Method and Arrangement For Authentication and Privacy
1 Assignment
0 Petitions
Abstract
The present invention improves privacy protection and authentication over the prior-art GAA/GBA system by specifying a Bootstrap Server Function (BSF) that creates an Authentication Voucher asserting to a network application function NAF the authentication of a user entity UE. BSF generates keys Ks and Ks_NAF with corresponding key identifiers B_TID and B_TID_NAF. In order to prevent tracking of a user by collusion between several NAF entities, B_TID_NAF and the Voucher can be unique for each NAF. The Ub interface (UE-BSF) is further protected by encryption using key Ks, and the Ua interface (UE-NAF) is further protected against man-in-the-middle attacks by signing messages with key Ks and providing freshness.
45 Citations
22 Claims
1. A method in a network for communication that implements GAA/GBA (Generic Authentication Architecture/Generic Bootstrapping Architecture) and wherein a BSF (Bootstrapping Server Function) network node performs initial steps at least comprising authorizing a user entity UE and establishing at least one security key, shared with UE, comprising first key Ks and associated key identifier B_TID, and at least one second key Ks_NAF derived from Ks and associated with at least one network application function NAF, for improved privacy protection and authentication support comprising the steps:
the network node BSF further generating an Authentication Voucher asserting that UE has been authenticated;
generating at least one key identifier B_TID_NAF associated with said at least one second derived key, the key identifier being unique for each NAF;
the network node BSF sending the identifiers B_TID and the at least one identifier B_TID_NAF to UE;
a network application function NAF, in response to an access for services by UE including the at least one identifier B_TID_NAF, providing at least said identifier B_TID_NAF to BSF;
the network node BSF identifying, in response to said identifier B_TID_NAF, the Authentication Voucher of UE, for enabling establishment of authentication status of UE. (Dependent claims: 2 to 15.)
16. In a network for communication that implements the GAA/GBA-architecture a network node BSF performing authentication of a user entity UE and negotiating a shared key Ks with UE, the network node BSF further comprising:
means for generation of an identifier B_TID associated with Ks;
means for generation of at least one derived key Ks_NAF, associated with at least one network application function NAF, and for generation of at least a corresponding identifier B_TID_NAF, the identifier being unique for each NAF;
means for generation of an Authentication Voucher asserting that UE has been authenticated;
means for storing the keys, key identifiers, and Authentication Voucher and for linking these entities to UE;
means for sending B_TID and the at least one B_TID_NAF to UE;
means for retrieving, in response to reception of at least one identifier B_TID_NAF related to a user equipment UE, a corresponding Authentication Voucher to enable establishment of authentication status of UE. (Dependent claims: 17 to 20.)
21. A system for providing improved privacy protection and authentication in a communications network implementing a GAA/GBA infrastructure the system comprising:
a bootstrap server function BSF that provides an Authentication Voucher asserting authentication of a user entity UE and identifiers B_TID_NAF of keys Ks_NAF associated with at least one network application function NAF, the identifiers being unique for each NAF;
an interface Ub between BSF-UE that is further protected by encryption using key Ks shared by BSF and UE;
an interface Ua between UE-NAF that is further protected against man-in-the-middle attacks by signing messages using key Ks and a freshness token;
at least one network application function NAF arranged to communicate with BSF about validity of an Authentication Voucher such as to prevent several NAF entities from colluding in order to track a user entity UE. (Dependent claim: 22.)
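The exchange the three independent claims describe (bootstrapping with one Ks_NAF and one B_TID_NAF per NAF, the Ua request signed under Ks with a freshness token, the NAF asking the BSF to map B_TID_NAF to the Authentication Voucher, and why two NAFs cannot correlate the same user), as an added simulation that is not part of the patent. Everything concrete in it is an assumption the claims do not make: HMAC-SHA256 as the "signature" over Ua, HMAC-based derivation of Ks_NAF from Ks, random B_TID_NAF values, a set of seen nonces as the freshness check, verification of the Ua signature at the BSF rather than the NAF, the voucher format, and the identities and host names. The AKA run that authenticates the UE and establishes Ks is omitted; Ks is generated in the BSF and handed back as if both sides had derived it.

```python
import hashlib
import hmac
import json
import secrets
import time


def kdf(key, label):
    # Assumption: HMAC-SHA256 derivation of Ks_NAF from Ks (the patent fixes no KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def canonical(msg):
    # Deterministic encoding so UE and BSF sign exactly the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(ks, msg):
    # Assumption: the claims' "signature with key Ks" is modelled as an HMAC under Ks.
    return hmac.new(ks, canonical(msg), hashlib.sha256).digest()


class BSF:
    """Bootstrapping Server Function: Ks, per-NAF keys and identifiers,
    the Authentication Voucher and the freshness state for Ua."""

    def __init__(self):
        self.records = {}         # B_TID -> {"ks", "voucher", "nafs": naf_id -> (Ks_NAF, B_TID_NAF)}
        self.index = {}           # B_TID_NAF -> (B_TID, naf_id it was issued for)
        self.seen_nonces = set()  # nonces already accepted over Ua

    def bootstrap(self, ue_identity, naf_ids):
        # AKA run omitted; Ks is generated here and returned as the shared key.
        ks = secrets.token_bytes(32)
        b_tid = secrets.token_urlsafe(16)
        voucher = {"ue": ue_identity, "b_tid": b_tid, "issued": int(time.time())}
        nafs = {}
        for naf_id in naf_ids:
            ks_naf = kdf(ks, b"Ks_NAF|" + naf_id.encode())
            b_tid_naf = secrets.token_urlsafe(16)  # random per NAF, so NAFs cannot correlate
            nafs[naf_id] = (ks_naf, b_tid_naf)
            self.index[b_tid_naf] = (b_tid, naf_id)
        self.records[b_tid] = {"ks": ks, "voucher": voucher, "nafs": nafs}
        # Returned to the UE over Ub (encrypted under Ks in claim 21; not modelled).
        return ks, b_tid, {naf_id: ids[1] for naf_id, ids in nafs.items()}

    def resolve(self, naf_id, request, mac):
        """NAF -> BSF query: map B_TID_NAF to the voucher, check the Ua signature
        and the nonce, and release Ks_NAF for that NAF only."""
        hit = self.index.get(request.get("b_tid_naf"))
        if hit is None:
            return None, "unknown B_TID_NAF"
        b_tid, issued_for = hit
        if issued_for != naf_id or request.get("naf") != naf_id:
            return None, "B_TID_NAF not issued for this NAF"
        rec = self.records[b_tid]
        if not hmac.compare_digest(mac, sign(rec["ks"], request)):
            return None, "bad signature"
        if request["nonce"] in self.seen_nonces:
            return None, "replay"
        self.seen_nonces.add(request["nonce"])
        return {"voucher": rec["voucher"], "ks_naf": rec["nafs"][naf_id][0]}, "ok"


class UE:
    def __init__(self, identity):
        self.identity = identity

    def bootstrap(self, bsf, naf_ids):
        self.ks, self.b_tid, self.b_tid_naf = bsf.bootstrap(self.identity, naf_ids)

    def access(self, naf_id):
        # Ua request: only the NAF-specific identifier plus a fresh nonce, signed under Ks.
        req = {"b_tid_naf": self.b_tid_naf[naf_id], "naf": naf_id, "nonce": secrets.token_hex(8)}
        return req, sign(self.ks, req)


class NAF:
    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf
        self.seen = []  # identifiers this NAF observed (what colluding NAFs would compare)

    def serve(self, request, mac):
        self.seen.append(request["b_tid_naf"])
        result, status = self.bsf.resolve(self.naf_id, request, mac)
        return status, (result["voucher"]["ue"] if result else None)


def demo():
    # Constructed identities; nothing here is taken from the patent.
    bsf = BSF()
    ue = UE("user@example.org")
    naf1, naf2 = NAF("naf1.example.org", bsf), NAF("naf2.example.org", bsf)
    ue.bootstrap(bsf, [naf1.naf_id, naf2.naf_id])
    req1, mac1 = ue.access(naf1.naf_id)
    req2, mac2 = ue.access(naf2.naf_id)
    out = {"naf1": naf1.serve(req1, mac1), "naf2": naf2.serve(req2, mac2)}
    out["linkable"] = naf1.seen[0] == naf2.seen[0]  # colluding NAFs compare identifiers
    out["replay"] = naf1.serve(req1, mac1)          # same signed request sent again
    out["cross_naf"] = naf2.serve(req1, mac1)[0]    # naf1's identifier offered to naf2
    req3, mac3 = ue.access(naf1.naf_id)
    out["tampered"] = naf1.serve(dict(req3, nonce="0"), mac3)[0]  # MitM edits a field
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The BSF binds each B_TID_NAF to the NAF it was issued for, so an identifier captured by one NAF is useless at another, and the two NAFs hold different identifiers for the same UE; the signature under Ks fails on any edited field, and a replayed request is rejected on its nonce even though its signature is valid.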
Specification