[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2005078988A1 - Key management for network elements - Google Patents

Key management for network elements Download PDF

Info

Publication number
WO2005078988A1
WO2005078988A1 PCT/SE2004/000179 SE2004000179W WO2005078988A1 WO 2005078988 A1 WO2005078988 A1 WO 2005078988A1 SE 2004000179 W SE2004000179 W SE 2004000179W WO 2005078988 A1 WO2005078988 A1 WO 2005078988A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
network element
network domain
key
session key
Prior art date
Application number
PCT/SE2004/000179
Other languages
French (fr)
Inventor
Rolf Blom
Mats NÄSLUND
Elisabetta Carrara
Fredrik Lindholm
Karl Norrman
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to DK04710139.9T priority Critical patent/DK1714418T3/en
Priority to PCT/SE2004/000179 priority patent/WO2005078988A1/en
Priority to CN200480041617A priority patent/CN100592678C/en
Priority to EP04710139.9A priority patent/EP1714418B1/en
Priority to US10/597,864 priority patent/US7987366B2/en
Publication of WO2005078988A1 publication Critical patent/WO2005078988A1/en
Priority to HK07106273.8A priority patent/HK1101624A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention generally refers to key management in communications systems, and in particular to inter-network domain key management for network infrastructure elements in such systems.
  • a communications environment or system can generally be envisaged as comprising a plurality of independent communication network domains.
  • Each such network domain can provide access to its services for users connected thereto.
  • NEs network elements
  • a typical example of such a secure inter-domain communication between two network elements is a secure communication tunnel between Security Gateways (SEGs) of two telecommunication or network operators.
  • SEGs Security Gateways
  • a key management/ key exchange protocol is typically used to establish the security parameters necessary for the inter- NE communication.
  • key management protocols There exist different types of key management protocols in the prior art, and they can generally be divided into two classes: symmetric key and public key protocols, respectively.
  • the former relies, in principle, on a secret key that is shared between the parties and cryptographic techniques based on such key(s).
  • the latter makes use of a pair of keys per party (a secret key and a public key), a trusted third party "validating" public keys and public key cryptography techniques.
  • each domain has access to one SEG and n is the total number of SEGs in the communications environment housing the domains, the number of long-term keys to be distributed to the SEGs and n - ⁇ stored in each SEG will amount to n if every SEG is to be able to
  • the number of pre- shared secret keys can be very large and grows rapidly (with ri 2 ) in dependence of the number of active SEGs in the network domains.
  • each network domain can have more than one communicating NE or SEG, and that the SEGs/NEs need to communicate with a relatively large number of other SEGs/NEs in other network domains.
  • adding a new SEG to an existing network domain requires large workload in the form of key distribution, management and storage.
  • all SEGs in the different network domains have to be updated and new long-term secret keys have to be distributed therebetween.
  • KDC Key Distribution Center
  • Typical examples in prior art of this solution are the Kerberos-based key management protocols.
  • a drawback is that it is typically hard to find a suitable trusted third party that can act as a KDC, in particular in the case of inter-operator communication.
  • increased administrative work is required to arrange for a common trust of this trusted third party solution.
  • the KDC is also a possible single point of failure, if it is compromised, all network domains using its services are threatened.
  • the preferred key agreement protocol according to [1], which is also discussed in [2], is to utilize a Public Key Infrastructure (PKI) based method, whereby the SEGs or NEs share their public keys.
  • PKI Public Key Infrastructure
  • the document [1] discloses a certificate-based solution without a Bridge Certification Authority (CA) PKI, or with a Bridge CA PKI, which is also further discussed in [2].
  • CA Bridge Certification Authority
  • each operator whose NEs or SEGs are to communicate, has to sign the other party's root certificate. These certificates are then securely configured in each communicating SEG.
  • a major drawback with PKI protocols is that the (initial) cost of establishing a PKI infrastructure is very large. Furthermore, revocations of certificates require manual administration and revocation checks must always be performed (a certificate is a credential that is valid unless a verification returns that it is revoked), which requires on-line communication between the operators' Certificate Revocation Lists (CRLs). Moreover, the cryptographic operations involved in PKI solutions are expensive.
  • a further object of the invention is provide a secret shared between two network elements of different network domains re-using existing network infrastructure and functionalities.
  • Still a further object of the invention is to avoid introducing any possible single point of failures, the compromise of which might render all inter- domain communication insecure.
  • the present invention involves establishing a symmetric secret or session key shared between two network elements (NEs) belonging to different networks or network domains (NDs), typically managed by different network operators or service providers.
  • This shared session key then enables the network elements to securely communicate with each other.
  • a network element could be a charging node needing to contact a corresponding charging node of another network domain.
  • a secure channel has to be set up between two security gateways (network elements) of different network domains.
  • a further example could be the communication between a Proxy Call State Control Function (P-CSCF) of a visited network domain and an Interrogating CSCF or a Serving CSCF of a home domain, traffic between Serving Gateway General Packet Radio System (GPRS) Support Nodes (SGSN) and Gateway GPRS Support Nodes (GGSN).
  • the communicating network elements could be a Home Location Register (HLR) and a Visited Location Register (NLR) or, in general, any form of inter-domain signalling, e.g. using Signaling System No. 7 (SS7).
  • HLR Home Location Register
  • NLR Visited Location Register
  • SS7 Signaling System No. 7
  • This master key is preferably (securely) kept in a central key storage or repository in the network domain.
  • the domain further includes cryptographic means or a cryptographic key management center (KMC) or module connected or associated with the key storage.
  • KMC cryptographic key management center
  • This KMC includes functionalities and algorithms for performing key management and possibly authentication by means of the keys in the storage.
  • the KMC constitutes or comprises the
  • AAA Authentication, Authorization and Accounting
  • the key establishment procedure generally starts with a network element (NEa) in a network domain A (NDa) requesting security parameters from its associated intra-ND KMC (AAAa).
  • This request typically is accompanied by or includes an identifier of an external network element (NEb) in a network domain B (NDb) that the network element NEa wants to communicate with, or an identifier of the network domain NDb of this external network element NEb.
  • the AAAa Upon reception of the request, the AAAa generates a freshness token, which could be or include a random challenge, a time-stamp and/or a sequence number.
  • the AAAa identifies the relevant master key from the associated key repository based on the received identifier and generates a session key using a cryptographic function, typically, with the identified master key and generated freshness token as input parameters.
  • the generated freshness token and session key is then, preferably securely, provided to the network element NEa, which forwards the freshness token to the external network element NEb.
  • This external network element NEb forwards the received token to its associated KMC (AAAb), preferably accompanied by an identifier of the network element NEa or an identifier of the network domain NDa of network element NEa.
  • the AAAb identifies the (same) correct master key from its associated key storage and generates a (identical) copy of the session key using an instance of the same cryptographic function as the AAAa of the other network domain NDa and the identified master key and received freshness token as input parameters.
  • the copy of the session key is then, preferably securely, provided to the network element NEb.
  • the two network elements NEa and NEb now share a secret symmetric session key.
  • This key may be employed directly for enabling secure communication between the network elements.
  • the session key can be used directly in Internet Protocol security (IPsec) protocols and algorithms.
  • IPsec Internet Protocol security
  • the session key could be used for running e.g. Internet Key Exchange (IKE) and negotiating Security Association (SA).
  • IKE Internet Key Exchange
  • SA Security Association
  • the session key establishment is performed by means of the Authentication and Key Agreement (AKA) algorithms and protocols provided in the AAA server node (KMC), preferably using a challenge-response scheme. It is then possible to connect the key establishment with an authentication procedure, where the communicating network elements may be authenticated.
  • AKA Authentication and Key Agreement
  • the AAAa calculates an expected response based on the master key and the random challenge. This expected response is then (securely) provided to the network element NEa together with the other security parameters (session key, random challenge).
  • the AAAb of the other network domain NDb Upon reception of the random challenge (freshness token), the AAAb of the other network domain NDb generates a response based on the challenge and the master key, in addition to generating the copy of the session key. This response is then transmitted, via its associated network element NEb to the network element NEa, which compares the received response with the expected response value provided previously from its associated cryptographic means AAAa. If they correctly match, network element NEa authenticates network element NEb and considers the session key establishment successful.
  • the challenge- response scheme could be repeated (interleaved) in the opposite direction.
  • the shared generated session key(s) may then be a function of the keys generated in both directions. Similarly, the challenge and/ or responses in respective direction could be interdependent.
  • the key storage of the each network domain houses the master key(s) shared with other domains. According to the invention, this storage only needs to keep one long-term master key per network domain pair. In other words, a network domain shares a first master key with a first external network domain and a second master key with a second external domain, etc. Contrary to these long-term master keys that basically only needs to be exchanged if a key storage is compromised, the lifetime of the generated session keys is comparatively much shorter. Thus, a session key is typically only valid during a communication session between network elements, or sometimes only during a portion of such a session. Moreover, should the key storage of a first domain be compromised only communication to that particular domain is potentially threatened, i.e. other network domains, e.g. a second and a third domain, can still securely inter-communicate.
  • the secret master keys used by the invention can be (securely) exchanged between the network domains (key repositories of the domains) in a number of different ways, for example using the Diffie-Hellman protocol, which can even be carried out manually between operator staff personnel, thereby providing the authentication of the Diffie-Hellman exchange.
  • the most sensitive part of the establishment of the session key between two NEs can be performed manually, assuring authenticity by personal contact/ exchange between operator or provider personnel.
  • the present invention facilitates adding/ revoking a network element to/ in an existing network domain. Basically, when adding a new network element, a secure channel is established between this new network element and the node(s) housing the cryptographic means. This is a configuration issue and can usually be done in combination with setting up the operation and maintenance channels to the new network element. Similarly, when a network element is revoked, the cryptographic means simply deletes the network element from its database of available network elements. Any (session) key cached in the network element is further erased.
  • the master keys in the key repository (and the corresponding copies of the master keys stored in repositories of other network domains) are simply updated, e.g. by anew performing the Diffie-Hellman or similar agreement protocol mentioned above.
  • the master key could be used in a bootstrap fashion to intermittently or regularly update or exchange new master keys between the domains. This has the advantage that the content of the domain key storage at a given time does not comprise older keys.
  • some or all network elements may need to be flushed from temporary stored session keys. This should be compared to the fully meshed symmetric solution discussed in the background section. In such a solution, if a single network element is hacked the keys of all network elements in all network domains (often several tens or hundreds of keys and network elements) may need to be replaced. However, by employing the present invention, if a network element is hacked, no key replacement has to be performed, though possibly a new session key has to be generated and provided if the network element currently is communicating with another external network element.
  • the invention offers the following advantages: Reduces the number of long-term secret keys required to be distributed between and stored in network domains; - Provides re-utilization of existing network infrastructure and functionality by using the AAA server node and its AKA algorithms, markedly reducing the cost of implementing a key establishment between network elements; Is more computationally efficient than PKI based protocols; Provides replay protection and freshness in establishing shared session keys; Provides easy revocation of network elements and network domains; and Provides easy addition of network elements to existing network domains.
  • Fig. 1 is an overview of a communications system illustrated with three network domains according to the present invention
  • Fig. 2 is an illustration of an embodiment of a communications system according to the present invention
  • Fig. 3 is a schematic diagram of an embodiment of a session key establishment according to the present invention
  • Fig. 4 is a schematic diagram of another embodiment of a session key establishment according to the present invention
  • Fig. 5 is a schematic diagram of a further embodiment of a session key establishment according to the present invention
  • Fig. 6 is a schematic diagram continuing the session key establishment of Fig. 5
  • Fig. 7 is a schematic diagram of an embodiment of a master key agreement according to the present invention
  • Fig. 1 is an overview of a communications system illustrated with three network domains according to the present invention
  • Fig. 2 is an illustration of an embodiment of a communications system according to the present invention
  • Fig. 3 is a schematic diagram of an embodiment of a session key establishment according to the present invention
  • Fig. 4 is a schematic diagram of another embodiment
  • Fig. 8 is a block diagram of an embodiment of (cryptographic) key management center (KMC) according to the present invention
  • Fig. 9 is a block diagram of an embodiment of an authentication and keying unit of the KMC of Fig. 8
  • Fig. 10 is a block diagram of an embodiment of a network element according to the present invention.
  • the present invention relates to key management for establishing a shared secret key between two network elements of different networks or network domains in a communications system or environment.
  • the invention also enables secure communication between the two network elements based on the established and shared secret key.
  • a network is referred a number of connected or associated computers and/ or network nodes having communications means and interconnections therebetween.
  • a network domain or administrative network domain is (typically a portion of) a network governed by certain polices, defined by the administrator of the network.
  • the invention will be described with reference to establishing a shared secret between two network elements of different network domains.
  • the two network elements could, alternatively, belong to different administrative network domains and/ or networks, and/ or two domains of one and the same network.
  • communication between networks is then referred to (if not pointed out otherwise) communication between network domains.
  • the communications system 1 includes three independent network domains (NDs), denoted 100; 200 and 300, respectively.
  • Each such network domain 100; 200; 300 is managed by a network operator or service provider and provides services to users connected to the network domain 100; 200; 300 and, possibly, having a service agreement, e.g. a subscription, with the network operator.
  • each network operator manages one network domain 100; 200; 300, e.g. network domain 100 is managed by a first network operator, a second operator manages network domain 200, etc.
  • the network domains 100; 200; 300 typically comprise a number of network elements (NE) or nodes NEai, NEa2; NEb; NEci, NEc2, NEc3 that are able to conduct communication with network elements of the same domain and also with network elements of other external network domains, the latter case being of particular interest for the present invention.
  • NE network elements
  • Such a network element NEai, NEa2; NEb; NEci, NEc2, NEc3 could be a charging node needing to contact a corresponding charging node of another network domain.
  • a secure channel has to be set up between two Security Gateways (SEGs) (or network elements) of different network domains.
  • SEGs Security Gateways
  • a further example could be the communication between a Proxy Call State Control Function (P-CSCF) of a visited network domain and an Interrogating
  • P-CSCF Proxy Call State Control Function
  • the communicating network elements could be a Home Location Register (HLR) and a Visited Location Register (NLR) or, in general, any form of inter-domain signalling, e.g. using Signaling System No. 7 (SS7).
  • HLR Home Location Register
  • NLR Visited Location Register
  • the network elements NEai, NEa_>; NEb; NEci, NEC2, NEc3 are typically fixedly arranged and constitute a portion of the infrastructure of respective network domain 100; 200; 300, allowing provision of different services to users connected to the network domain 100; 200; 300.
  • the network domain 100; 200; 300 includes cryptographic means or a (cryptographic) key management center (KMC) or module 120; 220; 320 and an associated central key repository or key distribution center 140; 240; 340.
  • KMC cryptographic means or a (cryptographic) key management center
  • the KMC 120; 220; 320 provides keys managed and stored in the key repository 140; 240; 340, performs cryptographic functionalities, e.g. encryption and decryption, using these keys and authentication for the network domain 100; 200; 300 and its network elements NEai, NEa2; NEb; NEci, NEC2, NEC3.
  • each network element NEai, NEa2; NEb; NEci, NEc2, NEc3 may be configured for conducting communication with all or some of the network elements in the other network domains.
  • network element NEai may communicate with network element NEb of network domain 200 and all the network elements NEci, NEC2, NEC3 of network domain 300.
  • a network element may, alternatively, only be allowed to communicate with a limited number of the external network elements.
  • the network elements NEai, NEa2; NEb; NEci, NEc2, NEc3 are also connected with the KMC 120; 220; 320 of respective network domain 100; 200; 300, preferably by means of a secure channel.
  • the KMC 120; 220; 320 may provide keys and other sensitive information to its associated network elements NEai, NEa2; NEb; NEci, NEC2, NEc3.
  • a typical example of such a secure channel is an Operation and
  • O&M Management
  • the KMC will be instantiated by an Authentication, Authorization and Accounting (AAA) server node 120; 220 of the network domain 100; 200.
  • AAA Authentication, Authorization and Accounting
  • the AAA server node 120; 220 typically includes functionalities and algorithms for generating and managing keys provided in associated key repositories 140; 240 in addition to authentication functionalities, e.g. by using an Authentication and Key Agreement (AKA) functionality or protocol.
  • AKA Authentication and Key Agreement
  • the network domain 100; 200 may include one or a few communicating network elements SEGa; SEGb dedicated for conducting communication with external communicating network elements.
  • such dedicated network elements are exemplified by two security gateways SEGa; SEGb, adapted for mutual communication.
  • any protocols necessary for the communication may then be housed in only one or a few network elements in each network domain, instead of in all of the network elements of the domain.
  • Any communication between two network elements NEai, NEa2; NEb not adapted for inter-domain communication is then conducted in a proxy fashion through the security gateways SEGa; SEGb of Fig. 2.
  • Use of designated SEGs is advantageous as security processing only needs to be implemented in the SEG (SEGa; SEGb), which then acts as a "security proxy" for other network elements NEai, NEa2; NEb.
  • the network domains whose network elements are to communicate, share a secret symmetric key, denoted master key in the following.
  • master key a secret symmetric key
  • KAB master key
  • KAC master key
  • KBC master key
  • the KMC of respective domain Once two network elements of different network domains are to securely communicate with each other, the KMC of respective domain generates a symmetric secret or session key and, preferably securely (relying on intra- domain security in the form of cryptography or in the form of physically protected links), provides it to its associated network element.
  • the inter-NE communication may then be securely performed based on the session keys now present in the network elements. The generation of session key is discussed in more detail herebelow.
  • Fig. 3 schematically illustrates a method of establishing a session key shared by two network elements (NEa, NEb) of two network domains.
  • the KMC or AAA-server (AAAa, AAAb) of the network domains have pre-shared a master key (KAB) (step SI).
  • respective AAA server node preferably has a secure (trusted) intra-domain channel towards its associated network element(s).
  • NEb may optionally trigger the communication by sending its identifier or an identifier of its network domain (IDb) to NEa (step S2). Alternatively, NEa triggers the communication itself.
  • IDb an identifier of its network domain
  • NEa issues a request to AAAa for security parameters for the communication with NEb.
  • the request is accompanied by the identifier IDb (step S3).
  • AAAa In response to the request, AAAa generates or obtains a freshness token (FRESH). Furthermore, the relevant pre-shared master key KAB is identified based on the received identifier IDb and is provided typically from the associated key repository. Once the correct master key KAB is obtained, AAAa generates or calculates a session key (K) based on the generated freshness token FRESH, the master key KAB and some cryptographic function (g). Optionally, additional information, such as the identifiers of the network elements and/ or domains IDa, IDb, may be used in this calculation.
  • FRESH freshness token
  • IDb the relevant pre-shared master key KAB is identified based on the received identifier IDb and is provided typically from the associated key repository.
  • AAAa session key (K) based on the generated freshness token FRESH, the master key KAB and some cryptographic function (g).
  • additional information such as the identifiers of the network elements and/ or domains IDa, IDb, may be used in this calculation.
  • the session key K and freshness token FRESH is then (securely) transmitted, preferably using the secure channel, to NEa (step S4).
  • NEa extracts the session key K from the received security parameters and forwards the freshness token FRESH to NEb, possible accompanied by its identifier or the identifier of its network domain (IDa) (step S5) .
  • NEb forwards the freshness token FRESH to its associated cryptographic KMC or AAAb together with the identifier IDa, received from NEa or obtained elsewhere (step S6).
  • AAAb identifies and provides the relevant pre-shared master key KAB from its storage, e.g. in the associated key repository, based on the obtained identifier IDa. Furthermore, AAAb generates an copy of the session key K using an instance of the same cryptographic function g as AAAa with the master key KAB and freshness token FRESH as input parameters.
  • the now generated (copy of) session key K is, preferably securely, transmitted to NEb (step S7).
  • the network elements NEa and NEb shares a secret symmetric session key K.
  • This key may be employed directly for enabling secure communication between the network elements (step S8).
  • the session key can be used directly in Internet Protocol Security (IPsec) protocols and algorithms.
  • IPsec Internet Protocol Security
  • the session key could be used for e.g. running Internet Key Exchange (IKE) and negotiating Security
  • the cryptographic function used for calculating the session key could also include other information as input parameters in addition to the master key and freshness token.
  • the identifier IDa and/or IDb could be possible additional input to the function.
  • the freshness token required for generating the session key could be generated by the AAA server node of the network domain or by some other unit or node connected thereto, including the communicating network element.
  • the freshness token could be a time-stamp, e.g. a time-stamp associated with the time of reception of the request for security parameters from the network element, a sequence number and/or a random challenge, possibly associated with an authentication token.
  • the establishment of session keys may be accompanied by an authentication of the communicating network elements, e.g. using a challenge-response scheme.
  • the AAA server node could re-use the AKA algorithms traditionally employed for authenticating and key agreement between a network operator's AAA server and a user's mobile unit, or more precisely between the AAA server and an Identity Module, e.g. Subscriber
  • SIM Identity Module
  • Fig. 4 schematically illustrates a session key establishment according to the present invention using a challenge-response procedure.
  • AAAa and AAAb pre-shares a secret master key KAB (step S10).
  • the communication between the network elements may optionally be triggered by NEb providing its identifier or its domain identifier IDb to NEa (step S l l).
  • NEa transmits a request for security parameters to AAAa, typically, including the identifier IDb (step S I 2).
  • AAAa Upon reception of the request, AAAa identifies the relevant master key KAB based on the provided identifier IDb similarly to Fig. 3. In addition, AAAa generates an authentication vector (AN).
  • the AN is a quintuple of security and authentication parameters.
  • R ⁇ D random challenge
  • AUT ⁇ authentication token
  • the authentication token AUT ⁇ could be e.g. a (simple) counter or some cryptographically protected information, such as authenticated using a key based on the master key KAB.
  • an expected response (XRES) is generated using a cryptographic function (f) on the challenge RA ⁇ D and master key KAB.
  • a cipher key (Ck) and integrity key (Ik) are also generated based on the master key KAB and challenge RA ⁇ D, and possibly other optional information, as input to cryptographic function fl and f2, respectively.
  • Ck and/or Ik are used as session key(s).
  • the generated quintuple AN is then (securely) transmitted to ⁇ Ea (step S I 3).
  • ⁇ Ea extracts the random challenge RA ⁇ D and authentication token AUT ⁇ form the received security parameters AN and forwards them, possibly together with its identifier or the identifier of its domain IDa, to ⁇ Eb (step S14).
  • ⁇ Eb Upon reception of the parameters, ⁇ Eb forwards them to its associated AAAb server node (step S I 5).
  • AAAb identifies and retrieves the correct master key KAB from its storage based on the received identifier IDa and checks if the authentication token AUT ⁇ is ok. If the token AUT ⁇ was cryptographically protected by AAAa using its instance of the master key KAB, AAAb employs the identified and provided master key KAB for authentication purposes. Furthermore, using instances of the same functions f, fl, f2 as AAAa, AAAb generates a response (RES) and the cipher Ck and integrity Ik keys.
  • RES response
  • the response RES and session keys (Ck, Ik) are then, preferably securely, transmitted to ⁇ Eb (step S I 6).
  • the network element ⁇ Eb forwards the received response RES to ⁇ Ea (step SI 7), which now can authenticate ⁇ Eb by comparing the received response RES with the expected response value XRES in the quintuple AN provided previously from AAAa. If they correctly match, ⁇ Ea authenticates ⁇ Eb and considers the session key establishment successful.
  • NEa and NEb now have access to the keys Ck and Ik, which can be used as session keys e.g. for conducting secure communication between the network elements (step S I 8), as was discussed in connection with Fig. 3.
  • the AAA server node and its AKA functionality and protocols are re-used for establishing session keys for network elements and for enabling secure communication between such elements of different network domains.
  • the AAA node of the present invention will have two rolls.
  • NEa could be viewed as corresponding to an AAA proxy and NEb as a "mobile telephone”.
  • NEb and AAAb function as two separate network elements or nodes, whereas a mobile telephone and SIM are one integrated mobile unit.
  • the challenge-response scheme of Fig. 4 could be repeated in the opposite direction.
  • the shared generated session key(s) may then be a function of the keys generated in both directions.
  • Figs. 5 and 6 schematically illustrates a possible solution for a double challenge-response procedure according to the present invention.
  • Steps S20, S21 and S22 correspond to steps S I , S2 and S3 of Fig. 3 (steps S 10, Sl l and S 12 of Fig. 4) and are not further discussed.
  • AAAa Upon reception of a request for security parameters from the associated network element NEa, AAAa generates or obtains a first random challenge (RANDa) and a first authentication token (AUTNa). Furthermore, AAAa identifies the correct master key KAB based on the received NEb or NDb associated identifier IDb. A first expected response (XRESb) is calculated using a cryptographic function f and the identified master key KAB and provided first random challenge RANDa as input parameters.
  • the cryptographic means of the server node AAAa generates a first pre-cipher key (Cka) and a first pre-integrity key (Ika) by means of the master key g ⁇ , random challenge RANDa and cryptographic function fl and f2, respectively. These keys Cka, Ika are then stored in the server node, or in an associated accessible storage provided elsewhere, for later use.
  • the security parameters are then (securely) transmitted as a triplet authentication vector, comprising the first authentication token AUTNa, random challenge RANDa and expected response XRESb, to the network element NEa (step S23).
  • the network element NEa extracts and removes the first expected response XRESb from the authentication vector.
  • the rest of the AV i.e. AUTNa, RANDa
  • the rest of the AV is then transmitted to the network element NEb possibly accompanied by its identifier of its domain identifier IDa (step S24).
  • the network element NEb forwards the authentication vector and the identifier IDa to its associated AAAb server node (step S25).
  • AAAb identifies and retrieves the correct master key KAB from its storage based on the received identifier IDa and investigates whether the first authentication token AUTNa is correct. Using instances of the same functions f, fl, f2 as AAAa, AAAb generates a first response (RESb) and the first pre-cipher Cka and pre-integrity Ika keys. AAAb also generates or obtains from some other unit in its network domain NDb a second random challenge (RANDb) and second authentication token (AUTNb). A second expected response (XRESa) is then calculated using function f and the master key KAB and a concatenation of the second random challenge RANDb and the first response RESb. It is anticipated by the invention that some other function, e.g.
  • the provided second random challenge RANDb is also used, together with the master key KAB and cryptographic function fl and f2, respectively, for generating a second pre-cipher key (Ckb) and a second pre-integrity key (Ikb).
  • session key(s) represented by a cipher key Ck and/ or integrity key Ik are generated based on the first and second pre-cipher keys Cka, Ckb and the first and second pre-integrity keys Ika, Ikb, respectively, and some function (h).
  • an authentication vector including the second authentication token AUTNb, second random challenge RANDb, first response RESb, second expected response XRESa and the cipher Ck and integrity Ik keys is, preferably securely, transmitted to the network element
  • the network element NEb extracts the cipher Ck and integrity Ik keys (session key(s)) and second expected response XRESa from the vector, the rest of which is then forwarded, possibly accompanied by the NEb or NDb identifier IDb, to the network element NEa (step S27).
  • the network element extracts the first response RESb from the authentication vector and compares it to the first expected response XRESb received previously from AAAa. If they correspond or match, network element
  • NEa considers the network element NEb successfully authenticated and forwards the authentication vector received from NEb to AAAa (step S28).
  • AAAa identifies the correct master key g ⁇ based on the received NEb or NDb identifier IDb and verifies the second authentication token AUTNb.
  • a second response (RESa) is then calculated using function f and the master key KAB and a concatenation of the received second random challenge RANDb and the first expected response XRESb (or first response RESb) as input parameters.
  • This first expected response XRESb could be obtained from a storage in the AAAa server node, or in an associated storage.
  • AAAa has then previously entered the expected response XRESb in the storage, e.g. in connection to generating it upon reception of the request for security parameters from the network element NEa, see Fig. 5.
  • the first expected response XRESb or first response RESb could be provided from
  • AAAa • network element NEa together with the authentication vector transmitted in step S28. It is also possible for AAAa to anew calculate the first expected response XRESb by means of the first random challenge RANDa, as provided from a storage or from network element NEa.
  • AAAa generates the second pre-cipher key Ckb and pre-integrity key Ikb by means of the master key KAB and the received second random challenge RANDb as input parameters to functions fl and f2, respectively. These calculated keys are used together with the previously generated and stored first pre-cipher key Cka and pre-integrity key Ika for generating the session key(s) (cipher key Ck and/ or integrity key Ik).
  • the generated second response RESa and the cipher Ck and integrity Ik keys are then, preferably securely, provided to the network element NEa (step S29).
  • the network element NEa extracts the keys (Ck, Ik) and forwards the second response RESa to the network element NEb (step S30).
  • Network element NEb compares this second response RESa with the second expected response XRESa received earlier from its associated AAAb server node. If they correspond, network element NEb has authenticated network element NEa and considers the session key establishment successful.
  • the now shared secret cipher key Ck and/or integrity key Ik can be used as session key(s) e.g. for conducting secure communication between the network elements (step S31), as was discussed in connection with Fig. 3.
  • the double challenge-response procedure discussed above and in connection with Figs. 5 and 6 should merely be seen as an example of such repeated challenge-response based session key establishment according to the present invention.
  • the second expected response and second response could be calculated with a concatenation, XOR and/ or hash of the first and second random challenge as input parameters instead of, or as a complement to, a concatenation, XOR and/ or hash of the second random challenge and the first response/ expected response.
  • AAAb could use a message authentication code (MAC) function on the second random challenge and an XOR value of the first and second integrity keys (or first and second cipher keys).
  • MAC message authentication code
  • AAAa verifies that the calculated output m corresponds to the received output m'.
  • the session key(s) generated according to the present invention could be used for cryptographically protecting the traffic between the two network elements during the duration of a whole communication session and is then discarded when the communication is over.
  • the lifetime, during which the session key is valid may be shorter than the duration of the communication session.
  • the key could be used only for initiating the secure inter-NE channel, where some other key, e.g. derived from the session key, is used for actually encrypting and decrypting information transmitted between the network elements.
  • the session key could be used for transmitting only a certain amount of data, after which a new key establishment or portion thereof has to be performed. In either case, the total lifetime of the session key may be negotiated, e.g. during IKE, between the network elements or domains and may be determined in such a privacy negotiation.
  • the lifetime or valid time of a session key is comparatively much shorter than the corresponding lifetime of the long-term secret master key shared between two network domains.
  • a new secret session key is, typically, generated for each communication session, or several times per session
  • the same master key is, preferably, used for several such communication sessions.
  • the master keys only have to be exchanged if the storage (key repository), where the master keys are kept in respective domain, is broken.
  • the master key could be used in a bootstrap fashion to regularly or intermittently update or exchange new master keys between the domains. This has the advantage that the content of the key repository at a given time does not comprise older keys.
  • the agreement and sharing of master keys between the network domains in the communication systems may be implemented in various ways. However, one common misinterpretation is often that the agreement on a symmetric master key requires complicated (very high) security procedures.
  • a typical example of a key agreement protocol for the master key that can be employed according to the present invention is the Diffie-Hellman (DH) agreement protocol. This protocol allows a robust and secure master key inter-ND establishment.
  • DH Diffie-Hellman
  • Fig. 7 schematically illustrates a Diffie-Hellman procedure for master key establishment according the present invention.
  • two network domains are to share a common master key.
  • the two network domains, or AAA server nodes of the domains each generates a secret key, x for AAAa and y for AAAb in Fig. 7.
  • the secret key is then securely stored, e.g. in a tamper- resistant storage in the key repository of respective domain.
  • the secret x; y preferably never should leave this secure storage.
  • a corresponding public value of the secret x; y is calculated, denoted g x and g y , respectively.
  • g x and g y refer to exponentiation operations (i.e. repeated group operations) in a suitable finite group. For more information refer to [4].
  • This key generation and calculation can be done at any time in advance of the actual master key agreement.
  • the calculated public values g x ; g y are exchanged (step S40 and S41).
  • This public value exchange is preferably performed in an authenticated way, e.g. by the operators' representatives exchanging floppy disks, each comprising a DH public value g x ; g y of the generated secret x; y.
  • these values could be printed on paper in an Optical Character Recognition (OCR) friendly manner.
  • OCR Optical Character Recognition
  • Yet another approach is to use compact flash cards, Universal Serial Bus (USB) storage devices, etc., or the teaching of document [5].
  • the AAA server of respective network domain can then generate a common shared secret key (master key) g 3 ⁇ based on the exchanged public values g x ; g y and respective stored secret x; y.
  • master key g 3 ⁇
  • the AAA server of respective network domain can then generate a common shared secret key (master key) g 3 ⁇ based on the exchanged public values g x ; g y and respective stored secret x; y.
  • the most sensitive part of the session key establishment can be performed manually and assuring authenticity.
  • a ND operator would like to revoke e.g. his roaming agreement with another network domain so that his network elements no longer should be able to securely communicate with the other ND operator's network elements
  • the master key shared with this external network domain is simply deleted from the key storage or repository.
  • the master keys in the key repository (and the corresponding copies of the master keys stored in repositories of other network domains) are simply updated, e.g. by anew performing the Diffie-Hellman agreement protocol discussed above.
  • some or all network elements may need to be flushed from temporary stored session keys. This should be compared to the fully meshed symmetric solution discussed in the background section. In such a solution, if a single network element is hacked the keys of all network elements in all network domains (often several tens or hundreds of keys and network elements) may need to be replaced.
  • a network element is hacked, no key replacement has to be performed, though possibly a new session key has to be generated and provided if the network element currently is communicating with another external network element.
  • the key storage 140 of the network domain 100 be compromised only communication to that particular domain 100 is potentially threatened, i.e. other network domains, e.g. the domain 200 and the domain 300, can still securely inter-communicate.
  • the AAA node when a network element is to be revoked from a network domain, the AAA node simply deletes the network element (the key used for the secure channel between AAA and the network element) from its database of available network elements, to which it has a (secure) channel. Any (session) key cached in the network element is further erased.
  • Fig. 8 is a schematic block diagram of a (cryptographic) key management center (KMC) or module (AAA server) 20 according to the present invention illustrated associated with a key repository 40.
  • the KMC 20 generally includes an input and output (I/O) unit 22 for managing communication with external units, nodes and elements.
  • the I/O unit 22 is adapted for receiving requests for security parameters, possibly including a NE or ND identifier, from an associated network element, for (securely) transmitting requested security parameters (including the session key) to a requesting network element and for reception of a freshness token from a intra-ND network element.
  • the KMC 20 further includes an authentication and keying unit 30, typically comprising AKA functionality for performing key management and possibly authentication.
  • the units 22, 30 of the KMC 20 may be provided as software, hardware or a combination thereof. They may be implemented together for example in a network node in the network domain. Alternatively, a distributed implementation is also possible with some of the units provided in different network nodes.
  • the KMC 20 comprises, is connected to or associated with the (central) key repository or storage 40 of the network domain.
  • the repository 40 typically includes a set of secrets (xi, X2, ...) used for generating DH public values and master keys.
  • only one secret is used for generating the required master keys shared with other network domains.
  • one secret is preferably only used for generating one master key.
  • a network domain is to share master keys with two other network domains it preferably generates to two different secrets (xi, X2), where the first (xi) is used for calculating the master key shared with the first domains and the other secret (x2) is employed for generating the master key shared with the second domain.
  • the repository 40 also comprises a set of master keys (g x,y ' , g *2Z ' , ...) (or more generally, representations of master keys, e.g. obtained by hashing each Diffie- Hellman value) associated with identifiers (IDb, IDc, ...) of the relevant network domain, with which it shares the master keys.
  • master keys g x,y ' , g *2Z ' , ...) (or more generally, representations of master keys, e.g. obtained by hashing each Diffie- Hellman value) associated with identifiers (IDb, IDc, ...) of the relevant network domain, with which it shares the master keys.
  • IDb, IDc e.g. obtained by hashing each Diffie- Hellman value
  • a set of secret keys (Si, S2, ...) used for secure communication between the KMC 20 and its associated network elements is stored in the repository 40.
  • a corresponding copy of the relevant secret key is then stored also in the network element. It could be possible to use one and the same secret key for the secure communication between the AAA node and all its associated network elements. However, it may be preferred to use one secret only for a group of network elements or a single network element.
  • the key repository 40 could be provided as a stand-alone node in the communication domain and (securely) connected to the KMC 20.
  • the repository 40 and KMC 20 may be implemented in one and the same network node.
  • a distributed implementation is possible, where the different set of keys are provided in different nodes, e.g. the master keys (g x ' y ' , g 2Z
  • the KMC (AAA server node) 20 and the key repository 40 could for clarity be regarded as one logic unit in the network domain, even if implemented in separate nodes.
  • the key storage 40 is preferably tamper- resistant rendering it more difficult to break.
  • secrets and keys preferably should preferably not leave the secure environment unprotected.
  • Fig. 9 is a block diagram illustrating the authentication and keying unit 30 of Fig. 8 in more detail.
  • the authentication and keying unit 30 generally comprises a freshness token generator 32.
  • the generator 32 could be implemented as a random challenge generator, sequence number counter, time-stamping unit, etc. Alternatively, this token generator 32 could be provided elsewhere in the network domain, including in a network element.
  • the unit 30 may optionally include a cryptographic functionality 34 for generating an expected response or response by means of the freshness token from the generator 32 and a master key from the key storage.
  • a key manager 36 is implemented in the authentication and keying unit.
  • the manager 36 in particular includes functionality 38 for generating keys, including generating master keys, generating secrets used for generating master keys, generating DH public values and generating or calculating session keys.
  • the key generator 38 could use a single cryptographic function.
  • a unique cryptographic function could be used for each network domain so that each network domain pair shares one unique function.
  • the key manager 36 also typically manages key deletion and replacement or updatings in the key repository, and possible in the associated network elements, such by sending a key storage flushing command to the network elements and key storage.
  • the units 32, 34, 36, 38 of the authentication and keying unit 30 may be provided as software, hardware or a combination thereof. They may be implemented together for example in a network node in the network domain. Alternatively, a distributed implementation is also possible with some of the units provided in different network nodes.
  • Fig. 10 is a schematic block diagram of a network element or node 10 according to the present invention.
  • the network element 10 includes an I/O unit 12 for communicating with the associated AAA server node (KMC) and with external network elements of other network domains.
  • a key storage 14 is also preferably arranged in the network element for (temporarily) storing session keys (K). Also the secret key (Si) shared with the AAA server and used for secure communication therewith may be housed in the storage 14.
  • the key storage 14 is preferably tamper-resistant making it harder to hack or break for an adversary.
  • a comparison unit 16 may be provided in the network element 10 for comparing an expected response received in the authentication vector (security parameters) from the AAA server with the response from an external network element.
  • the network element 10 may authenticate the external network element, with which it wants to securely communicate.
  • a key manager for deleting session keys when their lifetime has expired and/or flushing the key storage 14 upon reception of a key flushing command from the AAA server node may be implemented in the network element.
  • the units 12, 16 of the network element 10 may be provided as software, hardware or a combination thereof.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an establishment of a secret session key shared Between two network elements (NEa, NEb) belonging to different network domains (NDa, NDb). A first network element (NEa) of a first network domain (NDa) requests security parameters from an associated key management center (KMC) (AAAa). Upon reception of the request, the KMC (AAAa) generates a freshness token (FRESH) and calculates the session key (K) based on this token (FRESH) and a master key (KAB) shared with a second network domain (NDb). The security parameters are (securely) provided to the network element (NEa), which extracts the session key (K) and forwards the freshness token (FRESH) to the KMC (AAAb) of the second domain (NDb) through a second network element (NEb). Based on the token (FRESH) and the shared master key (KAB), the KMC (AAAb) generates a copy of the session key (K), which is (securely) provided to the second network element (NEb). The two network elements (NEa, NEb) now have shares the session key (K), enabling them to securely communicate with each other.

Description

KEY MANAGEMENT FOR NETWORK ELEMENTS
TECHNICAL FIELD
The present invention generally refers to key management in communications systems, and in particular to inter-network domain key management for network infrastructure elements in such systems.
BACKGROUND
A communications environment or system can generally be envisaged as comprising a plurality of independent communication network domains.
Each such network domain can provide access to its services for users connected thereto. In order to provide mobility within the communications environment and across different domains it is typically desirable to establish communications, in particular secure communications, between network elements (NEs) belonging to the different domains. A typical example of such a secure inter-domain communication between two network elements is a secure communication tunnel between Security Gateways (SEGs) of two telecommunication or network operators.
In order to provide secure communication between network elements of different networks domains, a key management/ key exchange protocol is typically used to establish the security parameters necessary for the inter- NE communication. There exist different types of key management protocols in the prior art, and they can generally be divided into two classes: symmetric key and public key protocols, respectively. The former relies, in principle, on a secret key that is shared between the parties and cryptographic techniques based on such key(s). The latter makes use of a pair of keys per party (a secret key and a public key), a trusted third party "validating" public keys and public key cryptography techniques.
In a feasibility study to support Network Domain Security (NDS)/ Internet Protocol (IP) evolution for 3G mobile network operators [1] a fully meshed symmetric solution for secure inter-SEG communication is disclosed. In the disclosure of [1] each SEG shares a long-term secret key with each exterior
SEG, i.e. each SEG belonging to another network domain, it wishes to
(securely) communicate with. If each domain has access to one SEG and n is the total number of SEGs in the communications environment housing the domains, the number of long-term keys to be distributed to the SEGs and n - \ stored in each SEG will amount to n if every SEG is to be able to
communicate securely with every other SEG. Thus, the number of pre- shared secret keys can be very large and grows rapidly (with ri2) in dependence of the number of active SEGs in the network domains. In addition, it is expected that each network domain can have more than one communicating NE or SEG, and that the SEGs/NEs need to communicate with a relatively large number of other SEGs/NEs in other network domains. Also adding a new SEG to an existing network domain requires large workload in the form of key distribution, management and storage. In addition, if a single SEG is broken or hacked, all SEGs in the different network domains have to be updated and new long-term secret keys have to be distributed therebetween.
Another possible solution, briefly mentioned in [1], is to employ a trusted third party, typically called Key Distribution Center (KDC), common to all network domains that is to communicate securely. In such a case, the KDC shares a secret key with each network domain it has a service agreement with. In order to establish secure communication between two NEs or SEGs of different network domains, the KDC distributes a fresh secret (usually not the same as the shared secret) to the parties that need to communicate.
Typical examples in prior art of this solution are the Kerberos-based key management protocols. However, a drawback is that it is typically hard to find a suitable trusted third party that can act as a KDC, in particular in the case of inter-operator communication. In addition, increased administrative work is required to arrange for a common trust of this trusted third party solution. The KDC is also a possible single point of failure, if it is compromised, all network domains using its services are threatened. The preferred key agreement protocol according to [1], which is also discussed in [2], is to utilize a Public Key Infrastructure (PKI) based method, whereby the SEGs or NEs share their public keys. The document [1] discloses a certificate-based solution without a Bridge Certification Authority (CA) PKI, or with a Bridge CA PKI, which is also further discussed in [2]. In either solution, each operator, whose NEs or SEGs are to communicate, has to sign the other party's root certificate. These certificates are then securely configured in each communicating SEG.
A major drawback with PKI protocols is that the (initial) cost of establishing a PKI infrastructure is very large. Furthermore, revocations of certificates require manual administration and revocation checks must always be performed (a certificate is a credential that is valid unless a verification returns that it is revoked), which requires on-line communication between the operators' Certificate Revocation Lists (CRLs). Moreover, the cryptographic operations involved in PKI solutions are expensive.
SUMMARY The present invention overcomes these and other drawbacks of the prior art arrangements.
It is a general object of the present invention to provide a secret shared between two network elements of different networks domains in a communications system or environment.
It is a particular object of the invention that the provision of the secret shared between the two network elements is performed in a simple, possibly partially manual, way.
It is another object of the invention to enable secure communication between network elements belonging to different network domains. Yet another object of the invention is to reduce the number of long-term secret keys required for enabling secure communication between network elements belonging to different network domains.
A further object of the invention is provide a secret shared between two network elements of different network domains re-using existing network infrastructure and functionalities.
Still a further object of the invention is to avoid introducing any possible single point of failures, the compromise of which might render all inter- domain communication insecure.
These and other objects are met by the invention as defined by the accompanying patent claims.
Briefly, the present invention involves establishing a symmetric secret or session key shared between two network elements (NEs) belonging to different networks or network domains (NDs), typically managed by different network operators or service providers. This shared session key then enables the network elements to securely communicate with each other. Such a network element could be a charging node needing to contact a corresponding charging node of another network domain. Similarly, a secure channel has to be set up between two security gateways (network elements) of different network domains. A further example could be the communication between a Proxy Call State Control Function (P-CSCF) of a visited network domain and an Interrogating CSCF or a Serving CSCF of a home domain, traffic between Serving Gateway General Packet Radio System (GPRS) Support Nodes (SGSN) and Gateway GPRS Support Nodes (GGSN). In yet another example, the communicating network elements could be a Home Location Register (HLR) and a Visited Location Register (NLR) or, in general, any form of inter-domain signalling, e.g. using Signaling System No. 7 (SS7). The session key establishment procedure of the invention is based on that the network domains, comprising the network elements needing to communicate, share a (long-term) secret key, denoted master key in following. This master key is preferably (securely) kept in a central key storage or repository in the network domain. The domain further includes cryptographic means or a cryptographic key management center (KMC) or module connected or associated with the key storage. This KMC includes functionalities and algorithms for performing key management and possibly authentication by means of the keys in the storage. In a preferred embodiment of the invention, the KMC constitutes or comprises the
Authentication, Authorization and Accounting (AAA) server node of respective network domain.
The key establishment procedure generally starts with a network element (NEa) in a network domain A (NDa) requesting security parameters from its associated intra-ND KMC (AAAa). This request typically is accompanied by or includes an identifier of an external network element (NEb) in a network domain B (NDb) that the network element NEa wants to communicate with, or an identifier of the network domain NDb of this external network element NEb. Upon reception of the request, the AAAa generates a freshness token, which could be or include a random challenge, a time-stamp and/or a sequence number. In addition, the AAAa identifies the relevant master key from the associated key repository based on the received identifier and generates a session key using a cryptographic function, typically, with the identified master key and generated freshness token as input parameters.
The generated freshness token and session key is then, preferably securely, provided to the network element NEa, which forwards the freshness token to the external network element NEb. This external network element NEb in turn forwards the received token to its associated KMC (AAAb), preferably accompanied by an identifier of the network element NEa or an identifier of the network domain NDa of network element NEa. Similar to above, the AAAb identifies the (same) correct master key from its associated key storage and generates a (identical) copy of the session key using an instance of the same cryptographic function as the AAAa of the other network domain NDa and the identified master key and received freshness token as input parameters.
The copy of the session key is then, preferably securely, provided to the network element NEb. The two network elements NEa and NEb now share a secret symmetric session key. This key may be employed directly for enabling secure communication between the network elements. For example, the session key can be used directly in Internet Protocol security (IPsec) protocols and algorithms. Alternatively, the session key could be used for running e.g. Internet Key Exchange (IKE) and negotiating Security Association (SA).
In a preferred embodiment of the invention, the session key establishment is performed by means of the Authentication and Key Agreement (AKA) algorithms and protocols provided in the AAA server node (KMC), preferably using a challenge-response scheme. It is then possible to connect the key establishment with an authentication procedure, where the communicating network elements may be authenticated. In such a case, in addition to the freshness token (typically a random challenge in case of challenge-response scheme) and session key, the AAAa calculates an expected response based on the master key and the random challenge. This expected response is then (securely) provided to the network element NEa together with the other security parameters (session key, random challenge). Upon reception of the random challenge (freshness token), the AAAb of the other network domain NDb generates a response based on the challenge and the master key, in addition to generating the copy of the session key. This response is then transmitted, via its associated network element NEb to the network element NEa, which compares the received response with the expected response value provided previously from its associated cryptographic means AAAa. If they correctly match, network element NEa authenticates network element NEb and considers the session key establishment successful. In order to increase the security and allow both network domains (KMC of the domains) influence the generation of the session key, the challenge- response scheme could be repeated (interleaved) in the opposite direction. The shared generated session key(s) may then be a function of the keys generated in both directions. Similarly, the challenge and/ or responses in respective direction could be interdependent.
The key storage of the each network domain houses the master key(s) shared with other domains. According to the invention, this storage only needs to keep one long-term master key per network domain pair. In other words, a network domain shares a first master key with a first external network domain and a second master key with a second external domain, etc. Contrary to these long-term master keys that basically only needs to be exchanged if a key storage is compromised, the lifetime of the generated session keys is comparatively much shorter. Thus, a session key is typically only valid during a communication session between network elements, or sometimes only during a portion of such a session. Moreover, should the key storage of a first domain be compromised only communication to that particular domain is potentially threatened, i.e. other network domains, e.g. a second and a third domain, can still securely inter-communicate.
The secret master keys used by the invention can be (securely) exchanged between the network domains (key repositories of the domains) in a number of different ways, for example using the Diffie-Hellman protocol, which can even be carried out manually between operator staff personnel, thereby providing the authentication of the Diffie-Hellman exchange. Thus, the most sensitive part of the establishment of the session key between two NEs can be performed manually, assuring authenticity by personal contact/ exchange between operator or provider personnel.
The present invention facilitates adding/ revoking a network element to/ in an existing network domain. Basically, when adding a new network element, a secure channel is established between this new network element and the node(s) housing the cryptographic means. This is a configuration issue and can usually be done in combination with setting up the operation and maintenance channels to the new network element. Similarly, when a network element is revoked, the cryptographic means simply deletes the network element from its database of available network elements. Any (session) key cached in the network element is further erased.
Furthermore, if a key repository is hacked, the master keys in the key repository (and the corresponding copies of the master keys stored in repositories of other network domains) are simply updated, e.g. by anew performing the Diffie-Hellman or similar agreement protocol mentioned above. Indeed, to provide "backwards" security, the master key could be used in a bootstrap fashion to intermittently or regularly update or exchange new master keys between the domains. This has the advantage that the content of the domain key storage at a given time does not comprise older keys.
Depending on the lifetime of the session keys, some or all network elements may need to be flushed from temporary stored session keys. This should be compared to the fully meshed symmetric solution discussed in the background section. In such a solution, if a single network element is hacked the keys of all network elements in all network domains (often several tens or hundreds of keys and network elements) may need to be replaced. However, by employing the present invention, if a network element is hacked, no key replacement has to be performed, though possibly a new session key has to be generated and provided if the network element currently is communicating with another external network element.
The invention offers the following advantages: Reduces the number of long-term secret keys required to be distributed between and stored in network domains; - Provides re-utilization of existing network infrastructure and functionality by using the AAA server node and its AKA algorithms, markedly reducing the cost of implementing a key establishment between network elements; Is more computationally efficient than PKI based protocols; Provides replay protection and freshness in establishing shared session keys; Provides easy revocation of network elements and network domains; and Provides easy addition of network elements to existing network domains.
Other advantages offered by the present invention will be appreciated upon reading of the below description of the embodiments of the invention.
SHORT DESCRIPTION OF THE DRAWINGS
The invention together with further objects and advantages thereof, may best be understood by making reference to the following description taken together with the accompanying drawings, in which:
Fig. 1 is an overview of a communications system illustrated with three network domains according to the present invention; Fig. 2 is an illustration of an embodiment of a communications system according to the present invention; Fig. 3 is a schematic diagram of an embodiment of a session key establishment according to the present invention; Fig. 4 is a schematic diagram of another embodiment of a session key establishment according to the present invention; Fig. 5 is a schematic diagram of a further embodiment of a session key establishment according to the present invention; Fig. 6 is a schematic diagram continuing the session key establishment of Fig. 5; Fig. 7 is a schematic diagram of an embodiment of a master key agreement according to the present invention; Fig. 8 is a block diagram of an embodiment of (cryptographic) key management center (KMC) according to the present invention; Fig. 9 is a block diagram of an embodiment of an authentication and keying unit of the KMC of Fig. 8; and Fig. 10 is a block diagram of an embodiment of a network element according to the present invention.
DETAILED DESCRIPTION
Throughout the drawings, the same reference characters will be used for corresponding or similar elements.
The present invention relates to key management for establishing a shared secret key between two network elements of different networks or network domains in a communications system or environment. The invention also enables secure communication between the two network elements based on the established and shared secret key.
In order to facilitate understanding of the invention, in the present description a network is referred a number of connected or associated computers and/ or network nodes having communications means and interconnections therebetween. A network domain or administrative network domain is (typically a portion of) a network governed by certain polices, defined by the administrator of the network. In the following, the invention will be described with reference to establishing a shared secret between two network elements of different network domains. However, as the person skilled in the art understands, the two network elements could, alternatively, belong to different administrative network domains and/ or networks, and/ or two domains of one and the same network. Furthermore, communication between networks is then referred to (if not pointed out otherwise) communication between network domains.
Referring to Fig. 1, a communications system 1 or environment is schematically illustrated. In the figure, the communications system 1 includes three independent network domains (NDs), denoted 100; 200 and 300, respectively. Each such network domain 100; 200; 300 is managed by a network operator or service provider and provides services to users connected to the network domain 100; 200; 300 and, possibly, having a service agreement, e.g. a subscription, with the network operator. In a typical example, each network operator manages one network domain 100; 200; 300, e.g. network domain 100 is managed by a first network operator, a second operator manages network domain 200, etc. However, it is possible for a single operator to manage two or more of the network domains 100; 200; 300 in the communications system 1.
The network domains 100; 200; 300 typically comprise a number of network elements (NE) or nodes NEai, NEa2; NEb; NEci, NEc2, NEc3 that are able to conduct communication with network elements of the same domain and also with network elements of other external network domains, the latter case being of particular interest for the present invention. Such a network element NEai, NEa2; NEb; NEci, NEc2, NEc3 could be a charging node needing to contact a corresponding charging node of another network domain. Similarly, a secure channel has to be set up between two Security Gateways (SEGs) (or network elements) of different network domains. A further example could be the communication between a Proxy Call State Control Function (P-CSCF) of a visited network domain and an Interrogating
CSCF or a Serving CSCF of a home domain, traffic between Serving Gateway General Packet Radio System (GPRS) Support Nodes (SGSN) and Gateway GPRS Support Nodes (GGSN). In yet another example, the communicating network elements could be a Home Location Register (HLR) and a Visited Location Register (NLR) or, in general, any form of inter-domain signalling, e.g. using Signaling System No. 7 (SS7).
The network elements NEai, NEa_>; NEb; NEci, NEC2, NEc3 are typically fixedly arranged and constitute a portion of the infrastructure of respective network domain 100; 200; 300, allowing provision of different services to users connected to the network domain 100; 200; 300. In addition to a number of network elements NEai, NEa2; NEb; NEci, NEc2, NEc3, the network domain 100; 200; 300 includes cryptographic means or a (cryptographic) key management center (KMC) or module 120; 220; 320 and an associated central key repository or key distribution center 140; 240; 340. The KMC 120; 220; 320 provides keys managed and stored in the key repository 140; 240; 340, performs cryptographic functionalities, e.g. encryption and decryption, using these keys and authentication for the network domain 100; 200; 300 and its network elements NEai, NEa2; NEb; NEci, NEC2, NEC3.
In the communication system 1, each network element NEai, NEa2; NEb; NEci, NEc2, NEc3 may be configured for conducting communication with all or some of the network elements in the other network domains. For example, network element NEai may communicate with network element NEb of network domain 200 and all the network elements NEci, NEC2, NEC3 of network domain 300. However, a network element may, alternatively, only be allowed to communicate with a limited number of the external network elements.
The network elements NEai, NEa2; NEb; NEci, NEc2, NEc3 are also connected with the KMC 120; 220; 320 of respective network domain 100; 200; 300, preferably by means of a secure channel. Using such a secure channel the KMC 120; 220; 320 may provide keys and other sensitive information to its associated network elements NEai, NEa2; NEb; NEci, NEC2, NEc3. A typical example of such a secure channel is an Operation and
Management (O&M) channel between a network element NEai, NEa2; NEb; NEci, NEC2, NEcs and the KMC 120; 220; 320.
In the following, which is further illustrated in the communication systems 1 of Fig. 2, the KMC will be instantiated by an Authentication, Authorization and Accounting (AAA) server node 120; 220 of the network domain 100; 200. The AAA server node 120; 220 typically includes functionalities and algorithms for generating and managing keys provided in associated key repositories 140; 240 in addition to authentication functionalities, e.g. by using an Authentication and Key Agreement (AKA) functionality or protocol.
Alternatively to Fig. 1, the network domain 100; 200 may include one or a few communicating network elements SEGa; SEGb dedicated for conducting communication with external communicating network elements. In Fig. 2, such dedicated network elements are exemplified by two security gateways SEGa; SEGb, adapted for mutual communication. In such a case, any protocols necessary for the communication may then be housed in only one or a few network elements in each network domain, instead of in all of the network elements of the domain. Any communication between two network elements NEai, NEa2; NEb not adapted for inter-domain communication is then conducted in a proxy fashion through the security gateways SEGa; SEGb of Fig. 2. Use of designated SEGs is advantageous as security processing only needs to be implemented in the SEG (SEGa; SEGb), which then acts as a "security proxy" for other network elements NEai, NEa2; NEb.
According to the present invention, the network domains, whose network elements are to communicate, share a secret symmetric key, denoted master key in the following. For example, referring back to Fig. 1, network domain
100 shares a master key (KAB) with network domain 200 and another master key (KAC) with domain 300. Similarly, network domain 200 and domain 300 share a master key (KBC). These master keys are long-term shared keys that are secure kept, preferably, centrally at the key repository 140; 240; 340 of respective domain 100; 200; 300. The procedure of this master key establishment is discussed further below.
Once two network elements of different network domains are to securely communicate with each other, the KMC of respective domain generates a symmetric secret or session key and, preferably securely (relying on intra- domain security in the form of cryptography or in the form of physically protected links), provides it to its associated network element. The inter-NE communication may then be securely performed based on the session keys now present in the network elements. The generation of session key is discussed in more detail herebelow.
Fig. 3 schematically illustrates a method of establishing a session key shared by two network elements (NEa, NEb) of two network domains. The KMC or AAA-server (AAAa, AAAb) of the network domains have pre-shared a master key (KAB) (step SI). In addition, respective AAA server node preferably has a secure (trusted) intra-domain channel towards its associated network element(s).
When NEa and NEb need to communicate, NEb may optionally trigger the communication by sending its identifier or an identifier of its network domain (IDb) to NEa (step S2). Alternatively, NEa triggers the communication itself.
NEa issues a request to AAAa for security parameters for the communication with NEb. The request is accompanied by the identifier IDb (step S3).
In response to the request, AAAa generates or obtains a freshness token (FRESH). Furthermore, the relevant pre-shared master key KAB is identified based on the received identifier IDb and is provided typically from the associated key repository. Once the correct master key KAB is obtained, AAAa generates or calculates a session key (K) based on the generated freshness token FRESH, the master key KAB and some cryptographic function (g). Optionally, additional information, such as the identifiers of the network elements and/ or domains IDa, IDb, may be used in this calculation.
The session key K and freshness token FRESH is then (securely) transmitted, preferably using the secure channel, to NEa (step S4).
NEa extracts the session key K from the received security parameters and forwards the freshness token FRESH to NEb, possible accompanied by its identifier or the identifier of its network domain (IDa) (step S5) . NEb forwards the freshness token FRESH to its associated cryptographic KMC or AAAb together with the identifier IDa, received from NEa or obtained elsewhere (step S6).
Similarly to AAAa, AAAb identifies and provides the relevant pre-shared master key KAB from its storage, e.g. in the associated key repository, based on the obtained identifier IDa. Furthermore, AAAb generates an copy of the session key K using an instance of the same cryptographic function g as AAAa with the master key KAB and freshness token FRESH as input parameters.
The now generated (copy of) session key K is, preferably securely, transmitted to NEb (step S7).
At this point, the network elements NEa and NEb shares a secret symmetric session key K. This key may be employed directly for enabling secure communication between the network elements (step S8). For example, the session key can be used directly in Internet Protocol Security (IPsec) protocols and algorithms. Alternatively, the session key could be used for e.g. running Internet Key Exchange (IKE) and negotiating Security
Association (SA).
By employing the above-identified method of the present invention, replay protection and freshness for the generation of session keys are provided. As was briefly mentioned above, the cryptographic function used for calculating the session key could also include other information as input parameters in addition to the master key and freshness token. For example, the identifier IDa and/or IDb could be possible additional input to the function.
The freshness token required for generating the session key could be generated by the AAA server node of the network domain or by some other unit or node connected thereto, including the communicating network element. The freshness token could be a time-stamp, e.g. a time-stamp associated with the time of reception of the request for security parameters from the network element, a sequence number and/or a random challenge, possibly associated with an authentication token.
The establishment of session keys may be accompanied by an authentication of the communicating network elements, e.g. using a challenge-response scheme. In such a case, the AAA server node could re-use the AKA algorithms traditionally employed for authenticating and key agreement between a network operator's AAA server and a user's mobile unit, or more precisely between the AAA server and an Identity Module, e.g. Subscriber
Identity Module (SIM), arranged in the mobile unit.
Fig. 4 schematically illustrates a session key establishment according to the present invention using a challenge-response procedure.
Correspondingly to Fig. 3, AAAa and AAAb pre-shares a secret master key KAB (step S10). The communication between the network elements may optionally be triggered by NEb providing its identifier or its domain identifier IDb to NEa (step S l l). NEa transmits a request for security parameters to AAAa, typically, including the identifier IDb (step S I 2).
Upon reception of the request, AAAa identifies the relevant master key KAB based on the provided identifier IDb similarly to Fig. 3. In addition, AAAa generates an authentication vector (AN). In this embodiment, the AN is a quintuple of security and authentication parameters. Starting with a random challenge (RAΝD), generated by AAAa or elsewhere, and an authentication token (AUTΝ), generally constituting the freshness token of Fig. 3. The authentication token AUTΝ could be e.g. a (simple) counter or some cryptographically protected information, such as authenticated using a key based on the master key KAB. Furthermore, an expected response (XRES) is generated using a cryptographic function (f) on the challenge RAΝD and master key KAB. A cipher key (Ck) and integrity key (Ik) are also generated based on the master key KAB and challenge RAΝD, and possibly other optional information, as input to cryptographic function fl and f2, respectively. In this embodiment Ck and/or Ik are used as session key(s). For more information of generation of the quintuple AN reference is made to [3], with the master key (or a key derived therefrom) as initial secret for the algorithms in [3].
The generated quintuple AN is then (securely) transmitted to ΝEa (step S I 3).
ΝEa extracts the random challenge RAΝD and authentication token AUTΝ form the received security parameters AN and forwards them, possibly together with its identifier or the identifier of its domain IDa, to ΝEb (step S14).
Upon reception of the parameters, ΝEb forwards them to its associated AAAb server node (step S I 5).
AAAb identifies and retrieves the correct master key KAB from its storage based on the received identifier IDa and checks if the authentication token AUTΝ is ok. If the token AUTΝ was cryptographically protected by AAAa using its instance of the master key KAB, AAAb employs the identified and provided master key KAB for authentication purposes. Furthermore, using instances of the same functions f, fl, f2 as AAAa, AAAb generates a response (RES) and the cipher Ck and integrity Ik keys.
The response RES and session keys (Ck, Ik) are then, preferably securely, transmitted to ΝEb (step S I 6).
The network element ΝEb forwards the received response RES to ΝEa (step SI 7), which now can authenticate ΝEb by comparing the received response RES with the expected response value XRES in the quintuple AN provided previously from AAAa. If they correctly match, ΝEa authenticates ΝEb and considers the session key establishment successful. NEa and NEb now have access to the keys Ck and Ik, which can be used as session keys e.g. for conducting secure communication between the network elements (step S I 8), as was discussed in connection with Fig. 3.
Thus, in this embodiment of the invention, the AAA server node and its AKA functionality and protocols are re-used for establishing session keys for network elements and for enabling secure communication between such elements of different network domains. Compared to the traditional role of the AAA server node in authenticating SIM of mobile telephones and other mobile units, the AAA node of the present invention will have two rolls.
Firstly that of a normal AAA server (AAAa in Fig. 4) and that of SIM (AAAb in Fig. 4). In this context, NEa could be viewed as corresponding to an AAA proxy and NEb as a "mobile telephone". However, NEb and AAAb function as two separate network elements or nodes, whereas a mobile telephone and SIM are one integrated mobile unit.
In order to increase the security and allow both network domains (AAA of the domains) influence the generation of the session key, the challenge-response scheme of Fig. 4 could be repeated in the opposite direction. The shared generated session key(s) may then be a function of the keys generated in both directions.
Figs. 5 and 6 schematically illustrates a possible solution for a double challenge-response procedure according to the present invention. Steps S20, S21 and S22 correspond to steps S I , S2 and S3 of Fig. 3 (steps S 10, Sl l and S 12 of Fig. 4) and are not further discussed.
Upon reception of a request for security parameters from the associated network element NEa, AAAa generates or obtains a first random challenge (RANDa) and a first authentication token (AUTNa). Furthermore, AAAa identifies the correct master key KAB based on the received NEb or NDb associated identifier IDb. A first expected response (XRESb) is calculated using a cryptographic function f and the identified master key KAB and provided first random challenge RANDa as input parameters. Correspondingly, the cryptographic means of the server node AAAa generates a first pre-cipher key (Cka) and a first pre-integrity key (Ika) by means of the master key g^, random challenge RANDa and cryptographic function fl and f2, respectively. These keys Cka, Ika are then stored in the server node, or in an associated accessible storage provided elsewhere, for later use.
The security parameters are then (securely) transmitted as a triplet authentication vector, comprising the first authentication token AUTNa, random challenge RANDa and expected response XRESb, to the network element NEa (step S23).
The network element NEa extracts and removes the first expected response XRESb from the authentication vector. The rest of the AV (i.e. AUTNa, RANDa) is then transmitted to the network element NEb possibly accompanied by its identifier of its domain identifier IDa (step S24).
The network element NEb forwards the authentication vector and the identifier IDa to its associated AAAb server node (step S25).
AAAb identifies and retrieves the correct master key KAB from its storage based on the received identifier IDa and investigates whether the first authentication token AUTNa is correct. Using instances of the same functions f, fl, f2 as AAAa, AAAb generates a first response (RESb) and the first pre-cipher Cka and pre-integrity Ika keys. AAAb also generates or obtains from some other unit in its network domain NDb a second random challenge (RANDb) and second authentication token (AUTNb). A second expected response (XRESa) is then calculated using function f and the master key KAB and a concatenation of the second random challenge RANDb and the first response RESb. It is anticipated by the invention that some other function, e.g. exclusive OR (XOR) and/or hash function, could be used instead of the concatenation. The provided second random challenge RANDb is also used, together with the master key KAB and cryptographic function fl and f2, respectively, for generating a second pre-cipher key (Ckb) and a second pre-integrity key (Ikb). Finally, session key(s) represented by a cipher key Ck and/ or integrity key Ik are generated based on the first and second pre-cipher keys Cka, Ckb and the first and second pre-integrity keys Ika, Ikb, respectively, and some function (h).
Continuing to Fig. 6, an authentication vector including the second authentication token AUTNb, second random challenge RANDb, first response RESb, second expected response XRESa and the cipher Ck and integrity Ik keys is, preferably securely, transmitted to the network element
NEb (step S26).
The network element NEb extracts the cipher Ck and integrity Ik keys (session key(s)) and second expected response XRESa from the vector, the rest of which is then forwarded, possibly accompanied by the NEb or NDb identifier IDb, to the network element NEa (step S27).
The network element extracts the first response RESb from the authentication vector and compares it to the first expected response XRESb received previously from AAAa. If they correspond or match, network element
NEa considers the network element NEb successfully authenticated and forwards the authentication vector received from NEb to AAAa (step S28).
AAAa identifies the correct master key g^ based on the received NEb or NDb identifier IDb and verifies the second authentication token AUTNb. A second response (RESa) is then calculated using function f and the master key KAB and a concatenation of the received second random challenge RANDb and the first expected response XRESb (or first response RESb) as input parameters. This first expected response XRESb could be obtained from a storage in the AAAa server node, or in an associated storage. AAAa has then previously entered the expected response XRESb in the storage, e.g. in connection to generating it upon reception of the request for security parameters from the network element NEa, see Fig. 5. Alternatively, the first expected response XRESb or first response RESb could be provided from
network element NEa together with the authentication vector transmitted in step S28. It is also possible for AAAa to anew calculate the first expected response XRESb by means of the first random challenge RANDa, as provided from a storage or from network element NEa.
In addition, AAAa generates the second pre-cipher key Ckb and pre-integrity key Ikb by means of the master key KAB and the received second random challenge RANDb as input parameters to functions fl and f2, respectively. These calculated keys are used together with the previously generated and stored first pre-cipher key Cka and pre-integrity key Ika for generating the session key(s) (cipher key Ck and/ or integrity key Ik).
The generated second response RESa and the cipher Ck and integrity Ik keys are then, preferably securely, provided to the network element NEa (step S29).
The network element NEa extracts the keys (Ck, Ik) and forwards the second response RESa to the network element NEb (step S30).
Network element NEb compares this second response RESa with the second expected response XRESa received earlier from its associated AAAb server node. If they correspond, network element NEb has authenticated network element NEa and considers the session key establishment successful. The now shared secret cipher key Ck and/or integrity key Ik can be used as session key(s) e.g. for conducting secure communication between the network elements (step S31), as was discussed in connection with Fig. 3.
The double challenge-response procedure discussed above and in connection with Figs. 5 and 6 should merely be seen as an example of such repeated challenge-response based session key establishment according to the present invention. In another embodiment, the second expected response and second response could be calculated with a concatenation, XOR and/ or hash of the first and second random challenge as input parameters instead of, or as a complement to, a concatenation, XOR and/ or hash of the second random challenge and the first response/ expected response. Furthermore, AAAb could use a message authentication code (MAC) function on the second random challenge and an XOR value of the first and second integrity keys (or first and second cipher keys). The output (m'=MAC[(Ika XOR Ikb), RANDb]) from the MAC function could then be provided to AAAa (through steps S26, S27 and S28). AAAa then uses an instance of the same MAC function for calculating a corresponding output (m= MAC [(Ika XOR Ikb), RANDb). AAAa then verifies that the calculated output m corresponds to the received output m'.
The session key(s) generated according to the present invention could be used for cryptographically protecting the traffic between the two network elements during the duration of a whole communication session and is then discarded when the communication is over. Alternatively, the lifetime, during which the session key is valid, may be shorter than the duration of the communication session. For example, the key could be used only for initiating the secure inter-NE channel, where some other key, e.g. derived from the session key, is used for actually encrypting and decrypting information transmitted between the network elements. Alternatively, the session key could be used for transmitting only a certain amount of data, after which a new key establishment or portion thereof has to be performed. In either case, the total lifetime of the session key may be negotiated, e.g. during IKE, between the network elements or domains and may be determined in such a privacy negotiation.
Generally, the lifetime or valid time of a session key is comparatively much shorter than the corresponding lifetime of the long-term secret master key shared between two network domains. Whereas a new secret session key is, typically, generated for each communication session, or several times per session, the same master key is, preferably, used for several such communication sessions. Actually, the master keys only have to be exchanged if the storage (key repository), where the master keys are kept in respective domain, is broken. However, in some applications it may be advantageous from security point of view to intermittently update master keys, e.g. once a year, in the network domains. Indeed, to provide "backwards" security, the master key could be used in a bootstrap fashion to regularly or intermittently update or exchange new master keys between the domains. This has the advantage that the content of the key repository at a given time does not comprise older keys.
The agreement and sharing of master keys between the network domains in the communication systems may be implemented in various ways. However, one common misinterpretation is often that the agreement on a symmetric master key requires complicated (very high) security procedures. A typical example of a key agreement protocol for the master key that can be employed according to the present invention is the Diffie-Hellman (DH) agreement protocol. This protocol allows a robust and secure master key inter-ND establishment.
Fig. 7 schematically illustrates a Diffie-Hellman procedure for master key establishment according the present invention. In the figure, two network domains are to share a common master key. The two network domains, or AAA server nodes of the domains, each generates a secret key, x for AAAa and y for AAAb in Fig. 7. The secret key is then securely stored, e.g. in a tamper- resistant storage in the key repository of respective domain. The secret x; y preferably never should leave this secure storage. In addition, a corresponding public value of the secret x; y is calculated, denoted gx and gy, respectively. Here, gx and gy refer to exponentiation operations (i.e. repeated group operations) in a suitable finite group. For more information refer to [4]. This key generation and calculation can be done at any time in advance of the actual master key agreement.
At the time of the master key establishment, e.g. at the time of signing a roaming agreement between the operators of the two network domains, the calculated public values gx; gy are exchanged (step S40 and S41). This public value exchange is preferably performed in an authenticated way, e.g. by the operators' representatives exchanging floppy disks, each comprising a DH public value gx; gy of the generated secret x; y. Alternatively, these values could be printed on paper in an Optical Character Recognition (OCR) friendly manner. Yet another approach is to use compact flash cards, Universal Serial Bus (USB) storage devices, etc., or the teaching of document [5].
The AAA server of respective network domain can then generate a common shared secret key (master key) g3^ based on the exchanged public values gx; gy and respective stored secret x; y. By employing the procedure described above and illustrated in Fig. 7, there is (under usual intractability assumptions on the Diffie-Hellman problem) absolutely no risk of revealing the master key g3^, not even if both floppy disks are "sniffed" by an adversary. The authenticity of the exchange is verified visually by the respective operator representative.
Thus, the most sensitive part of the session key establishment can be performed manually and assuring authenticity.
If a ND operator would like to revoke e.g. his roaming agreement with another network domain so that his network elements no longer should be able to securely communicate with the other ND operator's network elements, the master key shared with this external network domain is simply deleted from the key storage or repository. In addition, each time a network element requests security parameters, including the session key, from its AAA server node, it gives automatic check of revocation status of the correspondent network element and operator.
Furthermore, if any key repository is hacked, the master keys in the key repository (and the corresponding copies of the master keys stored in repositories of other network domains) are simply updated, e.g. by anew performing the Diffie-Hellman agreement protocol discussed above. Depending on the lifetime of the session keys, some or all network elements may need to be flushed from temporary stored session keys. This should be compared to the fully meshed symmetric solution discussed in the background section. In such a solution, if a single network element is hacked the keys of all network elements in all network domains (often several tens or hundreds of keys and network elements) may need to be replaced. However, according to the present invention if a network element is hacked, no key replacement has to be performed, though possibly a new session key has to be generated and provided if the network element currently is communicating with another external network element. Moreover, returning briefly to Fig. 1 , should the key storage 140 of the network domain 100 be compromised only communication to that particular domain 100 is potentially threatened, i.e. other network domains, e.g. the domain 200 and the domain 300, can still securely inter-communicate.
When a new network element is added to an existing network domain, basically the only measure required is the establishment of a, preferably secure, channel between this new network element and the AAA node. This is a configuration issue. No further distribution of keys or certificates is required.
Similarly, when a network element is to be revoked from a network domain, the AAA node simply deletes the network element (the key used for the secure channel between AAA and the network element) from its database of available network elements, to which it has a (secure) channel. Any (session) key cached in the network element is further erased.
Fig. 8 is a schematic block diagram of a (cryptographic) key management center (KMC) or module (AAA server) 20 according to the present invention illustrated associated with a key repository 40. The KMC 20 generally includes an input and output (I/O) unit 22 for managing communication with external units, nodes and elements. In particular, the I/O unit 22 is adapted for receiving requests for security parameters, possibly including a NE or ND identifier, from an associated network element, for (securely) transmitting requested security parameters (including the session key) to a requesting network element and for reception of a freshness token from a intra-ND network element. The KMC 20 further includes an authentication and keying unit 30, typically comprising AKA functionality for performing key management and possibly authentication.
The units 22, 30 of the KMC 20 may be provided as software, hardware or a combination thereof. They may be implemented together for example in a network node in the network domain. Alternatively, a distributed implementation is also possible with some of the units provided in different network nodes.
The KMC 20 comprises, is connected to or associated with the (central) key repository or storage 40 of the network domain. The repository 40 typically includes a set of secrets (xi, X2, ...) used for generating DH public values and master keys. In a first embodiment only one secret is used for generating the required master keys shared with other network domains. However, one secret is preferably only used for generating one master key. In other words, if a network domain is to share master keys with two other network domains it preferably generates to two different secrets (xi, X2), where the first (xi) is used for calculating the master key shared with the first domains and the other secret (x2) is employed for generating the master key shared with the second domain.
The repository 40 also comprises a set of master keys (gx,y' , g*2Z' , ...) (or more generally, representations of master keys, e.g. obtained by hashing each Diffie- Hellman value) associated with identifiers (IDb, IDc, ...) of the relevant network domain, with which it shares the master keys. The identifier and master key association allows identification of correct master key based on information of the identifier.
Preferably, also a set of secret keys (Si, S2, ...) used for secure communication between the KMC 20 and its associated network elements is stored in the repository 40. A corresponding copy of the relevant secret key is then stored also in the network element. It could be possible to use one and the same secret key for the secure communication between the AAA node and all its associated network elements. However, it may be preferred to use one secret only for a group of network elements or a single network element.
The key repository 40 could be provided as a stand-alone node in the communication domain and (securely) connected to the KMC 20. Alternatively, the repository 40 and KMC 20 may be implemented in one and the same network node. Also a distributed implementation is possible, where the different set of keys are provided in different nodes, e.g. the master keys (gx'y' , g 2Z| > • ••) are provided in one node, the secrets (xi, X2, ...) used for generating the master keys in a second node and the secrets (Si, S2, ...) employed for the secure communication with the network elements in a third node, e.g. the AAA server node. However, in the present invention the KMC (AAA server node) 20 and the key repository 40 could for clarity be regarded as one logic unit in the network domain, even if implemented in separate nodes. In either way, the key storage 40 is preferably tamper- resistant rendering it more difficult to break. Furthermore, secrets and keys preferably should preferably not leave the secure environment unprotected.
Fig. 9 is a block diagram illustrating the authentication and keying unit 30 of Fig. 8 in more detail. The authentication and keying unit 30 generally comprises a freshness token generator 32. Depending on the type of freshness token employed in the session key establishment procedure of the invention, the generator 32 could be implemented as a random challenge generator, sequence number counter, time-stamping unit, etc. Alternatively, this token generator 32 could be provided elsewhere in the network domain, including in a network element. Further, the unit 30 may optionally include a cryptographic functionality 34 for generating an expected response or response by means of the freshness token from the generator 32 and a master key from the key storage. Also a key manager 36 is implemented in the authentication and keying unit. The manager 36 in particular includes functionality 38 for generating keys, including generating master keys, generating secrets used for generating master keys, generating DH public values and generating or calculating session keys. In particular in the case of session key generation, the key generator 38 could use a single cryptographic function. Alternatively, a unique cryptographic function could be used for each network domain so that each network domain pair shares one unique function. The key manager 36 also typically manages key deletion and replacement or updatings in the key repository, and possible in the associated network elements, such by sending a key storage flushing command to the network elements and key storage.
The units 32, 34, 36, 38 of the authentication and keying unit 30 may be provided as software, hardware or a combination thereof. They may be implemented together for example in a network node in the network domain. Alternatively, a distributed implementation is also possible with some of the units provided in different network nodes.
Fig. 10 is a schematic block diagram of a network element or node 10 according to the present invention. The network element 10 includes an I/O unit 12 for communicating with the associated AAA server node (KMC) and with external network elements of other network domains. A key storage 14 is also preferably arranged in the network element for (temporarily) storing session keys (K). Also the secret key (Si) shared with the AAA server and used for secure communication therewith may be housed in the storage 14. The key storage 14 is preferably tamper-resistant making it harder to hack or break for an adversary. Optionally, a comparison unit 16 may be provided in the network element 10 for comparing an expected response received in the authentication vector (security parameters) from the AAA server with the response from an external network element. Based on the comparison performed by the unit 16, the network element 10 may authenticate the external network element, with which it wants to securely communicate. Although not illustrated in the figure, a key manager for deleting session keys when their lifetime has expired and/or flushing the key storage 14 upon reception of a key flushing command from the AAA server node may be implemented in the network element. The units 12, 16 of the network element 10 may be provided as software, hardware or a combination thereof.
It will be understood a person skilled in the art that various modifications and changes may be made to the present invention without departure from the scope thereof, which is defined by the appended claims.
REFERENCES
1 3GPP TR 33.810 V6.0.0, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network Domain Security/ Authentication Framework (NDS/AF); Feasibility study to support NDS/IP evolution, December 2002.
2 3GPP TS 33.310 V0.30, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network Domain Security; Authentication Framework, May 2003.
3 3GPP TS 33.102 V5.2.0, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security architecture, June 2003.
4 A.J. Menezes, P.C. van Oorschot and S.C. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1996.
5 ISO/IEC 9798-6, "Information technology, Security techniques, Entity authentication, Part 6: Mechanisms using manual data transfer", Working draft, April 2003.

Claims

1. A method of establishing a session key (K) shared between a first network element (NEa) of a first network domain (100) and a second network element (NEb) of a second network domain (200), said first network domain (100) comprising first cryptographic means (120) and sharing a secret key (KAB) with said second network domain (200) comprising second cryptographic means (220), said method comprising the steps of: said first cryptographic means (120) generating a freshness token (FRESH); - said first cryptographic means (120) generating said session key (K) based on said shared secret key (KAB) and said generated freshness token (FRESH); providing said session key (K) to said first network element (NEa); providing said freshness token (FRESH) to said second cryptographic means (220); said second cryptographic means (220) generating a copy of said session key (K) based on said shared secret key (KAB) and said provided freshness token (FRESH); and providing said copy of said session key (K) to said second network element (NEb).
2. A method of enabling secure communication between a first network element (NEa) of a first network domain (100) and a second network element (NEb) of a second network domain (200), said first network domain (100) comprising first cryptographic means (120) and sharing a secret key (KAB) with said second network domain (200) comprising second cryptographic means (220), said method comprising the steps of: said first cryptographic means (120) generating a freshness token (FRESH); - said first cryptographic means (120) generating said session key (K) based on said shared secret key (KAB) and said generated freshness token (FRESH); providing said session key (K) to said first network element (NEa); providing said freshness token (FRESH) to said second cryptographic means (220); said second cryptographic means (220) generating a copy of said session key (K) based on said shared secret key (KAB) and said provided freshness token (FRESH); providing said copy of said session key (K) to said second network element (NEb); and said first network element (NEa) and said second network element (NEb) securely communicating based on said session key (K) and said copy of said session key (K).
3. The method according to claim 1 or 2, wherein said session key providing step comprises the step of securely providing said session key (K) to said first network element (NEa) and said session key copy providing step comprises the step of securely providing said copy of said session key (K) to said second network element (NEb).
4. The method according to any of the claims 1 to 3, wherein said freshness token (FRESH) comprises a random challenge (RAND) and said method comprises the steps of: said first cryptographic means (120) generating an expected response (XRES) based on said shared secret key (KAB) and said random challenge (RAND); providing said expected response (XRES) to said first network element (NEa); said second cryptographic means (220) generating a response (RES) based on said shared secret key (KAB) and said provided random challenge (RAND); providing said response (RES) to said first network element (NEa); - said first network element (NEa) authenticating said second network element (NEb) based on a comparison between said expected response (XRES) and said response (RES).
5. The method according to claim 4, wherein said first cryptographic means (120) comprises an Authentication and Key Agreement (AKA) algorithm (30) for generating said random challenge (RAND), said expected response (XRES) and said session key (K), and said second cryptographic means (220) comprises an AKA algorithm (30) for generating said response (RES) and said copy of said session key (K).
6. The method according to any of the claims 1 to 5, further comprising the steps of: - said first network element (NEa) providing an identifier (IDb) associated with said second network domain (200) to said first cryptographic means (120); and said second network element (NEb) providing an identifier (IDa) associated with said first network domain (100) to said second cryptographic means (220).
7. The method according to claim 6, wherein said session key (K) and said copy of said session key (K) are generated based on at least one of said identifier (IDa) associated with said first network domain (100) and said identifier (IDb) associated with said second network domain (200).
8. The method according to claim 6 or 7, further comprising the steps of: said first cryptographic means (120) identifying said shared secret key (KAB) based on said identifier (IDb) associated with said second network domain (200); and said second cryptographic means (220) identifying said shared secret key (KAB) based on said identifier (IDa) associated with said first network domain (100).
9. The method according to any of the claims 1 to 8, wherein said first cryptographic means (120) is an Authentication, Authorization and Accounting (AAA) server provided in a network node of said first network domain (100) and said second cryptographic means (220) is an AAA server provided in a network node of said second network domain (200).
10. The method according to any of the claims 1 to 9, wherein said first network domain (100) shares a second secret key (KAC) with a third network domain (300) comprising third cryptographic means (320) and at least a third network element (NEci, NEc2, NEc3).
1 1. The method according to any of the claims 1 to 10, wherein said first network domain (100) is managed by a first communications network operator and said second network domain (200) is managed by a second different communications network operator.
12. The method according to any of the claims 1 to 1 1 , further comprising the step of intermittently replacing said shared secret (KAB) by a new shared secret by basing a key agreement between said first network domain (100) and said second network domain (200) on said shared secret (KAB) .
13. A system of establishing a session key (K) shared between a first network element (NEa) of a first network domain (100) and a second network element
(NEb) of a second network domain (200), said first network domain (100) sharing a secret key (KAB) with said second network domain (200), said first network domain (100) comprises: first cryptographic means (120) for generating a freshness token (FRESH) and for generating a session key (K) based on said shared secret key
(KAB) and said generated freshness token (FRESH); means (22) for providing said session key (K) from said first cryptographic means (120) to said first network element (NEa); and means (22) for providing said freshness token (FRESH) to said second network domain (200), said second network domain (200) comprises: second cryptographic means (220) for generating a copy of said session key (K) based on said shared secret key (KAB) and said provided freshness token (FRESH); and means (22) for providing said copy of said session key (K) from said second cryptographic means (220) to said second network element (NEb).
14. A system of enabling secure communication between a first network element (NEa) of a first network domain (100) and a second network element
(NEb) of a second network domain (200), said first network domain (100) sharing a secret key (KAB) with said second network domain (200), said first network domain (100) comprises: first cryptographic means (120) for generating a freshness token (FRESH) and for generating a session key (K) based on said shared secret key
(KAB) and said generated freshness token (FRESH); means (22) for providing said session key (K) from said first cryptographic means (120) to said first network element (NEa); and means (22) for providing said freshness token (FRESH) to said second network domain (200), said second network domain (200) comprises: second cryptographic means (220) for generating a copy of said session key (K) based on said shared secret key (KAB) and said provided freshness token (FRESH); and means (22) for providing said copy of said session key (K) from said second cryptographic means (220) to said second network element (NEb), said first network element (NEa) comprises means (12) for conducting secure communication with said second network element (NEb) based said session key (K) and said second network element (NEb) comprises means (12) for conducting secure communication with said first network element (NEa) based on said copy of said session key (K).
15. The system according to claim 13 or 14, wherein said session key providing means (22) is adapted for securely providing said session key (K) from said first cryptographic means (120) to said first network element (NEa) and said session key copy providing means (22) is adapted for securely providing said copy of said session key (K) from said second cryptographic means (220) to said second network element (NEb).
16. The system according to any of the claims 13 to 15, wherein said freshness token (FRESH) comprises a random challenge (RAND) and said first cryptographic means (120) comprises means (34) for generating an expected response (XRES) based on said shared secret key (KAB) and said random challenge (RAND) and said second cryptographic means (220) comprises means (34) for generating a response (RES) based on said shared secret key (KAB) and said random challenge (RAND), said first network domain (100) comprises means (22) for providing said expected response (XRES) to said first network element (NEa) and said second network domain (200) comprises means (22) for providing said response (RES) to said first network element
(NEa), wherein said first network element (NEa) comprises means (16) for authenticating said second network element (NEb) based on a comparison between said expected response (XRES) and said response (RES).
17. The system according to claim 16, wherein said first cryptographic means (120) comprises an Authentication and Key Agreement (AKA) algorithm (30) for generating said random challenge (RAND), said expected response (XRES) and said session key (K), and said second cryptographic means (220) comprises an AKA algorithm (30) for generating said response (RES) and said copy of said session key (K).
18. The system according to any of the claims 13 to 17, wherein said first cryptographic means (120) is an Authentication, Authorization and Accounting (AAA) server provided in a network node of said first network domain (100) and said second cryptographic means (220) is an AAA server provided in a network node of said second network domain (200).
19. The system according to any of the claims 13 to 18, further comprising a third network domain (300) with third cryptographic means (320) and at least a third network element (NEci, NEc2, NEc3), said first network domain
(100) and said third network domain (300) share a second secret key (KAC).
20. The system according to any of the claims 13 to 19, wherein said first network domain (100) is managed by a first communications network operator and said second network domain (200) is managed by a second different communications network operator.
21. The system according to any of the claims 13 to 20, further comprising means (36) for intermittently replacing said shared secret (KAB) by a new shared secret, said shared secret replacing means (36) is adapted for replacing said shared secret (KAB) based on a key agreement between said first network domain (100) and said second network domain (200) using said shared secret
(KAB).
22. A network domain (100) comprising: a first network element (NEa), adapted for communication with a second network element (NEb) of an external network domain (200), said network domain (100) and said external network domain (200) sharing a secret key (KAB); cryptographic means (20) for generating a freshness token (FRESH) and for generating a session key (K) based on said shared secret key (KAB) and said generated freshness token (FRESH); means (22) for providing said session key (K) from said cryptographic means (20) to said first network element (NEa); and means (22) for providing said freshness token (FRESH) to said external network domain (200), wherein said external network domain (200) comprises means (20) for generating a copy of said session key (K) for said second network element (NEb) based on said shared secret key (KAB) and said provided freshness token (FRESH).
23. The network domain according to claim 22, wherein said session key providing means (22) is adapted for securely providing said session key (K) from said cryptographic means (20) to said first network element (NEa).
24. The network domain according to claim 22 or 23, wherein said freshness token (FRESH) comprises a random challenge (RAND) and said cryptographic means (20) comprises means (34) for generating an expected response (XRES) based on said shared secret key (KAB) and said random challenge (RAND) and said external network domain (200) comprises means (34) for generating a response (RES) based on said shared secret key (KAB) and said random challenge (RAND), said network domain (100) comprises means (22) for providing said expected response (XRES) to said first network element (NEa) and said external network domain (200) comprises means (22) for providing said response (RES) to said first network element (NEa), wherein said first network element (NEa) comprises means (16) for authenticating said second network element (NEb) based on a comparison between said expected response (XRES) and said response (RES).
25. The network domain according to any of the claims 22 to 24, wherein said cryptographic means (20) is an Authentication, Authorization and Accounting (AAA) server provided in a network node of said network domain (100).
26. A network domain (200) comprising: a first network element (NEb), adapted for communication with a second network element (NEa) of an external network domain (100), said network domain (200) and said external network domain (100) sharing a secret key (KAB); - cryptographic means (20) for generating a session key (K) based on said shared secret key (KAB) and a freshness token (FRESH) provided from said external network domain (100); and means (22) for providing said session key (K) from said cryptographic means (20) to said first network element (NEb), wherein said external network domain (100) comprises means (20) for generating said freshness token
(FRESH) and for generating a copy of said session key (K) for said second network element (NEa) based on said shared secret key (KAB) and said generated freshness token (FRESH).
27. The network domain according to claim 26, wherein said session key providing means (22) is adapted for securely providing said session key (K) from said cryptographic means (20) to said first network element (NEb).
28. The network domain according to claim 26 or 27, wherein said freshness token (FRESH) comprises a random challenge (RAND) and said cryptographic means (20) comprises means (34) for generating a response (RES) based on said shared secret key (KAB) and said random challenge (RAND) and said external network domain (100) comprises means (34) for generating an expected response (XRES) based on said shared secret key (KAB) and said random challenge (RAND) and means (22) for providing said expected response (XRES) to said second network element (NEa), said network domain (200) comprises means (22) for providing said response (RES) to said second network element (NEa), wherein said response (RES) and said expected response (XRES) enables said second network element (NEa) to authenticate said first network element (NEb).
29. The network domain according to any of the claims 26 to 28, wherein said cryptographic means (20) is an Authentication, Authorization and Accounting (AAA) server provided in a network node of said network domain
(200).
PCT/SE2004/000179 2004-02-11 2004-02-11 Key management for network elements WO2005078988A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
DK04710139.9T DK1714418T3 (en) 2004-02-11 2004-02-11 KEY MANAGEMENT FOR NETWORK ELEMENTS
PCT/SE2004/000179 WO2005078988A1 (en) 2004-02-11 2004-02-11 Key management for network elements
CN200480041617A CN100592678C (en) 2004-02-11 2004-02-11 Key management for network elements
EP04710139.9A EP1714418B1 (en) 2004-02-11 2004-02-11 Key management for network elements
US10/597,864 US7987366B2 (en) 2004-02-11 2004-02-11 Key management for network elements
HK07106273.8A HK1101624A1 (en) 2004-02-11 2007-06-12 Key management for network elements

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2004/000179 WO2005078988A1 (en) 2004-02-11 2004-02-11 Key management for network elements

Publications (1)

Publication Number Publication Date
WO2005078988A1 true WO2005078988A1 (en) 2005-08-25

Family

ID=34859372

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2004/000179 WO2005078988A1 (en) 2004-02-11 2004-02-11 Key management for network elements

Country Status (6)

Country Link
US (1) US7987366B2 (en)
EP (1) EP1714418B1 (en)
CN (1) CN100592678C (en)
DK (1) DK1714418T3 (en)
HK (1) HK1101624A1 (en)
WO (1) WO2005078988A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010031600A1 (en) 2008-09-16 2010-03-25 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network
US7747540B2 (en) 2006-02-24 2010-06-29 Microsoft Corporation Account linking with privacy keys
EP2215769A1 (en) * 2007-11-30 2010-08-11 Telefonaktiebolaget LM Ericsson (publ) Key management for secure communication
KR101351110B1 (en) 2007-08-24 2014-01-16 한국과학기술원 Apparatus and method of transmitting/receiving encrypted data in a communication system
CN105141568A (en) * 2014-05-28 2015-12-09 腾讯科技(深圳)有限公司 Safe communication channel establishment method and system, client and server
CN108541367A (en) * 2015-06-09 2018-09-14 英特尔公司 For using the service of congregation and multiple key-distribution servers to carry out the systems, devices and methods of secure network bridge joint

Families Citing this family (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8229118B2 (en) * 2003-11-07 2012-07-24 Qualcomm Incorporated Method and apparatus for authentication in wireless communications
US8230058B2 (en) * 2004-03-29 2012-07-24 Verizon Business Global Llc Health reporting mechanism for inter-network gateway
WO2004100496A2 (en) * 2004-09-02 2004-11-18 Pisaramedia Oy Ends - messaging protocol that recovers and has backward security
CN100574185C (en) 2005-01-07 2009-12-23 华为技术有限公司 The method that in the IP multimedia service subsystem network, ensures media stream safety
CA2594468A1 (en) * 2005-01-28 2006-08-03 Telefonaktiebolaget Lm Ericsson (Publ) User authentication and authorisation in a communications system
US20070050630A1 (en) * 2005-08-24 2007-03-01 Samsung Electronics Co., Ltd. Authentication method and system for asynchronous eventing over the internet
GB0517592D0 (en) * 2005-08-25 2005-10-05 Vodafone Plc Data transmission
US7609837B2 (en) * 2005-09-01 2009-10-27 Sharp Laboratories Of America, Inc. System and method for automatic setup of a network device with secure network transmission of setup parameters
US7916869B2 (en) * 2005-09-01 2011-03-29 Sharp Laboratories Of America, Inc. System and method for automatic setup of a network device with secure network transmission of setup parameters using a standard remote control
US20070097934A1 (en) * 2005-11-03 2007-05-03 Jesse Walker Method and system of secured direct link set-up (DLS) for wireless networks
KR100834629B1 (en) * 2005-11-14 2008-06-02 삼성전자주식회사 System and method of providing based service on internet protocol classified in a communication system
KR100860404B1 (en) * 2006-06-29 2008-09-26 한국전자통신연구원 Device authenticaton method and apparatus in multi-domain home networks
JP4810379B2 (en) * 2006-09-22 2011-11-09 キヤノン株式会社 Communication system, terminal station, communication method and program
CN101232368B (en) * 2007-01-23 2011-06-01 华为技术有限公司 Method for distributing media stream cryptographic key and multimedia subsystem
EP1973265A1 (en) * 2007-03-21 2008-09-24 Nokia Siemens Networks Gmbh & Co. Kg Key refresh in SAE/LTE system
US8261351B1 (en) * 2008-01-22 2012-09-04 F5 Networks, Inc. DNS flood protection platform for a network
GB0801395D0 (en) 2008-01-25 2008-03-05 Qinetiq Ltd Network having quantum key distribution
EP2245789B1 (en) * 2008-01-25 2014-08-20 QinetiQ Limited Quantum cryptography apparatus
GB0801408D0 (en) * 2008-01-25 2008-03-05 Qinetiq Ltd Multi-community network with quantum key distribution
GB0801492D0 (en) * 2008-01-28 2008-03-05 Qinetiq Ltd Optical transmitters and receivers for quantum key distribution
US8533474B2 (en) * 2008-02-27 2013-09-10 Red Hat, Inc. Generating session keys
FR2931326A1 (en) * 2008-05-16 2009-11-20 St Microelectronics Rousset VERIFYING THE INTEGRITY OF AN ENCRYPTION KEY
GB0809044D0 (en) * 2008-05-19 2008-06-25 Qinetiq Ltd Multiplexed QKD
GB0809038D0 (en) * 2008-05-19 2008-06-25 Qinetiq Ltd Quantum key device
GB0809045D0 (en) * 2008-05-19 2008-06-25 Qinetiq Ltd Quantum key distribution involving moveable key device
GB0819665D0 (en) * 2008-10-27 2008-12-03 Qinetiq Ltd Quantum key dsitribution
GB0822254D0 (en) * 2008-12-05 2009-01-14 Qinetiq Ltd Method of performing authentication between network nodes
GB0822253D0 (en) * 2008-12-05 2009-01-14 Qinetiq Ltd Method of establishing a quantum key for use between network nodes
GB0822356D0 (en) * 2008-12-08 2009-01-14 Qinetiq Ltd Non-linear optical device
US9742560B2 (en) * 2009-06-11 2017-08-22 Microsoft Technology Licensing, Llc Key management in secure network enclaves
US8352741B2 (en) * 2009-06-11 2013-01-08 Microsoft Corporation Discovery of secure network enclaves
GB0917060D0 (en) 2009-09-29 2009-11-11 Qinetiq Ltd Methods and apparatus for use in quantum key distribution
US8443431B2 (en) * 2009-10-30 2013-05-14 Alcatel Lucent Authenticator relocation method for WiMAX system
US9525999B2 (en) * 2009-12-21 2016-12-20 Blackberry Limited Method of securely transferring services between mobile devices
CN102804826B (en) * 2010-03-17 2016-03-02 瑞典爱立信有限公司 For the enhancing key management of SRNS reorientation
US8650639B2 (en) * 2010-09-29 2014-02-11 Blackberry Limited System and method for hindering a cold boot attack
US8711843B2 (en) * 2010-10-29 2014-04-29 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographically generated addresses using backward key chain for secure route optimization in mobile internet protocol
GB201020424D0 (en) 2010-12-02 2011-01-19 Qinetiq Ltd Quantum key distribution
US9264230B2 (en) 2011-03-14 2016-02-16 International Business Machines Corporation Secure key management
US8619990B2 (en) 2011-04-27 2013-12-31 International Business Machines Corporation Secure key creation
US8566913B2 (en) 2011-05-04 2013-10-22 International Business Machines Corporation Secure key management
US8634561B2 (en) * 2011-05-04 2014-01-21 International Business Machines Corporation Secure key management
US8789210B2 (en) 2011-05-04 2014-07-22 International Business Machines Corporation Key usage policies for cryptographic keys
US8755527B2 (en) 2011-05-04 2014-06-17 International Business Machines Corporation Key management policies for cryptographic keys
US8769627B1 (en) * 2011-12-08 2014-07-01 Symantec Corporation Systems and methods for validating ownership of deduplicated data
US9781085B2 (en) * 2012-02-14 2017-10-03 Nokia Technologies Oy Device to device security using NAF key
US8898764B2 (en) * 2012-04-19 2014-11-25 Microsoft Corporation Authenticating user through web extension using token based authentication scheme
EP2893734B1 (en) * 2012-09-06 2016-04-27 Koninklijke KPN N.V. Establishing a device-to-device communication session
EP2874421A1 (en) * 2013-11-13 2015-05-20 Gemalto SA System and method for securing communications between a card reader device and a remote server
US10205598B2 (en) * 2015-05-03 2019-02-12 Ronald Francis Sulpizio, JR. Temporal key generation and PKI gateway
US11184335B1 (en) * 2015-05-29 2021-11-23 Acronis International Gmbh Remote private key security
US10164710B2 (en) 2016-10-24 2018-12-25 Nokia Of America Corporation Optical transceiver for secure data transmission
EP3506668A1 (en) * 2017-12-27 2019-07-03 Gemalto Sa A method for updating a one-time secret key
CN113574829A (en) * 2019-03-12 2021-10-29 诺基亚技术有限公司 Sharing communication network anchored encryption keys with third party applications
US11841961B2 (en) * 2020-07-02 2023-12-12 International Business Machines Corporation Management of computing secrets

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5638444A (en) * 1995-06-02 1997-06-10 Software Security, Inc. Secure computer communication method and system
US6336188B2 (en) * 1998-05-01 2002-01-01 Certicom Corp. Authenticated key agreement protocol

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3263878B2 (en) * 1993-10-06 2002-03-11 日本電信電話株式会社 Cryptographic communication system
US7047416B2 (en) * 1998-11-09 2006-05-16 First Data Corporation Account-based digital signature (ABDS) system
US7688975B2 (en) * 2001-10-26 2010-03-30 Authenex, Inc. Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US7243366B2 (en) * 2001-11-15 2007-07-10 General Instrument Corporation Key management protocol and authentication system for secure internet protocol rights management architecture
US7334255B2 (en) * 2002-09-30 2008-02-19 Authenex, Inc. System and method for controlling access to multiple public networks and for controlling access to multiple private networks
US8972582B2 (en) * 2002-10-03 2015-03-03 Nokia Corporation Method and apparatus enabling reauthentication in a cellular communication system
US7549048B2 (en) * 2004-03-19 2009-06-16 Microsoft Corporation Efficient and secure authentication of computing systems
US8281136B2 (en) * 2005-10-21 2012-10-02 Novell, Inc. Techniques for key distribution for use in encrypted communications
CN100596063C (en) * 2007-02-01 2010-03-24 华为技术有限公司 Distributing system, method and device for group key control message

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5638444A (en) * 1995-06-02 1997-06-10 Software Security, Inc. Secure computer communication method and system
US6336188B2 (en) * 1998-05-01 2002-01-01 Certicom Corp. Authenticated key agreement protocol

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7747540B2 (en) 2006-02-24 2010-06-29 Microsoft Corporation Account linking with privacy keys
KR101351110B1 (en) 2007-08-24 2014-01-16 한국과학기술원 Apparatus and method of transmitting/receiving encrypted data in a communication system
US9178696B2 (en) 2007-11-30 2015-11-03 Telefonaktiebolaget L M Ericsson (Publ) Key management for secure communication
EP3079298A1 (en) 2007-11-30 2016-10-12 Telefonaktiebolaget LM Ericsson (publ) Key management for secure communication
EP2215769A4 (en) * 2007-11-30 2013-10-30 Ericsson Telefon Ab L M Key management for secure communication
EP2215769A1 (en) * 2007-11-30 2010-08-11 Telefonaktiebolaget LM Ericsson (publ) Key management for secure communication
US20100268937A1 (en) * 2007-11-30 2010-10-21 Telefonaktiebolaget L M Ericsson (Publ) Key management for secure communication
US9628271B2 (en) 2007-11-30 2017-04-18 Telefonaktiebolaget Lm Ericsson (Publ) Key management for secure communication
US9749318B2 (en) 2008-09-16 2017-08-29 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network
WO2010031600A1 (en) 2008-09-16 2010-03-25 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network
AU2009294815B2 (en) * 2008-09-16 2015-10-29 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network
US8837737B2 (en) 2008-09-16 2014-09-16 Telefonaktiebolaget Lm Ericsson (Publ) Key management in a communication network
CN105141568A (en) * 2014-05-28 2015-12-09 腾讯科技(深圳)有限公司 Safe communication channel establishment method and system, client and server
CN105141568B (en) * 2014-05-28 2019-02-12 腾讯科技(深圳)有限公司 Secured communication channel method for building up and system, client and server
CN108541367A (en) * 2015-06-09 2018-09-14 英特尔公司 For using the service of congregation and multiple key-distribution servers to carry out the systems, devices and methods of secure network bridge joint
CN108541367B (en) * 2015-06-09 2021-09-14 英特尔公司 System, apparatus and method for secure network bridging using a rendezvous service and multiple key distribution servers

Also Published As

Publication number Publication date
CN1914848A (en) 2007-02-14
US7987366B2 (en) 2011-07-26
HK1101624A1 (en) 2007-10-18
DK1714418T3 (en) 2017-04-24
US20070160201A1 (en) 2007-07-12
EP1714418B1 (en) 2017-01-11
EP1714418A1 (en) 2006-10-25
CN100592678C (en) 2010-02-24

Similar Documents

Publication Publication Date Title
US7987366B2 (en) Key management for network elements
US8559640B2 (en) Method of integrating quantum key distribution with internet key exchange protocol
JP5118048B2 (en) Method and apparatus for establishing a security association
CN110958229A (en) Credible identity authentication method based on block chain
US20200351082A1 (en) Key distribution method and system, and apparatus
Bersani et al. The EAP-PSK protocol: A pre-shared key extensible authentication protocol (EAP) method
CN101156352B (en) Authentication method, system and authentication center based on mobile network P2P communication
US11647006B2 (en) Protecting signaling messages in hop-by-hop network communication link
US20080016230A1 (en) User equipment credential system
JP5524176B2 (en) Method and apparatus for authentication and identity management using public key infrastructure (PKI) in an IP-based telephone environment
WO2002068418A2 (en) Authentication and distribution of keys in mobile ip network
BRPI0520722B1 (en) method for automatically providing a communication terminal with service access credentials for accessing an online service, system for automatically providing a communication terminal adapted for use on a communications network, service access credentials for accessing a service online, online service provider, and communication terminal.
Lee et al. Mobile IP and WLAN with AAA authentication protocol using identity-based cryptography
Lin Security and authentication in PCS
KR100970552B1 (en) Method for generating secure key using certificateless public key
Masmoudi et al. Building identity-based security associations for provider-provisioned virtual private networks
Bersani et al. RFC 4764: The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method
Cheng et al. Internet Engineering Task Force H. Wang, Ed. Internet-Draft Y. Yang Intended status: Informational X. Kang Expires: April 12, 2021 Huawei International Pte. Ltd.
Cheng Internet Engineering Task Force H. Wang, Ed. Internet-Draft Y. Yang Intended status: Informational X. Kang Expires: April 12, 2020 Huawei International Pte. Ltd.
Cheng et al. Internet Engineering Task Force H. Wang, Ed. Internet-Draft Y. Yang Intended status: Informational X. Kang Expires: October 11, 2020 Huawei International Pte. Ltd.
Cheng Internet Engineering Task Force H. Wang, Ed. Internet-Draft Y. Yang Intended status: Informational X. Kang Expires: October 14, 2019 Huawei International Pte. Ltd.
Cheng Internet Engineering Task Force H. Wang, Ed. Internet-Draft Y. Yang Intended status: Informational X. Kang Expires: October 16, 2019 Huawei International Pte. Ltd.
Saninas et al. EVALUATING AND COMPARING PRIVACY AND ANONYMITY OF MOBILE NETWORK AUTHENTICATION SCHEMES
Harney et al. RFC 4535: GSAKMP: Group Secure Association Key Management Protocol
Latze Towards a secure and user friendly authentication method for public wireless networks

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200480041617.2

Country of ref document: CN

AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REEP Request for entry into the european phase

Ref document number: 2004710139

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2004710139

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2007160201

Country of ref document: US

Ref document number: 10597864

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Ref document number: DE

WWE Wipo information: entry into national phase

Ref document number: 4816/DELNP/2006

Country of ref document: IN

WWP Wipo information: published in national office

Ref document number: 2004710139

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 10597864

Country of ref document: US