The present invention relates to a usage of a nonce-based authentication scheme in a session-based authentication application. In particular, the present invention relates to authentication in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein the authentication is based on a nonce-based authentication scheme.
In present-day and future communication systems such as for example GPRS (General Packet Radio Service), UMTS (Universal Mobile Telecommunication Service) or CDMA (Code Division Multiple Access), authentication and authorization represent essential issues.
For ensuring security and trustiness within such communication systems, which is particularly important for functions and services related to security-relevant, personal and/or confidential data and services, and for controlling access to such network systems and parts thereof, a user authentication is usually performed. To this end, several authentication, authorization and accounting (AAA) methods have been proposed. The applicability of such AAA methods, however, depends on underlying network concepts and/or technologies of the communication system.
For example, the 3rd Generation Partnership Project (3GPP) has specified a so-called IP Multimedia Subsystem (IMS). The IP Multimedia Subsystem comprises, among others, a home subscriber server (HSS), several call state control functions (CSCF; CSCF's being divided into proxy, interrogating and serving CSCF's) and a server locator function (SLF). On the interfaces between these network entities, referred to as Cx and Dx interfaces, a Diameter protocol according to a Diameter Base Protocol as defined in RFC3855, particularly in sections 1 and 2 thereof, is used for authentication purposes.
In an IMS network, the session initiation protocol (SIP) specified by the Internet Engineering Task Force (IETF) is usually employed as a session control protocol. Hence, the HSS may be referred to as a Diameter server and the (S-)CSCF's may be referred to as SIP servers. In this connection, the IMS defines a Diameter application to interact with the SIP signaling during session setup and other ones to perform and/or control other SIP services. As defined in sections 8 and 16 of RFC3261, a SIP server may operate in a user agent mode, thus representing an end system, or in a proxy mode, thus representing an intermediary between user agent server and client.
In this regard, there has been proposed a Diameter SIP application in the Internet-draft “draft-ietf-aaa-diameter-sip-app-12” of Apr. 28, 2006 (already being approved by the IETF as an RFC, the number of which is not yet known). This proposal describes an interworking of Diameter and SIP in that a SIP server relies on Diameter AAA infrastructure for authenticating a SIP request (for example, a SIP registration request such as SIP REGISTER) and authorizing the usage of particular SIP services. The Diameter SIP application provides a Diameter client being co-located with a SIP server, with the ability to request the authentication of users and authorization of SIP resources usage from a Diameter server. Pursuant to different operations of the Diameter SIP application, an actual authentication is either performed at a Diameter server or at a Diameter client (i.e. SIP server).
In the following, the Diameter SIP application is referred to as a non-limiting example for a session-based authentication application.
Furthermore, there has been proposed a solution for providing security, i.e. authentication, for IP-related network environments, which is usually referred to as “HTTP Digest authentication”. This solution is e.g. disclosed in RFC2617, and utilizes cryptographic hashes for authentication. For example, the above-mentioned Diameter SIP application supports HTTP Digest as the only authentication scheme in session control according to SIP. The Digest scheme is based on a simple challenge-response paradigm using a nonce value for challenging, a nonce (“number used once”) being a (pseudo) random number used for authentication.
In the following, the HTTP Digest authentication is referred to as a non-limiting example for a nonce-based authentication scheme.
As regards an interaction of e.g. HTTP Digest with Diameter SIP for authenticating a user, the following procedures apply.
When a SIP server wants to authenticate a SIP user agent client (e.g. a user equipment), the SIP server may acquire user-related authentication and authorization data from a Diameter server. As mentioned above, a certain SIP server has to co-locate a Diameter client, when it wants to get user information from a Diameter server. During authentication of a certain SIP user agent client (UAC), the Diameter client in the SIP server has to send a request and process a response to and from a proper Diameter server.
When the Diameter client wants to get authentication information for the user agent client to be authenticated or wants to authenticate the user agent client, then the Diameter client sends an authentication request, known as Multimedia-Auth-Request (MAR command), along with available user data to the Diameter server. The Diameter server as a response sends an authentication response, known as Multimedia-Auth-Answer (MAA command), along with user authentication data or sends a result of an authentication, which in this example case is performed by means of HTTP Digest. Depending on whether the authentication is performed at the Diameter server or at the Diameter client (i.e. SIP server), either two pairs of MAR/MAA commands or one pair of MAR/MAA commands are exchanged.
The HTTP Digest authentication requires a nonce generated by a server, in this case the Diameter server. This nonce is generated by the Diameter server in the framework of the Diameter SIP application. Besides a nonce value it is also possible to use a nonce count value for the case of nonce reuse in HTTP Digest authentication.
A new nonce can be issued either with a 200 (OK) response or by sending a 401 (Unauthorized) or a 407 (Proxy Authentication Required) response. Which nonce option is applicable depends on the operation mode of the SIP server, i.e. user agent mode or proxy mode. Whenever the SIP server is operating in user agent mode, i.e. as a user agent server, it sends a new nonce in each 200 (OK) response, because it is preferable to use a fresh nonce in each request instead of updating a nonce count value. Whenever the SIP server is operating in proxy mode, it prefers to avoid the extra roundtrip delay of challenging by using the nonce count value instead. Thus, the SIP server sends a new nonce only when an operator policy on the nonce usage counter and the nonce lifetime determines that a nonce value cannot be used anymore.
However, there is a problem in that the Diameter server, which is expected to generate a nonce for the authentication, is not able to apply HTTP Digest procedures correctly. If a Diameter server is assigned to manage the nonce state with a nonce count value allocated to a certain user (which is up to operator policy, but is beneficial in order to avoid replay attacks), the Diameter server has no information, after a successful authentication, whether a new nonce should be generated or the nonce count should be updated.
This can be detrimental as it may result in that, after a successful authentication, the Diameter server drops the old nonce (used in the previous authentication), generates a new nonce and expects the SIP server to send the new nonce in a “nextnonce” parameter. However, it may happen that the SIP server works as a SIP proxy server and has no possibility to utilize a new “nextnonce” nonce generated by the Diameter server. The Diameter server nevertheless assumes that the SIP client (i.e. user agent client) would use the “nextnonce” based on the SIP protocol. Therefore, when the user agent client (e.g. a user equipment) next sends a request with an HTTP Digest response using the old nonce (with an increased nonce count), the pre-generated authentication response is wrong. This results in the request being challenged by the SIP server based on a Diameter server response using the new nonce.
Although this behavior does not prevent the user agent client from registering and using the SIP server, the benefits of using nonce count and “nextnonce” in HTTP Digest authentication are lost. This leads to increased network traffic for both the SIP server and the Diameter server.
Thus, a solution to the above problems and drawbacks is needed for providing an efficient usage of nonce-based authentication scheme in a session-based authentication application.
It is a concern of the present invention to remove the above drawbacks and to provide accordingly improved methods, apparatuses and the like.
According to one aspect of the invention, there is provided a method of authentication as described in the following.
According to one aspect of the invention, there is provided an apparatus for a session control server's side as described in the following.
According to one aspect of the invention, there is provided a method of operating an apparatus according to the second aspect as described in the following.
According to one aspect of the invention, there is provided an apparatus for an authentication server's side as described in the following.
According to one aspect of the invention, there is provided a method of operating an apparatus according to the fourth aspect as described in the following.
According to one aspect of the invention, there is provided a system of authentication as described in the following, wherein the system in one implementation basically comprises an apparatus according to the second aspect and an apparatus according to the fourth aspect.
According to further aspects of the invention, there are provided computer programs and data structures to operate the above-mentioned apparatuses, either each one alone or in any combination, as described in the following.
Basically, the invention comprises an indication of an operation mode of a session control server from that session control server to an authentication server, wherein conceivable operation modes are a proxy mode and a user agent mode. Further, the invention comprises an application of nonce-based authentication procedures in view of an operation mode of a session control server. Additionally, the invention comprises a spreading of authentication parameters in dependence on an operation mode of a session control server.
According to embodiments of the present invention, the cooperation between a session control server and an authentication server is improved. Accordingly, the authentication server obtains knowledge about the type of authentication mode used by the session control server, i.e. user-to-user mode or proxy-to-user mode.
By way of embodiments of the present invention, a synchronization on session control level like SIP level is achievable between a session control server like a SIP server and an authentication server like a Diameter server, when a nonce-based authentication scheme is used in a session-based authentication application.
It is another facet of embodiments of the present invention that a usage of a nonce-based authentication scheme such as e.g. HTTP Digest in a session-based authentication application such as e.g. Diameter SIP application is enabled. This results in that a user agent client can utilize any possible feature of a nonce-based authentication scheme in a session-based authentication framework in each case of operation mode of a session control server.
Thereby, network traffic is reduced by embodiments of the present invention.
In the following, the present invention will be described in greater detail with reference to the accompanying drawings, in which
The present invention is described herein with reference to particular non-limiting examples. A person skilled in the art will appreciate that the invention is not limited to these examples, and may be more broadly applied.
In particular, the present invention is described in relation to usage of HTTP Digest authentication in a SIP Diameter application framework as an example implementation. As such, the description of the aspects and embodiments given herein specifically refers to terminology which is directly related to this example. Such terminology is, however, only used in the context of the presented examples, and does not limit the invention in any way.
It is to be noted that a SIP server shown in
As shown in
In
Upon receipt of such an operation mode indication from the SIP server, the Diameter server analyzes the contents of the MAR command in accordance with one of implementation alternatives as set out below (step S2). In step S3, the Diameter server according to the illustrated embodiment generates a nonce and possibly also another nonce for a subsequent authentication, hereinafter referred to as “nextnonce”. The generation of nextnonce is based on, thus taking into consideration, the indicated operation mode of the session control server and, if applicable, also on other Digest parameters available. As set out above, either a new nonce is created or a nonce count value is updated at the Diameter server managing the nonce state. The kind of nextnonce generated basically depends on the operation mode of the SIP server such that a new nonce is usually generated, when the SIP server operates in user agent mode, and a nonce count value is updated, when the SIP server operates in proxy mode.
Thereupon, in step S4, the Diameter server transmits to the SIP server authentication parameters (possibly including the nonce generated) based on the previous analysis of step S2 and/or the previous generation of step S3. In
Among others, the MAA message includes a Digest-HA1 AVP that contains H(A1) (as defined in RFC 2617), and that allows the Diameter client to calculate the expected response. The presence of the Digest-HA1 AVP indicates to the SIP server (i.e. Diameter client) that the user authentication has to take place there. Then the SIP server can authenticate the user using the received parameters.
Although not shown in
It is to be noted that the method flow depicted in
With regard to the two cases mentioned above (i.e. authentication being performed in the Diameter client or in the Diameter server), the embodiment of
According to a first implementation alternative of one embodiment, an indication is effected by using an attribute-value-pair (AVP) in the MAR message, which is specifically assigned for indicating a session control server mode. That is, a new AVP in addition to those as defined in the current Internet-Draft is introduced, thus forming a new data structure.
Such a newly introduced Diameter AVP, wherein AVP is a specific but non-limiting term for a message field, represents a SIP-Server-UA-mode AVP, which can indicate towards the Diameter Server whether the SIP server is working in proxy or in UA mode.
In this case, the Diameter Server can send a nextnonce in a SIP-Authentication-Info AVP, if the SIP-Server-UA-mode AVP indicates a SIP UA mode and HTTP Digest parameters enable usage of it. If the indicated SIP server mode in the new AVP is proxy mode, then the Diameter server should not send a SIP-Authentication-Info AVP, even if other Digest parameters would allow it.
This solution alternative provides a flexible way to populate a SIP server working mode, if needed. If not needed, then this AVP can be left out of the MAR command sent from the SIP server (i.e. Diameter client). This alternative can also be used if an authentication scheme other than HTTP Digest is applied.
According to a second implementation alternative of one embodiment, an indication is effected by using a parameter, which is specifically assigned for indicating a session control server mode, within an attribute-value-pair, which is assigned for indicating a session control method. That is, a new parameter in addition to those as defined for a SIP-Method AVP in the current Internet-Draft is introduced, thus forming a new data structure.
Accordingly, an existing SIP-Method AVP is extended to indicate that a SIP request is being processed in proxy or in UAS mode in the SIP server. When the Diameter server receives such an MAR command, it has to analyze the SIP server UA mode from this new parameter of the SIP-Method AVP. After a successful authentication, the Diameter server can decide whether user-to-user or proxy-to-user HTTP Digest authentication should be applied.
According to a third implementation alternative of one embodiment, an indication is effected by using an attribute-value-pair, which is specifically assigned for indicating a session control server mode, if the session control server is in proxy mode, and using an attribute-value-pair, which is assigned for the session-based authentication application, if the session control server is in user agent mode. That is, the kind of indication used is distinguished on the basis of the operation mode of the SIP server. In this case, a new AVP in addition to those as defined in the current Internet-Draft is introduced for at least one condition, thus forming a new data structure.
Accordingly, new Diameter AVPs are defined for the purpose of a SIP proxy-to-user HTTP Digest authentication. These AVPs can for example be a SIP-Proxy-Authorization AVP and a SIP-Proxy-Authenticate AVP so as to match for SIP headers Proxy-Authorization and Proxy-Authenticate, respectively. For the purpose of a SIP user-to-user HTTP Digest authentication the already defined Diameter AVPs can be used. This means that already existing SIP-Authenticate/SIP-Authorization AVPs are matched for SIP headers WWW-Authenticate and Authorization, respectively. Also, an existing SIP-Authentication-Info AVP can be mapped to a SIP header Authentication-Info.
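The following is an added, self-contained model (not code from the application) of the Diameter server's nextnonce decision from step S3 together with the problem scenario described earlier: it verifies an RFC 2617 Digest response with a nonce count, and only issues a nextnonce in a SIP-Authentication-Info AVP when the SIP-Server-UA-mode AVP of the first alternative indicates user agent mode. MAR/MAA commands are represented as plain dicts keyed by AVP name, the mode values "UA"/"PROXY", the `honor_mode` switch, the nonce-usage limit and the user credentials are constructed assumptions, and the Diameter Result-Code names are used only as labels.

```python
"""Constructed model of the nextnonce decision; AVPs are dict keys, not a Diameter codec."""
import hashlib
import secrets
from dataclasses import dataclass

UA_MODE, PROXY_MODE = "UA", "PROXY"          # assumed values of the SIP-Server-UA-mode AVP
CHALLENGE = "DIAMETER_MULTI_ROUND_AUTH"       # MAA carrying a fresh nonce (401/407 towards the UAC)
SUCCESS = "DIAMETER_SUCCESS"
REJECTED = "DIAMETER_AUTHENTICATION_REJECTED"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


@dataclass
class NonceState:
    nonce: str
    nc: int = 0          # highest nonce count accepted for this nonce (replay protection)


class DiameterServer:
    """Authentication performed at the Diameter server, which manages the nonce state."""

    def __init__(self, ha1_by_user, honor_mode=True, max_nc=5):
        self.ha1 = ha1_by_user        # H(A1) per user, as stored in the HSS
        self.honor_mode = honor_mode  # False: ignore the mode AVP (reproduces the described problem)
        self.max_nc = max_nc          # operator policy on the nonce usage counter (constructed)
        self.states = {}

    def _challenge(self, user):
        st = NonceState(secrets.token_hex(16))        # step S3: create a new nonce
        self.states[user] = st
        return {"Result-Code": CHALLENGE, "SIP-Authenticate": {"Digest-Nonce": st.nonce}}

    def handle_mar(self, mar):
        user, authz = mar["User-Name"], mar.get("SIP-Authorization")
        mode = mar.get("SIP-Server-UA-mode")           # first implementation alternative
        st = self.states.get(user)
        if not authz or st is None or authz["Digest-Nonce"] != st.nonce:
            return self._challenge(user)               # no credentials or unknown/stale nonce
        nc = authz["Digest-Nonce-Count"]
        if nc <= st.nc or nc > self.max_nc:
            return self._challenge(user)               # replayed count or nonce used up
        expected = digest_response(self.ha1[user], authz["Digest-Method"], authz["Digest-URI"],
                                   st.nonce, nc, authz["Digest-CNonce"])
        if expected != authz["Digest-Response"]:
            return {"Result-Code": REJECTED}
        st.nc = nc                                     # proxy mode: keep nonce, update nonce count
        maa = {"Result-Code": SUCCESS}
        if mode == UA_MODE or not self.honor_mode:    # UA mode: fresh nextnonce in each 200 OK
            st.nonce, st.nc = secrets.token_hex(16), 0
            maa["SIP-Authentication-Info"] = {"Digest-Nextnonce": st.nonce}
        return maa


class UserAgentClient:
    def __init__(self, user, password, realm):
        self.user, self.ha1 = user, md5_hex(f"{user}:{realm}:{password}")
        self.nonce, self.nc = None, 0

    def on_nonce(self, nonce):                         # from a challenge or a nextnonce
        self.nonce, self.nc = nonce, 0

    def authorization(self, method="REGISTER", uri="sip:example.invalid"):
        if self.nonce is None:
            return None
        self.nc += 1
        cnonce = secrets.token_hex(8)
        return {"Digest-Nonce": self.nonce, "Digest-Nonce-Count": self.nc, "Digest-CNonce": cnonce,
                "Digest-Method": method, "Digest-URI": uri,
                "Digest-Response": digest_response(self.ha1, method, uri, self.nonce, self.nc, cnonce)}


def sip_request(uac, server, mode):
    """One SIP request relayed through a SIP server (Diameter client) in the given mode.
    Returns the Result-Codes seen until the request is accepted."""
    codes = []
    while True:
        mar = {"User-Name": uac.user, "SIP-Server-UA-mode": mode, "SIP-Authorization": uac.authorization()}
        maa = server.handle_mar(mar)
        codes.append(maa["Result-Code"])
        if maa["Result-Code"] == CHALLENGE:
            uac.on_nonce(maa["SIP-Authenticate"]["Digest-Nonce"])   # 401/407 reaches the UAC
            continue
        # only a UAS can pass nextnonce on in 200 OK; a proxy cannot, so the UAC keeps its nonce
        if mode == UA_MODE and "SIP-Authentication-Info" in maa:
            uac.on_nonce(maa["SIP-Authentication-Info"]["Digest-Nextnonce"])
        return codes


def simulate(mode, honor_mode=True, requests=3):
    """Result-Codes per request for a constructed user; extra CHALLENGEs are wasted round trips."""
    realm, pw = "example.invalid", "s3cret"             # constructed credentials
    uac = UserAgentClient("alice", pw, realm)
    server = DiameterServer({"alice": md5_hex(f"alice:{realm}:{pw}")}, honor_mode=honor_mode)
    return [sip_request(uac, server, mode) for _ in range(requests)]
```

With `honor_mode=False` the server always rotates the nonce after success, so a proxy-mode client reusing the old nonce with an incremented count is challenged on every request, which is the lost-benefit case described above.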
According to one embodiment, an apparatus at the SIP server side (which in
According to one embodiment, an apparatus at the Diameter server side (which in
Further, there may be provided a generator, i.e. means for generating a nonce for a subsequent authentication in consideration of the result output from the analyzer, namely an indicated operation mode of the SIP server. A storage is provided for holding a nonce state with a nonce count value such that the Diameter server side is able to manage the nonce state. To this end, the storage is connected to the generator, from where newly generated values are input, to a processor, i.e. means for performing an authentication on the basis of generated and/or stored authentication parameters, and to a transmitter, i.e. means for transmitting respective authentication parameters to the SIP server.
For authentication purposes, the processors of both sides (although not shown) are enabled to cooperate in accordance with the authentication scheme used, in this case HTTP Digest.
It is to be noted that
The operation of any individual element of
In general, it is also to be noted that the mentioned functional elements, e.g. indicator and analyzer according to the present invention can be implemented by any known means, either in integrated or removable hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. For example, the analyzer can be implemented by any data processing unit, e.g. a microprocessor, being configured to analyze an authentication request in view of an operation mode indication as defined herein. The mentioned parts can also be realized in individual functional blocks or by individual devices, or one or more of the mentioned parts can be realized in a single functional block or by a single device. Correspondingly, the above illustration of
Furthermore, method steps likely to be implemented as software code portions and being run using a processor at one of the entities are software code independent and can be specified using any known or future developed programming language such as e.g. Java, C, C++, and Assembler. Method steps and/or devices or means likely to be implemented as hardware components at one of the peer entities are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS, CMOS, BiCMOS, ECL, TTL, etc, using for example ASIC components or DSP components, as an example. Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to those skilled in the art.
According to embodiments of the present invention, a session control server, e.g. SIP server, indicates in an authentication request, e.g. MAR command, whether it is working in proxy mode or user agent mode from the point of view of session control signaling. An authentication server, e.g. Diameter server, receiving the indication then knows how to apply nonce-based authentication, e.g. HTTP Digest authentication, and how to populate parameters in an authentication response, e.g. MAA command, to the session control server.
The embodiments of the present invention are applicable in any communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application. This may for example be the case in an IMS system, where the present invention is particularly appropriate to be applied on the Cx interface. Other examples include systems defined by ETSI (European Telecommunication Standards Institute), 3GPP and 3GPP2 (3GPP: Third Generation Partnership Project) and TISPAN (Telecoms & Internet converged Services & Protocols for Advanced Networks).
In short, the above-described exemplary embodiments of the present invention could be summarized as an on-demand HTTP Digest nextnonce generation in a Diameter server.
In view of the foregoing it becomes clear that the present invention addresses several aspects of methods, entities and elements, which are as follows:
(First Aspect)
A method of authentication, usable in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein authentication is based on a nonce-based authentication scheme, the method comprising:
indicating an operation mode of the session control server from the session control server to the authentication server in an authentication request.
The above method, wherein the operation mode of the session control server includes a proxy mode and a user agent mode.
The above method, wherein indicating an operation mode is conducted before and/or after a successful authentication.
The above method, wherein according to a first option indicating an operation mode is effected by using an attribute-value-pair, which is assigned for indicating a session control server mode.
The above method, wherein according to a second option indicating an operation mode is effected by using a parameter, which is assigned for indicating a session control server mode, within an attribute-value-pair, which is assigned for indicating a session control method.
The above method, wherein according to a third option indicating an operation mode is effected by using an attribute-value-pair, which is assigned for indicating a session control server mode, if the session control server is in proxy mode, and using an attribute-value-pair, which is assigned for the session-based authentication application, if the session control server is in user agent mode.
The above method, further comprising:
analyzing, at the authentication server, an authentication request from the session control server; and
generating, at the authentication server, a nonce for a subsequent authentication in consideration of the indicated operation mode of the session control server.
The above method, wherein generating a nonce includes creating a new nonce and updating a nonce count value of a previous nonce.
The above method, further comprising:
transmitting authentication parameters in consideration of an indicated operation mode and/or a generated nonce from the authentication server to the session control server in an authentication response; and/or
performing authentication using the nonce-based authentication scheme in consideration of an indicated operation mode and/or a generated nonce.
(Second Aspect)
An apparatus, usable in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein authentication is based on a nonce-based authentication scheme, the apparatus comprising:
an indicator configured to indicate an operation mode of the session control server from the session control server to the authentication server in an authentication request.
The above apparatus, wherein the operation mode of the session control server includes a proxy mode and a user agent mode.
The above apparatus, wherein the indicator is configured to indicate an operation mode before and/or after a successful authentication.
The above apparatus, wherein according to a first option the indicator is configured to indicate an operation mode by using an attribute-value-pair, which is assigned for indicating a session control server mode.
The above apparatus, wherein according to a second option the indicator is configured to indicate an operation mode by using a parameter, which is assigned for indicating a session control server mode, within an attribute-value-pair, which is assigned for indicating a session control method.
The above apparatus, wherein according to a third option the indicator is configured to indicate an operation mode by using an attribute-value-pair, which is assigned for indicating a session control server mode, if the session control server is in proxy mode, and using an attribute-value-pair, which is assigned for the session-based authentication application, if the session control server is in user agent mode.
The above apparatus, further comprising:
a receiver configured to receive authentication parameters from the authentication server; and/or
a processor configured to perform authentication using the nonce-based authentication scheme based on received authentication parameters.
The above apparatus, wherein the authentication parameters comprise a nonce.
The above apparatus, wherein the apparatus is arranged at the session control server.
(Third Aspect)
A method of operating the above apparatus of the second aspect according to the method of the first aspect, wherein the apparatus acts as the session control server.
(Fourth Aspect)
An apparatus, usable in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein authentication is based on a nonce-based authentication scheme, the apparatus comprising:
a receiver configured to receive an indication of an operation mode of the session control server from the session control server in an authentication request.
The above apparatus, wherein the operation mode of the session control server includes a proxy mode and a user agent mode.
The above apparatus, further comprising:
an analyzer configured to analyze an authentication request from the session control server; and
a generator configured to generate a nonce for a subsequent authentication in consideration of the indicated operation mode of the session control server.
The above apparatus, further comprising a storage configured to hold a nonce state with a nonce count value.
The above apparatus, wherein the generator is configured to create a new nonce and to update a nonce count value of a previous nonce.
The above apparatus, further comprising:
a transmitter configured to transmit authentication parameters in consideration of an indicated operation mode and/or a generated nonce from the authentication server to the session control server in an authentication response; and/or
a processor configured to perform authentication using the nonce-based authentication scheme in consideration of an indicated operation mode and/or a generated nonce.
The above apparatus, wherein the apparatus is arranged at the authentication server.
(Fifth Aspect)
A method of operating the above apparatus of the fourth aspect according to the method of the first aspect, wherein the apparatus acts as the authentication server.
(Sixth Aspect)
A system of authentication, usable in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein authentication is based on a nonce-based authentication scheme, the system comprising:
an indicator configured to indicate an operation mode of the session control server from the session control server to the authentication server in an authentication request.
The above system, wherein the operation mode of the session control server includes a proxy mode and a user agent mode.
The above system, wherein the indicator is configured to operate as set out in connection with the above apparatus.
The above system, further comprising:
an analyzer configured to analyze an authentication request from the session control server; and
a generator configured to generate a nonce for a subsequent authentication in consideration of the indicated operation mode of the session control server.
The above system, wherein the generator is configured to create a new nonce and to update a nonce count value of a previous nonce.
The above system, further comprising:
a transmitter at the authentication server and a receiver at the session control server, configured to transmit authentication parameters in consideration of an indicated operation mode and/or a generated nonce from the authentication server to the session control server in an authentication response; and/or
a processor configured to perform authentication using the nonce-based authentication scheme in consideration of an indicated operation mode and/or a generated nonce.
The above system, comprising the apparatus of the second aspect and/or the apparatus of the fourth aspect.
(Seventh Aspect)
A computer program embodied in a computer-readable medium comprising program code configured to operate an apparatus according to the second aspect.
(Eighth Aspect)
A computer program embodied in a computer-readable medium comprising program code configured to operate an apparatus according to the fourth aspect.
According to certain embodiments of the present invention, the subject-matter of the above aspects is configured such that:
the session-based authentication application comprises a Diameter SIP application, and/or
the nonce-based authentication scheme comprises an HTTP Digest authentication, and/or
the session control server comprises a SIP server and/or a Diameter client, and/or
the authentication server comprises a Diameter server.
According to further certain embodiments of the present invention, the subject-matter of the above aspects is configured such that:
the communication system comprises an IP Multimedia Subsystem (IMS), and/or
the session control server comprises a call state control function, and/or
the authentication server comprises a home subscriber server.
In summary, there is provided a usage of a nonce-based authentication scheme in a session-based authentication application, usable in a communication system comprising a session control server and an authentication server, which are configured to provide for a session-based authentication application, wherein authentication is in consideration of a nonce-based authentication scheme, comprising an indication of an operation mode of the session control server from the session control server to the authentication server in an authentication request, wherein the operation mode includes proxy mode and user agent mode.
Even though the invention is described above with reference to the examples according to the accompanying drawings, it is clear that the invention is not restricted thereto. Rather, it is apparent to those skilled in the art that the present invention can be modified in many ways without departing from the scope of the inventive idea as disclosed above.
This application claims priority of U.S. Provisional Patent Application Ser. No. 60/814,058 filed on Jun. 16, 2006, the entire contents of which are incorporated herein by reference.
Number | Date | Country
---|---|---
60814058 | Jun 2006 | US