Method and apparatus for providing bootstrapping procedures in a communication network

US 20060182280A1
Filed: 02/10/2006
Published: 08/17/2006
Est. Priority Date: 02/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating comprising:

establishing a key with a terminal in a communication network according to a key agreement protocol, wherein the terminal is configured to operate using spread spectrum;

tying the agreed key to an authentication procedure to provide a security association that supports reuse of the key; and

generating a master key based on the agreed key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for performing authentication in a communication system. In one embodiment, a key is established with a terminal in a communication network according to a key agreement protocol. The agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key. A master key is generated based on the agreed key. In another embodiment, digest authentication is combined with key exchange parameters (e.g., Diffie-Hellman parameters) in the payload of the digest message, in which a key (e.g., SMEKEY or MN-AAA) is utilized as a password. In yet another embodiment, an authentication algorithm (e.g., Cellular Authentication and Voice Encryption (CAVE)) is employed with a key agreement protocol with conversion functions to support bootstrapping.

81 Citations

View as Search Results

57 Claims

1. A method for authenticating comprising:
- establishing a key with a terminal in a communication network according to a key agreement protocol, wherein the terminal is configured to operate using spread spectrum;
  
  tying the agreed key to an authentication procedure to provide a security association that supports reuse of the key; and
  
  generating a master key based on the agreed key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, further comprising:
    - generating a challenge message from the agreed key according to the authentication procedure.
  - 3. A method according to claim 1, further comprising:
    - generating a challenge message from a key agreement message exchanged with the terminal according to the key agreement protocol.
  - 4. A method according to claim 1, wherein the key agreement protocol includes a Diffie-Hellman key exchange scheme.
  - 5. A method according to claim 4, wherein the key agreement is performed over a transport layer security (TLS) tunnel.
  - 6. A method according to claim 4, wherein the terminal is configured to communicate using spread spectrum and to perform bootstrapping according to a generic authentication architecture.
  - 7. A method according to claim 1, wherein the authentication procedure includes a challenge handshake authentication protocol (CHAP).

8. A method for authenticating comprising:
- establishing a shared key with a network element in a communication network according to a key agreement protocol, wherein the network element is configured to tie the agreed key to an authentication procedure to provide a security association that supports reuse of the key; and
  
  generating a master key based on the agreed key.
- View Dependent Claims (9, 10, 11, 12)
- - 9. A method according to claim 8, wherein the key agreement protocol includes a Diffie-Hellman key exchange scheme.
  - 10. A method according to claim 8, wherein the key agreement is performed over a transport layer security (TLS) tunnel.
  - 11. A method according to claim 8, further comprising:
    - communicating with the network element using Code Division Multiple Access (CDMA); and
      
      performing bootstrapping according to a generic authentication architecture.
  - 12. A method according to claim 8, wherein the authentication procedure includes a challenge handshake authentication protocol (CHAP).

13. An apparatus for authenticating comprising:
- an authentication module configured to establish a shared key with a network element in a communication network according to a key agreement protocol, wherein the network element is configured to tie the agreed key to an authentication procedure to provide a security association that supports reuse of the key, the authentication module being further configured to generate a master key based on the agreed key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. An apparatus according to claim 13, wherein the key agreement protocol includes a Diffie-Hellman key exchange scheme.
  - 15. An apparatus according to claim 13, wherein the key agreement is performed over a transport layer security (TLS) tunnel.
  - 16. An apparatus according to claim 13, further comprising:
    - a transceiver configured to communicate with the network element using spread spectrum, wherein the authentication module being further configured to perform bootstrapping according to a generic authentication architecture.
  - 17. An apparatus according to claim 13, wherein the authentication procedure includes a challenge handshake authentication protocol (CHAP).
  - 18. A system comprising the apparatus and the network element of claim 13.

19. A method for authenticating comprising:
- generating a message for authenticating communication with a network element configured to perform bootstrapping;
  
  setting a password field of the message to a function of a secret key; and
  
  specifying key establishment information within a payload of the message, wherein the message is transmitted according to a transport protocol for accessing information over a data network.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. A method according to claim 19, wherein the transport protocol includes a hypertext transfer protocol.
  - 21. A method according to claim 19, wherein the key establishment information includes Diffie-Hellman parameters.
  - 22. A method according to claim 19, further comprising:
    - setting a username field of the message to an identifier of a terminal.
  - 23. A method according to claim 19, wherein the function of the secret key is a checksum or a digest.
  - 24. A method according to claim 19, wherein the secret key is a signaling message encryption key (SMEKEY) or a mobile node authentication, authorization and accounting (MN-AAA) key.

25. A method for authenticating comprising:
- receiving a message from a terminal, according to a transport protocol for accessing information over a data network, requesting authentication, wherein the message includes a password field that is a function of a secret key and a payload containing key establishment information specifying parameters for determining another secret key; and
  
  generating a master key based on the secret keys.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. A method according to claim 25, wherein the transport protocol includes a hypertext transfer protocol.
  - 27. A method according to claim 25, wherein the key establishment information includes Diffie-Hellman parameters.
  - 28. A method according to claim 25, wherein the message includes a username field for specifying an identifier of a terminal.
  - 29. A method according to claim 25, wherein the function of the secret key is a checksum or a digest.
  - 30. A method according to claim 25, wherein the secret key is a signaling message encryption key (SMEKEY) or a mobile node authentication, authorization and accounting (MN-AAA) key.

31. An apparatus for authenticating comprising:
- an authentication module configured to generate a message for authenticating communication with a network element configured to perform bootstrapping, and to set a password field of the message to be a function of a secret key, the message having a payload that includes new key establishment information, wherein the message is transmitted according to a transport protocol for accessing information over a data network.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. An apparatus according to claim 31, wherein the transport protocol includes a hypertext transfer protocol that supports secure communications over the data network.
  - 33. An apparatus according to claim 31, wherein the key establishment information includes Diffie-Hellman parameters.
  - 34. An apparatus according to claim 31, wherein the authentication module is further configured to set a username field of the message to an identifier of a terminal.
  - 35. An apparatus according to claim 31, wherein the function of the secret key is a checksum or a digest.
  - 36. An apparatus according to claim 31, wherein the secret key is a signaling message encryption key (SMEKEY) or a mobile node authentication, authorization and accounting (MN-AAA) key.
  - 37. An apparatus according to claim 31, further comprising:
    - a transceiver configured to communicate with the base station using spread spectrum, wherein the authentication module being further configured to perform bootstrapping according to a generic authentication architecture.
  - 38. A system comprising the apparatus and the network element of claim 31.

39. A method for authenticating comprising:
- receiving an authentication request specifying a user identity from a terminal;
  
  forwarding the user identity to a location register configured to generate based on the user identity, cryptographic parameters including a random secret data, and a secret data generated from the random secret data according to a cryptographic algorithm;
  
  receiving the generated cryptographic parameters from the location register;
  
  generating an authentication vector by converting the cryptographic parameters to key parameters including an authenticating token and an authentication response;
  
  transmitting the authenticating token to a terminal configured to output the authentication response;
  
  validating an authentication response from the terminal using the authentication response from the authentication vector; and
  
  generating a master key based on the key parameters.
- View Dependent Claims (40, 41, 42, 43, 44)
- - 40. A method according to claim 39, wherein the authentication request is generated according to a hypertext transfer protocol.
  - 41. A method according to claim 39, wherein the conversion from the cryptographic parameters to the key parameters includes generating a key based on the secret data.
  - 42. A method according to claim 39, wherein the authentication vector includes a random number that is based on the random secret data, the authentication vector further including a cipher key, and an integrity key.
  - 43. A method according to claim 39, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm.
  - 44. A method according to claim 39, wherein a plurality of sets of cryptographic parameters are generated by the location register for use in generating the authentication vector.

45. A method for authenticating comprising:
- generating an authentication request specifying a user identity;
  
  transmitting the authentication request to a network element configured to provide bootstrapping, wherein the network element forwards the user identity to a location register configured to generate, based on the user identity, cryptographic parameters including a random secret data, and a secret data generated from the random secret data according to a cryptographic algorithm, wherein the network element generates an authentication vector by converting the cryptographic parameters to key parameters including an authenticating token and an authentication response;
  
  receiving the authenticating token from the network element;
  
  outputting the authentication response based on the authenticating token;
  
  determining a digest response using the authentication response;
  
  transmitting the digest response to the network element for validation; and
  
  generating a master key based on the key parameters.
- View Dependent Claims (46, 47, 48, 49, 50)
- - 46. A method according to claim 45, wherein the authentication request is generated according to a hypertext transfer protocol.
  - 47. A method according to claim 45, wherein the conversion from the cryptographic parameters to the key parameters includes generating a key based on the secret data.
  - 48. A method according to claim 45, wherein the authentication vector includes a random number that is based on the random secret data, the authentication vector further including a cipher key, an integrity key.
  - 49. A method according to claim 45, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm.
  - 50. A method according to claim 45, wherein a plurality of sets of cryptographic parameters are generated by the location register for use in generating the authentication vector.

51. An apparatus for authenticating comprising:
- an authentication module configured to generate an authentication request specifying a user identity; and
  
  a transceiver configured to transmit the authentication request to a network element configured to provide bootstrapping, wherein the network element forwards the user identity to a location register configured to generate, based on the user identity, cryptographic parameters including a random secret data, and a secret data generated from the random secret data according to a cryptographic algorithm, wherein the network element generates an authentication vector by converting the cryptographic parameters to key parameters including an authenticating token and an authentication response, wherein the transceiver is further configured to receive the authenticating token from the network element, and the authentication module is further configured to output the authentication vector based on the authenticating token, to determine a digest response using the authentication response, and to generate a master key based on the key parameters upon validation of the digest response by the network element.
- View Dependent Claims (52, 53, 54, 55, 56, 57)
- - 52. An apparatus according to claim 51, wherein the authentication request is generated according to a hypertext transfer protocol.
  - 53. An apparatus according to claim 51, wherein the conversion from the cryptographic parameters to the key parameters includes generating a key based on the secret data.
  - 54. An apparatus according to claim 51, wherein the authentication vector includes a random number that is based on the random secret data, the authentication vector further including a cipher key, and an integrity key.
  - 55. An apparatus according to claim 51, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm.
  - 56. An apparatus according to claim 51, wherein a plurality of sets of cryptographic parameters are generated by the location register for use in generating the authentication vector.
  - 57. A system comprising the apparatus of claim 51, and the network element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Technologies Oy (Nokia Corporation)
Inventors
Bajko, Garbor, Asokan, Nadarajah, Laitinen, Pekka, Ginzboorg, Philip

Granted Patent

US 9,300,641 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/247
CPC Class Codes

G06F 9/4416   Network booting; Remote ini...

H04L 2209/80   Wireless network architectu...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/0844   with user authentication or...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

Method and apparatus for providing bootstrapping procedures in a communication network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing bootstrapping procedures in a communication network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links