore, 3GPP has specified “Generic Bootstrapping Architecture” (GBA) enabling distribution of shared secrets to the User Equipment (UE) and a Network Application Function (NAF) using AKA-based mechanisms ([1], [2]).
At this point, NAF is able to use the distributed credentials. This material may be used for further end-user authentication that NAF may initiate e.g. the http-digest procedure as defined in [3] using the distributed shared secrets. The credentials can also be used for other purposes than authentication, e.g. for integrity, confidentiality, or key derivation.
3GPP is proposing the use of GBA for end-user authentication purposes defining a so-called “Generic Authentication Architecture”, GAA as described in reference [1]. GAA leverages GBA procedures to establish shared secrets at the UE and NAF so that these credentials can be further used as the base for subsequent end-user authentication mechanisms executed between the NAF and UE.
3GPP has also studied use of GBA in an IMS system, e.g. reference [4].
There are two fundamental problems with GAA/GBA:
Regarding privacy, it is noticed that the same B-TID is used for every NAF. This fact can be used to build a user profile indicating subscribed services thus violating privacy requirements. This type of privacy attack is known as collusion. While being a minor issue for applications that are provided by the same operator, it becomes a serious concern when third parties provide applications or when the operator hosts 3rd party services within its premises.
Further, the GAA/GBA architecture has a problem in that man-in-the-middle attacks are possible whereby a fraudulent user can request credentials belonging to someone else.
Basically, the GAA/GBA architecture is SIM-based key-distribution architecture. The term “SIM” is here understood as either USIM (3G) or ISIM. GAA/GBA is not generic with respect to the supported authentication mechanisms since it assumes SIM-based authentication. Further, GAA/GBA is not authentication oriented since the provisioned keys may or may not be used for authentication.
It is a disadvantage of GAA/GBA requiring applications to implement the following mechanisms in order to become GAA/GBA compliant:
The burden of implementing all these GAA/GBA mechanisms, especially the need to implement a key distribution procedure, is high for applications that often only require validating the user identity.
Many applications may not even implement mechanisms to authenticate the user due to the burden of managing user credentials such as passwords. In fact, the problem of password management (storage, protection, renewal, loss, invalidation, theft) has been identified as a barrier for application deployment.
Further disadvantages of prior art GAA/GBA architecture relate to the operator:
Therefore, there is need for an improved GAA/GBA architecture that overcomes problems and disadvantages of prior art system and providing for additional privacy protection and authentication support.
The present invention improves over the deficiencies and drawbacks of the prior art arrangements.
Generally, the purpose of this invention is to leverage on the existing GAA/GBA infrastructure in order to improve privacy protection and authentication support keeping changes to the current GAA/GBA procedure to a minimum.
An object of the invention is to provide an Authentication Voucher asserting authorization of a user in a communications network that implements a GAA/GBA-architecture.
A further object is to provide a key identifier B_TID_NAF, linked to a user entity UE that is unique for each network application node NAF.
Another object is to prevent man-in-the-middle attacks on the Ua interface and to enable BSF to verify the sender of a bootstrapping identifier B_TID_NAF.
Still another object is to arrange for NAF to communicate with BSF for verifying that NAF requirements on the authentication of a user are fulfilled without revealing, in said communication, such data that allows tracking of the user entity UE.
It is a further object of the invention to allow for batch generation of keys Ks_NAF and corresponding identifiers B_TID_NAF related to a plurality of Network Application Functions, NAF.
It is an object of the invention to arrange the Authentication Voucher to be unique for each NAF thereby avoiding collusion between several NAF entities for tracking the user.
It is a specific object to provide a method and system for improved privacy protection and authentication support in a communications network implementing a GAA/GBA-architecture.
It is also a specific object to provide a BSF network node for supporting improved privacy protection and authentication.
These and other objects are achieved by a method and arrangement according to the accompanying patent claims.
Briefly the invention involves a Bootstrap Server Function (BSF) that creates, at request of a user, an Authentication Voucher asserting that the user has been authenticated by use of any method for authentication. Following standard procedure, reference [2], BSF generates keys Ks and Ks_NAF, the latter for use in communication between a user and a network application function NAF. The key Ks_NAF is identified cover the Ua interface, according to the invention, by an identifier B_TID_NAF that is unique for each NAF in contrast to standard procedure wherein a same identifier, B_TID, is used for any NAF. A user accessing a network application function NAF provides the identifier B_TID_NAF enabling NAF to derive from the identifier the address of its home BSF and to request the Authentication Voucher at BSF. In response to the identifier B_TID_NAF, the BSF may identify the Authentication Voucher to enable establishment of authentication status of UE. The use of a unique identifier B_TID_NAF prevents creation of a user profile and improves privacy.
Further optional improvements of privacy, according to the invention, are achieved for example by signing the identifier B_TID_NAF (or alternatively B_TID) using the key Ks known to BSF and the user UE. This prevents man-in-the-middle attacks on the interface between user UE and network application function NAF. Encrypting communication of credentials between user UE and BSF over the Ub interface by use of the key Ks is another example of how to further improve security of the system.
In an exemplary embodiment, the Authentication Voucher may be stripped of any information that allows tracking of the user and only provide an assertion that authentication of the user has taken place. If NAF has further requirements on the authentication procedure, NAF can present to BSF these requirements and BSF respond thereto with a confirmation of those requirements that are fulfilled.
In another exemplary aspect of the invention BSF sends the Authentication Voucher to the user UE over the Ub interface. The user presents the Authentication Voucher to a NAF being accessed. According to the invention, NAF relies on BSF to verify validity of the Authentication Voucher before accepting further communication with the user. The identity B_TID_NAF may also be used to retrieve the key Ks_NAF from BSF if NAF, additionally, e.g. requires establishment of session keys with UE.
The invention is generally applicable on existing GAA/GBA infrastructure in order to improve privacy protection and authentication. As GBA is currently discussed for use in IMS systems it is foreseen to apply the invention in such systems.
A major advantage of the invention is to provide a method for authentication of a user without the need to implement, at a network application function NAF, support for key management.
Another advantage of the invention is to provide enhanced privacy protection to current GAA/GBA infrastructure including protection against colluding NAF-entities and man-in-the-middle attacks.
Other advantages offered by the present invention will be appreciated upon reading of the following detailed description of several embodiments of the invention in conjunction with attached drawings and which are taken as examples only being it clear for a skilled person that numerous other embodiments are possible without departing from the main purpose of the invention.
The invention, together with further objects and advantages thereof, will be best understood by reference to the following description taken together with the accompanying drawings, in which:
In a first exemplary aspect of the invention, an additional bootstrapping identifier to B-TID currently defined in GAA/GBA specifications is introduced. B_TID and key Ks will be generated according to the GAA standard. However, according to the invention, B_TID is only used between the UE and the BSF, i.e. over the Ub interface whereas the additional bootstrapping identifier, B_TID_NAF, is normally used between the UE and the NAF over the Ua interface. B_TID_NAF is different from B_TID and specific for each NAF.
According to the GAA/GBA standard the UE does not need to contact BSF each time a new NAF is accessed since B_TID is sufficient to locate a NAF and to identify user credentials. However, as explained above, such an approach compromises privacy across NAF entities. Therefore, according to an exemplary preferred embodiment of the invention, an extra signaling with the BSF for each new NAF is introduced. However, the volume of signaling may be decreased by a batch procedure that is further described below.
BSF will maintain links between identity of UE, B_TID, Ks and a set of B_TID_NAF identifiers and associated keys Ks_NAF generated for a corresponding set of NAF entities.
The use of a unique B_TID_NAF for each NAF prevents the user from being tracked over the Ua interface.
Whenever a user wants to access an application NAF that is only requiring identifying/authenticating the user, the NAF will be directed to the BSF, which then acts as an authentication center/authority.
According to an exemplary preferred embodiment of the invention the BSF generates an Authentication Voucher attesting that the user has been authenticated. The Authentication Voucher will be identified by B_TID over the Ub interface. Over Ua interface the Authentication Voucher will be identified by the B_TID_NAF. NAF can refer to the voucher by providing the B_TID_NAF identifier over the Zn interface.
At 310 there are means for input/output for exchanging data with other units. An internal bus system 370 interconnects the different function means. At 320 means are shown for generation of keys and corresponding key identifiers, e.g. key Ks and identifier B_TID. At 330 is shown means for generation of an Authentication Voucher and at 340 there are means for verification of validity of an Authentication Voucher. Means for encryption/decryption is shown at 380. Random numbers are generated by means 390. Storage means 360 stores generated information such as user identity, key Ks, keys B_TID_NAF, key identifiers and links data related to a specific user. Processing means 350 controls internal operations of the unit 300. It is understood that the function means of the node 300 can be implemented as hardware, software or a mix of the two.
An exemplary method for initial authentication of a user and creation of Bootstrapping material, according to the invention, is clearer from
In step 1, UE initiates the Bootstrapping procedure by sending a request to BSF. The request can be sent by UE as result of configuration setting prior to accessing any NAF.
Alternatively, according to the standard reference [2], the request can result from redirection order by NAF in response to an initial access attempt wherein NAF determines that no previous Bootstrapping data exist or has expired.
The request may include an explicit user identity, e.g. International Mobile Station Identity (IMSI) or IP Multimedia Private Identity (IMPI) reference [5]. At least one identifier B_TID_NAF is generated that identifies generated data for a particular NAF, e.g. a key related to NAF.
If the request concerns an operation involving a previously generated key Ks, e.g. for generation of a key derived from Ks, Ks_NAF, related to a specific NAF or for retrieving a previously generated key Ks_NAF the request includes the identifier B_TID in place of an explicit user identity and at least the identity of one particular NAF. It is noticed that B_TID is sufficient for BSF to retrieve the identity of UE. This procedure is introduced in order to improve the privacy of the user identity in the additional signaling introduced according to the invention.
The request may also include a specification, “spec”, providing additional requirements on the request. For example, such specification may relate to particular requirements that NAF may have, e.g. if a key Ks_NAF is required, an Authentication Voucher or both or else if a specific authentication method should be used, exemplary authentication based on a USIM-card.
In step 2, BSF initiates a user authentication procedure if no valid bootstrapping key Ks exists for the user as indicated by the user ID or B_TID. Exemplary, an AKA authentication procedure may be executed well known in the art, or authentication procedure may use a public key algorithm.
In step 3, BSF generates a bootstrapped key Ks and, in addition, an Authentication Voucher. The Authentication Voucher, may for example include information on:
Typically, the lifetime of the Authentication Voucher and the bootstrapped Ks will be the same but it could be set individually.
Information about the authentication method indicates, for example, whether user has a USIM or an ISIM card or whether user authentication was of type GBA-me, based on the mobile equipment, or GBA-u, based on a Universal Integrated Circuit Card, UICC.
Further, in this step, B_TID is generated and derived keys Ks_NAF with corresponding B_TID_NAF identifiers. The lifetime is also set for various entities such as keys Ks, Ks_NAF, and Authentication Voucher.
In step 4, identifiers B_TID, (B_TID_NAF)n and the lifetime of the bootstrapping material are returned to the UE.
If desired or otherwise appropriate, the B_TID-NAF can be protected during transfer between entities e.g. with TLS/SSL. Additional application specific data (msg), may also be included.
NAF submits a request for authentication of the user in step 2 forwarding the received identifier B-TID-NAF. In order to eliminate a need for NAF applications, which are only interested in user authentication, to support and implement additional key management and user authentication mechanisms, a NAF application can request BSF only to provide a user Authentication Voucher. Thus NAF may, in step 2, include information (info) e.g. to indicate a need for an Authentication Voucher, a key Ks_NAF, or both of these entities.
In step 3 BSF returns to NAF the requested material. The response by BSF to NAF may be protected with some transport security e.g. TLS/SSL. In addition, at least part of a user profile (Prof), key lifetime (Key Lifetime), the Authentication Voucher, and a response message (respmsg) may be included. The Authentication Voucher enables NAF to verify authentication of the user. As mentioned in relation to
Alternatively, only the Authentication Voucher is returned to NAF, e.g. NAF applications that are only interested in user authentication.
In step 4, NAF usually stores at least some of the received material. In particular, NAF may not need to store the Authentication Voucher after verification. This means that if only the Authentication Voucher has been returned, it may not be necessary to store any information. If a key Ks_NAF has been received this can be used in subsequent accesses by UE as long as key lifetime is valid NAF preferably checks the information within the Authentication Voucher in order to verify end-user authentication status. However, as will become apparent from the description of alternative embodiments below, the verification of the Authentication Voucher can alternatively be performed at the BSF.
In step 5, NAF may respond to the initial request in step 1 indicating if UE needs to request new credentials at BSF according to
In a second exemplary aspect of the invention, the Authentication Voucher is sent to the user equipment UE over the Ub interface. UE presents the voucher to NAF when requesting services from NAF. With reference to
If the Voucher is valid NAF may request, in step 3, a key from BSF as identified by B_TID_NAF. In step 4, BSF normally replies with a key (Ks_NAF), key lifetime (Key Lifetime), and preferably also at least part of profile information (Prof). The key request and response in steps 3 and 4 may also be included within step 2 as part of the communication between NAF and BSF in the voucher verification process. In step 5, the received material is stored and in step 6 a response is given to the user entity UE. Again, it is noticed that a request for a key Ks_NAF is optional and that, for authentication only, the Voucher is sufficient.
In an exemplary embodiment of the invention, B_TID and B_TID_NAF in
According to another exemplary embodiment, a plurality of NAF_ID may be included in the request
In step 3 of
Steps 4-6 are similar to steps 3-5 in
According to an alternative embodiment of the first aspect of the invention, the Authentication Voucher is limited to a message that authentication has been made. It is noticed that certain information, as specified in the first aspect of the invention, such as method for authentication and time for authentication, may be used to track the user and, thus, to attack privacy. According to the alternative embodiment, the information contained in the Voucher is limited to information that does not allow any such tracking. If NAF requires further information, in order to accept the assertion of authentication, it can send to BSF these requirements whereupon BSF verifies thus requirements that are fulfilled. Exemplary, NAF may require that the user be authenticated based on a USIM-card. This question/response dialogue can be included in steps 2 and 3
Regarding the second aspect of the invention, step 2 in
In one embodiment the key Ks encrypts the Authentication Voucher and verification of validity is made by NAF sending the encrypted Authentication Voucher to BSF. BSF has the key Ks and can decrypt the Authentication Voucher and verify its validity. Thus, with reference to
It is noticed that, in the previous embodiments of the second aspect of the invention, each NAF will receive the same Authentication Voucher thus providing some possibility for colluding NAF entities to track the user. This problem is solved in another embodiment, illustrated in
With reference to
Since NAF does not have the key Ks and cannot decrypt the Authentication Voucher, NAF forwards the message in step 2 to BSF for verification.
In step 3, BSF decrypts the message, extracts the Authentication Voucher, and verifies the validity of the Authentication Voucher. Thereafter, BSF determines a second random number (Rand2) and double encrypts, using the key Ks, the Authentication Voucher according to the formula:
Encr(Ks,Encr(Ks,Voucher,Rand2)).
In step 4, a return message is sent by BSF to NAF1 of the outcome of the verification including the double encrypted Authentication Voucher. NAF1 forwards the return message to UE in step 5. In step 6, UE decrypts the double encrypted message once to obtain:
Encr(Ks,Voucher,Rand2) Eq. (1)
In a forthcoming access to e.g. NAF2 in step 7, UE provides the encrypted Authentication Voucher according to Eq. (1) now including the second random number (Rand2). The same procedure as before is repeated as illustrated in step 8. Thus, each access to a NAF will use a unique Authentication Voucher preventing tracking of the user.
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/SE05/01128 | 7/7/2005 | WO | 1/7/2008 |
