Method and apparatus for providing bootstrapping procedures in a communication network

US 9,906,528 B2
Filed: 03/15/2016
Issued: 02/27/2018
Est. Priority Date: 02/11/2005
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus embedded in a network element to at least perform the following steps:

receiving from a user device a message requesting authentication for accessing information by the user device over a data network, wherein the message specifies a user identity associated with the user device, the user identity is generated based on a secret data and a random secret data generated at the user device, and the message is generated according to a hypertext transfer protocol;

forwarding the user identity to a location register configured to verify, based on the user identity, cryptographic parameters including the random secret data and to generate the secret data, from the random secret data according to a cryptographic algorithm;

receiving the secret data at the network element from the location register;

generating an authentication vector by converting the secret data to key parameters that include an authenticating token and an authentication response;

transmitting the authenticating token from the network element to the user device that is configured to output an authentication response based on the authenticating token;

validating the authentication response received from the user device using the authentication response of the authentication vector;

after the authentication response received from the user device is validated, generating a master key based on the key parameters; and

authenticating one or more messages from the user device using the master key,wherein the secret data is shared between the network element and the user device to generate the master key for the network element and another master key for the user device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for performing authentication in a communication system. In one embodiment, a key is established with a terminal in a communication network according to a key agreement protocol. The agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key. A master key is generated based on the agreed key. In another embodiment, digest authentication is combined with key exchange parameters (e.g., Diffie-Hellman parameters) in the payload of the digest message, in which a key (e.g., SMEKEY or MN-AAA) is utilized as a password. In yet another embodiment, an authentication algorithm (e.g., Cellular Authentication and Voice Encryption (CAVE)) is employed with a key agreement protocol with conversion functions to support bootstrapping.

16 Citations

18 Claims

1. A non-transitory computer-readable storage medium carrying one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus embedded in a network element to at least perform the following steps:
- receiving from a user device a message requesting authentication for accessing information by the user device over a data network, wherein the message specifies a user identity associated with the user device, the user identity is generated based on a secret data and a random secret data generated at the user device, and the message is generated according to a hypertext transfer protocol;
  
  forwarding the user identity to a location register configured to verify, based on the user identity, cryptographic parameters including the random secret data and to generate the secret data, from the random secret data according to a cryptographic algorithm;
  
  receiving the secret data at the network element from the location register;
  
  generating an authentication vector by converting the secret data to key parameters that include an authenticating token and an authentication response;
  
  transmitting the authenticating token from the network element to the user device that is configured to output an authentication response based on the authenticating token;
  
  validating the authentication response received from the user device using the authentication response of the authentication vector;
  
  after the authentication response received from the user device is validated, generating a master key based on the key parameters; and
  
  authenticating one or more messages from the user device using the master key,wherein the secret data is shared between the network element and the user device to generate the master key for the network element and another master key for the user device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory computer-readable storage medium according to claim 1, wherein the random secret data is a random challenge, the authentication vector includes a random number that is based on the random secret data, and the authentication vector further includes a cipher key and an integrity key.
  - 3. The non-transitory computer-readable storage medium according to claim 1, wherein the network element is a base station or an authentication center.
  - 4. The non-transitory computer-readable storage medium according to claim 1, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm.
  - 5. The non-transitory computer-readable storage medium according to claim 1, wherein a plurality of sets of cryptographic parameters are generated by the location register for generating the authentication vector.
  - 6. The non-transitory computer-readable storage medium according to claim 1, further comprising:
    - communicating with the user device using spread spectrum.

7. A method comprising:
- receiving, at a network element from a user device, a message requesting authentication for accessing information by the user device over a data network, wherein the message specifies a user identity associated with the user device, the user identity is generated based on a secret data and a random secret data generated at the user device, and the message is generated according to a hypertext transfer protocol;
  
  forwarding the user identity from the network element to a location register configured to verify, based on the user identity, cryptographic parameters including the random secret data and to generate the secret data from the random secret data according to a cryptographic algorithm;
  
  receiving the secret data at the network element from the location register;
  
  generating, by the network element, an authentication vector by converting the secret data to key parameters that include an authenticating token and an authentication response;
  
  transmitting the authenticating token from the network element to the user device that is configured to output an authentication response based on the authenticating token;
  
  validating, by the network element, the authentication response received from the user device using the authentication response of the authentication vector;
  
  after the authentication response received from the user device is validated, generating, by the network element, a master key based on the key parameters; and
  
  authenticating, by the network element, one or more messages from the user device using the master key,wherein the secret data is shared between the network element and the user device to generate the master key for the network element and another master key for the user device.
- View Dependent Claims (8, 9, 10, 11, 12, 14, 15, 16, 17, 18)
- - 8. The method according to claim 7, further comprising:
    - encrypting, by the network element using the master key, one or more messages to the user device.
  - 9. The method according to claim 7, wherein the random secret data is a random challenge, the authentication vector includes a random number that is based on the random secret data, and the authentication vector further includes a cipher key and an integrity key.
  - 10. The method according to claim 7, wherein the conversion from the cryptographic parameters to the key parameters includes generating a key based on the secret data, and wherein the network element is a base station or an authentication center.
  - 11. The method according to claim 7, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm, and the secret data is a concatenation of a key used for authentication and a key used along with other parameters to generate an encryption mask and a private code.
  - 12. The method according to claim 7, wherein a plurality of sets of cryptographic parameters are generated by the location register for generating the authentication vector.
  - 14. The apparatus according to claim 7, wherein the random secret data is a random challenge, the authentication vector includes a random number that is based on the random secret data, and the authentication vector further includes a cipher key and an integrity key.
  - 15. The apparatus according to claim 7, wherein the conversion from the cryptographic parameters to the key parameters includes generating a key based on the secret data, and wherein the network element is a base station or an authentication center.
  - 16. The apparatus according to claim 7, wherein the cryptographic algorithm includes a cellular authentication and voice encryption algorithm.
  - 17. The apparatus according to claim 7, wherein a plurality of sets of cryptographic parameters are generated by the location register for generating the authentication vector.
  - 18. The apparatus according to claim 7, wherein the apparatus is further caused to:
    - communicate with the user device using a spread spectrum.

13. An apparatus comprising:
- at least one processor; and
  
  at least one memory including computer program code for one or more programs,the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus embedded in a network element to perform at least the following,receive from a user device a message requesting authentication for accessing information by the user device over a data network, wherein the message specifies a user identity associated with the user device, the user identity is generated based on a secret data and a random secret data generated at the user device, and the message is generated according to a hypertext transfer protocol;
  
  forward the user identity to a location register configured to verify, based on the user identity, cryptographic parameters including the random secret data and to generate the secret data from the random secret data according to a cryptographic algorithm;
  
  receive the secret data at the network element from the location register;
  
  generate an authentication vector by converting the secret data to key parameters that include an authenticating token and an authentication response;
  
  transmit the authenticating token from the network element to the user device that is configured to output an authentication response based on the authenticating token;
  
  validate the authentication response received from the user device using the authentication response of the authentication vector;
  
  after the authentication response received from the user device is validated, generate a master key based on the key parameters; and
  
  authenticate one or more messages from the user device using the master key,wherein the secret data is shared between the network element and the user device to generate the master key for the network element and another master key for the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Laitinen, Pekka, Ginzboorg, Philip, Asokan, Nadarajah, Bajko, Gabor
Primary Examiner(s)
AVERY, JEREMIAH L

Application Number

US15/070,678
Publication Number

US 20160197922A1
Time in Patent Office

714 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/4416   Network booting; Remote ini...

H04L 2209/80   Wireless network architectu...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 63/0892   by using authentication-aut...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/0844   with user authentication or...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

Method and apparatus for providing bootstrapping procedures in a communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing bootstrapping procedures in a communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links