Authentication in communications networks
First Claim
1. A method comprising:
- sending a message from a network entity to a user equipment, wherein the message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate;
- selecting at least one of the first option and the second option from the set of options and, when the first option is selected, the first internet key exchange authentication procedure is implemented between the network entity and the user equipment and a shared secret is generated from the security key established in the generic bootstrapping architecture over a second interface between the user equipment and the bootstrapping service function; and
- using the shared secret to compute and verify authentication payloads in the first internet key exchange authentication procedure for the internet protocol communication over the first interface.
Abstract
The invention relates to a method of authenticating a user equipment in a communications network. The method involves sending a message from a network entity to the user equipment. This message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity; the options include a "shared-key"-based authentication procedure. The method also involves selecting an option from the set. In the event that the "shared-key"-based authentication procedure is selected, a shared secret is generated from a security key established in a generic bootstrapping architecture (GBA) over a second interface between the user equipment and a bootstrapping service function. The shared secret is then used to compute and verify authentication payloads in the shared-key-based authentication procedure for the communication over the first interface.
24 Claims
1. A method comprising:

sending a message from a network entity to a user equipment, wherein the message includes a set of options for an authentication procedure for authenticating an internet protocol communication over a first interface between the user equipment and the network entity, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate; selecting at least one of the first option and the second option from the set of options and, when the first option is selected, the first internet key exchange authentication procedure is implemented between the network entity and the user equipment and a shared secret is generated from the security key established in the generic bootstrapping architecture over a second interface between the user equipment and the bootstrapping service function; and using the shared secret to compute and verify authentication payloads in the first internet key exchange authentication procedure for the internet protocol communication over the first interface.

Dependent claims: 2 to 17.

18. An apparatus comprising:

a network entity comprising at least one processor configured to establish an internet protocol communication with a user equipment over an interface; dispatch a message to the user equipment including a set of options for an authentication procedure, the set of options including a first option of using a shared secret derived based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture and a second option of using a certificate; receive an authentication payload from the user equipment when the first option is selected, the authentication payload having been computed using the shared secret from the user equipment; and authenticate the received authentication payload using the shared secret from the bootstrapping function.

Dependent claims: 19 and 20.

21. An apparatus comprising:

a user equipment comprising at least one processor configured to establish a communication channel with a network entity in the communications network; receive a message which includes a set of options for the authentication procedure, the set of options including a first option of using a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture and a second option of using a certificate; select one of the set of options; compute an authentication payload for transmission to a network entity using a shared secret generated from the security key established in the generic bootstrapping architecture, when the first option is selected; and transmit the authentication payload in a message over the channel according to an internet protocol.

Dependent claims: 22 and 23.

24. A method comprising:

establishing a communication channel with a network entity in a communications network; receiving, at a user equipment, a message including a set of options for an authentication procedure, the set of options including a first option and a second option, wherein the first option represents using a first internet key exchange authentication procedure based on a security key obtained from a bootstrapping service function in accordance with a generic bootstrapping architecture, and wherein the second option represents using a second internet key exchange authentication procedure based on a certificate; selecting one of the set of options; computing an authentication payload for transmission to a network entity using a shared secret generated from the security key established in the generic bootstrapping architecture, when the first option is selected; and transmitting the authentication payload in a message over the channel according to an internet protocol.
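The procedure of the abstract and of claims 1, 18, 21 and 24, as an added example that is not code from the patent or from any 3GPP or IKE implementation: the network entity offers both options, the user equipment selects the GBA option, each side derives the shared secret from its copy of the bootstrapped key, and the authentication payload is computed by the UE and verified by the network entity. The option names, the PRF choice and the GBA key derivation are constructed assumptions (real GBA uses the KDF of 3GPP TS 33.220); only the AUTH payload formula follows RFC 7296 section 2.15 for shared-key authentication.

```python
import hashlib
import hmac

# The two options the network entity offers (names constructed for this example)
OPTION_GBA_SHARED_KEY = "ike-auth-gba-shared-key"   # claim's first option
OPTION_CERTIFICATE = "ike-auth-certificate"          # claim's second option


def prf(key: bytes, data: bytes) -> bytes:
    """PRF for the example: HMAC-SHA-256 (an assumption; the page names no algorithm)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def gba_shared_secret(ks: bytes, naf_id: bytes) -> bytes:
    """Shared secret derived from the GBA security key Ks for the network entity
    (the NAF).  Constructed stand-in: real GBA (3GPP TS 33.220) uses its own KDF
    with more inputs; here only the binding of Ks to the NAF identity is kept."""
    return prf(ks, b"gba-naf-key" + naf_id)


def ikev2_shared_key_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload for shared-key authentication per RFC 7296 section 2.15:
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    return prf(prf(shared_secret, b"Key Pad for IKEv2"), signed_octets)


def ue_select_option(options: list, ue_has_gba_key: bool) -> str:
    """UE side of the selection step: take the GBA option when the UE holds a
    bootstrapped key and the network offered it, else fall back to certificates."""
    if ue_has_gba_key and OPTION_GBA_SHARED_KEY in options:
        return OPTION_GBA_SHARED_KEY
    if OPTION_CERTIFICATE in options:
        return OPTION_CERTIFICATE
    raise ValueError("no mutually supported authentication option")


def run_first_option(ue_ks: bytes, nw_ks: bytes, naf_id: bytes,
                     signed_octets: bytes) -> bool:
    """Network entity offers both options; UE picks the GBA option; each side
    derives the shared secret from its own copy of Ks (the UE's obtained over the
    UE<->BSF interface, the network entity's from the BSF); the UE computes the
    AUTH payload and the network entity verifies it with its own derivation.
    Returns True only when the two payloads match (constant-time comparison)."""
    offered = [OPTION_GBA_SHARED_KEY, OPTION_CERTIFICATE]
    if ue_select_option(offered, ue_has_gba_key=True) != OPTION_GBA_SHARED_KEY:
        return False
    ue_auth = ikev2_shared_key_auth(gba_shared_secret(ue_ks, naf_id), signed_octets)
    expected = ikev2_shared_key_auth(gba_shared_secret(nw_ks, naf_id), signed_octets)
    return hmac.compare_digest(ue_auth, expected)
```

A mismatched Ks on either side (for example a stale bootstrapping session) yields a different shared secret and the verification fails, which is the property the claim relies on.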
Specification