Patent Application
20160044505
The present invention relates to a method to establish a secure voice communication session between two user equipments. In the invention. “user” means a subscriber to a certain mobile network service (MNO). More particularly the invention relates to the implementation of such secure voice communication in the context of Generic Bootstrapping Architecture.
The invention also pertains to network application functions (NAF) and to a GBA compliant user equipment able to implement steps of the method of the invention.
In mobile phones, Generic Bootstrapping Architecture (GBA) is one technology enabling the establishment of shared keys between a User Equipment and any Application Server thanks to the 3GPP user authentication. This 3GPP user authentication is possible if the user owns a valid identity on a Home Location Register (HLR) or a Home Subscriber Server (HSS).
GBA is standardized at the 3GPP. 3GPP TS 33.220 specifies Generic Bootstrapping Architecture (GBA), which allows a User Equipment (UE) and a Network Application Function server (NAF) to share a secret by interacting with Bootstrapping Server Function (BSF). The user authentication is instantiated by a shared secret between the user in a smartcard inside his/her mobile equipment and the other is on the HLR/HSS.
GBA bootstrapping authenticates the user by sending a network component challenge to the user's card and verify that the answer is similar to the one predicted by the HLR/HSS.
The architecture includes the user equipment (UE), i.e a Mobile Equipment (ME, e.g. a mobile cellular telephone) including a smart card (a UICC), that needs access to a specific service, an application server (NAF: Network Application Function), e.g. for mobile TV, that provides the service, a Bootstrapping Server Function (BSF), that arranges security relation between UE and NAF thanks to its connection with the HSS, a mobile network operator's Home Subscriber Server (HSS), that hosts user profiles.
The term ‘bootstrapping’ is related to building a security relation with a previously unknown device first and to allow installing security elements (keys) in the device and the BSF afterwards.
Thus, instead of asking a service provider NAF to rely on HLR or HSS for every key establishment request, the BSF establishes a shared secret between the user's card and the service provider NAF. This shared secret is limited in time and for a specific domain.
The secret derived via GAA/GBA procedure can be used for further communication between the UE (composed of ME and UICC) and the NAF. One advantage is that there is no need for user enrollment phase nor secure deployment of keys, making this solution a very low cost one compared to PKI. It is also easy to integrate the authentication method into terminals and service providers, as it is based on HTTP's “Digest access authentication”. Every Web server already implement HTTP digest authentication and the effort to implement GBA on top of digest authentication is thus minimal.
On device side is needed an HTTP client (Web browser) implementing digest authentication and the special case designed by a “3gpp” string in the HTTP header and a mean to dialog with a smartcard and to sign a challenge sent by the BSF. Direct communications with the smart card through APDU via the BaseBand of the device are used. GBA nevertheless does not apply for any communication between two or more parties and even less voice communication. As there is a need to secure such voice communication when carried on the web, further alternative and advantageous solutions relative to the GBA would, accordingly, be desirable in the art.
Further, GBA based UICC is called GBA_U UICC.
The present invention aims at securing voice communication without requiring the use of dedicated infrastructure.
The present invention thus proposes a method to establish a secure voice communication session between two user equipments with the help of a dedicated Network Application Functions (NAF) and of at least one Bootstrapping Server Function (BSF), comprising the steps of:
the method further comprising the steps of:
While using the GBA authentication of each user on each side of a voice communication, the invention enables to base a secure voice communication on the GBA architecture without requiring further implementation of security features. The invention involves an extension of NAF capability, which is based on GBA infrastructure. And eventually, the function of GBA compliant UICC is also enhanced. With the invention a mobile network operator can offer security related services leveraging GBA infrastructure without needing to upgrade UICCs deployed in the field. It is here noted that the number of user equipments could be increased while remaining under the scope of the invention. The used key materials are the ones defined in 3GPP TS 33.220 or TS 33.110.
Basically, the NAF possesses the following key materials for each user: RAND, B-TID, Ks_ext_NAF, Ks_int_NAF, other attributes, like key lifetime, UICCType, and so forth.
According to a first embodiment, said step of calculation of the session key is performed by the NAF that further sends the key session to both equipments encrypted with respective NAF keys.
This embodiment is adapted to any configuration where the UICC is not GBA_U.
Advantageously, in case where there is at least one of the user equipment comprising a GBA_U compliant UICC, the encryption of the session key by the NAF for this user equipment uses an internal NAF key.
This enables the session key to be decrypted in the UICC itself and to enhance security.
According to a second embodiment, the method includes a step of generation by the NAF of two messages comprising data to be used to calculate the session key, each message comprising, for a given equipment, at least a NAF key of the other equipment encrypted with the own NAF key of said given equipment, a step of sending the encrypted messages to both equipments and, for each equipment, a step of decryption of the encrypted message and a step of calculation of the session key from its own derived NAF key and the other user equipment's NAF key received in the message.
External NAF key can be transferred and external or internal NAF key can be used for encryption. It is necessary for the both calculations to have the same inputs. The same pair of NAF key, one for the first user equipment and the second for the second equipment, has to be known on both calculation sides. Messages thus include the complementary NAF key for the calculation of the session key. Such KeyMaterials (e.g User_Param, Ks_NAF, other attributes) are sent to each user equipment from the NAF over Ua secure tunnel.
Preferably transferred NAF keys are external NAF keys.
In fact, GBA standard is currently not open to the transfer of internal NAF keys since according to GBA principle the internal NAF key shall never leave the UICC of a user equipment and shall not be shared with another user equipment for security reasons. With this feature only Ks_ext_NAF, and thus not internal NAF key, of another user can be seen by the user of a mobile equipment in case the message exchanged between the mobile equipment and the NAF is encrypted with Ks_ext_NAF of the mobile equipment. Thus, it is theoretically possible for a user to observe and retrieve Ks_ext_NAF of other users. And later, he/she can use those obtained keys fraudulently to masquerade another user for instance. This solution is not thus completely secure.
According to a preferred feature, at least one user equipment comprising a GBA_U compliant UICC, the encryption of the NAF key of the other equipment for this user equipment uses the internal NAF key for this user equipment.
This avoids the mobile equipment having the GBA compliant UICC from knowing the key materials of the other user equipment. The internal NAF key of the other equipment is in fact known only by the NAF and from the UICC inside the mobile equipment. Preferably, both equipments are in this situation. The sending of the internal NAF keys of each UICC to the other could thus be avoided. This encryption procedure prevents a vicious user from trying to eavesdrop the communication in the middle and to collect the other users' keys, so that he/she can use them for fraudulent actions later on. It is here noted that, if a non GBA_U compliant UICC is able to derive keys by any other means than by the GBA_U compliance, such feature can been implemented.
According to an advantageous feature, the UICC further comprising a calculation module to calculate the session key, the session key is calculated inside the UICC.
This implies the use of a GBA_U compliant UICC. It has here to be noted that a user can compute all the keys theoretically by monitoring the communication between the ME and the UICC. It is thus highly recommended to make the UICC compute the session key instead of the ME as stated in this advantageous embodiment.
According to a particular feature, first and second BSF being the same BSF, the NAF keys or the session key are calculated by this BSF, is retrieved by the NAF and sent to the user equipments encrypted with respective NAF keys.
This feature centralizes the calculation of session key inside the BSF which can be preferable for the MNO or required by the MNO.
The invention also concerns a Network Application Functions (NAF) server comprising:
The invention also relates to a GBA compliant user equipment comprising:
Advantageously, such GBA compliant user equipment comprises an UICC including said challenge processing module, said key derivation module and said decryption module.
Such user equipment can implement some of the preferred embodiments of the invention where the decryption of the message for constructing the session key or of the session key itself is realized inside the UICC.
Preferably, said UICC further includes said calculation module.
Such a user equipment is able to implement the preferred embodiment and option of the invention where the session key is calculated inside the UICC guaranteeing the strongest security.
With the invention, a true end to end security for user-to-user communication can be achieved without requiring physical replacement of UICC deployed in the field. The mechanism is generic and can be applied to any type of user-to-user secure communication.
To the accomplishment of the foregoing and related ends, one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims.
The following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the embodiments may be employed. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed embodiments are intended to include all such aspects and their equivalents.
In the following detailed description, reference is made to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It is to be understood that the various embodiments of the invention, although different, are not necessarily mutually exclusive. For example, a particular feature, structure, or characteristic described herein in connection with one embodiment may be implemented within other embodiments without departing from the spirit and scope of the invention. In the drawings, like numerals refer to the same or similar functionality throughout the several views. For clarity, only those elements and steps which are useful to the understanding of the present invention have been shown in the drawings and will be described.
Then, when an action is said to be performed by a device, it is in fact executed by a microprocessor in this device controlled by instruction codes recorded in a program memory on the said device. An action is also ascribed to an application. This means that part of the instruction codes making up the application are executed by the microprocessor.
The BSF is further connected to at least a Home Subscriber Server HSS through an interface Zh. Advantageously the BSF is also connected to a Subscriber Locator Function SLF through an interface Dz. Names of different functions and interfaces are standardized in the Generic Bootstrapping Architecture standard.
The invention intervenes when the user of the user equipment UE1 requests a secure voice communication to be established with another user having a second user equipment UE2. Thus the UE1 sends a request of communication REQ(ID1,ID2) to the second user equipment UE2 typically e.g. via an underlying IP Multimedia Subsystem (IMS). This request of communication REQ(ID1,ID2) includes the identifiers ID1 and ID2 of the two user equipments.
In parallel UE1 sends a request for security association REQ(ID1,ID2,SEC) for this voice communication to a dedicated Network Application Function NAF. This triggers the establishment of a link with a Bootstrapping Server Function BSF1. This BSF1 is for example the one of the Mobile Network Operator of UE1. If no valid bootstrapped key Ks is available in the UE1, an initial bootstrapping procedure designated by curly bracket CH1 (NAF) is thus launched between UE1 and BSF1. A challenge is generally sent to the user equipment UE1 that gives a response in return. The entire security is thus based on MNO's credential used to authenticate one subscriber. As it can be seen on
Following request REQ(ID1, ID2, SEC) from the UE1, the NAF sends request to the BSF1 in order to retrieve the NAF keys associated to the UE1. Here, as UE1 comprises a GBA compliant UICC1, two NAF keys are obtained, one external Ks_ext_NAF1 and one internal Ks_int_NAF1. Those keys are then sent to the NAF by the BSF1.
In parallel with the procedure where UE1 is implicated, the other user equipment UE2, that received the request for communication REQ(ID1,ID2) sends a request for security association REQ(ID1,ID2,SEC) to NAF. This launches an initial bootstrapping procedure between UE2 and a second BSF2 if no valid bootstrapped key is available in the UE2. It implies the UICC2 being implicated according to the GBA requirements even if this UICC is not GBA compliant. Said procedure is designated by curly brackets CH2(NAF). Indeed, the two BSF could be the same, e.g. if the same MNO is used by the two user equipments but, on a general base, they are different.
Here it has to be noted that, in the example shown on
When the procedure CH2(NAF) is ended, the BSF proceeds to key derivation for the concerned NAF from a bootstrapped key Ks2. Here a single Ks_NAF2 is obtained. This key, which is of the external type (belonging to the mobile equipment ME2), is then transferred to the NAF.
In the embodiment shown on
Then the session key Ks_SV is encrypted differently depending on the recipient UE1 or UE2. In the case, a same BSF is accessible for both user equipments, the session key calculation can also be performed in the BSF.
For example Ks_SV=KDF(Ks_int_NAF_1, Ks_int_NAF_2, User_Param_1, User_Param_2, . . . )
User Param can be RAND, B-TID, and other attributes associated to each user's Ks_int_NAF.
External NAF key could also be used.
The session key (Ks_SV)K
Also shown on
(1) Access to GBA functionality is done through secure channel
(2) The external application has its right to access to GBA function.
If there is no such a control, a situation could occur where attacker tries to retrieve keys exchanged outside the secure channel by forcing the ME not to set up secure channel.
The beginning of the method is identical with the one shown on
Once the NAF received Ks_NAF2 and Ks_int_NAF1, Ks_ext_NAF1, it generates in a step GEN(MSG1,MSG2) two encrypted messages MSG1 and MSG2 each being intended to be sent to each one of the equipments UE1 and UE2.
The message MSG2 intended to be sent in a step SD(MSG2) to UE2 includes at least the external NAF key of ME1 encrypted with the NAF key of ME2. Thus the internal NAF key of UICC1 is kept inside the NAF and is not threaten by any leak. Messages may further include identifiers and other data, for example a random that could be used for the derivation of the session key.
In a first option, the message MSG1 intended to be sent in a step SD(MSG1) to UE1 includes at least the NAF key of ME2 encrypted with the external NAF key of ME1. This option corresponds to a case where the session key Ks_SV is calculated in a step CAL in the mobile equipment ME1 in a way similar to the one implemented in UE2. This stands after the decryption DEC of the encrypted message MSG1 using the external NAF key of ME1.
In a second option, shown after the first OR in
It is here understood that this last option is the most secure for this embodiment as only the external NAF keys of the user equipments are transferred securely and all calculation to obtain the session key are done inside UICC1.
It is here underlined that, if the user equipment UE2 would also have an integrated circuit card GBA compliant UICC2, the option could have been applied to both equipment and the obtained method would have been completely secure as only the both external NAF keys Ks_ext_NAF1 and Ks_ext_NAF2 would be transferred respectively encrypted with internal keys Ks_int_NAF2 and Ks_int_NAF1. The decryption of MSG1 and MSG2 and the calculation of the session key Ks_SV would be done in the respective UICC before being transferred to respective mobile equipment ME1 and ME2 in charge for them to establish the voice communication using the obtained session key Ks_SV. Here, using the attributes communicated with the messages enabling the construction of the session key, fine-tuned usage control is possible. In other words, UICC can do a check according to pre-defined security policy. For example, UICCType can be used to check if the counterpart has the correctly configured UICC and if not, it rejects the key derivation request.
a transmitter adapted to transmit requests of communication with another user equipment,
Such communication means are not further disclosed as the man skilled in the art will be able to implement such means that can be based on wireless interfaces, advantageously, or on wired interfaces. In the GBA system, the role of UICC is fundamental as UICCs constitute distributed security tokens.
The above detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, appropriately interpreted, along with the full range of equivalents to which the claims are entitled.
| Number | Date | Country | Kind |
|---|---|---|---|
| 13305379.3 | Mar 2013 | EP | regional |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2014/055328 | 3/17/2014 | WO | 00 |
